We usually reference the node binary with vendor + product nodejs/node (for example in our CPE) since we ship multiple packages under the node.js organization.
However, the ecosystem references the Node.js binary PURL as pkg:generic/node; you can verify this with a quick Google search.
I believe the PURL should be pkg:generic/nodejs/node.
According to the PURL spec the namespace is optional, but I think it better represents our convention.
I'm writing this issue to seek agreement on our preferred PURL convention.
If we agree I'll send a PR to https://github.com/package-url/purl-registry/tree/main/registry/purl so tools can track our decision.
Depending on the output of the conversation, we should fix our PURL in the VEX file, which is wrong because node is not a type, so it's against the spec.
@nodejs/security-wg
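To make the two points in the issue concrete (the namespace component of a purl is optional, and `node` is not a registered purl type), here is a small purl parser and validator. This is an added example for this discussion, not code from the Node.js project or from the issue author. It follows the `pkg:type/namespace/name@version?qualifiers#subpath` grammar of the purl spec; the list of registered types is a hand-copied subset (an assumption to be kept in sync with PURL-TYPES.rst), and the version, download_url and subpath values used in the examples are constructed sample input.

```python
"""Minimal purl parser/validator (added example, not Node.js project code).

Grammar per the purl spec: pkg:type/namespace/name@version?qualifiers#subpath
  - scheme 'pkg:' and type are required; type must be a registered purl type
  - namespace is optional and may have several '/'-separated segments
  - version follows the last '@'; qualifiers follow '?'; subpath follows '#'
"""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import unquote

# ASSUMPTION: a hand-copied subset of the types registered in PURL-TYPES.rst.
# 'node' is deliberately absent because it is not a registered purl type.
REGISTERED_TYPES = frozenset({
    "alpm", "apk", "bitbucket", "cargo", "cocoapods", "composer", "conan",
    "conda", "cran", "deb", "docker", "gem", "generic", "github", "golang",
    "hackage", "hex", "huggingface", "maven", "npm", "nuget", "oci", "pub",
    "pypi", "rpm", "swid", "swift",
})


@dataclass(frozen=True)
class Purl:
    type: str
    name: str
    namespace: Optional[str] = None
    version: Optional[str] = None
    qualifiers: dict = field(default_factory=dict)
    subpath: Optional[str] = None


class PurlError(ValueError):
    """Raised when a string does not satisfy the purl grammar."""


def parse_purl(purl: str) -> Purl:
    """Parse and validate a purl string; raise PurlError on spec violations."""
    s = purl.strip()
    if not s.startswith("pkg:"):
        raise PurlError("purl must start with the 'pkg:' scheme")
    s = s[len("pkg:"):].lstrip("/")  # spec tolerates '/' right after the scheme

    # Subpath and qualifiers come last, so split them off before the path.
    subpath = None
    if "#" in s:
        s, raw_subpath = s.split("#", 1)
        # Drop empty, '.' and '..' segments as the spec requires.
        segs = [unquote(x) for x in raw_subpath.strip("/").split("/")
                if x not in ("", ".", "..")]
        subpath = "/".join(segs) or None

    qualifiers = {}
    if "?" in s:
        s, qstr = s.split("?", 1)
        for pair in qstr.split("&"):
            if not pair:
                continue
            if "=" not in pair:
                raise PurlError(f"qualifier without '=': {pair!r}")
            key, value = pair.split("=", 1)
            key = key.lower()
            if key in qualifiers:
                raise PurlError(f"duplicate qualifier key {key!r}")
            if value:  # an empty value means the qualifier is absent
                qualifiers[key] = unquote(value)

    # The type is everything up to the first '/'; it is required and case-insensitive.
    if "/" not in s:
        raise PurlError("purl must contain a type and a name: pkg:type/name")
    ptype, rest = s.split("/", 1)
    ptype = ptype.lower()
    if ptype not in REGISTERED_TYPES:
        raise PurlError(f"{ptype!r} is not a registered purl type")

    # The version is whatever follows the last '@' in the remaining path.
    version = None
    if "@" in rest:
        rest, version = rest.rsplit("@", 1)
        version = unquote(version)

    # What is left is an optional namespace (any leading segments) plus the name.
    segments = [unquote(x) for x in rest.strip("/").split("/") if x]
    if not segments:
        raise PurlError("purl must have a name")
    name = segments[-1]
    namespace = "/".join(segments[:-1]) or None
    return Purl(ptype, name, namespace, version, qualifiers, subpath)


def is_valid_purl(purl: str) -> bool:
    """True when the string parses under the grammar above."""
    try:
        parse_purl(purl)
        return True
    except PurlError:
        return False


if __name__ == "__main__":
    for candidate in ("pkg:generic/nodejs/node@22.1.0",  # constructed sample version
                      "pkg:generic/node",
                      "pkg:node/node@22.1.0"):          # 'node' is not a type
        print(candidate, "->", parse_purl(candidate) if is_valid_purl(candidate)
              else "invalid")
```

Both `pkg:generic/node` and `pkg:generic/nodejs/node` are well-formed under the spec (the namespace is simply absent in the first), which is why the choice between them is a convention to agree on rather than a validation error; a `pkg:node/...` identifier, by contrast, fails at the type check and is what a VEX consumer would reject.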