Maven Model

[vorburger]

The pkg: scheme, à la pkg:maven/ch.vorburger.mariaDB4j/[email protected], is shown e.g. on https://central.sonatype.com/artifact/ch.vorburger.mariaDB4j/mariaDB4j.

But it's not "standard" (IANA), and also already used e.g. by the the uri-scheme package for Node.js as a prefix for custom URI schemes used by mobile apps, according to Google Gemini - although https://www.npmjs.com/package/uri-scheme does not mention it.

An Enola specific URL template may be simplest; I'm thinking e.g. something like https://enola.dev/java/maven/central/ch.vorburger.mariaDB4j/mariaDB4j-core/3.1.0 perhaps. (Where central could alternatively also be either an alias or an encoded full URL e.g. to an in-house repo.)

Unless Security (CVE) community already have a useful URI standard for packages, such as Maven? (And others, probably.)

https://spdx.dev might have something we could map to?

[vorburger]

https://maven.apache.org/repository/central-index.html

Unless Security (CVE) community already have a useful URI standard for packages, such as Maven? (And others, probably.)

CPE pkg:maven/com.google.protobuf/protobuf-java

• https://osv.dev/list?ecosystem=Maven
• https://docs.dependencytrack.org/datasources/routing/
• https://owasp.org/www-project-web-security-testing-guide/latest/5-Reporting/02-Naming_Schemes
• https://en.wikipedia.org/wiki/Common_Platform_Enumeration
• https://github.com/jeremylong/DependencyCheck/wiki/How-does-it-work%3F ?
• Java: Read CPE from MANIFEST jeremylong/DependencyCheck#4207
• https://csrc.nist.gov/projects/security-content-automation-protocol/specifications/cpe
• https://nvd.nist.gov/products/cpe
• https://mvnrepository.com/artifact/org.mitre.cpe/cpe/2.3.4
• https://sourceforge.net/projects/cpereferenceimp/