feat(vex): add PURL matching for CSAF VEX (#5890)

Signed-off-by: knqyf263 <knqyf263@gmail.com>

integration/testdata/conda-spdx.json.golden

@@ -22,7 +22,7 @@
     },
     {
       "name": "openssl",
-      "SPDXID": "SPDXRef-Package-38e5db7a21fc70a8",
+      "SPDXID": "SPDXRef-Package-20b95c21bfbf9fc4",
       "versionInfo": "1.1.1q",
       "supplier": "NOASSERTION",
       "downloadLocation": "NONE",
@@ -43,7 +43,7 @@
     },
     {
       "name": "pip",
-      "SPDXID": "SPDXRef-Package-f9844c873ead5dbe",
+      "SPDXID": "SPDXRef-Package-11a429ec3bd01d80",
       "versionInfo": "22.2.2",
       "supplier": "NOASSERTION",
       "downloadLocation": "NONE",
@@ -110,21 +110,21 @@
     },
     {
       "spdxElementId": "SPDXRef-Application-ee5ef1aa4ac89125",
-      "relatedSpdxElement": "SPDXRef-Package-38e5db7a21fc70a8",
+      "relatedSpdxElement": "SPDXRef-Package-20b95c21bfbf9fc4",
       "relationshipType": "CONTAINS"
     },
     {
-      "spdxElementId": "SPDXRef-Package-38e5db7a21fc70a8",
+      "spdxElementId": "SPDXRef-Package-20b95c21bfbf9fc4",
       "relatedSpdxElement": "SPDXRef-File-600e5e0110a84891",
       "relationshipType": "CONTAINS"
     },
     {
       "spdxElementId": "SPDXRef-Application-ee5ef1aa4ac89125",
-      "relatedSpdxElement": "SPDXRef-Package-f9844c873ead5dbe",
+      "relatedSpdxElement": "SPDXRef-Package-11a429ec3bd01d80",
       "relationshipType": "CONTAINS"
     },
     {
-      "spdxElementId": "SPDXRef-Package-f9844c873ead5dbe",
+      "spdxElementId": "SPDXRef-Package-11a429ec3bd01d80",
       "relatedSpdxElement": "SPDXRef-File-7eb62e2a3edddc0a",
       "relationshipType": "CONTAINS"
     }

pkg/fanal/analyzer/sbom/sbom.go

@@ -88,9 +88,6 @@ func handleBitnamiImages(componentPath string, bom types.SBOM) {
 			// If the file path is empty, the file path will be set to the component dir path.
 			filePath := path.Join(componentPath, pkg.FilePath)
 			bom.Applications[i].Libraries[j].FilePath = filePath
-			if pkg.Identifier.PURL != nil && pkg.Identifier.PURL.FilePath != "" {
-				bom.Applications[i].Libraries[j].Identifier.PURL.FilePath = filePath
-			}
 		}
 	}
 }

pkg/fanal/analyzer/sbom/sbom_test.go

@@ -35,8 +35,7 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
 								Version:  "1.36.0",
 								FilePath: "opt/bitnami/elasticsearch",
 								Identifier: types.PkgIdentifier{
-									PURL: &types.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:      packageurl.TypeMaven,
 										Namespace: "co.elastic.apm",
 										Name:      "apm-agent",
@@ -44,14 +43,12 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
 									},
 								},
 							},
-							},
 							{
 								Name:     "co.elastic.apm:apm-agent-cached-lookup-key",
 								Version:  "1.36.0",
 								FilePath: "opt/bitnami/elasticsearch",
 								Identifier: types.PkgIdentifier{
-									PURL: &types.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:      packageurl.TypeMaven,
 										Namespace: "co.elastic.apm",
 										Name:      "apm-agent-cached-lookup-key",
@@ -59,14 +56,12 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
 									},
 								},
 							},
-							},
 							{
 								Name:     "co.elastic.apm:apm-agent-common",
 								Version:  "1.36.0",
 								FilePath: "opt/bitnami/elasticsearch",
 								Identifier: types.PkgIdentifier{
-									PURL: &types.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:      packageurl.TypeMaven,
 										Namespace: "co.elastic.apm",
 										Name:      "apm-agent-common",
@@ -74,14 +69,12 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
 									},
 								},
 							},
-							},
 							{
 								Name:     "co.elastic.apm:apm-agent-core",
 								Version:  "1.36.0",
 								FilePath: "opt/bitnami/elasticsearch",
 								Identifier: types.PkgIdentifier{
-									PURL: &types.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:      packageurl.TypeMaven,
 										Namespace: "co.elastic.apm",
 										Name:      "apm-agent-core",
@@ -91,7 +84,6 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
 							},
 						},
 					},
-					},
 					{
 						Type:     types.Bitnami,
 						FilePath: "opt/bitnami/elasticsearch",
@@ -102,8 +94,7 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
 								Arch:     "arm64",
 								Licenses: []string{"Elastic-2.0"},
 								Identifier: types.PkgIdentifier{
-									PURL: &types.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:    packageurl.TypeBitnami,
 										Name:    "elasticsearch",
 										Version: "8.9.1",
@@ -120,7 +111,6 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
 					},
 				},
 			},
-			},
 			wantErr: require.NoError,
 		},
 		{
@@ -137,15 +127,12 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
 								Name:     "co.elastic.apm:apm-agent",
 								Version:  "1.36.0",
 								Identifier: types.PkgIdentifier{
-									PURL: &types.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:      packageurl.TypeMaven,
 										Namespace: "co.elastic.apm",
 										Name:      "apm-agent",
 										Version:   "1.36.0",
 									},
-										FilePath: "opt/bitnami/elasticsearch/modules/apm/elastic-apm-agent-1.36.0.jar",
-									},
 									BOMRef: "pkg:maven/co.elastic.apm/apm-agent@1.36.0",
 								},
 							},
@@ -154,15 +141,12 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
 								Name:     "co.elastic.apm:apm-agent-cached-lookup-key",
 								Version:  "1.36.0",
 								Identifier: types.PkgIdentifier{
-									PURL: &types.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:      packageurl.TypeMaven,
 										Namespace: "co.elastic.apm",
 										Name:      "apm-agent-cached-lookup-key",
 										Version:   "1.36.0",
 									},
-										FilePath: "opt/bitnami/elasticsearch/modules/apm/elastic-apm-agent-1.36.0.jar",
-									},
 									BOMRef: "pkg:maven/co.elastic.apm/apm-agent-cached-lookup-key@1.36.0",
 								},
 							},
@@ -187,50 +171,43 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
 								Version:  "3.7.1",
 								Licenses: []string{"MIT"},
 								Identifier: types.PkgIdentifier{
-									PURL: &types.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:    packageurl.TypeBitnami,
 										Name:    "gdal",
 										Version: "3.7.1",
 									},
 								},
 							},
-							},
 							{
 								Name:     "geos",
 								Version:  "3.8.3",
 								Licenses: []string{"LGPL-2.1-only"},
 								Identifier: types.PkgIdentifier{
-									PURL: &types.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:    packageurl.TypeBitnami,
 										Name:    "geos",
 										Version: "3.8.3",
 									},
 								},
 							},
-							},
 							{
 								Name:     "postgresql",
 								Version:  "15.3.0",
 								Licenses: []string{"PostgreSQL"},
 								Identifier: types.PkgIdentifier{
-									PURL: &types.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:    packageurl.TypeBitnami,
 										Name:    "postgresql",
 										Version: "15.3.0",
 									},
 								},
 							},
-							},
 							{
 								Name:     "proj",
 								Version:  "6.3.2",
 								Licenses: []string{"MIT"},
 								Identifier: types.PkgIdentifier{
-									PURL: &types.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:    packageurl.TypeBitnami,
 										Name:    "proj",
 										Version: "6.3.2",
@@ -241,7 +218,6 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
 					},
 				},
 			},
-			},
 			wantErr: require.NoError,
 		},
 		{

pkg/fanal/applier/applier_test.go

@@ -151,8 +151,7 @@ func TestApplier_ApplyLayers(t *testing.T) {
 						SrcName:    "glibc",
 						SrcVersion: "2.24-11+deb9u4",
 						Identifier: types.PkgIdentifier{
-							PURL: &types.PackageURL{
+							PURL: &packageurl.PackageURL{
-								PackageURL: packageurl.PackageURL{
 								Type:      packageurl.TypeDebian,
 								Namespace: "debian",
 								Name:      "libc6",
@@ -165,7 +164,6 @@ func TestApplier_ApplyLayers(t *testing.T) {
 								},
 							},
 						},
-						},
 						Layer: types.Layer{
 							Digest: "sha256:dffd9992ca398466a663c87c92cfea2a2db0ae0cf33fcb99da60eec52addbfc5",
 							DiffID: "sha256:aad63a9339440e7c3e1fff2b988991b9bfb81280042fa7f39a5e327023056819",
@@ -177,8 +175,7 @@ func TestApplier_ApplyLayers(t *testing.T) {
 						SrcName:    "tzdata",
 						SrcVersion: "2019a-0+deb9u1",
 						Identifier: types.PkgIdentifier{
-							PURL: &types.PackageURL{
+							PURL: &packageurl.PackageURL{
-								PackageURL: packageurl.PackageURL{
 								Type:      packageurl.TypeDebian,
 								Namespace: "debian",
 								Name:      "tzdata",
@@ -191,7 +188,6 @@ func TestApplier_ApplyLayers(t *testing.T) {
 								},
 							},
 						},
-						},
 						Layer: types.Layer{
 							Digest: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
 							DiffID: "sha256:a187dde48cd289ac374ad8539930628314bc581a481cdb41409c9289419ddb72",
@@ -211,8 +207,7 @@ func TestApplier_ApplyLayers(t *testing.T) {
 									DiffID: "sha256:24df0d4e20c0f42d3703bf1f1db2bdd77346c7956f74f423603d651e8e5ae8a7",
 								},
 								Identifier: types.PkgIdentifier{
-									PURL: &types.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:      packageurl.TypeComposer,
 										Namespace: "guzzlehttp",
 										Name:      "guzzle",
@@ -220,7 +215,6 @@ func TestApplier_ApplyLayers(t *testing.T) {
 									},
 								},
 							},
-							},
 							{
 								Name:    "symfony/process",
 								Version: "v4.2.7",
@@ -229,8 +223,7 @@ func TestApplier_ApplyLayers(t *testing.T) {
 									DiffID: "sha256:24df0d4e20c0f42d3703bf1f1db2bdd77346c7956f74f423603d651e8e5ae8a7",
 								},
 								Identifier: types.PkgIdentifier{
-									PURL: &types.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:      packageurl.TypeComposer,
 										Namespace: "symfony",
 										Name:      "process",
@@ -243,7 +236,6 @@ func TestApplier_ApplyLayers(t *testing.T) {
 				},
 			},
 		},
-		},
 		{
 			name: "happy path with history packages",
 			args: args{
@@ -353,8 +345,7 @@ func TestApplier_ApplyLayers(t *testing.T) {
 						Name:    "busybox",
 						Version: "1.30.1-r3",
 						Identifier: types.PkgIdentifier{
-							PURL: &types.PackageURL{
+							PURL: &packageurl.PackageURL{
-								PackageURL: packageurl.PackageURL{
 								Type:      packageurl.TypeApk,
 								Namespace: "alpine",
 								Name:      "busybox",
@@ -367,7 +358,6 @@ func TestApplier_ApplyLayers(t *testing.T) {
 								},
 							},
 						},
-						},
 						Layer: types.Layer{
 							Digest: "sha256:a187dde48cd289ac374ad8539930628314bc581a481cdb41409c9289419ddb72",
 							DiffID: "sha256:531743b7098cb2aaf615641007a129173f63ed86ca32fe7b5a246a1c47286028",
@@ -377,8 +367,7 @@ func TestApplier_ApplyLayers(t *testing.T) {
 						Name:    "libcrypto1.1",
 						Version: "1.1.1d-r2",
 						Identifier: types.PkgIdentifier{
-							PURL: &types.PackageURL{
+							PURL: &packageurl.PackageURL{
-								PackageURL: packageurl.PackageURL{
 								Type:      packageurl.TypeApk,
 								Namespace: "alpine",
 								Name:      "libcrypto1.1",
@@ -391,7 +380,6 @@ func TestApplier_ApplyLayers(t *testing.T) {
 								},
 							},
 						},
-						},
 						Layer: types.Layer{
 							Digest: "sha256:a187dde48cd289ac374ad8539930628314bc581a481cdb41409c9289419ddb72",
 							DiffID: "sha256:531743b7098cb2aaf615641007a129173f63ed86ca32fe7b5a246a1c47286028",
@@ -401,8 +389,7 @@ func TestApplier_ApplyLayers(t *testing.T) {
 						Name:    "libssl1.1",
 						Version: "1.1.1d-r2",
 						Identifier: types.PkgIdentifier{
-							PURL: &types.PackageURL{
+							PURL: &packageurl.PackageURL{
-								PackageURL: packageurl.PackageURL{
 								Type:      packageurl.TypeApk,
 								Namespace: "alpine",
 								Name:      "libssl1.1",
@@ -415,7 +402,6 @@ func TestApplier_ApplyLayers(t *testing.T) {
 								},
 							},
 						},
-						},
 						Layer: types.Layer{
 							Digest: "sha256:a187dde48cd289ac374ad8539930628314bc581a481cdb41409c9289419ddb72",
 							DiffID: "sha256:531743b7098cb2aaf615641007a129173f63ed86ca32fe7b5a246a1c47286028",
@@ -425,8 +411,7 @@ func TestApplier_ApplyLayers(t *testing.T) {
 						Name:    "musl",
 						Version: "1.1.22-r3",
 						Identifier: types.PkgIdentifier{
-							PURL: &types.PackageURL{
+							PURL: &packageurl.PackageURL{
-								PackageURL: packageurl.PackageURL{
 								Type:      packageurl.TypeApk,
 								Namespace: "alpine",
 								Name:      "musl",
@@ -439,7 +424,6 @@ func TestApplier_ApplyLayers(t *testing.T) {
 								},
 							},
 						},
-						},
 						Layer: types.Layer{
 							Digest: "sha256:a187dde48cd289ac374ad8539930628314bc581a481cdb41409c9289419ddb72",
 							DiffID: "sha256:531743b7098cb2aaf615641007a129173f63ed86ca32fe7b5a246a1c47286028",
@@ -450,8 +434,7 @@ func TestApplier_ApplyLayers(t *testing.T) {
 						Version: "1.1.1d-r2",
 						Identifier: types.PkgIdentifier{
 							//PURL: "pkg:apk/alpine/openssl@1.1.1d-r2?distro=3.10.4",
-							PURL: &types.PackageURL{
+							PURL: &packageurl.PackageURL{
-								PackageURL: packageurl.PackageURL{
 								Type:      packageurl.TypeApk,
 								Namespace: "alpine",
 								Name:      "openssl",
@@ -464,7 +447,6 @@ func TestApplier_ApplyLayers(t *testing.T) {
 								},
 							},
 						},
-						},
 						Layer: types.Layer{
 							Digest: "sha256:a187dde48cd289ac374ad8539930628314bc581a481cdb41409c9289419ddb72",
 							DiffID: "sha256:531743b7098cb2aaf615641007a129173f63ed86ca32fe7b5a246a1c47286028",
@@ -684,8 +666,7 @@ func TestApplier_ApplyLayers(t *testing.T) {
 									DiffID: "sha256:24df0d4e20c0f42d3703bf1f1db2bdd77346c7956f74f423603d651e8e5ae8a7",
 								},
 								Identifier: types.PkgIdentifier{
-									PURL: &types.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:      packageurl.TypeComposer,
 										Namespace: "guzzlehttp",
 										Name:      "guzzle",
@@ -693,7 +674,6 @@ func TestApplier_ApplyLayers(t *testing.T) {
 									},
 								},
 							},
-							},
 							{
 								Name:    "symfony/process",
 								Version: "v4.2.7",
@@ -702,8 +682,7 @@ func TestApplier_ApplyLayers(t *testing.T) {
 									DiffID: "sha256:24df0d4e20c0f42d3703bf1f1db2bdd77346c7956f74f423603d651e8e5ae8a7",
 								},
 								Identifier: types.PkgIdentifier{
-									PURL: &types.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:      packageurl.TypeComposer,
 										Namespace: "symfony",
 										Name:      "process",
@@ -715,7 +694,6 @@ func TestApplier_ApplyLayers(t *testing.T) {
 					},
 				},
 			},
-			},
 			wantErr: "unknown OS",
 		},
 		{
@@ -896,8 +874,7 @@ func TestApplier_ApplyLayers(t *testing.T) {
 									DiffID: "sha256:aad63a9339440e7c3e1fff2b988991b9bfb81280042fa7f39a5e327023056819",
 								},
 								Identifier: types.PkgIdentifier{
-									PURL: &types.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:      packageurl.TypeComposer,
 										Namespace: "guzzlehttp",
 										Name:      "guzzle",
@@ -905,7 +882,6 @@ func TestApplier_ApplyLayers(t *testing.T) {
 									},
 								},
 							},
-							},
 							{
 								Name:    "symfony/process",
 								Version: "v4.2.7",
@@ -914,8 +890,7 @@ func TestApplier_ApplyLayers(t *testing.T) {
 									DiffID: "sha256:aad63a9339440e7c3e1fff2b988991b9bfb81280042fa7f39a5e327023056819",
 								},
 								Identifier: types.PkgIdentifier{
-									PURL: &types.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:      packageurl.TypeComposer,
 										Namespace: "symfony",
 										Name:      "process",
@@ -926,7 +901,6 @@ func TestApplier_ApplyLayers(t *testing.T) {
 						},
 					},
 				},
-				},
 				CustomResources: []types.CustomResource{
 					{
 						Type:     "type-A",

pkg/fanal/applier/docker.go

@@ -6,6 +6,7 @@ import (
 	"time"
 
