purlbatch fails for valid Go PURLs but versionbatch works #299

@roi-orca

Hi deps.dev team 👋

I’ve run into an inconsistency between the purlbatch endpoint and the versionbatch endpoint.


Problem

When querying a valid Go module version via purlbatch, I get nothing.

Failing request (purlbatch):

curl -X POST 'https://api.deps.dev/v3alpha/purlbatch' \
  -H 'Content-Type: application/json' \
  -d '{
    "requests": [
      {"purl": "pkg:golang/github.com/cyclonedx/cyclonedx-go@v0.9.2"}
    ]
  }'

Response:

{
    "responses": [
        {
            "request": {
                "purl": "pkg:golang/github.com/cyclonedx/cyclonedx-go@v0.9.2"
            }
        }
    ],
    "nextPageToken": ""
}

Expected behavior

The above purlbatch call should return metadata for cyclonedx-go v0.9.2, which exists in deps.dev.


Actual behavior

purlbatch returns nothing, but the same package works with versionbatch.

Working request (versionbatch):

curl -X POST 'https://api.deps.dev/v3alpha/versionbatch' \
  -H 'Content-Type: application/json' \
  -d '{
    "requests":[
      {
        "versionKey":{
          "system":"GO",
          "name":"github.com/CycloneDX/cyclonedx-go",
          "version":"v0.9.2"
        }
      }
    ]
  }'

Response:

{
    "responses": [
        {
            "request": {
                "versionKey": {
                    "system": "GO",
                    "name": "github.com/CycloneDX/cyclonedx-go",
                    "version": "v0.9.2"
                }
            },
            "version": {
                "versionKey": {
                    "system": "GO",
                    "name": "github.com/CycloneDX/cyclonedx-go",
                    "version": "v0.9.2"
                },
                "purl": "pkg:golang/github.com/cyclonedx/cyclonedx-go@v0.9.2",
                "publishedAt": "2024-12-13T14:41:43Z",
                "isDefault": true,
                "isDeprecated": false,
                "licenses": [
                    "Apache-2.0"
                ],
                "licenseDetails": [
                    {
                        "license": "Apache-2.0",
                        "spdx": "Apache-2.0"
                    }
                ],
                "advisoryKeys": [],
                "links": [
                    {
                        "label": "SOURCE_REPO",
                        "url": "https://github.com/CycloneDX/cyclonedx-go"
                    }
                ],
                "slsaProvenances": [],
                "attestations": [],
                "registries": [],
                "relatedProjects": [
                    {
                        "projectKey": {
                            "id": "github.com/cyclonedx/cyclonedx-go"
                        },
                        "relationProvenance": "GO_ORIGIN",
                        "relationType": "SOURCE_REPO"
                    }
                ],
                "upstreamIdentifiers": [
                    {
                        "packageName": "github.com/CycloneDX/cyclonedx-go",
                        "versionString": "v0.9.2",
                        "source": "GO_MODULE_PROXY"
                    }
                ]
            }
        }
    ],
    "nextPageToken": ""
}

Observations

  • The package does exist in BigQuery with PURL:

    pkg:golang/github.com/cyclonedx/cyclonedx-go@v0.9.2

  • versionbatch resolves correctly with canonical module name (github.com/CycloneDX/cyclonedx-go).

  • purlbatch seems to mishandle Go PURLs, even though this is the same PURL returned by the versionbatch API.


Impact

  • It’s currently impossible to reliably fetch certain Go packages via PURL (purlbatch).

Workaround

  • Use versionbatch with system=GO and the canonical module path.
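As an added example (not code from the issue author or from deps.dev), a small Python client that applies the workaround above: it sends the Go PURL to purlbatch first and, when the entry comes back carrying only the echoed request as in the failing response, falls back to versionbatch with system=GO and the canonical module path. The base URL is the one used in the issue; `canonical_name`, the injectable `post` hook and the "only the request was echoed" test for an empty entry are assumptions made for offline use.

```python
import json
import urllib.request
from urllib.parse import unquote

API = "https://api.deps.dev/v3alpha"  # base URL taken from the issue's curl calls


def parse_go_purl(purl):
    """Split 'pkg:golang/<module path>@<version>' into (module path, version)."""
    prefix = "pkg:golang/"
    if not purl.startswith(prefix):
        raise ValueError(f"not a Go PURL: {purl}")
    path, sep, version = purl[len(prefix):].partition("@")
    if not sep or not version:
        raise ValueError(f"Go PURL without a version: {purl}")
    return unquote(path), unquote(version)


def purlbatch_body(purls):
    return {"requests": [{"purl": p} for p in purls]}


def versionbatch_body(name, version):
    return {"requests": [{"versionKey": {"system": "GO", "name": name, "version": version}}]}


def post_json(url, body):
    """Minimal POST helper using only the standard library (no third-party client)."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def _resolved(entry):
    # Assumption: the failing purlbatch entry echoes only "request"; any extra key means data came back.
    return any(k != "request" for k in entry)


def resolve_go_version(purl, canonical_name=None, post=post_json):
    """Return (endpoint_that_answered, response_entry) or (None, None).

    canonical_name is the module path with its real casing (the issue used
    github.com/CycloneDX/cyclonedx-go); it defaults to the path parsed from the PURL.
    """
    name, version = parse_go_purl(purl)
    for entry in post(f"{API}/purlbatch", purlbatch_body([purl])).get("responses", []):
        if _resolved(entry):
            return "purlbatch", entry
    body = versionbatch_body(canonical_name or name, version)
    for entry in post(f"{API}/versionbatch", body).get("responses", []):
        if _resolved(entry):
            return "versionbatch", entry
    return None, None
```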
