Merge branch 'dependency-review' into copilot/sub-pr-21-another-one

Author: aegilops

.gitignore

@@ -4,4 +4,5 @@ dist/
 data/
 .vscode/
 .DS_Store
-component-detection
+component-detection
+tmp-branch-search-cache/

README.md

@@ -68,7 +68,6 @@ Flags:
 ```bash
 --branch-scan              # Fetch SBOMs for non-default branches
 --branch-limit <n>          # Max number of non-default branches per repo (default 10)
---dependency-review         # Fetch dependency review diffs (enabled by default)
 --diff-base <branch>        # Override base branch for diffs (default: repository default)
 ```
 
@@ -172,7 +171,7 @@ npm run start -- --sbom-cache sboms --purl-file queries.txt
 npm run start -- --sync-sboms --org my-org --sbom-cache sboms
 ```
 
-1. Later offline search (no API calls; uses previously written per‑repo JSON):
+2. Later offline search (no API calls; uses previously written per‑repo JSON):
 
 ```bash
 npm run start -- --sbom-cache sboms --purl pkg:npm/[email protected]
@@ -442,7 +441,7 @@ npm install
 npm run build
 ```
 
-1. Run the test harness script:
+2. Run the test harness script:
 
 ```bash
 node dist/test-fixture-match.js

package-lock.json

@@ -12,8 +12,7 @@
     "start": "node dist/cli.js",
     "dev": "tsx src/cli.ts",
     "lint": "eslint . --ext .ts --max-warnings=0",
-    "test": "node dist/test-fixture-match.js",
-    "test:branch-search": "node dist/test-branch-search.js"
+    "test": "node dist/test-fixture-match.js && node dist/test-branch-search.js"
   },
   "engines": {
     "node": ">=18.0.0"
@@ -28,7 +27,7 @@
     "@octokit/plugin-throttling": "^11.0.3",
     "chalk": "^5.6.2",
     "cross-fetch": "^4.1.0",
-    "inquirer": "^12.11.0",
+    "inquirer": "^12.11.1",
     "octokit": "^5.0.5",
     "p-limit": "^7.2.0",
     "packageurl-js": "^2.0.1",

package.json

@@ -58,7 +58,7 @@ async function main() {
         if (!args.enterprise && !args.org && !args.repo) throw new Error("Provide --enterprise, --org or --repo with --sync-sboms");
         if (args.enterprise && args.org) throw new Error("Specify only one of --enterprise or --org");
         if (args.repo && (args.enterprise || args.org)) throw new Error("Specify only one of --enterprise, --org, or --repo");
-        if (!args.sbomCache) throw new Error("--sync-sboms requires --sbom-cache to write updated SBOMs to disk");
+        if (syncing && !args.sbomCache) throw new Error("--sync-sboms requires --sbom-cache to write updated SBOMs to disk");
       } else {
         const malwareOnly = !!args["sync-malware"] && !args.sbomCache && !args.purl && !args["purl-file"] && !args["match-malware"] && !args.uploadSarif && !args.interactive;
         if (!malwareOnly && !args.sbomCache) throw new Error("Offline mode requires --sbom-cache unless running --sync-malware by itself");

src/cli.ts

@@ -1,4 +1,4 @@
-import { Octokit } from "octokit"
+import { Octokit } from "@octokit/core";
 import {
   PackageCache,
   Package,
@@ -11,16 +11,30 @@ import path from 'path';
 import { tmpdir } from 'os';
 import { StringDecoder } from 'node:string_decoder';
 
-export default class ComponentDetection {
-  public static componentDetectionPath = process.platform === "win32" ? './component-detection.exe' : './component-detection';
-  public static outputPath = path.join(tmpdir(), `component-detection-output-${Date.now()}.json`);
+export default class ComponentDetection { 
+  public componentDetectionPath: string = process.platform === "win32" ? './component-detection.exe' : './component-detection';
+  public outputPath: string;
+  octokit: Octokit;
+  baseUrl: string;
 
