feat: add support for purl (#102)

Author: blackheaven

.github/workflows/haskell-ci.yml

@@ -198,6 +198,7 @@ jobs:
           echo "packages: $GITHUB_WORKSPACE/source/code/hsec-sync" >> cabal.project
           echo "packages: $GITHUB_WORKSPACE/source/code/hsec-core" >> cabal.project
           echo "packages: $GITHUB_WORKSPACE/source/code/cvss" >> cabal.project
+          echo "packages: $GITHUB_WORKSPACE/source/code/purl" >> cabal.project
           cat cabal.project
       - name: sdist
         run: |
@@ -219,6 +220,8 @@ jobs:
           echo "PKGDIR_hsec_core=${PKGDIR_hsec_core}" >> "$GITHUB_ENV"
           PKGDIR_cvss="$(find "$GITHUB_WORKSPACE/unpacked" -maxdepth 1 -type d -regex '.*/cvss-[0-9.]*')"
           echo "PKGDIR_cvss=${PKGDIR_cvss}" >> "$GITHUB_ENV"
+          PKGDIR_purl="$(find "$GITHUB_WORKSPACE/unpacked" -maxdepth 1 -type d -regex '.*/purl-[0-9.]*')"
+          echo "PKGDIR_purl=${PKGDIR_purl}" >> "$GITHUB_ENV"
           rm -f cabal.project cabal.project.local
           touch cabal.project
           touch cabal.project.local
@@ -227,6 +230,7 @@ jobs:
           echo "packages: ${PKGDIR_hsec_sync}" >> cabal.project
           echo "packages: ${PKGDIR_hsec_core}" >> cabal.project
           echo "packages: ${PKGDIR_cvss}" >> cabal.project
+          echo "packages: ${PKGDIR_purl}" >> cabal.project
           echo "package osv" >> cabal.project
           echo "    ghc-options: -Werror=missing-methods" >> cabal.project
           echo "package hsec-tools" >> cabal.project
@@ -237,9 +241,11 @@ jobs:
           echo "    ghc-options: -Werror=missing-methods" >> cabal.project
           echo "package cvss" >> cabal.project
           echo "    ghc-options: -Werror=missing-methods" >> cabal.project
+          echo "package purl" >> cabal.project
+          echo "    ghc-options: -Werror=missing-methods" >> cabal.project
           cat >> cabal.project <<EOF
           EOF
-          $HCPKG list --simple-output --names-only | perl -ne 'for (split /\s+/) { print "constraints: any.$_ installed\n" unless /^(cvss|hsec-core|hsec-sync|hsec-tools|osv)$/; }' >> cabal.project.local
+          $HCPKG list --simple-output --names-only | perl -ne 'for (split /\s+/) { print "constraints: any.$_ installed\n" unless /^(cvss|hsec-core|hsec-sync|hsec-tools|purl|osv)$/; }' >> cabal.project.local
           cat cabal.project
           cat cabal.project.local
       - name: dump install plan
@@ -277,6 +283,8 @@ jobs:
           ${CABAL} -vnormal check
           cd ${PKGDIR_cvss} || false
           ${CABAL} -vnormal check
+          cd ${PKGDIR_purl} || false
+          ${CABAL} -vnormal check
       - name: haddock
         run: |
           $CABAL v2-haddock --disable-documentation --haddock-all $ARG_COMPILER --with-haddock $HADDOCK $ARG_TESTS $ARG_BENCH all

cabal.project

@@ -5,5 +5,6 @@ package hsec-tools
 package hsec-sync
 package cvss
 package osv
+package purl
 
 test-show-details: direct

code/osv/osv.cabal

@@ -34,6 +34,7 @@ library
     , aeson                 >=2.0.1.0  && <3
     , base                  >=4.14     && <5
     , cvss                  >=0.2      && <0.3
+    , purl                  >=0.1      && <0.2
     , text                  >=1.2      && <3
     , time                  >=1.9      && <1.15
 

code/osv/src/Security/OSV.hs

@@ -44,6 +44,7 @@ import Data.Time (UTCTime)
 import Data.Time.Format.ISO8601 (iso8601ParseM)
 import Data.Tuple (swap)
 
+import Data.Purl (Purl)
 import qualified Security.CVSS as CVSS
 
 data Affected dbSpecific ecosystemSpecific rangeDbSpecific = Affected
@@ -182,8 +183,8 @@ instance ToJSON Severity where
 data Package = Package
   { packageName :: Text
   , packageEcosystem :: Text
-  , packagePurl :: Maybe Text  -- TODO refine type
-  } deriving (Show, Eq, Ord)
+  , packagePurl :: Maybe Purl
+  } deriving (Show, Eq)
 
 data Range dbSpecific
   = RangeSemVer [Event Text {- TODO refine -}] (Maybe dbSpecific)

code/purl/CHANGELOG.md

@@ -0,0 +1,3 @@
+# 0.1.0.0
+
+Introduction

code/purl/purl.cabal

@@ -0,0 +1,48 @@
+cabal-version:   3.0
+name:            purl
+version:         0.1.0.0
+synopsis:        Support for purl (mostly universal package url).
+description:
+  Support for the purl specification: <https://github.com/package-url/purl-spec>
+
+license:         BSD-3-Clause
+author:          Gautier DI FOLCO
+maintainer:      [email protected]
+category:        Data
+extra-doc-files: CHANGELOG.md
+tested-with:
+  GHC ==8.10.7 || ==9.0.2 || ==9.2.8 || ==9.4.8 || ==9.6.6 || ==9.8.3 || ==9.10.1 || ==9.12.1
+
+library
+  exposed-modules:  Data.Purl
+  build-depends:
+    , base             >=4.14   && <5
+    , aeson            >=2.0    && <2.3
+    , case-insensitive             <1.3
+    , containers       >=0.6    && <0.8
+    , http-types       >=0.10.0 && <0.13
+    , parsec           ==3.1.*
+    , text             >=1.2    && <3
+
+  hs-source-dirs:   src
+  default-language: Haskell2010
+  ghc-options:
+    -Wall -Wcompat -Widentities -Wincomplete-record-updates
+    -Wincomplete-uni-patterns -Wpartial-fields -Wredundant-constraints
+
+test-suite spec
+  type:             exitcode-stdio-1.0
+  hs-source-dirs:   test
+  main-is:          Spec.hs
+  build-depends:
+    , base         <5
+    , containers
+    , purl
+    , tasty        <1.6
+    , tasty-hunit  <1.0
+    , text
+
+  default-language: Haskell2010
+  ghc-options:
+    -Wall -Wcompat -Widentities -Wincomplete-record-updates
+    -Wincomplete-uni-patterns -Wpartial-fields -Wredundant-constraints