actions / dependency-review-action

A GitHub Action for detecting vulnerable dependencies and invalid licenses in your PRs
MIT License

Error: Invalid purl: version must be percent-encoded #613

Closed vanpelt closed 1 year ago

vanpelt commented 1 year ago

My review action is failing with this error. I've searched the codebase for "Invalid purl:" and I'm not finding it. I imagine this is coming from my `allow-dependencies-licenses`; however, I've tried a number of different options and it's still happening. I've explicitly told the action to use v3.1.2. This is my config:

```yaml
jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: "Checkout Repository"
        uses: actions/checkout@v4
      - name: "Dependency Review"
        uses: actions/dependency-review-action@v3.1.2
        with:
          fail-on-severity: high
          deny-licenses: AFL-1.1, AFL-1.2, AFL-2.0, AFL-2.1, AFL-3.0, AGPL-1.0, AGPL-3.0, CC-BY-SA-1.0, CC-BY-SA-2.0, CC-BY-SA-2.0-UK, CC-BY-SA-2.1-JP, CC-BY-SA-2.5, CC-BY-SA-3.0, CC-BY-SA-3.0-AT, CC-BY-SA-3.0-DE, CC-BY-SA-4.0, GFDL-1.1, GFDL-1.2, GFDL-1.3, GPL-1.0, GPL-2.0, GPL-3.0, LGPL-2.1, LGPL-3.0, OSL-1.0, OSL-2.0, OSL-2.1, OSL-3.0, Sleepycat
          comment-summary-in-pr: on-failure
          allow-dependencies-licenses: pkg:npm/jsonify, pkg:golang/golang.org/x
```

spencerschrock commented 1 year ago

+1, I'm also on v3.1.2 (pinned by hash fde92acd0840415674c16b39c7d703fc28bc511e) and recently got this error, although I don't use `allow-dependencies-licenses` (or any inputs). Re-running the failed job didn't help.

```yaml
jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: 'Checkout Repository'
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: 'Dependency Review'
        uses: actions/dependency-review-action@fde92acd0840415674c16b39c7d703fc28bc511e # v3.1.2
```

https://github.com/ossf/scorecard/actions/runs/6817882892/job/18542937995?pr=3660

vanpelt commented 1 year ago

My best guess is this is happening when the action is parsing the changes in `go.mod`. I noticed that @spencerschrock has a couple of indirect deps in `go.mod` that look like:

```
github.com/docker/cli v24.0.7+incompatible // indirect
github.com/docker/distribution v2.8.3+incompatible
```

I also have a couple of packages with `+incompatible`. The purl parser doesn't like the `+`.
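To make the suspected failure mode concrete, here is an added example (not code from the action or this thread) that turns `go.mod` require lines into `pkg:golang` purls and shows why a raw `+` in a Go version such as `v24.0.7+incompatible` fails a "version must be percent-encoded" check; the `go.mod` text and the validation regex are constructed for illustration, and the check only approximates the parser's real rule.

```python
import re
from urllib.parse import quote

# Constructed sample go.mod fragment (not taken from the issue's repositories).
GO_MOD = """
module example.com/demo

require (
    github.com/docker/cli v24.0.7+incompatible // indirect
    github.com/docker/distribution v2.8.3+incompatible
    golang.org/x/text v0.14.0
)
"""

# "<module path> <version>" with an optional trailing "// indirect" comment.
REQUIRE_LINE = re.compile(r"^\s*([\w.\-/]+)\s+(v[^\s/]+)")
# Characters a purl version may carry unencoded (plus '%' for escapes);
# '+' is not among them, so it must appear as %2B. Approximation of the real rule.
RAW_VERSION_OK = re.compile(r"^[A-Za-z0-9._~%-]+$")


def parse_go_mod_requires(text):
    """Return (module, version) pairs for every require line in a go.mod."""
    deps = []
    for line in text.splitlines():
        m = REQUIRE_LINE.match(line)
        if m:
            deps.append((m.group(1), m.group(2)))
    return deps


def go_purl(module, version, encode=True):
    """Build a pkg:golang purl. encode=False reproduces the malformed purl
    a naive builder emits when it pastes the Go version in verbatim."""
    v = quote(version, safe="") if encode else version
    return f"pkg:golang/{module}@{v}"


def validate_purl_version(purl):
    """False when the version component carries raw reserved characters such as '+'."""
    if "@" not in purl:
        return True  # no version component to check
    version = purl.rsplit("@", 1)[1]
    return bool(RAW_VERSION_OK.match(version))


if __name__ == "__main__":
    for module, version in parse_go_mod_requires(GO_MOD):
        bad, good = go_purl(module, version, encode=False), go_purl(module, version)
        print(f"{bad}: {validate_purl_version(bad)} | {good}: {validate_purl_version(good)}")
```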

mattpolicane commented 1 year ago

Also seeing the same issue, and I don't use `allow-dependencies-licenses` either.

```yaml
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: "Checkout Repository"
        uses: actions/checkout@v3
      - name: Dependency Review
        uses: actions/dependency-review-action@v3
        with:
          fail-on-severity: critical
```

theztefan commented 1 year ago

Looked at the mentioned repos and managed to replicate this myself. Submitted a fix with #617.

febuiles commented 1 year ago

@theztefan thanks a ton for the PR! I've released version 3.1.3 with the fix.