diff --git a/src/macaron/slsa_analyzer/analyzer.py b/src/macaron/slsa_analyzer/analyzer.py
index 67ef156c1..5489d5bf5 100644
--- a/src/macaron/slsa_analyzer/analyzer.py
+++ b/src/macaron/slsa_analyzer/analyzer.py
@@ -570,14 +570,6 @@ def add_component(
 repository = self.add_repository(input_req_branch, git_obj)
- if repository:
- final_purl = PackageURL(
- type=repository.type,
- namespace=repository.owner,
- name=repository.name,
- version=repository.commit_sha,
- )
-
 case (_, None, _, _):
 git_obj = self._prepare_repo(
 os.path.join(self.output_path, self.GIT_REPOS_DIR),
@@ -606,6 +598,32 @@ def add_component(
 version=repository.commit_sha,
 )
+ case (_, _, _, _):
+ try:
+ final_purl = PackageURL.from_string(input_purl_str)
+ except ValueError as error:
+ raise PURLNotFoundError(f"Cannot validate purl string {input_purl_str}") from error
+
+ # Note that we don't try to resolve the repo path here because the user already provide it.
+ git_obj = self._prepare_repo(
+ os.path.join(self.output_path, self.GIT_REPOS_DIR),
+ input_repo_path,
+ input_req_branch,
+ input_req_digest,
+ )
+ if not git_obj:
+ raise RepoNotFoundError("Failed to prepare the corresponding repository for analysis.")
+
+ # TODO: use both the repo URL and the commit hash to check.
+ if (
+ existing_records
+ and (existing_record := existing_records.get(git_url.get_remote_origin_of_local_repo(git_obj)))
+ is not None
+ ):
+ raise DuplicateCmpError(f"{final_repo_path} is already analyzed.", context=existing_record.context)
+
+ repository = self.add_repository(input_req_branch, git_obj)
+
 # If PURL is not found, raise an exception.
 if not final_purl:
 logger.debug(
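Review bot: In the new `case (_, _, _, _)` branch the user-supplied PURL becomes `final_purl` while the repository comes from `input_repo_path`, and nothing in the visible lines checks that the two refer to the same project, so results for an arbitrary repository can be recorded under any package identity. For a supply-chain analyzer that association should at least be recorded as unverified, for example `logger.info("Using user-provided repo %s for %s without verifying the association.", input_repo_path, input_purl_str)` before the `_prepare_repo` call, and the existing comment should say the mapping is taken on trust. Separately, the `DuplicateCmpError` message formats `final_repo_path`, which this branch never assigns; `add_component` begins and continues outside the hunk, so unless it is set earlier, `input_repo_path` looks like the intended value. The duplicate check also keys only on the remote origin URL, as the TODO admits, so a different commit of the same repository would be rejected as already analyzed.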