Compare commits
53 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 374343effe | |||
| 5a79ab0fa4 | |||
| 0c3e582042 | |||
| d433c2f467 | |||
| 96c59aebfe | |||
| 6dd7b2dc55 | |||
| 496691092b | |||
| e6ad22924a | |||
| 0b0b651777 | |||
| 914cb6dc5e | |||
| 28905c6bc0 | |||
| f89d41905d | |||
| 4e2fbd91ff | |||
| 6d25ae13f5 | |||
| 7d147e8b5f | |||
| 5789c204e4 | |||
| 98b7e66125 | |||
| b2779b0030 | |||
| 876b304ec0 | |||
| 3104f6d51c | |||
| 5d8c040f29 | |||
| 64db6d9d15 | |||
| a44e08867f | |||
| fc216b239a | |||
| 5b2736e4f4 | |||
| bbe83e8988 | |||
| c936885d12 | |||
| 5f4db12f7b | |||
| 466989c808 | |||
| 67f3292117 | |||
| 3f420ae88d | |||
| b242ddf67a | |||
| 3349f8c032 | |||
| 2517c7a607 | |||
| 2efc7af7df | |||
| 6d56d2b42c | |||
| 0de0af1352 | |||
| 4daccf7142 | |||
| caa69e181f | |||
| ef571d5a84 | |||
| 0eb73668fa | |||
| 7a168cbdc4 | |||
| 04aaaf6193 | |||
| 0f3b6aecc6 | |||
| 348257c874 | |||
| 779e8387fd | |||
| d5fd67e101 | |||
| 27e6d82755 | |||
| 3d11e5a0f7 | |||
| e0dcc85667 | |||
| 51ef6b3995 | |||
| cfe815dd6d | |||
| 9db31129a3 |
@@ -0,0 +1,42 @@
|
||||
name: Sync Fork with Upstream
|
||||
on:
|
||||
schedule:
|
||||
- cron: '0 0 * * 1' # Runs at midnight UTC every Monday
|
||||
workflow_dispatch:
|
||||
|
||||
permissions:
|
||||
contents: write
|
||||
pull-requests: write
|
||||
|
||||
jobs:
|
||||
sync:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout Repository
|
||||
uses: actions/checkout@v4
|
||||
with:
|
||||
token: ${{ secrets.GITHUB_TOKEN }}
|
||||
fetch-depth: 0
|
||||
|
||||
- name: Fetch Upstream Remote
|
||||
run: |
|
||||
git remote add upstream https://github.com/advanced-security/component-detection-dependency-submission-action.git
|
||||
git fetch upstream
|
||||
- name: Set Git Config
|
||||
run: |
|
||||
git config user.name "github-actions[bot]"
|
||||
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
|
||||
- name: Create and Push Branch
|
||||
run: |
|
||||
git checkout -b weekly-sync-branch-${{ github.run_id }}
|
||||
git merge upstream/main --no-commit
|
||||
git reset -- ./.github
|
||||
git commit -m "Merge upstream:main"
|
||||
git commit --allow-empty -m "Empty commit to open PR"
|
||||
git push --set-upstream origin weekly-sync-branch-${{ github.run_id }}
|
||||
- name: Open Pull Request
|
||||
run: |
|
||||
gh repo set-default actions/component-detection-dependency-submission-action
|
||||
gh pr create -B main -H weekly-sync-branch-${{ github.run_id }} --title 'Sync Fork with Upstream' --body 'Weekly Cron. Created by GitHub Actions.'
|
||||
env:
|
||||
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
+1
-1
@@ -1 +1 @@
|
||||
* @advanced-security/advanced-security-dependency-graph @advanced-security/oss-maintainers
|
||||
* @advanced-security/advanced-security-dependency-graph
|
||||
|
||||
+15
@@ -27,6 +27,21 @@ inputs:
|
||||
correlator:
|
||||
description: 'An optional identifier to distinguish between multiple dependency snapshots of the same type.'
|
||||
required: false
|
||||
detector-name:
|
||||
description: 'The name of the detector. If provided, detector-version and detector-url must also be provided.'
|
||||
required: false
|
||||
detector-version:
|
||||
description: 'The version of the detector. If provided, detector-name and detector-url must also be provided.'
|
||||
required: false
|
||||
detector-url:
|
||||
description: 'The URL of the detector. If provided, detector-name and detector-version must also be provided.'
|
||||
required: false
|
||||
snapshot-sha:
|
||||
description: 'The SHA of the commit to associate with the snapshot. If provided, snapshot-ref must also be provided.'
|
||||
required: false
|
||||
snapshot-ref:
|
||||
description: 'The Git reference to associate with the snapshot. If provided, snapshot-sha must also be provided.'
