sonatype/ossindex-public

Scanning RPM packages for vulnerabilities

itsecforu opened this issue · 2 comments

Hey folks!

How do I correctly scan rpm packages?

Maybe you have some kind of page with examples or even a wiki?

Internet search gave no results.

Hi!

OSS Index uses the Package URL (purl) specification for packages (components). Here's a link with info:
https://ossindex.sonatype.org/doc/coordinates

The URL of each component on the OSS Index website contains the purl. You can browse a list of rpm components here:
https://ossindex.sonatype.org/browse/rpm?page=0

An easy way to try out the OSS Index API is via this page:
https://ossindex.sonatype.org/rest

Note that the API requires a version number for each purl. For example, here's a specific version of a component: https://ossindex.sonatype.org/component/pkg:rpm/nginx@1.10.1

The purl starts with "pkg:", so the purl is pkg:rpm/nginx@1.10.1.

A request to the API for that purl would be the following:

{
  "coordinates": [
    "pkg:rpm/nginx@1.10.1"
  ]
}

Up to 128 purls per request are allowed (add additional ones to the "coordinates" array above).
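The request format above, worked into a small batch scanner as an added example (not code from the ossindex-public project): it builds pkg:rpm purls from `rpm -qa` output, splits them into request bodies of at most 128 coordinates, and flags components in a report by CVSS score. The v3 component-report endpoint path, the response field names and the sample data are assumptions or constructed here and do not come from this page.

```python
import json
import urllib.request
from urllib.parse import quote

OSSINDEX_REPORT_URL = "https://ossindex.sonatype.org/api/v3/component-report"  # assumed endpoint
MAX_COORDINATES = 128  # per-request limit stated in the thread

def rpm_purl(name, version):
    """Build a purl in the page's form (pkg:rpm/nginx@1.10.1); unsafe chars are percent-encoded."""
    return f"pkg:rpm/{quote(name, safe='')}@{quote(version, safe='')}"

def parse_rpm_query(text):
    """Parse 'NAME VERSION' lines as printed by: rpm -qa --queryformat '%{NAME} %{VERSION}\\n'"""
    purls = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            purls.append(rpm_purl(parts[0], parts[1]))
    return purls

def build_requests(purls):
    """Split purls into request bodies, each holding at most MAX_COORDINATES coordinates."""
    return [{"coordinates": purls[i:i + MAX_COORDINATES]}
            for i in range(0, len(purls), MAX_COORDINATES)]

def post_report(body):
    """POST one request body to OSS Index (needs network; the offline sample below does not call it)."""
    req = urllib.request.Request(OSSINDEX_REPORT_URL, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def flag_vulnerable(report, min_cvss=7.0):
    """Return {purl: [vulnerability ids]} for components with a finding at or above min_cvss."""
    hits = {}
    for component in report:
        ids = [v["id"] for v in component.get("vulnerabilities", [])
               if float(v.get("cvssScore", 0)) >= min_cvss]
        if ids:
            hits[component["coordinates"]] = ids
    return hits

# Constructed sample rpm -qa output and a constructed report in the assumed v3 response shape.
SAMPLE_RPM_QA = "nginx 1.10.1\nopenssl 1.0.2k\nbash 4.4.20\n"
SAMPLE_REPORT = [
    {"coordinates": "pkg:rpm/nginx@1.10.1", "vulnerabilities": [{"id": "EXAMPLE-0001", "cvssScore": 7.5}]},
    {"coordinates": "pkg:rpm/openssl@1.0.2k", "vulnerabilities": [{"id": "EXAMPLE-0002", "cvssScore": 5.3}]},
    {"coordinates": "pkg:rpm/bash@4.4.20", "vulnerabilities": []},
]

if __name__ == "__main__":
    print(json.dumps(build_requests(parse_rpm_query(SAMPLE_RPM_QA))[0], indent=2))
    print(flag_vulnerable(SAMPLE_REPORT))
```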

Hi, thx for the feedback.