Open TG1999 opened 1 year ago
Case 1: A vulnerable package without qualifiers or subpath is inside DB and input is purl with qualifiers and subpath Case 2: A vulnerable package with qualifiers and subpath is inside DB and input is purl without qualifiers and subpath Case 3: Multiple vulnerable package with different qualifiers and subpath and input is purl without qualifiers and subpath Case 4: Multiple vulnerable package with different qualifiers and subpath and input is purl with qualifiers and subpath that we do not have in DB
@pombredanne suggested that we should have 2 functionalities lookup
and search
.
lookup
should only return data when it's an exact match in the db for what the user searched for and search
should support fuzzy matching and return more than what it needs.
1st option: The client should do a filtering on their purls and we will give an exact match on purls.
2nd option: The client sends the purl with or without qualifiers and VCIO makes a choice to look with or without qualifiers.
If we have 3 purls, pkg:npm/foo/bar@1.2 , pkg:npm/foo/bar@1.2?baz=jon, pkg:npm/foo/bar@1.2?baz=doe and you ask for plain purls only with this input pkg:npm/foo/bar@1.2?baz=jondoe, what should I send as output here all 3 purls or the purl without qualifiers?