CycloneDX · nscuro · Dec 12, 2022 · Nov 22, 2022 · Nov 23, 2022 · Nov 23, 2022
@@ -23,6 +23,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"os"
 	"path/filepath"
 	"strings"
 
@@ -69,10 +70,14 @@ func (m Module) Hash() (string, error) {
 	return h1, nil
 }
 
-func (m Module) PackageURL() string {
+func (m Module) BOMRef() string {
 	return fmt.Sprintf("pkg:golang/%s?type=module", m.Coordinates())
 }
 
+func (m Module) PackageURL() string {
+	return fmt.Sprintf("pkg:golang/%s?type=module&goos=%s&goarch=%s", m.Coordinates(), os.Getenv("GOOS"), os.Getenv("GOARCH"))
+}
+
 // IsModule determines whether dir is a Go module.
 func IsModule(dir string) bool {
 	return util.FileExists(filepath.Join(dir, "go.mod"))

@@ -19,6 +19,7 @@ package gomod
 
 import (
 	"bytes"
+	"os"
 	"os/exec"
 	"path/filepath"
 	"strings"
@@ -66,13 +67,25 @@ func TestModule_Hash(t *testing.T) {
 	require.Equal(t, "h1:qJYtXnJRWmpe7m/3XlyhrsLrEURqHRM2kxzoxXqyUDs=", hash)
 }
 
+func TestModule_BOMRef(t *testing.T) {
+
+	module := Module{
+		Path:    "github.com/CycloneDX/cyclonedx-go",
+		Version: "v0.1.0",
+	}
+	assert.Equal(t, "pkg:golang/github.com/CycloneDX/cyclonedx-go@v0.1.0?type=module", module.BOMRef())
+}
+
 func TestModule_PackageURL(t *testing.T) {
+
 	module := Module{
 		Path:    "github.com/CycloneDX/cyclonedx-go",
 		Version: "v0.1.0",
 	}
+	goos := os.Getenv("GOOS")
+	goarch := os.Getenv("GOARCH")
 
-	assert.Equal(t, "pkg:golang/github.com/CycloneDX/cyclonedx-go@v0.1.0?type=module", module.PackageURL())
+	assert.Equal(t, "pkg:golang/github.com/CycloneDX/cyclonedx-go@v0.1.0?type=module&goos="+goos+"&goarch="+goarch, module.PackageURL())
 }
 
 func TestIsModule(t *testing.T) {

@@ -180,7 +180,7 @@ func ToComponent(logger zerolog.Logger, module gomod.Module, options ...Option)
 		Msg("converting module to component")
 
 	component := cdx.Component{
-		BOMRef:     module.PackageURL(),
+		BOMRef:     module.BOMRef(),
 		Type:       cdx.ComponentTypeLibrary,
 		Name:       module.Path,
 		Version:    module.Version,

@@ -20,6 +20,7 @@ package module
 import (
 	"bytes"
 	"errors"
+	"os"
 	"os/exec"
 	"path/filepath"
 	"testing"
@@ -184,6 +185,8 @@ func TestToComponent(t *testing.T) {
 			Path:    "path",
 			Version: "version",
 		}
+		goos := os.Getenv("GOOS")
+		goarch := os.Getenv("GOARCH")
 
 		component, err := ToComponent(zerolog.Nop(), module)
 		require.NoError(t, err)
@@ -193,7 +196,7 @@ func TestToComponent(t *testing.T) {
 		require.Equal(t, cdx.ComponentTypeLibrary, component.Type)
 		require.Equal(t, "path", component.Name)
 		require.Equal(t, "version", component.Version)
-		require.Equal(t, "pkg:golang/path@version?type=module", component.PackageURL)
+		require.Equal(t, "pkg:golang/path@version?type=module&goos="+goos+"&goarch="+goarch, component.PackageURL)
 		require.Equal(t, cdx.ScopeRequired, component.Scope)
 	})
 
