Conversation

@felickz felickz commented May 9, 2025

This pull request enhances the robustness of the ComponentDetection class by adding defensive programming measures to handle invalid or missing packageUrl values gracefully. The changes improve error handling and debugging capabilities to ensure the system can handle edge cases without crashing. The dependency submission API is keyed by package url so this scenario will prevent the dependency graph from having any information about this package.

Fixes TypeError: Cannot read properties of null (reading 'Scheme')

Seems to be a highly visible issue introduced with component detection V5.2.16 that introduced a new detector: microsoft/component-detection#1388

Before:

2025-05-09T04:41:52.6402315Z ##[notice]Submitting snapshot...
2025-05-09T04:41:52.7223924Z 
2025-05-09T04:41:52.7225614Z /home/runner/work/_actions/advanced-security/component-detection-dependency-submission-action/v0.0.3/webpack:/component-detection-action/componentDetection.ts:124
2025-05-09T04:41:52.7227254Z     var packageUrl = `${packageUrlJson.Scheme}:${packageUrlJson.Type}/`;
2025-05-09T04:41:52.7227944Z ^
2025-05-09T04:41:52.7228418Z TypeError: Cannot read properties of null (reading 'Scheme')
2025-05-09T04:41:52.7230034Z     at Function.makePackageUrl (/home/runner/work/_actions/advanced-security/component-detection-dependency-submission-action/v0.0.3/webpack:/component-detection-action/componentDetection.ts:124:1)
2025-05-09T04:41:52.7232136Z     at Function.<anonymous> (/home/runner/work/_actions/advanced-security/component-detection-dependency-submission-action/v0.0.3/webpack:/component-detection-action/componentDetection.ts:78:1)
2025-05-09T04:41:52.7232956Z     at Generator.next (<anonymous>)
2025-05-09T04:41:52.7233520Z     at /home/runner/work/_actions/advanced-security/component-detection-dependency-submission-action/v0.0.3/dist/index.js:24837:71
2025-05-09T04:41:52.7234088Z     at new Promise (<anonymous>)
2025-05-09T04:41:52.7234783Z     at __webpack_modules__.4878.__awaiter (/home/runner/work/_actions/advanced-security/component-detection-dependency-submission-action/v0.0.3/dist/index.js:24833:12)
2025-05-09T04:41:52.7236261Z     at /home/runner/work/_actions/advanced-security/component-detection-dependency-submission-action/v0.0.3/webpack:/component-detection-action/componentDetection.ts:77:1
2025-05-09T04:41:52.7237489Z     at Array.forEach (<anonymous>)
2025-05-09T04:41:52.7238779Z     at Function.<anonymous> (/home/runner/work/_actions/advanced-security/component-detection-dependency-submission-action/v0.0.3/webpack:/component-detection-action/componentDetection.ts:77:1)
2025-05-09T04:41:52.7240288Z     at Generator.next (<anonymous>)

After (debug test):

##[debug]Skipping component detected without packageUrl: {
##[debug]  "id": "8.0.115 net8.0 unknown - DotNet",
##[debug]  "name": "unnamed",
##[debug]  "type": "DotNet"
##[debug]}

Test 2:

##[debug]Skipping component detected without packageUrl: {
##[debug]  "id": "8.0.115 netcoreapp2.0 unknown - DotNet",
##[debug]  "name": "unnamed",
##[debug]  "type": "DotNet"
##[debug]}
##[debug]Sorting out transitive dependencies
##[debug]Manifests: 1

@felickz felickz changed the title Add debug logging for missing packageUrl and improve package URL handling Improve package URL handling May 9, 2025
@felickz felickz added the enhancement New feature or request label May 9, 2025
@felickz felickz marked this pull request as ready for review May 9, 2025 05:41
@felickz felickz requested review from a team as code owners May 9, 2025 05:41
@felickz felickz requested review from GeekMasher and aegilops and removed request for a team May 9, 2025 05:41
felickz commented May 9, 2025

Impacted by #104

felickz commented May 9, 2025

Fixes #107

GeekMasher commented

The tests are failing. Are you going to update them before merging?

felickz commented May 9, 2025

> The tests are failing. Are you going to update them before merging?

Tests are failing due to #104 so wasn't planning on delaying this fix (hard failures on every dotnet project) to refactor those

felickz commented May 9, 2025

> The tests are failing. Are you going to update them before merging?

> Tests are failing due to #104 so wasn't planning on delaying this fix (hard failures on every dotnet project) to refactor those

Fixing jest/eslint with major version bump: #111

@felickz felickz changed the title Improve package URL handling Improve missing package URL handling May 12, 2025
@felickz felickz requested a review from Copilot May 12, 2025 21:32
@Copilot Copilot AI left a comment

Pull Request Overview

This PR enhances the ComponentDetection class to skip invalid or missing packageUrl values and adds defensive checks in makePackageUrl to prevent runtime errors. It also includes new unit tests to cover null inputs.

  • Added early returns and debug logs when a component or referrer lacks a valid packageUrl.
  • Wrapped URL construction in a try-catch and added a null/undefined guard.
  • Introduced tests for makePackageUrl handling of null arguments and properties.

Reviewed Changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

Reviewed files:

  • componentDetection.ts: Added defensive checks for missing/invalid packageUrl and wrapped URL creation in try-catch with debug logging.
  • componentDetection.test.ts: Added tests for makePackageUrl to verify behavior on null inputs.

Comments suppressed due to low confidence (3)

componentDetection.ts:157

  • makePackageUrl currently only guards against null or undefined packageUrlJson, but allows objects with null Scheme or Type to produce strings like 'null:null/'. Add checks to return an empty string when Scheme or Type are missing or not valid strings.
public static makePackageUrl(packageUrlJson: any): string {

componentDetection.ts:77

  • [nitpick] The loop variable 'component' shadows the nested 'component.component' property, which can be confusing. Consider renaming the iterator variable (e.g., to 'detectedComponent') for clarity.
json.componentsFound.forEach(async (component: any) => {

componentDetection.ts:157

  • [nitpick] Consider adding a JSDoc comment for makePackageUrl to describe its parameters, behavior, and the meaning of an empty-string return for invalid inputs.
public static makePackageUrl(packageUrlJson: any): string {
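
Worked example, added here and not code from the action, this PR or the component-detection project: a defensive makePackageUrl that returns an empty string for null/undefined input and for objects whose Scheme or Type is missing (the 'null:null/' case raised in the review comment above), plus a collection loop that skips and logs components without a usable purl instead of crashing with the TypeError from the PR description. The loop variable is named detectedComponent rather than component, as the shadowing nitpick suggests. The purl JSON field names (Scheme, Type, Namespace, Name, Version, Qualifiers, Subpath), the collectPackageUrls function, the debug callback and the sample components are assumptions constructed for the example.

```typescript
// Added example, not the action's own code. Field names follow the shape of
// component-detection's packageUrl JSON as assumed here; they are not taken
// from the project source.

type PackageUrlJson = {
  Scheme?: string | null;
  Type?: string | null;
  Namespace?: string | null;
  Name?: string | null;
  Version?: string | null;
  Qualifiers?: Record<string, string> | null;
  Subpath?: string | null;
};

type DetectedComponent = {
  component: {
    id: string;
    name?: string;
    type?: string;
    packageUrl?: PackageUrlJson | null;
  };
};

function isNonEmptyString(v: unknown): v is string {
  return typeof v === "string" && v.length > 0;
}

/**
 * Build a purl string from component-detection's packageUrl JSON.
 * Returns "" when the input is null/undefined, is not an object, or lacks a
 * valid Scheme, Type or Name, so callers can skip the component instead of
 * submitting a bogus key like "null:null/" to the dependency submission API.
 */
export function makePackageUrl(packageUrlJson: unknown): string {
  if (packageUrlJson === null || typeof packageUrlJson !== "object") {
    return "";
  }
  const p = packageUrlJson as PackageUrlJson;
  const scheme = p.Scheme;
  const type = p.Type;
  const name = p.Name;
  // Guard every field the template string needs, not just the object itself.
  if (!isNonEmptyString(scheme) || !isNonEmptyString(type) || !isNonEmptyString(name)) {
    return "";
  }
  try {
    let purl = `${scheme}:${type}/`;
    if (isNonEmptyString(p.Namespace)) {
      purl += `${encodeURIComponent(p.Namespace)}/`;
    }
    purl += encodeURIComponent(name);
    if (isNonEmptyString(p.Version)) {
      purl += `@${encodeURIComponent(p.Version)}`;
    }
    const quals = p.Qualifiers;
    if (quals && Object.keys(quals).length > 0) {
      // Sorted keys give a canonical purl; the purl spec requires it.
      const q = Object.entries(quals)
        .sort(([a], [b]) => a.localeCompare(b))
        .map(([k, v]) => `${k}=${encodeURIComponent(v)}`)
        .join("&");
      purl += `?${q}`;
    }
    if (isNonEmptyString(p.Subpath)) {
      purl += `#${p.Subpath}`;
    }
    return purl;
  } catch {
    // encodeURIComponent throws URIError on lone surrogates; treat as invalid.
    return "";
  }
}

export type SkippedComponent = { id: string; reason: string };

/** Map detected components to purls, skipping and logging any without a usable packageUrl. */
export function collectPackageUrls(
  components: DetectedComponent[],
  debug: (msg: string) => void = () => {}
): { purls: string[]; skipped: SkippedComponent[] } {
  const purls: string[] = [];
  const skipped: SkippedComponent[] = [];
  for (const detectedComponent of components) {
    const c = detectedComponent.component;
    const purl = makePackageUrl(c.packageUrl);
    if (purl === "") {
      debug(`Skipping component detected without packageUrl: ${JSON.stringify({ id: c.id, name: c.name, type: c.type }, null, 2)}`);
      skipped.push({ id: c.id, reason: "missing or invalid packageUrl" });
      continue;
    }
    purls.push(purl);
  }
  return { purls, skipped };
}

// Constructed sample input mirroring the PR's debug output: a DotNet SDK entry
// with no purl, a normal npm package, and an object with null Scheme/Type.
export const sampleComponents: DetectedComponent[] = [
  { component: { id: "8.0.115 net8.0 unknown - DotNet", name: "unnamed", type: "DotNet", packageUrl: null } },
  { component: { id: "lodash 4.17.21 - Npm", name: "lodash", type: "Npm",
      packageUrl: { Scheme: "pkg", Type: "npm", Namespace: null, Name: "lodash", Version: "4.17.21", Qualifiers: null, Subpath: null } } },
  { component: { id: "broken - Npm", name: "broken", type: "Npm", packageUrl: { Scheme: null, Type: null, Name: "x" } } },
];

collectPackageUrls(sampleComponents, (m) => console.log(`##[debug]${m}`));
```

On a real run the input would be the componentsFound array from the component-detection JSON; the debug callback stands in for core.debug. Returning an empty string rather than throwing keeps a single unresolvable SDK entry from aborting the whole snapshot, while the skip log leaves a trace of which package the dependency graph will know nothing about.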

@felickz felickz requested a review from Copilot May 12, 2025 21:37
@Copilot Copilot AI left a comment

Pull Request Overview

Enhance ComponentDetection to gracefully handle missing or invalid packageUrl values and prevent runtime errors by adding defensive checks and improving debugging output.

  • Skip processing components and referrers when packageUrl is missing or invalid, with explanatory debug logs
  • Wrap URL construction in makePackageUrl with null checks and try/catch to return an empty string on failure
  • Add unit tests covering null and undefined packageUrlJson inputs

Reviewed Changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.

Reviewed files:

  • componentDetection.ts: Added guards for missing/invalid packageUrl and enhanced makePackageUrl with null checks and error handling
  • componentDetection.test.ts: Introduced tests for makePackageUrl handling of null/undefined inputs and added negative test cases

@dangoor dangoor left a comment

That looks much more robust. Thanks!

@felickz felickz merged commit 1874d0f into main May 14, 2025
5 of 6 checks passed
@felickz felickz deleted the feature/handle-null-purls branch May 14, 2025 18:14