scanoss / purl2cpe

PURL to CPE Relationship mapping project.
MIT License

Include version in purl (database) #13

Closed tgagneret-embedded closed 9 months ago

tgagneret-embedded commented 10 months ago

Hi,

Today, the database only has one purl matching one cpe with all its different versions. So for example pkg:github/wp-plugins/simple-banner will have the following cpe:

Don't you think it would make sense to add the version in the purl field?

With my previous example, the purl field would become:

Is it something that would make sense for you?

Thank you

tgagneret-embedded commented 10 months ago

Sorry, duplicate of this https://github.com/scanoss/purl2cpe/issues/11. But I'm not sure I understand why it's not possible to extract the version from the cpe and add it to the purl?

scanossmining commented 9 months ago

The CPE version cannot be automatically added at the end of the PURL because in various cases the 2 of them are different strings. Take for example "cpe:2.3:a:openssl:openssl:1.1.1r:*:*:*:*:*:*:*". The GitHub PURL with version included, for openssl 1.1.1r, is "pkg:github/openssl/openssl@OpenSSL_1_1_1r", since that's how the openssl developers have declared the version (tag) in GitHub. And, according to the PURL specifications, the version for a GitHub purl is the tag name.
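The distinction drawn in the last comment, shown as an added example that is not part of this issue thread or of the purl2cpe project: a CPE 2.3 string is parsed, its version field is appended verbatim to the matching PURL (what the issue proposes), and the result is checked against the tags the repository actually publishes. The tag lists and the second project (example-org/example-lib) are constructed sample data, and the per-project normalizer is an assumption about what a mapping would need; none of this reflects purl2cpe's own database.

```python
import re

# Constructed sample data (an assumption for this example, not from the
# purl2cpe database): the Git tags each project actually publishes.
# openssl really tags its releases "OpenSSL_1_1_1r"; example-org/example-lib
# is hypothetical and stands for a project whose tags equal the bare version.
SAMPLE_TAGS = {
    "pkg:github/openssl/openssl": ["OpenSSL_1_1_1q", "OpenSSL_1_1_1r"],
    "pkg:github/example-org/example-lib": ["2.4.0", "2.4.1"],
}

CPE23_FIELDS = ["part", "vendor", "product", "version", "update", "edition",
                "language", "sw_edition", "target_sw", "target_hw", "other"]


def parse_cpe23(cpe):
    """Split a CPE 2.3 formatted string into named components.

    A literal ':' inside a component is escaped as '\\:', so split only on
    unescaped colons; a well-formed string has exactly 13 fields.
    """
    fields = re.split(r"(?<!\\):", cpe)
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError("not a CPE 2.3 formatted string: %r" % cpe)
    return dict(zip(CPE23_FIELDS, fields[2:]))


def split_purl_version(purl):
    """Return (purl_without_version, version_or_None).

    The version is the part of the name after '@'; qualifiers ('?...') and
    the subpath ('#...') that may follow it are ignored here.
    """
    base = purl.split("?", 1)[0].split("#", 1)[0]
    head, _, name = base.rpartition("/")
    name, _, version = name.partition("@")
    prefix = head + "/" if head else ""
    return prefix + name, version or None


def naive_purl_with_cpe_version(purl, cpe):
    """What the issue proposes: append the CPE version to the PURL as-is."""
    base, _ = split_purl_version(purl)
    return base + "@" + parse_cpe23(cpe)["version"]


def purl_version_is_real_tag(versioned_purl, tags_by_purl):
    """Check a versioned pkg:github PURL against the repository's tags.

    Per the PURL spec the version of a pkg:github PURL is the tag name, so a
    version that is not a tag does not identify any release.
    """
    base, version = split_purl_version(versioned_purl)
    return version in tags_by_purl.get(base, [])


def resolve_purl_version(purl, cpe, tags_by_purl, normalize):
    """Map a CPE version onto a real tag via a per-project rule.

    'normalize' is a hypothetical project-specific translation (e.g. turning
    '1.1.1r' into 'OpenSSL_1_1_1r'); returns None when no tag matches.
    """
    base, _ = split_purl_version(purl)
    candidate = normalize(parse_cpe23(cpe)["version"])
    if candidate not in tags_by_purl.get(base, []):
        return None
    return base + "@" + candidate


if __name__ == "__main__":
    cpe = "cpe:2.3:a:openssl:openssl:1.1.1r:*:*:*:*:*:*:*"
    purl = "pkg:github/openssl/openssl"
    guess = naive_purl_with_cpe_version(purl, cpe)
    print(guess, "->", purl_version_is_real_tag(guess, SAMPLE_TAGS))
    fixed = resolve_purl_version(
        purl, cpe, SAMPLE_TAGS, lambda v: "OpenSSL_" + v.replace(".", "_"))
    print(fixed, "->", purl_version_is_real_tag(fixed, SAMPLE_TAGS))
```

Running the script shows the naive PURL "pkg:github/openssl/openssl@1.1.1r" failing the tag check while the normalized one passes; for a project whose tags already equal the bare version the naive form happens to work, which is why the shortcut looks reasonable until a project like openssl is hit.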