|
||||
required: false
|
||||
runs:
|
||||
using: 'node20'
|
||||
main: 'dist/index.js'
|
||||
|
||||
+177
-1
@@ -1,4 +1,4 @@
|
||||
import ComponentDetection from "./componentDetection";
|
||||
import ComponentDetection, { DependencyGraphs } from "./componentDetection";
|
||||
import fs from "fs";
|
||||
|
||||
test("Downloads CLI", async () => {
|
||||
@@ -68,3 +68,179 @@ describe("ComponentDetection.makePackageUrl", () => {
|
||||
expect(packageUrl).toBe("");
|
||||
});
|
||||
});
|
||||
|
||||
describe("ComponentDetection.processComponentsToManifests", () => {
|
||||
test("adds package as direct dependency when it is listed as an explicitlyReferencedComponentIds", () => {
|
||||
const componentsFound = [
|
||||
{
|
||||
component: {
|
||||
name: "test-package",
|
||||
version: "1.0.0",
|
||||
packageUrl: {
|
||||
Scheme: "pkg",
|
||||
Type: "npm",
|
||||
Name: "test-package",
|
||||
Version: "1.0.0"
|
||||
},
|
||||
id: "test-package 1.0.0 - npm"
|
||||
},
|
||||
isDevelopmentDependency: false,
|
||||
topLevelReferrers: [], // Empty = direct dependency
|
||||
locationsFoundAt: ["package.json"]
|
||||
}
|
||||
];
|
||||
|
||||
const dependencyGraphs: DependencyGraphs = {
|
||||
"package.json": {
|
||||
graph: { "test-package": null },
|
||||
explicitlyReferencedComponentIds: ["test-package 1.0.0 - npm"],
|
||||
developmentDependencies: [],
|
||||
dependencies: []
|
||||
}
|
||||
};
|
||||
|
||||
const manifests = ComponentDetection.processComponentsToManifests(componentsFound, dependencyGraphs);
|
||||
|
||||
expect(manifests).toHaveLength(1);
|
||||
expect(manifests[0].name).toBe("package.json");
|
||||
expect(manifests[0].directDependencies()).toHaveLength(1);
|
||||
expect(manifests[0].indirectDependencies()).toHaveLength(0);
|
||||
expect(manifests[0].countDependencies()).toBe(1);
|
||||
});
|
||||
|
||||
test("adds package as indirect dependency when it is not in explicitlyReferencedComponentIds", () => {
|
||||
const componentsFound = [
|
||||
{
|
||||
component: {
|
||||
name: "test-package",
|
||||
version: "1.0.0",
|
||||
packageUrl: {
|
||||
Scheme: "pkg",
|
||||
Type: "npm",
|
||||
Name: "test-package",
|
||||
Version: "1.0.0"
|
||||
},
|
||||
id: "test-package 1.0.0 - npm"
|
||||
},
|
||||
isDevelopmentDependency: false,
|
||||
topLevelReferrers: [
|
||||
{
|
||||
name: "parent-package",
|
||||
version: "1.0.0",
|
||||
packageUrl: {
|
||||
Scheme: "pkg",
|
||||
Type: "npm",
|
||||
Name: "parent-package",
|
||||
Version: "1.0.0"
|
||||
}
|
||||
}
|
||||
],
|
||||
locationsFoundAt: ["package.json"]
|
||||
}
|
||||
];
|
||||
|
||||
const dependencyGraphs: DependencyGraphs = {
|
||||
"package.json": {
|
||||
graph: { "parent-package": null },
|
||||
explicitlyReferencedComponentIds: [],
|
||||
developmentDependencies: [],
|
||||
dependencies: []
|
||||
}
|
||||
};
|
||||
|
||||
const manifests = ComponentDetection.processComponentsToManifests(componentsFound, dependencyGraphs);
|
||||
|
||||
expect(manifests).toHaveLength(1);
|
||||
expect(manifests[0].name).toBe("package.json");
|
||||
expect(manifests[0].directDependencies()).toHaveLength(0);
|
||||
expect(manifests[0].indirectDependencies()).toHaveLength(1);
|
||||
expect(manifests[0].countDependencies()).toBe(1);
|
||||
});
|
||||
});
|
||||
|
||||
describe('normalizeDependencyGraphPaths', () => {
|
||||
test('converts absolute paths to relative paths based on filePath input', () => {
|
||||
// Simulate a repo at /repo and a scan root at /repo/packages
|
||||
const fakeCwd = '/workspaces';
|
||||
const filePathInput = 'my-super-cool-repo';
|
||||
const absBase = '/workspaces/my-super-cool-repo';
|
||||
const dependencyGraphs: DependencyGraphs = {
|
||||
'/workspaces/my-super-cool-repo/a/package.json': {
|
||||
graph: { 'foo': null },
|
||||
explicitlyReferencedComponentIds: [],
|
||||
developmentDependencies: [],
|
||||
dependencies: []
|
||||
},
|
||||
'/workspaces/my-super-cool-repo/b/package.json': {
|
||||
graph: { 'bar': null },
|
||||
explicitlyReferencedComponentIds: [],
|
||||
developmentDependencies: [],
|
||||
dependencies: []
|
||||
}
|
||||
};
|
||||
// Patch process.cwd for this test
|
||||
const originalCwd = process.cwd;
|
||||
(process as any).cwd = () => fakeCwd;
|
||||
const normalized = ComponentDetection.normalizeDependencyGraphPaths(dependencyGraphs, filePathInput);
|
||||
// Restore process.cwd
|
||||
(process as any).cwd = originalCwd;
|
||||
expect(Object.keys(normalized)).toContain('a/package.json');
|
||||
expect(Object.keys(normalized)).toContain('b/package.json');
|
||||
expect(normalized['a/package.json'].graph).toEqual({ 'foo': null });
|
||||
expect(normalized['b/package.json'].graph).toEqual({ 'bar': null });
|
||||
});
|
||||
});
|
||||
|
||||
describe('normalizeDependencyGraphPaths with real output.json', () => {
|
||||
test('converts absolute paths in output.json to relative paths using current cwd and filePath', () => {
|
||||
const output = JSON.parse(fs.readFileSync('./output.json', 'utf8'));
|
||||
const dependencyGraphs = output.dependencyGraphs;
|
||||
// Use the same filePath as the action default (".")
