Merge pull request #494 from actions/fix-purl-bug

Empty PURLs should not block the action from running
actions · May 31, 2023 · 1360a34 · 1360a34
2 parents 554aaf5 + 123b587
commit 1360a34
Show file tree

Hide file tree

Showing 6 changed files with 34 additions and 7 deletions.
diff --git a/__tests__/licenses.test.ts b/__tests__/licenses.test.ts
@@ -192,6 +192,23 @@ test('it does not filter out changes that are on the exclusions list', async ()
   expect(invalidLicenses.forbidden.length).toEqual(0)
 })
 
+test('it does not fail when the packages dont have a valid PURL', async () => {
+  const emptyPurlChange = pipChange
+  emptyPurlChange.package_url = ''
+
+  const changes: Changes = [emptyPurlChange, npmChange, rubyChange]
+  const licensesConfig = {
+    allow: ['BSD'],
+    licenseExclusions: ['pkg:pip/package-1@1.1.1', 'pkg:npm/reeuhq@1.0.2']
+  }
+
+  const invalidLicenses = await getInvalidLicenseChanges(
+    changes,
+    licensesConfig
+  )
+  expect(invalidLicenses.forbidden.length).toEqual(1)
+})
+
 test('it does filters out changes if they are not on the exclusions list', async () => {
   const changes: Changes = [pipChange, npmChange, rubyChange]
   const licensesConfig = {

diff --git a/dist/index.js b/dist/index.js
diff --git a/dist/index.js.map b/dist/index.js.map
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "dependency-review-action",
-  "version": "3.0.5",
+  "version": "3.0.6",
   "private": true,
   "description": "A GitHub Action for Dependency Review",
   "main": "lib/main.js",
@@ -60,4 +60,4 @@
     "ts-jest": "^27.1.4",
     "typescript": "^4.9.5"
   }
-}
+}
diff --git a/src/licenses.ts b/src/licenses.ts
@@ -41,6 +41,10 @@ export async function getInvalidLicenseChanges(
   // Takes the changes from the groupedChanges object and filters out the ones that are part of the exclusions list
   // It does by creating a new PackageURL object from the change and comparing it to the exclusions list
   groupedChanges.licensed = groupedChanges.licensed.filter(change => {
+    if (change.package_url.length === 0) {
+      return true
+    }
+
     const changeAsPackageURL = PackageURL.fromString(change.package_url)
 
     // We want to find if the licenseExclussion list contains the PackageURL of the Change
@@ -56,8 +60,9 @@ export async function getInvalidLicenseChanges(
       ) !== -1
     ) {
       return false
+    } else {
+      return true
     }
-    return true
   })
   const licensedChanges: Changes = groupedChanges.licensed