Add Schema that defines PURL types #401
Conversation
Signed-off-by: Steve Springett <steve@springett.us>
Signed-off-by: Steve Springett <steve@springett.us>
Signed-off-by: Steve Springett <steve@springett.us>
Signed-off-by: Steve Springett <steve@springett.us>
Signed-off-by: Steve Springett <steve@springett.us>
Signed-off-by: Steve Springett <steve@springett.us>
…b action is activated. Signed-off-by: Steve Springett <steve@springett.us>
Signed-off-by: Steve Springett <steve@springett.us>
| "normalization": { | ||
| "type": "string", | ||
| "enum": [ | ||
| "lowercase", | ||
| "uppercase", | ||
| "none" | ||
| ], | ||
| "description": "Defines if values must be normalized to lowercase, uppercase, or kept as provided." | ||
| } |
There was a problem hiding this comment.
This is incompatible with pkg:pypi: https://packaging.python.org/en/latest/specifications/name-normalization/#name-normalization . The simpler rules in the current PURL spec are wrong (#262) but those can't be described by this normalization section either.
| "case-sensitive", | ||
| "case-insensitive" | ||
| ], | ||
| "description": "Determines if case must be preserved or ignored." |
There was a problem hiding this comment.
What is the difference between sensitivity and normalization? AFAIK PURLs are always case sensitive and case-insensitive values are normalized to one casing. Un-normalized comparison with selective case insensitivity means that all code comparing PURLs needs to understand how to parse them and have a correct understanding of the comparison rules for the package type.
| "lowercase", | ||
| "uppercase", |
There was a problem hiding this comment.
These are insufficiently defined. Technically, with Unicode I think this is an infeasible problem. For package types that allow Unicode characters in a PURL component that has normalization rules, the set of characters to be lowercased (or uppercased? does anything actually do that?) can be ASCII characters or Unicode characters. For Unicode, expect some packaging implementations to have bugs where non-BMP characters are handled incorrectly, leading to the potential need for a "lowercase BMP characters only" rule. There may even be cases where the version of Unicode makes a difference, but I doubt the package manager authors are thinking about that.
| }, | ||
| "character_constraints": { | ||
| "type": "string", | ||
| "description": "Regex defining valid characters." |
There was a problem hiding this comment.
This is slightly risky. Not all regex implementations work the same way. It would be good to specify a well known flavor of regex.
Maybe it would be better to just remove this concept entirely. PURL should not be deciding whether a package name is valid or not. It provides little benefit and causes problems if the rules become more permissive later or when bad data is received from another source.
| "$id": { | ||
| "type": "string", | ||
| "description": "The unique identifier for this PURL type definition.", | ||
| "pattern": "^https://purl-spec\\.org/types/[a-z0-9-]+\\.json$" |
There was a problem hiding this comment.
This seems overly restrictive. Sometimes people invent their own package types and this rule appears to force those people to masquerade as purl-spec.org.
| "definition": { | ||
| "namespace": { | ||
| "requirement": "optional", | ||
| "allowed_characters": "^[a-z0-9-]+$", |
There was a problem hiding this comment.
This rule forbids all prefixed packages because the prefix must (currently) begin with @.
| "allowed_characters": "^[a-z0-9-]+$", | ||
| "case_rules": { | ||
| "sensitivity": "case-sensitive", | ||
| "normalization": "lowercase" |
There was a problem hiding this comment.
This is incorrect. NPM package IDs are case sensitive, so they should not be lowercased.
| "allowed_characters": "^[a-z0-9-]+$", | ||
| "case_rules": { | ||
| "sensitivity": "case-sensitive", | ||
| "normalization": "lowercase" |
There was a problem hiding this comment.
Some packages have mixed case names so uppercase must be allowed and the name must not be lowercased.
| }, | ||
| "name": { | ||
| "requirement": "required", | ||
| "allowed_characters": "^[a-zA-Z0-9_.-]+$", |
There was a problem hiding this comment.
This is incorrect. Maven Central contains packages like pkg:maven/net.databinder/dispatch-http%252Bjson_2.7.3@0.6.0 and pkg:maven/org.bouncycastle/bctsp-jdk15+@1.46.
There was a problem hiding this comment.
@matt-phylum this makes sense. We should likely drop allowed_characters
| }, | ||
| "name": { | ||
| "requirement": "required", | ||
| "allowed_characters": "^[a-z0-9-]+$", |
There was a problem hiding this comment.
This is incorrect. NPM contains packages like pkg:npm/%2F18_wahajali/.adventure_game@4.0.2.
johnmhoran
added
PURL type definition
pombredanne
dismissed
Dustin4444’s stale review
Unknown user, no comments. Looks like spam
This PR adds a formal structure to PURL type definitions. This PR contains:
index.jsonof all PURL type definitionsThis PR closes #310