|
||||
const normalized = ComponentDetection.normalizeDependencyGraphPaths(dependencyGraphs, 'test');
|
||||
|
||||
// Should contain root level manifests without leading slashes
|
||||
expect(Object.keys(normalized)).toContain('package.json');
|
||||
expect(Object.keys(normalized)).toContain('package-lock.json');
|
||||
|
||||
// Should contain nested manifests with relative paths (no leading slashes)
|
||||
expect(Object.keys(normalized)).toContain('nested/package.json');
|
||||
expect(Object.keys(normalized)).toContain('nested/package-lock.json');
|
||||
|
||||
// All keys should be relative paths without leading slashes
|
||||
for (const key of Object.keys(normalized)) {
|
||||
expect(key.startsWith('/')).toBe(false); // No leading slashes
|
||||
expect(key).not.toMatch(/^\w:\\|^\/\/|^\.{1,2}\//); // Not windows absolute, not network, not relative
|
||||
}
|
||||
});
|
||||
});
|
||||
|
||||
test('full action scan creates manifests with correct names and file source locations', async () => {
|
||||
await ComponentDetection.downloadLatestRelease();
|
||||
const manifests = await ComponentDetection.scanAndGetManifests('./test');
|
||||
|
||||
expect(manifests).toBeDefined();
|
||||
expect(manifests!.length).toBeGreaterThan(0);
|
||||
|
||||
for (const manifest of manifests!) {
|
||||
expect(manifest.name.startsWith('/')).toBe(false);
|
||||
}
|
||||
|
||||
const expectedManifestNames = [
|
||||
'package.json',
|
||||
'package-lock.json',
|
||||
'nested/package.json',
|
||||
'nested/package-lock.json',
|
||||
];
|
||||
|
||||
const manifestsByName = manifests!.reduce((acc, manifest) => {
|
||||
acc[manifest.name] = manifest;
|
||||
return acc;
|
||||
}, {} as Record<string, any>);
|
||||
|
||||
for (const expectedName of expectedManifestNames) {
|
||||
const manifest = manifestsByName[expectedName];
|
||||
expect(manifest).toBeDefined();
|
||||
expect(manifest.name).toBe(expectedName);
|
||||
expect(manifest.file?.source_location).toBe(expectedName);
|
||||
}
|
||||
}, 15000);
|
||||
|
||||
+99
-13
@@ -7,7 +7,7 @@ import {
|
||||
Package,
|
||||
Snapshot,
|
||||
Manifest,
|
||||
submitSnapshot
|
||||
submitSnapshot,
|
||||
} from '@github/dependency-submission-toolkit'
|
||||
import fetch from 'cross-fetch'
|
||||
import tar from 'tar'
|
||||
@@ -16,6 +16,7 @@ import * as exec from '@actions/exec';
|
||||
import dotenv from 'dotenv'
|
||||
import { Context } from '@actions/github/lib/context'
|
||||
import { unmockedModulePathPatterns } from './jest.config'
|
||||
import path from 'path';
|
||||
dotenv.config();
|
||||
|
||||
export default class ComponentDetection {
|
||||
@@ -68,14 +69,18 @@ export default class ComponentDetection {
|
||||
|
||||
public static async getManifestsFromResults(): Promise<Manifest[] | undefined> {
|
||||
core.info("Getting manifests from results");
|
||||
const results = await fs.readFileSync(this.outputPath, 'utf8');
|
||||
var json: any = JSON.parse(results);
|
||||
let dependencyGraphs: DependencyGraphs = this.normalizeDependencyGraphPaths(json.dependencyGraphs, core.getInput('filePath'));
|
||||
return this.processComponentsToManifests(json.componentsFound, dependencyGraphs);
|
||||
}
|
||||
|
||||
public static processComponentsToManifests(componentsFound: any[], dependencyGraphs: DependencyGraphs): Manifest[] {
|
||||
// Parse the result file and add the packages to the package cache
|
||||
const packageCache = new PackageCache();
|
||||
const packages: Array<ComponentDetectionPackage> = [];
|
||||
|
||||
const results = await fs.readFileSync(this.outputPath, 'utf8');
|
||||
|
||||
var json: any = JSON.parse(results);
|
||||
json.componentsFound.forEach(async (component: any) => {
|
||||
componentsFound.forEach(async (component: any) => {
|
||||
// Skip components without packageUrl
|
||||
if (!component.component.packageUrl) {
|
||||
core.debug(`Skipping component detected without packageUrl: ${JSON.stringify({
|
||||
@@ -113,6 +118,7 @@ export default class ComponentDetection {
|
||||
}
|
||||
|
||||
const referrerUrl = ComponentDetection.makePackageUrl(referrer.packageUrl);
|
||||
referrer.packageUrlString = referrerUrl
|
||||
|
||||
// Skip if the generated packageUrl is empty
|
||||
if (!referrerUrl) {
|
||||
@@ -122,6 +128,10 @@ export default class ComponentDetection {
|
||||
|
||||
try {
|
||||
const referrerPackage = packageCache.lookupPackage(referrerUrl);
|
||||
if (referrerPackage === pkg) {
|
||||
core.debug(`Skipping self-reference for package: ${pkg.id}`);
|
||||
return; // Skip self-references
|
||||
}
|
||||
if (referrerPackage) {
|
||||
referrerPackage.dependsOn(pkg);
|
||||
}
|
||||
@@ -135,20 +145,46 @@ export default class ComponentDetection {
|
||||
const manifests: Array<Manifest> = [];
|
||||
|
||||
// Check the locationsFoundAt for every package and add each as a manifest
|
||||
packages.forEach(async (pkg: ComponentDetectionPackage) => {
|
||||
pkg.locationsFoundAt.forEach(async (location: any) => {
|
||||
if (!manifests.find((manifest: Manifest) => manifest.name == location)) {
|
||||
const manifest = new Manifest(location, location);
|
||||
this.addPackagesToManifests(packages, manifests, dependencyGraphs);
|
||||
|
||||
return manifests;
|
||||
}
|
||||
|
||||
private static addPackagesToManifests(packages: Array<ComponentDetectionPackage>, manifests: Array<Manifest>, dependencyGraphs: DependencyGraphs): void {
