What would you like to be added:
During the last syft release (v.0.88.0), we did a fair amount of manual testing of package url (PURL) generation during the release process, and this caught some regressions that would otherwise have been released. The ask here is to put automated testing in syft to assert that syft generates the correct set of PURLs off some known test images, especially images that have JARs in them, since that is the ecosystem where we caught the regressions.
A simple implementation might be: add some Java test images or JARs to the test fixtures, and then add an integration test that asserts that these new test fixtures generate a correct set of PURLs.
Why is this needed:
GHSAs are a great source for data about vulnerabilities, but matching against them depends on generating correct PURLs.
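The shape of the golden-set check proposed above, as an added example that is not syft's own code or test fixtures: a small Go program that renders `pkg:maven/<groupId>/<artifactId>@<version>` PURLs from Maven coordinates, then diffs the generated set against a pinned expected set and reports what is missing or unexpected. The `MavenCoordinates` struct, the `fixtureJARs` map and the `expectedPURLs` list are constructed for illustration; a real integration test would replace `GeneratePURLs` with a catalog of the test image.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// MavenCoordinates is a hypothetical stand-in (not a syft type) for the
// groupId/artifactId/version a Java cataloger reads from a JAR's pom.properties.
type MavenCoordinates struct {
	GroupID    string
	ArtifactID string
	Version    string
}

// purlEscape percent-encodes one PURL component, leaving only RFC 3986
// unreserved characters as-is. Unlike url.PathEscape it also encodes '@' and
// ':', which the package-url spec requires inside name and version segments.
func purlEscape(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case c >= 'a' && c <= 'z', c >= 'A' && c <= 'Z', c >= '0' && c <= '9',
			c == '-', c == '.', c == '_', c == '~':
			b.WriteByte(c)
		default:
			fmt.Fprintf(&b, "%%%02X", c)
		}
	}
	return b.String()
}

// MavenPURL renders pkg:maven/<groupId>/<artifactId>@<version>.
func MavenPURL(c MavenCoordinates) string {
	return fmt.Sprintf("pkg:maven/%s/%s@%s",
		purlEscape(c.GroupID), purlEscape(c.ArtifactID), purlEscape(c.Version))
}

// DiffPURLs compares a golden expected set with the generated set and returns
// sorted lists of PURLs that are missing and unexpected, so a regression such
// as a dropped or malformed PURL shows up as a readable test failure.
func DiffPURLs(expected, actual []string) (missing, unexpected []string) {
	exp := map[string]bool{}
	for _, p := range expected {
		exp[p] = true
	}
	act := map[string]bool{}
	for _, p := range actual {
		act[p] = true
	}
	for p := range exp {
		if !act[p] {
			missing = append(missing, p)
		}
	}
	for p := range act {
		if !exp[p] {
			unexpected = append(unexpected, p)
		}
	}
	sort.Strings(missing)
	sort.Strings(unexpected)
	return missing, unexpected
}

// fixtureJARs is constructed sample metadata standing in for what a cataloger
// would extract from JARs in a test image; these are not real syft fixtures.
var fixtureJARs = map[string]MavenCoordinates{
	"log4j-core-2.17.1.jar": {"org.apache.logging.log4j", "log4j-core", "2.17.1"},
	"guava-31.1-jre.jar":    {"com.google.guava", "guava", "31.1-jre"},
	"odd name-1.0.jar":      {"example", "odd name", "1.0+build.7"},
}

// expectedPURLs is the golden set a reviewer would pin for the fixture above.
var expectedPURLs = []string{
	"pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1",
	"pkg:maven/com.google.guava/guava@31.1-jre",
	"pkg:maven/example/odd%20name@1.0%2Bbuild.7",
}

// GeneratePURLs is the step an integration test would replace with a real
// catalog of the test image; here it simply renders the constructed fixture.
func GeneratePURLs(jars map[string]MavenCoordinates) []string {
	out := make([]string, 0, len(jars))
	for _, c := range jars {
		out = append(out, MavenPURL(c))
	}
	sort.Strings(out)
	return out
}

func main() {
	missing, unexpected := DiffPURLs(expectedPURLs, GeneratePURLs(fixtureJARs))
	if len(missing) == 0 && len(unexpected) == 0 {
		fmt.Println("PURL set matches golden fixture")
		return
	}
	fmt.Println("missing:", missing)
	fmt.Println("unexpected:", unexpected)
}
```

Pinning the whole set rather than spot-checking one PURL is what catches the regressions described above: a cataloger that silently drops a JAR shows up in `missing`, and a change to escaping or coordinate parsing shows up as a pair of one missing and one unexpected entry.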