Check if PURL is valid before adding it to queries (google#291)

This is also probably where having a verbosity level when reporting could be useful. By default we probably would not want to print out every invalid PURL, but this could be helpful if someone wants to find what invalid PURLs they have in their SBOM.
julieqiu · May 2, 2023 · e619f3a · e619f3a
1 parent 0a8246e
commit e619f3a
Showing 1 changed file with 11 additions and 0 deletions.
diff --git a/pkg/osvscanner/osvscanner.go b/pkg/osvscanner/osvscanner.go
@@ -237,7 +237,14 @@ func scanSBOMFile(r *output.Reporter, query *osv.BatchedQuery, path string) erro
 		defer file.Close()
 
 		count := 0
+		ignoredCount := 0
 		err = provider.GetPackages(file, func(id sbom.Identifier) error {
+			_, err := PURLToPackage(id.PURL)
+			if err != nil {
+				ignoredCount++
+				//nolint:nilerr
+				return nil
+			}
 			purlQuery := osv.MakePURLRequest(id.PURL)
 			purlQuery.Source = models.SourceInfo{
 				Path: path,
@@ -251,6 +258,10 @@ func scanSBOMFile(r *output.Reporter, query *osv.BatchedQuery, path string) erro
 		if err == nil {
 			// Found the right format.
 			r.PrintText(fmt.Sprintf("Scanned %s as %s SBOM and found %d packages\n", path, provider.Name(), count))
+			if ignoredCount > 0 {
+				r.PrintText(fmt.Sprintf("Ignored %d packages with invalid PURLs\n", ignoredCount))
+			}
+
 			return nil
 		}