@@ -203,6 +206,8 @@ func TestToComponent(t *testing.T) {
 			Version:  "version",
 			TestOnly: true,
 		}
+		goos := os.Getenv("GOOS")
+		goarch := os.Getenv("GOARCH")
 
 		component, err := ToComponent(zerolog.Nop(), module)
 		require.NoError(t, err)
@@ -212,7 +217,7 @@ func TestToComponent(t *testing.T) {
 		require.Equal(t, cdx.ComponentTypeLibrary, component.Type)
 		require.Equal(t, "path", component.Name)
 		require.Equal(t, "version", component.Version)
-		require.Equal(t, "pkg:golang/path@version?type=module", component.PackageURL)
+		require.Equal(t, "pkg:golang/path@version?type=module&goos="+goos+"&goarch="+goarch, component.PackageURL)
 		require.Equal(t, cdx.ScopeOptional, component.Scope)
 	})
 
@@ -225,6 +230,8 @@ func TestToComponent(t *testing.T) {
 				Version: "versionReplace",
 			},
 		}
+		goos := os.Getenv("GOOS")
+		goarch := os.Getenv("GOARCH")
 
 		component, err := ToComponent(zerolog.Nop(), module)
 		require.NoError(t, err)
@@ -234,7 +241,7 @@ func TestToComponent(t *testing.T) {
 		require.Equal(t, cdx.ComponentTypeLibrary, component.Type)
 		require.Equal(t, "pathReplace", component.Name)
 		require.Equal(t, "versionReplace", component.Version)
-		require.Equal(t, "pkg:golang/pathReplace@versionReplace?type=module", component.PackageURL)
+		require.Equal(t, "pkg:golang/pathReplace@versionReplace?type=module&goos="+goos+"&goarch="+goarch, component.PackageURL)
 		require.Equal(t, cdx.ScopeRequired, component.Scope)
 	})
 

@@ -82,15 +82,15 @@ func BuildDependencyGraph(modules []gomod.Module) []cdx.Dependency {
 		if module.Replace != nil {
 			module = *module.Replace
 		}
-		cdxDependant := cdx.Dependency{Ref: module.PackageURL()}
+		cdxDependant := cdx.Dependency{Ref: module.BOMRef()}
 
 		if module.Dependencies != nil {
 			cdxDependencies := make([]string, len(module.Dependencies))
 			for i := range module.Dependencies {
 				if module.Dependencies[i].Replace != nil {
-					cdxDependencies[i] = module.Dependencies[i].Replace.PackageURL()
+					cdxDependencies[i] = module.Dependencies[i].Replace.BOMRef()
 				} else {
-					cdxDependencies[i] = module.Dependencies[i].PackageURL()
+					cdxDependencies[i] = module.Dependencies[i].BOMRef()
 				}
 			}
 			if len(cdxDependencies) > 0 {

@@ -77,21 +77,23 @@ func RequireMatchingPropertyToBeRedacted(t *testing.T, properties []cdx.Property
 // If files are expected, their correlating components will be removed and replaced by an empty slice.
 func RequireStdlibComponentToBeRedacted(t *testing.T, bom *cdx.BOM, expectPackages, expectFiles bool) {
 	var (
-		version string
-		oldPURL string
-		newPURL string
+		version   string
+		oldBOMRef string
+		newBOMRef string
+		newPURL   string
 	)
 
 	for i, component := range *bom.Components {
 		if component.Name == "std" {
 			require.Regexp(t, `^go1\.`, component.Version)
 
 			version = component.Version
-			oldPURL = component.PackageURL
+			oldBOMRef = component.BOMRef
+			newBOMRef = strings.ReplaceAll((*bom.Components)[i].BOMRef, version, Redacted)
 			newPURL = strings.ReplaceAll((*bom.Components)[i].PackageURL, version, Redacted)
 
 			(*bom.Components)[i].Version = Redacted
-			(*bom.Components)[i].BOMRef = newPURL
+			(*bom.Components)[i].BOMRef = newBOMRef
 			(*bom.Components)[i].PackageURL = newPURL
 