|
||||
packages.forEach((pkg: ComponentDetectionPackage) => {
|
||||
pkg.locationsFoundAt.forEach((location: any) => {
|
||||
// Use the normalized path (remove leading slash if present)
|
||||
const normalizedLocation = location.startsWith('/') ? location.substring(1) : location;
|
||||
|
||||
if (!manifests.find((manifest: Manifest) => manifest.name == normalizedLocation)) {
|
||||
const manifest = new Manifest(normalizedLocation, normalizedLocation);
|
||||
manifests.push(manifest);
|
||||
}
|
||||
if (pkg.topLevelReferrers.length == 0) {
|
||||
manifests.find((manifest: Manifest) => manifest.name == location)?.addDirectDependency(pkg, ComponentDetection.getDependencyScope(pkg));
|
||||
|
||||
const depGraphEntry = dependencyGraphs[normalizedLocation];
|
||||
if (!depGraphEntry) {
|
||||
core.warning(`No dependency graph entry found for manifest location: ${normalizedLocation}`);
|
||||
return; // Skip this location if not found in dependencyGraphs
|
||||
}
|
||||
|
||||
const directDependencies = depGraphEntry.explicitlyReferencedComponentIds;
|
||||
if (directDependencies.includes(pkg.id)) {
|
||||
manifests
|
||||
.find((manifest: Manifest) => manifest.name == normalizedLocation)
|
||||
?.addDirectDependency(
|
||||
pkg,
|
||||
ComponentDetection.getDependencyScope(pkg)
|
||||
);
|
||||
} else {
|
||||
manifests.find((manifest: Manifest) => manifest.name == location)?.addIndirectDependency(pkg, ComponentDetection.getDependencyScope(pkg));
|
||||
manifests
|
||||
.find((manifest: Manifest) => manifest.name == normalizedLocation)
|
||||
?.addIndirectDependency(
|
||||
pkg,
|
||||
ComponentDetection.getDependencyScope(pkg)
|
||||
);
|
||||
}
|
||||
});
|
||||
});
|
||||
return manifests;
|
||||
}
|
||||
|
||||
private static getDependencyScope(pkg: ComponentDetectionPackage) {
|
||||
@@ -233,16 +269,66 @@ export default class ComponentDetection {
|
||||
throw new Error("Failed to download latest release");
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Normalizes the keys of a DependencyGraphs object to be relative paths from the resolved filePath input.
|
||||
* @param dependencyGraphs The DependencyGraphs object to normalize.
|
||||
* @param filePathInput The filePath input (relative or absolute) from the action configuration.
|
||||
* @returns A new DependencyGraphs object with relative path keys.
|
||||
*/
|
||||
public static normalizeDependencyGraphPaths(
|
||||
dependencyGraphs: DependencyGraphs,
|
||||
filePathInput: string
|
||||
): DependencyGraphs {
|
||||
// Resolve the base directory from filePathInput (relative to cwd if not absolute)
|
||||
const baseDir = path.resolve(process.cwd(), filePathInput);
|
||||
const normalized: DependencyGraphs = {};
|
||||
for (const absPath in dependencyGraphs) {
|
||||
// Make the path relative to the baseDir
|
||||
let relPath = path.relative(baseDir, absPath).replace(/\\/g, '/');
|
||||
normalized[relPath] = dependencyGraphs[absPath];
|
||||
}
|
||||
return normalized;
|
||||
}
|
||||
}
|
||||
|
||||
class ComponentDetectionPackage extends Package {
|
||||
public packageUrlString: string;
|
||||
|
||||
constructor(packageUrl: string, public id: string, public isDevelopmentDependency: boolean, public topLevelReferrers: [],
|
||||
public locationsFoundAt: [], public containerDetailIds: [], public containerLayerIds: []) {
|
||||
super(packageUrl);
|
||||
this.packageUrlString = packageUrl;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Types for the dependencyGraphs section of output.json
|
||||
*/
|
||||
export type DependencyGraph = {
|
||||
/**
|
||||
* The dependency graph: keys are component IDs, values are either null (no dependencies) or an array of component IDs (dependencies)
|
||||
*/
|
||||
graph: Record<string, string[] | null>;
|
||||
/**
|
||||
* Explicitly referenced component IDs
|
||||
*/
|
||||
explicitlyReferencedComponentIds: string[];
|
||||
/**
|
||||
* Development dependencies
|
||||
*/
|
||||
developmentDependencies: string[];
|
||||
/**
|
||||
* Regular dependencies
|
||||
*/
|
||||
dependencies: string[];
|
||||
};
|
||||
|
||||
/**
|
||||
* The top-level dependencyGraphs object: keys are manifest file paths, values are DependencyGraph objects
|
||||
*/
|
||||
export type DependencyGraphs = Record<string, DependencyGraph>;
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
+34
@@ -7,7 +7,41 @@ export default class ComponentDetection {
|
||||
static runComponentDetection(path: string): Promise<void>;
|
||||
private static getComponentDetectionParameters;
|
||||
static getManifestsFromResults(): Promise<Manifest[] | undefined>;
|
||||
static processComponentsToManifests(componentsFound: any[], dependencyGraphs: DependencyGraphs): Manifest[];
|
||||
private static addPackagesToManifests;
|
||||
private static getDependencyScope;
|
||||
static makePackageUrl(packageUrlJson: any): string;
|
||||
private static getLatestReleaseURL;
|
||||
/**
|
||||
* Normalizes the keys of a DependencyGraphs object to be relative paths from the resolved filePath input.
|
||||
* @param dependencyGraphs The DependencyGraphs object to normalize.
|
||||
* @param filePathInput The filePath input (relative or absolute) from the action configuration.
|
||||
* @returns A new DependencyGraphs object with relative path keys.
