CycloneDX / cyclonedx-rust-cargo

Creates CycloneDX Software Bill of Materials (SBOM) from Rust (Cargo) projects
https://cyclonedx.org/
Apache License 2.0

Consider using `packageurl::PackageUrl` instead of custom `Purl` type. #410

Open alilleybrinker opened 1 year ago

alilleybrinker commented 1 year ago

Right now the crate uses its own `Purl` type, with only hidden fields (which also makes it not terribly useful as-is, except for validation; use of its contents requires `Display`-ing and then reparsing with `packageurl::PackageUrl` or `url::Url` anyway). It's probably better to transition this to `packageurl::PackageUrl` to enable easier interoperation and enable extraction of the purl's components.

Shnatsel commented 1 year ago

There is a downside to exposing `packageurl::PackageUrl` in the public API: every time `packageurl` makes a semver-breaking release, we would have to make one too. Switching to another PURL crate would also be semver-breaking.

For now we've instead exposed `FromStr` implementations for `Purl` in #381 to make it writable, but without actually transitioning to a foreign type.

alilleybrinker commented 1 year ago

Alright, seems like a good enough solution. Do you think documentation could be added to more clearly indicate this is the recommended way to interoperate with the packageurl crate?

Shnatsel commented 1 year ago

There are several package URL crates in use already. I don't think it makes sense to enumerate every one in the documentation.

I'd be happy to accept a PR adding a code example that uses the `FromStr` impl, and a note that other package URL types should be converted to an `&str` first.
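The pattern the thread settles on (a purl type with hidden fields whose only public surface is `FromStr` and `Display`, with any third-party purl type converted to a string before it crosses the crate boundary) is shown below as an added, self-contained example. It is not code from cyclonedx-rust-cargo or from the `packageurl` crate: the `Purl`, `PurlError` and `ForeignPurl` types here are hypothetical stand-ins written for this illustration, and the parser is a deliberately minimal model of the purl grammar that validates the scheme, type and name but discards qualifiers and subpath.

```rust
use std::fmt;
use std::str::FromStr;

/// Hypothetical stand-in for a purl value type with hidden fields (not the
/// cyclonedx-bom crate's own `Purl`). Its public surface is `FromStr`,
/// `Display` and a few accessors, so no third-party purl crate appears in the
/// API and a semver bump of such a crate cannot force one here.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Purl {
    ty: String,
    namespace: Option<String>,
    name: String,
    version: Option<String>,
}

/// Reasons a string is rejected before it can become a `Purl`.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum PurlError {
    MissingScheme,
    MissingType,
    MissingName,
}

impl FromStr for Purl {
    type Err = PurlError;

    /// Parses `pkg:type/[namespace/]name[@version][?qualifiers][#subpath]`.
    /// Qualifiers and subpath are accepted but dropped by this model.
    fn from_str(s: &str) -> Result<Self, Self::Err> {
        // The `pkg` scheme is mandatory and case-insensitive.
        let rest = match s.split_once(':') {
            Some((scheme, rest)) if scheme.eq_ignore_ascii_case("pkg") => rest,
            _ => return Err(PurlError::MissingScheme),
        };
        // Cut off qualifiers and subpath, then tolerate a leading slash.
        let rest = rest.split(|c: char| c == '?' || c == '#').next().unwrap_or("");
        let rest = rest.trim_start_matches('/');
        let (ty, path) = match rest.split_once('/') {
            Some((ty, path)) if !ty.is_empty() => (ty, path),
            _ => return Err(PurlError::MissingType),
        };
        // The last segment is name[@version]; anything before it is the namespace.
        let (namespace, name_ver) = match path.rsplit_once('/') {
            Some((ns, nv)) => (Some(ns.to_string()), nv),
            None => (None, path),
        };
        let (name, version) = match name_ver.split_once('@') {
            Some((n, v)) => (n, Some(v.to_string())),
            None => (name_ver, None),
        };
        if name.is_empty() {
            return Err(PurlError::MissingName);
        }
        Ok(Purl { ty: ty.to_ascii_lowercase(), namespace, name: name.to_string(), version })
    }
}

impl fmt::Display for Purl {
    /// Serialises back to canonical-ish purl text; the round trip through
    /// `Display` + `FromStr` is the crate-agnostic interchange format.
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "pkg:{}/", self.ty)?;
        if let Some(ns) = &self.namespace {
            write!(f, "{}/", ns)?;
        }
        write!(f, "{}", self.name)?;
        if let Some(v) = &self.version {
            write!(f, "@{}", v)?;
        }
        Ok(())
    }
}

impl Purl {
    // Read-only accessors: components are reachable without re-parsing.
    pub fn ty(&self) -> &str { &self.ty }
    pub fn namespace(&self) -> Option<&str> { self.namespace.as_deref() }
    pub fn name(&self) -> &str { &self.name }
    pub fn version(&self) -> Option<&str> { self.version.as_deref() }
}

/// Hypothetical stand-in for a purl type from some other crate. Only its
/// `Display` output ever crosses into `Purl`, which is the maintainer's
/// "convert to `&str` first" recommendation.
pub struct ForeignPurl {
    pub text: String,
}

impl fmt::Display for ForeignPurl {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str(&self.text)
    }
}

/// Accepts any purl-like type via its string form. The signature mentions
/// only `Display`, never a concrete foreign type, so swapping purl crates
/// downstream is not a breaking change here.
pub fn purl_from_foreign<T: fmt::Display>(foreign: &T) -> Result<Purl, PurlError> {
    foreign.to_string().parse()
}

fn main() {
    // Constructed sample inputs, not taken from a real SBOM.
    for s in ["pkg:cargo/serde@1.0.0", "pkg:maven/org.apache/x@1?type=jar", "npm:foo"] {
        match s.parse::<Purl>() {
            Ok(p) => println!("{s} -> {p} (name={})", p.name()),
            Err(e) => println!("{s} -> rejected: {e:?}"),
        }
    }
}
```

Validation happens exactly once, at the `FromStr` boundary; everything downstream holds a `Purl` that is known to be well-formed, and the foreign crate's own parser is never trusted to agree with this one.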