Compare commits
393 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| f5b971718e | |||
| f51df6d455 | |||
| cffae74507 | |||
| 2031cfc080 | |||
| d02fa39f79 | |||
| 4038a34c4b | |||
| a632b8386b | |||
| 57a3d46a7b | |||
| 5ecdc4b578 | |||
| e8c2f9a12c | |||
| 0e129e113c | |||
| aa60746a92 | |||
| e404798400 | |||
| 24398f008e | |||
| 7863651912 | |||
| 17d14c08d9 | |||
| dea54b4342 | |||
| 8cf743c0ea | |||
| b49f407d39 | |||
| f68b94a696 | |||
| 05fe457637 | |||
| 2ced98cbe8 | |||
| 3a8496cb71 | |||
| 0f22a01592 | |||
| 58be34364d | |||
| 9284e0c621 | |||
| 8b766562f0 | |||
| 43f5f029f5 | |||
| f0033fc4d6 | |||
| a6c34d8785 | |||
| b379e2e05f | |||
| 2e1cf54a50 | |||
| 68e9887ce6 | |||
| a7c7f3b9b1 | |||
| 539c79be65 | |||
| ee66ea100d | |||
| 2af9bac14d | |||
| 98884d411b | |||
| 76bfce5cd7 | |||
| d45151f498 | |||
| 774d14bf50 | |||
| 20b998d4e2 | |||
| ad048f729f | |||
| 1d60e0d095 | |||
| 35ccfd2548 | |||
| a2014a181b | |||
| 1a0268586f | |||
| 14edcb1b2a | |||
| 805c0b2856 | |||
| 125b995082 | |||
| 289863a7c4 | |||
| 3c4e3dcb1a | |||
| 02930b2072 | |||
| 49ffd9f636 | |||
| 70cb25ec56 | |||
| ebabd31cea | |||
| 19f9360983 | |||
| 5fd2f98b4f | |||
| 28647f4804 | |||
| f620fd175c | |||
| 9b42b7e9a9 | |||
| 4004cfa3a2 | |||
| 94004c3444 | |||
| 75e65b4d81 | |||
| 355d25e5a7 | |||
| d456baec30 | |||
| 66054da10b | |||
| 247f07b0c8 | |||
| 5975520ad2 | |||
| b4849e7628 | |||
| 752c04656e | |||
| 4fa8b92807 | |||
| 3660056ed3 | |||
| 5f8348ab03 | |||
| 6b5a983daf | |||
| 8fd9b22286 | |||
| c4b82d3047 | |||
| 622445f2a8 | |||
| 3f464ea511 | |||
| 8e51299cdf | |||
| 7a990117b1 | |||
| 99ce29f02e | |||
| 140b44b7bf | |||
| 4603a62e00 | |||
| 07b91577a3 | |||
| 3084754c49 | |||
| 0f943b29ae | |||
| 40c09b7dc9 | |||
| 45529485b5 | |||
| e63da9a041 | |||
| 71365c76bc | |||
| 2440f520c8 | |||
| 56339e523c | |||
| 1688b745f3 | |||
| 31c9f175b9 | |||
| eacde7836e | |||
| 81510090e4 | |||
| b472ec914b | |||
| e0cedc52dc | |||
| e3fdf0f899 | |||
| 6fad417932 | |||
| e86e9692ad | |||
| 85c8e53ab7 | |||
| c6a7eb7252 | |||
| 595b5aeba7 | |||
| fc5fd661aa | |||
| d38d1a4f40 | |||
| 8d420b827c | |||
| bde01290d3 | |||
| ab524903e8 | |||
| ef00a0afbb | |||
| 74c8179d39 | |||
| bc41886e18 | |||
| 1c73553e36 | |||
| fac3d41a58 | |||
| d8073c4b76 | |||
| 77184c6339 | |||
| 5558c35bb3 | |||
| e85d57a50e | |||
| 3eb62794c5 | |||
| 7cf33ac2f2 | |||
| 493bee0560 | |||
| 659a1e1bd0 | |||
| 6e80be31cd | |||
| 3fb5c613f0 | |||
| 7d16ba5d7e | |||
| a92a9da9c8 | |||
| c1fa9df06b | |||
| 6e2bbef080 | |||
| 9ca24b6906 | |||
| 70e1d26338 | |||
| 89c7383074 | |||
| 40f2ab01b7 | |||
| 2bedf4a221 | |||
| 87052cdc7b | |||
| 47d790678f | |||
| 1e946feb37 | |||
| 8a1ad91c0a | |||
| 8296deda21 | |||
| 733ef0ab01 | |||
| da24556b54 | |||
| 9af0caf0e5 | |||
| d8f2df20d5 | |||
| 6e9307a3d4 | |||
| 8805179dc9 | |||
| 014300b08c | |||
| 34486f306e | |||
| 9b155d6432 | |||
| f199659a6a | |||
| 38ecb5b593 | |||
| 0e9e935cc8 | |||
| 69d2faa365 | |||
| 7e14978e0e | |||
| 8477905b0e | |||
| f3ff3564fa | |||
| c7565d44ec | |||
| 82299c3bbe | |||
| 2013ccccfe | |||
| 3a2b68706a | |||
| a87294d992 | |||
| 5a5d4df8ad | |||
| 4eb8182aba | |||
| 67d4f4bd7a | |||
| d2e453a37e | |||
| ce3cf9537a | |||
| 479b69732e | |||
| aee95908ea | |||
| 080ada6281 | |||
| 430e5f0bbf | |||
| 51699b6461 | |||
| ac9b193beb | |||
| d630451aa0 | |||
| c8dafca32b | |||
| bc858b5649 | |||
| cd1541ea8d | |||
| 7bce095f93 | |||
| 195b0c2e88 | |||
| cdee0bc8c3 | |||
| 0e562a634b | |||
| 3d00aed36d | |||
| 2c5ec1eea8 | |||
| bf0431a342 | |||
| c26b132baa | |||
| 3ffdd4d73e | |||
| ea2cae5127 | |||
| dfe560420d | |||
| e4033dcc29 | |||
| 92129e58e4 | |||
| bf9bc3f2a6 | |||
| d703cf58c3 | |||
| c80eb9894b | |||
| 5e7a6ffc7d | |||
| c665328b35 | |||
| 5370d75f36 | |||
| 7f3cd87ec0 | |||
| 67ca5cc413 | |||
| 8992b0e1c7 | |||
| 5e9a56c6de | |||
| 9cd1f01f7f | |||
| a0be92bfc2 | |||
| 6ec8e13b9a | |||
| c9bb42fdbf | |||
| b109bc8c95 | |||
| 5f24a51147 | |||
| ef281d4e24 | |||
| 67fc6dd646 | |||
| 2caab057ed | |||
| 3b139cfc5f | |||
| d6807b6643 | |||
| c89b41fdc6 | |||
| eee97d8b03 | |||
| 9d101822a3 | |||
| 9192be9c72 | |||
| 2fc8e23b12 | |||
| fb86db2043 | |||
| 0a198ab3ed | |||
| fc499fc13a | |||
| b02ea3a88b | |||
| 612e96e757 | |||
| 0adc9b8215 | |||
| 591cbf9044 | |||
| c0a5e20c51 | |||
| c82883d789 | |||
| 4081bf99e2 | |||
| 03e585eea7 | |||
| 08b4117924 | |||
| 9c3441f7ee | |||
| 304a544dca | |||
| e99353b1e1 | |||
| d8ae44e2a0 | |||
| a6993e2c61 | |||
| d92f08b3ff | |||
| 3e334b7ca7 | |||
| 32b7d886d5 | |||
| 14b94f8fbc | |||
| 6ea3b24563 | |||
| 05042db2b6 | |||
| 6aacbe0934 | |||
| 293ccdb6e9 | |||
| 83c7cc6aa7 | |||
| b3559aa82e | |||
| 8179e6abd6 | |||
| ac1d2d7d35 | |||
| fe833075f3 | |||
| 526b7f2f9b | |||
| e5cb30f678 | |||
| 90820aba8c | |||
| 7367319600 | |||
| affc3a4f15 | |||
| 07d3c7257a | |||
| a2dda6f539 | |||
| 45dc50cabe | |||
| 5a2ce3f5b9 | |||
| ac6a6adece | |||
| 3e2b91798f | |||
| d9ab9c8c45 | |||
| 8c152c7a0f | |||
| 0085d30a6f | |||
| 08b5bf2921 | |||
| 986fce9040 | |||
| 28743f8570 | |||
| d6f34c3a26 | |||
| 465867cec8 | |||
| b4ae47ca2c | |||
| d85edeb45d | |||
| f60d59372e | |||
| ed624dba72 | |||
| bbed6f340a | |||
| 2e4eaa490e | |||
| ecd706f525 | |||
| bc5b235cf6 | |||
| 154c1500f3 | |||
| 2115d9eeea | |||
| df5d74f5d3 | |||
| 1e5b2e69a2 | |||
| e69288dbec | |||
| 8285e75fb2 | |||
| 2224c7c05a | |||
| c0630c2a88 | |||
| 72eb03d02c | |||
| 137d8b42ce | |||
| e6b618ed05 | |||
| 3c42649204 | |||
| 8e6ea8d29b | |||
| 1b3d2772d0 | |||
| 220872c81a | |||
| 087d0f81a5 | |||
| 4531204be7 | |||
| df1ca890c5 | |||
| 97c6dd59c3 | |||
| 0bec1ca5b4 | |||
| 5460632ba9 | |||
| f7aca4f481 | |||
| 1988567896 | |||
| 1e26117d02 | |||
| b1e704b9d6 | |||
| 48fae2e703 | |||
| 8d625cd32e | |||
| 3afc0d4eaa | |||
| bc8dee91fe | |||
| 0669e2939d | |||
| fd46ab736e | |||
| 551e0b82bd | |||
| fbfa3f19c8 | |||
| 89204de987 | |||
| 6d4e634e06 | |||
| 4c5eeccebb | |||
| f6e67d2f8d | |||
| eb0576373a | |||
| 981e960c8c | |||
| 87b53ae475 | |||
| c601a5a741 | |||
| 5751523f41 | |||
| 3fe3159bb9 | |||
| 2d3c93c0e0 | |||
| 9770b8da2c | |||
| d5b8317942 | |||
| d3670a3e49 | |||
| f38966fbec | |||
| 9eb0dccbc9 | |||
| 258a2295c6 | |||
| 4c0a483c95 | |||
| 339e2e1bfc | |||
| 40cd879447 | |||
| d11eeb39d8 | |||
| 82ab8f69c7 | |||
| 432d8e7efe | |||
| 0c155c5e85 | |||
| f3dac32d35 | |||
| d0d5cc3ec4 | |||
| 49fbbe0acb | |||
| e58c696e52 | |||
| 9b7c72ddcd | |||
| 7dcfabfea2 | |||
| 5f0808ffb1 | |||
| fcc66c23b3 | |||
| 1dd418bcb3 | |||
| 640617990f | |||
| 2034babb6b | |||
| 7e773b1e98 | |||
| a3460920cc | |||
| 0659a74c94 | |||
| 28facf5722 | |||
| 5ab7b74146 | |||
| 2a28e93881 | |||
| 95b6fa4e6b | |||
| 2dba7fdde1 | |||
| 7d44c7c392 | |||
| ce31ee8325 | |||
| df1b3661fd | |||
| 71c57a6108 | |||
| 7e2c3c347b | |||
| f456418f6a | |||
| 19bd35e07b | |||
| ff97293707 | |||
| 5498b6c4c3 | |||
| 80116a4564 | |||
| 68488bcecb | |||
| 16a0212a77 | |||
| 6d3fba9bf2 | |||
| 671683931a | |||
| c6cc8585a0 | |||
| c32a0148b3 | |||
| 67d0214607 | |||
| 3ca15314ff | |||
| a318e62c6c | |||
| b0986c2fe0 | |||
| 061f471b83 | |||
| 012eca3d4d | |||
| 8739aa4bb3 | |||
| a323510dae | |||
| 7cebd9d64d | |||
| f8ca44e2de | |||
| 411e5ec44f | |||
| 72aedfc147 | |||
| 2ce029c676 | |||
| 1c949fbe77 | |||
| bddd13d857 | |||
| 0e665bf3ac | |||
| 5bbc3ba658 | |||
| c59184aa7f | |||
| 54c06574f4 | |||
| 21941b530b | |||
| 733dd5d4a5 | |||
| 9093495859 | |||
| 35b83b4207 | |||
| e057056594 | |||
| d684d038b2 | |||
| 2b0aaf1638 | |||
| d9209374af | |||
| 651d22c5d5 | |||
| 02b13f6b52 | |||
| 6e0fa26ac3 |
@@ -0,0 +1,37 @@
|
||||
---
|
||||
name: Bug report
|
||||
about: Create a bug report to help us improve
|
||||
title: "[BUG] "
|
||||
labels: bug
|
||||
assignees: ''
|
||||
|
||||
---
|
||||
|
||||
**Describe the bug**
|
||||
A clear and concise description of what the bug is.
|
||||
|
||||
**To Reproduce**
|
||||
Steps to reproduce the behavior:
|
||||
1. Go to '...'
|
||||
2. Click on '....'
|
||||
3. Scroll down to '....'
|
||||
4. See error
|
||||
|
||||
**Expected behavior**
|
||||
A clear and concise description of what you expected to happen.
|
||||
|
||||
**Screenshots**
|
||||
If applicable, add screenshots to help explain your problem.
|
||||
|
||||
**Action version**
|
||||
What version of the action are you using in your workflow?
|
||||
|
||||
_Note: if you're not running the [latest release](https://github.com/actions/dependency-review-action/releases/latest) please try that first!_
|
||||
|
||||
**Examples**
|
||||
If possible, please link to a public example of the issue that you're encountering, or a copy of the workflow that you're using to run the action.
|
||||
|
||||
If you have encountered a problem with a specific package (e.g. issue with license or attributions data) please share details about the package, as well as a link to the manifest where it's being referenced.
|
||||
|
||||
**Additional context**
|
||||
Add any other context about the problem here.
|
||||
@@ -0,0 +1,5 @@
|
||||
blank_issues_enabled: false
|
||||
contact_links:
|
||||
- name: GitHub Security Bug Bounty
|
||||
url: https://bounty.github.com/
|
||||
about: If you believe that you've found a security issue, please report security vulnerabilities here.
|
||||
@@ -0,0 +1,20 @@
|
||||
---
|
||||
name: Feature request
|
||||
about: Suggest an idea for this project
|
||||
title: ''
|
||||
labels: enhancement
|
||||
assignees: ''
|
||||
|
||||
---
|
||||
|
||||
**Is your feature request related to a problem? Please describe.**
|
||||
A clear and concise description of what the problem is. e.g. I'm always frustrated when [...]
|
||||
|
||||
**Describe the solution you'd like**
|
||||
A clear and concise description of what you want to happen.
|
||||
|
||||
**Describe alternatives you've considered**
|
||||
A clear and concise description of any alternative solutions or features you've considered.
|
||||
|
||||
**Additional context**
|
||||
Add any other context or screenshots about the feature request here.
|
||||
@@ -0,0 +1,7 @@
|
||||
## Purpose
|
||||
|
||||
_Describe the purpose of this pull request_
|
||||
|
||||
## Related Issues
|
||||
|
||||
_What issues does this PR close or relate to?_
|
||||
@@ -0,0 +1,111 @@
|
||||
# Copilot Coding Agent Instructions
|
||||
|
||||
Trust these instructions. Only search the codebase if information here is incomplete or found to be in error.
|
||||
|
||||
## Repository Overview
|
||||
|
||||
**dependency-review-action** is a GitHub Action (TypeScript/Node.js 20) that scans pull requests for dependency changes, raising errors for vulnerabilities or invalid licenses. It queries the GitHub Dependency Review API, evaluates changes against configured rules, and produces job summaries and PR comments. The action entry point is `dist/index.js` (bundled via `ncc`). The repo is small (~15 source files, ~15 test files).
|
||||
|
||||
## Build & Validation Commands
|
||||
|
||||
For CI-parity installs and local validation, run `npm ci --ignore-scripts` before other commands. This is the install step used in CI; release workflows may follow different install instructions (see CONTRIBUTING).
|
||||
|
||||
| Task | Command | Notes |
|
||||
| ------------ | ------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------- |
|
||||
| Install | `npm ci --ignore-scripts` | ~45s. Use `--ignore-scripts` for CI-parity installs; release workflows may use `npm i` per CONTRIBUTING. |
|
||||
| Build | `npm run build` | Compiles `src/*.ts` → `lib/*.js` via `tsc -p tsconfig.build.json`. ~5s. |
|
||||
| Test | `npm test` | Runs Jest. ~8s. All tests should pass. |
|
||||
| Lint | `npm run lint` | ESLint on `src/**/*.ts`. Ignore the TS version warning—it still passes. |
|
||||
| Format check | `npm run format-check` | Prettier check on `**/*.ts`. |
|
||||
| Format fix | `npm run format` | Auto-fix formatting with Prettier. |
|
||||
| Package | `npm run package` | Bundles the action entrypoint (`package.json#main`) → `dist/index.js` via `ncc`. ~7s. Do NOT include `dist/` changes in non-release PRs. |
|
||||
| All | `npm run all` | Runs: build → format → lint → package → test (in that order). |
|
||||
|
||||
### Validation Sequence After Making Changes
|
||||
|
||||
Always run these commands in this order to validate changes:
|
||||
|
||||
```sh
|
||||
npm run build
|
||||
npm run format-check
|
||||
npm run lint
|
||||
npm test
|
||||
```
|
||||
|
||||
If format-check fails, run `npm run format` to auto-fix, then re-check.
|
||||
|
||||
### CI Checks (`.github/workflows/ci.yml`)
|
||||
|
||||
CI runs on PRs (excluding `**.md` changes) with Node 20:
|
||||
|
||||
1. **test** job: `npm ci --ignore-scripts` → `npm test`
|
||||
2. **lint** job: `npm ci --ignore-scripts` → `npm run format-check` → `npm run lint`
|
||||
|
||||
Additional workflows: `dependency-review.yml` (self-test), `codeql.yml` (CodeQL analysis), `stale.yaml` (stale issues).
|
||||
|
||||
## Project Layout
|
||||
|
||||
```
|
||||
src/ # TypeScript source (edit these files)
|
||||
main.ts # Entry point — orchestrates the action (532 lines)
|
||||
schemas.ts # Zod schemas & TypeScript types for all data structures
|
||||
config.ts # Reads action inputs + external YAML config
|
||||
dependency-graph.ts # GitHub API client for dependency diff
|
||||
filter.ts # Filters changes by severity, scope, allowed advisories
|
||||
licenses.ts # License validation against allow/deny lists
|
||||
deny.ts # Package/group deny-listing logic
|
||||
purl.ts # Package URL (PURL) parser
|
||||
spdx.ts # SPDX license expression handling
|
||||
scorecard.ts # OpenSSF Scorecard integration
|
||||
summary.ts # Summary/report generation (736 lines, largest module)
|
||||
comment-pr.ts # Posts/updates PR comments with results
|
||||
git-refs.ts # Resolves base/head git refs from event payload
|
||||
utils.ts # Shared utilities (Octokit client, grouping helpers)
|
||||
lib/ # Compiled JS output (from `npm run build`). Gitignored.
|
||||
dist/ # Bundled action (from `npm run package`). Committed but do NOT include changes in normal PRs - only pull requests which are creating new releases should have these files changed.
|
||||
__tests__/ # Jest test files (*.test.ts)
|
||||
test-helpers.ts # setInput()/clearInputs() helpers for test env vars
|
||||
fixtures/ # YAML config samples and factory helpers
|
||||
create-test-change.ts # Factory for mock Change objects
|
||||
create-test-vulnerability.ts # Factory for mock vulnerability objects
|
||||
scripts/ # Dev/debug utilities (scan_pr for manual testing, create_summary.ts for preview)
|
||||
action.yml # Action metadata — inputs, outputs, and `runs.main: dist/index.js`
|
||||
```
|
||||
|
||||
### Configuration Files
|
||||
|
||||
| File | Purpose |
|
||||
| --------------------- | ---------------------------------------------------------------------------- |
|
||||
| `tsconfig.json` | Base TypeScript config (ES6 target, CommonJS, strict mode) |
|
||||
| `tsconfig.build.json` | Build config — extends base, includes only `src/`, outputs to `lib/` |
|
||||
| `jest.config.js` | Jest config — uses `ts-jest`, matches `**/*.test.ts` |
|
||||
| `.eslintrc.json` | ESLint — `plugin:github/recommended`, strict TS rules, no semicolons |
|
||||
| `.prettierrc.json` | Prettier — no semis, single quotes, no bracket spacing, trailing comma: none |
|
||||
| `.prettierignore` | Ignores `dist/`, `lib/`, `node_modules/` |
|
||||
|
||||
### Key TypeScript/Style Rules
|
||||
|
||||
- No semicolons (enforced by ESLint and Prettier)
|
||||
- Single quotes, no trailing commas
|
||||
- `@typescript-eslint/no-explicit-any: error` — never use `any`
|
||||
- `@typescript-eslint/explicit-function-return-type: error` — all functions need return types (expressions exempt)
|
||||
- Unused function parameters/args must be prefixed with `_` (e.g. `_unused`); unused variables should be removed
|
||||
- Use Zod schemas (in `src/schemas.ts`) for all data validation and type definitions
|
||||
- Config option defaults belong in Zod schemas, NOT in `action.yml`
|
||||
|
||||
### Testing Patterns
|
||||
|
||||
- Tests use Jest with `ts-jest` transform — no build step needed before running tests
|
||||
- Use `__tests__/test-helpers.ts` `setInput(name, value)` to mock action inputs (sets `INPUT_*` env vars)
|
||||
- Use `__tests__/fixtures/create-test-change.ts` and `create-test-vulnerability.ts` for test data factories
|
||||
- Test files follow `__tests__/<module>.test.ts` naming convention
|
||||
- Tests run directly against TypeScript source (not compiled JS)
|
||||
|
||||
### Important Notes
|
||||
|
||||
- The action runs on `node20` (declared in `action.yml`)
|
||||
- Source imports often use relative `../src/` paths (e.g. `import {readConfig} from '../src/config'`)
|
||||
- Adding a new action input requires changes in: `action.yml` (input definition), `src/schemas.ts` (Zod schema with default), `src/config.ts` (reading the input), and relevant source/test files
|
||||
- `dist/index.js` is committed for GitHub Actions but PR contributors should NOT include `dist/` changes — maintainers handle rebuilding
|
||||
- The `lib/` directory is gitignored
|
||||
- Scorecard tests make real HTTP calls to `api.securityscorecards.dev` and `deps.dev`
|
||||
@@ -12,3 +12,14 @@ updates:
|
||||
ignore:
|
||||
- dependency-name: '@types/node'
|
||||
update-types: ['version-update:semver-major']
|
||||
groups:
|
||||
minor-updates:
|
||||
update-types:
|
||||
- 'minor'
|
||||
- 'patch'
|
||||
exclude-patterns:
|
||||
- '*spdx*'
|
||||
# Pull out any updates to spdx definitions and parsing as a priority PR
|
||||
spdx-licenses:
|
||||
patterns:
|
||||
- '*spdx*'
|
||||
|
||||
@@ -1,54 +0,0 @@
|
||||
# `dist/index.js` is a special file in Actions.
|
||||
# When you reference an action with `uses:` in a workflow,
|
||||
# `index.js` is the code that will run.
|
||||
# For our project, we generate this file through a build process from other source files.
|
||||
# We need to make sure the checked-in `index.js` actually matches what we expect it to be.
|
||||
name: Check dist/
|
||||
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
paths-ignore:
|
||||
- '**.md'
|
||||
pull_request:
|
||||
paths-ignore:
|
||||
- '**.md'
|
||||
workflow_dispatch:
|
||||
|
||||
jobs:
|
||||
check-dist:
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
- name: Set Node.js 20.x
|
||||
uses: actions/setup-node@v4
|
||||
with:
|
||||
node-version: 20.x
|
||||
cache: npm
|
||||
|
||||
- name: Install dependencies
|
||||
run: npm ci
|
||||
|
||||
- name: Rebuild the dist/ directory
|
||||
run: |
|
||||
npm run build
|
||||
npm run package
|
||||
|
||||
- name: Compare the expected and actual dist/ directories
|
||||
run: |
|
||||
if [ "$(git diff --ignore-space-at-eol dist/ | wc -l)" -gt "0" ]; then
|
||||
echo "Detected uncommitted changes after build. See status below:"
|
||||
git diff
|
||||
exit 1
|
||||
fi
|
||||
id: diff
|
||||
|
||||
# If index.js was different than expected, upload the expected version as an artifact
|
||||
- uses: actions/upload-artifact@v4
|
||||
if: ${{ failure() && steps.diff.conclusion == 'failure' }}
|
||||
with:
|
||||
name: dist
|
||||
path: dist/
|
||||
@@ -10,12 +10,15 @@ on:
|
||||
paths-ignore:
|
||||
- '**.md'
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
test:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- uses: actions/setup-node@v4
|
||||
- uses: actions/checkout@v6
|
||||
- uses: actions/setup-node@v6
|
||||
with:
|
||||
node-version: 20
|
||||
cache: npm
|
||||
@@ -27,8 +30,8 @@ jobs:
|
||||
lint:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- uses: actions/setup-node@v4
|
||||
- uses: actions/checkout@v6
|
||||
- uses: actions/setup-node@v6
|
||||
with:
|
||||
node-version: 20
|
||||
cache: npm
|
||||
|
||||
@@ -20,15 +20,15 @@ jobs:
|
||||
strategy:
|
||||
fail-fast: false
|
||||
matrix:
|
||||
language: [ 'javascript-typescript' ]
|
||||
language: [ 'javascript-typescript', 'actions', 'ruby' ]
|
||||
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v4
|
||||
uses: actions/checkout@v6
|
||||
|
||||
# Initializes the CodeQL tools for scanning.
|
||||
- name: Initialize CodeQL
|
||||
uses: github/codeql-action/init@v3
|
||||
uses: github/codeql-action/init@v4
|
||||
with:
|
||||
languages: ${{ matrix.language }}
|
||||
# If you wish to specify custom queries, you can do so here or in a config file.
|
||||
@@ -38,11 +38,11 @@ jobs:
|
||||
# For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
|
||||
# queries: security-extended,security-and-quality
|
||||
config: |
|
||||
paths-ignore:
|
||||
paths-ignore:
|
||||
- dist/index.js
|
||||
- dist/sourcemap-register.js
|
||||
|
||||
- name: Perform CodeQL Analysis
|
||||
uses: github/codeql-action/analyze@v3
|
||||
uses: github/codeql-action/analyze@v4
|
||||
with:
|
||||
category: "/language:${{matrix.language}}"
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
name: 'Dependency Review'
|
||||
|
||||
on: [pull_request]
|
||||
|
||||
permissions:
|
||||
@@ -9,6 +10,6 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: 'Checkout Repository'
|
||||
uses: actions/checkout@v4
|
||||
uses: actions/checkout@v6
|
||||
- name: Dependency Review
|
||||
uses: actions/dependency-review-action@main
|
||||
uses: ./
|
||||
|
||||
@@ -12,12 +12,15 @@ jobs:
|
||||
stale:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/stale@v9.0.0
|
||||
- uses: actions/stale@v10.2.0
|
||||
name: Clean up stale PRs and Issues
|
||||
with:
|
||||
stale-pr-message: "👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the `Keep` label to hold stale off permanently, or do nothing. If you do nothing, this pull request will be closed eventually by the stale bot. Please see CONTRIBUTING.md for more policy details."
|
||||
stale-pr-message: "👋 This pull request has been marked as stale because it has been open with no activity for 180 days. You can: comment on the PR or remove the stale label to hold stalebot off for a while, add the `Keep` label to hold stale off permanently, or do nothing. If you do nothing, this pull request will be closed eventually by the stalebot. Please see CONTRIBUTING.md for more policy details."
|
||||
stale-pr-label: "Stale"
|
||||
close-pr-message: "👋 This pull request has been closed by stalebot because it has been open with no activity for over 180 days. Please see CONTRIBUTING.md for more policy details."
|
||||
stale-issue-label: "Stale"
|
||||
stale-issue-message: "👋 This issue has been marked as stale because it has been open with no activity for 180 days. You can: comment on the issue or remove the stale label to hold stalebot off for a while, add the `Keep` label to hold stale off permanently, or do nothing. If you do nothing, this issue will be closed eventually by the stalebot. Please see CONTRIBUTING.md for more policy details."
|
||||
close-issue-message: "👋 This issue has been closed by stalebot because it has been open with no activity for over 180 days. Please see CONTRIBUTING.md for more policy details."
|
||||
exempt-pr-labels: "Keep" # a "Keep" label will keep the PR from being closed as stale
|
||||
exempt-issue-labels: "Keep" # a "Keep" label will keep the issue from being closed as stale
|
||||
days-before-pr-stale: 180 # when the PR is considered stale
|
||||
|
||||
+81
-65
@@ -4,45 +4,55 @@
|
||||
[pr]: https://github.com/actions/dependency-review-action/compare
|
||||
[code-of-conduct]: CODE_OF_CONDUCT.md
|
||||
|
||||
Hi there! We're thrilled that you'd like to contribute to this project. Your help is essential for keeping it great.
|
||||
Hi there! We're thrilled that you'd like to contribute to this project.
|
||||
|
||||
Contributions to this project are
|
||||
[released](https://help.github.com/articles/github-terms-of-service/#6-contributions-under-repository-license)
|
||||
to the public under the [project's open source license](LICENSE).
|
||||
Contributions to this project are [released](https://help.github.com/articles/github-terms-of-service/#6-contributions-under-repository-license) to the public under the [project's open source license](LICENSE).
|
||||
|
||||
Please note that this project is released with a [Contributor Code of
|
||||
Conduct][code-of-conduct]. By participating in this project you agree
|
||||
to abide by its terms.
|
||||
Please note that this project is released with a [Contributor Code of Conduct][code-of-conduct]. By participating in this project you agree to abide by its terms.
|
||||
|
||||
### How it works
|
||||
## Bug reports and other issues
|
||||
|
||||
This Action makes an authenticated query to the Dependency Graph Diff
|
||||
API endpoint (`GET /repos/{owner}/{repo}/dependency-graph/compare/{basehead}`)
|
||||
to find out the set of added and removed dependencies for each manifest.
|
||||
If you've encountered a problem, please let us know by [submitting an issue](https://github.com/actions/dependency-review-action/issues/new)!
|
||||
|
||||
### Bootstrapping the project
|
||||
## Enhancements and feature requests
|
||||
|
||||
```
|
||||
git clone https://github.com/actions/dependency-review-action.git
|
||||
cd dependency-review-action
|
||||
npm install
|
||||
```
|
||||
If you've got an idea for a new feature or a significant change to the code or its dependencies, please submit as [an issue](https://github.com/actions/dependency-review-action/issues/new) so that the community can see it, and we can discuss it there. We may not be able to respond to every single issue, but will make a best effort!
|
||||
|
||||
### Running the tests
|
||||
If you'd like to make a contribution yourself, we ask that before significant effort is put into code changes, that we have agreement that the change aligns with our strategy for the action. Since this is a verified Action owned by GitHub we want to make sure that contributions are high quality, and that they maintain consistency with the rest of the action's behavior.
|
||||
|
||||
```
|
||||
npm run test
|
||||
```
|
||||
1. Create an [issue discussing the idea](https://github.com/actions/dependency-review-action/issues/new), so that we can discuss it there.
|
||||
2. If we agree to incorporate the idea into the action, please write-up a high level summary of the approach that you plan to take so we can review
|
||||
|
||||
_Note_: We don't have any useful tests yet, contributions are welcome!
|
||||
## Stalebot
|
||||
|
||||
## Local Development
|
||||
We have begun using a [Stalebot action](https://github.com/actions/stale) to help keep the Issues and Pull requests backlogs tidy. You can see [the configuration](.github/workflows/stalebot.yml). If you'd like to keep an issue open after getting a stalebot warning, simply comment on it and it'll reset the clock.
|
||||
|
||||
It is recommended to have atleast [Node 18](https://nodejs.org/en/) installed.
|
||||
We have a script to scan a given PR for vulnerabilities, this will
|
||||
help you test your local changes. Make sure to [grab a Personal Access Token (PAT)](https://github.com/settings/tokens) before proceeding (you'll need `repo` permissions for private repos):
|
||||
## Development lifecycle
|
||||
|
||||
<img width="480" alt="Screenshot 2022-05-12 at 10 22 21" src="https://user-images.githubusercontent.com/2161/168026161-16788a0a-b6c8-428e-bb6a-83ea2a403070.png">
|
||||
Ready to contribute to `dependency-review-action`? Here is some information to help you get started.
