Compare commits
59 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| e58c696e52 | |||
| 9b7c72ddcd | |||
| 7dcfabfea2 | |||
| 5f0808ffb1 | |||
| fcc66c23b3 | |||
| 1dd418bcb3 | |||
| 640617990f | |||
| 2034babb6b | |||
| 7e773b1e98 | |||
| a3460920cc | |||
| 0659a74c94 | |||
| 28facf5722 | |||
| 5ab7b74146 | |||
| 95b6fa4e6b | |||
| 2dba7fdde1 | |||
| 7d44c7c392 | |||
| ce31ee8325 | |||
| df1b3661fd | |||
| 71c57a6108 | |||
| 7e2c3c347b | |||
| f456418f6a | |||
| 19bd35e07b | |||
| ff97293707 | |||
| 5498b6c4c3 | |||
| 80116a4564 | |||
| 68488bcecb | |||
| 16a0212a77 | |||
| 6d3fba9bf2 | |||
| c6cc8585a0 | |||
| c32a0148b3 | |||
| 67d0214607 | |||
| 3ca15314ff | |||
| a318e62c6c | |||
| 061f471b83 | |||
| 012eca3d4d | |||
| 8739aa4bb3 | |||
| a323510dae | |||
| 7cebd9d64d | |||
| f8ca44e2de | |||
| 411e5ec44f | |||
| 72aedfc147 | |||
| 2ce029c676 | |||
| 1c949fbe77 | |||
| bddd13d857 | |||
| 0e665bf3ac | |||
| 5bbc3ba658 | |||
| c59184aa7f | |||
| 54c06574f4 | |||
| 21941b530b | |||
| 733dd5d4a5 | |||
| 9093495859 | |||
| 35b83b4207 | |||
| e057056594 | |||
| d684d038b2 | |||
| 2b0aaf1638 | |||
| d9209374af | |||
| 651d22c5d5 | |||
| 02b13f6b52 | |||
| 6e0fa26ac3 |
+2
-2
@@ -80,12 +80,12 @@ Here are a few things you can do that will increase the likelihood of your pull
|
||||
- Add unit tests for new features.
|
||||
- Keep your change as focused as possible. If there are multiple changes you would like to make that are not dependent upon each other, consider submitting them as separate pull requests.
|
||||
- Write a [good commit message](https://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html).
|
||||
- Add examples of the usage to [examples.md](examples.md)
|
||||
- Add examples of the usage to [examples.md](docs/examples.md)
|
||||
- Link to a sample PR in a custom repository running your version of the Action.
|
||||
|
||||
## Cutting a new release
|
||||
|
||||
1. Update the version number in [package.json](https://github.com/actions/dependency-review-action/blob/main/package.json).
|
||||
1. Update the version number in [package.json](https://github.com/actions/dependency-review-action/blob/main/package.json) and run `npm i` to update the lockfile.
|
||||
1. Go to [Draft a new
|
||||
release](https://github.com/actions/dependency-review-action/releases/new)
|
||||
in the Releases page.
|
||||
|
||||
@@ -66,25 +66,25 @@ jobs:
|
||||
|
||||
Configure this action by either inlining these options in your workflow file, or by using an external configuration file. All configuration options are optional.
|
||||
|
||||
| Option | Usage | Possible values | Default value |
|
||||
| -------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------ | ------------- |
|
||||
| `fail-on-severity` | Defines the threshold for the level of severity. The action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher. | `low`, `moderate`, `high`, `critical` | `low` |
|
||||
| `allow-licenses`\* | Contains a list of allowed licenses. The action will fail on pull requests that introduce dependencies with licenses that do not match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
|
||||
| `deny-licenses`\* | Contains a list of prohibited licenses. The action will fail on pull requests that introduce dependencies with licenses that match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
|
||||
| `fail-on-scopes` | Contains a list of strings of the build environments you want to support. The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list. | `runtime`, `development`, `unknown` | `runtime` |
|
||||
| `allow-ghsas` | Contains a list of GitHub Advisory Database IDs that can be skipped during detection. | Any GHSAs from the [GitHub Advisory Database](https://github.com/advisories) | none |
|
||||
| `license-check` | Enable or disable the license check performed by the action. | `true`, `false` | `true` |
|
||||
| `vulnerability-check` | Enable or disable the vulnerability check performed by the action. | `true`, `false` | `true` |
|
||||
| `allow-dependencies-licenses`\* | Contains a list of packages that will be excluded from license checks. | Any package(s) in [purl](https://github.com/package-url/purl-spec) format | none |
|
||||
| `base-ref`/`head-ref` | Provide custom git references for the git base/head when performing the comparison check. This is only used for event types other than `pull_request` and `pull_request_target`. | Any valid git ref(s) in your project | none |
|
||||
| `comment-summary-in-pr` | Enable or disable reporting the review summary as a comment in the pull request. If enabled, you must give the workflow or job the `pull-requests: write` permission. | `always`, `on-failure`, `never` | `never` |
|
||||
| `deny-packages` | Any number of packages to block in a PR. | Package(s) in [purl](https://github.com/package-url/purl-spec) format | empty |
|
||||
| `deny-groups` | Any number of groups (namespaces) to block in a PR. | Namespace(s) in [purl](https://github.com/package-url/purl-spec) format (no package name, no version number) | empty |
|
||||
| `retry-on-snapshot-warnings`\* | Enable or disable retrying the action every 10 seconds while waiting for dependency submission actions to complete. | `true`, `false` | `false` |
|
||||
| `retry-on-snapshot-warnings-timeout`\* | Maximum amount of time (in seconds) to retry the action while waiting for dependency submission actions to complete. | Any positive integer | 120 |
|
||||
| `warn-only`+ | When set to `true`, the action will log all vulnerabilities as warnings regardless of the severity, and the action will complete with a `success` status. This overrides the `fail-on-severity` option. | `true`, `false` | `false` |
|
||||
| `show-openssf-scorecard-levels` | When set to `true`, the action will output information about all the known OpenSSF Scorecard scores for the dependencies changed in this pull request. | `true`, `false` | `true` |
|
||||
| `warn-on-openssf-scorecard-level` | When `show-openssf-scorecard-levels` is set to `true`, this option lets you configure the threshold for when a score is considered too low and gets a :warning: warning in the CI. | Any positive integer | 3 |
|
||||
| Option | Usage | Possible values | Default value |
|
||||
| -------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------ | ------------- |
|
||||
| `fail-on-severity` | Defines the threshold for the level of severity. The action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher. | `low`, `moderate`, `high`, `critical` | `low` |
|
||||
| `allow-licenses`\* | Contains a list of allowed licenses. The action will fail on pull requests that introduce dependencies with licenses that do not match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
|
||||
| `deny-licenses`\* | Contains a list of prohibited licenses. The action will fail on pull requests that introduce dependencies with licenses that match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
|
||||
| `fail-on-scopes` | Contains a list of strings of the build environments you want to support. The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list. | `runtime`, `development`, `unknown` | `runtime` |
|
||||
| `allow-ghsas` | Contains a list of GitHub Advisory Database IDs that can be skipped during detection. | Any GHSAs from the [GitHub Advisory Database](https://github.com/advisories) | none |
|
||||
| `license-check` | Enable or disable the license check performed by the action. | `true`, `false` | `true` |
|
||||
| `vulnerability-check` | Enable or disable the vulnerability check performed by the action. | `true`, `false` | `true` |
|
||||
| `allow-dependencies-licenses`\* | Contains a list of packages that will be excluded from license checks. | Any package(s) in [purl](https://github.com/package-url/purl-spec) format | none |
|
||||
| `base-ref`/`head-ref` | Provide custom git references for the git base/head when performing the comparison check. This is only used for event types other than `pull_request` and `pull_request_target`. | Any valid git ref(s) in your project | none |
|
||||
| `comment-summary-in-pr` | Enable or disable reporting the review summary as a comment in the pull request. If enabled, you must give the workflow or job the `pull-requests: write` permission. | `always`, `on-failure`, `never` | `never` |
|
||||
| `deny-packages` | Any number of packages to block in a PR. This option will match on the exact version provided. If no version is provided, the option will treat the specified package as a wildcard and deny all versions. | Package(s) in [purl](https://github.com/package-url/purl-spec) format | empty |
|
||||
| `deny-groups` | Any number of groups (namespaces) to block in a PR. | Namespace(s) in [purl](https://github.com/package-url/purl-spec) format (no package name, no version number) | empty |
|
||||
| `retry-on-snapshot-warnings`\* | Enable or disable retrying the action every 10 seconds while waiting for dependency submission actions to complete. | `true`, `false` | `false` |
|
||||
| `retry-on-snapshot-warnings-timeout`\* | Maximum amount of time (in seconds) to retry the action while waiting for dependency submission actions to complete. | Any positive integer | 120 |
|
||||
| `warn-only`+ | When set to `true`, the action will log all vulnerabilities as warnings regardless of the severity, and the action will complete with a `success` status. This overrides the `fail-on-severity` option. | `true`, `false` | `false` |
|
||||
| `show-openssf-scorecard-levels` | When set to `true`, the action will output information about all the known OpenSSF Scorecard scores for the dependencies changed in this pull request. | `true`, `false` | `true` |
|
||||
| `warn-on-openssf-scorecard-level` | When `show-openssf-scorecard-levels` is set to `true`, this option lets you configure the threshold for when a score is considered too low and gets a :warning: warning in the CI. | Any positive integer | 3 |
|
||||
|
||||
\*not supported for use with GitHub Enterprise Server
|
||||
|
||||
@@ -171,7 +171,7 @@ The Dependency Review GitHub Action check will only block a pull request from be
|
||||
> Action outputs are unicode strings [with a 1MB size limit](https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#outputs-for-docker-container-and-javascript-actions).
