fix: Vendor packageurl-go internally for PURL builtins

- Vendor packageurl-go library in internal/purl/ instead of using external dependency
- Fix test syntax to use correct function signatures
- Update imports to use internal package

This follows the same pattern as semver vendoring in open-policy-agent#2538 as suggested by @charlieegan3

Fixes failing CI tests in open-policy-agent#7852

Signed-off-by: Anivar A Aravind <[email protected]>

Author: anivar

go.mod

@@ -23,7 +23,6 @@ require (
 	github.com/olekukonko/tablewriter v1.1.0
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/opencontainers/image-spec v1.1.1
-	github.com/package-url/packageurl-go v0.1.3
 	github.com/peterh/liner v1.2.2
 	github.com/prometheus/client_golang v1.23.2
 	github.com/prometheus/client_model v0.6.2

go.sum

@@ -148,8 +148,6 @@ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
 github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
-github.com/package-url/packageurl-go v0.1.3 h1:4juMED3hHiz0set3Vq3KeQ75KD1avthoXLtmE3I0PLs=
-github.com/package-url/packageurl-go v0.1.3/go.mod h1:nKAWB8E6uk1MHqiS/lQb9pYBGH2+mdJ2PJc2s50dQY0=
 github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=
 github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
 github.com/peterh/liner v1.2.2 h1:aJ4AOodmL+JxOZZEL2u9iJf8omNRpqHc/EbrK+3mAXw=

vendor/github.com/package-url/packageurl-go/packageurl.go renamed to internal/purl/packageurl.go

@@ -20,8 +20,11 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
 */
 
-// Package packageurl implements the package-url spec
-package packageurl
+// Package purl implements the package-url spec
+// This package has been vendored from:
+// https://github.com/package-url/packageurl-go
+// Only the required functions for OPA built-ins have been retained.
+package purl
 
 import (
 	"errors"
@@ -125,6 +128,7 @@ var (
 		TypeComposer:    {},
 		TypeConan:       {},
 		TypeConda:       {},
+		TypeCpan:        {},
 		TypeCran:        {},
 		TypeDebian:      {},
 		TypeDocker:      {},
@@ -212,7 +216,6 @@ var (
 		TypeChocolatey:  {},
 		TypeClojars:     {},
 		TypeCoreos:      {},
-		TypeCpan:        {},
 		TypeCtan:        {},
 		TypeCrystal:     {},
 		TypeDrupal:      {},
@@ -566,7 +569,6 @@ func typeAdjustNamespace(purlType, ns string) string {
 		TypeDebian,
 		TypeGithub,
 		TypeGolang,
-		TypeNPM,
 		TypeRPM,
 		TypeQpkg:
 		return strings.ToLower(ns)
@@ -586,8 +588,7 @@ func typeAdjustName(purlType, name string, qualifiers Qualifiers) string {
 		TypeComposer,
 		TypeDebian,
 		TypeGithub,
-		TypeGolang,
-		TypeNPM:
+		TypeGolang:
 		return strings.ToLower(name)
 	case TypePyPi:
 		return strings.ToLower(strings.ReplaceAll(name, "_", "-"))
@@ -657,6 +658,24 @@ func validCustomRules(p PackageURL) error {
 				}
 			}
 		}
+	case TypeCpan:
+		if p.Namespace != "" {
+			// The purl refers to a CPAN distribution.
+			publisher := p.Namespace
+			if publisher != strings.ToUpper(publisher) {
+				return errors.New("a cpan distribution namespace must be all uppercase")
+			}
+			distName := p.Name
+			if strings.Contains(distName, "::") {
+				return errors.New("a cpan distribution name must not contain '::'")
+			}
+		} else {
+			// The purl refers to a CPAN module.
+			moduleName := p.Name
+			if strings.Contains(moduleName, "-") {
+				return errors.New("a cpan module name may not contain dashes")
+			}
+		}
 	case TypeSwift:
 		if p.Namespace == "" {
 			return errors.New("namespace is required")

v1/test/cases/testdata/v1/purlbuiltins/test-purl-is-valid.yaml

@@ -6,7 +6,7 @@ cases:
       - |
         package generated
         p := x if {
-          purl.is_valid("pkg:npm/[email protected]", x)
+          x := purl.is_valid("pkg:npm/[email protected]")
         }
     want_result:
       - x: true
@@ -17,7 +17,7 @@ cases:
       - |
         package generated
         p := x if {
-          purl.is_valid("pkg:maven/org.apache.xmlgraphics/[email protected]", x)
+          x := purl.is_valid("pkg:maven/org.apache.xmlgraphics/[email protected]")
         }
     want_result:
       - x: true
@@ -28,7 +28,7 @@ cases:
       - |
         package generated
         p := x if {
-          purl.is_valid("not-a-purl", x)
+          x := purl.is_valid("not-a-purl")
         }
     want_result:
       - x: false
@@ -39,7 +39,7 @@ cases:
       - |
         package generated
         p := x if {
-          purl.is_valid("", x)
+          x := purl.is_valid("")
         }
     want_result:
       - x: false

