Files
dependency-review-action/src/main.ts
T

274 lines
8.0 KiB
TypeScript
Raw Normal View History

2022-03-31 18:31:39 +02:00
import * as core from '@actions/core'
import * as dependencyGraph from './dependency-graph'
import * as github from '@actions/github'
import styles from 'ansi-styles'
2022-06-01 12:09:11 +02:00
import {RequestError} from '@octokit/request-error'
2023-08-02 16:17:51 +02:00
import {Change, Severity, Changes, ConfigurationOptions} from './schemas'
2022-06-13 19:55:08 +02:00
import {readConfig} from '../src/config'
2022-09-22 22:25:21 +00:00
import {
filterChangesBySeverity,
filterChangesByScopes,
2022-10-11 15:17:34 +02:00
filterAllowedAdvisories
2022-09-22 22:25:21 +00:00
} from '../src/filter'
2022-10-27 13:09:37 +00:00
import {getInvalidLicenseChanges} from './licenses'
import * as summary from './summary'
import {getRefs} from './git-refs'
2022-03-31 18:31:39 +02:00
2022-09-27 12:25:12 +02:00
import {groupDependenciesByManifest} from './utils'
import {commentPr} from './comment-pr'
2023-08-07 14:04:41 +02:00
import {getDeniedChanges} from './deny'
2022-09-27 12:25:12 +02:00
2022-03-31 18:31:39 +02:00
async function run(): Promise<void> {
try {
const config = await readConfig()
2023-04-06 09:37:42 +02:00
const refs = getRefs(config, github.context)
2022-03-31 18:31:39 +02:00
2023-03-22 21:13:20 +00:00
const comparison = await dependencyGraph.compare({
2022-03-31 18:31:39 +02:00
owner: github.context.repo.owner,
repo: github.context.repo.repo,
baseRef: refs.base,
headRef: refs.head
2022-03-31 18:31:39 +02:00
})
2023-03-22 21:13:20 +00:00
const changes = comparison.changes
const snapshot_warnings = comparison.snapshot_warnings
2022-03-31 18:31:39 +02:00
if (!changes) {
core.info('No Dependency Changes found. Skipping Dependency Review.')
return
}
const minSeverity = config.fail_on_severity
2022-09-27 12:25:12 +02:00
const scopedChanges = filterChangesByScopes(config.fail_on_scopes, changes)
2022-10-11 15:17:34 +02:00
const filteredChanges = filterAllowedAdvisories(
2022-09-27 12:25:12 +02:00
config.allow_ghsas,
2022-09-22 22:25:21 +00:00
scopedChanges
)
2023-02-28 12:27:55 +00:00
const vulnerableChanges = filterChangesBySeverity(
2022-09-27 12:25:12 +02:00
minSeverity,
2022-09-22 22:25:21 +00:00
filteredChanges
).filter(
change =>
2022-03-31 18:31:39 +02:00
change.change_type === 'added' &&
change.vulnerabilities !== undefined &&
change.vulnerabilities.length > 0
)
2022-03-31 18:31:39 +02:00
2022-10-27 13:09:37 +00:00
const invalidLicenseChanges = await getInvalidLicenseChanges(
2022-09-22 22:25:21 +00:00
filteredChanges,
2022-09-27 12:25:12 +02:00
{
allow: config.allow_licenses,
2023-03-08 12:38:34 +01:00
deny: config.deny_licenses,
2023-04-06 09:37:42 +02:00
licenseExclusions: config.allow_dependencies_licenses
2022-09-27 12:25:12 +02:00
}
2022-06-14 13:54:27 +02:00
)
2023-08-08 16:51:40 +02:00
core.debug(`Filtered Changes: ${JSON.stringify(filteredChanges)}`)
core.debug(`Config Deny Packages: ${JSON.stringify(config)}`)
2023-08-02 15:48:28 +02:00
const deniedChanges = await getDeniedChanges(
filteredChanges,
2023-08-07 14:04:41 +02:00
config.deny_packages,
config.deny_groups
2023-08-02 15:48:28 +02:00
)
2023-02-28 12:27:55 +00:00
summary.addSummaryToSummary(
vulnerableChanges,
invalidLicenseChanges,
2023-08-02 15:48:28 +02:00
deniedChanges,
2023-02-28 12:27:55 +00:00
config
)
2023-03-22 21:13:20 +00:00
if (snapshot_warnings) {
summary.addSnapshotWarnings(snapshot_warnings)
}
if (config.vulnerability_check) {
2023-02-28 12:27:55 +00:00
summary.addChangeVulnerabilitiesToSummary(vulnerableChanges, minSeverity)
printVulnerabilitiesBlock(vulnerableChanges, minSeverity)
}
if (config.license_check) {
summary.addLicensesToSummary(invalidLicenseChanges, config)
printLicensesBlock(invalidLicenseChanges)
}
2023-08-07 14:04:41 +02:00
if (config.deny_packages || config.deny_groups) {
2023-08-02 16:17:51 +02:00
summary.addDeniedToSummary(deniedChanges)
printDeniedDependencies(deniedChanges, config)
}
summary.addScannedDependencies(changes)
2022-09-26 12:21:24 +02:00
printScannedDependencies(changes)
if (config.comment_summary_in_pr) {
await commentPr(core.summary)
}
2022-03-31 18:31:39 +02:00
} catch (error) {
if (error instanceof RequestError && error.status === 404) {
core.setFailed(
`Dependency review could not obtain dependency data for the specified owner, repository, or revision range.`
)
} else if (error instanceof RequestError && error.status === 403) {
2022-03-31 18:31:39 +02:00
core.setFailed(
`Dependency review is not supported on this repository. Please ensure that Dependency graph is enabled along with GitHub Advanced Security on private repositories, see https://github.com/${github.context.repo.owner}/${github.context.repo.repo}/settings/security_analysis`
2022-03-31 18:31:39 +02:00
)
2022-05-23 11:45:36 -07:00
} else {
if (error instanceof Error) {
core.setFailed(error.message)
} else {
core.setFailed('Unexpected fatal error')
}
2022-03-31 18:31:39 +02:00
}
} finally {
await core.summary.write()
2022-03-31 18:31:39 +02:00
}
}
2022-09-26 12:21:24 +02:00
function printVulnerabilitiesBlock(
2022-10-27 13:09:37 +00:00
addedChanges: Changes,
2022-09-26 12:21:24 +02:00
minSeverity: Severity
): void {
let failed = false
core.group('Vulnerabilities', async () => {
if (addedChanges.length > 0) {
for (const change of addedChanges) {
printChangeVulnerabilities(change)
}
failed = true
}
if (failed) {
core.setFailed('Dependency review detected vulnerable packages.')
} else {
core.info(
`Dependency review did not detect any vulnerable packages with severity level "${minSeverity}" or higher.`
)
}
})
}
2022-07-04 20:09:44 +09:00
function printChangeVulnerabilities(change: Change): void {
2022-06-01 05:36:46 +02:00
for (const vuln of change.vulnerabilities) {
2022-05-31 06:03:42 +02:00
core.info(
2022-06-01 12:09:11 +02:00
`${styles.bold.open}${change.manifest} » ${change.name}@${
change.version
2022-05-31 06:03:42 +02:00
}${styles.bold.close} ${vuln.advisory_summary} ${renderSeverity(
vuln.severity
)}`
)
core.info(` ↪ ${vuln.advisory_url}`)
}
}
2022-09-27 12:25:12 +02:00
function printLicensesBlock(
2022-10-27 13:09:37 +00:00
invalidLicenseChanges: Record<string, Changes>
2022-09-27 12:25:12 +02:00
): void {
core.group('Licenses', async () => {
2022-10-27 13:09:37 +00:00
if (invalidLicenseChanges.forbidden.length > 0) {
2022-10-27 16:24:30 +00:00
core.info('\nThe following dependencies have incompatible licenses:')
2022-10-27 13:09:37 +00:00
printLicensesError(invalidLicenseChanges.forbidden)
2022-09-27 12:25:12 +02:00
core.setFailed('Dependency review detected incompatible licenses.')