|
||||
|
||||
> [!IMPORTANT]
|
||||
> If you use these outputs in a run-step, you must store the ouput data in an envrioment variable instead of using the output directly. Using an output directly might break shell scripts. For example:
|
||||
> If you use these outputs in a run-step, you must store the output data in an environment variable instead of using the output directly. Using an output directly might break shell scripts. For example:
|
||||
>
|
||||
> ```yaml
|
||||
> env:
|
||||
|
||||
@@ -54,6 +54,28 @@ test('it raises an error if an empty allow list is specified', async () => {
|
||||
)
|
||||
})
|
||||
|
||||
test('it raises an error when an invalid package-url is used for deny-packages', async () => {
|
||||
setInput('deny-packages', 'not-a-purl')
|
||||
|
||||
await expect(readConfig()).rejects.toThrow(`Error parsing package-url`)
|
||||
})
|
||||
|
||||
test('it raises an error when a nameless package-url is used for deny-packages', async () => {
|
||||
setInput('deny-packages', 'pkg:npm/@namespace/')
|
||||
|
||||
await expect(readConfig()).rejects.toThrow(
|
||||
`Error parsing package-url: name is required`
|
||||
)
|
||||
})
|
||||
|
||||
test('it raises an error when an argument to deny-groups is missing a namespace', async () => {
|
||||
setInput('deny-groups', 'pkg:npm/my-fun-org')
|
||||
|
||||
await expect(readConfig()).rejects.toThrow(
|
||||
`package-url must have a namespace`
|
||||
)
|
||||
})
|
||||
|
||||
test('it raises an error when given an unknown severity', async () => {
|
||||
setInput('fail-on-severity', 'zombies')
|
||||
|
||||
|
||||
+85
-110
@@ -1,100 +1,7 @@
|
||||
import {expect, jest, test} from '@jest/globals'
|
||||
import {Change, Changes} from '../src/schemas'
|
||||
|
||||
let getDeniedChanges: Function
|
||||
|
||||
const npmChange: Change = {
|
||||
manifest: 'package.json',
|
||||
change_type: 'added',
|
||||
ecosystem: 'npm',
|
||||
name: 'Reeuhq',
|
||||
version: '1.0.2',
|
||||
package_url: 'pkg:npm/reeuhq@1.0.2',
|
||||
license: 'MIT',
|
||||
source_repository_url: 'github.com/some-repo',
|
||||
scope: 'runtime',
|
||||
vulnerabilities: [
|
||||
{
|
||||
severity: 'critical',
|
||||
advisory_ghsa_id: 'first-random_string',
|
||||
advisory_summary: 'very dangerous',
|
||||
advisory_url: 'github.com/future-funk'
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
const rubyChange: Change = {
|
||||
change_type: 'added',
|
||||
manifest: 'Gemfile.lock',
|
||||
ecosystem: 'rubygems',
|
||||
name: 'actionsomething',
|
||||
version: '3.2.0',
|
||||
package_url: 'pkg:gem/actionsomething@3.2.0',
|
||||
license: 'BSD',
|
||||
source_repository_url: 'github.com/some-repo',
|
||||
scope: 'runtime',
|
||||
vulnerabilities: [
|
||||
{
|
||||
severity: 'moderate',
|
||||
advisory_ghsa_id: 'second-random_string',
|
||||
advisory_summary: 'not so dangerous',
|
||||
advisory_url: 'github.com/future-funk'
|
||||
},
|
||||
{
|
||||
severity: 'low',
|
||||
advisory_ghsa_id: 'third-random_string',
|
||||
advisory_summary: 'dont page me',
|
||||
advisory_url: 'github.com/future-funk'
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
const pipChange: Change = {
|
||||
change_type: 'added',
|
||||
manifest: 'requirements.txt',
|
||||
ecosystem: 'pip',
|
||||
name: 'package-1',
|
||||
version: '1.1.1',
|
||||
package_url: 'pkg:pypi/package-1@1.1.1',
|
||||
license: 'MIT',
|
||||
source_repository_url: 'github.com/some-repo',
|
||||
scope: 'runtime',
|
||||
vulnerabilities: [
|
||||
{
|
||||
severity: 'moderate',
|
||||
advisory_ghsa_id: 'second-random_string',
|
||||
advisory_summary: 'not so dangerous',
|
||||
advisory_url: 'github.com/future-funk'
|
||||
},
|
||||
{
|
||||
severity: 'low',
|
||||
advisory_ghsa_id: 'third-random_string',
|
||||
advisory_summary: 'dont page me',
|
||||
advisory_url: 'github.com/future-funk'
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
const mvnChange: Change = {
|
||||
change_type: 'added',
|
||||
manifest: 'pom.xml',
|
||||
ecosystem: 'maven',
|
||||
name: 'org.apache.logging.log4j:log4j-core',
|
||||
version: '2.15.0',
|
||||
package_url: 'pkg:maven/org.apache.logging.log4j/log4j-core@2.14.7',
|
||||
license: 'Apache-2.0',
|
||||
source_repository_url:
|
||||
'https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core',
|
||||
scope: 'unknown',
|
||||
vulnerabilities: [
|
||||
{
|
||||
severity: 'critical',
|
||||
advisory_ghsa_id: 'second-random_string',
|
||||
advisory_summary: 'not so dangerous',
|
||||
advisory_url: 'github.com/future-funk'
|
||||
}
|
||||
]
|
||||
}
|
||||
import {createTestChange, createTestPURLs} from './fixtures/create-test-change'
|
||||
import {getDeniedChanges} from '../src/deny'
|
||||
|
||||
jest.mock('@actions/core')
|
||||
|
||||
@@ -108,6 +15,11 @@ const mockOctokit = {
|
||||
}
|
||||
}
|
||||
|
||||
let npmChange: Change
|
||||
let rubyChange: Change
|
||||
let pipChange: Change
|
||||
let mvnChange: Change
|
||||
|
||||
jest.mock('octokit', () => {
|
||||
return {
|
||||
// eslint-disable-next-line @typescript-eslint/no-extraneous-class
|
||||
@@ -126,40 +38,103 @@ beforeEach(async () => {
|
||||
// true for BSD, false for all others
|
||||
return jest.fn((license: string, _: string): boolean => license === 'BSD')
|
||||
})
|
||||
// eslint-disable-next-line @typescript-eslint/no-require-imports
|
||||
;({getDeniedChanges} = require('../src/deny'))
|
||||
|
||||
npmChange = createTestChange({ecosystem: 'npm'})
|
||||
rubyChange = createTestChange({ecosystem: 'rubygems'})
|
||||
pipChange = createTestChange({ecosystem: 'pip'})
|
||||
mvnChange = createTestChange({ecosystem: 'maven'})
|
||||
})
|
||||
|
||||
test('it adds packages in the deny packages list', async () => {
|
||||
test('denies packages from the deny packages list', async () => {
|
||||
const changes: Changes = [npmChange, rubyChange]
|
||||
const deniedChanges = await getDeniedChanges(
|
||||
changes,
|
||||
['pkg:gem/actionsomething'],
|
||||
[]
|
||||
)
|
||||
const deniedPackages = createTestPURLs(['pkg:gem/actionsomething@3.2.0'])
|
||||
const deniedChanges = await getDeniedChanges(changes, deniedPackages)
|
||||
|
||||
expect(deniedChanges[0]).toBe(rubyChange)
|
||||
expect(deniedChanges.length).toEqual(1)
|
||||
})
|
||||
|
||||
test('it adds packages in the deny group list', async () => {
|
||||
const changes: Changes = [mvnChange, rubyChange]
|
||||
test('denies packages only for the specified version from deny packages list', async () => {
|
||||
const deniedPackageWithDifferentVersion = createTestPURLs([
|
||||
'pkg:npm/lodash@1.2.3'
|
||||
])
|
||||
const changes: Changes = [npmChange]
|
||||
const deniedChanges = await getDeniedChanges(
|
||||
changes,
|
||||
[],
|
||||
['pkg:maven/org.apache.logging.log4j']
|
||||
deniedPackageWithDifferentVersion
|
||||
)
|
||||
|
||||
expect(deniedChanges.length).toEqual(0)
|
||||
})
|
||||
|
||||
test('if no specified version from deny packages list, it will treat package as wildcard and deny all versions', async () => {
|
||||
const changes: Changes = [
|
||||
createTestChange({name: 'lodash', version: '1.2.3'}),
|
||||
createTestChange({name: 'lodash', version: '4.5.6'}),
|
||||
createTestChange({name: 'lodash', version: '7.8.9'})
|
||||
]
|
||||
const denyAllLodashVersions = createTestPURLs(['pkg:npm/lodash'])
|
||||
const deniedChanges = await getDeniedChanges(changes, denyAllLodashVersions)
|
||||
|
||||
expect(deniedChanges.length).toEqual(3)
|
||||
})
|
||||
|
||||
test('denies packages from the deny group list', async () => {
|
||||
const changes: Changes = [mvnChange, rubyChange]
|
||||
const deniedGroups = createTestPURLs(['pkg:maven/org.apache.logging.log4j/'])
|
||||
const deniedChanges = await getDeniedChanges(changes, [], deniedGroups)
|
||||
|
||||
expect(deniedChanges[0]).toBe(mvnChange)
|
||||
expect(deniedChanges.length).toEqual(1)
|
||||
})
|
||||
|
||||
test('it adds packages outside of the deny lists', async () => {
|
||||
test('denies packages that match the deny group list exactly', async () => {
|
||||
const changes: Changes = [
|
||||
createTestChange({
|
||||
package_url: 'pkg:npm/org.test.pass/pass-this@1.0.0',
|
||||
ecosystem: 'npm'
|
||||
}),
|
||||
createTestChange({
|
||||
package_url: 'pkg:npm/org.test/deny-this@1.0.0',
|
||||
ecosystem: 'npm'
|
||||
})
|
||||
]
|
||||
const deniedGroups = createTestPURLs(['pkg:npm/org.test/'])
|
||||
const deniedChanges = await getDeniedChanges(changes, [], deniedGroups)
|
||||
|
||||
expect(deniedChanges.length).toEqual(1)
|
||||
expect(deniedChanges[0]).toBe(changes[1])
|
||||
})
|
||||
|
||||
test(`denies packages using the namespace from the name when there's no package_url`, async () => {
|
||||
const changes: Changes = [
|
||||
createTestChange({
|
||||
package_url: 'pkg:npm/org.test.pass/pass-this@1.0.0',
|
||||
ecosystem: 'npm'
|
||||
}),
|
||||
createTestChange({
|
||||
name: 'org.test:deny-this',
|
||||
package_url: '',
|
||||
ecosystem: 'maven'
|
||||
})
|
||||
]
|
||||
const deniedGroups = createTestPURLs(['pkg:maven/org.test/'])
|
||||
const deniedChanges = await getDeniedChanges(changes, [], deniedGroups)
|
||||
|
||||
expect(deniedChanges.length).toEqual(1)
|
||||
expect(deniedChanges[0]).toBe(changes[1])
|
||||
})
|
||||
|
||||
test('allows packages not defined in the deny packages and groups list', async () => {
|
||||
const changes: Changes = [npmChange, pipChange]
|
||||
const deniedPackages = createTestPURLs([
|
||||
'pkg:gem/package-not-in-changes@1.0.0'
|
||||
])
|
||||
const deniedGroups = createTestPURLs(['pkg:maven/group.not.in.changes/'])
|
||||
const deniedChanges = await getDeniedChanges(
|
||||
changes,
|
||||
['pkg:gem/actionsomething'],
|
||||
['pkg:maven:org.apache.logging.log4j']
|
||||
deniedPackages,
|
||||
deniedGroups
|
||||
)
|
||||
|
||||
expect(deniedChanges.length).toEqual(0)
|
||||
|
||||
@@ -1,7 +1,8 @@
|
||||
import {Change} from '../../src/schemas'
|
||||
import {createTestVulnerability} from './create-test-vulnerability'
|
||||
import {PackageURL, parsePURL} from '../../src/purl'
|
||||
|
||||
const defaultChange: Change = {
|
||||
const defaultNpmChange: Change = {
|
||||
change_type: 'added',
|
||||
manifest: 'package.json',
|
||||
ecosystem: 'npm',
|
||||
@@ -28,9 +29,98 @@ const defaultChange: Change = {
|
||||
]
|
||||
}
|
||||
|
||||
