-
Notifications
You must be signed in to change notification settings - Fork 25
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
PurlLookup does not work for Go module names containing uppercase letters #93
Comments
Hi @pxp928! Just to clarify, you said you tried this in both the v3 and v3alpha APIs, but purls are only supported in v3alpha, via the Unfortunately, the issue you report isn't one deps.dev can fix, at least not without a bit of help, as it's due to a mismatch between the purl spec and the actual behavior of the Go ecosystem. Here's what's going on: The purl spec for the
We use the canonical Go implementation, which follows this, meaning that it parses the purl in your request, The purl spec is incorrect in this regard; Go module names are case-sensitive. For example:
This is also reflected by other tooling in the Go ecosystem, such as pkg.go.dev:
More information can be found in the documentation for the protocol used by the Go module proxy. It's also mentioned in this issue. So, to fix the issue you report, the purl spec and implementation both need to be updated. I've added a comment on this issue Meanwhile, as an option, you can instead use the |
Hello @sarnesjo! Thank you for the response. Sorry, yes for
and we were getting a similar error: retry it again with (Capital
works properly and does not return an error. It seems like both versions of the API are facing the same case sensitivity issue. |
yea looks like its looking for a different convention depending on querying by versionKey compared to query by PURL. What would be the equivalent PURL that key
I tried the following that didn't yield results :|
|
v3Alpha with purl fails with both: v3 with |
Let me try to untangle the issue into the parts that relate to Go, to purl, and to deps.dev. In Go, module names are case sensitive. In the deps.dev API, calling the The cause for the bug is that the purl implementation (which we use in the deps.dev API server implementation) lowercases the name when parsing. It does that because the purl spec says it must. So, to properly fix this issue, we need to change the purl spec and then change the implementation. |
I would propose exploring the use of qualifiers. Example:
Here |
Querying for:
pkg:golang/github.com/antlr/antlr4/runtime/Go/[email protected]
fails and returns nothing with the error:I did the query via the new deps.dev/api/v3alpha and v3 and they both return the same error.
but in reality, it does exist on deps.dev webpage: https://deps.dev/go/github.com%2Fantlr%2Fantlr4%2Fruntime%2FGo%2Fantlr/v0.0.0-20220418222510-f25a4f6275ed
Is there a reason for this discrepancy?
The text was updated successfully, but these errors were encountered: