advanced-security / component-detection-dependency-submission-action Goto Github PK

Error on windows runners

Error: Error: Unable to locate executable file: D:\a\Automapper.Sample\Automapper.Sample\component-detection. Please verify either the file path exists or the file can be found within a directory specified by the PATH environment variable. Also verify the file has a valid extension for an executable file.
Getting manifests from results
Error: ENOENT: no such file or directory, open './output.json'
    at Object.openSync (node:fs:585:3)
    at Object.readFileSync (node:fs:453:35)
    at Function.<anonymous> (D:\a\_actions\advanced-security\component-detection-dependency-submission-action\v0.0.1\webpack:\component-detection-action\componentDetection.ts:73:1)
    at Generator.next (<anonymous>)
    at D:\a\_actions\advanced-security\component-detection-dependency-submission-action\v0.0.1\dist\index.js:23307:71
    at new Promise (<anonymous>)
    at __webpack_modules__.4878.__awaiter (D:\a\_actions\advanced-security\component-detection-dependency-submission-action\v0.0.1\dist\index.js:23303:[12](https://github.com/octodemo/Automapper.Sample/actions/runs/4889284343/jobs/8727665843#step:6:13))
    at Function.getManifestsFromResults (D:\a\_actions\advanced-security\component-detection-dependency-submission-action\v0.0.1\dist\index.js:23370:[16](https://github.com/octodemo/Automapper.Sample/actions/runs/4889284343/jobs/8727665843#step:6:17))
    at Function.<anonymous> (D:\a\_actions\advanced-security\component-detection-dependency-submission-action\v0.0.1\webpack:\component-detection-action\componentDetection.ts:28:1)
    at Generator.next (<anonymous>)

When using this action (or more specifically, microsoft/component-detection), the generated manifests have a location that mismatches the GitHub auto-detection. This causes duplicate entries in the GitHub dependency graph. For example, please see this screenshot:

Note how this screenshot shows a discrepancy between the two paths for the same artifact - the one found by this action has a leading / character while the one auto-detected by GitHub does not, and therefore GitHub continues to think I have 2 different manifests. I used microsoft/component-detection to confirm the JSON details:

I believe that these lines of code in this repository could be touched to remove the leading / from every locationsFoundAt value:

While microsoft/component-detection is the software that's producing the initial manifest, I believe this repository is bridging the gap between general dependency manifest generation and specific uploading to GitHub. I believe either this repository should handle this discrepancy, or GitHub's dependency submission API should (but I wouldn't know where to submit such a request).

The Action uses Octokit to download microsoft/component-detection but does not specify that it should be from github.com. This means use on GitHub Enterprise Server leads to trying to resolve that org/repo on the local server, which fails with a 404.

You can work around this by manually downloading the appropriate release binary in the Actions workflow before running this Action, e.g. with wget.

It then attempts to submit using the Dependency Submission Toolkit. I haven't worked out precisely why, but this fails with a Cannot read properties of null (reading 'toString') error in the toolkit.