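// Copyright 2024 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package openvex

import (
	"net/url"
	"strings"

	"golang.org/x/vuln/internal/govulncheck"
)

// The PURL is printed as: pkg:golang/MODULE_PATH@VERSION
// Conceptually there is no namespace and the name is entirely defined by
// the module path. See https://github.com/package-url/purl-spec/issues/63
// for further discussion.
//
// Note: despite its name, suffix is the scheme+type prefix that every
// generated purl starts with.
const suffix = "pkg:golang/"

// purl is the minimal set of fields needed to print a golang package URL.
type purl struct {
	name    string // full Go module path, e.g. "github.com/foo/bar"
	version string // module version; omitted from the output when empty
}

// String renders p as "pkg:golang/<name>[@<version>]".
//
// Both the name and the version are percent-encoded as a single path
// segment: '/' inside the module path becomes "%2F" (there is no purl
// namespace, see the comment on suffix), and reserved characters such as
// '?' or '#' inside a version cannot be mistaken for the start of purl
// qualifiers or a subpath. Ordinary semver and pseudo-versions
// ("v1.2.3", "v0.0.0-20240101000000-abcdef123456", "v2.0.0+incompatible")
// are left unchanged by the encoding.
func (p *purl) String() string {
	var b strings.Builder
	b.WriteString(suffix)
	b.WriteString(url.PathEscape(p.name))
	if p.version != "" {
		b.WriteString("@")
		b.WriteString(url.PathEscape(p.version))
	}
	return b.String()
}

// purlFromFinding takes a govulncheck finding and generates a purl to the
// vulnerable dependency.
//
// The module path and version are taken from the first frame of the
// finding's trace, which govulncheck populates with the vulnerable module.
// A nil finding or one without any trace frames yields the empty string
// rather than a panic, so a malformed finding cannot take down the whole
// document encoder; callers should treat "" as "no product identifier".
func purlFromFinding(f *govulncheck.Finding) string {
	if f == nil || len(f.Trace) == 0 {
		return ""
	}
	p := purl{
		name:    f.Trace[0].Module,
		version: f.Trace[0].Version,
	}
	return p.String()
}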