scanoss / purl2cpe Goto Github PK

PURL: pkg:maven/com.google.protobuf/protobuf-java

Query Command:
select cpe from purl2cpe where purl = 'pkg:maven/com.google.protobuf/protobuf-java';

https://github.com/nexB/purl2cpe and https://github.com/sbs2001/purl2cpe have long been using this name. Please try to find another name for your project to avoid confusion, even if the purpose are similar!

Hello,

I find out your project by googling and it seems great. I would like to use it in other open sources such as cve-bin-tool. However, it seems that there is no official release of your project on pypi. So I'm wondering if you plan to make one some day? If not, what is the best way to integrate your project? Should I make a github submodule or perhaps just build and update purl2cpe.db regularly?

Best Regards and thanks for your work

Hi,

Today, the database only have one purl matching one cpe with all its different versions. So for exemple pkg:github/wp-plugins/simple-banner will have the following cpe:

• cpe:2.3:a:simple_banner_project:simple_banner:1.0.1:*:*:*:*:wordpress:*:*
• cpe:2.3:a:simple_banner_project:simple_banner:1.0.2:*:*:*:*:wordpress:*:*
• cpe:2.3:a:simple_banner_project:simple_banner:1.0.3:*:*:*:*:wordpress:*:*
• [...]
• cpe:2.3:a:simple_banner_project:simple_banner:2.9.4:*:*:*:*:wordpress:*:*
• cpe:2.3:a:simple_banner_project:simple_banner:-:*:*:*:*:wordpress:*:*

Don't you think it would make sense to add the version in the purl field ?

For with my previous example purl field would becomes:

• pkg:github/wp-plugins/[email protected]
• pkg:github/wp-plugins/[email protected]
• pkg:github/wp-plugins/[email protected]
• [...]
• pkg:github/wp-plugins/[email protected]
• pkg:github/wp-plugins/simple-banner

Is it something that would make sense for you ?

Thank you

Any reason why the PURL references don't contain the version information which is contained within the cpe entry?

For example, look at purl2cpe/data/libav/libav/purls.yml

pkggithub/libav/libav is not correct. That shouldn't pass the most basic check.

I've processed the entire repo and there are thousands of invalid purls. Not sure how they are derived but some simple quality check using https://github.com/package-url/purl-spec would be very helpful.

Hi there,
Just a heads up there's a new prototype pollution CVE for cronvel/tree-kit that is listed in this file.
More info about the CVE: https://www.code-intelligence.com/blog/treekit-prototype-pollution-cve-2023-38894
Make sure whatever's pulling this repo is updating to the latest version of tree-kit.
Cheers

the name currently used is node-ipic_project, but it seems to me that the correct name is node-ipc_project.

We probably need to change this from - pkg:github/wordpress/wordpress-developt to - pkg:github/wordpress/wordpress-develop. in file data/wordpress/wordpress/purls.yml

The project cannot be cloned on a windows system.
Here is the log:

Receiving objects: 100% (74000/74000), 579.43 MiB | 6.40 MiB/s, done.
Resolving deltas: 100% (6009/6009), done.
error: invalid path 'data/arj_software_inc./unarj/cpes.yml'
fatal: unable to checkout working tree
warning: Clone succeeded, but checkout failed.
You can inspect what was checked out with 'git status'
and retry with 'git restore --source=HEAD :/'

git did not exit cleanly (exit code 128) (117781 ms @ 06/10/2023 14:04:40)

My work is not dependent on this but we found this in a related project.

Firstly, thank you for your great job!

Recently, I find that some CPEs ending with :*:*:*:*:*:*:*:* are missing, for example, cpe:2.3:a:artifex:ghostscript:*:*:*:*:*:*:*:* is not listed in this yaml. And it's not an isolated case.