Check if PURL is valid before adding it to queries (#291)

This is also probably where having a verbosity level when reporting could be useful. By default we probably would not want to print out every invalid PURL, but this could be helpful if someone wants to find what invalid PURLs they have in their SBOM.
google · Mar 14, 2023 · 3d7d6c5 · 3d7d6c5
1 parent 96a62e9
commit 3d7d6c5
Showing 1 changed file with 11 additions and 0 deletions.
diff --git a/pkg/osvscanner/osvscanner.go b/pkg/osvscanner/osvscanner.go
@@ -237,7 +237,14 @@ func scanSBOMFile(r *output.Reporter, query *osv.BatchedQuery, path string) erro
 		defer file.Close()
 
 		count := 0
+		ignoredCount := 0
 		err = provider.GetPackages(file, func(id sbom.Identifier) error {
+			_, err := PURLToPackage(id.PURL)
+			if err != nil {
+				ignoredCount++
+				//nolint:nilerr
+				return nil
+			}
 			purlQuery := osv.MakePURLRequest(id.PURL)
 			purlQuery.Source = models.SourceInfo{
 				Path: path,
@@ -251,6 +258,10 @@ func scanSBOMFile(r *output.Reporter, query *osv.BatchedQuery, path string) erro
 		if err == nil {
 			// Found the right format.
 			r.PrintText(fmt.Sprintf("Scanned %s as %s SBOM and found %d packages\n", path, provider.Name(), count))
+			if ignoredCount > 0 {
+				r.PrintText(fmt.Sprintf("Ignored %d packages with invalid PURLs\n", ignoredCount))
+			}
+
 			return nil
 		}