From 8323501457a45fedee403700155332e02ded7482 Mon Sep 17 00:00:00 2001
From: Monal-Reddy
Date: Fri, 13 Mar 2026 20:06:26 +0530
Subject: [PATCH 1/3] Fix #613: avoid selecting unrelated repositories as source repo
Signed-off-by: Monal-Reddy
---
 purl2vcs/src/purl2vcs/find_source_repo.py | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/purl2vcs/src/purl2vcs/find_source_repo.py b/purl2vcs/src/purl2vcs/find_source_repo.py
index 58e9a9b2..72aea835 100644
--- a/purl2vcs/src/purl2vcs/find_source_repo.py
+++ b/purl2vcs/src/purl2vcs/find_source_repo.py
@@ -196,19 +196,35 @@ def get_source_repo(package: Package) -> PackageURL:
 repo_urls = list(get_repo_urls(package))
 if not repo_urls:
 return
+
 # dedupe repo urls
 repo_urls = list(set(repo_urls))
+
 source_purls = list(convert_repo_urls_to_purls(repo_urls))
 if not source_purls:
 return
+
+ # Filter out clearly unrelated repositories
+ pkg_name = package.name.lower()
+ filtered_source_purls = []
+
+ for purl in source_purls:
+ repo_name = (purl.name or "").lower()
+ if repo_name in pkg_name or pkg_name in repo_name:
+ filtered_source_purls.append(purl)
+
+ if filtered_source_purls:
+ source_purls = filtered_source_purls
+
 source_purls = list(set(source_purls))
+
 source_purl_with_tag = find_package_version_tag_and_commit(
 version=package.version, source_purls=source_purls
 )
+
 if source_purl_with_tag:
 return source_purl_with_tag
-
 def get_repo_urls(package: Package) -> Generator[str, None, None]:
 """
 Return the URL of the source repository of a package
From 777352807eebf0bf2375c3283e8341cc91cbe08e Mon Sep 17 00:00:00 2001
From: Monal-Reddy
Date: Fri, 13 Mar 2026 20:19:13 +0530
Subject: [PATCH 2/3] Clean up whitespace in get_source_repo
Signed-off-by: Monal-Reddy
---
 purl2vcs/src/purl2vcs/find_source_repo.py | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/purl2vcs/src/purl2vcs/find_source_repo.py b/purl2vcs/src/purl2vcs/find_source_repo.py
index 72aea835..672a0c5d 100644
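Review bot: In PATCH 1/3, the filter loop added to `get_source_repo` lets any candidate with an empty name through, because `(purl.name or "").lower()` yields `""` and `"" in pkg_name` is always true; the condition should read `if repo_name and (repo_name in pkg_name or pkg_name in repo_name):`. The two-way substring match is also loose for short names, since a one- or two-letter package or repository name matches almost any counterpart. The candidate URLs appear to come from the package's own metadata, so a name match narrows the list but says nothing about provenance; a comment such as `# heuristic only: a matching name does not establish that the repo is the package's origin` would keep it from being read as a trust check. Once any candidate matches, repositories named differently from the package (monorepos, renamed projects) are dropped before the tag lookup, which may deserve a debug log line. The body of `get_source_repo` begins above this hunk.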
--- a/purl2vcs/src/purl2vcs/find_source_repo.py
+++ b/purl2vcs/src/purl2vcs/find_source_repo.py
@@ -196,14 +196,11 @@ def get_source_repo(package: Package) -> PackageURL:
 repo_urls = list(get_repo_urls(package))
 if not repo_urls:
 return
-
 # dedupe repo urls
 repo_urls = list(set(repo_urls))
-
 source_purls = list(convert_repo_urls_to_purls(repo_urls))
 if not source_purls:
 return
-
 # Filter out clearly unrelated repositories
 pkg_name = package.name.lower()
 filtered_source_purls = []
@@ -217,11 +214,9 @@ def get_source_repo(package: Package) -> PackageURL:
 source_purls = filtered_source_purls
 source_purls = list(set(source_purls))
-
 source_purl_with_tag = find_package_version_tag_and_commit(
 version=package.version, source_purls=source_purls
 )
-
 if source_purl_with_tag:
 return source_purl_with_tag
From 60bc340ae20d5e396682335f03f9240e0745cada Mon Sep 17 00:00:00 2001
From: Monal-Reddy
Date: Sat, 14 Mar 2026 18:36:03 +0530
Subject: [PATCH 3/3] addin unit tests
Signed-off-by: Monal-Reddy
---
 purl2vcs/tests/test_find_source_repo.py | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
diff --git a/purl2vcs/tests/test_find_source_repo.py b/purl2vcs/tests/test_find_source_repo.py
index 53722576..4014a1a4 100644
--- a/purl2vcs/tests/test_find_source_repo.py
+++ b/purl2vcs/tests/test_find_source_repo.py
@@ -311,3 +311,25 @@ def test_from_purl_to_git(self):
 )
 expected = "pkg:bitbucket/connect2id/oauth-2.0-sdk-with-openid-connect-extensions@9.36?commit=e86fb3431972d302fcb615aca0baed4d8ab89791"
 self.assertEqual(expected, response.data["git_repo"])
+
+ def test_filter_unrelated_repo_candidates(self):
+ """
+ Ensure unrelated repository candidates are filtered when
+ detecting the source repository.
+ """
+
+ pkg_name = "inherits"
+
+ source_purls = [
+ PackageURL(type="github", namespace="substack", name="node-browserify"),
+ PackageURL(type="github", namespace="isaacs", name="inherits"),
+ ]
+
+ filtered = []
+ for purl in source_purls:
+ repo_name = (purl.name or "").lower()
+ if repo_name in pkg_name or pkg_name in repo_name:
+ filtered.append(purl)
+
+ self.assertTrue(any(p.name == "inherits" for p in filtered))
+ self.assertFalse(any(p.name == "node-browserify" for p in filtered))
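Review bot: `test_filter_unrelated_repo_candidates` re-implements the filter loop inline instead of calling anything from `find_source_repo.py`, so it passes whatever `get_source_repo` does and would not catch a regression in the shipped code. Moving the loop into a small helper in `find_source_repo.py` and asserting on that helper's result here would exercise the real logic. Cases worth adding are the fallback when no candidate matches (the original list has to be kept) and a very short package name, where the substring rule accepts unrelated repositories. The two assertions could also be tightened to `self.assertEqual(["inherits"], [p.name for p in filtered])`.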