Merge branch 'main' into dependency-review

Author: aegilops

src/malwareMatcher.ts

@@ -6,6 +6,15 @@ import path from "path";
 import zlib from "zlib";
 import * as semver from "semver";
 
+// Type alias to improve readability for complex package shape
+type PkgLike = {
+  purl?: string;
+  externalRefs?: Array<{ referenceType?: string; referenceLocator?: string }>;
+  name?: string;
+  version?: string;
+  versionInfo?: string;
+};
+
 const our_tool_name = "SBOM Toolkit";
 const our_tool_url = "https://github.com/advanced-security/github-sbom-toolkit";
 
@@ -24,6 +33,12 @@ export interface MalwareMatch {
   reason: string;
 }
 
+// Type alias for packages used in enumeratePackages
+export type EnumeratedPackage = SbomPackage & {
+  externalRefs?: { referenceType?: string; referenceLocator?: string }[];
+  versionInfo?: string;
+};
+
 // Map GitHub ecosystem enums to purl types
 const ecosystemToPurlType: Record<string, string> = {
   ACTIONS: "githubactions",
@@ -113,11 +128,11 @@ export function matchMalware(advisories: MalwareAdvisoryNode[], sboms: Repositor
   const index = new Map<string, MalwareAdvisoryNode[]>();
   for (const adv of advisories) {
     // Ignore advisories that have been withdrawn
-    if ((adv as unknown as { withdrawnAt?: string | null }).withdrawnAt) continue;
+    if (adv.withdrawnAt) continue;
     // Ignore advisories older than cutoff (must be before cutoff in BOTH publishedAt & updatedAt to be excluded)
     if (cutoffDate) {
-      const pub = new Date((adv as unknown as { publishedAt?: string }).publishedAt || 0);
-      const upd = new Date((adv as unknown as { updatedAt?: string }).updatedAt || 0);
+      const pub = new Date(adv.publishedAt || 0);
+      const upd = new Date(adv.updatedAt || 0);
       if (pub < cutoffDate && upd < cutoffDate) continue;
     }
     for (const vuln of adv.vulnerabilities) {