Add PURL validation support (Issue #17)

[jgamblin]

Summary

This PR adds validation for Package URLs (PURLs) in preparation for PURL support being added to the CVE schema. PURLs provide a standardized way to identify packages and their locations.

Impact Analysis

Testing Results (Full CVE dataset: 340,652 files):

Metric	Finding
CVEs with PURL Violations	0 (not found in current dataset)
Status	No PURLs found in production data yet

This PR is proactive, preparing cvelint for when PURLs are introduced in the CVE schema per PR #407.

Changes

New Validation Rules

• E012: check-purl-format - Validates PURL strings follow the specification
• E013: check-purl-consistency - Ensures PURL data matches component information

Features

• Full PURL specification validation using packageurl-go library
• Support for checking PURLs in components and affected sections
• Verification that PURL namespace/name match component data
• Support for complex PURLs with qualifiers and version information
• Proper error reporting with JSON path context

PURL Validation Includes

• Format validation (pkg: prefix required)
• Namespace/name consistency checks
• Qualified URL support (e.g., pkg:npm/lodash@4.17.21?arch=x86_64)
• Clear error messages with problematic values

Testing

• 10 comprehensive unit tests
• Tests cover valid PURLs, invalid formats, namespace/name mismatches
• Tests for components and affected section PURLs
• Edge cases for empty/missing PURLs

References

• CVE Schema PR #407: RFD: Support for Package URLs CVEProject/cve-schema#407
• Package URL Specification: https://github.com/package-url/purl-spec
• Fixes Support PURL validation when they are added to CVE #17

[jgamblin]

Update: I have rebased this PR on top of #23 and pushed the latest changes. I also ran QC checks (go test ./..., go test -race ./..., go vet ./..., gofmt -l .) and everything is passing on this branch.

[mprpic]

I merged 23, can you rebase on top of it now that it's on main? Thanks!

[jgamblin]

✅ Rebased and tested

This PR has been rebased on the latest main branch and all tests pass.

Test Results:

• Build: ✅ PASS
• Unit tests: ✅ PASS
• Integration tests: ✅ PASS

Ready for review and merge.

[jgamblin]

✅ Fixed - Complete commit with ruleset entries

Thanks for the feedback on PR #19. I've now applied the same fix to this PR:

What I did:

1. Created a fresh temp branch from main
2. Copied the PURL validation rule files (purl.go + purl_test.go)
3. Added the complete ruleset.go entries for E012 and E013
4. Created a single atomic commit with all necessary changes
5. Verified all tests pass

Result:

• ✅ Clean history with 1 commit containing all PURL validation changes
• ✅ Rules are properly registered in the ruleset (E012, E013)
• ✅ All tests passing
• ✅ Much cleaner, reviewable diff

The commit now includes both the rule implementations AND their ruleset registration, making it a complete, buildable change.

[jgamblin]

✅ Fixed - Sequential rule numbering applied

Applied Martin's feedback on sequential numbering:

Changes:

• Updated PURL rules from E012-E013 → E013-E014
• This aligns with Unicode rule being E012 (after PR Add Unicode escape sequence validation (Issue #3) #19 merge)
• Maintains sequential numbering: E012 (Unicode) → E013-E014 (PURL) → E015-E020 (CNA)

What's included:

• ✅ Complete PURL validation commit (purl.go + purl_test.go)
• ✅ Ruleset entries properly registered for E013 and E014
• ✅ All tests passing
• ✅ Clean, reviewable diff

Ready for review with correct rule numbering!

[jgamblin]

✅ READY TO MERGE - Updated for upstream/main

Fixed for current upstream/main state which has Unicode as E020:

Current state:

• Rebased on upstream/main (includes Unicode E020 from PR Add Unicode escape sequence validation (Issue #3) #19)
• Added PURL validation: E013, E014
• Status: MERGEABLE ✅

Rule numbering after merge:

• E001-E011: Original rules
• E013-E014: PURL validation (this PR)
• E020: Unicode (from PR Add Unicode escape sequence validation (Issue #3) #19)

Ready for merge!