Python purl URLs seem incorrect, some examples don't work #627

@unchris

Across this repo, the examples for Python PURLs use pkg:pip, but the purl-spec says it should be pkg:pypi.

Here's a code search showing all the instances of this.

I've been trying to use this action in a new workflow to deny, for example, pycrypto, which is one of the examples in the action.yml among other places:

      - uses: actions/checkout@v4
      - name: "Dependency Review"
        uses: actions/dependency-review-action@v3
        with:
          fail-on-severity: high
          comment-summary-in-pr: "on-failure"
          deny-packages: "pkg:pip/pycrypto, pkg:pypi/pycrypto, pkg:PYPI/pycrypto, pkg:PIP/pycrypto, pycrypto"

I've tried a number of variants, but none of them blocks pycrypto. After adding debug logging, though, I found this is because the pycrypto purl is blank in the run:

{"change_type":"added",
"manifest":"pyproject.toml",
"ecosystem":"pip",
"name":"pycrypto",
"version":"",
"package_url":"",
"license":null,
"source_repository_url":"https://github.com/pycrypto/pycrypto",
"scope":"runtime",
"vulnerabilities":[]},

Here's one it gets right:

{"change_type":"added",
"manifest":"pyproject.toml",
"ecosystem":"pip",
"name":"howso-engine",
"version":"10.0.0",
"package_url":"pkg:pypi/howso-engine@10.0.0",
"license":null,
"source_repository_url":"https://github.com/howsoai/howso-engine-py",
"scope":"runtime",
"vulnerabilities":[]},

Even weirder is what it comes up with for python itself:

{"change_type":"added",
"manifest":"pyproject.toml",
"ecosystem":"pip",
"name":"python",
"version":">= 3.8,< 3.12",
"package_url":"",
"license":null,
"source_repository_url":"https://github.com/mathspp/building-a-python-compiler-and-interpreter",
"scope":"runtime",
"vulnerabilities":[]},

This is in a pyproject.toml-based project using poetry. Here's the dependency section for completeness:

[tool.poetry.dependencies]
python = ">=3.8,<3.12"
cowsay = "~=5.0"
requests = "*"
opentelemetry-instrumentation = "0.39b0"
howso-engine = "10.0.0"
pycrypto = "*"

(The weird set of dependencies was chosen specifically to trigger warnings; this project exists to test GitHub Advanced Security and related tooling like this dependency review action 😂)
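To reproduce the matching problem described in the issue outside the workflow, here is an added example (not the action's own code and not from the issue author). It parses purls the way purl-spec describes for the pypi type (type lowercased, name normalised per PEP 503), folds the `pkg:pip` alias into `pkg:pypi`, and then matches the comma-separated deny list against change records in two modes: purl-only, which is the behaviour the issue reports (a blank `package_url` can never match), and an ecosystem-plus-name fallback, which is a proposed behaviour and not what the action does. The `SAMPLE_CHANGES` records are constructed to mirror the ones in the issue, and the treatment of bare names as pypi packages and the ignoring of versions on deny entries are simplifications assumed for the example.

```python
import re
from urllib.parse import unquote

# Ecosystem names as reported in dependency-review change records -> purl type.
# Assumption: "pip" is the only alias that needs mapping for this example.
ECOSYSTEM_TO_PURL_TYPE = {"pip": "pypi", "pypi": "pypi"}


def normalize_pypi_name(name: str) -> str:
    """PEP 503 name normalisation, which purl-spec also requires for pkg:pypi."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_purl(purl: str):
    """Return (type, namespace, name, version) or None when the string is not a purl.

    The type is lowercased and the pip alias folded to pypi so that
    pkg:pip/PyCrypto, pkg:PYPI/pycrypto and pkg:pypi/pycrypto compare equal.
    """
    if not purl.lower().startswith("pkg:"):
        return None
    body = purl[4:].split("?", 1)[0].split("#", 1)[0]  # drop qualifiers and subpath
    if "/" not in body:
        return None
    ptype, rest = body.split("/", 1)
    version = None
    at = rest.rfind("@")
    if at > rest.rfind("/"):  # an '@' after the last '/' starts the version
        rest, version = rest[:at], unquote(rest[at + 1:])
    parts = [unquote(p) for p in rest.strip("/").split("/")]
    name = parts[-1]
    namespace = "/".join(parts[:-1]) or None
    ptype = ECOSYSTEM_TO_PURL_TYPE.get(ptype.lower(), ptype.lower())
    if ptype == "pypi":
        name = normalize_pypi_name(name)
    return ptype, namespace, name, version


def deny_key(entry: str):
    """Normalise one deny-packages entry to a (type, name) key; versions are ignored.

    Assumption: a bare name such as "pycrypto" is treated as a pypi package.
    The action documents purls here, so this is a proposed relaxation.
    """
    entry = entry.strip()
    parsed = parse_purl(entry)
    if parsed is None:
        return ("pypi", normalize_pypi_name(entry))
    return (parsed[0], parsed[2])


def change_key(change: dict, fallback: bool):
    """Key for one change record.

    fallback=False consults only package_url, the behaviour the issue reports:
    a blank package_url never matches. fallback=True uses ecosystem and name
    instead (proposed behaviour, not the action's).
    """
    parsed = parse_purl(change.get("package_url") or "")
    if parsed is not None:
        return (parsed[0], parsed[2])
    if not fallback:
        return None
    eco = change.get("ecosystem", "").lower()
    ptype = ECOSYSTEM_TO_PURL_TYPE.get(eco, eco)
    name = change.get("name", "")
    if ptype == "pypi":
        name = normalize_pypi_name(name)
    return (ptype, name)


def denied_changes(changes, deny_packages: str, fallback: bool = True):
    """Names of added changes that hit an entry of the comma-separated deny list."""
    keys = {deny_key(e) for e in deny_packages.split(",") if e.strip()}
    return [
        c["name"]
        for c in changes
        if c.get("change_type") == "added" and change_key(c, fallback) in keys
    ]


# Constructed sample modelled on the records quoted in the issue (not captured output).
SAMPLE_CHANGES = [
    {"change_type": "added", "manifest": "pyproject.toml", "ecosystem": "pip",
     "name": "pycrypto", "version": "", "package_url": "", "scope": "runtime"},
    {"change_type": "added", "manifest": "pyproject.toml", "ecosystem": "pip",
     "name": "howso-engine", "version": "10.0.0",
     "package_url": "pkg:pypi/howso-engine@10.0.0", "scope": "runtime"},
    {"change_type": "added", "manifest": "pyproject.toml", "ecosystem": "pip",
     "name": "python", "version": ">= 3.8,< 3.12", "package_url": "", "scope": "runtime"},
]

# The same deny list the issue tried, including the pkg:pip alias and a bare name.
DENY = "pkg:pip/pycrypto, pkg:pypi/pycrypto, pkg:PYPI/pycrypto, pkg:PIP/pycrypto, pycrypto"

if __name__ == "__main__":
    print("purl only    :", denied_changes(SAMPLE_CHANGES, DENY, fallback=False))  # []
    print("with fallback:", denied_changes(SAMPLE_CHANGES, DENY, fallback=True))   # ['pycrypto']
```

Run stand-alone, the purl-only pass returns nothing for pycrypto no matter how the deny entry is spelled, which is the symptom in the issue; only the ecosystem-plus-name fallback catches it. Note that the fallback also keys the `python` pseudo-dependency as a pypi package, so anyone adopting it would want to exclude interpreter constraints before matching.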
