Update packageurl-dotnet to 2.0.0-rc.2 #1730

Merged: JamieMagee merged 2 commits into main from users/jamagee/package-url-2.0 on Mar 20, 2026

@JamieMagee (Member) commented Mar 19, 2026

Bumps packageurl-dotnet from 1.0.0 to 2.0.0-rc.2.

What changed

  • Renamed PackageURL to PackageUrl across all TypedComponent classes (the library renamed the type).
  • GoComponent.PackageUrl now splits the module path into namespace + name, since v2 enforces the purl spec requirement that golang purls have a namespace. E.g. github.com/gorilla/context becomes namespace=github.com/gorilla, name=context.
  • Updated test data: Go tests use real module paths instead of bare names like "test". CocoaPod purl assertions updated for v2's qualifier URL-encoding. Removed a stale CA1308 suppression in CppSdkComponentTests.

Links

@JamieMagee requested a review from a team as a code owner on March 19, 2026 17:17
@JamieMagee requested review from Copilot and edgarrs on March 19, 2026 17:17

This comment was marked as outdated.

@JamieMagee force-pushed the users/jamagee/package-url-2.0 branch from dc95d69 to 0bac78d on March 19, 2026 17:34
@JamieMagee changed the title from "Update Package Url to 2.0.0" to "Update packageurl-dotnet to 2.0.0-rc.1" on Mar 19, 2026
Copilot AI review requested due to automatic review settings March 19, 2026 18:15

This comment was marked as outdated.

@JamieMagee force-pushed the users/jamagee/package-url-2.0 branch from f1d09c6 to 8d70be1 on March 19, 2026 19:05
@JamieMagee changed the title from "Update packageurl-dotnet to 2.0.0-rc.1" to "Update packageurl-dotnet to 2.0.0-rc.2" on Mar 19, 2026
packageurl-dotnet v2 enforces that golang purls have a namespace.
GoComponent was passing null for namespace and the full module path
as the name. Now splits on the last "/" so e.g.
"github.com/gorilla/context" becomes namespace="github.com/gorilla",
name="context".

Also updates test data to use realistic Go module paths, fixes
CocoaPod purl assertions for v2 qualifier encoding, and removes
an obsolete CA1308 suppression in CppSdkComponentTests.
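
The last-"/" split described in this commit message, written out with explicit input checks. This is an added example, not code from this pull request or from packageurl-dotnet; the `GoModulePath` class and its choice to reject paths with no namespace or an empty name are assumptions, and the sample inputs are constructed.

```csharp
using System;

// Added example (hypothetical helper, not the repository's GoComponent code).
public static class GoModulePath
{
    // Splits a Go module path on the last '/' into purl namespace and name.
    public static (string Namespace, string Name) Split(string modulePath)
    {
        if (modulePath is null)
        {
            throw new ArgumentNullException(nameof(modulePath));
        }

        var lastSlash = modulePath.LastIndexOf('/');

        // No '/' at all, or only a leading '/': nothing usable as a namespace.
        if (lastSlash <= 0)
        {
            throw new ArgumentException($"'{modulePath}' has no namespace segment.", nameof(modulePath));
        }

        // A trailing '/' would otherwise produce an empty name.
        if (lastSlash == modulePath.Length - 1)
        {
            throw new ArgumentException($"'{modulePath}' has an empty name segment.", nameof(modulePath));
        }

        return (modulePath.Substring(0, lastSlash), modulePath.Substring(lastSlash + 1));
    }

    public static void Main()
    {
        // Constructed inputs: two valid module paths, a bare name, a trailing slash, null.
        string[] samples = { "github.com/gorilla/context", "golang.org/x/net", "test", "github.com/gorilla/", null };
        foreach (var s in samples)
        {
            try
            {
                var (ns, name) = Split(s);
                Console.WriteLine($"{s} -> namespace={ns}, name={name}");
            }
            catch (ArgumentException ex) // also catches ArgumentNullException
            {
                Console.WriteLine($"{s ?? "(null)"} -> rejected: {ex.GetType().Name}");
            }
        }
    }
}
```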
Copilot AI review requested due to automatic review settings March 19, 2026 20:59
Copilot AI (Contributor) left a comment

Pull request overview

Updates the repository to use packageurl-dotnet v2.0.0-rc.2 and aligns Contracts + tests with the renamed PackageUrl type, ensuring typed components continue to produce valid PURLs.

Changes:

  • Bump packageurl-dotnet to 2.0.0-rc.2 and migrate from PackageURL to PackageUrl.
  • Update multiple TypedComponent implementations to construct PackageUrl instances with the new API/normalization behavior.
  • Adjust unit tests and documentation examples to match the new PURL object model and string formatting.

Reviewed changes

Copilot reviewed 20 out of 21 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| Directory.Packages.props | Updates packageurl-dotnet dependency version to rc.2. |
| src/Microsoft.ComponentDetection.Contracts/TypedComponent/TypedComponent.cs | Switches base PackageUrl property type to PackageUrl. |
| src/Microsoft.ComponentDetection.Contracts/TypedComponent/*.cs | Updates typed components to return PackageUrl (including updated Go PURL namespace/name handling). |
| test/Microsoft.ComponentDetection.Contracts.Tests/PurlGenerationTests.cs | Updates PURL expectations (casing/encoding) for updated library behavior. |
| test/Microsoft.ComponentDetection.Contracts.Tests/TypedComponentSerializationTests.cs | Updates Go component serialization test data to include module-path names. |
| test/Microsoft.ComponentDetection.Contracts.Tests/CppSdkComponentTests.cs | Updates assertions to match new PackageUrl name behavior. |
| test/Microsoft.ComponentDetection.Detectors.Tests/SwiftComponentTests.cs | Updates Swift PURL tests to construct PackageUrl. |
| docs/creating-a-new-detector.md | Updates documentation sample to use PackageUrl. |
| docs/schema/manifest.schema.json | Formatting-only change. |

Comments suppressed due to low confidence (1)

src/Microsoft.ComponentDetection.Contracts/TypedComponent/GoComponent.cs:63

  • GetNamespaceAndName() calls this.Name.LastIndexOf('/') without validating Name. Since GoComponent() exists for deserialization, this can throw a NullReferenceException if PackageUrl is accessed before Name is populated (or if deserialization input is malformed). Consider validating required fields in the PackageUrl getter (e.g., via ValidateRequiredInput) so failures are deterministic and throw an ArgumentNullException with the existing standardized message.
    private (string Namespace, string Name) GetNamespaceAndName()
    {
        var lastSlash = this.Name.LastIndexOf('/');
        if (lastSlash > 0)
        {
            return (this.Name.Substring(0, lastSlash), this.Name.Substring(lastSlash + 1));
        }
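
Review bot: `this.Name.Substring(lastSlash + 1)` in the `lastSlash > 0` branch returns an empty string when `Name` ends in "/", so a module path with a trailing slash would produce a purl with an empty name. Consider also requiring `lastSlash < this.Name.Length - 1`, or trimming a trailing "/" before the split. The branch for names with no "/" is not visible in these lines; since the PR description says v2 requires a namespace for golang purls, that path should fail in a deterministic, documented way rather than hand the library a missing namespace.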

@JamieMagee merged commit aa548cd into main on Mar 20, 2026
29 checks passed
@JamieMagee deleted the users/jamagee/package-url-2.0 branch on March 20, 2026 16:35
codecov bot commented Mar 20, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 0.0%. Comparing base (4e30e9e) to head (4a2c654).
⚠️ Report is 1 commits behind head on main.


@github-actions

👋 Hi! It looks like you modified some files in the Detectors folder.
You may need to bump the detector versions if any of the following scenarios apply:

  • The detector detects more or fewer components than before
  • The detector generates different parent/child graph relationships than before
  • The detector generates different devDependencies values than before

If none of the above scenarios apply, feel free to ignore this comment 🙂
