Open pombredanne opened 2 years ago
There are some issue wrt. Go which is why we did not enable imports from the various datasources that provide Go vulnerability data.
Go is problematic as when we scan there is no universal way to find when a go package names ends and when a subpath stats. Hence creating a PURL is difficult because it may need to access the whole set of know packages to find what is the namespace/name of a package.
Go vulnerabilities provide two types of vulnerabilities:
For Go system or "builtin" packages, there is a path and a Go SDK/runtime version and no package name For instance https://pkg.go.dev/vuln/GO-2023-2185
For other packages, there is a package name and separately a file path(s?) and symbols For instance https://pkg.go.dev/vuln/GO-2023-2115
Some other data sources may conflate the package and paths like in Gitlab where we have a package with and without "subpath" for the same vulneraility:
OSV is a copy of upstream https://pkg.go.dev/vuln/
Github does not track paths
For VulnerableCode, let's use the Go way for Go and we will not use path in a PURL namespace/name and not in a subpath.
Since at scan time, ScanCode and other tool may have a PURL with full paths instead, we will need to be smart about this in our API and UI code and have some special processing for Go.
In the future, we may need to evolve refinements of the PURL spec to always include paths in the name or never include it like today with subpath.
Note that in the future we will need to store paths and symbols to support reachability #1313
For example:
This is a go package - github.com/go-jose/go-jose/v3
This is a purl - "pkg:golang/github.com/go-jose/go-jose/v3@3.1.0"
type - "golang"
namespace - "github.com/go-jose/go-jose"
name - "v3"
version - "3.1.0"
See https://github.com/golang/vulndb/blob/master/reports/ This is a follow up from #466