|
||||
*/
|
||||
static normalizeDependencyGraphPaths(dependencyGraphs: DependencyGraphs, filePathInput: string): DependencyGraphs;
|
||||
}
|
||||
/**
|
||||
* Types for the dependencyGraphs section of output.json
|
||||
*/
|
||||
export type DependencyGraph = {
|
||||
/**
|
||||
* The dependency graph: keys are component IDs, values are either null (no dependencies) or an array of component IDs (dependencies)
|
||||
*/
|
||||
graph: Record<string, string[] | null>;
|
||||
/**
|
||||
* Explicitly referenced component IDs
|
||||
*/
|
||||
explicitlyReferencedComponentIds: string[];
|
||||
/**
|
||||
* Development dependencies
|
||||
*/
|
||||
developmentDependencies: string[];
|
||||
/**
|
||||
* Regular dependencies
|
||||
*/
|
||||
dependencies: string[];
|
||||
};
|
||||
/**
|
||||
* The top-level dependencyGraphs object: keys are manifest file paths, values are DependencyGraph objects
|
||||
*/
|
||||
export type DependencyGraphs = Record<string, DependencyGraph>;
|
||||
|
||||
+143
-74
@@ -36002,6 +36002,7 @@ const cross_fetch_1 = __importDefault(__nccwpck_require__(3304));
|
||||
const fs_1 = __importDefault(__nccwpck_require__(9896));
|
||||
const exec = __importStar(__nccwpck_require__(5236));
|
||||
const dotenv_1 = __importDefault(__nccwpck_require__(8889));
|
||||
const path_1 = __importDefault(__nccwpck_require__(6928));
|
||||
dotenv_1.default.config();
|
||||
class ComponentDetection {
|
||||
// This is the default entry point for this class.
|
||||
@@ -36054,78 +36055,100 @@ class ComponentDetection {
|
||||
static getManifestsFromResults() {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
core.info("Getting manifests from results");
|
||||
// Parse the result file and add the packages to the package cache
|
||||
const packageCache = new dependency_submission_toolkit_1.PackageCache();
|
||||
const packages = [];
|
||||
const results = yield fs_1.default.readFileSync(this.outputPath, 'utf8');
|
||||
var json = JSON.parse(results);
|
||||
json.componentsFound.forEach((component) => __awaiter(this, void 0, void 0, function* () {
|
||||
// Skip components without packageUrl
|
||||
if (!component.component.packageUrl) {
|
||||
core.debug(`Skipping component detected without packageUrl: ${JSON.stringify({
|
||||
id: component.component.id,
|
||||
name: component.component.name || 'unnamed',
|
||||
type: component.component.type || 'unknown'
|
||||
}, null, 2)}`);
|
||||
let dependencyGraphs = this.normalizeDependencyGraphPaths(json.dependencyGraphs, core.getInput('filePath'));
|
||||
return this.processComponentsToManifests(json.componentsFound, dependencyGraphs);
|
||||
});
|
||||
}
|
||||
static processComponentsToManifests(componentsFound, dependencyGraphs) {
|
||||
// Parse the result file and add the packages to the package cache
|
||||
const packageCache = new dependency_submission_toolkit_1.PackageCache();
|
||||
const packages = [];
|
||||
componentsFound.forEach((component) => __awaiter(this, void 0, void 0, function* () {
|
||||
// Skip components without packageUrl
|
||||
if (!component.component.packageUrl) {
|
||||
core.debug(`Skipping component detected without packageUrl: ${JSON.stringify({
|
||||
id: component.component.id,
|
||||
name: component.component.name || 'unnamed',
|
||||
type: component.component.type || 'unknown'
|
||||
}, null, 2)}`);
|
||||
return;
|
||||
}
|
||||
const packageUrl = ComponentDetection.makePackageUrl(component.component.packageUrl);
|
||||
// Skip if the packageUrl is empty (indicates an invalid or missing packageUrl)
|
||||
if (!packageUrl) {
|
||||
core.debug(`Skipping component with invalid packageUrl: ${component.component.id}`);
|
||||
return;
|
||||
}
|
||||
if (!packageCache.hasPackage(packageUrl)) {
|
||||
const pkg = new ComponentDetectionPackage(packageUrl, component.component.id, component.isDevelopmentDependency, component.topLevelReferrers, component.locationsFoundAt, component.containerDetailIds, component.containerLayerIds);
|
||||
packageCache.addPackage(pkg);
|
||||
packages.push(pkg);
|
||||
}
|
||||
}));
|
||||
// Set the transitive dependencies
|
||||
core.debug("Sorting out transitive dependencies");
|
||||
packages.forEach((pkg) => __awaiter(this, void 0, void 0, function* () {
|
||||
pkg.topLevelReferrers.forEach((referrer) => __awaiter(this, void 0, void 0, function* () {
|
||||
// Skip if referrer doesn't have a valid packageUrl
|
||||
if (!referrer.packageUrl) {
|
||||
core.debug(`Skipping referrer without packageUrl for component: ${pkg.id}`);
|
||||
return;
|
||||
}
|
||||
const packageUrl = ComponentDetection.makePackageUrl(component.component.packageUrl);
|
||||
// Skip if the packageUrl is empty (indicates an invalid or missing packageUrl)
|
||||
if (!packageUrl) {
|
||||
core.debug(`Skipping component with invalid packageUrl: ${component.component.id}`);
|
||||
const referrerUrl = ComponentDetection.makePackageUrl(referrer.packageUrl);
|
||||
referrer.packageUrlString = referrerUrl;
|
||||
// Skip if the generated packageUrl is empty
|
||||
if (!referrerUrl) {
|
||||
core.debug(`Skipping referrer with invalid packageUrl for component: ${pkg.id}`);
