Adding logic to filter by vulnerability severity.
This commit is contained in:
+4
-6
@@ -1,13 +1,12 @@
|
||||
import * as fs from 'fs'
|
||||
import * as core from '@actions/core'
|
||||
import YAML from 'yaml'
|
||||
import * as z from 'zod'
|
||||
import path from 'path'
|
||||
import { type } from 'os'
|
||||
|
||||
export type Severity = "critical" | "high" | "moderate" | "low"
|
||||
|
||||
const CONFIG_FILEPATH = "./.github/dep-review.yml"
|
||||
const SEVERITIES = ["critical", "high", "moderate", "low"] as const
|
||||
export const SEVERITIES = ["critical", "high", "moderate", "low"] as const
|
||||
export const CONFIG_FILEPATH = "./.github/dep-review.yml"
|
||||
|
||||
type ConfigurationOptions = {
|
||||
fail_on_severity: string,
|
||||
@@ -24,7 +23,6 @@ export function readConfigFile(filePath: string = CONFIG_FILEPATH): Configuratio
|
||||
}
|
||||
|
||||
try {
|
||||
console.log(path.resolve(filePath))
|
||||
var data = fs.readFileSync(path.resolve(filePath), "utf-8");
|
||||
|
||||
} catch (error: any) {
|
||||
@@ -47,4 +45,4 @@ export function readConfigFile(filePath: string = CONFIG_FILEPATH): Configuratio
|
||||
.parse(values)
|
||||
|
||||
return <ConfigurationOptions>parsed;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -0,0 +1,25 @@
|
||||
import { Changes } from './schemas'
|
||||
import { Severity, SEVERITIES } from './config'
|
||||
|
||||
export function filterChangesBySeverity(severity: Severity, changes: Changes): Changes {
|
||||
const severityIdx = SEVERITIES.indexOf(severity)
|
||||
|
||||
for (let change of changes) {
|
||||
if (change === undefined ||
|
||||
change.vulnerabilities === undefined ||
|
||||
change.vulnerabilities.length === 0) {
|
||||
continue
|
||||
}
|
||||
change.vulnerabilities = change.vulnerabilities.filter((vuln: any) => {
|
||||
const vulnIdx = SEVERITIES.indexOf(vuln.severity)
|
||||
if (vulnIdx <= severityIdx) {
|
||||
return true
|
||||
}
|
||||
})
|
||||
|
||||
}
|
||||
|
||||
// don't want to deal with changes with no vulnerabilities
|
||||
changes = changes.filter((change: any) => change.vulnerabilities.length > 0)
|
||||
return changes
|
||||
}
|
||||
@@ -4,6 +4,8 @@ import * as github from '@actions/github'
|
||||
import styles from 'ansi-styles'
|
||||
import { RequestError } from '@octokit/request-error'
|
||||
import { Change, PullRequestSchema } from './schemas'
|
||||
import { Severity, readConfigFile } from '../src/config'
|
||||
import { filterChangesBySeverity } from '../src/filter'
|
||||
|
||||
async function run(): Promise<void> {
|
||||
try {
|
||||
@@ -24,8 +26,12 @@ async function run(): Promise<void> {
|
||||
headRef: pull_request.head.sha
|
||||
})
|
||||
|
||||
let config = readConfigFile()
|
||||
let minSeverity = config.fail_on_severity
|
||||
let failed = false
|
||||
|
||||
let filteredChanges = filterChangesBySeverity(minSeverity as Severity, changes)
|
||||
|
||||
for (const change of changes) {
|
||||
if (
|
||||
change.change_type === 'added' &&
|
||||
|
||||
Reference in New Issue
Block a user