containerbuildsystem / cachi2

Cachi2 is a CLI tool that pre-fetches your project's dependencies to aid in making your build process network-isolated.
GNU General Public License v3.0

[gomod] Propagate the effect of the 'goproxy_url' config option to SBOM #577

Open eskultety opened 3 months ago

eskultety commented 3 months ago

If consumers use a private goproxy, then without formatting it to the PURL the generic package locator is not accurate to describe the package location. The PURL spec sadly doesn't mention anything that would be even remotely related to what we need here with repository_url/download_url being the closest having a different meaning. We'll probably have to come up with a custom qualifier, i.e. proxy to denote that a proxy was used to locate the package given its identifier.