sonatype-nexus-community / oysteR

Create purls from the filtered sands of your dependencies, powered by OSS Index
https://sonatype-nexus-community.github.io/oysteR/
Apache License 2.0

[Information Request] What to provide when version is unknown? #58

Closed JosiahParry closed 3 years ago

JosiahParry commented 3 years ago

I am making progress in addressing the underlying system requirements for R packages on Linux. While this doesn't help folks on macOS or Windows, the vast majority of enterprise R users are on Linux boxes.

The method I am using to retrieve Linux requirements does not provide versions, and thus the purl is missing the @version portion. I've tried using a wildcard, but that does not work. My Linux knowledge is very minimal.

Is anyone able to provide guidance on how to ping the OSS Index API with regards to the Debian and rpm sources? What is an example purl?

cc @bhamail / @DarthHater / @brittanybelle / @adrianpowell / @csgillespie

JosiahParry commented 3 years ago

According to the purl-spec the version is optional. However, the REST API requires it, though it doesn't care what that is. The OSS Index search does not require a version.

Take the following purl for example: "pkg:rpm/make". This does not POST to the API successfully, but it is accepted in the following search: https://ossindex.sonatype.org/component/pkg:rpm/make.

DarthHater commented 3 years ago

In terms of Linux stuff, you might take a look at this project: https://github.com/sonatype-nexus-community/ahab , we created that for helping people query those types of things (primarily for a docker use case)

ndonewar commented 3 years ago

Hi @JosiahParry - unfortunately, the API for OSS Index does not support purls without versions.

Is anyone able to provide guidance on how to ping the OSS Index API with regards to the Debian and rpm sources? What is an example purl?

As you noted, a good source of example purls is the OSS Index website. You can either search or browse directly for debian or rpm components. Again though, the purls for the API will require version. Here's an example purl with a version: pkg:rpm/make@3.77.44

JosiahParry commented 3 years ago

@DarthHater, thanks! It appears that library executes commands on the linux machine which is something I'm hoping to avoid (a little irony!).

@ndonewar, I've noticed this. However, take, for example, the purl "pkg:pypi/django@*". If you provide the wildcard, at least for PyPI, I believe this uses the most recent version of the package. Perhaps this is an issue in the recording of the CVEs where * is treated as its own version.

DarthHater commented 3 years ago

Wild! When I wrote ahab that was the best thing I could figure out.

JosiahParry commented 3 years ago

I'll note that this doesn't appear to work for Linux as far as I can tell, unless someone knows something I can try it on. Anyone know of a very CVE-prone library?

DarthHater commented 3 years ago

openssl: https://ossindex.sonatype.org/component/pkg:rpm/openssl

ndonewar commented 3 years ago

If you provide the wildcard—at least for PyPI—I believe this uses the most recent version of the package.

Hi @JosiahParry - unfortunately, OSS Index does not work that way. What you're seeing is a side effect of lenient version parsing combined with how a version range for a vulnerability is stored (which changes). The results will be inconsistent over time and won't match up to any expected set (such as "last version" or "all versions", etc.)

For example, the latest version of Django returns no vulnerabilities from OSS Index: https://ossindex.sonatype.org/component/pkg:pypi/django@3.1.7

And all versions combined return 85 (20+62+3) vulnerabilities: https://ossindex.sonatype.org/component/pkg:pypi/django

For now, the OSS Index API requires clients to provide a valid version for good results.
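The constraint ndonewar states above (a purl is valid without a version, but the OSS Index REST API needs a real version, and a wildcard like "@*" only yields inconsistent results) is the kind of thing a client should enforce before it ever sends a request. The following is an added example written for this page; it is not oysteR code and not part of the thread. It composes purls the way purl-spec describes (lower-cased type, percent-encoded components, sorted qualifiers), splits an inventory into coordinates that can be queried and packages that must be held back until a version is known, and chunks the queryable ones into request bodies of the `{"coordinates": [...]}` shape the OSS Index component-report endpoint takes. The sample inventory is constructed; the 128-coordinate batch size reflects the per-request limit OSS Index documents, and is left as a parameter so it can be changed if that limit changes.

```python
"""Turn a package inventory (versions possibly unknown) into OSS Index coordinates.

Added example for this page, not oysteR project code. The purl layout follows
purl-spec; the POST body shape {"coordinates": [...]} is the one the OSS Index
component-report endpoint accepts. The inventory below is constructed sample data.
"""
from urllib.parse import quote

# Assumption: OSS Index documents a cap of 128 coordinates per request. Kept as a
# parameter so the code does not silently depend on that number being current.
MAX_COORDINATES_PER_REQUEST = 128

# Strings the API accepts syntactically but that do not identify a release. The
# thread shows "*" returning whatever the lenient parser happens to match, so
# these are treated as "version unknown" rather than sent to the API.
NON_VERSIONS = {"", "*", "latest", "unknown"}


def make_purl(pkg_type, name, version=None, namespace=None, qualifiers=None):
    """Compose a purl. A missing version yields a version-less purl, which is
    valid per purl-spec but is rejected by the OSS Index REST API."""
    purl = "pkg:" + pkg_type.lower()
    if namespace:
        # Each namespace segment is percent-encoded separately, '/' kept as separator.
        segments = namespace.strip("/").split("/")
        purl += "/" + "/".join(quote(seg, safe="") for seg in segments)
    purl += "/" + quote(name, safe="")
    if version:
        # '+' is left unencoded: it is common in deb versions (e.g. "0+deb11u3").
        purl += "@" + quote(version, safe="+")
    if qualifiers:
        # purl-spec: qualifier keys are lower-case and sorted.
        pairs = sorted((k.lower(), quote(v, safe="")) for k, v in qualifiers.items())
        purl += "?" + "&".join(f"{k}={v}" for k, v in pairs)
    return purl


def has_resolvable_version(version):
    """True only if the version names a concrete release, not a placeholder."""
    return version is not None and version.strip().lower() not in NON_VERSIONS


def split_inventory(inventory):
    """Return (coordinates, unresolved): purls ready for the API, and version-less
    purls for packages whose version is absent or a wildcard. The latter are
    still useful for the website search, which does not need a version."""
    coordinates, unresolved = [], []
    for pkg in inventory:
        version = pkg.get("version")
        if has_resolvable_version(version):
            coordinates.append(make_purl(pkg["type"], pkg["name"], version, pkg.get("namespace")))
        else:
            unresolved.append(make_purl(pkg["type"], pkg["name"], None, pkg.get("namespace")))
    return coordinates, unresolved


def build_requests(coordinates, batch_size=MAX_COORDINATES_PER_REQUEST):
    """Chunk coordinates into POST bodies for the component-report endpoint."""
    return [{"coordinates": coordinates[i:i + batch_size]}
            for i in range(0, len(coordinates), batch_size)]


# Constructed sample inventory: two entries reuse purls that appear in the thread.
SAMPLE_INVENTORY = [
    {"type": "rpm", "name": "make", "version": "3.77.44"},
    {"type": "rpm", "name": "openssl", "version": None},          # version unknown
    {"type": "pypi", "name": "django", "version": "*"},           # wildcard, not a release
    {"type": "pypi", "name": "django", "version": "3.1.7"},
    {"type": "deb", "namespace": "debian", "name": "openssl", "version": "1.1.1n-0+deb11u3"},
]

if __name__ == "__main__":
    ready, held = split_inventory(SAMPLE_INVENTORY)
    for body in build_requests(ready):
        print("POST body:", body)
    for purl in held:
        print("needs a version before querying the API:", purl)
```

The point of the split is that a version-less or wildcard entry is not an error to be papered over with "@*"; it is an item to report back to the user (or to resolve from another source) so the results that do come back are the ones the API is able to answer consistently.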