
Error: Invalid purl: version must be percent-encoded #613

Closed
vanpelt opened this issue Nov 9, 2023 · 5 comments · Fixed by #617

Comments

vanpelt commented Nov 9, 2023

My review action is failing with this error. I've searched the codebase for "Invalid purl:" and I'm not finding it. I imagine this is coming from my allow-dependencies-licenses: however I've tried a number of different options and it's still happening. I've explicitly told the action to use v3.1.2. This is my config:

```yaml
jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: "Checkout Repository"
        uses: actions/checkout@v4
      - name: "Dependency Review"
        uses: actions/dependency-review-action@v3.1.2
        with:
          fail-on-severity: high
          deny-licenses: AFL-1.1, AFL-1.2, AFL-2.0, AFL-2.1, AFL-3.0, AGPL-1.0, AGPL-3.0, CC-BY-SA-1.0, CC-BY-SA-2.0, CC-BY-SA-2.0-UK, CC-BY-SA-2.1-JP, CC-BY-SA-2.5, CC-BY-SA-3.0, CC-BY-SA-3.0-AT, CC-BY-SA-3.0-DE, CC-BY-SA-4.0, GFDL-1.1, GFDL-1.2, GFDL-1.3, GPL-1.0, GPL-2.0, GPL-3.0, LGPL-2.1, LGPL-3.0, OSL-1.0, OSL-2.0, OSL-2.1, OSL-3.0, Sleepycat
          comment-summary-in-pr: on-failure
          allow-dependencies-licenses: pkg:npm/jsonify, pkg:golang/golang.org/x
```

@spencerschrock

+1, I'm also on v3.1.2 (pinned by hash fde92ac) and recently got this error. Although I don't use allow-dependencies-licenses (or any inputs). Re-running the failed job didn't help.

```yaml
jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: 'Checkout Repository'
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: 'Dependency Review'
        uses: actions/dependency-review-action@fde92acd0840415674c16b39c7d703fc28bc511e # v3.1.2
```

https://github.com/ossf/scorecard/actions/runs/6817882892/job/18542937995?pr=3660

vanpelt (Author) commented Nov 10, 2023

My best guess is this is happening when the action is parsing the changes in go.mod. I noticed that @spencerschrock has a couple indirect deps in go.mod that look like:

```
github.com/docker/cli v24.0.7+incompatible // indirect
github.com/docker/distribution v2.8.3+incompatible
```

I also have a couple packages with +incompatible. The purl parser doesn't like the +.
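
The problem described above, as an added example that is not code from dependency-review-action: a go.mod requirement line with a `+incompatible` version is turned into a purl, and the version component is percent-encoded as the purl spec requires (the `+` becomes `%2B`). The parser, the encoding helper and the validity check below are written from the purl spec for this illustration, not taken from the action.

```typescript
// Added example (not dependency-review-action code): show why a raw go.mod
// version such as "v24.0.7+incompatible" fails a purl version check and how
// it should look once percent-encoded.

interface GoRequirement {
  modulePath: string; // e.g. github.com/docker/cli
  version: string;    // e.g. v24.0.7+incompatible
}

// Parse one go.mod requirement line, e.g.
// "github.com/docker/cli v24.0.7+incompatible // indirect".
// Returns null for lines that are not "<module> <version>" pairs.
function parseGoModRequire(line: string): GoRequirement | null {
  const noComment = line.split("//")[0].trim();
  const parts = noComment.split(/\s+/);
  if (parts.length !== 2 || !parts[1].startsWith("v")) return null;
  return { modulePath: parts[0], version: parts[1] };
}

// Return a reason the version is not a valid purl version, or null if it is.
// The purl spec requires reserved characters in the version to be
// percent-encoded; '+' and '@' are the ones that matter for go.mod input.
function versionEncodingError(version: string): string | null {
  if (version.includes("+")) return "version must be percent-encoded: '+' found";
  if (version.includes("@")) return "version must be percent-encoded: '@' found";
  return null;
}

// Percent-encode a purl version. encodeURIComponent already turns '+' into
// '%2B'; ':' is restored because the spec says it must not be encoded.
function encodePurlVersion(version: string): string {
  return encodeURIComponent(version).replace(/%3A/gi, ":");
}

// Build pkg:golang/<module path>@<encoded version>. The '/' characters in
// the module path are the namespace/name separators and stay unencoded.
function goPurl(req: GoRequirement): string {
  return `pkg:golang/${req.modulePath}@${encodePurlVersion(req.version)}`;
}

// Constructed sample input mirroring the go.mod line quoted in this issue.
const sample = parseGoModRequire("github.com/docker/cli v24.0.7+incompatible // indirect");
if (sample) {
  console.log(versionEncodingError(sample.version)); // raw version: rejected
  console.log(goPurl(sample)); // pkg:golang/github.com/docker/cli@v24.0.7%2Bincompatible
}
```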

@mattpolicane

Also seeing the same issue, and don't use allow-dependencies-licenses either.

```yaml
jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: "Checkout Repository"
        uses: actions/checkout@v3
      - name: Dependency Review
        uses: actions/dependency-review-action@v3
        with:
          fail-on-severity: critical
```

@theztefan (Contributor)

Looked at the mentioned repos and managed to replicate this myself. Submitted a fix with #617.

@febuiles (Contributor)

@theztefan thanks a ton for the PR! I've released version 3.1.3 with the fix.
