Replace packageurl-js with our own implementation

__tests__/deny.test.ts

@@ -106,6 +106,25 @@ test('denies packages that match the deny group list exactly', async () => {
   expect(deniedChanges[0]).toBe(changes[1])
 })
 
+test(`denies packages using the namespace from the name when there's no package_url`, async () => {
+  const changes: Changes = [
+    createTestChange({
+      package_url: 'pkg:npm/org.test.pass/pass-this@1.0.0',
+      ecosystem: 'npm'
+    }),
+    createTestChange({
+      name: 'org.test:deny-this',
+      package_url: '',
+      ecosystem: 'maven'
+    })
+  ]
+  const deniedGroups = createTestPURLs(['pkg:maven/org.test/'])
+  const deniedChanges = await getDeniedChanges(changes, [], deniedGroups)
+
+  expect(deniedChanges.length).toEqual(1)
+  expect(deniedChanges[0]).toBe(changes[1])
+})
+
 test('allows packages not defined in the deny packages and groups list', async () => {
   const changes: Changes = [npmChange, pipChange]
   const deniedPackages = createTestPURLs([

__tests__/fixtures/create-test-change.ts

@@ -1,7 +1,6 @@
-import {PackageURL} from 'packageurl-js'
 import {Change} from '../../src/schemas'
 import {createTestVulnerability} from './create-test-vulnerability'
-import {parsePURL} from '../../src/utils'
+import {PackageURL, parsePURL} from '../../src/purl'
 
 const defaultNpmChange: Change = {
   change_type: 'added',

__tests__/purl.test.ts

@@ -0,0 +1,140 @@
+import {expect, test} from '@jest/globals'
+import {parsePURL} from '../src/purl'
+
+test('parsePURL returns an error if the purl does not start with "pkg:"', () => {
+  const purl = 'not-a-purl'
+  const result = parsePURL(purl)
+  expect(result.error).toEqual('purl must start with "pkg:"')
+})
+
+test('parsePURL returns an error if the purl does not contain an ecosystem', () => {
+  const purl = 'pkg:/'
+  const result = parsePURL(purl)
+  expect(result.error).toEqual('purl must contain an ecosystem')
+})
+
+test('parsePURL returns an error if the purl does not contain a namespace or name', () => {
+  const purl = 'pkg:ecosystem/'
+  const result = parsePURL(purl)
+  expect(result.type).toEqual('ecosystem')
+  expect(result.error).toEqual('purl must contain a namespace or name')
+})
+
+test('parsePURL returns a PURL with the correct values in the happy case', () => {
+  const purl = 'pkg:ecosystem/namespace/name@version'
+  const result = parsePURL(purl)
+  expect(result.type).toEqual('ecosystem')
+  expect(result.namespace).toEqual('namespace')
+  expect(result.name).toEqual('name')
+  expect(result.version).toEqual('version')
+  expect(result.original).toEqual(purl)
+  expect(result.error).toBeNull()
+})
+
+test('parsePURL table test', () => {
+  const examples = [
+    {
+      purl: 'pkg:npm/@n4m3SPACE/Name@^1.2.3',
+      expected: {
+        type: 'npm',
+        namespace: '@n4m3SPACE',
+        name: 'Name',
+        version: '^1.2.3',
+        original: 'pkg:npm/@n4m3SPACE/Name@^1.2.3',
+        error: null
+      }
+    },
+    {
+      purl: 'pkg:npm/%40ns%20foo/n%40me@1.%2f2.3',
+      expected: {
+        type: 'npm',
+        namespace: '@ns foo',
+        name: 'n@me',
+        version: '1./2.3',
+        original: 'pkg:npm/%40ns%20foo/n%40me@1.%2f2.3',
+        error: null
+      }
+    },
+    {
+      purl: 'pkg:ecosystem/name@version',
+      expected: {
+        type: 'ecosystem',
+        namespace: null,
+        name: 'name',
+        version: 'version',
+        original: 'pkg:ecosystem/name@version',
+        error: null
+      }
+    },
+    {
+      purl: 'pkg:npm/namespace/',
+      expected: {
+        type: 'npm',
+        namespace: 'namespace',
+        name: null,
+        version: null,
+        original: 'pkg:npm/namespace/',
+        error: null
+      }
+    },
+    {
+      purl: 'pkg:ecosystem/name',
+      expected: {
+        type: 'ecosystem',
+        namespace: null,
+        name: 'name',
+        version: null,
+        original: 'pkg:ecosystem/name',
+        error: null
+      }
+    },
+    {
+      purl: 'pkg:ecosystem/name@version#subpath?attributes=123',
+      expected: {
+        type: 'ecosystem',
+        namespace: null,
+        name: 'name',
+        version: 'version',
+        original: 'pkg:ecosystem/name@version#subpath?attributes=123',
+        error: null
+      }
+    },
+    {
+      purl: 'pkg:ecosystem/name@version#subpath',
+      expected: {
+        type: 'ecosystem',
+        namespace: null,
+        name: 'name',
+        version: 'version',
+        original: 'pkg:ecosystem/name@version#subpath',
+        error: null
+      }
+    },
+    {
+      purl: 'pkg:ecosystem/namespace/name@version?attributes',
+      expected: {
+        type: 'ecosystem',
+        namespace: 'namespace',
+        name: 'name',
+        version: 'version',
+        original: 'pkg:ecosystem/namespace/name@version?attributes',
+        error: null
+      }
+    },
+    {
+      purl: 'pkg:ecosystem/name#subpath?attributes',
+      expected: {
+        type: 'ecosystem',
+        namespace: null,
+        name: 'name',
+        version: null,
+        original: 'pkg:ecosystem/name#subpath?attributes',
+        error: null
+      }
+    }
+  ]
+  for (const example of examples) {
+    const result = parsePURL(example.purl)
+    expect(result).toEqual(example.expected)
+  }
+})

action.yml

@@ -59,7 +59,7 @@ inputs:
     description: A comma-separated list of package URLs to deny (e.g. "pkg:npm/express, pkg:pypi/pycrypto"). If version specified, only deny matching packages and version; else, deny all regardless of version.
     required: false
   deny-groups:
-    description: A comma-separated list of package URLs for group(s)/namespace(s) to deny (e.g. "pkg:npm/express, pkg:pypi/pycrypto")
+    description: A comma-separated list of package URLs for group(s)/namespace(s) to deny (e.g. "pkg:npm/express/, pkg:pypi/pycrypto/"). Please note that the group name must be followed by a `/`.
     required: false
   retry-on-snapshot-warnings:
     description: Whether to retry on snapshot warnings