Thanks to visit codestin.com
Credit goes to github.com

Skip to content

🐛 Ensure % character in the artifactLocation in sarif output are escaped #4619

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
May 9, 2025
Merged

🐛 Ensure % character in the artifactLocation in sarif output are escaped #4619

merged 4 commits into from
May 9, 2025

Conversation

xhochy
Copy link
Contributor

@xhochy xhochy commented May 9, 2025
edited
Loading

What kind of change does this PR introduce?

(Is it a bug fix, feature, docs update, something else?)

What is the current behavior?

Currently if a filename contains a % character it is passed through in plain text in the result in sarif file. If the location is later parsed again, an URL-decoder will stumble upon it as it tries decode the escape sequence.

As an example see the following scorecard-action where the SARIF upload failed: https://github.com/Quantco/copier-template-python-open-source/actions/runs/14924466359

What is the new behavior (if this is a feature change)?**

% characters are escaped in the SARIF output.

  • Tests for the changes have been added (for bug fixes/features)

Which issue(s) this PR fixes

NONE

Special notes for your reviewer

Does this PR introduce a user-facing change?

For user-facing changes, please add a concise, human-readable release note to
the release-note

(In particular, describe what changes users might need to make in their
application as a result of this pull request.)

NONE

@xhochy xhochy changed the title Add a failing test case 🐛 Ensure % character in the artifactLocation in sarif output are escaped May 9, 2025
@xhochy xhochy force-pushed the urlencode-path branch 2 times, most recently from e9eda85 to d1a8b1a Compare May 9, 2025 15:23
@xhochy xhochy marked this pull request as ready for review May 9, 2025 15:23
@xhochy xhochy requested a review from a team as a code owner May 9, 2025 15:24
@xhochy xhochy requested review from spencerschrock and raghavkaul and removed request for a team May 9, 2025 15:24
spencerschrock
spencerschrock reviewed May 9, 2025
View reviewed changes
@xhochy xhochy temporarily deployed to integration-test May 9, 2025 16:21 — with GitHub Actions Inactive
@codecov Codecov
Copy link

codecov bot commented May 9, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 68.37%. Comparing base (353ed60) to head (477f9d4).
Report is 161 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #4619      +/-   ##
==========================================
+ Coverage   66.80%   68.37%   +1.56%     
==========================================
  Files         230      249      +19     
  Lines       16602    18814    +2212     
==========================================
+ Hits        11091    12864    +1773     
- Misses       4808     5097     +289     
- Partials      703      853     +150
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

spencerschrock
spencerschrock approved these changes May 9, 2025
View reviewed changes
Copy link
Member

@spencerschrock spencerschrock left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you! Could you please correct your last commit for DCO?
https://github.com/ossf/scorecard/pull/4619/checks?check_run_id=41958169840

xhochy added 3 commits May 9, 2025 21:33
@xhochy
Add a failing test case
3dad147 
Signed-off-by: Uwe L. Korn <[email protected]>
@xhochy
Escape %-characters in artifactLocation
9cc8fe7 
Signed-off-by: Uwe L. Korn <[email protected]>
@xhochy
Use URL.EscapedPath
0723b7b 
Signed-off-by: Uwe L. Korn <[email protected]>
@xhochy xhochy force-pushed the urlencode-path branch from c486d2b to 0723b7b Compare May 9, 2025 19:33
@xhochy
Copy link
Contributor Author

xhochy commented May 9, 2025

Thank you! Could you please correct your last commit for DCO? https://github.com/ossf/scorecard/pull/4619/checks?check_run_id=41958169840

Done! Sorry, I'm not used to that.

@spencerschrock spencerschrock enabled auto-merge (squash) May 9, 2025 20:44
@spencerschrock
Copy link
Member

Done! Sorry, I'm not used to that.

No worries, thanks for sending the patch. It's common for contributors to need to fix DCO.

Keep an eye out for the next scorecard-action release. We are probably due for one soon.

@spencerschrock spencerschrock merged commit 9dcec9a into ossf:main May 9, 2025
38 checks passed
@xhochy xhochy deleted the urlencode-path branch May 10, 2025 05:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@spencerschrock spencerschrock spencerschrock approved these changes

@raghavkaul raghavkaul Awaiting requested review from raghavkaul raghavkaul is a code owner automatically assigned from ossf/scorecard-maintainers

Assignees
No one assigned
Labels
None yet
Projects
OpenSSF Scorecard
Status: Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@xhochy @spencerschrock