Add new spec for go package URLs
#338
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
|
|
@@ -297,6 +297,22 @@ github | |||||
| pkg:github/package-url/purl-spec@244fd47e07d1004 | ||||||
| pkg:github/package-url/purl-spec@244fd47e07d1004#everybody/loves/dogs | ||||||
|
|
||||||
| go | ||||||
| ------ | ||||||
| ``go`` for Go modules: | ||||||
|
|
||||||
| - The ``namespace`` field is empty and implies the go mod proxy. | ||||||
| - The ``name`` will be the full module path. | ||||||
|
There was a problem hiding this comment. This should probably specify that it is case sensitive. There was a problem hiding this comment. Exactly. this is what the whole #308 is about. There was a problem hiding this comment.
Suggested change
this change would close #308 There was a problem hiding this comment.
I don't think this is correct.
There was a problem hiding this comment. re 1: I see. i was wrong there. Adjusted my suggestion for the protocol. There was a problem hiding this comment. As far as Go is concerned, it's usually a host-part but it has additional restrictions and it is case sensitive: https://go.dev/ref/mod#go-mod-file-ident There was a problem hiding this comment. I see. I will modify my change-suggestion accordingly. does it fit better, now? |
||||||
| - The ``subpath`` will represent the package path within a module. | ||||||
|
There was a problem hiding this comment.
Suggested change
|
||||||
| - The ``version`` will be a valid go version or pseudoversion, or empty. | ||||||
|
There was a problem hiding this comment.
Suggested change
|
||||||
| - Additional Build information for binaries can be included as ``qualifiers`` (i.e VCS info, go version info, GoArch/GoOS info etc) | ||||||
|
There was a problem hiding this comment. The additional information should be explicitly defined here. There was a problem hiding this comment. exactlty. be specific in the spec, so we all are on the same page. |
||||||
| - Examples:: | ||||||
|
|
||||||
| pkg:go/google.golang.org%2Fgenproto#googleapis/api/annotations | ||||||
| pkg:go/github.com%2Fjmorion%[email protected]#api | ||||||
| pkg:go/golang.org%2Fx%2Fvuln?goversion=1.23.2&vcs=git&vcs_modified=true#cmd/govulncheck | ||||||
|
There was a problem hiding this comment. There is a likely problem with the use of subpath: there is no way to determine where the module ends and the package starts in the general case, is there? There was a problem hiding this comment. There is a way, if the module's code is available to you, to determine from a package import where module path ends and the package path begins by making HTTP requests. I think the use of the subpath here is good because it puts the burden of determining this on whatever generates the PURL, which is likely aware of Go and either has the module paths or is most likely to be able to find the module path from the full package path. Then if you want to use a tool that checks PURLs against a database of information about modules (eg vulnerabilities), the tool already has all the information it needs. Otherwise, either the tool would need to make external API calls to figure out the module path of the PURL or the database would need to have an entry for every package in the module. There was a problem hiding this comment. Just to add to @matt-phylum's comment. If a tool is producing a PURL for a Go artifact, then it can use There was a problem hiding this comment. I don't believe this is true for the general use case of PURLs. E.g. we do static analysis of binaries and while we can get information about linked packages, there's no indication of which part of the paths correspond to modules There was a problem hiding this comment. Right, if you are looking at a Go symbol from the symbol table, you can get its package. You can get the module correctly by prefix-matching it with module information from There was a problem hiding this comment. Is the plan to include all the buildinfo structure as qualifiers? There was a problem hiding this comment. good point. currently it reads:
I am afraid this documentation is insufficient. |
||||||
| pkg:go/golang.org%2Fx%[email protected]?goversion=1.23.2#cmd/govulncheck | ||||||
|
There was a problem hiding this comment. Are the Go module versions always to be prefixed with a There was a problem hiding this comment.
There was a problem hiding this comment. A pseudoversion is a special kind of version that also starts with a v: https://go.dev/doc/modules/version-numbers#pseudo-version-number I think for Go modules, including when using the Go module system to refer to something that predates modules, the version always starts with a v. In which case, versions that don't start with v would only be used with older tools like Dep? There was a problem hiding this comment. If a version exists, it should be a valid Go module version. It should start with a Note that hashes should not be permitted, they are not a valid Go version (resolution of hash commits in go tooling is a convenience feature). |
||||||
|
|
||||||
| golang | ||||||
| ------ | ||||||
| ``golang`` for Go packages: | ||||||
|
|
||||||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is the field empty or does it imply the go mod proxy? It can't be both.