From e2c5bb7457ecdde357111ac974f626d465c1b3ee Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maximilian=20Comb=C3=BCchen?=
Date: Tue, 29 Aug 2023 09:45:01 +0200
Subject: [PATCH] fix: consider purl subpath when validating golang package
---
 src/core/validate-graph.ts | 10 +++++++++-
 test/core/validate-graph.test.ts | 24 ++++++++++++++++++++++++
 2 files changed, 33 insertions(+), 1 deletion(-)
diff --git a/src/core/validate-graph.ts b/src/core/validate-graph.ts
index da57e92..3ce4578 100644
--- a/src/core/validate-graph.ts
+++ b/src/core/validate-graph.ts
@@ -60,8 +60,16 @@ export function validatePackageURL(pkg: types.PkgInfo): void {
 );
 break;
+ case 'golang': {
+ let expected = purlPkg.namespace
+ ? `${purlPkg.namespace}/${purlPkg.name}`
+ : purlPkg.name;
+ if (purlPkg.subpath) expected += `/${purlPkg.subpath}`;
+ assert(pkg.name === expected, `name and packageURL name do not match`);
+ break;
+ }
+
 case 'composer':
- case 'golang':
 case 'npm':
 case 'swift':
 assert(
diff --git a/test/core/validate-graph.test.ts b/test/core/validate-graph.test.ts
index e59012a..185527a 100644
--- a/test/core/validate-graph.test.ts
+++ b/test/core/validate-graph.test.ts
@@ -158,6 +158,14 @@ describe('validatePackageURL', () => {
 purl: 'pkg:golang/foo@1.2.3',
 },
 ],
+ [
+ 'golang package with subpath',
+ {
+ name: 'github.com/foo/bar/pkg/baz',
+ version: '1.2.3',
+ purl: 'pkg:golang/github.com/foo/bar@1.2.3#pkg/baz',
+ },
+ ],
 ])('validates golang Purls: %s', (name, pkg) => {
 expect(() => validatePackageURL(pkg)).not.toThrow();
 });
@@ -179,6 +187,14 @@ describe('validatePackageURL', () => {
 purl: 'pkg:golang/google.golang.org/bar@1.2.3',
 },
 ],
+ [
+ 'package name does not match purl subpath',
+ {
+ name: 'bar/baz',
+ version: '1.2.3',
+ purl: 'pkg:golang/bar@1.2.3#pkg/baz',
+ },
+ ],
 [
 'package name does not include purl namespace',
 {
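Review bot: The new `golang` case duplicates the namespace/name join that the `composer`/`npm`/`swift` branch just below presumably still performs, so the two expectations can now drift apart; the whole computation is one expression, `const expected = [purlPkg.namespace, purlPkg.name, purlPkg.subpath].filter(Boolean).join('/');`, which keeps the same truthiness treatment of a missing namespace or subpath and could be shared with that branch. The assertion message is a template literal without any interpolation and reports neither value, so a failing validation is hard to diagnose; `` assert(pkg.name === expected, `name ${pkg.name} and packageURL name ${expected} do not match`); `` would fix both. A one-line comment above the case, `// Go import paths carry the purl subpath: namespace/name/subpath`, would explain why golang left the shared branch. Whether `purlPkg.subpath` arrives percent-decoded and stripped of empty, `.` and `..` segments as the purl spec requires is decided by the parser that builds `purlPkg` outside this hunk, so a percent-encoded or trailing-slash subpath is worth a test case. validatePackageURL starts and ends outside the hunk.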
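Review bot: The added positive case only exercises a subpath together with a namespace, while the negative cases in the next two hunks use a namespace-less purl (`pkg:golang/bar@1.2.3#pkg/baz`), so the namespace-less join of the new `golang` case is never shown to accept anything. One more entry in this table, with `name: 'bar/pkg/baz'` against that same purl, would pin that path. The enclosing `describe` block begins and ends outside the hunk.
```typescript
    [
      'golang package with subpath and no namespace',
      {
        name: 'bar/pkg/baz',
        version: '1.2.3',
        purl: 'pkg:golang/bar@1.2.3#pkg/baz',
      },
    ],
```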
@@ -187,6 +203,14 @@ describe('validatePackageURL', () => {
 purl: 'pkg:golang/google.golang.org/bar@1.2.3',
 },
 ],
+ [
+ 'package name does not include purl subpath',
+ {
+ name: 'bar',
+ version: '1.2.3',
+ purl: 'pkg:golang/bar@1.2.3#pkg/baz',
+ },
+ ],
 ])('should throw on invalid purl: %s', (name, pkg) => {
 expect(() => validatePackageURL(pkg)).toThrow();
 });