Merged
44 changes: 44 additions & 0 deletions .github/workflows/ci.yml
@@ -0,0 +1,44 @@
name: Test CI

on:
workflow_dispatch:
pull_request:
push:
branches:
- main

jobs:
build-test:
name: Run test and build
strategy:
fail-fast: false
matrix:
os:
- ubuntu-latest
- ubuntu-24.04-arm
- macos-14
- macos-15
- macos-15-intel

runs-on: ${{ matrix.os }}

steps:
- name: Checkout source
uses: actions/checkout@v4

- name: Install Go
uses: actions/setup-go@v6
with:
go-version: 'stable'

- name: Install dependencies
run: make dev

- name: Validate code format
run: make check

- name: Run tests
run: make test

- name: Build
run: make build-fst
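Review bot: The workflow declares no `permissions:` block, so the `build-test` job runs with the repository's default `GITHUB_TOKEN` scope even though its steps only read the source; add a top-level `permissions:` with `contents: read`. `actions/checkout@v4` and `actions/setup-go@v6` are referenced by mutable tags, and pinning them to full commit SHAs keeps a retagged action from changing what runs on pull requests. The `Install dependencies` step calls `make dev`, which installs the lint and security tools at `@latest`, so the same commit can pass or fail depending on when it is built.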
18 changes: 18 additions & 0 deletions .github/workflows/release.yml
@@ -0,0 +1,18 @@
name: Create GitHub release

on:
workflow_dispatch:
push:
tags:
- "v*.*.*"

jobs:
publish:
runs-on: ubuntu-latest

steps:
- name: Create a GitHub release
uses: softprops/action-gh-release@v2
with:
generate_release_notes: true
draft: false
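Review bot: `softprops/action-gh-release@v2` in the `publish` job is a third-party action referenced by a mutable tag, and it runs with whatever write access the default token carries because the job declares no `permissions:`; pin it to a commit SHA and grant `contents: write` on this job only. The `workflow_dispatch` trigger also lets the job start from a branch, where there is no `v*.*.*` tag for the release to be created from, so either drop that trigger or take the tag as an input. Nothing in this file gates the release on `make check` and `make test` having passed for the tagged commit.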
69 changes: 69 additions & 0 deletions Makefile
@@ -0,0 +1,69 @@
# SPDX-License-Identifier: Apache-2.0
#
# Copyright (c) nexB Inc. and others. All rights reserved.
# ScanCode is a trademark of nexB Inc.
# SPDX-License-Identifier: Apache-2.0
# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
# See https://github.com/aboutcode-org/purl-validator-go for support or download.
# See https://aboutcode.org for more information about nexB OSS projects.
#

GOCMD=go
GOFMT=gofmt
GOIMPORTS=goimports
GOLINT=golangci-lint
GOFMT_CMD = $(GOFMT) -l .
GOIMPORTS_CMD = $(GOIMPORTS) -l .
GOSEC=gosec

build-fst:
go run ./cmd/main.go

clean:
$(GOCMD) clean
rm -rf $(BUILD_DIR)

test:
$(GOCMD) test -v

dev:
$(GOCMD) install golang.org/x/tools/cmd/goimports@latest
$(GOCMD) install github.com/golangci/golangci-lint/cmd/golangci-lint@latest
$(GOCMD) install github.com/securego/gosec/v2/cmd/gosec@latest
$(GOCMD) mod tidy

gofmt:
@echo "-> Apply gofmt code formatter"
$(GOFMT) -w .

goimports:
@echo "-> Apply goimports changes to ensure proper imports ordering"
$(GOIMPORTS) -w .

valid: goimports gofmt

check-gofmt:
@echo "-> Running gofmt for code formatting validation..."
@files=$$($(GOFMT_CMD)); \
if [ -n "$$files" ]; then \
echo "The following files are not properly formatted:"; \
echo "$$files"; \
exit 1; \
fi

check-goimports:
@echo "-> Running goimports for import ordering validation..."
@files=$$($(GOIMPORTS_CMD)); \
if [ -n "$$files" ]; then \
echo "The following files have incorrect imports:"; \
echo "$$files"; \
exit 1; \
fi

check: check-gofmt check-goimports
@echo "\n-> Running golangci-lint for linting..."
$(GOLINT) run --issues-exit-code=1 ./...
@echo "\n-> Running gosec for security checks..."
$(GOSEC) ./...

.PHONY: build-fst clean test dev gofmt goimports valid check-gofmt check-goimports check
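Review bot: In the `clean` target, `rm -rf $(BUILD_DIR)` uses a variable this Makefile never defines, so it expands to nothing unless `BUILD_DIR` happens to be set in the caller's environment, in which case that path is deleted recursively; define `BUILD_DIR` at the top of the file or remove the line. In `dev`, the three `go install ...@latest` lines leave `goimports`, `golangci-lint` and `gosec` unpinned, so pin each to a version to keep `make check` reproducible. `test` runs `$(GOCMD) test -v` without `./...`, which covers only the root package, and `build-fst` calls `go` directly instead of `$(GOCMD)`.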
83 changes: 82 additions & 1 deletion README.md
@@ -1 +1,82 @@
# purl-validator-go
# purlvalidator

[![License](https://img.shields.io/badge/License-Apache--2.0-blue.svg?style=for-the-badge)](https://opensource.org/licenses/Apache-2.0)
[![Version](https://img.shields.io/github/v/release/aboutcode-org/purlvalidator-go?style=for-the-badge)](https://github.com/aboutcode-org/purlvalidator-go/releases)
[![Test](https://img.shields.io/github/actions/workflow/status/aboutcode-org/purlvalidator-go/ci.yml?style=for-the-badge&logo=github)](https://github.com/aboutcode-org/purlvalidator-go/actions)

**purlvalidator** is a Go library for validating [Package URLs (PURLs)](https://github.com/package-url/purl-spec). It works fully offline, including in **air-gapped** or **restricted environments**, and answers one key question: **Does the package this PURL represents actually exist?**

## How It Works?

**purlvalidator** is shipped with a pre-built FST (Finite State Transducer), a set of compact automata containing latest Package URLs mined by the MineCode[^1]. Library uses this FST to perform lookups and confirm whether the **base PURL**[^2] exists.

## Currently Supported Ecosystems

- **nuget**: [https://www.nuget.org/](https://www.nuget.org/)

## Usage

Add `purlvalidator` as dependency in your go.mod

```bash
require github.com/aboutcode-org/purlvalidator-go v0.1.0
```

Use it in your code like this

```rust
import "github.com/aboutcode-org/purlvalidator-go"

var result bool = purlvalidator.Validate("pkg:nuget/FluentValidation");
```

## Contribution

We welcome contributions from the community! If you find a bug or have an idea for a new feature, please open an issue on the GitHub repository. If you want to contribute code, you can fork the repository, make your changes, and submit a pull request.

* Please try to write a good commit message, see [good commit message wiki](https://aboutcode.readthedocs.io/en/latest/contributing/writing_good_commit_messages.html).
* Add DCO `Sign Off` to your commits.

## Development Setup

Run these commands, starting from a git clone of [https://github.com/aboutcode-org/purl-validator-rust.git](https://github.com/aboutcode-org/purlvalidator-go.git)

Generate FST:

```bash
make build-fst
```

Run tests:

```bash
make test
```

Fix formatting and linting:

```bash
make valid
```

## License

SPDX-License-Identifier: Apache-2.0

purl-validator is licensed under Apache License version 2.0.

```text
You may not use this software except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
```

[^1]: MineCode continuously collects package metadata from various package ecosystems to maintain an up-to-date catalog of known packages.
[^2]: A Base Package URL is a Package URL without a version or subpath.
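Review bot: The module path is spelled inconsistently: the Usage section imports `github.com/aboutcode-org/purlvalidator-go`, the Makefile header in this same change points to `github.com/aboutcode-org/purl-validator-go`, and the Development Setup link text reads `purl-validator-rust.git` while its target is `purlvalidator-go.git`; settle on the path declared in go.mod so users fetch the intended module. The Go import snippet is fenced as `rust` and the go.mod `require` line as `bash`, so both fences need a tag that matches their content. Since the FST is a pre-built snapshot, the README should also state what a `false` result from `Validate` means for a package published after the snapshot was generated.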