Update docs

Author: andrew

CONTRIBUTING.md

@@ -0,0 +1,167 @@
+# Contributing to Purl
+
+Thank you for your interest in contributing to the Purl Ruby library! This document provides guidelines and information for contributors.
+
+## Code of Conduct
+
+This project and everyone participating in it is governed by our [Code of Conduct](CODE_OF_CONDUCT.md). By participating, you are expected to uphold this code.
+
+## How to Contribute
+
+### Reporting Issues
+
+Before creating an issue, please:
+1. Search existing issues to avoid duplicates
+2. Use the latest version of the gem
+3. Provide a clear, descriptive title
+4. Include steps to reproduce the issue
+5. Share relevant code examples or error messages
+
+### Suggesting Enhancements
+
+Enhancement suggestions are welcome! Please:
+1. Check if the enhancement is already requested
+2. Explain the use case and expected behavior
+3. Consider if it fits the project's scope
+4. Be willing to help implement if accepted
+
+### Pull Requests
+
+1. **Fork** the repository
+2. **Create** a feature branch (`git checkout -b my-new-feature`)
+3. **Make** your changes following our coding standards
+4. **Add** tests for your changes
+5. **Ensure** all tests pass (`rake test`)
+6. **Run** the full test suite including compliance tests
+7. **Commit** your changes with clear, descriptive messages
+8. **Push** to your branch (`git push origin my-new-feature`)
+9. **Create** a Pull Request with a clear description
+
+## Development Setup
+
+### Prerequisites
+
+- Ruby 3.1 or higher
+- Bundler gem
+
+### Setup
+
+```bash
+git clone https://github.com/package-url/purl-ruby.git
+cd purl-ruby
+bundle install
+```
+
+### Running Tests
+
+```bash
+# Run all tests
+rake test
+
+# Run PURL specification compliance tests
+rake spec:compliance
+
+# Validate JSON schemas
+rake spec:validate_schemas
+
+# Validate PURL examples
+rake spec:validate_examples
+
+# Show all available tasks
+rake -T
+```
+
+### Coding Standards
+
+- Follow Ruby best practices and conventions
+- Use meaningful variable and method names
+- Add documentation for public methods
+- Keep methods focused and concise
+- Follow the existing code style
+
+### Testing Requirements
+
+All contributions must include appropriate tests:
+
+- **Unit tests** for new functionality
+- **Integration tests** for feature interactions
+- **Compliance tests** must continue to pass
+- **Example validation** for any new PURL examples
+
+### Documentation
+
+- Update the README.md if adding new features
+- Add inline documentation for complex methods
+- Update CHANGELOG.md following the format
+- Include examples in documentation
+
+## Project Structure
+
+```
+├── lib/
+│   ├── purl.rb              # Main module
+│   └── purl/
+│       ├── errors.rb        # Error classes
+│       ├── package_url.rb   # Core PURL parsing
+│       └── registry_url.rb  # Registry URL handling
+├── test/                    # Test files
+├── schemas/                 # JSON schemas
+├── purl-types.json         # Package types configuration
+└── test-suite-data.json    # Official test cases
+```
+
+## Adding New Package Types
+
+To add support for a new package type:
+
+1. **Add type definition** to `purl-types.json`
+2. **Include examples** from the official specification
+3. **Add registry configuration** if applicable
+4. **Update tests** to verify the new type
+5. **Run validation** to ensure compliance
+
+## JSON Schema Updates
+
+When modifying JSON files:
+
+1. **Validate** against schemas: `rake spec:validate_schemas`
+2. **Update schemas** if structure changes
+3. **Test examples** are valid: `rake spec:validate_examples`
+
+## PURL Specification Compliance
+
+This library maintains 100% compliance with the official PURL specification:
+
+- All changes must maintain compliance
+- Run `rake spec:compliance` before submitting
+- New features should align with the spec
+- Report spec issues upstream when discovered
+
+## Release Process
+
+Releases are handled by maintainers:
+
+1. Update version in `lib/purl/version.rb`
+2. Update `CHANGELOG.md` with changes
+3. Run full test suite
+4. Create release tag
+5. Publish to RubyGems
+
+## Getting Help
+
+- **Issues**: Use GitHub issues for bugs and feature requests
+- **Discussions**: Use GitHub discussions for questions
+- **Security**: Follow our [Security Policy](SECURITY.md)
+
+## Recognition
+
+Contributors will be recognized in:
+- Git commit history
+- CHANGELOG.md for significant contributions
+- Project documentation where appropriate
+
+## License
+
+By contributing to Purl, you agree that your contributions will be licensed under the [MIT License](LICENSE).
+
+Thank you for contributing to make Purl better for everyone!

README.md

@@ -1,10 +1,10 @@
 # Purl - Package URL Parser for Ruby
 
-A comprehensive Ruby library for parsing, validating, and working with Package URLs (PURLs) as defined by the [PURL specification](https://github.com/package-url/purl-spec).
+A Ruby library for parsing, validating, and generating Package URLs (PURLs) as defined by the [PURL specification](https://github.com/package-url/purl-spec).
 
-This library provides better error handling than existing solutions with namespaced error types, bidirectional registry URL conversion, and JSON-based configuration for cross-language compatibility.
+This library features comprehensive error handling with namespaced error types, bidirectional registry URL conversion, and JSON-based configuration for cross-language compatibility.
 
