Merge pull request #112 from snyk/fix/validate-golang-purl

fix: consider purl subpath when validating golang package
snyk · Aug 29, 2023 · 2f3203e · 2f3203e
2 parents 58ab39c + e2c5bb7
commit 2f3203e
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 1 deletion.
diff --git a/src/core/validate-graph.ts b/src/core/validate-graph.ts
@@ -60,8 +60,16 @@ export function validatePackageURL(pkg: types.PkgInfo): void {
         );
         break;
 
+      case 'golang': {
+        let expected = purlPkg.namespace
+          ? `${purlPkg.namespace}/${purlPkg.name}`
+          : purlPkg.name;
+        if (purlPkg.subpath) expected += `/${purlPkg.subpath}`;
+        assert(pkg.name === expected, `name and packageURL name do not match`);
+        break;
+      }
+
       case 'composer':
-      case 'golang':
       case 'npm':
       case 'swift':
         assert(

diff --git a/test/core/validate-graph.test.ts b/test/core/validate-graph.test.ts
@@ -158,6 +158,14 @@ describe('validatePackageURL', () => {
           purl: 'pkg:golang/foo@1.2.3',
         },
       ],
+      [
+        'golang package with subpath',
+        {
+          name: 'github.com/foo/bar/pkg/baz',
+          version: '1.2.3',
+          purl: 'pkg:golang/github.com/foo/bar@1.2.3#pkg/baz',
+        },
+      ],
     ])('validates golang Purls: %s', (name, pkg) => {
       expect(() => validatePackageURL(pkg)).not.toThrow();
     });
@@ -179,6 +187,14 @@ describe('validatePackageURL', () => {
           purl: 'pkg:golang/google.golang.org/bar@1.2.3',
         },
       ],
+      [
+        'package name does not match purl subpath',
+        {
+          name: 'bar/baz',
+          version: '1.2.3',
+          purl: 'pkg:golang/bar@1.2.3#pkg/baz',
+        },
+      ],
       [
         'package name does not include purl namespace',
         {
@@ -187,6 +203,14 @@ describe('validatePackageURL', () => {
           purl: 'pkg:golang/google.golang.org/bar@1.2.3',
         },
       ],
+      [
+        'package name does not include purl subpath',
+        {
+          name: 'bar',
+          version: '1.2.3',
+          purl: 'pkg:golang/bar@1.2.3#pkg/baz',
+        },
+      ],
     ])('should throw on invalid purl: %s', (name, pkg) => {
       expect(() => validatePackageURL(pkg)).toThrow();
     });