Open flemminglau opened 1 year ago
Would it make sense to check the purl to find the package manager or what would be a good strategy?
Makes sense. We should follow the conventions of the package manager.
@flemminglau - would you like to create a PR?
I have the code needed but I cannot figure out how to get the test working. So I guess my change would be unwelcome. Line 487 of CycloneSpdxConverter.java:
```java
// Group/name delimiter depends on the package manager: npm scopes use "/", Maven-style uses ":"
String group = component.getGroup();
if (Objects.nonNull(group) && !group.isBlank()) {
    String purl = component.getPurl();
    if (Objects.nonNull(purl) && purl.startsWith("pkg:npm")) {
        // npm: "@scope/name"
        name = group + "/" + name;
    } else {
        // default (e.g. Maven): "groupId:artifactId"
        name = group + ":" + name;
    }
}
```
My point is that the test validates that the ":" is always a ":". But actually for npm it must be a "/" so the test fails.
So the test must be taught to distinguish between java and npm.
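The delimiter-selection idea from the comment above, worked through as a stand-alone added example (it is not code from the converter project and assumes nothing about its classes): the package type is read from the purl's "pkg:<type>/" prefix rather than by a raw prefix match, so case differences and a missing or malformed purl are handled, and the main method exercises both the npm and the Maven case so a test can cover both conventions.

```java
import java.util.Locale;
import java.util.Objects;

// Added example, not part of the converter project.
// Builds an SPDX package name from group, name and purl, choosing the
// group/name delimiter by the purl package type instead of a fixed ":".
public final class SpdxNameBuilder {

    // Extracts the package type from a purl of the form "pkg:<type>/...".
    // Returns null when the purl is absent or does not start with "pkg:".
    static String purlType(String purl) {
        if (purl == null) {
            return null;
        }
        String p = purl.trim();
        // the scheme prefix is matched case-insensitively; the type is normalised to lower case
        if (!p.regionMatches(true, 0, "pkg:", 0, 4)) {
            return null;
        }
        int end = p.indexOf('/', 4);
        if (end < 0) {
            end = p.length();
        }
        String type = p.substring(4, end).toLowerCase(Locale.ROOT);
        return type.isEmpty() ? null : type;
    }

    // Delimiter between group (namespace) and name by package-manager convention:
    // npm scopes are written "@scope/name"; everything else falls back to "group:name".
    static String delimiterFor(String purlType) {
        if ("npm".equals(purlType)) {
            return "/";
        }
        return ":";
    }

    // Assembles the SPDX name; a missing or blank group yields the bare name.
    static String spdxName(String group, String name, String purl) {
        Objects.requireNonNull(name, "name");
        if (group == null || group.isBlank()) {
            return name;
        }
        return group + delimiterFor(purlType(purl)) + name;
    }

    public static void main(String[] args) {
        // Constructed sample inputs covering npm, Maven, no purl, no group and odd casing.
        check(spdxName("@angular", "router", "pkg:npm/%40angular/router@15.0.0"), "@angular/router");
        check(spdxName("org.apache.commons", "commons-lang3",
                "pkg:maven/org.apache.commons/commons-lang3@3.12.0"), "org.apache.commons:commons-lang3");
        check(spdxName("org.example", "lib", null), "org.example:lib");
        check(spdxName(null, "lodash", "pkg:npm/lodash@4.17.21"), "lodash");
        check(spdxName("@angular", "router", "PKG:NPM/%40angular/router"), "@angular/router");
        System.out.println("all checks passed");
    }

    private static void check(String actual, String expected) {
        if (!expected.equals(actual)) {
            throw new AssertionError("expected " + expected + " but got " + actual);
        }
    }
}
```

Run with `java SpdxNameBuilder.java` (Java 11 or newer, for `String.isBlank()` and single-file launch). Separating `purlType` from `delimiterFor` keeps the convention table in one place, so a converter test can assert the ":" case and the "/" case independently instead of assuming one delimiter for every ecosystem.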
We are seeing that an NPM package like
"@angular/router"
in the cyclonedx file is represented as
When the converter constructs the SPDX "name" value it does
yielding an SPDX name of
"name": "@angular:router"
For Java this works fine, as the delimiter between group and name in Java is ":". But for NPM it is a "/", which is implicit in the cyclonedx.