Fixed up Component Detection/Submission

Author: aegilops

src/componentDetection.ts

@@ -1,4 +1,4 @@
-import { Octokit } from "octokit"
+import { Octokit } from "@octokit/core";
 import {
   PackageCache,
   Package,
@@ -11,19 +11,30 @@ import path from 'path';
 import { tmpdir } from 'os';
 import { StringDecoder } from 'node:string_decoder';
 
-export default class ComponentDetection {
-  public static componentDetectionPath = process.platform === "win32" ? './component-detection.exe' : './component-detection';
-  public static outputPath = (() => {
-    const tmpDir = fs.mkdtempSync(path.join(tmpdir(), 'component-detection-'));
-    return path.join(tmpDir, 'output.json');
-  })();
+export default class ComponentDetection { 
+  public componentDetectionPath: string = process.platform === "win32" ? './component-detection.exe' : './component-detection';
+  public outputPath: string;
+  octokit: Octokit;
+  baseUrl: string;
 
-  // This is the default entry point for this class.
-  // If executablePath is provided, use it directly and skip download.
-  static async scanAndGetManifests(path: string, executablePath?: string): Promise<Manifest[] | undefined> {
+  constructor(octokit: Octokit, baseUrl: string, executablePath?: string) {
+    this.octokit = octokit;
+    this.baseUrl = baseUrl;
     if (executablePath) {
       this.componentDetectionPath = executablePath;
-    } else {
+    }
+
+    // Set the output path
+    this.outputPath = (() => {
+      const tmpDir = fs.mkdtempSync(path.join(tmpdir(), 'component-detection-'));
+      return path.join(tmpDir, 'output.json');
+    })();
+  }
+
+  // This is the default entry point for this class.
+  // If executablePath is provided, use it directly and skip download.
+  async scanAndGetManifests(path: string): Promise<Manifest[] | undefined> {
+    if (!this.componentDetectionPath) {
       await this.downloadLatestRelease();
     }
 
@@ -37,7 +48,7 @@ export default class ComponentDetection {
     return await this.getManifestsFromResults(this.outputPath, path);
   }
   // Get the latest release from the component-detection repo, download the tarball, and extract it
-  public static async downloadLatestRelease() {
+  public async downloadLatestRelease() {
     try {
       const statResult = fs.statSync(this.componentDetectionPath);
       if (statResult && statResult.isFile()) {
@@ -64,7 +75,7 @@ export default class ComponentDetection {
   }
 
   // Run the component-detection CLI on the path specified
-  public static runComponentDetection(path: string): Promise<boolean> {
+  public runComponentDetection(path: string): Promise<boolean> {
     console.debug(`Running component-detection on ${path}`);
 
     console.debug(`Writing to output file: ${this.outputPath}`);
@@ -105,7 +116,7 @@ export default class ComponentDetection {
     });
   }
 
-  public static async getManifestsFromResults(file: string, path: string): Promise<Manifest[] | undefined> {
+  public async getManifestsFromResults(file: string, path: string): Promise<Manifest[] | undefined> {
     console.debug(`Reading results from ${file}`);
     const results = await fs.readFileSync(file, 'utf8');
     const json: any = JSON.parse(results);
@@ -115,7 +126,7 @@ export default class ComponentDetection {
     return this.processComponentsToManifests(json.componentsFound, dependencyGraphs);
   }
 
-  public static processComponentsToManifests(componentsFound: any[], dependencyGraphs: DependencyGraphs): Manifest[] {
+  public processComponentsToManifests(componentsFound: any[], dependencyGraphs: DependencyGraphs): Manifest[] {
     // Parse the result file and add the packages to the package cache
     const packageCache = new PackageCache();
     const packages: Array<ComponentDetectionPackage> = [];
@@ -196,7 +207,7 @@ export default class ComponentDetection {
     return manifests;
   }
 
-  private static addPackagesToManifests(packages: Array<ComponentDetectionPackage>, manifests: Array<Manifest>, dependencyGraphs: DependencyGraphs): void {
+  private addPackagesToManifests(packages: Array<ComponentDetectionPackage>, manifests: Array<Manifest>, dependencyGraphs: DependencyGraphs): void {
     packages.forEach((pkg: ComponentDetectionPackage) => {
       pkg.locationsFoundAt.forEach((location: any) => {
         // Use the normalized path (remove leading slash if present)
@@ -277,28 +288,23 @@ export default class ComponentDetection {
     }
   }
 
