Description
Describe the bug
Specifying githubactions purls in allow-dependencies-licenses is case-sensitive. The problem is that a purl containing capitals is accepted as valid config. The match is made against the Action reference exactly as it is written in the workflow, so if the organization name contains capitals by default, there is a high risk that the workflow references the Action with capitals, and the PURL then has to be listed both in lowercase and capitalized to be matched.
To Reproduce
- Scan a workflow that references an Action that violates the license policy.
- Try to allow-list the action using a config. Try different variants:

```yaml
allow-dependencies-licenses:
  ## Try all lowercase (according to PURL spec default)
  - pkg:githubactions/myorg/myaction
  - pkg:githubactions/myorg/myworkflows/.github/workflows/general.yml
  ## Try capitalized
  - pkg:githubactions/MyOrg/MyAction
  - pkg:githubactions/MyOrg/MyWorkflows/.github/workflows/general.yml
  ## Try different capitalization
  - pkg:githubactions/MYORG/myAction
  - pkg:githubactions/MYORG/myWorkflows/.github/workflows/general.yml
```

- Note that all three configs are accepted.
- Note that whether an entry matches depends on it having the same capitalization as the reference in the scanned workflow.
Expected behavior
Two parts:
- Syntax error on input config if purl is not in lowercase.
- Correct match to lowercase purl, regardless of how the action or workflow is capitalized in the scanned source.
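The two parts above, written out as an added illustration in TypeScript (the language the action is written in). This is not code from dependency-review-action; the function names are hypothetical, and it assumes the convention the issue asks for: owner and name in a pkg:githubactions purl are compared in lowercase, and the version qualifier after `@` is ignored for matching.

```typescript
// Added illustration for this issue, not code from dependency-review-action.
// Assumed convention: for pkg:githubactions purls the owner and the name
// (repo, optionally followed by /.github/workflows/<file>) are compared in
// lowercase, and the "@version" part is ignored for matching.

const PURL_TYPE = 'pkg:githubactions/';

export interface ActionsPurl {
  owner: string;
  name: string;
}

// Parse a pkg:githubactions purl into its parts without altering case.
export function parseActionsPurl(purl: string): ActionsPurl | null {
  if (!purl.startsWith(PURL_TYPE)) return null;
  const rest = purl.slice(PURL_TYPE.length).split('@')[0]; // drop version
  const slash = rest.indexOf('/');
  if (slash <= 0 || slash === rest.length - 1) return null;
  return { owner: rest.slice(0, slash), name: rest.slice(slash + 1) };
}

// Part 1 of the expected behaviour: a config entry that is not lowercase is a
// syntax error. Returns the error message, or null when the entry is valid.
export function validateAllowListEntry(purl: string): string | null {
  if (parseActionsPurl(purl) === null) {
    return `not a valid pkg:githubactions purl: ${purl}`;
  }
  if (purl !== purl.toLowerCase()) {
    return `purl must be lowercase: ${purl} (use ${purl.toLowerCase()})`;
  }
  return null;
}

// Validate every entry of allow-dependencies-licenses; throw on the first error.
export function loadAllowList(entries: string[]): string[] {
  for (const entry of entries) {
    const err = validateAllowListEntry(entry);
    if (err !== null) throw new Error(`allow-dependencies-licenses: ${err}`);
  }
  return entries;
}

// Build the normalized purl for an action reference as written in a workflow
// "uses:" line, e.g. "MyOrg/MyAction@v1" or
// "MyOrg/MyWorkflows/.github/workflows/general.yml@main".
// Local ("./...") and docker:// references are not repository actions.
export function purlFromUses(uses: string): string | null {
  const ref = uses.split('@')[0];
  if (ref.startsWith('./') || ref.startsWith('docker://')) return null;
  const parts = ref.split('/');
  if (parts.length < 2 || parts.some(p => p === '')) return null;
  return (PURL_TYPE + ref).toLowerCase();
}

// Part 2 of the expected behaviour: the scanned reference is lowercased before
// it is compared, so the workflow's capitalization no longer matters.
export function isAllowed(uses: string, allowList: string[]): boolean {
  const purl = purlFromUses(uses);
  return purl !== null && allowList.includes(purl);
}
```

With this split, the config is rejected up front if it contains `pkg:githubactions/MyOrg/MyAction`, while a workflow line `uses: MYORG/myAction@v1` still matches the single lowercase entry `pkg:githubactions/myorg/myaction`.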
Screenshots
No screenshots available
Action version
v4.8.0
Examples
No public examples available
Additional context
The githubactions purl type never made it into the purl spec, so that still needs to be done: package-url/purl-spec#698
Thanks to my colleague @jantiebot for diagnosing the issue.