fix: oss-fuzz source links using double Git links (#4036)

Author: jess-lowe

gcp/api/integration_tests.py

@@ -532,9 +532,9 @@ def test_query_purl(self):
     self.assert_results_equal({'vulns': another_expected}, response.json())
 
     expected_deb = [
-        self._get('CVE-2018-25047'),
-        self._get('CVE-2023-28447'),
-        self._get('CVE-2024-35226'),
+        self._get('DEBIAN-CVE-2018-25047'),
+        self._get('DEBIAN-CVE-2023-28447'),
+        self._get('DEBIAN-CVE-2024-35226'),
         self._get('DSA-5830-1'),
     ]
 
@@ -581,7 +581,6 @@ def test_query_purl(self):
             }
         }),
         timeout=_TIMEOUT)
-
     self.assert_results_equal({'vulns': expected_deb}, response.json())
 
   def test_query_purl_with_version_trailing_zeroes(self):

osv/sources.py

@@ -346,7 +346,10 @@ def source_path(source_repo, bug):
   """Get the source path for an osv.Bug."""
   source_name, source_id = parse_source_id(bug.source_id)
   if source_name == 'oss-fuzz' and len(bug.project) > 0:
-    path = os.path.join(bug.project[0], bug.id() + source_repo.extension)
+    # Because we populate the Github link for matching, the shortest
+    # name is the package name.
+    project = sorted(bug.project, key=len)[0]
+    path = os.path.join(project, bug.id() + source_repo.extension)
     if source_repo.directory_path:
       path = os.path.join(source_repo.directory_path, path)