const createTestChange = (overwrites: Partial<Change> = {}): Change => ({
|
||||
...defaultChange,
|
||||
...overwrites
|
||||
})
|
||||
const defaultRubyChange: Change = {
|
||||
change_type: 'added',
|
||||
manifest: 'Gemfile.lock',
|
||||
ecosystem: 'rubygems',
|
||||
name: 'actionsomething',
|
||||
version: '3.2.0',
|
||||
package_url: 'pkg:gem/actionsomething@3.2.0',
|
||||
license: 'BSD',
|
||||
source_repository_url: 'github.com/some-repo',
|
||||
scope: 'runtime',
|
||||
vulnerabilities: [
|
||||
{
|
||||
severity: 'moderate',
|
||||
advisory_ghsa_id: 'second-random_string',
|
||||
advisory_summary: 'not so dangerous',
|
||||
advisory_url: 'github.com/future-funk'
|
||||
},
|
||||
{
|
||||
severity: 'low',
|
||||
advisory_ghsa_id: 'third-random_string',
|
||||
advisory_summary: 'dont page me',
|
||||
advisory_url: 'github.com/future-funk'
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
export {createTestChange}
|
||||
const defaultPipChange: Change = {
|
||||
change_type: 'added',
|
||||
manifest: 'requirements.txt',
|
||||
ecosystem: 'pip',
|
||||
name: 'package-1',
|
||||
version: '1.1.1',
|
||||
package_url: 'pkg:pypi/package-1@1.1.1',
|
||||
license: 'MIT',
|
||||
source_repository_url: 'github.com/some-repo',
|
||||
scope: 'runtime',
|
||||
vulnerabilities: [
|
||||
{
|
||||
severity: 'moderate',
|
||||
advisory_ghsa_id: 'second-random_string',
|
||||
advisory_summary: 'not so dangerous',
|
||||
advisory_url: 'github.com/future-funk'
|
||||
},
|
||||
{
|
||||
severity: 'low',
|
||||
advisory_ghsa_id: 'third-random_string',
|
||||
advisory_summary: 'dont page me',
|
||||
advisory_url: 'github.com/future-funk'
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
const defaultMavenChange: Change = {
|
||||
change_type: 'added',
|
||||
manifest: 'pom.xml',
|
||||
ecosystem: 'maven',
|
||||
name: 'org.apache.logging.log4j:log4j-core',
|
||||
version: '2.15.0',
|
||||
package_url: 'pkg:maven/org.apache.logging.log4j/log4j-core@2.14.7',
|
||||
license: 'Apache-2.0',
|
||||
source_repository_url:
|
||||
'https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core',
|
||||
scope: 'unknown',
|
||||
vulnerabilities: [
|
||||
{
|
||||
severity: 'critical',
|
||||
advisory_ghsa_id: 'second-random_string',
|
||||
advisory_summary: 'not so dangerous',
|
||||
advisory_url: 'github.com/future-funk'
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
const ecosystemToDefaultChange: {[key: string]: Change} = {
|
||||
npm: defaultNpmChange,
|
||||
rubygems: defaultRubyChange,
|
||||
pip: defaultPipChange,
|
||||
maven: defaultMavenChange
|
||||
}
|
||||
|
||||
const createTestChange = (overwrites: Partial<Change> = {}): Change => {
|
||||
const ecosystem = overwrites.ecosystem || 'npm'
|
||||
return {
|
||||
...ecosystemToDefaultChange[ecosystem],
|
||||
...overwrites
|
||||
}
|
||||
}
|
||||
|
||||
const createTestPURLs = (list: string[]): PackageURL[] => {
|
||||
return list.map(purl => {
|
||||
return parsePURL(purl)
|
||||
})
|
||||
}
|
||||
|
||||
export {createTestChange, createTestPURLs}
|
||||
|
||||
@@ -0,0 +1,162 @@
|
||||
import {expect, test} from '@jest/globals'
|
||||
import {parsePURL} from '../src/purl'
|
||||
|
||||
test('parsePURL returns an error if the purl does not start with "pkg:"', () => {
|
||||
const purl = 'not-a-purl'
|
||||
const result = parsePURL(purl)
|
||||
expect(result.error).toEqual('package-url must start with "pkg:"')
|
||||
})
|
||||
|
||||
test('parsePURL returns an error if the purl does not contain a type', () => {
|
||||
const purl = 'pkg:/'
|
||||
const result = parsePURL(purl)
|
||||
expect(result.error).toEqual('package-url must contain a type')
|
||||
})
|
||||
|
||||
test('parsePURL returns an error if the purl does not contain a namespace or name', () => {
|
||||
const purl = 'pkg:ecosystem/'
|
||||
const result = parsePURL(purl)
|
||||
expect(result.type).toEqual('ecosystem')
|
||||
expect(result.error).toEqual('package-url must contain a namespace or name')
|
||||
})
|
||||
|
||||
test('parsePURL returns a PURL with the correct values in the happy case', () => {
|
||||
const purl = 'pkg:ecosystem/namespace/name@version'
|
||||
const result = parsePURL(purl)
|
||||
expect(result.type).toEqual('ecosystem')
|
||||
expect(result.namespace).toEqual('namespace')
|
||||
expect(result.name).toEqual('name')
|
||||
expect(result.version).toEqual('version')
|
||||
expect(result.original).toEqual(purl)
|
||||
expect(result.error).toBeNull()
|
||||
})
|
||||
|
||||
test('parsePURL table test', () => {
|
||||
const examples = [
|
||||
{
|
||||
purl: 'pkg:npm/@n4m3SPACE/Name@^1.2.3',
|
||||
expected: {
|
||||
type: 'npm',
|
||||
namespace: '@n4m3SPACE',
|
||||
name: 'Name',
|
||||
version: '^1.2.3',
|
||||
original: 'pkg:npm/@n4m3SPACE/Name@^1.2.3',
|
||||
error: null
|
||||
}
|
||||
},
|
||||
{
|
||||
purl: 'pkg:npm/%40ns%20foo/n%40me@1.%2f2.3',
|
||||
expected: {
|
||||
type: 'npm',
|
||||
namespace: '@ns foo',
|
||||
name: 'n@me',
|
||||
version: '1./2.3',
|
||||
original: 'pkg:npm/%40ns%20foo/n%40me@1.%2f2.3',
|
||||
error: null
|
||||
}
|
||||
},
|
||||
{
|
||||
purl: 'pkg:ecosystem/name@version',
|
||||
expected: {
|
||||
type: 'ecosystem',
|
||||
namespace: null,
|
||||
name: 'name',
|
||||
version: 'version',
|
||||
original: 'pkg:ecosystem/name@version',
|
||||
error: null
|
||||
}
|
||||
},
|
||||
{
|
||||
purl: 'pkg:npm/namespace/',
|
||||
expected: {
|
||||
type: 'npm',
|
||||
namespace: 'namespace',
|
||||
name: null,
|
||||
version: null,
|
||||
original: 'pkg:npm/namespace/',
|
||||
error: null
|
||||
}
|
||||
},
|
||||
{
|
||||
purl: 'pkg:ecosystem/name',
|
||||
expected: {
|
||||
type: 'ecosystem',
|
||||
namespace: null,
|
||||
name: 'name',
|
||||
version: null,
|
||||
original: 'pkg:ecosystem/name',
|
||||
error: null
|
||||
}
|
||||
},
|
||||
{
|
||||
purl: 'pkg:/?',
|
||||
expected: {
|
||||
type: '',
|
||||
namespace: null,
|
||||
name: null,
|
||||
version: null,
|
||||
original: 'pkg:/?',
|
||||
error: 'package-url must contain a type'
|
||||
}
|
||||
},
|
||||
{
|
||||
purl: 'pkg:ecosystem/#',
|
||||
expected: {
|
||||
type: 'ecosystem',
|
||||
namespace: null,
|
||||
name: null,
|
||||
version: null,
|
||||
original: 'pkg:ecosystem/#',
|
||||
error: 'package-url must contain a namespace or name'
|
||||
}
|
||||
},
|
||||
{
|
||||
purl: 'pkg:ecosystem/name@version#subpath?attributes=123',
|
||||
expected: {
|
||||
type: 'ecosystem',
|
||||
namespace: null,
|
||||
name: 'name',
|
||||
version: 'version',
|
||||
original: 'pkg:ecosystem/name@version#subpath?attributes=123',
|
||||
error: null
|
||||
}
|
||||
},
|
||||
{
|
||||
purl: 'pkg:ecosystem/name@version#subpath',
|
||||
expected: {
|
||||
type: 'ecosystem',
|
||||
namespace: null,
|
||||
name: 'name',
|
||||
version: 'version',
|
||||
original: 'pkg:ecosystem/name@version#subpath',
|
||||
error: null
|
||||
}
|
||||
},
|
||||
{
|
||||
purl: 'pkg:ecosystem/namespace/name@version?attributes',
|
||||
expected: {
|
||||
type: 'ecosystem',
|
||||
namespace: 'namespace',
|
||||
name: 'name',
|
||||
version: 'version',
|
||||
original: 'pkg:ecosystem/namespace/name@version?attributes',
|
||||
error: null
|
||||
}
|
||||
},
|
||||
{
|
||||
purl: 'pkg:ecosystem/name#subpath?attributes',
|
||||
expected: {
|
||||
type: 'ecosystem',
|
||||
namespace: null,
|
||||
name: 'name',
|
||||
version: null,
|
||||
original: 'pkg:ecosystem/name#subpath?attributes',
|
||||
error: null
|
||||
}
|
||||
}
|
||||
]
|
||||
for (const example of examples) {
|
||||
const result = parsePURL(example.purl)
|
||||
expect(result).toEqual(example.expected)
|
||||
}
|
||||
})
|
||||
@@ -22,6 +22,19 @@ const npmChange: Change = {
|
||||
]
|
||||
}
|
||||
|
||||
const actionsChange: Change = {
|
||||
manifest: 'workflow.yml',
|
||||
change_type: 'added',
|
||||
ecosystem: 'actions',
|
||||
name: 'actions/checkout/',
|
||||
version: 'v3',
|
||||
package_url: 'pkg:githubactions/actions@v3',
|
||||
license: 'MIT',
|
||||
source_repository_url: 'null',
|
||||
scope: 'runtime',
|
||||
vulnerabilities: []
|
||||
}
|
||||
|
||||
test('Get scorecard from API', async () => {
|
||||
const changes: Changes = [npmChange]
|
||||
const scorecard = await getScorecardLevels(changes)
|
||||
@@ -38,3 +51,11 @@ test('Get project URL from deps.dev API', async () => {
|
||||
)
|
||||
expect(result).not.toBeNull()
|
||||
})
|
||||
|
||||
test('Handles Actions special case', async () => {
|
||||
const changes: Changes = [actionsChange]
|
||||
const result = await getScorecardLevels(changes)
|
||||
expect(result).not.toBeNull()
|
||||
expect(result.dependencies).toHaveLength(1)
|
||||
expect(result.dependencies[0].scorecard?.score).toBeGreaterThan(0)
|
||||
})
|
||||
|
||||
@@ -19,7 +19,9 @@ export function clearInputs(): void {
|
||||
'BASE-REF',
|
||||
'HEAD-REF',
|
||||
'COMMENT-SUMMARY-IN-PR',
|
||||
'WARN-ONLY'
|
||||
'WARN-ONLY',
|
||||
'DENY-GROUPS',
|
||||
'DENY-PACKAGES'
|
||||
]
|
||||
|
||||
// eslint-disable-next-line github/array-foreach
|
||||
|
||||
+12
-9
@@ -1,5 +1,13 @@
|
||||
# Avoid using default values for options here since they will
|
||||
# end up overriding external configurations.
|
||||
# IMPORTANT
|
||||
#
|
||||
# Avoid setting default values for configuration options in
|
||||
# this file, they will overwrite external configurations.
|
||||
#
|
||||
# If you are trying to find out the default value for a config
|
||||
# option please take a look at the README or src/schemas.ts.
|
||||
#
|
||||
# If you are adding an option, make sure the Zod definition
|
||||
# contains a default value.
|
||||
name: 'Dependency Review'
|
||||
description: 'Prevent the introduction of dependencies with known vulnerabilities'
|
||||
author: 'GitHub'
|
||||
@@ -48,31 +56,26 @@ inputs:
|
||||
description: Determines if the summary is posted as a comment in the PR itself. Setting this to `always` or `on-failure` requires you to give the workflow the write permissions for pull-requests
|
||||
required: false
|
||||
deny-packages:
|
||||
description: A comma-separated list of package URLs to deny (e.g. "pkg:npm/express, pkg:pypi/pycrypto")
|
||||
description: A comma-separated list of package URLs to deny (e.g. "pkg:npm/express, pkg:pypi/pycrypto"). If version specified, only deny matching packages and version; else, deny all regardless of version.
|
||||
required: false
|
||||
deny-groups:
|
||||
description: A comma-separated list of package URLs for group(s)/namespace(s) to deny (e.g. "pkg:npm/express, pkg:pypi/pycrypto")
|
||||
description: A comma-separated list of package URLs for group(s)/namespace(s) to deny (e.g. "pkg:npm/express/, pkg:pypi/pycrypto/"). Please note that the group name must be followed by a `/`.
|
||||
required: false
|
||||
retry-on-snapshot-warnings:
|
||||
description: Whether to retry on snapshot warnings
|
||||
required: false
|
||||
default: false
|
||||
retry-on-snapshot-warnings-timeout:
|
||||
description: Number of seconds to wait before stopping snapshot retries.
|
||||
required: false
|
||||
default: 120
|
||||
warn-only:
|
||||
description: When set to `true` this action will always complete with success, overriding the `fail-on-severity` parameter.
|
||||
required: false
|
||||
default: false
|
||||
show-openssf-scorecard:
|
||||
description: Show a summary of the OpenSSF Scorecard scores.
|
||||
required: false
|
||||
default: true
|
||||
warn-on-openssf-scorecard-level:
|
||||
description: Numeric threshold for the OpenSSF Scorecard score. If the score is below this threshold, the action will warn you.
|
||||
required: false
|
||||
default: 3
|
||||
outputs:
|
||||
comment-content:
|
||||
description: Prepared dependency report comment
|
||||
|
||||
+331
-303
@@ -106,8 +106,8 @@ function commentPr(summary, config) {
|
||||
}
|
||||
exports.commentPr = commentPr;
|
||||
function findCommentByMarker(commentBodyIncludes) {
|
||||
var _a, e_1, _b, _c;
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
var _a, e_1, _b, _c;
|
||||
const commentsIterator = octo.paginate.iterator(octo.rest.issues.listComments, {
|
||||
owner: github.context.repo.owner,
|
||||
repo: github.context.repo.repo,
|
||||
@@ -177,33 +177,33 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
|
||||
});
|
||||
};
|
||||
Object.defineProperty(exports, "__esModule", ({ value: true }));
|
||||
exports.getDeniedChanges = void 0;
|
||||
exports.getNamespace = exports.getDeniedChanges = void 0;
|
||||
const core = __importStar(__nccwpck_require__(2186));
|
||||
function getDeniedChanges(changes, deniedPackages, deniedGroups) {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
const purl_1 = __nccwpck_require__(3609);
|
||||
function getDeniedChanges(changes_1) {
|
||||
return __awaiter(this, arguments, void 0, function* (changes, deniedPackages = [], deniedGroups = []) {
|
||||
const changesDenied = [];
|
||||
let failed = false;
|
||||
let hasDeniedPackage = false;
|
||||
for (const change of changes) {
|
||||
change.name = change.name.toLowerCase();
|
||||
const packageUrl = change.package_url.toLowerCase().split('@')[0];
|
||||
if (deniedPackages) {
|
||||
for (const denied of deniedPackages) {
|
||||
if (packageUrl === denied.split('@')[0].toLowerCase()) {
|
||||
changesDenied.push(change);
|
||||
failed = true;
|
||||
}
|
||||
for (const denied of deniedPackages) {
|
||||
if ((!denied.version || change.version === denied.version) &&
|
||||
change.name === denied.name) {
|
||||
changesDenied.push(change);
|
||||
hasDeniedPackage = true;
|
||||
}
|
||||
}
|
||||
if (deniedGroups) {
|
||||
for (const denied of deniedGroups) {
|
||||
if (packageUrl.startsWith(denied.toLowerCase())) {
|
||||
changesDenied.push(change);
|
||||
failed = true;
|
||||
}
|
||||
for (const denied of deniedGroups) {
|
||||
const namespace = (0, exports.getNamespace)(change);
|
||||
if (!denied.namespace) {
|
||||
core.error(`Denied group represented by '${denied.original}' does not have a namespace. The format should be 'pkg:<type>/<namespace>/'.`);
|
||||
}
|
||||
if (namespace && namespace === denied.namespace) {
|
||||
changesDenied.push(change);
|
||||
hasDeniedPackage = true;
|
||||
}
|
||||
}
|
||||
}
|
||||
if (failed) {
|
||||
if (hasDeniedPackage) {
|
||||
core.setFailed('Dependency review detected denied packages.');
|
||||
}
|
||||
else {
|
||||
@@ -213,6 +213,17 @@ function getDeniedChanges(changes, deniedPackages, deniedGroups) {
|
||||
});
|
||||
}
|
||||
exports.getDeniedChanges = getDeniedChanges;
|
||||
const getNamespace = (change) => {
|
||||
if (change.package_url) {
|
||||
return (0, purl_1.parsePURL)(change.package_url).namespace;
|
||||
}
|
||||
const matches = change.name.match(/([^:/]+)[:/]/);
|
||||
if (matches && matches.length > 1) {
|
||||
return matches[1];
|
||||
}
|
||||
return null;
|
||||
};
|
||||
exports.getNamespace = getNamespace;
|
||||
|
||||
|
||||
/***/ }),
|
||||
@@ -263,8 +274,8 @@ const schemas_1 = __nccwpck_require__(8774);
|
||||
const retryingOctokit = githubUtils.GitHub.plugin(retry.retry);
|
||||
const SnapshotWarningsHeader = 'x-github-dependency-graph-snapshot-warnings';
|
||||
const octo = new retryingOctokit(githubUtils.getOctokitOptions(core.getInput('repo-token', { required: true })));
|
||||
function compare({ owner, repo, baseRef, headRef }) {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
function compare(_a) {
|
||||
return __awaiter(this, arguments, void 0, function* ({ owner, repo, baseRef, headRef }) {
|
||||
let snapshot_warnings = '';
|
||||
const changes = yield octo.paginate({
|
||||
method: 'GET',
|
||||
@@ -356,13 +367,13 @@ Object.defineProperty(exports, "__esModule", ({ value: true }));
|
||||
exports.getInvalidLicenseChanges = void 0;
|
||||
const spdx_satisfies_1 = __importDefault(__nccwpck_require__(4424));
|
||||
const utils_1 = __nccwpck_require__(918);
|
||||
const packageurl_js_1 = __nccwpck_require__(8915);
|
||||
const purl_1 = __nccwpck_require__(3609);
|
||||
function getInvalidLicenseChanges(changes, licenses) {
|
||||
var _a;
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
var _a;
|
||||
const { allow, deny } = licenses;
|
||||
const licenseExclusions = (_a = licenses.licenseExclusions) === null || _a === void 0 ? void 0 : _a.map((pkgUrl) => {
|
||||
return packageurl_js_1.PackageURL.fromString(encodeURI(pkgUrl));
|
||||
return (0, purl_1.parsePURL)(pkgUrl);
|
||||
});
|
||||
const groupedChanges = yield groupChanges(changes);
|
||||
// Takes the changes from the groupedChanges object and filters out the ones that are part of the exclusions list
|
||||
@@ -371,7 +382,7 @@ function getInvalidLicenseChanges(changes, licenses) {
|
||||
if (change.package_url.length === 0) {
|
||||
return true;
|
||||
}
|
||||
const changeAsPackageURL = packageurl_js_1.PackageURL.fromString(encodeURI(change.package_url));
|
||||
const changeAsPackageURL = (0, purl_1.parsePURL)(encodeURI(change.package_url));
|
||||
// We want to find if the licenseExclussion list contains the PackageURL of the Change
|
||||
// If it does, we want to filter it out and therefore return false
|
||||
// If it doesn't, we want to keep it and therefore return true
|
||||
@@ -813,8 +824,8 @@ function printDeniedDependencies(changes, config) {
|
||||
}));
|
||||
}
|
||||
function createScorecardWarnings(scorecards, config) {
|
||||
var _a, _b, _c;
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
var _a, _b, _c;
|
||||
// Iterate through the list of scorecards, and if the score is less than the threshold, send a warning
|
||||
for (const dependency of scorecards.dependencies) {
|
||||
if (((_a = dependency.scorecard) === null || _a === void 0 ? void 0 : _a.score) &&
|
||||
@@ -829,6 +840,105 @@ function createScorecardWarnings(scorecards, config) {
|
||||
run();
|
||||
|
||||
|
||||
/***/ }),
|
||||
|
||||
/***/ 3609:
|
||||
/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
|
||||
|
||||
"use strict";
|
||||
|
||||
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
|
||||
if (k2 === undefined) k2 = k;
|
||||
var desc = Object.getOwnPropertyDescriptor(m, k);
|
||||
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
|
||||
desc = { enumerable: true, get: function() { return m[k]; } };
|
||||
}
|
||||
Object.defineProperty(o, k2, desc);
|
||||
}) : (function(o, m, k, k2) {
|
||||
if (k2 === undefined) k2 = k;
|
||||
o[k2] = m[k];
|
||||
}));
|
||||
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
|
||||
Object.defineProperty(o, "default", { enumerable: true, value: v });
|
||||
}) : function(o, v) {
|
||||
o["default"] = v;
|
||||
});
|
||||
var __importStar = (this && this.__importStar) || function (mod) {
|
||||
if (mod && mod.__esModule) return mod;
|
||||
var result = {};
|
||||
if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
|
||||
__setModuleDefault(result, mod);
|
||||
return result;
|
||||
};
|
||||
Object.defineProperty(exports, "__esModule", ({ value: true }));
|
||||
exports.parsePURL = exports.PurlSchema = void 0;
|
||||
const z = __importStar(__nccwpck_require__(3301));
|
||||
// the basic purl type, containing type, namespace, name, and version.
|
||||
// other than type, all fields are nullable. this is for maximum flexibility
|
||||
// at the cost of strict adherence to the package-url spec.