|
||||
|
||||
### High level overview of the action
|
||||
|
||||
This action makes an authenticated query to the [Dependency Review API](https://docs.github.com/en/rest/dependency-graph/dependency-review) endpoint (`GET /repos/{owner}/{repo}/dependency-graph/compare/{basehead}`) to find out the set of added and removed dependencies for each manifest.
|
||||
|
||||
The action then evaluates the differences between the pushes based on the rules defined in the action configuration, and summarizes the differences and any violations of the rules you have defined as a comment in the pull request that triggered it and the action outputs.
|
||||
|
||||
### Local Development
|
||||
|
||||
Before you begin, you need to have [Node.js](https://nodejs.org/en/) installed, minimum version 20.
|
||||
|
||||
#### Bootstrapping the project
|
||||
|
||||
0. [Fork][fork] and clone the repository
|
||||
1. Change to the working directory: `cd dependency-review-action`
|
||||
2. Install the dependencies: `npm install`
|
||||
3. Make sure the tests pass on your machine: `npm run test`
|
||||
|
||||
#### Manually testing for vulnerabilities
|
||||
|
||||
We have a script to scan a given PR for vulnerabilities, which will help you test your local changes. Make sure to [grab a Personal Access Token (PAT)](https://github.com/settings/tokens) before proceeding (you'll need `repo` permissions for private repos):
|
||||
|
||||
<img width="480" alt="Screen to create a PAT with a note of `dr-token`, 30 day duration (expiring Jun 11, 2022), with `repo` scopes selected" src="https://user-images.githubusercontent.com/2161/168026161-16788a0a-b6c8-428e-bb6a-83ea2a403070.png">
|
||||
|
||||
The syntax of the script is:
|
||||
|
||||
@@ -53,7 +63,7 @@ $ GITHUB_TOKEN=<token> ./scripts/scan_pr <pr_url>
|
||||
Like this:
|
||||
|
||||
```sh
|
||||
$ GITHUB_TOKEN=my-secret-token ./scripts/scan_pr https://github.com/actions/dependency-review-action/pull/3
|
||||
$ GITHUB_TOKEN=<token> ./scripts/scan_pr https://github.com/actions/dependency-review-action/pull/3
|
||||
```
|
||||
|
||||
[Configuration options](README.md#configuration-options) can be set by
|
||||
@@ -64,66 +74,72 @@ passing an external YAML [configuration file](README.md#configuration-file) to t
|
||||
$ GITHUB_TOKEN=<token> ./scripts/scan_pr --config-file my_custom_config.yml <pr_url>
|
||||
```
|
||||
|
||||
## Submitting a pull request
|
||||
#### Running unit tests
|
||||
|
||||
0. [Fork][fork] and clone the repository
|
||||
1. Configure and install the dependencies: `npm install`
|
||||
2. Make sure the tests pass on your machine: `npm run test`
|
||||
3. Create a new branch: `git checkout -b my-branch-name`
|
||||
4. Make your change, add tests, and make sure the tests still pass
|
||||
5. Make sure to build and package before pushing: `npm run build && npm run package`
|
||||
6. Push to your fork and [submit a pull request][pr]
|
||||
7. Pat your self on the back and wait for your pull request to be reviewed and merged.
|
||||
```
|
||||
npm run test
|
||||
```
|
||||
|
||||
_Note_: We don't have a very comprehensive test suite, so any contributions to the existing tests are welcome!
|
||||
|
||||
### Submitting a pull request
|
||||
|
||||
1. Create a new branch: `git checkout -b my-branch-name`
|
||||
2. Make your change, add tests, and make sure the tests still pass
|
||||
3. Push to your fork and [submit a pull request][pr]
|
||||
|
||||
(note: we don't recommend including changes to the `dist` directory in your pull request, because changes there have an increased likelihood of conflicts.)
|
||||
|
||||
Here are a few things you can do that will increase the likelihood of your pull request being accepted:
|
||||
|
||||
- Add unit tests for new features.
|
||||
- Keep your change as focused as possible. If there are multiple changes you would like to make that are not dependent upon each other, consider submitting them as separate pull requests.
|
||||
- Write a [good commit message](https://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html).
|
||||
- Add examples of the usage to [examples.md](examples.md)
|
||||
- Add examples of the usage to [examples.md](docs/examples.md)
|
||||
- Link to a sample PR in a custom repository running your version of the Action.
|
||||
- Please be responsive to any questions and feedback that you get from a maintainer of the repo!
|
||||
|
||||
## Cutting a new release
|
||||
|
||||
1. Update the version number in [package.json](https://github.com/actions/dependency-review-action/blob/main/package.json).
|
||||
1. Go to [Draft a new
|
||||
release](https://github.com/actions/dependency-review-action/releases/new)
|
||||
in the Releases page.
|
||||
1. Make sure that the `Publish this Action to the GitHub Marketplace`
|
||||
checkbox is enabled
|
||||
<details>
|
||||
|
||||
<img width="481" alt="Screenshot 2022-06-15 at 12 08 19" src="https://user-images.githubusercontent.com/2161/173822484-4b60d8b4-c674-4bff-b5ff-b0c4a3650ab7.png">
|
||||
_Note: these instructions are for maintainers_
|
||||
|
||||
3. Click "Choose a tag" and then "Create new tag", where the tag name
|
||||
will be your version prefixed by a `v` (e.g. `v1.2.3`).
|
||||
4. Use a version number for the release title (e.g. "1.2.3").
|
||||
- Create a local branch based on the `main` of the upstream repo.
|
||||
- Update the version number in [package.json](https://github.com/actions/dependency-review-action/blob/main/package.json) and run `npm i` to update the lockfile.
|
||||
- Update the dist files by running `npm run build` and `npm run package`
|
||||
- Submit a PR based on your branch and have another maintainer review/approve it.
|
||||
- Once merged, go to [Draft a new release](https://github.com/actions/dependency-review-action/releases/new) in the Releases page.
|
||||
- Make sure that the `Publish this Action to the GitHub Marketplace` checkbox is enabled
|
||||
|
||||
<img width="700" alt="Screenshot 2022-06-15 at 12 08 36" src="https://user-images.githubusercontent.com/2161/173822548-33ab3432-d679-4dc1-adf8-b50fdaf47de3.png">
|
||||
<img width="481" alt="Screen showing Release Action with Publish this Action to the GitHub Marketplace checked" src="https://user-images.githubusercontent.com/2161/173822484-4b60d8b4-c674-4bff-b5ff-b0c4a3650ab7.png">
|
||||
|
||||
5. Add your release notes. If this is a major version make sure to
|
||||
include a small description of the biggest changes in the new version.
|
||||
6. Click "Publish Release".
|
||||
- Click "Choose a tag" and then "Create new tag", where the tag name
|
||||
will be your version prefixed by a `v` (e.g. `v1.2.3`).
|
||||
- Use a version number for the release title (e.g. "1.2.3").
|
||||
|
||||
You now have a tag and release using the semver version you used
|
||||
above. The last remaining thing to do is to move the dynamic version
|
||||
identifier to match the current SHA. This allows users to adopt a
|
||||
major version number (e.g. `v1`) in their workflows while
|
||||
automatically getting all the
|
||||
minor/patch updates.
|
||||
<img width="700" alt="Create an action release in categories Security + Dependency management from branch main creating tag v2.0.0 on publish" src="https://user-images.githubusercontent.com/2161/173822548-33ab3432-d679-4dc1-adf8-b50fdaf47de3.png">
|
||||
|
||||
To do this just checkout `main`, force-create a new annotated tag, and push it:
|
||||
- Add your release notes. If this is a major version make sure to include details about any breaking changes in the new version.
|
||||
- Click "Publish Release".
|
||||
|
||||
You now have a tag and release using the semver version you used above. The last remaining thing to do is to update the major version branch to match the current release. This allows users to adopt a major version number (e.g. `v4`) in their workflows while automatically getting all the minor/patch updates.
|
||||
|
||||
As of v4.8.3, we use a **branch** (not a force-pushed tag) for the major version pointer. This is important because force-pushing tags breaks GitHub's auto-generated release changelog links (see [#1035](https://github.com/actions/dependency-review-action/issues/1035)) and violates git's (unenforced) expectation that tags are immutable.
|
||||
|
||||
To update the major version branch:
|
||||
|
||||
```
|
||||
git tag -fa v4 -m "Updating v4 to 4.0.1"
|
||||
git push origin v4 --force
|
||||
git checkout main
|
||||
git pull origin main
|
||||
git branch -f v4 HEAD
|
||||
git push origin v4
|
||||
```
|
||||
|
||||
## Stalebot
|
||||
|
||||
We have begun using a [Stalebot action](https://github.com/actions/stale) to help keep the Issues and Pull requests backlogs tidy. You can see the configuration [here](.github/workflows/stalebot.yml). If you'd like to keep an issue open after getting a stalebot warning, simply comment on it and it'll reset the clock.
|
||||
</details>
|
||||
|
||||
## Resources
|
||||
|
||||
- [Creating JavaScript GitHub actions](https://docs.github.com/en/actions/creating-actions/creating-a-javascript-action)
|
||||
- [How to Contribute to Open Source](https://opensource.guide/how-to-contribute/)
|
||||
- [Using Pull Requests](https://help.github.com/articles/about-pull-requests/)
|
||||
- [GitHub Help](https://help.github.com)
|
||||
|
||||
@@ -1,177 +1,261 @@
|
||||
# dependency-review-action
|
||||
|
||||
This action scans your pull requests for dependency changes, and will
|
||||
raise an error if any vulnerabilities or invalid licenses are being introduced. The action is supported by an [API endpoint](https://docs.github.com/rest/dependency-graph/dependency-review) that diffs the dependencies between any two revisions on your default branch.
|
||||
- [dependency-review-action](#dependency-review-action)
|
||||
- [Overview](#overview)
|
||||
- [Viewing the results](#viewing-the-results)
|
||||
- [Installation](#installation)
|
||||
- [Installation (standard)](#installation-standard)
|
||||
- [Installation (GitHub Enterprise Server)](#installation-github-enterprise-server)
|
||||
- [Configuration](#configuration)
|
||||
- [Configuration options](#configuration-options)
|
||||
- [Configuration methods](#configuration-methods)
|
||||
- [Option 1: Using inline configuration](#option-1-using-inline-configuration)
|
||||
- [Option 2: Using an external configuration file](#option-2-using-an-external-configuration-file)
|
||||
- [`OTHER` in license strings](#other-in-license-strings)
|
||||
- [Further information](#further-information)
|
||||
- [Using dependency review action to block a pull request from being merged](#using-dependency-review-action-to-block-a-pull-request-from-being-merged)
|
||||
- [Outputs](#outputs)
|
||||
- [Getting help](#getting-help)
|
||||
- [Contributing](#contributing)
|
||||
- [License](#license)
|
||||
|
||||
The action is available for all public repositories, as well as private repositories that have GitHub Advanced Security licensed.
|
||||
## Overview
|
||||
|
||||
You can see the results on the job logs:
|
||||
The dependency review action scans your pull requests for dependency changes, and will raise an error if any vulnerabilities or invalid licenses are being introduced.
|
||||
The action is supported by an [API endpoint](https://docs.github.com/en/rest/dependency-graph/dependency-review?apiVersion=2022-11-28) that diffs the dependencies between any two revisions on your default branch.
|
||||
|
||||
<img width="850" alt="GitHub workflow run log showing Dependency Review job output" src="https://user-images.githubusercontent.com/2161/161042286-b22d7dd3-13cb-458d-8744-ce70ed9bf562.png">
|
||||
The action is available for:
|
||||
|
||||
or on the job summary:
|
||||
- Public repositories
|
||||
- Private repositories with a [GitHub Advanced Security](https://docs.github.com/en/enterprise-cloud@latest/get-started/learning-about-github/about-github-advanced-security) license.
|
||||
|
||||
<img width="850" alt="GitHub job summary showing Dependency Review output" src="https://github.com/actions/dependency-review-action/assets/2161/42fbed1d-64a7-42bf-9b05-c416bc67493f">
|
||||
### Viewing the results
|
||||
|
||||
When the action runs, you can see the results on:
|
||||
|
||||
- The **job logs** page.
|
||||
1. Go to the **Actions** tab for the repository and select the relevant workflow run.
|
||||
1. Then under "Jobs", click **dependency review**.
|
||||
|
||||
<img width="850" alt="GitHub workflow run log showing Dependency Review job output" src="https://user-images.githubusercontent.com/2161/161042286-b22d7dd3-13cb-458d-8744-ce70ed9bf562.png">
|
||||
|
||||
- The **job summary** page.
|
||||
1. Go to the **Actions** tab for the repository and select the relevant workflow run.
|
||||
1. Click **Summary**, then scroll to "dependency-review summary".
|
||||
|
||||
<img width="850" alt="GitHub job summary showing Dependency Review output" src="https://github.com/actions/dependency-review-action/assets/2161/42fbed1d-64a7-42bf-9b05-c416bc67493f">
|
||||
|
||||
## Installation
|
||||
|
||||
**Please keep in mind that you need a [GitHub Advanced Security](https://docs.github.com/enterprise-cloud@latest/get-started/learning-about-github/about-github-advanced-security) license if you're running this action on private repositories.**
|
||||
- [Installation (standard)](#installation)
|
||||
- [Installation (GitHub Enterprise Server)](#installation-github-enterprise-server)
|
||||
|
||||
#### Installation (standard)
|
||||
|
||||
You can install the action on any public repository, or any organization-owned private repository, provided the organization has a GitHub Advanced Security license.
|
||||
|
||||
1. Add a new YAML workflow to your `.github/workflows` folder:
|
||||
|
||||
```yaml
|
||||
name: 'Dependency Review'
|
||||
on: [pull_request]
|
||||
```yaml
|
||||
name: 'Dependency Review'
|
||||
on: [pull_request]
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
dependency-review:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: 'Checkout Repository'
|
||||
uses: actions/checkout@v4
|
||||
- name: 'Dependency Review'
|
||||
uses: actions/dependency-review-action@v4
|
||||
```
|
||||
jobs:
|
||||
dependency-review:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: 'Checkout Repository'
|
||||
uses: actions/checkout@v4
|
||||
- name: 'Dependency Review'
|
||||
uses: actions/dependency-review-action@v4
|
||||
```
|
||||
|
||||
### GitHub Enterprise Server
|
||||
#### Installation (GitHub Enterprise Server)
|
||||
|
||||
Make sure
|
||||
[GitHub Advanced
|
||||
Security](https://docs.github.com/enterprise-server@3.8/admin/code-security/managing-github-advanced-security-for-your-enterprise/enabling-github-advanced-security-for-your-enterprise)
|
||||
and [GitHub
|
||||
Connect](https://docs.github.com/enterprise-server@3.8/admin/github-actions/managing-access-to-actions-from-githubcom/enabling-automatic-access-to-githubcom-actions-using-github-connect)
|
||||
are enabled, and that you have installed the [dependency-review-action](https://github.com/actions/dependency-review-action) on the server.
|
||||
You can install the action on repositories on GitHub Enterprise Server.
|
||||
|
||||
You can use the same workflow as above, replacing the `runs-on` value
|
||||
with the label of any of your runners (the default label
|
||||
is `self-hosted`):
|
||||
1. Ensure [GitHub Advanced Security](https://docs.github.com/en/enterprise-server@latest/admin/code-security/managing-github-advanced-security-for-your-enterprise/enabling-github-advanced-security-for-your-enterprise) and [GitHub Connect](https://docs.github.com/en/enterprise-server@latest/admin/github-actions/managing-access-to-actions-from-githubcom/enabling-automatic-access-to-githubcom-actions-using-github-connect) are enabled for the enterprise.
|
||||
2. Ensure you have installed the [dependency-review-action](https://github.com/actions/dependency-review-action) on the server.
|
||||
3. Add a new YAML workflow to your `.github/workflows` folder:
|
||||
|
||||
```yaml
|
||||
# ...
|
||||
```yaml
|
||||
name: 'Dependency Review'
|
||||
on: [pull_request]
|
||||
|
||||
jobs:
|
||||
dependency-review:
|
||||
runs-on: self-hosted
|
||||
steps:
|
||||
- name: 'Checkout Repository'
|
||||
uses: actions/checkout@v4
|
||||
- name: 'Dependency Review'
|
||||
uses: actions/dependency-review-action@v4
|
||||
```
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
## Configuration options
|
||||
jobs:
|
||||
dependency-review:
|
||||
runs-on: self-hosted
|
||||
steps:
|
||||
- name: 'Checkout Repository'
|
||||
uses: actions/checkout@v4
|
||||
- name: 'Dependency Review'
|
||||
uses: actions/dependency-review-action@v4
|
||||
```
|
||||
|
||||
Configure this action by either inlining these options in your workflow file, or by using an external configuration file. All configuration options are optional.
|
||||
4. In the workflow file, replace the `runs-on` value with the label of any of your runners. (The default value is `self-hosted`.)
|
||||
|
||||
| Option | Usage | Possible values | Default value |
|
||||
| -------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------ | ------------- |
|
||||
| `fail-on-severity` | Defines the threshold for the level of severity. The action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher. | `low`, `moderate`, `high`, `critical` | `low` |
|
||||
| `allow-licenses`\* | Contains a list of allowed licenses. The action will fail on pull requests that introduce dependencies with licenses that do not match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
|
||||
| `deny-licenses`\* | Contains a list of prohibited licenses. The action will fail on pull requests that introduce dependencies with licenses that match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
|
||||
| `fail-on-scopes` | Contains a list of strings of the build environments you want to support. The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list. | `runtime`, `development`, `unknown` | `runtime` |
|
||||
| `allow-ghsas` | Contains a list of GitHub Advisory Database IDs that can be skipped during detection. | Any GHSAs from the [GitHub Advisory Database](https://github.com/advisories) | none |
|
||||
| `license-check` | Enable or disable the license check performed by the action. | `true`, `false` | `true` |
|
||||
| `vulnerability-check` | Enable or disable the vulnerability check performed by the action. | `true`, `false` | `true` |
|
||||
| `allow-dependencies-licenses`\* | Contains a list of packages that will be excluded from license checks. | Any package(s) in [purl](https://github.com/package-url/purl-spec) format | none |
|
||||
| `base-ref`/`head-ref` | Provide custom git references for the git base/head when performing the comparison check. This is only used for event types other than `pull_request` and `pull_request_target`. | Any valid git ref(s) in your project | none |
|
||||
| `comment-summary-in-pr` | Enable or disable reporting the review summary as a comment in the pull request. If enabled, you must give the workflow or job the `pull-requests: write` permission. | `always`, `on-failure`, `never` | `never` |
|
||||
| `deny-packages` | Any number of packages to block in a PR. | Package(s) in [purl](https://github.com/package-url/purl-spec) format | empty |
|
||||
| `deny-groups` | Any number of groups (namespaces) to block in a PR. | Namespace(s) in [purl](https://github.com/package-url/purl-spec) format (no package name, no version number) | empty |
|
||||
| `retry-on-snapshot-warnings`\* | Enable or disable retrying the action every 10 seconds while waiting for dependency submission actions to complete. | `true`, `false` | `false` |
|
||||
| `retry-on-snapshot-warnings-timeout`\* | Maximum amount of time (in seconds) to retry the action while waiting for dependency submission actions to complete. | Any positive integer | 120 |
|
||||
| `warn-only`+ | When set to `true`, the action will log all vulnerabilities as warnings regardless of the severity, and the action will complete with a `success` status. This overrides the `fail-on-severity` option. | `true`, `false` | `false` |
|
||||
| `show-openssf-scorecard-levels` | When set to `true`, the action will output information about all the known OpenSSF Scorecard scores for the dependencies changed in this pull request. | `true`, `false` | `true` |
|
||||
| `warn-on-openssf-scorecard-level` | When `show-openssf-scorecard-levels` is set to `true`, this option lets you configure the threshold for when a score is considered too low and gets a :warning: warning in the CI. | Any positive integer | 3 |
|
||||
## Configuration
|
||||
|
||||
\*not supported for use with GitHub Enterprise Server
|
||||
- [Configuration options](#configuration-options)
|
||||
- [Configuration methods](#configuration-methods)
|
||||
|
||||
+when `warn-only` is set to `true`, all vulnerabilities, independently of the severity, will be reported as warnings and the action will not fail.
|
||||
### Configuration options
|
||||
|
||||
### Inline Configuration
|
||||
There are various configuration options you can use to specify settings for the dependency review action.
|
||||
|
||||
You can pass options to the Dependency Review GitHub Action using your workflow file.
|
||||
All configuration options are optional.
|
||||
|
||||
#### Example
|
||||
| Option | Usage | Possible values | Default value |
|
||||
| -------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------ | ------------- |
|
||||
| `fail-on-severity` | Defines the threshold for the level of severity. The action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher. | `low`, `moderate`, `high`, `critical` | `low` |
|
||||
| `allow-licenses`\* | Contains a list of allowed licenses. The action will fail on pull requests that introduce dependencies with licenses that do not match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
|
||||
| `deny-licenses`\* | ⚠️ This option is deprecated for possible removal in the next major release. See [Deprecate the deny-licenses option #938](https://github.com/actions/dependency-review-action/issues/938) for more information. <br> Contains a list of prohibited licenses. The action will fail on pull requests that introduce dependencies with licenses that match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
|
||||
| `fail-on-scopes` | Contains a list of strings of the build environments you want to support. The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list. | `runtime`, `development`, `unknown` | `runtime` |
|
||||
| `allow-ghsas` | Contains a list of GitHub Advisory Database IDs that can be skipped during detection. | Any GHSAs from the [GitHub Advisory Database](https://github.com/advisories) | none |
|
||||
| `license-check` | Enable or disable the license check performed by the action. | `true`, `false` | `true` |
|
||||
| `vulnerability-check` | Enable or disable the vulnerability check performed by the action. | `true`, `false` | `true` |
|
||||
| `allow-dependencies-licenses`\* | Contains a list of packages that will be excluded from license checks. | Any package(s) in [purl](https://github.com/package-url/purl-spec) format | none |
|
||||
| `base-ref`/`head-ref` | Provide custom git references for the git base/head when performing the comparison check. This is only used for event types other than `pull_request` and `pull_request_target`. | Any valid git ref(s) in your project | none |
|
||||
| `comment-summary-in-pr` | Enable or disable reporting the review summary as a comment in the pull request. If enabled, you must give the workflow or job the `pull-requests: write` permission. With each execution, a new comment will overwrite the existing one. | `always`, `on-failure`, `never` | `never` |
|
||||
| `deny-packages` | Any number of packages to block in a PR. This option will match on the exact version provided. If no version is provided, the option will treat the specified package as a wildcard and deny all versions. | Package(s) in [purl](https://github.com/package-url/purl-spec) format | empty |
|
||||
| `deny-groups` | Any number of groups (namespaces) to block in a PR. | Namespace(s) in [purl](https://github.com/package-url/purl-spec) format (no package name, no version number) | empty |
|
||||
| `retry-on-snapshot-warnings`\* | Enable or disable retrying the action every 10 seconds while waiting for dependency submission actions to complete. | `true`, `false` | `false` |
|
||||
| `retry-on-snapshot-warnings-timeout`\* | Maximum amount of time (in seconds) to retry the action while waiting for dependency submission actions to complete. | Any positive integer | 120 |
|
||||
| `warn-only`+ | When set to `true`, the action will log all vulnerabilities as warnings regardless of the severity, and the action will complete with a `success` status. This overrides the `fail-on-severity` option. | `true`, `false` | `false` |
|
||||
| `show-openssf-scorecard` | When set to `true`, the action will output information about all the known OpenSSF Scorecard scores for the dependencies changed in this pull request. | `true`, `false` | `true` |
|
||||
| `warn-on-openssf-scorecard-level` | When `show-openssf-scorecard-levels` is set to `true`, this option lets you configure the threshold for when a score is considered too low and gets a :warning: warning in the CI. | Any positive integer | 3 |
|
||||
| `show-patched-versions`\* | When set to `true`, the vulnerability summary table will include an additional column showing the first patched version for each vulnerability. This requires additional API calls to fetch advisory data. | `true`, `false` | `false` |
|
||||
|
||||
```yaml
|
||||
name: 'Dependency Review'
|
||||
on: [pull_request]
|
||||
permissions:
|
||||
contents: read
|
||||
jobs:
|
||||
dependency-review:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: 'Checkout Repository'
|
||||
uses: actions/checkout@v4
|
||||
- name: Dependency Review
|
||||
uses: actions/dependency-review-action@v4
|
||||
with:
|
||||
fail-on-severity: moderate
|
||||
> [!NOTE]
|
||||
>
|
||||
> - \* Not supported for use with GitHub Enterprise Server. (Checking for licenses is not supported on GitHub Enterprise Server because the API does not return license information.)
|
||||
> - \+ When `warn-only` is set to `true`, all vulnerabilities, independently of the severity, will be reported as warnings and the action will not fail.
|
||||
> - The `allow-licenses` and `deny-licenses` options are mutually exclusive; an error will be raised if you provide both.
|
||||
> - If we can't detect the license for a dependency **we will inform you, but the action won't fail**.
|
||||
|
||||
# Use comma-separated names to pass list arguments:
|
||||
deny-licenses: LGPL-2.0, BSD-2-Clause
|
||||
```
|
||||
### Configuration methods
|
||||
|
||||
### Configuration File
|
||||
To specify settings for the dependency review action, you can choose from two options:
|
||||
|
||||
You can use an external configuration file to specify the settings for this action. It can be a local file or a file in an external repository. Refer to the following options for the specification.
|
||||
- [Option 1: Inline the configuration options]() in your workflow file.
|
||||
- [Option 2: Reference an external configuration file]() in your workflow file.
|
||||
|
||||
| Option | Usage | Possible values |
|
||||
| --------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------ |
|
||||
| `config-file` | A path to a file in the current repository or an external repository. Use this syntax for external files: `OWNER/REPOSITORY/FILENAME@BRANCH` | **Local file**: `./.github/dependency-review-config.yml` <br> **External repo**: `github/octorepo/dependency-review-config.yml@main` |
|
||||
| `external-repo-token` | Specifies a token for fetching the configuration file. It is required if the file resides in a private external repository and for all GitHub Enterprise Server repositories. Create a token in [developer settings](https://github.com/settings/tokens). | Any token with `read` permissions to the repository hosting the config file. |
|
||||
#### Option 1: Using inline configuration
|
||||
|
||||
#### Example
|
||||
You can pass configuration options to the dependency review action using your workflow file.
|
||||
|
||||
Start by specifying that you will be using an external configuration file:
|
||||
1. In the same YAML workflow file you created during installation, use the `with:` key to specify your chosen settings:
|
||||
|
||||
```yaml
|
||||
- name: Dependency Review
|
||||
uses: actions/dependency-review-action@v4
|
||||
with:
|
||||
config-file: './.github/dependency-review-config.yml'
|
||||
```
|
||||
```yaml
|
||||
name: 'Dependency Review'
|
||||
on: [pull_request]
|
||||
permissions:
|
||||
contents: read
|
||||
jobs:
|
||||
dependency-review:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: 'Checkout Repository'
|
||||
uses: actions/checkout@v4
|
||||
- name: Dependency Review
|
||||
uses: actions/dependency-review-action@v4
|
||||
with:
|
||||
fail-on-severity: moderate
|
||||
|
||||
And then create the file in the path you just specified. Please note
|
||||
that the **option names in external files use underscores instead of dashes**:
|
||||
# Use comma-separated names to pass list arguments:
|
||||
deny-licenses: LGPL-2.0, BSD-2-Clause
|
||||
allow-dependencies-licenses: "pkg:npm/@myorg/mypackage, pkg:npm/packagename, pkg:githubactions/owner/repo@2.0.0"
|
||||
```
|
||||
|
||||
```yaml
|
||||
fail_on_severity: 'critical'
|
||||
allow_licenses:
|
||||
- 'GPL-3.0'
|
||||
- 'BSD-3-Clause'
|
||||
- 'MIT'
|
||||
```
|
||||
#### Option 2: Using an external configuration file
|
||||
|
||||
For more examples of how to use this action and its configuration options, see the [examples](docs/examples.md) page.
|
||||
You can use an external configuration file to specify settings for this action. The file can be a local file or a file in an external repository.
|
||||
|
||||
### Considerations
|
||||
1. In the same YAML workflow file you created during installation, use `config-file` to specify that you are using an external configuration file.
|
||||
|
||||
- Checking for licenses is not supported on Enterprise Server as the API does not return license information.
|
||||
- The `allow-licenses` and `deny-licenses` options are mutually exclusive; an error will be raised if you provide both.
|
||||
- We don't have license information for all of your dependents. If we can't detect the license for a dependency **we will inform you, but the action won't fail**.
|
||||
```yaml
|
||||
name: 'Dependency Review'
|
||||
on: [pull_request]
|
||||
permissions:
|
||||
contents: read
|
||||
jobs:
|
||||
dependency-review:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: 'Checkout Repository'
|
||||
uses: actions/checkout@v4
|
||||
- name: Dependency Review
|
||||
uses: actions/dependency-review-action@v4
|
||||
with:
|
||||
config-file: './.github/dependency-review-config.yml'
|
||||
```
|
||||
|
||||
## Blocking pull requests
|
||||
| Option | Usage | Possible values |
|
||||
| ------------- | -------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------ |
|
||||
| `config-file` | A path to a file in the current repository or an external repository. Use this syntax for external files: `OWNER/REPOSITORY/FILENAME@BRANCH` | **Local file**: `./.github/dependency-review-config.yml` <br> **External repo**: `github/octorepo/dependency-review-config.yml@main` |
|
||||
|
||||
The Dependency Review GitHub Action check will only block a pull request from being merged if the repository owner has required the check to pass before merging. For more information, see the [documentation on protected branches](https://docs.github.com/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#require-status-checks-before-merging).
|
||||
2. Optionally, if the file resides in a private external repository, and for all GitHub Enterprise Server repositories, use `external-repo-token` to specify a token for fetching the file.
|
||||
|
||||
```yaml
|
||||
- name: Dependency Review
|
||||
uses: actions/dependency-review-action@v4
|
||||
with:
|
||||
config-file: 'github/octorepo/dependency-review-config.yml@main'
|
||||
external-repo-token: 'ghp_123456789abcde'
|
||||
```
|
||||
|
||||
| Option | Usage | Possible values |
|
||||
| --------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------- |
|
||||
| `external-repo-token` | Specifies a token for fetching the configuration file. It is required if the file resides in a private external repository and for all GitHub Enterprise Server repositories. Create a token in [developer settings](https://github.com/settings/tokens). | Any token with `read` permissions to the repository hosting the config file. |
|
||||
|
||||
3. Create the configuration file in the path you specified for `config-file`.
|
||||
4. In the configuration file, specify your chosen settings.
|
||||
|
||||
```yaml
|
||||
fail-on-severity: 'critical'
|
||||
allow-licenses:
|
||||
- 'GPL-3.0'
|
||||
- 'BSD-3-Clause'
|
||||
- 'MIT'
|
||||
```
|
||||
|
||||
#### `OTHER` in license strings
|
||||
|
||||
License data comes from [ClearlyDefined](https://clearlydefined.io) and you may sometimes see licenses displayed with the string `OTHER` in them. ClearlyDefined [defines OTHER](https://docs.clearlydefined.io/docs/curation/curation-guidelines) as:
|
||||
|
||||
> This indicates that a human confirmed that there is license information in the file but that the license is not an SPDX-identified license.
|
||||
|
||||
`OTHER` is not a valid [SPDX license identifier](https://spdx.org/licenses/), so we convert `OTHER` in a license string into `LicenseRef-clearlydefined-OTHER`, which _is_ valid in SPDX. If you want to add that to the deny or allow list, be sure to add `LicenseRef-clearlydefined-OTHER` to this list, because that is what we'll actually be comparing.
|
||||
|
||||
#### Further information
|
||||
|
||||
- For more examples of how to use this action and its configuration options, see the [examples](docs/examples.md) page.
|
||||
- For general information about dependency review on GitHub, see "[About dependency review](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review)" in the GitHub Docs documentation.
|
||||
|
||||
## Using dependency review action to block a pull request from being merged
|
||||
|
||||
You can configure your repository to block a pull request from being merged if the pull request fails the dependency review action check. To do this, the repository owner must configure branch protection settings that require the check to pass before merging. For more information, see "[Require status checks before merging](https://docs.github.com/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#require-status-checks-before-merging)" in GitHub Docs documentation.
|
||||
|
||||
## Outputs
|
||||
|
||||
Dependency review action can create [outputs](https://docs.github.com/en/actions/using-jobs/defining-outputs-for-jobs), so that data from its execution can be used by other jobs in a workflow.
|
||||
|
||||
- `comment-content` is generated with the same content as would be present in a Dependency Review Action comment.
|
||||
- `dependency-changes` holds all dependency changes in a JSON format. The following outputs are subsets of `dependency-changes` filtered based on the configuration:
|
||||
- `vulnerable-changes` holds information about dependency changes with vulnerable dependencies in a JSON format.
|
||||
- `invalid-license-changes` holds information about invalid or non-compliant license dependency changes in a JSON format.
|
||||
- `denied-changes` holds information about denied dependency changes in a JSON format.
|
||||
- `vulnerable-changes` holds information about dependency changes with vulnerable dependencies in a JSON format.
|
||||
- `invalid-license-changes` holds information about invalid or non-compliant license dependency changes in a JSON format.
|
||||
- `denied-changes` holds information about denied dependency changes in a JSON format.
|
||||
|
||||
> [!NOTE]
|
||||
> Action outputs are unicode strings [with a 1MB size limit](https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#outputs-for-docker-container-and-javascript-actions).
|
||||
|
||||
> [!IMPORTANT]
|
||||
> If you use these outputs in a run-step, you must store the ouput data in an envrioment variable instead of using the output directly. Using an output directly might break shell scripts. For example:
|
||||
>
|
||||
> If you use these outputs in a run-step, you must store the output data in an environment variable instead of using the output directly. Using an output directly might break shell scripts. For example:
|
||||
>
|
||||
> ```yaml
|
||||
> env:
|
||||
@@ -180,7 +264,8 @@ The Dependency Review GitHub Action check will only block a pull request from be
|
||||
> echo "$VULNERABLE_CHANGES" | jq
|
||||
> ```
|
||||
>
|
||||
> instead of direct `echo '${{ steps.review.outputs.vulnerable-changes }}'`. See [examples](docs/examples.md) for more.
|
||||
> instead of direct `echo '${{ steps.review.outputs.vulnerable-changes }}'`.
|
||||
> See [examples](docs/examples.md) for more.
|
||||
|
||||
## Getting help
|
||||
|
||||
|
||||
+1
-1
@@ -1,3 +1,3 @@
|
||||
If you discover a security issue in this repo, please submit it through the [GitHub Security Bug Bounty](https://hackerone.com/github)
|
||||
If you discover a security issue in this repo, please submit it through the [GitHub Security Bug Bounty](https://bounty.github.com/)
|
||||
|
||||
Thanks for helping make GitHub Actions safe for everyone.
|
||||
|
||||
+125
-16
@@ -1,13 +1,8 @@
|
||||
import {expect, test, beforeEach} from '@jest/globals'
|
||||
import {readConfig} from '../src/config'
|
||||
import {getRefs} from '../src/git-refs'
|
||||
import * as Utils from '../src/utils'
|
||||
import {setInput, clearInputs} from './test-helpers'
|
||||
|
||||
beforeAll(() => {
|
||||
jest.spyOn(Utils, 'isSPDXValid').mockReturnValue(true)
|
||||
})
|
||||
|
||||
beforeEach(() => {
|
||||
clearInputs()
|
||||
})
|
||||
@@ -19,11 +14,11 @@ test('it defaults to low severity', async () => {
|
||||
|
||||
test('it reads custom configs', async () => {
|
||||
setInput('fail-on-severity', 'critical')
|
||||
setInput('allow-licenses', ' BSD, GPL 2')
|
||||
setInput('allow-licenses', 'ISC, GPL-2.0')
|
||||
|
||||
const config = await readConfig()
|
||||
expect(config.fail_on_severity).toEqual('critical')
|
||||
expect(config.allow_licenses).toEqual(['BSD', 'GPL 2'])
|
||||
expect(config.allow_licenses).toEqual(['ISC', 'GPL-2.0'])
|
||||
})
|
||||
|
||||
test('it defaults to false for warn-only', async () => {
|
||||
@@ -40,7 +35,7 @@ test('it defaults to empty allow/deny lists ', async () => {
|
||||
|
||||
test('it raises an error if both an allow and denylist are specified', async () => {
|
||||
setInput('allow-licenses', 'MIT')
|
||||
setInput('deny-licenses', 'BSD')
|
||||
setInput('deny-licenses', 'BSD-3-Clause')
|
||||
|
||||
await expect(readConfig()).rejects.toThrow(
|
||||
'You cannot specify both allow-licenses and deny-licenses'
|
||||
@@ -54,6 +49,52 @@ test('it raises an error if an empty allow list is specified', async () => {
|
||||
)
|
||||
})
|
||||
|
||||
test('it successfully parses allow-dependencies-licenses', async () => {
|
||||
setInput(
|
||||
'allow-dependencies-licenses',
|
||||
'pkg:npm/@test/package@1.2.3,pkg:npm/example'
|
||||
)
|
||||
const config = await readConfig()
|
||||
expect(config.allow_dependencies_licenses).toEqual([
|
||||
'pkg:npm/@test/package@1.2.3',
|
||||
'pkg:npm/example'
|
||||
])
|
||||
})
|
||||
|
||||
test('it raises an error when an invalid package-url is used for allow-dependencies-licenses', async () => {
|
||||
setInput('allow-dependencies-licenses', 'not-a-purl')
|
||||
await expect(readConfig()).rejects.toThrow(`Error parsing package-url`)
|
||||
})
|
||||
|
||||
test('it raises an error when a nameless package-url is used for allow-dependencies-licenses', async () => {
|
||||
setInput('allow-dependencies-licenses', 'pkg:npm/@namespace/')
|
||||
await expect(readConfig()).rejects.toThrow(
|
||||
`Error parsing package-url: name is required`
|
||||
)
|
||||
})
|
||||
|
||||
test('it raises an error when an invalid package-url is used for deny-packages', async () => {
|
||||
setInput('deny-packages', 'not-a-purl')
|
||||
|
||||
await expect(readConfig()).rejects.toThrow(`Error parsing package-url`)
|
||||
})
|
||||
|
||||
test('it raises an error when a nameless package-url is used for deny-packages', async () => {
|
||||
setInput('deny-packages', 'pkg:npm/@namespace/')
|
||||
|
||||
await expect(readConfig()).rejects.toThrow(
|
||||
`Error parsing package-url: name is required`
|
||||
)
|
||||
})
|
||||
|
||||
test('it raises an error when an argument to deny-groups is missing a namespace', async () => {
|
||||
setInput('deny-groups', 'pkg:npm/my-fun-org')
|
||||
|
||||
await expect(readConfig()).rejects.toThrow(
|
||||
`package-url must have a namespace`
|
||||
)
|
||||
})
|
||||
|
||||
test('it raises an error when given an unknown severity', async () => {
|
||||
setInput('fail-on-severity', 'zombies')
|
||||
|
||||
@@ -82,6 +123,78 @@ test('it raises an error when no refs are provided and the event is not a pull r
|
||||
).toThrow()
|
||||
})
|
||||
|
||||
const pullRequestLikeEvents = ['pull_request', 'pull_request_target']
|
||||
|
||||
test.each(pullRequestLikeEvents)(
|
||||
'it uses the given refs even when the event is %s',
|
||||
async eventName => {
|
||||
setInput('base-ref', 'a-custom-base-ref')
|
||||
setInput('head-ref', 'a-custom-head-ref')
|
||||
|
||||
const refs = getRefs(await readConfig(), {
|
||||
payload: {
|
||||
pull_request: {
|
||||
number: 42,
|
||||
base: {sha: 'pr-base-ref'},
|
||||
head: {sha: 'pr-head-ref'}
|
||||
}
|
||||
},
|
||||
eventName
|
||||
})
|
||||
expect(refs.base).toEqual('a-custom-base-ref')
|
||||
expect(refs.head).toEqual('a-custom-head-ref')
|
||||
}
|
||||
)
|
||||
|
||||
test.each(pullRequestLikeEvents)(
|
||||
'it uses the event refs when the event is %s and no refs are provided in config',
|
||||
async eventName => {
|
||||
const refs = getRefs(await readConfig(), {
|
||||
payload: {
|
||||
pull_request: {
|
||||
number: 42,
|
||||
base: {sha: 'pr-base-ref'},
|
||||
head: {sha: 'pr-head-ref'}
|
||||
}
|
||||
},
|
||||
eventName
|
||||
})
|
||||
expect(refs.base).toEqual('pr-base-ref')
|
||||
expect(refs.head).toEqual('pr-head-ref')
|
||||
}
|
||||
)
|
||||
|
||||
test('it uses the given refs even when the event is merge_group', async () => {
|
||||
setInput('base-ref', 'a-custom-base-ref')
|
||||
setInput('head-ref', 'a-custom-head-ref')
|
||||
|
||||
const refs = getRefs(await readConfig(), {
|
||||
payload: {
|
||||
merge_group: {
|
||||
base_sha: 'pr-base-ref',
|
||||
head_sha: 'pr-head-ref'
|
||||
}
|
||||
},
|
||||
eventName: 'merge_group'
|
||||
})
|
||||
expect(refs.base).toEqual('a-custom-base-ref')
|
||||
expect(refs.head).toEqual('a-custom-head-ref')
|
||||
})
|
||||
|
||||
test('it uses the event refs when the event is merge_group and no refs are provided in config', async () => {
|
||||
const refs = getRefs(await readConfig(), {
|
||||
payload: {
|
||||
merge_group: {
|
||||
base_sha: 'pr-base-ref',
|
||||
head_sha: 'pr-head-ref'
|
||||
}
|
||||
},
|
||||
eventName: 'merge_group'
|
||||
})
|
||||
expect(refs.base).toEqual('pr-base-ref')
|
||||
expect(refs.head).toEqual('pr-head-ref')
|
||||
})
|
||||
|
||||
test('it defaults to runtime scope', async () => {
|
||||
const config = await readConfig()
|
||||
expect(config.fail_on_scopes).toEqual(['runtime'])
|
||||
@@ -158,21 +271,17 @@ test('it is not possible to disable both checks', async () => {
|
||||
})
|
||||
|
||||
describe('licenses that are not valid SPDX licenses', () => {
|
||||
beforeAll(() => {
|
||||
jest.spyOn(Utils, 'isSPDXValid').mockReturnValue(false)
|
||||
})
|
||||
|
||||
test('it raises an error for invalid licenses in allow-licenses', async () => {
|
||||
setInput('allow-licenses', ' BSD, GPL 2')
|
||||
setInput('allow-licenses', ' BSD-YOLO, GPL-2.0')
|
||||
await expect(readConfig()).rejects.toThrow(
|
||||
'Invalid license(s) in allow-licenses: BSD,GPL 2'
|
||||
'Invalid license(s) in allow-licenses: BSD-YOLO'
|
||||
)
|
||||
})
|
||||
|
||||
test('it raises an error for invalid licenses in deny-licenses', async () => {
|
||||
setInput('deny-licenses', ' BSD, GPL 2')
|
||||
setInput('deny-licenses', ' GPL-2.0, BSD-YOLO, Apache-2.0, ToIll')
|
||||
await expect(readConfig()).rejects.toThrow(
|
||||
'Invalid license(s) in deny-licenses: BSD,GPL 2'
|
||||
'Invalid license(s) in deny-licenses: BSD-YOLO, ToIll'
|
||||
)
|
||||
})
|
||||
})
|
||||
|
||||
+144
-115
@@ -1,100 +1,7 @@
|
||||
import {expect, jest, test} from '@jest/globals'
|
||||
import {Change, Changes} from '../src/schemas'
|
||||
|
||||
let getDeniedChanges: Function
|
||||
|
||||
const npmChange: Change = {
|
||||
manifest: 'package.json',
|
||||
change_type: 'added',
|
||||
ecosystem: 'npm',
|
||||
name: 'Reeuhq',
|
||||
version: '1.0.2',
|
||||
package_url: 'pkg:npm/reeuhq@1.0.2',
|
||||
license: 'MIT',
|
||||
source_repository_url: 'github.com/some-repo',
|
||||
scope: 'runtime',
|
||||
vulnerabilities: [
|
||||
{
|
||||
severity: 'critical',
|
||||
advisory_ghsa_id: 'first-random_string',
|
||||
advisory_summary: 'very dangerous',
|
||||
advisory_url: 'github.com/future-funk'
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
const rubyChange: Change = {
|
||||
change_type: 'added',
|
||||
manifest: 'Gemfile.lock',
|
||||
ecosystem: 'rubygems',
|
||||
name: 'actionsomething',
|
||||
version: '3.2.0',
|
||||
package_url: 'pkg:gem/actionsomething@3.2.0',
|
||||
license: 'BSD',
|
||||
source_repository_url: 'github.com/some-repo',
|
||||
scope: 'runtime',
|
||||
vulnerabilities: [
|
||||
{
|
||||
severity: 'moderate',
|
||||
advisory_ghsa_id: 'second-random_string',
|
||||
advisory_summary: 'not so dangerous',
|
||||
advisory_url: 'github.com/future-funk'
|
||||
},
|
||||
{
|
||||
severity: 'low',
|
||||
advisory_ghsa_id: 'third-random_string',
|
||||
advisory_summary: 'dont page me',
|
||||
advisory_url: 'github.com/future-funk'
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
const pipChange: Change = {
|
||||
change_type: 'added',
|
||||
manifest: 'requirements.txt',
|
||||
ecosystem: 'pip',
|
||||
name: 'package-1',
|
||||
version: '1.1.1',
|
||||
package_url: 'pkg:pypi/package-1@1.1.1',
|
||||
license: 'MIT',
|
||||
source_repository_url: 'github.com/some-repo',
|
||||
scope: 'runtime',
|
||||
vulnerabilities: [
|
||||
{
|
||||
severity: 'moderate',
|
||||
advisory_ghsa_id: 'second-random_string',
|
||||
advisory_summary: 'not so dangerous',
|
||||
advisory_url: 'github.com/future-funk'
|
||||
},
|
||||
{
|
||||
severity: 'low',
|
||||
advisory_ghsa_id: 'third-random_string',
|
||||
advisory_summary: 'dont page me',
|
||||
advisory_url: 'github.com/future-funk'
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
const mvnChange: Change = {
|
||||
change_type: 'added',
|
||||
manifest: 'pom.xml',
|
||||
ecosystem: 'maven',
|
||||
name: 'org.apache.logging.log4j:log4j-core',
|
||||
version: '2.15.0',
|
||||
package_url: 'pkg:maven/org.apache.logging.log4j/log4j-core@2.14.7',
|
||||
license: 'Apache-2.0',
|
||||
source_repository_url:
|
||||
'https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core',
|
||||
scope: 'unknown',
|
||||
vulnerabilities: [
|
||||
{
|
||||
severity: 'critical',
|
||||
advisory_ghsa_id: 'second-random_string',
|
||||
advisory_summary: 'not so dangerous',
|
||||
advisory_url: 'github.com/future-funk'
|
||||
}
|
||||
]
|
||||
}
|
||||
import {createTestChange, createTestPURLs} from './fixtures/create-test-change'
|
||||
import {getDeniedChanges} from '../src/deny'
|
||||
|
||||
jest.mock('@actions/core')
|
||||
|
||||
@@ -108,6 +15,11 @@ const mockOctokit = {
|
||||
}
|
||||
}
|
||||
|
||||
let npmChange: Change
|
||||
let rubyChange: Change
|
||||
let pipChange: Change
|
||||
let mvnChange: Change
|
||||
|
||||
jest.mock('octokit', () => {
|
||||
return {
|
||||
// eslint-disable-next-line @typescript-eslint/no-extraneous-class
|
||||
@@ -121,46 +33,163 @@ jest.mock('octokit', () => {
|
||||
|
||||
beforeEach(async () => {
|
||||
jest.resetModules()
|
||||
jest.doMock('spdx-satisfies', () => {
|
||||
// mock spdx-satisfies return value
|
||||
// true for BSD, false for all others
|
||||
return jest.fn((license: string, _: string): boolean => license === 'BSD')
|
||||
})
|
||||
// eslint-disable-next-line @typescript-eslint/no-require-imports
|
||||
;({getDeniedChanges} = require('../src/deny'))
|
||||
|
||||
npmChange = createTestChange({ecosystem: 'npm'})
|
||||
rubyChange = createTestChange({ecosystem: 'rubygems'})
|
||||
pipChange = createTestChange({ecosystem: 'pip'})
|
||||
mvnChange = createTestChange({ecosystem: 'maven'})
|
||||
})
|
||||
|
||||
test('it adds packages in the deny packages list', async () => {
|
||||
test('denies packages from the deny packages list', async () => {
|
||||
const changes: Changes = [npmChange, rubyChange]
|
||||
const deniedChanges = await getDeniedChanges(
|
||||
changes,
|
||||
['pkg:gem/actionsomething'],
|
||||
[]
|
||||
)
|
||||
const deniedPackages = createTestPURLs(['pkg:gem/actionsomething@3.2.0'])
|
||||
const deniedChanges = await getDeniedChanges(changes, deniedPackages)
|
||||
|
||||
expect(deniedChanges[0]).toBe(rubyChange)
|
||||
expect(deniedChanges.length).toEqual(1)
|
||||
})
|
||||
|
||||
test('it adds packages in the deny group list', async () => {
|
||||
const changes: Changes = [mvnChange, rubyChange]
|
||||
test('denies packages only for the specified version from deny packages list', async () => {
|
||||
const deniedPackageWithDifferentVersion = createTestPURLs([
|
||||
'pkg:npm/lodash@1.2.3'
|
||||
])
|
||||
const changes: Changes = [npmChange]
|
||||
const deniedChanges = await getDeniedChanges(
|
||||
changes,
|
||||
[],
|
||||
['pkg:maven/org.apache.logging.log4j']
|
||||
deniedPackageWithDifferentVersion
|
||||
)
|
||||
|
||||
expect(deniedChanges.length).toEqual(0)
|
||||
})
|
||||
|
||||
test('if no specified version from deny packages list, it will treat package as wildcard and deny all versions', async () => {
|
||||
const changes: Changes = [
|
||||
createTestChange({name: 'lodash', version: '1.2.3'}),
|
||||
createTestChange({name: 'lodash', version: '4.5.6'}),
|
||||
createTestChange({name: 'lodash', version: '7.8.9'})
|
||||
]
|
||||
const denyAllLodashVersions = createTestPURLs(['pkg:npm/lodash'])
|
||||
const deniedChanges = await getDeniedChanges(changes, denyAllLodashVersions)
|
||||
|
||||
expect(deniedChanges.length).toEqual(3)
|
||||
})
|
||||
|
||||
test('denies packages from the deny group list', async () => {
|
||||
const changes: Changes = [mvnChange, rubyChange]
|
||||
const deniedGroups = createTestPURLs(['pkg:maven/org.apache.logging.log4j/'])
|
||||
const deniedChanges = await getDeniedChanges(changes, [], deniedGroups)
|
||||
|
||||
expect(deniedChanges[0]).toBe(mvnChange)
|
||||
expect(deniedChanges.length).toEqual(1)
|
||||
})
|
||||
|
||||
test('it adds packages outside of the deny lists', async () => {
|
||||
test('denies packages that match the deny group list exactly', async () => {
|
||||
const changes: Changes = [
|
||||
createTestChange({
|
||||
package_url: 'pkg:npm/org.test.pass/pass-this@1.0.0',
|
||||
ecosystem: 'npm'
|
||||
}),
|
||||
createTestChange({
|
||||
package_url: 'pkg:npm/org.test/deny-this@1.0.0',
|
||||
ecosystem: 'npm'
|
||||
})
|
||||
]
|
||||
const deniedGroups = createTestPURLs(['pkg:npm/org.test/'])
|
||||
const deniedChanges = await getDeniedChanges(changes, [], deniedGroups)
|
||||
|
||||
expect(deniedChanges.length).toEqual(1)
|
||||
expect(deniedChanges[0]).toBe(changes[1])
|
||||
})
|
||||
|
||||
test(`denies packages using the namespace from the name when there's no package_url`, async () => {
|
||||
const changes: Changes = [
|
||||
createTestChange({
|
||||
package_url: 'pkg:npm/org.test.pass/pass-this@1.0.0',
|
||||
ecosystem: 'npm'
|
||||
}),
|
||||
createTestChange({
|
||||
name: 'org.test:deny-this',
|
||||
package_url: '',
|
||||
ecosystem: 'maven'
|
||||
})
|
||||
]
|
||||
const deniedGroups = createTestPURLs(['pkg:maven/org.test/'])
|
||||
const deniedChanges = await getDeniedChanges(changes, [], deniedGroups)
|
||||
|
||||
expect(deniedChanges.length).toEqual(1)
|
||||
expect(deniedChanges[0]).toBe(changes[1])
|
||||
})
|
||||
|
||||
test('allows packages not defined in the deny packages and groups list', async () => {
|
||||
const changes: Changes = [npmChange, pipChange]
|
||||
const deniedPackages = createTestPURLs([
|
||||
'pkg:gem/package-not-in-changes@1.0.0'
|
||||
])
|
||||
const deniedGroups = createTestPURLs(['pkg:maven/group.not.in.changes/'])
|
||||
const deniedChanges = await getDeniedChanges(
|
||||
changes,
|
||||
['pkg:gem/actionsomething'],
|
||||
['pkg:maven:org.apache.logging.log4j']
|
||||
deniedPackages,
|
||||
deniedGroups
|
||||
)
|
||||
|
||||
expect(deniedChanges.length).toEqual(0)
|
||||
})
|
||||
|
||||
test('deny packages does not prevent removal of denied packages', async () => {
|
||||
const changes: Changes = [
|
||||
createTestChange({
|
||||
change_type: 'added',
|
||||
name: 'deny-by-name-and-version',
|
||||
version: '1.0.0',
|
||||
ecosystem: 'npm'
|
||||
}),
|
||||
createTestChange({
|
||||
change_type: 'removed',
|
||||
name: 'pass-by-name-and-version',
|
||||
version: '1.0.0',
|
||||
ecosystem: 'npm'
|
||||
}),
|
||||
createTestChange({
|
||||
change_type: 'added',
|
||||
name: 'deny-by-name',
|
||||
version: '1.0.0',
|
||||
ecosystem: 'npm'
|
||||
}),
|
||||
createTestChange({
|
||||
change_type: 'removed',
|
||||
name: 'pass-by-name',
|
||||
version: '1.0.0',
|
||||
ecosystem: 'npm'
|
||||
}),
|
||||
createTestChange({
|
||||
change_type: 'added',
|
||||
package_url: 'pkg:npm/org.test.deny.by.namespace/only@1.0.0',
|
||||
ecosystem: 'npm'
|
||||
}),
|
||||
createTestChange({
|
||||
change_type: 'removed',
|
||||
package_url: 'pkg:npm/org.test.pass.by.namespace/only@1.0.0',
|
||||
ecosystem: 'npm'
|
||||
})
|
||||
]
|
||||
const deniedPackages = createTestPURLs([
|
||||
'pkg:npm/org.test.deny.by/deny-by-name-and-version@1.0.0',
|
||||
'pkg:npm/org.test.pass.by/pass-by-name-and-version@1.0.0',
|
||||
'pkg:npm/org.test.deny.by/deny-by-name',
|
||||
'pkg:npm/org.test.pass.by/pass-by-name'
|
||||
])
|
||||
const deniedGroups = createTestPURLs([
|
||||
'pkg:npm/org.test.deny.by.namespace/',
|
||||
'pkg:npm/org.test.pass.by.namespace/'
|
||||
])
|
||||
const deniedChanges = await getDeniedChanges(
|
||||
changes,
|
||||
deniedPackages,
|
||||
deniedGroups
|
||||
)
|
||||
|
||||
expect(deniedChanges.length).toEqual(3)
|
||||
expect(deniedChanges[0]).toBe(changes[0])
|
||||
expect(deniedChanges[1]).toBe(changes[2])
|
||||
expect(deniedChanges[2]).toBe(changes[4])
|
||||
})
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
import {expect, test, beforeEach} from '@jest/globals'
|
||||
import {readConfig} from '../src/config'
|
||||
import * as Utils from '../src/utils'
|
||||
import * as spdx from '../src/spdx'
|
||||
import {setInput, clearInputs} from './test-helpers'
|
||||
|
||||
const externalConfig = `fail_on_severity: 'high'
|
||||
@@ -25,10 +25,6 @@ jest.mock('octokit', () => {
|
||||
}
|
||||
})
|
||||
|
||||
beforeAll(() => {
|
||||
jest.spyOn(Utils, 'isSPDXValid').mockReturnValue(true)
|
||||
})
|
||||
|
||||
beforeEach(() => {
|
||||
clearInputs()
|
||||
})
|
||||
@@ -38,7 +34,7 @@ test('it reads an external config file', async () => {
|
||||
|
||||
const config = await readConfig()
|
||||
expect(config.fail_on_severity).toEqual('critical')
|
||||
expect(config.allow_licenses).toEqual(['BSD', 'GPL 2'])
|
||||
expect(config.allow_licenses).toEqual(['BSD-3-Clause', 'GPL-2.0'])
|
||||
})
|
||||
|
||||
test('raises an error when the config file was not found', async () => {
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
fail_on_severity: critical
|
||||
allow_licenses:
|
||||
- "BSD"
|
||||
- "GPL 2"
|
||||
- 'BSD-3-Clause'
|
||||
- 'GPL-2.0'
|
||||
|
||||
@@ -1,7 +1,8 @@
|
||||
import {Change} from '../../src/schemas'
|
||||
import {createTestVulnerability} from './create-test-vulnerability'
|
||||
import {PackageURL, parsePURL} from '../../src/purl'
|
||||
|
||||
const defaultChange: Change = {
|
||||
const defaultNpmChange: Change = {
|
||||
change_type: 'added',
|
||||
manifest: 'package.json',
|
||||
ecosystem: 'npm',
|
||||
@@ -28,9 +29,98 @@ const defaultChange: Change = {
|
||||
]
|
||||
}
|
||||
|
||||
const createTestChange = (overwrites: Partial<Change> = {}): Change => ({
|
||||
...defaultChange,
|
||||
...overwrites
|
||||
})
|
||||
const defaultRubyChange: Change = {
|
||||
change_type: 'added',
|
||||
manifest: 'Gemfile.lock',
|
||||
ecosystem: 'rubygems',
|
||||
name: 'actionsomething',
|
||||
version: '3.2.0',
|
||||
package_url: 'pkg:gem/actionsomething@3.2.0',
|
||||
license: 'BSD',
|
||||
source_repository_url: 'github.com/some-repo',
|
||||
scope: 'runtime',
|
||||
vulnerabilities: [
|
||||
{
|
||||
severity: 'moderate',
|
||||
advisory_ghsa_id: 'second-random_string',
|
||||
advisory_summary: 'not so dangerous',
|
||||
advisory_url: 'github.com/future-funk'
|
||||
},
|
||||
{
|
||||
severity: 'low',
|
||||
advisory_ghsa_id: 'third-random_string',
|
||||
advisory_summary: 'dont page me',
|
||||
advisory_url: 'github.com/future-funk'
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
export {createTestChange}
|
||||
const defaultPipChange: Change = {
|
||||
change_type: 'added',
|
||||
manifest: 'requirements.txt',
|
||||
ecosystem: 'pip',
|
||||
name: 'package-1',
|
||||
version: '1.1.1',
|
||||
package_url: 'pkg:pypi/package-1@1.1.1',
|
||||
license: 'MIT',
|
||||
source_repository_url: 'github.com/some-repo',
|
||||
scope: 'runtime',
|
||||
vulnerabilities: [
|
||||
{
|
||||
severity: 'moderate',
|
||||
advisory_ghsa_id: 'second-random_string',
|
||||
advisory_summary: 'not so dangerous',
|
||||
advisory_url: 'github.com/future-funk'
|
||||
},
|
||||
{
|
||||
severity: 'low',
|
||||
advisory_ghsa_id: 'third-random_string',
|
||||
advisory_summary: 'dont page me',
|
||||
advisory_url: 'github.com/future-funk'
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
const defaultMavenChange: Change = {
|
||||
change_type: 'added',
|
||||
manifest: 'pom.xml',
|
||||
ecosystem: 'maven',
|
||||
name: 'org.apache.logging.log4j:log4j-core',
|
||||
version: '2.15.0',
|
||||
package_url: 'pkg:maven/org.apache.logging.log4j/log4j-core@2.14.7',
|
||||
license: 'Apache-2.0',
|
||||
source_repository_url:
|
||||
'https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core',
|
||||
scope: 'unknown',
|
||||
vulnerabilities: [
|
||||
{
|
||||
severity: 'critical',
|
||||
advisory_ghsa_id: 'second-random_string',
|
||||
advisory_summary: 'not so dangerous',
|
||||
advisory_url: 'github.com/future-funk'
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
const ecosystemToDefaultChange: {[key: string]: Change} = {
|
||||
npm: defaultNpmChange,
|
||||
rubygems: defaultRubyChange,
|
||||
pip: defaultPipChange,
|
||||
maven: defaultMavenChange
|
||||
}
|
||||
|
||||
const createTestChange = (overwrites: Partial<Change> = {}): Change => {
|
||||
const ecosystem = overwrites.ecosystem || 'npm'
|
||||
return {
|
||||
...ecosystemToDefaultChange[ecosystem],
|
||||
...overwrites
|
||||
}
|
||||
}
|
||||
|
||||
const createTestPURLs = (list: string[]): PackageURL[] => {
|
||||
return list.map(purl => {
|
||||
return parsePURL(purl)
|
||||
})
|
||||
}
|
||||
|
||||
export {createTestChange, createTestPURLs}
|
||||
|
||||
@@ -1 +1 @@
|
||||
allow-licenses: "MIT, GPL-2.0-only"
|
||||
allow-licenses: 'MIT, GPL-2.0-only'
|
||||
|
||||
+155
-30
@@ -1,7 +1,6 @@
|
||||
import {expect, jest, test} from '@jest/globals'
|
||||
import {Change, Changes} from '../src/schemas'
|
||||
|
||||
let getInvalidLicenseChanges: Function
|
||||
import {getInvalidLicenseChanges} from '../src/licenses'
|
||||
|
||||
const npmChange: Change = {
|
||||
manifest: 'package.json',
|
||||
@@ -30,7 +29,7 @@ const rubyChange: Change = {
|
||||
name: 'actionsomething',
|
||||
version: '3.2.0',
|
||||
package_url: 'pkg:gem/actionsomething@3.2.0',
|
||||
license: 'BSD',
|
||||
license: 'BSD-3-Clause',
|
||||
source_repository_url: 'github.com/some-repo',
|
||||
scope: 'runtime',
|
||||
vulnerabilities: [
|
||||
@@ -75,6 +74,46 @@ const pipChange: Change = {
|
||||
]
|
||||
}
|
||||
|
||||
const complexLicenseChange: Change = {
|
||||
change_type: 'added',
|
||||
manifest: 'requirements.txt',
|
||||
ecosystem: 'pip',
|
||||
name: 'package-1',
|
||||
version: '1.1.1',
|
||||
package_url: 'pkg:pypi/package-1@1.1.1',
|
||||
license: 'MIT AND Apache-2.0',
|
||||
source_repository_url: 'github.com/some-repo',
|
||||
scope: 'runtime',
|
||||
vulnerabilities: [
|
||||
{
|
||||
severity: 'moderate',
|
||||
advisory_ghsa_id: 'second-random_string',
|
||||
advisory_summary: 'not so dangerous',
|
||||
advisory_url: 'github.com/future-funk'
|
||||
},
|
||||
{
|
||||
severity: 'low',
|
||||
advisory_ghsa_id: 'third-random_string',
|
||||
advisory_summary: 'dont page me',
|
||||
advisory_url: 'github.com/future-funk'
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
const unlicensedChange: Change = {
|
||||
change_type: 'added',
|
||||
manifest: '.github/workflows/ci.yml',
|
||||
ecosystem: 'actions',
|
||||
name: 'foo-org/actions-repo/.github/workflows/some-action.yml',
|
||||
version: '1.1.1',
|
||||
package_url:
|
||||
'pkg:githubactions/foo-org/actions-repo/.github/workflows/some-action.yml@1.1.1',
|
||||
license: null,
|
||||
source_repository_url: 'github.com/some-repo',
|
||||
scope: 'development',
|
||||
vulnerabilities: []
|
||||
}
|
||||
|
||||
jest.mock('@actions/core')
|
||||
|
||||
const mockOctokit = {
|
||||
@@ -100,40 +139,67 @@ jest.mock('octokit', () => {
|
||||
|
||||
beforeEach(async () => {
|
||||
jest.resetModules()
|
||||
jest.doMock('spdx-satisfies', () => {
|
||||
// mock spdx-satisfies return value
|
||||
// true for BSD, false for all others
|
||||
return jest.fn((license: string, _: string): boolean => license === 'BSD')
|
||||
})
|
||||
// eslint-disable-next-line @typescript-eslint/no-require-imports
|
||||
;({getInvalidLicenseChanges} = require('../src/licenses'))
|
||||
})
|
||||
|
||||
test('it adds license outside the allow list to forbidden changes', async () => {
|
||||
const changes: Changes = [npmChange, rubyChange]
|
||||
const changes: Changes = [
|
||||
npmChange, // MIT license
|
||||
rubyChange // BSD license
|
||||
]
|
||||
|
||||
const {forbidden} = await getInvalidLicenseChanges(changes, {
|
||||
allow: ['BSD']
|
||||
allow: ['BSD-3-Clause']
|
||||
})
|
||||
|
||||
expect(forbidden[0]).toBe(npmChange)
|
||||
expect(forbidden.length).toEqual(1)
|
||||
})
|
||||
|
||||
test('it adds license inside the deny list to forbidden changes', async () => {
|
||||
const changes: Changes = [npmChange, rubyChange]
|
||||
const changes: Changes = [
|
||||
npmChange, // MIT license
|
||||
rubyChange // BSD license
|
||||
]
|
||||
|
||||
const {forbidden} = await getInvalidLicenseChanges(changes, {
