erlef / security-wg

Repo for the Security Working Group
https://erlef.github.io/security-wg/
195 stars 18 forks

OTP Purl implementation #35

Open LaurentGoderre opened 9 months ago

LaurentGoderre commented 9 months ago

Hi,

I wanted to let you know I created an implementation to detect OTP applications and return Purls matching your spec in Syft (https://github.com/anchore/syft/pull/2403).

Here is an example of it in action in a custom build of RabbitMQ (built for the RabbitMQ Docker Official Image but with the custom scanner)

https://explore.ggcr.dev/?blob=laurentgoderre689/rabbitmq@sha256:3fee3016c2f207cfbd47eac190a3b3d3a89bfe8d00cb1178f3d8086e4d93f94d&mt=application%2Fvnd.in-toto%2Bjson&size=848381

(Search for pkg:otp/accept@0.3.5)
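The detection the comment above describes, as an added example in Go: it is not the Syft code from the linked PR and not the working group's own code. It assumes the draft `otp` purl type from the spec, the standard OTP application resource file format (`{application, Name, [{vsn, "..."}, ...]}.`), and the usual release layout `lib/<name>-<vsn>/ebin/<name>.app`. The `.app` contents are constructed for the example. Whether a given application should get `pkg:otp/` or `pkg:hex/` is the open question in this thread, so the type is left as a caller decision rather than guessed from the file.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
	"strings"
)

// AppInfo holds the two fields of an OTP application resource file (.app)
// that a package URL needs.
type AppInfo struct {
	Name string // application name (Erlang atom)
	Vsn  string // {vsn, "..."} property
}

// appRe matches the head of the .app term: {application, Name, [...]}.
// Only plain or simply-quoted atoms are accepted for the name.
var appRe = regexp.MustCompile(`^\s*\{\s*application\s*,\s*'?([A-Za-z0-9_@.]+)'?\s*,`)

// vsnRe matches a string-valued {vsn, "..."} property, honouring backslash escapes.
var vsnRe = regexp.MustCompile(`\{\s*vsn\s*,\s*"((?:[^"\\]|\\.)*)"\s*\}`)

// stripComments drops whole-line Erlang comments (lines starting with %).
// Generated .app files carry no trailing comments, so that case is not handled.
func stripComments(src string) string {
	var kept []string
	for _, line := range strings.Split(src, "\n") {
		if strings.HasPrefix(strings.TrimSpace(line), "%") {
			continue
		}
		kept = append(kept, line)
	}
	return strings.Join(kept, "\n")
}

// unescapeErlString resolves the \" and \\ escapes inside an Erlang string literal.
func unescapeErlString(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		if s[i] == '\\' && i+1 < len(s) {
			i++
		}
		b.WriteByte(s[i])
	}
	return b.String()
}

// ParseApp extracts name and vsn from the contents of an .app file. A vsn that is
// not a string (e.g. {vsn, git} in an unbuilt .app.src) is rejected: a release must
// carry a concrete version, and a purl without one cannot be matched to anything.
func ParseApp(contents string) (AppInfo, error) {
	src := stripComments(contents)
	m := appRe.FindStringSubmatch(src)
	if m == nil {
		return AppInfo{}, fmt.Errorf("not an OTP application resource file")
	}
	v := vsnRe.FindStringSubmatch(src)
	if v == nil {
		return AppInfo{}, fmt.Errorf("application %s has no string-valued vsn", m[1])
	}
	return AppInfo{Name: m[1], Vsn: unescapeErlString(v[1])}, nil
}

// purlEscape percent-encodes everything outside the purl unreserved set, so '@',
// '/' or '+' inside a name or version cannot be mistaken for a purl delimiter.
func purlEscape(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case c >= 'a' && c <= 'z', c >= 'A' && c <= 'Z', c >= '0' && c <= '9',
			c == '-', c == '.', c == '_', c == '~':
			b.WriteByte(c)
		default:
			fmt.Fprintf(&b, "%%%02X", c)
		}
	}
	return b.String()
}

// Purl renders pkg:<typ>/<name>@<vsn>; typ is "otp" or "hex", chosen by the caller.
func Purl(typ string, app AppInfo) string {
	return fmt.Sprintf("pkg:%s/%s@%s", typ, purlEscape(app.Name), purlEscape(app.Vsn))
}

// MatchesReleaseDir checks the lib/<name>-<vsn>/ebin/<name>.app layout against what
// the file itself says. On a mismatch the .app contents, not the path, should win.
func MatchesReleaseDir(appPath string, app AppInfo) bool {
	ebin := path.Dir(appPath)
	return path.Base(path.Dir(ebin)) == app.Name+"-"+app.Vsn
}

// sampleAcceptApp is a constructed .app file, not one taken from a real release.
const sampleAcceptApp = `%% constructed sample for this example
{application, accept,
 [{description, "Accept header(s) for Erlang/Elixir"},
  {vsn, "0.3.5"},
  {registered, []},
  {applications, [kernel, stdlib]},
  {env, []},
  {modules, [accept_encoding_header, accept_header]}
 ]}.
`

func main() {
	app, err := ParseApp(sampleAcceptApp)
	if err != nil {
		panic(err)
	}
	fmt.Println(Purl("otp", app))
	fmt.Println(MatchesReleaseDir("lib/accept-0.3.5/ebin/accept.app", app))
}
```

Scanning a release means walking `lib/*/ebin/*.app`, calling `ParseApp` on each file, and treating a `MatchesReleaseDir` failure as a signal worth reporting: the directory name is what a casual inspection trusts, while the `.app` file is what the runtime actually loads.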

maennchen commented 9 months ago

Shouldn’t accept use the hex type instead of otp?

https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst#hex

https://github.com/erlef/security-wg/blob/master/docs/specs/otp_purl_type.md#relation-to-hex-purl-type

LaurentGoderre commented 9 months ago

@maennchen I'm not sure. These are not installed from the hex package manager, so this might be more accurate.

voltone commented 9 months ago

Interesting to see this being used. Did your needs match the "background" in the OTP Purl proposal?

Please note that this spec should be considered experimental: there was quite a bit of opposition at the time, hence this is marked as a "draft". I haven't heard any better ideas for tracking the contents of a release, for those things that don't come from Hex (in particular Erlang/Elixir standard library applications).

LaurentGoderre commented 9 months ago

The use case I'm using it for is to document packages that are bundled with rabbitmq.