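// Source: github.com/nextlinux/gosbom@v0.81.1-0.20230627115839-1ff50c281391/gosbom/pkg/cataloger/dotnet/package.go

package dotnet

import (
	"strings"

	"github.com/nextlinux/gosbom/gosbom/file"
	"github.com/nextlinux/gosbom/gosbom/pkg"

	"github.com/anchore/packageurl-go"
)

// newDotnetDepsPackage builds a pkg.Package from one library entry of a .NET
// deps listing.
//
// nameVersion is expected in the form "<name>/<version>". Only the first two
// "/"-separated fields are used; any further fields are ignored.
//
// It returns nil when lib.Type is not "package", and also when nameVersion
// does not contain a "/" separator. The second case matters for a scanner:
// indexing the split result without a length check would panic on a malformed
// entry and abort cataloging of the artifact that contains it.
// NOTE(review): nameVersion presumably comes from a key in the scanned deps
// file, i.e. content controlled by whoever produced the artifact; confirm
// against the caller, and confirm the caller tolerates the nil return the
// same way it does for non-"package" entries.
func newDotnetDepsPackage(nameVersion string, lib dotnetDepsLibrary, locations ...file.Location) *pkg.Package {
	if lib.Type != "package" {
		return nil
	}

	fields := strings.Split(nameVersion, "/")
	if len(fields) < 2 {
		// Malformed entry: skip it instead of panicking on fields[1].
		return nil
	}
	name, version := fields[0], fields[1]

	// Path, Sha512 and HashPath are recorded exactly as the library entry
	// declares them; nothing in this function checks them against file
	// contents, so consumers should treat them as claimed values.
	m := pkg.DotnetDepsMetadata{
		Name:     name,
		Version:  version,
		Path:     lib.Path,
		Sha512:   lib.Sha512,
		HashPath: lib.HashPath,
	}

	p := &pkg.Package{
		Name:         name,
		Version:      version,
		Locations:    file.NewLocationSet(locations...),
		PURL:         packageURL(m),
		Language:     pkg.Dotnet,
		Type:         pkg.DotnetPkg,
		MetadataType: pkg.DotnetDepsMetadataType,
		Metadata:     m,
	}

	p.SetID()

	return p
}

// packageURL returns the package URL string for the given deps metadata. The
// PURL uses the nuget type with an empty namespace, no qualifiers and an
// empty subpath; only m.Name and m.Version are taken from the metadata.
func packageURL(m pkg.DotnetDepsMetadata) string {
	var qualifiers packageurl.Qualifiers

	return packageurl.NewPackageURL(
		// This originally was packageurl.TypeDotnet, but this isn't a valid PURL type, according to:
		// https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst
		// Some history:
		//   https://github.com/anchore/packageurl-go/pull/8 added the type to Nextlinux's fork
		//   due to this PR: https://github.com/nextlinux/gosbom/pull/951
		// There were questions about "dotnet" being the right purlType at the time, but it was
		// acknowledged that scanning a dotnet file does not necessarily mean the packages found
		// are nuget packages and so the alternate type was added. Since this is still an invalid
		// PURL type, however, we will use TypeNuget and revisit at such time there is a better
		// official PURL type available.
		packageurl.TypeNuget,
		"",
		m.Name,
		m.Version,
		qualifiers,
		"",
	).ToString()
}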