fix: include namespace in deduplicated purl construction

dacoburn · dacoburn · commit 3a8b3e83d2af · 2025-08-23T16:33:39.000-07:00
Fix purl deduplication logic to properly handle namespace and inputPurl fields.
Previously, Maven packages were missing namespace in the returned purl field.

- Use inputPurl when available and complete
- Append version to incomplete inputPurl
- Construct proper purl with namespace when building from scratch
diff --git a/pyproject.toml b/pyproject.toml
@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "socketdev"
-version = "3.0.0"
+version = "3.0.1"
 requires-python = ">= 3.9"
 dependencies = [
     'requests',
diff --git a/socketdev/core/dedupe.py b/socketdev/core/dedupe.py
@@ -61,7 +61,29 @@ def alert_identity(alert: dict) -> tuple:
         base = package_group[0]
         base["releases"] = sorted(releases)
         base["alerts"] = list(alert_map.values())
-        base["purl"] = f"pkg:{base.get('type', 'unknown')}/{base.get('name', 'unknown')}@{base.get('version', '0.0.0')}"
+        
+        # Use inputPurl if available and complete, otherwise construct proper purl with namespace
+        if "inputPurl" in base and "@" in base["inputPurl"]:
+            # inputPurl has version, use it as-is
+            base["purl"] = base["inputPurl"]
+        else:
+            # Construct purl properly with namespace and version
+            purl_type = base.get('type', 'unknown')
+            namespace = base.get('namespace')
+            name = base.get('name', 'unknown')
+            version = base.get('version', '0.0.0')
+            
+            # Start with inputPurl if available (without version) or construct from scratch
+            if "inputPurl" in base and not "@" in base["inputPurl"]:
+                # inputPurl exists but lacks version, append it
+                base["purl"] = f"{base['inputPurl']}@{version}"
+            else:
+                # Construct complete purl from components
+                if namespace:
+                    base["purl"] = f"pkg:{purl_type}/{namespace}/{name}@{version}"
+                else:
+                    base["purl"] = f"pkg:{purl_type}/{name}@{version}"
+        
         return base
 
     @staticmethod
diff --git a/socketdev/version.py b/socketdev/version.py
@@ -1 +1 @@
-__version__ = "3.0.0"
+__version__ = "3.0.1"

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-__version__ = "3.0.0"`
	`1`	`+__version__ = "3.0.1"`