
No vulnerabilities found for Go packages / Percent-Encoding in purl

Open wkl3nk opened this issue 4 months ago • 1 comment

Hello,

I use ORT 34.0.0 in combination with VulnerableCode. The GoMod ORT package analyzer returned a dependency:

id: "Go::github.com/quic-go/quic-go:0.40.0"
purl: "pkg:golang/github.com%2Fquic-go%2Fquic-go@0.40.0"

At first sight, the purl looks strange, because it has both the slash character "/" and the percent-encoded equivalent of the "/", which is "%2F".

I think ORT is correct in the purl, because the purl specification states:

  • namespace: Each namespace segment must be a percent-encoded string
  • name: A name must be a percent-encoded string

I think we don't have a namespace here (see the id: "Go::gith..."), and the name is github.com%2Fquic-go%2Fquic-go, so the name is completely percent-encoded. Correct???

The problem: When I do a bulk-search using the VulnerableCode API, I get no vulnerability records reported, although this component definitely has vulnerability records.

Can you please make a statement about usage of percent-encoding in purls and if this is supported in the API? What advice are you giving me? Will you fix it on your side?

Reference to ORT issue: https://github.com/oss-review-toolkit/ort/issues/9298

wkl3nk, Oct 17 '24 14:10
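To make the matching problem in the report concrete, here is an added example that is not code from VulnerableCode or ORT. It parses both spellings of the purl from the report, shows that splitting on literal "/" before percent-decoding puts the whole module path into the name for the %2F form but into namespace plus name for the slash form, and then compares an exact-string lookup (which misses) with a lookup keyed on the decoded type, module path and version (which hits). The decode-then-compare key is this example's own choice, not a statement about how the VulnerableCode API matches; the advisory index and its record id are constructed placeholders, not real advisory data.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote


@dataclass(frozen=True)
class Purl:
    """Decoded purl components. Qualifiers and subpath are dropped because
    they do not change which package a vulnerability record belongs to."""
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str]


def parse_purl(purl: str) -> Purl:
    """Split a purl into decoded components.

    Literal '/' separates segments; an encoded %2F is decoded only after
    splitting, so it stays inside the segment it was written in. That is why
    'github.com%2Fquic-go%2Fquic-go' becomes one name with no namespace, while
    'github.com/quic-go/quic-go' becomes namespace 'github.com/quic-go' and
    name 'quic-go'.
    """
    if not purl.startswith("pkg:"):
        raise ValueError("purl must start with 'pkg:'")
    rest = purl[len("pkg:"):].lstrip("/")
    rest, _, _subpath = rest.partition("#")
    rest, _, _qualifiers = rest.partition("?")
    version: Optional[str] = None
    if "@" in rest:
        # A literal '@' inside a name or namespace must be encoded as %40,
        # so the last literal '@' starts the version.
        rest, _, raw_version = rest.rpartition("@")
        version = unquote(raw_version)
    ptype, _, path = rest.partition("/")
    segments = [unquote(s) for s in path.split("/") if s]
    if not ptype or not segments:
        raise ValueError("purl needs a type and a name")
    namespace = "/".join(segments[:-1]) or None
    return Purl(ptype.lower(), namespace, segments[-1], version)


def module_path(p: Purl) -> str:
    """Namespace and name joined back with '/', i.e. the Go module path.
    Both spellings from the report give 'github.com/quic-go/quic-go'."""
    return f"{p.namespace}/{p.name}" if p.namespace else p.name


LookupKey = Tuple[str, str, Optional[str]]


def lookup_key(purl: str) -> LookupKey:
    """Encoding-independent identity: (type, module path, version)."""
    p = parse_purl(purl)
    return (p.type, module_path(p), p.version)


def same_package(a: str, b: str) -> bool:
    return lookup_key(a) == lookup_key(b)


# Constructed index, NOT real advisory data: one placeholder record stored
# under the slash-separated spelling, as an index built from canonical
# purls might be.
ADVISORY_INDEX: Dict[str, List[str]] = {
    "pkg:golang/github.com/quic-go/quic-go@0.40.0": ["ADVISORY-PLACEHOLDER-1"],
}


def naive_lookup(index: Dict[str, List[str]], purl: str) -> List[str]:
    """Exact string match: misses any record stored under another encoding."""
    return index.get(purl, [])


def normalized_lookup(index: Dict[str, List[str]], purl: str) -> List[str]:
    """Match on the decoded (type, module path, version) key instead."""
    wanted = lookup_key(purl)
    hits: List[str] = []
    for stored_purl, records in index.items():
        if lookup_key(stored_purl) == wanted:
            hits.extend(records)
    return hits


if __name__ == "__main__":
    encoded = "pkg:golang/github.com%2Fquic-go%2Fquic-go@0.40.0"
    print(parse_purl(encoded))
    print(naive_lookup(ADVISORY_INDEX, encoded))       # [] -> the reported symptom
    print(normalized_lookup(ADVISORY_INDEX, encoded))  # ['ADVISORY-PLACEHOLDER-1']
```

Running the block prints the decoded components of the %2F spelling, an empty result for the exact-string lookup, and the placeholder record for the normalized lookup. A service that indexes vulnerability records by raw purl string will behave like `naive_lookup` for any client that encodes the module path differently than the index does; comparing decoded module paths, as `normalized_lookup` does, makes the two spellings interchangeable without deciding which one is the canonical purl.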