Merge pull request #17 from GHAS-Exercises/fix-normalize-purl-format

aegilops · web-flow · commit da958e2a3045 · 2025-11-25T15:58:50.000Z
Add package name normalization function
diff --git a/src/malwareMatcher.ts b/src/malwareMatcher.ts
@@ -41,6 +41,19 @@ const ecosystemToPurlType: Record<string, string> = {
 
 interface ParsedPurl { type: string; name: string; version: string | null }
 
+/**
+ * Normalize a package name by decoding URL-encoded characters.
+ * This ensures that both @scope/package and %40scope/package are treated identically.
+ */
+function normalizePackageName(name: string): string {
+  try {
+    return decodeURIComponent(name);
+  } catch {
+    // If decoding fails, return as-is
+    return name;
+  }
+}
+
 function parsePurl(p: string): ParsedPurl | null {
   // Basic PURL format: pkg:type/name@version (ignore qualifiers/subpath for matching)
   if (!p.startsWith("pkg:")) return null;
@@ -53,7 +66,8 @@ function parsePurl(p: string): ParsedPurl | null {
   const type = main.slice(0, slashIdx).toLowerCase();
   const name = main.slice(slashIdx + 1);
   if (!type || !name) return null;
-  return { type, name, version };
+  // Normalize the name to handle URL-encoded characters like %40 -> @
+  return { type, name: normalizePackageName(name), version };
 }
 
 function versionInRange(ecosystem: string, version: string | null, range: string | null): boolean {
@@ -107,7 +121,9 @@ export function matchMalware(advisories: MalwareAdvisoryNode[], sboms: Repositor
     }
     for (const vuln of adv.vulnerabilities) {
       if (!vuln.name || !vuln.ecosystem) continue;
-      const key = `${vuln.ecosystem}::${vuln.name}`.toLowerCase();
+      // Normalize the advisory name to handle both @scope/package and %40scope/package
+      const normalizedName = normalizePackageName(vuln.name);
+      const key = `${vuln.ecosystem}::${normalizedName}`.toLowerCase();
       const arr = index.get(key) || [];
       if (!arr.includes(adv)) arr.push(adv);
       index.set(key, arr);
@@ -156,7 +172,9 @@ export function matchMalware(advisories: MalwareAdvisoryNode[], sboms: Repositor
         for (const adv of candidateAdvisories) {
           for (const vuln of adv.vulnerabilities) {
             if (vuln.ecosystem !== ecosystem) continue;
-            if (vuln.name?.toLowerCase() !== parsed.name.toLowerCase()) continue;
+            // Normalize both names before comparison to handle URL encoding differences
+            const normalizedVulnName = normalizePackageName(vuln.name || "");
+            if (normalizedVulnName.toLowerCase() !== parsed.name.toLowerCase()) continue;
             if (!versionInRange(ecosystem, version, vuln.vulnerableVersionRange)) continue;
             const dedupeKey = `${adv.ghsaId}@@${purlStr}`;
             if (seen.has(dedupeKey)) continue;
