Merge branch 'dependency-review' into copilot/sub-pr-21-one-more-time

Author: aegilops

.gitignore

@@ -4,4 +4,5 @@ dist/
 data/
 .vscode/
 .DS_Store
-component-detection
+component-detection
+tmp-branch-search-cache/

README.md

@@ -68,7 +68,6 @@ Flags:
 ```bash
 --branch-scan              # Fetch SBOMs for non-default branches
 --branch-limit <n>          # Max number of non-default branches per repo (default 10)
---dependency-review         # Fetch dependency review diffs (enabled by default)
 --diff-base <branch>        # Override base branch for diffs (default: repository default)
 ```
 
@@ -86,7 +85,7 @@ If a branch SBOM or diff retrieval fails, the error is recorded but does not sto
 
 #### Handling Missing Dependency Review Snapshots
 
-If the Dependency Review API returns a 404 for a branch diff (commonly due to a missing dependency snapshot on either the base or head commit), the toolkit can optionally attempt to generate and submit a snapshot using Component Detection and Dependency Submission. This is vendored-in and forked from the public [Component Detection Dependency Submission Action](https://github.com/your-org/component-detection-dependency-submission-action).
+If the Dependency Review API returns a 404 for a branch diff (commonly due to a missing dependency snapshot on either the base or head commit), the toolkit can optionally attempt to generate and submit a snapshot using Component Detection and Dependency Submission. This is vendored-in and forked from the public [Component Detection Dependency Submission Action](https://github.com/advanced-security/component-detection-dependency-submission-action).
 
 Enable automatic submission + retry with:
 
@@ -172,7 +171,7 @@ npm run start -- --sbom-cache sboms --purl-file queries.txt
 npm run start -- --sync-sboms --org my-org --sbom-cache sboms
 ```
 
-1. Later offline search (no API calls; uses previously written per‑repo JSON):
+2. Later offline search (no API calls; uses previously written per‑repo JSON):
 
 ```bash
 npm run start -- --sbom-cache sboms --purl pkg:npm/[email protected]
@@ -442,7 +441,7 @@ npm install
 npm run build
 ```
 
-1. Run the test harness script:
+2. Run the test harness script:
 
 ```bash
 node dist/test-fixture-match.js

package-lock.json

@@ -12,8 +12,7 @@
     "start": "node dist/cli.js",
     "dev": "tsx src/cli.ts",
     "lint": "eslint . --ext .ts --max-warnings=0",
-    "test": "node dist/test-fixture-match.js",
-    "test:branch-search": "node dist/test-branch-search.js"
+    "test": "node dist/test-fixture-match.js && node dist/test-branch-search.js"
   },
   "engines": {
     "node": ">=18.0.0"
@@ -28,7 +27,7 @@
     "@octokit/plugin-throttling": "^11.0.3",
     "chalk": "^5.6.2",
     "cross-fetch": "^4.1.0",
-    "inquirer": "^12.11.0",
+    "inquirer": "^12.11.1",
     "octokit": "^5.0.5",
     "p-limit": "^7.2.0",
     "packageurl-js": "^2.0.1",

package.json

@@ -58,7 +58,7 @@ async function main() {
         if (!args.enterprise && !args.org && !args.repo) throw new Error("Provide --enterprise, --org or --repo with --sync-sboms");
         if (args.enterprise && args.org) throw new Error("Specify only one of --enterprise or --org");
         if (args.repo && (args.enterprise || args.org)) throw new Error("Specify only one of --enterprise, --org, or --repo");
-        if (!args.sbomCache) throw new Error("--sync-sboms requires --sbom-cache to write updated SBOMs to disk");
+        if (syncing && !args.sbomCache) throw new Error("--sync-sboms requires --sbom-cache to write updated SBOMs to disk");
       } else {
         const malwareOnly = !!args["sync-malware"] && !args.sbomCache && !args.purl && !args["purl-file"] && !args["match-malware"] && !args.uploadSarif && !args.interactive;
         if (!malwareOnly && !args.sbomCache) throw new Error("Offline mode requires --sbom-cache unless running --sync-malware by itself");

src/cli.ts

@@ -1,4 +1,4 @@
-import { Octokit } from "octokit"
+import { Octokit } from "@octokit/core";
 import {
   PackageCache,
   Package,
@@ -11,16 +11,30 @@ import path from 'path';
 import { tmpdir } from 'os';
 import { StringDecoder } from 'node:string_decoder';
 
