Prevent crash when using unknown hex repo (#127)

Author: maennchen

lib/mix_dependency_submission/scm/hex/scm.ex

@@ -40,6 +40,9 @@ defmodule MixDependencySubmission.SCM.Hex.SCM do
     qualifiers =
       case repository_url do
         "https://repo.hex.pm" -> %{}
+        # Unknown repository URL, do not include it in the qualifiers
+        # to avoid exposing it in the PURL.
+        nil -> %{}
         ^repository_url -> %{"repository_url" => repository_url}
       end
 
@@ -102,16 +105,31 @@ defmodule MixDependencySubmission.SCM.Hex.SCM do
       end
 
     qualifiers = %{
-      "checksum" => "sha256:#{outer_checksum}",
-      "download_url" => "#{repository_url}/tarballs/#{package_name}-#{version}.tar.gz"
+      "checksum" => "sha256:#{outer_checksum}"
     }
 
     qualifiers =
       case repository_url do
         "https://repo.hex.pm" -> qualifiers
+        # Unknown repository URL, do not include it in the qualifiers
+        # to avoid exposing it in the PURL.
+        nil -> qualifiers
         ^repository_url -> Map.put(qualifiers, "repository_url", repository_url)
       end
 
+    qualifiers =
+      case repository_url do
+        nil ->
+          qualifiers
+
+        ^repository_url ->
+          Map.put(
+            qualifiers,
+            "download_url",
+            "#{repository_url}/tarballs/#{package_name}-#{version}.tar.gz"
+          )
+      end
+
     Purl.new!(%Purl{
       type: "hex",
       namespace: hex_namespace(repo),

test/fixtures/private_repo/mix.exs

@@ -0,0 +1,14 @@
+defmodule AppNameToReplace.MixProject do
+  use Mix.Project
+
+  def project do
+    [
+      app: :app_name_to_replace,
+      version: "0.0.0-dev",
+      deps: [
+        # Using 0ban instead of oban to not confuse actual oban users
+        {:oban_pro, "~> 1.5", repo: "0ban"}
+      ]
+    ]
+  end
+end

test/fixtures/private_repo/mix.lock

@@ -0,0 +1,10 @@
+%{
+  "db_connection": {:hex, :db_connection, "2.7.0", "b99faa9291bb09892c7da373bb82cba59aefa9b36300f6145c5f201c7adf48ec", [:mix], [{:telemetry, "~> 0.4 or ~> 1.0", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "dcf08f31b2701f857dfc787fbad78223d61a32204f217f15e881dd93e4bdd3ff"},
+  "decimal": {:hex, :decimal, "2.3.0", "3ad6255aa77b4a3c4f818171b12d237500e63525c2fd056699967a3e7ea20f62", [:mix], [], "hexpm", "a4d66355cb29cb47c3cf30e71329e58361cfcb37c34235ef3bf1d7bf3773aeac"},
+  "ecto": {:hex, :ecto, "3.12.5", "4a312960ce612e17337e7cefcf9be45b95a3be6b36b6f94dfb3d8c361d631866", [:mix], [{:decimal, "~> 2.0", [hex: :decimal, repo: "hexpm", optional: false]}, {:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: true]}, {:telemetry, "~> 0.4 or ~> 1.0", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "6eb18e80bef8bb57e17f5a7f068a1719fbda384d40fc37acb8eb8aeca493b6ea"},
+  "ecto_sql": {:hex, :ecto_sql, "3.12.1", "c0d0d60e85d9ff4631f12bafa454bc392ce8b9ec83531a412c12a0d415a3a4d0", [:mix], [{:db_connection, "~> 2.4.1 or ~> 2.5", [hex: :db_connection, repo: "hexpm", optional: false]}, {:ecto, "~> 3.12", [hex: :ecto, repo: "hexpm", optional: false]}, {:myxql, "~> 0.7", [hex: :myxql, repo: "hexpm", optional: true]}, {:postgrex, "~> 0.19 or ~> 1.0", [hex: :postgrex, repo: "hexpm", optional: true]}, {:tds, "~> 2.1.1 or ~> 2.2", [hex: :tds, repo: "hexpm", optional: true]}, {:telemetry, "~> 0.4.0 or ~> 1.0", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "aff5b958a899762c5f09028c847569f7dfb9cc9d63bdb8133bff8a5546de6bf5"},
+  "jason": {:hex, :jason, "1.4.4", "b9226785a9aa77b6857ca22832cffa5d5011a667207eb2a0ad56adb5db443b8a", [:mix], [{:decimal, "~> 1.0 or ~> 2.0", [hex: :decimal, repo: "hexpm", optional: true]}], "hexpm", "c5eb0cab91f094599f94d55bc63409236a8ec69a21a67814529e8d5f6cc90b3b"},
+  "oban": {:hex, :oban, "2.19.4", "045adb10db1161dceb75c254782f97cdc6596e7044af456a59decb6d06da73c1", [:mix], [{:ecto_sql, "~> 3.10", [hex: :ecto_sql, repo: "hexpm", optional: false]}, {:ecto_sqlite3, "~> 0.9", [hex: :ecto_sqlite3, repo: "hexpm", optional: true]}, {:igniter, "~> 0.5", [hex: :igniter, repo: "hexpm", optional: true]}, {:jason, "~> 1.1", [hex: :jason, repo: "hexpm", optional: true]}, {:myxql, "~> 0.7", [hex: :myxql, repo: "hexpm", optional: true]}, {:postgrex, "~> 0.16", [hex: :postgrex, repo: "hexpm", optional: true]}, {:telemetry, "~> 0.4 or ~> 1.0", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "5fcc6219e6464525b808d97add17896e724131f498444a292071bf8991c99f97"},
+  "oban_pro": {:hex, :oban_pro, "1.5.4", "15421189431d1d9d1c0bb614ea7a153a36b3036febfcb24f766deb9c725bcfab", [:mix], [{:ecto_sql, "~> 3.10", [hex: :ecto_sql, repo: "hexpm", optional: false]}, {:oban, "~> 2.19", [hex: :oban, repo: "hexpm", optional: false]}, {:postgrex, "~> 0.16", [hex: :postgrex, repo: "hexpm", optional: true]}], "0ban", "f4e57237b17110f9ec55d332aa0c090e17137d2328d8a787350b1772ae64eb57"},
+  "telemetry": {:hex, :telemetry, "1.3.0", "fedebbae410d715cf8e7062c96a1ef32ec22e764197f70cda73d82778d61e7a2", [:rebar3], [], "hexpm", "7015fc8919dbe63764f4b4b87a95b7c0996bd539e0d499be6ec9d7f3875b79e6"},
+}

