Skip to content

Update CPAN Spec#827

Open
giterlizzi wants to merge 6 commits intopackage-url:mainfrom
giterlizzi:gdt-cpan-spec
Open

Update CPAN Spec#827
giterlizzi wants to merge 6 commits intopackage-url:mainfrom
giterlizzi:gdt-cpan-spec

Conversation

@giterlizzi
Copy link
Copy Markdown
Contributor

@giterlizzi giterlizzi commented Mar 5, 2026

This PR proposes updates to the CPAN PURL type definition to improve adoption in vulnerability and packaging workflows.

Requiring a namespace is too restrictive when only the CPAN distribution name/version is available (e.g., CVE attribution, CSAF, vulnerability management, downstream packaging such as NixOS, etc.).

Changes

  • namespace is now optional (not deprecated). It may be reserved for future semantics.
  • Added author qualifier for the CPAN author/publisher ID (CPANID).
  • Added distpath qualifier for a repository-relative distribution path (e.g., authors/id/...).
  • Clarified name is the distribution name; parsers MUST reject name containing :: (module naming).

Examples

  • pkg:cpan/perl@5.42
  • pkg:cpan/DBI@1.646
  • pkg:cpan/SBOM-CycloneDX
  • pkg:cpan/URI-PackageURL?author=GDT
  • pkg:cpan/libwww-perl@6.76?author=OALDERS
  • pkg:cpan/DateTime@1.55?author=DROLSKY&repository_url=backpan.perl.org
  • pkg:cpan/Term-Gnuplot@0.90380906?distpath=authors/id/I/IL/ILYAZ/modules/Term-Gnuplot-0.90380906.zip

sjn
sjn reviewed Mar 5, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@sjn sjn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some comments about the optionality of the CPAN ID (author) namespace; We may want to consider keeping around tests and comments describing it's use (and recommended alternative when this is the wrong option).

Comment thread tests/types/cpan-test.json Outdated
Comment thread types/cpan-definition.json Outdated
Comment thread types/cpan-definition.json Outdated
Comment thread types/cpan-definition.json
stigtsp
stigtsp approved these changes Mar 5, 2026
View reviewed changes
Copy link
Copy Markdown

@stigtsp stigtsp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me. Thanks for fixing this

@stigtsp
Copy link
Copy Markdown

stigtsp commented Apr 15, 2026

Anything left to address on this PR? With this change, we will be able to add package URLs to new and historical CVE records for example.

mjherzog
mjherzog reviewed Apr 15, 2026
View reviewed changes
Comment thread types/cpan-definition.json
@mjherzog mjherzog changed the title Updated CPAN Spec Update CPAN Spec Apr 15, 2026
@mjherzog mjherzog added the PURL type: change Change(s) to a registered PURL type label Apr 15, 2026
@mjherzog
Copy link
Copy Markdown
Member

mjherzog commented Apr 15, 2026

@stigtsp Three things seem open:

  • Resolution of the comments from @sjn
  • The PR is missing the updated version of types-doc/cpan-definition.md
  • The PR is still in WIP status

@giterlizzi giterlizzi marked this pull request as ready for review April 15, 2026 20:50
@giterlizzi
Copy link
Copy Markdown
Contributor Author

giterlizzi commented Apr 15, 2026

The PR is missing the updated version of types-doc/cpan-definition.md

I remember that GH Action converts to MD format, which is why I didn't include it in the PR

@mjherzog
Copy link
Copy Markdown
Member

mjherzog commented Apr 15, 2026

The PR is missing the updated version of types-doc/cpan-definition.md

I remember that GH Action converts to MD format, which is why I didn't include it in the PR

The GH Action is not automatically running atm - we need to make adjustments for security such as pinning the GH Actions

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sjn sjn sjn left review comments

@mjherzog mjherzog mjherzog left review comments

+1 more reviewer

@stigtsp stigtsp stigtsp approved these changes

Reviewers whose approvals may not affect merge requirements

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

PURL type: change Change(s) to a registered PURL type

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@giterlizzi @stigtsp @mjherzog @sjn