- Bug
- Resolution: Done
- Normal
- None
- False
- False
- Very Likely
- 0
Current Behavior
The PURL (Package URL) for the go-git/v5 package in the CSAF/VEX data is incorrectly formatted as pkg:github.com/go-git/go-git/v5.
This uses "github.com" as the PURL type, which is non-standard for Go modules. Furthermore, the Red Hat Security Data Guidelines for PURL do not list or define "github" or "golang" as supported types, creating a discrepancy between the data and the documentation.
Expected Behavior
- PURL Format: The PURL should follow the standard convention for Go packages by using the golang type. It should be formatted as:
pkg:golang/github.com/go-git/go-git/v5
- Documentation: The Security Data Guidelines should be updated to include the golang PURL type to ensure clarity for automated tools and end-users.
Steps to reproduce
- Access the Red Hat CSAF/VEX JSON file for CVE-2023-49568:
https://security.access.redhat.com/data/csaf/v2/vex/2023/cve-2023-49568.json
- Search for the product entry with the name "v5" (associated with go-git).
- Observe the product_identification_helper -> purl field.
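The following is an added example, not part of the original report and not Red Hat's or the purl-spec project's code. It implements a minimal PURL parser following the package-url spec's generic split rules (scheme, type, namespace, name, version, qualifiers, subpath), walks a CSAF product_tree to collect every product_identification_helper.purl, and flags PURLs whose type is not in a registered-type list. The CSAF fragment embedded below is constructed for the example and is not the real cve-2023-49568.json; KNOWN_PURL_TYPES is a hand-picked subset of the registered types, and normalize_go_purl is a hypothetical helper showing the rewrite the report asks for.

```python
"""Minimal PURL parsing and CSAF product_tree checking (added example)."""
import json
from dataclasses import dataclass, field
from typing import Iterator, Optional
from urllib.parse import unquote

# Hand-picked subset of the types registered in purl-spec PURL-TYPES.rst.
# "github.com" is NOT a registered type; "golang" is.
KNOWN_PURL_TYPES = {
    "golang", "github", "npm", "pypi", "maven", "rpm", "deb",
    "oci", "generic", "cargo", "gem", "nuget", "docker",
}


@dataclass
class Purl:
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str] = None
    qualifiers: dict = field(default_factory=dict)
    subpath: Optional[str] = None


def parse_purl(purl: str) -> Purl:
    """Split a PURL per the spec: '#' subpath, '?' qualifiers, last '@' version,
    then type/namespace.../name from the remaining path segments."""
    if not purl.startswith("pkg:"):
        raise ValueError("PURL must start with 'pkg:'")
    rest = purl[len("pkg:"):].lstrip("/")  # tolerate 'pkg://'
    subpath = None
    if "#" in rest:
        rest, raw_subpath = rest.split("#", 1)
        parts = [unquote(s) for s in raw_subpath.strip("/").split("/")
                 if s not in ("", ".", "..")]
        subpath = "/".join(parts) or None
    qualifiers = {}
    if "?" in rest:
        rest, raw_qs = rest.split("?", 1)
        for pair in raw_qs.split("&"):
            if pair:
                key, _, value = pair.partition("=")
                qualifiers[key.lower()] = unquote(value)
    version = None
    if "@" in rest:
        rest, raw_version = rest.rsplit("@", 1)
        version = unquote(raw_version)
    segments = rest.strip("/").split("/")
    if len(segments) < 2:
        raise ValueError("PURL needs at least a type and a name")
    ptype = segments[0].lower()
    name = unquote(segments[-1])
    namespace = "/".join(unquote(s) for s in segments[1:-1]) or None
    return Purl(ptype, namespace, name, version, qualifiers, subpath)


def iter_product_purls(node) -> Iterator[tuple]:
    """Yield (product_id, name, purl) for every full_product_name in a CSAF
    product_tree that carries a product_identification_helper.purl."""
    if isinstance(node, dict):
        helper = node.get("product_identification_helper")
        if isinstance(helper, dict) and "purl" in helper:
            yield node.get("product_id"), node.get("name"), helper["purl"]
        for value in node.values():
            yield from iter_product_purls(value)
    elif isinstance(node, list):
        for value in node:
            yield from iter_product_purls(value)


def nonstandard_purls(csaf: dict) -> list:
    """Return (product_id, name, purl, type) for PURLs whose type is unregistered."""
    flagged = []
    for product_id, name, purl in iter_product_purls(csaf.get("product_tree", {})):
        parsed = parse_purl(purl)
        if parsed.type not in KNOWN_PURL_TYPES:
            flagged.append((product_id, name, purl, parsed.type))
    return flagged


def normalize_go_purl(purl: str) -> str:
    """Hypothetical fix helper: a host-like type (contains '.') such as
    'github.com' is folded into the path under the registered 'golang' type."""
    parsed = parse_purl(purl)
    if parsed.type in KNOWN_PURL_TYPES or "." not in parsed.type:
        return purl
    path = "/".join(p for p in (parsed.type, parsed.namespace, parsed.name) if p)
    fixed = f"pkg:golang/{path}"
    if parsed.version:
        fixed += f"@{parsed.version}"
    return fixed


# Constructed CSAF fragment (not the real advisory): one entry with the
# reported malformed PURL and one with the expected form.
SAMPLE_CSAF = {
    "document": {"title": "constructed sample, not the real cve-2023-49568.json"},
    "product_tree": {"branches": [{
        "category": "vendor", "name": "Example Vendor",
        "branches": [
            {"category": "product_version", "name": "v5",
             "product": {"name": "v5", "product_id": "go-git-v5-bad",
                         "product_identification_helper": {
                             "purl": "pkg:github.com/go-git/go-git/v5"}}},
            {"category": "product_version", "name": "v5",
             "product": {"name": "v5", "product_id": "go-git-v5-ok",
                         "product_identification_helper": {
                             "purl": "pkg:golang/github.com/go-git/go-git/v5"}}},
        ]}]},
}

if __name__ == "__main__":
    for product_id, name, purl, ptype in nonstandard_purls(SAMPLE_CSAF):
        print(f"{product_id}: type {ptype!r} is not registered; {purl} -> {normalize_go_purl(purl)}")
```

Note that "github.com" is syntactically a valid type under the spec's character rules, so a parser will not reject it; only a check against the registered type list catches the problem, which is exactly why tools keying on `golang` miss the entry. Parsing the expected form gives namespace `github.com/go-git/go-git` and name `v5`, which matches the product name "v5" seen in the advisory. To run this against the real file, load it with `json.load` and pass the resulting dict to `nonstandard_purls`.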
Impact Statement
The use of an incorrect/non-standard PURL type hinders interoperability with the wider security ecosystem. Automated SBOM (Software Bill of Materials) tools, vulnerability scanners (such as Grype or Trivy), and policy engines that rely on standard PURL types may fail to correctly identify the package or match it against known vulnerabilities. This could lead to false negatives in security audits.
Attachments & Links
- Red Hat Security Data Guidelines (PURL): https://redhatproductsecurity.github.io/security-data-guidelines/purl/
- PURL Specification for Go: https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst#golang