
feat: include package purls in JSON output#2885

Open
gotgolem wants to merge 4 commits into google:main from gotgolem:feat/json-package-purls

Conversation

@gotgolem

Contributor

Overview

Fixes #2874.

JSON output currently includes each scanned package's name, version, and ecosystem, but not its package URL.

This PR includes the package URL when scalibr provides one.

Details

I added an optional purl field to PackageInfo and populate it from scalibr's package URL in buildVulnerabilityResults.

The field is omitted (omitempty) when no PURL is available.

Testing

  • go test ./pkg/osvscanner
  • go test ./internal/output
  • go test ./pkg/models
  • ./scripts/run_lints.sh

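As an added illustration of the field described above (this is example code, not the PR's diff or osv-scanner's own code): a trimmed-down, hypothetical `PackageInfo` stand-in with an `omitempty` `purl` field, a builder that copies the package URL only when the inventory layer supplied one, and a consumer-side reader that distinguishes "key absent" from an empty string. The `inventoryPackage` type and the sample packages are constructed for the example; the real scanner takes the PURL from scalibr.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// PackageInfo is a hypothetical stand-in for the scanner's JSON output struct
// (not the project's definition); only the fields discussed in the PR are kept.
type PackageInfo struct {
	Name      string `json:"name"`
	Version   string `json:"version"`
	Ecosystem string `json:"ecosystem"`
	// omitempty drops the key entirely when no PURL is known, so consumers
	// must check for the key rather than expect an empty string.
	Purl string `json:"purl,omitempty"`
}

// inventoryPackage is a constructed stand-in for what the inventory layer
// hands over (scalibr, in the real scanner). PURL is nil when no package
// URL could be built for the package.
type inventoryPackage struct {
	Name      string
	Version   string
	Ecosystem string
	PURL      *string
}

// buildPackageInfo copies the identity fields and sets Purl only when the
// inventory provided one.
func buildPackageInfo(p inventoryPackage) PackageInfo {
	info := PackageInfo{Name: p.Name, Version: p.Version, Ecosystem: p.Ecosystem}
	if p.PURL != nil {
		info.Purl = *p.PURL
	}
	return info
}

// EncodePackage renders one package as a JSON object.
func EncodePackage(p inventoryPackage) (string, error) {
	b, err := json.Marshal(buildPackageInfo(p))
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// PurlFromJSON is the consumer side: it returns the purl value and whether
// the key was present at all, so a missing key is distinguishable from "".
func PurlFromJSON(encoded string) (purl string, present bool, err error) {
	var raw map[string]json.RawMessage
	if err := json.Unmarshal([]byte(encoded), &raw); err != nil {
		return "", false, err
	}
	v, ok := raw["purl"]
	if !ok {
		return "", false, nil
	}
	if err := json.Unmarshal(v, &purl); err != nil {
		return "", true, err
	}
	return purl, true, nil
}

func strPtr(s string) *string { return &s }

func main() {
	// Constructed sample packages: one with a PURL, one without.
	samples := []inventoryPackage{
		{Name: "lodash", Version: "4.17.21", Ecosystem: "npm", PURL: strPtr("pkg:npm/lodash@4.17.21")},
		{Name: "vendored-lib", Version: "1.0.0", Ecosystem: "", PURL: nil},
	}
	for _, s := range samples {
		out, err := EncodePackage(s)
		if err != nil {
			panic(err)
		}
		fmt.Println(out)
	}
}
```

Anything that consumes the JSON (a dashboard, an SBOM merge step, a policy check) should key off the presence of `purl` as shown in `PurlFromJSON`, and fall back to name, version and ecosystem when it is absent.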

@another-rex another-rex left a comment

Collaborator


Apologies for the late review!

I'm happy with the change overall, though I think the test that's added is a bit too complicated for what we're actually doing. I would say try to simplify the test or just remove it entirely.

We're currently a bit busy recently, so it might be a little while before we can get this merged in, but I will try to make sure this change is in the next osv-scanner release.

@gotgolem

Contributor Author

@another-rex
Updated, thanks. I dropped the extra PURL-specific test since the existing snapshots already cover the JSON output.


Development

Successfully merging this pull request may close these issues.

JSON output doesn't include purls for scanned packages

2 participants