Build and updated README

This commit is contained in:
Stefan Petrushevski
2023-04-06 09:58:14 +02:00
parent 9ad7edb033
commit d3fdbc93c5
5 changed files with 344 additions and 38 deletions
+12 -15
View File
@@ -66,23 +66,21 @@ jobs:
Configure this action by either inlining these options in your workflow file, or by using an external configuration file. All configuration options are optional.
| Option | Usage | Possible values | Default value |
| --------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------- | ------------- |
| `fail-on-severity` | Defines the threshold for the level of severity. The action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher. | `low`, `moderate`, `high`, `critical` | `low` |
| `allow-licenses`\* | Contains a list of allowed licenses. The action will fail on pull requests that introduce dependencies with licenses that do not match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `deny-licenses`\* | Contains a list of prohibited licenses. The action will fail on pull requests that introduce dependencies with licenses that match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `fail-on-scopes` | Contains a list of strings of the build environments you want to support. The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list. | `runtime`, `development`, `unknown` | `runtime` |
| `allow-ghsas` | Contains a list of GitHub Advisory Database IDs that can be skipped during detection. | Any GHSAs from the [GitHub Advisory Database](https://github.com/advisories) | none |
| `license-check` | Enable or disable the license check performed by the action. | `true`, `false` | `true` |
| `vulnerability-check` | Enable or disable the vulnerability check performed by the action. | `true`, `false` | `true` |
| `allow-dependencies-licenses`\*\* | Containts excluded packages per ecosystem for the licenses checks. | `ecosystemName: pkgName1, pkgName2` | none |
| `base-ref`/`head-ref` | Provide custom git references for the git base/head when performing the comparison check. This is only used for event types other than `pull_request` and `pull_request_target`. | Any valid git ref(s) in your project | none |
| `comment-summary-in-pr` | Enable or disable reporting the review summary as a comment in the pull request. If enabled, you must give the workflow or job permission `pull-requests: write`. | `true`, `false` | `false` |
| Option | Usage | Possible values | Default value |
| ------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------- | ------------- |
| `fail-on-severity` | Defines the threshold for the level of severity. The action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher. | `low`, `moderate`, `high`, `critical` | `low` |
| `allow-licenses`\* | Contains a list of allowed licenses. The action will fail on pull requests that introduce dependencies with licenses that do not match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `deny-licenses`\* | Contains a list of prohibited licenses. The action will fail on pull requests that introduce dependencies with licenses that match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `fail-on-scopes`† | Contains a list of strings of the build environments you want to support. The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list. | `runtime`, `development`, `unknown` | `runtime` |
| `allow-ghsas` | Contains a list of GitHub Advisory Database IDs that can be skipped during detection. | Any GHSAs from the [GitHub Advisory Database](https://github.com/advisories) | none |
| `license-check` | Enable or disable the license check performed by the action. | `true`, `false` | `true` |
| `vulnerability-check` | Enable or disable the vulnerability check performed by the action. | `true`, `false` | `true` |
| `allow-dependencies-licenses`\* | Containts excluded packages per ecosystem for the licenses checks. | Any package(s) in [purl](https://github.com/package-url/purl-spec) format | none |
| `base-ref`/`head-ref` | Provide custom git references for the git base/head when performing the comparison check. This is only used for event types other than `pull_request` and `pull_request_target`. | Any valid git ref(s) in your project | none |
| `comment-summary-in-pr` | Enable or disable reporting the review summary as a comment in the pull request. If enabled, you must give the workflow or job permission `pull-requests: write`. | `true`, `false` | `false` |
\*not supported for use with GitHub Enterprise Server
\*\*not supported for use with GitHub Enterprise Server and configuration must be provided in external configuration file
†will be supported with GitHub Enterprise Server 3.8
### Inline Configuration
@@ -146,7 +144,6 @@ allow-licenses:
- Checking for licenses is not supported on Enterprise Server.
- The action will only accept one of the two `license` parameters; an error will be raised if you provide both.
- We don't have license information for all of your dependents. If we can't detect the license for a dependency **we will inform you, but the action won't fail**.
- The `allow-dependencies-licenses` option cannot be configured with inline configurations. It must be configured using the `config-file`.
