@@ -48,9 +48,6 @@ def find_line_in_file(packagename: str, packageversion: str, manifest_file: str)
4848 file_type = Path (manifest_file ).name
4949 logging .debug ("Processing file for line lookup: %s" , manifest_file )
5050
51- # ----------------------------------------------------
52- # 1) JSON-based manifest files
53- # ----------------------------------------------------
5451 if file_type in ["package-lock.json" , "Pipfile.lock" , "composer.lock" ]:
5552 try :
5653 with open (manifest_file , "r" , encoding = "utf-8" ) as f :
@@ -72,7 +69,6 @@ def find_line_in_file(packagename: str, packageversion: str, manifest_file: str)
7269 found_key = key
7370 found_info = value
7471 break
75-
7672 if found_key and found_info :
7773 needle_key = f'"{ found_key } ":'
7874 lines = raw_text .splitlines ()
@@ -88,13 +84,9 @@ def find_line_in_file(packagename: str, packageversion: str, manifest_file: str)
8884 logging .error ("Error reading %s: %s" , manifest_file , e )
8985 return 1 , f"Error reading { manifest_file } "
9086
91- # ----------------------------------------------------
92- # 2) Text-based / line-based manifests
93- # ----------------------------------------------------
94- # For pnpm-lock.yaml, use a different pattern since its format is YAML.
87+ # For pnpm-lock.yaml, use a special regex pattern.
9588 if file_type .lower () == "pnpm-lock.yaml" :
96- # Example pattern: /bitget-main/19.4.9:
97- searchstring = rf'/{ re .escape (packagename )} /{ re .escape (packageversion )} :'
89+ searchstring = rf'^\s*/{ re .escape (packagename )} /{ re .escape (packageversion )} :'
9890 else :
9991 search_patterns = {
10092 "package.json" : rf'"{ packagename } ":\s*"[\^~]?{ re .escape (packageversion )} "' ,
@@ -176,9 +168,9 @@ def create_security_comment_sarif(diff) -> dict:
176168 based on manifest type and improved <br/> formatting for GitHub SARIF display.
177169
178170 This function now:
179- - Accepts multiple manifest files from alert.introduced_by or alert.manifests .
180- - Generates an individual SARIF result for each manifest file.
181- - Appends the manifest file name to the rule ID and name for uniqueness .
171+ - Processes every alert in diff.new_alerts .
172+ - For alerts with multiple manifest files, generates an individual SARIF result for each file.
173+ - Appends the manifest file name to the rule ID and name to make each result unique .
182174 - Does NOT fall back to 'requirements.txt' if no manifest file is provided.
183175 - Adds detailed logging to validate our assumptions.
184176 """
@@ -211,9 +203,7 @@ def create_security_comment_sarif(diff) -> dict:
211203 base_rule_id = f"{ pkg_name } =={ pkg_version } "
212204 severity = alert .severity
213205
214- # Log raw alert data for manifest extraction.
215206 logging .debug ("Alert %s - introduced_by: %s, manifests: %s" , base_rule_id , alert .introduced_by , getattr (alert , 'manifests' , None ))
216-
217207 manifest_files = []
218208 if alert .introduced_by and isinstance (alert .introduced_by , list ):
219209 for entry in alert .introduced_by :
@@ -232,7 +222,7 @@ def create_security_comment_sarif(diff) -> dict:
232222
233223 logging .debug ("Alert %s - using manifest_files for processing: %s" , base_rule_id , manifest_files )
234224
235- # For each manifest file, create an individual SARIF result.
225+ # Create an individual SARIF result for each manifest file .
236226 for mf in manifest_files :
237227 logging .debug ("Alert %s - Processing manifest file: %s" , base_rule_id , mf )
238228 socket_url = Messages .get_manifest_type_url (mf , pkg_name , pkg_version )
@@ -241,7 +231,7 @@ def create_security_comment_sarif(diff) -> dict:
241231 line_number = 1
242232 logging .debug ("Alert %s: Manifest %s, line %d: %s" , base_rule_id , mf , line_number , line_content )
243233
244- # Create a unique rule id and name by appending the file name .
234+ # Create a unique rule id and name by appending the manifest file .
245235 unique_rule_id = f"{ base_rule_id } ({ mf } )"
246236 rule_name = f"Alert { base_rule_id } ({ mf } )"
247237
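Review bot: The rewritten pnpm pattern (new line 89) now escapes both packagename and packageversion, but the `package.json` entry two lines below it (context line 92) still interpolates `packagename` unescaped into the regex, so a `.` in an npm name matches any character and any other metacharacter in a name would alter the pattern; for consistency with the line this commit just fixed, make it `"package.json": rf'"{re.escape(packagename)}":\s*"[\^~]?{re.escape(packageversion)}"',`. The `search_patterns` dict and the rest of find_line_in_file continue outside the hunk, so the remaining entries deserve the same check. The anchored `^\s*/name/version:` form appears to target the older pnpm lockfile key layout; if newer lockfileVersion files (which, as far as I recall, key packages as `/name@version:` and later drop the leading slash) are expected, the match would silently miss and presumably end in the `line_number = 1` fallback visible in the later hunk. A one-line comment on the `if file_type.lower() == "pnpm-lock.yaml":` branch stating which lockfile version the pattern assumes would make that limitation explicit.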