|
||||
exports.PurlSchema = z.object({
|
||||
type: z.string(),
|
||||
namespace: z.string().nullable(),
|
||||
name: z.string().nullable(), // name is nullable for deny-groups
|
||||
version: z.string().nullable(),
|
||||
original: z.string(),
|
||||
error: z.string().nullable()
|
||||
});
|
||||
const PURL_TYPE = /pkg:([a-zA-Z0-9-_]+)\/.*/;
|
||||
function parsePURL(purl) {
|
||||
const result = {
|
||||
type: '',
|
||||
namespace: null,
|
||||
name: null,
|
||||
version: null,
|
||||
original: purl,
|
||||
error: null
|
||||
};
|
||||
if (!purl.startsWith('pkg:')) {
|
||||
result.error = 'package-url must start with "pkg:"';
|
||||
return result;
|
||||
}
|
||||
const type = purl.match(PURL_TYPE);
|
||||
if (!type) {
|
||||
result.error = 'package-url must contain a type';
|
||||
return result;
|
||||
}
|
||||
result.type = type[1];
|
||||
const parts = purl.split('/');
|
||||
// the first 'part' should be 'pkg:ecosystem'
|
||||
if (parts.length < 2 || !parts[1]) {
|
||||
result.error = 'package-url must contain a namespace or name';
|
||||
return result;
|
||||
}
|
||||
let namePlusRest;
|
||||
if (parts.length === 2) {
|
||||
namePlusRest = parts[1];
|
||||
}
|
||||
else {
|
||||
result.namespace = decodeURIComponent(parts[1]);
|
||||
namePlusRest = parts[2];
|
||||
}
|
||||
const name = namePlusRest.match(/([^@#?]+)[@#?]?.*/);
|
||||
if (!result.namespace && !name) {
|
||||
result.error = 'package-url must contain a namespace or name';
|
||||
return result;
|
||||
}
|
||||
if (!name) {
|
||||
// we're done here
|
||||
return result;
|
||||
}
|
||||
result.name = decodeURIComponent(name[1]);
|
||||
const version = namePlusRest.match(/@([^#?]+)[#?]?.*/);
|
||||
if (!version) {
|
||||
return result;
|
||||
}
|
||||
result.version = decodeURIComponent(version[1]);
|
||||
// we don't parse subpath or attributes, so we're done here
|
||||
return result;
|
||||
}
|
||||
exports.parsePURL = parsePURL;
|
||||
|
||||
|
||||
/***/ }),
|
||||
|
||||
/***/ 8774:
|
||||
@@ -862,9 +972,48 @@ var __importStar = (this && this.__importStar) || function (mod) {
|
||||
Object.defineProperty(exports, "__esModule", ({ value: true }));
|
||||
exports.ScorecardSchema = exports.ScorecardApiSchema = exports.ComparisonResponseSchema = exports.ChangesSchema = exports.ConfigurationOptionsSchema = exports.PullRequestSchema = exports.ChangeSchema = exports.SeveritySchema = exports.SCOPES = exports.SEVERITIES = void 0;
|
||||
const z = __importStar(__nccwpck_require__(3301));
|
||||
const purl_1 = __nccwpck_require__(3609);
|
||||
exports.SEVERITIES = ['critical', 'high', 'moderate', 'low'];
|
||||
exports.SCOPES = ['unknown', 'runtime', 'development'];
|
||||
exports.SeveritySchema = z.enum(exports.SEVERITIES).default('low');
|
||||
const PackageURL = z
|
||||
.string()
|
||||
.transform(purlString => {
|
||||
return (0, purl_1.parsePURL)(purlString);
|
||||
})
|
||||
.superRefine((purl, context) => {
|
||||
if (purl.error) {
|
||||
context.addIssue({
|
||||
code: z.ZodIssueCode.custom,
|
||||
message: `Error parsing package-url: ${purl.error}`
|
||||
});
|
||||
}
|
||||
if (!purl.name) {
|
||||
context.addIssue({
|
||||
code: z.ZodIssueCode.custom,
|
||||
message: `Error parsing package-url: name is required`
|
||||
});
|
||||
}
|
||||
});
|
||||
const PackageURLWithNamespace = z
|
||||
.string()
|
||||
.transform(purlString => {
|
||||
return (0, purl_1.parsePURL)(purlString);
|
||||
})
|
||||
.superRefine((purl, context) => {
|
||||
if (purl.error) {
|
||||
context.addIssue({
|
||||
code: z.ZodIssueCode.custom,
|
||||
message: `Error parsing purl: ${purl.error}`
|
||||
});
|
||||
}
|
||||
if (purl.namespace === null) {
|
||||
context.addIssue({
|
||||
code: z.ZodIssueCode.custom,
|
||||
message: `package-url must have a namespace, and the namespace must be followed by '/'`
|
||||
});
|
||||
}
|
||||
});
|
||||
exports.ChangeSchema = z.object({
|
||||
change_type: z.enum(['added', 'removed']),
|
||||
manifest: z.string(),
|
||||
@@ -898,8 +1047,8 @@ exports.ConfigurationOptionsSchema = z
|
||||
deny_licenses: z.array(z.string()).optional(),
|
||||
allow_dependencies_licenses: z.array(z.string()).optional(),
|
||||
allow_ghsas: z.array(z.string()).default([]),
|
||||
deny_packages: z.array(z.string()).default([]),
|
||||
deny_groups: z.array(z.string()).default([]),
|
||||
deny_packages: z.array(PackageURL).default([]),
|
||||
deny_groups: z.array(PackageURLWithNamespace).default([]),
|
||||
license_check: z.boolean().default(true),
|
||||
vulnerability_check: z.boolean().default(true),
|
||||
config_file: z.string().optional(),
|
||||
@@ -1043,8 +1192,15 @@ function getScorecardLevels(changes) {
|
||||
if (repositoryUrl === null || repositoryUrl === void 0 ? void 0 : repositoryUrl.startsWith('https://')) {
|
||||
repositoryUrl = repositoryUrl.replace('https://', '');
|
||||
}
|
||||
// Handle the special case for GitHub Actions, where the repository URL is null
|
||||
if (ecosystem === 'actions') {
|
||||
// The package name for GitHub Actions in the API is in the format `owner/repo/`, so we can use that to get the repository URL
|
||||
// If the package name has more than 2 slashes, it's referencing a sub-action, and we need to strip the last part out
|
||||
const parts = packageName.split('/');
|
||||
repositoryUrl = `github.com/${parts[0]}/${parts[1]}`; // e.g. github.com/actions/checkout
|
||||
}
|
||||
// If GitHub API doesn't have the repository URL, query deps.dev for it.
|
||||
if (repositoryUrl) {
|
||||
if (!repositoryUrl) {
|
||||
// Call the deps.dev API to get the repository URL from there
|
||||
repositoryUrl = yield getProjectUrl(ecosystem, packageName, version);
|
||||
}
|
||||
@@ -1069,7 +1225,7 @@ function getScorecardLevels(changes) {
|
||||
exports.getScorecardLevels = getScorecardLevels;
|
||||
function getScorecard(repositoryUrl) {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
const apiRoot = 'https://api.securityscorecards.dev/';
|
||||
const apiRoot = 'https://api.securityscorecards.dev';
|
||||
let scorecardResponse = {};
|
||||
const url = `${apiRoot}/projects/${repositoryUrl}`;
|
||||
const response = yield fetch(url);
|
||||
@@ -1177,7 +1333,7 @@ function addSummaryToSummary(vulnerableChanges, invalidLicenseChanges, deniedCha
|
||||
: []),
|
||||
...(deniedChanges.length > 0
|
||||
? [
|
||||
`${checkOrWarnIcon(deniedChanges.length)} ${deniedChanges.length} package(s) denied.`
|
||||
`${checkOrFailIcon(deniedChanges.length)} ${deniedChanges.length} package(s) denied.`
|
||||
]
|
||||
: []),
|
||||
...(config.show_openssf_scorecard && scorecardWarnings > 0
|
||||
@@ -1351,7 +1507,7 @@ function addScorecardToSummary(scorecard, config) {
|
||||
: ':green_circle:';
|
||||
}
|
||||
//Add a row for the dependency
|
||||
core.summary.addRaw(`<tr><td>${dependency.change.source_repository_url ? `<a href="https://${dependency.change.source_repository_url}">` : ''} ${dependency.change.ecosystem}/${dependency.change.name} ${dependency.change.source_repository_url ? `</a>` : ''}</td><td>${dependency.change.version}</td>
|
||||
core.summary.addRaw(`<tr><td>${dependency.change.source_repository_url ? `<a href="${dependency.change.source_repository_url}">` : ''} ${dependency.change.ecosystem}/${dependency.change.name} ${dependency.change.source_repository_url ? `</a>` : ''}</td><td>${dependency.change.version}</td>
|
||||
<td>${overallIcon} ${((_d = dependency.scorecard) === null || _d === void 0 ? void 0 : _d.score) === undefined || ((_e = dependency.scorecard) === null || _e === void 0 ? void 0 : _e.score) === null ? 'Unknown' : (_f = dependency.scorecard) === null || _f === void 0 ? void 0 : _f.score}</td>`, false);
|
||||
//Add details table in the last column
|
||||
if (((_g = dependency.scorecard) === null || _g === void 0 ? void 0 : _g.checks) !== undefined) {
|
||||
@@ -18382,272 +18538,6 @@ function onceStrict (fn) {
|
||||
}
|
||||
|
||||
|
||||
/***/ }),
|
||||
|
||||
/***/ 8915:
|
||||
/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => {
|
||||
|
||||
/*!
|
||||
Copyright (c) the purl authors
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
of this software and associated documentation files (the "Software"), to deal
|
||||
in the Software without restriction, including without limitation the rights
|
||||
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
copies of the Software, and to permit persons to whom the Software is
|
||||
furnished to do so, subject to the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be included in all
|
||||
copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
||||
SOFTWARE.
|
||||
*/
|
||||
|
||||
const PackageURL = __nccwpck_require__(8749);
|
||||
|
||||
module.exports = {
|
||||
PackageURL
|
||||
};
|
||||
|
||||
|
||||
/***/ }),
|
||||
|
||||
/***/ 8749:
|
||||
/***/ ((module) => {
|
||||
|
||||
/*!
|
||||
Copyright (c) the purl authors
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
of this software and associated documentation files (the "Software"), to deal
|
||||
in the Software without restriction, including without limitation the rights
|
||||
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
copies of the Software, and to permit persons to whom the Software is
|
||||
furnished to do so, subject to the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be included in all
|
||||
copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
||||
SOFTWARE.
