PURL组件标识与来源治理（type-name-qualifiers）最佳实践

实现示例type Purl = { type: string; name: string; version?: string; qualifiers?: Record<string,string>; namespace?: string } const allowTypes = new Set<string>(['npm','maven','pypi','golang','nuget','github']) function validName(n: string): boolean { return !!n && !/\s/.test(n) } function semverLike(v?: string): boolean { return v ? /^(\d+\.\d+\.\d+)(?:[-A-Za-z0-9_.]+)?$/.test(v) : true } function qualifierAllowed(q?: Record<string,string>): boolean { if (!q) return true for (const [k,v] of Object.entries(q)) { if (!/^[a-z0-9_\-]+$/.test(k)) return false if (!/^[A-Za-z0-9_.:\-]+$/.test(v)) return false } return true } function evaluate(p: Purl): { ok: boolean; errors: string[] } { const errors: string[] = [] if (!allowTypes.has(p.type)) errors.push('type') if (!validName(p.name)) errors.push('name') if (!semverLike(p.version)) errors.push('version') if (!qualifierAllowed(p.qualifiers)) errors.push('qualifiers') return { ok: errors.length === 0, errors } } 审计与运行治理审计 PURL 组件的类型、名称、版本与限定符；异常阻断并输出修复建议。与 SBOM 对齐组件标识，确保跨生态一致性。