-export default class ComponentDetection {
-  public static componentDetectionPath = process.platform === "win32" ? './component-detection.exe' : './component-detection';
-  public static outputPath = path.join(tmpdir(), `component-detection-output-${Date.now()}.json`);
+export default class ComponentDetection { 
+  public componentDetectionPath: string = process.platform === "win32" ? './component-detection.exe' : './component-detection';
+  public outputPath: string;
+  octokit: Octokit;
+  baseUrl: string;
 
-  // This is the default entry point for this class.
-  // If executablePath is provided, use it directly and skip download.
-  static async scanAndGetManifests(path: string, executablePath?: string): Promise<Manifest[] | undefined> {
+  constructor(octokit: Octokit, baseUrl: string, executablePath?: string) {
+    this.octokit = octokit;
+    this.baseUrl = baseUrl;
     if (executablePath) {
       this.componentDetectionPath = executablePath;
-    } else {
+    }
+
+    // Set the output path
+    this.outputPath = (() => {
+      const tmpDir = fs.mkdtempSync(path.join(tmpdir(), 'component-detection-'));
+      return path.join(tmpDir, 'output.json');
+    })();
+  }
+
+  // This is the default entry point for this class.
+  // If executablePath is provided, use it directly and skip download.
+  async scanAndGetManifests(path: string): Promise<Manifest[] | undefined> {
+    if (!this.componentDetectionPath) {
       await this.downloadLatestRelease();
     }
 
@@ -34,7 +48,7 @@ export default class ComponentDetection {
     return await this.getManifestsFromResults(this.outputPath, path);
   }
   // Get the latest release from the component-detection repo, download the tarball, and extract it
-  public static async downloadLatestRelease() {
+  public async downloadLatestRelease() {
     try {
       const statResult = fs.statSync(this.componentDetectionPath);
       if (statResult && statResult.isFile()) {
@@ -54,14 +68,14 @@ export default class ComponentDetection {
 
       // Write the blob to a file
       console.debug(`Writing binary to file ${this.componentDetectionPath}`);
-      await fs.writeFileSync(this.componentDetectionPath, buffer, { mode: 0o777, flag: 'w' });
+      await fs.writeFileSync(this.componentDetectionPath, buffer, { mode: 0o755, flag: 'w' });
     } catch (error: any) {
       console.error(error);
     }
   }
 
   // Run the component-detection CLI on the path specified
-  public static runComponentDetection(path: string): Promise<boolean> {
+  public runComponentDetection(path: string): Promise<boolean> {
     console.debug(`Running component-detection on ${path}`);
 
     console.debug(`Writing to output file: ${this.outputPath}`);
@@ -102,7 +116,7 @@ export default class ComponentDetection {
     });
   }
 
-  public static async getManifestsFromResults(file: string, path: string): Promise<Manifest[] | undefined> {
+  public async getManifestsFromResults(file: string, path: string): Promise<Manifest[] | undefined> {
     console.debug(`Reading results from ${file}`);
     const results = await fs.readFileSync(file, 'utf8');
     const json: any = JSON.parse(results);
@@ -112,7 +126,7 @@ export default class ComponentDetection {
     return this.processComponentsToManifests(json.componentsFound, dependencyGraphs);
   }
 
-  public static processComponentsToManifests(componentsFound: any[], dependencyGraphs: DependencyGraphs): Manifest[] {
+  public processComponentsToManifests(componentsFound: any[], dependencyGraphs: DependencyGraphs): Manifest[] {
     // Parse the result file and add the packages to the package cache
     const packageCache = new PackageCache();
     const packages: Array<ComponentDetectionPackage> = [];
@@ -193,7 +207,7 @@ export default class ComponentDetection {
     return manifests;
   }
 
-  private static addPackagesToManifests(packages: Array<ComponentDetectionPackage>, manifests: Array<Manifest>, dependencyGraphs: DependencyGraphs): void {
+  private addPackagesToManifests(packages: Array<ComponentDetectionPackage>, manifests: Array<Manifest>, dependencyGraphs: DependencyGraphs): void {
     packages.forEach((pkg: ComponentDetectionPackage) => {
       pkg.locationsFoundAt.forEach((location: any) => {
         // Use the normalized path (remove leading slash if present)
@@ -250,7 +264,7 @@ export default class ComponentDetection {
     }
 
     try {
-      const packageUrl = `${packageUrlJson.Scheme}:${packageUrlJson.Type}/`;
+      let packageUrl = `${packageUrlJson.Scheme}:${packageUrlJson.Type}/`;
       if (packageUrlJson.Namespace) {
         packageUrl += `${packageUrlJson.Namespace.replaceAll("@", "%40")}/`;
       }
@@ -274,28 +288,23 @@ export default class ComponentDetection {
     }
   }
 
