From d9209374afffa5b855ed654f9736290f72698ba6 Mon Sep 17 00:00:00 2001
From: Justin Hutchings
Date: Fri, 22 Mar 2024 21:00:38 +0000
Subject: [PATCH] Fix repositoryUrl issues around GitHub Actions

---
 __tests__/scorecard.test.ts | 21 +++++++++++++++++++++
 src/scorecard.ts | 12 ++++++++++--
 2 files changed, 31 insertions(+), 2 deletions(-)

diff --git a/__tests__/scorecard.test.ts b/__tests__/scorecard.test.ts
index 493a070..06e770d 100644
--- a/__tests__/scorecard.test.ts
+++ b/__tests__/scorecard.test.ts
@@ -22,6 +22,19 @@ const npmChange: Change = {
   ]
 }
 
+const actionsChange: Change = {
+  manifest: 'workflow.yml',
+  change_type: 'added',
+  ecosystem: 'actions',
+  name: 'actions/checkout',
+  version: 'v3',
+  package_url: 'pkg:githubactions/actions@v3',
+  license: 'MIT',
+  source_repository_url: 'null',
+  scope: 'runtime',
+  vulnerabilities: []
+}
+
 test('Get scorecard from API', async () => {
   const changes: Changes = [npmChange]
   const scorecard = await getScorecardLevels(changes)
@@ -38,3 +51,11 @@ test('Get project URL from deps.dev API', async () => {
   )
   expect(result).not.toBeNull()
 })
+
+test('Handles Actions special case', async () => {
+  const changes: Changes = [actionsChange]
+  const result = await getScorecardLevels(changes)
+  expect(result).not.toBeNull()
+  expect(result.dependencies).toHaveLength(1)
+  expect(result.dependencies[0].scorecard?.score).toBeGreaterThan(0)
+})
diff --git a/src/scorecard.ts b/src/scorecard.ts
index 9411fc9..4f1e0cc 100644
--- a/src/scorecard.ts
+++ b/src/scorecard.ts
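Review bot: The new fixture sets `source_repository_url: 'null'` — the string, not the value `null` — so it is truthy, and whether `getScorecardLevels` reads that field into `repositoryUrl` is outside this hunk; if the real API does emit the literal string, the `!repositoryUrl` fallback in src/scorecard.ts would never fire for non-actions packages with that value, and if it does not, the fixture should use `null` (or omit the field) so the test exercises the same input as production. The assertion `expect(result.dependencies[0].scorecard?.score).toBeGreaterThan(0)` also pins the test to live scorecard data for actions/checkout, so it will fail on an API outage or a score change rather than on a regression in this code; consider asserting only that `scorecard` is defined, or stubbing the fetch. A short comment on the fixture, e.g. `// Mirrors what the dependency-review API returns for an action: no usable source URL`, would make the intent of the 'null' value clear to the next reader.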
@@ -17,8 +17,16 @@ export async function getScorecardLevels(
     repositoryUrl = repositoryUrl.replace('https://', '')
   }
 
+  // Handle the special case for GitHub Actions, where the repository URL is null
+  if (ecosystem === 'actions') {
+    // The package name for GitHub Actions in the API is in the format `owner/repo/`, so we can use that to get the repository URL
+    // If the package name has more than 2 slashes, it's referencing a sub-action, and we need to strip the last part out
+    const parts = packageName.split('/')
+    repositoryUrl = `github.com/${parts[0]}/${parts[1]}` // e.g. github.com/actions/checkout
+  }
+
   // If GitHub API doesn't have the repository URL, query deps.dev for it.
-  if (repositoryUrl) {
+  if (!repositoryUrl) {
     // Call the deps.dev API to get the repository URL from there
     repositoryUrl = await getProjectUrl(ecosystem, packageName, version)
   }
@@ -70,4 +78,4 @@ export async function getProjectUrl(
   }
 }
 return ''
-}
+}
\ No newline at end of file
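Review bot: `parts[1]` is used without a check, so an actions name with no slash (or a `docker://`-style reference) yields `github.com/<name>/undefined`, and since that string is truthy the deps.dev fallback on the next lines is skipped too. `packageName` comes from the manifest in the pull request being reviewed, so the two segments should be validated before they are interpolated into a URL that is later sent to the scorecard API — GitHub owner and repository names are limited to `[A-Za-z0-9_.-]`, which makes a cheap allow-list check possible. The comment's claim that the name is `owner/repo/` with a trailing slash is not what the new test fixture (`actions/checkout`) shows; say `owner/repo[/sub-path]` instead. The enclosing function starts before this hunk, so where `repositoryUrl` is first populated is not visible here.

```typescript
  // Handle the special case for GitHub Actions, where the repository URL is null
  if (ecosystem === 'actions') {
    // The name is `owner/repo[/sub-path]`; keep only the first two segments, and only
    // when they look like GitHub owner/repo names, since the value is embedded in a URL.
    const [owner, repo] = packageName.split('/')
    const segment = /^[A-Za-z0-9_.-]+$/
    if (owner && repo && segment.test(owner) && segment.test(repo)) {
      repositoryUrl = `github.com/${owner}/${repo}` // e.g. github.com/actions/checkout
    }
    // otherwise repositoryUrl stays empty and the deps.dev lookup below still runs
  }
  // … unchanged: deps.dev fallback …
```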