
Conversation

goatwu1993

@goatwu1993 goatwu1993 commented Jul 31, 2025

Description

Fix anchore/grype#2838

https://pkg.go.dev/github.com/hashicorp/vault/api/auth/kubernetes@v0.9.0 is a package without vulnerability.

It is different from https://pkg.go.dev/github.com/hashicorp/vault@v0.9.0 which is vulnerable.

syft produces a purl like pkg:golang/github.com/hashicorp/vault@v0.9.0#api/auth/kubernetes, which I believe is correct.

However when running

grype 'pkg:golang/github.com/hashicorp/vault@v0.9.0#api/auth/kubernetes'
 ✔ Scanned for vulnerabilities     [0 vulnerability matches]
   ├── by severity: 0 critical, 7 high, 10 medium, 1 low, 0 negligible
   └── by status:   18 fixed, 0 not-fixed, 0 ignored
NAME                        INSTALLED  FIXED IN  TYPE       VULNERABILITY        SEVERITY  EPSS           RISK
github.com/hashicorp/vault  v0.9.0     1.2.5     go-module  GHSA-fp52-qw33-mfmw  High      1.0% (76th)    0.8
github.com/hashicorp/vault  v0.9.0     1.2.5     go-module  GHSA-4mp7-2m29-gqxf  High      0.9% (74th)    0.7
github.com/hashicorp/vault  v0.9.0     1.6.6     go-module  GHSA-6239-28c2-9mrm  Medium    0.6% (68th)    0.3
github.com/hashicorp/vault  v0.9.0     1.13.5    go-module  GHSA-9v3w-w2jh-4hff  Medium    0.6% (67th)    0.3
github.com/hashicorp/vault  v0.9.0     1.11.11   go-module  GHSA-gq98-53rq-qr5h  Medium    0.5% (64th)    0.2
github.com/hashicorp/vault  v0.9.0     1.13.10   go-module  GHSA-4qhc-v8r6-8vwm  High      0.3% (51st)    0.2
github.com/hashicorp/vault  v0.9.0     1.18.0    go-module  GHSA-rr8j-7w34-xp5j  High      0.2% (37th)    0.1
github.com/hashicorp/vault  v0.9.0     1.3.4     go-module  GHSA-m979-w9wj-qfj9  Medium    0.2% (44th)    0.1
github.com/hashicorp/vault  v0.9.0     1.13.0    go-module  GHSA-86c6-3g63-5w64  High      0.1% (34th)    0.1
github.com/hashicorp/vault  v0.9.0     1.10.11   go-module  GHSA-wmg5-g953-qqfw  High      0.1% (29th)    < 0.1
github.com/hashicorp/vault  v0.9.0     1.11.9    go-module  GHSA-v3hp-mcj5-pg39  Medium    < 0.1% (26th)  < 0.1
github.com/hashicorp/vault  v0.9.0     1.9.10    go-module  GHSA-9mh8-9j64-443f  Medium    < 0.1% (27th)  < 0.1
github.com/hashicorp/vault  v0.9.0     1.7.5     go-module  GHSA-qv95-g3gm-x542  Low       0.1% (36th)    < 0.1
github.com/hashicorp/vault  v0.9.0     1.11.9    go-module  GHSA-hwc3-3qh6-r4gg  Medium    < 0.1% (18th)  < 0.1
github.com/hashicorp/vault  v0.9.0     1.11.9    go-module  GHSA-vq4h-9ghm-qmrr  Medium    < 0.1% (7th)   < 0.1
github.com/hashicorp/vault  v0.9.0     1.16.0    go-module  GHSA-j2rp-gmqv-frhv  Medium    < 0.1% (5th)   < 0.1
github.com/hashicorp/vault  v0.9.0     1.14.10   go-module  GHSA-r3w7-mfpm-c2vw  High      < 0.1% (2nd)   < 0.1
github.com/hashicorp/vault  v0.9.0     1.19.3    go-module  GHSA-gcqf-f89c-68hv  Medium    < 0.1% (1st)   < 0.1

It does not handle the subpath; it interprets the purl as name github.com/hashicorp/vault and version v0.9.0, and therefore reports vulnerabilities such as CVE-2020-16250.

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (please discuss with the team first; Syft is 1.0 software and we won't accept breaking changes without going to 2.0)
  • Documentation (updates the documentation)
  • Chore (improve the developer experience, fix a test flake, etc, without changing the visible behavior of Syft)
  • Performance (make Syft run faster or use less memory, without changing visible behavior much)

Checklist:

  • I have added unit tests that cover changed behavior
  • I have tested my code in common scenarios and confirmed there are no regressions
  • I have added comments to my code, particularly in hard-to-understand sections

@goatwu1993 goatwu1993 force-pushed the fix/fix-go-purl-with-subpath-to-syft-package-name-error branch 4 times, most recently from 580d144 to 8779f8e on July 31, 2025 07:55
@goatwu1993
Author

goatwu1993 commented Aug 11, 2025

@kzantow any chance this gets reviewed/merged?

@goatwu1993 goatwu1993 force-pushed the fix/fix-go-purl-with-subpath-to-syft-package-name-error branch from 8779f8e to dddce0e on August 11, 2025 03:24
@spiffcs
Contributor

spiffcs commented Aug 13, 2025

TY for the PR @goatwu1993 - I added a comment here on the original issue:
anchore/grype#2838 (comment)

Could you follow up there and show me how you got an SBOM that produced this PURL pkg:golang/github.com/hashicorp/vault@v0.9.0#api/auth/kubernetes

I don't think that PURL is correct and I would expect just two separate syft packages (go modules) to be in the SBOM:

github.com/hashicorp/vault
github.com/hashicorp/vault/api/auth/kubernetes

@goatwu1993
Author

@spiffcs how to reproduce

# init a minimal go dir
go mod init app
go get github.com/hashicorp/vault/api/auth/kubernetes@v0.9.0

# use syft to scan the dir
syft . -o json=syft.json
cat syft.json

@spiffcs
minimal example here
https://github.com/goatwu1993/syft-go-submodule-example

@goatwu1993 goatwu1993 force-pushed the fix/fix-go-purl-with-subpath-to-syft-package-name-error branch from ef31469 to dddce0e on August 22, 2025 03:59
@goatwu1993
Author

@spiffcs I found the original PR that explains why there is a subpath.

#2547

@goatwu1993
Author

goatwu1993 commented Aug 27, 2025

@spiffcs so is the go purl subpath valid?

I think #2547 expects the purl name to be the project/repo name. Also the purl spec says that go purls may have a subpath.

So I think there are two options

1. grype supports purls with subpath

keep syft behavior and generate purls like pkg:golang/github.com/hashicorp/vault@v0.9.0#api/auth/kubernetes

grype support

  1. pkg:golang/github.com/hashicorp/vault@v0.9.0#api/auth/kubernetes
  2. pkg:golang/github.com/hashicorp/vault/api/auth/kubernetes@v0.9.0

Which is this PR

2. syft generates purls without subpath

syft generates purls like

  1. pkg:golang/github.com/hashicorp/vault/api/auth/kubernetes@v0.9.0

instead of

  1. pkg:golang/github.com/hashicorp/vault@v0.9.0#api/auth/kubernetes

grype support

  1. pkg:golang/github.com/hashicorp/vault/api/auth/kubernetes@v0.9.0

this kind of purl only (which is already done). This means reverting #2547

I personally prefer 1. since

  1. subpath is also in the purl spec

  2. it keeps backward compatibility (old purls with subpath work)
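For readers following the discussion above (the PR description's false-positive analysis and option 1 in this comment), here is an added illustration, written for this page and not code from syft, grype or this PR, of what "support purls with subpath" means in practice: a small parser that splits a pkg:golang purl into namespace/name, version and subpath, and a helper that rebuilds the Go module path the purl really identifies. The type and function names (goPurl, ParseGolangPurl, ModulePath, NaiveModulePath) are assumptions for the example; the purls are the ones quoted on this page.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// goPurl is the decomposed form of a pkg:golang purl (example type, not
// the syft/grype representation): namespace/name, version and the
// optional subpath that follows '#'.
type goPurl struct {
	Namespace string
	Name      string
	Version   string
	Subpath   string
}

// ParseGolangPurl splits a pkg:golang purl into its components following
// the purl separators: '#' introduces the subpath, '?' the qualifiers
// (dropped here), and the last '@' in the remaining string the version.
func ParseGolangPurl(raw string) (goPurl, error) {
	const prefix = "pkg:golang/"
	if !strings.HasPrefix(raw, prefix) {
		return goPurl{}, errors.New("not a pkg:golang purl")
	}
	rest := strings.TrimPrefix(raw, prefix)

	var p goPurl
	if i := strings.Index(rest, "#"); i >= 0 {
		p.Subpath = strings.Trim(rest[i+1:], "/")
		rest = rest[:i]
	}
	if i := strings.Index(rest, "?"); i >= 0 {
		rest = rest[:i]
	}
	if i := strings.LastIndex(rest, "@"); i >= 0 {
		p.Version = rest[i+1:]
		rest = rest[:i]
	}
	// tolerate a stray trailing slash such as ".../vault/@v0.9.0"
	rest = strings.Trim(rest, "/")
	if rest == "" {
		return goPurl{}, errors.New("purl has no name")
	}
	if i := strings.LastIndex(rest, "/"); i >= 0 {
		p.Namespace, p.Name = rest[:i], rest[i+1:]
	} else {
		p.Name = rest
	}
	return p, nil
}

// NaiveModulePath ignores the subpath, which is the behaviour the PR
// description reports: both purls on this page collapse to the root module.
func (p goPurl) NaiveModulePath() string {
	if p.Namespace == "" {
		return p.Name
	}
	return p.Namespace + "/" + p.Name
}

// ModulePath appends the subpath, so a purl with '#api/auth/kubernetes'
// and a purl whose name already carries that path identify the same module.
func (p goPurl) ModulePath() string {
	path := p.NaiveModulePath()
	if p.Subpath != "" {
		path += "/" + p.Subpath
	}
	return path
}

func main() {
	// purls quoted on this page
	for _, raw := range []string{
		"pkg:golang/github.com/hashicorp/vault@v0.9.0#api/auth/kubernetes",
		"pkg:golang/github.com/hashicorp/vault/api/auth/kubernetes@v0.9.0",
		"pkg:golang/github.com/hashicorp/vault@v0.9.0",
	} {
		p, err := ParseGolangPurl(raw)
		if err != nil {
			fmt.Println(raw, "->", err)
			continue
		}
		fmt.Printf("%s\n  naive:   %s %s\n  subpath: %s %s\n",
			raw, p.NaiveModulePath(), p.Version, p.ModulePath(), p.Version)
	}
}
```

With the subpath honoured, both spellings of the kubernetes auth module resolve to github.com/hashicorp/vault/api/auth/kubernetes v0.9.0 and only the bare root purl resolves to github.com/hashicorp/vault, which is the distinction the vulnerability match needs to make.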

@goatwu1993
Author

@spiffcs any chance this gets merged? the subpath seems to be an expected feature of syft


Development

Successfully merging this pull request may close these issues.

False positive scanning purl pkg:golang/github.com/hashicorp/vault@v0.9.0#api/auth/kubernetes

2 participants