-  private static async getLatestReleaseURL(): Promise<string> {
-    let githubToken = process.env.GITHUB_TOKEN || "";
-
-    const githubAPIURL = process.env.GITHUB_API_URL || 'https://api.github.com';
-
-    let ghesMode = process.env.GITHUB_API_URL != githubAPIURL;
-    // If the we're running in GHES, then use an empty string as the token
-    if (ghesMode) {
-      githubToken = "";
+  private async getLatestReleaseURL(): Promise<string> {
+    let octokit: Octokit = this.octokit;
+
+    if (this.baseUrl !== 'https://api.github.com') {
+      octokit = new Octokit({
+        auth: "", request: { fetch: fetch }, log: {
+          debug: console.debug,
+          info: console.info,
+          warn: console.warn,
+          error: console.error
+        },
+      });
     }
-    const octokit = new Octokit({
-      auth: githubToken, baseUrl: githubAPIURL, request: { fetch: fetch }, log: {
-        debug: console.debug,
-        info: console.info,
-        warn: console.warn,
-        error: console.error
-      },
-    });
 
     const owner = "microsoft";
     const repo = "component-detection";
-    console.debug("Attempting to download latest release from " + githubAPIURL);
+    console.debug(`Attempting to download latest release from ${owner}/${repo}`);
 
     try {
       const latestRelease = await octokit.request("GET /repos/{owner}/{repo}/releases/latest", { owner, repo });
@@ -325,7 +334,7 @@ export default class ComponentDetection {
    * @param filePathInput The filePath input (relative or absolute) from the action configuration.
    * @returns A new DependencyGraphs object with relative path keys.
    */
-  public static normalizeDependencyGraphPaths(
+  public normalizeDependencyGraphPaths(
     dependencyGraphs: DependencyGraphs,
     filePathInput: string
   ): DependencyGraphs {

src/componentDetection.ts

@@ -25,7 +25,7 @@ export interface SubmitOpts {
     componentDetectionBinPath?: string; // optional path to component-detection executable
 }
 
-export async function getLanguageIntersection(octokit: any, owner: string, repo: string, languages: string[] | undefined, quiet: boolean = false): Promise<string[]> {
+export async function getLanguageIntersection(octokit: Octokit, owner: string, repo: string, languages: string[] | undefined, quiet: boolean = false): Promise<string[]> {
     const langResp = await octokit.request('GET /repos/{owner}/{repo}/languages', { owner, repo });
     const repoLangs = Object.keys(langResp.data || {});
     const wanted = languages;
@@ -63,10 +63,15 @@ export async function submitSnapshotIfPossible(opts: SubmitOpts): Promise<boolea
         throw new Error('Octokit instance is required in opts.octokit');
     }
 
+    const tmp = await fs.promises.mkdtemp(path.join(os.tmpdir(), 'cd-submission-'));
+
     try {
         const intersect = await getLanguageIntersection(opts.octokit, opts.owner, opts.repo, opts.languages);
         // Create temp dir and sparse checkout only manifest files according to selected languages
-        const tmp = fs.mkdtempSync(path.join(os.tmpdir(), 'cd-submission-'));
+        if (!intersect.length) {
+            // No matching languages, skip submission
+            return false;
+        }
         console.debug(chalk.green(`Sparse checkout into ${tmp} for languages: ${intersect.join(', ')}`));
 
         const sha = await sparseCheckout(opts.owner, opts.repo, opts.branch, tmp, intersect, opts.baseUrl);
@@ -76,14 +81,15 @@ export async function submitSnapshotIfPossible(opts: SubmitOpts): Promise<boolea
             if (!opts.quiet) console.error(chalk.red(`Failed to determine SHA for ${opts.owner}/${opts.repo} on branch ${opts.branch}`));
             return false;
         }
-        await run(opts.octokit, tmp, opts.owner, opts.repo, sha, opts.branch, opts.componentDetectionBinPath);
+        return await run(opts.octokit, tmp, opts.owner, opts.repo, sha, opts.branch, opts.componentDetectionBinPath);
 