|
||||
return;
|
||||
}
|
||||
if (!packageCache.hasPackage(packageUrl)) {
|
||||
const pkg = new ComponentDetectionPackage(packageUrl, component.component.id, component.isDevelopmentDependency, component.topLevelReferrers, component.locationsFoundAt, component.containerDetailIds, component.containerLayerIds);
|
||||
packageCache.addPackage(pkg);
|
||||
packages.push(pkg);
|
||||
try {
|
||||
const referrerPackage = packageCache.lookupPackage(referrerUrl);
|
||||
if (referrerPackage === pkg) {
|
||||
core.debug(`Skipping self-reference for package: ${pkg.id}`);
|
||||
return; // Skip self-references
|
||||
}
|
||||
if (referrerPackage) {
|
||||
referrerPackage.dependsOn(pkg);
|
||||
}
|
||||
}
|
||||
catch (error) {
|
||||
core.debug(`Error looking up referrer package: ${error}`);
|
||||
}
|
||||
}));
|
||||
// Set the transitive dependencies
|
||||
core.debug("Sorting out transitive dependencies");
|
||||
packages.forEach((pkg) => __awaiter(this, void 0, void 0, function* () {
|
||||
pkg.topLevelReferrers.forEach((referrer) => __awaiter(this, void 0, void 0, function* () {
|
||||
// Skip if referrer doesn't have a valid packageUrl
|
||||
if (!referrer.packageUrl) {
|
||||
core.debug(`Skipping referrer without packageUrl for component: ${pkg.id}`);
|
||||
return;
|
||||
}
|
||||
const referrerUrl = ComponentDetection.makePackageUrl(referrer.packageUrl);
|
||||
// Skip if the generated packageUrl is empty
|
||||
if (!referrerUrl) {
|
||||
core.debug(`Skipping referrer with invalid packageUrl for component: ${pkg.id}`);
|
||||
return;
|
||||
}
|
||||
try {
|
||||
const referrerPackage = packageCache.lookupPackage(referrerUrl);
|
||||
if (referrerPackage) {
|
||||
referrerPackage.dependsOn(pkg);
|
||||
}
|
||||
}
|
||||
catch (error) {
|
||||
core.debug(`Error looking up referrer package: ${error}`);
|
||||
}
|
||||
}));
|
||||
}));
|
||||
// Create manifests
|
||||
const manifests = [];
|
||||
// Check the locationsFoundAt for every package and add each as a manifest
|
||||
packages.forEach((pkg) => __awaiter(this, void 0, void 0, function* () {
|
||||
pkg.locationsFoundAt.forEach((location) => __awaiter(this, void 0, void 0, function* () {
|
||||
var _a, _b;
|
||||
if (!manifests.find((manifest) => manifest.name == location)) {
|
||||
const manifest = new dependency_submission_toolkit_1.Manifest(location, location);
|
||||
manifests.push(manifest);
|
||||
}
|
||||
if (pkg.topLevelReferrers.length == 0) {
|
||||
(_a = manifests.find((manifest) => manifest.name == location)) === null || _a === void 0 ? void 0 : _a.addDirectDependency(pkg, ComponentDetection.getDependencyScope(pkg));
|
||||
}
|
||||
else {
|
||||
(_b = manifests.find((manifest) => manifest.name == location)) === null || _b === void 0 ? void 0 : _b.addIndirectDependency(pkg, ComponentDetection.getDependencyScope(pkg));
|
||||
}
|
||||
}));
|
||||
}));
|
||||
return manifests;
|
||||
}));
|
||||
// Create manifests
|
||||
const manifests = [];
|
||||
// Check the locationsFoundAt for every package and add each as a manifest
|
||||
this.addPackagesToManifests(packages, manifests, dependencyGraphs);
|
||||
return manifests;
|
||||
}
|
||||
static addPackagesToManifests(packages, manifests, dependencyGraphs) {
|
||||
packages.forEach((pkg) => {
|
||||
pkg.locationsFoundAt.forEach((location) => {
|
||||
var _a, _b;
|
||||
// Use the normalized path (remove leading slash if present)
|
||||
const normalizedLocation = location.startsWith('/') ? location.substring(1) : location;
|
||||
if (!manifests.find((manifest) => manifest.name == normalizedLocation)) {
|
||||
const manifest = new dependency_submission_toolkit_1.Manifest(normalizedLocation, normalizedLocation);
|
||||
manifests.push(manifest);
|
||||
}
|
||||
const depGraphEntry = dependencyGraphs[normalizedLocation];
|
||||
if (!depGraphEntry) {
|
||||
core.warning(`No dependency graph entry found for manifest location: ${normalizedLocation}`);
|
||||
return; // Skip this location if not found in dependencyGraphs
|
||||
}
|
||||
const directDependencies = depGraphEntry.explicitlyReferencedComponentIds;
|
||||
if (directDependencies.includes(pkg.id)) {
|
||||
(_a = manifests
|
||||
.find((manifest) => manifest.name == normalizedLocation)) === null || _a === void 0 ? void 0 : _a.addDirectDependency(pkg, ComponentDetection.getDependencyScope(pkg));
|
||||
}
|
||||
else {
|
||||
(_b = manifests
|
||||
.find((manifest) => manifest.name == normalizedLocation)) === null || _b === void 0 ? void 0 : _b.addIndirectDependency(pkg, ComponentDetection.getDependencyScope(pkg));
|
||||
}
|
||||
});
|
||||
});
|
||||
}
|
||||
static getDependencyScope(pkg) {
|
||||
@@ -36203,6 +36226,23 @@ class ComponentDetection {
|
||||
}
|
||||
});
|
||||
}
|
||||
/**
|
||||
* Normalizes the keys of a DependencyGraphs object to be relative paths from the resolved filePath input.
|
||||
* @param dependencyGraphs The DependencyGraphs object to normalize.
|
||||
* @param filePathInput The filePath input (relative or absolute) from the action configuration.
|
||||
* @returns A new DependencyGraphs object with relative path keys.
