purl-validator is a Rust library for validating Package URLs (PURLs). It works fully offline, including in air-gapped or restricted environments, and answers one key question: Does the package this PURL represents actually exist?
purl-validator ships with a pre-built FST (Finite State Transducer), a set of compact automata containing the latest Package URLs mined by MineCode. The library uses this FST to perform lookups and confirm whether the base PURL exists.
- apk
- cargo
- composer
- conan
- cpan
- cran
- debian
- maven
- npm
- nuget
- pypi
- swift
Add purl-validator to your Rust dependencies:
```sh
cargo add purl_validator
```

Use it in your code like this:

```rust
use purl_validator::validate;

fn main() {
    let exists: bool = validate("pkg:nuget/FluentValidation")
        .expect("only fails if PURL is invalid or contains version, qualifier, or subpath");
    println!("{exists}");
}
```

Examples and errors:
```rust
use purl_validator::ValidateError;
use purl_validator::validate;

fn example() -> Result<(), ValidateError> {
    // Base PURL present in the packaged data.
    assert_eq!(validate("pkg:nuget/FluentValidation")?, true);
    // Syntactically valid base PURL that is not in the packaged data.
    assert_eq!(validate("pkg:nuget/non-existent-foo-bar")?, false);

    // A PURL carrying a version is rejected as unsupported.
    let version_result = validate("pkg:nuget/FluentValidation@10.2.3");
    assert!(matches!(version_result, Err(ValidateError::UnsupportedPurl(_))));

    // Input without the pkg: scheme is not a valid PURL.
    let invalid_result = validate("nuget/FluentValidation");
    assert!(matches!(invalid_result, Err(ValidateError::InvalidPurl(_))));
    Ok(())
}
```

`validate` returns:
- `Ok(true)` when the base PURL exists in the packaged data.
- `Ok(false)` when the base PURL is syntactically valid but unknown.
- `Err(ValidateError::InvalidPurl(_))` when the input is not a valid PURL.
- `Err(ValidateError::UnsupportedPurl(_))` when the PURL contains a version, qualifiers, or subpath.
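PURLs taken from an SBOM usually carry a version, qualifiers or a subpath, which `validate` rejects as `UnsupportedPurl`. The following is an added example, not code from the purl-validator project: it reduces full PURLs to base PURLs before lookup and fails closed on anything that cannot be confirmed. `to_base_purl` and `unknown_packages` are hypothetical helpers, "base PURL" is assumed to mean type, namespace and name only, and the closure in `main` stands in for `purl_validator::validate` (assumed to accept `&str`, as in the examples above) so the snippet builds without the crate.

```rust
// Added example: `to_base_purl` and `unknown_packages` are hypothetical helpers,
// not part of the purl_validator crate.

/// Strip subpath, qualifiers and version in the PURL spec's right-to-left order.
fn to_base_purl(purl: &str) -> Option<String> {
    let rest = purl.strip_prefix("pkg:")?;
    // Subpath follows the last '#', qualifiers follow the last '?'.
    let rest = rest.rsplit_once('#').map_or(rest, |(head, _)| head);
    let rest = rest.rsplit_once('?').map_or(rest, |(head, _)| head);
    // The type is the first path segment; it is case-insensitive.
    let (ptype, path) = rest.trim_matches('/').split_once('/')?;
    // Version follows the last '@'. A '@' inside a namespace is written %40,
    // so an npm scope such as %40angular is left alone.
    let path = match path.rsplit_once('@') {
        Some((head, _)) if !head.is_empty() => head,
        _ => path,
    };
    Some(format!("pkg:{}/{}", ptype.to_ascii_lowercase(), path))
}

/// Fail closed: return every input that is malformed, that the validator
/// rejects with an error, or whose base PURL it reports as unknown.
fn unknown_packages<'a, E>(
    purls: &[&'a str],
    validate: impl Fn(&str) -> Result<bool, E>,
) -> Vec<&'a str> {
    purls.iter().copied()
        .filter(|p| match to_base_purl(p) {
            Some(base) => !matches!(validate(&base), Ok(true)),
            None => true,
        })
        .collect()
}

fn main() {
    // Constructed sample data; the closure stands in for purl_validator::validate.
    let known = ["pkg:nuget/FluentValidation"];
    let stub = |p: &str| -> Result<bool, String> { Ok(known.contains(&p)) };
    let sbom = [
        "pkg:nuget/FluentValidation@10.2.3",
        "pkg:nuget/non-existent-foo-bar@1.0.0?arch=x64#lib",
        "nuget/FluentValidation",
    ];
    for p in unknown_packages(&sbom, stub) {
        println!("unverified: {p}");
    }
}
```

Flagged entries are candidates for review (a typo, a private package, or a name not yet in the packaged data), not proof that a package is malicious.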
Use the released crate version when you need reproducible validation results. Use a newer patch release when you need newer packaged PURL data.
A patch release is published daily with the latest FST generated from newly mined package-urls.
We welcome contributions from the community! If you find a bug or have an idea for a new feature, please open an issue on the GitHub repository. If you want to contribute code, you can fork the repository, make your changes, and submit a pull request.
- Please try to write a good commit message, see good commit message wiki.
- Add DCO `Sign Off` to your commits.
Run these commands, starting from a git clone of https://github.com/aboutcode-org/purl-validator.rs.git
Generate FST:

```sh
make build-fst
```

Run tests:

```sh
make test
```

Fix formatting and linting:

```sh
make valid
```

SPDX-License-Identifier: Apache-2.0
purl-validator is licensed under Apache License version 2.0.
You may not use this software except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.