|
1 | | -purl-validator |
2 | | -================================ |
3 | | - |
4 | | -PURLs are everywhere in SBOMs. But with adoption comes widespread errors. |
5 | | -A recent study on the quality of SBOMs revealed that for many proprietary and |
6 | | -open source tools, PURLs in SBOMs are inconsistent, fake, incorrect, or |
7 | | -misleading. This is a serious problem to any application of SBOMs for |
8 | | -cybersecurity and application security, as well as related compliance |
9 | | -regulations. This project is to create a PURL validator that's decentralized |
10 | | -such that libraries can use it offline and help them create better PURLs. |
11 | | - |
12 | | -Building this compact dataset is new territory. There is research |
13 | | -and exploration necessary for creating a super compact data structure |
14 | | -that is also easy and fast to query across multiple languages. The data |
15 | | -structure will also need memory-mapping to avoid running out of memory. |
| 1 | +# purl-validator |
| 2 | + |
| 3 | +[](https://opensource.org/licenses/Apache-2.0) |
| 4 | +[](https://github.com/aboutcode-org/purl-validator/releases) |
| 5 | +[](https://github.com/aboutcode-org/purl-validator/actions) |
| 6 | + |
| 7 | +**purl-validator** is a Rust library for validating [Package URLs (PURLs)](https://github.com/package-url/purl-spec). It works fully offline, including in **air-gapped** or **restricted environments**, and answers one key question: **Does the package this PURL represents actually exist?** |
| 8 | + |
| 9 | +## How It Works? |
| 10 | + |
| 11 | +**purl-validator** is shipped with a pre-built FST (Finite State Transducer), a set of compact automata containing latest Package URLs mined by the MineCode[^1]. Library uses this FST to perform lookups and confirm whether the **base PURL**[^2] exists. |
| 12 | +
|
| 13 | +## Currently Supported Ecosystems |
| 14 | + |
| 15 | +- **apk** |
| 16 | +- **cargo** |
| 17 | +- **composer** |
| 18 | +- **conan** |
| 19 | +- **cpan** |
| 20 | +- **cran** |
| 21 | +- **debain** |
| 22 | +- **maven** |
| 23 | +- **npm** |
| 24 | +- **nuget** |
| 25 | +- **pypi** |
| 26 | +- **swift** |
| 27 | + |
| 28 | +## Usage |
| 29 | + |
| 30 | +Add `purl-validator` to your Python dependencies |
| 31 | + |
| 32 | +```bash |
| 33 | +pypi install purl-validator |
| 34 | +``` |
| 35 | + |
| 36 | +Use it in your code like this: |
| 37 | + |
| 38 | +```python |
| 39 | +
|
| 40 | +from purl_validator import PurlValidator |
| 41 | +
|
| 42 | +validator = PurlValidator() |
| 43 | +
|
| 44 | +PurlValidator.validate_purl("pkg:nuget/FluentValidation") |
| 45 | +>>> True |
| 46 | +
|
| 47 | +PurlValidator.validate_purl("pkg:nuget/non-existent-foo-bar") |
| 48 | +>>> False |
| 49 | +``` |
| 50 | + |
| 51 | +## Contribution |
| 52 | + |
| 53 | +We welcome contributions from the community! If you find a bug or have an idea for a new feature, please open an issue on the GitHub repository. If you want to contribute code, you can fork the repository, make your changes, and submit a pull request. |
| 54 | + |
| 55 | +* Please try to write a good commit message, see [good commit message wiki](https://aboutcode.readthedocs.io/en/latest/contributing/writing_good_commit_messages.html). |
| 56 | +* Add DCO `Sign Off` to your commits. |
| 57 | + |
| 58 | +## Development Setup |
| 59 | + |
| 60 | +Run these commands, starting from a git clone of [https://github.com/aboutcode-org/purl-validator.git](https://github.com/aboutcode-org/purl-validator.git) |
| 61 | + |
| 62 | +Run tests: |
| 63 | + |
| 64 | +```bash |
| 65 | +make test |
| 66 | +``` |
| 67 | + |
| 68 | +Fix formatting and linting: |
| 69 | + |
| 70 | +```bash |
| 71 | +make valid |
| 72 | +``` |
| 73 | + |
| 74 | +## License |
| 75 | + |
| 76 | +SPDX-License-Identifier: Apache-2.0 |
| 77 | + |
| 78 | +purl-validator is licensed under Apache License version 2.0. |
| 79 | + |
| 80 | +```text |
| 81 | +You may not use this software except in compliance with the License. |
| 82 | +You may obtain a copy of the License at |
| 83 | +
|
| 84 | + http://www.apache.org/licenses/LICENSE-2.0 |
| 85 | +
|
| 86 | +Unless required by applicable law or agreed to in writing, software |
| 87 | +distributed under the License is distributed on an "AS IS" BASIS, |
| 88 | +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 89 | +See the License for the specific language governing permissions and |
| 90 | +limitations under the License. |
| 91 | +``` |
| 92 | + |
| 93 | +[^1]: MineCode continuously collects package metadata from various package ecosystems to maintain an up-to-date catalog of known packages. |
| 94 | +[^2]: A Base Package URL is a Package URL without a version, qualifiers or subpath. |
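Review bot: The Usage section contradicts the introduction and contains a broken example: the intro calls purl-validator a Rust library, yet the install step says to add it to "your Python dependencies" with `pypi install purl-validator`, which is not a real command (`pip install purl-validator` is the pip invocation; if a PyPI package exists alongside the Rust crate, say so and show both). In the Python snippet an instance is created with `validator = PurlValidator()` but the calls are then made on the class, `PurlValidator.validate_purl(...)`; either call `validator.validate_purl(...)` or drop the unused instance, and present the `>>> True` / `>>> False` results as comments rather than as statements inside the block. Smaller points in the same hunk: "debain" in the supported-ecosystems list should be "debian"; "How It Works?" should lose the question mark; "containing latest Package URLs mined by the MineCode" and "Library uses this FST" need articles ("the latest", "The library"). Since the FST is a shipped snapshot, the How It Works section should also state that a package published after the snapshot date will be reported as non-existent and how to obtain a refreshed FST, which matters for the air-gapped use case the README advertises.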