 			// Redact all packages and files, as they may differ from one go version to another.
@@ -110,21 +112,20 @@ func RequireStdlibComponentToBeRedacted(t *testing.T, bom *cdx.BOM, expectPackag
 			} else if expectPackages {
 				t.Fatalf("stdlib is missing packages")
 			}
-
 			break
 		}
 	}
-	if newPURL == "" {
+	if newPURL == "" && newBOMRef == "" {
 		t.Fatalf("stdlib component not found")
 	}
 
 	for i, dependency := range *bom.Dependencies {
-		if dependency.Ref == oldPURL { // Dependant
-			(*bom.Dependencies)[i].Ref = newPURL
+		if dependency.Ref == oldBOMRef { // Dependant
+			(*bom.Dependencies)[i].Ref = newBOMRef
 		} else if dependency.Dependencies != nil { // Dependencies
 			for j, dependency2 := range *(*bom.Dependencies)[i].Dependencies {
-				if dependency2 == oldPURL {
-					(*(*bom.Dependencies)[i].Dependencies)[j] = newPURL
+				if dependency2 == oldBOMRef {
+					(*(*bom.Dependencies)[i].Dependencies)[j] = newBOMRef
 				}
 			}
 		}

@@ -232,19 +232,24 @@ func (g generator) includeAppPathInMainComponentPURL(bom *cdx.BOM) error {
 		oldPURL := bom.Metadata.Component.PackageURL
 		newPURL := oldPURL + "#" + filepath.ToSlash(mainDirRel)
 
+		oldBOMRef := bom.Metadata.Component.BOMRef
+		newBOMRef := oldBOMRef + "#" + filepath.ToSlash(mainDirRel)
+
 		g.logger.Debug().
-			Str("old", oldPURL).
-			Str("new", newPURL).
+			Str("oldpurl", oldPURL).
+			Str("newpurl", newPURL).
+			Str("oldbomref", oldBOMRef).
+			Str("newbomref", newBOMRef).
 			Msg("updating purl of main component")
 
-		// Update PURL of main component
-		bom.Metadata.Component.BOMRef = newPURL
+		// Update BOMRef and PURL of main component
+		bom.Metadata.Component.BOMRef = newBOMRef
 		bom.Metadata.Component.PackageURL = newPURL
 
-		// Update PURL in dependency graph
+		// Update PURL in dependency graph (without GOOS and GOARCH)
 		for i, dep := range *bom.Dependencies {
-			if dep.Ref == oldPURL {
-				(*bom.Dependencies)[i].Ref = newPURL
+			if dep.Ref == oldBOMRef {
+				(*bom.Dependencies)[i].Ref = newBOMRef
 				break
 			}
 		}

@@ -4,7 +4,7 @@
     <component bom-ref="pkg:golang/testmod-simple@v0.0.0-20210716183230-c7ea7c975ab8?type=module" type="application">
       <name>testmod-simple</name>
       <version>v0.0.0-20210716183230-c7ea7c975ab8</version>
-      <purl>pkg:golang/testmod-simple@v0.0.0-20210716183230-c7ea7c975ab8?type=module</purl>
+      <purl>pkg:golang/testmod-simple@v0.0.0-20210716183230-c7ea7c975ab8?type=module&amp;goos=&amp;goarch=</purl>
       <properties>
         <property name="cdx:gomod:build:env:CGO_ENABLED">REDACTED</property>
         <property name="cdx:gomod:build:env:GOARCH">REDACTED</property>
@@ -21,7 +21,7 @@
       <hashes>
         <hash alg="SHA-256">a8962d5e72515a6a5eee6ff75e5ca1aec2eb11446a1d1336931ce8c57ab2503b</hash>
       </hashes>
-      <purl>pkg:golang/github.com/google/uuid@v1.2.0?type=module</purl>
+      <purl>pkg:golang/github.com/google/uuid@v1.2.0?type=module&amp;goos=&amp;goarch=</purl>
       <externalReferences>
         <reference type="vcs">
           <url>https://github.com/google/uuid</url>
@@ -39,7 +39,7 @@
       <name>std</name>
       <version>REDACTED</version>
       <scope>required</scope>
-      <purl>pkg:golang/std@REDACTED?type=module</purl>
+      <purl>pkg:golang/std@REDACTED?type=module&amp;goos=&amp;goarch=</purl>
     </component>
   </components>
   <dependencies>