-[![Ruby](https://img.shields.io/badge/ruby-%3E%3D%202.7-red.svg)](https://www.ruby-lang.org/)
+[![Ruby](https://img.shields.io/badge/ruby-%3E%3D%203.1-red.svg)](https://www.ruby-lang.org/)
 [![Gem Version](https://badge.fury.io/rb/purl.svg)](https://rubygems.org/gems/purl)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
 

SECURITY.md

@@ -0,0 +1,164 @@
+# Security Policy
+
+## Supported Versions
+
+We actively support and provide security updates for the following versions:
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 1.x.x   | :white_check_mark: |
+| < 1.0   | :x:                |
+
+## Reporting a Vulnerability
+
+The Purl team takes security seriously. If you discover a security vulnerability, please follow these steps:
+
+### 1. Do NOT Create a Public Issue
+
+Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.
+
+### 2. Report Privately
+
+Send a detailed report to **[email protected]** with:
+
+- **Subject**: `[SECURITY] Purl Ruby - [Brief Description]`
+- **Description** of the vulnerability
+- **Steps to reproduce** the issue
+- **Potential impact** assessment
+- **Suggested fix** (if you have one)
+- **Your contact information** for follow-up
+
+### 3. What to Include
+
+Please provide as much information as possible:
+
+```
+- Affected versions
+- Attack vectors
+- Proof of concept (if safe to share)
+- Environmental details (Ruby version, OS, etc.)
+- Any relevant configuration details
+```
+
+## Response Process
+
+### Initial Response
+
+- **24-48 hours**: We will acknowledge receipt of your report
+- **Initial assessment**: Within 1 week of acknowledgment
+- **Status updates**: Weekly until resolution
+
+### Investigation
+
+We will:
+1. **Confirm** the vulnerability exists
+2. **Assess** the severity and impact
+3. **Develop** a fix and mitigation strategy
+4. **Test** the fix thoroughly
+5. **Coordinate** disclosure timeline
+
+### Resolution
+
+- **High/Critical**: Immediate fix and release
+- **Medium**: Fix within 30 days
+- **Low**: Fix in next regular release cycle
+
+## Security Considerations
+
+### Input Validation
+
+The Purl library processes Package URL strings and performs:
+
+- **Scheme validation**: Ensures proper `pkg:` prefix
+- **Component parsing**: Validates type, namespace, name, version
+- **URI encoding**: Handles percent-encoded characters
+- **Qualifier parsing**: Processes key-value parameters
+
+### Potential Risk Areas
+
+Areas that warrant security attention:
+
+1. **URL Parsing**: Malformed URLs could cause parsing errors
+2. **Regular Expressions**: Complex patterns may be vulnerable to ReDoS
+3. **JSON Processing**: Configuration files require safe parsing
+4. **Network Requests**: Registry URL generation involves external URLs
+
+### Safe Usage Practices
+
+When using Purl in applications:
+
+- **Validate input**: Don't trust user-provided PURL strings
+- **Handle errors**: Properly catch and handle parsing exceptions
+- **Sanitize output**: Be careful when displaying parsed components
+- **Rate limiting**: If parsing many PURLs, implement appropriate limits
+
+## Disclosure Policy
+
+### Coordinated Disclosure
+
+We follow coordinated disclosure principles:
+
+1. **Private reporting** allows us to fix issues before public disclosure
+2. **Reasonable timeline** for fixes (typically 90 days maximum)
+3. **Credit and recognition** for responsible reporters
+4. **Public disclosure** after fixes are available
+
+### Public Disclosure
+
+After a fix is released:
+
+1. **Security advisory** published on GitHub
+2. **CVE requested** if applicable
+3. **Release notes** include security information
+4. **Community notification** through appropriate channels
+
+## Security Updates
+
+### Notification Channels
+
+Security updates are announced through:
+
+- **GitHub Security Advisories**
+- **RubyGems security alerts**
+- **Release notes and CHANGELOG**
+- **Project README updates**
+
+### Update Recommendations
+
+To stay secure:
+
+- **Monitor** our security advisories
+- **Update regularly** to the latest version
+- **Review** release notes for security fixes
+- **Subscribe** to GitHub notifications for this repository
+
+## Bug Bounty
+
+Currently, we do not offer a formal bug bounty program. However, we deeply appreciate security researchers who help improve the project's security posture.
+
+### Recognition
+
+Contributors who responsibly disclose security issues will be:
+
+- **Credited** in security advisories (with permission)
+- **Mentioned** in release notes
+- **Recognized** in project documentation
+- **Thanked** publicly (unless anonymity is requested)
+
+## Contact Information
+
+**Security Contact**: [email protected]
+
+**PGP Key**: Available upon request for encrypted communications
+
+**Response Time**: We aim to acknowledge security reports within 24-48 hours
+
+## Additional Resources
+
+- [PURL Specification Security Considerations](https://github.com/package-url/purl-spec)
+- [Ruby Security Best Practices](https://guides.rubyonrails.org/security.html)
+- [OWASP Secure Coding Practices](https://owasp.org/www-project-secure-coding-practices-quick-reference-guide/)
+
+---
+
+Thank you for helping keep Purl and its users safe!

purl.gemspec

@@ -9,8 +9,10 @@ Gem::Specification.new do |spec|
   spec.email = ["[email protected]"]
 
   spec.summary = "Parse and convert package urls (purls)"
+  spec.description = "This library features comprehensive error handling with namespaced error types, bidirectional registry URL conversion, and JSON-based configuration for cross-language compatibility.
+It supports 37 package types (32 official + 5 additional ecosystems) and is fully compliant with the official PURL specification test suite."
   spec.homepage = "https://github.com/andrew/purl"
-  spec.required_ruby_version = ">= 3.2.0"
+  spec.required_ruby_version = ">= 3.1.0"
 
   spec.metadata["allowed_push_host"] = "https://rubygems.org"
   spec.metadata["homepage_uri"] = spec.homepage