## Blocking pull requests
+3
View File
@@ -29,6 +29,9 @@ inputs:
deny-licenses:
description: Comma-separated list of forbidden licenses (e.g. "MIT, GPL 3.0, BSD 2 Clause")
required: false
allow-dependencies-licenses:
description: Comma-separated list of allowed licenses for specific dependencies in purl format (e.g. "pkg:npm/express, pkg:pip/pycrypto")
required: false
allow-ghsas:
description: Comma-separated list of allowed GitHub Advisory IDs (e.g. "GHSA-abcd-1234-5679, GHSA-efgh-1234-5679")
required: false
Generated Vendored
+306 -22
View File
@@ -243,6 +243,29 @@ exports.getRefs = getRefs;
"use strict";
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
var desc = Object.getOwnPropertyDescriptor(m, k);
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
desc = { enumerable: true, get: function() { return m[k]; } };
}
Object.defineProperty(o, k2, desc);
}) : (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
o[k2] = m[k];
}));
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
Object.defineProperty(o, "default", { enumerable: true, value: v });
}) : function(o, v) {
o["default"] = v;
});
var __importStar = (this && this.__importStar) || function (mod) {
if (mod && mod.__esModule) return mod;
var result = {};
if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
__setModuleDefault(result, mod);
return result;
};
var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
return new (P || (P = Promise))(function (resolve, reject) {
@@ -259,18 +282,31 @@ Object.defineProperty(exports, "__esModule", ({ value: true }));
exports.getInvalidLicenseChanges = void 0;
const spdx_satisfies_1 = __importDefault(__nccwpck_require__(4424));
const utils_1 = __nccwpck_require__(918);
const packageurl_js_1 = __nccwpck_require__(8915);
const core = __importStar(__nccwpck_require__(2186));
function getInvalidLicenseChanges(changes, licenses) {
var _a;
return __awaiter(this, void 0, void 0, function* () {
const { allow, deny, exception } = licenses;
const { allow, deny } = licenses;
// licenseExclusions = licenseExclusions.map((pkgUrl: string) => {
// return PackageURL.fromString(pkgUrl)
// })
const licenseExclusions = (_a = licenses.licenseExclusions) === null || _a === void 0 ? void 0 : _a.map((pkgUrl) => {
return packageurl_js_1.PackageURL.fromString(pkgUrl);
});
const groupedChanges = yield groupChanges(changes);
// filter out changes that are part of exclusions list - config.allow_license_exceptions
core.info(`Grouped changes BEFORE filter size: ${groupedChanges.licensed.length}`);
// filter out changes that are part of exclusions list - config.allow_dependencies_licenses
groupedChanges.licensed = groupedChanges.licensed.filter(change => {
if ((0, utils_1.isDefined)(exception) &&
exception[change.ecosystem].includes(change.name)) {
const changeAsPackageURL = new packageurl_js_1.PackageURL(change.ecosystem, undefined, change.name, change.version, undefined, undefined);
if ((0, utils_1.isDefined)(licenseExclusions) &&
licenseExclusions.findIndex(exclusion => exclusion.type === changeAsPackageURL.type &&
exclusion.name === changeAsPackageURL.name) !== -1) {
return false;
}
return true;
});
core.info(`Grouped changes after filter size: ${groupedChanges.licensed.length}`);
const licensedChanges = groupedChanges.licensed;
const invalidLicenseChanges = {
unlicensed: groupedChanges.unlicensed,
@@ -479,7 +515,7 @@ function run() {
const invalidLicenseChanges = yield (0, licenses_1.getInvalidLicenseChanges)(filteredChanges, {
allow: config.allow_licenses,
deny: config.deny_licenses,
exception: config.allow_dependencies_licenses
licenseExclusions: config.allow_dependencies_licenses
});
summary.addSummaryToSummary(vulnerableChanges, invalidLicenseChanges, config);
if (config.vulnerability_check) {
@@ -675,9 +711,7 @@ exports.ConfigurationOptionsSchema = z
fail_on_scopes: z.array(z.enum(exports.SCOPES)).default(['runtime']),
allow_licenses: z.array(z.string()).optional(),
deny_licenses: z.array(z.string()).optional(),
allow_dependencies_licenses: z
.record(z.string(), z.array(z.string()))
.optional(),
allow_dependencies_licenses: z.array(z.string()).optional(),
allow_ghsas: z.array(z.string()).default([]),
license_check: z.boolean().default(true),
vulnerability_check: z.boolean().default(true),
@@ -846,7 +880,7 @@ function addLicensesToSummary(invalidLicenseChanges, config) {
if (config.allow_dependencies_licenses) {
core.summary.addHeading('Allowed licensing exceptions', 3);
for (const [ecosystem, dependencies] of Object.entries(config.allow_dependencies_licenses)) {
core.summary.addRaw(`<li> ${ecosystem}</strong>: ${dependencies.join(', ')} </li>`);
core.summary.addRaw(`<li> ${ecosystem}</strong>: ${dependencies} </li>`);
}
}
core.debug(`found ${invalidLicenseChanges.unlicensed.length} unknown licenses`);
@@ -36445,6 +36479,251 @@ function onceStrict (fn) {
}
/***/ }),
/***/ 8915:
/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => {
/*!
