
Invalid URL for OpenSSF Scorecard Package #718

Closed
dupuy opened this issue Mar 21, 2024 · 3 comments · Fixed by #725
Labels
bug Something isn't working

Comments

dupuy commented Mar 21, 2024

In the latest update to this action, in the OpenSSF Scorecard table generated by the dependency review action for the dependabot PR in my project's repo to update the version of that action, I get incorrect labels with invalid URLs:

actions/actions/dependency-review-action

[actions/actions/dependency-review-action](https://https//github.com/actions/dependency-review-action)

As you can see, actions/ is repeated in the anchor text. I'm not sure how or where in the code this is happening.

I suspect the invalid URL is due to a faulty URL in the data (so, not necessarily a bug in the code), but I'm not sure where in the data this mistake (missing : after https in URL) was made.

However, the code in src/scorecard.ts is already messing with the URL:

    // If the repository_url includes the protocol, remove it
    if (repositoryUrl?.startsWith('https://')) {
      repositoryUrl = repositoryUrl.replace('https://', '')
    }

The logic here could be enhanced to handle this not-uncommon error (as well as the possibility of an insecure http: prefix). This might best be done by using a regex like https?:?// for the check and replace.
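Following on from the snippet above and the suggested `https?:?//` regex, here is an added example (not code from dependency-review-action) of a normalizer that strips `https://`, `http://` and the colon-less `https//` form alike, and only renders a link when what remains looks like a bare host/path. The function names and the host/path validation pattern are my own assumptions.

```typescript
// Added example, not the project's code. Assumes repository_url arrives as a
// free-form string from the Scorecard data, which may be missing the ':' after
// the scheme ("https//...") or carry an insecure "http://" prefix.
const SCHEME_PREFIX = /^https?:?\/\//i

// Strip any of "https://", "http://", "https//", "http//" from the start.
function stripProtocol(repositoryUrl: string | undefined): string | undefined {
  if (repositoryUrl === undefined) return undefined
  return repositoryUrl.trim().replace(SCHEME_PREFIX, '')
}

// Build the link used in the Scorecard table. Returns undefined (caller should
// render plain text instead of an anchor) when the remaining value still does
// not look like host/path, so malformed data never becomes a clickable bad link.
function repositoryLink(repositoryUrl: string | undefined): string | undefined {
  const hostPath = stripProtocol(repositoryUrl)
  if (hostPath === undefined || hostPath === '') return undefined
  // Assumed validation pattern: hostname with a TLD, then optional path segments.
  if (!/^[a-z0-9.-]+\.[a-z]{2,}(\/[\w.-]+)*\/?$/i.test(hostPath)) return undefined
  // Always emit https, whatever scheme (or non-scheme) the input carried.
  return `https://${hostPath}`
}
```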

dupuy (Author) commented Mar 21, 2024

@jhutchings1, as this is your code, you may be the best person to address this issue.

And looking at the table and the logs, I suspect the bad URL may also be causing failure to get the "Score" and "Details" column data (all show "Unknown").

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

| Package | Version | Score | Details |
|---|---|---|---|
| actions/actions/dependency-review-action | 0fa40c3 | Unknown | Unknown |
| actions/actions/dependency-review-action | 9129d7d | Unknown | Unknown |

@jonjanego jonjanego added the bug Something isn't working label Mar 21, 2024
jhutchings1 (Contributor) commented

👋 @dupuy Thanks for reporting this. I did have a couple of bugs here around the way I was building the query URL.

The actions/actions piece in the UI is actually by design (one could question whether it's a good one or not!). That's trying to show dependencies as {ecosystem}/{package} and packages in Actions are nwo based, meaning the ones in the actions org are going to show with that actions/actions prefix.

It'll be fixed by #725

febuiles added a commit that referenced this issue Mar 24, 2024
febuiles (Contributor) commented

@jhutchings1 thank you for the fix, it's been released in 4.2.4.