|
||||
*/
|
||||
static normalizeDependencyGraphPaths(dependencyGraphs, filePathInput) {
|
||||
// Resolve the base directory from filePathInput (relative to cwd if not absolute)
|
||||
const baseDir = path_1.default.resolve(process.cwd(), filePathInput);
|
||||
const normalized = {};
|
||||
for (const absPath in dependencyGraphs) {
|
||||
// Make the path relative to the baseDir
|
||||
let relPath = path_1.default.relative(baseDir, absPath).replace(/\\/g, '/');
|
||||
normalized[relPath] = dependencyGraphs[absPath];
|
||||
}
|
||||
return normalized;
|
||||
}
|
||||
}
|
||||
exports["default"] = ComponentDetection;
|
||||
ComponentDetection.componentDetectionPath = process.platform === "win32" ? './component-detection.exe' : './component-detection';
|
||||
@@ -36216,6 +36256,7 @@ class ComponentDetectionPackage extends dependency_submission_toolkit_1.Package
|
||||
this.locationsFoundAt = locationsFoundAt;
|
||||
this.containerDetailIds = containerDetailIds;
|
||||
this.containerLayerIds = containerLayerIds;
|
||||
this.packageUrlString = packageUrl;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -36267,23 +36308,51 @@ const github = __importStar(__nccwpck_require__(3228));
|
||||
const dependency_submission_toolkit_1 = __nccwpck_require__(3323);
|
||||
const componentDetection_1 = __importDefault(__nccwpck_require__(3202));
|
||||
function run() {
|
||||
var _a;
|
||||
var _a, _b, _c, _d, _e, _f;
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
let manifests = yield componentDetection_1.default.scanAndGetManifests(core.getInput('filePath'));
|
||||
const correlatorInput = ((_a = core.getInput('correlator')) === null || _a === void 0 ? void 0 : _a.trim()) || github.context.job;
|
||||
let snapshot = new dependency_submission_toolkit_1.Snapshot({
|
||||
name: "Component Detection",
|
||||
version: "0.0.1",
|
||||
url: "https://github.com/advanced-security/component-detection-dependency-submission-action",
|
||||
}, github.context, {
|
||||
let manifests = yield componentDetection_1.default.scanAndGetManifests(core.getInput("filePath"));
|
||||
const correlatorInput = ((_a = core.getInput("correlator")) === null || _a === void 0 ? void 0 : _a.trim()) || github.context.job;
|
||||
// Get detector configuration inputs
|
||||
const detectorName = (_b = core.getInput("detector-name")) === null || _b === void 0 ? void 0 : _b.trim();
|
||||
const detectorVersion = (_c = core.getInput("detector-version")) === null || _c === void 0 ? void 0 : _c.trim();
|
||||
const detectorUrl = (_d = core.getInput("detector-url")) === null || _d === void 0 ? void 0 : _d.trim();
|
||||
// Validate that if any detector config is provided, all must be provided
|
||||
const hasAnyDetectorInput = detectorName || detectorVersion || detectorUrl;
|
||||
const hasAllDetectorInputs = detectorName && detectorVersion && detectorUrl;
|
||||
if (hasAnyDetectorInput && !hasAllDetectorInputs) {
|
||||
core.setFailed("If any detector configuration is provided (detector-name, detector-version, detector-url), all three must be provided.");
|
||||
return;
|
||||
}
|
||||
// Use provided detector config or defaults
|
||||
const detector = hasAllDetectorInputs
|
||||
? {
|
||||
name: detectorName,
|
||||
version: detectorVersion,
|
||||
url: detectorUrl,
|
||||
}
|
||||
: {
|
||||
name: "Component Detection",
|
||||
version: "0.0.1",
|
||||
url: "https://github.com/advanced-security/component-detection-dependency-submission-action",
|
||||
};
|
||||
let snapshot = new dependency_submission_toolkit_1.Snapshot(detector, github.context, {
|
||||
correlator: correlatorInput,
|
||||
id: github.context.runId.toString()
|
||||
id: github.context.runId.toString(),
|
||||
});
|
||||
core.debug(`Manifests: ${manifests === null || manifests === void 0 ? void 0 : manifests.length}`);
|
||||
manifests === null || manifests === void 0 ? void 0 : manifests.forEach(manifest => {
|
||||
manifests === null || manifests === void 0 ? void 0 : manifests.forEach((manifest) => {
|
||||
core.debug(`Manifest: ${JSON.stringify(manifest)}`);
|
||||
snapshot.addManifest(manifest);
|
||||
});
|
||||
// Override snapshot ref and sha if provided
|
||||
const snapshotSha = (_e = core.getInput("snapshot-sha")) === null || _e === void 0 ? void 0 : _e.trim();
|
||||
const snapshotRef = (_f = core.getInput("snapshot-ref")) === null || _f === void 0 ? void 0 : _f.trim();
|
||||
if (snapshotSha) {
|
||||
snapshot.sha = snapshotSha;
|
||||
}
|
||||
if (snapshotRef) {
|
||||
snapshot.ref = snapshotRef;
|
||||
}
|
||||
(0, dependency_submission_toolkit_1.submitSnapshot)(snapshot);
|
||||
});
|
||||
}
|
||||
|
||||
+1
-1
File diff suppressed because one or more lines are too long
@@ -13,27 +13,65 @@ import {
|
||||
import ComponentDetection from './componentDetection';
|
||||
|
||||
async function run() {
|
||||
let manifests = await ComponentDetection.scanAndGetManifests(core.getInput('filePath'));
|
||||
const correlatorInput = core.getInput('correlator')?.trim() || github.context.job;
|
||||
|
||||
let snapshot = new Snapshot({
|
||||
name: "Component Detection",
|
||||
version: "0.0.1",
|
||||
url: "https://github.com/advanced-security/component-detection-dependency-submission-action",
|
||||
},
|
||||
github.context,
|
||||
{
|
||||
let manifests = await ComponentDetection.scanAndGetManifests(
|
||||
core.getInput("filePath")
|
||||
);
|
||||
const correlatorInput =
|
||||
core.getInput("correlator")?.trim() || github.context.job;
|
||||
|
||||
// Get detector configuration inputs
|
||||
const detectorName = core.getInput("detector-name")?.trim();
|
||||
const detectorVersion = core.getInput("detector-version")?.trim();
|
||||
const detectorUrl = core.getInput("detector-url")?.trim();
|
||||
|
||||
// Validate that if any detector config is provided, all must be provided
|
||||
const hasAnyDetectorInput = detectorName || detectorVersion || detectorUrl;
|
||||
const hasAllDetectorInputs = detectorName && detectorVersion && detectorUrl;
|
||||
|
||||
if (hasAnyDetectorInput && !hasAllDetectorInputs) {
|
||||
core.setFailed(
|
||||
"If any detector configuration is provided (detector-name, detector-version, detector-url), all three must be provided."
