2022-03-31 18:31:39 +02:00
import * as core from '@actions/core'
import * as dependencyGraph from './dependency-graph'
import * as github from '@actions/github'
import styles from 'ansi-styles'
2022-06-01 12:09:11 +02:00
import { RequestError } from '@octokit/request-error'
2023-08-02 16:17:51 +02:00
import { Change , Severity , Changes , ConfigurationOptions } from './schemas'
2022-06-13 19:55:08 +02:00
import { readConfig } from '../src/config'
2022-09-22 22:25:21 +00:00
import {
filterChangesBySeverity ,
filterChangesByScopes ,
2022-10-11 15:17:34 +02:00
filterAllowedAdvisories
2022-09-22 22:25:21 +00:00
} from '../src/filter'
2022-10-27 13:09:37 +00:00
import { getInvalidLicenseChanges } from './licenses'
2022-08-01 21:07:02 +01:00
import * as summary from './summary'
2022-07-21 15:47:05 -04:00
import { getRefs } from './git-refs'
2022-03-31 18:31:39 +02:00
2022-09-27 12:25:12 +02:00
import { groupDependenciesByManifest } from './utils'
2023-02-03 10:35:46 +00:00
import { commentPr } from './comment-pr'
2023-08-07 14:04:41 +02:00
import { getDeniedChanges } from './deny'
2022-09-27 12:25:12 +02:00
2022-03-31 18:31:39 +02:00
async function run () : Promise < void > {
try {
2022-11-04 14:51:41 +00:00
const config = await readConfig ()
2023-04-06 09:37:42 +02:00
2022-07-21 15:47:05 -04:00
const refs = getRefs ( config , github . context )
2022-03-31 18:31:39 +02:00
2023-03-22 21:13:20 +00:00
const comparison = await dependencyGraph . compare ({
2022-03-31 18:31:39 +02:00
owner : github.context.repo.owner ,
repo : github.context.repo.repo ,
2022-07-21 15:47:05 -04:00
baseRef : refs.base ,
headRef : refs.head
2022-03-31 18:31:39 +02:00
})
2023-03-22 21:13:20 +00:00
const changes = comparison . changes
const snapshot_warnings = comparison . snapshot_warnings
2022-03-31 18:31:39 +02:00
2023-03-02 07:47:09 +00:00
if ( ! changes ) {
core . info ( 'No Dependency Changes found. Skipping Dependency Review.' )
return
}
2022-11-07 17:08:00 +00:00
const minSeverity = config . fail_on_severity
2022-09-27 12:25:12 +02:00
const scopedChanges = filterChangesByScopes ( config . fail_on_scopes , changes )
2022-10-11 15:17:34 +02:00
const filteredChanges = filterAllowedAdvisories (
2022-09-27 12:25:12 +02:00
config . allow_ghsas ,
2022-09-22 22:25:21 +00:00
scopedChanges
)
2023-02-28 12:27:55 +00:00
const vulnerableChanges = filterChangesBySeverity (
2022-09-27 12:25:12 +02:00
minSeverity ,
2022-09-22 22:25:21 +00:00
filteredChanges
2022-08-01 21:07:02 +01:00
). filter (
change =>
2022-03-31 18:31:39 +02:00
change . change_type === 'added' &&
change . vulnerabilities !== undefined &&
change . vulnerabilities . length > 0
2022-08-01 21:07:02 +01:00
)
2022-03-31 18:31:39 +02:00
2022-10-27 13:09:37 +00:00
const invalidLicenseChanges = await getInvalidLicenseChanges (
2022-09-22 22:25:21 +00:00
filteredChanges ,
2022-09-27 12:25:12 +02:00
{
allow : config.allow_licenses ,
2023-03-08 12:38:34 +01:00
deny : config.deny_licenses ,
2023-04-06 09:37:42 +02:00
licenseExclusions : config.allow_dependencies_licenses
2022-09-27 12:25:12 +02:00
}
2022-06-14 13:54:27 +02:00
)
2023-08-08 16:51:40 +02:00
core . debug ( `Filtered Changes: ${ JSON . stringify ( filteredChanges ) } ` )
core . debug ( `Config Deny Packages: ${ JSON . stringify ( config ) } ` )
2023-08-02 15:48:28 +02:00
const deniedChanges = await getDeniedChanges (
filteredChanges ,
2023-08-07 14:04:41 +02:00
config . deny_packages ,
config . deny_groups
2023-08-02 15:48:28 +02:00
)
2023-02-28 12:27:55 +00:00
summary . addSummaryToSummary (
vulnerableChanges ,
invalidLicenseChanges ,
2023-08-02 15:48:28 +02:00
deniedChanges ,
2023-02-28 12:27:55 +00:00
config
)
2022-10-28 22:15:44 +02:00
2023-03-22 21:13:20 +00:00
if ( snapshot_warnings ) {
summary . addSnapshotWarnings ( snapshot_warnings )
}
2022-10-28 21:59:30 +02:00
if ( config . vulnerability_check ) {
2023-02-28 12:27:55 +00:00
summary . addChangeVulnerabilitiesToSummary ( vulnerableChanges , minSeverity )
printVulnerabilitiesBlock ( vulnerableChanges , minSeverity )
2022-10-28 21:59:30 +02:00
}
if ( config . license_check ) {
summary . addLicensesToSummary ( invalidLicenseChanges , config )
printLicensesBlock ( invalidLicenseChanges )
}
2023-08-07 14:04:41 +02:00
if ( config . deny_packages || config . deny_groups ) {
2023-08-02 16:17:51 +02:00
summary . addDeniedToSummary ( deniedChanges )
printDeniedDependencies ( deniedChanges , config )
}
2022-08-01 21:07:02 +01:00
2022-10-28 21:59:30 +02:00
summary . addScannedDependencies ( changes )
2022-09-26 12:21:24 +02:00
printScannedDependencies ( changes )
2023-02-03 10:35:46 +00:00
if ( config . comment_summary_in_pr ) {
await commentPr ( core . summary )
}
2022-03-31 18:31:39 +02:00
} catch ( error ) {
if ( error instanceof RequestError && error . status === 404 ) {
2022-05-11 19:53:29 +00:00
core . setFailed (
`Dependency review could not obtain dependency data for the specified owner, repository, or revision range.`
)
} else if ( error instanceof RequestError && error . status === 403 ) {
2022-03-31 18:31:39 +02:00
core . setFailed (
2023-01-05 17:26:46 +00:00
`Dependency review is not supported on this repository. Please ensure that Dependency graph is enabled along with GitHub Advanced Security on private repositories, see https://github.com/ ${ github . context . repo . owner } / ${ github . context . repo . repo } /settings/security_analysis`
2022-03-31 18:31:39 +02:00
)
2022-05-23 11:45:36 -07:00
} else {
if ( error instanceof Error ) {
core . setFailed ( error . message )
} else {
core . setFailed ( 'Unexpected fatal error' )
}
2022-03-31 18:31:39 +02:00
}
2022-08-01 21:07:02 +01:00
} finally {
await core . summary . write ()
2022-03-31 18:31:39 +02:00
}
}
2022-09-26 12:21:24 +02:00
function printVulnerabilitiesBlock (
2022-10-27 13:09:37 +00:00
addedChanges : Changes ,
2022-09-26 12:21:24 +02:00
minSeverity : Severity
) : void {
let failed = false
core . group ( 'Vulnerabilities' , async () => {
if ( addedChanges . length > 0 ) {
for ( const change of addedChanges ) {
printChangeVulnerabilities ( change )
}
failed = true
}
if ( failed ) {
core . setFailed ( 'Dependency review detected vulnerable packages.' )
} else {
core . info (
`Dependency review did not detect any vulnerable packages with severity level " ${ minSeverity } " or higher.`
)
}
})
}
2022-07-04 20:09:44 +09:00
function printChangeVulnerabilities ( change : Change ) : void {
2022-06-01 05:36:46 +02:00
for ( const vuln of change . vulnerabilities ) {
2022-05-31 06:03:42 +02:00
core . info (
2022-06-01 12:09:11 +02:00
` ${ styles . bold . open }${ change . manifest } » ${ change . name } @ ${
change . version
2022-05-31 06:03:42 +02:00
}${ styles . bold . close } – ${ vuln . advisory_summary } ${ renderSeverity (
vuln . severity
) } `
)
core . info ( ` ↪ ${ vuln . advisory_url } ` )
}
}
2022-09-27 12:25:12 +02:00
function printLicensesBlock (
2022-10-27 13:09:37 +00:00
invalidLicenseChanges : Record < string , Changes >
2022-09-27 12:25:12 +02:00
) : void {
core . group ( 'Licenses' , async () => {
2022-10-27 13:09:37 +00:00
if ( invalidLicenseChanges . forbidden . length > 0 ) {
2022-10-27 16:24:30 +00:00
core . info ( '\nThe following dependencies have incompatible licenses:' )
2022-10-27 13:09:37 +00:00
printLicensesError ( invalidLicenseChanges . forbidden )
2022-09-27 12:25:12 +02:00
core . setFailed ( 'Dependency review detected incompatible licenses.' )
}
2022-10-27 13:09:37 +00:00
if ( invalidLicenseChanges . unresolved . length > 0 ) {
core . warning (
2022-10-28 11:23:05 +02:00
'\nThe validity of the licenses of the dependencies below could not be determined. Ensure that they are valid SPDX licenses:'
2022-10-27 13:09:37 +00:00
)
printLicensesError ( invalidLicenseChanges . unresolved )
core . setFailed (
'Dependency review could not detect the validity of all licenses.'
)
}
printNullLicenses ( invalidLicenseChanges . unlicensed )
2022-09-27 12:25:12 +02:00
})
}
2022-10-27 13:09:37 +00:00
function printLicensesError ( changes : Changes ) : void {
2022-09-27 12:25:12 +02:00
for ( const change of changes ) {
core . info (
` ${ styles . bold . open }${ change . manifest } » ${ change . name } @ ${ change . version }${ styles . bold . close } – License: ${ styles . color . red . open }${ change . license }${ styles . color . red . close } `
)
}
}
2022-10-27 13:09:37 +00:00
function printNullLicenses ( changes : Changes ) : void {
2022-09-27 12:25:12 +02:00
if ( changes . length === 0 ) {
return
}
2022-10-27 16:24:30 +00:00
core . info ( '\nWe could not detect a license for the following dependencies:' )
2022-09-27 12:25:12 +02:00
for ( const change of changes ) {
core . info (
` ${ styles . bold . open }${ change . manifest } » ${ change . name } @ ${ change . version }${ styles . bold . close } `
)
}
}
2022-03-31 18:31:39 +02:00
function renderSeverity (
severity : 'critical' | 'high' | 'moderate' | 'low'
) : string {
const color = (
{
critical : 'red' ,
high : 'red' ,
moderate : 'yellow' ,
low : 'grey'
} as const
)[ severity ]
return ` ${ styles . color [ color ]. open } ( ${ severity } severity) ${ styles . color [ color ]. close } `
}
2022-09-26 12:01:39 +02:00
function renderScannedDependency ( change : Change ) : string {
const changeType : string = change . change_type
if ( changeType !== 'added' && changeType !== 'removed' ) {
throw new Error ( `Unexpected change type: ${ changeType } ` )
}
2022-09-26 11:35:05 +02:00
const color = (
{
added : 'green' ,
removed : 'red'
} as const
2022-09-26 12:01:39 +02:00
)[ changeType ]
const icon = (
{
added : '+' ,
removed : '-'
} as const
)[ changeType ]
2022-10-11 14:50:55 +02:00
return ` ${ styles . color [ color ]. open }${ icon } ${ change . name } @ ${ change . version }${ styles . color [ color ]. close } `
2022-09-26 11:35:05 +02:00
}
2022-09-26 19:13:25 +02:00
function printScannedDependencies ( changes : Changes ) : void {
2022-09-26 12:41:16 +02:00
core . group ( 'Dependency Changes' , async () => {
2022-09-27 12:25:12 +02:00
const dependencies = groupDependenciesByManifest ( changes )
2022-09-26 12:21:24 +02:00
2022-09-26 12:41:16 +02:00
for ( const manifestName of dependencies . keys ()) {
const manifestChanges = dependencies . get ( manifestName ) || []
2022-09-26 12:21:24 +02:00
core . info ( `File: ${ styles . bold . open }${ manifestName }${ styles . bold . close } ` )
for ( const change of manifestChanges ) {
core . info ( ` ${ renderScannedDependency ( change ) } ` )
}
}
})
}
2023-08-02 16:17:51 +02:00
function printDeniedDependencies (
changes : Change [],
config : ConfigurationOptions
) : void {
core . group ( 'Denied' , async () => {
2023-08-07 14:04:41 +02:00
for ( const denied of config . deny_packages ) {
2023-08-02 16:17:51 +02:00
core . info ( `Config: ${ denied } ` )
}
for ( const change of changes ) {
core . info ( `Change: ${ change . name } @ ${ change . version } is denied` )
core . info ( `Change: ${ change . package_url } is denied` )
}
})
}
2022-03-31 18:31:39 +02:00
run ()