fix Ref and PURL calc

attiasas · attiasas · commit 94de8540b594 · 2025-11-05T15:34:40.000+02:00
diff --git a/policy/enforcer/policyenforcer.go b/policy/enforcer/policyenforcer.go
@@ -202,11 +202,11 @@ func getScaViolationType(violation services.XrayViolation) violationutils.Violat
 }
 
 func locateBomComponentInfo(cmdResults *results.SecurityCommandResults, impactedComponentXrayId string, violation services.XrayViolation) (impactedComponent *cyclonedx.Component, directComponents []formats.ComponentRow, impactPaths [][]formats.ComponentRow) {
+	ref := techutils.XrayComponentIdToCdxComponentRef(impactedComponentXrayId)
 	for _, target := range cmdResults.Targets {
 		if target.ScaResults == nil || target.ScaResults.Sbom == nil || target.ScaResults.Sbom.Components == nil {
 			continue
 		}
-		ref := techutils.XrayComponentIdToCdxComponentRef(impactedComponentXrayId)
 		for _, component := range *target.ScaResults.Sbom.Components {
 			if strings.HasPrefix(component.BOMRef, ref) {
 				// Found the relevant component
diff --git a/utils/techutils/techutils.go b/utils/techutils/techutils.go
@@ -3,7 +3,6 @@ package techutils
 import (
 	"errors"
 	"fmt"
-	"net/url"
 	"os"
 	"path/filepath"
 	"regexp"
@@ -899,26 +898,20 @@ func ToPackageUrl(compName, version, packageType string, properties ...packageur
 	if packageType == "" {
 		packageType = "generic"
 	}
-	purl := packageurl.NewPackageURL(packageType, "", compName, version, properties, "").String()
-	// Unescape the output
-	output, err := url.QueryUnescape(purl)
-	if err != nil {
-		log.Debug(fmt.Sprintf("Failed to unescape package URL: %s", err))
-		// Return the original output
-		return purl
+	// Check if compName contains a namespace
+	namespace := ""
+	if lastIndex := strings.LastIndex(compName, "/"); lastIndex != -1 {
+		namespace = compName[:lastIndex]
+		compName = compName[lastIndex+1:]
 	}
-	return
+	return packageurl.NewPackageURL(packageType, namespace, compName, version, properties, "").String()
 }
 
 func ToPackageRef(compName, version, packageType string) (output string) {
 	if packageType == "" {
 		packageType = "generic"
 	}
-	output = fmt.Sprintf("pkg:%s/%s", packageType, strings.ReplaceAll(compName, ":", "/"))
-	if version != "" {
-		output += fmt.Sprintf("@%s", version)
-	}
-	return output
+	return ToPackageUrl(compName, version, packageType)
 }
 
 // Extract the component name, version and type from PackageUrl and translate it to an Xray component id

Original file line number	Diff line number	Diff line change
`@@ -202,11 +202,11 @@ func getScaViolationType(violation services.XrayViolation) violationutils.Violat`
`202`	`202`	`}`
`203`	`203`
`204`	`204`	`func locateBomComponentInfo(cmdResults results.SecurityCommandResults, impactedComponentXrayId string, violation services.XrayViolation) (impactedComponent cyclonedx.Component, directComponents []formats.ComponentRow, impactPaths [][]formats.ComponentRow) {`
	`205`	`+ ref := techutils.XrayComponentIdToCdxComponentRef(impactedComponentXrayId)`
`205`	`206`	`for _, target := range cmdResults.Targets {`
`206`	`207`	`if target.ScaResults == nil \|\| target.ScaResults.Sbom == nil \|\| target.ScaResults.Sbom.Components == nil {`
`207`	`208`	`continue`
`208`	`209`	`}`
`209`		`- ref := techutils.XrayComponentIdToCdxComponentRef(impactedComponentXrayId)`
`210`	`210`	`for _, component := range *target.ScaResults.Sbom.Components {`
`211`	`211`	`if strings.HasPrefix(component.BOMRef, ref) {`
`212`	`212`	`// Found the relevant component`