
Update CPAN Spec#827

Open
giterlizzi wants to merge 6 commits into package-url:main from giterlizzi:gdt-cpan-spec

Conversation

@giterlizzi
Contributor

This PR proposes updates to the CPAN PURL type definition to improve adoption in vulnerability and packaging workflows.

Requiring a namespace is too restrictive when only the CPAN distribution name/version is available (e.g., CVE attribution, CSAF, vulnerability management, downstream packaging such as NixOS, etc.).

Changes

  • namespace is now optional (not deprecated). It may be reserved for future semantics.
  • Added author qualifier for the CPAN author/publisher ID (CPANID).
  • Added distpath qualifier for a repository-relative distribution path (e.g., authors/id/...).
  • Clarified name is the distribution name; parsers MUST reject name containing :: (module naming).

Examples

  • pkg:cpan/perl@5.42
  • pkg:cpan/DBI@1.646
  • pkg:cpan/SBOM-CycloneDX
  • pkg:cpan/URI-PackageURL?author=GDT
  • pkg:cpan/libwww-perl@6.76?author=OALDERS
  • pkg:cpan/DateTime@1.55?author=DROLSKY&repository_url=backpan.perl.org
  • pkg:cpan/Term-Gnuplot@0.90380906?distpath=authors/id/I/IL/ILYAZ/modules/Term-Gnuplot-0.90380906.zip
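A small validator for the rules proposed above, as an added example that is not part of this PR or of the package-url project's own code; it assumes the generic purl grammar (pkg:type/[namespace/]name[@version][?qualifiers][#subpath]) and the qualifier names used in the examples, and checks nothing about CPANID or distpath formats beyond what the PR states:

```python
"""Validator for the CPAN purl rules proposed in this PR (added example, not
the package-url project's own code). Assumes the generic purl grammar and the
qualifier names author, distpath and repository_url from the PR's examples."""
from urllib.parse import unquote, parse_qsl


def parse_cpan_purl(purl: str) -> dict:
    """Split a pkg:cpan purl into its parts and apply the PR's rules.
    Raises ValueError for anything a conforming parser MUST reject."""
    if not purl.startswith("pkg:"):
        raise ValueError("not a purl")
    rest = purl[len("pkg:"):]
    rest, _, subpath = rest.partition("#")
    rest, _, query = rest.partition("?")
    rest, _, version = rest.partition("@")
    segments = [s for s in rest.split("/") if s]
    if len(segments) < 2 or segments[0].lower() != "cpan":
        raise ValueError("not a pkg:cpan purl")
    # namespace is optional: two segments -> name only, three -> namespace + name
    if len(segments) == 2:
        namespace, name = None, unquote(segments[1])
    elif len(segments) == 3:
        namespace, name = unquote(segments[1]), unquote(segments[2])
    else:
        raise ValueError("too many path segments")
    # name is the distribution name; a module name (Foo::Bar) MUST be rejected.
    # The check runs on the percent-decoded name so "%3A%3A" cannot slip through.
    if "::" in name:
        raise ValueError(f"module name given as distribution name: {name}")
    qualifiers = dict(parse_qsl(query, keep_blank_values=True))
    return {"namespace": namespace, "name": name,
            "version": unquote(version) or None,
            "qualifiers": qualifiers, "subpath": subpath or None}


# Constructed input: the examples from the PR description
EXAMPLES = [
    "pkg:cpan/perl@5.42",
    "pkg:cpan/DBI@1.646",
    "pkg:cpan/SBOM-CycloneDX",
    "pkg:cpan/URI-PackageURL?author=GDT",
    "pkg:cpan/libwww-perl@6.76?author=OALDERS",
    "pkg:cpan/DateTime@1.55?author=DROLSKY&repository_url=backpan.perl.org",
    "pkg:cpan/Term-Gnuplot@0.90380906?distpath=authors/id/I/IL/ILYAZ/modules/Term-Gnuplot-0.90380906.zip",
]


def check_examples(purls=EXAMPLES) -> list:
    """Return the distribution name of every purl that parses."""
    return [parse_cpan_purl(p)["name"] for p in purls]
```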

@sjn sjn (Contributor) left a comment


Some comments about the optionality of the CPAN ID (author) namespace; we may want to consider keeping around tests and comments describing its use (and the recommended alternative when this is the wrong option).

Comment thread tests/types/cpan-test.json Outdated
Comment thread types/cpan-definition.json Outdated
Comment thread types/cpan-definition.json Outdated
Comment thread types/cpan-definition.json

@stigtsp stigtsp left a comment


Looks good to me. Thanks for fixing this

@stigtsp

stigtsp commented Apr 15, 2026

Anything left to address on this PR? With this change, we will be able to add package URLs to new and historical CVE records for example.

Comment thread types/cpan-definition.json
@mjherzog mjherzog changed the title from "Updated CPAN Spec" to "Update CPAN Spec" Apr 15, 2026
@mjherzog mjherzog added the label "PURL type: change" (Change(s) to a registered PURL type) Apr 15, 2026
@mjherzog
Member

@stigtsp Three things seem open:

  • Resolution of the comments from @sjn
  • The PR is missing the updated version of types-doc/cpan-definition.md
  • The PR is still in WIP status

@giterlizzi giterlizzi marked this pull request as ready for review April 15, 2026 20:50
@giterlizzi
Contributor Author

The PR is missing the updated version of types-doc/cpan-definition.md

I remember that GH Action converts to MD format, which is why I didn't include it in the PR

@mjherzog
Member

The PR is missing the updated version of types-doc/cpan-definition.md

I remember that GH Action converts to MD format, which is why I didn't include it in the PR

The GH Action is not automatically running atm - we need to make adjustments for security such as pinning the GH Actions

4 participants