Merge branch 'dependency-review' of https://github.com/advanced-security/github-sbom-toolkit into dependency-review

Author: aegilops

src/cli.ts

@@ -58,7 +58,7 @@ async function main() {
         if (!args.enterprise && !args.org && !args.repo) throw new Error("Provide --enterprise, --org or --repo with --sync-sboms");
         if (args.enterprise && args.org) throw new Error("Specify only one of --enterprise or --org");
         if (args.repo && (args.enterprise || args.org)) throw new Error("Specify only one of --enterprise, --org, or --repo");
-         if (!args.sbomCache) throw new Error("--sync-sboms requires --sbom-cache to write updated SBOMs to disk");
+        if (!args.sbomCache) throw new Error("--sync-sboms requires --sbom-cache to write updated SBOMs to disk");
       } else {
         const malwareOnly = !!args["sync-malware"] && !args.sbomCache && !args.purl && !args["purl-file"] && !args["match-malware"] && !args.uploadSarif && !args.interactive;
         if (!malwareOnly && !args.sbomCache) throw new Error("Offline mode requires --sbom-cache unless running --sync-malware by itself");

src/componentDetection.ts

@@ -105,7 +105,7 @@ export default class ComponentDetection {
   public static async getManifestsFromResults(file: string, path: string): Promise<Manifest[] | undefined> {
     console.debug(`Reading results from ${file}`);
     const results = await fs.readFileSync(file, 'utf8');
-    var json: any = JSON.parse(results);
+    const json: any = JSON.parse(results);
 
     let dependencyGraphs: DependencyGraphs = this.normalizeDependencyGraphPaths(json.dependencyGraphs, path);
 
@@ -300,7 +300,7 @@ export default class ComponentDetection {
     try {
       const latestRelease = await octokit.request("GET /repos/{owner}/{repo}/releases/latest", { owner, repo });
 
-      var downloadURL: string = "";
+      let downloadURL: string = "";
       // TODO: do we need to handle different architectures here?
       // can we allow x64 on MacOS? We could allow an input parameter to override?
       const assetName = process.platform === "win32" ? "component-detection-win-x64.exe" : process.platform === "linux" ? "component-detection-linux-x64" : "component-detection-osx-arm64";

src/componentSubmission.ts

@@ -83,7 +83,7 @@ export async function submitSnapshotIfPossible(opts: SubmitOpts): Promise<boolea
         return false;
     }
 
-    return false;
+    return true;
 }
 
 function buildSparsePatterns(langs: string[]): string[] {

src/test-branch-search.ts

@@ -19,10 +19,6 @@ async function main() {
     { name: 'chalk', version: '5.6.1', purl: 'pkg:npm/[email protected]' },
     { name: 'react', version: '18.2.0', purl: 'pkg:npm/[email protected]' }
   ];
-  const featurePackages = [
-    { name: 'react', version: '18.3.0-beta', purl: 'pkg:npm/[email protected]' },
-    { name: 'lodash', version: '4.17.21', purl: 'pkg:npm/[email protected]' }
-  ];
   const diffChanges = [
     { changeType: 'added', name: 'lodash', ecosystem: 'npm', purl: 'pkg:npm/[email protected]', version: '4.17.21' },
     { changeType: 'updated', name: 'react', ecosystem: 'npm', purl: 'pkg:npm/[email protected]', version: '18.2.0', newVersion: '18.3.0-beta' }

src/types.ts

@@ -122,7 +122,7 @@ export interface DependencyReviewPackageChange {
 }
 
 export interface BranchDependencyDiff {
-  latestCommitDate: any;
+  latestCommitDate: string;
   base: string; // base branch
   head: string; // head branch
   retrievedAt: string;