
JSON Schema for PURL? #54

Closed

chandanbn opened this issue Feb 25, 2019 · 4 comments

@chandanbn

Is there a JSON schema for PURL?

A well-defined JSON schema would be able to encode the rules and restrictions on each PURL component in a programmer-friendly way. This would enable the use of existing JSON schema validation and manipulation tools in multiple programming languages to create, validate or exchange PURL information. One may also embed or store PURL in a JSON document in a more programmatically accessible format (e.g. with CVE JSON data, as on CVElist). This would also help in storing PURL information without the need to parse a PURL on every use (think SQL or NoSQL queries).

The test-suite-data.json seems to contain PURL components encoded as JSON, but is missing scheme, and may not need is_invalid.

```json
  {
    "description": "valid maven purl",
    "purl": "pkg:maven/org.apache.commons/[email protected]",
    "canonical_purl": "pkg:maven/org.apache.commons/[email protected]",
    "type": "maven",
    "namespace": "org.apache.commons",
    "name": "io",
    "version": "1.3.4",
    "qualifiers": null,
    "subpath": null,
    "is_invalid": false
  }
```
jdillon commented Apr 16, 2019

IMO a JSON schema for PURL isn't super-useful, except for how to define the component parts, but generally the idea of a PURL is to render as a single-line string, so a definition of a JSON schema seems to be generally limited in use.

stevespringett (Member) commented Apr 16, 2019

Agreed. JSON schema is completely unrelated to the URI syntax of Package-URL.

@chandanbn (Author)

If I am storing a huge list of PURLs (as in an SBoM) in a database (SQL or NoSQL), I would like to store each purl component in a separate field (and maybe the PURL too). I don't think popular SQL or NoSQL databases are good at directly querying PURL components without some complicated/expensive regex and normalization magic.

Almost all PURL implementations listed here seem to do one or two of:

  1. take components as input and construct a PURL,
  2. take a PURL and decompose to components.

IMHO the most valuable thing here is a data model of a package locator.
The URI syntax is a serialized version of that data. So is JSON, or XML, or YAML ...
These are like containers, the stuff inside is package locating information. IMHO that information is what matters most, more than the wrapper format.

A well constructed JSON or XML schema essentially takes the prose rules for PURL components and turns them into machine readable rule sets for ease of validation and exchange of the information between systems, databases and tools.

IOW, do you have a formal grammar equivalent of rules for each purl component?
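To make concrete what the two posts above ask for (a machine-readable rule set over the component object shape used in test-suite-data.json), here is an added example that is not part of the purl-spec project: a draft JSON Schema for the decomposed PURL components, plus a small stdlib-only evaluator for the schema keywords it uses, standing in for the `jsonschema` library so it runs offline. The character-class patterns for `type` and qualifier keys, the required fields and the "non-empty value" rules are my reading of the spec prose and are assumptions, not an official schema.

```python
import re

# Added example, not from purl-spec: a draft JSON Schema for the component object
# in test-suite-data.json. Patterns and required fields are assumptions from the spec prose.
PURL_COMPONENT_SCHEMA = {
    "$schema": "http://json-schema.org/draft-07/schema#",
    "type": "object",
    "required": ["type", "name"],
    "properties": {
        "type": {"type": "string", "pattern": r"^[a-z][a-z0-9.+-]*$"},
        "namespace": {"type": ["string", "null"], "minLength": 1},
        "name": {"type": "string", "minLength": 1},
        "version": {"type": ["string", "null"], "minLength": 1},
        "qualifiers": {
            "type": ["object", "null"],
            "propertyNames": {"pattern": r"^[a-z][a-z0-9._-]*$"},
            "additionalProperties": {"type": "string", "minLength": 1},
        },
        "subpath": {"type": ["string", "null"]},
    },
}

_TYPES = {"string": str, "null": type(None), "object": dict}

def validate(instance, schema, path="$"):
    """Return a list of violations for the JSON Schema keyword subset used above."""
    allowed = schema.get("type")
    if allowed is not None:
        allowed = allowed if isinstance(allowed, list) else [allowed]
        if not isinstance(instance, tuple(_TYPES[t] for t in allowed)):
            return [f"{path}: expected {'/'.join(allowed)}"]
    errors = []
    if isinstance(instance, str):
        if len(instance) < schema.get("minLength", 0):
            errors.append(f"{path}: must not be empty")
        if "pattern" in schema and not re.search(schema["pattern"], instance):
            errors.append(f"{path}: does not match {schema['pattern']}")
    elif isinstance(instance, dict):
        errors += [f"{path}: missing {k!r}" for k in schema.get("required", []) if k not in instance]
        for key, value in instance.items():
            if "propertyNames" in schema:  # qualifier keys get their own pattern check
                errors += validate(key, schema["propertyNames"], f"{path}.{key} (key)")
            sub = schema.get("properties", {}).get(key, schema.get("additionalProperties"))
            if isinstance(sub, dict):
                errors += validate(value, sub, f"{path}.{key}")
    return errors

# Constructed sample: the test-suite entry quoted earlier in this issue, minus is_invalid.
MAVEN_IO = {"type": "maven", "namespace": "org.apache.commons", "name": "io",
            "version": "1.3.4", "qualifiers": None, "subpath": None}
```

Unknown top-level keys such as `is_invalid` pass, because the top-level object has no `additionalProperties` constraint; tighten that if the stored rows must contain nothing but PURL components.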

@stevespringett (Member)

A set of rules in machine readable format would be useful. We are still debating some of them and clarifying others. JSON schema or XML schema would not help us here though.

You can refer to the CycloneDX project which is an SBOM specification that supports PackageURL. You can also look at the Dependency-Track project which can ingest both CycloneDX and SPDX SBOMs.

Support for PackageURL will be included with SPDX v2.2. It was requested in December 2017, but still hasn't made it into the spec yet.