-  // This is the default entry point for this class.
-  // If executablePath is provided, use it directly and skip download.
-  static async scanAndGetManifests(path: string, executablePath?: string): Promise<Manifest[] | undefined> {
+  constructor(octokit: Octokit, baseUrl: string, executablePath?: string) {
+    this.octokit = octokit;
+    this.baseUrl = baseUrl;
     if (executablePath) {
       this.componentDetectionPath = executablePath;
-    } else {
+    }
+
+    // Set the output path
+    this.outputPath = (() => {
+      const tmpDir = fs.mkdtempSync(path.join(tmpdir(), 'component-detection-'));
+      return path.join(tmpDir, 'output.json');
+    })();
+  }
+
+  // This is the default entry point for this class.
+  // If executablePath is provided, use it directly and skip download.
+  async scanAndGetManifests(path: string): Promise<Manifest[] | undefined> {
+    if (!this.componentDetectionPath) {
       await this.downloadLatestRelease();
     }
 
@@ -34,7 +48,7 @@ export default class ComponentDetection {
     return await this.getManifestsFromResults(this.outputPath, path);
   }
   // Get the latest release from the component-detection repo, download the tarball, and extract it
-  public static async downloadLatestRelease() {
+  public async downloadLatestRelease() {
     try {
       const statResult = fs.statSync(this.componentDetectionPath);
       if (statResult && statResult.isFile()) {
@@ -54,14 +68,14 @@ export default class ComponentDetection {
 
       // Write the blob to a file
       console.debug(`Writing binary to file ${this.componentDetectionPath}`);
-      await fs.writeFileSync(this.componentDetectionPath, buffer, { mode: 0o777, flag: 'w' });
+      await fs.writeFileSync(this.componentDetectionPath, buffer, { mode: 0o755, flag: 'w' });
     } catch (error: any) {
       console.error(error);
     }
   }
 
   // Run the component-detection CLI on the path specified
-  public static runComponentDetection(path: string): Promise<boolean> {
+  public runComponentDetection(path: string): Promise<boolean> {
     console.debug(`Running component-detection on ${path}`);
 
     console.debug(`Writing to output file: ${this.outputPath}`);
@@ -102,7 +116,7 @@ export default class ComponentDetection {
     });
   }
 
-  public static async getManifestsFromResults(file: string, path: string): Promise<Manifest[] | undefined> {
+  public async getManifestsFromResults(file: string, path: string): Promise<Manifest[] | undefined> {
     console.debug(`Reading results from ${file}`);
     const results = await fs.readFileSync(file, 'utf8');
     const json: any = JSON.parse(results);
@@ -112,7 +126,7 @@ export default class ComponentDetection {
     return this.processComponentsToManifests(json.componentsFound, dependencyGraphs);
   }
 
-  public static processComponentsToManifests(componentsFound: any[], dependencyGraphs: DependencyGraphs): Manifest[] {
+  public processComponentsToManifests(componentsFound: any[], dependencyGraphs: DependencyGraphs): Manifest[] {
     // Parse the result file and add the packages to the package cache
     const packageCache = new PackageCache();
     const packages: Array<ComponentDetectionPackage> = [];
@@ -193,7 +207,7 @@ export default class ComponentDetection {
     return manifests;
   }
 
-  private static addPackagesToManifests(packages: Array<ComponentDetectionPackage>, manifests: Array<Manifest>, dependencyGraphs: DependencyGraphs): void {
+  private addPackagesToManifests(packages: Array<ComponentDetectionPackage>, manifests: Array<Manifest>, dependencyGraphs: DependencyGraphs): void {
     packages.forEach((pkg: ComponentDetectionPackage) => {
       pkg.locationsFoundAt.forEach((location: any) => {
         // Use the normalized path (remove leading slash if present)
@@ -250,7 +264,7 @@ export default class ComponentDetection {
     }
 
     try {
-      var packageUrl = `${packageUrlJson.Scheme}:${packageUrlJson.Type}/`;
+      let packageUrl = `${packageUrlJson.Scheme}:${packageUrlJson.Type}/`;
       if (packageUrlJson.Namespace) {
         packageUrl += `${packageUrlJson.Namespace.replaceAll("@", "%40")}/`;
       }
@@ -274,28 +288,23 @@ export default class ComponentDetection {
     }
   }
 
