Add Arch Linux ecosystem and fix distro-namespace purl lookups#1622
Conversation
Adds support for indexing Arch Linux packages from both the official repos and the AUR.

One `Ecosystem::Arch` class with two registries, branching on `registry.metadata['kind']` (official/aur):

- Official: `archlinux.org/packages/search/json/` for the full list (~16k), `/feeds/packages/` RSS for recently updated, `pacman -S` install command
- AUR: `aur.archlinux.org/packages.gz` for the full list (~111k), `/rpc/v5/info` for metadata, `/rss/modified` + `/rss/` via Nokogiri for recently updated (SimpleRSS chokes on the single-quoted XML declaration), `yay -S` install command
- `depends`/`makedepends`/`checkdepends`/`optdepends` with version constraint splitting (`pacman>6.1` → name `pacman`, requirement `>6.1`) and optdepend description stripping
- purl type `alpm`, namespace `arch`, version `[epoch:]pkgver-pkgrel`, qualifiers `arch` and `upstream` — matches what syft emits for `archlinux:base` (trivy doesn't catalog ALPM packages at all)

Also fixes purl lookups for distro-namespace types. SBOM scanners emit `pkg:alpm/arch/jq`, `pkg:apk/alpine/jq`, `pkg:deb/debian/curl` where the namespace is the distro, not part of the package name. The lookup code was joining namespace into the name (`arch/jq`) and only resolving one ecosystem per purl type, so `apk` and `deb` lookups returned nothing. Changes:

- `Ecosystem::Base.name_from_purl` centralises name construction (replaces three copies of the join logic)
- `purl_namespace_in_name?` hook, set false on `Arch`, `Deb`, `Alpine`, `Adelie`, `Postmarketos`
- `purl_type_to_ecosystems` (plural) so `apk` resolves to alpine/adelie/postmarketos and `deb` to deb/debian/ubuntu; all four registry-lookup callsites updated
- `self.purl_type` added to alpine/adelie/postmarketos (apk) and debian/ubuntu (deb)

To enable in production:
Closes #1613
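The distro-namespace lookup and dependency splitting described in the PR, as an added Ruby example that is not the PR's own code; the minimal purl parser, the `DISTRO_NAMESPACE_TYPES` / `PURL_TYPE_TO_ECOSYSTEMS` tables and the `split_dependency` helper are assumptions written for illustration, and the versions in the sample purls are constructed.

```ruby
require 'uri'

# Constructed example, not the project's code. Purl types whose namespace is a
# distro (alpm/arch, apk/alpine, deb/debian) versus types where the namespace
# is part of the package name (npm scopes), plus the type -> ecosystems table.
DISTRO_NAMESPACE_TYPES = %w[alpm apk deb].freeze
PURL_TYPE_TO_ECOSYSTEMS = {
  'alpm' => %w[arch],
  'apk'  => %w[alpine adelie postmarketos],
  'deb'  => %w[deb debian ubuntu],
  'npm'  => %w[npm]
}.freeze

Purl = Struct.new(:type, :namespace, :name, :version, :qualifiers)

# Parse pkg:type/namespace/name@version?qualifiers (namespace optional).
def parse_purl(str)
  raise ArgumentError, "not a purl: #{str}" unless str.start_with?('pkg:')
  body, query = str.delete_prefix('pkg:').split('?', 2)
  body, version = body.split('@', 2)
  parts = body.split('/')
  type = parts.shift
  name = URI.decode_www_form_component(parts.pop)
  namespace = parts.empty? ? nil : parts.map { |p| URI.decode_www_form_component(p) }.join('/')
  qualifiers = query ? URI.decode_www_form(query).to_h : {}
  Purl.new(type, namespace, name, version, qualifiers)
end

# Join namespace into the name only for types where it belongs there.
def name_from_purl(purl)
  return purl.name if purl.namespace.nil? || DISTRO_NAMESPACE_TYPES.include?(purl.type)
  "#{purl.namespace}/#{purl.name}"
end

# One purl type may back several ecosystems; return all of them, not just one.
def ecosystems_for(purl)
  PURL_TYPE_TO_ECOSYSTEMS.fetch(purl.type, [])
end

# Split "pacman>6.1" into ["pacman", ">6.1"]; an optdepend "python: for x"
# has its ": description" suffix stripped first (epochs like "1:2.0" survive).
def split_dependency(spec)
  spec = spec.split(': ', 2).first.strip
  m = spec.match(/\A([^<>=]+)(?:([<>]=?|=)(.+))?\z/) or return nil
  [m[1], m[2] && "#{m[2]}#{m[3]}"]
end
```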