feat: Github fallback for empty PURL for license exclusion

actions · jscaltreto · Nov 5, 2024 · Nov 5, 2024 · Nov 5, 2024 · 6d4c4cc8413236cbbb504e4e33776da8a93e3d83
commit 6d4c4cc8413236cbbb504e4e33776da8a93e3d83
@@ -206,6 +206,29 @@ test('it does not fail when the packages dont have a valid PURL', async () => {
   expect(invalidLicenses.forbidden.length).toEqual(1)
 })
 
+test('it does not filter out changes that are on the exclusions list with empty PURL fallback', async () => {
+  const emptyPurlChange = {
+    ...pipChange,
+    package_url: '',
+    source_repository_url: 'https://github.com/some-owner/some-repo'
+  }
+
+  const changes: Changes = [emptyPurlChange, npmChange, rubyChange]
+  const licensesConfig = {
+    allow: ['BSD-3-Clause'],
+    licenseExclusions: [
+      'pkg:npm/reeuhq@1.0.2',
+      'pkg:github/some-owner/some-repo'
+    ]
+  }
+
+  const invalidLicenses = await getInvalidLicenseChanges(
+    changes,
+    licensesConfig
+  )
+  expect(invalidLicenses.forbidden.length).toEqual(0)
+})
+
 test('it does filters out changes if they are not on the exclusions list', async () => {
   const changes: Changes = [pipChange, npmChange, rubyChange]
   const licensesConfig = {

@@ -1,3 +1,4 @@
+import * as core from '@actions/core'
 import {Change, Changes} from './schemas'
 import {octokitClient} from './utils'
 import {parsePURL} from './purl'
@@ -29,6 +30,12 @@ export async function getInvalidLicenseChanges(
     licenseExclusions?: string[]
   }
 ): Promise<InvalidLicenseChanges> {
+  interface packageInfo {
+    type: string
+    namespace: string | null
+    name: string | null
+  }
+
   const {allow, deny} = licenses
   const licenseExclusions = licenses.licenseExclusions?.map(
     (pkgUrl: string) => {
@@ -41,12 +48,30 @@ export async function getInvalidLicenseChanges(
   // Takes the changes from the groupedChanges object and filters out the ones that are part of the exclusions list
   // It does by creating a new PackageURL object from the change and comparing it to the exclusions list
   groupedChanges.licensed = groupedChanges.licensed.filter(change => {
+    let changeAsPackageURL: packageInfo
     if (change.package_url.length === 0) {
-      return true
+      if (change.source_repository_url === null) {
+        return true
+      }
+      core.debug(
+        `Package URL is empty, attempt to fallback to github. Change: ${JSON.stringify(change)}`
+      )
+      const githubUrl = parseGitHubURL(change.source_repository_url)
+      if (githubUrl === null) {
+        core.debug(
+          `Couldn't parse GitHub URL from ${change.source_repository_url}`
+        )
+        return true
+      }
+      changeAsPackageURL = {
+        type: 'github',
+        namespace: githubUrl.owner,
+        name: githubUrl.repo
+      }
+    } else {
+      changeAsPackageURL = parsePURL(encodeURI(change.package_url))
     }
 
-    const changeAsPackageURL = parsePURL(encodeURI(change.package_url))
-
     // We want to find if the licenseExclusion list contains the PackageURL of the Change
     // If it does, we want to filter it out and therefore return false
     // If it doesn't, we want to keep it and therefore return true