diff --git a/Cargo.lock b/Cargo.lock
index 182446ecb..c97cfe538 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2090,7 +2090,7 @@ dependencies = [
 [[package]]
 name = "csaf"
 version = "0.5.0"
-source = "git+https://github.com/trustification/csaf-rs?branch=main#4d65f7c791e16b7f80e0a3945bde9b91820f8f5b"
+source = "git+https://github.com/trustification/csaf-rs?branch=main#63ac9e19d881cbf1808de38b6849635cda19931d"
 dependencies = [
 "chrono",
 "cpe",
@@ -5141,12 +5141,12 @@ dependencies = [
 [[package]]
 name = "packageurl"
-version = "0.3.0"
+version = "0.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c53362339d1c48910f1b0c35e2ae96e2d32e442c7dc3ac5f622908ec87221f08"
+checksum = "35da99768af1ae8830ccf30d295db0e09c24bcfda5a67515191dd4b773f6d82a"
 dependencies = [
 "percent-encoding",
- "thiserror 1.0.69",
+ "thiserror 2.0.16",
 ]
 [[package]]
diff --git a/Cargo.toml b/Cargo.toml
index 2035c7596..499a39ace 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -101,7 +101,7 @@ opentelemetry-otlp = "0.31"
 opentelemetry_sdk = "0.31"
 opentelemetry-instrumentation-actix-web = "0.23.0"
 osv = { version = "0.2.1", default-features = false, features = [] }
-packageurl = "0.3.0"
+packageurl = "0.6"
 parking_lot = "0.12"
 peak_alloc = "0.3.0"
 pem = "3"
diff --git a/common/src/purl.rs b/common/src/purl.rs
index 2f25099e3..bef9e56f9 100644
--- a/common/src/purl.rs
+++ b/common/src/purl.rs
@@ -222,7 +222,7 @@ struct PurlVisitor;
 impl Visitor<'_> for PurlVisitor {
 type Value = Purl;
- fn expecting(&self, formatter: &mut Formatter) -> std::fmt::Result {
+ fn expecting(&self, formatter: &mut Formatter) -> fmt::Result {
 formatter.write_str("a pURL")
 }
@@ -235,13 +235,13 @@ impl Visitor<'_> for PurlVisitor {
 }
 impl Display for Purl {
- fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
+ fn fmt(&self, f: &mut Formatter<'_>) -> fmt::Result {
 let mut purl = PackageUrl::new(&self.ty, &self.name).map_err(|_| fmt::Error)?;
 if let Some(ns) = &self.namespace {
- purl.with_namespace(ns);
+ purl.with_namespace(ns).map_err(|_| fmt::Error)?;
 }
 if let Some(version) = &self.version {
- purl.with_version(version);
+ purl.with_version(version).map_err(|_| fmt::Error)?;
 }
 for (key, value) in &self.qualifiers {
 purl.add_qualifier(key, value).map_err(|_| fmt::Error)?;
@@ -251,7 +251,7 @@ impl Display for Purl {
 }
 impl Debug for Purl {
- fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
+ fn fmt(&self, f: &mut Formatter<'_>) -> fmt::Result {
 write!(f, "{self}")
 }
 }
@@ -439,6 +439,11 @@ mod tests {
 purl.to_string().as_str(),
 "pkg:npm/%40fastify/this%40that@3.8-%236.el8"
 );
+ let purl = Purl::from_str("pkg:generic/ibm-granite%2Fgranite-docling-258M@1.0")?;
+ assert_eq!(
+ purl.to_string().as_str(),
+ "pkg:generic/ibm-granite%2Fgranite-docling-258M@1.0"
+ );
 Ok(())
 }
diff --git a/modules/fundamental/Cargo.toml b/modules/fundamental/Cargo.toml
index 749a6062e..27b188289 100644
--- a/modules/fundamental/Cargo.toml
+++ b/modules/fundamental/Cargo.toml
@@ -49,7 +49,6 @@ tracing-futures = { workspace = true, features = ["futures-03"] }
 utoipa = { workspace = true, features = ["actix_extras", "uuid", "time"] }
 utoipa-actix-web = { workspace = true }
 uuid = { workspace = true }
-packageurl = { workspace = true }
 semver = { workspace = true }
 regex = { workspace = true }
 lenient_semver = { workspace = true }
diff --git a/modules/fundamental/src/sbom/endpoints/test.rs b/modules/fundamental/src/sbom/endpoints/test.rs
index 3211cb334..c51fc3a3e 100644
--- a/modules/fundamental/src/sbom/endpoints/test.rs
+++ b/modules/fundamental/src/sbom/endpoints/test.rs
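Review bot: In the `impl Display for Purl` hunk of common/src/purl.rs, mapping the now-fallible `with_namespace` and `with_version` calls to `fmt::Error` means that a `Purl` whose namespace or version the upgraded packageurl crate rejects makes `purl.to_string()` and `format!` panic, because the standard library treats an error returned by a `Display` impl as a bug. The context lines show the same pattern already existed for `PackageUrl::new` and `add_qualifier`, but this change widens the set of stored values that can trigger it, and those fields presumably originate from ingested documents. I cannot see from the hunk whether `Purl::from_str` and the deserializer run the same validation; if they do not, the check belongs there so that `fmt` cannot fail. At minimum the impl should carry a comment such as `// fmt::Error here panics in to_string(); namespace and version must be validated when the Purl is built`. The body of `fmt` continues past the end of the hunk.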
@@ -1661,14 +1661,14 @@ async fn get_aibom(ctx: &TrustifyContext) -> Result<(), anyhow::Error> { "purl": [ { "uuid": "b3d8c434-ec9c-592a-91c8-596183beb691", - "purl": "pkg:generic/ibm-granite/granite-docling-258M@1.0", + "purl": "pkg:generic/ibm-granite%2Fgranite-docling-258M@1.0", "base": { "uuid": "c28a16be-ec3a-5289-a37c-769330a32905", - "purl": "pkg:generic/ibm-granite/granite-docling-258M" + "purl": "pkg:generic/ibm-granite%2Fgranite-docling-258M" }, "version": { "uuid": "b3d8c434-ec9c-592a-91c8-596183beb691", - "purl": "pkg:generic/ibm-granite/granite-docling-258M@1.0", + "purl": "pkg:generic/ibm-granite%2Fgranite-docling-258M@1.0", "version": "1.0" }, "qualifiers": {} @@ -1681,7 +1681,19 @@ async fn get_aibom(ctx: &TrustifyContext) -> Result<(), anyhow::Error> { ], "total": 1 } - ); + ); assert!(expected_result.contains_subset(response.clone())); + + let uri = format!( + "/api/v2/sbom/by-package?purl={}", + encode("pkg:generic/ibm-granite%2Fgranite-docling-258M@1.0") + ); + let req = TestRequest::get().uri(&uri).to_request(); + let response: Value = app.call_and_read_body_json(req).await; + assert_eq!( + response["items"][0]["described_by"][0]["id"], + "pkg:generic/ibm-granite%2Fgranite-docling-258M@1.0" + ); + Ok(()) } diff --git a/modules/ingestor/src/service/advisory/osv/translate.rs b/modules/ingestor/src/service/advisory/osv/translate.rs index c23cd1e37..8ba2d0c57 100644 --- a/modules/ingestor/src/service/advisory/osv/translate.rs +++ b/modules/ingestor/src/service/advisory/osv/translate.rs @@ -27,7 +27,7 @@ fn translate<'a>(ecosystem: &Ecosystem, name: &'a str) -> Option> let name = split[1]; PackageUrl::new("maven", name) .and_then(|mut purl| { - purl.with_namespace(namespace); + purl.with_namespace(namespace)?; if repo != MAVEN_DEFAULT_REPO { purl.add_qualifier("repository_url", repo.clone())?; } @@ -59,9 +59,9 @@ fn split_name<'a>(name: &'a str, ty: &'a str, separator: &str) -> Option
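Review bot: The by-package request added at the end of `get_aibom` (modules/fundamental/src/sbom/endpoints/test.rs) only queries the encoded form `ibm-granite%2Fgranite-docling-258M`, while the expectation changed earlier in the same test shows that the service previously emitted this purl with a literal `/`. A client that stored the previously returned string would now send `pkg:generic/ibm-granite/granite-docling-258M@1.0`, which presumably parses as namespace plus name and may no longer match, so a package lookup could come back empty without any error. I would add a second request using the old form and assert the intended outcome for it, whichever it is, so that the compatibility behaviour is pinned rather than left implicit.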
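Review bot: In the Maven branch of `translate` (modules/ingestor/src/service/advisory/osv/translate.rs), `purl.with_namespace(namespace)?` now turns a rejected namespace into an `Err` inside the `and_then` closure, and since the function returns an `Option` that error is presumably discarded further down, outside this hunk. If so, an OSV entry whose Maven group fails the stricter validation silently loses its package mapping and the advisory is no longer correlated with that package. I would make the loss visible where the `Result` is converted, for example `.inspect_err(|err| log::warn!("dropping invalid maven purl for {name}: {err}"))`, using whichever logging macro the module already has in scope. The function starts and ends outside the hunk.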