
Validate npm package ownership #2459

Open
ccerv1 opened this issue Nov 10, 2024 · 1 comment
Assignees
Labels
c:data Gathering data (e.g. indexing)

Comments

@ccerv1
Member

ccerv1 commented Nov 10, 2024

What is it?

Using Rust as an example, but this is also the case for NPM...

The SBOM data tells us the name of the Rust package. Now we need to ping the Crates API to look up the GitHub repo that maintains the package. We need to write the Crates collector and then an intermediate model for linking packages to repos. Finally, we should have another model that sees if these artifacts have already been claimed by a project in OSS Directory (and if not we can have a list of popular packages that are unclaimed).

@ccerv1 ccerv1 added the c:data Gathering data (e.g. indexing) label Nov 10, 2024
@ryscheng-mobile ryscheng-mobile changed the title Identify the Github repo that owns a package Validate npm package ownership Nov 11, 2024
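As an added example (not the project's own collector code) of the npm-side linking step described in the issue, this is how the `repository` field that registry.npmjs.org returns for a package can be normalized to a GitHub `owner/repo` and checked against a set of already-claimed repos; the package documents and the claimed set are constructed stand-ins. That field is declared by whoever publishes the package, so a match is a lead for the ownership check, not the validation itself.

```python
import re
from typing import Optional

# Constructed sample of the `repository` field as registry.npmjs.org returns it
# for five hypothetical packages (the collector would fetch the real documents).
SAMPLE_REGISTRY_DOCS = {
    "pkg-a": {"repository": {"type": "git", "url": "git+https://github.com/Example-Org/pkg-a.git"}},
    "pkg-b": {"repository": {"type": "git", "url": "git@github.com:example-org/monorepo.git",
                             "directory": "packages/pkg-b"}},
    "pkg-c": {"repository": "github:other-org/pkg-c"},
    "pkg-d": {"repository": {"type": "git", "url": "https://gitlab.com/someone/pkg-d.git"}},
    "pkg-e": {},  # publisher declared no repository at all
}

# owner/repo part of a github.com URL or scp-style address; tolerates .git, sub-paths, fragments
_GITHUB_RE = re.compile(
    r"github\.com[/:](?P<owner>[\w.-]+)/(?P<repo>[\w.-]+?)(?:\.git)?(?:[/#?].*)?$", re.IGNORECASE)

def github_repo_from_registry_doc(doc: dict) -> Optional[str]:
    """Publisher-declared repo as lowercase 'owner/repo', or None when the
    field is missing, unparsable or not hosted on GitHub."""
    repo = doc.get("repository")
    if isinstance(repo, dict):
        repo = repo.get("url")
    if not isinstance(repo, str) or not repo.strip():
        return None
    repo = repo.strip()
    if repo.startswith("github:"):  # npm shorthand "github:owner/repo"
        repo = "https://github.com/" + repo[len("github:"):]
    elif "://" not in repo and "@" not in repo and repo.count("/") == 1:
        repo = "https://github.com/" + repo  # bare "owner/repo" shorthand
    m = _GITHUB_RE.search(repo)
    return f"{m.group('owner')}/{m.group('repo')}".lower() if m else None

def classify_packages(registry_docs: dict, claimed_repos: set) -> dict:
    """Bucket packages by whether the declared repo is already claimed, is
    unclaimed, or could not be resolved. A 'claimed' hit only means the
    publisher points at that repo; the field is self-declared, so it is a
    linking hint for review, not proof of ownership."""
    claimed = {r.lower() for r in claimed_repos}
    result = {"claimed": {}, "unclaimed": {}, "unresolved": []}
    for name, doc in registry_docs.items():
        repo = github_repo_from_registry_doc(doc)
        if repo is None:
            result["unresolved"].append(name)
        elif repo in claimed:
            result["claimed"][name] = repo
        else:
            result["unclaimed"][name] = repo
    return result
```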
@ryscheng-mobile
Contributor

Rescoping this down to npm.

Please use separate issues for each line of work.
The Rust one was filed a couple of weeks ago: #2381
