Closed: tgagneret-embedded closed this 9 months ago
Sorry, duplicate of this: https://github.com/scanoss/purl2cpe/issues/11. But I'm not sure I understand why it's not possible to extract the version from the CPE and add it to the PURL?
The CPE version cannot be automatically added at the end of the PURL because in various cases the two of them are different strings. Take for example "cpe:2.3:a:openssl:openssl:1.1.1r:::::::*". The GitHub PURL with version included, for openssl 1.1.1r, is "pkg:github/openssl/openssl@OpenSSL_1_1_1r", since that's how the openssl developers have declared the version (tag) in GitHub. And, according to the PURL specifications, the version for a GitHub purl is the tag name.
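To make the mismatch above concrete, here is an added Python example (not purl2cpe's own code): it splits a CPE 2.3 formatted string into its components and appends the version to a GitHub PURL only when the repository's tag format is known; the `TAG_FORMATS` table and the `purl_with_version` helper are constructed for this example.

```python
import re
from urllib.parse import quote

# The 11 components that follow the "cpe:2.3:" prefix of a formatted string.
CPE23_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
                "language", "sw_edition", "target_sw", "target_hw", "other")

# Constructed lookup table: how a project names its release tags on GitHub.
# openssl tags 1.1.1r as "OpenSSL_1_1_1r"; repositories not listed here get
# no version appended, because a GitHub purl version is the tag name and it
# cannot be guessed from the CPE version string.
TAG_FORMATS = {
    "pkg:github/openssl/openssl": lambda v: "OpenSSL_" + v.replace(".", "_"),
}


def parse_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string, honouring backslash-escaped colons."""
    prefix = "cpe:2.3:"
    if not cpe.startswith(prefix):
        raise ValueError("not a CPE 2.3 formatted string")
    # A colon preceded by a backslash is part of a value, not a separator.
    parts = re.split(r"(?<!\\):", cpe[len(prefix):])
    if len(parts) != len(CPE23_FIELDS):
        raise ValueError(f"expected 11 components, got {len(parts)}")
    return dict(zip(CPE23_FIELDS, (p.replace("\\:", ":") for p in parts)))


def purl_with_version(base_purl: str, cpe: str):
    """Return base_purl with the CPE version appended, or None if unknowable.

    '-' (not applicable) and '*' / '' (any) carry no concrete version, so the
    bare PURL is returned. For GitHub purls the version must be the tag name,
    so the CPE version is only appended when TAG_FORMATS knows the mapping.
    Other purl types are assumed (for this example) to use the version as-is.
    """
    version = parse_cpe23(cpe)["version"]
    if version in ("", "*", "-"):
        return base_purl
    if base_purl.startswith("pkg:github/"):
        to_tag = TAG_FORMATS.get(base_purl)
        if to_tag is None:
            return None  # tag name unknown: do not invent one
        version = to_tag(version)
    return f"{base_purl}@{quote(version, safe='')}"
```

Running `purl_with_version("pkg:github/openssl/openssl", "cpe:2.3:a:openssl:openssl:1.1.1r:::::::*")` yields the tag-based PURL from the comment above, while the same call for an unlisted repository returns `None` rather than a PURL with a version that may not exist.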
Hi,
Today, the database only has one PURL matching one CPE with all its different versions. So for example
pkg:github/wp-plugins/simple-banner
will have the following CPEs:
cpe:2.3:a:simple_banner_project:simple_banner:1.0.1:*:*:*:*:wordpress:*:*
cpe:2.3:a:simple_banner_project:simple_banner:1.0.2:*:*:*:*:wordpress:*:*
cpe:2.3:a:simple_banner_project:simple_banner:1.0.3:*:*:*:*:wordpress:*:*
cpe:2.3:a:simple_banner_project:simple_banner:2.9.4:*:*:*:*:wordpress:*:*
cpe:2.3:a:simple_banner_project:simple_banner:-:*:*:*:*:wordpress:*:*
Don't you think it would make sense to add the version to the PURL field?
With my previous example, the PURL field would become:
pkg:github/wp-plugins/simple-banner@1.0.1
pkg:github/wp-plugins/simple-banner@1.0.2
pkg:github/wp-plugins/simple-banner@1.0.3
pkg:github/wp-plugins/simple-banner@2.9.4
pkg:github/wp-plugins/simple-banner
Is this something that would make sense to you?
Thank you