@@ -4,7 +4,7 @@
     <component bom-ref="pkg:golang/testmod-simple@v0.0.0-20210901192510-dc2d14d2351d?type=module#cmd/purl" type="application">
       <name>testmod-simple</name>
       <version>v0.0.0-20210901192510-dc2d14d2351d</version>
-      <purl>pkg:golang/testmod-simple@v0.0.0-20210901192510-dc2d14d2351d?type=module#cmd/purl</purl>
+      <purl>pkg:golang/testmod-simple@v0.0.0-20210901192510-dc2d14d2351d?type=module&amp;goos=&amp;goarch=#cmd/purl</purl>
       <properties>
         <property name="cdx:gomod:build:env:CGO_ENABLED">REDACTED</property>
         <property name="cdx:gomod:build:env:GOARCH">REDACTED</property>
@@ -21,7 +21,7 @@
       <hashes>
         <hash alg="SHA-256">79f58173df0efdd059460d69c36c620f3a2f9e532309af4d3e77da88176e87c2</hash>
       </hashes>
-      <purl>pkg:golang/github.com/package-url/packageurl-go@v0.1.0?type=module</purl>
+      <purl>pkg:golang/github.com/package-url/packageurl-go@v0.1.0?type=module&amp;goos=&amp;goarch=</purl>
       <externalReferences>
         <reference type="vcs">
           <url>https://github.com/package-url/packageurl-go</url>
@@ -32,7 +32,7 @@
       <name>std</name>
       <version>REDACTED</version>
       <scope>required</scope>
-      <purl>pkg:golang/std@REDACTED?type=module</purl>
+      <purl>pkg:golang/std@REDACTED?type=module&amp;goos=&amp;goarch=</purl>
     </component>
   </components>
   <dependencies>

@@ -4,7 +4,7 @@
     <component bom-ref="pkg:golang/testmod-simple@v0.0.0-20210901192510-dc2d14d2351d?type=module#cmd/uuid" type="application">
       <name>testmod-simple</name>
       <version>v0.0.0-20210901192510-dc2d14d2351d</version>
-      <purl>pkg:golang/testmod-simple@v0.0.0-20210901192510-dc2d14d2351d?type=module#cmd/uuid</purl>
+      <purl>pkg:golang/testmod-simple@v0.0.0-20210901192510-dc2d14d2351d?type=module&amp;goos=&amp;goarch=#cmd/uuid</purl>
       <properties>
         <property name="cdx:gomod:build:env:CGO_ENABLED">REDACTED</property>
         <property name="cdx:gomod:build:env:GOARCH">REDACTED</property>
@@ -21,7 +21,7 @@
       <hashes>
         <hash alg="SHA-256">a8962d5e72515a6a5eee6ff75e5ca1aec2eb11446a1d1336931ce8c57ab2503b</hash>
       </hashes>
-      <purl>pkg:golang/github.com/google/uuid@v1.2.0?type=module</purl>
+      <purl>pkg:golang/github.com/google/uuid@v1.2.0?type=module&amp;goos=&amp;goarch=</purl>
       <externalReferences>
         <reference type="vcs">
           <url>https://github.com/google/uuid</url>
@@ -39,7 +39,7 @@
       <name>std</name>
       <version>REDACTED</version>
       <scope>required</scope>
-      <purl>pkg:golang/std@REDACTED?type=module</purl>
+      <purl>pkg:golang/std@REDACTED?type=module&amp;goos=&amp;goarch=</purl>
     </component>
   </components>
   <dependencies>

