Update purl-spec submodule and fix failing tests

Stop stripping trailing slashes and default registry from bazel
repository_url qualifiers. Add otp and vscode-extension type
validation: otp prohibits namespace, vscode-extension requires it.

Author: andrew

packageurl.go

@@ -111,41 +111,47 @@ var (
 	TypeSWID = "swid"
 	// TypeSwift is pkg:swift purl
 	TypeSwift = "swift"
+	// TypeOTP is a pkg:otp purl.
+	TypeOTP = "otp"
+	// TypeVSCodeExtension is a pkg:vscode-extension purl.
+	TypeVSCodeExtension = "vscode-extension"
 
 	// KnownTypes is a map of types that are officially supported by the spec.
 	// See https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst#known-purl-types
 	KnownTypes = map[string]struct{}{
-		TypeAlpm:        {},
-		TypeApk:         {},
-		TypeBitbucket:   {},
-		TypeBitnami:     {},
-		TypeCargo:       {},
-		TypeCocoapods:   {},
-		TypeComposer:    {},
-		TypeConan:       {},
-		TypeConda:       {},
-		TypeCpan:        {},
-		TypeCran:        {},
-		TypeDebian:      {},
-		TypeDocker:      {},
-		TypeGem:         {},
-		TypeGeneric:     {},
-		TypeGithub:      {},
-		TypeGolang:      {},
-		TypeHackage:     {},
-		TypeHex:         {},
-		TypeHuggingface: {},
-		TypeMaven:       {},
-		TypeMLFlow:      {},
-		TypeNPM:         {},
-		TypeNuget:       {},
-		TypeOCI:         {},
-		TypePub:         {},
-		TypePyPi:        {},
-		TypeQpkg:        {},
-		TypeRPM:         {},
-		TypeSWID:        {},
-		TypeSwift:       {},
+		TypeAlpm:            {},
+		TypeApk:             {},
+		TypeBitbucket:       {},
+		TypeBitnami:         {},
+		TypeCargo:           {},
+		TypeCocoapods:       {},
+		TypeComposer:        {},
+		TypeConan:           {},
+		TypeConda:           {},
+		TypeCpan:            {},
+		TypeCran:            {},
+		TypeDebian:          {},
+		TypeDocker:          {},
+		TypeGem:             {},
+		TypeGeneric:         {},
+		TypeGithub:          {},
+		TypeGolang:          {},
+		TypeHackage:         {},
+		TypeHex:             {},
+		TypeHuggingface:     {},
+		TypeMaven:           {},
+		TypeMLFlow:          {},
+		TypeNPM:             {},
+		TypeNuget:           {},
+		TypeOCI:             {},
+		TypePub:             {},
+		TypePyPi:            {},
+		TypeQpkg:            {},
+		TypeRPM:             {},
+		TypeSWID:            {},
+		TypeSwift:           {},
+		TypeOTP:             {},
+		TypeVSCodeExtension: {},
 	}
 
 	TypeApache      = "apache"
@@ -773,36 +779,10 @@ func typeAdjustVersion(purlType, version string) string {
 }
 
 // Make any purl type-specific adjustments to qualifiers.
-func typeAdjustQualifiers(purlType string, qualifiers Qualifiers) Qualifiers {
-	switch purlType {
-	case "bazel":
-		return adjustBazelQualifiers(qualifiers)
-	}
+func typeAdjustQualifiers(_ string, qualifiers Qualifiers) Qualifiers {
 	return qualifiers
 }
 
-// adjustBazelQualifiers normalizes bazel qualifiers:
-// - Removes default repository_url (https://bcr.bazel.build)
-// - Strips trailing slashes from repository_url
-func adjustBazelQualifiers(qualifiers Qualifiers) Qualifiers {
-	const defaultRegistry = "https://bcr.bazel.build"
-	result := make(Qualifiers, 0, len(qualifiers))
-	for _, q := range qualifiers {
-		if q.Key == "repository_url" {
-			// Strip trailing slash
-			val := strings.TrimSuffix(q.Value, "/")
-			// Skip if it's the default registry
-			if val == defaultRegistry {
-				continue
-			}
-			result = append(result, Qualifier{Key: q.Key, Value: val})
-		} else {
-			result = append(result, q)
-		}
-	}
-	return result
-}
-
 // https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst#mlflow
 func adjustMlflowName(name string, qualifiers map[string]string) string {
 	if repo, ok := qualifiers["repository_url"]; ok {
@@ -917,6 +897,14 @@ func validCustomRules(p PackageURL) error {
 		if p.Version == "" {
 			return errors.New("version is required")
 		}
+	case TypeOTP:
+		if p.Namespace != "" {
+			return errors.New("namespace is not allowed for otp purls")
+		}
+	case TypeVSCodeExtension:
+		if p.Namespace == "" {
+			return errors.New("namespace is required for vscode-extension purls")
+		}
 	}
 	return nil
 }

packageurl_bench_test.go

@@ -6,12 +6,12 @@ import (
 
 // Sample purls of varying complexity
 var (
-	simplePurl       = "pkg:npm/lodash@4.17.21"
-	namespacePurl    = "pkg:maven/org.apache.commons/commons-lang3@3.12.0"
-	qualifiersPurl   = "pkg:npm/%40angular/core@16.0.0?repository_url=https://registry.npmjs.org"
-	complexPurl      = "pkg:rpm/fedora/curl@7.50.3-1.fc25?arch=i386&distro=fedora-25&repository_url=http://example.com"
-	subpathPurl      = "pkg:github/package-url/purl-spec@244fd47e07d1004f0aed9c#src/main/java"
-	fullPurl         = "pkg:deb/debian/dpkg@1.19.0.4?arch=amd64&distro=stretch&repository_url=http://deb.debian.org#subpath/to/file"
+	simplePurl     = "pkg:npm/lodash@4.17.21"
+	namespacePurl  = "pkg:maven/org.apache.commons/commons-lang3@3.12.0"
+	qualifiersPurl = "pkg:npm/%40angular/core@16.0.0?repository_url=https://registry.npmjs.org"
+	complexPurl    = "pkg:rpm/fedora/curl@7.50.3-1.fc25?arch=i386&distro=fedora-25&repository_url=http://example.com"
+	subpathPurl    = "pkg:github/package-url/purl-spec@244fd47e07d1004f0aed9c#src/main/java"
+	fullPurl       = "pkg:deb/debian/dpkg@1.19.0.4?arch=amd64&distro=stretch&repository_url=http://deb.debian.org#subpath/to/file"
 )
 
 // Pre-parsed PackageURL structs for ToString benchmarks
@@ -86,6 +86,12 @@ func BenchmarkFromString_Complex(b *testing.B) {
 	}
 }
 
+func BenchmarkFromString_Subpath(b *testing.B) {
+	for i := 0; i < b.N; i++ {
+		_, _ = FromString(subpathPurl)
+	}
+}
+
 func BenchmarkFromString_Full(b *testing.B) {
 	for i := 0; i < b.N; i++ {
 		_, _ = FromString(fullPurl)