 	"github.com/knqyf263/nested"
+	"github.com/package-url/packageurl-go"
 	"github.com/samber/lo"
 
 	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
@@ -249,12 +250,13 @@ func ApplyLayers(layers []ftypes.BlobInfo) ftypes.ArtifactDetail {
 	return mergedLayer
 }
 
-func newPURL(pkgType ftypes.TargetType, metadata types.Metadata, pkg ftypes.Package) *ftypes.PackageURL {
+func newPURL(pkgType ftypes.TargetType, metadata types.Metadata, pkg ftypes.Package) *packageurl.PackageURL {
 	p, err := purl.New(pkgType, metadata, pkg)
 	if err != nil {
 		log.Logger.Errorf("Failed to create PackageURL: %s", err)
+		return nil
 	}
-	return p
+	return p.Unwrap()
 }
 
 // aggregate merges all packages installed by pip/gem/npm/jar/conda into each application

pkg/fanal/applier/docker_test.go

@@ -1,10 +1,10 @@
 package applier_test
 
 import (
-	"github.com/package-url/packageurl-go"
 	"sort"
 	"testing"
 
+	"github.com/package-url/packageurl-go"
 	"github.com/stretchr/testify/assert"
 
 	"github.com/aquasecurity/trivy/pkg/fanal/applier"
@@ -145,8 +145,7 @@ func TestApplyLayers(t *testing.T) {
 						Version: "1.2.4",
 						Release: "4.5.8",
 						Identifier: types.PkgIdentifier{
-							PURL: &types.PackageURL{
+							PURL: &packageurl.PackageURL{
-								PackageURL: packageurl.PackageURL{
 								Type:      packageurl.TypeApk,
 								Namespace: "alpine",
 								Name:      "musl",
@@ -159,7 +158,6 @@ func TestApplyLayers(t *testing.T) {
 								},
 							},
 						},
-						},
 						Layer: types.Layer{
 							Digest: "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4",
 							DiffID: "sha256:a187dde48cd289ac374ad8539930628314bc581a481cdb41409c9289419ddb72",
@@ -170,8 +168,7 @@ func TestApplyLayers(t *testing.T) {
 						Version: "1.2.3",
 						Release: "4.5.6",
 						Identifier: types.PkgIdentifier{
-							PURL: &types.PackageURL{
+							PURL: &packageurl.PackageURL{
-								PackageURL: packageurl.PackageURL{
 								Type:      packageurl.TypeApk,
 								Namespace: "alpine",
 								Name:      "openssl",
@@ -184,7 +181,6 @@ func TestApplyLayers(t *testing.T) {
 								},
 							},
 						},
-						},
 						Layer: types.Layer{
 							Digest: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
 							DiffID: "sha256:a187dde48cd289ac374ad8539930628314bc581a481cdb41409c9289419ddb72",
@@ -204,14 +200,11 @@ func TestApplyLayers(t *testing.T) {
 									DiffID: "sha256:a187dde48cd289ac374ad8539930628314bc581a481cdb41409c9289419ddb72",
 								},
 								Identifier: types.PkgIdentifier{
-									PURL: &types.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:    packageurl.TypeGem,
 										Name:    "activesupport",
 										Version: "6.0.2.1",
 									},
-										FilePath: "var/lib/gems/2.5.0/specifications/activesupport-6.0.2.1.gemspec",
-									},
 								},
 							},
 							{
@@ -223,14 +216,11 @@ func TestApplyLayers(t *testing.T) {
 									DiffID: "sha256:a187dde48cd289ac374ad8539930628314bc581a481cdb41409c9289419ddb72",
 								},
 								Identifier: types.PkgIdentifier{
-									PURL: &types.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:    packageurl.TypeGem,
 										Name:    "gon",
 										Version: "6.3.2",
 									},
-										FilePath: "usr/local/bundle/specifications/gon-6.3.2.gemspec",
-									},
 								},
 							},
 						},
@@ -247,8 +237,7 @@ func TestApplyLayers(t *testing.T) {
 									DiffID: "sha256:a187dde48cd289ac374ad8539930628314bc581a481cdb41409c9289419ddb72",
 								},
 								Identifier: types.PkgIdentifier{
-									PURL: &types.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:    packageurl.TypeGem,
 										Name:    "gemlibrary1",
 										Version: "1.2.3",
@@ -260,7 +249,6 @@ func TestApplyLayers(t *testing.T) {
 				},
 			},
 		},
-		},
 		{
 			name: "happy path with digests in libs/packages (as for SBOM)",
 			inputLayers: []types.BlobInfo{
@@ -474,15 +462,13 @@ func TestApplyLayers(t *testing.T) {
 									DiffID: "sha256:a187dde48cd289ac374ad8539930628314bc581a481cdb41409c9289419ddb72",
 								},
 								Identifier: types.PkgIdentifier{
-									PURL: &types.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:    packageurl.TypeGem,
 										Name:    "rack",
 										Version: "4.0.0",
 									},
 								},
 							},
-							},
 							{
 								Name:    "rails",
 								Version: "6.0.0",
@@ -491,8 +477,7 @@ func TestApplyLayers(t *testing.T) {
 									DiffID: "sha256:aad63a9339440e7c3e1fff2b988991b9bfb81280042fa7f39a5e327023056819",
 								},
 								Identifier: types.PkgIdentifier{
-									PURL: &types.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:    packageurl.TypeGem,
 										Name:    "rails",
 										Version: "6.0.0",
@@ -501,7 +486,6 @@ func TestApplyLayers(t *testing.T) {
 							},
 						},
 					},
-					},
 					{
 						Type:     types.Composer,
 						FilePath: "app/composer2.lock",
@@ -514,8 +498,7 @@ func TestApplyLayers(t *testing.T) {
 									DiffID: "sha256:aad63a9339440e7c3e1fff2b988991b9bfb81280042fa7f39a5e327023056819",
 								},
 								Identifier: types.PkgIdentifier{
-									PURL: &types.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:    packageurl.TypeComposer,
 										Name:    "phplibrary1",
 										Version: "6.6.6",
@@ -527,7 +510,6 @@ func TestApplyLayers(t *testing.T) {
 				},
 			},
 		},
-		},
 		{
 			name: "happy path with removed and updated secret",
 			inputLayers: []types.BlobInfo{
@@ -779,8 +761,7 @@ func TestApplyLayers(t *testing.T) {
 						Release:  "4.5.7",
 						Licenses: []string{"GPL-2"},
 						Identifier: types.PkgIdentifier{
-							PURL: &types.PackageURL{
+							PURL: &packageurl.PackageURL{
-								PackageURL: packageurl.PackageURL{
 								Type:      packageurl.TypeDebian,
 								Namespace: "debian",
 								Name:      "libc",
@@ -793,7 +774,6 @@ func TestApplyLayers(t *testing.T) {
 								},
 							},
 						},
-						},
 						Layer: types.Layer{
 							Digest: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
 							DiffID: "sha256:a187dde48cd289ac374ad8539930628314bc581a481cdb41409c9289419ddb72",
@@ -805,8 +785,7 @@ func TestApplyLayers(t *testing.T) {
 						Release:  "4.5.6",
 						Licenses: []string{"OpenSSL"},
 						Identifier: types.PkgIdentifier{
-							PURL: &types.PackageURL{
+							PURL: &packageurl.PackageURL{
-								PackageURL: packageurl.PackageURL{
 								Type:      packageurl.TypeDebian,
 								Namespace: "debian",
 								Name:      "openssl",
@@ -819,7 +798,6 @@ func TestApplyLayers(t *testing.T) {
 								},
 							},
 						},
-						},
 						Layer: types.Layer{
 							Digest: "sha256:24df0d4e20c0f42d3703bf1f1db2bdd77346c7956f74f423603d651e8e5ae8a7",
 							DiffID: "sha256:aad63a9339440e7c3e1fff2b988991b9bfb81280042fa7f39a5e327023056819",
@@ -957,8 +935,7 @@ func TestApplyLayers(t *testing.T) {
 						Version: "5.6.7",
 						Release: "8",
 						Identifier: types.PkgIdentifier{
-							PURL: &types.PackageURL{
+							PURL: &packageurl.PackageURL{
-								PackageURL: packageurl.PackageURL{
 								Type:      packageurl.TypeRPM,
 								Namespace: "redhat",
 								Name:      "bash",
@@ -971,7 +948,6 @@ func TestApplyLayers(t *testing.T) {
 								},
 							},
 						},
-						},
 						Layer: types.Layer{
 							Digest: "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4",
 							DiffID: "sha256:a187dde48cd289ac374ad8539930628314bc581a481cdb41409c9289419ddb72",
@@ -986,8 +962,7 @@ func TestApplyLayers(t *testing.T) {
 						Version: "1.2.4",
 						Release: "5",
 						Identifier: types.PkgIdentifier{
-							PURL: &types.PackageURL{
+							PURL: &packageurl.PackageURL{
-								PackageURL: packageurl.PackageURL{
 								Type:      packageurl.TypeRPM,
 								Namespace: "redhat",
 								Name:      "libc",
@@ -1000,7 +975,6 @@ func TestApplyLayers(t *testing.T) {
 								},
 							},
 						},
-						},
 						Layer: types.Layer{
 							Digest: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
 							DiffID: "sha256:a187dde48cd289ac374ad8539930628314bc581a481cdb41409c9289419ddb72",
@@ -1017,8 +991,7 @@ func TestApplyLayers(t *testing.T) {
 						Version: "1.2.3",
 						Release: "4",
 						Identifier: types.PkgIdentifier{
-							PURL: &types.PackageURL{
+							PURL: &packageurl.PackageURL{
-								PackageURL: packageurl.PackageURL{
 								Type:      packageurl.TypeRPM,
 								Namespace: "redhat",
 								Name:      "openssl",
@@ -1031,7 +1004,6 @@ func TestApplyLayers(t *testing.T) {
 								},
 							},
 						},
-						},
 						Layer: types.Layer{
 							Digest: "sha256:24df0d4e20c0f42d3703bf1f1db2bdd77346c7956f74f423603d651e8e5ae8a7",
 							DiffID: "sha256:aad63a9339440e7c3e1fff2b988991b9bfb81280042fa7f39a5e327023056819",

pkg/fanal/artifact/image/remote_sbom_test.go

@@ -84,8 +84,7 @@ func TestArtifact_InspectRekorAttestation(t *testing.T) {
 											Name:    "musl",
 											Version: "1.2.3-r0",
 											Identifier: types.PkgIdentifier{
-												PURL: &types.PackageURL{
+												PURL: &packageurl.PackageURL{
-													PackageURL: packageurl.PackageURL{
 													Type:      packageurl.TypeApk,
 													Namespace: "alpine",
 													Name:      "musl",
@@ -97,7 +96,6 @@ func TestArtifact_InspectRekorAttestation(t *testing.T) {
 														},
 													},
 												},
-												},
 												BOMRef: "pkg:apk/alpine/musl@1.2.3-r0?distro=3.16.2",
 											},
 											SrcName:    "musl",
@@ -235,14 +233,12 @@ func TestArtifact_inspectOCIReferrerSBOM(t *testing.T) {
 											Name:    "github.com/opencontainers/go-digest",
 											Version: "v1.0.0",
 											Identifier: types.PkgIdentifier{
-												PURL: &types.PackageURL{
+												PURL: &packageurl.PackageURL{
-													PackageURL: packageurl.PackageURL{
 													Type:      packageurl.TypeGolang,
 													Namespace: "github.com/opencontainers",
 													Name:      "go-digest",
 													Version:   "v1.0.0",
 												},
-												},
 												BOMRef: "pkg:golang/github.com/opencontainers/go-digest@v1.0.0",
 											},
 										},
@@ -250,14 +246,12 @@ func TestArtifact_inspectOCIReferrerSBOM(t *testing.T) {
 											Name:    "golang.org/x/sync",
 											Version: "v0.1.0",
 											Identifier: types.PkgIdentifier{
-												PURL: &types.PackageURL{
+												PURL: &packageurl.PackageURL{
-													PackageURL: packageurl.PackageURL{
 													Type:      packageurl.TypeGolang,
 													Namespace: "golang.org/x",
 													Name:      "sync",
 													Version:   "v0.1.0",
 												},
-												},
 												BOMRef: "pkg:golang/golang.org/x/sync@v0.1.0",
 											},
 										},

pkg/fanal/artifact/sbom/sbom_test.go

@@ -50,8 +50,7 @@ func TestArtifact_Inspect(t *testing.T) {
 											DiffID: "sha256:dd565ff850e7003356e2b252758f9bdc1ff2803f61e995e24c7844f6297f8fc3",
 										},
 										Identifier: types.PkgIdentifier{
-											PURL: &types.PackageURL{
+											PURL: &packageurl.PackageURL{
-												PackageURL: packageurl.PackageURL{
 												Type:      packageurl.TypeApk,
 												Namespace: "alpine",
 												Name:      "musl",
@@ -63,7 +62,6 @@ func TestArtifact_Inspect(t *testing.T) {
 													},
 												},
 											},
-											},
 											BOMRef: "pkg:apk/alpine/musl@1.2.3-r0?distro=3.16.0",
 										},
 									},
@@ -82,14 +80,12 @@ func TestArtifact_Inspect(t *testing.T) {
 											DiffID: "sha256:3c79e832b1b4891a1cb4a326ef8524e0bd14a2537150ac0e203a5677176c1ca1",
 										},
 										Identifier: types.PkgIdentifier{
-											PURL: &types.PackageURL{
+											PURL: &packageurl.PackageURL{
-												PackageURL: packageurl.PackageURL{
 												Type:      packageurl.TypeComposer,
 												Namespace: "pear",
 												Name:      "log",
 												Version:   "1.13.1",
 											},
-											},
 											BOMRef: "pkg:composer/pear/log@1.13.1",
 										},
 									},
@@ -101,14 +97,12 @@ func TestArtifact_Inspect(t *testing.T) {
 											DiffID: "sha256:3c79e832b1b4891a1cb4a326ef8524e0bd14a2537150ac0e203a5677176c1ca1",
 										},
 										Identifier: types.PkgIdentifier{
-											PURL: &types.PackageURL{
+											PURL: &packageurl.PackageURL{
-												PackageURL: packageurl.PackageURL{
 												Type:      packageurl.TypeComposer,
 												Namespace: "pear",
 												Name:      "pear_exception",
 												Version:   "v1.0.0",
 											},
-											},
 											BOMRef: "pkg:composer/pear/pear_exception@v1.0.0",
 										},
 									},
@@ -125,14 +119,12 @@ func TestArtifact_Inspect(t *testing.T) {
 											DiffID: "sha256:3c79e832b1b4891a1cb4a326ef8524e0bd14a2537150ac0e203a5677176c1ca1",
 										},
 										Identifier: types.PkgIdentifier{
-											PURL: &types.PackageURL{
+											PURL: &packageurl.PackageURL{
-												PackageURL: packageurl.PackageURL{
 												Type:      packageurl.TypeGolang,
 												Namespace: "github.com/package-url",
 												Name:      "packageurl-go",
 												Version:   "v0.1.1-0.20220203205134-d70459300c8a",
 											},
-											},
 											BOMRef: "pkg:golang/github.com/package-url/packageurl-go@v0.1.1-0.20220203205134-d70459300c8a",
 										},
 									},
@@ -150,15 +142,12 @@ func TestArtifact_Inspect(t *testing.T) {
 										},
 										FilePath: "app/maven/target/child-project-1.0.jar",
 										Identifier: types.PkgIdentifier{
-											PURL: &types.PackageURL{
+											PURL: &packageurl.PackageURL{
-												PackageURL: packageurl.PackageURL{
 												Type:      packageurl.TypeMaven,
 												Namespace: "org.codehaus.mojo",
 												Name:      "child-project",
 												Version:   "1.0",
 											},
-												FilePath: "app/maven/target/child-project-1.0.jar",
-											},
 											BOMRef: "pkg:maven/org.codehaus.mojo/child-project@1.0?file_path=app%2Fmaven%2Ftarget%2Fchild-project-1.0.jar",
 										},
 									},
@@ -177,14 +166,11 @@ func TestArtifact_Inspect(t *testing.T) {
 										},
 										FilePath: "app/app/package.json",
 										Identifier: types.PkgIdentifier{
-											PURL: &types.PackageURL{
+											PURL: &packageurl.PackageURL{
-												PackageURL: packageurl.PackageURL{
 												Type:    packageurl.TypeNPM,
 												Name:    "bootstrap",
 												Version: "5.0.2",
 											},
-												FilePath: "app/app/package.json",
-											},
 											BOMRef: "pkg:npm/bootstrap@5.0.2?file_path=app%2Fapp%2Fpackage.json",
 										},
 									},
@@ -226,8 +212,7 @@ func TestArtifact_Inspect(t *testing.T) {
 										SrcVersion: "1.2.3-r0",
 										Licenses:   []string{"MIT"},
 										Identifier: types.PkgIdentifier{
-											PURL: &types.PackageURL{
+											PURL: &packageurl.PackageURL{
-												PackageURL: packageurl.PackageURL{
 												Type:      packageurl.TypeApk,
 												Namespace: "alpine",
 												Name:      "musl",
@@ -239,7 +224,6 @@ func TestArtifact_Inspect(t *testing.T) {
 													},
 												},
 											},
-											},
 											BOMRef: "pkg:apk/alpine/musl@1.2.3-r0?distro=3.16.0",
 										},
 										Layer: types.Layer{
@@ -258,14 +242,12 @@ func TestArtifact_Inspect(t *testing.T) {
 										Name:    "pear/log",
 										Version: "1.13.1",
 										Identifier: types.PkgIdentifier{
-											PURL: &types.PackageURL{
+											PURL: &packageurl.PackageURL{
-												PackageURL: packageurl.PackageURL{
 												Type:      packageurl.TypeComposer,
 												Namespace: "pear",
 												Name:      "log",
 												Version:   "1.13.1",
 											},
-											},
 											BOMRef: "pkg:composer/pear/log@1.13.1",
 										},
 										Layer: types.Layer{
@@ -277,14 +259,12 @@ func TestArtifact_Inspect(t *testing.T) {
 										Name:    "pear/pear_exception",
 										Version: "v1.0.0",
 										Identifier: types.PkgIdentifier{
-											PURL: &types.PackageURL{
+											PURL: &packageurl.PackageURL{
-												PackageURL: packageurl.PackageURL{
 												Type:      packageurl.TypeComposer,
 												Namespace: "pear",
 												Name:      "pear_exception",
 												Version:   "v1.0.0",
 											},
-											},
 											BOMRef: "pkg:composer/pear/pear_exception@v1.0.0",
 										},
 										Layer: types.Layer{
@@ -301,14 +281,12 @@ func TestArtifact_Inspect(t *testing.T) {
 										Name:    "github.com/package-url/packageurl-go",
 										Version: "v0.1.1-0.20220203205134-d70459300c8a",
 										Identifier: types.PkgIdentifier{
-											PURL: &types.PackageURL{
+											PURL: &packageurl.PackageURL{
-												PackageURL: packageurl.PackageURL{
 												Type:      packageurl.TypeGolang,
 												Namespace: "github.com/package-url",
 												Name:      "packageurl-go",
 												Version:   "v0.1.1-0.20220203205134-d70459300c8a",
 											},
-											},
 											BOMRef: "pkg:golang/github.com/package-url/packageurl-go@v0.1.1-0.20220203205134-d70459300c8a",
 										},
 										Layer: types.Layer{
@@ -325,15 +303,12 @@ func TestArtifact_Inspect(t *testing.T) {
 										Name:    "org.codehaus.mojo:child-project",
 										Version: "1.0",
 										Identifier: types.PkgIdentifier{
-											PURL: &types.PackageURL{
+											PURL: &packageurl.PackageURL{
-												PackageURL: packageurl.PackageURL{
 												Type:      packageurl.TypeMaven,
 												Namespace: "org.codehaus.mojo",
 												Name:      "child-project",
 												Version:   "1.0",
 											},
-												FilePath: "app/maven/target/child-project-1.0.jar",
-											},
 											BOMRef: "pkg:maven/org.codehaus.mojo/child-project@1.0?file_path=app%2Fmaven%2Ftarget%2Fchild-project-1.0.jar",
 										},
 										Layer: types.Layer{
@@ -351,14 +326,11 @@ func TestArtifact_Inspect(t *testing.T) {
 										Name:    "bootstrap",
 										Version: "5.0.2",
 										Identifier: types.PkgIdentifier{
-											PURL: &types.PackageURL{
+											PURL: &packageurl.PackageURL{
-												PackageURL: packageurl.PackageURL{
 												Type:    packageurl.TypeNPM,
 												Name:    "bootstrap",
 												Version: "5.0.2",
 											},
-												FilePath: "app/app/package.json",
-											},
 											BOMRef: "pkg:npm/bootstrap@5.0.2?file_path=app%2Fapp%2Fpackage.json",
 										},
 										Licenses: []string{"MIT"},

