Currently `cyclonedx-bom` relies on the `packageurl` crate, which does not support important fields such as qualifiers (e.g. `?vcs_url=...` so that we could encode repo URLs for git dependencies), and the last release of `packageurl` was 2 years ago.
The `purl` crate is a lot more complete and is actively maintained. The maintainers aren't afraid of tackling tough issues across the whole PURL ecosystem that require changes to the spec. (Naturally, spec authors ignore their PRs, but it's the thought that counts!)
`cargo cyclonedx` already depends on `purl` to compose the actual PURLs and then converts them to `packageurl` to feed them to `cyclonedx-bom`. We should migrate `cyclonedx-bom` itself to the `purl` crate as well, since `packageurl` is woefully insufficient even for our own use cases and that is not going to change anytime soon.