This repository has been archived by the owner on Jan 19, 2023. It is now read-only.

How to query scoped (@) npm packages? #91

Closed
scolytus opened this issue May 7, 2020 · 1 comment
Labels
bug Something isn't working

Comments


scolytus commented May 7, 2020

Problem

  • coordinates are provided as package-url
  • according to package-url spec, for scoped package names the url should be built like this: pkg:npm/%40angular/animation@12.3.1
  • not clear to me how to use it with OSS Index

Example

curl -X GET "https://ossindex.sonatype.org/api/v3/component-report/pkg%3Anpm%2F%2540impala%2Fbmap%401.0.3" -H  "accept: application/vnd.ossindex.component-report.v1+json"

{
  "coordinates": "pkg:npm/%40impala/bmap@1.0.3",
  "reference": "https://ossindex.sonatype.org/component/pkg:npm/%40impala/bmap@1.0.3",
  "vulnerabilities": []
}

--> No error reported, but reference leads to 404

curl -X GET "https://ossindex.sonatype.org/api/v3/component-report/pkg%3Anpm%2F%40impala%2Fbmap%401.0.3" -H  "accept: application/vnd.ossindex.component-report.v1+json"

{
  "code": 404,
  "message": "HTTP 404 Not Found"
}

--> So this is clearly the wrong encoding

curl -X GET "https://ossindex.sonatype.org/api/v3/component-report/pkg%3Anpm%2Fimpala%2Fbmap%401.0.3" -H  "accept: application/vnd.ossindex.component-report.v1+json"

{
  "coordinates": "pkg:npm/impala/bmap@1.0.3",
  "reference": "https://ossindex.sonatype.org/component/pkg:npm/impala/bmap@1.0.3",
  "vulnerabilities": [
    {
      "id": "cb9167cb-4123-4912-8008-1428689fff7a",
      "title": "CWE-506: Embedded Malicious Code",
      "description": "The application contains code that appears to be malicious in nature.",
      "cvssScore": 9.6,
      "cvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "cwe": "CWE-506",
      "reference": "https://ossindex.sonatype.org/vuln/cb9167cb-4123-4912-8008-1428689fff7a"
    },
    {
      "id": "94b76588-9623-4e55-b882-d4cbd2709a9e",
      "title": "CWE-506: Embedded Malicious Code",
      "description": "The application contains code that appears to be malicious in nature.",
      "cvssScore": 9.6,
      "cvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "cwe": "CWE-506",
      "reference": "https://ossindex.sonatype.org/vuln/94b76588-9623-4e55-b882-d4cbd2709a9e"
    }
  ]
}

--> works

Conclusion

  • please support package-url according to specification
@ndonewar (Contributor) commented:

Thanks for reporting this issue! Sorry it took so long to get back to you. This bug has been fixed in OSS Index, so the following should work as expected:

Site:
https://ossindex.sonatype.org/component/pkg:npm/%40impala/bmap@1.0.3

API:
(Note: POST is typically preferred as it allows for multiple coordinates per request)

curl -H "Content-Type: application/json" -X POST -d '{ "coordinates": [ "pkg:npm/%40impala/bmap@1.0.3" ] }' https://ossindex.sonatype.org/api/v3/component-report
curl -H "Content-Type: application/json" -X GET "https://ossindex.sonatype.org/api/v3/component-report/pkg:npm/%40impala/bmap@1.0.3"

Please let us know if you have any other questions. Thanks!
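As an added example (not code from this issue or from OSS Index), the following builds spec-conformant package-urls for scoped and unscoped npm packages, forms the GET path and POST body for the component-report endpoint exactly as in the working requests above, and triages a report for CWE-506 findings; the sample report is constructed, modelled on the response in the issue.

```python
import json
from urllib.parse import quote

OSSINDEX_REPORT_URL = "https://ossindex.sonatype.org/api/v3/component-report"


def npm_purl(name: str, version: str) -> str:
    """package-url for an npm package; "@impala/bmap" -> "pkg:npm/%40impala/bmap@...".

    Per the package-url spec the scope's '@' is percent-encoded in the namespace,
    so it cannot be confused with the '@' separating name and version.
    """
    if name.startswith("@"):
        scope, _, bare = name[1:].partition("/")
        if not scope or not bare:
            raise ValueError(f"malformed scoped npm name: {name!r}")
        return f"pkg:npm/%40{scope}/{bare}@{version}"
    if "/" in name:
        raise ValueError(f"unscoped npm name must not contain '/': {name!r}")
    return f"pkg:npm/{name}@{version}"


def get_url(purl: str) -> str:
    """URL for GET .../component-report/{coordinates}.

    The purl is already percent-encoded, so '%' is left alone: encoding it again
    yields '%2540', which OSS Index reads as the literal scope "%40impala" (the
    404 reference seen in the issue).
    """
    return f"{OSSINDEX_REPORT_URL}/{quote(purl, safe=':/@%')}"


def post_body(purls) -> str:
    """JSON body for POST .../component-report (several coordinates per call)."""
    return json.dumps({"coordinates": list(purls)})


def malicious_components(report) -> list:
    """Coordinates whose report carries a CWE-506 (embedded malicious code) finding."""
    return [
        c["coordinates"] for c in report
        if any(v.get("cwe") == "CWE-506" for v in c.get("vulnerabilities", []))
    ]


# Constructed sample response, shaped like the one in the issue (ids are placeholders).
SAMPLE_REPORT = [
    {"coordinates": "pkg:npm/%40impala/bmap@1.0.3",
     "vulnerabilities": [{"id": "PLACEHOLDER-ID", "cwe": "CWE-506", "cvssScore": 9.6}]},
    {"coordinates": "pkg:npm/lodash@4.17.21", "vulnerabilities": []},
]
```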
