microsoft / component-detection

Scans your project to determine what components you use
MIT License
396 stars 81 forks

Invalid purls when scanning Rust(cargo) repository #1172

Open kennylam91 opened 2 weeks ago

kennylam91 commented 2 weeks ago

Hi guys, when I scan a Rust (cargo) repository (e.g. https://github.com/rust-lang/rustlings), the SBOM file result contains these purls:

pkg:cargo//ryu@1.0.17#
pkg:cargo//which@6.0.1#
pkg:cargo//hashbrown@0.14.3#
pkg:cargo//anstream@0.6.13#
pkg:cargo//regex-automata@0.4.6#

As per the purl specification, these purls seem not to be valid with `//`, and when extracting them, the name info would include a slash (e.g. `/ryu` instead of `ryu`).
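To make the report concrete, here is a small parser/builder written for this page (it is not component-detection's own code, nor the reference `packageurl-python` library) that follows the parse and build steps of the package-url spec. Run over the purls quoted above, it shows two things: a consumer that simply takes the text between `pkg:<type>/` and `@` as the name gets `/ryu`, while the spec's right-to-left split recovers `ryu` and a canonical rebuild yields `pkg:cargo/ryu@1.0.17` (no empty namespace segment, no empty `#` subpath). The function names, the `naive_name` consumer and the extra npm/maven purls used for round-trip checks are this example's own.

```python
"""Spec-style purl parsing and canonical building.

Added example for the issue above; not component-detection's code. It follows
the parsing and building rules of the package-url spec
(https://github.com/package-url/purl-spec). Function names are this example's.
"""
from urllib.parse import quote, unquote

# The purls quoted in the issue report above.
REPORTED = [
    "pkg:cargo//ryu@1.0.17#",
    "pkg:cargo//which@6.0.1#",
    "pkg:cargo//hashbrown@0.14.3#",
    "pkg:cargo//anstream@0.6.13#",
    "pkg:cargo//regex-automata@0.4.6#",
]


def parse_purl(purl: str) -> dict:
    """Decompose a purl per the spec: subpath and qualifiers are split off from
    the right, scheme and type from the left, then version and name from the
    right; leading/trailing '/' are stripped, so '//' yields an empty namespace."""
    remainder, subpath = purl, ""
    if "#" in remainder:
        remainder, subpath = remainder.rsplit("#", 1)
    # Subpath segments: drop empty, '.' and '..' segments, percent-decode the rest.
    subpath = "/".join(unquote(s) for s in subpath.split("/") if s not in ("", ".", ".."))
    qualifiers = {}
    if "?" in remainder:
        remainder, qs = remainder.rsplit("?", 1)
        for pair in qs.split("&"):
            key, _, value = pair.partition("=")
            if value:  # a qualifier with an empty value is treated as absent
                qualifiers[key.lower()] = unquote(value)
    scheme, _, remainder = remainder.partition(":")
    if scheme != "pkg":
        raise ValueError(f"not a purl (scheme {scheme!r}): {purl}")
    remainder = remainder.strip("/")
    ptype, _, remainder = remainder.partition("/")
    version = None
    if "@" in remainder:
        remainder, version = remainder.rsplit("@", 1)
        version = unquote(version)
    if "/" in remainder:
        namespace, name = remainder.rsplit("/", 1)
    else:
        namespace, name = "", remainder
    ns_segments = [unquote(s) for s in namespace.split("/") if s]
    return {
        "type": ptype.lower(),
        "namespace": "/".join(ns_segments) or None,
        "name": unquote(name),
        "version": version,
        "qualifiers": qualifiers,
        "subpath": subpath or None,
    }


def build_purl(ptype, name, namespace=None, version=None, qualifiers=None, subpath=None) -> str:
    """Assemble the canonical string: empty namespace and empty subpath emit
    nothing, so neither '//' nor a trailing '#' can appear."""
    out = "pkg:" + ptype.lower() + "/"
    if namespace:
        out += "/".join(quote(s, safe="") for s in namespace.split("/") if s) + "/"
    out += quote(name, safe="")
    if version:
        out += "@" + quote(version, safe="")
    if qualifiers:
        items = sorted((k.lower(), v) for k, v in qualifiers.items() if v)
        out += "?" + "&".join(f"{k}={quote(v, safe='')}" for k, v in items)
    if subpath:
        segs = [quote(s, safe="") for s in subpath.split("/") if s not in ("", ".", "..")]
        if segs:
            out += "#" + "/".join(segs)
    return out


def canonical_purl(purl: str) -> str:
    """Parse then rebuild; a canonical purl round-trips unchanged."""
    p = parse_purl(purl)
    return build_purl(p["type"], p["name"], p["namespace"], p["version"],
                      p["qualifiers"], p["subpath"])


def naive_name(purl: str) -> str:
    """What a consumer gets if it takes everything between 'pkg:<type>/' and '@'
    as the package name instead of following the spec's right-side split.
    This is the extraction behaviour the issue describes, not the spec's."""
    body = purl.split(":", 1)[1].split("#", 1)[0].split("?", 1)[0]
    _, _, rest = body.partition("/")  # drop the type
    return rest.rsplit("@", 1)[0] if "@" in rest else rest


def check_sbom_purls(purls):
    """Return (as_written, canonical) pairs for every purl that is not canonical."""
    return [(p, canonical_purl(p)) for p in purls if canonical_purl(p) != p]


if __name__ == "__main__":
    for bad, good in check_sbom_purls(REPORTED):
        print(f"{bad}  naive name={naive_name(bad)!r}  canonical={good}")
```

The check is useful as a gate in an SBOM pipeline: every purl the scanner emits should round-trip through `canonical_purl` unchanged, and any that does not is either malformed (as here) or relies on a consumer being lenient about empty namespace segments.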

annaowens commented 1 day ago

Adding @FernandoRojo to help on this issue.