const core = require('@actions/core');
const github = require('@actions/github');
const fs = require('fs');
const glob = require('glob');
import {
PackageCache,
BuildTarget,
Package,
Snapshot,
Manifest,
submitSnapshot
} from '@github/dependency-submission-toolkit'
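/**
 * Entry point for the action: globs the SPDX files, converts each one into a
 * Manifest and submits them as a single dependency snapshot.
 *
 * Every failure (glob, file read, JSON parse, submission) is routed through
 * core.setFailed so the workflow step fails visibly instead of ending on a
 * floating rejected promise.
 */
async function run() {
  try {
    const manifests = getManifestsFromSpdxFiles(searchFiles());
    const snapshot = new Snapshot({
      name: "spdx-to-dependency-graph-action",
      version: "0.0.1",
      url: "https://github.com/jhutchings1/spdx-to-dependency-graph-action",
    },
    github.context,
    {
      correlator: `${github.context.job}`,
      id: github.context.runId.toString()
    });
    // getManifestsFromSpdxFiles always returns an array, so no optional chaining is needed.
    for (const manifest of manifests) {
      snapshot.addManifest(manifest);
    }
    // submitSnapshot uploads asynchronously; awaiting it keeps the step alive until
    // the upload finishes and lets a failed submission reach the catch below.
    await submitSnapshot(snapshot);
  } catch (error) {
    core.setFailed(error.message);
  }
}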
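/**
 * Converts one parsed SPDX JSON document into a Manifest.
 *
 * For each package the purl is chosen in this order: the SPDX 2.3 `purl`
 * field, a PACKAGE-MANAGER/purl external reference, then a synthesized
 * `pkg:generic/<name>@<version>` purl. A package is recorded as an indirect
 * dependency when some element other than "SPDXRef-RootPackage" DEPENDS_ON
 * it; otherwise it is a direct dependency.
 *
 * @param {object} document - parsed SPDX document (output of JSON.parse)
 * @param {string} fileName - path the document was read from; becomes the manifest name
 * @returns {Manifest} manifest holding every package of the document
 */
function getManifestFromSpdxFile(document, fileName) {
  core.debug(`getManifestFromSpdxFile processing ${fileName}`);
  const manifest = new Manifest(document.name, fileName);
  const packages = document.packages ?? [];
  const relationships = document.relationships ?? [];
  core.debug(`Processing ${document.packages?.length} packages`);
  for (const pkg of packages) {
    // SPDX 2.x JSON names the version field `versionInfo`; `packageVersion` is
    // kept as a fallback for documents that used that name.
    const packageVersion = pkg.versionInfo ?? pkg.packageVersion;
    const referenceLocator = pkg.externalRefs?.find(
      (ref) => ref.referenceCategory === "PACKAGE-MANAGER" && ref.referenceType === "purl"
    )?.referenceLocator;
    // SPDX 2.3 defines a purl field; prefer it, then the external reference,
    // then a generic purl built from name and version.
    const rawPurl = pkg.purl ?? referenceLocator ?? `pkg:generic/${pkg.name}@${packageVersion}`;
    // Work around SBOM generators that leave the version separator encoded as %40.
    const purl = replaceVersionEscape(rawPurl);
    // `.some` rather than `.find(...).length`: find yields one element (or
    // undefined), which has no usable length, so the indirect branch was never taken.
    // NOTE(review): the root element id is assumed to be "SPDXRef-RootPackage";
    // documents that name their root differently will classify everything as direct.
    const isIndirect = relationships.some(
      (rel) =>
        rel.relatedSpdxElement === pkg.SPDXID &&
        rel.relationshipType === "DEPENDS_ON" &&
        rel.spdxElementId !== "SPDXRef-RootPackage"
    );
    if (isIndirect) {
      manifest.addIndirectDependency(new Package(purl));
    } else {
      manifest.addDirectDependency(new Package(purl));
    }
  }
  return manifest;
}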
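/**
 * Reads and parses each SPDX JSON file and converts it into a Manifest.
 *
 * @param {string[] | null | undefined} files - paths returned by searchFiles();
 *   null/undefined is treated as an empty list
 * @returns {Manifest[]} one manifest per file, in input order
 * @throws errors from fs.readFileSync (missing/unreadable file) or JSON.parse
 *   (malformed document) propagate to the caller
 */
function getManifestsFromSpdxFiles(files) {
  // Normalize once so the debug line cannot throw on a null list while the
  // iteration below silently tolerates it.
  const fileList = files ?? [];
  core.debug(`Processing ${fileList.length} files`);
  return fileList.map((file) => {
    core.debug(`Processing ${file}`);
    // Decode as UTF-8 explicitly instead of relying on JSON.parse coercing a Buffer.
    const document = JSON.parse(fs.readFileSync(file, 'utf8'));
    return getManifestFromSpdxFile(document, file);
  });
}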
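/**
 * Resolves the SPDX files to process from the action inputs.
 *
 * `filePath` and `filePattern` are read with core.getInput, i.e. they come from
 * the workflow definition and are controlled by whoever edits it. They are
 * joined with "/" into a single glob pattern; an unset input yields an empty
 * string, so the resulting pattern may then be just "/" or "<path>/".
 *
 * @returns {string[]} matching file paths (empty when nothing matches)
 */
function searchFiles() {
  const filePath = core.getInput('filePath');
  const filePattern = core.getInput('filePattern');
  return glob.sync(`${filePath}/${filePattern}`, {});
}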
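/**
 * Normalizes the "@" / "%40" escaping in a purl produced by some SBOM generators.
 *
 * 1. A namespace written as "/@" (e.g. an unescaped npm scope) is escaped to
 *    "/%40" (first occurrence only).
 * 2. If the result then contains no literal "@", the last "%40" is taken to be
 *    the version separator and is turned back into "@".
 *
 * @param {string | null | undefined} purl - package URL to normalize
 * @returns {string | null | undefined} the normalized purl, or the input
 *   unchanged when it is null/undefined
 */
function replaceVersionEscape(purl) {
  // Guard before calling .replace so a missing purl is passed through rather than throwing.
  if (purl == null) {
    return purl;
  }
  // Some tools fail to escape the namespace; escape it so that any "@" left
  // behind can only be the version separator.
  let normalized = purl.replace("/@", "/%40");
  // A literal "@" means the version separator is already intact.
  if (normalized.includes("@")) {
    return normalized;
  }
  const index = normalized.lastIndexOf("%40");
  if (index > 0) {
    normalized = `${normalized.substring(0, index)}@${normalized.substring(index + 3)}`;
  }
  return normalized;
}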
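// Top-level entry: report any rejection through the Actions API so the step
// fails with a message instead of ending on an unhandled rejection.
run().catch((error) => core.setFailed(error.message));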