|
||||
*/
|
||||
|
||||
const KnownQualifierNames = Object.freeze({
|
||||
// known qualifiers as defined here:
|
||||
// https://github.com/package-url/purl-spec/blob/master/PURL-SPECIFICATION.rst#known-qualifiers-keyvalue-pairs
|
||||
RepositoryUrl: 'repository_url',
|
||||
DownloadUrl: 'download_url',
|
||||
VcsUrl: 'vcs_url',
|
||||
FileName: 'file_name',
|
||||
Checksum: 'checksum'
|
||||
});
|
||||
|
||||
class PackageURL {
|
||||
|
||||
static get KnownQualifierNames() {
|
||||
return KnownQualifierNames;
|
||||
}
|
||||
|
||||
constructor(type, namespace, name, version, qualifiers, subpath) {
|
||||
let required = { 'type': type, 'name': name };
|
||||
Object.keys(required).forEach(key => {
|
||||
if (!required[key]) {
|
||||
throw new Error('Invalid purl: "' + key + '" is a required field.');
|
||||
}
|
||||
});
|
||||
|
||||
let strings = { 'type': type, 'namespace': namespace, 'name': name, 'versions': version, 'subpath': subpath };
|
||||
Object.keys(strings).forEach(key => {
|
||||
if (strings[key] && typeof strings[key] === 'string' || !strings[key]) {
|
||||
return;
|
||||
}
|
||||
throw new Error('Invalid purl: "' + key + '" argument must be a string.');
|
||||
});
|
||||
|
||||
if (qualifiers) {
|
||||
if (typeof qualifiers !== 'object') {
|
||||
throw new Error('Invalid purl: "qualifiers" argument must be a dictionary.');
|
||||
}
|
||||
Object.keys(qualifiers).forEach(key => {
|
||||
if (!/^[a-z]+$/i.test(key) && !/[\.-_]/.test(key)) {
|
||||
throw new Error('Invalid purl: qualifier "' + key + '" contains an illegal character.');
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
this.type = type;
|
||||
this.name = name;
|
||||
this.namespace = namespace;
|
||||
this.version = version;
|
||||
this.qualifiers = qualifiers;
|
||||
this.subpath = subpath;
|
||||
}
|
||||
|
||||
_handlePyPi() {
|
||||
this.name = this.name.toLowerCase().replace(/_/g, '-');
|
||||
}
|
||||
_handlePub() {
|
||||
this.name = this.name.toLowerCase();
|
||||
if (!/^[a-z0-9_]+$/i.test(this.name)) {
|
||||
throw new Error('Invalid purl: contains an illegal character.');
|
||||
}
|
||||
}
|
||||
|
||||
toString() {
|
||||
var purl = ['pkg:', encodeURIComponent(this.type), '/'];
|
||||
|
||||
if (this.type === 'pypi') {
|
||||
this._handlePyPi();
|
||||
}
|
||||
if (this.type === 'pub') {
|
||||
this._handlePub();
|
||||
}
|
||||
|
||||
if (this.namespace) {
|
||||
purl.push(
|
||||
encodeURIComponent(this.namespace)
|
||||
.replace(/%3A/g, ':')
|
||||
.replace(/%2F/g, '/')
|
||||
);
|
||||
purl.push('/');
|
||||
}
|
||||
|
||||
purl.push(encodeURIComponent(this.name).replace(/%3A/g, ':'));
|
||||
|
||||
if (this.version) {
|
||||
purl.push('@');
|
||||
purl.push(encodeURIComponent(this.version).replace(/%3A/g, ':').replace(/%2B/g,'+'));
|
||||
}
|
||||
|
||||
if (this.qualifiers) {
|
||||
purl.push('?');
|
||||
|
||||
let qualifiers = this.qualifiers;
|
||||
let qualifierString = [];
|
||||
Object.keys(qualifiers).sort().forEach(key => {
|
||||
qualifierString.push(
|
||||
encodeURIComponent(key).replace(/%3A/g, ':')
|
||||
+ '='
|
||||
+ encodeURIComponent(qualifiers[key]).replace(/%2F/g, '/')
|
||||
);
|
||||
});
|
||||
|
||||
purl.push(qualifierString.join('&'));
|
||||
}
|
||||
|
||||
if (this.subpath) {
|
||||
purl.push('#');
|
||||
purl.push(encodeURIComponent(this.subpath)
|
||||
.replace(/%3A/g, ':')
|
||||
.replace(/%2F/g, '/'));
|
||||
}
|
||||
|
||||
return purl.join('');
|
||||
}
|
||||
|
||||
static fromString(purl) {
|
||||
if (!purl || typeof purl !== 'string' || !purl.trim()) {
|
||||
throw new Error('A purl string argument is required.');
|
||||
}
|
||||
|
||||
let scheme = purl.slice(0, purl.indexOf(':'))
|
||||
let remainder = purl.slice(purl.indexOf(':') + 1)
|
||||
if (scheme !== 'pkg') {
|
||||
throw new Error('purl is missing the required "pkg" scheme component.');
|
||||
}
|
||||
// this strip '/, // and /// as possible in :// or :///
|
||||
// from https://gist.github.com/refo/47632c8a547f2d9b6517#file-remove-leading-slash
|
||||
remainder = remainder.trim().replace(/^\/+/g, '');
|
||||
|
||||
let type
|
||||
[type, remainder] = remainder.split('/', 2);
|
||||
if (!type || !remainder) {
|
||||
throw new Error('purl is missing the required "type" component.');
|
||||
}
|
||||
type = decodeURIComponent(type)
|
||||
|
||||
let url = new URL(purl);
|
||||
|
||||
let qualifiers = null;
|
||||
url.searchParams.forEach((value, key) => {
|
||||
if (!qualifiers) {
|
||||
qualifiers = {};
|
||||
}
|
||||
qualifiers[key] = value;
|
||||
});
|
||||
let subpath = url.hash;
|
||||
if (subpath.indexOf('#') === 0) {
|
||||
subpath = subpath.substring(1);
|
||||
}
|
||||
subpath = subpath.length === 0
|
||||
? null
|
||||
: decodeURIComponent(subpath)
|
||||
|
||||
if (url.username !== '' || url.password !== '') {
|
||||
throw new Error('Invalid purl: cannot contain a "user:pass@host:port"');
|
||||
}
|
||||
|
||||
// this strip '/, // and /// as possible in :// or :///
|
||||
// from https://gist.github.com/refo/47632c8a547f2d9b6517#file-remove-leading-slash
|
||||
let path = url.pathname.trim().replace(/^\/+/g, '');
|
||||
|
||||
// version is optional - check for existence
|
||||
let version = null;
|
||||
if (path.includes('@')) {
|
||||
let index = path.indexOf('@');
|
||||
let rawVersion= path.substring(index + 1);
|
||||
version = decodeURIComponent(rawVersion);
|
||||
|
||||
// Convert percent-encoded colons (:) back, to stay in line with the `toString`
|
||||
// implementation of this library.
|
||||
// https://github.com/package-url/packageurl-js/blob/58026c86978c6e356e5e07f29ecfdccbf8829918/src/package-url.js#L98C10-L98C10
|
||||
let versionEncoded = encodeURIComponent(version).replace(/%3A/g, ':').replace(/%2B/g,'+');
|
||||
|
||||
if (rawVersion !== versionEncoded) {
|
||||
throw new Error('Invalid purl: version must be percent-encoded');
|
||||
}
|
||||
|
||||
remainder = path.substring(0, index);
|
||||
} else {
|
||||
remainder = path;
|
||||
}
|
||||
|
||||
// The 'remainder' should now consist of an optional namespace and the name
|
||||
let remaining = remainder.split('/').slice(1);
|
||||
let name = null;
|
||||
let namespace = null;
|
||||
if (remaining.length > 1) {
|
||||
let nameIndex = remaining.length - 1;
|
||||
let namespaceComponents = remaining.slice(0, nameIndex);
|
||||
name = decodeURIComponent(remaining[nameIndex]);
|
||||
namespace = decodeURIComponent(namespaceComponents.join('/'));
|
||||
} else if (remaining.length === 1) {
|
||||
name = decodeURIComponent(remaining[0]);
|
||||
}
|
||||
|
||||
if (name === '') {
|
||||
throw new Error('purl is missing the required "name" component.');
|
||||
}
|
||||
|
||||
return new PackageURL(type, namespace, name, version, qualifiers, subpath);
|
||||
}
|
||||
|
||||
};
|
||||
|
||||
module.exports = PackageURL;
|
||||
|
||||
|
||||
/***/ }),
|
||||
|
||||
/***/ 1867:
|
||||
@@ -49708,7 +49598,7 @@ const core = __importStar(__nccwpck_require__(2186));
|
||||
const z = __importStar(__nccwpck_require__(3301));
|
||||
const schemas_1 = __nccwpck_require__(1129);
|
||||
const utils_1 = __nccwpck_require__(1314);
|
||||
const packageurl_js_1 = __nccwpck_require__(8915);
|
||||
const purl_1 = __nccwpck_require__(4498);
|
||||
function readConfig() {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
const inlineConfig = readInlineConfig();
|
||||
@@ -49891,7 +49781,7 @@ function validatePURL(allow_dependencies_licenses) {
|
||||
if (allow_dependencies_licenses === undefined) {
|
||||
return;
|
||||
}
|
||||
const invalid_purls = allow_dependencies_licenses.filter(purl => !packageurl_js_1.PackageURL.fromString(purl));
|
||||
const invalid_purls = allow_dependencies_licenses.filter(purl => !(0, purl_1.parsePURL)(purl).error);
|
||||
if (invalid_purls.length > 0) {
|
||||
throw new Error(`Invalid purl(s) in allow-dependencies-licenses: ${invalid_purls}`);
|
||||
}
|
||||
@@ -49981,6 +49871,105 @@ function filterAllowedAdvisories(ghsas, changes) {
|
||||
exports.filterAllowedAdvisories = filterAllowedAdvisories;
|
||||
|
||||
|
||||
/***/ }),
|
||||
|
||||
/***/ 4498:
|
||||
/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
|
||||
|
||||
"use strict";
|
||||
|
||||
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
|
||||
if (k2 === undefined) k2 = k;
|
||||
var desc = Object.getOwnPropertyDescriptor(m, k);
|
||||
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
|
||||
desc = { enumerable: true, get: function() { return m[k]; } };
|
||||
}
|
||||
Object.defineProperty(o, k2, desc);
|
||||
}) : (function(o, m, k, k2) {
|
||||
if (k2 === undefined) k2 = k;
|
||||
o[k2] = m[k];
|
||||
}));
|
||||
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
|
||||
Object.defineProperty(o, "default", { enumerable: true, value: v });
|
||||
}) : function(o, v) {
|
||||
o["default"] = v;
|
||||
});
|
||||
var __importStar = (this && this.__importStar) || function (mod) {
|
||||
if (mod && mod.__esModule) return mod;
|
||||
var result = {};
|
||||
if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
|
||||
__setModuleDefault(result, mod);
|
||||
return result;
|
||||
};
|
||||
Object.defineProperty(exports, "__esModule", ({ value: true }));
|
||||
exports.parsePURL = exports.PurlSchema = void 0;
|
||||
const z = __importStar(__nccwpck_require__(3301));
|
||||
// the basic purl type, containing type, namespace, name, and version.
|
||||
// other than type, all fields are nullable. this is for maximum flexibility
|
||||
// at the cost of strict adherence to the package-url spec.
