Merge pull request #3315 from nscuro/backport-pr-3313

Backport: Improve Error handling and add default version type
DependencyTrack · Dec 18, 2023 · 2f1135a · 2f1135a
2 parents 485c982 + 46187e4
commit 2f1135a
Show file tree

Hide file tree

Showing 2 changed files with 76 additions and 17 deletions.
diff --git a/src/main/java/org/dependencytrack/tasks/repositories/GithubMetaAnalyzer.java b/src/main/java/org/dependencytrack/tasks/repositories/GithubMetaAnalyzer.java
@@ -30,7 +30,6 @@
 import org.kohsuke.github.GitHub;
 
 import java.io.IOException;
-import java.util.regex.Pattern;
 
 import static org.apache.commons.lang3.StringUtils.isBlank;
 import static org.apache.commons.lang3.StringUtils.isNotBlank;
@@ -45,9 +44,11 @@ public class GithubMetaAnalyzer extends AbstractMetaAnalyzer {
 
     private static final Logger LOGGER = Logger.getLogger(GithubMetaAnalyzer.class);
 
-    private static final int VERSION_TYPE_RELEASE = 1;
-    private static final int VERSION_TYPE_COMMIT = 2;
-    private static final String VERSION_TYPE_PATTERN = "[a-f0-9]{6,40}";
+    private enum VersionType {
+        RELEASE,
+        COMMIT;
+    }
+    private static final VersionType DEFAULT_VERSION_TYPE = VersionType.RELEASE;
     private static final String REPOSITORY_DEFAULT_URL = "https://github.com";
     private String repositoryUrl;
     private String repositoryUser;
@@ -88,6 +89,27 @@ public RepositoryType supportedRepositoryType() {
         return RepositoryType.GITHUB;
     }
 
+    /**
+     * Checks whether the pURL version is a release or commit
+     * @param component Component Object
+     * @param repository The GH Repository Object defined by the pURL
+     * @return VersionType
+     * @throws IOException when GitHub API Calls fail
+     */
+    private VersionType get_version_type(final Component component, GHRepository repository) throws IOException {
+        if (component.getPurl().getVersion() == null){
+            LOGGER.debug(String.format("Version is not set, assuming %s", DEFAULT_VERSION_TYPE.name()));
+            return DEFAULT_VERSION_TYPE;
+        }
+        if (repository.getReleaseByTagName(component.getPurl().getVersion()) != null){
+            LOGGER.debug("Version is release");
+            return VersionType.RELEASE;
+        } else {
+            LOGGER.debug("Version is commit");
+            return VersionType.COMMIT;
+        }
+    }
+
     /**
      * {@inheritDoc}
      */
@@ -104,19 +126,12 @@ public MetaModel analyze(final Component component) {
                     github = GitHub.connectAnonymously();
                 }
 
-                Pattern version_pattern = Pattern.compile(VERSION_TYPE_PATTERN);
-                final int version_type;
-                if (version_pattern.matcher(component.getPurl().getVersion()).find()) {
-                    LOGGER.debug("Version is commit");
-                    version_type = VERSION_TYPE_COMMIT;
-                } else {
-                    LOGGER.debug("Version is release");
-                    version_type = VERSION_TYPE_RELEASE;
-                }
-
                 GHRepository repository = github.getRepository(String.format("%s/%s", component.getPurl().getNamespace(), component.getPurl().getName()));
                 LOGGER.debug(String.format("Repos is at %s", repository.getUrl()));
-                if (version_type == VERSION_TYPE_RELEASE) {
+
+                final VersionType version_type = get_version_type(component, repository);
+
+                if (version_type == VersionType.RELEASE) {
                     GHRelease latest_release = repository.getLatestRelease();
                     if (latest_release != null) {
                         meta.setLatestVersion(latest_release.getTagName());
@@ -127,12 +142,14 @@ public MetaModel analyze(final Component component) {
                         meta.setPublishedTimestamp(current_release.getPublished_at());
                         LOGGER.debug(String.format("Current version published at: %s", meta.getPublishedTimestamp()));
                     }
-                } else {
+                }
+
+                if (version_type == VersionType.COMMIT) {
                     GHBranch default_branch = repository.getBranch(repository.getDefaultBranch());
                     GHCommit latest_release = repository.getCommit(default_branch.getSHA1());
-                    GHCommit current_release = repository.getCommit(component.getPurl().getVersion());
                     meta.setLatestVersion(latest_release.getSHA1());
                     LOGGER.debug(String.format("Latest version: %s", meta.getLatestVersion()));
+                    GHCommit current_release = repository.getCommit(component.getPurl().getVersion());
                     meta.setPublishedTimestamp(current_release.getCommitDate());
                     LOGGER.debug(String.format("Current version published at: %s", meta.getPublishedTimestamp()));
                 }

diff --git a/src/test/java/org/dependencytrack/tasks/repositories/GitHubMetaAnalyzerTest.java b/src/test/java/org/dependencytrack/tasks/repositories/GitHubMetaAnalyzerTest.java
@@ -74,4 +74,46 @@ public void testAnalyzerShortCommit() throws Exception{
         Assert.assertTrue(version_pattern.matcher(metaModel.getLatestVersion()).find());
         Assert.assertNotNull(metaModel.getPublishedTimestamp());
     }
+
+    @Test
+    public void testAnalyzerNoVersion() throws Exception{
+        final var component = new Component();
+        component.setPurl(new PackageURL("pkg:github/CycloneDX/cdxgen"));
+
+        final var analyzer = new GithubMetaAnalyzer();
+        Assert.assertTrue(analyzer.isApplicable(component));
+        Assert.assertEquals(RepositoryType.GITHUB, analyzer.supportedRepositoryType());
+
+        MetaModel metaModel = analyzer.analyze(component);
+        Assert.assertNotNull(metaModel.getLatestVersion());
+        Assert.assertTrue(metaModel.getLatestVersion().startsWith("v"));
+        Assert.assertNull(metaModel.getPublishedTimestamp());
+    }
+    @Test
+    public void testAnalyzerInvalidCommit() throws Exception{
+        final var component = new Component();
+        component.setPurl(new PackageURL("pkg:github/CycloneDX/cdxgen@0000000"));
+
+        final var analyzer = new GithubMetaAnalyzer();
+        Assert.assertTrue(analyzer.isApplicable(component));
+        Assert.assertEquals(RepositoryType.GITHUB, analyzer.supportedRepositoryType());
+
+        MetaModel metaModel = analyzer.analyze(component);
+        Assert.assertNotNull(metaModel.getLatestVersion());
+        Assert.assertNull(metaModel.getPublishedTimestamp());
+    }
+
+        @Test
+    public void testAnalyzerInvalidRelease() throws Exception{
+        final var component = new Component();
+        component.setPurl(new PackageURL("pkg:github/CycloneDX/cdxgen@invalid-release"));
+
+        final var analyzer = new GithubMetaAnalyzer();
+        Assert.assertTrue(analyzer.isApplicable(component));
+        Assert.assertEquals(RepositoryType.GITHUB, analyzer.supportedRepositoryType());
+
+        MetaModel metaModel = analyzer.analyze(component);
+        Assert.assertNotNull(metaModel.getLatestVersion());
+        Assert.assertNull(metaModel.getPublishedTimestamp());
+    }
 }