|
||||
deny: ['BSD']
|
||||
deny: ['BSD-3-Clause']
|
||||
})
|
||||
|
||||
expect(forbidden[0]).toBe(rubyChange)
|
||||
expect(forbidden.length).toEqual(1)
|
||||
})
|
||||
|
||||
test('it handles allowed complex licenses', async () => {
|
||||
const changes: Changes = [
|
||||
complexLicenseChange // MIT AND Apache-2.0 license
|
||||
]
|
||||
|
||||
const {forbidden} = await getInvalidLicenseChanges(changes, {
|
||||
allow: ['MIT', 'Apache-2.0']
|
||||
})
|
||||
|
||||
expect(forbidden.length).toEqual(0)
|
||||
})
|
||||
|
||||
test('it handles complex licenses not all on the allow list', async () => {
|
||||
const changes: Changes = [
|
||||
complexLicenseChange // MIT AND Apache-2.0 license
|
||||
]
|
||||
|
||||
const {forbidden} = await getInvalidLicenseChanges(changes, {
|
||||
allow: ['MIT']
|
||||
})
|
||||
|
||||
expect(forbidden.length).toEqual(1)
|
||||
})
|
||||
|
||||
test('it does not add license outside the allow list to forbidden changes if it is in removed changes', async () => {
|
||||
const changes: Changes = [
|
||||
{...npmChange, change_type: 'removed'},
|
||||
{...rubyChange, change_type: 'removed'}
|
||||
]
|
||||
const {forbidden} = await getInvalidLicenseChanges(changes, {
|
||||
allow: ['BSD']
|
||||
allow: ['BSD-3-Clause']
|
||||
})
|
||||
expect(forbidden).toStrictEqual([])
|
||||
})
|
||||
@@ -144,7 +210,7 @@ test('it does not add license inside the deny list to forbidden changes if it is
|
||||
{...rubyChange, change_type: 'removed'}
|
||||
]
|
||||
const {forbidden} = await getInvalidLicenseChanges(changes, {
|
||||
deny: ['BSD']
|
||||
deny: ['BSD-3-Clause']
|
||||
})
|
||||
expect(forbidden).toStrictEqual([])
|
||||
})
|
||||
@@ -156,23 +222,18 @@ test('it adds license outside the allow list to forbidden changes if it is in bo
|
||||
{...rubyChange, change_type: 'removed'}
|
||||
]
|
||||
const {forbidden} = await getInvalidLicenseChanges(changes, {
|
||||
allow: ['BSD']
|
||||
allow: ['BSD-3-Clause']
|
||||
})
|
||||
expect(forbidden).toStrictEqual([npmChange])
|
||||
})
|
||||
|
||||
test('it adds all licenses to unresolved if it is unable to determine the validity', async () => {
|
||||
jest.resetModules() // reset module set in before
|
||||
jest.doMock('spdx-satisfies', () => {
|
||||
return jest.fn((_first: string, _second: string) => {
|
||||
throw new Error('Some Error')
|
||||
})
|
||||
})
|
||||
// eslint-disable-next-line @typescript-eslint/no-require-imports
|
||||
;({getInvalidLicenseChanges} = require('../src/licenses'))
|
||||
const changes: Changes = [npmChange, rubyChange]
|
||||
const changes: Changes = [
|
||||
{...npmChange, license: 'Foo'},
|
||||
{...rubyChange, license: 'Bar'}
|
||||
]
|
||||
const invalidLicenses = await getInvalidLicenseChanges(changes, {
|
||||
allow: ['BSD']
|
||||
allow: ['Apache-2.0']
|
||||
})
|
||||
expect(invalidLicenses.forbidden.length).toEqual(0)
|
||||
expect(invalidLicenses.unlicensed.length).toEqual(0)
|
||||
@@ -182,7 +243,7 @@ test('it adds all licenses to unresolved if it is unable to determine the validi
|
||||
test('it does not filter out changes that are on the exclusions list', async () => {
|
||||
const changes: Changes = [pipChange, npmChange, rubyChange]
|
||||
const licensesConfig = {
|
||||
allow: ['BSD'],
|
||||
allow: ['BSD-3-Clause'],
|
||||
licenseExclusions: ['pkg:pypi/package-1@1.1.1', 'pkg:npm/reeuhq@1.0.2']
|
||||
}
|
||||
const invalidLicenses = await getInvalidLicenseChanges(
|
||||
@@ -192,13 +253,40 @@ test('it does not filter out changes that are on the exclusions list', async ()
|
||||
expect(invalidLicenses.forbidden.length).toEqual(0)
|
||||
})
|
||||
|
||||
test('it excludes scoped npm packages when namespace separator is percent-encoded', async () => {
|
||||
const scopedNpmChange: Change = {
|
||||
manifest: 'package.json',
|
||||
change_type: 'added',
|
||||
ecosystem: 'npm',
|
||||
name: '@lancedb/lancedb',
|
||||
version: '0.14.3',
|
||||
package_url: 'pkg:npm/%40lancedb/lancedb@0.14.3',
|
||||
license: 'Apache-2.0',
|
||||
source_repository_url: 'github.com/lancedb/lancedb',
|
||||
scope: 'runtime',
|
||||
vulnerabilities: []
|
||||
}
|
||||
const changes: Changes = [scopedNpmChange, rubyChange]
|
||||
const licensesConfig = {
|
||||
allow: ['BSD-3-Clause'],
|
||||
// user provides %2F-encoded version
|
||||
licenseExclusions: ['pkg:npm/%40lancedb%2Flancedb']
|
||||
}
|
||||
const invalidLicenses = await getInvalidLicenseChanges(
|
||||
changes,
|
||||
licensesConfig
|
||||
)
|
||||
// scoped package should be excluded, only rubyChange remains (allowed)
|
||||
expect(invalidLicenses.forbidden.length).toEqual(0)
|
||||
})
|
||||
|
||||
test('it does not fail when the packages dont have a valid PURL', async () => {
|
||||
const emptyPurlChange = pipChange
|
||||
emptyPurlChange.package_url = ''
|
||||
|
||||
const changes: Changes = [emptyPurlChange, npmChange, rubyChange]
|
||||
const licensesConfig = {
|
||||
allow: ['BSD'],
|
||||
allow: ['BSD-3-Clause'],
|
||||
licenseExclusions: ['pkg:pypi/package-1@1.1.1', 'pkg:npm/reeuhq@1.0.2']
|
||||
}
|
||||
|
||||
@@ -212,21 +300,36 @@ test('it does not fail when the packages dont have a valid PURL', async () => {
|
||||
test('it does filters out changes if they are not on the exclusions list', async () => {
|
||||
const changes: Changes = [pipChange, npmChange, rubyChange]
|
||||
const licensesConfig = {
|
||||
allow: ['BSD'],
|
||||
allow: ['BSD-3-Clause'],
|
||||
licenseExclusions: [
|
||||
'pkg:pypi/notmypackage-1@1.1.1',
|
||||
'pkg:npm/alsonot@1.0.2'
|
||||
]
|
||||
}
|
||||
|
||||
const invalidLicenses = await getInvalidLicenseChanges(
|
||||
changes,
|
||||
licensesConfig
|
||||
)
|
||||
|
||||
expect(invalidLicenses.forbidden.length).toEqual(2)
|
||||
expect(invalidLicenses.forbidden[0]).toBe(pipChange)
|
||||
expect(invalidLicenses.forbidden[1]).toBe(npmChange)
|
||||
})
|
||||
|
||||
test('it does not fail if there is a license expression in the allow list', async () => {
|
||||
const changes: Changes = [
|
||||
{...npmChange, license: 'MIT AND Apache-2.0'},
|
||||
{...rubyChange, license: 'BSD-3-Clause'}
|
||||
]
|
||||
|
||||
const {forbidden} = await getInvalidLicenseChanges(changes, {
|
||||
allow: ['BSD-3-Clause', 'MIT AND Apache-2.0', 'MIT', 'Apache-2.0']
|
||||
})
|
||||
|
||||
expect(forbidden.length).toEqual(0)
|
||||
})
|
||||
|
||||
describe('GH License API fallback', () => {
|
||||
test('it calls licenses endpoint if atleast one of the changes has null license and valid source_repository_url', async () => {
|
||||
const nullLicenseChange = {
|
||||
@@ -264,4 +367,26 @@ describe('GH License API fallback', () => {
|
||||
expect(mockOctokit.rest.licenses.getForRepo).not.toHaveBeenCalled()
|
||||
expect(unlicensed.length).toEqual(0)
|
||||
})
|
||||
|
||||
test('it does not call licenses API if the package is excluded', async () => {
|
||||
const {unlicensed} = await getInvalidLicenseChanges([unlicensedChange], {
|
||||
licenseExclusions: [
|
||||
'pkg:githubactions/foo-org/actions-repo/.github/workflows/some-action.yml'
|
||||
]
|
||||
})
|
||||
|
||||
expect(mockOctokit.rest.licenses.getForRepo).not.toHaveBeenCalled()
|
||||
expect(unlicensed.length).toEqual(0)
|
||||
})
|
||||
|
||||
test('it checks namespaces when doing exclusions', async () => {
|
||||
const {unlicensed} = await getInvalidLicenseChanges([unlicensedChange], {
|
||||
licenseExclusions: [
|
||||
'pkg:githubactions/bar-org/actions-repo/.github/workflows/some-action.yml'
|
||||
]
|
||||
})
|
||||
|
||||
expect(mockOctokit.rest.licenses.getForRepo).not.toHaveBeenCalled()
|
||||
expect(unlicensed.length).toEqual(1)
|
||||
})
|
||||
})
|
||||
|
||||
@@ -0,0 +1,164 @@
|
||||
import {
|
||||
afterEach,
|
||||
beforeEach,
|
||||
describe,
|
||||
expect,
|
||||
jest,
|
||||
test
|
||||
} from '@jest/globals'
|
||||
import * as fs from 'fs'
|
||||
import * as core from '@actions/core'
|
||||
import {DefaultArtifactClient} from '@actions/artifact'
|
||||
import type {SpyInstance} from 'jest-mock'
|
||||
import {handleLargeSummary} from '../src/main'
|
||||
|
||||
jest.mock('ansi-styles', () => ({
|
||||
__esModule: true,
|
||||
default: {
|
||||
color: {
|
||||
red: {open: '', close: ''},
|
||||
yellow: {open: '', close: ''},
|
||||
grey: {open: '', close: ''},
|
||||
green: {open: '', close: ''}
|
||||
},
|
||||
bold: {open: '', close: ''}
|
||||
}
|
||||
}))
|
||||
jest.mock('../src/dependency-graph', () => ({}))
|
||||
jest.mock('@actions/core', () => {
|
||||
const summary = {
|
||||
addRaw: jest.fn().mockReturnThis(),
|
||||
addHeading: jest.fn().mockReturnThis(),
|
||||
addTable: jest.fn().mockReturnThis(),
|
||||
addSeparator: jest.fn().mockReturnThis(),
|
||||
addImage: jest.fn().mockReturnThis(),
|
||||
addList: jest.fn().mockReturnThis(),
|
||||
addBreak: jest.fn().mockReturnThis(),
|
||||
addLink: jest.fn().mockReturnThis(),
|
||||
addDetails: jest.fn().mockReturnThis(),
|
||||
addSection: jest.fn().mockReturnThis(),
|
||||
addCodeBlock: jest.fn().mockReturnThis(),
|
||||
addFields: jest.fn().mockReturnThis(),
|
||||
addEol: jest.fn().mockReturnThis(),
|
||||
write: jest.fn(async () => undefined),
|
||||
emptyBuffer: jest.fn(),
|
||||
stringify: jest.fn(() => '')
|
||||
}
|
||||
return {
|
||||
__esModule: true,
|
||||
getInput: jest.fn((name: string) =>
|
||||
name === 'repo-token' ? 'gh_test_token' : ''
|
||||
),
|
||||
setOutput: jest.fn(),
|
||||
setFailed: jest.fn(),
|
||||
warning: jest.fn(),
|
||||
info: jest.fn(),
|
||||
debug: jest.fn(),
|
||||
startGroup: jest.fn(),
|
||||
endGroup: jest.fn(),
|
||||
group: jest.fn(async (_name: string, fn: () => Promise<unknown>) => fn()),
|
||||
summary
|
||||
}
|
||||
})
|
||||
jest.mock('@actions/artifact', () => ({
|
||||
DefaultArtifactClient: jest.fn()
|
||||
}))
|
||||
|
||||
const ORIGINAL_ENV = {...process.env}
|
||||
|
||||
type ArtifactClientInstance = {
|
||||
uploadArtifact: jest.Mock
|
||||
}
|
||||
|
||||
const DefaultArtifactClientMock = DefaultArtifactClient as unknown as jest.Mock
|
||||
|
||||
const createArtifactClient = (): ArtifactClientInstance => ({
|
||||
uploadArtifact: jest.fn(async () => undefined)
|
||||
})
|
||||
|
||||
describe('handleLargeSummary', () => {
|
||||
let writeFileSpy: SpyInstance<typeof fs.promises.writeFile>
|
||||
|
||||
beforeEach(() => {
|
||||
process.env = {...ORIGINAL_ENV}
|
||||
writeFileSpy = jest
|
||||
.spyOn(fs.promises, 'writeFile')
|
||||
.mockImplementation(async () => undefined)
|
||||
DefaultArtifactClientMock.mockClear()
|
||||
DefaultArtifactClientMock.mockImplementation(() => createArtifactClient())
|
||||
})
|
||||
|
||||
afterEach(() => {
|
||||
writeFileSpy.mockRestore()
|
||||
jest.clearAllMocks()
|
||||
process.env = {...ORIGINAL_ENV}
|
||||
})
|
||||
|
||||
test('returns original summary when under size threshold', async () => {
|
||||
const summaryContent = 'short summary'
|
||||
|
||||
const result = await handleLargeSummary(summaryContent)
|
||||
|
||||
expect(result).toBe(summaryContent)
|
||||
expect(writeFileSpy).not.toHaveBeenCalled()
|
||||
expect(DefaultArtifactClientMock).not.toHaveBeenCalled()
|
||||
})
|
||||
|
||||
test('uploads artifact and returns minimal summary when summary is too large', async () => {
|
||||
process.env.GITHUB_SERVER_URL = 'https://github.com'
|
||||
process.env.GITHUB_REPOSITORY = 'owner/repo'
|
||||
process.env.GITHUB_RUN_ID = '12345'
|
||||
|
||||
const largeSummary = 'a'.repeat(1024 * 1024 + 1)
|
||||
|
||||
const result = await handleLargeSummary(largeSummary)
|
||||
|
||||
expect(writeFileSpy).toHaveBeenCalledTimes(1)
|
||||
expect(writeFileSpy).toHaveBeenCalledWith('summary.md', largeSummary)
|
||||
expect(DefaultArtifactClientMock).toHaveBeenCalledTimes(1)
|
||||
|
||||
const artifactInstance = DefaultArtifactClientMock.mock.results[0]
|
||||
?.value as ArtifactClientInstance
|
||||
|
||||
expect(artifactInstance.uploadArtifact).toHaveBeenCalledWith(
|
||||
'dependency-review-summary',
|
||||
['summary.md'],
|
||||
'.',
|
||||
{retentionDays: 1}
|
||||
)
|
||||
|
||||
expect(result).toContain('# Dependency Review Summary')
|
||||
expect(result).toContain('dependency-review-summary')
|
||||
expect(result).toContain('actions/runs/12345')
|
||||
})
|
||||
|
||||
test('returns truncated summary and replaces buffer when artifact upload fails', async () => {
|
||||
const warningMock = core.warning as jest.Mock
|
||||
const emptyBufferMock = core.summary.emptyBuffer as jest.Mock
|
||||
const addRawMock = core.summary.addRaw as jest.Mock
|
||||
warningMock.mockClear()
|
||||
emptyBufferMock.mockClear()
|
||||
addRawMock.mockClear()
|
||||
const largeSummary = 'b'.repeat(1024 * 1024 + 1)
|
||||
|
||||
DefaultArtifactClientMock.mockImplementation(() => ({
|
||||
uploadArtifact: jest.fn(async () => {
|
||||
throw new Error('upload failed')
|
||||
})
|
||||
}))
|
||||
|
||||
const result = await handleLargeSummary(largeSummary)
|
||||
|
||||
// Should NOT return the original oversized content
|
||||
expect(result).not.toBe(largeSummary)
|
||||
// Should return a truncated summary
|
||||
expect(result).toContain('Dependency Review Summary')
|
||||
expect(result).toContain('too large to display')
|
||||
// Should replace the core.summary buffer to prevent write() from failing
|
||||
expect(emptyBufferMock).toHaveBeenCalled()
|
||||
expect(addRawMock).toHaveBeenCalledWith(result)
|
||||
expect(warningMock).toHaveBeenCalledWith(
|
||||
expect.stringContaining('Failed to upload large summary as artifact')
|
||||
)
|
||||
})
|
||||
})
|
||||
@@ -0,0 +1,249 @@
|
||||
import {expect, test} from '@jest/globals'
|
||||
import {parsePURL, purlsMatch} from '../src/purl'
|
||||
|
||||
test('parsePURL returns an error if the purl does not start with "pkg:"', () => {
|
||||
const purl = 'not-a-purl'
|
||||
const result = parsePURL(purl)
|
||||
expect(result.error).toEqual('package-url must start with "pkg:"')
|
||||
})
|
||||
|
||||
test('parsePURL returns an error if the purl does not contain a type', () => {
|
||||
const purl = 'pkg:/'
|
||||
const result = parsePURL(purl)
|
||||
expect(result.error).toEqual('package-url must contain a type')
|
||||
})
|
||||
|
||||
test('parsePURL returns an error if the purl does not contain a namespace or name', () => {
|
||||
const purl = 'pkg:ecosystem/'
|
||||
const result = parsePURL(purl)
|
||||
expect(result.type).toEqual('ecosystem')
|
||||
expect(result.error).toEqual('package-url must contain a namespace or name')
|
||||
})
|
||||
|
||||
test('parsePURL returns a PURL with the correct values in the happy case', () => {
|
||||
const purl = 'pkg:ecosystem/namespace/name@version'
|
||||
const result = parsePURL(purl)
|
||||
expect(result.type).toEqual('ecosystem')
|
||||
expect(result.namespace).toEqual('namespace')
|
||||
expect(result.name).toEqual('name')
|
||||
expect(result.version).toEqual('version')
|
||||
expect(result.original).toEqual(purl)
|
||||
expect(result.error).toBeNull()
|
||||
})
|
||||
|
||||
test('parsePURL table test', () => {
|
||||
const examples = [
|
||||
{
|
||||
purl: 'pkg:npm/@n4m3SPACE/Name@^1.2.3',
|
||||
expected: {
|
||||
type: 'npm',
|
||||
namespace: '@n4m3SPACE',
|
||||
name: 'Name',
|
||||
version: '^1.2.3',
|
||||
original: 'pkg:npm/@n4m3SPACE/Name@^1.2.3',
|
||||
error: null
|
||||
}
|
||||
},
|
||||
{
|
||||
purl: 'pkg:golang/gopkg.in/DataDog/dd-trace-go.v1@1.63.1',
|
||||
// Note: this purl is technically invalid, but we can still parse it
|
||||
expected: {
|
||||
type: 'golang',
|
||||
namespace: 'gopkg.in',
|
||||
name: 'DataDog/dd-trace-go.v1',
|
||||
version: '1.63.1',
|
||||
original: 'pkg:golang/gopkg.in/DataDog/dd-trace-go.v1@1.63.1',
|
||||
error: null
|
||||
}
|
||||
},
|
||||
{
|
||||
purl: 'pkg:golang/github.com/pelletier/go-toml/v2',
|
||||
// Note: this purl is technically invalid, but we can still parse it
|
||||
expected: {
|
||||
type: 'golang',
|
||||
namespace: 'github.com',
|
||||
name: 'pelletier/go-toml/v2',
|
||||
version: null,
|
||||
original: 'pkg:golang/github.com/pelletier/go-toml/v2',
|
||||
error: null
|
||||
}
|
||||
},
|
||||
{
|
||||
purl: 'pkg:npm/%40ns%20foo/n%40me@1.%2f2.3',
|
||||
expected: {
|
||||
type: 'npm',
|
||||
namespace: '@ns foo',
|
||||
name: 'n@me',
|
||||
version: '1./2.3',
|
||||
original: 'pkg:npm/%40ns%20foo/n%40me@1.%2f2.3',
|
||||
error: null
|
||||
}
|
||||
},
|
||||
{
|
||||
purl: 'pkg:ecosystem/name@version',
|
||||
expected: {
|
||||
type: 'ecosystem',
|
||||
namespace: null,
|
||||
name: 'name',
|
||||
version: 'version',
|
||||
original: 'pkg:ecosystem/name@version',
|
||||
error: null
|
||||
}
|
||||
},
|
||||
{
|
||||
purl: 'pkg:npm/namespace/',
|
||||
expected: {
|
||||
type: 'npm',
|
||||
namespace: 'namespace',
|
||||
name: null,
|
||||
version: null,
|
||||
original: 'pkg:npm/namespace/',
|
||||
error: null
|
||||
}
|
||||
},
|
||||
{
|
||||
purl: 'pkg:ecosystem/name',
|
||||
expected: {
|
||||
type: 'ecosystem',
|
||||
namespace: null,
|
||||
name: 'name',
|
||||
version: null,
|
||||
original: 'pkg:ecosystem/name',
|
||||
error: null
|
||||
}
|
||||
},
|
||||
{
|
||||
purl: 'pkg:/?',
|
||||
expected: {
|
||||
type: '',
|
||||
namespace: null,
|
||||
name: null,
|
||||
version: null,
|
||||
original: 'pkg:/?',
|
||||
error: 'package-url must contain a type'
|
||||
}
|
||||
},
|
||||
{
|
||||
purl: 'pkg:ecosystem/#',
|
||||
expected: {
|
||||
type: 'ecosystem',
|
||||
namespace: null,
|
||||
name: null,
|
||||
version: null,
|
||||
original: 'pkg:ecosystem/#',
|
||||
error: 'package-url must contain a namespace or name'
|
||||
}
|
||||
},
|
||||
{
|
||||
purl: 'pkg:ecosystem/name@version#subpath?attributes=123',
|
||||
expected: {
|
||||
type: 'ecosystem',
|
||||
namespace: null,
|
||||
name: 'name',
|
||||
version: 'version',
|
||||
original: 'pkg:ecosystem/name@version#subpath?attributes=123',
|
||||
error: null
|
||||
}
|
||||
},
|
||||
{
|
||||
purl: 'pkg:ecosystem/name@version#subpath',
|
||||
expected: {
|
||||
type: 'ecosystem',
|
||||
namespace: null,
|
||||
name: 'name',
|
||||
version: 'version',
|
||||
original: 'pkg:ecosystem/name@version#subpath',
|
||||
error: null
|
||||
}
|
||||
},
|
||||
{
|
||||
purl: 'pkg:ecosystem/namespace/name@version?attributes',
|
||||
expected: {
|
||||
type: 'ecosystem',
|
||||
namespace: 'namespace',
|
||||
name: 'name',
|
||||
version: 'version',
|
||||
original: 'pkg:ecosystem/namespace/name@version?attributes',
|
||||
error: null
|
||||
}
|
||||
},
|
||||
{
|
||||
purl: 'pkg:ecosystem/name#subpath?attributes',
|
||||
expected: {
|
||||
type: 'ecosystem',
|
||||
namespace: null,
|
||||
name: 'name',
|
||||
version: null,
|
||||
original: 'pkg:ecosystem/name#subpath?attributes',
|
||||
error: null
|
||||
}
|
||||
}
|
||||
]
|
||||
for (const example of examples) {
|
||||
const result = parsePURL(example.purl)
|
||||
expect(result).toEqual(example.expected)
|
||||
}
|
||||
})
|
||||
|
||||
test('purlsMatch matches identical PURLs', () => {
|
||||
const a = parsePURL('pkg:npm/@scope/name@1.0.0')
|
||||
const b = parsePURL('pkg:npm/@scope/name@2.0.0')
|
||||
expect(purlsMatch(a, b)).toBe(true)
|
||||
})
|
||||
|
||||
test('purlsMatch matches when namespace separator is percent-encoded', () => {
|
||||
// %2F-encoded separator puts everything in name with no namespace
|
||||
const encoded = parsePURL('pkg:npm/%40lancedb%2Flancedb')
|
||||
// literal / splits into namespace + name
|
||||
const literal = parsePURL('pkg:npm/%40lancedb/lancedb')
|
||||
expect(purlsMatch(encoded, literal)).toBe(true)
|
||||
})
|
||||
|
||||
test('purlsMatch matches scoped npm packages regardless of encoding', () => {
|
||||
const a = parsePURL('pkg:npm/%40lancedb%2Flancedb')
|
||||
const b = parsePURL('pkg:npm/@lancedb/lancedb')
|
||||
const c = parsePURL('pkg:npm/%40lancedb/lancedb@0.14.3')
|
||||
expect(purlsMatch(a, b)).toBe(true)
|
||||
expect(purlsMatch(a, c)).toBe(true)
|
||||
expect(purlsMatch(b, c)).toBe(true)
|
||||
})
|
||||
|
||||
test('purlsMatch does not match different packages', () => {
|
||||
const a = parsePURL('pkg:npm/@scope/foo')
|
||||
const b = parsePURL('pkg:npm/@scope/bar')
|
||||
expect(purlsMatch(a, b)).toBe(false)
|
||||
})
|
||||
|
||||
test('purlsMatch does not match different types', () => {
|
||||
const a = parsePURL('pkg:npm/@scope/name')
|
||||
const b = parsePURL('pkg:pypi/@scope/name')
|
||||
expect(purlsMatch(a, b)).toBe(false)
|
||||
})
|
||||
|
||||
test('purlsMatch matches packages without namespaces', () => {
|
||||
const a = parsePURL('pkg:npm/lodash@4.0.0')
|
||||
const b = parsePURL('pkg:npm/lodash@5.0.0')
|
||||
expect(purlsMatch(a, b)).toBe(true)
|
||||
})
|
||||
|
||||
test('purlsMatch is case-insensitive for GitHub Actions', () => {
|
||||
const a = parsePURL('pkg:githubactions/MyOrg/MyAction@1.0.0')
|
||||
const b = parsePURL('pkg:githubactions/myorg/myaction@1.0.0')
|
||||
expect(purlsMatch(a, b)).toBe(true)
|
||||
})
|
||||
|
||||
test('purlsMatch is case-insensitive for scoped npm packages', () => {
|
||||
const a = parsePURL('pkg:npm/@MyScope/MyPackage')
|
||||
const b = parsePURL('pkg:npm/@myscope/mypackage')
|
||||
expect(purlsMatch(a, b)).toBe(true)
|
||||
})
|
||||
|
||||
test('purlsMatch is case-insensitive for GitHub Actions with file paths', () => {
|
||||
const a = parsePURL(
|
||||
'pkg:githubactions/MyOrg/MyWorkflows/.github/workflows/general.yml'
|
||||
)
|
||||
const b = parsePURL(
|
||||
'pkg:githubactions/myorg/myworkflows/.github/workflows/general.yml'
|
||||
)
|
||||
expect(purlsMatch(a, b)).toBe(true)
|
||||
})
|
||||
@@ -22,6 +22,19 @@ const npmChange: Change = {
|
||||
]
|
||||
}
|
||||
|
||||
const actionsChange: Change = {
|
||||
manifest: 'workflow.yml',
|
||||
change_type: 'added',
|
||||
ecosystem: 'actions',
|
||||
name: 'actions/checkout/',
|
||||
version: 'v3',
|
||||
package_url: 'pkg:githubactions/actions@v3',
|
||||
license: 'MIT',
|
||||
source_repository_url: 'null',
|
||||
scope: 'runtime',
|
||||
vulnerabilities: []
|
||||
}
|
||||
|
||||
test('Get scorecard from API', async () => {
|
||||
const changes: Changes = [npmChange]
|
||||
const scorecard = await getScorecardLevels(changes)
|
||||
@@ -38,3 +51,11 @@ test('Get project URL from deps.dev API', async () => {
|
||||
)
|
||||
expect(result).not.toBeNull()
|
||||
})
|
||||
|
||||
test('Handles Actions special case', async () => {
|
||||
const changes: Changes = [actionsChange]
|
||||
const result = await getScorecardLevels(changes)
|
||||
expect(result).not.toBeNull()
|
||||
expect(result.dependencies).toHaveLength(1)
|
||||
expect(result.dependencies[0].scorecard?.score).toBeGreaterThan(0)
|
||||
})
|
||||
|
||||
@@ -0,0 +1,326 @@
|
||||
import {expect, test, describe} from '@jest/globals'
|
||||
import * as spdx from '../src/spdx'
|
||||
|
||||
describe('satisfiesAny', () => {
|
||||
const units = [
|
||||
{
|
||||
candidate: 'MIT',
|
||||
licenses: ['MIT'],
|
||||
expected: true
|
||||
},
|
||||
{
|
||||
candidate: 'MIT OR Apache-2.0',
|
||||
licenses: ['MIT', 'Apache-2.0'],
|
||||
expected: true
|
||||
},
|
||||
{
|
||||
candidate: '(MIT AND ISC) OR Apache-2.0',
|
||||
licenses: ['MIT', 'Apache-2.0'],
|
||||
expected: true
|
||||
},
|
||||
{
|
||||
candidate: 'MIT AND Apache-2.0',
|
||||
licenses: ['MIT', 'Apache-2.0'],
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: 'MIT AND BSD-3-Clause',
|
||||
licenses: ['MIT', 'Apache-2.0'],
|
||||
expected: false
|
||||
},
|
||||
|
||||
// missing params, case sensitivity, syntax problems,
|
||||
// or unknown licenses will return 'false'
|
||||
{
|
||||
candidate: 'MIT OR',
|
||||
licenses: ['MIT', 'Apache-2.0'],
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: '',
|
||||
licenses: ['MIT', 'Apache-2.0'],
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: 'MIT OR (Apache-2.0 AND ISC)',
|
||||
licenses: [],
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: 'MIT AND (ISC',
|
||||
licenses: ['MIT', 'Apache-2.0'],
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: 'MIT OR ISC',
|
||||
licenses: ['MiT'],
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: 'MIT AND OTHER',
|
||||
licenses: ['MIT'],
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: 'MIT OR OTHER',
|
||||
licenses: ['MIT', 'LicenseRef-clearlydefined-OTHER'],
|
||||
expected: true
|
||||
}
|
||||
]
|
||||
|
||||
for (const unit of units) {
|
||||
const got: boolean = spdx.satisfiesAny(unit.candidate, unit.licenses)
|
||||
test(`should return ${unit.expected} for ("${unit.candidate}", "${unit.licenses}")`, () => {
|
||||
expect(got).toBe(unit.expected)
|
||||
})
|
||||
}
|
||||
})
|
||||
|
||||
describe('satisfiesAll', () => {
|
||||
const units = [
|
||||
{
|
||||
candidate: 'MIT',
|
||||
licenses: ['MIT'],
|
||||
expected: true
|
||||
},
|
||||
{
|
||||
candidate: 'Apache-2.0',
|
||||
licenses: ['MIT', 'ISC', 'Apache-2.0'],
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: 'MIT AND Apache-2.0',
|
||||
licenses: ['MIT', 'Apache-2.0'],
|
||||
expected: true
|
||||
},
|
||||
{
|
||||
candidate: '(MIT OR ISC) AND Apache-2.0',
|
||||
licenses: ['MIT', 'Apache-2.0'],
|
||||
expected: true
|
||||
},
|
||||
{
|
||||
candidate: 'MIT OR BSD-3-Clause',
|
||||
licenses: ['MIT', 'Apache-2.0'],
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: 'BSD-3-Clause OR ISC',
|
||||
licenses: ['MIT', 'Apache-2.0'],
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: '(MIT AND ISC) OR Apache-2.0',
|
||||
licenses: ['MIT', 'ISC'],
|
||||
expected: true
|
||||
},
|
||||
|
||||
// missing params, case sensitivity, syntax problems,
|
||||
// or unknown licenses will return 'false'
|
||||
{
|
||||
candidate: 'MIT OR',
|
||||
licenses: ['MIT', 'Apache-2.0'],
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: '',
|
||||
licenses: ['MIT', 'Apache-2.0'],
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: 'MIT OR (Apache-2.0 AND ISC)',
|
||||
licenses: [],
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: 'MIT AND (ISC',
|
||||
licenses: ['MIT', 'Apache-2.0'],
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: 'MIT OR ISC',
|
||||
licenses: ['MiT'],
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: 'MIT AND OTHER',
|
||||
licenses: ['MIT'],
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: 'MIT AND OTHER',
|
||||
licenses: ['MIT', 'LicenseRef-clearlydefined-OTHER'],
|
||||
expected: true
|
||||
}
|
||||
]
|
||||
|
||||
for (const unit of units) {
|
||||
const got: boolean = spdx.satisfiesAll(unit.candidate, unit.licenses)
|
||||
test(`should return ${unit.expected} for ("${unit.candidate}", "${unit.licenses}")`, () => {
|
||||
expect(got).toBe(unit.expected)
|
||||
})
|
||||
}
|
||||
})
|
||||
|
||||
describe('satisfies', () => {
|
||||
const units = [
|
||||
{
|
||||
candidate: 'MIT',
|
||||
allowList: ['MIT'],
|
||||
expected: true
|
||||
},
|
||||
{
|
||||
candidate: 'Apache-2.0',
|
||||
allowList: ['MIT'],
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: 'MIT OR Apache-2.0',
|
||||
allowList: ['MIT'],
|
||||
expected: true
|
||||
},
|
||||
{
|
||||
candidate: 'MIT OR Apache-2.0',
|
||||
allowList: ['Apache-2.0'],
|
||||
expected: true
|
||||
},
|
||||
{
|
||||
candidate: 'MIT OR Apache-2.0',
|
||||
allowList: ['BSD-3-Clause'],
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: 'MIT OR Apache-2.0',
|
||||
allowList: ['Apache-2.0', 'BSD-3-Clause'],
|
||||
expected: true
|
||||
},
|
||||
{
|
||||
candidate: 'MIT AND Apache-2.0',
|
||||
allowList: ['MIT', 'Apache-2.0'],
|
||||
expected: true
|
||||
},
|
||||
{
|
||||
candidate: 'MIT OR Apache-2.0',
|
||||
allowList: ['MIT', 'Apache-2.0'],
|
||||
expected: true
|
||||
},
|
||||
{
|
||||
candidate: 'ISC OR (MIT AND Apache-2.0)',
|
||||
allowList: ['MIT', 'Apache-2.0'],
|
||||
expected: true
|
||||
},
|
||||
|
||||
// missing params, case sensitivity, syntax problems,
|
||||
// or unknown licenses will return 'false'
