Skip to content

fix(hardened): remove PURL qualifier double-encoding and enable Hummingbird URL#636

Merged
ruromero merged 1 commit into
guacsec:mainfrom
ruromero:fix/purl-double-encoding
Jun 25, 2026
Merged

fix(hardened): remove PURL qualifier double-encoding and enable Hummingbird URL#636
ruromero merged 1 commit into
guacsec:mainfrom
ruromero:fix/purl-double-encoding

Conversation

@ruromero

@ruromero ruromero commented Jun 24, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • Remove redundant URLEncoder.encode() in HardenedImageResponseHandler.containerRefToPackageRef() — the PackageURL constructor already encodes qualifier values, so this was causing double-encoding of the repository_url qualifier
  • Uncomment the trustedcontent.recommendation.hardened.url configuration property to enable Hummingbird integration

Test plan

  • Verify hardened image PURLs contain correctly-encoded repository_url qualifiers (no %25 double-encoding)
  • Verify Hummingbird URL config property is active and the provider initializes on startup
  • Run existing integration tests for hardened image recommendations

🤖 Generated with Claude Code

Summary by Sourcery

Fix hardened image recommendation integration by correcting PURL qualifier encoding and enabling the Hummingbird provider configuration.

Bug Fixes:

  • Prevent double-encoding of hardened image PURL repository_url qualifiers by avoiding redundant URL encoding.

Enhancements:

  • Enable the hardened (Hummingbird) recommendation provider via application configuration.
  • Update the generated UI report bundle to align with backend changes.

@sourcery-ai

sourcery-ai Bot commented Jun 24, 2026

Copy link
Copy Markdown
Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

Removes redundant URL encoding when building hardened image PackageURLs, enables the Hummingbird hardened recommendation provider by activating its URL config property, and updates the generated UI report bundle.

File-Level Changes

Change Details Files
Stop double-encoding the repository_url qualifier when constructing hardened image PackageURLs.
  • Replace URLEncoder.encode(path, UTF-8) with the raw path value when assigning the repository_url qualifier.
  • Rely on the PackageURL constructor to handle encoding of qualifier values instead of pre-encoding.
src/main/java/io/github/guacsec/trustifyda/integration/providers/trustify/hardened/HardenedImageResponseHandler.java
Enable the Hummingbird hardened recommendation provider via configuration.
  • Uncomment and activate the trustedcontent.recommendation.hardened.url property wired to HUMMINGBIRD_URL.
  • Keep existing refresh interval and lock TTL configuration for the hardened provider.
src/main/resources/application.properties
Update the generated UI report bundle.
  • Regenerate or update the main.js bundle for the UI reports template.
src/main/resources/freemarker/templates/generated/main.js

Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've left some high level feedback:

  • In containerRefToPackageRef, consider adding a brief comment explaining why repoUrl is left unencoded to avoid future double-encoding regressions when working with PackageURL.
  • Uncommenting trustedcontent.recommendation.hardened.url means the provider may now initialize even when HUMMINGBIRD_URL is empty; it may be worth adding a guard or validation to avoid starting the hardened provider without a valid URL.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- In `containerRefToPackageRef`, consider adding a brief comment explaining why `repoUrl` is left unencoded to avoid future double-encoding regressions when working with `PackageURL`.
- Uncommenting `trustedcontent.recommendation.hardened.url` means the provider may now initialize even when `HUMMINGBIRD_URL` is empty; it may be worth adding a guard or validation to avoid starting the hardened provider without a valid URL.

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

@codecov-commenter

codecov-commenter commented Jun 24, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 56.77%. Comparing base (9ec6185) to head (d525ac6).

Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff            @@
##               main     #636   +/-   ##
=========================================
  Coverage     56.77%   56.77%           
  Complexity      815      815           
=========================================
  Files            94       94           
  Lines          4793     4793           
  Branches        618      618           
=========================================
  Hits           2721     2721           
  Misses         1800     1800           
  Partials        272      272           
Flag Coverage Δ
integration-tests 56.77% <100.00%> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines Coverage Δ
...rustify/hardened/HardenedImageResponseHandler.java 75.47% <100.00%> (ø)
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

…ngbird URL

PackageURL constructor auto-encodes qualifier values, so manual
URLEncoder.encode() in containerRefToPackageRef() caused double-encoding
of the repository_url qualifier. This removes the redundant encoding and
uncomments the Hummingbird URL configuration property.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@ruromero ruromero requested a review from a-oren June 25, 2026 00:07
@ruromero ruromero force-pushed the fix/purl-double-encoding branch from 52d1966 to d525ac6 Compare June 25, 2026 00:07

@a-oren a-oren left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@ruromero ruromero merged commit 97fd6d6 into guacsec:main Jun 25, 2026
3 checks passed
@ruromero ruromero deleted the fix/purl-double-encoding branch June 25, 2026 09:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants