purl-next: Package a command line library for PURL binary validation

[pombredanne]

Package a library/tool to validate the integrity of open source package.

We have a base with PurlCLI and PurlDB that needs to be documented and packaged for easy deployment. Or we can have a script for straight SCIO run.

The ideal solution would be:

• a script that can run locally (and in the CI, but not dependent on the CI)
• ... taking as an input the from and to from the map_deploy_devel pipeline, and the tech stack options (Java, ...) and running it
• ... returning the results in particular the unmapped binary files

By default we should have a way to bypass code matching and PurlDB lookup.

Later, we could have also:

• failure conditions: should this fail if some files and not mapped
• exclusions: based on a given context, I may want to have a specific config file to exclude some well known files

Ecosystem-wise, I suggest looking at these for testing:

• Java (in particular things with shaded Log4shell)
• Python (things like Numpy with native C/C++ extensions)
• Javascript (in particular the recent chalk 2fa compromise)
  • Or fairly complex TypeSCript with ts, tsx and js compiled as in https://www.npmjs.com/package/antd?activeTab=code and https://github.com/ant-design/ant-design/blob/master/components/affix/utils.ts

[pombredanne]

We could use:

• a docker image (the SCIO docker image) that we pull and run with a wrapper
• OR a flatpack or snap ? TBD

[pombredanne]

Some simple shell script could look like this:

curl to/get/the/docker/compose.yml and dockerfile
docker compose up of compose.yml
docker compose run ..... to get 2 inputs and create outputs

or we could reuse the purlcli as a base for its UX.

[pombredanne]

Alternatively it could be a debian package too?