Defensively guard against dangling ? from qualifiers

Author: lseppala

componentDetection.test.ts

@@ -20,7 +20,7 @@ test("Parses CLI output", async () => {
 });
 
 describe("ComponentDetection.makePackageUrl", () => {
-  test("returns a valid package url", () => {
+  test("returns a valid package url from saturated object", () => {
     const packageUrl = ComponentDetection.makePackageUrl({
       Scheme: "pkg",
       Type: "npm",
@@ -36,4 +36,18 @@ describe("ComponentDetection.makePackageUrl", () => {
       "pkg:npm/github/component-detection-action@0.0.2?arch=amd64&os=linux"
     );
   });
+
+  test("returns valid package url without dangling ? with empty qualifers", () => {
+    const packageUrl = ComponentDetection.makePackageUrl({
+      Scheme: "pkg",
+      Type: "npm",
+      Namespace: "github",
+      Name: "component-detection-action",
+      Version: "0.0.2",
+      Qualifiers: { },
+    });
+    expect(packageUrl).toBe(
+      "pkg:npm/github/component-detection-action@0.0.2"
+    );
+  });
 });

componentDetection.ts

@@ -128,7 +128,9 @@ export default class ComponentDetection {
     if (packageUrlJson.Version) {
       packageUrl += `@${packageUrlJson.Version}`;
     }
-    if (packageUrlJson.Qualifiers !== null) {
+    if (typeof packageUrlJson.Qualifiers === "object"
+      && packageUrlJson.Qualifiers !== null
+      && Object.keys(packageUrlJson.Qualifiers).length > 0) {
       const qualifierString = Object.entries(packageUrlJson.Qualifiers)
         .map(([key, value]) => `${key}=${value}`)
         .join("&");