|
||||
{
|
||||
candidate: 'MIT',
|
||||
allowList: ['MiT'],
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: 'MIT AND (ISC OR',
|
||||
allowList: ['MIT'],
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: 'MIT OR ISC OR Apache-2.0',
|
||||
allowList: [],
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: '',
|
||||
allowList: ['BSD-3-Clause', 'ISC', 'MIT'],
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: 'MIT OR OTHER',
|
||||
allowList: ['MIT', 'LicenseRef-clearlydefined-OTHER'],
|
||||
expected: true
|
||||
},
|
||||
{
|
||||
candidate: '(Apache-2.0 AND OTHER) OR (MIT AND OTHER)',
|
||||
allowList: ['Apache-2.0', 'LicenseRef-clearlydefined-OTHER'],
|
||||
expected: true
|
||||
}
|
||||
]
|
||||
|
||||
for (const unit of units) {
|
||||
const got: boolean = spdx.satisfies(unit.candidate, unit.allowList)
|
||||
test(`should return ${unit.expected} for ("${unit.candidate}", "${unit.allowList}")`, () => {
|
||||
expect(got).toBe(unit.expected)
|
||||
})
|
||||
}
|
||||
})
|
||||
|
||||
describe('isValid', () => {
|
||||
const units = [
|
||||
{
|
||||
candidate: 'MIT',
|
||||
expected: true
|
||||
},
|
||||
{
|
||||
candidate: 'MIT AND BSD-3-Clause',
|
||||
expected: true
|
||||
},
|
||||
{
|
||||
candidate: '(MIT AND ISC) OR BSD-3-Clause',
|
||||
expected: true
|
||||
},
|
||||
{
|
||||
candidate: 'NOASSERTION',
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: 'Foobar',
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: '',
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: 'MIT AND OTHER',
|
||||
expected: true
|
||||
}
|
||||
]
|
||||
for (const unit of units) {
|
||||
const got: boolean = spdx.isValid(unit.candidate)
|
||||
test(`should return ${unit.expected} for ("${unit.candidate}")`, () => {
|
||||
expect(got).toBe(unit.expected)
|
||||
})
|
||||
}
|
||||
})
|
||||
|
||||
describe('cleanInvalidSPDX', () => {
|
||||
const units = [
|
||||
{
|
||||
candidate: 'MIT',
|
||||
expected: 'MIT'
|
||||
},
|
||||
{
|
||||
candidate: 'OTHER',
|
||||
expected: 'LicenseRef-clearlydefined-OTHER'
|
||||
},
|
||||
{
|
||||
candidate: 'LicenseRef-clearlydefined-OTHER',
|
||||
expected: 'LicenseRef-clearlydefined-OTHER'
|
||||
},
|
||||
{
|
||||
candidate: 'OTHER AND MIT',
|
||||
expected: 'LicenseRef-clearlydefined-OTHER AND MIT'
|
||||
},
|
||||
{
|
||||
candidate: 'MIT AND OTHER',
|
||||
expected: 'MIT AND LicenseRef-clearlydefined-OTHER'
|
||||
},
|
||||
{
|
||||
candidate: 'MIT AND SomethingElse-OTHER',
|
||||
expected: 'MIT AND SomethingElse-OTHER'
|
||||
}
|
||||
]
|
||||
for (const unit of units) {
|
||||
const got: string = spdx.cleanInvalidSPDX(unit.candidate)
|
||||
test(`should return ${unit.expected} for ("${unit.candidate}")`, () => {
|
||||
expect(got).toBe(unit.expected)
|
||||
})
|
||||
}
|
||||
})
|
||||
+479
-25
@@ -1,12 +1,25 @@
|
||||
import {expect, jest, test} from '@jest/globals'
|
||||
import {expect, jest, test, beforeEach} from '@jest/globals'
|
||||
import {Changes, ConfigurationOptions, Scorecard} from '../src/schemas'
|
||||
import * as summary from '../src/summary'
|
||||
import * as core from '@actions/core'
|
||||
import {createTestChange} from './fixtures/create-test-change'
|
||||
import {createTestVulnerability} from './fixtures/create-test-vulnerability'
|
||||
import * as utils from '../src/utils'
|
||||
|
||||
const mockOctokitRequest = jest.fn<any>()
|
||||
|
||||
beforeEach(() => {
|
||||
jest.spyOn(utils, 'octokitClient').mockReturnValue({
|
||||
request: mockOctokitRequest
|
||||
} as any)
|
||||
|
||||
mockOctokitRequest.mockResolvedValue({
|
||||
data: {vulnerabilities: []}
|
||||
})
|
||||
})
|
||||
|
||||
afterEach(() => {
|
||||
jest.clearAllMocks()
|
||||
jest.restoreAllMocks()
|
||||
core.summary.emptyBuffer()
|
||||
})
|
||||
|
||||
@@ -34,7 +47,8 @@ const defaultConfig: ConfigurationOptions = {
|
||||
retry_on_snapshot_warnings_timeout: 120,
|
||||
warn_only: false,
|
||||
warn_on_openssf_scorecard_level: 3,
|
||||
show_openssf_scorecard: false
|
||||
show_openssf_scorecard: false,
|
||||
show_patched_versions: false
|
||||
}
|
||||
|
||||
const changesWithEmptyManifests: Changes = [
|
||||
@@ -109,6 +123,72 @@ test('prints headline as h1', () => {
|
||||
expect(text).toContain('<h1>Dependency Review</h1>')
|
||||
})
|
||||
|
||||
test('does not add deprecation warning for deny-licenses option if not set', () => {
|
||||
summary.addSummaryToSummary(
|
||||
emptyChanges,
|
||||
emptyInvalidLicenseChanges,
|
||||
emptyChanges,
|
||||
scorecard,
|
||||
defaultConfig
|
||||
)
|
||||
const text = core.summary.stringify()
|
||||
|
||||
expect(text).not.toContain('deny-licenses')
|
||||
})
|
||||
|
||||
test('adds deprecation warning for deny-licenses option if set', () => {
|
||||
const config = {...defaultConfig, deny_licenses: ['MIT']}
|
||||
|
||||
summary.addSummaryToSummary(
|
||||
emptyChanges,
|
||||
emptyInvalidLicenseChanges,
|
||||
emptyChanges,
|
||||
scorecard,
|
||||
config
|
||||
)
|
||||
const text = core.summary.stringify()
|
||||
|
||||
expect(text).toContain('deny-licenses')
|
||||
})
|
||||
|
||||
test('returns minimal summary formatted for posting as a PR comment', () => {
|
||||
const OLD_ENV = process.env
|
||||
|
||||
const changes: Changes = [
|
||||
createTestChange({name: 'lodash', version: '1.2.3'}),
|
||||
createTestChange({name: 'colors', version: '2.3.4'}),
|
||||
createTestChange({name: '@foo/bar', version: '*'})
|
||||
]
|
||||
|
||||
process.env.GITHUB_SERVER_URL = 'https://github.com'
|
||||
process.env.GITHUB_REPOSITORY = 'owner/repo'
|
||||
process.env.GITHUB_RUN_ID = 'abc-123-xyz'
|
||||
|
||||
const minSummary: string = summary.addSummaryToSummary(
|
||||
changes,
|
||||
emptyInvalidLicenseChanges,
|
||||
emptyChanges,
|
||||
scorecard,
|
||||
defaultConfig
|
||||
)
|
||||
|
||||
process.env = OLD_ENV
|
||||
|
||||
// note: no Actions context values in unit test env
|
||||
const expected = `
|
||||
# Dependency Review
|
||||
The following issues were found:
|
||||
* ❌ 3 vulnerable package(s)
|
||||
* ✅ 0 package(s) with incompatible licenses
|
||||
* ✅ 0 package(s) with invalid SPDX license definitions
|
||||
* ✅ 0 package(s) with unknown licenses.
|
||||
|
||||
[View full job summary](https://github.com/owner/repo/actions/runs/abc-123-xyz)
|
||||
`.trim()
|
||||
|
||||
expect(minSummary).toEqual(expected)
|
||||
})
|
||||
|
||||
test('only includes "No vulnerabilities or license issues found"-message if both are configured and nothing was found', () => {
|
||||
summary.addSummaryToSummary(
|
||||
emptyChanges,
|
||||
@@ -158,14 +238,10 @@ test('groups dependencies with empty manifest paths together', () => {
|
||||
emptyScorecard,
|
||||
defaultConfig
|
||||
)
|
||||
summary.addScannedDependencies(changesWithEmptyManifests)
|
||||
summary.addScannedFiles(changesWithEmptyManifests)
|
||||
const text = core.summary.stringify()
|
||||
|
||||
expect(text).toContain('<summary>Unnamed Manifest</summary>')
|
||||
expect(text).toContain('castore')
|
||||
expect(text).toContain('connection')
|
||||
expect(text).toContain('<summary>python/dist-info/METADATA</summary>')
|
||||
expect(text).toContain('pygments')
|
||||
expect(text).toContain('Unnamed Manifest')
|
||||
expect(text).toContain('python/dist-info/METADATA')
|
||||
})
|
||||
|
||||
test('does not include status section if nothing was found', () => {
|
||||
@@ -253,19 +329,19 @@ test('uses checkmarks for vulnerabilities if only license issues were found', ()
|
||||
expect(text).toContain('✅ 0 package(s) with unknown licenses')
|
||||
})
|
||||
|
||||
test('addChangeVulnerabilitiesToSummary() - only includes section if any vulnerabilites found', () => {
|
||||
summary.addChangeVulnerabilitiesToSummary(emptyChanges, 'low')
|
||||
test('addChangeVulnerabilitiesToSummary() - only includes section if any vulnerabilities found', async () => {
|
||||
await summary.addChangeVulnerabilitiesToSummary(emptyChanges, 'low')
|
||||
const text = core.summary.stringify()
|
||||
expect(text).toEqual('')
|
||||
})
|
||||
|
||||
test('addChangeVulnerabilitiesToSummary() - includes all vulnerabilities', () => {
|
||||
test('addChangeVulnerabilitiesToSummary() - includes all vulnerabilities', async () => {
|
||||
const changes = [
|
||||
createTestChange({name: 'lodash'}),
|
||||
createTestChange({name: 'underscore', package_url: 'test-url'})
|
||||
]
|
||||
|
||||
summary.addChangeVulnerabilitiesToSummary(changes, 'low')
|
||||
await summary.addChangeVulnerabilitiesToSummary(changes, 'low')
|
||||
|
||||
const text = core.summary.stringify()
|
||||
expect(text).toContain('<h2>Vulnerabilities</h2>')
|
||||
@@ -273,7 +349,7 @@ test('addChangeVulnerabilitiesToSummary() - includes all vulnerabilities', () =>
|
||||
expect(text).toContain('underscore')
|
||||
})
|
||||
|
||||
test('addChangeVulnerabilitiesToSummary() - includes advisory url if available', () => {
|
||||
test('addChangeVulnerabilitiesToSummary() - includes advisory url if available', async () => {
|
||||
const changes = [
|
||||
createTestChange({
|
||||
name: 'underscore',
|
||||
@@ -286,14 +362,14 @@ test('addChangeVulnerabilitiesToSummary() - includes advisory url if available',
|
||||
})
|
||||
]
|
||||
|
||||
summary.addChangeVulnerabilitiesToSummary(changes, 'low')
|
||||
await summary.addChangeVulnerabilitiesToSummary(changes, 'low')
|
||||
|
||||
const text = core.summary.stringify()
|
||||
expect(text).toContain('lodash')
|
||||
expect(text).toContain('<a href="test-url">test-summary</a>')
|
||||
})
|
||||
|
||||
test('addChangeVulnerabilitiesToSummary() - groups vulnerabilities of a single package', () => {
|
||||
test('addChangeVulnerabilitiesToSummary() - groups vulnerabilities of a single package', async () => {
|
||||
const changes = [
|
||||
createTestChange({
|
||||
name: 'package-with-multiple-vulnerabilities',
|
||||
@@ -304,7 +380,7 @@ test('addChangeVulnerabilitiesToSummary() - groups vulnerabilities of a single p
|
||||
})
|
||||
]
|
||||
|
||||
summary.addChangeVulnerabilitiesToSummary(changes, 'low')
|
||||
await summary.addChangeVulnerabilitiesToSummary(changes, 'low')
|
||||
|
||||
const text = core.summary.stringify()
|
||||
expect(text.match('package-with-multiple-vulnerabilities')).toHaveLength(1)
|
||||
@@ -312,10 +388,10 @@ test('addChangeVulnerabilitiesToSummary() - groups vulnerabilities of a single p
|
||||
expect(text).toContain('test-summary-2')
|
||||
})
|
||||
|
||||
test('addChangeVulnerabilitiesToSummary() - prints severity statement if above low', () => {
|
||||
test('addChangeVulnerabilitiesToSummary() - prints severity statement if above low', async () => {
|
||||
const changes = [createTestChange()]
|
||||
|
||||
summary.addChangeVulnerabilitiesToSummary(changes, 'medium')
|
||||
await summary.addChangeVulnerabilitiesToSummary(changes, 'medium')
|
||||
|
||||
const text = core.summary.stringify()
|
||||
expect(text).toContain(
|
||||
@@ -323,15 +399,79 @@ test('addChangeVulnerabilitiesToSummary() - prints severity statement if above l
|
||||
)
|
||||
})
|
||||
|
||||
test('addChangeVulnerabilitiesToSummary() - does not print severity statment if it is set to "low"', () => {
|
||||
test('addChangeVulnerabilitiesToSummary() - does not print severity statement if it is set to "low"', async () => {
|
||||
const changes = [createTestChange()]
|
||||
|
||||
summary.addChangeVulnerabilitiesToSummary(changes, 'low')
|
||||
await summary.addChangeVulnerabilitiesToSummary(changes, 'low')
|
||||
|
||||
const text = core.summary.stringify()
|
||||
expect(text).not.toContain('Only included vulnerabilities')
|
||||
})
|
||||
|
||||
test('addChangeVulnerabilitiesToSummary() - does not include patched version column by default', async () => {
|
||||
const changes = [createTestChange()]
|
||||
|
||||
await summary.addChangeVulnerabilitiesToSummary(changes, 'low')
|
||||
|
||||
const text = core.summary.stringify()
|
||||
expect(text).not.toContain('Patched Version')
|
||||
})
|
||||
|
||||
test('addChangeVulnerabilitiesToSummary() - includes patched version column when enabled', async () => {
|
||||
const changes = [createTestChange()]
|
||||
|
||||
await summary.addChangeVulnerabilitiesToSummary(changes, 'low', true)
|
||||
|
||||
const text = core.summary.stringify()
|
||||
expect(text).toContain('Patched Version')
|
||||
})
|
||||
|
||||
test('addChangeVulnerabilitiesToSummary() - skips patched version on GHES even when enabled', async () => {
|
||||
const originalUrl = process.env.GITHUB_SERVER_URL
|
||||
process.env.GITHUB_SERVER_URL = 'https://ghes.example.com'
|
||||
const warnSpy = jest.spyOn(core, 'warning')
|
||||
|
||||
const changes = [createTestChange()]
|
||||
await summary.addChangeVulnerabilitiesToSummary(changes, 'low', true)
|
||||
|
||||
const text = core.summary.stringify()
|
||||
expect(text).not.toContain('Patched Version')
|
||||
expect(warnSpy).toHaveBeenCalledWith(
|
||||
'show-patched-versions is not supported on GitHub Enterprise Server. The Patched Version column will be omitted.'
|
||||
)
|
||||
expect(mockOctokitRequest).not.toHaveBeenCalled()
|
||||
|
||||
process.env.GITHUB_SERVER_URL = originalUrl
|
||||
})
|
||||
|
||||
test('addChangeVulnerabilitiesToSummary() - works normally on GHES when patched versions disabled', async () => {
|
||||
const originalUrl = process.env.GITHUB_SERVER_URL
|
||||
process.env.GITHUB_SERVER_URL = 'https://ghes.example.com'
|
||||
|
||||
const changes = [createTestChange()]
|
||||
await summary.addChangeVulnerabilitiesToSummary(changes, 'low', false)
|
||||
|
||||
const text = core.summary.stringify()
|
||||
expect(text).not.toContain('Patched Version')
|
||||
expect(mockOctokitRequest).not.toHaveBeenCalled()
|
||||
|
||||
process.env.GITHUB_SERVER_URL = originalUrl
|
||||
})
|
||||
|
||||
test('addChangeVulnerabilitiesToSummary() - works normally on GHES with default (no third arg)', async () => {
|
||||
const originalUrl = process.env.GITHUB_SERVER_URL
|
||||
process.env.GITHUB_SERVER_URL = 'https://ghes.example.com'
|
||||
|
||||
const changes = [createTestChange()]
|
||||
await summary.addChangeVulnerabilitiesToSummary(changes, 'low')
|
||||
|
||||
const text = core.summary.stringify()
|
||||
expect(text).not.toContain('Patched Version')
|
||||
expect(mockOctokitRequest).not.toHaveBeenCalled()
|
||||
|
||||
process.env.GITHUB_SERVER_URL = originalUrl
|
||||
})
|
||||
|
||||
test('addLicensesToSummary() - does not include entire section if no license issues found', () => {
|
||||
summary.addLicensesToSummary(emptyInvalidLicenseChanges, defaultConfig)
|
||||
const text = core.summary.stringify()
|
||||
@@ -402,7 +542,9 @@ test('addLicensesToSummary() - includes list of configured allowed licenses', ()
|
||||
summary.addLicensesToSummary(licenseIssues, config)
|
||||
|
||||
const text = core.summary.stringify()
|
||||
expect(text).toContain('<strong>Allowed Licenses</strong>: MIT, Apache-2.0')
|
||||
expect(text).toContain(
|
||||
'<details><summary><strong>Allowed Licenses</strong>:</summary> MIT, Apache-2.0</details>'
|
||||
)
|
||||
})
|
||||
|
||||
test('addLicensesToSummary() - includes configured denied license', () => {
|
||||
@@ -414,11 +556,323 @@ test('addLicensesToSummary() - includes configured denied license', () => {
|
||||
|
||||
const config: ConfigurationOptions = {
|
||||
...defaultConfig,
|
||||
deny_licenses: ['MIT']
|
||||
deny_licenses: ['MIT', 'Apache-2.0']
|
||||
}
|
||||
|
||||
summary.addLicensesToSummary(licenseIssues, config)
|
||||
|
||||
const text = core.summary.stringify()
|
||||
expect(text).toContain('<strong>Denied Licenses</strong>: MIT')
|
||||
expect(text).toContain(
|
||||
'<details><summary><strong>Denied Licenses</strong>:</summary> MIT, Apache-2.0</details>'
|
||||
)
|
||||
})
|
||||
|
||||
test('addLicensesToSummary() - includes allowed dependency licences', () => {
|
||||
const licenseIssues = {
|
||||
forbidden: [createTestChange()],
|
||||
unresolved: [],
|
||||
unlicensed: []
|
||||
}
|
||||
|
||||
const config: ConfigurationOptions = {
|
||||
...defaultConfig,
|
||||
allow_dependencies_licenses: ['MIT', 'Apache-2.0']
|
||||
}
|
||||
|
||||
summary.addLicensesToSummary(licenseIssues, config)
|
||||
|
||||
const text = core.summary.stringify()
|
||||
expect(text).toContain(
|
||||
'<details><summary><strong>Excluded from license check</strong>:</summary> MIT, Apache-2.0</details>'
|
||||
)
|
||||
})
|
||||
|
||||
test('addChangeVulnerabilitiesToSummary() - handles multiple version ranges for same package', async () => {
|
||||
// Simulates GHSA-gwq6-fmvp-qp68 scenario with multiple version ranges
|
||||
const pkg8 = createTestChange({
|
||||
ecosystem: 'nuget',
|
||||
name: 'Microsoft.NetCore.App.Runtime.linux-arm',
|
||||
version: '8.0.1',
|
||||
vulnerabilities: [
|
||||
createTestVulnerability({
|
||||
advisory_ghsa_id: 'GHSA-test-multi',
|
||||
advisory_summary: 'Test Multi-Range Advisory',
|
||||
severity: 'high'
|
||||
})
|
||||
]
|
||||
})
|
||||
|
||||
const pkg9 = createTestChange({
|
||||
ecosystem: 'nuget',
|
||||
name: 'Microsoft.NetCore.App.Runtime.linux-arm',
|
||||
version: '9.0.1',
|
||||
vulnerabilities: [
|
||||
createTestVulnerability({
|
||||
advisory_ghsa_id: 'GHSA-test-multi',
|
||||
advisory_summary: 'Test Multi-Range Advisory',
|
||||
severity: 'high'
|
||||
})
|
||||
]
|
||||
})
|
||||
|
||||
// Mock API response with multiple version ranges for same package
|
||||
mockOctokitRequest.mockResolvedValueOnce({
|
||||
data: {
|
||||
vulnerabilities: [
|
||||
{
|
||||
package: {
|
||||
ecosystem: 'NuGet',
|
||||
name: 'Microsoft.NetCore.App.Runtime.linux-arm'
|
||||
},
|
||||
vulnerable_version_range: '>= 8.0.0, <= 8.0.20',
|
||||
first_patched_version: '8.0.21'
|
||||
},
|
||||
{
|
||||
package: {
|
||||
ecosystem: 'NuGet',
|
||||
name: 'Microsoft.NetCore.App.Runtime.linux-arm'
|
||||
},
|
||||
vulnerable_version_range: '>= 9.0.0, <= 9.0.9',
|
||||
first_patched_version: '9.0.10'
|
||||
}
|
||||
]
|
||||
}
|
||||
})
|
||||
|
||||
const changes = [pkg8, pkg9]
|
||||
await summary.addChangeVulnerabilitiesToSummary(changes, 'low', true)
|
||||
|
||||
const text = core.summary.stringify()
|
||||
|
||||
// Both packages should have correct patched versions based on their version ranges
|
||||
expect(text).toContain('8.0.21')
|
||||
expect(text).toContain('9.0.10')
|
||||
expect(mockOctokitRequest).toHaveBeenCalledWith('GET /advisories/{ghsa_id}', {
|
||||
ghsa_id: 'GHSA-test-multi'
|
||||
})
|
||||
})
|
||||
|
||||
test('addChangeVulnerabilitiesToSummary() - handles RestSharp GHSA-4rr6-2v9v-wcpc case', async () => {
|
||||
const pkg = createTestChange({
|
||||
ecosystem: 'nuget',
|
||||
name: 'RestSharp',
|
||||
version: '111.4.1',
|
||||
vulnerabilities: [
|
||||
createTestVulnerability({
|
||||
advisory_ghsa_id: 'GHSA-4rr6-2v9v-wcpc',
|
||||
advisory_summary:
|
||||
"CRLF Injection in RestSharp's `RestRequest.AddHeader` method",
|
||||
severity: 'moderate'
|
||||
})
|
||||
]
|
||||
})
|
||||
|
||||
// Mock API response matching actual GitHub Advisory Database response
|
||||
mockOctokitRequest.mockResolvedValueOnce({
|
||||
data: {
|
||||
vulnerabilities: [
|
||||
{
|
||||
package: {
|
||||
ecosystem: 'nuget',
|
||||
name: 'RestSharp'
|
||||
},
|
||||
vulnerable_version_range: '>= 107.0.0-preview.1, < 112.0.0',
|
||||
first_patched_version: '112.0.0'
|
||||
}
|
||||
]
|
||||
}
|
||||
})
|
||||
|
||||
const changes = [pkg]
|
||||
await summary.addChangeVulnerabilitiesToSummary(changes, 'low', true)
|
||||
|
||||
const text = core.summary.stringify()
|
||||
|
||||
// Should show the correct patched version
|
||||
expect(text).toContain('112.0.0')
|
||||
expect(text).not.toContain('N/A')
|
||||
expect(mockOctokitRequest).toHaveBeenCalledWith('GET /advisories/{ghsa_id}', {
|
||||
ghsa_id: 'GHSA-4rr6-2v9v-wcpc'
|
||||
})
|
||||
})
|
||||
|
||||
test('addChangeVulnerabilitiesToSummary() - handles version coercion for non-strict semver versions', async () => {
|
||||
// Test that versions like "8.0" (without patch version) can be coerced to "8.0.0"
|
||||
// for successful range matching in fail-open mode (patch selection)
|
||||
const pkg = createTestChange({
|
||||
ecosystem: 'npm',
|
||||
name: 'test-package',
|
||||
version: '8.0', // Non-strict semver version
|
||||
vulnerabilities: [
|
||||
createTestVulnerability({
|
||||
advisory_ghsa_id: 'GHSA-test-1234',
|
||||
advisory_summary: 'Test vulnerability',
|
||||
severity: 'high'
|
||||
})
|
||||
]
|
||||
})
|
||||
|
||||
mockOctokitRequest.mockResolvedValueOnce({
|
||||
data: {
|
||||
vulnerabilities: [
|
||||
{
|
||||
package: {
|
||||
ecosystem: 'npm',
|
||||
name: 'test-package'
|
||||
},
|
||||
vulnerable_version_range: '>= 8.0.0, < 9.0.0',
|
||||
first_patched_version: '9.0.0'
|
||||
}
|
||||
]
|
||||
}
|
||||
})
|
||||
|
||||
const changes = [pkg]
|
||||
await summary.addChangeVulnerabilitiesToSummary(changes, 'low', true)
|
||||
|
||||
const text = core.summary.stringify()
|
||||
|
||||
// Should coerce "8.0" to "8.0.0" and successfully match the range,
|
||||
// showing the patched version instead of N/A
|
||||
expect(text).toContain('9.0.0')
|
||||
expect(text).not.toContain('N/A')
|
||||
})
|
||||
|
||||
test('addChangeVulnerabilitiesToSummary() - handles invalid versions in fail-open mode', async () => {
|
||||
// Test that completely invalid versions that can't be coerced
|
||||
// still return N/A gracefully in fail-open mode
|
||||
const pkg = createTestChange({
|
||||
ecosystem: 'npm',
|
||||
name: 'test-package',
|
||||
version: 'invalid-version-string',
|
||||
vulnerabilities: [
|
||||
createTestVulnerability({
|
||||
advisory_ghsa_id: 'GHSA-test-5678',
|
||||
advisory_summary: 'Test vulnerability',
|
||||
severity: 'high'
|
||||
})
|
||||
]
|
||||
})
|
||||
|
||||
mockOctokitRequest.mockResolvedValueOnce({
|
||||
data: {
|
||||
vulnerabilities: [
|
||||
{
|
||||
package: {
|
||||
ecosystem: 'npm',
|
||||
name: 'test-package'
|
||||
},
|
||||
vulnerable_version_range: '>= 1.0.0, < 2.0.0',
|
||||
first_patched_version: '2.0.0'
|
||||
}
|
||||
]
|
||||
}
|
||||
})
|
||||
|
||||
const changes = [pkg]
|
||||
await summary.addChangeVulnerabilitiesToSummary(changes, 'low', true)
|
||||
|
||||
const text = core.summary.stringify()
|
||||
|
||||
// Should show N/A since version can't be coerced or matched
|
||||
expect(text).toContain('N/A')
|
||||
})
|
||||
|
||||
test('addChangeVulnerabilitiesToSummary() - respects concurrency limit for API calls', async () => {
|
||||
// Create 15 packages with different vulnerabilities to test concurrency limiting
|
||||
const packages = Array.from({length: 15}, (_, i) =>
|
||||
createTestChange({
|
||||
ecosystem: 'npm',
|
||||
name: `package-${i}`,
|
||||
version: '1.0.0',
|
||||
vulnerabilities: [
|
||||
createTestVulnerability({
|
||||
advisory_ghsa_id: `GHSA-test-${i.toString().padStart(4, '0')}`,
|
||||
advisory_summary: `Vulnerability ${i}`,
|
||||
severity: 'high'
|
||||
})
|
||||
]
|
||||
})
|
||||
)
|
||||
|
||||
// Track concurrent calls
|
||||
let maxConcurrent = 0
|
||||
let currentConcurrent = 0
|
||||
|
||||
mockOctokitRequest.mockImplementation(async () => {
|
||||
currentConcurrent++
|
||||
maxConcurrent = Math.max(maxConcurrent, currentConcurrent)
|
||||
|
||||
// Simulate async API call with a small deterministic delay
|
||||
await new Promise(resolve => setTimeout(resolve, 5))
|
||||
|
||||
currentConcurrent--
|
||||
|
||||
return {
|
||||
data: {
|
||||
vulnerabilities: [
|
||||
{
|
||||
package: {ecosystem: 'npm', name: 'test'},
|
||||
vulnerable_version_range: '>= 1.0.0, < 2.0.0',
|
||||
first_patched_version: '2.0.0'
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
})
|
||||
|
||||
await summary.addChangeVulnerabilitiesToSummary(packages, 'low', true)
|
||||
|
||||
// Verify that concurrency limit (10) was respected
|
||||
expect(maxConcurrent).toBeLessThanOrEqual(10)
|
||||
// Verify all 15 unique advisories were fetched
|
||||
expect(mockOctokitRequest).toHaveBeenCalledTimes(15)
|
||||
})
|
||||
|
||||
test('addChangeVulnerabilitiesToSummary() - completes all tasks even with varying durations', async () => {
|
||||
// Test that promise pool doesn't lose tasks when some complete faster than others
|
||||
const packages = Array.from({length: 20}, (_, i) =>
|
||||
createTestChange({
|
||||
ecosystem: 'npm',
|
||||
name: `package-${i}`,
|
||||
version: '1.0.0',
|
||||
vulnerabilities: [
|
||||
createTestVulnerability({
|
||||
advisory_ghsa_id: `GHSA-vary-${i.toString().padStart(4, '0')}`,
|
||||
advisory_summary: `Vulnerability ${i}`,
|
||||
severity: 'high'
|
||||
})
|
||||
]
|
||||
})
|
||||
)
|
||||
|
||||
const completedAdvisories = new Set<string>()
|
||||
|
||||
mockOctokitRequest.mockImplementation(
|
||||
async (path: string, params: {ghsa_id: string}) => {
|
||||
// Variable delay to simulate real-world API response times
|
||||
const delay = Math.random() * 50
|
||||
await new Promise(resolve => setTimeout(resolve, delay))
|
||||
|
||||
completedAdvisories.add(params.ghsa_id)
|
||||
|
||||
return {
|
||||
data: {
|
||||
vulnerabilities: [
|
||||
{
|
||||
package: {ecosystem: 'npm', name: 'test'},
|
||||
vulnerable_version_range: '>= 1.0.0, < 2.0.0',
|
||||
first_patched_version: '2.0.0'
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
)
|
||||
|
||||
await summary.addChangeVulnerabilitiesToSummary(packages, 'low', true)
|
||||
|
||||
// Verify all 20 unique advisories were fetched and completed
|
||||
expect(completedAdvisories.size).toBe(20)
|
||||
expect(mockOctokitRequest).toHaveBeenCalledTimes(20)
|
||||
})
|
||||
|
||||
@@ -11,6 +11,7 @@ export function clearInputs(): void {
|
||||
'FAIL-ON-SEVERITY',
|
||||
'FAIL-ON-SCOPES',
|
||||
'ALLOW-LICENSES',
|
||||
'ALLOW-DEPENDENCIES-LICENSES',
|
||||
'DENY-LICENSES',
|
||||
'ALLOW-GHSAS',
|
||||
'LICENSE-CHECK',
|
||||
@@ -19,7 +20,9 @@ export function clearInputs(): void {
|
||||
'BASE-REF',
|
||||
'HEAD-REF',
|
||||
'COMMENT-SUMMARY-IN-PR',
|
||||
'WARN-ONLY'
|
||||
'WARN-ONLY',
|
||||
'DENY-GROUPS',
|
||||
'DENY-PACKAGES'
|
||||
]
|
||||
|
||||
// eslint-disable-next-line github/array-foreach
|
||||
|
||||
+16
-10
@@ -1,5 +1,13 @@
|
||||
# Avoid using default values for options here since they will
|
||||
# end up overriding external configurations.
|
||||
# IMPORTANT
|
||||
#
|
||||
# Avoid setting default values for configuration options in
|
||||
# this file, they will overwrite external configurations.
|
||||
#
|
||||
# If you are trying to find out the default value for a config
|
||||
# option please take a look at the README or src/schemas.ts.
|
||||
#
|
||||
# If you are adding an option, make sure the Zod definition
|
||||
# contains a default value.
|
||||
name: 'Dependency Review'
|
||||
description: 'Prevent the introduction of dependencies with known vulnerabilities'
|
||||
author: 'GitHub'
|
||||
@@ -45,34 +53,32 @@ inputs:
|
||||
description: A boolean to determine if vulnerability checks should be performed
|
||||
required: false
|
||||
comment-summary-in-pr:
|
||||
description: Determines if the summary is posted as a comment in the PR itself. Setting this to `always` or `on-failure` requires you to give the workflow the write permissions for pull-requests
|
||||
description: "Determines if the summary is posted as a comment in the PR itself. Setting this to `always` or `on-failure` requires you to give the workflow `pull-requests: write` permissions"
|
||||
required: false
|
||||
deny-packages:
|
||||
description: A comma-separated list of package URLs to deny (e.g. "pkg:npm/express, pkg:pypi/pycrypto")
|
||||
description: A comma-separated list of package URLs to deny (e.g. "pkg:npm/express, pkg:pypi/pycrypto"). If version specified, only deny matching packages and version; else, deny all regardless of version.
