Fix PURLToPackage function and move it (#439)

another-rex · web-flow · commit 36e5ed8119ce · 2023-07-13T11:24:49.000+10:00
Turns out our `PURLToPackage` function was returning incorrect results
for ecosystems that contain a namespace like golang, the returned result
was simply missing the full namespace (github.com/author/...). When
adding the namespace, there's also some exceptions with some ecosystems
(e.g. Maven uses `:`, debian and alpine repeats their name in their
namespace, etc).

This also moves the `PURLToPackage` to the `models` package instead of
`osvscanner`, deprecating the existing one in `osvscanner` because:
- Makes more sense, it actually has nothing to do with the scanner
itself, but is converting between PURLs and a structure under `model`.
- Prevents cyclic imports when used elsewhere (in the offline scanning
PR, and in the upcoming PURL parsing PR that I'm currently working on)

Also added additional tests to clarify behavior and prevent regressions
in the future.
diff --git a/cmd/osv-scanner/main_test.go b/cmd/osv-scanner/main_test.go
@@ -144,22 +144,22 @@ func TestRun(t *testing.T) {
 			wantStdout: `
 				Scanning dir ./fixtures/sbom-insecure/postgres-stretch.cdx.xml
 				Scanned %%/fixtures/sbom-insecure/postgres-stretch.cdx.xml as CycloneDX SBOM and found 136 packages
-				+-------------------------------------+------+-----------+---------+------------------------------------+-------------------------------------------------+
-				| OSV URL                             | CVSS | ECOSYSTEM | PACKAGE | VERSION                            | SOURCE                                          |
-				+-------------------------------------+------+-----------+---------+------------------------------------+-------------------------------------------------+
-				| https://osv.dev/DLA-3022-1          |      | Debian    | dpkg    | 1.18.25                            | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
-				| https://osv.dev/GHSA-v95c-p5hm-xq8f | 6    | Go        | runc    | v1.0.1                             | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
-				| https://osv.dev/GO-2022-0274        |      |           |         |                                    |                                                 |
-				| https://osv.dev/GHSA-f3fp-gc8g-vw66 | 5.9  | Go        | runc    | v1.0.1                             | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
-				| https://osv.dev/GHSA-g2j6-57v7-gm8c | 6.1  | Go        | runc    | v1.0.1                             | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
-				| https://osv.dev/GHSA-m8cg-xc2p-r3fc | 2.5  | Go        | runc    | v1.0.1                             | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
-				| https://osv.dev/GHSA-vpvm-3wq2-2wvm | 7    | Go        | runc    | v1.0.1                             | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
-				| https://osv.dev/GHSA-p782-xgp4-8hr8 | 5.3  | Go        | sys     | v0.0.0-20210817142637-7d9622a276b7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
-				| https://osv.dev/GO-2022-0493        |      |           |         |                                    |                                                 |
-				| https://osv.dev/DLA-3012-1          |      | Debian    | libxml2 | 2.9.4+dfsg1-2.2+deb9u6             | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
-				| https://osv.dev/DLA-3008-1          |      | Debian    | openssl | 1.1.0l-1~deb9u5                    | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
-				| https://osv.dev/DLA-3051-1          |      | Debian    | tzdata  | 2021a-0+deb9u3                     | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
-				+-------------------------------------+------+-----------+---------+------------------------------------+-------------------------------------------------+
+				+-------------------------------------+------+-----------+--------------------------------+------------------------------------+-------------------------------------------------+
+				| OSV URL                             | CVSS | ECOSYSTEM | PACKAGE                        | VERSION                            | SOURCE                                          |
+				+-------------------------------------+------+-----------+--------------------------------+------------------------------------+-------------------------------------------------+
+				| https://osv.dev/DLA-3022-1          |      | Debian    | dpkg                           | 1.18.25                            | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
+				| https://osv.dev/GHSA-v95c-p5hm-xq8f | 6    | Go        | github.com/opencontainers/runc | v1.0.1                             | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
+				| https://osv.dev/GO-2022-0274        |      |           |                                |                                    |                                                 |
+				| https://osv.dev/GHSA-f3fp-gc8g-vw66 | 5.9  | Go        | github.com/opencontainers/runc | v1.0.1                             | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
+				| https://osv.dev/GHSA-g2j6-57v7-gm8c | 6.1  | Go        | github.com/opencontainers/runc | v1.0.1                             | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
+				| https://osv.dev/GHSA-m8cg-xc2p-r3fc | 2.5  | Go        | github.com/opencontainers/runc | v1.0.1                             | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
