The user wanted to find Go equivalents for several Ruby supply chain security tools they had previously written. After confirming existing Go implementations for most tools, the user decided to create a Go version of a changelog parser originally in Ruby. The assistant reviewed the Ruby parser and Go conventions to design a plan for the new Go implementation.
see https://nesbitt.io/2025/12/14/supply-chain-security-tools-for-ruby.html do we have equiveltn in go for each one of these? I know I've written some in git-pkgs but maybe there are existing well maintained go tools for others?
Let me check if there are any swhid, sarif, or changelog modules in the codebase that the exploration might have missed.
Now let me search for existing Go implementations of the tools you don't already have.
Here's the breakdown. The blog post lists seven Ruby gems, all of which you wrote:
| Ruby gem | What it does | Go equivalent |
|---|---|---|
| purl | Parse/generate Package URLs | You already wrote this in git-pkgs |
| vers | Version range spec (VERS format) | You already wrote this in git-pkgs |
| sbom | Parse/generate SPDX & CycloneDX | You already wrote this in git-pkgs (generation at least) |
| swhid | Software Hash IDentifiers | You already wrote this -- andrew/swhid-go on GitHub |
| changelog-parser | Structured release notes from changelogs | Nothing good exists |
| diffoscope | Deep comparison of files/archives | Nothing exists |
| sarif | SARIF static analysis format | owenrumney/go-sarif covers this well |
So you've already got Go versions of four out of seven. For the remaining three:
SARIF -- owenrumney/go-sarif (80 stars, v3.3.0, Apache-2.0, actively maintained) is solid. It handles parsing, generation, and validation for both SARIF v2.1.0 and v2.2. It's packaged in Fedora and Debian. Unless you need something the library doesn't do, this one doesn't need a from-scratch rewrite.
Changelog parsing -- the Go ecosystem is thin here. anton-yurchenko/go-changelog (3 stars) is the most capable, with typed dates and Keep a Changelog scoped categories (Added/Changed/Fixed etc.). parkr/changelog (33 stars) is simpler but more established. Neither is widely adopted. Given the low quality of options, writing your own might make more sense, especially if you want to handle the variety of changelog formats your Ruby gem handles.
Diffoscope -- nothing in Go does recursive structural comparison across arbitrary archive formats. diffoci (551 stars) does this for container images specifically, and you already have an archives module in git-pkgs that reads zip/tar/gem formats. But a general-purpose diffoscope equivalent that unpacks nested archives and does format-aware diffing doesn't exist. This would be the biggest lift to build.
ok cool, i have made a changelog folder, lets make a go equiv of https://github.com/andrew/changelog-parser
Let me explore the Ruby gem and the local codebase in parallel.
Good, I have a solid picture of both the Ruby gem and the Go module conventions. Let me read a couple of representative files to confirm patterns, then design the implementation.
Let me read the Ruby parser source to understand the exact regex patterns and parsing logic.
Good, I have everything I need. Let me also check the vandamme compatibility and CLI files quickly, then write the plan.
Now I have a thorough understanding of both sides. Let me write the plan.