
Commit 60e4665

saquibsaifeeclaude
andcommitted
refactor: remove packageurl-python dependency completely
Completely remove packageurl-python from the project - both runtime and dev dependencies. The library now treats PURL as an opaque string, aligning with the CycloneDX specification. Changes: - Component.purl strictly accepts and returns Optional[str] - Removed all packageurl imports from source and test files - Updated test data to use PURL string format directly - Regenerated snapshots with updated PURL string representation BREAKING CHANGE: Component.purl no longer accepts PackageURL objects - Type changed from Optional[PackageURL] to Optional[str] - Bom.get_component_by_purl() now requires string argument - Users must update code to pass PURL as a plain string Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
1 parent 782e381 commit 60e4665

18 files changed

Lines changed: 31 additions & 71 deletions

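--- a/cyclonedx/model/component.py
+++ b/cyclonedx/model/component.py
@@ -1389,7 +1389,7 @@ def purl(self) -> Optional[str]:
 
 @purl.setter
 def purl(self, purl: Optional[str]) -> None:
-self._purl = None if purl is None else str(purl)
+self._purl = purl
 
 @property
 @serializable.json_name('omniborId')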
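Review bot: The new assignment `self._purl = purl` stores whatever object it is given, so a caller that still passes a PackageURL (or anything else non-string) no longer gets the old `str()` coercion and the mismatch only surfaces later, at serialization or when `Bom.get_component_by_purl()` compares values. Since the commit is a deliberate breaking change, failing fast is the better contract: `if purl is not None and not isinstance(purl, str): raise TypeError('purl must be a str or None')` before the assignment. The setter should also carry a docstring stating that the value is held as an opaque string with no PURL syntax validation or normalization, so two differently percent-encoded spellings of the same PURL will not compare equal. The enclosing `purl` property's getter starts outside the hunk.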

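--- a/pyproject.toml
+++ b/pyproject.toml
@@ -84,7 +84,6 @@ json-validation = ["jsonschema", "referencing"]
 xml-validation = ["lxml"]
 
 [tool.poetry.group.dev.dependencies]
-packageurl-python = ">=0.11, <2"
 ddt = "1.7.2"
 coverage = "7.10.7"
 flake8 = "7.3.0"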

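--- a/tests/_data/models.py
+++ b/tests/_data/models.py
@@ -24,9 +24,6 @@
 from typing import Any, Optional
 from uuid import UUID
 
-# See https://github.com/package-url/packageurl-python/issues/65
-from packageurl import PackageURL
-
 from cyclonedx.builder.this import this_component, this_tool
 from cyclonedx.model import (
 AttachedText,
@@ -482,9 +479,7 @@ def get_bom_with_component_evidence() -> Bom:
 component = Component(
 name='setuptools', version='50.3.2',
 bom_ref='pkg:pypi/setuptools@50.3.2?extension=tar.gz',
-purl=PackageURL(
-type='pypi', name='setuptools', version='50.3.2', qualifiers='extension=tar.gz'
-),
+purl='pkg:pypi/setuptools@50.3.2?extension=tar.gz',
 licenses=[DisjunctiveLicense(id='MIT')],
 author='Test Author'
 )
@@ -845,9 +840,7 @@ def get_component_setuptools_simple(
 return Component(
 name='setuptools', version='50.3.2',
 bom_ref=bom_ref,
-purl=PackageURL(
-type='pypi', name='setuptools', version='50.3.2', qualifiers='extension=tar.gz'
-),
+purl='pkg:pypi/setuptools@50.3.2?extension=tar.gz',
 licenses=[DisjunctiveLicense(id='MIT')],
 author='Test Author'
 )
@@ -856,9 +849,7 @@ def get_component_setuptools_simple(
 def get_component_setuptools_simple_no_version(bom_ref: Optional[str] = None) -> Component:
 return Component(
 name='setuptools', bom_ref=bom_ref or 'pkg:pypi/setuptools?extension=tar.gz',
-purl=PackageURL(
-type='pypi', name='setuptools', qualifiers='extension=tar.gz'
-),
+purl='pkg:pypi/setuptools?extension=tar.gz',
 licenses=[DisjunctiveLicense(id='MIT')],
 author='Test Author'
 )
@@ -867,9 +858,7 @@ def get_component_setuptools_simple_no_version(bom_ref: Optional[str] = None) ->
 def get_component_toml_with_hashes_with_references(bom_ref: Optional[str] = None) -> Component:
 return Component(
 name='toml', version='0.10.2', bom_ref=bom_ref or 'pkg:pypi/toml@0.10.2?extension=tar.gz',
-purl=PackageURL(
-type='pypi', name='toml', version='0.10.2', qualifiers='extension=tar.gz'
-), hashes=[
+purl='pkg:pypi/toml@0.10.2?extension=tar.gz', hashes=[
 HashType.from_composite_str('sha256:806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b')
 ], external_references=[
 get_external_reference_1()
@@ -1365,19 +1354,13 @@ def get_bom_for_issue_598_multiple_components_with_purl_qualifiers() -> Bom:
 return _make_bom(components=[
 Component(
 name='dummy', version='2.3.5', bom_ref='dummy-a',
-purl=PackageURL(
-type='pypi', namespace=None, name='pathlib2', version='2.3.5', subpath=None,
-qualifiers={}
-)
+purl='pkg:pypi/pathlib2@2.3.5'
 ),
 Component(
 name='dummy', version='2.3.5', bom_ref='dummy-b',
-purl=PackageURL(
-type='pypi', namespace=None, name='pathlib2', version='2.3.5', subpath=None,
-qualifiers={
-'vcs_url': 'git+https://github.com/jazzband/pathlib2.git@5a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6'
-}
-)
+purl='pkg:pypi/pathlib2@2.3.5'
+'?vcs_url=git%2Bhttps%3A%2F%2Fgithub.com%2Fjazzband%2Fpathlib2.git'
+'%405a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6'
 )
 ])
 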
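Review bot: The hand-written dummy-b literal in the last hunk percent-encodes `://` as `%3A%2F%2F`, whereas the string the removed PackageURL object produced left `:` and `/` unencoded, as the `-` lines of the following snapshot sections show; the result is that every issue-598 snapshot is regenerated to a different spelling of the same PURL instead of staying stable. Because the library now compares PURLs as opaque strings, the fixture should keep the spelling the previous implementation emitted so the snapshots do not churn: `purl='pkg:pypi/pathlib2@2.3.5?vcs_url=git%2Bhttps://github.com/jazzband/pathlib2.git%405a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6'`. I cannot confirm from this page which encoding the PURL specification treats as canonical, only that the old and new strings differ. The enclosing function `get_bom_for_issue_598_multiple_components_with_purl_qualifiers` closes within the hunk.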

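--- a/tests/_data/snapshots/get_bom_for_issue_598_multiple_components_with_purl_qualifiers-1.0.xml.bin
+++ b/tests/_data/snapshots/get_bom_for_issue_598_multiple_components_with_purl_qualifiers-1.0.xml.bin
@@ -10,7 +10,7 @@
 <component type="library">
 <name>dummy</name>
 <version>2.3.5</version>
-<purl>pkg:pypi/pathlib2@2.3.5?vcs_url=git%2Bhttps://github.com/jazzband/pathlib2.git%405a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6</purl>
+<purl>pkg:pypi/pathlib2@2.3.5?vcs_url=git%2Bhttps%3A%2F%2Fgithub.com%2Fjazzband%2Fpathlib2.git%405a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6</purl>
 <modified>false</modified>
 </component>
 </components>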

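--- a/tests/_data/snapshots/get_bom_for_issue_598_multiple_components_with_purl_qualifiers-1.1.xml.bin
+++ b/tests/_data/snapshots/get_bom_for_issue_598_multiple_components_with_purl_qualifiers-1.1.xml.bin
@@ -9,7 +9,7 @@
 <component type="library" bom-ref="dummy-b">
 <name>dummy</name>
 <version>2.3.5</version>
-<purl>pkg:pypi/pathlib2@2.3.5?vcs_url=git%2Bhttps://github.com/jazzband/pathlib2.git%405a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6</purl>
+<purl>pkg:pypi/pathlib2@2.3.5?vcs_url=git%2Bhttps%3A%2F%2Fgithub.com%2Fjazzband%2Fpathlib2.git%405a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6</purl>
 </component>
 </components>
 </bom>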

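--- a/tests/_data/snapshots/get_bom_for_issue_598_multiple_components_with_purl_qualifiers-1.2.json.bin
+++ b/tests/_data/snapshots/get_bom_for_issue_598_multiple_components_with_purl_qualifiers-1.2.json.bin
@@ -10,7 +10,7 @@
 {
 "bom-ref": "dummy-b",
 "name": "dummy",
-"purl": "pkg:pypi/pathlib2@2.3.5?vcs_url=git%2Bhttps://github.com/jazzband/pathlib2.git%405a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6",
+"purl": "pkg:pypi/pathlib2@2.3.5?vcs_url=git%2Bhttps%3A%2F%2Fgithub.com%2Fjazzband%2Fpathlib2.git%405a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6",
 "type": "library",
 "version": "2.3.5"
 }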

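--- a/tests/_data/snapshots/get_bom_for_issue_598_multiple_components_with_purl_qualifiers-1.2.xml.bin
+++ b/tests/_data/snapshots/get_bom_for_issue_598_multiple_components_with_purl_qualifiers-1.2.xml.bin
@@ -12,7 +12,7 @@
 <component type="library" bom-ref="dummy-b">
 <name>dummy</name>
 <version>2.3.5</version>
-<purl>pkg:pypi/pathlib2@2.3.5?vcs_url=git%2Bhttps://github.com/jazzband/pathlib2.git%405a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6</purl>
+<purl>pkg:pypi/pathlib2@2.3.5?vcs_url=git%2Bhttps%3A%2F%2Fgithub.com%2Fjazzband%2Fpathlib2.git%405a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6</purl>
 </component>
 </components>
 <dependencies>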

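--- a/tests/_data/snapshots/get_bom_for_issue_598_multiple_components_with_purl_qualifiers-1.3.json.bin
+++ b/tests/_data/snapshots/get_bom_for_issue_598_multiple_components_with_purl_qualifiers-1.3.json.bin
@@ -10,7 +10,7 @@
 {
 "bom-ref": "dummy-b",
 "name": "dummy",
-"purl": "pkg:pypi/pathlib2@2.3.5?vcs_url=git%2Bhttps://github.com/jazzband/pathlib2.git%405a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6",
+"purl": "pkg:pypi/pathlib2@2.3.5?vcs_url=git%2Bhttps%3A%2F%2Fgithub.com%2Fjazzband%2Fpathlib2.git%405a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6",
 "type": "library",
 "version": "2.3.5"
 }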

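--- a/tests/_data/snapshots/get_bom_for_issue_598_multiple_components_with_purl_qualifiers-1.3.xml.bin
+++ b/tests/_data/snapshots/get_bom_for_issue_598_multiple_components_with_purl_qualifiers-1.3.xml.bin
@@ -12,7 +12,7 @@
 <component type="library" bom-ref="dummy-b">
 <name>dummy</name>
 <version>2.3.5</version>
-<purl>pkg:pypi/pathlib2@2.3.5?vcs_url=git%2Bhttps://github.com/jazzband/pathlib2.git%405a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6</purl>
+<purl>pkg:pypi/pathlib2@2.3.5?vcs_url=git%2Bhttps%3A%2F%2Fgithub.com%2Fjazzband%2Fpathlib2.git%405a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6</purl>
 </component>
 </components>
 <dependencies>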

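--- a/tests/_data/snapshots/get_bom_for_issue_598_multiple_components_with_purl_qualifiers-1.4.json.bin
+++ b/tests/_data/snapshots/get_bom_for_issue_598_multiple_components_with_purl_qualifiers-1.4.json.bin
@@ -10,7 +10,7 @@
 {
 "bom-ref": "dummy-b",
 "name": "dummy",
-"purl": "pkg:pypi/pathlib2@2.3.5?vcs_url=git%2Bhttps://github.com/jazzband/pathlib2.git%405a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6",
+"purl": "pkg:pypi/pathlib2@2.3.5?vcs_url=git%2Bhttps%3A%2F%2Fgithub.com%2Fjazzband%2Fpathlib2.git%405a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6",
 "type": "library",
 "version": "2.3.5"
 }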
