Make sure composer.lock dependency package version is a string (#1325)

composer.lock files may have a dependency package version as a number instead of a string (see: google/osv-scanner#1138). In that case `new PackageURL(...)` throws the following error: Error: Invalid purl: "versions" argument must be a string. Signed-off-by: Maxime Robert <[email protected]>
CycloneDX · Aug 26, 2024 · 82a55b5 · 82a55b5
1 parent f14c0fd
commit 82a55b5
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/utils.js b/utils.js
@@ -7874,7 +7874,7 @@ export function parseComposerLock(pkgLockFile, rootRequires) {
             "composer",
             group,
             name,
-            pkg.version,
+            pkg.version?.toString(),
             null,
             null,
           ).toString();
@@ -7883,7 +7883,7 @@ export function parseComposerLock(pkgLockFile, rootRequires) {
             name: name,
             purl,
             "bom-ref": decodeURIComponent(purl),
-            version: pkg.version,
+            version: pkg.version?.toString(),
             repository: pkg.source,
             license: pkg.license,
             description: pkg.description,