use url parsing instead of string matching (#1068)

* use url parsing instead of string matching * make sure relevant section of url is at the end of the hostname * force an exact hostname check * use both correct hostnames * Do not attempt to sort the URL if it is invalid * Use strict equality, rename parameter, log invalid URL * remove comment as it's made redundant by log line
guardian · Jun 14, 2024 · 524e0d0 · 524e0d0
1 parent d54e196
commit 524e0d0
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 7 deletions.
diff --git a/package-lock.json b/package-lock.json
diff --git a/packages/repocop/src/evaluation/repository.ts b/packages/repocop/src/evaluation/repository.ts
@@ -1,3 +1,4 @@
+import { URL } from 'url';
 import type {
 	github_languages,
 	github_repository_branches,
@@ -400,13 +401,23 @@ export function evaluateOneRepo(
 }
 
 //create a predicate that orders a list of urls by whether they contain snyk.io first, and then github.com second
-const urlSortPredicate = (url: string) => {
-	if (url.includes('snyk.io')) {
-		return -2;
-	} else if (url.includes('github.com') && url.includes('advisories')) {
-		return -1;
+const urlSortPredicate = (maybeUrl: string) => {
+	try {
+		const url = new URL(maybeUrl);
+
+		if (url.hostname === 'snyk.io' || url.hostname === 'security.snyk.io') {
+			return -2;
+		} else if (
+			url.hostname === 'github.com' &&
+			url.pathname.includes('advisories')
+		) {
+			return -1;
+		}
+		return 0;
+	} catch {
+		console.debug(`Invalid url: ${maybeUrl}`);
+		return 0;
 	}
-	return 0;
 };
 
 export function dependabotAlertToRepocopVulnerability(