pkg/fanal/handler/unpackaged/unpackaged_test.go

@@ -46,14 +46,12 @@ func Test_unpackagedHook_Handle(t *testing.T) {
 								Name:    "github.com/spf13/cobra",
 								Version: "1.5.0",
 								Identifier: types.PkgIdentifier{
-									PURL: &types.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:      packageurl.TypeGolang,
 										Namespace: "github.com/spf13",
 										Name:      "cobra",
 										Version:   "1.5.0",
 									},
-									},
 									BOMRef: "pkg:golang/github.com/spf13/cobra@1.5.0",
 								},
 							},

pkg/fanal/types/artifact.go

@@ -1,9 +1,11 @@
 package types
 
 import (
+	"encoding/json"
 	"time"
 
 	v1 "github.com/google/go-containerregistry/pkg/v1"
+	"github.com/package-url/packageurl-go"
 	"github.com/samber/lo"
 
 	"github.com/aquasecurity/trivy/pkg/digest"
@@ -102,10 +104,53 @@ type Package struct {
 
 // PkgIdentifier represents a software identifiers in one of more of the supported formats.
 type PkgIdentifier struct {
-	PURL   *PackageURL `json:",omitempty"`
+	PURL   *packageurl.PackageURL `json:"-"`
 	BOMRef string                 `json:",omitempty"` // For CycloneDX
 }
 
+// MarshalJSON customizes the JSON encoding of PkgIdentifier.
+func (id *PkgIdentifier) MarshalJSON() ([]byte, error) {
+	var p string
+	if id.PURL != nil {
+		p = id.PURL.String()
+	}
+
+	type Alias PkgIdentifier
+	return json.Marshal(&struct {
+		PURL string `json:",omitempty"`
+		*Alias
+	}{
+		PURL:  p,
+		Alias: (*Alias)(id),
+	})
+}
+
+// UnmarshalJSON customizes the JSON decoding of PkgIdentifier.
+func (id *PkgIdentifier) UnmarshalJSON(data []byte) error {
+	type Alias PkgIdentifier
+	aux := &struct {
+		PURL string `json:",omitempty"`
+		*Alias
+	}{
+		Alias: (*Alias)(id),
+	}
+	if err := json.Unmarshal(data, &aux); err != nil {
+		return err
+	}
+
+	if aux.PURL != "" {
+		p, err := packageurl.FromString(aux.PURL)
+		if err != nil {
+			return err
+		} else if len(p.Qualifiers) == 0 {
+			p.Qualifiers = nil
+		}
+		id.PURL = &p
+	}
+
+	return nil
+}
+
 func (id *PkgIdentifier) Empty() bool {
 	return id.PURL == nil && id.BOMRef == ""
 }

pkg/fanal/types/purl.go

@@ -1,78 +0,0 @@
-package types
-
-import (
-	"encoding/json"
-
-	"github.com/package-url/packageurl-go"
-	"golang.org/x/xerrors"
-)
-
-type PackageURL struct {
-	packageurl.PackageURL
-	FilePath string
-}
-
-func (p *PackageURL) BOMRef() string {
-	// 'bom-ref' must be unique within BOM, but PURLs may conflict
-	// when the same packages are installed in an artifact.
-	// In that case, we prefer to make PURLs unique by adding file paths,
-	// rather than using UUIDs, even if it is not PURL technically.
-	// ref. https://cyclonedx.org/use-cases/#dependency-graph
-	purl := p.PackageURL // so that it will not override the qualifiers below
-	if p.FilePath != "" {
-		purl.Qualifiers = append(purl.Qualifiers,
-			packageurl.Qualifier{
-				Key:   "file_path",
-				Value: p.FilePath,
-			},
-		)
-	}
-	return purl.String()
-}
-
-func (p *PackageURL) MarshalJSON() ([]byte, error) {
-	if p == nil {
-		return nil, nil
-	}
-	return json.Marshal(p.String())
-}
-
-func (p *PackageURL) UnmarshalJSON(b []byte) error {
-	var s string
-	if err := json.Unmarshal(b, &s); err != nil {
-		return err
-	}
-	purl, err := NewPackageURL(s)
-	if err != nil {
-		return xerrors.Errorf("failed to parse purl(%s): %w", string(b), err)
-	}
-	*p = *purl
-	return nil
-}
-
-func NewPackageURL(s string) (*PackageURL, error) {
-	p, err := packageurl.FromString(s)
-	if err != nil {
-		return nil, xerrors.Errorf("failed to parse purl(%s): %w", s, err)
-	}
-
-	// Take out and delete the file path from qualifiers
-	var filePath string
-	for i, q := range p.Qualifiers {
-		if q.Key != "file_path" {
-			continue
-		}
-		filePath = q.Value
-		p.Qualifiers = append(p.Qualifiers[:i], p.Qualifiers[i+1:]...)
-		break
-	}
-
-	if len(p.Qualifiers) == 0 {
-		p.Qualifiers = nil
-	}
-
-	return &PackageURL{
-		PackageURL: p,
-		FilePath:   filePath,
-	}, nil
-}

pkg/k8s/scanner/scanner.go

@@ -577,7 +577,7 @@ func nodeComponent(nf bom.NodeInfo) *core.Component {
 								Namespace: k8sCoreComponentNamespace,
 							},
 						},
-						PackageURL: &ftypes.PackageURL{
+						PackageURL: &purl.PackageURL{
 							PackageURL: *packageurl.NewPackageURL(golang, "", runtimeName, runtimeVersion, packageurl.Qualifiers{}, ""),
 						},
 					},
@@ -601,7 +601,7 @@ func toProperties(props map[string]string, namespace string) []core.Property {
 	return properties
 }
 
-func generatePURL(name, ver, nodeName string) *ftypes.PackageURL {
+func generatePURL(name, ver, nodeName string) *purl.PackageURL {
 
 	var namespace string
 	// Identify k8s distribution. An empty namespace means upstream.
@@ -611,7 +611,7 @@ func generatePURL(name, ver, nodeName string) *ftypes.PackageURL {
 		namespace = ""
 	}
 
-	return &ftypes.PackageURL{
+	return &purl.PackageURL{
 		PackageURL: *packageurl.NewPackageURL(purl.TypeK8s, namespace, name, ver, nil, ""),
 	}
 }

pkg/k8s/scanner/scanner_test.go

@@ -2,7 +2,6 @@ package scanner
 
 import (
 	"context"
-	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
 	"sort"
 	"testing"
 
@@ -98,7 +97,7 @@ func TestScanner_Scan(t *testing.T) {
 						Namespace: k8sCoreComponentNamespace,
 					},
 				},
-				PackageURL: &ftypes.PackageURL{
+				PackageURL: &purl.PackageURL{
 					PackageURL: packageurl.PackageURL{
 						Type:    purl.TypeK8s,
 						Name:    "k8s.io/kubernetes",
@@ -110,7 +109,7 @@ func TestScanner_Scan(t *testing.T) {
 						Type:    cdx.ComponentTypeApplication,
 						Name:    "k8s.io/apiserver",
 						Version: "1.21.1",
-						PackageURL: &ftypes.PackageURL{
+						PackageURL: &purl.PackageURL{
 							PackageURL: packageurl.PackageURL{
 								Type:    purl.TypeK8s,
 								Name:    "k8s.io/apiserver",
@@ -123,7 +122,7 @@ func TestScanner_Scan(t *testing.T) {
 								Type:    cdx.ComponentTypeContainer,
 								Name:    "k8s.gcr.io/kube-apiserver",
 								Version: "sha256:18e61c783b41758dd391ab901366ec3546b26fae00eef7e223d1f94da808e02f",
-								PackageURL: &ftypes.PackageURL{
+								PackageURL: &purl.PackageURL{
 									PackageURL: packageurl.PackageURL{
 										Type:    "oci",
 										Name:    "kube-apiserver",
@@ -234,7 +233,7 @@ func TestScanner_Scan(t *testing.T) {
 												Namespace: k8sCoreComponentNamespace,
 											},
 										},
-										PackageURL: &ftypes.PackageURL{
+										PackageURL: &purl.PackageURL{
 											PackageURL: packageurl.PackageURL{
 												Type:    "k8s",
 												Name:    "k8s.io/kubelet",
@@ -258,7 +257,7 @@ func TestScanner_Scan(t *testing.T) {
 												Namespace: k8sCoreComponentNamespace,
 											},
 										},
-										PackageURL: &ftypes.PackageURL{
+										PackageURL: &purl.PackageURL{
 											PackageURL: packageurl.PackageURL{
 												Type:       "golang",
 												Name:       "github.com/containerd/containerd",

pkg/module/serialize/types_easyjson.go

@@ -1617,7 +1617,9 @@ func easyjson6601e8cdDecodeGithubComAquasecurityTrivyPkgTypes(in *jlexer.Lexer,
 		case "PkgPath":
 			out.PkgPath = string(in.String())
 		case "PkgIdentifier":
-			easyjson6601e8cdDecodeGithubComAquasecurityTrivyPkgFanalTypes9(in, &out.PkgIdentifier)
+			if data := in.Raw(); in.Ok() {
+				in.AddError((out.PkgIdentifier).UnmarshalJSON(data))
+			}
 		case "InstalledVersion":
 			out.InstalledVersion = string(in.String())
 		case "FixedVersion":
@@ -1843,7 +1845,7 @@ func easyjson6601e8cdEncodeGithubComAquasecurityTrivyPkgTypes(out *jwriter.Write
 		} else {
 			out.RawString(prefix)
 		}
-		easyjson6601e8cdEncodeGithubComAquasecurityTrivyPkgFanalTypes9(out, in.PkgIdentifier)
+		out.Raw((in.PkgIdentifier).MarshalJSON())
 	}
 	if in.InstalledVersion != "" {
 		const prefix string = ",\"InstalledVersion\":"
@@ -2215,71 +2217,6 @@ func easyjson6601e8cdEncodeGithubComAquasecurityTrivyDbPkgTypes(out *jwriter.Wri
 	}
 	out.RawByte('}')
 }
-func easyjson6601e8cdDecodeGithubComAquasecurityTrivyPkgFanalTypes9(in *jlexer.Lexer, out *types1.PkgIdentifier) {
-	isTopLevel := in.IsStart()
-	if in.IsNull() {
-		if isTopLevel {
-			in.Consumed()
-		}
-		in.Skip()
-		return
-	}
-	in.Delim('{')
-	for !in.IsDelim('}') {
-		key := in.UnsafeFieldName(false)
-		in.WantColon()
-		if in.IsNull() {
-			in.Skip()
-			in.WantComma()
-			continue
-		}
-		switch key {
-		case "PURL":
-			if in.IsNull() {
-				in.Skip()
-				out.PURL = nil
-			} else {
-				if out.PURL == nil {
-					out.PURL = new(types1.PackageURL)
-				}
-				if data := in.Raw(); in.Ok() {
-					in.AddError((*out.PURL).UnmarshalJSON(data))
-				}
-			}
-		case "BOMRef":
-			out.BOMRef = string(in.String())
-		default:
-			in.SkipRecursive()
-		}
-		in.WantComma()
-	}
-	in.Delim('}')
-	if isTopLevel {
-		in.Consumed()
-	}
-}
-func easyjson6601e8cdEncodeGithubComAquasecurityTrivyPkgFanalTypes9(out *jwriter.Writer, in types1.PkgIdentifier) {
-	out.RawByte('{')
-	first := true
-	_ = first
-	if in.PURL != nil {
-		const prefix string = ",\"PURL\":"
-		first = false
-		out.RawString(prefix[1:])
-		out.Raw((*in.PURL).MarshalJSON())
-	}
-	if in.BOMRef != "" {
-		const prefix string = ",\"BOMRef\":"
-		if first {
-			first = false
-			out.RawString(prefix[1:])
-		} else {
-			out.RawString(prefix)
-		}
-		out.String(string(in.BOMRef))
-	}
-	out.RawByte('}')
-}
 func easyjson6601e8cdDecodeGithubComAquasecurityTrivyPkgFanalTypes(in *jlexer.Lexer, out *types1.Package) {
 	isTopLevel := in.IsStart()
 	if in.IsNull() {
@@ -2304,7 +2241,9 @@ func easyjson6601e8cdDecodeGithubComAquasecurityTrivyPkgFanalTypes(in *jlexer.Le
 		case "Name":
 			out.Name = string(in.String())
 		case "Identifier":
-			easyjson6601e8cdDecodeGithubComAquasecurityTrivyPkgFanalTypes9(in, &out.Identifier)
+			if data := in.Raw(); in.Ok() {
+				in.AddError((out.Identifier).UnmarshalJSON(data))
+			}
 		case "Version":
 			out.Version = string(in.String())
 		case "Release":
@@ -2358,7 +2297,7 @@ func easyjson6601e8cdDecodeGithubComAquasecurityTrivyPkgFanalTypes(in *jlexer.Le
 				if out.BuildInfo == nil {
 					out.BuildInfo = new(types1.BuildInfo)
 				}
-				easyjson6601e8cdDecodeGithubComAquasecurityTrivyPkgFanalTypes10(in, out.BuildInfo)
+				easyjson6601e8cdDecodeGithubComAquasecurityTrivyPkgFanalTypes9(in, out.BuildInfo)
 			}
 		case "Indirect":
 			out.Indirect = bool(in.Bool())
@@ -2475,7 +2414,7 @@ func easyjson6601e8cdEncodeGithubComAquasecurityTrivyPkgFanalTypes(out *jwriter.
 		} else {
 			out.RawString(prefix)
 		}
-		easyjson6601e8cdEncodeGithubComAquasecurityTrivyPkgFanalTypes9(out, in.Identifier)
+		out.Raw((in.Identifier).MarshalJSON())
 	}
 	if in.Version != "" {
 		const prefix string = ",\"Version\":"
@@ -2614,7 +2553,7 @@ func easyjson6601e8cdEncodeGithubComAquasecurityTrivyPkgFanalTypes(out *jwriter.
 		} else {
 			out.RawString(prefix)
 		}
-		easyjson6601e8cdEncodeGithubComAquasecurityTrivyPkgFanalTypes10(out, *in.BuildInfo)
+		easyjson6601e8cdEncodeGithubComAquasecurityTrivyPkgFanalTypes9(out, *in.BuildInfo)
 	}
 	if in.Indirect {
 		const prefix string = ",\"Indirect\":"
@@ -2715,7 +2654,7 @@ func easyjson6601e8cdEncodeGithubComAquasecurityTrivyPkgFanalTypes(out *jwriter.
 	}
 	out.RawByte('}')
 }
-func easyjson6601e8cdDecodeGithubComAquasecurityTrivyPkgFanalTypes10(in *jlexer.Lexer, out *types1.BuildInfo) {
+func easyjson6601e8cdDecodeGithubComAquasecurityTrivyPkgFanalTypes9(in *jlexer.Lexer, out *types1.BuildInfo) {
 	isTopLevel := in.IsStart()
 	if in.IsNull() {
 		if isTopLevel {
@@ -2771,7 +2710,7 @@ func easyjson6601e8cdDecodeGithubComAquasecurityTrivyPkgFanalTypes10(in *jlexer.
 		in.Consumed()
 	}
 }
-func easyjson6601e8cdEncodeGithubComAquasecurityTrivyPkgFanalTypes10(out *jwriter.Writer, in types1.BuildInfo) {
+func easyjson6601e8cdEncodeGithubComAquasecurityTrivyPkgFanalTypes9(out *jwriter.Writer, in types1.BuildInfo) {
 	out.RawByte('{')
 	first := true
 	_ = first