-  private static async getLatestReleaseURL(): Promise<string> {
-    let githubToken = process.env.GITHUB_TOKEN || "";
-
-    const githubAPIURL = process.env.GITHUB_API_URL || 'https://api.github.com';
-
-    let ghesMode = process.env.GITHUB_API_URL != githubAPIURL;
-    // If the we're running in GHES, then use an empty string as the token
-    if (ghesMode) {
-      githubToken = "";
+  private async getLatestReleaseURL(): Promise<string> {
+    let octokit: Octokit = this.octokit;
+
+    if (this.baseUrl !== 'https://api.github.com') {
+      octokit = new Octokit({
+        auth: "", request: { fetch: fetch }, log: {
+          debug: console.debug,
+          info: console.info,
+          warn: console.warn,
+          error: console.error
+        },
+      });
     }
-    const octokit = new Octokit({
-      auth: githubToken, baseUrl: githubAPIURL, request: { fetch: fetch }, log: {
-        debug: console.debug,
-        info: console.info,
-        warn: console.warn,
-        error: console.error
-      },
-    });
 
     const owner = "microsoft";
     const repo = "component-detection";
-    console.debug("Attempting to download latest release from " + githubAPIURL);
+    console.debug(`Attempting to download latest release from ${owner}/${repo}`);
 
     try {
       const latestRelease = await octokit.request("GET /repos/{owner}/{repo}/releases/latest", { owner, repo });
@@ -325,7 +334,7 @@ export default class ComponentDetection {
    * @param filePathInput The filePath input (relative or absolute) from the action configuration.
    * @returns A new DependencyGraphs object with relative path keys.
    */
-  public static normalizeDependencyGraphPaths(
+  public normalizeDependencyGraphPaths(
     dependencyGraphs: DependencyGraphs,
     filePathInput: string
   ): DependencyGraphs {

src/componentDetection.ts

@@ -25,7 +25,7 @@ export interface SubmitOpts {
     componentDetectionBinPath?: string; // optional path to component-detection executable
 }
 
-export async function getLanguageIntersection(octokit: any, owner: string, repo: string, languages: string[] | undefined, quiet: boolean = false): Promise<string[]> {
+export async function getLanguageIntersection(octokit: Octokit, owner: string, repo: string, languages: string[] | undefined, quiet: boolean = false): Promise<string[]> {
     const langResp = await octokit.request('GET /repos/{owner}/{repo}/languages', { owner, repo });
     const repoLangs = Object.keys(langResp.data || {});
     const wanted = languages;
@@ -63,10 +63,15 @@ export async function submitSnapshotIfPossible(opts: SubmitOpts): Promise<boolea
         throw new Error('Octokit instance is required in opts.octokit');
     }
 
+    const tmp = await fs.promises.mkdtemp(path.join(os.tmpdir(), 'cd-submission-'));
+
     try {
         const intersect = await getLanguageIntersection(opts.octokit, opts.owner, opts.repo, opts.languages);
         // Create temp dir and sparse checkout only manifest files according to selected languages
-        const tmp = fs.mkdtempSync(path.join(os.tmpdir(), 'cd-submission-'));
+        if (!intersect.length) {
+            // No matching languages, skip submission
+            return false;
+        }
         console.debug(chalk.green(`Sparse checkout into ${tmp} for languages: ${intersect.join(', ')}`));
 
         const sha = await sparseCheckout(opts.owner, opts.repo, opts.branch, tmp, intersect, opts.baseUrl);
@@ -81,6 +86,9 @@ export async function submitSnapshotIfPossible(opts: SubmitOpts): Promise<boolea
     } catch (e) {
         if (!opts.quiet) console.error(chalk.red(`Component Detection failed: ${(e as Error).message}`));
         return false;
+    } finally {
+        // Clean up temp dir
+        await fs.promises.rm(tmp, { recursive: true, force: true });
     }
 }
 
@@ -122,8 +130,10 @@ function buildSparsePatterns(langs: string[]): string[] {
             add('**/*.sln');
         }
     }
-    // Always include root lockfiles just in case
-    add('package.json'); add('package-lock.json'); add('yarn.lock'); add('pnpm-lock.yaml');
+    // Include root lockfiles only if JavaScript/TypeScript is among selected languages
+    if (langs.some(l => ['javascript', 'typescript', 'node', 'js', 'ts'].includes(l.toLowerCase()))) {
+        add('package.json'); add('package-lock.json'); add('yarn.lock'); add('pnpm-lock.yaml');
+    }
     return Array.from(set);
 }
 
