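// Source: github.com/kastenhq/syft@v0.0.0-20230821225854-0710af25cdbe/syft/pkg/cataloger/dotnet/package.go

package dotnet

import (
	"strings"

	"github.com/anchore/packageurl-go"
	"github.com/kastenhq/syft/syft/file"
	"github.com/kastenhq/syft/syft/pkg"
)

// newDotnetDepsPackage builds a syft package from a single dotnet deps
// library entry.
//
// nameVersion is expected in the form "<name>/<version>"; the first two
// "/"-separated fields are used and any further fields are ignored. lib is the
// library record the entry maps to, and locations are the files the entry was
// found in.
//
// It returns nil when lib.Type is not "package", or when nameVersion does not
// contain both a name and a version field. Callers must therefore handle a nil
// result.
func newDotnetDepsPackage(nameVersion string, lib dotnetDepsLibrary, locations ...file.Location) *pkg.Package {
	if lib.Type != "package" {
		return nil
	}

	// nameVersion comes from the content being cataloged, so it cannot be
	// trusted to be well formed. Without this guard a key that has no "/"
	// makes fields[1] panic with an index-out-of-range error, which would let
	// one malformed entry abort the scan. Skip the entry the same way
	// non-"package" libraries are skipped.
	fields := strings.Split(nameVersion, "/")
	if len(fields) < 2 {
		return nil
	}
	name := fields[0]
	version := fields[1]

	// Path, Sha512 and HashPath are copied verbatim from the library record.
	// Nothing in this function checks Sha512 against the package contents, so
	// consumers should treat it as a declared value, not a verified digest.
	m := pkg.DotnetDepsMetadata{
		Name:     name,
		Version:  version,
		Path:     lib.Path,
		Sha512:   lib.Sha512,
		HashPath: lib.HashPath,
	}

	p := &pkg.Package{
		Name:         name,
		Version:      version,
		Locations:    file.NewLocationSet(locations...),
		PURL:         packageURL(m),
		Language:     pkg.Dotnet,
		Type:         pkg.DotnetPkg,
		MetadataType: pkg.DotnetDepsMetadataType,
		Metadata:     m,
	}

	// SetID is called only after every field above is populated.
	// NOTE(review): presumably the ID is derived from the package contents —
	// confirm in pkg.Package.
	p.SetID()

	return p
}

// packageURL returns the package URL string for the given dotnet deps
// metadata. The PURL is built with type TypeNuget, an empty namespace, the
// metadata's name and version, no qualifiers and an empty subpath.
func packageURL(m pkg.DotnetDepsMetadata) string {
	// Left at its zero value: no qualifiers are attached to the PURL.
	var qualifiers packageurl.Qualifiers

	return packageurl.NewPackageURL(
		// This originally was packageurl.TypeDotnet, but this isn't a valid PURL type, according to:
		// https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst
		// Some history:
		//   https://github.com/anchore/packageurl-go/pull/8 added the type to Anchore's fork
		//   due to this PR: https://github.com/anchore/syft/pull/951
		// There were questions about "dotnet" being the right purlType at the time, but it was
		// acknowledged that scanning a dotnet file does not necessarily mean the packages found
		// are nuget packages and so the alternate type was added. Since this is still an invalid
		// PURL type, however, we will use TypeNuget and revisit at such time there is a better
		// official PURL type available.
		packageurl.TypeNuget,
		"",
		m.Name,
		m.Version,
		qualifiers,
		"",
	).ToString()
}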