Open vorburger opened 4 months ago
https://maven.apache.org/repository/central-index.html
CPE pkg:maven/com.google.protobuf/protobuf-java
The `pkg:` scheme, à la `pkg:maven/ch.vorburger.mariaDB4j/mariaDB4j@3.1.0`, is shown e.g. on https://central.sonatype.com/artifact/ch.vorburger.mariaDB4j/mariaDB4j.

But it's not "standard" (IANA), and also already used e.g. by the `uri-scheme` package for Node.js as a prefix for custom URI schemes used by mobile apps, according to Google Gemini - although https://www.npmjs.com/package/uri-scheme does not mention it.

An Enola specific URL template may be simplest; I'm thinking e.g. something like https://enola.dev/java/maven/central/ch.vorburger.mariaDB4j/mariaDB4j-core/3.1.0 perhaps. (Where `central` could alternatively also be either an alias or an encoded full URL e.g. to an in-house repo.)

Unless the Security (CVE) community already has a useful URI standard for packages, such as Maven? (And others, probably.)
https://spdx.dev might have something we could map to?
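
An added example, not part of the issue or of Enola's code: mapping a Maven `pkg:` identifier onto the URL template sketched above, rejecting components that would alter the resulting path once percent-decoded. The function names are hypothetical, and carrying the purl `repository_url` qualifier as a single encoded segment is an assumption about what "an encoded full URL" would look like.

```python
from urllib.parse import quote, unquote

ENOLA_BASE = "https://enola.dev/java/maven"  # prefix from the issue's sketch, not a published API


def parse_maven_purl(purl):
    """Parse pkg:maven/<group>/<artifact>[@<version>][?qualifiers][#subpath]."""
    scheme, colon, rest = purl.partition(":")
    if not colon or scheme.lower() != "pkg":
        raise ValueError("not a pkg: URL")
    rest = rest.lstrip("/").partition("#")[0]   # subpath is ignored here
    rest, _, query = rest.partition("?")
    path, at, version = rest.rpartition("@")
    if not at:                                   # no version given
        path, version = rest, ""
    parts = [unquote(p) for p in path.split("/")]
    if len(parts) != 3 or parts[0].lower() != "maven":
        raise ValueError("expected pkg:maven/<group>/<artifact>")
    group, artifact, version = parts[1], parts[2], unquote(version)
    # Decoded components become URL path segments later: refuse anything
    # that is empty or could change the path (an encoded '/', '.', '..').
    for value in (group, artifact) + ((version,) if at else ()):
        if not value or "/" in value or value in (".", ".."):
            raise ValueError(f"unsafe component: {value!r}")
    qualifiers = {}
    for pair in filter(None, query.split("&")):
        key, _, value = pair.partition("=")
        qualifiers[key.lower()] = unquote(value)
    return {"group": group, "artifact": artifact, "version": version,
            "qualifiers": qualifiers}


def to_enola_url(purl):
    """Map a Maven purl onto the URL template sketched in the issue."""
    p = parse_maven_purl(purl)
    # "central" is the default alias; any other repository (assumption: taken
    # from the repository_url qualifier) is carried as one encoded segment.
    repo = p["qualifiers"].get("repository_url") or "central"
    segments = [repo, p["group"], p["artifact"]]
    if p["version"]:
        segments.append(p["version"])
    return "/".join([ENOLA_BASE] + [quote(s, safe="") for s in segments])
```
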