370 Commits

Author SHA1 Message Date
Eric Sorenson d02fa39f79 Updates for release 4.9.0
- Bumps dependencies to fix vulnerabilities, supersedes dependabot PRs
- New version in package.json
- Slight correction to the release process in CONTRIBUTING.md
- Rebuilds dist/ packaged files

Closes #1062 #1063 #1028 #972 #971 #970
2026-03-02 16:15:13 -08:00
Chad Bentz aa60746a92 Add 'show-patched-versions' option to configuration and update summary handling
- Introduced 'show-patched-versions' input in action.yml to control visibility of patched versions in vulnerability summaries.
- Updated default configuration and related functions to handle the new option.
- Enhanced tests to verify behavior with and without the patched version column.
2026-02-27 14:58:54 -05:00
Chad Bentz e404798400 Merge upstream actions/dependency-review-action main
Syncs fork with upstream, resolving conflicts in package.json
(keeping semver + upgrading spdx-expression-parse to ^4.0.0),
regenerating package-lock.json and dist/ folder.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-02-27 14:04:27 -05:00
Justin Holguín 8cf743c0ea Make purl comparisons case insensitive 2026-02-20 22:01:04 +00:00
Justin Holguín 2ced98cbe8 Compare normalized purls to account for encoding quirks 2026-02-20 00:02:42 +00:00
Copilot a6c34d8785 Address review feedback: deterministic tests, cached normalization, simplified promisePool (#9)
* Initial plan

* Apply PR review comments: deterministic delays, cached normalization, simplified promisePool

Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>

* Improve comment clarity for ecoLower field

Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
2026-02-18 06:33:39 -05:00
Justin Holguín 2e1cf54a50 Properly truncate long summaries and catch errors 2026-02-17 22:46:59 +00:00
Copilot 539c79be65 Implement review feedback: concurrency limiting, semver coercion, logging improvements, and test coverage (#8)
* Initial plan

* Implement PR review comments: concurrency limiting, semver coerce, improved logging, test fixes

Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>

* Fix promise pool race condition and remove .then() usage

Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>

* Add tests for semver coercion and promise pool concurrency, simplify Map to Set

Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
2026-02-09 14:28:09 -05:00
Copilot ee66ea100d Implement review fixes: semver library, scoping, case-insensitive matching, error logging, and configurable fail behavior (#7)
* Initial plan

* Implement PR review comment fixes: semver library, error handling, case-insensitive matching, and rows scoping

Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>

* Fix formatting and rebuild dist folder

Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>

* Fix fail-closed logic and remove redundant @types/semver

Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>

* Apply review feedback: fix empty range handling, add trimming, implement range check caching

Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>

* Apply review feedback: align fail-closed behavior for empty version, fix TypeScript typing, normalize cache keys

Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>

* Fix linter errors, optimize cache keys, and improve trimming logic

Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>

* Add fail-open option for patch selection and optimize with preTrimmed flag

Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>

* Enforce fail-closed with explicit validation, fix debug messages, normalize cache keys

Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>

* Fix unreachable ternary in debug message and eliminate duplicate trim operation

Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>

* Normalize eco comparison and add preNormalized option to avoid duplicate range conversion

Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>

* Remove unnecessary cache, fix function signature, and correct semver comment

Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>

* Make includePrerelease conditional based on version type to preserve range semantics

Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>

* Improve debug message to report both invalid version and range when applicable

Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>

* Convert to JSDoc, add explicit type annotation, and remove redundant initializer

Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
2026-02-08 16:05:04 -05:00
Copilot 2af9bac14d Add patched version column to vulnerability summary with multi-range support (#5)
* Initial plan

* Initial plan for adding patched versions to vulnerability summary

Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>

* Add patched version column to vulnerability summary table

Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>

* Optimize API calls to use Set and Promise.all for better performance

Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>

* Remove type assertions and optimize ecosystem lookups with normalization

Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>

* Extract patch version type checking into helper function for clarity

Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>

* Support multiple version ranges per package in advisory lookup

Handle scenarios where the same package has multiple vulnerable version ranges
with different patched versions (e.g., GHSA-gwq6-fmvp-qp68 with .NET packages).

- Store all vulnerability entries with version ranges, not just one per ecosystem
- Implement version range matching to select correct patch version
- Match package by ecosystem, name, AND version range
- Add comprehensive test for multi-range scenario

Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>

* Fix first_patched_version extraction to handle string format

The GitHub Advisory API returns first_patched_version as a simple string
(e.g., "112.0.0"), not an object with an identifier field. Updated
extractPatchVersionId to handle string format primarily while maintaining
backward compatibility with object format.

- Fixed extractPatchVersionId to check for string first
- Updated test mocks to match actual API response format
- Added specific test for RestSharp GHSA-4rr6-2v9v-wcpc case
- Verified with actual API responses from multiple advisories

Fixes issue where patched versions were showing as "N/A" instead of
the actual version number.

Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>

* Rebuild dist with patched version fix

The previous fix to extractPatchVersionId wasn't deployed because the dist/
folder (compiled JavaScript) wasn't rebuilt. This commit rebuilds and packages
the action with npm run build && npm run package to include the fix.

Changes in dist/:
- Updated extractPatchVersionId to handle string format first
- Includes all async vulnerability summary logic with API calls
- Properly extracts patched versions from GitHub Advisory API

This should resolve the issue where patched versions showed as "N/A" in
actual GitHub Actions runs.

Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>

* Add comprehensive debug logging for patch version lookup

Added detailed debug logging to help troubleshoot patch version issues:
- Log when fetching advisory data from API
- Log number of vulnerability entries found
- Log each patch info entry added with details
- Log when no patch version is found
- Log during lookup phase with package details
- Log when patch version is found vs not found
- Log available entries when no match is found

This will make it much easier to diagnose issues in GitHub Actions debug mode.

Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
2026-02-06 18:12:20 -05:00
ahmed3lmallah 76bfce5cd7 optimize import 2026-01-05 15:50:21 -08:00
ahmed3lmallah d45151f498 Addressing vulnerabilities 2026-01-05 15:39:34 -08:00
Kevin Dangoor 70cb25ec56 4.8.2 release 2025-11-10 14:44:24 -05:00
Josh Soref 247f07b0c8 spelling: summary
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
2025-11-04 21:39:50 -05:00
Art Leo 7a990117b1 Add dist files 2025-10-27 17:41:42 +11:00
Josh Soref 3084754c49 Scope warning about private repositories 2025-10-15 14:16:01 -04:00
Eric Sorenson 71365c76bc (bug) Fix spamming link test in deprecation warning (again)
We'd thought that the syntax in #974 would avoid auto-linking
but didn't check closely enough, and now the deprecation issue
it links to cannot be loaded due to having too many references.

This updates the text to point to a new issue in a way that...
I hope... will not be auto-linked.
2025-10-10 09:37:13 -07:00
Matt Mencel e0cedc52dc feat: add large summary handling with artifact upload
When the dependency review summary exceeds GitHub's size limit (1024k), upload it as an artifact and provide a link in the comment. This ensures users can still access the full review details even when the summary is too large to display directly.
2025-09-26 12:55:14 +01:00
Jasper Kamerling e3fdf0f899 This ensures large allow or deny lists don't create huge comments 2025-09-26 12:49:38 +01:00
Claire Song fc5fd661aa Claire153/fix spamming mentioned issue (#974)
* Keep the issue number and remove the url to avoid linking every PR running the action to that issue
2025-08-26 12:46:02 -07:00
Claire Song bc41886e18 Cut 4.7.2 version release (#964)
* Cut 4.7.2 version release

* Bump dependency minor versions
2025-08-18 11:17:54 -07:00
Claire Song 3eb62794c5 Re-add test package. Only show warning in summary if option is used. Update copy. 2025-08-15 15:49:35 +00:00
Claire Song 659a1e1bd0 Update copy and styling 2025-08-14 17:44:34 +00:00
Claire Song 6e80be31cd Add one more line break 2025-08-14 16:39:53 +00:00
Claire Song 3fb5c613f0 Add one more line break 2025-08-14 16:32:20 +00:00
Claire Song 7d16ba5d7e Add one more line break 2025-08-14 15:43:03 +00:00
Claire Song a92a9da9c8 Add one more line break 2025-08-14 15:39:37 +00:00
Claire Song c1fa9df06b Build 2025-08-14 14:43:45 +00:00
Roman Iakovlev 40f2ab01b7 Update dist 2025-07-22 14:06:49 +00:00
Roman Iakovlev 2bedf4a221 Update dist 2025-07-22 14:01:55 +00:00
Roman Iakovlev 1e946feb37 Update dist 2025-07-21 13:53:37 +00:00
Kevin Dangoor 6e9307a3d4 Discard allow list entries that are not SPDX IDs
The allow-licenses list is expected (and documented) to be a list of
SPDX license IDs (LicenseRefs are also valid). If someone puts an
expression in the list (e.g. "GPL-3.0-only OR MIT"), it should be
discarded so that the whole list does not become invalid.

