Merge branch 'dependency-review' of https://github.com/advanced-security/github-sbom-toolkit into dependency-review

aegilops · aegilops · commit 5ac59f74fab9 · 2025-12-08T18:08:56.000Z
diff --git a/src/componentDetection.ts b/src/componentDetection.ts
@@ -34,7 +34,7 @@ export default class ComponentDetection {
   // This is the default entry point for this class.
   // If executablePath is provided, use it directly and skip download.
   async scanAndGetManifests(path: string): Promise<Manifest[] | undefined> {
-    if (!this.componentDetectionPath) {
+    if (!fs.existsSync(this.componentDetectionPath)) {
       await this.downloadLatestRelease();
     }
 
@@ -272,9 +272,7 @@ export default class ComponentDetection {
       if (packageUrlJson.Version) {
         packageUrl += `@${packageUrlJson.Version}`;
       }
-      if (typeof packageUrlJson.Qualifiers === "object"
-        && packageUrlJson.Qualifiers !== null
-        && Object.keys(packageUrlJson.Qualifiers).length > 0) {
+      if (packageUrlJson.Qualifiers && Object.keys(packageUrlJson.Qualifiers).length > 0) {
         const qualifierString = Object.entries(packageUrlJson.Qualifiers)
           .map(([key, value]) => `${key}=${value}`)
           .join("&");
diff --git a/src/sbomCollector.ts b/src/sbomCollector.ts
@@ -260,7 +260,7 @@ export class SbomCollector {
             this.decisions[fullName] = `Fetching because error comparing pushed_at (${baseline.repoPushedAt} / ${repo.pushed_at})`;
           }
         } else {
-          this.decisions[fullName] = baseline ? `Fetching because missing pushed_at (${baseline.repoPushedAt} / ${repo.pushed_at})` : "Fetching because no baseline";
+          this.decisions[fullName] = baseline ? `Fetching because of missing pushed_at (${baseline.repoPushedAt} / ${repo.pushed_at})` : "Fetching because no baseline";
         }
 
         let sbom: RepositorySbom | undefined = undefined;
@@ -540,7 +540,7 @@ export class SbomCollector {
             if (ok) {
               console.log(chalk.blue(`Snapshot submission attempted; waiting 3 seconds before retrying dependency review diff for ${org}/${repo} ${base}...${head}...`));
               await new Promise(r => setTimeout(r, 3000));
-              return await this.fetchDependencyReviewDiff(org, repo, base, head, --retries, latestCommit);
+              return await this.fetchDependencyReviewDiff(org, repo, base, head, retries - 1, latestCommit);
             }
           } catch (subErr) {
             console.error(chalk.red(`Snapshot submission failed for ${org}/${repo} branch ${head}: ${(subErr as Error).message}`));

Original file line number	Diff line number	Diff line change
`@@ -260,7 +260,7 @@ export class SbomCollector {`
`260`	`260`	this.decisions[fullName] = `Fetching because error comparing pushed_at (${baseline.repoPushedAt} / ${repo.pushed_at})`;
`261`	`261`	`}`
`262`	`262`	`} else {`
`263`		- this.decisions[fullName] = baseline ? `Fetching because missing pushed_at (${baseline.repoPushedAt} / ${repo.pushed_at})` : "Fetching because no baseline";
	`263`	+ this.decisions[fullName] = baseline ? `Fetching because of missing pushed_at (${baseline.repoPushedAt} / ${repo.pushed_at})` : "Fetching because no baseline";
`264`	`264`	`}`
`265`	`265`
`266`	`266`	`let sbom: RepositorySbom \| undefined = undefined;`
`@@ -540,7 +540,7 @@ export class SbomCollector {`
`540`	`540`	`if (ok) {`
`541`	`541`	console.log(chalk.blue(`Snapshot submission attempted; waiting 3 seconds before retrying dependency review diff for ${org}/${repo} ${base}...${head}...`));
`542`	`542`	`await new Promise(r => setTimeout(r, 3000));`
`543`		`- return await this.fetchDependencyReviewDiff(org, repo, base, head, --retries, latestCommit);`
	`543`	`+ return await this.fetchDependencyReviewDiff(org, repo, base, head, retries - 1, latestCommit);`
`544`	`544`	`}`
`545`	`545`	`} catch (subErr) {`
`546`	`546`	console.error(chalk.red(`Snapshot submission failed for ${org}/${repo} branch ${head}: ${(subErr as Error).message}`));