Add Dependency Review and Submission

[aegilops]

Adds branch scanning, dependency submission, and more robustness.

• fetching SBOM diffs for non-default branches
• automatic dependency snapshot submission using Component Detection
• better CLI options and documentation
• improved advisory sync reliability
• support for org listing with Enterprise Server

[Copilot]

Pull request overview

Copilot reviewed 15 out of 18 changed files in this pull request and generated 15 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 15 out of 18 changed files in this pull request and generated 12 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The magic number 1500 (milliseconds) for the delay after snapshot submission is hardcoded. This delay allows time for snapshot ingestion before retrying the dependency review diff. Consider:

1. Extracting this as a named constant (e.g., SNAPSHOT_INGESTION_DELAY_MS) to make its purpose clear
2. Making it configurable through options if different GitHub instances have different ingestion times
3. Adding a comment explaining why this specific duration was chosen

The same applies to the 3000ms delay on line 539.

[aegilops]

@copilot open a new pull request to apply changes based on this feedback

[Copilot]

@aegilops I've opened a new pull request, #28, to work on those changes. Once the pull request is ready, I'll request review from you.

[Copilot]

Pull request overview

Copilot reviewed 15 out of 18 changed files in this pull request and generated 12 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 15 out of 18 changed files in this pull request and generated 10 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

[nitpick] The CHANGELOG.md file shows a date of [2025-12-04] on line 3, but the current date is December 8, 2025. This appears to be a date in the past (4 days ago). While this could be intentional if the work was completed then, typically changelogs reflect the actual release date. Verify this is the intended date.

Suggested change

	## [2025-12-04] – 0.2.0 - Branch scanning and dependency submission
	## [2025-12-08] – 0.2.0 - Branch scanning and dependency submission

[Copilot]

In the malwareMatcher.ts file, lines 162-169 appear to be orphaned code that doesn't belong to any function. These lines seem to be constructing a purl for Maven/NuGet ecosystems with namespaces, but they are placed outside of any function context. This code should either be removed or properly integrated into the enumerateDiffPackages function where it logically belongs.

[Copilot]

The enumerateBasePackages function is annotated to return packages with __branch property (line 150), but the code at line 161 doesn't actually set this property on any returned packages. The comment at line 161 mentions "Annotate with default branch for reporting (if known)" but no annotation code follows. Either the code to set __branch is missing, or the return type annotation should not include __branch for base packages.

Suggested change

	// Some ecosystems require a namespace (e.g., Maven, NuGet)
	const ecosystemsWithNamespace = new Set(['maven', 'nuget', 'composer', 'golang']);
	if (ecosystemsWithNamespace.has(change.ecosystem) && change.namespace) {
	p = `pkg:${change.ecosystem}/${change.namespace}/${change.name}${change.version ? '@' + change.version : ''}`;
	} else {
	p = `pkg:${change.ecosystem}/${change.name}${change.version ? '@' + change.version : ''}`;
	}
	const branch = (repo as any).defaultBranch || undefined;
	return list.map(pkg => ({
	...pkg,
	__branch: branch
	}));

[Copilot]

The applyQueries function at line 595-635 in sbomCollector.ts is declared at module scope (outside the class), which breaks the expected encapsulation. This function appears to be extracted from inside the searchByPurlsWithReasons method but is placed incorrectly. The comment at line 594 says "// Move applyQueries to module scope" which suggests this was intentional, but it's placed in the middle of the class definition rather than before or after it, making the code structure confusing and potentially breaking the class context.

[Copilot]

Pull request overview

Copilot reviewed 15 out of 18 changed files in this pull request and generated 5 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

At line 168, when this.opts.repo is specified, the code attempts to access this.opts.repo.split("/")[0] without first checking if this.opts.repo is defined. While the constructor validates the repo format (lines 54-61), TypeScript may still treat this.opts.repo as potentially undefined here. The code should handle the case where repo is undefined more explicitly, or the ternary expression should be restructured to avoid this potential runtime error.

Suggested change

	const orgs = this.opts.org ? [this.opts.org] : this.opts.enterprise ? await this.listEnterpriseOrgs(this.opts.enterprise, this.opts.ghes) : [this.opts.repo.split("/")[0]];
	const orgs = this.opts.org
	? [this.opts.org]
	: this.opts.enterprise
	? await this.listEnterpriseOrgs(this.opts.enterprise, this.opts.ghes)
	: this.opts.repo
	? [this.opts.repo.split("/")[0]]
	: (() => { throw new Error("No org, enterprise, or repo specified in options."); })();

[Copilot]

Line 187 sets this.summary.orgs = orgs redundantly since orgs was already assigned to this.summary.orgs at line 169. This duplicate assignment serves no purpose and should be removed.

Suggested change

this.summary.orgs = orgs;

[Copilot]

The applyQueries function is defined inside the searchByPurlsWithReasons method but the comment on line 601 says "Move applyQueries to module scope". This function is currently nested within the method, making it inaccessible to other methods and created anew on each call. The function should be moved to module scope (outside the class) as the comment indicates, both for reusability and performance.

[Copilot]

The success/fail counting logic at line 344 is only executed when this.opts.includeBranches && sbom && sbom.sbom is true (inside the branch scanning block), but it should be executed for all SBOM fetches. When branch scanning is disabled or conditions aren't met, newly fetched SBOMs won't be counted in the summary statistics. This logic should be moved outside the branch scanning conditional block (after line 350) so it runs for all newly fetched SBOMs.

See below for a potential fix:

          // Write freshly fetched SBOM immediately if a cache directory is configured
          if (this.opts.loadFromDir && this.opts.syncSboms && this.opts.loadFromDir.length) {
            try { writeOne(sbom, { outDir: this.opts.loadFromDir }); } catch { /* ignore write errors */ }
          }
        }
        if (sbom) {
          if (sbom.error) this.summary.failedCount++; else this.summary.successCount++;

[Copilot]

Overriding console.debug globally (line 99) to disable debug logging can cause issues if other libraries or parts of the code rely on console.debug for their own purposes. A better approach would be to use a custom logger function or wrap console.debug in a conditional check throughout the codebase.

Suggested change

	if (debug) {
	console.debug(chalk.blue("Debug logging enabled"));
	} else {
	console.debug = () => { };
	}
	// Custom debug logger to avoid overriding console.debug globally
	const logDebug = (...args: any[]) => {
	if (debug) {
	console.debug(chalk.blue(...args));
	}
	};
	logDebug("Debug logging enabled");