@@ -45,13 +45,10 @@ def find_line_in_file(packagename: str, packageversion: str, manifest_file: str)
4545 2) Text-based (requirements.txt, package.json, yarn.lock, etc.)
4646 - Uses compiled regex patterns to detect a match line by line
4747 """
48- # Extract just the file name to detect manifest type
4948 file_type = Path (manifest_file ).name
50- logging .debug ("Processing file: %s" , manifest_file )
49+ logging .debug ("Processing file for line lookup : %s" , manifest_file )
5150
52- # ----------------------------------------------------
53- # 1) JSON-based manifest files
54- # ----------------------------------------------------
51+ # (Existing logic remains unchanged, with logs added where necessary)
5552 if file_type in ["package-lock.json" , "Pipfile.lock" , "composer.lock" ]:
5653 try :
5754 with open (manifest_file , "r" , encoding = "utf-8" ) as f :
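Review bot: The replacement comment on new line 51, `# (Existing logic remains unchanged, with logs added where necessary)`, describes the commit rather than the code and will read as noise to the next maintainer once this change has landed; keep a section marker instead, e.g. `# 1) JSON-based manifest files (package-lock.json, Pipfile.lock, composer.lock)`. The deleted `# Extract just the file name to detect manifest type` line was the only explanation of why `Path(manifest_file).name` is used rather than the full path for the type check, so I'd restore it above new line 48. The new message on line 49 also has a stray space before the colon (`lookup : %s`). find_line_in_file's body continues past the end of this hunk.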
@@ -64,7 +61,7 @@ def find_line_in_file(packagename: str, packageversion: str, manifest_file: str)
6461 or data .get ("dependencies" )
6562 or {}
6663 )
67- logging .debug ("Found package keys: %s" , list (packages_dict .keys ()))
64+ logging .debug ("Found package keys in %s : %s" , manifest_file , list (packages_dict .keys ()))
6865 found_key = None
6966 found_info = None
7067 for key , value in packages_dict .items ():
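Review bot: The reworded debug line on new line 64 still dumps `list(packages_dict.keys())` in full, and for a package-lock.json that can be thousands of entries emitted on every call, which makes DEBUG output hard to use. Logging the count is usually enough to validate the parse, e.g. `logging.debug("Found %d package keys in %s", len(packages_dict), manifest_file)`, with the individual key logged only at the point a match is found. The enclosing try/with block starts and ends outside this hunk.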
@@ -81,7 +78,7 @@ def find_line_in_file(packagename: str, packageversion: str, manifest_file: str)
8178 logging .debug ("Total lines in %s: %d" , manifest_file , len (lines ))
8279 for i , line in enumerate (lines , start = 1 ):
8380 if (needle_key in line ) or (needle_version in line ):
84- logging .debug ("Match found at line %d in %s: %s" , i , manifest_file , line .strip ())
81+ logging .debug ("Found match at line %d in %s: %s" , i , manifest_file , line .strip ())
8582 return i , line .strip ()
8683 return 1 , f'"{ found_key } ": { found_info } '
8784 else :
@@ -90,9 +87,7 @@ def find_line_in_file(packagename: str, packageversion: str, manifest_file: str)
9087 logging .error ("Error reading %s: %s" , manifest_file , e )
9188 return 1 , f"Error reading { manifest_file } "
9289
93- # ----------------------------------------------------
94- # 2) Text-based / line-based manifests
95- # ----------------------------------------------------
90+ # Text-based manifests
9691 search_patterns = {
9792 "package.json" : rf'"{ packagename } ":\s*"{ packageversion } "' ,
9893 "yarn.lock" : rf'{ packagename } @{ packageversion } ' ,
@@ -176,6 +171,7 @@ def create_security_comment_sarif(diff) -> dict:
176171 - Accepts multiple manifest files from alert.introduced_by or alert.manifests.
177172 - Generates one SARIF location per manifest file.
178173 - Does NOT fall back to 'requirements.txt' if no manifest file is provided.
174+ - Adds detailed logging to validate assumptions.
179175 """
180176 if len (diff .new_alerts ) == 0 :
181177 for alert in diff .new_alerts :
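Review bot: The docstring bullet added on new line 174, `- Adds detailed logging to validate assumptions.`, is a changelog entry rather than part of the function's contract and will be stale as soon as the logging changes; either drop it or state what the function does, e.g. `- Logs manifest extraction and line lookup at DEBUG level.`. Unrelated to this commit but visible in the context on new lines 176-177, `if len(diff.new_alerts) == 0:` appears to guard `for alert in diff.new_alerts:`, which can only iterate when the list is non-empty; if the rendering has not dropped a line between them, that condition looks inverted and worth confirming, since it would mean the alert loop never runs. The loop body lies outside this hunk.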
@@ -206,27 +202,31 @@ def create_security_comment_sarif(diff) -> dict:
206202 rule_id = f"{ pkg_name } =={ pkg_version } "
207203 severity = alert .severity
208204
209- # --- Extract manifest files from alert data ---
205+ # Log raw alert data for manifest extraction.
210206 logging .debug ("Alert %s - introduced_by: %s, manifests: %s" , rule_id , alert .introduced_by , getattr (alert , 'manifests' , None ))
207+
211208 manifest_files = []
212209 if alert .introduced_by and isinstance (alert .introduced_by , list ):
213210 for entry in alert .introduced_by :
214- # Accept lists or tuples
215211 if isinstance (entry , (list , tuple )) and len (entry ) >= 2 :
216- # Split the second element if it contains semicolons
212+ # Split semicolon-separated file names.
217213 files = [f .strip () for f in entry [1 ].split (";" ) if f .strip ()]
218214 manifest_files .extend (files )
219215 elif isinstance (entry , str ):
220216 manifest_files .extend ([m .strip () for m in entry .split (";" ) if m .strip ()])
221217 elif hasattr (alert , 'manifests' ) and alert .manifests :
222218 manifest_files = [mf .strip () for mf in alert .manifests .split (";" ) if mf .strip ()]
223219
220+ logging .debug ("Alert %s - extracted manifest_files: %s" , rule_id , manifest_files )
221+
224222 if not manifest_files :
225223 logging .error ("Alert %s: No manifest file found; cannot determine file location." , rule_id )
226224 continue # Skip this alert if no manifest is provided
227225
228- logging .debug ("Alert %s using manifest_files: %s" , rule_id , manifest_files )
226+ logging .debug ("Alert %s - using manifest_files for processing: %s" , rule_id , manifest_files )
227+
229228 # Use the first manifest for URL generation.
229+ logging .debug ("Alert %s - Using file for URL generation: %s" , rule_id , manifest_files [0 ])
230230 socket_url = Messages .get_manifest_type_url (manifest_files [0 ], pkg_name , pkg_version )
231231 short_desc = (f"{ alert .props .get ('note' , '' )} <br/><br/>Suggested Action:<br/>{ alert .suggestion } "
232232 f"<br/><a href=\" { socket_url } \" >{ socket_url } </a>" )
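Review bot: The debug lines added on new lines 220, 226 and 229 log the same data back to back: `manifest_files` is logged at 220, logged again unchanged at 226 right after the emptiness check, and its first element logged a third time at 229 immediately before the `get_manifest_type_url` call. One line after the `if not manifest_files` guard carries all of it, e.g. `logging.debug("Alert %s - manifest_files: %s (URL from %s)", rule_id, manifest_files, manifest_files[0])`, and the other two can go. Line 206 already records the raw `introduced_by`/`manifests` fields, so the extraction remains traceable without the duplicates. The enclosing for loop starts before this hunk and ends after it.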
@@ -244,9 +244,10 @@ def create_security_comment_sarif(diff) -> dict:
244244 },
245245 }
246246
247- # Create a SARIF location for each manifest file .
247+ # For each manifest file, attempt to find the package declaration .
248248 locations = []
249249 for mf in manifest_files :
250+ logging .debug ("Alert %s - Processing manifest file: %s" , rule_id , mf )
250251 line_number , line_content = Messages .find_line_in_file (pkg_name , pkg_version , mf )
251252 if line_number < 1 :
252253 line_number = 1 # Ensure SARIF compliance.
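Review bot: The debug line added on new line 250 logs each manifest path just before `Messages.find_line_in_file`, which in the first hunk of this commit logs `Processing file for line lookup: %s` for the same path on entry, so every manifest now produces two consecutive near-identical debug records. Keep one: if the alert id is the useful context, keep this call-site message and drop the one inside find_line_in_file, or pass nothing extra and rely on the callee's log. The loop body continues past the end of this hunk.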