[proposal] support namespaces for cargo

[prabhu]

cargo doesn't have or like namespaces.

https://github.com/package-url/purl-spec/blob/main/PURL-TYPES.rst#cargo

We are beginning to see a number of crates becoming unmaintained, forcing developers to fork and vendor them. Here is an example. Unfortunately, the vendored crate components also get the same PURL as the official one. This creates confusions when it comes to prioritizing CVEs raised against official crates.

To avoid assumptions and guesswork, PURL specification could support namespaces or official qualifiers to represent clones and vendored libraries. Unfortunately, neither of these solutions are perfect.

Namespace approach

Example clipboard is a vendored dependency.

We use the name of the parent crate as the namespace.

pkg:cargo/rustdesk/[email protected]

This approach might fail if the project has multiple parents or namespaces. In case of rustdesk, they use another namespace rustdesk-org in multiple places.

Qualifiers approach

The source attribute in Cargo.lock could be used as a qualifier in PURL. Below are couple of examples of source.

# Downloaded from a forked repo
source = "git+https://github.com/rustdesk-org/clipboard-master#4fb62e5b62fb6350d82b571ec7ba94b3cd466695"

# Downloaded from the official repository
source = "registry+https://github.com/rust-lang/crates.io-index"

Unfortunately, we have two issues with this approach.

• What happens when there are no lock files? Then the PURLs become indistinguishable.
• Not every vendored dependency gets a source attribute in the lock file. For example, the package clipboard only has the child dependencies listed in the lock file with no mention of the source :(

[[package]]
name = "clipboard"
version = "0.1.0"
dependencies = [
 "cacao",
 "cc",
 "dashmap",
 "dirs 5.0.1",
 "fsevent",
 "fuser",
 "hbb_common",
 "lazy_static",
 "libc",
 "objc2 0.5.2",
 "objc2-app-kit",
 "objc2-foundation",
 "once_cell",
 "parking_lot",
 "percent-encoding",
 "rand 0.8.5",
 "serde 1.0.203",
 "serde_derive",
 "thiserror 1.0.61",
 "utf16string",
 "uuid",
 "x11-clipboard 0.8.1",
 "x11rb 0.12.0",
 "xattr",
]

To manually compute the source, we can look for any workspace attribute in the toml file. But this is a hack, which we must try and avoid.

Any other better ideas? (Ignore hashes in PURL ideas, since I'm not a fan)

[matt-phylum]

Unfortunately, the vendored crate components also get the same PURL as the official one.

That is a bug in whatever is creating those PURLs. This is a completely independent crate.

We use the name of the parent crate as the namespace.

Vendored crates do not have parent crates. This crate is directly part of the rustdesk repo. It could be in a different repo or a different folder in the same repo.

If the crate is not published to crates.io (or a different registry), it does not have a pkg:cargo PURL. There shouldn't be a cargo-specific way to represent vendoring differently than how it is already (not) handled by the other package types where a package may be vendored.