go: valid purl but incorrect name #1737
Comments
|
Hi @Mikcl, thanks for the report. We have looked into this and there are definitely some edge cases around purl generation that affect us, and we aren't exactly sure how to handle them based on our read of the purl spec. We will put this into our backlog for further investigation. We'll keep an eye on your linked issue (package-url/purl-spec#63) -- it looks like there is some active discussion now, and we will watch for consensus there. Let us know if anything else comes up! |
|
Hi @tgerla , thanks for responding. The linked issue in package-url/purl-spec#63 has had more discussions. I think a lot of the "facts" and research has been mentioned in the issue. However it seems like there is no consesnus yet. I would image that the |
The purls syft generates for golang are valid but provide the incorrect name
Example:
https://pkg.go.dev/github.com/russross/blackfriday/v2@v2.1.0
Syft generates the purl:
pkg:golang/github.com/russross/blackfriday/v2@v2.1.0When parsed according to the purl spec, the namespace of this package is
github.com/russross/blackfridayand the name isv2You would expect the name (after decoding) to be
github.com/russross/blackfriday/v2rather than justv2The purl is incorrect as the name field is wrong.
The correct name field is:
Via https://go.dev/ref/mod
Via https://go.dev/doc/modules/gomod-ref
To work around this "bug", you could use the following formula to get the name.
but this is calculating the canonical name which syft should provide in the purl.
Every downstream user needing to workaround it (and the implications of possibly using the wrong name in databases/searches).
From reading the literature, it seems the action to take is to:
There is perhaps the question of what value a "namespace" would bring? however I think this is a mutually exclusive problem
For even more references see:
https://go.dev/doc/modules/developing
https://go.dev/doc/modules/managing-dependencies
The text was updated successfully, but these errors were encountered: