
Feat/sp 4479 include oss file info annotation#153

Merged
agustingroh merged 2 commits into
mainfrom
feat/SP-4479-include-OSS-file-info-annotation
Jun 25, 2026

Conversation

@agustingroh (Contributor) commented Jun 23, 2026

Summary by CodeRabbit

  • New Features
    • Pull request match comments now include richer “File” links (with snippet line ranges) for GitHub-hosted components, plus inline matched OSS line previews when available.
    • Registry-sourced components show an informational note when browsable source links can’t be generated.
  • Bug Fixes
    • Improved match comment formatting (versions, similarity text, and warning/caution blocks) and refined duplicate-comment detection behavior.
  • Documentation
    • Added a “Match Comments” section explaining what’s posted for snippet and full-file matches and how links/notes are shown.

@coderabbitai Bot commented Jun 23, 2026

Review Change Stack

Warning

Review limit reached

@agustingroh, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 14 minutes and 20 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 2ab097ce-104f-40ed-9f7a-79d3fd920900

📥 Commits

Reviewing files that changed from the base of the PR and between 6c5c7e3 and 514d799.

⛔ Files ignored due to path filters (1)
  • dist/index.js is excluded by !**/dist/**
📒 Files selected for processing (7)
  • CHANGELOG.md
  • README.md
  • __tests__/oss-file-contents.test.ts
  • package.json
  • src/types/annotations.ts
  • src/utils/github-comment-api.ts
  • src/utils/oss-file-contents.ts
📝 Walkthrough

Adds OSS file-content fetching and inline snippet rendering, updates match comments to show GitHub-hosted file and line links or a registry fallback note, and refreshes tests, docs, changelog, and version metadata.

Changes

OSS match comment links and inline source fetching

Layer (files): summary

  • OSS file-content helpers and inlining (src/utils/oss-file-contents.ts, src/types/annotations.ts): Adds file-content URL construction, language hint mapping, and snippet inlining from OSS file hashes and line ranges. Extends SnippetMatch with file_hash for file-content retrieval.
  • Match comment formatting (src/utils/github-comment-api.ts): Imports snippet inlining, builds GitHub permalinks and line anchors, rewrites snippet and file annotation text, wraps commit comment bodies in admonitions, and changes file-match deduplication key formatting.
  • Tests for OSS file-content fetching (__tests__/oss-file-contents.test.ts): Adds coverage for URL generation, fetch handling, line slicing, truncation, and fenced code-block output.
  • Version and release notes (package.json, README.md, CHANGELOG.md): Bumps the package version, adds README documentation for match comments, and extends the changelog with the 1.7.0 release entry and compare link.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • scanoss/gha-code-scan#98: Modifies src/utils/github-comment-api.ts commit comment and deduplication logic in a related area.

Suggested reviewers

  • eeisegn

Poem

🐰 I hopped through links from file to line,
And tucked the source inside the rhyme.
GitHub paths now shine so bright,
Registry notes keep things polite.
Version 1.7.0 rings clear —
A rabbit’s cheer for comment-tier!

🚥 Pre-merge checks | ✅ 5 passed

  • Description Check: ✅ Passed. Check skipped because CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title matches the main change: adding OSS file info annotations and related comment/link handling.
  • Docstring Coverage: ✅ Passed. Docstring coverage is 80.00%, which meets the required threshold of 80.00%.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.


@github-actions


🔍 SCANOSS Code Similarity Detected

📄 1 snippet matches found

🔗 View detailed findings on commit beb07d5

Files with similarities:

  • dist/index.js

💡 Click the commit link above to see detailed annotations for each match.

@github-actions


SCANOSS SCAN Completed 🚀

  • Detected components: 3
  • Undeclared components: 1
  • Declared components: 2
  • Detected files: 67
  • Detected files undeclared: 1
  • Detected files declared: 66
  • Licenses detected: 2
  • Licenses detected with copyleft: 0
  • Policies: ❌ 1 fail ✅ 1 pass (2 total)

View more details on SCANOSS Action Summary

@coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/utils/github-comment-api.ts`:
- Around line 73-77: The prefix stripping logic at lines 76, 113, and 167
incorrectly uses indexOf('/') which finds the first slash in the string, but
this breaks for components containing slashes like 'owner/repo' or '`@scope/pkg`'.
Instead of searching for the first slash, construct the full expected prefix
pattern (combining match.component, '-', and match.ref) and search for that
complete pattern in the filePath, then extract everything after it. This ensures
the prefix is stripped correctly regardless of whether the component name
contains slashes.
- Line 275: The deduplicationKey construction uses the raw fileMatch.version
without normalization, while displayed versions are normalized elsewhere (line
147), causing semantically identical versions like v1.2.3 and 1.2.3 to generate
different dedup keys and result in duplicate comments. Apply the same version
normalization logic used on line 147 to the fileMatch.version when building the
deduplicationKey to ensure consistent deduplication across different version
formats.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 49a10ac4-9f82-4dce-9393-eaae42721888

📥 Commits

Reviewing files that changed from the base of the PR and between 821f15b and beb07d5.

⛔ Files ignored due to path filters (2)
  • dist/index.js is excluded by !**/dist/**
  • dist/licenses.txt is excluded by !**/dist/**
📒 Files selected for processing (4)
  • CHANGELOG.md
  • README.md
  • package.json
  • src/utils/github-comment-api.ts

Comment thread src/utils/github-comment-api.ts
Comment thread src/utils/github-comment-api.ts
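Worked illustration of the two findings in the review above, written as an added example in the project's language. It is not code from scanoss/gha-code-scan: the function names, the assumption that the prefix to strip has the shape `<component>-<ref>/`, and the rule that normalisation drops a leading `v` are all illustrative.

```typescript
// Added example, not code from scanoss/gha-code-scan.
// 1) Why indexOf('/') is the wrong way to strip a "<component>-<ref>/" prefix
//    when the component itself contains slashes ('owner/repo', '@scope/pkg').
// 2) Why a deduplication key must use the same normalised version as the
//    displayed text, or 'v1.2.3' and '1.2.3' produce two comments.

// Buggy approach: cuts at the FIRST slash. For '@scope/pkg-1.2.3/src/index.ts'
// that is the slash inside the scope, so the component name leaks into the path.
function stripPrefixNaive(filePath: string): string {
  const i = filePath.indexOf('/');
  return i === -1 ? filePath : filePath.slice(i + 1);
}

// Suggested approach: build the full expected prefix from component and ref
// (assumed shape: "<component>-<ref>/") and take everything after it.
function stripPrefixByPattern(filePath: string, component: string, ref: string): string {
  const prefix = `${component}-${ref}/`;
  const i = filePath.indexOf(prefix);
  return i === -1 ? filePath : filePath.slice(i + prefix.length);
}

// Illustrative normalisation rule: trim and drop a leading 'v' before a digit.
function normalizeVersion(version: string): string {
  return version.trim().replace(/^v(?=\d)/i, '');
}

// The dedup key uses the normalised version so that display and dedup agree.
function dedupKey(component: string, version: string, file: string): string {
  return `${component}@${normalizeVersion(version)}:${file}`;
}

interface FileMatch {
  component: string;
  version: string;
  file: string;
}

// Keeps the first occurrence of each (component, normalised version, file).
function dedupeFileMatches(matches: FileMatch[]): FileMatch[] {
  const seen = new Set<string>();
  return matches.filter((m) => {
    const key = dedupKey(m.component, m.version, m.file);
    if (seen.has(key)) return false;
    seen.add(key);
    return true;
  });
}
```

Note that `stripPrefixByPattern` falls through unchanged when the pattern is absent, which is the safe default for a path that was never prefixed.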
@agustingroh force-pushed the feat/SP-4479-include-OSS-file-info-annotation branch from beb07d5 to 6c5c7e3 on June 25, 2026 10:48
@github-actions


🔍 SCANOSS Code Similarity Detected

📄 1 snippet matches found

🔗 View detailed findings on commit 6c5c7e3

Files with similarities:

  • dist/index.js

💡 Click the commit link above to see detailed annotations for each match.

@github-actions


SCANOSS SCAN Completed 🚀

  • Detected components: 3
  • Undeclared components: 1
  • Declared components: 2
  • Detected files: 67
  • Detected files undeclared: 1
  • Detected files declared: 66
  • Licenses detected: 2
  • Licenses detected with copyleft: 0
  • Policies: ❌ 1 fail ✅ 1 pass (2 total)

View more details on SCANOSS Action Summary

@coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/utils/oss-file-contents.ts`:
- Around line 167-171: The fenced block in oss-file-contents.ts can break when
selected contains triple backticks, so update the block construction to use a
dynamic fence that is longer than any backtick run in selected before building
the Markdown string. Keep the existing behavior in the logic around
languageFromPath, selected, and MAX_INLINE_LINES, but compute a safe fence
length from the snippet contents and use it instead of a fixed ``` fence when
assembling block.
- Around line 126-141: The fetch in oss-file-contents should be bounded so a
stalled SCANOSS file_contents request can’t hang indefinitely. Update the
request logic in the snippet around the fetch(url, ...) call to use a native
AbortController timeout, pass its signal into fetch, and ensure the timeout is
cleared in both success and error paths. Keep the existing response/error
handling in place and preserve the current core.debug logging in this helper.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 325eb194-69dc-4b61-a255-c18a301d3e7b

📥 Commits

Reviewing files that changed from the base of the PR and between beb07d5 and 6c5c7e3.

⛔ Files ignored due to path filters (2)
  • dist/index.js is excluded by !**/dist/**
  • dist/licenses.txt is excluded by !**/dist/**
📒 Files selected for processing (7)
  • CHANGELOG.md
  • README.md
  • __tests__/oss-file-contents.test.ts
  • package.json
  • src/types/annotations.ts
  • src/utils/github-comment-api.ts
  • src/utils/oss-file-contents.ts
✅ Files skipped from review due to trivial changes (2)
  • __tests__/oss-file-contents.test.ts
  • package.json
🚧 Files skipped from review as they are similar to previous changes (1)
  • src/utils/github-comment-api.ts
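Added example (not the project's code) for the fence-escape finding in the review above. The OSS file contents come back from a remote API and are pasted into a PR comment, so a file that itself contains ``` can close the fence early and turn the rest of the file into live Markdown in the comment; the fix is an opening fence longer than any backtick run in the body. The same block shows line-range slicing with a truncation cap, since the same helper is where the inlined snippet is cut. `languageFromPath` and `MAX_INLINE_LINES` are names the review mentions; their definitions here are assumptions, as are the extension map and the output layout.

```typescript
// Added example, not code from scanoss/gha-code-scan.
// Renders untrusted OSS file content as an inline Markdown snippet without
// letting the content break out of the code fence.

const MAX_INLINE_LINES = 20; // assumed cap; the project's real value is not on the page

// Assumed extension-to-language mapping for the fence info string.
function languageFromPath(path: string): string {
  const ext = path.toLowerCase().split('.').pop() ?? '';
  const map: Record<string, string> = {
    ts: 'typescript', js: 'javascript', py: 'python', go: 'go',
    rs: 'rust', c: 'c', h: 'c', md: 'markdown'
  };
  return map[ext] ?? '';
}

// Length of the longest run of consecutive backticks in the text (0 if none).
function longestBacktickRun(text: string): number {
  let longest = 0;
  for (const run of text.match(/`+/g) ?? []) longest = Math.max(longest, run.length);
  return longest;
}

// CommonMark closes a fence only with a run at least as long as the opener, so an
// opener one backtick longer than any run in the body can only be closed by us.
function fencedBlock(content: string, lang = ''): string {
  const fence = '`'.repeat(Math.max(3, longestBacktickRun(content) + 1));
  const info = lang.replace(/[\r\n`]/g, ''); // keep the info string on one line
  const body = content.endsWith('\n') ? content : content + '\n';
  return `${fence}${info}\n${body}${fence}`;
}

// 1-based inclusive line range, clamped to the file, then capped at maxLines.
function sliceLines(
  content: string,
  startLine: number,
  endLine: number,
  maxLines: number = MAX_INLINE_LINES
): { text: string; truncated: boolean } {
  const lines = content.split('\n');
  const from = Math.max(1, startLine) - 1;
  const to = Math.min(lines.length, endLine);
  const picked = lines.slice(from, to);
  return { text: picked.slice(0, maxLines).join('\n'), truncated: picked.length > maxLines };
}

// What would be appended to a match comment for one snippet.
function renderInlineSnippet(content: string, startLine: number, endLine: number, path: string): string {
  const { text, truncated } = sliceLines(content, startLine, endLine);
  const block = fencedBlock(text, languageFromPath(path));
  return truncated ? `${block}\n_(truncated to ${MAX_INLINE_LINES} lines)_` : block;
}
```

The info string is also scrubbed because a newline there would end the opening fence line and let the language hint itself become Markdown.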

Comment on lines +126 to +141

  let content: string;
  try {
    const response = await fetch(url, {
      headers: { 'X-Session': inputs.API_KEY }
    });

    if (!response.ok) {
      core.debug(`OSS file contents request failed for ${snippet.file_hash}: HTTP ${response.status}`);
      return null;
    }

    content = await response.text();
  } catch (error) {
    core.debug(`OSS file contents request errored for ${snippet.file_hash}: ${error}`);
    return null;
  }


🩺 Stability & Availability | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
fd -H -t f 'package.json|action.yml|action.yaml|.nvmrc|.tool-versions' --max-depth 2 \
  --exec sh -c 'echo "== {} =="; cat "{}"'
rg -n '"node"|runs:|using:|node-version' -g 'package.json' -g 'action.y*ml' .

Repository: scanoss/gha-code-scan

Length of output: 6955


Add a timeout to the fetch call to prevent indefinite hangs.

The fetch request in src/utils/oss-file-contents.ts lacks a timeout mechanism. A slow or stalled response from the SCANOSS file_contents API will cause the Action to hang indefinitely rather than failing over gracefully.

Since the project targets Node 24, native AbortController support is available and requires no additional dependencies.

🛡️ Proposed fix to bound the request
   let content: string;
   try {
-    const response = await fetch(url, {
-      headers: { 'X-Session': inputs.API_KEY }
-    });
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), 10_000);
+    let response: Response;
+    try {
+      response = await fetch(url, {
+        headers: { 'X-Session': inputs.API_KEY },
+        signal: controller.signal
+      });
+    } finally {
+      clearTimeout(timeout);
+    }
 
     if (!response.ok) {
       core.debug(`OSS file contents request failed for ${snippet.file_hash}: HTTP ${response.status}`);
       return null;
     }
 
     content = await response.text();
   } catch (error) {
     core.debug(`OSS file contents request errored for ${snippet.file_hash}: ${error}`);
     return null;
   }
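Review bot: the inner `finally { clearTimeout(timeout); }` fires as soon as `fetch()` resolves, which is when response headers arrive, but `content = await response.text()` runs after that with no timer active, so a server that returns headers and then stalls the body still hangs the Action indefinitely; move the `clearTimeout` into the outer `try`'s `finally` (after the `text()` read) so the signal stays armed until the body is consumed. Also consider naming the `10_000` bound and mentioning the abort in the existing `core.debug` line, since an AbortError otherwise surfaces only as a generic "request errored".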

Comment thread src/utils/oss-file-contents.ts
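Added example (not the project's code) of the bounded-fetch pattern discussed in the comment above. The fetch function is injected so the example runs offline against constructed stand-in servers; in the Action you would pass `globalThis.fetch`. It keeps the timer alive across the body read on purpose, because a server that sends headers and then stalls the body is the case a header-only bound misses. Function names, the stand-in servers and the 50 ms bound are illustrative.

```typescript
// Added example, not code from scanoss/gha-code-scan.
// Bounds an HTTP fetch with AbortController so a stalled request cannot hang a
// CI job; the timeout covers both the header handshake and the body read.

type MinimalResponse = { ok: boolean; status: number; text(): Promise<string> };
type FetchLike = (
  url: string,
  init: { signal: AbortSignal; headers?: Record<string, string> }
) => Promise<MinimalResponse>;

async function fetchTextWithTimeout(
  fetchFn: FetchLike,
  url: string,
  timeoutMs: number,
  headers: Record<string, string> = {}
): Promise<string | null> {
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), timeoutMs);
  try {
    const response = await fetchFn(url, { headers, signal: controller.signal });
    if (!response.ok) return null;
    // Still inside the timed region: a server that sends headers and then
    // stalls the body is aborted here too.
    return await response.text();
  } catch {
    return null; // aborted or network error: caller degrades gracefully
  } finally {
    clearTimeout(timer); // always clear so nothing keeps the process alive
  }
}

// Constructed stand-in servers (no network): healthy, never answers, or sends
// headers then never delivers the body. Each promise rejects when the signal aborts.
function fakeServer(mode: 'ok' | 'hang-headers' | 'hang-body'): FetchLike {
  return (_url, init) => {
    const abortable = <T>(p: Promise<T>): Promise<T> =>
      new Promise<T>((resolve, reject) => {
        init.signal.addEventListener('abort', () => reject(new Error('AbortError')), { once: true });
        p.then(resolve, reject);
      });
    const never = new Promise<never>(() => {});
    if (mode === 'hang-headers') return abortable(never);
    const body: Promise<string> = mode === 'hang-body' ? never : Promise.resolve('line 1\nline 2\n');
    return abortable(Promise.resolve({ ok: true, status: 200, text: () => abortable(body) }));
  };
}

// Runs the three scenarios with a short bound and reports what the caller sees.
async function demo(): Promise<Record<string, string | null>> {
  const url = 'https://api.example.invalid/file_contents/abc'; // illustrative URL
  return {
    ok: await fetchTextWithTimeout(fakeServer('ok'), url, 50),
    hangHeaders: await fetchTextWithTimeout(fakeServer('hang-headers'), url, 50),
    hangBody: await fetchTextWithTimeout(fakeServer('hang-body'), url, 50)
  };
}
```

On Node 24 `AbortSignal.timeout(ms)` can replace the manual controller; the manual form is shown because it makes the placement of `clearTimeout` explicit.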
@agustingroh force-pushed the feat/SP-4479-include-OSS-file-info-annotation branch from 6c5c7e3 to aca2cb4 on June 25, 2026 11:01
@github-actions


🔍 SCANOSS Code Similarity Detected

📄 1 snippet matches found

🔗 View detailed findings on commit aca2cb4

Files with similarities:

  • dist/index.js

💡 Click the commit link above to see detailed annotations for each match.

@github-actions


SCANOSS SCAN Completed 🚀

  • Detected components: 3
  • Undeclared components: 1
  • Declared components: 2
  • Detected files: 67
  • Detected files undeclared: 1
  • Detected files declared: 66
  • Licenses detected: 2
  • Licenses detected with copyleft: 0
  • Policies: ❌ 1 fail ✅ 1 pass (2 total)

View more details on SCANOSS Action Summary

@agustingroh force-pushed the feat/SP-4479-include-OSS-file-info-annotation branch from aca2cb4 to 1e10df2 on June 25, 2026 11:13
@github-actions


🔍 SCANOSS Code Similarity Detected

📄 1 snippet matches found

🔗 View detailed findings on commit 1e10df2

Files with similarities:

  • dist/index.js

💡 Click the commit link above to see detailed annotations for each match.

@github-actions


SCANOSS SCAN Completed 🚀

  • Detected components: 3
  • Undeclared components: 1
  • Declared components: 2
  • Detected files: 67
  • Detected files undeclared: 1
  • Detected files declared: 66
  • Licenses detected: 2
  • Licenses detected with copyleft: 0
  • Policies: ❌ 1 fail ✅ 1 pass (2 total)

View more details on SCANOSS Action Summary

@agustingroh force-pushed the feat/SP-4479-include-OSS-file-info-annotation branch from 1e10df2 to add2970 on June 25, 2026 11:27
@github-actions


🔍 SCANOSS Code Similarity Detected

📄 1 snippet matches found

🔗 View detailed findings on commit add2970

Files with similarities:

  • dist/index.js

💡 Click the commit link above to see detailed annotations for each match.

@github-actions


SCANOSS SCAN Completed 🚀

  • Detected components: 3
  • Undeclared components: 1
  • Declared components: 2
  • Detected files: 67
  • Detected files undeclared: 1
  • Detected files declared: 66
  • Licenses detected: 2
  • Licenses detected with copyleft: 0
  • Policies: ❌ 1 fail ✅ 1 pass (2 total)

View more details on SCANOSS Action Summary

@agustingroh force-pushed the feat/SP-4479-include-OSS-file-info-annotation branch from add2970 to 514d799 on June 25, 2026 11:34
@github-actions


🔍 SCANOSS Code Similarity Detected

📄 1 snippet matches found

🔗 View detailed findings on commit 514d799

Files with similarities:

  • dist/index.js

💡 Click the commit link above to see detailed annotations for each match.

@github-actions


SCANOSS SCAN Completed 🚀

  • Detected components: 3
  • Undeclared components: 1
  • Declared components: 2
  • Detected files: 67
  • Detected files undeclared: 1
  • Detected files declared: 66
  • Licenses detected: 2
  • Licenses detected with copyleft: 0
  • Policies: ❌ 1 fail ✅ 1 pass (2 total)

View more details on SCANOSS Action Summary

@agustingroh merged commit d3c8f65 into main on Jun 25, 2026 (8 checks passed)
@agustingroh deleted the feat/SP-4479-include-OSS-file-info-annotation branch on June 25, 2026 11:40