Specify Maven classifiers / types as part of PURLs / metadata

[sschuberth]

Maven has the concept of a classifier that "distinguishes artifacts that were built from the same POM but differ in content". An example is the struts2-assembly dependency which has "lib", "min-lib" etc. variants that also are ZIPs instead of JARs (see Maven's "type").

As contents between such artifact variants differ, e.g. different vulnerabilities may apply. Also, when trying to use the PURL to construct the exact download location of the artifact for further inspection, that is not possible in this case without knowing about the classifier and type.

PURL already specifies how to map Maven classifier and type to its qualifiers, so it would be nice to have them there. Additionally, maybe a package's metadata object in GitHub's dependency submission API could be used to also list these properties.

[JLLeitschuh]

I had always intended to do this, but I couldn't figure out where to get this information out of the Gradle API. Hoping that @bigdaz has a better idea where to find this information

[sschuberth]

I couldn't figure out where to get this information out of the Gradle API.

That's indeed something I've been banging my head for, too. In ORT, we currently have some not-so-nice code that searches all resolved artifacts for the id of a ResolvedComponentResult, which seems rather inefficient. It would be nice to learn if there's a better way...

[JLLeitschuh]

Oh, interesting! You should consider presenting ORT to the Open Source Security Foundation in one of the WG meetings.

https://openssf.org/getinvolved/
https://slack.openssf.org

[sschuberth]

You should consider presenting ORT to the Open Source Security Foundation

I was actually assuming OSSF to already be aware of ORT as both are Linux Foundation projects in more or less the same domain 😉 But I'll reach out on Slack, thanks!

[sschuberth]

In ORT, we currently have some not-so-nice code that searches all resolved artifacts for the id of a ResolvedComponentResult, which seems rather inefficient. It would be nice to learn if there's a better way...

To add to that, the challenge is that also when determining the classifier / type of a (Maven) artifact, you don't want to download the (binary) artifact itself, but just its metadata, for performance reasons. I'm not sure if that's even possible with Gradle right now, or if the resolution process in this case always triggers the download of the artifact.

[sschuberth]

I couldn't figure out where to get this information out of the Gradle API.

For reference, @ov7a just mentioned over here that no API is planned for this, and that Maven classifiers / types should be parsed from the file name...

[sschuberth]

@bigdaz, since you assigned this to yourself, is there any time frame for adding support for this?

[bigdaz]

@sschuberth No, I don't have any plans to tackle this soon.