CycloneDX / cyclonedx-cocoapods

Creates CycloneDX Software Bill-of-Materials (SBOM) from Objective-C and Swift projects that use CocoaPods.
Apache License 2.0

Add proper qualifier to purl for directly downloaded pods #4

Closed jgongo closed 3 years ago

jgongo commented 3 years ago

According to the CocoaPods Podfile guide, pods can be directly downloaded using one of the following mechanisms:

These cases should be taken into account when generating the purl for the dependency, using download_url/vcs_url as specified in the purl specification.

For each of these cases, the following should be decided:

jgongo commented 3 years ago

Related to package-url/purl-spec#103

macblazer commented 3 years ago

It was pointed out in package-url/purl-spec#103 that direct :git references should use the vcs_url qualifier on the pod's purl instead of the download_url qualifier.
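As an added illustration of the qualifier choice discussed above (example code written for this page, not code from cyclonedx-cocoapods): a small Ruby routine that builds a `pkg:cocoapods` purl and attaches `vcs_url` for a `:git` source or `download_url` for a podspec fetched over HTTP(S). The `Pod` struct, its field names, and the sample URLs are assumptions constructed here, not the gem's data model; the qualifier names and the `git+<url>@<ref>` form of `vcs_url` follow the purl specification.

```ruby
require 'erb'

# Assumed, constructed shape of a resolved pod: name, version, and the Podfile
# source option it was declared with (:git plus an optional :branch/:tag/:commit
# ref, a :podspec URL, or a local :path). These field names are this example's
# own, not cyclonedx-cocoapods' model.
Pod = Struct.new(:name, :version, :git, :ref, :podspec, :path, keyword_init: true)

# Percent-encode a purl component. ERB::Util.url_encode escapes more than the
# purl spec strictly requires (':' and '/' stay literal in canonical purls),
# which still yields a valid purl that any decoder reads back correctly.
def encode_component(value)
  ERB::Util.url_encode(value)
end

# Build the purl for a pod. Directly downloaded pods carry the qualifier the
# purl spec defines for their source: vcs_url for :git (ref appended after '@'),
# download_url for a :podspec fetched over HTTP(S). Pods from a spec repo or a
# local :path get no qualifier. Subspec names such as "Example/Sub" have their
# '/' encoded so it is not mistaken for a namespace separator.
def pod_purl(pod)
  base = "pkg:cocoapods/#{encode_component(pod.name)}@#{encode_component(pod.version)}"
  qualifiers = {}
  if pod.git
    vcs = "git+#{pod.git}"
    vcs += "@#{pod.ref}" if pod.ref
    qualifiers['vcs_url'] = vcs
  elsif pod.podspec && pod.podspec.start_with?('http://', 'https://')
    qualifiers['download_url'] = pod.podspec
  end
  return base if qualifiers.empty?

  query = qualifiers.sort.map { |k, v| "#{k}=#{encode_component(v)}" }.join('&')
  "#{base}?#{query}"
end

# Read the qualifiers back out of a purl, percent-decoding each value, so a
# consumer can recover the original git URL and ref for verification.
def purl_qualifiers(purl)
  _, query = purl.split('?', 2)
  return {} unless query

  query.split('&').each_with_object({}) do |pair, acc|
    key, value = pair.split('=', 2)
    acc[key] = value.gsub(/%([0-9A-Fa-f]{2})/) { Regexp.last_match(1).hex.chr }
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample pods covering each source kind.
  [
    Pod.new(name: 'Example', version: '1.2.3',
            git: 'https://github.com/example-org/example-pod.git', ref: 'v1.2.3'),
    Pod.new(name: 'Example', version: '0.1.0', podspec: 'https://example.com/Example.podspec'),
    Pod.new(name: 'Local', version: '0.0.1', path: '../Local'),
    Pod.new(name: 'Example/Sub', version: '1.0.0')
  ].each { |pod| puts pod_purl(pod) }
end
```

Sorting the qualifier keys keeps the output stable, which matters when SBOMs are diffed between builds; decoding the qualifiers back is the check a consumer would run before trusting the recorded source.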

jgongo commented 3 years ago

After a bit of research:

jgongo commented 3 years ago

Fixed by #7