erlef / security-wg

Repo for the Security Working Group
https://erlef.github.io/security-wg/
201 stars 19 forks

OTP Purl implementation #35

Open LaurentGoderre opened 11 months ago

LaurentGoderre commented 11 months ago

Hi,

I wanted to let you know I created an implementation that detects OTP applications and returns purls matching your spec in Syft (https://github.com/anchore/syft/pull/2403).

Here is an example of it in action in a custom build of RabbitMQ (built for the RabbitMQ Docker Official Image but with the custom scanner)

https://explore.ggcr.dev/?blob=laurentgoderre689/rabbitmq@sha256:3fee3016c2f207cfbd47eac190a3b3d3a89bfe8d00cb1178f3d8086e4d93f94d&mt=application%2Fvnd.in-toto%2Bjson&size=848381

(Search for pkg:otp/accept@0.3.5)

maennchen commented 11 months ago

Shouldn’t accept use the hex type instead of otp?

https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst#hex

https://github.com/erlef/security-wg/blob/master/docs/specs/otp_purl_type.md#relation-to-hex-purl-type

LaurentGoderre commented 11 months ago

@maennchen I'm not sure. These are not installed from the hex package manager, so this might be more accurate.
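An added example, not code from the Syft PR or from the security-wg repo, of the two steps the thread discusses: reading an OTP `.app` resource file (the one an Erlang application ships under `ebin/`) to recover its name and `vsn`, and rendering the result as a purl. The purl type is left as a parameter because the thread leaves the otp-versus-hex choice open. The `.app` sample is constructed for this example (not taken from RabbitMQ), the parsing is a deliberately narrow regex over the `{application, Name, [...]}` term rather than a full Erlang term parser, and the percent-encoding follows the purl spec's rule of escaping everything outside the unreserved set (so a `+` build tag in a version becomes `%2B`).

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample (not from RabbitMQ): a minimal Erlang .app resource file
// of the kind found at lib/<name>-<vsn>/ebin/<name>.app inside an OTP release.
const sampleApp = `{application, accept,
 [{description, "Accept header(s) for Erlang/Elixir"},
  {vsn, "0.3.5"},
  {modules, [accept_encoding_header, accept_header]},
  {registered, []},
  {applications, [kernel, stdlib]}]}.
`

var (
	// Assumption: the application name is a plain (optionally quoted) atom.
	appNameRe = regexp.MustCompile(`^\s*\{application,\s*'?([A-Za-z0-9_@.]+)'?`)
	vsnRe     = regexp.MustCompile(`\{vsn,\s*"([^"]*)"\}`)
)

// OTPApp is the name/version pair an OTP .app file declares.
type OTPApp struct {
	Name    string
	Version string
}

// ParseApp extracts the application name and vsn from .app file contents.
// It fails closed: no name term or no vsn entry is an error, not an empty purl.
func ParseApp(src string) (OTPApp, error) {
	m := appNameRe.FindStringSubmatch(src)
	if m == nil {
		return OTPApp{}, fmt.Errorf("no {application, Name, ...} term found")
	}
	v := vsnRe.FindStringSubmatch(src)
	if v == nil {
		return OTPApp{}, fmt.Errorf("application %s has no {vsn, \"...\"} entry", m[1])
	}
	return OTPApp{Name: m[1], Version: v[1]}, nil
}

// purlEscape percent-encodes every byte outside the purl unreserved set
// (ALPHA / DIGIT / "-" / "." / "_" / "~"), which is stricter than url.PathEscape.
func purlEscape(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case c >= 'a' && c <= 'z', c >= 'A' && c <= 'Z', c >= '0' && c <= '9',
			c == '-', c == '.', c == '_', c == '~':
			b.WriteByte(c)
		default:
			fmt.Fprintf(&b, "%%%02X", c)
		}
	}
	return b.String()
}

// Purl renders the application as pkg:<type>/<name>@<version>. The type
// ("otp" or "hex") is a caller decision; this example does not choose.
func (a OTPApp) Purl(typ string) string {
	return fmt.Sprintf("pkg:%s/%s@%s", typ, purlEscape(a.Name), purlEscape(a.Version))
}

func main() {
	app, err := ParseApp(sampleApp)
	if err != nil {
		panic(err)
	}
	fmt.Println(app.Purl("otp"))
	fmt.Println(app.Purl("hex"))
}
```

Running it prints `pkg:otp/accept@0.3.5` and `pkg:hex/accept@0.3.5` for the same input, which is exactly the ambiguity the two comments above are about: the `.app` file alone does not say whether the application came from Hex, so that decision has to come from elsewhere (for example, a lockfile or a `hex_metadata.config` next to it).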

voltone commented 11 months ago

Interesting to see this being used. Did your needs match the "background" in the OTP Purl proposal?

Please note that this spec should be considered experimental: there was quite a bit of opposition at the time, hence this is marked as a "draft". I haven't heard any better ideas for tracking the contents of a release, for those things that don't come from Hex (in particular Erlang/Elixir standard library applications).

LaurentGoderre commented 11 months ago

The use case I'm using it for is to document packages that are bundled with RabbitMQ.