Feat/sp 3755 configurable scan path

[agustingroh]

Summary by CodeRabbit

• New Features

  • Added scanPath input to specify a relative repository path to scan (default "."); path validation added and unit tests included.
  • New configuration inputs for dependency tracking and API settings (optional).

• Changed

  • Updated runtime container to v1.46.0.
  • Package and extension version bumped to 1.7.0.

• Documentation

  • Changelog and metadata updated for 1.7.0.

[coderabbitai]

Warning

Rate limit exceeded

@agustingroh has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 9 minutes and 55 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: cdf954d2-144f-4408-81be-dc030996d50e

📥 Commits

Reviewing files that changed from the base of the PR and between 4b7d503 and fa821b9.

⛔ Files ignored due to path filters (1)

• codescantask/package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (10)

• CHANGELOG.md
• OVERVIEW.md
• codescantask/app.input.ts
• codescantask/package.json
• codescantask/services/scan.service.ts
• codescantask/task.json
• codescantask/tests/path-utils.test.ts
• codescantask/utils/path.utils.ts
• vss-extension-dev.json
• vss-extension.json

📝 Walkthrough

Walkthrough

This PR bumps the extension to 1.7.0, adds a new scanPath input (validated and used at runtime), upgrades the runtime container to v1.46.0, exposes multiple new task inputs (Dependency Track and license/dependency options), and adds unit tests for path validation.

Changes

Cohort / File(s)	Summary
Version & Manifests codescantask/package.json, vss-extension.json, vss-extension-dev.json	Bumped extension/package versions from 1.6.0 → 1.7.0.
Task metadata codescantask/task.json	Added new scanPath string input (default ".", relative-only) and updated runtimeContainer default to ghcr.io/scanoss/scanoss-py:v1.46.0; bumped task minor version to 1.7.
Inputs & Exports codescantask/app.input.ts	Added SCAN_PATH (validated via validateScanPath) and many new exported inputs (Dependency Track flags/fields, license/dependency filters, API settings, SETTINGS_FILE_PATH, EXECUTABLE, DEBUG, PAT) plus setters for Dependency Track tokens/IDs. Updated default RUNTIME_CONTAINER to v1.46.0.
Runtime usage codescantask/services/scan.service.ts	Replaced static scan target . with imported SCAN_PATH in Docker run/build argument construction.
Path validation util & tests codescantask/utils/path.utils.ts, codescantask/tests/path-utils.test.ts	Added validateScanPath utility (normalizes, rejects absolute or parent-traversal paths, defaults to ".") and comprehensive unit tests covering valid/invalid inputs and normalization behavior.
Docs / Changelog / Overview CHANGELOG.md, OVERVIEW.md	Added v1.7.0 Unreleased entry documenting scanPath and runtime container upgrade; updated OVERVIEW default container and described new scanPath input.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• feat(scan):SP-4027 add support for scan tuning parameters #54 — Also changes the default runtime container image/version (RUNTIME_CONTAINER/task.json).

Suggested labels

enhancement

Suggested reviewers

• eeisegn

Poem

🐰 I sniff the paths and tidy each trail,

"./src" trimmed, ".." sent to jail.
With v1.7 I bound and hop — hooray!
ScanPath guides the scanner's way. 🥕

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly describes the main change: adding a configurable scan path feature, which aligns with the primary additions across multiple files (new SCAN_PATH input, validation logic, and integration).
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/SP-3755-configurable-scan-path

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

codescantask/services/scan.service.ts (1)

299-301: Prefer scanPath in Options over module-global SCAN_PATH.

Line 300 currently reads from a global input constant, which makes ScanService harder to unit-test/configure via constructor options.

♻️ Suggested refactor

 export interface Options {
@@
     /**
      * Absolute path of the folder or file to scan. Required.
      */
     inputFilepath: string;
+    /**
+     * Relative path inside the mounted repository to scan. Default [.]
+     */
+    scanPath: string;
@@
         this.options = options || {
@@
             inputFilepath: REPO_DIR,
+            scanPath: SCAN_PATH,
             runtimeContainer: RUNTIME_CONTAINER,
@@
-        return ['run','-v',`${this.options.inputFilepath}:/scanoss`,
-            this.options.runtimeContainer, 'scan', SCAN_PATH, '--output', `./${OUTPUT_FILEPATH}`,
+        return ['run','-v',`${this.options.inputFilepath}:/scanoss`,
+            this.options.runtimeContainer, 'scan', this.options.scanPath, '--output', `./${OUTPUT_FILEPATH}`,

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@codescantask/services/scan.service.ts` around lines 299 - 301, The command
builder uses the module-global SCAN_PATH instead of the instance configuration;
update the code in ScanService that constructs the docker args (the function
returning ['run','-v',... this.options.runtimeContainer, 'scan', SCAN_PATH,
...]) to use this.options.scanPath (or add scanPath to the Options type if
missing) so the service reads the scan path from its constructor options rather
than the global SCAN_PATH; ensure Options interface/type includes scanPath and
adjust any callers/tests to pass the new option and keep buildDependenciesArgs()
usage unchanged.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@codescantask/services/scan.service.ts`:
- Around line 299-301: The command builder uses the module-global SCAN_PATH
instead of the instance configuration; update the code in ScanService that
constructs the docker args (the function returning ['run','-v',...
this.options.runtimeContainer, 'scan', SCAN_PATH, ...]) to use
this.options.scanPath (or add scanPath to the Options type if missing) so the
service reads the scan path from its constructor options rather than the global
SCAN_PATH; ensure Options interface/type includes scanPath and adjust any
callers/tests to pass the new option and keep buildDependenciesArgs() usage
unchanged.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d69b0247-f445-4c48-94ec-265df7a1199b

📥 Commits

Reviewing files that changed from the base of the PR and between 20ab468 and 9a79bcb.

