Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

v4.3.0 Causing PURL Processing Errors #752

Closed
watercable76 opened this issue Apr 26, 2024 · 6 comments · Fixed by #753
Closed

v4.3.0 Causing PURL Processing Errors #752

watercable76 opened this issue Apr 26, 2024 · 6 comments · Fixed by #753
Assignees
@juxtin

Comments

@watercable76
Copy link

My project is referencing the v4 of dependency review action, and as of the most recent release, there is an error where it won't run anymore due to a 'Error: Invalid purl: version must be percent-encoded'. Nothing else has changed in my code, but the most recent changes to the dependency review action

Looking through the commit history, this was the most recent change, and it was included in the release today -> https://github.com/actions/dependency-review-action/blob/main/src/utils.ts#L73

Is there some way to get this reverted temporarily @juxtin, especially on a Friday afternoon?
@rajsite
Copy link

rajsite commented Apr 26, 2024
edited

Was just about to report the same issue. Had to pin to actions/dependency-review-action@v4.2.5 to prevent a build issue.
Example build: https://github.com/ni/nimble/actions/runs/8853178015

Edit: I get a slightly different error with v4.3 is Error: A purl string argument is required.

@rajsite rajsite mentioned this issue Apr 26, 2024
Merged
1 task
@juxtin
Copy link
Contributor

juxtin commented Apr 26, 2024

Thanks for the report, @watercable76! Sorry for the bother, I've reset the v4 tag to point to the previous release while we figure this out.

@juxtin
Copy link
Contributor

juxtin commented Apr 26, 2024
edited

I'm having a hard time reproducing this in my test repo(s). @watercable76, can you share (a possibly redacted version of) your dependency review config?

@juxtin juxtin mentioned this issue Apr 26, 2024
Merged
@juxtin
Copy link
Contributor

juxtin commented Apr 26, 2024

I've narrowed down the cause of this to the handling of @ symbols in NPM namespaces. These weren't a problem before because we weren't using a packageurl-js, but it has a somewhat pedantic insistence that the namespace be URL-encoded. To be fair, that is what the spec dictates.

Nonetheless, I've seen many implementations that tolerate @ symbols there, and I think there's a practical purpose to that. In this case, not only are user configs likely to have things like pkg:npm/@namespace/name, but even internally we tend to represent namespaces in purls with the literal @ rather than %40.

Given the amount of monkeying around we've already had to do to get this library working, and our modest needs for parsing in the first place, I'm tempted to just hand-roll our own purl parser and be done with it.

@juxtin juxtin self-assigned this Apr 26, 2024
@watercable76
Copy link
Author

Just double checked, and we are not using any configurations besides the default settings. Here's the build process, which is the same as the documentation example:

dependency-review:
    name: Dependency Review
    runs-on: ubuntu-latest
    steps:
      - name: 'Checkout Repository'
        uses: actions/checkout@v4
      - name: 'Dependency Review'
        uses: actions/dependency-review-action@v4

@juxtin
Copy link
Contributor

juxtin commented Apr 29, 2024

@watercable76 thanks again for the report, this should be fixed now.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@juxtin juxtin

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Parse purls cautiously in getDeniedChanges actions/dependency-review-action
3 participants
@rajsite @juxtin @watercable76