Copyright (c) the purl authors
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
*/
const PackageURL = __nccwpck_require__(8749);
module.exports = {
PackageURL
};
/***/ }),
/***/ 8749:
/***/ ((module) => {
/*!
Copyright (c) the purl authors
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
*/
const KnownQualifierNames = Object.freeze({
// known qualifiers as defined here:
// https://github.com/package-url/purl-spec/blob/master/PURL-SPECIFICATION.rst#known-qualifiers-keyvalue-pairs
RepositoryUrl: 'repository_url',
DownloadUrl: 'download_url',
VcsUrl: 'vcs_url',
FileName: 'file_name',
Checksum: 'checksum'
});
class PackageURL {
static get KnownQualifierNames() {
return KnownQualifierNames;
}
constructor(type, namespace, name, version, qualifiers, subpath) {
let required = { 'type': type, 'name': name };
Object.keys(required).forEach(key => {
if (!required[key]) {
throw new Error('Invalid purl: "' + key + '" is a required field.');
}
});
let strings = { 'type': type, 'namespace': namespace, 'name': name, 'versions': version, 'subpath': subpath };
Object.keys(strings).forEach(key => {
if (strings[key] && typeof strings[key] === 'string' || !strings[key]) {
return;
}
throw new Error('Invalid purl: "' + key + '" argument must be a string.');
});
if (qualifiers) {
if (typeof qualifiers !== 'object') {
throw new Error('Invalid purl: "qualifiers" argument must be a dictionary.');
}
Object.keys(qualifiers).forEach(key => {
if (!/^[a-z]+$/i.test(key) && !/[\.-_]/.test(key)) {
throw new Error('Invalid purl: qualifier "' + key + '" contains an illegal character.');
}
});
}
this.type = type;
this.name = name;
this.namespace = namespace;
this.version = version;
this.qualifiers = qualifiers;
this.subpath = subpath;
}
_handlePyPi() {
this.name = this.name.toLowerCase().replace(/_/g, '-');
}
toString() {
var purl = ['pkg:', encodeURIComponent(this.type), '/'];
if (this.type === 'pypi') {
this._handlePyPi();
}
if (this.namespace) {
purl.push(
encodeURIComponent(this.namespace)
.replace(/%3A/g, ':')
.replace(/%2F/g, '/')
);
purl.push('/');
}
purl.push(encodeURIComponent(this.name).replace(/%3A/g, ':'));
if (this.version) {
purl.push('@');
purl.push(encodeURIComponent(this.version).replace(/%3A/g, ':'));
}
if (this.qualifiers) {
purl.push('?');
let qualifiers = this.qualifiers;
let qualifierString = [];
Object.keys(qualifiers).sort().forEach(key => {
qualifierString.push(
encodeURIComponent(key).replace(/%3A/g, ':')
+ '='
+ encodeURIComponent(qualifiers[key]).replace(/%2F/g, '/')
);
});
purl.push(qualifierString.join('&'));
}
if (this.subpath) {
purl.push('#');
purl.push(encodeURIComponent(this.subpath)
.replace(/%3A/g, ':')
.replace(/%2F/g, '/'));
}
return purl.join('');
}
static fromString(purl) {
if (!purl || typeof purl !== 'string' || !purl.trim()) {
throw new Error('A purl string argument is required.');
}
let [scheme, remainder] = purl.split(':', 2);
if (scheme !== 'pkg') {
throw new Error('purl is missing the required "pkg" scheme component.');
}
// this strip '/, // and /// as possible in :// or :///
// from https://gist.github.com/refo/47632c8a547f2d9b6517#file-remove-leading-slash
remainder = remainder.trim().replace(/^\/+/g, '');
let type
[type, remainder] = remainder.split('/', 2);
if (!type || !remainder) {
throw new Error('purl is missing the required "type" component.');
}
type = decodeURIComponent(type)
let url = new URL(purl);
let qualifiers = null;
url.searchParams.forEach((value, key) => {
if (!qualifiers) {
qualifiers = {};
}
qualifiers[key] = value;
});
let subpath = url.hash;
if (subpath.indexOf('#') === 0) {
subpath = subpath.substring(1);
}
subpath = subpath.length === 0
? null
: decodeURIComponent(subpath)
if (url.username !== '' || url.password !== '') {
throw new Error('Invalid purl: cannot contain a "user:pass@host:port"');
}
// this strip '/, // and /// as possible in :// or :///
// from https://gist.github.com/refo/47632c8a547f2d9b6517#file-remove-leading-slash
let path = url.pathname.trim().replace(/^\/+/g, '');
// version is optional - check for existence
let version = null;
if (path.includes('@')) {
let index = path.indexOf('@');
version = decodeURIComponent(path.substring(index + 1));
remainder = path.substring(0, index);
} else {
remainder = path;
}