pkg/purl/purl.go

@@ -43,13 +43,135 @@ const (
 	TypeUnknown = "unknown"
 )
 
-func FromString(s string) (*ftypes.PackageURL, error) {
+type PackageURL struct {
-	return ftypes.NewPackageURL(s)
+	packageurl.PackageURL
+	FilePath string
+}
+
+func FromString(s string) (*PackageURL, error) {
+	p, err := packageurl.FromString(s)
+	if err != nil {
+		return nil, xerrors.Errorf("failed to parse purl(%s): %w", s, err)
+	}
+
+	// Take out and delete the file path from qualifiers
+	var filePath string
+	for i, q := range p.Qualifiers {
+		if q.Key != "file_path" {
+			continue
+		}
+		filePath = q.Value
+		p.Qualifiers = append(p.Qualifiers[:i], p.Qualifiers[i+1:]...)
+		break
+	}
+
+	if len(p.Qualifiers) == 0 {
+		p.Qualifiers = nil
+	}
+
+	return &PackageURL{
+		PackageURL: p,
+		FilePath:   filePath,
+	}, nil
+}
+
+// nolint: gocyclo
+func New(t ftypes.TargetType, metadata types.Metadata, pkg ftypes.Package) (*PackageURL, error) {
+	qualifiers := parseQualifier(pkg)
+	pkg.Epoch = 0 // we moved Epoch to qualifiers so we don't need it in version
+
+	ptype := purlType(t)
+	name := pkg.Name
+	ver := utils.FormatVersion(pkg)
+	namespace := ""
+	subpath := ""
+
+	switch ptype {
+	case packageurl.TypeRPM:
+		ns, qs := parseRPM(metadata.OS, pkg.Modularitylabel)
+		namespace = string(ns)
+		qualifiers = append(qualifiers, qs...)
+	case packageurl.TypeDebian:
+		qualifiers = append(qualifiers, parseDeb(metadata.OS)...)
+		if metadata.OS != nil {
+			namespace = string(metadata.OS.Family)
+		}
+	case packageurl.TypeApk:
+		var qs packageurl.Qualifiers
+		name, namespace, qs = parseApk(name, metadata.OS)
+		qualifiers = append(qualifiers, qs...)
+	case packageurl.TypeMaven, string(ftypes.Gradle): // TODO: replace with packageurl.TypeGradle once they add it.
+		namespace, name = parseMaven(name)
+	case packageurl.TypePyPi:
+		name = parsePyPI(name)
+	case packageurl.TypeComposer:
+		namespace, name = parseComposer(name)
+	case packageurl.TypeGolang:
+		namespace, name = parseGolang(name)
+		if name == "" {
+			return nil, nil
+		}
+	case packageurl.TypeNPM:
+		namespace, name = parseNpm(name)
+	case packageurl.TypeSwift:
+		namespace, name = parseSwift(name)
+	case packageurl.TypeCocoapods:
+		name, subpath = parseCocoapods(name)
+	case packageurl.TypeOCI:
+		purl, err := parseOCI(metadata)
+		if err != nil {
+			return nil, err
+		} else if purl.Type == "" {
+			return nil, nil
+		}
+		return &PackageURL{PackageURL: purl}, nil
+	}
+
+	return &PackageURL{
+		PackageURL: *packageurl.NewPackageURL(ptype, namespace, name, ver, qualifiers, subpath),
+		FilePath:   pkg.FilePath,
+	}, nil
+}
+
+// WithPath wraps packageurl.PackageURL with the given file path
+func WithPath(purl *packageurl.PackageURL, filePath string) *PackageURL {
+	if purl == nil {
+		return nil
+	}
+	return &PackageURL{
+		PackageURL: *purl,
+		FilePath:   filePath,
+	}
+}
+
+func (p *PackageURL) BOMRef() string {
+	// 'bom-ref' must be unique within BOM, but PURLs may conflict
+	// when the same packages are installed in an artifact.
+	// In that case, we prefer to make PURLs unique by adding file paths,
+	// rather than using UUIDs, even if it is not PURL technically.
+	// ref. https://cyclonedx.org/use-cases/#dependency-graph
+	purl := p.PackageURL // so that it will not override the qualifiers below
+	if p.FilePath != "" {
+		purl.Qualifiers = append(purl.Qualifiers,
+			packageurl.Qualifier{
+				Key:   "file_path",
+				Value: p.FilePath,
+			},
+		)
+	}
+	return purl.String()
+}
+
+func (p *PackageURL) Unwrap() *packageurl.PackageURL {
+	if p == nil {
+		return nil
+	}
+	return &p.PackageURL
 }
 
 // LangType returns an application type in Trivy
 // nolint: gocyclo
-func LangType(p *ftypes.PackageURL) ftypes.LangType {
+func (p *PackageURL) LangType() ftypes.LangType {
 	switch p.Type {
 	case packageurl.TypeComposer:
 		return ftypes.Composer
@@ -102,13 +224,13 @@ func LangType(p *ftypes.PackageURL) ftypes.LangType {
 	}
 }
 
-func Class(p *ftypes.PackageURL) types.ResultClass {
+func (p *PackageURL) Class() types.ResultClass {
 	switch p.Type {
 	case packageurl.TypeApk, packageurl.TypeDebian, packageurl.TypeRPM:
 		// OS packages
 		return types.ClassOSPkg
 	default:
-		if LangType(p) == TypeUnknown {
+		if p.LangType() == TypeUnknown {
 			return types.ClassUnknown
 		}
 		// Language-specific packages
@@ -116,10 +238,13 @@ func Class(p *ftypes.PackageURL) types.ResultClass {
 	}
 }
 
-func ToPackage(p *ftypes.PackageURL) *ftypes.Package {
+func (p *PackageURL) Package() *ftypes.Package {
 	pkg := &ftypes.Package{
 		Name:    p.Name,
 		Version: p.Version,
+		Identifier: ftypes.PkgIdentifier{
+			PURL: p.Unwrap(),
+		},
 	}
 	for _, q := range p.Qualifiers {
 		switch q.Key {
@@ -151,11 +276,10 @@ func ToPackage(p *ftypes.PackageURL) *ftypes.Package {
 
 	// Return packages without namespace.
 	// OS packages are not supposed to have namespace.
-	if p.Namespace == "" || Class(p) == types.ClassOSPkg {
+	if p.Namespace == "" || p.Class() == types.ClassOSPkg {
 		return pkg
 	}
 
-	// TODO: replace with packageurl.TypeGradle once they add it.
 	if p.Type == packageurl.TypeMaven || p.Type == packageurl.TypeGradle {
 		// Maven and Gradle packages separate ":"
 		// e.g. org.springframework:spring-core
@@ -167,63 +291,34 @@ func ToPackage(p *ftypes.PackageURL) *ftypes.Package {
 	return pkg
 }
 
-// nolint: gocyclo
+// Match returns true if the given PURL "target" satisfies the constraint PURL "p".
-func New(t ftypes.TargetType, metadata types.Metadata, pkg ftypes.Package) (*ftypes.PackageURL, error) {
+// - If the constraint does not have a version, it will match any version in the target.
-	qualifiers := parseQualifier(pkg)
+// - If the constraint has qualifiers, the target must have the same set of qualifiers to match.
-	pkg.Epoch = 0 // we moved Epoch to qualifiers so we don't need it in version
+func (p *PackageURL) Match(target *packageurl.PackageURL) bool {
-
+	if target == nil {
-	ptype := purlType(t)
+		return false
-	name := pkg.Name
-	ver := utils.FormatVersion(pkg)
-	namespace := ""
-	subpath := ""
-
-	switch ptype {
-	case packageurl.TypeRPM:
-		ns, qs := parseRPM(metadata.OS, pkg.Modularitylabel)
-		namespace = string(ns)
-		qualifiers = append(qualifiers, qs...)
-	case packageurl.TypeDebian:
-		qualifiers = append(qualifiers, parseDeb(metadata.OS)...)
-		if metadata.OS != nil {
-			namespace = string(metadata.OS.Family)
 	}
-	case packageurl.TypeApk:
+	switch {
-		var qs packageurl.Qualifiers
+	case p.Type != target.Type:
-		name, namespace, qs = parseApk(name, metadata.OS)
+		return false
-		qualifiers = append(qualifiers, qs...)
+	case p.Namespace != target.Namespace:
-	case packageurl.TypeMaven, string(ftypes.Gradle): // TODO: replace with packageurl.TypeGradle once they add it.
+		return false
-		namespace, name = parseMaven(name)
+	case p.Name != target.Name:
-	case packageurl.TypePyPi:
+		return false
-		name = parsePyPI(name)
+	case p.Version != "" && p.Version != target.Version:
-	case packageurl.TypeComposer:
+		return false
-		namespace, name = parseComposer(name)
+	case p.Subpath != "" && p.Subpath != target.Subpath:
-	case packageurl.TypeGolang:
+		return false
-		namespace, name = parseGolang(name)
-		if name == "" {
-			return nil, nil
-		}
-	case packageurl.TypeNPM:
-		namespace, name = parseNpm(name)
-	case packageurl.TypeSwift:
-		namespace, name = parseSwift(name)
-	case packageurl.TypeCocoapods:
-		name, subpath = parseCocoapods(name)
-	case packageurl.TypeOCI:
-		purl, err := parseOCI(metadata)
-		if err != nil {
-			return nil, err
-		}
-		if purl.Type == "" {
-			return nil, nil
-		}
-		return &ftypes.PackageURL{PackageURL: purl}, nil
 	}
 
-	return &ftypes.PackageURL{
+	// All qualifiers in the constraint must be in the target to match
-		PackageURL: *packageurl.NewPackageURL(ptype, namespace, name, ver, qualifiers, subpath),
+	q := target.Qualifiers.Map()
-		FilePath:   pkg.FilePath,
+	for k, v1 := range p.Qualifiers.Map() {
-	}, nil
+		if v2, ok := q[k]; !ok || v1 != v2 {
+			return false
+		}
+	}
+	return true
 }
 
 // ref. https://github.com/package-url/purl-spec/blob/a748c36ad415c8aeffe2b8a4a5d8a50d16d6d85f/PURL-TYPES.rst#oci

