package-url / packageurl-python

Python implementation of the package url spec. This project is sponsored by NLnet project https://nlnet.nl/project/vulnerabilitydatabase/ , the Google Summer of Code, nexB and other generous sponsors.

Incorrect parsing for PURLs without names #131

Open matt-phylum opened 11 months ago

matt-phylum commented 11 months ago

The PURL test suite contains an invalid PURL pkg:swift/github.com/Alamofire/@5.4.3 which is supposed to fail parsing because it has no name. packageurl-python parses the PURL as having namespace github.com and name Alamofire.

tdruez commented 10 months ago

@matt-phylum I'm not sure what you mean by "is supposed to fail parsing because it has no name".

The purl seems a bit wrongly formatted because of the extra / between name and version but it matches the purl spec: scheme:type/namespace/name@version

The behavior of packageurl-python on this purl seems fine:

>>> from packageurl import PackageURL

>>> PackageURL.from_string("pkg:swift/github.com/Alamofire/@5.4.3")
PackageURL(type='swift', namespace='github.com', name='Alamofire', version='5.4.3', qualifiers={}, subpath=None)

>>> PackageURL.from_string("pkg:swift/github.com/Alamofire/@5.4.3").to_string()
'pkg:swift/github.com/Alamofire@5.4.3'

matt-phylum commented 10 months ago

The PURL test suite says that packageurl-python is supposed to fail parsing this malformed PURL. Alamofire is incorrectly being parsed as the name when it's part of the namespace. PURLs that are interpreted differently across implementations cause interoperability issues.

https://github.com/package-url/purl-spec/blob/f729aec79e3e13ac709d6675788634e53fe4d571/test-suite-data.json#L422-L433
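To make the disagreement in the thread concrete, the following is a small strict Package URL parser added here as an illustration; it is not packageurl-python's implementation and not part of the issue. It follows the spec's "how to parse a purl string" steps (split off subpath, qualifiers and version from the right, take the type from the left, then split the remainder once from the right on `/` to get namespace and name) and rejects a purl whose name component comes out empty, which is exactly what happens for `pkg:swift/github.com/Alamofire/@5.4.3`. The `check_against_test_suite` helper and `SAMPLE_CASES` are constructed for this example; they mirror only the `purl` and `is_invalid` keys of the test-suite entries linked above and check the validity flag, not the individual components.

```python
"""Strict purl parser illustrating the empty-name failure case.

Example code added to the discussion; not packageurl-python's own code.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote


class PurlError(ValueError):
    """Raised when a string is not a valid Package URL."""


@dataclass
class Purl:
    type: str
    name: str
    namespace: Optional[str] = None
    version: Optional[str] = None
    qualifiers: Dict[str, str] = field(default_factory=dict)
    subpath: Optional[str] = None


def _rsplit_once(s: str, sep: str) -> Tuple[str, Optional[str]]:
    """Split s once from the right on sep; right side is None if sep is absent."""
    if sep not in s:
        return s, None
    left, _, right = s.rpartition(sep)
    return left, right


def parse_purl(purl: str) -> Purl:
    """Parse a purl string per the spec, raising PurlError on an empty type or name."""
    scheme, sep, rest = purl.partition(":")
    if not sep or scheme.lower() != "pkg":
        raise PurlError("purl must start with 'pkg:'")
    rest = rest.lstrip("/")  # the spec tolerates 'pkg://type/...'

    # Right-to-left: subpath after '#', qualifiers after '?', version after '@'.
    rest, subpath_str = _rsplit_once(rest, "#")
    rest, qualifiers_str = _rsplit_once(rest, "?")
    rest, version = _rsplit_once(rest, "@")

    # Type is everything before the first '/'.
    type_, sep, rest = rest.partition("/")
    if not sep or not type_:
        raise PurlError("purl has no type: %r" % purl)

    # Namespace/name: split once from the right on '/'. A trailing '/' leaves
    # the name empty, which is the malformed case discussed in this issue.
    ns_str, _, name = rest.rpartition("/")
    if not name:
        raise PurlError("purl has no name: %r" % purl)
    namespace = "/".join(unquote(seg) for seg in ns_str.split("/") if seg) or None

    qualifiers: Dict[str, str] = {}
    if qualifiers_str:
        for pair in qualifiers_str.split("&"):
            key, _, value = pair.partition("=")
            if key and value:  # an empty value means "no such qualifier"
                qualifiers[key.lower()] = unquote(value)

    subpath = None
    if subpath_str:
        segments = [unquote(seg) for seg in subpath_str.strip("/").split("/")
                    if seg and seg not in (".", "..")]
        subpath = "/".join(segments) or None

    return Purl(
        type=type_.lower(),
        name=unquote(name),
        namespace=namespace,
        version=unquote(version) if version else None,
        qualifiers=qualifiers,
        subpath=subpath,
    )


def check_against_test_suite(entry: dict) -> bool:
    """Return True if parse_purl agrees with an entry's 'is_invalid' flag.

    The entry shape (keys 'purl' and 'is_invalid') mirrors purl-spec's
    test-suite-data.json; only validity is checked here, not components.
    """
    try:
        parse_purl(entry["purl"])
    except PurlError:
        return bool(entry["is_invalid"])
    return not entry["is_invalid"]


# Constructed sample cases for this example.
SAMPLE_CASES: List[dict] = [
    {"purl": "pkg:swift/github.com/Alamofire/@5.4.3", "is_invalid": True},
    {"purl": "pkg:swift/github.com/Alamofire@5.4.3", "is_invalid": False},
    {"purl": "pkg:npm/%40angular/animation@12.3.1", "is_invalid": False},
    {"purl": "pkg:maven", "is_invalid": True},
]


if __name__ == "__main__":
    for case in SAMPLE_CASES:
        print(case["purl"], "->", "agrees" if check_against_test_suite(case) else "DISAGREES")
```

Running the block shows the strict parser agreeing with all four constructed cases, including rejecting the trailing-slash purl that the REPL session above accepted. The point for interoperability is the one matt-phylum makes: two implementations that both "succeed" on this input but split `github.com/Alamofire/` differently produce different canonical purls for the same string.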