Code review changes

Author: aegilops

src/cli.ts

@@ -69,7 +69,8 @@ async function main() {
 
   const token = argv.token as string | undefined || process.env.GITHUB_TOKEN;
 
-  if (argv.sbom || argv["sync-malware"] || argv.uploadSarif) {
+  // Require a token for any network operation (syncing SBOMs, malware advisories, or SARIF upload)
+  if (argv.syncSboms || argv["sync-malware"] || argv.uploadSarif) {
     if (!token) {
       console.error(chalk.red("GitHub token must be provided via --token or GITHUB_TOKEN environment variable"));
       process.exit(1);

src/malwareMatcher.ts

@@ -57,14 +57,17 @@ function parsePurl(p: string): ParsedPurl | null {
 
 function versionInRange(ecosystem: string, version: string | null, range: string | null): boolean {
   if (!version || !range) return false;
-  // try  semver logic on all ecosystems
   try {
-    return semver.satisfies(semver.coerce(version) || version, range, { includePrerelease: true });
+    const coerced = semver.coerce(version)?.version;
+    if (coerced && semver.valid(coerced) && semver.validRange(range)) {
+      return semver.satisfies(coerced, range, { includePrerelease: true });
+    }
   } catch {
-    // Fallback: simple equality if range is exact version (no operators)
-    if (/^[0-9A-Za-z._-]+$/.test(range)) return version === range;
-    return false;
+    // ignore and fall through
   }
+  // Fallback: if range looks like a plain version (no operators) do literal comparison
+  if (/^[0-9A-Za-z._-]+$/.test(range)) return version === range;
+  return false;
 }
 
 export function matchMalware(advisories: MalwareAdvisoryNode[], sboms: RepositorySbom[]): MalwareMatch[] {

src/sbomCollector.ts

@@ -26,7 +26,7 @@ export interface CollectorOptions {
 }
 
 export class SbomCollector {
-  private octokit; // typed by Octokit instance
+  private octokit: ReturnType<typeof createOctokit> | undefined; // explicit type
   private opts: Required<CollectorOptions>;
   private sboms: RepositorySbom[] = [];
   private summary: CollectionSummary;
@@ -37,19 +37,24 @@ export class SbomCollector {
     if (!options.loadFromDir && !options.enterprise && !options.org) {
       throw new Error("Either enterprise/org or loadFromDir must be specified");
     }
+    // Spread user options first then apply defaults via nullish coalescing so that
+    // passing undefined does not erase defaults
+    const o = { ...options };
     this.opts = {
-      concurrency: 5,
-      includePrivate: true,
-      delayMsBetweenRepos: options.delayMsBetweenRepos ?? 5000,
-      lightDelayMs: options.lightDelayMs ?? 500,
-      baseUrl: options.baseUrl ?? undefined,
-      autoEnableDependencyGraph: true,
-      loadFromDir: options.loadFromDir ?? undefined,
-      syncSboms: options.syncSboms ?? false,
-      showProgressBar: options.showProgressBar ?? false,
-      suppressSecondaryRateLimitLogs: options.suppressSecondaryRateLimitLogs ?? false,
-      quiet: options.quiet ?? false,
-      ...options
+      token: o.token,
+      enterprise: o.enterprise,
+      org: o.org,
+      baseUrl: o.baseUrl,
+      concurrency: o.concurrency ?? 5,
+      includePrivate: o.includePrivate ?? true,
+      delayMsBetweenRepos: o.delayMsBetweenRepos ?? 5000,
+      lightDelayMs: o.lightDelayMs ?? 500,
+      loadFromDir: o.loadFromDir,
+      syncSboms: o.syncSboms ?? false,
+      autoEnableDependencyGraph: o.autoEnableDependencyGraph ?? true,
+      showProgressBar: o.showProgressBar ?? false,
+      suppressSecondaryRateLimitLogs: o.suppressSecondaryRateLimitLogs ?? false,
+      quiet: o.quiet ?? false
     } as Required<CollectorOptions>;
 
     if (this.opts.token) {

src/serialization.ts

@@ -25,32 +25,69 @@ export function writeOne(sbom: RepositorySbom, { outDir, flatten = false }: Seri
   fs.writeFileSync(filePath, JSON.stringify(sbom, null, 2), "utf8");
 }
 
-export interface ReadOptions { flatten?: boolean }
+export interface ReadOptions {
+  /** Treat directory as flattened (owner-repo.json). */
+  flatten?: boolean;
+  /** Log parse errors (filename + message). */
+  logParseErrors?: boolean;
+  /** Stop after reading this many valid SBOMs (safety for huge trees). */
+  maxFiles?: number;
+}
 
-export function readAll(dir: string, _opts: ReadOptions = {}): RepositorySbom[] {
+/**
+ * Read all serialized SBOMs below a directory.
+ * Modes:
+ *  - Hierarchical (default): recurse and only accept files named exactly `sbom.json` (tightened from previous any *.json behavior).
+ *  - Flattened: do not recurse; accept top-level *.json where filename (without extension) contains at least one dash (owner-repo convention).
+ */
+export function readAll(dir: string, opts: ReadOptions = {}): RepositorySbom[] {
+  const { flatten = false, logParseErrors = false, maxFiles } = opts;
   const results: RepositorySbom[] = [];
   if (!fs.existsSync(dir)) throw new Error(`Directory not found: ${dir}`);
 
-  const visit = (current: string) => {
-    const stat = fs.statSync(current);
-    if (stat.isDirectory()) {
-      const entries = fs.readdirSync(current);
-      for (const e of entries) visit(path.join(current, e));
-    } else if (stat.isFile()) {
-      const base = path.basename(current);
-      if (base === "sbom.json" || base.endsWith(".json")) {
-        try {
-          const raw = fs.readFileSync(current, "utf8");
-          const obj = JSON.parse(raw);
-          if (obj && obj.repo && Array.isArray(obj.packages)) {
-            results.push(obj as RepositorySbom);
-          }
-        } catch (e) {
-          // skip malformed file
-        }
+  const pushIfValid = (filePath: string) => {
+    try {
+      const raw = fs.readFileSync(filePath, "utf8");
+      const obj = JSON.parse(raw);
+      if (obj && obj.repo && Array.isArray(obj.packages)) {
+        results.push(obj as RepositorySbom);
+      }
+    } catch (e) {
+      if (logParseErrors) {
+        // eslint-disable-next-line no-console
+        console.warn(`Skipping malformed SBOM JSON ${filePath}: ${(e as Error).message}`);
       }
     }
   };
-  visit(dir);
+
+  if (flatten) {
+    const entries = fs.readdirSync(dir, { withFileTypes: true });
+    for (const ent of entries) {
+      if (!ent.isFile()) continue;
+      if (!ent.name.endsWith('.json')) continue;
+      // Require at least one dash to loosely match owner-repo.json (avoid pulling unrelated JSON)
+      const baseName = ent.name.slice(0, -5); // remove .json
+      if (!baseName.includes('-')) continue;
+      pushIfValid(path.join(dir, ent.name));
+      if (maxFiles && results.length >= maxFiles) break;
+    }
+  } else {
+    const visit = (current: string) => {
+      const stat = fs.statSync(current);
+      if (stat.isDirectory()) {
+        const entries = fs.readdirSync(current);
+        for (const e of entries) {
+          visit(path.join(current, e));
+          if (maxFiles && results.length >= maxFiles) return; // early exit
+        }
+      } else if (stat.isFile()) {
+        const base = path.basename(current);
+        if (base === "sbom.json") {
+          pushIfValid(current);
+        }
+      }
+    };
+    visit(dir);
+  }
   return results;
 }