Docs: Document rules for generating a valid CycloneDX report


Problem to solve

This issue is intended to document the guidelines for generating a valid CycloneDX report that can be utilized for license scanning.

Further details

A subset of the package types supported by Gemnasium have rules such as case sensitivity, lowercase naming, or character substitutions. To handle these edge cases, GitLab tests for compatibility with the PURL type specification.

Proposal

The rules outlined in the PURL type specification should be followed. Specifically, the following apply to the supported package managers:

  • PyPI: The package names should be lowercased, and all underscores _ replaced with a dash -.
  • Composer: The package names should all be lowercased.
  • NPM: The package names should all be lowercased.
  • Golang: The namespace and name must be lowercased.

To test compatibility, the provided test suite can be used.
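As an added example (not part of this issue or of GitLab's own code), the following Python helper applies the four rules above to a component's namespace and name and emits a minimal CycloneDX JSON document whose `purl` uses the normalised values. The helper names, the CycloneDX 1.4 spec version and the sample package names are assumptions; any purl type not listed above passes through unchanged.

```python
import json
from urllib.parse import quote

# Hypothetical helper: only the PURL type rules listed in the proposal are encoded.
def normalize_component(purl_type, name, namespace=None):
    purl_type = purl_type.lower()
    if purl_type == "pypi":
        # PyPI: lowercase and replace every underscore with a dash.
        name = name.lower().replace("_", "-")
    elif purl_type in ("composer", "npm"):
        # Composer and NPM: lowercase the package name.
        name = name.lower()
    elif purl_type == "golang":
        # Golang: both namespace and name are lowercased.
        name = name.lower()
        if namespace is not None:
            namespace = namespace.lower()
    return namespace, name

def build_purl(purl_type, name, version, namespace=None):
    # Assemble pkg:<type>/<namespace>/<name>@<version> after normalisation.
    namespace, name = normalize_component(purl_type, name, namespace)
    parts = [purl_type.lower()]
    if namespace:
        # "/" separates namespace segments; each segment is percent-encoded,
        # so an npm scope "@types" becomes "%40types".
        parts.append("/".join(quote(s, safe="") for s in namespace.strip("/").split("/")))
    parts.append(quote(name, safe=""))
    return "pkg:" + "/".join(parts) + "@" + quote(version, safe="")

def cyclonedx_component(purl_type, name, version, namespace=None):
    # One CycloneDX component whose name/group agree with its purl.
    namespace, norm_name = normalize_component(purl_type, name, namespace)
    component = {"type": "library", "name": norm_name, "version": version,
                 "purl": build_purl(purl_type, name, version, namespace)}
    if namespace:
        component["group"] = namespace
    return component

def bom_json(components):
    # Minimal CycloneDX 1.4 JSON document wrapping the given components.
    bom = {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
           "components": components}
    return json.dumps(bom, indent=2)

# Constructed sample inputs, one per rule above (not real project data).
SAMPLE_BOM = bom_json([
    cyclonedx_component("pypi", "Django_Rest_Framework", "3.14.0"),
    cyclonedx_component("npm", "Node", "18.0.0", namespace="@types"),
    cyclonedx_component("golang", "Mux", "v1.8.0", namespace="github.com/Gorilla"),
    cyclonedx_component("composer", "Framework", "9.0.0", namespace="laravel"),
])
```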

Who can address the issue

Other links/references
