Description
What happened:
I process a go.mod with a module statement like this:
module dev.azure.com/ab-cde/ABC/_git/repo-name.git/abcdef
A Syft-JSON SBOM is generated, the PURL is
pkg:golang/dev.azure.com/ab-cde/ABC#_git/repo-name.git/abcdef
The general part of the purl-spec defines subpath as 'Subpath within a package, relative to the package root', 'The subpath must be interpreted as relative to the root of the package'.
What you expected to happen:
The PURL should be constructed without subpath ('#').
Note from purl-spec: The current definition predates Go modules and has several practical problems, and in particular it is impossible to determine what is a module and what is a package short of having full access to the source code or making an API call to the Go module proxy.
Steps to reproduce the issue:
Create a go.mod with an Azure Repo compatible module statement and a fictive module having the same leading path + "/other_module" as given above and scan it.
Anything else we need to know?:
N/A
Environment:
- Output of syft version:
Windows (Win 11)
Application: syft
Version: 1.38.0
BuildDate: 2025-11-17T17:42:49Z
GitCommit: a033ae5
GitDescription: v1.38.0
Platform: windows/amd64
GoVersion: go1.25.4
Compiler: gc
SchemaVersion: 16.1.0
Linux (Debian wsl2)
Application: syft
Version: 1.38.0
BuildDate: 2025-11-17T17:42:49Z
GitCommit: a033ae5
GitDescription: v1.38.0
Platform: linux/amd64
GoVersion: go1.25.4
Compiler: gc
SchemaVersion: 16.1.0
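The split implied by the PURL reported above, next to a construction without a subpath, as an added example that is not part of the original issue and is not Syft's code. The function names are hypothetical, the three-segment rule is inferred from the reported output, and the sibling module path is constructed from the reproduction steps.

```go
package main

import (
	"fmt"
	"strings"
)

// splitThreeSegment reproduces the split implied by the reported PURL
// (an assumption inferred from the output, not Syft's source): first two
// segments are the namespace, the third is the name, the rest is the subpath.
func splitThreeSegment(module string) (namespace, name, subpath string) {
	fields := strings.Split(module, "/")
	if len(fields) < 3 {
		return splitWholeModule(module)
	}
	return strings.Join(fields[:2], "/"), fields[2], strings.Join(fields[3:], "/")
}

// splitWholeModule treats the full module path as the package identity:
// the last segment is the name, everything before it the namespace, no subpath.
func splitWholeModule(module string) (namespace, name, subpath string) {
	i := strings.LastIndex(module, "/")
	if i < 0 {
		return "", module, ""
	}
	return module[:i], module[i+1:], ""
}

// golangPURL renders an unversioned pkg:golang PURL. No percent-encoding is
// applied; the sample paths contain only characters that need none.
func golangPURL(namespace, name, subpath string) string {
	purl := "pkg:golang/" + name
	if namespace != "" {
		purl = "pkg:golang/" + namespace + "/" + name
	}
	if subpath != "" {
		purl += "#" + subpath
	}
	return purl
}

func main() {
	// Constructed inputs: the module from the report and a sibling module.
	base := "dev.azure.com/ab-cde/ABC/_git/repo-name.git/"
	for _, m := range []string{base + "abcdef", base + "other_module"} {
		fmt.Println(golangPURL(splitThreeSegment(m)), "vs", golangPURL(splitWholeModule(m)))
	}
}
```

With the three-segment split, both modules end up with the same namespace and name and differ only after the `#`, so any consumer that compares PURLs without the subpath sees them as one package.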