aboutcode-org / purldb

Tools to create and expose a database of purls (Package URLs). This project is sponsored by NLnet project https://nlnet.nl/project/vulnerabilitydatabase/ and nexB for https://www.aboutcode.org/ Chat is at https://gitter.im/aboutcode-org/discuss
https://purldb.readthedocs.io/
35 stars 23 forks source link

Enhancement: Provide a public PURL Service web form #522

Open DennisClark opened 3 months ago

DennisClark commented 3 months ago

In order to support and encourage universal PURL adoption and improved standards, please consider a new web form, open to the general public, that supports at least 3 things when you enter (or paste) a PURL into an input field:

Also find ways to publicize the availability of this web form. Also explain how it works and how you can use available tools and API's to do the same thing yourself.

DennisClark commented 3 months ago

For reference, please see https://public.purldb.io/api/validate/

This issue is about providing a user-friendly front end and expanding the results.

DennisClark commented 3 months ago

Another useful feature to provide on the form would be a link to a suitable GitHub project issues page to support questions, suggestions, issues, etc.

DennisClark commented 3 months ago

@johnmhoran when you start working on the UI design, you might get some inspiration from the DejaCode user form to edit a Package, since it breaks out the PURL into its individual parts, so that when your new form provides feedback to the user, it can show how each of the pieces of the user-entered PURL were interpreted. Just an idea!

sample-package-essentials-UI
johnmhoran commented 3 months ago

Thanks @DennisClark -- I'll give that a close look. 👍 Would I be correct in thinking that we're talking about a Django-based front end rather than something related to the forms I've seen connected to a REST API?

DennisClark commented 3 months ago

@johnmhoran not really sue about that, although it would probably make sense to make use of whatever we have done for VCIO.

johnmhoran commented 3 months ago

For example, this UI enables basic querying (both JSON and a more-familiar but more limited HTML form) of the VCIO bulk_search endpoint. I'd guess that this is a REST Framework-specific form with its own abilities and limitations. Django likely provides more options and flexibilities -- and complexities.

I'll start digging into this.

johnmhoran commented 3 months ago

@DennisClark I've created an initial draft of a PURL web form that addresses a subset of the attributes and behaviors you've identified in this issue. When you have time, it would be helpful if we could take a look at the draft UI together and discuss your thoughts on both the current contents and the details of those items above that I've not yet addressed. Here's a sample screenshot:

image

DennisClark commented 3 months ago

@johnmhoran to summarize a bit our recent conversation, there are 3 cases to consider:

In all 3 cases, we want the user to get some meaningful and helpful feedback, and ideally that means parsing out the specific chunks of the PURL into their specific fields as best as can be determined. If the PURL exists in the PurlDB, we can present some useful selected fields and also provide a link to equivalent API results.

Also, as we discussed, a link from the "About" dropdown should be sufficient to allow the user to navigate to the purldb repo and do further research there, and possibly enter a question issue.

johnmhoran commented 2 months ago

@DennisClark One of your first bullets above refers to constructing download URLs -- Construct a Download URL, when possible, and present that in a copy-enabled, click-enabled field. Do we already have code that does that which you contemplate using as the basis for the construction in the UI? (I'm currently getting the download URL value from the PurlDB record if it exists there.)

DennisClark commented 2 months ago

@johnmhoran there ought to be something in DejaCode that constructs download URLs

johnmhoran commented 2 months ago

@pombredanne The PURL spec prohibits the inclusion of URL Authorities in a PURL, but notes that there can be exceptions, and this example passes both my local code and testing and is validated by the public validate endpoint. Is that because there is something about the specific circumstance that means it is not treated as a URL authority?

pkg:/nefarious/powned/user:password@mydatabase.com:5432

In contrast, this fails (and appears to clearly violate the spec's guidelines):

pkg:hello/user:pass@host:port

ValueError =
        Invalid purl 'pkg:hello/user:pass@host:port' cannot contain a "user:pass@host:port"
        URL Authority component: ''.
pombredanne commented 2 months ago

@johnmhoran an authority would be a combination of user:pass@host:port and would technically come before the namespace/name parts, in all cases I think the colon would likely need to be escaped. In pkg:hello/user:pass@host:port I guess the parsing would either end up failing or would return hello as namespace, user:pass as name, host:port as version.

pkg:/nefarious/powned/user:password@mydatabase.com:5432 would also likely be parsed in something like: nefarious/powned as namespace, user:password as name and mydatabase.com:5432 as version

The point is the spec does not accept nor does not care nor knows about URL Authority (see https://en.wikipedia.org/wiki/URL#Syntax )

In particular a true authority would have to come with // The base URI looks like this:

The base PURL looks like this:

This table shows the components equivalence between each:

URI PURL
scheme type
authority N/A
namespace path
name path
version path
query qualifiers
fragment subpath
johnmhoran commented 2 months ago

Thank you for the detailed reply @pombredanne -- greatly appreciated. 🙂

johnmhoran commented 2 months ago

BTW my current draft parses the PURL slightly differently, treating nefarious as the type (a leading/ is disregarded per the spec):

image