Merge pull request #14 from lseppala/lsep/purl-qualifiers

Fix encoding of PURL qualifiers
advanced-security · Jun 2, 2023 · d05bcf1 · d05bcf1
2 parents 5a8ce4a + 5961fd4
commit d05bcf1
Show file tree

Hide file tree

Showing 5 changed files with 58 additions and 15 deletions.
diff --git a/componentDetection.test.ts b/componentDetection.test.ts
@@ -1,20 +1,53 @@
-import ComponentDetection from './componentDetection';
-import fs from 'fs';
+import ComponentDetection from "./componentDetection";
+import fs from "fs";
 
-test('Downloads CLI', async () => {
+test("Downloads CLI", async () => {
   await ComponentDetection.downloadLatestRelease();
   expect(fs.existsSync(ComponentDetection.componentDetectionPath));
 });
 
-test('Runs CLI', async () => {
+test("Runs CLI", async () => {
   await ComponentDetection.downloadLatestRelease();
-  await ComponentDetection.runComponentDetection('./test');
+  await ComponentDetection.runComponentDetection("./test");
   expect(fs.existsSync(ComponentDetection.outputPath));
 });
 
-test('Parses CLI output', async () => {
+test("Parses CLI output", async () => {
   await ComponentDetection.downloadLatestRelease();
-  await ComponentDetection.runComponentDetection('./test');
+  await ComponentDetection.runComponentDetection("./test");
   var manifests = await ComponentDetection.getManifestsFromResults();
   expect(manifests?.length == 2);
-});
+});
+
+describe("ComponentDetection.makePackageUrl", () => {
+  test("returns a valid package url from saturated object", () => {
+    const packageUrl = ComponentDetection.makePackageUrl({
+      Scheme: "pkg",
+      Type: "npm",
+      Namespace: "github",
+      Name: "component-detection-action",
+      Version: "0.0.2",
+      Qualifiers: {
+        arch: "amd64",
+        os: "linux",
+      },
+    });
+    expect(packageUrl).toBe(
+      "pkg:npm/github/[email protected]?arch=amd64&os=linux"
+    );
+  });
+
+  test("returns valid package url without dangling ? with empty qualifers", () => {
+    const packageUrl = ComponentDetection.makePackageUrl({
+      Scheme: "pkg",
+      Type: "npm",
+      Namespace: "github",
+      Name: "component-detection-action",
+      Version: "0.0.2",
+      Qualifiers: { },
+    });
+    expect(packageUrl).toBe(
+      "pkg:npm/github/[email protected]"
+    );
+  });
+});
diff --git a/componentDetection.ts b/componentDetection.ts
@@ -119,7 +119,7 @@ export default class ComponentDetection {
     return pkg.isDevelopmentDependency ? 'development' : 'runtime'
   }
 
-  private static makePackageUrl(packageUrlJson: any): string {
+  public static makePackageUrl(packageUrlJson: any): string {
     var packageUrl = `${packageUrlJson.Scheme}:${packageUrlJson.Type}/`;
     if (packageUrlJson.Namespace) {
       packageUrl += `${packageUrlJson.Namespace.replaceAll("@", "%40")}/`;
@@ -128,8 +128,13 @@ export default class ComponentDetection {
     if (packageUrlJson.Version) {
       packageUrl += `@${packageUrlJson.Version}`;
     }
-    if (packageUrlJson.Qualifiers) {
-      packageUrl += `?${packageUrlJson.Qualifiers}`;
+    if (typeof packageUrlJson.Qualifiers === "object"
+      && packageUrlJson.Qualifiers !== null
+      && Object.keys(packageUrlJson.Qualifiers).length > 0) {
+      const qualifierString = Object.entries(packageUrlJson.Qualifiers)
+        .map(([key, value]) => `${key}=${value}`)
+        .join("&");
+      packageUrl += `?${qualifierString}`;
     }
     return packageUrl;
   }

diff --git a/dist/componentDetection.d.ts b/dist/componentDetection.d.ts
diff --git a/dist/index.js b/dist/index.js
diff --git a/dist/index.js.map b/dist/index.js.map