|
||||
);
|
||||
return;
|
||||
}
|
||||
|
||||
// Use provided detector config or defaults
|
||||
const detector = hasAllDetectorInputs
|
||||
? {
|
||||
name: detectorName,
|
||||
version: detectorVersion,
|
||||
url: detectorUrl,
|
||||
}
|
||||
: {
|
||||
name: "Component Detection",
|
||||
version: "0.0.1",
|
||||
url: "https://github.com/advanced-security/component-detection-dependency-submission-action",
|
||||
};
|
||||
|
||||
let snapshot = new Snapshot(detector, github.context, {
|
||||
correlator: correlatorInput,
|
||||
id: github.context.runId.toString()
|
||||
id: github.context.runId.toString(),
|
||||
});
|
||||
|
||||
core.debug(`Manifests: ${manifests?.length}`);
|
||||
|
||||
manifests?.forEach(manifest => {
|
||||
manifests?.forEach((manifest) => {
|
||||
core.debug(`Manifest: ${JSON.stringify(manifest)}`);
|
||||
snapshot.addManifest(manifest);
|
||||
});
|
||||
|
||||
// Override snapshot ref and sha if provided
|
||||
const snapshotSha = core.getInput("snapshot-sha")?.trim();
|
||||
const snapshotRef = core.getInput("snapshot-ref")?.trim();
|
||||
|
||||
if (snapshotSha) {
|
||||
snapshot.sha = snapshotSha;
|
||||
}
|
||||
|
||||
if (snapshotRef) {
|
||||
snapshot.ref = snapshotRef;
|
||||
}
|
||||
|
||||
submitSnapshot(snapshot);
|
||||
}
|
||||
|
||||
|
||||
Generated
+2
-2
@@ -1,12 +1,12 @@
|
||||
{
|
||||
"name": "component-detection-action",
|
||||
"version": "1.0.0",
|
||||
"version": "0.0.7",
|
||||
"lockfileVersion": 2,
|
||||
"requires": true,
|
||||
"packages": {
|
||||
"": {
|
||||
"name": "component-detection-action",
|
||||
"version": "1.0.0",
|
||||
"version": "0.0.7",
|
||||
"license": "MIT",
|
||||
"dependencies": {
|
||||
"@actions/core": "^1.10.0",
|
||||
|
||||
+1
-1
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"name": "component-detection-action",
|
||||
"version": "1.0.0",
|
||||
"version": "0.1.0",
|
||||
"description": "Component detection action",
|
||||
"main": "dist/index.js",
|
||||
"type": "module",
|
||||
|
||||
Generated
+45
@@ -0,0 +1,45 @@
|
||||
{
|
||||
"name": "nested-test-package",
|
||||
"version": "1.0.0",
|
||||
"lockfileVersion": 3,
|
||||
"requires": true,
|
||||
"packages": {
|
||||
"": {
|
||||
"name": "nested-test-package",
|
||||
"version": "1.0.0",
|
||||
"dependencies": {
|
||||
"lodash": "^4.17.21"
|
||||
},
|
||||
"devDependencies": {
|
||||
"jest": "^29.0.0"
|
||||
}
|
||||
},
|
||||
"node_modules/lodash": {
|
||||
"version": "4.17.21",
|
||||
"resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
|
||||
"integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg=="
|
||||
},
|
||||
"node_modules/jest": {
|
||||
"version": "29.7.0",
|
||||
"resolved": "https://registry.npmjs.org/jest/-/jest-29.7.0.tgz",
|
||||
"integrity": "sha512-NIy3oAFp9shda19hy4HK0HRTWKtPJmGdnvywu01nOqNC2vZg+Z+fvJDxpMQA88eb2I9EcafcdjYgsDthnYTvGw==",
|
||||
"dev": true,
|
||||
"bin": {
|
||||
"jest": "bin/jest.js"
|
||||
}
|
||||
}
|
||||
},
|
||||
"dependencies": {
|
||||
"lodash": {
|
||||
"version": "4.17.21",
|
||||
"resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
|
||||
"integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg=="
|
||||
},
|
||||
"jest": {
|
||||
"version": "29.7.0",
|
||||
"resolved": "https://registry.npmjs.org/jest/-/jest-29.7.0.tgz",
|
||||
"integrity": "sha512-NIy3oAFp9shda19hy4HK0HRTWKtPJmGdnvywu01nOqNC2vZg+Z+fvJDxpMQA88eb2I9EcafcdjYgsDthnYTvGw==",
|
||||
"dev": true
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,12 @@
|
||||
{
|
||||
"name": "nested-test-package",
|
||||
"version": "1.0.0",
|
||||
"description": "A nested test package for component detection testing",
|
||||
"main": "index.js",
|
||||
"dependencies": {
|
||||
"lodash": "^4.17.21"
|
||||
},
|
||||
"devDependencies": {
|
||||
"jest": "^29.0.0"
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user