From 3a5d973d7cdee739cef28e1fa8948d1fe7fcdc6e Mon Sep 17 00:00:00 2001
From: Maceo Thompson
Date: Mon, 4 Nov 2024 13:13:24 -0500
Subject: [PATCH] Add new spec for `go` package URLs
---
 PURL-TYPES.rst | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/PURL-TYPES.rst b/PURL-TYPES.rst
index 2e8086d..0cb8fc4 100644
--- a/PURL-TYPES.rst
+++ b/PURL-TYPES.rst
@@ -297,6 +297,22 @@ github
 pkg:github/package-url/purl-spec@244fd47e07d1004
 pkg:github/package-url/purl-spec@244fd47e07d1004#everybody/loves/dogs
 
+go
+------
+``go`` for Go modules:
+
+- The ``namespace`` field is empty and implies the go mod proxy.
+- The ``name`` will be the full module path.
+- The ``subpath`` will represent the package path within a module.
+- The ``version`` will be a valid go version or pseudoversion, or empty.
+- Additional Build information for binaries can be included as ``qualifiers`` (i.e VCS info, go version info, GoArch/GoOS info etc)
+- Examples::
+
+ pkg:go/google.golang.org%2Fgenproto#googleapis/api/annotations
+ pkg:go/github.com%2Fjmorion%2Fsqlx@v1.1.2#api
+ pkg:go/golang.org%2Fx%2Fvuln?goversion=1.23.2&vcs=git&vcs_modified=true#cmd/govulncheck
+ pkg:go/golang.org%2Fx%2Fvuln@v1.1.3?goversion=1.23.2#cmd/govulncheck
+
 golang
 ------
 ``golang`` for Go packages: