// Copyright 2024 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package openvex
import (
"net/url"
"strings"
"golang.org/x/vuln/internal/govulncheck"
)
// A purl is rendered as pkg:golang/MODULE_PATH@VERSION.
//
// There is no separate namespace component: the module path as a whole is
// the name, so it is escaped as a single path segment (its slashes become
// %2F). See https://github.com/package-url/purl-spec/issues/63 for further
// discussion.
const suffix = "pkg:golang/"

// purl identifies a Go module, and optionally one version of it, in
// package-url form.
type purl struct {
	name    string // module path, e.g. golang.org/x/text
	version string // module version; empty means no version component
}

// String renders the purl. The module path is percent-encoded with
// url.PathEscape; the version, when set, is appended verbatim after "@".
func (p *purl) String() string {
	var sb strings.Builder
	sb.WriteString(suffix)
	sb.WriteString(url.PathEscape(p.name))
	if p.version == "" {
		return sb.String()
	}
	// NOTE(review): the version is not escaped, so values such as
	// "v1.0.0+incompatible" or pseudo-versions pass through unchanged.
	sb.WriteString("@")
	sb.WriteString(p.version)
	return sb.String()
}
// purlFromFinding builds the purl of the vulnerable dependency reported by
// a govulncheck finding.
//
// The module path and version are read from the first trace entry. An empty
// Trace panics on the index below; NOTE(review): callers are expected to pass
// findings with at least one trace entry — confirm at the call site.
func purlFromFinding(f *govulncheck.Finding) string {
	vulnerable := f.Trace[0]
	p := purl{name: vulnerable.Module, version: vulnerable.Version}
	return p.String()
}