pombredanne
commented
7 months ago There are some issue wrt. Go which is why we did not enable imports from the various datasources that provide Go vulnerability data.
Problem
Go is problematic as when we scan there is no universal way to find when a go package names ends and when a subpath stats. Hence creating a PURL is difficult because it may need to access the whole set of know packages to find what is the namespace/name of a package.
Context
Go vulnerabilities provide two types of vulnerabilities:
-
For Go system or "builtin" packages, there is a path and a Go SDK/runtime version and no package name For instance https://pkg.go.dev/vuln/GO-2023-2185
-
For other packages, there is a package name and separately a file path(s?) and symbols For instance https://pkg.go.dev/vuln/GO-2023-2115
Some other data sources may conflate the package and paths like in Gitlab where we have a package with and without "subpath" for the same vulneraility:
-
OSV is a copy of upstream https://pkg.go.dev/vuln/
-
Github does not track paths
Solution
For VulnerableCode, let's use the Go way for Go and we will not use path in a PURL namespace/name and not in a subpath.
Since at scan time, ScanCode and other tool may have a PURL with full paths instead, we will need to be smart about this in our API and UI code and have some special processing for Go.
In the future, we may need to evolve refinements of the PURL spec to always include paths in the name or never include it like today with subpath.
TG1999
See https://github.com/golang/vulndb/blob/master/reports/ This is a follow up from #466