+				| https://osv.dev/GHSA-vpvm-3wq2-2wvm | 7    | Go        | github.com/opencontainers/runc | v1.0.1                             | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
+				| https://osv.dev/GHSA-p782-xgp4-8hr8 | 5.3  | Go        | golang.org/x/sys               | v0.0.0-20210817142637-7d9622a276b7 | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
+				| https://osv.dev/GO-2022-0493        |      |           |                                |                                    |                                                 |
+				| https://osv.dev/DLA-3012-1          |      | Debian    | libxml2                        | 2.9.4+dfsg1-2.2+deb9u6             | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
+				| https://osv.dev/DLA-3008-1          |      | Debian    | openssl                        | 1.1.0l-1~deb9u5                    | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
+				| https://osv.dev/DLA-3051-1          |      | Debian    | tzdata                         | 2021a-0+deb9u3                     | fixtures/sbom-insecure/postgres-stretch.cdx.xml |
+				+-------------------------------------+------+-----------+--------------------------------+------------------------------------+-------------------------------------------------+
 			`,
 			wantStderr: "",
 		},
diff --git a/pkg/models/purl_to_package.go b/pkg/models/purl_to_package.go
@@ -0,0 +1,52 @@
+package models
+
+import (
+	"github.com/package-url/packageurl-go"
+)
+
+var purlEcosystems = map[string]Ecosystem{
+	"cargo":    EcosystemCratesIO,
+	"deb":      EcosystemDebian,
+	"hex":      EcosystemHex,
+	"golang":   EcosystemGo,
+	"maven":    EcosystemMaven,
+	"nuget":    EcosystemNuGet,
+	"npm":      EcosystemNPM,
+	"composer": EcosystemPackagist,
+	"generic":  EcosystemOSSFuzz,
+	"pypi":     EcosystemPyPI,
+	"gem":      EcosystemRubyGems,
+}
+
+// PURLToPackage converts a Package URL string to models.PackageInfo
+func PURLToPackage(purl string) (PackageInfo, error) {
+	parsedPURL, err := packageurl.FromString(purl)
+	if err != nil {
+		return PackageInfo{}, err
+	}
+	ecosystem, ok := purlEcosystems[parsedPURL.Type]
+	if !ok {
+		ecosystem = Ecosystem(parsedPURL.Type)
+	}
+
+	// PackageInfo expects the full namespace in the name for ecosystems that specify it.
+	name := parsedPURL.Name
+	if parsedPURL.Namespace != "" {
+		switch ecosystem { //nolint:exhaustive
+		case EcosystemMaven:
+			// Maven uses : to separate namespace and package
+			name = parsedPURL.Namespace + ":" + parsedPURL.Name
+		case EcosystemDebian, EcosystemAlpine:
+			// Debian and Alpine repeats their namespace in PURL, so don't add it to the name
+			name = parsedPURL.Name
+		default:
+			name = parsedPURL.Namespace + "/" + parsedPURL.Name
+		}
+	}
+
+	return PackageInfo{
+		Name:      name,
+		Ecosystem: string(ecosystem),
+		Version:   parsedPURL.Version,
+	}, nil
+}
diff --git a/pkg/models/purl_to_package_test.go b/pkg/models/purl_to_package_test.go
@@ -0,0 +1,88 @@
+package models_test
+
+import (
+	"reflect"
+	"testing"
+
+	"github.com/google/osv-scanner/pkg/models"
+)
+
+func TestPURLToPackage(t *testing.T) {
+	t.Parallel()
+	type args struct {
+		purl string
+	}
+	tests := []struct {
+		name    string
+		args    args
+		want    models.PackageInfo
+		wantErr bool
+	}{
+		{
+			name: "valid PURL",
+			args: args{
+				purl: "pkg:cargo/memoffset@0.6.1",
+			},
+			want: models.PackageInfo{
+				Name:      "memoffset",
+				Version:   "0.6.1",
+				Ecosystem: string(models.EcosystemCratesIO),
+			},
+		},
+		{
+			name: "valid PURL golang",
+			args: args{
+				purl: "pkg:golang/github.com/gogo/protobuf@5.6.0",
+			},
+			want: models.PackageInfo{
+				Name:      "github.com/gogo/protobuf",
+				Version:   "5.6.0",
+				Ecosystem: string(models.EcosystemGo),
+			},
+		},
+		{
+			name: "valid PURL maven",
+			args: args{
+				purl: "pkg:maven/org.hdrhistogram/HdrHistogram@2.1.12",
+			},
+			want: models.PackageInfo{
+				Name:      "org.hdrhistogram:HdrHistogram",
+				Version:   "2.1.12",
+				Ecosystem: string(models.EcosystemMaven),
+			},
+		},
+		{
+			name: "valid Debian maven",
+			args: args{
+				purl: "pkg:deb/debian/nginx@2.36.1-8+deb11u1",
+			},
+			want: models.PackageInfo{
+				Name:      "nginx",
+				Version:   "2.36.1-8+deb11u1",
+				Ecosystem: string(models.EcosystemDebian),
+			},
+		},
+		{
+			name: "invalid PURL",
+			args: args{
+				purl: "pkg-golang/github.com/gogo/protobuf.0",
+			},
+			want:    models.PackageInfo{},
+			wantErr: true,
+		},
+	}
+	for _, tt := range tests {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+			got, err := models.PURLToPackage(tt.args.purl)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("PURLToPackage() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("PURLToPackage() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
diff --git a/pkg/osvscanner/osvscanner.go b/pkg/osvscanner/osvscanner.go
@@ -244,7 +244,7 @@ func scanSBOMFile(r reporter.Reporter, query *osv.BatchedQuery, path string, fro
 		count := 0
 		ignoredCount := 0
 		err = provider.GetPackages(file, func(id sbom.Identifier) error {
-			_, err := PURLToPackage(id.PURL)
+			_, err := models.PURLToPackage(id.PURL)
 			if err != nil {
 				ignoredCount++
 				//nolint:nilerr
diff --git a/pkg/osvscanner/purl_to_package.go b/pkg/osvscanner/purl_to_package.go
@@ -2,36 +2,11 @@ package osvscanner
 
