christophetd
commented
Feb 13, 2026
- Fix gopkg strategy crash on unexpected git ls-remote output
- Add --branch CLI option to override the analyzed branch
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 1967ccc0d8
| if branch: | ||
| source_code_manager.set_branch_override_target(package) |
Honor --branch when GitHub SBOM strategy is enabled
When --branch is provided, this code only configures SourceCodeManager, but GitHubSbomMetadataCollectionStrategy is still enabled and its __get_github_generated_sbom call fetches SBOM by owner/repo without any branch/ref input. In repositories where the selected branch differs from default, the run can mix default-branch SBOM dependencies with branch-specific source scans, which breaks the new CLI contract to analyze the chosen branch; consider disabling SBOM strategy (or making it ref-aware) when --branch is set.
| and self._branch_override_repo_key | ||
| and (owner, repo) == self._branch_override_repo_key | ||
| ): | ||
| branch = self.branch_override |
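Review bot: the `(owner, repo) == self._branch_override_repo_key` comparison is an exact, case-sensitive tuple match, so an override registered for `DataDog/foo` silently does not apply when the scan resolves the same repository as `datadog/foo` (GitHub treats owner and repository names case-insensitively); normalise both sides (for example lower-casing owner and repo) when the key is stored and when it is compared here. It is also worth logging when `branch_override` was configured but this branch of the condition never fires, so a non-matching override is visible instead of quietly falling back to the default branch.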
Validate branch override before shelling out to git clone
This assignment accepts raw --branch input and later feeds it into git clone ... --branch={effective_branch} executed through run_command (os.system), so shell metacharacters in the branch value can execute arbitrary commands. The new CLI option introduces a direct user-controlled path into a shell command; validate the ref format and avoid shell-string execution for clone arguments.
Thanks @christophetd! Pointing to a branch is already possible through the mirrors.json option, that also supports forks, for example: https://github.com/DataDog/dd-license-attribution?tab=readme-ov-file#manual-repository-override-configuration If you missed it, probably we need to improve the documentation. What do you think?