test/mix_dependency_submission_test.exs

@@ -59,6 +59,82 @@ defmodule MixDependencySubmissionTest do
                )
     end
 
+    @tag :tmp_dir
+    @tag fixture_app: "private_repo"
+    test "generates valid submission for 'private_repo' fixture", %{app_path: app_path} do
+      Mix.Task.rerun("hex.repo", ["remove", "0ban"])
+
+      assert %Submission{manifests: %{"mix.exs" => %Submission.Manifest{resolved: resolved}}} =
+               MixDependencySubmission.submission(
+                 github_job_id: "github_job_id",
+                 github_workflow: "github_workflow",
+                 sha: "sha",
+                 ref: "ref",
+                 project_path: app_path,
+                 paths_relative_to: app_path,
+                 install_deps?: false
+               )
+
+      assert %{
+               "oban_pro" => %Dependency{
+                 scope: :runtime,
+                 metadata: %{},
+                 dependencies: _deps,
+                 relationship: :direct,
+                 package_url: %Purl{
+                   type: "hex",
+                   namespace: ["0ban"],
+                   name: "oban_pro",
+                   version: "1.5.4",
+                   qualifiers: %{
+                     "checksum" => "sha256:f4e57237b17110f9ec55d332aa0c090e17137d2328d8a787350b1772ae64eb57"
+                   }
+                 }
+               }
+             } = resolved
+
+      Mix.Task.rerun("hex.repo", [
+        "add",
+        "0ban",
+        "https://getoban.pro/repo",
+        "--fetch-public-key",
+        "SHA256:4/OSKi0NRF91QVVXlGAhb/BIMLnK8NHcx/EWs+aIWPc",
+        "--auth-key",
+        "invalid"
+      ])
+
+      assert %Submission{manifests: %{"mix.exs" => %Submission.Manifest{resolved: resolved}}} =
+               MixDependencySubmission.submission(
+                 github_job_id: "github_job_id",
+                 github_workflow: "github_workflow",
+                 sha: "sha",
+                 ref: "ref",
+                 project_path: app_path,
+                 paths_relative_to: app_path,
+                 install_deps?: false
+               )
+
+      assert %{
+               "oban_pro" => %Dependency{
+                 scope: :runtime,
+                 metadata: %{},
+                 dependencies: _deps,
+                 relationship: :direct,
+                 package_url: %Purl{
+                   type: "hex",
+                   namespace: ["0ban"],
+                   name: "oban_pro",
+                   version: "1.5.4",
+                   qualifiers: %{
+                     "checksum" => "sha256:f4e57237b17110f9ec55d332aa0c090e17137d2328d8a787350b1772ae64eb57",
+                     "download_url" => "https://getoban.pro/repo/tarballs/oban_pro-1.5.4.tar.gz",
+                     "repository_url" => "https://getoban.pro/repo"
+                   }
+                 }
+               }
+             } = resolved
+    end
+
     @tag :tmp_dir
     test "empty submission for project without mix.exs", %{tmp_dir: tmp_dir} do
       Util.in_project(tmp_dir, fn _mix_module ->