chore: improve commit finder and input handling (#741)

Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>

Author: benmss

scripts/dev_scripts/integration_tests.sh

@@ -262,9 +262,9 @@ echo "apache/maven: Analyzing using a CycloneDx SBOM file of a software componen
 echo -e "----------------------------------------------------------------------------------\n"
 SBOM_FILE=$WORKSPACE/tests/dependency_analyzer/cyclonedx/resources/private_mirror_apache_maven.json
 DEP_EXPECTED=$WORKSPACE/tests/dependency_analyzer/expected_results/private_mirror_apache_maven.json
-DEP_RESULT=$WORKSPACE/output/reports/private_domain_com/apache/maven/dependencies.json
+DEP_RESULT=$WORKSPACE/output/reports/private-domain_com/apache/maven/dependencies.json
 
-$RUN_MACARON analyze -purl pkg:private_domain.com/apache/maven -sbom "$SBOM_FILE" || log_fail
+$RUN_MACARON analyze -purl pkg:private-domain.com/apache/maven -sbom "$SBOM_FILE" || log_fail
 
 check_or_update_expected_output $COMPARE_DEPS $DEP_RESULT $DEP_EXPECTED || log_fail
 

src/macaron/repo_finder/commit_finder.py

@@ -101,6 +101,7 @@
 hex_only_pattern = re.compile("^[0-9a-f]+$", flags=re.IGNORECASE)
 numeric_only_pattern = re.compile("^[0-9]+$")
 versioned_string = re.compile("^([a-z]+)(0*)([1-9]+[0-9]*)$", flags=re.IGNORECASE)  # e.g. RC1, M5, etc.
+multiple_zero_pattern = re.compile("^0+$")
 
 
 class AbstractPurlType(Enum):
@@ -307,6 +308,7 @@ def _build_version_pattern(name: str, version: str) -> tuple[Pattern | None, lis
     if not version:
         return None, []
 
+    # Escape input to prevent it being treated as regex.
     name = re.escape(name)
 
     # The version is split on non-alphanumeric characters to separate the version parts from the non-version parts.
@@ -328,8 +330,8 @@ def _build_version_pattern(name: str, version: str) -> tuple[Pattern | None, lis
 
     this_version_pattern = ""
     has_non_numeric_suffix = False
-    # Detect versions that end with a zero, so the zero can be made optional.
-    has_trailing_zero = len(split) > 2 and split[-1] == "0"
+    # Detect versions that end with a zero number (0, 00, 000, etc.), so that part can be made optional.
+    has_trailing_zero = len(split) > 2 and multiple_zero_pattern.match(split[-1])
     for count, part in enumerate(parts):
         numeric_only = numeric_only_pattern.match(part)
 
@@ -344,7 +346,7 @@ def _build_version_pattern(name: str, version: str) -> tuple[Pattern | None, lis
         # This part will be made optional in the regex if it matches the correct requirements:
         # - There is more than one version part, e.g. 1.2 (2), 1.2.3 (3)
         # - AND either of:
-        #   - This is the last version part and it has a trailing zero, e.g. 10
+        #   - This is the last version part, and it has a trailing zero, e.g. 10
         #   - OR has_non_numeric_suffix is True (See its comments above for more details)
         optional = len(split) > 1 and ((count == len(split) - 1 and has_trailing_zero) or has_non_numeric_suffix)
 
@@ -356,6 +358,10 @@ def _build_version_pattern(name: str, version: str) -> tuple[Pattern | None, lis
         elif count > 1:
             this_version_pattern = this_version_pattern + INFIX_3
 
+        if numeric_only:
+            # Allow for any number of preceding zeros when the part is numeric only. E.g. 000 + 1, 0 + 20
+            this_version_pattern = this_version_pattern + "0*"
+
         # Add the current part to the pattern.
         this_version_pattern = this_version_pattern + part
 

src/macaron/slsa_analyzer/analyzer.py

@@ -4,6 +4,7 @@
 """This module handles the cloning and analyzing a Git repo."""
 import logging
 import os
+import re
 import sys
 from datetime import datetime, timezone
 from pathlib import Path
@@ -304,6 +305,9 @@ def run_single(
         repo_id = config.get_value("id")
         try:
             parsed_purl = Analyzer.parse_purl(config)
+            # Validate PURL type as per https://github.com/package-url/purl-spec/blob/master/PURL-SPECIFICATION.rst
+            if parsed_purl and not re.match(r"^[a-z.+-][a-z0-9.+-]*$", parsed_purl.type):
+                raise InvalidPURLError(f"Invalid purl type: {parsed_purl.type}")
         except InvalidPURLError as error:
             logger.error(error)
             return Record(

tests/e2e/repo_finder/resources/tags.json

@@ -303726,5 +303726,77 @@
                 "comment": ""
             }
         ]
+    },
+    {
+        "tags": [
+            "2015.04.28",
+            "2015.09.06",
+            "2015.09.06.1",
+            "2015.09.06.2",
+            "2015.11.20",
+            "2015.11.20.1",
+            "2016.02.28",
+            "2016.08.02",
+            "2016.08.08",
+            "2016.08.31",
+            "2016.09.26",
+            "2017.01.23",
+            "2017.04.17",
+            "2017.07.27",
+            "2017.07.27.1",
+            "2017.11.05",
+            "2018.01.18",
+            "2018.04.16",
+            "2018.08.13",
+            "2018.08.24",
+            "2018.10.15",
+            "2018.11.29",
+            "2019.03.09",
+            "2019.06.16",
+            "2019.09.11",
+            "2019.11.28",
+            "2020.04.05",
+            "2020.04.05.1",
+            "2020.04.05.2",
+            "2020.06.20",
+            "2020.11.08",
+            "2020.12.05",
+            "2021.05.30",
+            "2021.10.08",
+            "2022.05.18",
+            "2022.05.18.1",
+            "2022.06.15",
+            "2022.06.15.1",
+            "2022.06.15.2",
+            "2022.09.14",
+            "2022.09.24",
+            "2022.12.07",
+            "2023.05.07",
+            "2023.07.22",
+            "2023.11.17",
+            "2024.02.02",
+            "v1.0.0",
+            "v1.0.1"
+        ],
+        "artifacts": [
+            {
+                "purl": "pkg:pypi/certifi@2024.2.2",
+                "repo": "https://github.com/certifi/python-certifi",
+                "match": "2024.02.02",
+                "comment": ""
+            },
+            {
+                "purl": "pkg:pypi/certifi@2022.5.18",
+                "repo": "https://github.com/certifi/python-certifi",
+                "match": "2022.05.18",
+                "comment": ""
+            },
+            {
+                "purl": "pkg:pypi/certifi@1.0.1",
+                "repo": "https://github.com/certifi/python-certifi",
+                "match": "v1.0.1",
+                "comment": ""
+            }
+        ]
     }
 ]