Fix mismerged code

aegilops · aegilops · commit a79846097685 · 2025-12-09T11:07:11.000Z
diff --git a/src/malwareMatcher.ts b/src/malwareMatcher.ts
@@ -106,6 +106,8 @@ export interface MatchMalwareOptions {
   advisoryDateCutoff?: string;
 }
 
+const ecosystemsWithNamespace = new Set(['maven', 'nuget', 'composer', 'golang']);
+
 export function matchMalware(advisories: MalwareAdvisoryNode[], sboms: RepositorySbom[], opts?: MatchMalwareOptions): MalwareMatch[] {
   const matches: MalwareMatch[] = [];
 
@@ -159,13 +161,9 @@ export function matchMalware(advisories: MalwareAdvisoryNode[], sboms: Repositor
       }
     }
     // Annotate with default branch for reporting (if known)
-          // Some ecosystems require a namespace (e.g., Maven, NuGet)
-          const ecosystemsWithNamespace = new Set(['maven', 'nuget', 'composer', 'golang']);
-          if (ecosystemsWithNamespace.has(change.ecosystem) && change.namespace) {
-            p = `pkg:${change.ecosystem}/${change.namespace}/${change.name}${change.version ? '@' + change.version : ''}`;
-          } else {
-            p = `pkg:${change.ecosystem}/${change.name}${change.version ? '@' + change.version : ''}`;
-          }
+    const branchName = repo.defaultBranch || undefined;
+    return list.map(p => ({ ...p, __branch: branchName }));
+  }
 
   // Enumerate packages implied by branch diffs (added/updated head-side versions)
   const enumerateDiffPackages = (repo: RepositorySbom): Array<{ purl: string; name?: string; ecosystem?: string; version?: string; __branch: string }> => {
@@ -178,8 +176,11 @@ export function matchMalware(advisories: MalwareAdvisoryNode[], sboms: Repositor
         let p: string | undefined = (change as { purl?: string }).purl;
         if (!p && change.packageURL && change.packageURL.startsWith('pkg:')) p = change.packageURL;
         if (!p && change.ecosystem && change.name && change.version) {
-          // Dependency review ecosystems are lower-case purl types already (e.g. npm, maven, pip, gem)
-          p = `pkg:${change.ecosystem}/${change.name}${change.version ? '@' + change.version : ''}`;
+          if (ecosystemsWithNamespace.has(change.ecosystem) && change.namespace) {
+            p = `pkg:${change.ecosystem}/${change.namespace}/${change.name}${change.version ? '@' + change.version : ''}`;
+          } else {
+            p = `pkg:${change.ecosystem}/${change.name}${change.version ? '@' + change.version : ''}`;
+          }
         }
         if (!p) continue;
         out.push({ purl: p, name: change.name, ecosystem: change.ecosystem, version: change.version, __branch: branchName });
diff --git a/src/sbomCollector.ts b/src/sbomCollector.ts
@@ -38,6 +38,16 @@ export interface CollectorOptions {
   retryIngestionDelayMs?: number; // delay after snapshot submission before retrying dependency review on 404 (default: 3000ms)
 }
 
