fix(api): handle golang subpath (#2967)

Related issue: https://github.com/google/osv-scanner/issues/1428 Added support for Go module PURL strings containing `subpath`
google · Dec 9, 2024 · 4d98169 · 4d98169
1 parent ba5235a
commit 4d98169
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 15 deletions.
diff --git a/gcp/api/server.py b/gcp/api/server.py
@@ -734,26 +734,28 @@ def do_query(query: osv_service_v1_pb2.Query,
           'Invalid PURL.',
       )
 
-    if purl is None:
-      # TODO(gongh@): Previously, we didn't perform any PURL validation.
-      # All unsupported PURL queries would simply return a 200
-      # status code with an empty response.
-      # To avoid breaking existing behavior,
-      # we return an empty response here with no error.
-      # This needs to be revisited with a more considerate design.
-      return [], None
-
     if package_name:  # Purls already include the package name
       context.service_context.abort(
           grpc.StatusCode.INVALID_ARGUMENT,
           'name specified in a PURL query',
       )
+
     if ecosystem:
       # Purls already include the ecosystem inside
       context.service_context.abort(
           grpc.StatusCode.INVALID_ARGUMENT,
           'ecosystem specified in a PURL query',
       )
+
+    if purl is None:
+      # TODO(gongh@): Previously, we didn't perform any PURL validation.
+      # All unsupported PURL queries would simply return a 200
+      # status code with an empty response.
+      # To avoid breaking existing behavior,
+      # we return an empty response here with no error.
+      # This needs to be revisited with a more considerate design.
+      return [], None
+
     if purl.version and version:
       # version included both in purl and query
       context.service_context.abort(
@@ -763,7 +765,8 @@ def do_query(query: osv_service_v1_pb2.Query,
 
     ecosystem = purl.ecosystem
     package_name = purl.package
-    version = purl.version
+    if purl.version:
+      version = purl.version
 
   if ecosystem and not ecosystems.get(ecosystem):
     context.service_context.abort(grpc.StatusCode.INVALID_ARGUMENT,

diff --git a/osv/purl_helpers.py b/osv/purl_helpers.py
@@ -132,12 +132,20 @@ def parse_purl(purl_str: str) -> ParsedPURL | None:
 
   # For ecosystems with optional namespaces, the namespace might need to be
   # included as part of the package name.
-  if purl.type in ('composer', 'golang', 'hex', 'npm',
-                   'swift') and purl.namespace:
-    package = purl.namespace + '/' + purl.name
-  elif purl.type == 'maven' and purl.namespace:
-    package = purl.namespace + ':' + purl.name
+  if purl.namespace:
+    if purl.type == 'golang':
+      package = purl.namespace + '/' + purl.name
+      if purl.subpath:
+        package = package + '/' + purl.subpath
+    elif purl.type in ('composer', 'hex', 'npm', 'swift'):
+      package = purl.namespace + '/' + purl.name
+    elif purl.type == 'maven':
+      package = purl.namespace + ':' + purl.name
+    else:
+      # Handle the case where the ecosystem shouldn't have a namespace.
+      return None
   else:
+    # Handle the case where the namespace is not supported.
     return None
 
   return ParsedPURL(ecosystem, package, version)
diff --git a/osv/purl_helpers_test.py b/osv/purl_helpers_test.py
@@ -163,6 +163,10 @@ def test_parse_purl(self):
                      purl_helpers.parse_purl(
                          'pkg:golang/github.com/treeverse/[email protected]'))
 
+    self.assertEqual(
+        ('Go', 'github.com/jackc/pgx/v5', 'v5.6.0'),
+        purl_helpers.parse_purl('pkg:golang/github.com/jackc/[email protected]#v5'))
+
     self.assertEqual(('Hackage', 'process', None),
                      purl_helpers.parse_purl('pkg:hackage/process'))