|
||||
required: false
|
||||
deny-groups:
|
||||
description: A comma-separated list of package URLs for group(s)/namespace(s) to deny (e.g. "pkg:npm/express, pkg:pypi/pycrypto")
|
||||
description: A comma-separated list of package URLs for group(s)/namespace(s) to deny (e.g. "pkg:npm/express/, pkg:pypi/pycrypto/"). Please note that the group name must be followed by a `/`.
|
||||
required: false
|
||||
retry-on-snapshot-warnings:
|
||||
description: Whether to retry on snapshot warnings
|
||||
required: false
|
||||
default: false
|
||||
retry-on-snapshot-warnings-timeout:
|
||||
description: Number of seconds to wait before stopping snapshot retries.
|
||||
required: false
|
||||
default: 120
|
||||
warn-only:
|
||||
description: When set to `true` this action will always complete with success, overriding the `fail-on-severity` parameter.
|
||||
required: false
|
||||
default: false
|
||||
show-openssf-scorecard:
|
||||
description: Show a summary of the OpenSSF Scorecard scores.
|
||||
required: false
|
||||
default: true
|
||||
warn-on-openssf-scorecard-level:
|
||||
description: Numeric threshold for the OpenSSF Scorecard score. If the score is below this threshold, the action will warn you.
|
||||
required: false
|
||||
default: 3
|
||||
show-patched-versions:
|
||||
description: When set to `true`, the vulnerability summary table will include a column showing the first patched version for each vulnerability.
|
||||
required: false
|
||||
outputs:
|
||||
comment-content:
|
||||
description: Prepared dependency report comment
|
||||
|
||||
+130873
-4265
File diff suppressed because one or more lines are too long
+1
-1
File diff suppressed because one or more lines are too long
+2863
-41
File diff suppressed because it is too large
Load Diff
+1
-1
File diff suppressed because one or more lines are too long
+13
-12
@@ -1,10 +1,10 @@
|
||||
# Examples on how to use the Dependency Review Action
|
||||
# Examples of how to use the Dependency Review Action
|
||||
|
||||
## Basic Usage
|
||||
|
||||
A very basic example of how to use the action. This will run the action with the default configuration.
|
||||
|
||||
The full list of configuration options can be found [here](../README.md#configuration-options).
|
||||
See the [full list of configuration options](../README.md#configuration-options).
|
||||
|
||||
```yaml
|
||||
name: 'Dependency Review'
|
||||
@@ -89,7 +89,7 @@ The following example will use a configuration file from an external public GitH
|
||||
|
||||
Let's say that the configuration file is located in `github/octorepo/dependency-review-config.yml@main`
|
||||
|
||||
The Dependancy Review Action workflow file will then look like this:
|
||||
The Dependency Review Action workflow file will then look like this:
|
||||
|
||||
```yaml
|
||||
name: 'Dependency Review'
|
||||
@@ -112,11 +112,11 @@ jobs:
|
||||
|
||||
## Using a configuration file from an external repository with a personal access token
|
||||
|
||||
The following example will use a configuration file from an external private GtiHub repository to configure the action.
|
||||
The following example will use a configuration file from an external private GitHub repository to configure the action.
|
||||
|
||||
Let's say that the configuration file is located in `github/octorepo-private/dependency-review-config.yml@main`
|
||||
|
||||
The Dependancy Review Action workflow file will then look like this:
|
||||
The Dependency Review Action workflow file will then look like this:
|
||||
|
||||
```yaml
|
||||
name: 'Dependency Review'
|
||||
@@ -167,7 +167,7 @@ jobs:
|
||||
## Getting the results of the action in a later step
|
||||
|
||||
- `comment-content` contains the output of the results comment for the entire run.
|
||||
`dependency-changes`, `vulnerable-changes`, `invalid-license-changes` and `denied-changes` are all JSON objects that allow you to access individual sets of changes.
|
||||
`dependency-changes`, `vulnerable-changes`, `invalid-license-changes` and `denied-changes` are all JSON objects that allow you to access individual sets of changes.
|
||||
|
||||
```yaml
|
||||
name: 'Dependency Review'
|
||||
@@ -233,7 +233,7 @@ jobs:
|
||||
fail-on-severity: critical
|
||||
deny-licenses: LGPL-2.0, BSD-2-Clause
|
||||
comment-summary-in-pr: always
|
||||
allow-dependencies-licenses: 'pkg:npm/loadash, pkg:pypi/requests'
|
||||
allow-dependencies-licenses: 'pkg:npm/lodash, pkg:pypi/requests'
|
||||
```
|
||||
|
||||
If we were to use configuration file, the configuration would look like this:
|
||||
@@ -244,7 +244,7 @@ allow-licenses:
|
||||
- 'LGPL-2.0'
|
||||
- 'BSD-2-Clause'
|
||||
allow-dependencies-licenses:
|
||||
- 'pkg:npm/loadash'
|
||||
- 'pkg:npm/lodash'
|
||||
- 'pkg:pypi/requests'
|
||||
```
|
||||
|
||||
@@ -276,10 +276,11 @@ jobs:
|
||||
|
||||
## Exclude dependencies from their name or groups
|
||||
|
||||
Using the `deny-packages` option you can exclude dependencies by their PURL. You can add multiple values separated by a commas.
|
||||
With the `deny-packages` option, you can exclude dependencies based on their PURL (Package URL). If a specific version is provided, the action will deny packages matching that version. When no version is specified, the action treats it as a wildcard, denying all matching packages regardless of version. Multiple values can be added, separated by commas.
|
||||
|
||||
Using the `deny-groups` option you can exclude dependencies by their group name/namespace. You can add multiple values separated by a comma.
|
||||
|
||||
In this example, we are excluding `pkg:maven/org.apache.logging.log4j:log4j-api` and `pkg:maven/org.apache.logging.log4j/log4j-core` from `maven` and all packages in the group `pkg:maven/com.bazaarvoice.maven`
|
||||
In this example, we are excluding all versions of `pkg:maven/org.apache.logging.log4j:log4j-api` and only `2.23.0` of log4j-core `pkg:maven/org.apache.logging.log4j/log4j-core@2.23.0` from `maven` and all packages in the group `pkg:maven/com.bazaarvoice.maven/`
|
||||
|
||||
```yaml
|
||||
name: 'Dependency Review'
|
||||
@@ -298,8 +299,8 @@ jobs:
|
||||
- name: 'Dependency Review'
|
||||
uses: actions/dependency-review-action@v4
|
||||
with:
|
||||
deny-packages: 'pkg:maven/org.apache.logging.log4j/log4j-api,pkg:maven/org.apache.logging.log4j/log4j-core'
|
||||
deny-groups: 'pkg:maven/com.bazaarvoice.jolt'
|
||||
deny-packages: 'pkg:maven/org.apache.logging.log4j/log4j-api,pkg:maven/org.apache.logging.log4j/log4j-core@2.23.0'
|
||||
deny-groups: 'pkg:maven/com.bazaarvoice.jolt/'
|
||||
```
|
||||
|
||||
## Waiting for dependency submission jobs to complete
|
||||
|
||||
Generated
+2442
-931
File diff suppressed because it is too large
Load Diff
+30
-24
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"name": "dependency-review-action",
|
||||
"version": "4.2.3",
|
||||
"version": "4.9.0",
|
||||
"private": true,
|
||||
"description": "A GitHub Action for Dependency Review",
|
||||
"main": "lib/main.js",
|
||||
@@ -25,37 +25,43 @@
|
||||
"author": "GitHub",
|
||||
"license": "MIT",
|
||||
"dependencies": {
|
||||
"@actions/core": "^1.10.1",
|
||||
"@actions/github": "^6.0.0",
|
||||
"@octokit/plugin-retry": "^6.0.1",
|
||||
"@octokit/request-error": "^5.0.1",
|
||||
"@types/jest": "^29.5.12",
|
||||
"@actions/artifact": "^5.0.1",
|
||||
"@actions/core": "^1.11.1",
|
||||
"@actions/github": "^6.0.1",
|
||||
"@octokit/plugin-retry": "^6.1.0",
|
||||
"@octokit/request-error": "^5.1.1",
|
||||
"@octokit/types": "12.5.0",
|
||||
"@onebeyond/spdx-license-satisfies": "^1.0.1",
|
||||
"ansi-styles": "^6.2.1",
|
||||
"got": "^14.2.0",
|
||||
"got": "^14.4.7",
|
||||
"jest": "^29.7.0",
|
||||
"octokit": "^3.1.2",
|
||||
"packageurl-js": "^1.2.0",
|
||||
"spdx-expression-parse": "^3.0.1",
|
||||
"spdx-satisfies": "^5.0.1",
|
||||
"ts-jest": "^29.1.2",
|
||||
"yaml": "^2.3.4",
|
||||
"zod": "^3.22.3"
|
||||
"semver": "^7.7.4",
|
||||
"spdx-expression-parse": "^4.0.0",
|
||||
"spdx-satisfies": "^6.0.0",
|
||||
"ts-jest": "^29.4.1",
|
||||
"yaml": "^2.8.1",
|
||||
"zod": "^3.24.1"
|
||||
},
|
||||
"devDependencies": {
|
||||
"@types/jest": "^29.5.14",
|
||||
"@types/node": "^20",
|
||||
"@types/spdx-expression-parse": "^3.0.4",
|
||||
"@types/spdx-satisfies": "^0.1.1",
|
||||
"@typescript-eslint/eslint-plugin": "^6.21.0",
|
||||
"@typescript-eslint/parser": "^6.21.0",
|
||||
"@vercel/ncc": "^0.38.0",
|
||||
"esbuild-register": "^3.5.0",
|
||||
"eslint": "^8.56.0",
|
||||
"eslint-plugin-github": "^4.10.1",
|
||||
"eslint-plugin-jest": "^27.9.0",
|
||||
"eslint-plugin-prettier": "^5.1.3",
|
||||
"js-yaml": "^4.1.0",
|
||||
"nodemon": "^3.1.0",
|
||||
"prettier": "3.2.5",
|
||||
"typescript": "^5.3.3"
|
||||
"@vercel/ncc": "^0.38.3",
|
||||
"esbuild-register": "^3.6.0",
|
||||
"eslint": "^8.57.0",
|
||||
"eslint-plugin-github": "^4.10.2",
|
||||
"eslint-plugin-jest": "^28.8.3",
|
||||
"eslint-plugin-prettier": "^5.5.4",
|
||||
"js-yaml": "^4.1.1",
|
||||
"nodemon": "^3.1.10",
|
||||
"prettier": "3.6.2",
|
||||
"typescript": "^5.9.2"
|
||||
},
|
||||
"overrides": {
|
||||
"cross-spawn": ">=7.0.5",
|
||||
"@octokit/request-error@5.0.1": "5.1.1"
|
||||
}
|
||||
}
|
||||
|
||||
@@ -35,7 +35,8 @@ const defaultConfig: ConfigurationOptions = {
|
||||
retry_on_snapshot_warnings_timeout: 120,
|
||||
warn_only: false,
|
||||
warn_on_openssf_scorecard_level: 3,
|
||||
show_openssf_scorecard: true
|
||||
show_openssf_scorecard: true,
|
||||
show_patched_versions: false
|
||||
}
|
||||
|
||||
const scorecard: Scorecard = {
|
||||
@@ -130,7 +131,7 @@ async function createSummary(
|
||||
scorecard,
|
||||
config
|
||||
)
|
||||
summary.addChangeVulnerabilitiesToSummary(
|
||||
await summary.addChangeVulnerabilitiesToSummary(
|
||||
vulnerabilities,
|
||||
config.fail_on_severity
|
||||
)
|
||||
@@ -143,7 +144,7 @@ async function createSummary(
|
||||
...licenseIssues.unlicensed
|
||||
]
|
||||
|
||||
summary.addScannedDependencies(allChanges)
|
||||
summary.addScannedFiles(allChanges)
|
||||
|
||||
const text = core.summary.stringify()
|
||||
await fs.promises.writeFile(path.resolve(tmpDir, fileName), text, {
|
||||
|
||||
+5
-84
@@ -1,87 +1,8 @@
|
||||
#!/usr/bin/env ruby
|
||||
require 'json'
|
||||
require 'tempfile'
|
||||
require 'open3'
|
||||
require 'bundler/inline'
|
||||
require 'optparse'
|
||||
|
||||
gemfile do
|
||||
source 'https://rubygems.org'
|
||||
gem 'octokit'
|
||||
end
|
||||
# Load the scan_pr library
|
||||
require_relative 'scan_pr_lib'
|
||||
|
||||
config_file = nil
|
||||
github_token = ENV["GITHUB_TOKEN"]
|
||||
|
||||
if !github_token || github_token.empty?
|
||||
puts "Please set the GITHUB_TOKEN environment variable"
|
||||
exit -1
|
||||
end
|
||||
|
||||
op = OptionParser.new do |opts|
|
||||
usage = <<EOF
|
||||
Run Dependency Review on a repository.
|
||||
|
||||
\e[1mUsage:\e[22m
|
||||
scripts/scan_pr [options] <pr_url>
|
||||
|
||||
\e[1mExample:\e[22m
|
||||
scripts/scan_pr https://github.com/actions/dependency-review-action/pull/294
|
||||
|
||||
EOF
|
||||
|
||||
opts.banner = usage
|
||||
|
||||
opts.on('-c', '--config-file <FILE>', 'Use an external configuration file') do |cf|
|
||||
config_file = cf
|
||||
end
|
||||
|
||||
opts.on("-h", "--help", "Prints this help") do
|
||||
puts opts
|
||||
exit
|
||||
end
|
||||
end
|
||||
|
||||
op.parse!
|
||||
|
||||
# make sure we have a NWO somewhere in the parameters
|
||||
arg = /(?<repo_nwo>[\w\-]+\/[\w\-]+)\/pull\/(?<pr_number>\d+)/.match(ARGV.join(" "))
|
||||
|
||||
if arg.nil?
|
||||
puts op
|
||||
exit -1
|
||||
end
|
||||
|
||||
repo_nwo = arg[:repo_nwo]
|
||||
pr_number = arg[:pr_number]
|
||||
|
||||
octo = Octokit::Client.new(access_token: github_token)
|
||||
pr = octo.pull_request(repo_nwo, pr_number)
|
||||
|
||||
event_file = Tempfile.new
|
||||
event_file.write("{ \"pull_request\": #{pr.to_h.to_json}}")
|
||||
event_file.close
|
||||
|
||||
action_inputs = {
|
||||
"repo-token": github_token,
|
||||
"config-file": config_file
|
||||
}
|
||||
|
||||
dev_cmd_env = {
|
||||
"GITHUB_REPOSITORY" => repo_nwo,
|
||||
"GITHUB_EVENT_NAME" => "pull_request",
|
||||
"GITHUB_EVENT_PATH" => event_file.path,
|
||||
"GITHUB_STEP_SUMMARY" => "/dev/null"
|
||||
}
|
||||
|
||||
# bash does not like variable names with dashes like the ones Actions
|
||||
# uses (e.g. INPUT_REPO-TOKEN). Passing them through `env` instead of
|
||||
# manually setting them does the job.
|
||||
action_inputs_env_str = action_inputs.map { |name, value| "\"INPUT_#{name.upcase}=#{value}\"" }.join(" ")
|
||||
dev_cmd = "./node_modules/.bin/nodemon --exec \"env #{action_inputs_env_str} node -r esbuild-register\" src/main.ts"
|
||||
|
||||
Open3.popen2e(dev_cmd_env, dev_cmd) do |stdin, out|
|
||||
while line = out.gets
|
||||
puts line.gsub(github_token, "<REDACTED>")
|
||||
end
|
||||
end
|
||||
# Create and run the scanner
|
||||
scanner = ScanPr.new
|
||||
scanner.run(ARGV)
|
||||
|
||||
@@ -0,0 +1,128 @@
|
||||
require 'json'
|
||||
require 'tempfile'
|
||||
require 'open3'
|
||||
require 'bundler/inline'
|
||||
require 'optparse'
|
||||
|
||||
gemfile do
|
||||
source 'https://rubygems.org'
|
||||
gem 'octokit'
|
||||
end
|
||||
|
||||
class ScanPr
|
||||
def initialize
|
||||
@config_file = nil
|
||||
@github_token = ENV["GITHUB_TOKEN"]
|
||||
|
||||
validate_token
|
||||
end
|
||||
|
||||
def run(args)
|
||||
parse_options(args)
|
||||
repo_nwo, pr_number = extract_repo_and_pr(args)
|
||||
|
||||
pr = fetch_pull_request(repo_nwo, pr_number)
|
||||
event_file = create_event_file(pr)
|
||||
|
||||
execute_dependency_review(repo_nwo, event_file)
|
||||
ensure
|
||||
event_file&.unlink
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
def validate_token
|
||||
if !@github_token || @github_token.empty?
|
||||
puts "Please set the GITHUB_TOKEN environment variable"
|
||||
exit -1
|
||||
end
|
||||
end
|
||||
|
||||
def parse_options(args)
|
||||
op = OptionParser.new do |opts|
|
||||
usage = <<EOF
|
||||
Run Dependency Review on a repository.
|
||||
|
||||
\e[1mUsage:\e[22m
|
||||
scripts/scan_pr [options] <pr_url>
|
||||
|
||||
\e[1mExample:\e[22m
|
||||
scripts/scan_pr https://github.com/actions/dependency-review-action/pull/294
|
||||
|
||||
EOF
|
||||
|
||||
opts.banner = usage
|
||||
|
||||
opts.on('-c', '--config-file <FILE>', 'Use an external configuration file') do |cf|
|
||||
@config_file = cf
|
||||
end
|
||||
|
||||
opts.on("-h", "--help", "Prints this help") do
|
||||
puts opts
|
||||
exit
|
||||
end
|
||||
end
|
||||
|
||||
op.parse!(args)
|
||||
@option_parser = op
|
||||
end
|
||||
|
||||
def extract_repo_and_pr(args)
|
||||
# make sure we have a NWO somewhere in the parameters
|
||||
arg = /(?<repo_nwo>[\w\-]+\/[\w\-]+)\/pull\/(?<pr_number>\d+)/.match(args.join(" "))
|
||||
|
||||
if arg.nil?
|
||||
puts @option_parser
|
||||
exit -1
|
||||
end
|
||||
|
||||
[arg[:repo_nwo], arg[:pr_number]]
|
||||
end
|
||||
|
||||
def fetch_pull_request(repo_nwo, pr_number)
|
||||
octo = Octokit::Client.new(access_token: @github_token)
|
||||
octo.pull_request(repo_nwo, pr_number)
|
||||
end
|
||||
|
||||
def create_event_file(pr)
|
||||
event_file = Tempfile.new
|
||||
event_file.write("{ \"pull_request\": #{pr.to_h.to_json}}")
|
||||
event_file.close
|
||||
event_file
|
||||
end
|
||||
|
||||
def execute_dependency_review(repo_nwo, event_file)
|
||||
action_inputs = {
|
||||
"repo-token": @github_token,
|
||||
"config-file": @config_file
|
||||
}
|
||||
|
||||
dev_cmd_env = {
|
||||
"GITHUB_REPOSITORY" => repo_nwo,
|
||||
"GITHUB_EVENT_NAME" => "pull_request",
|
||||
"GITHUB_EVENT_PATH" => event_file.path,
|
||||
"GITHUB_STEP_SUMMARY" => "/dev/null"
|
||||
}
|
||||
|
||||
# Merge action inputs into environment, formatting keys as INPUT_...
|
||||
action_inputs_env = action_inputs.each_with_object({}) do |(name, value), h|
|
||||
h["INPUT_#{name.to_s.upcase}"] = value unless value.nil?
|
||||
end
|
||||
env = dev_cmd_env.merge(action_inputs_env)
|
||||
|
||||
dev_cmd = [
|
||||
"./node_modules/.bin/nodemon",
|
||||
"--exec",
|
||||
"node",
|
||||
"-r",
|
||||
"esbuild-register",
|
||||
"src/main.ts"
|
||||
]
|
||||
|
||||
Open3.popen2e(env, *dev_cmd) do |stdin, out|
|
||||
while line = out.gets
|
||||
puts line.gsub(@github_token, "<REDACTED>")
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
+6
-8
@@ -5,6 +5,8 @@ import * as retry from '@octokit/plugin-retry'
|
||||
import {RequestError} from '@octokit/request-error'
|
||||
import {ConfigurationOptions} from './schemas'
|
||||
|
||||
export const MAX_COMMENT_LENGTH = 65536
|
||||
|
||||
const retryingOctokit = githubUtils.GitHub.plugin(retry.retry)
|
||||
const octo = new retryingOctokit(
|
||||
githubUtils.getOctokitOptions(core.getInput('repo-token', {required: true}))
|
||||
@@ -14,18 +16,14 @@ const octo = new retryingOctokit(
|
||||
const COMMENT_MARKER = '<!-- dependency-review-pr-comment-marker -->'
|
||||
|
||||
export async function commentPr(
|
||||
summary: typeof core.summary,
|
||||
config: ConfigurationOptions
|
||||
commentContent: string,
|
||||
config: ConfigurationOptions,
|
||||
issueFound: boolean
|
||||
): Promise<void> {
|
||||
const commentContent = summary.stringify()
|
||||
|
||||
core.setOutput('comment-content', commentContent)
|
||||
|
||||
if (
|
||||
!(
|
||||
config.comment_summary_in_pr === 'always' ||
|
||||
(config.comment_summary_in_pr === 'on-failure' &&
|
||||
process.exitCode === core.ExitCode.Failure)
|
||||
(config.comment_summary_in_pr === 'on-failure' && issueFound)
|
||||
)
|
||||
) {
|
||||
return
|
||||
|
||||
+9
-27
@@ -4,8 +4,8 @@ import YAML from 'yaml'
|
||||
import * as core from '@actions/core'
|
||||
import * as z from 'zod'
|
||||
import {ConfigurationOptions, ConfigurationOptionsSchema} from './schemas'
|
||||
import {isSPDXValid, octokitClient} from './utils'
|
||||
import {PackageURL} from 'packageurl-js'
|
||||
import {octokitClient} from './utils'
|
||||
import {isValid} from './spdx'
|
||||
|
||||
type ConfigurationOptionsPartial = Partial<ConfigurationOptions>
|
||||
|
||||
@@ -52,8 +52,8 @@ function readInlineConfig(): ConfigurationOptionsPartial {
|
||||
const warn_on_openssf_scorecard_level = getOptionalNumber(
|
||||
'warn-on-openssf-scorecard-level'
|
||||
)
|
||||
const show_patched_versions = getOptionalBoolean('show-patched-versions')
|
||||
|
||||
validatePURL(allow_dependencies_licenses)
|
||||
validateLicenses('allow-licenses', allow_licenses)
|
||||
validateLicenses('deny-licenses', deny_licenses)
|
||||
|
||||
@@ -75,7 +75,8 @@ function readInlineConfig(): ConfigurationOptionsPartial {
|
||||
retry_on_snapshot_warnings_timeout,
|
||||
warn_only,
|
||||
show_openssf_scorecard,
|
||||
warn_on_openssf_scorecard_level
|
||||
warn_on_openssf_scorecard_level,
|
||||
show_patched_versions
|
||||
}
|
||||
|
||||
return Object.fromEntries(
|
||||
@@ -115,10 +116,12 @@ function validateLicenses(
|
||||
return
|
||||
}
|
||||
|
||||
const invalid_licenses = licenses.filter(license => !isSPDXValid(license))
|
||||
const invalid_licenses = licenses.filter(license => !isValid(license))
|
||||
|
||||
if (invalid_licenses.length > 0) {
|
||||
throw new Error(`Invalid license(s) in ${key}: ${invalid_licenses}`)
|
||||
throw new Error(
|
||||
`Invalid license(s) in ${key}: ${invalid_licenses.join(', ')}`
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -184,11 +187,6 @@ function parseConfigFile(configData: string): ConfigurationOptionsPartial {
|
||||
validateLicenses(key, data[key])
|
||||
}
|
||||
|
||||
// validate purls from the allow-dependencies-licenses
|
||||
if (key === 'allow-dependencies-licenses') {
|
||||
validatePURL(data[key])
|
||||
}
|
||||
|
||||
// get rid of the ugly dashes from the actions conventions
|
||||
if (key.includes('-')) {
|
||||
data[key.replace(/-/g, '_')] = data[key]
|
||||
@@ -227,19 +225,3 @@ async function getRemoteConfig(configOpts: {
|
||||
throw new Error('Error fetching remote config file')
|
||||
}
|
||||
}
|
||||
function validatePURL(allow_dependencies_licenses: string[] | undefined): void {
|
||||
//validate that the provided elements of the string are in valid purl format
|
||||
if (allow_dependencies_licenses === undefined) {
|
||||
return
|
||||
}
|
||||
const invalid_purls = allow_dependencies_licenses.filter(
|
||||
purl => !PackageURL.fromString(purl)
|
||||
)
|
||||
|
||||
if (invalid_purls.length > 0) {
|
||||
throw new Error(
|
||||
`Invalid purl(s) in allow-dependencies-licenses: ${invalid_purls}`
|
||||
)
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
+33
-24
@@ -1,42 +1,51 @@
|
||||
import {Change} from './schemas'
|
||||
import * as core from '@actions/core'
|
||||
import {Change} from './schemas'
|
||||
import {PackageURL, parsePURL} from './purl'
|
||||
|
||||
export async function getDeniedChanges(
|
||||
changes: Change[],
|
||||
deniedPackages: string[],
|
||||
deniedGroups: string[]
|
||||
deniedPackages: PackageURL[] = [],
|
||||
deniedGroups: PackageURL[] = []
|
||||
): Promise<Change[]> {
|
||||
const changesDenied: Change[] = []
|
||||
|
||||
let failed = false
|
||||
for (const change of changes) {
|
||||
change.name = change.name.toLowerCase()
|
||||
const packageUrl = change.package_url.toLowerCase().split('@')[0]
|
||||
if (change.change_type === 'removed') {
|
||||
continue
|
||||
}
|
||||
|
||||
if (deniedPackages) {
|
||||
for (const denied of deniedPackages) {
|
||||
if (packageUrl === denied.split('@')[0].toLowerCase()) {
|
||||
changesDenied.push(change)
|
||||
failed = true
|
||||
}
|
||||
for (const denied of deniedPackages) {
|
||||
if (
|
||||
(!denied.version || change.version === denied.version) &&
|
||||
change.name === denied.name
|
||||
) {
|
||||
changesDenied.push(change)
|
||||
}
|
||||
}
|
||||
|
||||
if (deniedGroups) {
|
||||
for (const denied of deniedGroups) {
|
||||
if (packageUrl.startsWith(denied.toLowerCase())) {
|
||||
changesDenied.push(change)
|
||||
failed = true
|
||||
}
|
||||
for (const denied of deniedGroups) {
|
||||
const namespace = getNamespace(change)
|
||||
if (!denied.namespace) {
|
||||
core.error(
|
||||
`Denied group represented by '${denied.original}' does not have a namespace. The format should be 'pkg:<type>/<namespace>/'.`
|
||||
)
|
||||
}
|
||||
if (namespace && namespace === denied.namespace) {
|
||||
changesDenied.push(change)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (failed) {
|
||||
core.setFailed('Dependency review detected denied packages.')
|
||||
} else {
|
||||
core.info('Dependency review did not detect any denied packages')
|
||||
}
|
||||
|
||||
return changesDenied
|
||||
}
|
||||
|
||||
export const getNamespace = (change: Change): string | null => {
|
||||
if (change.package_url) {
|
||||
return parsePURL(change.package_url).namespace
|
||||
}
|
||||
const matches = change.name.match(/([^:/]+)[:/]/)
|
||||
if (matches && matches.length > 1) {
|
||||
return matches[1]
|
||||
}
|
||||
return null
|
||||
}
|
||||
|
||||
+25
-12
@@ -1,40 +1,53 @@
|
||||
import {PullRequestSchema, ConfigurationOptions} from './schemas'
|
||||
import {
|
||||
PullRequestSchema,
|
||||
ConfigurationOptions,
|
||||
MergeGroupSchema
|
||||
} from './schemas'
|
||||
|
||||
export function getRefs(
|
||||
config: ConfigurationOptions,
|
||||
context: {payload: {pull_request?: unknown}; eventName: string}
|
||||
context: {
|
||||
payload: {pull_request?: unknown; merge_group?: unknown}
|
||||
eventName: string
|
||||
}
|
||||
): {base: string; head: string} {
|
||||
let base_ref = config.base_ref
|
||||
let head_ref = config.head_ref
|
||||
|
||||
// If possible, source default base & head refs from the GitHub event.
|
||||
// The base/head ref from the config take priority, if provided.
|
||||
if (
|
||||
context.eventName === 'pull_request' ||
|
||||
context.eventName === 'pull_request_target'
|
||||
) {
|
||||
const pull_request = PullRequestSchema.parse(context.payload.pull_request)
|
||||
base_ref = base_ref || pull_request.base.sha
|
||||
head_ref = head_ref || pull_request.head.sha
|
||||
if (!base_ref && !head_ref) {
|
||||
if (
|
||||
context.eventName === 'pull_request' ||
|
||||
context.eventName === 'pull_request_target'
|
||||
) {
|
||||
const pull_request = PullRequestSchema.parse(context.payload.pull_request)
|
||||
base_ref = base_ref || pull_request.base.sha
|
||||
head_ref = head_ref || pull_request.head.sha
|
||||
} else if (context.eventName === 'merge_group') {
|
||||
const merge_group = MergeGroupSchema.parse(context.payload.merge_group)
|
||||
base_ref = base_ref || merge_group.base_sha
|
||||
head_ref = head_ref || merge_group.head_sha
|
||||
}
|
||||
}
|
||||
|
||||
if (!base_ref && !head_ref) {
|
||||
throw new Error(
|
||||
'Both a base ref and head ref must be provided, either via the `base_ref`/`head_ref` ' +
|
||||
'config options, `base-ref`/`head-ref` workflow action options, or by running a ' +
|
||||
'`pull_request`/`pull_request_target` workflow.'
