Fix lookup of golang packages with major versions

alexg-axis · alexg-axis · commit f29bdf620190 · 2025-10-02T11:51:53.000+02:00
Fix a bug causing to false positives for all golang packages with a
major version.

The bug is caused by the name of golang packages not including the major
version. This leads the osv query to look up vulnerabilities to look up
the right version, but for the wrong major. E.g. go-jose@v4.0.1 instead
of go-jose/v4@v4.0.1.

Solve this issue by using the PURL to all requests to osv.dev, which
correctly seems to resolve such versions.
diff --git a/internal/clients/clientimpl/osvmatcher/osvmatcher.go b/internal/clients/clientimpl/osvmatcher/osvmatcher.go
@@ -113,10 +113,8 @@ func pkgToQuery(pkg imodels.PackageInfo) *osvdev.Query {
 	if pkg.Name() != "" && !pkg.Ecosystem().IsEmpty() && pkg.Version() != "" {
 		return &osvdev.Query{
 			Package: osvdev.Package{
-				Name:      pkg.Name(),
-				Ecosystem: pkg.Ecosystem().String(),
+				PURL: pkg.PURL().String(),
 			},
-			Version: pkg.Version(),
 		}
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -113,10 +113,8 @@ func pkgToQuery(pkg imodels.PackageInfo) *osvdev.Query {`
`113`	`113`	`if pkg.Name() != "" && !pkg.Ecosystem().IsEmpty() && pkg.Version() != "" {`
`114`	`114`	`return &osvdev.Query{`
`115`	`115`	`Package: osvdev.Package{`
`116`		`- Name: pkg.Name(),`
`117`		`- Ecosystem: pkg.Ecosystem().String(),`
	`116`	`+ PURL: pkg.PURL().String(),`
`118`	`117`	`},`
`119`		`- Version: pkg.Version(),`
`120`	`118`	`}`
`121`	`119`	`}`
`122`	`120`