Invalid purls when scanning Rust(cargo) repository

microsoft / component-detection

Scans your project to determine what components you use

MIT License

436 stars 90 forks source link

Invalid purls when scanning Rust(cargo) repository #1172

Open kennylam91 opened 5 months ago

kennylam91 commented 5 months ago

Hi guys, When I scan a Rust(cargo) repository (e.g https://github.com/rust-lang/rustlings), the sbom file result contains these purls:

pkg:cargo//ryu@1.0.17#
pkg:cargo//which@6.0.1#
pkg:cargo//hashbrown@0.14.3#
pkg:cargo//anstream@0.6.13#
pkg:cargo//regex-automata@0.4.6#

As per purl-specification, these purls seem not to be valid with // And when extracting them, the name info would include a slash (e.g /ryu instead of ryu)

annaowens commented 4 months ago

Adding @FernandoRojo to help on this issue.