v1/test/cases/testdata/v1/purlbuiltins/test-purl-parse.yaml

@@ -6,7 +6,7 @@ cases:
       - |
         package generated
         p := x if {
-          purl.parse("pkg:npm/[email protected]", x)
+          x := purl.parse("pkg:npm/[email protected]")
         }
     want_result:
       - x:
@@ -20,7 +20,7 @@ cases:
       - |
         package generated
         p := x if {
-          purl.parse("pkg:maven/org.apache.xmlgraphics/[email protected]", x)
+          x := purl.parse("pkg:maven/org.apache.xmlgraphics/[email protected]")
         }
     want_result:
       - x:
@@ -35,7 +35,7 @@ cases:
       - |
         package generated
         p := x if {
-          purl.parse("pkg:rpm/fedora/[email protected]?arch=i386&distro=fedora-25", x)
+          x := purl.parse("pkg:rpm/fedora/[email protected]?arch=i386&distro=fedora-25")
         }
     want_result:
       - x:
@@ -53,7 +53,7 @@ cases:
       - |
         package generated
         p := x if {
-          purl.parse("pkg:github/owner/[email protected]#path/to/file.js", x)
+          x := purl.parse("pkg:github/owner/[email protected]#path/to/file.js")
         }
     want_result:
       - x:
@@ -69,7 +69,7 @@ cases:
       - |
         package generated
         p := x if {
-          purl.parse("pkg:npm/lodash", x)
+          x := purl.parse("pkg:npm/lodash")
         }
     want_result:
       - x:
@@ -82,7 +82,7 @@ cases:
       - |
         package generated
         p := x if {
-          purl.parse("not-a-purl", x)
+          x := purl.parse("not-a-purl")
         }
     want_error: 'purl.parse: invalid PURL'
     strict_error: true

v1/topdown/purl.go

@@ -7,8 +7,7 @@ package topdown
 import (
 	"fmt"
 
-	"github.com/package-url/packageurl-go"
-
+	"github.com/open-policy-agent/opa/internal/purl"
 	"github.com/open-policy-agent/opa/v1/ast"
 	"github.com/open-policy-agent/opa/v1/topdown/builtins"
 )
@@ -19,7 +18,7 @@ func builtinPurlIsValid(_ BuiltinContext, operands []*ast.Term, iter func(*ast.T
 		return iter(ast.InternedTerm(false))
 	}
 
-	_, err = packageurl.FromString(string(str))
+	_, err = purl.FromString(string(str))
 	return iter(ast.InternedTerm(err == nil))
 }
 
@@ -29,32 +28,32 @@ func builtinPurlParse(_ BuiltinContext, operands []*ast.Term, iter func(*ast.Ter
 		return err
 	}
 
-	purl, err := packageurl.FromString(string(str))
+	parsedPurl, err := purl.FromString(string(str))
 	if err != nil {
 		return fmt.Errorf("invalid PURL %q: %w", str, err)
 	}
 
 	// Create object with required fields
 	obj := ast.NewObject(
-		[2]*ast.Term{ast.InternedTerm("type"), ast.StringTerm(purl.Type)},
-		[2]*ast.Term{ast.InternedTerm("name"), ast.StringTerm(purl.Name)},
+		[2]*ast.Term{ast.InternedTerm("type"), ast.StringTerm(parsedPurl.Type)},
+		[2]*ast.Term{ast.InternedTerm("name"), ast.StringTerm(parsedPurl.Name)},
 	)
 
 	// Add optional fields only if present
-	if purl.Namespace != "" {
-		obj.Insert(ast.InternedTerm("namespace"), ast.StringTerm(purl.Namespace))
+	if parsedPurl.Namespace != "" {
+		obj.Insert(ast.InternedTerm("namespace"), ast.StringTerm(parsedPurl.Namespace))
 	}
-	if purl.Version != "" {
-		obj.Insert(ast.InternedTerm("version"), ast.StringTerm(purl.Version))
+	if parsedPurl.Version != "" {
+		obj.Insert(ast.InternedTerm("version"), ast.StringTerm(parsedPurl.Version))
 	}
-	if purl.Subpath != "" {
-		obj.Insert(ast.InternedTerm("subpath"), ast.StringTerm(purl.Subpath))
+	if parsedPurl.Subpath != "" {
+		obj.Insert(ast.InternedTerm("subpath"), ast.StringTerm(parsedPurl.Subpath))
 	}
 
 	// Add qualifiers only if present
-	if len(purl.Qualifiers) > 0 {
+	if len(parsedPurl.Qualifiers) > 0 {
 		qualifiers := ast.NewObject()
-		for _, q := range purl.Qualifiers {
+		for _, q := range parsedPurl.Qualifiers {
 			qualifiers.Insert(ast.StringTerm(q.Key), ast.StringTerm(q.Value))
 		}
 		obj.Insert(ast.InternedTerm("qualifiers"), ast.NewTerm(qualifiers))