pkg/purl/purl_test.go

@@ -20,7 +20,7 @@ func TestNewPackageURL(t *testing.T) {
 		typ      ftypes.TargetType
 		pkg      ftypes.Package
 		metadata types.Metadata
-		want     *ftypes.PackageURL
+		want     *purl.PackageURL
 		wantErr  string
 	}{
 		{
@@ -30,7 +30,7 @@ func TestNewPackageURL(t *testing.T) {
 				Name:    "org.springframework:spring-core",
 				Version: "5.3.14",
 			},
-			want: &ftypes.PackageURL{
+			want: &purl.PackageURL{
 				PackageURL: packageurl.PackageURL{
 					Type:      packageurl.TypeMaven,
 					Namespace: "org.springframework",
@@ -46,7 +46,7 @@ func TestNewPackageURL(t *testing.T) {
 				Name:    "org.springframework:spring-core",
 				Version: "5.3.14",
 			},
-			want: &ftypes.PackageURL{
+			want: &purl.PackageURL{
 				PackageURL: packageurl.PackageURL{
 					Type:      packageurl.TypeMaven,
 					Namespace: "org.springframework",
@@ -62,7 +62,7 @@ func TestNewPackageURL(t *testing.T) {
 				Name:    "@xtuc/ieee754",
 				Version: "1.2.0",
 			},
-			want: &ftypes.PackageURL{
+			want: &purl.PackageURL{
 				PackageURL: packageurl.PackageURL{
 					Type:      packageurl.TypeNPM,
 					Namespace: "@xtuc",
@@ -78,7 +78,7 @@ func TestNewPackageURL(t *testing.T) {
 				Name:    "lodash",
 				Version: "4.17.21",
 			},
-			want: &ftypes.PackageURL{
+			want: &purl.PackageURL{
 				PackageURL: packageurl.PackageURL{
 					Type:    packageurl.TypeNPM,
 					Name:    "lodash",
@@ -93,7 +93,7 @@ func TestNewPackageURL(t *testing.T) {
 				Name:    "@xtuc/ieee754",
 				Version: "1.2.0",
 			},
-			want: &ftypes.PackageURL{
+			want: &purl.PackageURL{
 				PackageURL: packageurl.PackageURL{
 					Type:      packageurl.TypeNPM,
 					Namespace: "@xtuc",
@@ -109,7 +109,7 @@ func TestNewPackageURL(t *testing.T) {
 				Name:    "lodash",
 				Version: "4.17.21",
 			},
-			want: &ftypes.PackageURL{
+			want: &purl.PackageURL{
 				PackageURL: packageurl.PackageURL{
 					Type:    packageurl.TypeNPM,
 					Name:    "lodash",
@@ -124,7 +124,7 @@ func TestNewPackageURL(t *testing.T) {
 				Name:    "Django_test",
 				Version: "1.2.0",
 			},
-			want: &ftypes.PackageURL{
+			want: &purl.PackageURL{
 				PackageURL: packageurl.PackageURL{
 					Type:    packageurl.TypePyPi,
 					Name:    "django-test",
@@ -139,7 +139,7 @@ func TestNewPackageURL(t *testing.T) {
 				Name:    "absl-py",
 				Version: "0.4.1",
 			},
-			want: &ftypes.PackageURL{
+			want: &purl.PackageURL{
 				PackageURL: packageurl.PackageURL{
 					Type:    packageurl.TypeConda,
 					Name:    "absl-py",
@@ -154,7 +154,7 @@ func TestNewPackageURL(t *testing.T) {
 				Name:    "symfony/contracts",
 				Version: "v1.0.2",
 			},
-			want: &ftypes.PackageURL{
+			want: &purl.PackageURL{
 				PackageURL: packageurl.PackageURL{
 					Type:      packageurl.TypeComposer,
 					Namespace: "symfony",
@@ -170,7 +170,7 @@ func TestNewPackageURL(t *testing.T) {
 				Name:    "github.com/go-sql-driver/Mysql",
 				Version: "v1.5.0",
 			},
-			want: &ftypes.PackageURL{
+			want: &purl.PackageURL{
 				PackageURL: packageurl.PackageURL{
 					Type:      packageurl.TypeGolang,
 					Namespace: "github.com/go-sql-driver",
@@ -202,7 +202,7 @@ func TestNewPackageURL(t *testing.T) {
 					},
 				},
 			},
-			want: &ftypes.PackageURL{
+			want: &purl.PackageURL{
 				PackageURL: packageurl.PackageURL{
 					Type:    packageurl.TypeHex,
 					Name:    "bunt",
@@ -217,7 +217,7 @@ func TestNewPackageURL(t *testing.T) {
 				Name:    "http",
 				Version: "0.13.2",
 			},
-			want: &ftypes.PackageURL{
+			want: &purl.PackageURL{
 				PackageURL: packageurl.PackageURL{
 					Type:    packageurl.TypePub,
 					Name:    "http",
@@ -233,7 +233,7 @@ func TestNewPackageURL(t *testing.T) {
 				Name:    "github.com/apple/swift-atomics",
 				Version: "1.1.0",
 			},
-			want: &ftypes.PackageURL{
+			want: &purl.PackageURL{
 				PackageURL: packageurl.PackageURL{
 					Type:      packageurl.TypeSwift,
 					Namespace: "github.com/apple",
@@ -250,7 +250,7 @@ func TestNewPackageURL(t *testing.T) {
 				Name:    "GoogleUtilities/NSData+zlib",
 				Version: "7.5.2",
 			},
-			want: &ftypes.PackageURL{
+			want: &purl.PackageURL{
 				PackageURL: packageurl.PackageURL{
 					Type:    packageurl.TypeCocoapods,
 					Name:    "GoogleUtilities",
@@ -267,7 +267,7 @@ func TestNewPackageURL(t *testing.T) {
 				Name:    "abomination",
 				Version: "0.7.3",
 			},
-			want: &ftypes.PackageURL{
+			want: &purl.PackageURL{
 				PackageURL: packageurl.PackageURL{
 					Type:    packageurl.TypeCargo,
 					Name:    "abomination",
@@ -283,7 +283,7 @@ func TestNewPackageURL(t *testing.T) {
 				Name:    "Newtonsoft.Json",
 				Version: "9.0.1",
 			},
-			want: &ftypes.PackageURL{
+			want: &purl.PackageURL{
 				PackageURL: packageurl.PackageURL{
 					Type:    packageurl.TypeNuget,
 					Name:    "Newtonsoft.Json",
@@ -313,7 +313,7 @@ func TestNewPackageURL(t *testing.T) {
 					Name:   "8",
 				},
 			},
-			want: &ftypes.PackageURL{
+			want: &purl.PackageURL{
 				PackageURL: packageurl.PackageURL{
 					Type:      packageurl.TypeRPM,
 					Namespace: "redhat",
@@ -351,7 +351,7 @@ func TestNewPackageURL(t *testing.T) {
 					Architecture: "amd64",
 				},
 			},
-			want: &ftypes.PackageURL{
+			want: &purl.PackageURL{
 				PackageURL: packageurl.PackageURL{
 					Type:      packageurl.TypeOCI,
 					Namespace: "",
@@ -399,7 +399,7 @@ func TestNewPackageURL(t *testing.T) {
 					Architecture: "amd64",
 				},
 			},
-			want: &ftypes.PackageURL{
+			want: &purl.PackageURL{
 				PackageURL: packageurl.PackageURL{
 					Type:      packageurl.TypeOCI,
 					Namespace: "",
@@ -451,13 +451,13 @@ func TestFromString(t *testing.T) {
 	testCases := []struct {
 		name    string
 		purl    string
-		want    ftypes.PackageURL
+		want    purl.PackageURL
 		wantErr string
 	}{
 		{
 			name: "happy path for maven",
 			purl: "pkg:maven/org.springframework/spring-core@5.0.4.RELEASE",
-			want: ftypes.PackageURL{
+			want: purl.PackageURL{
 				PackageURL: packageurl.PackageURL{
 					Type:      packageurl.TypeMaven,
 					Namespace: "org.springframework",
@@ -470,7 +470,7 @@ func TestFromString(t *testing.T) {
 		{
 			name: "happy path for npm",
 			purl: "pkg:npm/bootstrap@5.0.2?file_path=app%2Fapp%2Fpackage.json",
-			want: ftypes.PackageURL{
+			want: purl.PackageURL{
 				PackageURL: packageurl.PackageURL{
 					Type:    packageurl.TypeNPM,
 					Name:    "bootstrap",
@@ -482,7 +482,7 @@ func TestFromString(t *testing.T) {
 		{
 			name: "happy path for coocapods",
 			purl: "pkg:cocoapods/GoogleUtilities@7.5.2#NSData+zlib",
-			want: ftypes.PackageURL{
+			want: purl.PackageURL{
 				PackageURL: packageurl.PackageURL{
 					Type:    packageurl.TypeCocoapods,
 					Name:    "GoogleUtilities",
@@ -494,7 +494,7 @@ func TestFromString(t *testing.T) {
 		{
 			name: "happy path for hex",
 			purl: "pkg:hex/plug@1.14.0",
-			want: ftypes.PackageURL{
+			want: purl.PackageURL{
 				PackageURL: packageurl.PackageURL{
 					Type:    packageurl.TypeHex,
 					Name:    "plug",
@@ -505,7 +505,7 @@ func TestFromString(t *testing.T) {
 		{
 			name: "happy path for dart",
 			purl: "pkg:pub/http@0.13.2",
-			want: ftypes.PackageURL{
+			want: purl.PackageURL{
 				PackageURL: packageurl.PackageURL{
 					Type:    packageurl.TypePub,
 					Name:    "http",
@@ -516,7 +516,7 @@ func TestFromString(t *testing.T) {
 		{
 			name: "happy path for apk",
 			purl: "pkg:apk/alpine/alpine-baselayout@3.2.0-r16?distro=3.14.2&epoch=1",
-			want: ftypes.PackageURL{
+			want: purl.PackageURL{
 				PackageURL: packageurl.PackageURL{
 					Type:      string(analyzer.TypeApk),
 					Namespace: "alpine",
@@ -538,7 +538,7 @@ func TestFromString(t *testing.T) {
 		{
 			name: "happy path for rpm",
 			purl: "pkg:rpm/redhat/containers-common@0.1.14",
-			want: ftypes.PackageURL{
+			want: purl.PackageURL{
 				PackageURL: packageurl.PackageURL{
 					Type:      packageurl.TypeRPM,
 					Namespace: "redhat",
@@ -550,7 +550,7 @@ func TestFromString(t *testing.T) {
 		{
 			name: "happy path for conda",
 			purl: "pkg:conda/absl-py@0.4.1",
-			want: ftypes.PackageURL{
+			want: purl.PackageURL{
 				PackageURL: packageurl.PackageURL{
 					Type:    packageurl.TypeConda,
 					Name:    "absl-py",
@@ -561,7 +561,7 @@ func TestFromString(t *testing.T) {
 		{
 			name: "bad rpm",
 			purl: "pkg:rpm/redhat/a--@1.0.0",
-			want: ftypes.PackageURL{
+			want: purl.PackageURL{
 				PackageURL: packageurl.PackageURL{
 					Type:      packageurl.TypeRPM,
 					Namespace: "redhat",
@@ -585,15 +585,15 @@ func TestFromString(t *testing.T) {
 	}
 }
 
-func TestToPackage(t *testing.T) {
+func TestPackageURL_Package(t *testing.T) {
 	tests := []struct {
 		name    string
-		pkgURL  *ftypes.PackageURL
+		pkgURL  *purl.PackageURL
 		wantPkg *ftypes.Package
 	}{
 		{
 			name: "rpm + Qualifiers",
-			pkgURL: &ftypes.PackageURL{
+			pkgURL: &purl.PackageURL{
 				PackageURL: packageurl.PackageURL{
 					Type:      packageurl.TypeRPM,
 					Namespace: "redhat",
@@ -626,26 +626,60 @@ func TestToPackage(t *testing.T) {
 				Arch:            "x86_64",
 				Epoch:           1,
 				Modularitylabel: "nodejs:10:8020020200707141642:6a468ee4",
+				Identifier: ftypes.PkgIdentifier{
+					PURL: &packageurl.PackageURL{
+						Type:      packageurl.TypeRPM,
+						Namespace: "redhat",
+						Name:      "nodejs-full-i18n",
+						Version:   "10.21.0-3.module_el8.2.0+391+8da3adc6",
+						Qualifiers: packageurl.Qualifiers{
+							{
+								Key:   "arch",
+								Value: "x86_64",
+							},
+							{
+								Key:   "epoch",
+								Value: "1",
+							},
+							{
+								Key:   "modularitylabel",
+								Value: "nodejs:10:8020020200707141642:6a468ee4",
+							},
+							{
+								Key:   "distro",
+								Value: "redhat-8",
+							},
+						},
+					},
+				},
 			},
 		},
 		{
 			name: "composer with namespace",
-			pkgURL: &ftypes.PackageURL{
+			pkgURL: &purl.PackageURL{
 				PackageURL: packageurl.PackageURL{
 					Type:      packageurl.TypeComposer,
 					Namespace: "symfony",
 					Name:      "contracts",
-					Version:   "v1.0.2",
+					Version:   "1.0.2",
 				},
 			},
 			wantPkg: &ftypes.Package{
 				Name:    "symfony/contracts",
-				Version: "v1.0.2",
+				Version: "1.0.2",
+				Identifier: ftypes.PkgIdentifier{
+					PURL: &packageurl.PackageURL{
+						Type:      packageurl.TypeComposer,
+						Namespace: "symfony",
+						Name:      "contracts",
+						Version:   "1.0.2",
+					},
+				},
 			},
 		},
 		{
 			name: "maven with namespace",
-			pkgURL: &ftypes.PackageURL{
+			pkgURL: &purl.PackageURL{
 				PackageURL: packageurl.PackageURL{
 					Type:      packageurl.TypeMaven,
 					Namespace: "org.springframework",
@@ -656,11 +690,19 @@ func TestToPackage(t *testing.T) {
 			wantPkg: &ftypes.Package{
 				Name:    "org.springframework:spring-core",
 				Version: "5.0.4.RELEASE",
+				Identifier: ftypes.PkgIdentifier{
+					PURL: &packageurl.PackageURL{
+						Type:      packageurl.TypeMaven,
+						Namespace: "org.springframework",
+						Name:      "spring-core",
+						Version:   "5.0.4.RELEASE",
+					},
+				},
 			},
 		},
 		{
 			name: "cocoapods with subpath",
-			pkgURL: &ftypes.PackageURL{
+			pkgURL: &purl.PackageURL{
 				PackageURL: packageurl.PackageURL{
 					Type:    packageurl.TypeCocoapods,
 					Version: "4.2.0",
@@ -671,11 +713,19 @@ func TestToPackage(t *testing.T) {
 			wantPkg: &ftypes.Package{
 				Name:    "AppCenter/Analytics",
 				Version: "4.2.0",
+				Identifier: ftypes.PkgIdentifier{
+					PURL: &packageurl.PackageURL{
+						Type:    packageurl.TypeCocoapods,
+						Version: "4.2.0",
+						Name:    "AppCenter",
+						Subpath: "Analytics",
+					},
+				},
 			},
 		},
 		{
 			name: "wrong epoch",
-			pkgURL: &ftypes.PackageURL{
+			pkgURL: &purl.PackageURL{
 				PackageURL: packageurl.PackageURL{
 					Type:      packageurl.TypeRPM,
 					Namespace: "redhat",
@@ -693,19 +743,33 @@ func TestToPackage(t *testing.T) {
 				Name:    "acl",
 				Version: "2.2.53",
 				Release: "1.el8",
+				Identifier: ftypes.PkgIdentifier{
+					PURL: &packageurl.PackageURL{
+						Type:      packageurl.TypeRPM,
+						Namespace: "redhat",
+						Name:      "acl",
+						Version:   "2.2.53-1.el8",
+						Qualifiers: packageurl.Qualifiers{
+							{
+								Key:   "epoch",
+								Value: "wrong",
+							},
+						},
+					},
+				},
 			},
 		},
 	}
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			got := purl.ToPackage(tt.pkgURL)
+			got := tt.pkgURL.Package()
 			assert.Equal(t, tt.wantPkg, got)
 		})
 	}
 }
 
-func TestLangType(t *testing.T) {
+func TestPackageURL_LangType(t *testing.T) {
 	tests := []struct {
 		name string
 		purl packageurl.PackageURL
@@ -743,8 +807,77 @@ func TestLangType(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			p := &ftypes.PackageURL{PackageURL: tt.purl}
+			p := &purl.PackageURL{PackageURL: tt.purl}
-			assert.Equalf(t, tt.want, purl.LangType(p), "LangType()")
+			assert.Equalf(t, tt.want, p.LangType(), "LangType()")
+		})
+	}
+}
+
+func TestPackageURL_Match(t *testing.T) {
+	tests := []struct {
+		name       string
+		constraint string
+		target     string
+		want       bool
+	}{
+		{
+			name:       "same purl",
+			constraint: "pkg:golang/github.com/aquasecurity/trivy@0.49.0",
+			target:     "pkg:golang/github.com/aquasecurity/trivy@0.49.0",
+			want:       true,
+		},
+		{
+			name:       "different type",
+			constraint: "pkg:golang/github.com/aquasecurity/trivy@0.49.0",
+			target:     "pkg:maven/github.com/aquasecurity/trivy@0.49.0",
+			want:       false,
+		},
+		{
+			name:       "different namespace",
+			constraint: "pkg:golang/github.com/aquasecurity/trivy@0.49.0",
+			target:     "pkg:golang/github.com/aquasecurity2/trivy@0.49.0",
+			want:       false,
+		},
+		{
+			name:       "different name",
+			constraint: "pkg:golang/github.com/aquasecurity/trivy@0.49.0",
+			target:     "pkg:golang/github.com/aquasecurity/tracee@0.49.0",
+			want:       false,
+		},
+		{
+			name:       "different version",
+			constraint: "pkg:golang/github.com/aquasecurity/trivy@0.49.0",
+			target:     "pkg:golang/github.com/aquasecurity/trivy@0.49.1",
+			want:       false,
+		},
+		{
+			name:       "version wildcard",
+			constraint: "pkg:golang/github.com/aquasecurity/trivy",
+			target:     "pkg:golang/github.com/aquasecurity/trivy@0.50.0",
+			want:       true,
+		},
+		{
+			name:       "different qualifier",
+			constraint: "pkg:bitnami/wordpress@6.2.0?arch=arm64&distro=debian-12",
+			target:     "pkg:bitnami/wordpress@6.2.0?arch=arm64&distro=debian-13",
+			want:       false,
+		},
+		{
+			name:       "target more qualifiers",
+			constraint: "pkg:bitnami/wordpress@6.2.0?arch=arm64",
+			target:     "pkg:bitnami/wordpress@6.2.0?arch=arm64&distro=debian-13",
+			want:       true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			c, err := purl.FromString(tt.constraint)
+			require.NoError(t, err)
+
+			p, err := purl.FromString(tt.target)
+			require.NoError(t, err)
+
+			assert.Equalf(t, tt.want, c.Match(p.Unwrap()), "Match()")
 		})
 	}
 }

pkg/result/filter_test.go

@@ -154,15 +154,13 @@ func TestFilter(t *testing.T) {
 									VulnerabilityID: "CVE-2019-0001",
 									PkgName:         "foo",
 									PkgIdentifier: ftypes.PkgIdentifier{
-										PURL: &ftypes.PackageURL{
+										PURL: &packageurl.PackageURL{
-											PackageURL: packageurl.PackageURL{
 											Type:      packageurl.TypeGolang,
 											Namespace: "github.com/aquasecurity",
 											Name:      "foo",
 											Version:   "1.2.3",
 										},
 									},
-									},
 									InstalledVersion: "1.2.3",
 									FixedVersion:     "1.2.4",
 									Vulnerability: dbTypes.Vulnerability{
@@ -173,15 +171,13 @@ func TestFilter(t *testing.T) {
 									VulnerabilityID: "CVE-2019-0001",
 									PkgName:         "bar",
 									PkgIdentifier: ftypes.PkgIdentifier{
-										PURL: &ftypes.PackageURL{
+										PURL: &packageurl.PackageURL{
-											PackageURL: packageurl.PackageURL{
 											Type:      packageurl.TypeGolang,
 											Namespace: "github.com/aquasecurity",
 											Name:      "bar",
 											Version:   "4.5.6",
 										},
 									},
-									},
 									InstalledVersion: "4.5.6",
 									FixedVersion:     "4.5.7",
 									Vulnerability: dbTypes.Vulnerability{
@@ -209,15 +205,13 @@ func TestFilter(t *testing.T) {
 								VulnerabilityID: "CVE-2019-0001",
 								PkgName:         "bar",
 								PkgIdentifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:      packageurl.TypeGolang,
 										Namespace: "github.com/aquasecurity",
 										Name:      "bar",
 										Version:   "4.5.6",
 									},
 								},
-								},
 								InstalledVersion: "4.5.6",
 								FixedVersion:     "4.5.7",
 								Vulnerability: dbTypes.Vulnerability{

pkg/rpc/convert.go

@@ -3,6 +3,7 @@ package rpc
 import (
 	"time"
 
