Open nathanwn opened 10 months ago
Thanks for reporting this issue. Part of this behavior is actually intended:
However, after removing the version part from the PURL in the target field, Macaron now recognizes this expectation to correspond to the software component.
We don't want to require the version string to be specified in the expectation. Otherwise, the expectation file needs to be updated for each artifact version.
I wonder if we could provide a regex option to let users decide if they want to keep the target field version-agnostic.
It may look like this, where `=~` is the Cue regex matching operator:

```cue
{
    target: =~"pkg:maven/io.micronaut/micronaut-test.*",
    ...
}
```
This may require changes to how the expectation is evaluated.
Reproduction
We use the `macaron analyze` command under the use case of "user providing both a PackageURL to identify a software component and a repo URL explicitly". Macaron then does not recognize the following expectation to correspond to the software component being analyzed:
However, after removing the version part from the PURL in the `target` field, Macaron now recognizes this expectation to correspond to the software component. This is undesirable from a user's perspective because it is not clear why the same PURL can be specified in the analyze command, but not in the expectation.
Cause
Macaron stores expectations for all analysis targets in a dictionary, in which each key is a PURL identifying a software component, and each value is the corresponding provenance expectation for that software component.
Before a pair of (PURL, expectation) is added to this dictionary, the version part of the PURL (starting from the `@` character) is stripped away from the PURL.
Other unexpected details
The `target` column in the `Expectation` table seems to store the PURL, not the "full repository name" as stated in the doc comment.
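To illustrate the version-stripped dictionary lookup described under Cause and the `=~` regex option proposed in the comment above, here is an added Python sketch. It is not Macaron's code: the functions `strip_version`, `register` and `target_matches`, and the sample PURLs, are constructed for this example.

```python
import re

# Constructed sample data (not Macaron's own): the analysis-target PURL and
# three candidate values for the expectation's `target` field.
COMPONENT_PURL = "pkg:maven/io.micronaut/micronaut-test@4.1.0"
TARGET_WITH_VERSION = "pkg:maven/io.micronaut/micronaut-test@4.1.0"
TARGET_WITHOUT_VERSION = "pkg:maven/io.micronaut/micronaut-test"
TARGET_REGEX = '=~"pkg:maven/io.micronaut/micronaut-test.*"'


def strip_version(purl: str) -> str:
    """Return the PURL with its version removed.

    PURL layout: pkg:type/namespace/name@version?qualifiers#subpath.
    Only an '@' inside the final path segment marks a version, so an '@'
    in a namespace (npm scoped packages such as pkg:npm/@angular/core@1.0)
    is preserved, and qualifiers/subpath are carried over unchanged.
    """
    core, rest = re.match(r"^([^?#]*)(.*)$", purl).groups()
    head, slash, name = core.rpartition("/")
    return f"{head}{slash}{name.split('@', 1)[0]}{rest}"


def register(expectations: dict) -> dict:
    """Key expectations by version-less PURL, as the Cause section describes."""
    return {strip_version(purl): exp for purl, exp in expectations.items()}


def target_matches(target_field: str, component_purl: str) -> bool:
    """Evaluate an expectation's `target` field against a component PURL.

    A plain string must equal the version-less registry key exactly, which
    is why a versioned target is not recognised. A field written as
    =~"<regex>" (the hypothetical regex option) is matched against the full
    PURL, so users may either pin a version or stay version-agnostic.
    """
    regex = re.fullmatch(r'=~"(.*)"', target_field)
    if regex:
        return re.fullmatch(regex.group(1), component_purl) is not None
    return target_field == strip_version(component_purl)


if __name__ == "__main__":
    for field in (TARGET_WITH_VERSION, TARGET_WITHOUT_VERSION, TARGET_REGEX):
        print(f"{field!r:58} -> {target_matches(field, COMPONENT_PURL)}")
```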