@@ -142,10 +152,9 @@ async function execGit(args: string[], opts: { cwd: string, quiet?: boolean }):
 
 export async function run(octokit: Octokit, tmpDir: string, owner: string, repo: string, sha: string, ref: string, componentDetectionBinPath?: string): Promise<boolean> {
 
-    let manifests = await ComponentDetection.scanAndGetManifests(
-        tmpDir,
-        componentDetectionBinPath
-    );
+    const componentDetection = new ComponentDetection(octokit, '', componentDetectionBinPath);
+
+    let manifests = await componentDetection.scanAndGetManifests(tmpDir);
 
     // Get detector configuration inputs
     const detectorName = "Component Detection in GitHub SBOM Toolkit: advanced-security/github-sbom-toolkit";
@@ -198,7 +207,7 @@ export async function submitSnapshot(
             'POST /repos/{owner}/{repo}/dependency-graph/snapshots',
             {
                 headers: {
-                    accept: 'application/vnd.github.foo-bar-preview+json'
+                    accept: 'application/vnd.github+json'
                 },
                 owner: repo.owner,
                 repo: repo.repo,

src/componentSubmission.ts

@@ -157,12 +157,12 @@ export function matchMalware(advisories: MalwareAdvisoryNode[], sboms: Repositor
         if (change.changeType !== 'added' && change.changeType !== 'updated') continue;
         let p: string | undefined = (change as { purl?: string }).purl;
         if (!p && change.packageURL && change.packageURL.startsWith('pkg:')) p = change.packageURL;
-        if (!p && change.ecosystem && change.name && change.newVersion) {
+        if (!p && change.ecosystem && change.name && change.version) {
           // Dependency review ecosystems are lower-case purl types already (e.g. npm, maven, pip, gem)
-          p = `pkg:${change.ecosystem}/${change.name}${change.newVersion ? '@' + change.newVersion : ''}`;
+          p = `pkg:${change.ecosystem}/${change.name}${change.version ? '@' + change.version : ''}`;
         }
         if (!p) continue;
-        out.push({ purl: p, name: change.name, ecosystem: change.ecosystem, version: change.newVersion, __branch: branchName });
+        out.push({ purl: p, name: change.name, ecosystem: change.ecosystem, version: change.version, __branch: branchName });
       }
     }
     return out;

src/malwareMatcher.ts

@@ -48,6 +48,16 @@ export class SbomCollector {
     if (!options.loadFromDir && !options.enterprise && !options.org && !options.repo) {
       throw new Error("One of enterprise/org/repo or loadFromDir must be specified");
     }
+    // Validate repo format if provided
+    if (options.repo) {
+      if (typeof options.repo !== "string" || !options.repo.includes("/")) {
+        throw new Error('If specifying "repo", it must be in the format "org/repo".');
+      }
+      const [orgPart, repoPart] = options.repo.split("/");
+      if (!orgPart || !repoPart) {
+        throw new Error('If specifying "repo", it must be in the format "org/repo" with both parts non-empty.');
+      }
+    }
     // Spread user options first then apply defaults via nullish coalescing so that
     // passing undefined does not erase defaults
     const o = { ...options };
@@ -528,7 +538,7 @@ export class SbomCollector {
           }
         }
       }
-      return { latestCommitDate: new Date().toISOString(), base, head, retrievedAt: new Date().toISOString(), changes: [], error: reason };
+      return { latestCommitDate: undefined, base, head, retrievedAt: new Date().toISOString(), changes: [], error: reason };
     }
   }
 
@@ -627,7 +637,7 @@ export class SbomCollector {
             const candidatePurls: string[] = [];
             if ((change as { purl?: string }).purl) candidatePurls.push((change as { purl?: string }).purl as string);
             if (change.packageURL) candidatePurls.push(change.packageURL);
-            applyQueries(candidatePurls, queries, found, diff.head, (change as any).newVersion);
+            applyQueries(candidatePurls, queries, found, diff.head, (change as any).version);
           }
         }
       }