DependencyTrack · nscuro · Nov 20, 2024 · Nov 20, 2024
diff --git a/src/main/java/org/dependencytrack/tasks/scanners/TrivyAnalysisTask.java b/src/main/java/org/dependencytrack/tasks/scanners/TrivyAnalysisTask.java
@@ -204,7 +204,11 @@ public void analyze(final List<Component> components) {
                 var name = component.getPurl().getName();
 
                 if (component.getPurl().getNamespace() != null) {
-                    name = component.getPurl().getNamespace() + ":" + name;
+                    if (PackageURL.StandardTypes.GOLANG.equals(component.getPurl().getType())) {
+                        name = component.getPurl().getNamespace() + "/" + name;
+                    } else {
+                        name = component.getPurl().getNamespace() + ":" + name;
+                    }
                 }
 
                 if (!PurlType.UNKNOWN.getAppType().equals(appType)) {

diff --git a/src/test/java/org/dependencytrack/tasks/scanners/TrivyAnalysisTaskIntegrationTest.java b/src/test/java/org/dependencytrack/tasks/scanners/TrivyAnalysisTaskIntegrationTest.java
@@ -252,7 +252,7 @@ public void testWithPackageWithoutTrivyProperties() {
         assertThat(qm.getAllVulnerabilities(component)).isEmpty();
     }
 
-     /**
+    /**
      * This test documents the case where Trivy is able to correlate a package with vulnerabilities
      * when additional properties provided. When including libc6 in an SBOM,
      * Trivy adds metadata to the component, which among other things includes alternative package names.
@@ -346,7 +346,7 @@ public void testWithPackageWithTrivyProperties() {
         });
     }
 
-     /**
+    /**
      * This test documents the case where Trivy generates a sbom and operative system is not entirely on distro qualifier.
      * <p>
      * Here's an excerpt of the properties included:
@@ -436,4 +436,25 @@ public void testWithPackageWithTrivyPropertiesWithDistroWithoutOS() {
             assertThat(vuln.getReferences()).isNotBlank();
         });
     }
+
+    @Test // https://github.com/DependencyTrack/dependency-track/issues/4376
+    public void testWithGoPackage() {
+        final var project = new Project();
+        project.setName("acme-app");
+        qm.persist(project);
+
+        final var component = new Component();
+        component.setProject(project);
+        component.setName("golang/github.com/nats-io/nkeys");
+        component.setVersion("0.4.4");
+        component.setClassifier(Classifier.LIBRARY);
+        component.setPurl("pkg:golang/github.com/nats-io/nkeys@0.4.4");
+        qm.persist(component);
+
+        final var analysisEvent = new TrivyAnalysisEvent(List.of(component));
+        new TrivyAnalysisTask().inform(analysisEvent);
+
+        assertThat(qm.getAllVulnerabilities(component)).hasSizeGreaterThanOrEqualTo(1);
+    }
+
 }