Skip to content

Continue reporting/displaying PURLs with URL encoding? #1253

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
johnmhoran opened this issue Aug 1, 2023 · 1 comment
Open

Continue reporting/displaying PURLs with URL encoding? #1253

johnmhoran opened this issue Aug 1, 2023 · 1 comment
Assignees
@johnmhoran
Labels
API enhancement ui

Comments

@johnmhoran
Copy link
Member

This is related to #1228 and #1252.

I noticed yesterday while working on #1228 that my tests using univers (https://github.com/nexB/univers) to compare affected and fixed by versions threw a univers.versions.InvalidVersion: '2.12.1-1%2Bdeb11u1' is not a valid <class 'univers.versions.DebianVersion'> error when I included pkg:deb/debian/[email protected]%2Bdeb11u1 in the test.

I eventually figured out that the culprit was the string %2B -- the URL-encoded + that debian.org uses for this jackson-databind package. (See, e.g., https://developer.mozilla.org/en-US/docs/Glossary/Percent-encoding.) Importing urllib.parse and using the unquote() function enabled me to complete the comparison without error, and is now part of my draft tests as well:

        # Test the error
        with pytest.raises(versions.InvalidVersion):
            assert versions.DebianVersion("2.12.1-1%2Bdeb11u1") < versions.DebianVersion(
                "2.13.1-1%2Bdeb11u1"
            )
        # Decode the version and test.
        assert versions.DebianVersion(
            urllib.parse.unquote("2.12.1-1%2Bdeb11u1")
        ) < versions.DebianVersion(urllib.parse.unquote("2.13.1-1%2Bdeb11u1"))

My question: do we want to continue this approach, or would we prefer instead to use non-URL-encoded versions in our PURLs?

If we search in vulnerablecode.io for pkg:deb/debian/[email protected]%2Bdeb11u1 and pkg:deb/debian/[email protected]+deb11u1, we get the same results -- displayed in the UI, for example like this

pkg:deb/debian/[email protected]%2Bdeb11u1

with these respective links

https://public.vulnerablecode.io/packages/pkg:deb/debian/[email protected]%252Bdeb11u1?search=pkg:deb/debian/[email protected]%2Bdeb11u1

https://public.vulnerablecode.io/packages/pkg:deb/debian/[email protected]%252Bdeb11u1?search=pkg:deb/debian/[email protected]+deb11u1

FWIW, debian.org displays the non-encoded version 2.12.1-1+deb11u1 with an underlying link to a details page. See https://tracker.debian.org/pkg/jackson-databind.
@johnmhoran johnmhoran self-assigned this Aug 1, 2023
@johnmhoran
Copy link
Member Author

I see that packageurl.PackageURL.from_string() will also provide us with a decoded (or non-URL-encoded) version from a PURL.

import urllib.parse

import packageurl

deb_purl = "pkg:deb/debian/[email protected]%2Bdeb11u1"
decoded_deb_purl = urllib.parse.unquote(deb_purl)

print("\ndecoded_deb_purl = {}\n".format(decoded_deb_purl))

# Test PURL
purl = packageurl.PackageURL.from_string(deb_purl)
print("\npurl = {}\n".format(purl))
print(purl.type)
print(purl.namespace)
print(purl.name)
print(purl.version)
print(purl.qualifiers)
print(purl.subpath)

produces this output:

decoded_deb_purl = pkg:deb/debian/[email protected]+deb11u1


purl = pkg:deb/debian/[email protected]%2Bdeb11u1

deb
debian
jackson-databind
2.12.1-1+deb11u1
{}
None

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@johnmhoran johnmhoran

Labels
API enhancement ui
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@johnmhoran