|
||||
'`pull_request`/`pull_request_target`/`merge_group` workflow.'
|
||||
)
|
||||
} else if (!base_ref) {
|
||||
throw new Error(
|
||||
'A base ref must be provided, either via the `base_ref` config option, ' +
|
||||
'`base-ref` workflow action option, or by running a ' +
|
||||
'`pull_request`/`pull_request_target` workflow.'
|
||||
'`pull_request`/`pull_request_target`/`merge_group` workflow.'
|
||||
)
|
||||
} else if (!head_ref) {
|
||||
throw new Error(
|
||||
'A head ref must be provided, either via the `head_ref` config option, ' +
|
||||
'`head-ref` workflow action option, or by running a ' +
|
||||
'or by running a `pull_request`/`pull_request_target` workflow.'
|
||||
'or by running a `pull_request`/`pull_request_target`/`merge_group` workflow.'
|
||||
)
|
||||
}
|
||||
|
||||
|
||||
+60
-45
@@ -1,7 +1,7 @@
|
||||
import spdxSatisfies from 'spdx-satisfies'
|
||||
import {Change, Changes} from './schemas'
|
||||
import {isSPDXValid, octokitClient} from './utils'
|
||||
import {PackageURL} from 'packageurl-js'
|
||||
import {octokitClient} from './utils'
|
||||
import {parsePURL, PackageURL, purlsMatch} from './purl'
|
||||
import * as spdx from './spdx'
|
||||
|
||||
/**
|
||||
* Loops through a list of changes, filtering and returning the
|
||||
@@ -29,43 +29,24 @@ export async function getInvalidLicenseChanges(
|
||||
licenseExclusions?: string[]
|
||||
}
|
||||
): Promise<InvalidLicenseChanges> {
|
||||
const {allow, deny} = licenses
|
||||
const deny = licenses.deny
|
||||
let allow = licenses.allow
|
||||
|
||||
// Filter out elements of the allow list that include AND
|
||||
// or OR because the list should be simple license IDs and
|
||||
// not expressions.
|
||||
allow = allow?.filter(license => {
|
||||
return !license.includes(' AND ') && !license.includes(' OR ')
|
||||
})
|
||||
|
||||
const licenseExclusions = licenses.licenseExclusions?.map(
|
||||
(pkgUrl: string) => {
|
||||
return PackageURL.fromString(encodeURI(pkgUrl))
|
||||
return parsePURL(pkgUrl)
|
||||
}
|
||||
)
|
||||
|
||||
const groupedChanges = await groupChanges(changes)
|
||||
const groupedChanges = await groupChanges(changes, licenseExclusions)
|
||||
|
||||
// Takes the changes from the groupedChanges object and filters out the ones that are part of the exclusions list
|
||||
// It does by creating a new PackageURL object from the change and comparing it to the exclusions list
|
||||
groupedChanges.licensed = groupedChanges.licensed.filter(change => {
|
||||
if (change.package_url.length === 0) {
|
||||
return true
|
||||
}
|
||||
|
||||
const changeAsPackageURL = PackageURL.fromString(
|
||||
encodeURI(change.package_url)
|
||||
)
|
||||
|
||||
// We want to find if the licenseExclussion list contains the PackageURL of the Change
|
||||
// If it does, we want to filter it out and therefore return false
|
||||
// If it doesn't, we want to keep it and therefore return true
|
||||
if (
|
||||
licenseExclusions !== null &&
|
||||
licenseExclusions !== undefined &&
|
||||
licenseExclusions.findIndex(
|
||||
exclusion =>
|
||||
exclusion.type === changeAsPackageURL.type &&
|
||||
exclusion.name === changeAsPackageURL.name
|
||||
) !== -1
|
||||
) {
|
||||
return false
|
||||
} else {
|
||||
return true
|
||||
}
|
||||
})
|
||||
const licensedChanges: Changes = groupedChanges.licensed
|
||||
|
||||
const invalidLicenseChanges: InvalidLicenseChanges = {
|
||||
@@ -89,15 +70,19 @@ export async function getInvalidLicenseChanges(
|
||||
} else if (validityCache.get(license) === undefined) {
|
||||
try {
|
||||
if (allow !== undefined) {
|
||||
const found = allow.find(spdxExpression =>
|
||||
spdxSatisfies(license, spdxExpression)
|
||||
)
|
||||
validityCache.set(license, found !== undefined)
|
||||
if (spdx.isValid(license)) {
|
||||
const found = spdx.satisfies(license, allow)
|
||||
validityCache.set(license, found)
|
||||
} else {
|
||||
invalidLicenseChanges.unresolved.push(change)
|
||||
}
|
||||
} else if (deny !== undefined) {
|
||||
const found = deny.find(spdxExpression =>
|
||||
spdxSatisfies(license, spdxExpression)
|
||||
)
|
||||
validityCache.set(license, found === undefined)
|
||||
if (spdx.isValid(license)) {
|
||||
const found = spdx.satisfiesAny(license, deny)
|
||||
validityCache.set(license, !found)
|
||||
} else {
|
||||
invalidLicenseChanges.unresolved.push(change)
|
||||
}
|
||||
}
|
||||
} catch (err) {
|
||||
invalidLicenseChanges.unresolved.push(change)
|
||||
@@ -163,22 +148,52 @@ const setGHLicenses = async (changes: Change[]): Promise<Change[]> => {
|
||||
|
||||
return Promise.all(updatedChanges)
|
||||
}
|
||||
|
||||
// Currently Dependency Graph licenses are truncated to 255 characters
|
||||
// This possibly makes them invalid spdx ids
|
||||
const truncatedDGLicense = (license: string): boolean =>
|
||||
license.length === 255 && !isSPDXValid(license)
|
||||
license.length === 255 && !spdx.isValid(license)
|
||||
|
||||
async function groupChanges(
|
||||
changes: Changes
|
||||
changes: Changes,
|
||||
licenseExclusions: PackageURL[] | null = null
|
||||
): Promise<Record<string, Changes>> {
|
||||
const result: Record<string, Changes> = {
|
||||
licensed: [],
|
||||
unlicensed: []
|
||||
}
|
||||
|
||||
let candidateChanges = changes
|
||||
|
||||
// If a package is excluded from license checking, we don't bother trying to
|
||||
// fetch the license for it and we leave it off of the `licensed` and
|
||||
// `unlicensed` lists.
|
||||
if (licenseExclusions !== null && licenseExclusions !== undefined) {
|
||||
candidateChanges = candidateChanges.filter(change => {
|
||||
if (change.package_url.length === 0) {
|
||||
return true
|
||||
}
|
||||
|
||||
const changeAsPackageURL = parsePURL(change.package_url)
|
||||
|
||||
// We want to find if the licenseExclusion list contains the PackageURL of the Change
|
||||
// If it does, we want to filter it out and therefore return false
|
||||
// If it doesn't, we want to keep it and therefore return true
|
||||
if (
|
||||
licenseExclusions.findIndex(exclusion =>
|
||||
purlsMatch(exclusion, changeAsPackageURL)
|
||||
) !== -1
|
||||
) {
|
||||
return false
|
||||
} else {
|
||||
return true
|
||||
}
|
||||
})
|
||||
}
|
||||
|
||||
const ghChanges = []
|
||||
|
||||
for (const change of changes) {
|
||||
for (const change of candidateChanges) {
|
||||
if (change.change_type === 'removed') {
|
||||
continue
|
||||
}
|
||||
|
||||
+169
-31
@@ -22,8 +22,12 @@ import * as summary from './summary'
|
||||
import {getRefs} from './git-refs'
|
||||
|
||||
import {groupDependenciesByManifest} from './utils'
|
||||
import {commentPr} from './comment-pr'
|
||||
import {commentPr, MAX_COMMENT_LENGTH} from './comment-pr'
|
||||
import {getDeniedChanges} from './deny'
|
||||
import {DefaultArtifactClient} from '@actions/artifact'
|
||||
import * as fs from 'fs'
|
||||
|
||||
import type {PayloadRepository} from '@actions/github/lib/interfaces.d'
|
||||
|
||||
async function delay(ms: number): Promise<void> {
|
||||
return new Promise(resolve => setTimeout(resolve, ms))
|
||||
@@ -61,6 +65,62 @@ async function getComparison(
|
||||
return comparison
|
||||
}
|
||||
|
||||
export async function handleLargeSummary(
|
||||
summaryContent: string
|
||||
): Promise<string> {
|
||||
const MAX_SUMMARY_SIZE = 1024 * 1024 // 1024k in bytes
|
||||
if (Buffer.byteLength(summaryContent, 'utf8') <= MAX_SUMMARY_SIZE) {
|
||||
return summaryContent
|
||||
}
|
||||
|
||||
const summarySize = Math.round(
|
||||
Buffer.byteLength(summaryContent, 'utf8') / 1024
|
||||
)
|
||||
const truncatedSummary = `# Dependency Review Summary
|
||||
|
||||
The full dependency review summary was too large to display here (${summarySize}KB, limit is 1024KB).`
|
||||
|
||||
const artifactClient = new DefaultArtifactClient()
|
||||
const artifactName = 'dependency-review-summary'
|
||||
const files = ['summary.md']
|
||||
|
||||
try {
|
||||
// Write the summary to a file
|
||||
await fs.promises.writeFile('summary.md', summaryContent)
|
||||
|
||||
// Upload the artifact
|
||||
await artifactClient.uploadArtifact(artifactName, files, '.', {
|
||||
retentionDays: 1
|
||||
})
|
||||
|
||||
// Return a shorter summary with a link to the artifact
|
||||
const shortSummary = `${truncatedSummary}
|
||||
|
||||
Please download the artifact named "${artifactName}" to view the complete report.
|
||||
|
||||
[View full job summary](${process.env.GITHUB_SERVER_URL}/${process.env.GITHUB_REPOSITORY}/actions/runs/${process.env.GITHUB_RUN_ID})`
|
||||
|
||||
// Set core.summary to the shorter summary value to avoid exceeding MAX_SUMMARY_SIZE
|
||||
core.summary.emptyBuffer()
|
||||
core.summary.addRaw(shortSummary)
|
||||
return shortSummary
|
||||
} catch (error) {
|
||||
core.warning(
|
||||
`Failed to upload large summary as artifact: ${error instanceof Error ? error.message : 'Unknown error'}`
|
||||
)
|
||||
// Even though artifact upload failed, we must still replace the buffer
|
||||
// with a truncated summary to prevent core.summary.write() from failing
|
||||
// with the oversized content (see issue #867)
|
||||
core.summary.emptyBuffer()
|
||||
core.summary.addRaw(truncatedSummary)
|
||||
return truncatedSummary
|
||||
}
|
||||
}
|
||||
|
||||
interface RepoWithPrivate extends PayloadRepository {
|
||||
private: boolean
|
||||
}
|
||||
|
||||
async function run(): Promise<void> {
|
||||
try {
|
||||
const config = await readConfig()
|
||||
@@ -125,9 +185,14 @@ async function run(): Promise<void> {
|
||||
config.deny_groups
|
||||
)
|
||||
|
||||
const scorecard = await getScorecardLevels(filteredChanges)
|
||||
// generate informational scorecard entries for all added changes in the PR
|
||||
let scorecard: Scorecard = {dependencies: []}
|
||||
if (config.show_openssf_scorecard) {
|
||||
const scorecardChanges = getScorecardChanges(changes)
|
||||
scorecard = await getScorecardLevels(scorecardChanges)
|
||||
}
|
||||
|
||||
summary.addSummaryToSummary(
|
||||
const minSummary = summary.addSummaryToSummary(
|
||||
vulnerableChanges,
|
||||
invalidLicenseChanges,
|
||||
deniedChanges,
|
||||
@@ -139,10 +204,20 @@ async function run(): Promise<void> {
|
||||
summary.addSnapshotWarnings(config, snapshot_warnings)
|
||||
}
|
||||
|
||||
let issueFound = false
|
||||
|
||||
if (config.vulnerability_check) {
|
||||
core.setOutput('vulnerable-changes', JSON.stringify(vulnerableChanges))
|
||||
summary.addChangeVulnerabilitiesToSummary(vulnerableChanges, minSeverity)
|
||||
printVulnerabilitiesBlock(vulnerableChanges, minSeverity, warnOnly)
|
||||
await summary.addChangeVulnerabilitiesToSummary(
|
||||
vulnerableChanges,
|
||||
minSeverity,
|
||||
config.show_patched_versions
|
||||
)
|
||||
issueFound ||= await printVulnerabilitiesBlock(
|
||||
vulnerableChanges,
|
||||
minSeverity,
|
||||
warnOnly
|
||||
)
|
||||
}
|
||||
if (config.license_check) {
|
||||
core.setOutput(
|
||||
@@ -150,12 +225,12 @@ async function run(): Promise<void> {
|
||||
JSON.stringify(invalidLicenseChanges)
|
||||
)
|
||||
summary.addLicensesToSummary(invalidLicenseChanges, config)
|
||||
printLicensesBlock(invalidLicenseChanges, warnOnly)
|
||||
issueFound ||= await printLicensesBlock(invalidLicenseChanges, warnOnly)
|
||||
}
|
||||
if (config.deny_packages || config.deny_groups) {
|
||||
core.setOutput('denied-changes', JSON.stringify(deniedChanges))
|
||||
summary.addDeniedToSummary(deniedChanges)
|
||||
printDeniedDependencies(deniedChanges, config)
|
||||
issueFound ||= await printDeniedDependencies(deniedChanges, config)
|
||||
}
|
||||
if (config.show_openssf_scorecard) {
|
||||
summary.addScorecardToSummary(scorecard, config)
|
||||
@@ -164,18 +239,46 @@ async function run(): Promise<void> {
|
||||
}
|
||||
|
||||
core.setOutput('dependency-changes', JSON.stringify(changes))
|
||||
summary.addScannedDependencies(changes)
|
||||
summary.addScannedFiles(changes)
|
||||
printScannedDependencies(changes)
|
||||
await commentPr(core.summary, config)
|
||||
|
||||
// include full summary in output; Actions will truncate if oversized
|
||||
let rendered = core.summary.stringify()
|
||||
core.setOutput('comment-content', rendered)
|
||||
|
||||
// Handle large summaries by uploading as artifact
|
||||
rendered = await handleLargeSummary(rendered)
|
||||
|
||||
// if the summary is oversized, replace with minimal version
|
||||
if (rendered.length >= MAX_COMMENT_LENGTH) {
|
||||
core.debug(
|
||||
'The comment was too big for the GitHub API. Falling back on a minimum comment'
|
||||
)
|
||||
rendered = minSummary
|
||||
}
|
||||
|
||||
// update the PR comment if needed with the right-sized summary
|
||||
await commentPr(rendered, config, issueFound)
|
||||
} catch (error) {
|
||||
if (error instanceof RequestError && error.status === 404) {
|
||||
core.setFailed(
|
||||
`Dependency review could not obtain dependency data for the specified owner, repository, or revision range.`
|
||||
)
|
||||
} else if (error instanceof RequestError && error.status === 403) {
|
||||
core.setFailed(
|
||||
`Dependency review is not supported on this repository. Please ensure that Dependency graph is enabled along with GitHub Advanced Security on private repositories, see https://github.com/${github.context.repo.owner}/${github.context.repo.repo}/settings/security_analysis`
|
||||
)
|
||||
let repoIsPrivate = false
|
||||
if ('repository' in github.context.payload) {
|
||||
const repo = github.context.payload.repository as RepoWithPrivate
|
||||
repoIsPrivate = repo.private
|
||||
}
|
||||
if (repoIsPrivate) {
|
||||
core.setFailed(
|
||||
`Dependency review is not supported on this repository. Please ensure that Dependency graph is enabled along with GitHub Advanced Security, see ${github.context.serverUrl}/${github.context.repo.owner}/${github.context.repo.repo}/settings/security_analysis`
|
||||
)
|
||||
} else {
|
||||
core.setFailed(
|
||||
`Dependency review is not supported on this repository. Please ensure that Dependency graph is enabled, see ${github.context.serverUrl}/${github.context.repo.owner}/${github.context.repo.repo}/settings/security_analysis`
|
||||
)
|
||||
}
|
||||
} else {
|
||||
if (error instanceof Error) {
|
||||
core.setFailed(error.message)
|
||||
@@ -184,25 +287,29 @@ async function run(): Promise<void> {
|
||||
}
|
||||
}
|
||||
} finally {
|
||||
await core.summary.write()
|
||||
try {
|
||||
await core.summary.write()
|
||||
} catch (error) {
|
||||
core.warning(
|
||||
`Failed to write job summary: ${error instanceof Error ? error.message : 'Unknown error'}`
|
||||
)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
function printVulnerabilitiesBlock(
|
||||
async function printVulnerabilitiesBlock(
|
||||
addedChanges: Changes,
|
||||
minSeverity: Severity,
|
||||
warnOnly: boolean
|
||||
): void {
|
||||
let vulFound = false
|
||||
core.group('Vulnerabilities', async () => {
|
||||
if (addedChanges.length > 0) {
|
||||
for (const change of addedChanges) {
|
||||
printChangeVulnerabilities(change)
|
||||
}
|
||||
vulFound = true
|
||||
): Promise<boolean> {
|
||||
return core.group('Vulnerabilities', async () => {
|
||||
let vulnFound = false
|
||||
|
||||
for (const change of addedChanges) {
|
||||
vulnFound ||= printChangeVulnerabilities(change)
|
||||
}
|
||||
|
||||
if (vulFound) {
|
||||
if (vulnFound) {
|
||||
const msg = 'Dependency review detected vulnerable packages.'
|
||||
if (warnOnly) {
|
||||
core.warning(msg)
|
||||
@@ -214,10 +321,12 @@ function printVulnerabilitiesBlock(
|
||||
`Dependency review did not detect any vulnerable packages with severity level "${minSeverity}" or higher.`
|
||||
)
|
||||
}
|
||||
|
||||
return vulnFound
|
||||
})
|
||||
}
|
||||
|
||||
function printChangeVulnerabilities(change: Change): void {
|
||||
function printChangeVulnerabilities(change: Change): boolean {
|
||||
for (const vuln of change.vulnerabilities) {
|
||||
core.info(
|
||||
`${styles.bold.open}${change.manifest} » ${change.name}@${
|
||||
@@ -228,14 +337,18 @@ function printChangeVulnerabilities(change: Change): void {
|
||||
)
|
||||
core.info(` ↪ ${vuln.advisory_url}`)
|
||||
}
|
||||
return change.vulnerabilities.length > 0
|
||||
}
|
||||
|
||||
function printLicensesBlock(
|
||||
async function printLicensesBlock(
|
||||
invalidLicenseChanges: Record<string, Changes>,
|
||||
warnOnly: boolean
|
||||
): void {
|
||||
core.group('Licenses', async () => {
|
||||
): Promise<boolean> {
|
||||
return core.group('Licenses', async () => {
|
||||
let issueFound = false
|
||||
|
||||
if (invalidLicenseChanges.forbidden.length > 0) {
|
||||
issueFound = true
|
||||
core.info('\nThe following dependencies have incompatible licenses:')
|
||||
printLicensesError(invalidLicenseChanges.forbidden)
|
||||
const msg = 'Dependency review detected incompatible licenses.'
|
||||
@@ -246,6 +359,7 @@ function printLicensesBlock(
|
||||
}
|
||||
}
|
||||
if (invalidLicenseChanges.unresolved.length > 0) {
|
||||
issueFound = true
|
||||
core.warning(
|
||||
'\nThe validity of the licenses of the dependencies below could not be determined. Ensure that they are valid SPDX licenses:'
|
||||
)
|
||||
@@ -255,6 +369,8 @@ function printLicensesBlock(
|
||||
)
|
||||
}
|
||||
printNullLicenses(invalidLicenseChanges.unlicensed)
|
||||
|
||||
return issueFound
|
||||
})
|
||||
}
|
||||
|
||||
@@ -354,11 +470,13 @@ function printScannedDependencies(changes: Changes): void {
|
||||
})
|
||||
}
|
||||
|
||||
function printDeniedDependencies(
|
||||
changes: Change[],
|
||||
async function printDeniedDependencies(
|
||||
changes: Changes,
|
||||
config: ConfigurationOptions
|
||||
): void {
|
||||
core.group('Denied', async () => {
|
||||
): Promise<boolean> {
|
||||
return core.group('Denied', async () => {
|
||||
let issueFound = false
|
||||
|
||||
for (const denied of config.deny_packages) {
|
||||
core.info(`Config: ${denied}`)
|
||||
}
|
||||
@@ -367,9 +485,29 @@ function printDeniedDependencies(
|
||||
core.info(`Change: ${change.name}@${change.version} is denied`)
|
||||
core.info(`Change: ${change.package_url} is denied`)
|
||||
}
|
||||
|
||||
if (changes.length > 0) {
|
||||
issueFound = true
|
||||
core.setFailed('Dependency review detected denied packages.')
|
||||
} else {
|
||||
core.info('Dependency review did not detect any denied packages')
|
||||
}
|
||||
|
||||
return issueFound
|
||||
})
|
||||
}
|
||||
|
||||
function getScorecardChanges(changes: Changes): Changes {
|
||||
const out: Changes = []
|
||||
for (const change of changes) {
|
||||
if (change.change_type === 'added') {
|
||||
out.push(change)
|
||||
}
|
||||
}
|
||||
|
||||
return out
|
||||
}
|
||||
|
||||
async function createScorecardWarnings(
|
||||
scorecards: Scorecard,
|
||||
config: ConfigurationOptions
|
||||
|
||||
+97
@@ -0,0 +1,97 @@
|
||||
import * as z from 'zod'
|
||||
|
||||
// the basic purl type, containing type, namespace, name, and version.
|
||||
// other than type, all fields are nullable. this is for maximum flexibility
|
||||
// at the cost of strict adherence to the package-url spec.
|
||||
export const PurlSchema = z.object({
|
||||
type: z.string(),
|
||||
namespace: z.string().nullable(),
|
||||
name: z.string().nullable(), // name is nullable for deny-groups
|
||||
version: z.string().nullable(),
|
||||
original: z.string(),
|
||||
error: z.string().nullable()
|
||||
})
|
||||
|
||||
export type PackageURL = z.infer<typeof PurlSchema>
|
||||
|
||||
const PURL_TYPE = /pkg:([a-zA-Z0-9-_]+)\/.*/
|
||||
|
||||
export function parsePURL(purl: string): PackageURL {
|
||||
const result: PackageURL = {
|
||||
type: '',
|
||||
namespace: null,
|
||||
name: null,
|
||||
version: null,
|
||||
original: purl,
|
||||
error: null
|
||||
}
|
||||
if (!purl.startsWith('pkg:')) {
|
||||
result.error = 'package-url must start with "pkg:"'
|
||||
return result
|
||||
}
|
||||
const type = purl.match(PURL_TYPE)
|
||||
if (!type) {
|
||||
result.error = 'package-url must contain a type'
|
||||
return result
|
||||
}
|
||||
result.type = type[1]
|
||||
const parts = purl.split('/')
|
||||
// the first 'part' should be 'pkg:ecosystem'
|
||||
if (parts.length < 2 || !parts[1]) {
|
||||
result.error = 'package-url must contain a namespace or name'
|
||||
return result
|
||||
}
|
||||
let namePlusRest: string
|
||||
if (parts.length === 2) {
|
||||
namePlusRest = parts[1]
|
||||
} else {
|
||||
result.namespace = decodeURIComponent(parts[1])
|
||||
// Add back the '/'s to the rest of the parts, in case there are any more.
|
||||
// This may violate the purl spec, but people do it and it can be parsed
|
||||
// without ambiguity.
|
||||
namePlusRest = parts.slice(2).join('/')
|
||||
}
|
||||
const name = namePlusRest.match(/([^@#?]+)[@#?]?.*/)
|
||||
if (!result.namespace && !name) {
|
||||
result.error = 'package-url must contain a namespace or name'
|
||||
return result
|
||||
}
|
||||
if (!name) {
|
||||
// we're done here
|
||||
return result
|
||||
}
|
||||
result.name = decodeURIComponent(name[1])
|
||||
const version = namePlusRest.match(/@([^#?]+)[#?]?.*/)
|
||||
if (!version) {
|
||||
return result
|
||||
}
|
||||
result.version = decodeURIComponent(version[1])
|
||||
|
||||
// we don't parse subpath or attributes, so we're done here
|
||||
return result
|
||||
}
|
||||
|
||||
// Returns the full name of a package, combining namespace and name.
|
||||
// This normalizes PURLs where the namespace separator '/' may have been
|
||||
// percent-encoded as '%2F', causing it to be parsed as part of the name
|
||||
// rather than splitting namespace and name.
|
||||
function fullName(purl: PackageURL): string | null {
|
||||
if (purl.namespace && purl.name) {
|
||||
return `${purl.namespace}/${purl.name}`
|
||||
}
|
||||
return purl.name ?? purl.namespace
|
||||
}
|
||||
|
||||
// Compare two PackageURLs for equality, ignoring version and normalizing
|
||||
// namespace/name splits. This handles the case where a PURL like
|
||||
// 'pkg:npm/%40scope%2Fname' is parsed as {namespace: null, name: '@scope/name'}
|
||||
// while 'pkg:npm/%40scope/name' is parsed as {namespace: '@scope', name: 'name'}.
|
||||
//
|
||||
// The comparison is case-insensitive because most ecosystems and registries
|
||||
// treat names that way (npm, PyPI, GitHub org/repo names, etc.).
|
||||
export function purlsMatch(a: PackageURL, b: PackageURL): boolean {
|
||||
if (a.type.toLowerCase() !== b.type.toLowerCase()) {
|
||||
return false
|
||||
}
|
||||
return fullName(a)?.toLowerCase() === fullName(b)?.toLowerCase()
|
||||
}
|
||||
+66
-3
@@ -1,10 +1,67 @@
|
||||
import * as z from 'zod'
|
||||
import {parsePURL} from './purl'
|
||||
|
||||
export const SEVERITIES = ['critical', 'high', 'moderate', 'low'] as const
|
||||
export const SCOPES = ['unknown', 'runtime', 'development'] as const
|
||||
|
||||
export const SeveritySchema = z.enum(SEVERITIES).default('low')
|
||||
|
||||
const PackageURL = z
|
||||
.string()
|
||||
.transform(purlString => {
|
||||
return parsePURL(purlString)
|
||||
})
|
||||
.superRefine((purl, context) => {
|
||||
if (purl.error) {
|
||||
context.addIssue({
|
||||
code: z.ZodIssueCode.custom,
|
||||
message: `Error parsing package-url: ${purl.error}`
|
||||
})
|
||||
}
|
||||
if (!purl.name) {
|
||||
context.addIssue({
|
||||
code: z.ZodIssueCode.custom,
|
||||
message: `Error parsing package-url: name is required`
|
||||
})
|
||||
}
|
||||
})
|
||||
|
||||
const PackageURLWithNamespace = z
|
||||
.string()
|
||||
.transform(purlString => {
|
||||
return parsePURL(purlString)
|
||||
})
|
||||
.superRefine((purl, context) => {
|
||||
if (purl.error) {
|
||||
context.addIssue({
|
||||
code: z.ZodIssueCode.custom,
|
||||
message: `Error parsing purl: ${purl.error}`
|
||||
})
|
||||
}
|
||||
if (purl.namespace === null) {
|
||||
context.addIssue({
|
||||
code: z.ZodIssueCode.custom,
|
||||
message: `package-url must have a namespace, and the namespace must be followed by '/'`
|
||||
})
|
||||
}
|
||||
})
|
||||
|
||||
const PackageURLString = z.string().superRefine((value, context) => {
|
||||
const purl = parsePURL(value)
|
||||
if (purl.error) {
|
||||
context.addIssue({
|
||||
code: z.ZodIssueCode.custom,
|
||||
message: `Error parsing package-url: ${purl.error}`
|
||||
})
|
||||
}
|
||||
if (!purl.name) {
|
||||
context.addIssue({
|
||||
code: z.ZodIssueCode.custom,
|
||||
message: `Error parsing package-url: name is required`
|
||||
})
|
||||
}
|
||||
})
|
||||
|
||||
export const ChangeSchema = z.object({
|
||||
change_type: z.enum(['added', 'removed']),
|
||||
manifest: z.string(),
|
||||
@@ -34,16 +91,21 @@ export const PullRequestSchema = z.object({
|
||||
head: z.object({sha: z.string()})
|
||||
})
|
||||
|
||||
export const MergeGroupSchema = z.object({
|
||||
base_sha: z.string(),
|
||||
head_sha: z.string()
|
||||
})
|
||||
|
||||
export const ConfigurationOptionsSchema = z
|
||||
.object({
|
||||
fail_on_severity: SeveritySchema,
|
||||
fail_on_scopes: z.array(z.enum(SCOPES)).default(['runtime']),
|
||||
allow_licenses: z.array(z.string()).optional(),
|
||||
deny_licenses: z.array(z.string()).optional(),
|
||||
allow_dependencies_licenses: z.array(z.string()).optional(),
|
||||
allow_dependencies_licenses: z.array(PackageURLString).optional(),
|
||||
allow_ghsas: z.array(z.string()).default([]),
|
||||
deny_packages: z.array(z.string()).default([]),
|
||||
deny_groups: z.array(z.string()).default([]),
|
||||
deny_packages: z.array(PackageURL).default([]),
|
||||
deny_groups: z.array(PackageURLWithNamespace).default([]),
|
||||
license_check: z.boolean().default(true),
|
||||
vulnerability_check: z.boolean().default(true),
|
||||
config_file: z.string().optional(),
|
||||
@@ -53,6 +115,7 @@ export const ConfigurationOptionsSchema = z
|
||||
retry_on_snapshot_warnings_timeout: z.number().default(120),
|
||||
show_openssf_scorecard: z.boolean().optional().default(true),
|
||||
warn_on_openssf_scorecard_level: z.number().default(3),
|
||||
show_patched_versions: z.boolean().default(false),
|
||||
comment_summary_in_pr: z
|
||||
.union([
|
||||
z.preprocess(
|
||||
|
||||
+11
-3
@@ -17,8 +17,16 @@ export async function getScorecardLevels(
|
||||
repositoryUrl = repositoryUrl.replace('https://', '')
|
||||
}
|
||||
|
||||
// Handle the special case for GitHub Actions, where the repository URL is null
|
||||
if (ecosystem === 'actions') {
|
||||
// The package name for GitHub Actions in the API is in the format `owner/repo/`, so we can use that to get the repository URL
|
||||
// If the package name has more than 2 slashes, it's referencing a sub-action, and we need to strip the last part out
|
||||
const parts = packageName.split('/')
|
||||
repositoryUrl = `github.com/${parts[0]}/${parts[1]}` // e.g. github.com/actions/checkout
|
||||
}
|
||||
|
||||
// If GitHub API doesn't have the repository URL, query deps.dev for it.
