purl of scoped packages

[scolytus]

I'm trying to get my head around scoped packages in npm.
Maybe I'm wrong and overlooked something, please have a look.

Purl Spec

According to purl-spec for npm packages scoped packages shall use the package's scope as purl namespace. Example from spec

pkg:npm/%40angular/animation@12.3.1

• type: npm
• namespace: @angular encoded as %40angular
• name: animation
• version: 12.3.1

Problem

However, when I use cyclonedx-bom -d -o bom.xml I get in the generated BOM URLs like this:

<purl>pkg:npm/angular/%40angular%2Fanimations@9.1.4</purl>

• type: npm ✔️
• namespace: angular, not encoded because no @ in there
  • ❌ should be @angular
• name: @angular/animation, encoded as %40angular%2Fanimations
  • ❌ should be animation
• version: 9.1.4 ✔️

Version

$ cyclonedx-bom --version
1.1.3

[scolytus]

FYI: Dependency Track relies on this format pkg:npm/angular/%40angular%2Fanimations@9.1.4 and does not work with pkg:npm/%40angular/animation@12.3.1.

[stevespringett]

It should be producing scoped packages in the following format: pkg:npm/%40angular/animations@9.1.4. If it doesn't, then that is certainly a defect.

[scolytus]

@stevespringett on my machine it's reproducible, see for example:
https://github.com/scolytus/dependency-demo/blob/master/boms/angular20200506.bom.xml

I also checked the implementation in Dependency Track, it also relies on this faulty behavior for scoped packages, it does not use purl.namespace at all for npm analysis.
Shall I open an issue there as well?

And just for completeness, OSS Index understands neither version, see OSSIndex/vulns#91

[stevespringett]

Thank you.

I also checked the implementation in Dependency Track, it also relies on this faulty behavior for scoped packages, it does not use purl.namespace at all for npm analysis.
Shall I open an issue there as well?

Yes please

[stevespringett]

This fix will be included in the upcoming 2.0.0 release.

[stevespringett]

2.0.0 was pushed to npm. closing.