
Backport 2156 to release/0.4.z#2298

Open
jcrossley3 wants to merge 2 commits into guacsec:release/0.4.z from jcrossley3:backport-2156-to-release/0.4.z

Conversation

@jcrossley3
Contributor

@jcrossley3 jcrossley3 commented Mar 18, 2026

To address https://redhat.atlassian.net/browse/TC-3090

Summary by Sourcery

Update package URL handling to be compatible with newer dependencies and fix formatting and translation behavior.

Bug Fixes:

  • Ensure pURL string formatting correctly propagates errors from setting namespace and version.
  • Fix Maven and other ecosystem name translation to handle fallible namespace assignment without panicking.
  • Add a regression test for preserving encoded slashes in generic pURLs.

Enhancements:

  • Update the packageurl dependency to version 0.6 and align code with its fallible API.
  • Point the csaf dependency to the main branch instead of a fixed revision and remove an unused packageurl dependency from the fundamental module.

Build:

  • Adjust Cargo.toml dependencies to newer versions and clean up unused workspace dependencies.

Tests:

  • Extend pURL tests to cover encoded namespace components and ensure round-trip string stability.

This fixes guacsec#2146 and therefore indirectly resolves the downstream
issue, https://issues.redhat.com/browse/TC-3090

Ultimately, it'd be swell if we could instead depend on something less
dead and more supported like https://github.com/csaf-rs/csaf

(cherry picked from commit 665f115)
(cherry picked from commit bb4926e)
@sourcery-ai
Contributor

sourcery-ai bot commented Mar 18, 2026


Reviewer's Guide

Backports the upgrade to packageurl 0.6 and associated API adjustments, cleans up error handling around purl construction/formatting, updates a csaf dependency reference, and adds a regression test for preserving encoded slashes in purls.

Class diagram for updated Purl formatting and PackageUrl interaction

classDiagram
    class Purl {
        +String ty
        +String name
        +Option_String namespace
        +Option_String version
        +HashMap_String_String qualifiers
        +Option_String subpath
        +from_str(s~str~) Purl
        +to_string() String
    }

    class PurlVisitor {
        +expecting(formatter~Formatter~) fmt_Result
        +visit_str(v~str~) Purl
    }

    class PackageUrl {
        +new(ty~str~, name~str~) Result_PackageUrl_PackageUrlError
        +with_namespace(namespace~impl_AsRef_str~) Result_Unit_PackageUrlError
        +with_version(version~impl_AsRef_str~) Result_Unit_PackageUrlError
        +add_qualifier(key~impl_AsRef_str~, value~impl_AsRef_str~) Result_Unit_PackageUrlError
        +set_subpath(subpath~impl_AsRef_str~) Result_Unit_PackageUrlError
        +to_string() String
    }

    class fmt_Result {
    }

    class Formatter {
    }

    class TranslateModule {
        +translate(ecosystem~Ecosystem~, name~str~) Option_PackageUrl
        +split_name(name~str~, ty~str~, separator~str~) Option_PackageUrl
    }

    Purl ..> PackageUrl : builds_via
    Purl ..> fmt_Result : uses
    PurlVisitor ..> Purl : produces
    PurlVisitor ..> Formatter : formats_errors_with
    PackageUrl ..> fmt_Result : returns
    TranslateModule ..> PackageUrl : constructs_and_configures

File-Level Changes

Change Details Files
Adjust purl Display/Debug implementations to use the updated packageurl error types and enforce proper error propagation when setting namespace/version.
  • Change Visitor::expecting, Display::fmt, and Debug::fmt signatures to return fmt::Result instead of std::fmt::Result for consistency with fmt import.
  • Propagate errors from PackageUrl::with_namespace and PackageUrl::with_version via map_err(
_
Align ingestor OSV translators with the new packageurl API by handling fallible namespace assignment and simplifying purl construction helpers.
  • In the Maven translator, use the ? operator on purl.with_namespace(namespace) within an and_then closure so failures bubble up properly.
  • In split_name, switch from map to and_then and make with_namespace fallible with ?, returning Ok(purl) on success and converting the result to Option with ok().
modules/ingestor/src/service/advisory/osv/translate.rs
Upgrade packageurl and csaf dependencies and remove an unused workspace packageurl reference in the fundamental module.
  • Bump packageurl crate from 0.3.0 to 0.6 in the root Cargo.toml.
  • Point the csaf dependency to the main branch of the upstream repository instead of a fixed revision in Cargo.toml.
  • Remove the redundant packageurl workspace dependency from modules/fundamental/Cargo.toml and refresh Cargo.lock accordingly.
Cargo.toml
modules/fundamental/Cargo.toml
Cargo.lock
Add a regression test ensuring purl stringification preserves percent-encoded forward slashes in generic package names.
  • Extend the existing tests module with a new case that parses a generic purl containing %2F in the name and asserts the round-tripped string matches exactly.
common/src/purl.rs

Possibly linked issues

  • #(none provided): The PR updates packageurl usage and adds tests so %2F-encoded PURLs round-trip correctly, fixing the ingestion issue.

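The guide above describes three mechanical changes: the Display impl propagates packageurl's builder errors with map_err instead of unwrapping, the OSV split_name helper moves to and_then with ? so a failed with_namespace yields None rather than a panic, and a regression test checks that a generic purl whose name contains %2F comes back byte-for-byte after a parse/format round trip. The following is an added example, not code from the PR or the Trustify code base, written against a deliberately small stand-in purl type (MiniPurl, PurlError, qualifiers and subpath omitted) so it runs with the standard library alone instead of the packageurl crate; it shows the same three patterns, and also the failure mode the round-trip test guards against: decoding %2F before re-parsing silently turns one generic package into a namespace/name pair, which is a different package identity for advisory matching.

```rust
use std::fmt;
use std::str::FromStr;

/// Stand-in for packageurl's error type; only its shape matters here (assumption).
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum PurlError {
    Empty(&'static str),
    Invalid(String),
}

/// Minimal purl with the fields the PR's Display impl touches. Percent-encoded
/// bytes in `name` are stored verbatim and never decoded.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct MiniPurl {
    pub ty: String,
    pub namespace: Option<String>,
    pub name: String,
    pub version: Option<String>,
}

impl MiniPurl {
    pub fn new(ty: &str, name: &str) -> Result<Self, PurlError> {
        if ty.is_empty() { return Err(PurlError::Empty("type")); }
        if name.is_empty() { return Err(PurlError::Empty("name")); }
        Ok(Self { ty: ty.into(), namespace: None, name: name.into(), version: None })
    }

    /// Fallible setters in the packageurl 0.6 style: an empty component is an
    /// error, not something silently stored and later rendered as "pkg:maven//x".
    pub fn with_namespace(&mut self, ns: &str) -> Result<&mut Self, PurlError> {
        if ns.is_empty() { return Err(PurlError::Empty("namespace")); }
        self.namespace = Some(ns.into());
        Ok(self)
    }

    pub fn with_version(&mut self, v: &str) -> Result<&mut Self, PurlError> {
        if v.is_empty() { return Err(PurlError::Empty("version")); }
        self.version = Some(v.into());
        Ok(self)
    }

    /// Canonical form, rebuilt through the fallible setters as the PR's Display does.
    fn canonical(&self) -> Result<String, PurlError> {
        let mut p = MiniPurl::new(&self.ty, &self.name)?;
        if let Some(ns) = &self.namespace { p.with_namespace(ns)?; }
        if let Some(v) = &self.version { p.with_version(v)?; }
        let mut s = format!("pkg:{}/", p.ty);
        if let Some(ns) = &p.namespace { s.push_str(ns); s.push('/'); }
        s.push_str(&p.name); // "%2F" is emitted as-is
        if let Some(v) = &p.version { s.push('@'); s.push_str(v); }
        Ok(s)
    }
}

impl fmt::Display for MiniPurl {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        // map_err instead of unwrap(): the pattern the backport applies to Purl::fmt.
        let s = self.canonical().map_err(|_| fmt::Error)?;
        f.write_str(&s)
    }
}

impl FromStr for MiniPurl {
    type Err = PurlError;
    fn from_str(s: &str) -> Result<Self, PurlError> {
        let rest = s.strip_prefix("pkg:").ok_or_else(|| PurlError::Invalid(s.into()))?;
        // Version follows the last '@'; components split only on a raw '/',
        // so an encoded "%2F" stays inside the name segment.
        let (path, version) = match rest.rsplit_once('@') {
            Some((p, v)) => (p, Some(v)),
            None => (rest, None),
        };
        let (ty, tail) = path.split_once('/').ok_or_else(|| PurlError::Invalid(s.into()))?;
        let (namespace, name) = match tail.rsplit_once('/') {
            Some((ns, n)) => (Some(ns), n),
            None => (None, tail),
        };
        let mut p = MiniPurl::new(ty, name)?;
        if let Some(ns) = namespace { p.with_namespace(ns)?; }
        if let Some(v) = version { p.with_version(v)?; }
        Ok(p)
    }
}

/// Mirrors the ingestor's split_name: and_then plus `?` (through .ok()) so a
/// builder failure yields None instead of panicking inside the translator.
pub fn split_name(name: &str, ty: &str, separator: &str) -> Option<MiniPurl> {
    name.split_once(separator).and_then(|(ns, n)| {
        let mut p = MiniPurl::new(ty, n).ok()?;
        p.with_namespace(ns).ok()?;
        Some(p)
    })
}

/// The regression check: parse, re-serialize, compare byte-for-byte.
pub fn round_trips(s: &str) -> bool {
    MiniPurl::from_str(s).map(|p| p.to_string() == s).unwrap_or(false)
}

/// What the check guards against: decoding "%2F" before re-parsing changes identity.
pub fn naive_decode_then_parse(s: &str) -> Result<MiniPurl, PurlError> {
    s.replace("%2F", "/").parse()
}

fn main() {
    let p: MiniPurl = "pkg:generic/foo%2Fbar@1.0".parse().expect("valid purl");
    println!("{} round-trips: {}", p, round_trips("pkg:generic/foo%2Fbar@1.0"));
    println!("naive: {:?}", naive_decode_then_parse("pkg:generic/foo%2Fbar@1.0"));
    println!("empty namespace: {:?}", split_name(":commons", "maven", ":"));
}
```

One caveat on the Display change: `to_string()` (the blanket ToString impl) panics if a Display impl returns `fmt::Error`, so propagating the builder error out of `fmt` removes the `unwrap()` but does not by itself make stringification infallible; it only helps callers that use `write!` directly and handle the result. The robust property is the one the parser above enforces: every namespace and version is validated when the value is constructed, so the setters cannot fail again at format time.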

Contributor

@sourcery-ai sourcery-ai bot left a comment


Hey - I've left some high level feedback:

  • Switching the csaf dependency from a pinned rev to tracking the main branch may introduce non-deterministic behavior for the release/0.4.z line; consider keeping a fixed commit hash (or tag) for the backport to ensure reproducible builds.