 import (
 	"github.com/google/osv-scanner/pkg/models"
-	"github.com/package-url/packageurl-go"
 )
 
-var purlEcosystems = map[string]string{
-	"cargo":    "crates.io",
-	"deb":      "Debian",
-	"hex":      "Hex",
-	"golang":   "Go",
-	"maven":    "Maven",
-	"nuget":    "NuGet",
-	"npm":      "npm",
-	"composer": "Packagist",
-	"generic":  "OSS-Fuzz",
-	"pypi":     "PyPI",
-	"gem":      "RubyGems",
-}
-
+// PURLToPackage converts a Package URL string to models.PackageInfo
+//
+// Deprecated: Use the PURLToPackage in the models package instead.
 func PURLToPackage(purl string) (models.PackageInfo, error) {
-	parsedPURL, err := packageurl.FromString(purl)
-	if err != nil {
-		return models.PackageInfo{}, err
-	}
-	ecosystem := purlEcosystems[parsedPURL.Type]
-	if ecosystem == "" {
-		ecosystem = parsedPURL.Type
-	}
-
-	return models.PackageInfo{
-		Name:      parsedPURL.Name,
-		Ecosystem: ecosystem,
-		Version:   parsedPURL.Version,
-	}, nil
+	return models.PURLToPackage(purl)
 }
diff --git a/pkg/osvscanner/vulnerability_result.go b/pkg/osvscanner/vulnerability_result.go
@@ -30,7 +30,7 @@ func groupResponseBySource(r reporter.Reporter, query osv.BatchedQuery, resp *os
 			pkg.Package.Ecosystem = "GIT"
 		} else if query.Package.PURL != "" {
 			var err error
-			pkg.Package, err = PURLToPackage(query.Package.PURL)
+			pkg.Package, err = models.PURLToPackage(query.Package.PURL)
 			if err != nil {
 				r.PrintError(fmt.Sprintf("Failed to parse purl: %s, with error: %s",
 					query.Package.PURL, err))
