CRA Tool

Source Code Resolver

Resolve source code locations for packages identified by their Package URL (PURL).

StatusOpen
TypeClosed-Source Collaborative
Eligible CoursesSEMI, PRAK/PROJ
Scope5 ECTS - 10 ECTS
Use of Artificial IntelligenceAllowed
CLA Required?Yes

Summary

CRA Tool receives a list of Package URLs (PURLs) for a codebase. Metadata for these packages is resolved from package registries, which often provide incomplete, inaccurate, or no source code information at all (e.g. a repository URL without a specific revision, or a link that no longer exists). Access to the actual source code is crucial for downstream license, copyright, and open source health analysis.

The goal of this contribution is to build a source code resolver that reliably maps a PURL to a source code repository and, ideally, to the exact revision matching the package version.

This involves several steps. First, existing databases and services that map packages to source code locations should be evaluated (e.g. ClearlyDefined, Software Heritage, deps.dev). Second, heuristic strategies should be developed to discover source code locations from other metadata fields such as the homepage, bug tracker, or VCS URLs provided by the registry. Finally, once a repository is identified, the resolver should use Git or GitHub APIs to find tags that match the PURL version, pinpointing the concrete revision for analysis.

The implementation should be designed as a pipeline of resolution strategies, ordered by reliability, so that results from authoritative databases are preferred over heuristic approaches. Where possible, resolution results from previous versions of the same package should be reused, since the source repository typically remains the same across versions.

Expected Tasks

  1. Research and evaluate existing PURL-to-source-code databases
  2. Create detailed GitHub issues for this work
  3. Define an implementation timeline in the GitHub Project Roadmap
  4. Implement the solution and adapt your plan if necessary
  5. Write a brief project report (1-2 pages max)

Technologies

You should be familiar with the following programming languages:

  • Java

You should be familiar with the following frameworks/libraries:

  • Spring Boot

Knowing the following concepts will be helpful:

  • Package URL (PURL) specification
  • Package registries (npm, Maven Central, PyPI, etc.)

SBOM Extraction

Support additional package managers for dependency graph extraction.

Vulnerability Monitoring

Add vulnerability monitoring capabilities to CRA Tool.

On this page

SummaryExpected TasksTechnologies