Add VS Code extensions

[booniepepper]

Closes:

• Support for vscode type #287

Clashes a little with a different approach at #671 since this will consider the VS Code extension marketplace as the default repository

I think we're aligned on this now

The type vsx refers to "VS code eXtension" and seems to be used in multiple places. Open to alternatives like vscode. As a note, the file extension for these IDE extension packages is .vsix.

After discussion, the PR now proposes the type vscode. The previous suggestion of vsx is ambiguous as it could refer to either VS Code extensions (JS) or to Visual Studio extensions (C#) which are incompatible. (Refer to this comment thread)

Happy to hear & take feedback, thanks!

[booniepepper]

@jkowalleck Any thoughts on this?

[mixmix]

As I raised here : #671 (comment) , I'm really interested in how we keep consumers of PURLs safe from things like typosquat attacks. Some context is I work in security and have had a client ask me to review an extension giving just it's name ... and it was really hard to answer their question because I did not know which code I was meant to be auditing! (because there are two registries and they can have different code).

To that end I'm against vsx because I'm scared of it being a foot-gun. I think vscode would be a lot safer.

I think we should explore the question of how we handle referencing extensions in these two registries before merging these PRs though. Propose we continue discussion in that other PR (it's got a bit of discussion already)

[booniepepper]

I have examples in the PR. I think it's easy to distinguish the source by repository_url and this follows the convention used in many other PURL specs.

P.S. I incorporated your changes and credited you in one of the commits included in this PR

P.P.S. I've also been working on software supply chain security for much of the past 5 years

[mixmix]

Update: after some great input from community, have opted to close #671 in favour of this proposal ❤️

[amvanbaren]

Hi! I don't know why, but I got notified about this issue. Any way I can help?

[booniepepper]

@amvanbaren The PR was waiting on me to update (which I have now) -- I'm not sure either, but the more eyes the merrier

[mixmix]

Once again, really appreciate the depth of everyones attention to detail, listening, and thoughtful dialogue. I think we've come to something which is better than any one of alone would have suggesting 🌈 🚀

[booniepepper]

@pombredanne Looks like we've got all the comments addressed. Are you ready to take a look again?

[pombredanne]

Thanks!

[mjherzog]

@booniepepper @mixmix It would probably be more accurate to set the PURL type to "vscode-extension" to be more descriptive and to leave "space" just in case there are future PURL types related to vscode. What do you think?

[booniepepper]

@mjherzog I was trying to keep it succinct, but I'd be happy with that more-precise proposal

[mjherzog]

The PR looks ready to go with the changes to type of vscode-extension.

[mjherzog]

@johnmhoran Please double-check the tests when you have a minute.
@booniepepper We will need to update the PURL Types grid at: https://package-url.github.io/www.packageurl.org/docs/purl/purl-spec-purl-types#registered-purl-types for the new vscode-extension type.
Do you want to display an icon there? If yes, please tell us where to find the appropriate icon.

[johnmhoran]

@booniepepper -- the tests look great, and thank you in particular for including a number of "expected_failure": true tests. 👍 Approving and merging.

[booniepepper]

@mjherzog Yeah, I think the "blue/stable" icon from here would be best: https://code.visualstudio.com/brand

Thanks @johnmhoran - lots of testing credit goes to @mixmix from a previous PR

[mjherzog]

@johnmhoran Please update Tool grid with the blue/stable icon.