+interface ParsedQuery {
+  raw: string;
+  lower: string;
+  isPrefixWildcard: boolean;
+  exact?: string;
+  type?: string;
+  name?: string;
+  versionConstraint?: string;
+}
+
 export class SbomCollector {
   private octokit: ReturnType<typeof createOctokit> | undefined; // explicit type
   private opts: Required<CollectorOptions>;
@@ -562,15 +572,7 @@ export class SbomCollector {
   // New method including the query that produced each match
   searchByPurlsWithReasons(purls: string[]): Map<string, { purl: string; reason: string }[]> {
     purls = purls.map(q => q.startsWith("pkg:") ? q : `pkg:${q}`);
-    interface ParsedQuery {
-      raw: string;
-      lower: string;
-      isPrefixWildcard: boolean;
-      exact?: string;
-      type?: string;
-      name?: string;
-      versionConstraint?: string;
-    }
+
     const looksLikeSemverRange = (v: string) => /[\^~><=]|\|\|/.test(v.trim());
     const parseQuery = (raw: string): ParsedQuery | null => {
       const trimmed = raw.trim();
@@ -598,7 +600,37 @@ export class SbomCollector {
     const queries: ParsedQuery[] = purls.map(parseQuery).filter((q): q is ParsedQuery => !!q);
     const results = new Map<string, { purl: string; reason: string }[]>();
     if (!queries.length) return results;
-// Move applyQueries to module scope
+
+    for (const repoSbom of this.sboms) {
+      if (repoSbom.error) continue;
+      interface ExtRef { referenceType: string; referenceLocator: string }
+      const found = new Map<string, string>(); // purl -> query
+      for (const pkg of repoSbom.packages as Array<SbomPackage & { externalRefs?: ExtRef[] }>) {
+        const refs = pkg.externalRefs;
+        const candidatePurls: string[] = [];
+        if (refs) for (const r of refs) if (r.referenceType === "purl" && r.referenceLocator) candidatePurls.push(r.referenceLocator);
+        if ((pkg as { purl?: string }).purl) candidatePurls.push((pkg as { purl?: string }).purl as string);
+        applyQueries(candidatePurls, queries, found, undefined, (pkg.version as string | undefined) || undefined);
+      }
+      // Include dependency review diff additions/updates (head packages only)
+      if (repoSbom.branchDiffs) {
+        const diffs = repoSbom.branchDiffs.values();
+        for (const diff of diffs) {
+          for (const change of diff.changes) {
+            if (change.changeType !== "added" && change.changeType !== "updated") continue;
+            const candidatePurls: string[] = [];
+            if ((change as { purl?: string }).purl) candidatePurls.push((change as { purl?: string }).purl as string);
+            if (change.packageURL) candidatePurls.push(change.packageURL);
+            applyQueries(candidatePurls, queries, found, diff.head, change.version);
+          }
+        }
+      }
+      if (found.size) results.set(repoSbom.repo, Array.from(found.entries()).map(([purl, reason]) => ({ purl, reason })));
+    }
+    return results;
+  }
+}
+
 function applyQueries(
   candidatePurls: string[],
   queries: ParsedQuery[],
@@ -639,33 +671,4 @@ function applyQueries(
       }
     }
   }
-}
-    for (const repoSbom of this.sboms) {
-      if (repoSbom.error) continue;
-      interface ExtRef { referenceType: string; referenceLocator: string }
-      const found = new Map<string, string>(); // purl -> query
-      for (const pkg of repoSbom.packages as Array<SbomPackage & { externalRefs?: ExtRef[] }>) {
-        const refs = pkg.externalRefs;
-        const candidatePurls: string[] = [];
-        if (refs) for (const r of refs) if (r.referenceType === "purl" && r.referenceLocator) candidatePurls.push(r.referenceLocator);
-        if ((pkg as { purl?: string }).purl) candidatePurls.push((pkg as { purl?: string }).purl as string);
-        applyQueries(candidatePurls, queries, found, undefined, (pkg.version as string | undefined) || undefined);
-      }
-      // Include dependency review diff additions/updates (head packages only)
-      if (repoSbom.branchDiffs) {
-        const diffs = repoSbom.branchDiffs.values();
-        for (const diff of diffs) {
-          for (const change of diff.changes) {
-            if (change.changeType !== "added" && change.changeType !== "updated") continue;
-            const candidatePurls: string[] = [];
-            if ((change as { purl?: string }).purl) candidatePurls.push((change as { purl?: string }).purl as string);
-            if (change.packageURL) candidatePurls.push(change.packageURL);
-            applyQueries(candidatePurls, queries, found, diff.head, change.version);
-          }
-        }
-      }
-      if (found.size) results.set(repoSbom.repo, Array.from(found.entries()).map(([purl, reason]) => ({ purl, reason })));
-    }
-    return results;
-  }
 }
