Comments (5)
@scovetta @gfs You might want to be careful before doing this. As I mentioned on #418, the Package URL spec expects @
to be percent-encoded in package names in order to avoid parsing ambiguity, since @
indicates that characters to the right should be interpreted as a version string. The implications of accepting package URLs that deviate from the spec might be difficult to predict.
Maybe instead we could improve the error messaging? E.g. if a given Package URL fails to parse, we could check for cases like this (e.g. the package URL looks like an npm package, with @
in the namespace position) and print a more helpful error message explaining that namespace
and `name components of package URLs need to be percent-encoded?
from ossgadget.
I think the reporting user makes a fair point that even if that is what the spec says it's not very intuitive.
Particularly for handling perhaps manually typed input on a command line if we can reasonably detect this case where the @ for the namespace needs to be encoded why don't we just automatically do it on the users behalf?
from ossgadget.
Actually, I think we deviate from the spec too a bit - in at least some cases, we require the slash separator between namespace and name to be encoded. This means we get namespace=[blank]
and name=foo%2fbar
. I don't recall why this was needed.
// FAILS
oss-download pkg:npm/%40microsoft/fast-web-utilities
// SUCCESS
oss-download pkg:npm/%40microsoft%2ffast-web-utilities
According to the spec, that /
separator between namespace and name must not be encoded.
from ossgadget.
Particularly for handling perhaps manually typed input on a command line if we can reasonably detect this case where the @ for the namespace needs to be encoded why don't we just automatically do it on the users behalf?
@gfs That's not an unreasonable point. I can't think of any way that might go wrong - but that said, the types of subtle bugs that can result from tolerating deviations from specs tend to be hard to predict.
If you go forward with that approach, would you mind keeping that tolerant parsing behavior at the CLI layer? For Terrapin (which consumes the Shared and oss-find-squats-lib libraries), strict compliance with spec is part of how we make sure subtle bugs in our system get surfaced while handling millions of distinct package versions. (I think those libraries primarly work with already-parsed Package URL objects so this point might be a non-issue - but I thought I would mention it just in case any part(s) of those libraries accepts package URLs as strings).
from ossgadget.
from ossgadget.
Related Issues (20)
- oss-metadata for golang (native) errors out
- oss-detect-cryptography directory issues
- oss-detect-backdoor: Add additional patterns HOT 1
- Fail to build Docker image
- Wrong parameter order in OssGadgetLib.cs? HOT 1
- Can not find source for tensorflow and torch package HOT 1
- GITHUB_ACCESS_TOKEN environment variable is never used
- osshealth: NPM purl convention is incomplete, excludes most packages HOT 6
- oss-health doesn't work for github repositories HOT 1
- Please change Reproducible to another term, e.g., Semantically reproducible HOT 5
- Top-level README doesn't note oss-reproducible nor link to its README HOT 2
- Add usage to oss reproducible wiki
- Rename "semantically reproducible build" to something else? HOT 6
- Report if a package is a reproducible build or is just semantically equivalent
- Unable to fetch versions for a Cocoapods package HOT 3
- Replace moq with NSubstitute HOT 2
- Migrate Dockerfile to use Mariner 2
- OSS-Download CLI outputs all output on std error
- Refactor Logging
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from ossgadget.