fix: golang PURL should include full module #4395
Conversation
Signed-off-by: Rez Moss <[email protected]>
There was a problem hiding this comment.
I did some digging into this, are you seeing this issue when scanning source code with go.mod or Go binaries?
I think the go.mod case should have a different fix, and I think the go binary case could also have a slightly different fix. I assume we are, in fact, using the packages library now to determine the go.mod case, which should be returning the correct modules, that match the go.mod, and similarly should just use those directly rather than being split to subpaths at all.
For go.mod, I think we should be using the full value we found in the go.mod or go.sum, not processing it to have any subpaths -- these are modules already. The subpath from the PURL spec is "used to point to a subpath inside a package" -- package, not module.
For the binary case, we could think about extending the online license lookup to include identification of the module paths (not asking for this as part of your PR here), but default to a slightly different behavior that looks for a EDIT: I was conflating this with something else we're working on, but today with binaries, we also get module names, not packages, and these should similarly be used directly. At such time as we surface packages, we will have some additional metadata that may be output in a PURL subpath somewhere, but for all current processing we should use module names directly./v# anywhere within the path before falling back to <host>/<segment1>/<segment2>, though a package with /v# doesn't necessarily mean the module has that, we need the go.mod to be able to tell for sure, though I suspect most modules are good citizens and update when using this versioning scheme.
|
@kzantow t main issue the user reported in #4316 was about go.mod, not the go binary t purl returned something like "pkg:golang/github.com/golang-jwt/[email protected]#v5" but it should be "pkg:golang/github.com/golang-jwt/jwt/[email protected]" and this is the output from my implementation Before After to reproduce, just create a go.mod file and scan |
|
@rezmoss right, read the comment I left on the issue -- I think when reading |
Signed-off-by: Rez Moss <[email protected]>
|
@kzantow added new func to handle modules straight from go.mod, no processing needed, kept the original packageurl() for binary scan support, jwt/v5 and aws sdk edge cases are now handled |
|
I believe this PR will also partially fix the following Grype issues: |
* main: (76 commits) feat: snap can be queried by revision and ```track/risk/branch``` (#4439) fix: 4423 dotnet-deps cataloger skips project type by def signpost to docs site (#4483) chore(deps): bump github/codeql-action from 4.31.8 to 4.31.9 (#4481) chore(deps): bump github.com/goccy/go-yaml from 1.19.0 to 1.19.1 (#4482) Detect embedded deps.json in .NET binaries (#4375) chore(deps): bump actions/cache from 5.0.0 to 5.0.1 (#4476) chore(deps): bump actions/cache in /.github/actions/bootstrap (#4477) chore(deps): update tools to latest versions (#4473) unapply base path for resolver inbound requests (#4478) fix: golang PURL should include full module (#4395) fix:best effort to get the os info of an ELF binary (#4438) Improve PR template (#4472) feat: add support for Gemfile.next.lock (#4457) chore:cancel in-progress workflows for new commits on same PR (#4465) chore(deps): update tools to latest versions (#4466) chore(deps): bump github/codeql-action from 4.31.7 to 4.31.8 (#4468) chore(deps): bump actions/cache from 4.3.0 to 5.0.0 (#4469) chore(deps): bump github.com/anchore/stereoscope from 0.1.14 to 0.1.16 (#4470) chore(deps): bump actions/cache in /.github/actions/bootstrap (#4471) ... Signed-off-by: Christopher Phillips <[email protected]>
Description
fixed wrong go module purl when module paths had version suffixes like /v5
Type of change
Checklist: