Coordinates
Coordinates are used to identify various components in ClearlyDefined. For example, components to harvest and source locations. The coordinates for an entity has at least five parts: type, provider, namespace, name and revision.
-
type -- the form of the component being identified. For example,
git,npm,sourceArchive. This is logically, though not actually, equivalent to a mime type. -
provider -- where component can be found. Examples include
github,npmjs,mavencentral. The system supports a finite set of providers at any given time. -
namespace -- a qualifier that helps scope the name of the component being identified. This typically comes from the context of the type. For example, for NPM packages, it is the
scope, for Maven project it would be thegroupid, and for GitHub, thelogin(oftenorg) is used. If an entity does not have a reasonable namespace, a-(hyphen) must be used. That is, the namespace is logically optional but the property must be set. -
name -- the name of the component. As with
namespace, the name typically comes from the context of the type. Soartifactidfor Maven, reponamefor GitHub, etc. -
revision -- the instance of the component being identified. The exact form of the revision depends on the type and provider. In Git, a commit hash is used. In package managers, the typical package version is used. This value is largely uninterpreted by ClearlyDefined and simply either passed to the provider as needed or used as an opaque string in internal keys.
For a complete list of valid types and providers, see documentation at swagger ui
Purl type mapping
Examples below illustrate coordinates for each of the following purl type supported. In general, the following holds true:
purl type = type in coordinates
purl namespace = namespace in coordinates
purl name = name in coordinates
purl version = revision in coordinates
There are some exceptions however, which are provided in the notes below.
cocoapods https://cdn.cocoapods.org/
-> pod (in coordinates)
e.g. pod/cocoapods/-/SoftButton/0.1.0
cargo https://crates.io/
-> crate (in coordinates)
e.g. crate/cratesio/-/bitflags/1.0.4
composer https://packagist.org
-> composer (in coordinates)
e.g. composer/packagist/symfony/polyfill-mbstring/1.11.0
conda https://repo.anaconda.com
-> conda (in coordinates)
e.g. conda/conda-forge/linux-aarch64/numpy/1.16.6-py36hdc1b780_0
notes:
- channel -> provider in coordinates (3 providers: anaconda-main, anaconda-r, conda-forge)
- subdir -> namespace in coordinates
- version-build -> revision in coordinates
e.g.
pkg:conda/[email protected]?build=py36h06a4308_0&channel=main&subdir=linux-64&type=tar.bz2
-> conda/anaconda-main/linux-64/absl-py/0.4.1-py36h06a4308_0
deb
-> deb (in coordinates)
e.g. deb/debian/-/mini-httpd/1.30-0.2_arm64
notes:
-
version_architecture -> revision in coordinates
-
source component: arch=source in purl -> debsrc type in coordinates,
e.g. debsrc/debian/-/mini-httpd/1.30-0.2
gem https://rubygems.org
-> gem (in coordinates)
e.g. gem/rubygems/-/sorbet/0.5.11226
github https://github.com
-> git/github (type/provider in coordinates)
e.g. git/github/ratatui-org/ratatui/bcf43688ec4a13825307aef88f3cdcd007b32641
golang for Go packages:
-> go (in coordinates)
e.g. go/golang/rsc.io/quote/v1.3.0
notes:
- component name is url encoded.
maven https://repo.maven.apache.org/maven2
-> maven (in coordinates)
notes:
- three providers: mavencentral, mavengoogle and gradleplugin
e.g.
maven/mavencentral/org.apache.httpcomponents/httpcore/4.3
maven/mavengoogle/android.arch.lifecycle/common/1.0.1
maven/gradleplugin/io.github.lognet/grpc-spring-boot-starter-gradle-plugin/4.6.0 - source component:
e.g. sourcearchive/mavencentral/org.apache.httpcomponents/httpcore/4.3
npm
-> npm (in coordinates)
e.g. npm/npmjs/-/redis/0.1.0
notes:
- namespace is used for scope
nuget: https://www.nuget.org
-> nuget (in coordinates)
e.g. nuget/nuget/-/xunit.core/2.4.1
pypi https://pypi.org
-> pypi (in coordinates)
e.g. pypi/pypi/-/backports.ssl_match_hostname/3.7.0.1