+	"github.com/package-url/packageurl-go"
 	"github.com/samber/lo"
 	"google.golang.org/protobuf/types/known/structpb"
 	"google.golang.org/protobuf/types/known/timestamppb"
@@ -11,7 +12,6 @@ import (
 	"github.com/aquasecurity/trivy/pkg/digest"
 	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
 	"github.com/aquasecurity/trivy/pkg/log"
-	"github.com/aquasecurity/trivy/pkg/purl"
 	"github.com/aquasecurity/trivy/pkg/types"
 	"github.com/aquasecurity/trivy/rpc/cache"
 	"github.com/aquasecurity/trivy/rpc/common"
@@ -82,7 +82,7 @@ func ConvertToRPCPkgIdentifier(pkg ftypes.PkgIdentifier) *common.PkgIdentifier {
 
 	var p string
 	if pkg.PURL != nil {
-		p = pkg.PURL.BOMRef() // Use BOMRef() instead of String() so that we won't lose file_path
+		p = pkg.PURL.String()
 	}
 	return &common.PkgIdentifier{
 		Purl:   p,
@@ -227,11 +227,11 @@ func ConvertFromRPCPkgIdentifier(pkg *common.PkgIdentifier) ftypes.PkgIdentifier
 	}
 
 	if pkg.Purl != "" {
-		pu, err := purl.FromString(pkg.Purl)
+		pu, err := packageurl.FromString(pkg.Purl)
 		if err != nil {
 			log.Logger.Error("Failed to parse PURL (%s): %s", pkg.Purl, err)
 		}
-		pkgID.PURL = pu
+		pkgID.PURL = &pu
 	}
 
 	return pkgID

pkg/sbom/cyclonedx/core/cyclonedx.go

@@ -15,8 +15,8 @@ import (
 	"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
 	"github.com/aquasecurity/trivy/pkg/clock"
 	"github.com/aquasecurity/trivy/pkg/digest"
-	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
 	"github.com/aquasecurity/trivy/pkg/log"
+	"github.com/aquasecurity/trivy/pkg/purl"
 	"github.com/aquasecurity/trivy/pkg/types"
 	"github.com/aquasecurity/trivy/pkg/uuid"
 )
@@ -39,7 +39,7 @@ type Component struct {
 	Name       string
 	Group      string
 	Version    string
-	PackageURL *ftypes.PackageURL
+	PackageURL *purl.PackageURL
 	Licenses   []string
 	Hashes     []digest.Digest
 	Supplier   string
@@ -232,7 +232,7 @@ func (c *CycloneDX) Vulnerabilities(uniq map[string]*cdx.Vulnerability) *[]cdx.V
 	return &vulns
 }
 
-func (c *CycloneDX) PackageURL(p *ftypes.PackageURL) string {
+func (c *CycloneDX) PackageURL(p *purl.PackageURL) string {
 	if p == nil {
 		return ""
 	}

pkg/sbom/cyclonedx/core/cyclonedx_test.go

@@ -2,6 +2,7 @@ package core_test
 
 import (
 	"context"
+	"github.com/aquasecurity/trivy/pkg/purl"
 	"testing"
 	"time"
 
@@ -11,7 +12,6 @@ import (
 
 	"github.com/aquasecurity/trivy/pkg/clock"
 	"github.com/aquasecurity/trivy/pkg/digest"
-	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
 	"github.com/aquasecurity/trivy/pkg/sbom/cyclonedx/core"
 	"github.com/aquasecurity/trivy/pkg/uuid"
 )
@@ -43,7 +43,7 @@ func TestMarshaler_CoreComponent(t *testing.T) {
 								Type:    cdx.ComponentTypeContainer,
 								Name:    "k8s.gcr.io/kube-apiserver",
 								Version: "sha256:18e61c783b41758dd391ab901366ec3546b26fae00eef7e223d1f94da808e02f",
-								PackageURL: &ftypes.PackageURL{
+								PackageURL: &purl.PackageURL{
 									PackageURL: packageurl.PackageURL{
 										Type:    "oci",
 										Name:    "kube-apiserver",
@@ -138,7 +138,7 @@ func TestMarshaler_CoreComponent(t *testing.T) {
 												Value: "golang",
 											},
 										},
-										PackageURL: &ftypes.PackageURL{
+										PackageURL: &purl.PackageURL{
 											PackageURL: packageurl.PackageURL{
 												Type:       "golang",
 												Name:       "kubelet",
@@ -157,7 +157,7 @@ func TestMarshaler_CoreComponent(t *testing.T) {
 												Value: "golang",
 											},
 										},
-										PackageURL: &ftypes.PackageURL{
+										PackageURL: &purl.PackageURL{
 											PackageURL: packageurl.PackageURL{
 												Type:       "golang",
 												Name:       "containerd",

pkg/sbom/cyclonedx/marshal.go

@@ -378,7 +378,7 @@ func pkgComponent(pkg Package) (*core.Component, error) {
 		Name:            name,
 		Group:           group,
 		Version:         version,
-		PackageURL:      pkg.Identifier.PURL,
+		PackageURL:      purl.WithPath(pkg.Identifier.PURL, pkg.FilePath),
 		Supplier:        pkg.Maintainer,
 		Licenses:        pkg.Licenses,
 		Hashes:          lo.Ternary(pkg.Digest == "", nil, []digest.Digest{pkg.Digest}),

pkg/sbom/cyclonedx/marshal_test.go

@@ -63,8 +63,7 @@ func TestMarshaler_Marshal(t *testing.T) {
 								Epoch:   0,
 								Arch:    "aarch64",
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:      packageurl.TypeRPM,
 										Namespace: "centos",
 										Name:      "binutils",
@@ -81,7 +80,6 @@ func TestMarshaler_Marshal(t *testing.T) {
 										},
 									},
 								},
-								},
 								SrcName:         "binutils",
 								SrcVersion:      "2.30",
 								SrcRelease:      "93.el8",
@@ -145,14 +143,12 @@ func TestMarshaler_Marshal(t *testing.T) {
 								Name:    "actionpack",
 								Version: "7.0.0",
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:    packageurl.TypeGem,
 										Name:    "actionpack",
 										Version: "7.0.0",
 									},
 								},
-								},
 								Indirect: false,
 							},
 							{
@@ -160,14 +156,12 @@ func TestMarshaler_Marshal(t *testing.T) {
 								Name:    "actioncontroller",
 								Version: "7.0.0",
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:    packageurl.TypeGem,
 										Name:    "actioncontroller",
 										Version: "7.0.0",
 									},
 								},
-								},
 								Indirect: false,
 								DependsOn: []string{
 									"actionpack@7.0.0",
@@ -185,8 +179,7 @@ func TestMarshaler_Marshal(t *testing.T) {
 								Name:    "actionpack",
 								Version: "7.0.0",
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:    packageurl.TypeGem,
 										Name:    "actionpack",
 										Version: "7.0.0",
@@ -195,7 +188,6 @@ func TestMarshaler_Marshal(t *testing.T) {
 							},
 						},
 					},
-					},
 					{
 						Target: "app/datacollector.deps.json",
 						Class:  types.ClassLangPkg,
@@ -206,8 +198,7 @@ func TestMarshaler_Marshal(t *testing.T) {
 								Name:    "Newtonsoft.Json",
 								Version: "9.0.1",
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:    packageurl.TypeNuget,
 										Name:    "Newtonsoft.Json",
 										Version: "9.0.1",
@@ -216,7 +207,6 @@ func TestMarshaler_Marshal(t *testing.T) {
 							},
 						},
 					},
-					},
 					{
 						Target: "usr/local/bin/tfsec",
 						Class:  types.ClassLangPkg,
@@ -226,8 +216,7 @@ func TestMarshaler_Marshal(t *testing.T) {
 								Name:    "golang.org/x/crypto",
 								Version: "v0.0.0-20210421170649-83a5a9bb288b",
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:      packageurl.TypeGolang,
 										Namespace: "golang.org/x",
 										Name:      "crypto",
@@ -235,7 +224,6 @@ func TestMarshaler_Marshal(t *testing.T) {
 									},
 								},
 							},
-							},
 							// dependency has been replaced with local directory
 							{
 								Name:    "./api",
@@ -667,8 +655,7 @@ func TestMarshaler_Marshal(t *testing.T) {
 								Epoch:   1,
 								Arch:    "aarch64",
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:      packageurl.TypeRPM,
 										Namespace: "centos",
 										Name:      "acl",
@@ -689,7 +676,6 @@ func TestMarshaler_Marshal(t *testing.T) {
 										},
 									},
 								},
-								},
 								SrcName:         "acl",
 								SrcVersion:      "2.2.53",
 								SrcRelease:      "1.el8",
@@ -709,8 +695,7 @@ func TestMarshaler_Marshal(t *testing.T) {
 								Epoch:   0,
 								Arch:    "aarch64",
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:      packageurl.TypeRPM,
 										Namespace: "centos",
 										Name:      "glibc",
@@ -727,7 +712,6 @@ func TestMarshaler_Marshal(t *testing.T) {
 										},
 									},
 								},
-								},
 								SrcName:         "glibc",
 								SrcVersion:      "2.28",
 								SrcRelease:      "151.el8",
@@ -748,14 +732,11 @@ func TestMarshaler_Marshal(t *testing.T) {
 								Name:    "actionpack",
 								Version: "7.0.0",
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:    packageurl.TypeGem,
 										Name:    "actionpack",
 										Version: "7.0.0",
 									},
-										FilePath: "tools/project-john/specifications/actionpack.gemspec",
-									},
 								},
 								Layer: ftypes.Layer{
 									DiffID: "sha256:ccb64cf0b7ba2e50741d0b64cae324eb5de3b1e2f580bbf177e721b67df38488",
@@ -767,14 +748,11 @@ func TestMarshaler_Marshal(t *testing.T) {
 								Name:    "actionpack",
 								Version: "7.0.1",
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:    packageurl.TypeGem,
 										Name:    "actionpack",
 										Version: "7.0.1",
 									},
-										FilePath: "tools/project-doe/specifications/actionpack.gemspec",
-									},
 								},
 								Layer: ftypes.Layer{
 									DiffID: "sha256:ccb64cf0b7ba2e50741d0b64cae324eb5de3b1e2f580bbf177e721b67df38488",
@@ -789,14 +767,12 @@ func TestMarshaler_Marshal(t *testing.T) {
 								PkgName:         "actionpack",
 								PkgPath:         "tools/project-john/specifications/actionpack.gemspec",
 								PkgIdentifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:    packageurl.TypeGem,
 										Name:    "actionpack",
 										Version: "7.0.0",
 									},
 								},
-								},
 								InstalledVersion: "7.0.0",
 								FixedVersion:     "~> 5.2.6, >= 5.2.6.2, ~> 6.0.4, >= 6.0.4.6, ~> 6.1.4, >= 6.1.4.6, >= 7.0.2.2",
 								SeveritySource:   vulnerability.RubySec,
@@ -841,14 +817,12 @@ func TestMarshaler_Marshal(t *testing.T) {
 								PkgName:         "actionpack",
 								PkgPath:         "tools/project-doe/specifications/actionpack.gemspec",
 								PkgIdentifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:    packageurl.TypeGem,
 										Name:    "actionpack",
 										Version: "7.0.1",
 									},
 								},
-								},
 								InstalledVersion: "7.0.1",
 								FixedVersion:     "~> 5.2.6, >= 5.2.6.2, ~> 6.0.4, >= 6.0.4.6, ~> 6.1.4, >= 6.1.4.6, >= 7.0.2.2",
 								SeveritySource:   vulnerability.RubySec,
@@ -1221,8 +1195,7 @@ func TestMarshaler_Marshal(t *testing.T) {
 								Name:    "actioncable",
 								Version: "6.1.4.1",
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:    packageurl.TypeGem,
 										Name:    "actioncable",
 										Version: "6.1.4.1",
@@ -1231,7 +1204,6 @@ func TestMarshaler_Marshal(t *testing.T) {
 							},
 						},
 					},
-					},
 					{
 						Target: "Java",
 						Class:  types.ClassLangPkg,
@@ -1241,15 +1213,12 @@ func TestMarshaler_Marshal(t *testing.T) {
 								Name:    "org.springframework:spring-web",
 								Version: "5.3.22",
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:      packageurl.TypeMaven,
 										Namespace: "org.springframework",
 										Name:      "spring-web",
 										Version:   "5.3.22",
 									},
-										FilePath: "spring-web-5.3.22.jar",
-									},
 								},
 								FilePath: "spring-web-5.3.22.jar",
 							},
@@ -1375,15 +1344,12 @@ func TestMarshaler_Marshal(t *testing.T) {
 								Name:    "org.apache.nifi:nifi-dbcp-base",
 								Version: "1.20.0",
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:      packageurl.TypeMaven,
 										Namespace: "org.apache.nifi",
 										Name:      "nifi-dbcp-base",
 										Version:   "1.20.0",
 									},
-										FilePath: "nifi-dbcp-base-1.20.0.jar",
-									},
 								},
 								FilePath: "nifi-dbcp-base-1.20.0.jar",
 							},
@@ -1391,15 +1357,12 @@ func TestMarshaler_Marshal(t *testing.T) {
 								Name:    "org.apache.nifi:nifi-hikari-dbcp-service",
 								Version: "1.20.0",
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:      packageurl.TypeMaven,
 										Namespace: "org.apache.nifi",
 										Name:      "nifi-hikari-dbcp-service",
 										Version:   "1.20.0",
 									},
-										FilePath: "nifi-hikari-dbcp-service-1.20.0.jar",
-									},
 								},
 								FilePath: "nifi-hikari-dbcp-service-1.20.0.jar",
 							},
@@ -1410,15 +1373,13 @@ func TestMarshaler_Marshal(t *testing.T) {
 								PkgName:         "org.apache.nifi:nifi-dbcp-base",
 								PkgPath:         "nifi-dbcp-base-1.20.0.jar",
 								PkgIdentifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:      packageurl.TypeMaven,
 										Namespace: "org.apache.nifi",
 										Name:      "nifi-dbcp-base",
 										Version:   "1.20.0",
 									},
 								},
-								},
 								InstalledVersion: "1.20.0",
 								FixedVersion:     "1.22.0",
 								SeveritySource:   vulnerability.GHSA,
@@ -1462,15 +1423,13 @@ func TestMarshaler_Marshal(t *testing.T) {
 								PkgName:         "org.apache.nifi:nifi-hikari-dbcp-service",
 								PkgPath:         "nifi-hikari-dbcp-service-1.20.0.jar",
 								PkgIdentifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:      packageurl.TypeMaven,
 										Namespace: "org.apache.nifi",
 										Name:      "nifi-hikari-dbcp-service",
 										Version:   "1.20.0",
 									},
 								},
-								},
 								InstalledVersion: "1.20.0",
 								FixedVersion:     "1.22.0",
 								SeveritySource:   vulnerability.GHSA,
@@ -1680,14 +1639,11 @@ func TestMarshaler_Marshal(t *testing.T) {
 								Name:    "ruby-typeprof",
 								Version: "0.20.1",
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:    packageurl.TypeNPM,
 										Name:    "ruby-typeprof",
 										Version: "0.20.1",
 									},
-										FilePath: "usr/local/lib/ruby/gems/3.1.0/gems/typeprof-0.21.1/vscode/package.json",
-									},
 								},
 								Licenses: []string{"MIT"},
 								Layer: ftypes.Layer{

pkg/sbom/cyclonedx/unmarshal.go

@@ -202,7 +202,7 @@ func parsePkgs(components []cdx.Component, seen map[string]struct{}) ([]ftypes.P
 		}
 
 		// Skip unsupported package types
-		if purl.Class(pkgURL) == types.ClassUnknown {
+		if pkgURL.Class() == types.ClassUnknown {
 			continue
 		}
 		pkgs = append(pkgs, *pkg)
@@ -290,11 +290,11 @@ func aggregatePkgs(libs []cdx.Component) ([]ftypes.PackageInfo, []ftypes.Applica
 			return nil, nil, xerrors.Errorf("failed to parse the component: %w", err)
 		}
 
-		switch purl.Class(pkgURL) {
+		switch pkgURL.Class() {
 		case types.ClassOSPkg:
 			osPkgMap[pkgURL.Type] = append(osPkgMap[pkgURL.Type], *pkg)
 		case types.ClassLangPkg:
-			langType := purl.LangType(pkgURL)
+			langType := pkgURL.LangType()
 			langPkgMap[langType] = append(langPkgMap[langType], *pkg)
 		}
 	}
@@ -337,7 +337,7 @@ func toApplication(component cdx.Component) *ftypes.Application {
 	}
 }
 
-func toPackage(component cdx.Component) (*ftypes.PackageURL, *ftypes.Package, error) {
+func toPackage(component cdx.Component) (*purl.PackageURL, *ftypes.Package, error) {
 	if component.PackageURL == "" {
 		log.Logger.Warnf("Skip the component (BOM-Ref: %s) as the PURL is empty", component.BOMRef)
 		return nil, nil, ErrPURLEmpty
@@ -347,7 +347,7 @@ func toPackage(component cdx.Component) (*ftypes.PackageURL, *ftypes.Package, er
 		return nil, nil, xerrors.Errorf("failed to parse purl: %w", err)
 	}
 
-	pkg := purl.ToPackage(p)
+	pkg := p.Package()
 	// Trivy's marshall loses case-sensitivity in PURL used in SBOM for packages (Go, Npm, PyPI),
 	// so we have to use an original package name
 	pkg.Name = packageName(p.Type, pkg.Name, component)
@@ -382,12 +382,9 @@ func toPackage(component cdx.Component) (*ftypes.PackageURL, *ftypes.Package, er
 	if pkg.FilePath != "" {
 		p.FilePath = pkg.FilePath
 	}
-	pkg.Identifier = ftypes.PkgIdentifier{
+	pkg.Identifier.BOMRef = component.BOMRef
-		PURL:   p,
-		BOMRef: component.BOMRef,
-	}
 
