feat: add cloud-locators command and expand PURL ecosystem map

Add V2 cloud-locators command to retrieve AWS ARN, Azure Resource ID,
GCP Resource Name, Cloudflare, and Oracle OCID templates for vendor/product
pairs. Add V2CloudLocators() API client method. Expand PURL ecosystem map
with conda, conan, huggingface, julia, luarocks, opam, cpan, and others.

Author: chrisdlangton

cmd/vdb_v2.go

@@ -355,6 +355,53 @@ Examples:
 	},
 }
 
+// v2CloudLocatorsCmd retrieves cloud resource locator templates
+var v2CloudLocatorsCmd = &cobra.Command{
+	Use:   "cloud-locators",
+	Short: "Get cloud resource locator templates for a vendor/product (V2)",
+	Long: `Derive cloud-native resource identifier templates (AWS ARN, Azure Resource ID,
+GCP Resource Name, Cloudflare Locator, Oracle OCID) from vendor/product pairs.
+
+Templates contain placeholders for account-specific values that you fill in
+to match your infrastructure resources.
+
+Requires -V v2.
+
+Examples:
+  vulnetix vdb cloud-locators --vendor amazon --product s3 -V v2
+  vulnetix vdb cloud-locators --vendor microsoft --product storage -V v2
+  vulnetix vdb cloud-locators --vendor google --product compute -V v2
+  vulnetix vdb cloud-locators --vendor cloudflare --product workers -V v2
+  vulnetix vdb cloud-locators --vendor oracle --product compute -V v2
+  vulnetix vdb cloud-locators --vendor amazon --product cloudfront -V v2 --output json`,
+	RunE: func(cmd *cobra.Command, args []string) error {
+		if err := requireV2("cloud-locators"); err != nil {
+			return err
+		}
+
+		vendor, _ := cmd.Flags().GetString("vendor")
+		product, _ := cmd.Flags().GetString("product")
+
+		if vendor == "" && product == "" {
+			return fmt.Errorf("at least one of --vendor or --product is required")
+		}
+
+		client := newVDBClient()
+		if vdbOutput == "json" {
+			fmt.Fprintf(os.Stderr, "Fetching cloud locators for vendor=%s product=%s...\n", vendor, product)
+		} else {
+			fmt.Printf("Fetching cloud locators for vendor=%s product=%s...\n", vendor, product)
+		}
+
+		result, err := client.V2CloudLocators(vendor, product)
+		if err != nil {
+			return fmt.Errorf("failed to get cloud locators: %w", err)
+		}
+		printRateLimit(client)
+		return printOutput(result, vdbOutput)
+	},
+}
+
 // v2FixesMerged handles the -V v2 case for the fixes command by calling
 // all three V2 fix endpoints in parallel and merging the results.
 func v2FixesMerged(identifier string, cmd *cobra.Command) (map[string]interface{}, error) {
@@ -417,6 +464,11 @@ func init() {
 	vdbCmd.AddCommand(v2AffectedCmd)
 	vdbCmd.AddCommand(v2ScorecardCmd)
 	vdbCmd.AddCommand(v2RemediationCmd)
+	vdbCmd.AddCommand(v2CloudLocatorsCmd)
+
+	// Cloud locators flags
+	v2CloudLocatorsCmd.Flags().String("vendor", "", "Vendor name (e.g. amazon, microsoft, google)")
+	v2CloudLocatorsCmd.Flags().String("product", "", "Product/service name (e.g. s3, ec2, cloudfront)")
 
 	// CWE subcommands
 	v2CweCmd.AddCommand(v2CweGuidanceCmd)

internal/purl/purl.go

@@ -150,18 +150,42 @@ func (p *PackageURL) String() string {
 }
 
 var ecosystemMap = map[string]string{
-	"npm":       "npm",
-	"maven":     "Maven",
-	"pypi":      "PyPI",
-	"golang":    "Go",
-	"cargo":     "crates.io",
-	"nuget":     "NuGet",
-	"gem":       "RubyGems",
-	"composer":  "Packagist",
-	"swift":     "SwiftURL",
-	"cocoapods": "CocoaPods",
-	"pub":       "Pub",
-	"hex":       "Hex",
+	"npm":              "npm",
+	"maven":            "Maven",
+	"pypi":             "PyPI",
+	"golang":           "Go",
+	"cargo":            "crates.io",
+	"nuget":            "NuGet",
+	"gem":              "RubyGems",
+	"composer":         "Packagist",
+	"swift":            "SwiftURL",
+	"cocoapods":        "CocoaPods",
+	"pub":              "Pub",
+	"hex":              "Hex",
+	"conda":            "Conda",
+	"conan":            "Conan",
+	"huggingface":      "HuggingFace",
+	"mlflow":           "MLflow",
+	"julia":            "Julia",
+	"luarocks":         "LuaRocks",
+	"opam":             "opam",
+	"cpan":             "CPAN",
+	"hackage":          "Hackage",
+	"cran":             "CRAN",
+	"yocto":            "Yocto",
+	"bitnami":          "Bitnami",
+	"bazel":            "Bazel",
+	"qpkg":             "QPKG",
+	"vscode-extension": "VSCode",
+	"deb":              "Debian",
+	"rpm":              "RPM",
+	"apk":              "Alpine",
+	"alpm":             "Arch Linux",
+	"docker":           "Docker",
+	"oci":              "OCI",
+	"github":           "GitHub",
+	"bitbucket":        "Bitbucket",
+	"generic":          "Generic",
 }
 
 // EcosystemForType maps a PURL type to the VDB ecosystem name.

internal/vdb/api_v2.go

@@ -285,6 +285,22 @@ func (c *Client) V2ScanStatus(scanID string) (map[string]interface{}, error) {
 	return doV2Get(c, path)
 }
 
+// V2CloudLocators retrieves cloud resource locator templates for a vendor/product pair.
+func (c *Client) V2CloudLocators(vendor, product string) (map[string]interface{}, error) {
+	q := url.Values{}
+	if vendor != "" {
+		q.Set("vendor", vendor)
+	}
+	if product != "" {
+		q.Set("product", product)
+	}
+	path := "/cloud-locators"
+	if encoded := q.Encode(); encoded != "" {
+		path += "?" + encoded
+	}
+	return doV2Get(c, path)
+}
+
 func readFileBytes(filePath string) ([]byte, error) {
 	data, err := os.ReadFile(filePath)
 	if err != nil {