|
||||
exports.PurlSchema = z.object({
|
||||
type: z.string(),
|
||||
namespace: z.string().nullable(),
|
||||
name: z.string().nullable(), // name is nullable for deny-groups
|
||||
version: z.string().nullable(),
|
||||
original: z.string(),
|
||||
error: z.string().nullable()
|
||||
});
|
||||
const PURL_TYPE = /pkg:([a-zA-Z0-9-_]+)\/.*/;
|
||||
function parsePURL(purl) {
|
||||
const result = {
|
||||
type: '',
|
||||
namespace: null,
|
||||
name: null,
|
||||
version: null,
|
||||
original: purl,
|
||||
error: null
|
||||
};
|
||||
if (!purl.startsWith('pkg:')) {
|
||||
result.error = 'package-url must start with "pkg:"';
|
||||
return result;
|
||||
}
|
||||
const type = purl.match(PURL_TYPE);
|
||||
if (!type) {
|
||||
result.error = 'package-url must contain a type';
|
||||
return result;
|
||||
}
|
||||
result.type = type[1];
|
||||
const parts = purl.split('/');
|
||||
// the first 'part' should be 'pkg:ecosystem'
|
||||
if (parts.length < 2 || !parts[1]) {
|
||||
result.error = 'package-url must contain a namespace or name';
|
||||
return result;
|
||||
}
|
||||
let namePlusRest;
|
||||
if (parts.length === 2) {
|
||||
namePlusRest = parts[1];
|
||||
}
|
||||
else {
|
||||
result.namespace = decodeURIComponent(parts[1]);
|
||||
namePlusRest = parts[2];
|
||||
}
|
||||
const name = namePlusRest.match(/([^@#?]+)[@#?]?.*/);
|
||||
if (!result.namespace && !name) {
|
||||
result.error = 'package-url must contain a namespace or name';
|
||||
return result;
|
||||
}
|
||||
if (!name) {
|
||||
// we're done here
|
||||
return result;
|
||||
}
|
||||
result.name = decodeURIComponent(name[1]);
|
||||
const version = namePlusRest.match(/@([^#?]+)[#?]?.*/);
|
||||
if (!version) {
|
||||
return result;
|
||||
}
|
||||
result.version = decodeURIComponent(version[1]);
|
||||
// we don't parse subpath or attributes, so we're done here
|
||||
return result;
|
||||
}
|
||||
exports.parsePURL = parsePURL;
|
||||
|
||||
|
||||
/***/ }),
|
||||
|
||||
/***/ 1129:
|
||||
@@ -50014,9 +50003,48 @@ var __importStar = (this && this.__importStar) || function (mod) {
|
||||
Object.defineProperty(exports, "__esModule", ({ value: true }));
|
||||
exports.ScorecardSchema = exports.ScorecardApiSchema = exports.ComparisonResponseSchema = exports.ChangesSchema = exports.ConfigurationOptionsSchema = exports.PullRequestSchema = exports.ChangeSchema = exports.SeveritySchema = exports.SCOPES = exports.SEVERITIES = void 0;
|
||||
const z = __importStar(__nccwpck_require__(3301));
|
||||
const purl_1 = __nccwpck_require__(4498);
|
||||
exports.SEVERITIES = ['critical', 'high', 'moderate', 'low'];
|
||||
exports.SCOPES = ['unknown', 'runtime', 'development'];
|
||||
exports.SeveritySchema = z.enum(exports.SEVERITIES).default('low');
|
||||
const PackageURL = z
|
||||
.string()
|
||||
.transform(purlString => {
|
||||
return (0, purl_1.parsePURL)(purlString);
|
||||
})
|
||||
.superRefine((purl, context) => {
|
||||
if (purl.error) {
|
||||
context.addIssue({
|
||||
code: z.ZodIssueCode.custom,
|
||||
message: `Error parsing package-url: ${purl.error}`
|
||||
});
|
||||
}
|
||||
if (!purl.name) {
|
||||
context.addIssue({
|
||||
code: z.ZodIssueCode.custom,
|
||||
message: `Error parsing package-url: name is required`
|
||||
});
|
||||
}
|
||||
});
|
||||
const PackageURLWithNamespace = z
|
||||
.string()
|
||||
.transform(purlString => {
|
||||
return (0, purl_1.parsePURL)(purlString);
|
||||
})
|
||||
.superRefine((purl, context) => {
|
||||
if (purl.error) {
|
||||
context.addIssue({
|
||||
code: z.ZodIssueCode.custom,
|
||||
message: `Error parsing purl: ${purl.error}`
|
||||
});
|
||||
}
|
||||
if (purl.namespace === null) {
|
||||
context.addIssue({
|
||||
code: z.ZodIssueCode.custom,
|
||||
message: `package-url must have a namespace, and the namespace must be followed by '/'`
|
||||
});
|
||||
}
|
||||
});
|
||||
exports.ChangeSchema = z.object({
|
||||
change_type: z.enum(['added', 'removed']),
|
||||
manifest: z.string(),
|
||||
@@ -50050,8 +50078,8 @@ exports.ConfigurationOptionsSchema = z
|
||||
deny_licenses: z.array(z.string()).optional(),
|
||||
allow_dependencies_licenses: z.array(z.string()).optional(),
|
||||
allow_ghsas: z.array(z.string()).default([]),
|
||||
deny_packages: z.array(z.string()).default([]),
|
||||
deny_groups: z.array(z.string()).default([]),
|
||||
deny_packages: z.array(PackageURL).default([]),
|
||||
deny_groups: z.array(PackageURLWithNamespace).default([]),
|
||||
license_check: z.boolean().default(true),
|
||||
vulnerability_check: z.boolean().default(true),
|
||||
config_file: z.string().optional(),
|
||||
|
||||
+1
-1
File diff suppressed because one or more lines are too long
-22
@@ -1519,28 +1519,6 @@ ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
|
||||
IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
|
||||
|
||||
packageurl-js
|
||||
MIT
|
||||
Copyright (c) the purl authors
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy of
|
||||
this software and associated documentation files (the "Software"), to deal in
|
||||
the Software without restriction, including without limitation the rights to
|
||||
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
|
||||
the Software, and to permit persons to whom the Software is furnished to do so,
|
||||
subject to the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be included in all
|
||||
copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
|
||||
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
|
||||
COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
|
||||
IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
|
||||
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
||||
|
||||
|
||||
safe-buffer
|
||||
MIT
|
||||
The MIT License (MIT)
|
||||
|
||||
+6
-5
@@ -167,7 +167,7 @@ jobs:
|
||||
## Getting the results of the action in a later step
|
||||
|
||||
- `comment-content` contains the output of the results comment for the entire run.
|
||||
`dependency-changes`, `vulnerable-changes`, `invalid-license-changes` and `denied-changes` are all JSON objects that allow you to access individual sets of changes.
|
||||
`dependency-changes`, `vulnerable-changes`, `invalid-license-changes` and `denied-changes` are all JSON objects that allow you to access individual sets of changes.
|
||||
|
||||
```yaml
|
||||
name: 'Dependency Review'
|
||||
@@ -276,10 +276,11 @@ jobs:
|
||||
|
||||
## Exclude dependencies from their name or groups
|
||||
|
||||
Using the `deny-packages` option you can exclude dependencies by their PURL. You can add multiple values separated by a commas.
|
||||
With the `deny-packages` option, you can exclude dependencies based on their PURL (Package URL). If a specific version is provided, the action will deny packages matching that version. When no version is specified, the action treats it as a wildcard, denying all matching packages regardless of version. Multiple values can be added, separated by commas.
|
||||
|
||||
Using the `deny-groups` option you can exclude dependencies by their group name/namespace. You can add multiple values separated by a comma.
|
||||
|
||||
In this example, we are excluding `pkg:maven/org.apache.logging.log4j:log4j-api` and `pkg:maven/org.apache.logging.log4j/log4j-core` from `maven` and all packages in the group `pkg:maven/com.bazaarvoice.maven`
|
||||
In this example, we are excluding all versions of `pkg:maven/org.apache.logging.log4j:log4j-api` and only `2.23.0` of log4j-core `pkg:maven/org.apache.logging.log4j/log4j-core@2.23.0` from `maven` and all packages in the group `pkg:maven/com.bazaarvoice.maven/`
|
||||
|
||||
```yaml
|
||||
name: 'Dependency Review'
|
||||
@@ -298,8 +299,8 @@ jobs:
|
||||
- name: 'Dependency Review'
|
||||
uses: actions/dependency-review-action@v4
|
||||
with:
|
||||
deny-packages: 'pkg:maven/org.apache.logging.log4j/log4j-api,pkg:maven/org.apache.logging.log4j/log4j-core'
|
||||
deny-groups: 'pkg:maven/com.bazaarvoice.jolt'
|
||||
deny-packages: 'pkg:maven/org.apache.logging.log4j/log4j-api,pkg:maven/org.apache.logging.log4j/log4j-core@2.23.0'
|
||||
deny-groups: 'pkg:maven/com.bazaarvoice.jolt/'
|
||||
```
|
||||
|
||||
## Waiting for dependency submission jobs to complete
|
||||
|
||||
Generated
+243
-35
@@ -1,12 +1,12 @@
|
||||
{
|
||||
"name": "dependency-review-action",
|
||||
"version": "4.2.3",
|
||||
"version": "4.3.1",
|
||||
"lockfileVersion": 3,
|
||||
"requires": true,
|
||||
"packages": {
|
||||
"": {
|
||||
"name": "dependency-review-action",
|
||||
"version": "4.2.3",
|
||||
"version": "4.3.1",
|
||||
"license": "MIT",
|
||||
"dependencies": {
|
||||
"@actions/core": "^1.10.1",
|
||||
@@ -18,7 +18,6 @@
|
||||
"got": "^14.2.0",
|
||||
"jest": "^29.7.0",
|
||||
"octokit": "^3.1.2",
|
||||
"packageurl-js": "^1.2.0",
|
||||
"spdx-expression-parse": "^3.0.1",
|
||||
"spdx-satisfies": "^5.0.1",
|
||||
"ts-jest": "^29.1.2",
|
||||
@@ -33,14 +32,14 @@
|
||||
"@typescript-eslint/parser": "^6.21.0",
|
||||
"@vercel/ncc": "^0.38.0",
|
||||
"esbuild-register": "^3.5.0",
|
||||
"eslint": "^8.56.0",
|
||||
"eslint-plugin-github": "^4.10.1",
|
||||
"eslint": "^8.57.0",
|
||||
"eslint-plugin-github": "^4.10.2",