}
2022-10-27 13:09:37 +00:00
if (invalidLicenseChanges.unresolved.length > 0) {
core.warning(
2022-10-28 11:23:05 +02:00
'\nThe validity of the licenses of the dependencies below could not be determined. Ensure that they are valid SPDX licenses:'
2022-10-27 13:09:37 +00:00
)
printLicensesError(invalidLicenseChanges.unresolved)
core.setFailed(
'Dependency review could not detect the validity of all licenses.'
)
}
printNullLicenses(invalidLicenseChanges.unlicensed)
2022-09-27 12:25:12 +02:00
})
}
2022-10-27 13:09:37 +00:00
function printLicensesError(changes: Changes): void {
2022-09-27 12:25:12 +02:00
for (const change of changes) {
core.info(
`${styles.bold.open}${change.manifest} » ${change.name}@${change.version}${styles.bold.close} License: ${styles.color.red.open}${change.license}${styles.color.red.close}`
)
}
}
2022-10-27 13:09:37 +00:00
function printNullLicenses(changes: Changes): void {
2022-09-27 12:25:12 +02:00
if (changes.length === 0) {
return
}
2022-10-27 16:24:30 +00:00
core.info('\nWe could not detect a license for the following dependencies:')
2022-09-27 12:25:12 +02:00
for (const change of changes) {
core.info(
`${styles.bold.open}${change.manifest} » ${change.name}@${change.version}${styles.bold.close}`
)
}
}
2022-03-31 18:31:39 +02:00
function renderSeverity(
severity: 'critical' | 'high' | 'moderate' | 'low'
): string {
const color = (
{
critical: 'red',
high: 'red',
moderate: 'yellow',
low: 'grey'
} as const
)[severity]
return `${styles.color[color].open}(${severity} severity)${styles.color[color].close}`
}
2022-09-26 12:01:39 +02:00
function renderScannedDependency(change: Change): string {
const changeType: string = change.change_type
if (changeType !== 'added' && changeType !== 'removed') {
throw new Error(`Unexpected change type: ${changeType}`)
}
2022-09-26 11:35:05 +02:00
const color = (
{
added: 'green',
removed: 'red'
} as const
2022-09-26 12:01:39 +02:00
)[changeType]
const icon = (
{
added: '+',
removed: '-'
} as const
)[changeType]
return `${styles.color[color].open}${icon} ${change.name}@${change.version}${styles.color[color].close}`
2022-09-26 11:35:05 +02:00
}
2022-09-26 19:13:25 +02:00
function printScannedDependencies(changes: Changes): void {
2022-09-26 12:41:16 +02:00
core.group('Dependency Changes', async () => {
2022-09-27 12:25:12 +02:00
const dependencies = groupDependenciesByManifest(changes)
2022-09-26 12:21:24 +02:00
2022-09-26 12:41:16 +02:00
for (const manifestName of dependencies.keys()) {
const manifestChanges = dependencies.get(manifestName) || []
2022-09-26 12:21:24 +02:00
core.info(`File: ${styles.bold.open}${manifestName}${styles.bold.close}`)
for (const change of manifestChanges) {
core.info(`${renderScannedDependency(change)}`)
}
}
})
}
2023-08-02 16:17:51 +02:00
function printDeniedDependencies(
changes: Change[],
config: ConfigurationOptions
): void {
core.group('Denied', async () => {
2023-08-07 14:04:41 +02:00
for (const denied of config.deny_packages) {
2023-08-02 16:17:51 +02:00
core.info(`Config: ${denied}`)
}
for (const change of changes) {
core.info(`Change: ${change.name}@${change.version} is denied`)
core.info(`Change: ${change.package_url} is denied`)
}
})
}
2022-03-31 18:31:39 +02:00
run()