⛔ Files ignored due to path filters (1)

• codescantask/package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (8)

• CHANGELOG.md
• OVERVIEW.md
• codescantask/app.input.ts
• codescantask/package.json
• codescantask/services/scan.service.ts
• codescantask/task.json
• vss-extension-dev.json
• vss-extension.json

[coderabbitai]

♻️ Duplicate comments (1)

codescantask/utils/path.utils.ts (1)

36-50: ⚠️ Potential issue | 🟠 Major

scanPath validation can be bypassed after normalization.
On Line 47, checking normalizedPath.includes('..') after path.normalize allows inputs like src/../pkg to pass, despite the contract forbidding any .. segment. Also, absolute checks should run on normalized slash form, not only raw input.

🛠️ Proposed fix

 export function validateScanPath(scanPath: string | undefined): string {
-    if (!scanPath) {
+    const raw = scanPath?.trim();
+    if (!raw) {
         return '.';
     }

-    // Normalize and convert to forward slashes for consistency
-    const normalizedPath = path.normalize(scanPath).replace(/\\/g, '/');
+    // Normalize separators first, then normalize as posix for stable checks
+    const slashPath = raw.replace(/\\/g, '/');
+    const normalizedPath = path.posix.normalize(slashPath);

     // Reject absolute paths (Unix-style and Windows-style)
-    const windowsAbsolutePattern = /^[a-zA-Z]:/;
-    if (path.isAbsolute(scanPath) || windowsAbsolutePattern.test(normalizedPath)) {
+    const windowsAbsolutePattern = /^[a-zA-Z]:\//;
+    if (
+        path.posix.isAbsolute(normalizedPath) ||
+        windowsAbsolutePattern.test(slashPath) ||
+        slashPath.startsWith('//')
+    ) {
         console.warn(`Absolute scan paths not allowed: ${scanPath}. Using default: .`);
         return '.';
     }

     // Reject directory traversal attempts
-    if (normalizedPath.includes('..')) {
+    const hasParentSegment = slashPath.split('/').includes('..');
+    if (hasParentSegment || normalizedPath === '..' || normalizedPath.startsWith('../')) {
         console.warn(`Invalid scan path detected: "${scanPath}". Using default: .`);
         return '.';
     }

#!/bin/bash
# Verifies current behavior against known bypass/edge cases.
node - <<'NODE'
const path = require('path');

function currentValidate(scanPath) {
  if (!scanPath) return '.';
  const normalizedPath = path.normalize(scanPath).replace(/\\/g, '/');
  const windowsAbsolutePattern = /^[a-zA-Z]:/;
  if (path.isAbsolute(scanPath) || windowsAbsolutePattern.test(normalizedPath)) return '.';
  if (normalizedPath.includes('..')) return '.';
  const cleaned = normalizedPath.startsWith('./') ? normalizedPath.slice(2) : normalizedPath;
  return cleaned || '.';
}

[
  'src/../pkg',
  './a/../b',
  '../outside',
  '\\etc',
  '/etc/passwd',
  'C:\\Windows\\System32'
].forEach(p => console.log(`${JSON.stringify(p)} => ${currentValidate(p)}`));
NODE

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@codescantask/utils/path.utils.ts` around lines 36 - 50, The current
validation examines the raw input and then inspects normalizedPath with
string.includes, which lets inputs like "src/../pkg" bypass the rule; update the
logic to operate on the normalized form for all checks: compute const normalized
= path.normalize(scanPath).replace(/\\/g, '/'), then run
path.isAbsolute(normalized) and test the windows drive pattern
(windowsAbsolutePattern) against normalized; split normalized by '/' and reject
if any segment === '..' (instead of using includes); finally strip a leading
'./' from the normalized result and return '.' for empty/invalid cases. Use the
existing symbols normalizedPath (or normalized), windowsAbsolutePattern,
path.isAbsolute and the '..' segment check to locate and replace the current
checks.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@codescantask/utils/path.utils.ts`:
- Around line 36-50: The current validation examines the raw input and then
inspects normalizedPath with string.includes, which lets inputs like
"src/../pkg" bypass the rule; update the logic to operate on the normalized form
for all checks: compute const normalized =
path.normalize(scanPath).replace(/\\/g, '/'), then run
path.isAbsolute(normalized) and test the windows drive pattern
(windowsAbsolutePattern) against normalized; split normalized by '/' and reject
if any segment === '..' (instead of using includes); finally strip a leading
'./' from the normalized result and return '.' for empty/invalid cases. Use the
existing symbols normalizedPath (or normalized), windowsAbsolutePattern,
path.isAbsolute and the '..' segment check to locate and replace the current
checks.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 60c14f16-15d6-4d50-be16-fd9437375b3d

📥 Commits

Reviewing files that changed from the base of the PR and between 9a79bcb and 4b7d503.

⛔ Files ignored due to path filters (1)

• codescantask/package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (10)

• CHANGELOG.md
• OVERVIEW.md
• codescantask/app.input.ts
• codescantask/package.json
• codescantask/services/scan.service.ts
• codescantask/task.json
• codescantask/tests/path-utils.test.ts
• codescantask/utils/path.utils.ts
• vss-extension-dev.json
• vss-extension.json

🚧 Files skipped from review as they are similar to previous changes (3)

• codescantask/package.json
• vss-extension-dev.json
• codescantask/services/scan.service.ts