Add support for PURL (Package URL) #1497
Comments
Adding support for PURL on packagist.org alone seems doable. However, I'm wondering how this should look when considering the whole composer ecosystem.
@stof the first part is covered by the
Though I can't find any info about how package mirroring would be displayed.
More and more tools use PURL to identify packages in a standardized way.
It's heavily used in SBOMs and SCA tooling. An example tool is Dependency Track. Currently it's based around official standards, and only supports PURL (or CPE) to identify packages. So currently it doesn't index vulnerabilities from packagist (or specific repository instances such as https://packages.drupal.org/files/packages/8).
The request here is to support PURLs in packagist composer repositories. Use cases / features affected by this based on my limited knowledge of the ecosystem (not exhaustive):
Is this something that could be considered?