Fixes #907
2025-05-12 18:58:58 -04:00
Kevin Dangoor 014300b08c Update build 2025-05-08 17:19:56 -04:00
Kevin Dangoor 9b155d6432 Update build 2025-05-08 16:37:11 -04:00
Kevin Dangoor f3ff3564fa Update dist 2025-05-06 12:26:28 -04:00
Kevin Dangoor 3a2b68706a Handle complex licenses (e.g. X AND Y)
There are many packages that are dual-licensed, offering a choice
of licenses (e.g. `MIT OR Apache-2.0`). There are some that include
code from multiple sources and require multiple licenses
(e.g. `MIT AND Apache-2.0`). There are also complex combinations that
can exist for a variety of reasons, such as
`MIT AND (Apache-2.0 OR BSD-3-Clause)`.

The most straightforward approach to handle these is to have an
allow list. As long as the licenses on the allow list can satisfy
the license expression of the package in question, it should pass.

To implement this, I the newest release of spdx-satisfies
which changed the interface to be exactly as described
`satisfies(license, allowList)` (see
https://github.com/jslicense/spdx-satisfies.js/pull/17).

Fixes https://github.com/actions/dependency-review-action/issues/263
2025-05-05 19:06:50 -04:00
Kevin Dangoor a87294d992 Revert "Merge pull request #916 from jebeaudet/spdx-support"
This reverts commit 5a5d4df8ad, reversing
changes made to 67d4f4bd7a.
2025-05-05 18:43:46 -04:00
Jacques-Etienne Beaudet 4eb8182aba Support SPDX expressions in allow/deny lists
This change updates license validation to support full SPDX expressions
(such as 'EPL-1.0 AND LGPL-2.1') in both allow-lists and deny-lists. This
enables the action to correctly validate packages that declare multiple
licenses using SPDX conjunctions like AND/OR, which are common in complex
open-source projects.

Previously, only simple license identifiers were supported, which caused
multi-licensed packages to be improperly flagged as invalid even when
they matched the intent of the allow-list.

The new logic uses `spdx.satisfies()` to evaluate whether a package’s
declared license satisfies any expression in the allow/deny list, and
comprehensive tests have been added to verify behavior for various SPDX
combinations.

This improves compatibility with projects using compound SPDX license
expressions and ensures more accurate license policy enforcement.
2025-04-09 12:19:46 -04:00
Barry Gordon 479b69732e Prepare 4.6.0 2025-04-01 12:22:08 +01:00
Barry Gordon 51699b6461 Merge pull request #855 from ailox/ailox/fix/invalid-new-licenses
Update transitive dependency spdx-license-ids
2025-04-01 11:33:12 +01:00
Roman Iakovlev d630451aa0 Pin @octokit/types version for compatibility 2025-03-13 14:34:23 +00:00
Roman Iakovlev c8dafca32b Add dist for @octokit/plugin-paginate-rest version bump 2025-03-12 16:55:30 +00:00
Roman Iakovlev cdee0bc8c3 Bump octokit and related dependencies 2025-03-12 10:57:15 +00:00
Nathan Ellenfield dfe560420d fix formatting and dist 2025-02-05 15:50:50 -05:00
Nathan Ellenfield e4033dcc29 Merge remote-tracking branch 'origin/main' into allow-deny-package-removal 2025-02-04 13:33:03 -05:00
Ashely Tenesaca bf9bc3f2a6 generate dist code 2025-02-03 17:25:46 +00:00
Nathan Ellenfield c80eb9894b fixit 2025-01-27 16:01:10 -05:00
Nathan Ellenfield 5e7a6ffc7d fix: Allow removal denied packages 2025-01-27 16:00:09 -05:00
Ahmed ElMallah 8992b0e1c7 updating dist code 2025-01-24 20:01:21 +00:00
Ahmed ElMallah 5f24a51147 Updating dist folder 2025-01-23 21:07:48 +00:00