Closed jgongo closed 3 years ago
Related to package-url/purl-spec#103
It was pointed out in package-url/purl-spec#103 that direct `:git` references should use the `vcs_url` qualifier on the pod's purl instead of the `download_url` qualifier.

After a bit of research:

- `:git` dependencies should use `vcs_url` (as mentioned by @macblazer) using the SPDX format
- `:podspec` dependencies should probably use `download_url`
- `:path` dependencies should probably be ignored, but it must be confirmed

Fixed by #7
According to the CocoaPods Podfile guide, pods can be directly downloaded using one of the following mechanisms:

- `:path`
- `:git`, possibly adding `:branch`, `:tag` or `:commit`
- `:podspec`

These cases should be taken into account when generating the purl for the dependency, using `download_url` / `vcs_url` as specified in the purl specification.

For each of these cases, the following should be decided:

- `:path` ) taking into account that any other software processing the BOM won't probably have access to that pod? `:path` is usually specified with a plain path, not a URL. If we implement this, should we make sure this is a `file:` URL?
- `:podspec` or can we trust the URL is valid if CocoaPods was already able to download it?
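An added example (not code from this project or this thread) showing one way to map the Podfile cases listed above and in the research comment onto purl qualifiers: `:git` gets an SPDX-style `vcs_url` (with `:commit`, `:tag` or `:branch` as the revision), `:podspec` gets `download_url`, and `:path` yields no location qualifier. The Podfile-style hashes, pod names and URLs are constructed, and the set of characters left unencoded in qualifier values is an assumption.

```ruby
# Characters kept unencoded in qualifier values (assumption: unreserved plus ':' and '/').
PURL_UNENCODED = %r{[^A-Za-z0-9\-._~:/]}

# Percent-encode a purl component; multi-byte characters are encoded byte by byte.
def purl_encode(value)
  value.to_s.gsub(PURL_UNENCODED) do |ch|
    ch.bytes.map { |b| format('%%%02X', b) }.join
  end
end

# SPDX-style VCS locator for a :git dependency: git+<url>[@<revision>].
# A pinned :commit is the most precise revision, then :tag, then :branch.
def spdx_git_locator(dep)
  locator = "git+#{dep[:git]}"
  revision = dep[:commit] || dep[:tag] || dep[:branch]
  revision ? "#{locator}@#{revision}" : locator
end

# Build the purl for a pod; `dep` mirrors the options given in the Podfile.
def cocoapods_purl(name, version, dep = {})
  base = "pkg:cocoapods/#{purl_encode(name)}"
  base += "@#{purl_encode(version)}" if version

  if dep[:git]
    "#{base}?vcs_url=#{purl_encode(spdx_git_locator(dep))}"
  elsif dep[:podspec]
    "#{base}?download_url=#{purl_encode(dep[:podspec])}"
  else
    # :path pods are local and not reachable by BOM consumers, so no
    # location qualifier is emitted; pods from a spec repo need none.
    base
  end
end

if __FILE__ == $PROGRAM_NAME
  puts cocoapods_purl('Alamofire', '5.4.0',
                      git: 'https://github.com/Alamofire/Alamofire.git', tag: '5.4.0')
  puts cocoapods_purl('Foo', '1.0', podspec: 'https://example.com/Foo.podspec')
  puts cocoapods_purl('LocalPod', '0.1', path: '../LocalPod')
end
```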