     } catch (e) {
         if (!opts.quiet) console.error(chalk.red(`Component Detection failed: ${(e as Error).message}`));
         return false;
+    } finally {
+        // Clean up temp dir
+        await fs.promises.rm(tmp, { recursive: true, force: true });
     }
-
-    return true;
 }
 
 function buildSparsePatterns(langs: string[]): string[] {
@@ -124,8 +130,10 @@ function buildSparsePatterns(langs: string[]): string[] {
             add('**/*.sln');
         }
     }
-    // Always include root lockfiles just in case
-    add('package.json'); add('package-lock.json'); add('yarn.lock'); add('pnpm-lock.yaml');
+    // Include root lockfiles only if JavaScript/TypeScript is among selected languages
+    if (langs.some(l => ['javascript', 'typescript', 'node', 'js', 'ts'].includes(l.toLowerCase()))) {
+        add('package.json'); add('package-lock.json'); add('yarn.lock'); add('pnpm-lock.yaml');
+    }
     return Array.from(set);
 }
 
@@ -142,12 +150,11 @@ async function execGit(args: string[], opts: { cwd: string, quiet?: boolean }):
     });
 }
 
-export async function run(octokit: Octokit, tmpDir: string, owner: string, repo: string, sha: string, ref: string, componentDetectionBinPath?: string) {
+export async function run(octokit: Octokit, tmpDir: string, owner: string, repo: string, sha: string, ref: string, componentDetectionBinPath?: string): Promise<boolean> {
+
+    const componentDetection = new ComponentDetection(octokit, '', componentDetectionBinPath);
 
-    let manifests = await ComponentDetection.scanAndGetManifests(
-        tmpDir,
-        componentDetectionBinPath
-    );
+    let manifests = await componentDetection.scanAndGetManifests(tmpDir);
 
     // Get detector configuration inputs
     const detectorName = "Component Detection in GitHub SBOM Toolkit: advanced-security/github-sbom-toolkit";
@@ -161,9 +168,11 @@ export async function run(octokit: Octokit, tmpDir: string, owner: string, repo:
         url: detectorUrl,
     };
 
+    const date = new Date().toISOString();
+
     const job: Job = {
         correlator: 'github-sbom-toolkit',
-        id: Math.floor(Math.random() * Number.MAX_SAFE_INTEGER).toString()
+        id: `${owner}-${repo}-${ref}-${date}-${Math.floor(Math.random() * Number.MAX_SAFE_INTEGER).toString()}`
     };
 
     let snapshot = new Snapshot(detector, undefined, job);
@@ -176,20 +185,22 @@ export async function run(octokit: Octokit, tmpDir: string, owner: string, repo:
         snapshot.addManifest(manifest);
     });
 
-    submitSnapshot(octokit, snapshot, { owner, repo });
+    return await submitSnapshot(octokit, snapshot, { owner, repo });
 }
 
 /**
  * submitSnapshot submits a snapshot to the Dependency Submission API - vendored in from @github/dependency-submission-toolkit, to make it work at the CLI, vs in Actions.
  *
- * @param {Snapshot} snapshot
- * @param {Repo} repo
+ * @param {Octokit} octokit - The Octokit instance for GitHub API requests
+ * @param {Snapshot} snapshot - The dependency snapshot to submit
+ * @param {Repo} repo - The repository owner and name
+ * @returns {Promise<boolean>} true if submission was successful, false otherwise
  */
 export async function submitSnapshot(
     octokit: Octokit,
     snapshot: Snapshot,
     repo: { owner: string; repo: string }
-) {
+): Promise<boolean> {
     console.debug('Submitting snapshot...')
     console.debug(snapshot.prettyJSON())
 
@@ -198,7 +209,7 @@ export async function submitSnapshot(
             'POST /repos/{owner}/{repo}/dependency-graph/snapshots',
             {
                 headers: {
-                    accept: 'application/vnd.github.foo-bar-preview+json'
+                    accept: 'application/vnd.github+json'
                 },
                 owner: repo.owner,
                 repo: repo.repo,
@@ -211,10 +222,12 @@ export async function submitSnapshot(
                 `Snapshot successfully created at ${response.data.created_at.toString()}` +
                 ` with id ${response.data.id}`
             )
+            return true
         } else {
             console.error(
                 `Snapshot creation failed with result: "${result}: ${response.data.message}"`
             )
+            return false
         }
     } catch (error) {
         if (error instanceof RequestError) {
@@ -231,6 +244,6 @@ export async function submitSnapshot(
             console.error(error.message)
             if (error.stack) console.error(error.stack)
         }
-        throw new Error(`Failed to submit snapshot: ${error}`)
+        return false
     }
 }