Is it possible to represent a Go stdlib package with a purl?

[chmeliik]

I would like to identify all the dependencies of a Go package, both external and from the standard library, via purls. Is this possible?

Let's say I use archive/tar as a dependency. I could think of 2 ways to represent this with a purl, but both seem questionable at best.

• pkg:golang/golang.org/pkg/archive/tar
• pkg:golang/archive/tar

The first one uses golang.org/pkg as the "namespace" for stdlib packages. However, this does not pass the go get test. The second one uses only the package name. Interestingly, go get archive/tar does work - at least in the sense that the command does nothing and returns 0.

Would either of the two formats (or some other format) be an acceptable way to identify a stdlib package? Is identifying stdlib packages a misuse of purl?

[jasinner]

I think the 2nd one is better. It looks like the osv.dev project is not using purl for stdlib things yet, but they way the represent GO-2021-0068 seems to look closer to the 2nd suggestion here pkg:golang/cmd/go to me.

$ curl -s "https://api.osv.dev/v1/vulns/GO-2021-0068" | jq '.package'
{
  "name": "cmd/go",
  "ecosystem": "Go"
}

@pombredanne any thoughts?

[pombredanne]

@chmeliik I agree with @jasinner: pkg:golang/archive/tar feels more natural and aligned with how a one would refer to the package.
Please close if you think this answers your question!
You could also send a PR to clarify this with an example too.

[chmeliik]

This does answer my question, thanks!