
feat(vulnfeeds): populate package.purl for GIT ranges

Open ashmod opened this issue 3 months ago • 2 comments

This change automatically generates pkg:generic pURLs from Git repository URLs found in vulnerability data.
A new BuildGenericRepoPURL() helper converts URLs from common forges (e.g., GitHub, GitLab, self-hosted) into the pkg:generic/{host}/{namespace}/{name} format and enriches records that contain GIT-type ranges; existing pURLs are not overwritten.

For example, https://github.com/user/repo would generate the pURL: pkg:generic/github.com/user/repo

In addition, when packaging directly from source, versioned repo pURLs derived from tags (e.g., pkg:generic/github.com/org/repo@repo-x-y-z) are exposed under affected.database_specific.repo_purls; the standard affected.package.purl remains the base (unversioned) identifier as per OSV schema.

Unit tests validate the conversion logic and enrichment behavior, and module files are updated accordingly.

Some changes are still needed, especially for frontend display and backfilling historical Git ranges, but I think those can be added in a follow-up pull request.

Fixes #3807

ashmod avatar Sep 14 '25 16:09 ashmod
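As an added illustration of the conversion and the "do not overwrite existing pURLs" rule described in the PR (not the PR's own BuildGenericRepoPURL code), the Go sketch below derives pkg:generic/{host}/{namespace}/{name}[@tag] from a repository URL; the function names and the handling of trailing ".git", subgroup paths and percent-encoding are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// RepoPURL builds pkg:generic/{host}/{namespace}/{name}[@tag] from a Git
// repository URL. Illustrative only; not the project's BuildGenericRepoPURL.
func RepoPURL(repoURL, tag string) (string, error) {
	u, err := url.Parse(strings.TrimSpace(repoURL))
	if err != nil {
		return "", err
	}
	host := strings.ToLower(u.Hostname())
	if host == "" {
		return "", fmt.Errorf("no host in %q", repoURL)
	}
	// Normalise the path: strip surrounding slashes and a trailing ".git".
	path := strings.TrimSuffix(strings.Trim(u.Path, "/"), ".git")
	segs := strings.Split(path, "/")
	if len(segs) < 2 {
		return "", fmt.Errorf("need namespace and name in %q", repoURL)
	}
	// Percent-encode each segment and the version as the purl spec requires;
	// GitLab subgroups simply become extra namespace segments.
	for i, s := range segs {
		if s == "" {
			return "", fmt.Errorf("empty path segment in %q", repoURL)
		}
		segs[i] = url.PathEscape(s)
	}
	purl := "pkg:generic/" + host + "/" + strings.Join(segs, "/")
	if tag != "" {
		purl += "@" + url.PathEscape(tag)
	}
	return purl, nil
}

// EnsurePackagePURL fills a missing package.purl from the repo URL but never
// overwrites a purl that is already present on the record.
func EnsurePackagePURL(existing, repoURL string) (string, error) {
	if existing != "" {
		return existing, nil
	}
	return RepoPURL(repoURL, "")
}
```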

Hey @ashmod, thanks for this contribution! We're currently working on a refactor behind the scenes that is blocking this being merged - might take a couple of weeks, but we'll get back to it!

jess-lowe avatar Sep 16 '25 01:09 jess-lowe

This pull request has not had any activity for 60 days and will be automatically closed in two weeks

github-actions[bot] avatar Dec 07 '25 18:12 github-actions[bot]