advanced-security / component-detection-dependency-submission-action
License: MIT License
Error on windows runners
Error: Error: Unable to locate executable file: D:\a\Automapper.Sample\Automapper.Sample\component-detection. Please verify either the file path exists or the file can be found within a directory specified by the PATH environment variable. Also verify the file has a valid extension for an executable file.
Getting manifests from results
Error: ENOENT: no such file or directory, open './output.json'
at Object.openSync (node:fs:585:3)
at Object.readFileSync (node:fs:453:35)
at Function.<anonymous> (D:\a\_actions\advanced-security\component-detection-dependency-submission-action\v0.0.1\webpack:\component-detection-action\componentDetection.ts:73:1)
at Generator.next (<anonymous>)
at D:\a\_actions\advanced-security\component-detection-dependency-submission-action\v0.0.1\dist\index.js:23307:71
at new Promise (<anonymous>)
at __webpack_modules__.4878.__awaiter (D:\a\_actions\advanced-security\component-detection-dependency-submission-action\v0.0.1\dist\index.js:23303:12)
at Function.getManifestsFromResults (D:\a\_actions\advanced-security\component-detection-dependency-submission-action\v0.0.1\dist\index.js:23370:16)
at Function.<anonymous> (D:\a\_actions\advanced-security\component-detection-dependency-submission-action\v0.0.1\webpack:\component-detection-action\componentDetection.ts:28:1)
at Generator.next (<anonymous>)
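The Windows failure above comes from looking up a binary named "component-detection" with no extension. As an added example (not the action's own code), the following TypeScript resolves a tool name in a platform-aware way: on win32 it tries the ".exe" form first, searches the working directory and then every PATH entry, and reports every candidate it tried when nothing is found. The function and option names are hypothetical.

```typescript
// Added example, not the action's own code: locate a tool binary in a
// platform-aware way. The runner log above shows the action looking for
// "component-detection" with no ".exe" on a Windows runner.
import * as fs from "fs";
import * as path from "path";

// File names to try for a tool on a platform. Windows needs an extension, so
// ".exe" comes first there; the bare name stays as a fallback.
export function candidateNames(tool: string, platform: string): string[] {
  return platform === "win32" ? [`${tool}.exe`, tool] : [tool];
}

export interface LookupOptions {
  cwd: string;      // directory the action runs in (checked first)
  pathEnv: string;  // contents of the PATH variable
  platform: string; // value of process.platform, e.g. "win32" or "linux"
}

// Return the first candidate that exists as a regular file in cwd or on PATH,
// or null when none does. Lookups are read-only; nothing is executed here.
export function locateExecutable(tool: string, opts: LookupOptions): string | null {
  const sep = opts.platform === "win32" ? ";" : ":";
  const dirs = [opts.cwd].concat(opts.pathEnv.split(sep).filter((d) => d.length > 0));
  for (const dir of dirs) {
    for (const name of candidateNames(tool, opts.platform)) {
      const full = path.join(dir, name);
      try {
        if (fs.statSync(full).isFile()) {
          return full;
        }
      } catch {
        // ENOENT or similar: not in this directory, keep searching
      }
    }
  }
  return null;
}

// Same lookup, but the error names every candidate and location tried, which
// is the detail a reader of the runner log above has to reconstruct by hand.
export function requireExecutable(tool: string, opts: LookupOptions): string {
  const found = locateExecutable(tool, opts);
  if (found === null) {
    throw new Error(
      `Unable to locate ${candidateNames(tool, opts.platform).join(" or ")} ` +
        `in ${opts.cwd} or on PATH`
    );
  }
  return found;
}

// Options built from the current process, for use inside an action step.
export function defaultOptions(): LookupOptions {
  return {
    cwd: process.cwd(),
    pathEnv: process.env.PATH || "",
    platform: process.platform,
  };
}
```

Call `requireExecutable("component-detection", defaultOptions())` inside the step; on a Windows runner the ".exe" candidate is found first, and on a Linux runner only the bare name is tried.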
When using this action (or more specifically, microsoft/component-detection), the generated manifests have a location that mismatches the GitHub auto-detection. This causes duplicate entries in the GitHub dependency graph. For example, please see this screenshot:
Note how this screenshot shows a discrepancy between the two paths for the same artifact - the one found by this action has a leading / character while the one auto-detected by GitHub does not, and therefore GitHub continues to think I have 2 different manifests. I used microsoft/component-detection to confirm the JSON details:
I believe that these lines of code in this repository could be touched to remove the leading / from every locationsFoundAt value:
While microsoft/component-detection is the software that's producing the initial manifest, I believe this repository is bridging the gap between general dependency manifest generation and specific uploading to GitHub. I believe either this repository should handle this discrepancy, or GitHub's dependency submission API should (but I wouldn't know where to submit such a request).
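The normalization the issue asks for, as an added example rather than code from this action or from microsoft/component-detection: strip the leading slash (and any backslashes) from every locationsFoundAt value before grouping components into manifests, so that "/src/App.csproj" and "src/App.csproj" collapse into one entry. The scan-result shape is a constructed sample; only the locationsFoundAt field name comes from the issue, and the other field names, the package names and the versions are assumptions made for illustration.

```typescript
// Added example, not the action's own code. Normalizes manifest paths in a
// component-detection style scan result so that the same manifest written
// with and without a leading "/" is recorded once. Field names other than
// locationsFoundAt are assumptions for illustration.
interface DetectedComponent {
  component: { name: string; version: string };
  locationsFoundAt: string[];
}

interface ScanResult {
  componentsFound: DetectedComponent[];
}

// Strip leading slashes or backslashes and use forward slashes throughout,
// matching the repo-relative form GitHub's auto-detection reports.
export function normalizeManifestPath(p: string): string {
  return p.replace(/\\/g, "/").replace(/^\/+/, "");
}

// Group packages by normalized manifest path. A package found under both
// spellings of one path is kept once; the result is sorted for stable output.
export function manifestsByPath(result: ScanResult): Map<string, string[]> {
  const grouped = new Map<string, Set<string>>();
  for (const found of result.componentsFound) {
    const pkg = `${found.component.name}@${found.component.version}`;
    for (const loc of found.locationsFoundAt) {
      const key = normalizeManifestPath(loc);
      let bucket = grouped.get(key);
      if (bucket === undefined) {
        bucket = new Set<string>();
        grouped.set(key, bucket);
      }
      bucket.add(pkg);
    }
  }
  const out = new Map<string, string[]>();
  Array.from(grouped.entries()).forEach(([key, pkgs]) => {
    out.set(key, Array.from(pkgs).sort());
  });
  return out;
}

// Constructed sample scan result (not real tool output): the second package
// appears under both spellings of the same manifest path.
export const SAMPLE: ScanResult = {
  componentsFound: [
    { component: { name: "AutoMapper", version: "1.0.0" }, locationsFoundAt: ["/src/App.csproj"] },
    {
      component: { name: "Newtonsoft.Json", version: "2.0.0" },
      locationsFoundAt: ["src/App.csproj", "/src/App.csproj"],
    },
  ],
};
```

Running `manifestsByPath(SAMPLE)` yields a single "src/App.csproj" manifest with two packages; without `normalizeManifestPath` the same input produces two manifests, which is the duplication the screenshot in the issue describes.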
The Action uses Octokit to download microsoft/component-detection but does not specify that it should be from github.com. This means use on GitHub Enterprise Server leads to trying to resolve that org/repo on the local server, which fails with a 404.
You can work around this by manually downloading the appropriate release binary in the Actions workflow before running this Action, e.g. with wget.
It then attempts to submit using the Dependency Submission Toolkit. I haven't worked out precisely why, but this fails with a Cannot read properties of null (reading 'toString') error in the toolkit.
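The GHES report above turns on two hosts that must be kept apart: the upstream binary lives on github.com, while the dependency snapshot has to be submitted to the server the workflow runs on. The following TypeScript is an added example, not code from this action, that makes the split explicit and refuses an unpinned release tag. The release asset names, the function names and the environment shape are assumptions for illustration; check the real release page for the actual asset names before using such a download step.

```typescript
// Added example, not the action's own code: keep the upstream download host
// (always github.com) separate from the submission host (GITHUB_API_URL on
// GHES, falling back to dotcom). Asset names below are an assumption.
export interface DownloadPlan {
  downloadUrl: string;   // where the upstream binary is fetched from
  submitApiBase: string; // where the dependency snapshot is submitted
}

const UPSTREAM_REPO = "microsoft/component-detection";
const DOTCOM_API = "https://api.github.com";

// Assumed naming scheme for release assets; not taken from the real releases.
export function assetNameFor(platform: string): string {
  return platform === "win32"
    ? "component-detection-win-x64.exe"
    : `component-detection-${platform}-x64`;
}

// Build the plan from the runner environment. The tag must be a pinned
// semantic version so a workflow never silently picks up a newer binary.
export function planDownload(
  env: { [key: string]: string | undefined },
  tag: string,
  platform: string
): DownloadPlan {
  if (!/^v?\d+\.\d+\.\d+$/.test(tag)) {
    throw new Error(`refusing unpinned release tag: ${tag}`);
  }
  return {
    downloadUrl:
      `https://github.com/${UPSTREAM_REPO}/releases/download/${tag}/` +
      assetNameFor(platform),
    submitApiBase: env.GITHUB_API_URL || DOTCOM_API,
  };
}

// Guard used before fetching: the upstream URL must point at github.com even
// when GITHUB_SERVER_URL and GITHUB_API_URL name an enterprise server.
export function isDotcomHost(url: string): boolean {
  return new URL(url).host === "github.com";
}
```

In a workflow the returned `downloadUrl` is what a wget step fetches, and `submitApiBase` is what the submission call should be pointed at; on github.com both resolve to the public hosts, on GHES only the second one changes.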