-	if purl.Class(p) == types.ClassOSPkg {
+	if p.Class() == types.ClassOSPkg {
 		fillSrcPkg(pkg)
 	}
 

pkg/sbom/cyclonedx/unmarshal_test.go

@@ -40,8 +40,7 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 								SrcVersion: "1.2.3-r0",
 								Licenses:   []string{"MIT"},
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:      packageurl.TypeApk,
 										Namespace: "alpine",
 										Name:      "musl",
@@ -53,7 +52,6 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 											},
 										},
 									},
-									},
 									BOMRef: "pkg:apk/alpine/musl@1.2.3-r0?distro=3.16.0",
 								},
 								Layer: ftypes.Layer{
@@ -72,14 +70,12 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 								Name:    "pear/log",
 								Version: "1.13.1",
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:      packageurl.TypeComposer,
 										Namespace: "pear",
 										Name:      "log",
 										Version:   "1.13.1",
 									},
-									},
 									BOMRef: "pkg:composer/pear/log@1.13.1",
 								},
 								Layer: ftypes.Layer{
@@ -91,14 +87,12 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 								Name:    "pear/pear_exception",
 								Version: "v1.0.0",
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:      packageurl.TypeComposer,
 										Namespace: "pear",
 										Name:      "pear_exception",
 										Version:   "v1.0.0",
 									},
-									},
 									BOMRef: "pkg:composer/pear/pear_exception@v1.0.0",
 								},
 								Layer: ftypes.Layer{
@@ -115,14 +109,12 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 								Name:    "github.com/package-url/packageurl-go",
 								Version: "v0.1.1-0.20220203205134-d70459300c8a",
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:      packageurl.TypeGolang,
 										Namespace: "github.com/package-url",
 										Name:      "packageurl-go",
 										Version:   "v0.1.1-0.20220203205134-d70459300c8a",
 									},
-									},
 									BOMRef: "pkg:golang/github.com/package-url/packageurl-go@v0.1.1-0.20220203205134-d70459300c8a",
 								},
 								Layer: ftypes.Layer{
@@ -138,14 +130,12 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 							{
 								Name: "com.example:example",
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:      packageurl.TypeMaven,
 										Namespace: "com.example",
 										Name:      "example",
 										Version:   "0.0.1",
 									},
-									},
 									BOMRef: "pkg:maven/com.example/example@0.0.1",
 								},
 								Version: "0.0.1",
@@ -161,15 +151,12 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 							{
 								Name: "org.codehaus.mojo:child-project",
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:      packageurl.TypeMaven,
 										Namespace: "org.codehaus.mojo",
 										Name:      "child-project",
 										Version:   "1.0",
 									},
-										FilePath: "app/maven/target/child-project-1.0.jar",
-									},
 									BOMRef: "pkg:maven/org.codehaus.mojo/child-project@1.0?file_path=app%2Fmaven%2Ftarget%2Fchild-project-1.0.jar",
 								},
 								Version: "1.0",
@@ -188,14 +175,11 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 								Name:    "bootstrap",
 								Version: "5.0.2",
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:    packageurl.TypeNPM,
 										Name:    "bootstrap",
 										Version: "5.0.2",
 									},
-										FilePath: "app/app/package.json",
-									},
 									BOMRef: "pkg:npm/bootstrap@5.0.2?file_path=app%2Fapp%2Fpackage.json",
 								},
 								Licenses: []string{"MIT"},
@@ -230,13 +214,11 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 								Name:    "docker",
 								Version: "24.0.4",
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:    packageurl.TypeGolang,
 										Name:    "docker",
 										Version: "24.0.4",
 									},
-									},
 									BOMRef: "pkg:golang/docker@24.0.4",
 								},
 							},
@@ -253,13 +235,11 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 								Name:    "k8s.io/apiserver",
 								Version: "1.27.4",
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:    purl.TypeK8s,
 										Name:    "k8s.io/apiserver",
 										Version: "1.27.4",
 									},
-									},
 									BOMRef: "pkg:k8s/k8s.io%2Fapiserver@1.27.4",
 								},
 							},
@@ -267,13 +247,11 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 								Name:    "k8s.io/controller-manager",
 								Version: "1.27.4",
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:    purl.TypeK8s,
 										Name:    "k8s.io/controller-manager",
 										Version: "1.27.4",
 									},
-									},
 									BOMRef: "pkg:k8s/k8s.io%2Fcontroller-manager@1.27.4",
 								},
 							},
@@ -281,13 +259,11 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 								Name:    "k8s.io/kube-proxy",
 								Version: "1.27.4",
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:    purl.TypeK8s,
 										Name:    "k8s.io/kube-proxy",
 										Version: "1.27.4",
 									},
-									},
 									BOMRef: "pkg:k8s/k8s.io%2Fkube-proxy@1.27.4",
 								},
 							},
@@ -295,13 +271,11 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 								Name:    "k8s.io/kube-scheduler",
 								Version: "1.27.4",
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:    purl.TypeK8s,
 										Name:    "k8s.io/kube-scheduler",
 										Version: "1.27.4",
 									},
-									},
 									BOMRef: "pkg:k8s/k8s.io%2Fkube-scheduler@1.27.4",
 								},
 							},
@@ -309,13 +283,11 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 								Name:    "k8s.io/kubelet",
 								Version: "1.27.4",
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:    purl.TypeK8s,
 										Name:    "k8s.io/kubelet",
 										Version: "1.27.4",
 									},
-									},
 									BOMRef: "pkg:k8s/k8s.io%2Fkubelet@1.27.4",
 								},
 							},
@@ -323,13 +295,11 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 								Name:    "k8s.io/kubernetes",
 								Version: "1.27.4",
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:    purl.TypeK8s,
 										Name:    "k8s.io/kubernetes",
 										Version: "1.27.4",
 									},
-									},
 									BOMRef: "pkg:k8s/k8s.io%2Fkubernetes@1.27.4",
 								},
 							},
@@ -362,8 +332,7 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 									"GFDL-1.3",
 								},
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:      packageurl.TypeDebian,
 										Namespace: "ubuntu",
 										Name:      "libc6",
@@ -375,7 +344,6 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 											},
 										},
 									},
-									},
 									BOMRef: "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.1?distro=ubuntu-22.04",
 								},
 								Layer: ftypes.Layer{
@@ -393,8 +361,7 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 								SrcRelease: "1",
 								SrcEpoch:   1,
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:      packageurl.TypeDebian,
 										Namespace: "ubuntu",
 										Name:      "libcrypt1",
@@ -410,7 +377,6 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 											},
 										},
 									},
-									},
 									BOMRef: "pkg:deb/ubuntu/libcrypt1@4.4.27-1?epoch=1&distro=ubuntu-22.04",
 								},
 								Layer: ftypes.Layer{
@@ -441,8 +407,7 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 								SrcVersion: "1.2.3-r0",
 								Licenses:   []string{"MIT"},
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:      packageurl.TypeApk,
 										Namespace: "alpine",
 										Name:      "musl",
@@ -454,7 +419,6 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 											},
 										},
 									},
-									},
 									BOMRef: "pkg:apk/alpine/musl@1.2.3-r0?distro=3.16.0",
 								},
 							},
@@ -470,14 +434,12 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 								Name:    "pear/log",
 								Version: "1.13.1",
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:      packageurl.TypeComposer,
 										Namespace: "pear",
 										Name:      "log",
 										Version:   "1.13.1",
 									},
-									},
 									BOMRef: "pkg:composer/pear/log@1.13.1",
 								},
 								Licenses: []string{"MIT"},
@@ -487,14 +449,12 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 								Name:    "pear/pear_exception",
 								Version: "v1.0.0",
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:      packageurl.TypeComposer,
 										Namespace: "pear",
 										Name:      "pear_exception",
 										Version:   "v1.0.0",
 									},
-									},
 									BOMRef: "pkg:composer/pear/pear_exception@v1.0.0",
 								},
 							},
@@ -516,14 +476,12 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 								Name:    "pear/log",
 								Version: "1.13.1",
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:      packageurl.TypeComposer,
 										Namespace: "pear",
 										Name:      "log",
 										Version:   "1.13.1",
 									},
-									},
 									BOMRef: "pkg:composer/pear/log@1.13.1",
 								},
 							},
@@ -545,14 +503,12 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 								Name:    "pear/log",
 								Version: "1.13.1",
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:      packageurl.TypeComposer,
 										Namespace: "pear",
 										Name:      "log",
 										Version:   "1.13.1",
 									},
-									},
 									BOMRef: "pkg:composer/pear/log@1.13.1",
 								},
 							},
@@ -561,14 +517,12 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 								Name:    "pear/pear_exception",
 								Version: "v1.0.0",
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:      packageurl.TypeComposer,
 										Namespace: "pear",
 										Name:      "pear_exception",
 										Version:   "v1.0.0",
 									},
-									},
 									BOMRef: "pkg:composer/pear/pear_exception@v1.0.0",
 								},
 							},
@@ -590,14 +544,12 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 								Name:    "pear/core",
 								Version: "1.13.1",
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:      packageurl.TypeComposer,
 										Namespace: "pear",
 										Name:      "core",
 										Version:   "1.13.1",
 									},
-									},
 									BOMRef: "pkg:composer/pear/core@1.13.1",
 								},
 							},
@@ -605,14 +557,12 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 								Name:    "pear/log",
 								Version: "1.13.1",
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:      packageurl.TypeComposer,
 										Namespace: "pear",
 										Name:      "log",
 										Version:   "1.13.1",
 									},
-									},
 									BOMRef: "pkg:composer/pear/log@1.13.1",
 								},
 							},
@@ -621,14 +571,12 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 								Name:    "pear/pear_exception",
 								Version: "v1.0.0",
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:      packageurl.TypeComposer,
 										Namespace: "pear",
 										Name:      "pear_exception",
 										Version:   "v1.0.0",
 									},
-									},
 									BOMRef: "pkg:composer/pear/pear_exception@v1.0.0",
 								},
 							},
@@ -649,15 +597,12 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 								Name:    "org.springframework:spring-web",
 								Version: "5.3.22",
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:      packageurl.TypeMaven,
 										Namespace: "org.springframework",
 										Name:      "spring-web",
 										Version:   "5.3.22",
 									},
-										FilePath: "spring-web-5.3.22.jar",
-									},
 									BOMRef: "pkg:maven/org.springframework/spring-web@5.3.22?file_path=spring-web-5.3.22.jar",
 								},
 								FilePath: "spring-web-5.3.22.jar",

pkg/sbom/spdx/marshal_test.go

@@ -62,8 +62,7 @@ func TestMarshaler_Marshal(t *testing.T) {
 								Epoch:   0,
 								Arch:    "aarch64",
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:      packageurl.TypeRPM,
 										Namespace: "centos",
 										Name:      "binutils",
@@ -80,7 +79,6 @@ func TestMarshaler_Marshal(t *testing.T) {
 										},
 									},
 								},
-								},
 								SrcName:         "binutils",
 								SrcVersion:      "2.30",
 								SrcRelease:      "93.el8",
@@ -101,21 +99,18 @@ func TestMarshaler_Marshal(t *testing.T) {
 								Name:    "actionpack",
 								Version: "7.0.1",
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:    packageurl.TypeGem,
 										Name:    "actionpack",
 										Version: "7.0.1",
 									},
 								},
 							},
-							},
 							{
 								Name:    "actioncontroller",
 								Version: "7.0.1",
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:    packageurl.TypeGem,
 										Name:    "actioncontroller",
 										Version: "7.0.1",
@@ -124,7 +119,6 @@ func TestMarshaler_Marshal(t *testing.T) {
 							},
 						},
 					},
-					},
 					{
 						Target: "app/Gemfile.lock",
 						Class:  types.ClassLangPkg,
@@ -134,8 +128,7 @@ func TestMarshaler_Marshal(t *testing.T) {
 								Name:    "actionpack",
 								Version: "7.0.1",
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:    packageurl.TypeGem,
 										Name:    "actionpack",
 										Version: "7.0.1",
@@ -146,7 +139,6 @@ func TestMarshaler_Marshal(t *testing.T) {
 					},
 				},
 			},
-			},
 			wantSBOM: &spdx.Document{
 				SPDXVersion:       spdx.Version,
 				DataLicense:       spdx.DataLicense,
@@ -351,8 +343,7 @@ func TestMarshaler_Marshal(t *testing.T) {
 								Epoch:   1,
 								Arch:    "aarch64",
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:      packageurl.TypeRPM,
 										Namespace: "centos",
 										Name:      "acl",
@@ -373,7 +364,6 @@ func TestMarshaler_Marshal(t *testing.T) {
 										},
 									},
 								},
-								},
 								SrcName:         "acl",
 								SrcVersion:      "2.2.53",
 								SrcRelease:      "1.el8",
@@ -393,14 +383,12 @@ func TestMarshaler_Marshal(t *testing.T) {
 								Name:    "actionpack",
 								Version: "7.0.1",
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:    packageurl.TypeGem,
 										Name:    "actionpack",
 										Version: "7.0.1",
 									},
 								},
-								},
 								Layer: ftypes.Layer{
 									DiffID: "sha256:ccb64cf0b7ba2e50741d0b64cae324eb5de3b1e2f580bbf177e721b67df38488",
 								},
@@ -411,14 +399,12 @@ func TestMarshaler_Marshal(t *testing.T) {
 								Name:    "actionpack",
 								Version: "7.0.1",
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:    packageurl.TypeGem,
 										Name:    "actionpack",
 										Version: "7.0.1",
 									},
 								},
-								},
 								Layer: ftypes.Layer{
 									DiffID: "sha256:ccb64cf0b7ba2e50741d0b64cae324eb5de3b1e2f580bbf177e721b67df38488",
 								},
@@ -634,8 +620,7 @@ func TestMarshaler_Marshal(t *testing.T) {
 								Name:    "actioncable",
 								Version: "6.1.4.1",
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:    packageurl.TypeGem,
 										Name:    "actioncable",
 										Version: "6.1.4.1",
@@ -646,7 +631,6 @@ func TestMarshaler_Marshal(t *testing.T) {
 					},
 				},
 			},
-			},
 			wantSBOM: &spdx.Document{
 				SPDXVersion:       spdx.Version,
 				DataLicense:       spdx.DataLicense,
@@ -736,14 +720,12 @@ func TestMarshaler_Marshal(t *testing.T) {
 								Name:    "ruby-typeprof",
 								Version: "0.20.1",
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:    packageurl.TypeNPM,
 										Name:    "ruby-typeprof",
 										Version: "0.20.1",
 									},
 								},
-								},
 								Licenses: []string{"MIT"},
 								Layer: ftypes.Layer{
 									DiffID: "sha256:661c3fd3cc16b34c070f3620ca6b03b6adac150f9a7e5d0e3c707a159990f88e",
@@ -976,8 +958,7 @@ func TestMarshaler_Marshal(t *testing.T) {
 								Name:    "golang.org/x/crypto",
 								Version: "v0.0.1",
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:      packageurl.TypeGolang,
 										Namespace: "golang.org/x",
 										Name:      "crypto",
@@ -989,7 +970,6 @@ func TestMarshaler_Marshal(t *testing.T) {
 					},
 				},
 			},
-			},
 			wantSBOM: &spdx.Document{
 				SPDXVersion:       spdx.Version,
 				DataLicense:       spdx.DataLicense,

pkg/sbom/spdx/unmarshal.go

@@ -177,12 +177,12 @@ func (s *SPDX) parsePackages(pkgs map[common.ElementID]*spdx.Package) error {
 		} else if err != nil {
 			return xerrors.Errorf("failed to parse package: %w", err)
 		}
-		switch purl.Class(pkgURL) {
+		switch pkgURL.Class() {
 		case types.ClassOSPkg:
 			osPkgs = append(osPkgs, *pkg)
 		case types.ClassLangPkg:
 			// Language-specific packages
-			pkgType := purl.LangType(pkgURL)
+			pkgType := pkgURL.LangType()
 			app, ok := apps[pkgType]
 			if !ok {
 				app.Type = pkgType
@@ -246,12 +246,13 @@ func parseOS(pkg spdx.Package) ftypes.OS {
 	}
 }
 
-func parsePkg(spdxPkg spdx.Package, packageFilePaths map[string]string) (*ftypes.Package, *ftypes.PackageURL, error) {
+func parsePkg(spdxPkg spdx.Package, packageFilePaths map[string]string) (*ftypes.Package, *purl.PackageURL, error) {
-	pkg, pkgURL, err := parseExternalReferences(spdxPkg.PackageExternalReferences)
+	pkgURL, err := parseExternalReferences(spdxPkg.PackageExternalReferences)
 	if err != nil {
 		return nil, nil, xerrors.Errorf("external references error: %w", err)
 	}
 
+	pkg := pkgURL.Package()
 	if spdxPkg.PackageLicenseDeclared != "NONE" {
 		pkg.Licenses = strings.Split(spdxPkg.PackageLicenseDeclared, ",")
 	}
@@ -278,7 +279,7 @@ func parsePkg(spdxPkg spdx.Package, packageFilePaths map[string]string) (*ftypes
 	return pkg, pkgURL, nil
 }
 