|
||||
if (repositoryUrl) {
|
||||
if (!repositoryUrl) {
|
||||
// Call the deps.dev API to get the repository URL from there
|
||||
repositoryUrl = await getProjectUrl(ecosystem, packageName, version)
|
||||
}
|
||||
@@ -41,7 +49,7 @@ export async function getScorecardLevels(
|
||||
}
|
||||
|
||||
async function getScorecard(repositoryUrl: string): Promise<ScorecardApi> {
|
||||
const apiRoot = 'https://api.securityscorecards.dev/'
|
||||
const apiRoot = 'https://api.securityscorecards.dev'
|
||||
let scorecardResponse: ScorecardApi = {} as ScorecardApi
|
||||
|
||||
const url = `${apiRoot}/projects/${repositoryUrl}`
|
||||
@@ -61,7 +69,7 @@ export async function getProjectUrl(
|
||||
): Promise<string> {
|
||||
core.debug(`Getting deps.dev data for ${packageName} ${version}`)
|
||||
const depsDevAPIRoot = 'https://api.deps.dev'
|
||||
const url = `${depsDevAPIRoot}/v3alpha/systems/${ecosystem}/packages/${packageName}/versions/${version}`
|
||||
const url = `${depsDevAPIRoot}/v3/systems/${ecosystem}/packages/${packageName}/versions/${version}`
|
||||
const response = await fetch(url)
|
||||
if (response.ok) {
|
||||
const data = await response.json()
|
||||
|
||||
Vendored
+4
@@ -0,0 +1,4 @@
|
||||
declare module 'spdx-satisfies' {
|
||||
function spdxSatisfies(candidate: string, allowList: string[]): boolean
|
||||
export = spdxSatisfies
|
||||
}
|
||||
+66
@@ -0,0 +1,66 @@
|
||||
import * as spdxlib from '@onebeyond/spdx-license-satisfies'
|
||||
import spdxSatisfies from 'spdx-satisfies'
|
||||
import parse from 'spdx-expression-parse'
|
||||
|
||||
/*
|
||||
* NOTE: spdx-license-satisfies methods depend on spdx-expression-parse
|
||||
* which throws errors in the presence of any syntax trouble, unknown
|
||||
* license tokens, case sensitivity problems etc. to simplify handling
|
||||
* you should pre-screen inputs to the satisfies* methods using isValid
|
||||
*/
|
||||
|
||||
// accepts a pair of well-formed SPDX expressions. the
|
||||
// candidate is tested against the constraint
|
||||
export function satisfies(candidateExpr: string, allowList: string[]): boolean {
|
||||
candidateExpr = cleanInvalidSPDX(candidateExpr)
|
||||
try {
|
||||
return spdxSatisfies(candidateExpr, allowList)
|
||||
} catch (_) {
|
||||
return false
|
||||
}
|
||||
}
|
||||
|
||||
// accepts an SPDX expression and a non-empty list of licenses (not expressions)
|
||||
export function satisfiesAny(
|
||||
candidateExpr: string,
|
||||
licenses: string[]
|
||||
): boolean {
|
||||
candidateExpr = cleanInvalidSPDX(candidateExpr)
|
||||
try {
|
||||
return spdxlib.satisfiesAny(candidateExpr, licenses)
|
||||
} catch (_) {
|
||||
return false
|
||||
}
|
||||
}
|
||||
|
||||
// accepts an SPDX expression and a non-empty list of licenses (not expressions)
|
||||
export function satisfiesAll(
|
||||
candidateExpr: string,
|
||||
licenses: string[]
|
||||
): boolean {
|
||||
candidateExpr = cleanInvalidSPDX(candidateExpr)
|
||||
try {
|
||||
return spdxlib.satisfiesAll(candidateExpr, licenses)
|
||||
} catch (_) {
|
||||
return false
|
||||
}
|
||||
}
|
||||
|
||||
// accepts any SPDX expression
|
||||
export function isValid(spdxExpr: string): boolean {
|
||||
spdxExpr = cleanInvalidSPDX(spdxExpr)
|
||||
try {
|
||||
parse(spdxExpr)
|
||||
return true
|
||||
} catch (_) {
|
||||
return false
|
||||
}
|
||||
}
|
||||
|
||||
const replaceOtherRegex = /(?<![\w-])OTHER(?![\w-])/g
|
||||
|
||||
// adjusts license expressions to not include the invalid `OTHER`
|
||||
// which ClearlyDefined adds to license strings
|
||||
export function cleanInvalidSPDX(spdxExpr: string): string {
|
||||
return spdxExpr.replace(replaceOtherRegex, 'LicenseRef-clearlydefined-OTHER')
|
||||
}
|
||||
+430
-80
@@ -1,8 +1,15 @@
|
||||
import * as core from '@actions/core'
|
||||
import {ConfigurationOptions, Changes, Change, Scorecard} from './schemas'
|
||||
import {SummaryTableRow} from '@actions/core/lib/summary'
|
||||
import {InvalidLicenseChanges, InvalidLicenseChangeTypes} from './licenses'
|
||||
import {groupDependenciesByManifest, getManifestsSet, renderUrl} from './utils'
|
||||
import {Change, Changes, ConfigurationOptions, Scorecard} from './schemas'
|
||||
import {
|
||||
groupDependenciesByManifest,
|
||||
getManifestsSet,
|
||||
renderUrl,
|
||||
octokitClient,
|
||||
isEnterprise
|
||||
} from './utils'
|
||||
import * as semver from 'semver'
|
||||
|
||||
const icons = {
|
||||
check: '✅',
|
||||
@@ -10,17 +17,132 @@ const icons = {
|
||||
warning: '⚠️'
|
||||
}
|
||||
|
||||
const MAX_SCANNED_FILES_BYTES = 1048576
|
||||
const API_CONCURRENCY_LIMIT = 10 // Limit concurrent API requests to avoid rate limiting
|
||||
|
||||
/**
|
||||
* Helper to check if a version falls within a vulnerable range.
|
||||
* Uses the `semver` library for proper prerelease handling and range parsing.
|
||||
*
|
||||
* @param version - The version to check (can be pre-trimmed).
|
||||
* @param range - The version range to check against (can be pre-trimmed and/or pre-normalized).
|
||||
* @param options - Configuration options.
|
||||
* @param options.preTrimmed - If true, assumes inputs are already trimmed (optimization).
|
||||
* @param options.preNormalized - If true, assumes range is already normalized (comma-to-space conversion done).
|
||||
* @param options.failClosed - If true, returns true (vulnerable) on errors; if false, returns false (no match).
|
||||
* @returns `true` if the version is considered within the vulnerable range (or on fail-closed), otherwise `false`.
|
||||
*/
|
||||
function versionInRange(
|
||||
version: string | undefined,
|
||||
range: string | undefined,
|
||||
options: {
|
||||
preTrimmed?: boolean
|
||||
preNormalized?: boolean
|
||||
failClosed?: boolean
|
||||
} = {}
|
||||
): boolean {
|
||||
const {preTrimmed = false, preNormalized = false, failClosed = true} = options
|
||||
|
||||
// Trim inputs if not pre-trimmed
|
||||
const trimmedVersion = preTrimmed ? version : version?.trim() || ''
|
||||
const trimmedRange = preTrimmed ? range : range?.trim() || ''
|
||||
|
||||
if (!trimmedVersion) {
|
||||
if (failClosed) {
|
||||
core.debug(
|
||||
`Empty or missing version for range "${range}". Treating as vulnerable (fail closed).`
|
||||
)
|
||||
}
|
||||
return failClosed
|
||||
}
|
||||
if (!trimmedRange) {
|
||||
if (failClosed) {
|
||||
core.debug(
|
||||
`Empty or missing version range for version "${version}". Treating as vulnerable (fail closed).`
|
||||
)
|
||||
}
|
||||
return failClosed
|
||||
}
|
||||
|
||||
// Convert GitHub API range format to semver-compatible format if not already normalized
|
||||
// GitHub uses: ">= 8.0.0, <= 8.0.20"
|
||||
// Semver accepts: ">= 8.0.0 <= 8.0.20" (operators may be followed by a space)
|
||||
const semverRange = preNormalized
|
||||
? trimmedRange
|
||||
: trimmedRange.replace(/,\s*/g, ' ')
|
||||
|
||||
// Validate version and range explicitly to enforce fail-closed semantics
|
||||
// semver.satisfies() typically returns false for invalid inputs without throwing
|
||||
let validVersion = semver.valid(trimmedVersion)
|
||||
const validRange = semver.validRange(semverRange)
|
||||
|
||||
// For fail-open mode (patch selection), try coercing invalid versions
|
||||
// to handle common real-world formats like "8.0", date-based versions, etc.
|
||||
if (!validVersion && !failClosed) {
|
||||
const coerced = semver.coerce(trimmedVersion)
|
||||
if (coerced) {
|
||||
validVersion = coerced.version
|
||||
core.debug(
|
||||
`Coerced version "${trimmedVersion}" to "${validVersion}" for range matching`
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
if (!validVersion || !validRange) {
|
||||
if (failClosed) {
|
||||
const issues: string[] = []
|
||||
if (!validVersion) issues.push('version')
|
||||
if (!validRange) issues.push('version range')
|
||||
core.debug(
|
||||
`Invalid ${issues.join(' and ')}: version="${version}", range="${range}". Treating as vulnerable (fail closed).`
|
||||
)
|
||||
}
|
||||
return failClosed
|
||||
}
|
||||
|
||||
// Both version and range are valid; perform the satisfies check
|
||||
// Only include prereleases when the version being checked is itself a prerelease
|
||||
// to avoid changing range semantics globally
|
||||
const isPrerelease = semver.prerelease(validVersion) !== null
|
||||
return semver.satisfies(validVersion, validRange, {
|
||||
includePrerelease: isPrerelease
|
||||
})
|
||||
}
|
||||
|
||||
function extractPatchVersionId(patchData: unknown): string | null {
|
||||
// Handle string format (current API response)
|
||||
if (typeof patchData === 'string') return patchData
|
||||
|
||||
// Handle object format with identifier field (for backward compatibility)
|
||||
if (patchData && typeof patchData === 'object' && 'identifier' in patchData) {
|
||||
const id = (patchData as {identifier: unknown}).identifier
|
||||
return typeof id === 'string' ? id : null
|
||||
}
|
||||
|
||||
return null
|
||||
}
|
||||
|
||||
// generates the DR report summary and caches it to the Action's core.summary.
|
||||
// returns the DR summary string, ready to be posted as a PR comment if the
|
||||
// final DR report is too large
|
||||
export function addSummaryToSummary(
|
||||
vulnerableChanges: Changes,
|
||||
invalidLicenseChanges: InvalidLicenseChanges,
|
||||
deniedChanges: Changes,
|
||||
scorecard: Scorecard,
|
||||
config: ConfigurationOptions
|
||||
): void {
|
||||
): string {
|
||||
if (config.deny_licenses && config.deny_licenses.length > 0) {
|
||||
addDenyListsDeprecationWarningToSummary()
|
||||
}
|
||||
|
||||
const out: string[] = []
|
||||
|
||||
const scorecardWarnings = countScorecardWarnings(scorecard, config)
|
||||
const licenseIssues = countLicenseIssues(invalidLicenseChanges)
|
||||
|
||||
core.summary.addHeading('Dependency Review', 1)
|
||||
out.push('# Dependency Review')
|
||||
|
||||
if (
|
||||
vulnerableChanges.length === 0 &&
|
||||
@@ -33,54 +155,76 @@ export function addSummaryToSummary(
|
||||
config.license_check ? 'license issues' : '',
|
||||
config.show_openssf_scorecard ? 'OpenSSF Scorecard issues' : ''
|
||||
]
|
||||
|
||||
let msg = ''
|
||||
if (issueTypes.filter(Boolean).length === 0) {
|
||||
core.summary.addRaw(`${icons.check} No issues found.`)
|
||||
msg = `${icons.check} No issues found.`
|
||||
} else {
|
||||
core.summary.addRaw(
|
||||
`${icons.check} No ${issueTypes.filter(Boolean).join(' or ')} found.`
|
||||
)
|
||||
msg = `${icons.check} No ${issueTypes.filter(Boolean).join(' or ')} found.`
|
||||
}
|
||||
|
||||
return
|
||||
core.summary.addRaw(msg)
|
||||
out.push(msg)
|
||||
return out.join('\n')
|
||||
}
|
||||
|
||||
core.summary
|
||||
.addRaw('The following issues were found:')
|
||||
.addList([
|
||||
...(config.vulnerability_check
|
||||
? [
|
||||
`${checkOrFailIcon(vulnerableChanges.length)} ${
|
||||
vulnerableChanges.length
|
||||
} vulnerable package(s)`
|
||||
]
|
||||
: []),
|
||||
...(config.license_check
|
||||
? [
|
||||
`${checkOrFailIcon(invalidLicenseChanges.forbidden.length)} ${
|
||||
invalidLicenseChanges.forbidden.length
|
||||
} package(s) with incompatible licenses`,
|
||||
`${checkOrFailIcon(invalidLicenseChanges.unresolved.length)} ${
|
||||
invalidLicenseChanges.unresolved.length
|
||||
} package(s) with invalid SPDX license definitions`,
|
||||
`${checkOrWarnIcon(invalidLicenseChanges.unlicensed.length)} ${
|
||||
invalidLicenseChanges.unlicensed.length
|
||||
} package(s) with unknown licenses.`
|
||||
]
|
||||
: []),
|
||||
...(deniedChanges.length > 0
|
||||
? [
|
||||
`${checkOrWarnIcon(deniedChanges.length)} ${
|
||||
deniedChanges.length
|
||||
} package(s) denied.`
|
||||
]
|
||||
: []),
|
||||
...(config.show_openssf_scorecard && scorecardWarnings > 0
|
||||
? [
|
||||
`${checkOrWarnIcon(scorecardWarnings)} ${scorecardWarnings ? scorecardWarnings : 'No'} packages with OpenSSF Scorecard issues.`
|
||||
]
|
||||
: [])
|
||||
])
|
||||
.addRaw('See the Details below.')
|
||||
const foundIssuesHeader = 'The following issues were found:'
|
||||
core.summary.addRaw(foundIssuesHeader)
|
||||
out.push(foundIssuesHeader)
|
||||
|
||||
const summaryList: string[] = [
|
||||
...(config.vulnerability_check
|
||||
? [
|
||||
`${checkOrFailIcon(vulnerableChanges.length)} ${
|
||||
vulnerableChanges.length
|
||||
} vulnerable package(s)`
|
||||
]
|
||||
: []),
|
||||
...(config.license_check
|
||||
? [
|
||||
`${checkOrFailIcon(invalidLicenseChanges.forbidden.length)} ${
|
||||
invalidLicenseChanges.forbidden.length
|
||||
} package(s) with incompatible licenses`,
|
||||
`${checkOrFailIcon(invalidLicenseChanges.unresolved.length)} ${
|
||||
invalidLicenseChanges.unresolved.length
|
||||
} package(s) with invalid SPDX license definitions`,
|
||||
`${checkOrWarnIcon(invalidLicenseChanges.unlicensed.length)} ${
|
||||
invalidLicenseChanges.unlicensed.length
|
||||
} package(s) with unknown licenses.`
|
||||
]
|
||||
: []),
|
||||
...(deniedChanges.length > 0
|
||||
? [
|
||||
`${checkOrWarnIcon(deniedChanges.length)} ${
|
||||
deniedChanges.length
|
||||
} package(s) denied.`
|
||||
]
|
||||
: []),
|
||||
...(config.show_openssf_scorecard && scorecardWarnings > 0
|
||||
? [
|
||||
`${checkOrWarnIcon(scorecardWarnings)} ${scorecardWarnings ? scorecardWarnings : 'No'} packages with OpenSSF Scorecard issues.`
|
||||
]
|
||||
: [])
|
||||
]
|
||||
|
||||
core.summary.addList(summaryList)
|
||||
for (const line of summaryList) {
|
||||
out.push(`* ${line}`)
|
||||
}
|
||||
|
||||
core.summary.addRaw('See the Details below.')
|
||||
out.push(
|
||||
`\n[View full job summary](${process.env.GITHUB_SERVER_URL}/${process.env.GITHUB_REPOSITORY}/actions/runs/${process.env.GITHUB_RUN_ID})`
|
||||
)
|
||||
|
||||
return out.join('\n')
|
||||
}
|
||||
|
||||
function addDenyListsDeprecationWarningToSummary(): void {
|
||||
core.summary.addRaw(
|
||||
`${icons.warning} <strong>Deprecation Warning</strong>: The <em>deny-licenses</em> option is deprecated for possible removal in the next major release. For more information, see issue 997.`,
|
||||
true
|
||||
)
|
||||
}
|
||||
|
||||
function countScorecardWarnings(
|
||||
@@ -98,21 +242,142 @@ function countScorecardWarnings(
|
||||
)
|
||||
}
|
||||
|
||||
export function addChangeVulnerabilitiesToSummary(
|
||||
/**
|
||||
* Execute promises with a concurrency limit to avoid overwhelming APIs.
|
||||
* @param tasks - Array of functions that return promises
|
||||
* @param limit - Maximum number of concurrent promises
|
||||
*/
|
||||
async function promisePool(
|
||||
tasks: (() => Promise<void>)[],
|
||||
limit: number
|
||||
): Promise<void> {
|
||||
const executing: Set<Promise<void>> = new Set()
|
||||
|
||||
for (const task of tasks) {
|
||||
// Execute task and clean up
|
||||
const wrappedPromise = (async () => {
|
||||
await task()
|
||||
})()
|
||||
|
||||
executing.add(wrappedPromise)
|
||||
|
||||
// When promise completes, remove it from the executing set
|
||||
wrappedPromise.finally(() => {
|
||||
executing.delete(wrappedPromise)
|
||||
})
|
||||
|
||||
// Wait if we've hit the concurrency limit
|
||||
if (executing.size >= limit) {
|
||||
await Promise.race(executing)
|
||||
}
|
||||
}
|
||||
|
||||
// Wait for all remaining promises
|
||||
await Promise.all(executing)
|
||||
}
|
||||
|
||||
export async function addChangeVulnerabilitiesToSummary(
|
||||
vulnerableChanges: Changes,
|
||||
severity: string
|
||||
): void {
|
||||
severity: string,
|
||||
showPatchedVersions = false
|
||||
): Promise<void> {
|
||||
if (vulnerableChanges.length === 0) {
|
||||
return
|
||||
}
|
||||
|
||||
const rows: SummaryTableRow[] = []
|
||||
|
||||
const manifests = getManifestsSet(vulnerableChanges)
|
||||
|
||||
// Build set of unique advisories to query
|
||||
const advisorySet = new Set<string>()
|
||||
if (showPatchedVersions) {
|
||||
if (isEnterprise()) {
|
||||
core.warning(
|
||||
'show-patched-versions is not supported on GitHub Enterprise Server. The Patched Version column will be omitted.'
|
||||
)
|
||||
showPatchedVersions = false
|
||||
} else {
|
||||
for (const pkg of vulnerableChanges) {
|
||||
for (const vuln of pkg.vulnerabilities) {
|
||||
advisorySet.add(vuln.advisory_ghsa_id)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Query GitHub API for patch info with concurrency limiting
|
||||
// Store all vulnerability entries (may be multiple per package with different ranges)
|
||||
// Pre-normalize ecosystem, package name, and range to avoid repeated work in rendering
|
||||
const patchInfo: Record<
|
||||
string,
|
||||
{
|
||||
eco: string
|
||||
pkg: string
|
||||
range: string
|
||||
patch: string
|
||||
ecoLower: string
|
||||
pkgLower: string
|
||||
normalizedRange: string
|
||||
}[]
|
||||
> = {}
|
||||
const apiClient = octokitClient()
|
||||
|
||||
// Create tasks for promise pool
|
||||
const tasks = Array.from(advisorySet).map(advId => async () => {
|
||||
try {
|
||||
core.debug(`Fetching advisory data for ${advId}`)
|
||||
const apiResult = await apiClient.request('GET /advisories/{ghsa_id}', {
|
||||
ghsa_id: advId
|
||||
})
|
||||
|
||||
patchInfo[advId] = []
|
||||
const vulnList = apiResult.data.vulnerabilities || []
|
||||
core.debug(`Found ${vulnList.length} vulnerability entries for ${advId}`)
|
||||
|
||||
for (const v of vulnList) {
|
||||
if (v.package && v.package.ecosystem) {
|
||||
const normalizedEco = v.package.ecosystem.toLowerCase()
|
||||
const pkgName = v.package.name || ''
|
||||
const vulnRange = v.vulnerable_version_range || ''
|
||||
const patchVerId = extractPatchVersionId(v.first_patched_version)
|
||||
if (patchVerId) {
|
||||
// Pre-normalize and cache values to avoid repeated work in rendering loop
|
||||
const trimmedRange = vulnRange.trim()
|
||||
const normalizedRange = trimmedRange.replace(/,\s*/g, ' ')
|
||||
patchInfo[advId].push({
|
||||
eco: normalizedEco,
|
||||
pkg: pkgName,
|
||||
range: vulnRange,
|
||||
patch: patchVerId,
|
||||
ecoLower: normalizedEco, // Ecosystem already normalized to lowercase
|
||||
pkgLower: pkgName.toLowerCase(),
|
||||
normalizedRange
|
||||
})
|
||||
core.debug(
|
||||
`Added patch info for ${pkgName} (${normalizedEco}): ${patchVerId} for range ${vulnRange}`
|
||||
)
|
||||
} else {
|
||||
core.debug(
|
||||
`No patch version found for ${pkgName} (${normalizedEco}) in ${advId}`
|
||||
)
|
||||
}
|
||||
}
|
||||
}
|
||||
} catch (e) {
|
||||
const errorMessage = e instanceof Error ? e.message : String(e)
|
||||
core.debug(`API call failed for ${advId}: ${errorMessage}`)
|
||||
patchInfo[advId] = []
|
||||
}
|
||||
})
|
||||
|
||||
// Execute API calls with concurrency limit
|
||||
await promisePool(tasks, API_CONCURRENCY_LIMIT)
|
||||
|
||||
core.summary.addHeading('Vulnerabilities', 2)
|
||||
|
||||
for (const manifest of manifests) {
|
||||
// Create fresh rows array for each manifest to avoid accumulation
|
||||
const rows: SummaryTableRow[] = []
|
||||
|
||||
for (const change of vulnerableChanges.filter(
|
||||
pkg => pkg.manifest === manifest
|
||||
)) {
|
||||
@@ -123,33 +388,100 @@ export function addChangeVulnerabilitiesToSummary(
|
||||
previous_package === change.name &&
|
||||
previous_version === change.version
|
||||
|
||||
// Look up patch version by matching package name, ecosystem, and version range
|
||||
let patchVer = 'N/A'
|
||||
const advisoryEntries = patchInfo[vuln.advisory_ghsa_id]
|
||||
if (advisoryEntries && advisoryEntries.length > 0) {
|
||||
const ecoLowercase = change.ecosystem.toLowerCase()
|
||||
const packageLowercase = change.name.toLowerCase()
|
||||
const normalizedChangeVersion = change.version.trim()
|
||||
core.debug(
|
||||
`Looking up patch for ${change.name}@${change.version} (${ecoLowercase}) in ${vuln.advisory_ghsa_id}`
|
||||
)
|
||||
|
||||
// Find matching entry by ecosystem, package name (case-insensitive), and version range
|
||||
// Use pre-normalized values from cache to avoid repeated lowercasing and range conversion
|
||||
let foundEntry:
|
||||
| {eco: string; pkg: string; range: string; patch: string}
|
||||
| undefined
|
||||
for (const vulnEntry of advisoryEntries) {
|
||||
if (vulnEntry.ecoLower !== ecoLowercase) continue
|
||||
if (vulnEntry.pkgLower !== packageLowercase) continue
|
||||
|
||||
// Use fail-open (failClosed: false) for patch selection to avoid
|
||||
// incorrectly matching on invalid ranges
|
||||
// Use preTrimmed and preNormalized optimizations since we've done both
|
||||
const isInRange = versionInRange(
|
||||
normalizedChangeVersion,
|
||||
vulnEntry.normalizedRange,
|
||||
{preTrimmed: true, preNormalized: true, failClosed: false}
|
||||
)
|
||||
|
||||
if (isInRange) {
|
||||
foundEntry = vulnEntry
|
||||
break
|
||||
}
|
||||
}
|
||||
|
||||
if (foundEntry) {
|
||||
patchVer = foundEntry.patch
|
||||
core.debug(
|
||||
`Found patch version ${patchVer} for ${change.name}@${change.version}`
|
||||
)
|
||||
} else {
|
||||
const maxLoggedEntries = 5
|
||||
const entriesPreview = advisoryEntries
|
||||
.slice(0, maxLoggedEntries)
|
||||
.map(
|
||||
entry =>
|
||||
`${entry.eco}:${entry.pkg} ${entry.range} -> ${entry.patch}`
|
||||
)
|
||||
core.debug(
|
||||
`No matching patch found for ${change.name}@${change.version}. Available entries (showing up to ${Math.min(advisoryEntries.length, maxLoggedEntries)} of ${advisoryEntries.length}): ${entriesPreview.join('; ')}`
|
||||
)
|
||||
}
|
||||
} else {
|
||||
core.debug(`No advisory data available for ${vuln.advisory_ghsa_id}`)
|
||||
}
|
||||
|
||||
if (!sameAsPrevious) {
|
||||
rows.push([
|
||||
const row: SummaryTableRow = [
|
||||
renderUrl(change.source_repository_url, change.name),
|
||||
change.version,
|
||||
renderUrl(vuln.advisory_url, vuln.advisory_summary),
|
||||
vuln.severity
|
||||
])
|
||||
]
|
||||
if (showPatchedVersions) {
|
||||
row.push(patchVer)
|
||||
}
|
||||
rows.push(row)
|
||||
} else {
|
||||
rows.push([
|
||||
const row: SummaryTableRow = [
|
||||
{data: '', colspan: '2'},
|
||||
renderUrl(vuln.advisory_url, vuln.advisory_summary),
|
||||
vuln.severity
|
||||
])
|
||||
]
|
||||
if (showPatchedVersions) {
|
||||
row.push(patchVer)
|
||||
}
|
||||
rows.push(row)
|
||||
}
|
||||
previous_package = change.name
|
||||
previous_version = change.version
|
||||
}
|
||||
}
|
||||
core.summary.addHeading(`<em>${manifest}</em>`, 4).addTable([
|
||||
[
|
||||
{data: 'Name', header: true},
|
||||
{data: 'Version', header: true},
|
||||
{data: 'Vulnerability', header: true},
|
||||
{data: 'Severity', header: true}
|
||||
],
|
||||
...rows
|
||||
])
|
||||
const headerRow: SummaryTableRow = [
|
||||
{data: 'Name', header: true},
|
||||
{data: 'Version', header: true},
|
||||
{data: 'Vulnerability', header: true},
|
||||
{data: 'Severity', header: true}
|
||||
]
|
||||
if (showPatchedVersions) {
|
||||
headerRow.push({data: 'Patched Version', header: true})
|
||||
}
|
||||
core.summary
|
||||
.addHeading(`<em>${manifest}</em>`, 4)
|
||||
.addTable([headerRow, ...rows])
|
||||
}
|
||||
|
||||
if (severity !== 'low') {
|
||||
@@ -172,19 +504,17 @@ export function addLicensesToSummary(
|
||||
|
||||
if (config.allow_licenses && config.allow_licenses.length > 0) {
|
||||
core.summary.addQuote(
|
||||
`<strong>Allowed Licenses</strong>: ${config.allow_licenses.join(', ')}`
|
||||
`<details><summary><strong>Allowed Licenses</strong>:</summary> ${config.allow_licenses.join(', ')}</details>`
|
||||
)
|
||||
}
|
||||
if (config.deny_licenses && config.deny_licenses.length > 0) {
|
||||
core.summary.addQuote(
|
||||
`<strong>Denied Licenses</strong>: ${config.deny_licenses.join(', ')}`
|
||||
`<details><summary><strong>Denied Licenses</strong>:</summary> ${config.deny_licenses.join(', ')}</details>`
|
||||
)
|
||||
}
|
||||
if (config.allow_dependencies_licenses) {
|
||||
core.summary.addQuote(
|
||||
`<strong>Excluded from license check</strong>: ${config.allow_dependencies_licenses.join(
|
||||
', '
|
||||
)}`
|
||||
`<details><summary><strong>Excluded from license check</strong>:</summary> ${config.allow_dependencies_licenses.join(', ')}</details>`
|
||||
)
|
||||
}
|
||||
|
||||
@@ -242,20 +572,37 @@ function formatLicense(license: string | null): string {
|
||||
return license
|
||||
}
|
||||
|
||||
export function addScannedDependencies(changes: Changes): void {
|
||||
const dependencies = groupDependenciesByManifest(changes)
|
||||
const manifests = dependencies.keys()
|
||||
export function addScannedFiles(changes: Changes): void {
|
||||
const manifests = Array.from(
|
||||
groupDependenciesByManifest(changes).keys()
|
||||
).sort()
|
||||
|
||||
const summary = core.summary.addHeading('Scanned Manifest Files', 2)
|
||||
let sf_size = 0
|
||||
let trunc_at = -1
|
||||
|
||||
for (const manifest of manifests) {
|
||||
const deps = dependencies.get(manifest)
|
||||
if (deps) {
|
||||
const dependencyNames = deps.map(
|
||||
dependency => `<li>${dependency.name}@${dependency.version}</li>`
|
||||
)
|
||||
summary.addDetails(manifest, `<ul>${dependencyNames.join('')}</ul>`)
|
||||
for (const [index, entry] of manifests.entries()) {
|
||||
if (sf_size + entry.length >= MAX_SCANNED_FILES_BYTES) {
|
||||
trunc_at = index
|
||||
break
|
||||
}
|
||||
sf_size += entry.length
|
||||
}
|
||||
|
||||
if (trunc_at >= 0) {
|
||||
// truncate the manifests list if it will overflow the summary output
|
||||
manifests.slice(0, trunc_at)
|
||||
// if there's room between cutoff size and list size, add a warning
|
||||
const size_diff = MAX_SCANNED_FILES_BYTES - sf_size
|
||||
if (size_diff < 12) {
|
||||
manifests.push('(truncated)')
|
||||
}
|
||||
}
|
||||
|
||||
const summary = core.summary.addHeading('Scanned Files', 2)
|
||||
if (manifests.length === 0) {
|
||||
summary.addRaw('None')
|
||||
} else {
|
||||
summary.addList(manifests)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -281,6 +628,9 @@ export function addScorecardToSummary(
|
||||
scorecard: Scorecard,
|
||||
config: ConfigurationOptions
|
||||
): void {
|
||||
if (scorecard.dependencies.length === 0) {
|
||||
return
|
||||
}
|
||||
core.summary.addHeading('OpenSSF Scorecard', 2)
|
||||
if (scorecard.dependencies.length > 10) {
|
||||
core.summary.addRaw(`<details><summary>Scorecard details</summary>`, true)
|
||||
@@ -304,7 +654,7 @@ export function addScorecardToSummary(
|
||||
|
||||
//Add a row for the dependency
|
||||
core.summary.addRaw(
|
||||
`<tr><td>${dependency.change.source_repository_url ? `<a href="https://${dependency.change.source_repository_url}">` : ''} ${dependency.change.ecosystem}/${dependency.change.name} ${dependency.change.source_repository_url ? `</a>` : ''}</td><td>${dependency.change.version}</td>
|
||||
`<tr><td>${dependency.change.source_repository_url ? `<a href="${dependency.change.source_repository_url}">` : ''} ${dependency.change.ecosystem}/${dependency.change.name} ${dependency.change.source_repository_url ? `</a>` : ''}</td><td>${dependency.change.version}</td>
|
||||
<td>${overallIcon} ${dependency.scorecard?.score === undefined || dependency.scorecard?.score === null ? 'Unknown' : dependency.scorecard?.score}</td>`,
|
||||
false
|
||||
)
|
||||
|
||||
+1
-11
@@ -1,6 +1,5 @@
|
||||
import * as core from '@actions/core'
|
||||
import {Octokit} from 'octokit'
|
||||
import spdxParse from 'spdx-expression-parse'
|
||||
import {Changes} from './schemas'
|
||||
|
||||
export function groupDependenciesByManifest(
|
||||
@@ -34,16 +33,7 @@ export function renderUrl(url: string | null, text: string): string {
|
||||
}
|
||||
}
|
||||
|
||||
export function isSPDXValid(license: string): boolean {
|
||||
try {
|
||||
spdxParse(license)
|
||||
return true
|
||||
} catch (_) {
|
||||
return false
|
||||
}
|
||||
}
|
||||
|
||||
function isEnterprise(): boolean {
|
||||
export function isEnterprise(): boolean {
|
||||
const serverUrl = new URL(
|
||||
process.env['GITHUB_SERVER_URL'] ?? 'https://github.com'
|
||||
)
|
||||
|
||||
+3
-1
@@ -5,7 +5,9 @@
|
||||
"outDir": "./lib" /* Redirect output structure to the directory. */,
|
||||
"strict": true /* Enable all strict type-checking options. */,
|
||||
"noImplicitAny": true /* Raise error on expressions and declarations with an implied 'any' type. */,
|
||||
"esModuleInterop": true /* Enables emit interoperability between CommonJS and ES Modules via creation of namespace objects for all imports. Implies 'allowSyntheticDefaultImports'. */
|
||||
"esModuleInterop": true /* Enables emit interoperability between CommonJS and ES Modules via creation of namespace objects for all imports. Implies 'allowSyntheticDefaultImports'. */,
|
||||
"typeRoots": [ "./node_modules/@types", "./types" ],
|
||||
"types": [ "node", "jest", "spdx-license-satisfies" ]
|
||||
},
|
||||
"exclude": ["node_modules"]
|
||||
}
|
||||
|
||||
Vendored
+16
@@ -0,0 +1,16 @@
|
||||
declare module '@onebeyond/spdx-license-satisfies' {
|
||||
export function satisfies(
|
||||
candidateExpr: string,
|
||||
constraintExpr: string
|
||||
): boolean
|
||||
|
||||
export function satisfiesAny(
|
||||
candidateExpr: string,
|
||||
licenses: string[]
|
||||
): boolean
|
||||
|
||||
export function satisfiesAll(
|
||||
candidateExpr: string,
|
||||
licenses: string[]
|
||||
): boolean
|
||||
}
|
||||
Reference in New Issue
Block a user