google / deps.dev

Resources for the deps.dev API
https://deps.dev
Apache License 2.0

Case-sensitive Maven package names lead to 404s #34

Closed jamietanna closed 8 months ago

jamietanna commented 1 year ago

Similar to https://github.com/google/deps.dev/issues/7, I'm seeing 404s when the package name doesn't match some canonical form:

% curl https://api.deps.dev/v3alpha/systems/maven/packages/org.codenarc%3ACodeNarc/versions/3.3.0:dependencies -i
HTTP/2 200 
content-type: application/json
x-envoy-upstream-service-time: 17
strict-transport-security: max-age=2592000; includeSubDomains
grpc-status: 0
grpc-message: 
content-length: 3794
vary: Accept-Encoding
date: Sun, 24 Sep 2023 16:45:06 GMT
server: envoy
via: 1.1 google
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

{"nodes":[{"versionKey":{"system":"MAVEN","name":"org.codenarc:CodeNarc","version":"3.3.0"},"bundled":false,"relation":"SELF","errors":[]},{"versionKey":{"system":"MAVEN","name":"com.github.javaparser:javaparser-core","version":"3.23.0"},"bundled":false,"relation":"INDIRECT","errors":[]},{"versionKey":{"system":"MAVEN","name":"com.thoughtworks.qdox:qdox","version":"1.12.1"},"bundled":false,"relation":"INDIRECT","errors":[]},{"versionKey":{"system":"MAVEN","name":"org.apache.ant:ant","version":"1.10.11"},"bundled":false,"relation":"INDIRECT","errors":[]},{"versionKey":{"system":"MAVEN","name":"org.apache.ant:ant-antlr","version":"1.10.11"},"bundled":false,"relation":"INDIRECT","errors":["could not find a version that satisfies requirement 1.8.0 for package com.sun:tools"]},{"versionKey":{"system":"MAVEN","name":"org.apache.ant:ant-junit","version":"1.10.11"},"bundled":false,"relation":"INDIRECT","errors":["could not find a version that satisfies requirement 1.8.0 for package com.sun:tools"]},{"versionKey":{"system":"MAVEN","name":"org.apache.ant:ant-launcher","version":"1.10.11"},"bundled":false,"relation":"INDIRECT","errors":["could not find a version that satisfies requirement 1.8.0 for package 
com.sun:tools"]},{"versionKey":{"system":"MAVEN","name":"org.codehaus.groovy:groovy","version":"3.0.9"},"bundled":false,"relation":"DIRECT","errors":[]},{"versionKey":{"system":"MAVEN","name":"org.codehaus.groovy:groovy-ant","version":"3.0.9"},"bundled":false,"relation":"DIRECT","errors":[]},{"versionKey":{"system":"MAVEN","name":"org.codehaus.groovy:groovy-docgenerator","version":"3.0.9"},"bundled":false,"relation":"INDIRECT","errors":[]},{"versionKey":{"system":"MAVEN","name":"org.codehaus.groovy:groovy-groovydoc","version":"3.0.9"},"bundled":false,"relation":"DIRECT","errors":[]},{"versionKey":{"system":"MAVEN","name":"org.codehaus.groovy:groovy-json","version":"3.0.9"},"bundled":false,"relation":"DIRECT","errors":[]},{"versionKey":{"system":"MAVEN","name":"org.codehaus.groovy:groovy-templates","version":"3.0.9"},"bundled":false,"relation":"DIRECT","errors":[]},{"versionKey":{"system":"MAVEN","name":"org.codehaus.groovy:groovy-xml","version":"3.0.9"},"bundled":false,"relation":"DIRECT","errors":[]},{"versionKey":{"system":"MAVEN","name":"org.gmetrics:GMetrics","version":"2.1.0"},"bundled":false,"relation":"DIRECT","errors":[]},{"versionKey":{"system":"MAVEN","name":"org.slf4j:slf4j-api","version":"1.7.35"},"bundled":false,"relation":"DIRECT","errors":[]}],"edges":[{"fromNode":0,"toNode":7,"requirement":"3.0.9"},{"fromNode":0,"toNode":8,"requirement":"3.0.9"},{"fromNode":0,"toNode":10,"requirement":"3.0.9"},{"fromNode":0,"toNode":11,"requirement":"3.0.9"},{"fromNode":0,"toNode":12,"requirement":"3.0.9"},{"fromNode":0,"toNode":13,"requirement":"3.0.9"},{"fromNode":0,"toNode":14,"requirement":"2.1.0"},{"fromNode":0,"toNode":15,"requirement":"1.7.35"},{"fromNode":5,"toNode":3,"requirement":"1.10.11"},{"fromNode":8,"toNode":3,"requirement":"1.10.11"},{"fromNode":8,"toNode":4,"requirement":"1.10.11"},{"fromNode":8,"toNode":5,"requirement":"1.10.11"},{"fromNode":8,"toNode":6,"requirement":"1.10.11"},{"fromNode":8,"toNode":7,"requirement":"3.0.9"},{"fromNode":8,"toNode":
10,"requirement":"3.0.9"},{"fromNode":9,"toNode":2,"requirement":"1.12.1"},{"fromNode":9,"toNode":7,"requirement":"3.0.9"},{"fromNode":9,"toNode":12,"requirement":"3.0.9"},{"fromNode":10,"toNode":1,"requirement":"3.23.0"},{"fromNode":10,"toNode":7,"requirement":"3.0.9"},{"fromNode":10,"toNode":9,"requirement":"3.0.9"},{"fromNode":10,"toNode":12,"requirement":"3.0.9"},{"fromNode":11,"toNode":7,"requirement":"3.0.9"},{"fromNode":12,"toNode":7,"requirement":"3.0.9"},{"fromNode":12,"toNode":13,"requirement":"3.0.9"},{"fromNode":13,"toNode":7,"requirement":"3.0.9"}],"error":""}
% curl https://api.deps.dev/v3alpha/systems/maven/packages/org.codenarc%3acodenarc/versions/3.3.0:dependencies -i
HTTP/2 404 
content-type: application/grpc
grpc-status: 5
grpc-message: dependencies not found
x-envoy-upstream-service-time: 9
strict-transport-security: max-age=2592000; includeSubDomains
content-length: 0
date: Sun, 24 Sep 2023 16:45:15 GMT
server: envoy
via: 1.1 google
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

This package name is derived from the purl in the below SBOM from the GitHub API, taken from https://api.github.com/repos/jenkinsci/job-dsl-plugin/dependency-graph/sbom, located at https://gist.github.com/jamietanna/3a2a933e06aea06a7e833a0f1b43876d#file-job-dsl-sbom-json-L8313-L8327

I don't believe that Maven packages are case-sensitive.

adg commented 1 year ago

It is my understanding that Maven package names are indeed case-sensitive.

I don't know why the name is lowercased in the purl. The API response from GitHub has the correct name in the name field, so could you use that instead?

The authority for this particular string is the central repository: https://repo1.maven.org/maven2/org/codenarc/
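The lookup discussed in this thread, as an added example that is not part of the issue or of the deps.dev project's code: it builds the `:dependencies` URL from the SBOM's `name` field rather than the purl, and reports purls that differ from that name only by case. `SAMPLE_PACKAGE` is constructed, and its field layout, including the `maven:` prefix on `name`, is an assumption about the SBOM format.

```python
from urllib.parse import quote, unquote

API = "https://api.deps.dev/v3alpha"

# Constructed SPDX-style package entry. The field layout and the "maven:"
# prefix on "name" are assumptions, not copied from the linked SBOM.
SAMPLE_PACKAGE = {
    "name": "maven:org.codenarc:CodeNarc",
    "versionInfo": "3.3.0",
    "externalRefs": [{
        "referenceType": "purl",
        "referenceLocator": "pkg:maven/org.codenarc/codenarc@3.3.0",
    }],
}

def maven_name_from_purl(purl):
    """Return 'group:artifact' from a pkg:maven purl, case kept as given."""
    if not purl.startswith("pkg:maven/"):
        raise ValueError("not a Maven purl: " + purl)
    path = purl[len("pkg:maven/"):].split("#", 1)[0].split("?", 1)[0]
    path = path.rsplit("@", 1)[0]  # drop the version, if any
    group, _, artifact = path.rpartition("/")
    if not group or not artifact:
        raise ValueError("purl lacks group or artifact: " + purl)
    return unquote(group) + ":" + unquote(artifact)

def maven_name_from_sbom(pkg):
    """Return 'group:artifact' from the name field, dropping an ecosystem prefix."""
    name = pkg["name"]
    # Strip "maven:" only when three parts are present, so a group id that is
    # literally "maven" is not mistaken for the prefix.
    if name.startswith("maven:") and name.count(":") == 2:
        return name[len("maven:"):]
    return name

def dependencies_url(name, version):
    """Build the :dependencies URL; the name is one percent-encoded segment."""
    return "%s/systems/maven/packages/%s/versions/%s:dependencies" % (
        API, quote(name, safe=""), quote(version, safe=""))

def resolve(pkg):
    """Prefer the name field; list purls that differ from it only by case."""
    name = maven_name_from_sbom(pkg)
    purls = [r["referenceLocator"] for r in pkg.get("externalRefs", [])
             if r.get("referenceType") == "purl"]
    folded = [p for p in purls if maven_name_from_purl(p) != name
              and maven_name_from_purl(p).lower() == name.lower()]
    return {"name": name, "url": dependencies_url(name, pkg["versionInfo"]),
            "case_folded_purls": folded}
```

A non-empty `case_folded_purls` marks entries where a purl-derived lookup would return the 404 shown above, which a pipeline should surface rather than treat as "no dependencies".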