From d47fa16aeef13e3f7c740469515392c8f2b5b8b5 Mon Sep 17 00:00:00 2001
From: Nejc Zupan
Date: Wed, 13 Nov 2024 21:36:58 +0100
Subject: [PATCH 1/2] fix: override logic of sw360 urls and rework prevention of .git upload
---
 capycli/bom/create_components.py | 10 +++---
 tests/test_bom_create_releases.py | 59 +++++++++++++++++++++++++++++++
 2 files changed, 63 insertions(+), 6 deletions(-)
diff --git a/capycli/bom/create_components.py b/capycli/bom/create_components.py
index 43c341e..4219aae 100644
--- a/capycli/bom/create_components.py
+++ b/capycli/bom/create_components.py
@@ -299,8 +299,6 @@ def update_release(self, cx_comp: Component, release_data: Dict[str, Any]) -> No
 print_yellow(
 " WARNING: SW360 source URL", release_data["sourceCodeDownloadurl"],
 "differs from BOM URL", data["sourceCodeDownloadurl"])
- if data["sourceCodeDownloadurl"].endswith(('zip', 'tgz', 'tar.gz', 'tar')):
- update_data["sourceCodeDownloadurl"] = data["sourceCodeDownloadurl"]
 if "binaryDownloadurl" in data and data["binaryDownloadurl"]:
 if not release_data.get("binaryDownloadurl", ""):
@@ -363,15 +361,15 @@ def upload_file(
 filename = str(CycloneDxSupport.get_ext_ref_source_file(cx_comp))
 filehash = str(CycloneDxSupport.get_source_file_hash(cx_comp))
+ if filename is not None and filename.endswith('.git'):
+ print_red(" WARNING: resetting filename to prevent uploading .git file")
+ filename = None
+
 if filetype in ["BINARY", "BINARY_SELF"]:
 url = str(CycloneDxSupport.get_ext_ref_binary_url(cx_comp))
 filename = str(CycloneDxSupport.get_ext_ref_binary_file(cx_comp))
 filehash = str(CycloneDxSupport.get_binary_file_hash(cx_comp))
- if filename is not None and filename.endswith('.git'):
- print_red(" WARNING: resetting filename to prevent uploading .git file")
- filename = None
-
 # Note that we retrieve the SHA1 has from the CycloneDX data.
 # But there is no guarantee that this *IS* really a SHA1 hash!
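Review bot: The `filename is not None` clause in the added guard is dead: `filename` was just assigned from `str(CycloneDxSupport.get_ext_ref_source_file(cx_comp))`, which always yields a `str`, so the condition reduces to `filename.endswith('.git')`; the same clause is carried along when the check is relocated in the second patch's `@@ -378,6 +374,10` hunk. If the getter can return `None`, `str()` turns it into the truthy text `"None"`, which neither this guard nor the later `if not filename:` check would recognise, so it is worth confirming that the getter never does. Suggested form: `if filename.endswith('.git'):`. upload_file starts before and continues after this hunk.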
diff --git a/tests/test_bom_create_releases.py b/tests/test_bom_create_releases.py
index 1ad4f61..31549b7 100644
--- a/tests/test_bom_create_releases.py
+++ b/tests/test_bom_create_releases.py
@@ -668,6 +668,64 @@ def test_upload_file_local(self) -> None:
 assert "Error" not in captured.out
 assert captured.err == ""
+ @responses.activate
+ def test_upload_file_prevent_git_source_upload(self) -> None:
+ """Prevent uploading SOURCE, SOURCE_SELF file with .git file type
+ """
+ responses.add(
+ responses.GET, 'https://github.com/babel/babel.git',
+ body="content")
+ responses.add(
+ responses.POST, SW360_BASE_URL + 'releases/06a6e7/attachments',
+ match=[upload_matcher("babel.git")])
+
+ self.app.download = True
+ item = Component(
+ name="activemodel",
+ version="5.2.1"
+ )
+ CycloneDxSupport.update_or_set_ext_ref(
+ item, ExternalReferenceType.DISTRIBUTION,
+ CaPyCliBom.SOURCE_URL_COMMENT, "https://github.com/babel/babel.git")
+ CycloneDxSupport.update_or_set_ext_ref(
+ item, ExternalReferenceType.DISTRIBUTION,
+ CaPyCliBom.SOURCE_FILE_COMMENT, "babel.git")
+
+ self.app.upload_file(item, {}, "06a6e7", "SOURCE", "")
+ captured = self.capsys.readouterr() # type: ignore
+ assert len(responses.calls) == 2
+ assert "WARNING: resetting filename to prevent uploading .git file" in captured.out
+ assert captured.err == ""
+
+ @responses.activate
+ def test_upload_file_allow_git_binary_upload(self) -> None:
+ """Allow uploading BINARY file with .git file type
+ """
+ responses.add(
+ responses.GET, 'https://github.com/babel/babel.git',
+ body="content")
+ responses.add(
+ responses.POST, SW360_BASE_URL + 'releases/06a6e7/attachments',
+ match=[upload_matcher("babel.git")])
+
+ self.app.download = True
+ item = Component(
+ name="activemodel",
+ version="5.2.1"
+ )
+ CycloneDxSupport.update_or_set_ext_ref(
+ item, ExternalReferenceType.DISTRIBUTION,
+ CaPyCliBom.BINARY_URL_COMMENT, "https://github.com/babel/babel.git")
+ CycloneDxSupport.update_or_set_ext_ref(
+ item, ExternalReferenceType.DISTRIBUTION,
+ CaPyCliBom.BINARY_FILE_COMMENT, "babel.git")
+
+ self.app.upload_file(item, {}, "06a6e7", "BINARY", "")
+ captured = self.capsys.readouterr() # type: ignore
+ assert len(responses.calls) == 2
+ assert "WARNING: resetting filename to prevent uploading .git file" not in captured.out
+ assert captured.err == ""
+ @responses.activate
+ def test_upload_binary_file_local(self) -> None:
 """Upload local file
@@ -783,6 +841,7 @@ def test_update_release_SourceUrl(self) -> None:
 self.app.update_release(item2, release_data)
 captured = self.capsys.readouterr() # type: ignore
 assert "differs from BOM URL" in captured.out
+ assert len(responses.calls) == 0 # assure data in SW360 is not changed
 # no existing URL, set new URL
 responses.add(
From aa7b3927bd316b166096104bb1e15c035d63757c Mon Sep 17 00:00:00 2001
From: Nejc Zupan
Date: Tue, 19 Nov 2024 20:53:37 +0100
Subject: [PATCH 2/2] fix: actually preventing .git attachment upload on source
---
 capycli/bom/create_components.py | 8 ++++----
 tests/test_bom_create_releases.py | 5 +----
 2 files changed, 5 insertions(+), 8 deletions(-)
diff --git a/capycli/bom/create_components.py b/capycli/bom/create_components.py
index 4219aae..6eafaad 100644
--- a/capycli/bom/create_components.py
+++ b/capycli/bom/create_components.py
@@ -361,10 +361,6 @@ def upload_file(
 filename = str(CycloneDxSupport.get_ext_ref_source_file(cx_comp))
 filehash = str(CycloneDxSupport.get_source_file_hash(cx_comp))
- if filename is not None and filename.endswith('.git'):
- print_red(" WARNING: resetting filename to prevent uploading .git file")
- filename = None
-
 if filetype in ["BINARY", "BINARY_SELF"]:
 url = str(CycloneDxSupport.get_ext_ref_binary_url(cx_comp))
 filename = str(CycloneDxSupport.get_ext_ref_binary_file(cx_comp))
@@ -378,6 +374,10 @@ def upload_file(
 if filename_parsed:
 filename = os.path.basename(filename_parsed.path)
+ if filetype in ["SOURCE", "SOURCE_SELF"] and filename is not None and filename.endswith('.git'):
+ print_red(" WARNING: resetting filename to prevent uploading .git file")
+ filename = None
+
 if not filename:
 print_red(" Unable to identify filename from url!")
 return
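Review bot: The setup of the two new tests is duplicated almost line for line: the same `Component(name="activemodel", version="5.2.1")`, the same two `responses.add(...)` registrations and the same pair of `update_or_set_ext_ref` calls, differing only in the `CaPyCliBom.*_URL_COMMENT`/`*_FILE_COMMENT` constants and the filetype string passed to `upload_file`. Extracting the component construction into a helper such as the one below, called as `item = self._git_item(CaPyCliBom.SOURCE_URL_COMMENT, CaPyCliBom.SOURCE_FILE_COMMENT)`, keeps the SOURCE and BINARY cases aligned as the `.git` handling evolves. A component named `activemodel` whose URL points at babel is harmless but mildly confusing; naming it after the URL would help a future reader. Both new test methods are complete within the hunk.
```python
    def _git_item(self, url_comment: str, file_comment: str) -> Component:
        """Build a component whose download URL and file name both end in .git."""
        item = Component(name="activemodel", version="5.2.1")
        CycloneDxSupport.update_or_set_ext_ref(
            item, ExternalReferenceType.DISTRIBUTION,
            url_comment, "https://github.com/babel/babel.git")
        CycloneDxSupport.update_or_set_ext_ref(
            item, ExternalReferenceType.DISTRIBUTION,
            file_comment, "babel.git")
        return item
```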
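Review bot: After the relocated guard sets `filename = None`, control falls straight into the `if not filename:` branch on the next line and prints `Unable to identify filename from url!`, which is misleading: the filename was identified and then deliberately discarded. As far as the hunk shows, replacing `filename = None` with `return` keeps the outcome (no download, no attachment POST, consistent with the `len(responses.calls) == 0` assertion in the test) while avoiding the second, inaccurate message; if the `WARNING` text is kept as-is the existing test assertion still holds. upload_file starts before and continues after this hunk.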
diff --git a/tests/test_bom_create_releases.py b/tests/test_bom_create_releases.py
index 31549b7..3cf6e79 100644
--- a/tests/test_bom_create_releases.py
+++ b/tests/test_bom_create_releases.py
@@ -675,9 +675,6 @@ def test_upload_file_prevent_git_source_upload(self) -> None:
 responses.add(
 responses.GET, 'https://github.com/babel/babel.git',
 body="content")
- responses.add(
- responses.POST, SW360_BASE_URL + 'releases/06a6e7/attachments',
- match=[upload_matcher("babel.git")])
 self.app.download = True
 item = Component(
@@ -693,7 +690,7 @@ def test_upload_file_prevent_git_source_upload(self) -> None:
 self.app.upload_file(item, {}, "06a6e7", "SOURCE", "")
 captured = self.capsys.readouterr() # type: ignore
- assert len(responses.calls) == 2
+ assert len(responses.calls) == 0
 assert "WARNING: resetting filename to prevent uploading .git file" in captured.out
 assert captured.err == ""
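Review bot: With the POST registration removed and the `@@ -693,7 +690,7` hunk now asserting `len(responses.calls) == 0`, the remaining `responses.GET` registration for `'https://github.com/babel/babel.git'` at the top of `test_upload_file_prevent_git_source_upload` is never exercised. Dropping those three context lines as well would let the test state its intent directly — no network request of any kind is made for a `.git` source — instead of leaving a mock that suggests a download is still expected. The test method continues outside the hunk.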