scanoss / purl2cpe
PURL to CPE Relationship mapping project.
License: MIT License
PURL: pkg:maven/com.google.protobuf/protobuf-java
Query Command:
select cpe from purl2cpe where purl = 'pkg:maven/com.google.protobuf/protobuf-java';
https://github.com/nexB/purl2cpe and https://github.com/sbs2001/purl2cpe have long been using this name. Please try to find another name for your project to avoid confusion, even if the purposes are similar!
Hello,
I found your project by googling and it seems great. I would like to use it in other open source projects such as cve-bin-tool. However, it seems that there is no official release of your project on PyPI. So I'm wondering if you plan to make one some day? If not, what is the best way to integrate your project? Should I make a git submodule or perhaps just build and update purl2cpe.db regularly?
Best Regards and thanks for your work
Hi,
Today, the database only has one purl matching one cpe with all its different versions. So for example pkg:github/wp-plugins/simple-banner will have the following cpes:
cpe:2.3:a:simple_banner_project:simple_banner:1.0.1:*:*:*:*:wordpress:*:*
cpe:2.3:a:simple_banner_project:simple_banner:1.0.2:*:*:*:*:wordpress:*:*
cpe:2.3:a:simple_banner_project:simple_banner:1.0.3:*:*:*:*:wordpress:*:*
cpe:2.3:a:simple_banner_project:simple_banner:2.9.4:*:*:*:*:wordpress:*:*
cpe:2.3:a:simple_banner_project:simple_banner:-:*:*:*:*:wordpress:*:*
Don't you think it would make sense to add the version in the purl field?
With my previous example, the purl field would become:
pkg:github/wp-plugins/simple-banner@1.0.1
pkg:github/wp-plugins/simple-banner@1.0.2
pkg:github/wp-plugins/simple-banner@1.0.3
pkg:github/wp-plugins/simple-banner@2.9.4
pkg:github/wp-plugins/simple-banner
Is it something that would make sense for you?
Thank you
Any reason why the PURL references don't contain the version information which is contained within the cpe entry?
For example, look at purl2cpe/data/libav/libav/purls.yml: the entry pkggithub/libav/libav is not correct. That shouldn't pass the most basic check.
I've processed the entire repo and there are thousands of invalid purls. Not sure how they are derived but some simple quality check using https://github.com/package-url/purl-spec would be very helpful.
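The two issues above (version-less purls in the table, and purls that fail a basic syntax check) and the README's lookup query can be tried out together with the following added example. It is not code from the purl2cpe project: the regex is a syntax-only reading of the purl-spec grammar, the `purl2cpe(purl, cpe)` table is rebuilt in memory from constructed rows (the five simple_banner CPEs quoted above plus one constructed `*`-version CPE), and the sample purls list is constructed in the shape of a purls.yml entry set.

```python
import re
import sqlite3

# Syntax-only check against the purl-spec grammar
#   pkg:type/namespace/name@version?qualifiers#subpath
# (namespace, version, qualifiers and subpath are optional). It does not
# apply the per-type normalisation rules of the spec; that is an assumption
# made to keep the example short.
PURL_RE = re.compile(
    r"^pkg:(?P<type>[a-zA-Z][a-zA-Z0-9.+-]*)/"
    r"(?:(?P<namespace>[^@?#]+)/)?"
    r"(?P<name>[^/@?#]+)"
    r"(?:@(?P<version>[^?#]+))?"
    r"(?:\?(?P<qualifiers>[^#]+))?"
    r"(?:#(?P<subpath>.+))?$"
)


def parse_purl(purl):
    """Return the PURL components as a dict, or None when the string is not a PURL."""
    m = PURL_RE.match(purl)
    return m.groupdict() if m else None


def find_invalid_purls(purls):
    """Entries that fail the syntax check; meant to run over every purls.yml under data/."""
    return [p for p in purls if parse_purl(p) is None]


# Constructed list; the second entry is the malformed value reported above.
SAMPLE_PURLS = [
    "pkg:github/libav/libav",
    "pkggithub/libav/libav",
    "pkg:github/wordpress/wordpress-develop",
]

# Constructed rows in the shape of the purl2cpe table. The first five CPEs are
# the ones quoted in the issue; the last one, with a '*' version, is added here
# to show how a wildcard CPE behaves during version filtering.
_SB = "cpe:2.3:a:simple_banner_project:simple_banner:{}:*:*:*:*:wordpress:*:*"
SAMPLE_ROWS = [
    ("pkg:github/wp-plugins/simple-banner", _SB.format(v))
    for v in ("1.0.1", "1.0.2", "1.0.3", "2.9.4", "-", "*")
]


def open_sample_db():
    """In-memory stand-in for purl2cpe.db with the constructed rows loaded."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE purl2cpe (purl TEXT, cpe TEXT)")
    conn.executemany("INSERT INTO purl2cpe VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def cpe_version(cpe):
    """Version field of a CPE 2.3 formatted string (cpe:2.3:part:vendor:product:version:...).
    A plain split is enough for the sample data; backslash-escaped colons in
    real CPE names would need a proper parser."""
    return cpe.split(":")[5]


def lookup_cpes(conn, purl):
    """CPEs for a PURL. The table keys on version-less PURLs, so the version is
    stripped before the query and applied afterwards as a filter: '*' CPEs match
    any version, while '-' (no version) and other versions are dropped."""
    parts = parse_purl(purl)
    if parts is None:
        raise ValueError(f"not a valid PURL: {purl!r}")
    base = f"pkg:{parts['type']}/"
    if parts["namespace"]:
        base += parts["namespace"] + "/"
    base += parts["name"]
    rows = conn.execute(
        "SELECT cpe FROM purl2cpe WHERE purl = ? ORDER BY rowid", (base,)
    ).fetchall()
    cpes = [row[0] for row in rows]
    if parts["version"] is None:
        return cpes
    return [c for c in cpes if cpe_version(c) in (parts["version"], "*")]


if __name__ == "__main__":
    print("invalid purls:", find_invalid_purls(SAMPLE_PURLS))
    db = open_sample_db()
    for p in ("pkg:github/wp-plugins/simple-banner",
              "pkg:github/wp-plugins/simple-banner@1.0.2"):
        print(p, "->", lookup_cpes(db, p))
```

Running the syntax check over the real data/*/*/purls.yml files in CI would catch entries like `pkggithub/libav/libav` before they reach the database; keeping the version filter in the lookup code rather than in the table keys lets the existing one-purl-to-many-CPEs layout stay as it is.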
Hi there,
Just a heads up, there's a new prototype pollution CVE for cronvel/tree-kit that is listed in this file.
More info about the CVE: https://www.code-intelligence.com/blog/treekit-prototype-pollution-cve-2023-38894
Make sure whatever's pulling this repo is updating to the latest version of tree-kit.
Cheers
The name currently used is node-ipic_project, but it seems to me that the correct name is node-ipc_project.
We probably need to change this from pkg:github/wordpress/wordpress-developt to pkg:github/wordpress/wordpress-develop in file data/wordpress/wordpress/purls.yml.
The project cannot be cloned on a windows system.
Here is the log:
Receiving objects: 100% (74000/74000), 579.43 MiB | 6.40 MiB/s, done.
Resolving deltas: 100% (6009/6009), done.
error: invalid path 'data/arj_software_inc./unarj/cpes.yml'
fatal: unable to checkout working tree
warning: Clone succeeded, but checkout failed.
You can inspect what was checked out with 'git status'
and retry with 'git restore --source=HEAD :/'
git did not exit cleanly (exit code 128) (117781 ms @ 06/10/2023 14:04:40)
My work is not dependent on this but we found this in a related project.
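The checkout failure above comes from a directory name with a trailing dot, which Windows rejects. The following added check, which is not part of the purl2cpe project, flags the path components Windows cannot create: trailing dot or space, the reserved characters, and the reserved device names. The sample paths are constructed, with the one from the log included.

```python
import re

# Characters Windows does not allow in a file or directory name.
WIN_BAD_CHARS = re.compile(r'[<>:"|?*\x00-\x1f]')
# Reserved device names; Windows refuses them regardless of extension.
WIN_RESERVED = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def windows_invalid_components(path):
    """Components of a POSIX-style repo path that a Windows checkout would reject."""
    bad = []
    for part in path.split("/"):
        if not part:
            continue
        stem = part.split(".", 1)[0].upper()
        if (part.endswith(".") or part.endswith(" ")
                or WIN_BAD_CHARS.search(part)
                or stem in WIN_RESERVED):
            bad.append(part)
    return bad


def check_tree(paths):
    """Map each offending path to its bad components; feed it `git ls-files` output in CI."""
    result = {}
    for p in paths:
        bad = windows_invalid_components(p)
        if bad:
            result[p] = bad
    return result


# Constructed sample: the path from the log plus two well-formed ones.
SAMPLE_PATHS = [
    "data/arj_software_inc./unarj/cpes.yml",
    "data/wordpress/wordpress/purls.yml",
    "data/libav/libav/purls.yml",
]

if __name__ == "__main__":
    for path, bad in check_tree(SAMPLE_PATHS).items():
        print(f"{path}: invalid on Windows -> {bad}")
```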
Firstly, thank you for your great job!
Recently, I found that some CPEs ending with :*:*:*:*:*:*:*:* are missing. For example, cpe:2.3:a:artifex:ghostscript:*:*:*:*:*:*:*:* is not listed in this yaml, and it's not an isolated case.