-func parseExternalReferences(refs []*spdx.PackageExternalReference) (*ftypes.Package, *ftypes.PackageURL, error) {
+func parseExternalReferences(refs []*spdx.PackageExternalReference) (*purl.PackageURL, error) {
 	for _, ref := range refs {
 		// Extract the package information from PURL
 		if ref.RefType != RefTypePurl || ref.Category != CategoryPackageManager {
@@ -287,15 +288,11 @@ func parseExternalReferences(refs []*spdx.PackageExternalReference) (*ftypes.Pac
 
 		packageURL, err := purl.FromString(ref.Locator)
 		if err != nil {
-			return nil, nil, xerrors.Errorf("failed to parse purl from string: %w", err)
+			return nil, xerrors.Errorf("failed to parse purl from string: %w", err)
 		}
-		pkg := purl.ToPackage(packageURL)
+		return packageURL, nil
-		pkg.Identifier = ftypes.PkgIdentifier{
-			PURL: packageURL,
 	}
-		return pkg, packageURL, nil
+	return nil, errUnknownPackageFormat
-	}
-	return nil, nil, errUnknownPackageFormat
 }
 
 func lookupAttributionTexts(attributionTexts []string, key string) string {

pkg/sbom/spdx/unmarshal_test.go

@@ -40,8 +40,7 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 								SrcVersion: "1.2.3-r0",
 								Licenses:   []string{"MIT"},
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:      packageurl.TypeApk,
 										Namespace: "alpine",
 										Name:      "musl",
@@ -54,7 +53,6 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 										},
 									},
 								},
-								},
 								Layer: ftypes.Layer{
 									DiffID: "sha256:dd565ff850e7003356e2b252758f9bdc1ff2803f61e995e24c7844f6297f8fc3",
 								},
@@ -71,15 +69,13 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 								Name:    "pear/log",
 								Version: "1.13.1",
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:      packageurl.TypeComposer,
 										Namespace: "pear",
 										Name:      "log",
 										Version:   "1.13.1",
 									},
 								},
-								},
 								Layer: ftypes.Layer{
 									DiffID: "sha256:3c79e832b1b4891a1cb4a326ef8524e0bd14a2537150ac0e203a5677176c1ca1",
 								},
@@ -89,15 +85,13 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 								Name:    "pear/pear_exception",
 								Version: "v1.0.0",
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:      packageurl.TypeComposer,
 										Namespace: "pear",
 										Name:      "pear_exception",
 										Version:   "v1.0.0",
 									},
 								},
-								},
 								Layer: ftypes.Layer{
 									DiffID: "sha256:3c79e832b1b4891a1cb4a326ef8524e0bd14a2537150ac0e203a5677176c1ca1",
 								},
@@ -112,15 +106,13 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 								Name:    "github.com/package-url/packageurl-go",
 								Version: "v0.1.1-0.20220203205134-d70459300c8a",
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:      packageurl.TypeGolang,
 										Namespace: "github.com/package-url",
 										Name:      "packageurl-go",
 										Version:   "v0.1.1-0.20220203205134-d70459300c8a",
 									},
 								},
-								},
 								Layer: ftypes.Layer{
 									DiffID: "sha256:3c79e832b1b4891a1cb4a326ef8524e0bd14a2537150ac0e203a5677176c1ca1",
 								},
@@ -133,15 +125,13 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 							{
 								Name: "org.codehaus.mojo:child-project",
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:      packageurl.TypeMaven,
 										Namespace: "org.codehaus.mojo",
 										Name:      "child-project",
 										Version:   "1.0",
 									},
 								},
-								},
 								Version: "1.0",
 								Layer: ftypes.Layer{
 									DiffID: "sha256:3c79e832b1b4891a1cb4a326ef8524e0bd14a2537150ac0e203a5677176c1ca1",
@@ -156,14 +146,12 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 								Name:    "bootstrap",
 								Version: "5.0.2",
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:    packageurl.TypeNPM,
 										Name:    "bootstrap",
 										Version: "5.0.2",
 									},
 								},
-								},
 								Licenses: []string{"MIT"},
 								Layer: ftypes.Layer{
 									DiffID: "sha256:3c79e832b1b4891a1cb4a326ef8524e0bd14a2537150ac0e203a5677176c1ca1",
@@ -188,14 +176,12 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 								Version:  "21.1.1",
 								Licenses: []string{"ISC"},
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:    packageurl.TypeNPM,
 										Name:    "yargs-parser",
 										Version: "21.1.1",
 									},
 								},
-								},
 								FilePath: "node_modules/yargs-parser/package.json",
 							},
 						},
@@ -217,14 +203,12 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 								Version:  "21.1.1",
 								Licenses: []string{"ISC"},
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:    packageurl.TypeNPM,
 										Name:    "yargs-parser",
 										Version: "21.1.1",
 									},
 								},
-								},
 								FilePath: "node_modules/yargs-parser/package.json",
 							},
 						},
@@ -245,8 +229,7 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 								Name:    "pear/log",
 								Version: "1.13.1",
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:      packageurl.TypeComposer,
 										Namespace: "pear",
 										Name:      "log",
@@ -254,14 +237,12 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 									},
 								},
 							},
-							},
 							{
 
 								Name:    "pear/pear_exception",
 								Version: "v1.0.0",
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:      packageurl.TypeComposer,
 										Namespace: "pear",
 										Name:      "pear_exception",
@@ -274,7 +255,6 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 				},
 			},
 		},
-		},
 		{
 			name:      "happy path with no relationship",
 			inputFile: "testdata/happy/no-relationship.json",
@@ -288,8 +268,7 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 								Name:     "co.elastic.apm:apm-agent",
 								Version:  "1.36.0",
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:      packageurl.TypeMaven,
 										Namespace: "co.elastic.apm",
 										Name:      "apm-agent",
@@ -297,14 +276,12 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 									},
 								},
 							},
-							},
 							{
 								FilePath: "modules/apm/elastic-apm-agent-1.36.0.jar",
 								Name:     "co.elastic.apm:apm-agent-cached-lookup-key",
 								Version:  "1.36.0",
 								Identifier: ftypes.PkgIdentifier{
-									PURL: &ftypes.PackageURL{
+									PURL: &packageurl.PackageURL{
-										PackageURL: packageurl.PackageURL{
 										Type:      packageurl.TypeMaven,
 										Namespace: "co.elastic.apm",
 										Name:      "apm-agent-cached-lookup-key",
@@ -317,7 +294,6 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 				},
 			},
 		},
-		},
 		{
 			name:      "happy path only os component",
 			inputFile: "testdata/happy/os-only-bom.json",

pkg/vex/csaf.go

@@ -2,12 +2,12 @@ package vex
 
 import (
 	csaf "github.com/csaf-poc/csaf_distribution/v3/csaf"
+	"github.com/package-url/packageurl-go"
 	"github.com/samber/lo"
 	"go.uber.org/zap"
-	"golang.org/x/exp/slices"
 
-	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
 	"github.com/aquasecurity/trivy/pkg/log"
+	"github.com/aquasecurity/trivy/pkg/purl"
 	"github.com/aquasecurity/trivy/pkg/types"
 )
 
@@ -36,16 +36,16 @@ func (v *CSAF) Filter(vulns []types.DetectedVulnerability) []types.DetectedVulne
 	})
 }
 
-func (v *CSAF) affected(vuln *csaf.Vulnerability, purl *ftypes.PackageURL) bool {
+func (v *CSAF) affected(vuln *csaf.Vulnerability, pkgURL *packageurl.PackageURL) bool {
-	if purl == nil || vuln.ProductStatus == nil {
+	if pkgURL == nil || vuln.ProductStatus == nil {
 		return true
 	}
 
 	var status Status
 	switch {
-	case v.matchPURL(purl, vuln.ProductStatus.KnownNotAffected):
+	case v.matchPURL(vuln.ProductStatus.KnownNotAffected, pkgURL):
 		status = StatusNotAffected
-	case v.matchPURL(purl, vuln.ProductStatus.Fixed):
+	case v.matchPURL(vuln.ProductStatus.Fixed, pkgURL):
 		status = StatusFixed
 	}
 
@@ -60,19 +60,26 @@ func (v *CSAF) affected(vuln *csaf.Vulnerability, purl *ftypes.PackageURL) bool
 }
 
 // matchPURL returns true if the given PackageURL is found in the ProductTree.
-func (v *CSAF) matchPURL(purl *ftypes.PackageURL, products *csaf.Products) bool {
+func (v *CSAF) matchPURL(products *csaf.Products, pkgURL *packageurl.PackageURL) bool {
 	for _, product := range lo.FromPtr(products) {
 		helpers := v.advisory.ProductTree.CollectProductIdentificationHelpers(lo.FromPtr(product))
-		purls := lo.FilterMap(helpers, func(helper *csaf.ProductIdentificationHelper, _ int) (string, bool) {
+		purls := lo.FilterMap(helpers, func(helper *csaf.ProductIdentificationHelper, _ int) (*purl.PackageURL, bool) {
 			if helper == nil || helper.PURL == nil {
-				return "", false
+				return nil, false
 			}
-			return string(*helper.PURL), true
+			p, err := purl.FromString(string(*helper.PURL))
+			if err != nil {
+				v.logger.Errorw("Invalid PURL", zap.String("purl", string(*helper.PURL)), zap.Error(err))
+				return nil, false
+			}
+			return p, true
 		})
-		if slices.Contains(purls, purl.String()) {
+		for _, p := range purls {
+			if p.Match(pkgURL) {
 				return true
 			}
 		}
+	}
 
 	return false
 }

pkg/vex/vex_test.go

@@ -47,8 +47,7 @@ func TestVEX_Filter(t *testing.T) {
 						PkgName:          "spring-boot",
 						InstalledVersion: "2.6.0",
 						PkgIdentifier: ftypes.PkgIdentifier{
-							PURL: &ftypes.PackageURL{
+							PURL: &packageurl.PackageURL{
-								PackageURL: packageurl.PackageURL{
 								Type:      packageurl.TypeMaven,
 								Namespace: "org.springframework.boot",
 								Name:      "spring-boot",
@@ -58,7 +57,6 @@ func TestVEX_Filter(t *testing.T) {
 					},
 				},
 			},
-			},
 			want: []types.DetectedVulnerability{},
 		},
 		{
@@ -73,8 +71,7 @@ func TestVEX_Filter(t *testing.T) {
 						PkgName:          "spring-boot",
 						InstalledVersion: "2.6.0",
 						PkgIdentifier: ftypes.PkgIdentifier{
-							PURL: &ftypes.PackageURL{
+							PURL: &packageurl.PackageURL{
-								PackageURL: packageurl.PackageURL{
 								Type:      packageurl.TypeMaven,
 								Namespace: "org.springframework.boot",
 								Name:      "spring-boot",
@@ -82,14 +79,12 @@ func TestVEX_Filter(t *testing.T) {
 							},
 						},
 					},
-					},
 					{
 						VulnerabilityID:  "CVE-2021-0001",
 						PkgName:          "spring-boot",
 						InstalledVersion: "2.6.0",
 						PkgIdentifier: ftypes.PkgIdentifier{
-							PURL: &ftypes.PackageURL{
+							PURL: &packageurl.PackageURL{
-								PackageURL: packageurl.PackageURL{
 								Type:      packageurl.TypeMaven,
 								Namespace: "org.springframework.boot",
 								Name:      "spring-boot",
@@ -99,15 +94,13 @@ func TestVEX_Filter(t *testing.T) {
 					},
 				},
 			},
-			},
 			want: []types.DetectedVulnerability{
 				{
 					VulnerabilityID:  "CVE-2021-0001",
 					PkgName:          "spring-boot",
 					InstalledVersion: "2.6.0",
 					PkgIdentifier: ftypes.PkgIdentifier{
-						PURL: &ftypes.PackageURL{
+						PURL: &packageurl.PackageURL{
-							PackageURL: packageurl.PackageURL{
 							Type:      packageurl.TypeMaven,
 							Namespace: "org.springframework.boot",
 							Name:      "spring-boot",
@@ -117,7 +110,6 @@ func TestVEX_Filter(t *testing.T) {
 				},
 			},
 		},
-		},
 		{
 			name: "CycloneDX SBOM with CycloneDX VEX",
 			fields: fields{
@@ -136,8 +128,7 @@ func TestVEX_Filter(t *testing.T) {
 						PkgName:          "jackson-databind",
 						InstalledVersion: "2.8.0",
 						PkgIdentifier: ftypes.PkgIdentifier{
-							PURL: &ftypes.PackageURL{
+							PURL: &packageurl.PackageURL{
-								PackageURL: packageurl.PackageURL{
 								Type:      packageurl.TypeMaven,
 								Namespace: "com.fasterxml.jackson.core",
 								Name:      "jackson-databind",
@@ -145,14 +136,12 @@ func TestVEX_Filter(t *testing.T) {
 							},
 						},
 					},
-					},
 					{
 						VulnerabilityID:  "CVE-2018-7490",
 						PkgName:          "jackson-databind",
 						InstalledVersion: "2.8.0",
 						PkgIdentifier: ftypes.PkgIdentifier{
-							PURL: &ftypes.PackageURL{
+							PURL: &packageurl.PackageURL{
-								PackageURL: packageurl.PackageURL{
 								Type:      packageurl.TypeMaven,
 								Namespace: "com.fasterxml.jackson.core",
 								Name:      "jackson-databind",
@@ -162,15 +151,13 @@ func TestVEX_Filter(t *testing.T) {
 					},
 				},
 			},
-			},
 			want: []types.DetectedVulnerability{
 				{
 					VulnerabilityID:  "CVE-2018-7490",
 					PkgName:          "jackson-databind",
 					InstalledVersion: "2.8.0",
 					PkgIdentifier: ftypes.PkgIdentifier{
-						PURL: &ftypes.PackageURL{
+						PURL: &packageurl.PackageURL{
-							PackageURL: packageurl.PackageURL{
 							Type:      packageurl.TypeMaven,
 							Namespace: "com.fasterxml.jackson.core",
 							Name:      "jackson-databind",
@@ -180,7 +167,6 @@ func TestVEX_Filter(t *testing.T) {
 				},
 			},
 		},
-		},
 		{
 			name: "CycloneDX VEX wrong URN",
 			fields: fields{
@@ -199,8 +185,7 @@ func TestVEX_Filter(t *testing.T) {
 						PkgName:          "jackson-databind",
 						InstalledVersion: "2.8.0",
 						PkgIdentifier: ftypes.PkgIdentifier{
-							PURL: &ftypes.PackageURL{
+							PURL: &packageurl.PackageURL{
-								PackageURL: packageurl.PackageURL{
 								Type:      packageurl.TypeMaven,
 								Namespace: "com.fasterxml.jackson.core",
 								Name:      "jackson-databind",
@@ -210,15 +195,13 @@ func TestVEX_Filter(t *testing.T) {
 					},
 				},
 			},
-			},
 			want: []types.DetectedVulnerability{
 				{
 					VulnerabilityID:  "CVE-2018-7489",
 					PkgName:          "jackson-databind",
 					InstalledVersion: "2.8.0",
 					PkgIdentifier: ftypes.PkgIdentifier{
-						PURL: &ftypes.PackageURL{
+						PURL: &packageurl.PackageURL{
-							PackageURL: packageurl.PackageURL{
 							Type:      packageurl.TypeMaven,
 							Namespace: "com.fasterxml.jackson.core",
 							Name:      "jackson-databind",
@@ -228,7 +211,6 @@ func TestVEX_Filter(t *testing.T) {
 				},
 			},
 		},
-		},
 		{
 			name: "CSAF (not affected vuln)",
 			fields: fields{
@@ -241,8 +223,7 @@ func TestVEX_Filter(t *testing.T) {
 						PkgName:          "spring-boot",
 						InstalledVersion: "2.6.0",
 						PkgIdentifier: ftypes.PkgIdentifier{
-							PURL: &ftypes.PackageURL{
+							PURL: &packageurl.PackageURL{
-								PackageURL: packageurl.PackageURL{
 								Type:      packageurl.TypeMaven,
 								Namespace: "org.springframework.boot",
 								Name:      "spring-boot",
@@ -252,7 +233,6 @@ func TestVEX_Filter(t *testing.T) {
 					},
 				},
 			},
-			},
 			want: []types.DetectedVulnerability{},
 		},
 		{
@@ -267,8 +247,7 @@ func TestVEX_Filter(t *testing.T) {
 						PkgName:          "def",
 						InstalledVersion: "1.0",
 						PkgIdentifier: ftypes.PkgIdentifier{
-							PURL: &ftypes.PackageURL{
+							PURL: &packageurl.PackageURL{
-								PackageURL: packageurl.PackageURL{
 								Type:      packageurl.TypeMaven,
 								Namespace: "org.example.company",
 								Name:      "def",
@@ -278,15 +257,13 @@ func TestVEX_Filter(t *testing.T) {
 					},
 				},
 			},
-			},
 			want: []types.DetectedVulnerability{
 				{
 					VulnerabilityID:  "CVE-2021-44228",
 					PkgName:          "def",
 					InstalledVersion: "1.0",
 					PkgIdentifier: ftypes.PkgIdentifier{
-						PURL: &ftypes.PackageURL{
+						PURL: &packageurl.PackageURL{
-							PackageURL: packageurl.PackageURL{
 							Type:      packageurl.TypeMaven,
 							Namespace: "org.example.company",
 							Name:      "def",
@@ -296,7 +273,6 @@ func TestVEX_Filter(t *testing.T) {
 				},
 			},
 		},
-		},
 		{
 			name: "unknown format",
 			fields: fields{