Conversation
![korbit-ai[bot]](https://avatars.githubusercontent.com/in/322216?s=60&v=4){kind=small}
There was a problem hiding this comment.
Review by Korbit AI
Korbit automatically attempts to detect when you fix issues in new commits.
| Category | Issue | Status |
|---|---|---|
 |
Hardcoded domain list without explanation ▹ view | |
|
Hardcoded fallback string 'unknown' ▹ view | |
 |
Invalid empty VCS reference creation ▹ view | |
 |
Credential leakage via VCS URL in SBOM ▹ view | |
 |
Lack of error handling around PURL creation ▹ view | |
 |
Rigid handler registry (Open-Closed violation) ▹ view | |
 |
Internal helper docstrings lack return value details ▹ view |
Files scanned
| File Path | Reviewed |
|---|---|
| dfetch/reporting/sbom_reporter.py | ✅ |
| dfetch/util/purl.py | ✅ |
Explore our documentation to understand the languages and file types we support and the files we ignore.
Check out our docs on how you can make Korbit work best for you and your team.
spoorcc
force-pushed
the
spoorcc/issue780
branch
from
6d1873a to
088fbac
Compare
|
/korbit-review |
There was a problem hiding this comment.
Review by Korbit AI
Korbit automatically attempts to detect when you fix issues in new commits.
| Category | Issue | Status |
|---|---|---|
|
Undocumented Complex Regex Pattern ▹ view | ✅ Fix detected |
Files scanned
| File Path | Reviewed |
|---|---|
| dfetch/util/purl.py | ✅ |
| dfetch/reporting/sbom_reporter.py | ✅ |
Explore our documentation to understand the languages and file types we support and the files we ignore.
Check out our docs on how you can make Korbit work best for you and your team.
|
Using https://github.com/CycloneDX/sbom-utility with $ sbom-utility validate --input-file my-sbom.jsonshows that PURL seems ok, but externalReferences url still uses ssh {
"type": "format",
"field": "components.0.externalReferences.0.url",
"context": "(root).components.0.externalReferences.0.url",
"description": "Does not match format 'iri-reference'",
"value": "git@git.mycompany.com:mycompany/some-repo"
} |
|
Verified SBoM with: wget https://github.com/CycloneDX/sbom-utility/releases/download/v0.18.1/sbom-utility-v0.18.1-linux-amd64.tar.gz
tar -xvzf sbom-utility-v0.18.1-linux-amd64.tar.gz
./sbom-utility validate --input-file report.json |
|
/korbit-review |
There was a problem hiding this comment.
Review by Korbit AI
Korbit automatically attempts to detect when you fix issues in new commits.
| Category | Issue | Status |
|---|---|---|
 |
Inefficient TLD extraction without caching ▹ view | |
|
Unexplained SSH URL exclusion ▹ view | |
|
Python version compatibility issue with removeprefix ▹ view | |
|
Incorrect unpacking of actual_content in assertion message ▹ view |
Files scanned
| File Path | Reviewed |
|---|---|
| dfetch/reporting/sbom_reporter.py | ✅ |
| dfetch/util/purl.py | ✅ |
| features/steps/generic_steps.py | ✅ |
Explore our documentation to understand the languages and file types we support and the files we ignore.
Check out our docs on how you can make Korbit work best for you and your team.
| from packageurl import PackageURL | ||
| from tldextract import TLDExtract | ||
|
|
||
| NO_FETCH_EXTRACT = TLDExtract(suffix_list_urls=(), extra_suffixes=("local",)) |
There was a problem hiding this comment.
Inefficient TLD extraction without caching 
Tell me more
What is the issue?
TLDExtract is instantiated at module level with network-disabled configuration, creating a global object that performs domain parsing on every call.
Why this matters
This creates unnecessary overhead when the same domains are parsed repeatedly, and the object could be reused more efficiently or cached results could be stored.
Suggested change ∙ Feature Preview
Consider caching the results of domain extraction or using a lazy initialization pattern if the TLDExtract object is expensive to create. Alternatively, cache the results of NO_FETCH_EXTRACT(domain).domain calls within the _namespace_and_name_from_domain_and_path function using functools.lru_cache.
Provide feedback to improve future suggestions
💬 Looking for more details? Reply to this comment to chat with Korbit.
| component.group = purl.namespace | ||
|
|
||
| vcs_url = purl.qualifiers.get("vcs_url", "") | ||
| if vcs_url and "ssh://" not in vcs_url: |
There was a problem hiding this comment.
Unexplained SSH URL exclusion 
Tell me more
What is the issue?
The string literal 'ssh://' is hardcoded in the condition without explanation of why SSH URLs are excluded.
Why this matters
Without context, developers need to guess why SSH URLs are being filtered out, making the code harder to maintain.
Suggested change ∙ Feature Preview
# Define a constant at module level
SSH_URL_PREFIX = 'ssh://'
# Add a comment explaining the exclusion
# Skip SSH URLs as they are not publicly accessible
if vcs_url and SSH_URL_PREFIX not in vcs_url:Provide feedback to improve future suggestions
💬 Looking for more details? Reply to this comment to chat with Korbit.
|
|
||
| if "svn" in parsed.scheme or "svn." in parsed.netloc: | ||
| namespace, name = _namespace_and_name_from_domain_and_path(parsed.netloc, path) | ||
| namespace = namespace.replace("/svn/", "/").removeprefix("p/") |
There was a problem hiding this comment.
Python version compatibility issue with removeprefix 
Tell me more
What is the issue?
The removeprefix method is only available in Python 3.9+, but the code doesn't specify this requirement.
Why this matters
This will cause AttributeError on Python versions below 3.9, making the code incompatible with older Python versions.
Suggested change ∙ Feature Preview
Use compatible string slicing or add version requirement:
# Option 1: Compatible approach
namespace = namespace.replace("/svn/", "/")
if namespace.startswith("p/"):
namespace = namespace[2:]
# Option 2: Or ensure Python 3.9+ requirement is documentedProvide feedback to improve future suggestions
💬 Looking for more details? Reply to this comment to chat with Korbit.
|
SBoM is now accepted by Dependency track. A thing to document or be aware of is that the name used is the project name in the manifest and not necessarily the authoritative name |
Move out the purl logic and add tests for it. Also add support for Bitbucket PURLs
spoorcc
force-pushed
the
spoorcc/issue780
branch
from
174d9fc to
0e39681
Compare
spoorcc
force-pushed
the
spoorcc/issue780
branch
4 times, most recently
from
629c622 to
6bf70cd
Compare
spoorcc
force-pushed
the
spoorcc/issue780
branch
from
6bf70cd to
3224239
Compare
2 participants
Move out the purl logic and add tests for it. Also add support for Bitbucket PURLs
To be tested on dependency-track
Description by Korbit AI
What change is being made?
Improve PURL creation logic for SBoM by centralizing remote URL to PURL conversion, enriching SBOM components with accurate VCS references, and expanding support for various VCS styles (GitHub, Bitbucket, SVN, SSH paths, and generic VCS URLs); add tests and minor workflow/readme updates to reflect the changes.
Why are these changes being made?
Provide a robust, consistent mapping from remote URLs to PURLs, ensuring accurate type, namespace, name, and external VCS references across common VCS providers and edge cases; align SBOM generation with the new PURL logic and expand test coverage.