fix: consider purl subpath when validating golang package

Author: mcombuechen

src/core/validate-graph.ts

@@ -60,8 +60,16 @@ export function validatePackageURL(pkg: types.PkgInfo): void {
         );
         break;
 
+      case 'golang': {
+        let expected = purlPkg.namespace
+          ? `${purlPkg.namespace}/${purlPkg.name}`
+          : purlPkg.name;
+        if (purlPkg.subpath) expected += `/${purlPkg.subpath}`;
+        assert(pkg.name === expected, `name and packageURL name do not match`);
+        break;
+      }
+
       case 'composer':
-      case 'golang':
       case 'npm':
       case 'swift':
         assert(

test/core/validate-graph.test.ts

@@ -158,6 +158,14 @@ describe('validatePackageURL', () => {
           purl: 'pkg:golang/[email protected]',
         },
       ],
+      [
+        'golang package with subpath',
+        {
+          name: 'github.com/foo/bar/pkg/baz',
+          version: '1.2.3',
+          purl: 'pkg:golang/github.com/foo/[email protected]#pkg/baz',
+        },
+      ],
     ])('validates golang Purls: %s', (name, pkg) => {
       expect(() => validatePackageURL(pkg)).not.toThrow();
     });
@@ -179,6 +187,14 @@ describe('validatePackageURL', () => {
           purl: 'pkg:golang/google.golang.org/[email protected]',
         },
       ],
+      [
+        'package name does not match purl subpath',
+        {
+          name: 'bar/baz',
+          version: '1.2.3',
+          purl: 'pkg:golang/[email protected]#pkg/baz',
+        },
+      ],
       [
         'package name does not include purl namespace',
         {
@@ -187,6 +203,14 @@ describe('validatePackageURL', () => {
           purl: 'pkg:golang/google.golang.org/[email protected]',
         },
       ],
+      [
+        'package name does not include purl subpath',
+        {
+          name: 'bar',
+          version: '1.2.3',
+          purl: 'pkg:golang/[email protected]#pkg/baz',
+        },
+      ],
     ])('should throw on invalid purl: %s', (name, pkg) => {
       expect(() => validatePackageURL(pkg)).toThrow();
     });