[BUG] Vulnerability, License and ScoreCard Info missing for API Dependency Submission
Describe the bug
When submitting dependencies via the Dependency Submission API, License and ScoreCard Info is empty.
To Reproduce
Steps to reproduce the behavior:
- Report Dependencies via API. Example Snapshot: https://api.github.com/repos/erlef/mix-dependency-submission/dependency-graph/snapshots/25157313

```json
// ...
"nimble_parsec": {
  "package_url": "pkg:hex/nimble_parsec@1.4.2?checksum=sha256:4b21398942dda052b403bbe1da991ccd03a053668d147d53fb8c4e0efe09c973&download_url=https:%2F%2Frepo.hex.pm%2Ftarballs%2Fnimble_parsec-1.4.2.tar.gz&vcs_url=https:%2F%2Fgithub.com%2Fdashbitco%2Fnimble_parsec",
  "metadata": {
    "license": "Apache-2.0"
  },
  "relationship": "indirect",
  "scope": "runtime"
},
// ...
```
As you can see, we provided a vcs_url qualifier with the Package URL as well as an SPDX License Expression in metadata.license.
- Run this action

When calling the dependency graph compare API by hand, we can see:
https://api.github.com/repos/erlef/mix-dependency-submission/dependency-graph/compare/a534dacf276a29a6cf9cb4e989496b0c3c380c1f...81ba5ac7847ad5cd8df6f8d40709b9be4de70f94

```json
// ...
{
  "change_type": "added",
  "manifest": "mix.exs",
  "ecosystem": "unknown",
  "name": "nimble_parsec",
  "version": "1.4.2",
  "package_url": "pkg:hex/nimble_parsec@1.4.2?checksum=sha256:4b21398942dda052b403bbe1da991ccd03a053668d147d53fb8c4e0efe09c973&download_url=https:%2F%2Frepo.hex.pm%2Ftarballs%2Fnimble_parsec-1.4.2.tar.gz&vcs_url=https:%2F%2Fgithub.com%2Fdashbitco%2Fnimble_parsec",
  "license": null,
  "source_repository_url": null,
  "scope": "runtime",
  "vulnerabilities": [
  ]
},
// ...
```
Expected behavior
GitHub should be able to detect the source repository backing the purl based on the vcs_url. Based on that, it should be able to defer both the license and also the ScoreCard Score.
It works for neither hex nor github purl types.
Screenshots
https://github.com/erlef/mix-dependency-submission/actions/runs/14682945374?pr=118
Action version
4.6.0
Examples
- Dependency Submission: https://github.com/erlef/mix-dependency-submission/blob/81ba5ac7847ad5cd8df6f8d40709b9be4de70f94/action.yml
- Dependency Review: https://github.com/erlef/mix-dependency-submission/blob/81ba5ac7847ad5cd8df6f8d40709b9be4de70f94/.github/workflows/pr.yml#L56-L72
Additional context
- Snapshot: https://api.github.com/repos/erlef/mix-dependency-submission/dependency-graph/snapshots/25157313
- Compare API: https://api.github.com/repos/erlef/mix-dependency-submission/dependency-graph/compare/a534dacf276a29a6cf9cb4e989496b0c3c380c1f...81ba5ac7847ad5cd8df6f8d40709b9be4de70f94
vcs_url and the license metadata were introduced in #118. The latest release (v1.1.0) does not yet contain the functionality.
Same with Vulnerabilities:
(This test project is using the latest stable release which does not yet contain vcs_url and license metadata. I specifically created it to test the vulnerability part.)
This PR introduces pkg:hex/oidcc@3.0.1. The vulnerability is however not detected by this action.
- Vulnerability: https://osv.dev/vulnerability/GHSA-mj35-2rgf-cv8p
- PR: https://github.com/maennchen/test_dep_submission/pull/2
- Submission: https://github.com/maennchen/test_dep_submission/actions/runs/14683405298/job/41208923293
```json
{
  "version": 0,
  "metadata": {},
  "ref": "refs/pull/2/merge",
  "manifests": {
    "mix.exs": {
      "name": "mix.exs",
      "file": {
        "source_location": "mix.exs"
      },
      "metadata": {},
      "resolved": {
        "expo": {
          "scope": "runtime",
          "metadata": {},
          "package_url": "pkg:hex/[email protected]",
          "relationship": "direct"
        },
        "jose": {
          "metadata": {},
          "package_url": "pkg:hex/jose@1.11.10"
        },
        "oidcc": {
          "scope": "runtime",
          "metadata": {},
          "dependencies": [
            "pkg:hex/[email protected]",
            "pkg:hex/[email protected]",
            "pkg:hex/[email protected]"
          ],
          "package_url": "pkg:hex/oidcc@3.0.1",
          "relationship": "direct"
        },
        "telemetry": {
          "metadata": {},
          "package_url": "pkg:hex/telemetry@1.3.0"
        },
        "telemetry_registry": {
          "metadata": {},
          "dependencies": [
            "pkg:hex/[email protected]"
          ],
          "package_url": "pkg:hex/telemetry_registry@0.3.2"
        }
      }
    }
  },
  "sha": "b5b451cfdbc5865e88ded5c454fcd32102efe0b7",
  "job": {
    "id": "report_mix_deps",
    "correlator": "Mix Dependency Submission report_mix_deps"
  },
  "detector": {
    "name": "mix_dependency_submission",
    "version": "1.1.0",
    "url": "https://github.com/erlef/mix-dependency-submission"
  },
  "scanned": "2025-04-26T17:14:59.887069Z"
}
```
- Compare API: https://api.github.com/repos/maennchen/test_dep_submission/dependency-graph/compare/a7266fdd1c6c2057af7f5ce9cc1c62c482f77078...b5b451cfdbc5865e88ded5c454fcd32102efe0b7

```json
[
  {
    "change_type": "added",
    "manifest": "mix.exs",
    "ecosystem": "unknown",
    "name": "jose",
    "version": "1.11.10",
    "package_url": "pkg:hex/jose@1.11.10",
    "license": null,
    "source_repository_url": null,
    "scope": "runtime",
    "vulnerabilities": [
    ]
  },
  {
    "change_type": "added",
    "manifest": "mix.exs",
    "ecosystem": "unknown",
    "name": "oidcc",
    "version": "3.0.1",
    "package_url": "pkg:hex/oidcc@3.0.1",
    "license": null,
    "source_repository_url": null,
    "scope": "runtime",
    "vulnerabilities": [
      // We should have something in here!
    ]
  },
  {
    "change_type": "added",
    "manifest": "mix.exs",
    "ecosystem": "unknown",
    "name": "telemetry",
    "version": "1.3.0",
    "package_url": "pkg:hex/telemetry@1.3.0",
    "license": null,
    "source_repository_url": null,
    "scope": "runtime",
    "vulnerabilities": [
    ]
  },
  {
    "change_type": "added",
    "manifest": "mix.exs",
    "ecosystem": "unknown",
    "name": "telemetry_registry",
    "version": "0.3.2",
    "package_url": "pkg:hex/telemetry_registry@0.3.2",
    "license": null,
    "source_repository_url": null,
    "scope": "runtime",
    "vulnerabilities": [
    ]
  }
]
```
- Output:
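A practitioner triaging this kind of report wants a mechanical way to see exactly which enrichment fields GitHub dropped relative to what the snapshot carried. The script below is an added example, not code from dependency-review-action, mix-dependency-submission or the GitHub API: it parses each submitted Package URL (percent-decoding qualifiers such as `vcs_url`), indexes the snapshot, and walks the compare output flagging entries whose `ecosystem` is `unknown`, whose `license` is `null` although `metadata.license` was submitted, or whose `source_repository_url` is `null` although a `vcs_url` qualifier was submitted. The snapshot and compare documents are constructed inline to mirror the shape of the ones quoted in this issue (the `nimble_parsec` purl is the one from the snapshot above; `example_dep` is a hypothetical package); nothing is fetched live, and the vulnerability list is not judged because that would require an advisory database.

```python
"""Cross-check a Dependency Submission snapshot against dependency-graph compare output.

Added example, not the action's or the API's own code. Inputs are constructed
to mirror the documents quoted in the issue; nothing is fetched from GitHub."""
import json
from urllib.parse import unquote

# Purl taken from the snapshot quoted in the issue (hex package with vcs_url qualifier).
NIMBLE_PARSEC_PURL = (
    "pkg:hex/nimble_parsec@1.4.2"
    "?checksum=sha256:4b21398942dda052b403bbe1da991ccd03a053668d147d53fb8c4e0efe09c973"
    "&download_url=https:%2F%2Frepo.hex.pm%2Ftarballs%2Fnimble_parsec-1.4.2.tar.gz"
    "&vcs_url=https:%2F%2Fgithub.com%2Fdashbitco%2Fnimble_parsec"
)

# Constructed snapshot fragment: one package with vcs_url + SPDX license, one without.
SNAPSHOT = {
    "manifests": {
        "mix.exs": {
            "name": "mix.exs",
            "resolved": {
                "nimble_parsec": {
                    "package_url": NIMBLE_PARSEC_PURL,
                    "metadata": {"license": "Apache-2.0"},
                    "relationship": "indirect",
                    "scope": "runtime",
                },
                "example_dep": {  # hypothetical package, no metadata submitted
                    "package_url": "pkg:hex/example_dep@0.1.0",
                    "metadata": {},
                    "relationship": "direct",
                    "scope": "runtime",
                },
            },
        }
    }
}

# Constructed compare output in the shape the API returned in this issue.
COMPARE = [
    {"change_type": "added", "manifest": "mix.exs", "ecosystem": "unknown",
     "name": "nimble_parsec", "version": "1.4.2", "package_url": NIMBLE_PARSEC_PURL,
     "license": None, "source_repository_url": None, "scope": "runtime", "vulnerabilities": []},
    {"change_type": "added", "manifest": "mix.exs", "ecosystem": "unknown",
     "name": "example_dep", "version": "0.1.0", "package_url": "pkg:hex/example_dep@0.1.0",
     "license": None, "source_repository_url": None, "scope": "runtime", "vulnerabilities": []},
]

UNKNOWN_ECOSYSTEM = "ecosystem reported as unknown, so no enrichment can be expected"
LICENSE_DROPPED = "metadata.license was submitted but compare returned license=null"
REPO_DROPPED = "vcs_url qualifier was submitted but compare returned source_repository_url=null"
NOT_SUBMITTED = "compare entry has no matching package in the submitted snapshot"


def parse_purl(purl):
    """Split a Package URL into type, namespace, name, version and percent-decoded qualifiers."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    body = purl[len("pkg:"):].lstrip("/")
    body, _, subpath = body.partition("#")        # optional subpath comes last
    body, _, qualifier_str = body.partition("?")  # qualifiers sit between '?' and '#'
    ptype, _, rest = body.partition("/")
    if "@" in rest:
        name_part, _, version = rest.rpartition("@")
    else:
        name_part, version = rest, ""
    *namespace, name = name_part.split("/")
    qualifiers = {}
    for pair in filter(None, qualifier_str.split("&")):
        key, _, value = pair.partition("=")
        qualifiers[key.lower()] = unquote(value)  # e.g. https:%2F%2F... -> https://...
    return {"type": ptype.lower(), "namespace": "/".join(namespace), "name": unquote(name),
            "version": unquote(version), "qualifiers": qualifiers, "subpath": subpath}


def submitted_packages(snapshot):
    """Index the snapshot by (type, name, version) with the enrichment hints it carried."""
    index = {}
    for manifest in snapshot["manifests"].values():
        for entry in manifest.get("resolved", {}).values():
            parsed = parse_purl(entry["package_url"])
            index[(parsed["type"], parsed["name"], parsed["version"])] = {
                "license": entry.get("metadata", {}).get("license"),
                "vcs_url": parsed["qualifiers"].get("vcs_url"),
            }
    return index


def audit_compare(snapshot, compare_entries):
    """Return one finding per enrichment gap, in compare order, as {package, problem, submitted}."""
    submitted = submitted_packages(snapshot)
    findings = []
    for change in compare_entries:
        parsed = parse_purl(change["package_url"])
        hints = submitted.get((parsed["type"], parsed["name"], parsed["version"]))
        if hints is None:
            findings.append({"package": change["name"], "problem": NOT_SUBMITTED, "submitted": None})
            continue
        if change.get("ecosystem") == "unknown":
            findings.append({"package": change["name"], "problem": UNKNOWN_ECOSYSTEM, "submitted": parsed["type"]})
        if hints["license"] and change.get("license") is None:
            findings.append({"package": change["name"], "problem": LICENSE_DROPPED, "submitted": hints["license"]})
        if hints["vcs_url"] and change.get("source_repository_url") is None:
            findings.append({"package": change["name"], "problem": REPO_DROPPED, "submitted": hints["vcs_url"]})
    return findings


if __name__ == "__main__":
    print(json.dumps(audit_compare(SNAPSHOT, COMPARE), indent=2))
```

Run against real documents by loading the snapshot and compare JSON from files in place of the constructed `SNAPSHOT` and `COMPARE`; the `ecosystem: unknown` finding is the first thing to look at, since an unrecognised purl type explains why no license, repository or advisory lookup happens downstream.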
👋 This issue has been marked as stale because it has been open with no activity for 180 days. You can: comment on the issue or remove the stale label to hold stalebot off for a while, add the Keep label to hold stale off permanently, or do nothing. If you do nothing, this issue will be closed eventually by the stalebot. Please see CONTRIBUTING.md for more policy details.
Still relevant