@@ -4,7 +4,7 @@
     <component bom-ref="pkg:golang/testmod-vendored@v0.0.0-20210716185931-5c9f3d791930?type=module" type="application">
       <name>testmod-vendored</name>
       <version>v0.0.0-20210716185931-5c9f3d791930</version>
-      <purl>pkg:golang/testmod-vendored@v0.0.0-20210716185931-5c9f3d791930?type=module</purl>
+      <purl>pkg:golang/testmod-vendored@v0.0.0-20210716185931-5c9f3d791930?type=module&amp;goos=&amp;goarch=</purl>
       <properties>
         <property name="cdx:gomod:build:env:CGO_ENABLED">REDACTED</property>
         <property name="cdx:gomod:build:env:GOARCH">REDACTED</property>
@@ -18,7 +18,7 @@
       <name>github.com/google/uuid</name>
       <version>v1.2.0</version>
       <scope>required</scope>
-      <purl>pkg:golang/github.com/google/uuid@v1.2.0?type=module</purl>
+      <purl>pkg:golang/github.com/google/uuid@v1.2.0?type=module&amp;goos=&amp;goarch=</purl>
       <externalReferences>
         <reference type="vcs">
           <url>https://github.com/google/uuid</url>
@@ -36,7 +36,7 @@
       <name>std</name>
       <version>REDACTED</version>
       <scope>required</scope>
-      <purl>pkg:golang/std@REDACTED?type=module</purl>
+      <purl>pkg:golang/std@REDACTED?type=module&amp;goos=&amp;goarch=</purl>
     </component>
   </components>
   <dependencies>

@@ -4,7 +4,7 @@
     <component bom-ref="pkg:golang/testmod-vendored@v0.0.0-20210716185931-5c9f3d791930?type=module" type="application">
       <name>testmod-vendored</name>
       <version>v0.0.0-20210716185931-5c9f3d791930</version>
-      <purl>pkg:golang/testmod-vendored@v0.0.0-20210716185931-5c9f3d791930?type=module</purl>
+      <purl>pkg:golang/testmod-vendored@v0.0.0-20210716185931-5c9f3d791930?type=module&amp;goos=&amp;goarch=</purl>
       <properties>
         <property name="cdx:gomod:build:env:CGO_ENABLED">REDACTED</property>
         <property name="cdx:gomod:build:env:GOARCH">REDACTED</property>
@@ -39,7 +39,7 @@
       <name>github.com/google/uuid</name>
       <version>v1.2.0</version>
       <scope>required</scope>
-      <purl>pkg:golang/github.com/google/uuid@v1.2.0?type=module</purl>
+      <purl>pkg:golang/github.com/google/uuid@v1.2.0?type=module&amp;goos=&amp;goarch=</purl>
       <externalReferences>
         <reference type="vcs">
           <url>https://github.com/google/uuid</url>
@@ -210,7 +210,7 @@
       <name>std</name>
       <version>REDACTED</version>
       <scope>required</scope>
-      <purl>pkg:golang/std@REDACTED?type=module</purl>
+      <purl>pkg:golang/std@REDACTED?type=module&amp;goos=&amp;goarch=</purl>
       <components></components>
     </component>
   </components>

@@ -4,7 +4,7 @@
     <component bom-ref="pkg:golang/testmod-vendored@v0.0.0-20210716185931-5c9f3d791930?type=module" type="application">
       <name>testmod-vendored</name>
       <version>v0.0.0-20210716185931-5c9f3d791930</version>
-      <purl>pkg:golang/testmod-vendored@v0.0.0-20210716185931-5c9f3d791930?type=module</purl>
+      <purl>pkg:golang/testmod-vendored@v0.0.0-20210716185931-5c9f3d791930?type=module&amp;goos=&amp;goarch=</purl>
       <properties>
         <property name="cdx:gomod:build:env:CGO_ENABLED">REDACTED</property>
         <property name="cdx:gomod:build:env:GOARCH">REDACTED</property>
@@ -25,7 +25,7 @@
       <name>github.com/google/uuid</name>
       <version>v1.2.0</version>
       <scope>required</scope>
-      <purl>pkg:golang/github.com/google/uuid@v1.2.0?type=module</purl>
+      <purl>pkg:golang/github.com/google/uuid@v1.2.0?type=module&amp;goos=&amp;goarch=</purl>
       <externalReferences>
         <reference type="vcs">
           <url>https://github.com/google/uuid</url>
@@ -50,7 +50,7 @@
       <name>std</name>
       <version>REDACTED</version>
       <scope>required</scope>
-      <purl>pkg:golang/std@REDACTED?type=module</purl>
+      <purl>pkg:golang/std@REDACTED?type=module&amp;goos=&amp;goarch=</purl>
       <components></components>
     </component>
   </components>