-  private static async getLatestReleaseURL(): Promise<string> {
-    let githubToken = process.env.GITHUB_TOKEN || "";
-
-    const githubAPIURL = process.env.GITHUB_API_URL || 'https://api.github.com';
-
-    let ghesMode = process.env.GITHUB_API_URL != githubAPIURL;
-    // If the we're running in GHES, then use an empty string as the token
-    if (ghesMode) {
-      githubToken = "";
+  private async getLatestReleaseURL(): Promise<string> {
+    let octokit: Octokit = this.octokit;
+
+    if (this.baseUrl != 'https://api.github.com') {
+      octokit = new Octokit({
+        auth: "", request: { fetch: fetch }, log: {
+          debug: console.debug,
+          info: console.info,
+          warn: console.warn,
+          error: console.error
+        },
+      });
     }
-    const octokit = new Octokit({
-      auth: githubToken, baseUrl: githubAPIURL, request: { fetch: fetch }, log: {
-        debug: console.debug,
-        info: console.info,
-        warn: console.warn,
-        error: console.error
-      },
-    });
 
     const owner = "microsoft";
     const repo = "component-detection";
-    console.debug("Attempting to download latest release from " + githubAPIURL);
+    console.debug(`Attempting to download latest release from ${owner}/${repo}`);
 
     try {
       const latestRelease = await octokit.request("GET /repos/{owner}/{repo}/releases/latest", { owner, repo });
@@ -328,7 +334,7 @@ export default class ComponentDetection {
    * @param filePathInput The filePath input (relative or absolute) from the action configuration.
    * @returns A new DependencyGraphs object with relative path keys.
    */
-  public static normalizeDependencyGraphPaths(
+  public normalizeDependencyGraphPaths(
     dependencyGraphs: DependencyGraphs,
     filePathInput: string
   ): DependencyGraphs {

src/componentSubmission.ts

@@ -63,10 +63,12 @@ export async function submitSnapshotIfPossible(opts: SubmitOpts): Promise<boolea
         throw new Error('Octokit instance is required in opts.octokit');
     }
 
+    const tmp = await fs.promises.mkdtemp(path.join(os.tmpdir(), 'cd-submission-'));
+
     try {
         const intersect = await getLanguageIntersection(opts.octokit, opts.owner, opts.repo, opts.languages);
         // Create temp dir and sparse checkout only manifest files according to selected languages
-        const tmp = fs.mkdtempSync(path.join(os.tmpdir(), 'cd-submission-'));
+
         console.debug(chalk.green(`Sparse checkout into ${tmp} for languages: ${intersect.join(', ')}`));
 
         const sha = await sparseCheckout(opts.owner, opts.repo, opts.branch, tmp, intersect, opts.baseUrl);
@@ -81,6 +83,9 @@ export async function submitSnapshotIfPossible(opts: SubmitOpts): Promise<boolea
     } catch (e) {
         if (!opts.quiet) console.error(chalk.red(`Component Detection failed: ${(e as Error).message}`));
         return false;
+    } finally {
+        // Clean up temp dir
+        await fs.promises.rm(tmp, { recursive: true, force: true });
     }
 }
 
@@ -142,10 +147,9 @@ async function execGit(args: string[], opts: { cwd: string, quiet?: boolean }):
 
 export async function run(octokit: Octokit, tmpDir: string, owner: string, repo: string, sha: string, ref: string, componentDetectionBinPath?: string) {
 
-    let manifests = await ComponentDetection.scanAndGetManifests(
-        tmpDir,
-        componentDetectionBinPath
-    );
+    const componentDetection = new ComponentDetection(octokit, '', componentDetectionBinPath);
+
+    let manifests = await componentDetection.scanAndGetManifests(tmpDir);
 
     // Get detector configuration inputs
     const detectorName = "Component Detection in GitHub SBOM Toolkit: advanced-security/github-sbom-toolkit";