Reclassify go.sum as supplement instead of lockfile

README.md

@@ -58,7 +58,7 @@ func main() {
 | elm | elm.json, elm-package.json | |
 | gem | Gemfile, gems.rb, *.gemspec | Gemfile.lock, gems.locked |
 | github-actions | .github/workflows/*.yml | |
-| golang | go.mod, Godeps, glide.yaml, Gopkg.toml | go.sum, Godeps.json, glide.lock, Gopkg.lock, vendor.json, go-resolved-dependencies.json, vendor/manifest |
+| golang | go.mod, Godeps, glide.yaml, Gopkg.toml | Godeps.json, glide.lock, Gopkg.lock, vendor.json, go-resolved-dependencies.json, vendor/manifest |
 | hackage | *.cabal | stack.yaml.lock, cabal.config, cabal.project.freeze |
 | haxelib | haxelib.json | |
 | hex | mix.exs, gleam.toml | mix.lock, rebar.lock |
@@ -88,7 +88,6 @@ func main() {
 | deno.lock | | ✓ | | |
 | Gemfile.lock | ✓ | ✓ | | ✓ |
 | Cargo.lock | ✓ | ✓ | | |
-| go.sum | | ✓ | | |
 | poetry.lock | ✓ | ✓ | ✓ | |
 | Pipfile.lock | ✓ | ✓ | ✓ | |
 | pdm.lock | | ✓ | ✓ | |
@@ -115,6 +114,8 @@ func main() {
 | flake.lock | | | | |
 | Brewfile.lock.json | | ✓ | | ✓ |
 
+**Supplement files:** go.sum is parsed as a supplement rather than a lockfile. It provides integrity hashes that can be matched against go.mod dependencies by name and version, but it doesn't represent a standalone dependency tree.
+
 ## API
 
 ### Parse
@@ -172,7 +173,7 @@ When a dependency comes from a non-default registry, the PURL includes a `reposi
 ```go
 type ParseResult struct {
     Ecosystem    string       // npm, gem, pypi, golang, cargo, etc.
-    Kind         Kind         // manifest or lockfile
+    Kind         Kind         // manifest, lockfile, or supplement
     Dependencies []Dependency
 }
 ```
@@ -181,8 +182,9 @@ type ParseResult struct {
 
 ```go
 const (
-    Manifest Kind = "manifest" // Declared dependencies with version constraints
-    Lockfile Kind = "lockfile" // Resolved dependencies with exact versions
+    Manifest   Kind = "manifest"   // Declared dependencies with version constraints
+    Lockfile   Kind = "lockfile"   // Resolved dependencies with exact versions
+    Supplement Kind = "supplement" // Provides extra data (e.g. integrity hashes) for a manifest's dependencies
 )
 ```
 

internal/core/types.go

@@ -5,8 +5,9 @@ package core
 type Kind string
 
 const (
-	Manifest Kind = "manifest"
-	Lockfile Kind = "lockfile"
+	Manifest   Kind = "manifest"
+	Lockfile   Kind = "lockfile"
+	Supplement Kind = "supplement"
 )
 
 // Scope indicates when a dependency is required.

internal/golang/golang.go

@@ -10,8 +10,8 @@ func init() {
 	// go.mod - manifest
 	core.Register("golang", core.Manifest, &goModParser{}, core.ExactMatch("go.mod"))
 
-	// go.sum - lockfile
-	core.Register("golang", core.Lockfile, &goSumParser{}, core.ExactMatch("go.sum"))
+	// go.sum - supplement (provides integrity hashes for go.mod dependencies)
+	core.Register("golang", core.Supplement, &goSumParser{}, core.ExactMatch("go.sum"))
 
 	// go.graph - lockfile (go mod graph output)
 	core.Register("golang", core.Lockfile, &goGraphParser{}, core.ExactMatch("go.graph"))

manifests.go

@@ -29,8 +29,9 @@ type (
 
 // Re-export constants.
 const (
-	Manifest Kind = core.Manifest
-	Lockfile Kind = core.Lockfile
+	Manifest   Kind = core.Manifest
+	Lockfile   Kind = core.Lockfile
+	Supplement Kind = core.Supplement
 
 	Runtime     Scope = core.Runtime
 	Development Scope = core.Development
@@ -61,7 +62,7 @@ func Parse(filename string, content []byte) (*ParseResult, error) {
 	// Generate PURLs for all dependencies
 	for i := range deps {
 		version := ""
-		if kind == Lockfile {
+		if kind == Lockfile || kind == Supplement {
 			version = deps[i].Version
 		}
 		deps[i].PURL = makePURL(eco, deps[i].Name, version, deps[i].RegistryURL)

manifests_test.go

@@ -24,7 +24,7 @@ func TestParseAllEcosystems(t *testing.T) {
 		{"cargo Cargo.toml", "testdata/cargo/Cargo.toml", "cargo", Manifest},
 		{"cargo Cargo.lock", "testdata/cargo/Cargo.lock", "cargo", Lockfile},
 		{"golang go.mod", "testdata/golang/go.mod", "golang", Manifest},
-		{"golang go.sum", "testdata/golang/go.sum", "golang", Lockfile},
+		{"golang go.sum", "testdata/golang/go.sum", "golang", Supplement},
 		{"pypi requirements.txt", "testdata/pypi/requirements.txt", "pypi", Manifest},
 		{"maven pom.xml", "testdata/maven/pom.xml", "maven", Manifest},
 		{"composer composer.json", "testdata/composer/composer.json", "composer", Manifest},
@@ -83,7 +83,7 @@ func TestIdentifyFiles(t *testing.T) {
 
 		// golang
 		{"go.mod", "golang", Manifest, true},
-		{"go.sum", "golang", Lockfile, true},
+		{"go.sum", "golang", Supplement, true},
 
 		// pypi
 		{"requirements.txt", "pypi", Manifest, true},