// The 'remainder' should now consist of an optional namespace and the name
let remaining = remainder.split('/').slice(1);
let name = null;
let namespace = null;
if (remaining.length > 1) {
let nameIndex = remaining.length - 1;
let namespaceComponents = remaining.slice(0, nameIndex);
name = decodeURIComponent(remaining[nameIndex]);
namespace = decodeURIComponent(namespaceComponents.join('/'));
} else if (remaining.length === 1) {
name = decodeURIComponent(remaining[0]);
}
if (name === '') {
throw new Error('purl is missing the required "name" component.');
}
return new PackageURL(type, namespace, name, version, qualifiers, subpath);
}
};
module.exports = PackageURL;
/***/ }),
/***/ 1867:
@@ -44970,6 +45249,7 @@ const core = __importStar(__nccwpck_require__(2186));
const z = __importStar(__nccwpck_require__(3301));
const schemas_1 = __nccwpck_require__(1129);
const utils_1 = __nccwpck_require__(1314);
const packageurl_js_1 = __nccwpck_require__(8915);
function readConfig() {
return __awaiter(this, void 0, void 0, function* () {
const inlineConfig = readInlineConfig();
@@ -44987,12 +45267,14 @@ function readInlineConfig() {
const fail_on_scopes = parseList(getOptionalInput('fail-on-scopes'));
const allow_licenses = parseList(getOptionalInput('allow-licenses'));
const deny_licenses = parseList(getOptionalInput('deny-licenses'));
const allow_dependencies_licenses = parseList(getOptionalInput('allow-dependencies-licenses'));
const allow_ghsas = parseList(getOptionalInput('allow-ghsas'));
const license_check = getOptionalBoolean('license-check');
const vulnerability_check = getOptionalBoolean('vulnerability-check');
const base_ref = getOptionalInput('base-ref');
const head_ref = getOptionalInput('head-ref');
const comment_summary_in_pr = getOptionalBoolean('comment-summary-in-pr');
validatepurl(allow_dependencies_licenses);
validateLicenses('allow-licenses', allow_licenses);
validateLicenses('deny-licenses', deny_licenses);
const keys = {
@@ -45000,6 +45282,7 @@ function readInlineConfig() {
fail_on_scopes,
allow_licenses,
deny_licenses,
allow_dependencies_licenses,
allow_ghsas,
license_check,
vulnerability_check,
@@ -45084,17 +45367,9 @@ function parseConfigFile(configData) {
if (key === 'allow-licenses' || key === 'deny-licenses') {
validateLicenses(key, data[key]);
}
// parse the allow-dependencies-licenses configs value
// per-ecosystem: ['pkg1', 'pkg2']
// validate purls from the allow-dependencies-licenses
if (key === 'allow-dependencies-licenses') {
const val = data[key];
for (const ecosystem of Object.keys(val)) {
const pkgs = val[ecosystem];
if (typeof pkgs === 'string') {
val[ecosystem] = pkgs.split(',').map(x => x.trim());
}
}
data[key] = val;
validatepurl(data[key]);
}
// get rid of the ugly dashes from the actions conventions
if (key.includes('-')) {
@@ -45131,6 +45406,17 @@ function getRemoteConfig(configOpts) {
}
});
}
function validatepurl(allow_dependencies_licenses) {
//validate that the provided elements of the string are in valid purl format
if (allow_dependencies_licenses === undefined) {
return;
}
const invalid_purls = allow_dependencies_licenses.filter(purl => !packageurl_js_1.PackageURL.fromString(purl));
if (invalid_purls.length > 0) {
throw new Error(`Invalid purl(s) in allow-dependencies-licenses: ${invalid_purls}`);
}
return;
}
/***/ }),
@@ -45278,9 +45564,7 @@ exports.ConfigurationOptionsSchema = z
fail_on_scopes: z.array(z.enum(exports.SCOPES)).default(['runtime']),
allow_licenses: z.array(z.string()).optional(),
deny_licenses: z.array(z.string()).optional(),
allow_dependencies_licenses: z
.record(z.string(), z.array(z.string()))
.optional(),
allow_dependencies_licenses: z.array(z.string()).optional(),
allow_ghsas: z.array(z.string()).default([]),
license_check: z.boolean().default(true),
vulnerability_check: z.boolean().default(true),
Generated Vendored
+1 -1
View File
File diff suppressed because one or more lines are too long
Generated Vendored
+22
View File
@@ -1340,6 +1340,28 @@ ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
packageurl-js
MIT
Copyright (c) the purl authors
Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
the Software, and to permit persons to whom the Software is furnished to do so,
subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
safe-buffer
MIT
The MIT License (MIT)