|
||||
"eslint-plugin-jest": "^27.9.0",
|
||||
"eslint-plugin-prettier": "^5.1.3",
|
||||
"js-yaml": "^4.1.0",
|
||||
"nodemon": "^3.1.0",
|
||||
"prettier": "3.2.5",
|
||||
"typescript": "^5.3.3"
|
||||
"typescript": "^5.4.5"
|
||||
}
|
||||
},
|
||||
"node_modules/@aashutoshrathi/word-wrap": {
|
||||
@@ -1096,9 +1095,9 @@
|
||||
}
|
||||
},
|
||||
"node_modules/@eslint/js": {
|
||||
"version": "8.56.0",
|
||||
"resolved": "https://registry.npmjs.org/@eslint/js/-/js-8.56.0.tgz",
|
||||
"integrity": "sha512-gMsVel9D7f2HLkBma9VbtzZRehRogVRfbr++f06nL2vnCGCNlzOD+/MUov/F4p8myyAHspEhVobgjpX64q5m6A==",
|
||||
"version": "8.57.0",
|
||||
"resolved": "https://registry.npmjs.org/@eslint/js/-/js-8.57.0.tgz",
|
||||
"integrity": "sha512-Ys+3g2TaW7gADOJzPt83SJtCDhMjndcDMFVQ/Tj9iA1BfJzFKD9mAUXT3OenpuPHbI6P/myECxRJrofUsDx/5g==",
|
||||
"dev": true,
|
||||
"engines": {
|
||||
"node": "^12.22.0 || ^14.17.0 || >=16.0.0"
|
||||
@@ -1119,13 +1118,13 @@
|
||||
"dev": true
|
||||
},
|
||||
"node_modules/@humanwhocodes/config-array": {
|
||||
"version": "0.11.13",
|
||||
"resolved": "https://registry.npmjs.org/@humanwhocodes/config-array/-/config-array-0.11.13.tgz",
|
||||
"integrity": "sha512-JSBDMiDKSzQVngfRjOdFXgFfklaXI4K9nLF49Auh21lmBWRLIK3+xTErTWD4KU54pb6coM6ESE7Awz/FNU3zgQ==",
|
||||
"version": "0.11.14",
|
||||
"resolved": "https://registry.npmjs.org/@humanwhocodes/config-array/-/config-array-0.11.14.tgz",
|
||||
"integrity": "sha512-3T8LkOmg45BV5FICb15QQMsyUSWrQ8AygVfC7ZG32zOalnqrilm018ZVCw0eapXux8FtA33q8PSRSstjee3jSg==",
|
||||
"dev": true,
|
||||
"dependencies": {
|
||||
"@humanwhocodes/object-schema": "^2.0.1",
|
||||
"debug": "^4.1.1",
|
||||
"@humanwhocodes/object-schema": "^2.0.2",
|
||||
"debug": "^4.3.1",
|
||||
"minimatch": "^3.0.5"
|
||||
},
|
||||
"engines": {
|
||||
@@ -1146,9 +1145,9 @@
|
||||
}
|
||||
},
|
||||
"node_modules/@humanwhocodes/object-schema": {
|
||||
"version": "2.0.1",
|
||||
"resolved": "https://registry.npmjs.org/@humanwhocodes/object-schema/-/object-schema-2.0.1.tgz",
|
||||
"integrity": "sha512-dvuCeX5fC9dXgJn9t+X5atfmgQAzUOWqS1254Gh0m6i8wKd10ebXkfNKiRK+1GWi/yTvvLDHpoxLr0xxxeslWw==",
|
||||
"version": "2.0.2",
|
||||
"resolved": "https://registry.npmjs.org/@humanwhocodes/object-schema/-/object-schema-2.0.2.tgz",
|
||||
"integrity": "sha512-6EwiSjwWYP7pTckG6I5eyFANjPhmPjUX9JRLUSfNPC7FX7zK9gyZAfUEaECL6ALTpGX5AjnBq3C9XmVWPitNpw==",
|
||||
"dev": true
|
||||
},
|
||||
"node_modules/@istanbuljs/load-nyc-config": {
|
||||
@@ -3542,16 +3541,16 @@
|
||||
}
|
||||
},
|
||||
"node_modules/eslint": {
|
||||
"version": "8.56.0",
|
||||
"resolved": "https://registry.npmjs.org/eslint/-/eslint-8.56.0.tgz",
|
||||
"integrity": "sha512-Go19xM6T9puCOWntie1/P997aXxFsOi37JIHRWI514Hc6ZnaHGKY9xFhrU65RT6CcBEzZoGG1e6Nq+DT04ZtZQ==",
|
||||
"version": "8.57.0",
|
||||
"resolved": "https://registry.npmjs.org/eslint/-/eslint-8.57.0.tgz",
|
||||
"integrity": "sha512-dZ6+mexnaTIbSBZWgou51U6OmzIhYM2VcNdtiTtI7qPNZm35Akpr0f6vtw3w1Kmn5PYo+tZVfh13WrhpS6oLqQ==",
|
||||
"dev": true,
|
||||
"dependencies": {
|
||||
"@eslint-community/eslint-utils": "^4.2.0",
|
||||
"@eslint-community/regexpp": "^4.6.1",
|
||||
"@eslint/eslintrc": "^2.1.4",
|
||||
"@eslint/js": "8.56.0",
|
||||
"@humanwhocodes/config-array": "^0.11.13",
|
||||
"@eslint/js": "8.57.0",
|
||||
"@humanwhocodes/config-array": "^0.11.14",
|
||||
"@humanwhocodes/module-importer": "^1.0.1",
|
||||
"@nodelib/fs.walk": "^1.2.8",
|
||||
"@ungap/structured-clone": "^1.2.0",
|
||||
@@ -3710,14 +3709,14 @@
|
||||
}
|
||||
},
|
||||
"node_modules/eslint-plugin-github": {
|
||||
"version": "4.10.1",
|
||||
"resolved": "https://registry.npmjs.org/eslint-plugin-github/-/eslint-plugin-github-4.10.1.tgz",
|
||||
"integrity": "sha512-1AqQBockOM+m0ZUpwfjWtX0lWdX5cRi/hwJnSNvXoOmz/Hh+ULH6QFz6ENWueTWjoWpgPv0af3bj+snps6o4og==",
|
||||
"version": "4.10.2",
|
||||
"resolved": "https://registry.npmjs.org/eslint-plugin-github/-/eslint-plugin-github-4.10.2.tgz",
|
||||
"integrity": "sha512-F1F5aAFgi1Y5hYoTFzGQACBkw5W1hu2Fu5FSTrMlXqrojJnKl1S2pWO/rprlowRQpt+hzHhqSpsfnodJEVd5QA==",
|
||||
"dev": true,
|
||||
"dependencies": {
|
||||
"@github/browserslist-config": "^1.0.0",
|
||||
"@typescript-eslint/eslint-plugin": "^6.0.0",
|
||||
"@typescript-eslint/parser": "^6.0.0",
|
||||
"@typescript-eslint/eslint-plugin": "^7.0.1",
|
||||
"@typescript-eslint/parser": "^7.0.1",
|
||||
"aria-query": "^5.3.0",
|
||||
"eslint-config-prettier": ">=8.0.0",
|
||||
"eslint-plugin-escompat": "^3.3.3",
|
||||
@@ -3740,6 +3739,220 @@
|
||||
"eslint": "^8.0.1"
|
||||
}
|
||||
},
|
||||
"node_modules/eslint-plugin-github/node_modules/@typescript-eslint/eslint-plugin": {
|
||||
"version": "7.4.0",
|
||||
"resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-7.4.0.tgz",
|
||||
"integrity": "sha512-yHMQ/oFaM7HZdVrVm/M2WHaNPgyuJH4WelkSVEWSSsir34kxW2kDJCxlXRhhGWEsMN0WAW/vLpKfKVcm8k+MPw==",
|
||||
"dev": true,
|
||||
"dependencies": {
|
||||
"@eslint-community/regexpp": "^4.5.1",
|
||||
"@typescript-eslint/scope-manager": "7.4.0",
|
||||
"@typescript-eslint/type-utils": "7.4.0",
|
||||
"@typescript-eslint/utils": "7.4.0",
|
||||
"@typescript-eslint/visitor-keys": "7.4.0",
|
||||
"debug": "^4.3.4",
|
||||
"graphemer": "^1.4.0",
|
||||
"ignore": "^5.2.4",
|
||||
"natural-compare": "^1.4.0",
|
||||
"semver": "^7.5.4",
|
||||
"ts-api-utils": "^1.0.1"
|
||||
},
|
||||
"engines": {
|
||||
"node": "^18.18.0 || >=20.0.0"
|
||||
},
|
||||
"funding": {
|
||||
"type": "opencollective",
|
||||
"url": "https://opencollective.com/typescript-eslint"
|
||||
},
|
||||
"peerDependencies": {
|
||||
"@typescript-eslint/parser": "^7.0.0",
|
||||
"eslint": "^8.56.0"
|
||||
},
|
||||
"peerDependenciesMeta": {
|
||||
"typescript": {
|
||||
"optional": true
|
||||
}
|
||||
}
|
||||
},
|
||||
"node_modules/eslint-plugin-github/node_modules/@typescript-eslint/parser": {
|
||||
"version": "7.4.0",
|
||||
"resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-7.4.0.tgz",
|
||||
"integrity": "sha512-ZvKHxHLusweEUVwrGRXXUVzFgnWhigo4JurEj0dGF1tbcGh6buL+ejDdjxOQxv6ytcY1uhun1p2sm8iWStlgLQ==",
|
||||
"dev": true,
|
||||
"dependencies": {
|
||||
"@typescript-eslint/scope-manager": "7.4.0",
|
||||
"@typescript-eslint/types": "7.4.0",
|
||||
"@typescript-eslint/typescript-estree": "7.4.0",
|
||||
"@typescript-eslint/visitor-keys": "7.4.0",
|
||||
"debug": "^4.3.4"
|
||||
},
|
||||
"engines": {
|
||||
"node": "^18.18.0 || >=20.0.0"
|
||||
},
|
||||
"funding": {
|
||||
"type": "opencollective",
|
||||
"url": "https://opencollective.com/typescript-eslint"
|
||||
},
|
||||
"peerDependencies": {
|
||||
"eslint": "^8.56.0"
|
||||
},
|
||||
"peerDependenciesMeta": {
|
||||
"typescript": {
|
||||
"optional": true
|
||||
}
|
||||
}
|
||||
},
|
||||
"node_modules/eslint-plugin-github/node_modules/@typescript-eslint/scope-manager": {
|
||||
"version": "7.4.0",
|
||||
"resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-7.4.0.tgz",
|
||||
"integrity": "sha512-68VqENG5HK27ypafqLVs8qO+RkNc7TezCduYrx8YJpXq2QGZ30vmNZGJJJC48+MVn4G2dCV8m5ZTVnzRexTVtw==",
|
||||
"dev": true,
|
||||
"dependencies": {
|
||||
"@typescript-eslint/types": "7.4.0",
|
||||
"@typescript-eslint/visitor-keys": "7.4.0"
|
||||
},
|
||||
"engines": {
|
||||
"node": "^18.18.0 || >=20.0.0"
|
||||
},
|
||||
"funding": {
|
||||
"type": "opencollective",
|
||||
"url": "https://opencollective.com/typescript-eslint"
|
||||
}
|
||||
},
|
||||
"node_modules/eslint-plugin-github/node_modules/@typescript-eslint/type-utils": {
|
||||
"version": "7.4.0",
|
||||
"resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-7.4.0.tgz",
|
||||
"integrity": "sha512-247ETeHgr9WTRMqHbbQdzwzhuyaJ8dPTuyuUEMANqzMRB1rj/9qFIuIXK7l0FX9i9FXbHeBQl/4uz6mYuCE7Aw==",
|
||||
"dev": true,
|
||||
"dependencies": {
|
||||
"@typescript-eslint/typescript-estree": "7.4.0",
|
||||
"@typescript-eslint/utils": "7.4.0",
|
||||
"debug": "^4.3.4",
|
||||
"ts-api-utils": "^1.0.1"
|
||||
},
|
||||
"engines": {
|
||||
"node": "^18.18.0 || >=20.0.0"
|
||||
},
|
||||
"funding": {
|
||||
"type": "opencollective",
|
||||
"url": "https://opencollective.com/typescript-eslint"
|
||||
},
|
||||
"peerDependencies": {
|
||||
"eslint": "^8.56.0"
|
||||
},
|
||||
"peerDependenciesMeta": {
|
||||
"typescript": {
|
||||
"optional": true
|
||||
}
|
||||
}
|
||||
},
|
||||
"node_modules/eslint-plugin-github/node_modules/@typescript-eslint/types": {
|
||||
"version": "7.4.0",
|
||||
"resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-7.4.0.tgz",
|
||||
"integrity": "sha512-mjQopsbffzJskos5B4HmbsadSJQWaRK0UxqQ7GuNA9Ga4bEKeiO6b2DnB6cM6bpc8lemaPseh0H9B/wyg+J7rw==",
|
||||
"dev": true,
|
||||
"engines": {
|
||||
"node": "^18.18.0 || >=20.0.0"
|
||||
},
|
||||
"funding": {
|
||||
"type": "opencollective",
|
||||
"url": "https://opencollective.com/typescript-eslint"
|
||||
}
|
||||
},
|
||||
"node_modules/eslint-plugin-github/node_modules/@typescript-eslint/typescript-estree": {
|
||||
"version": "7.4.0",
|
||||
"resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-7.4.0.tgz",
|
||||
"integrity": "sha512-A99j5AYoME/UBQ1ucEbbMEmGkN7SE0BvZFreSnTd1luq7yulcHdyGamZKizU7canpGDWGJ+Q6ZA9SyQobipePg==",
|
||||
"dev": true,
|
||||
"dependencies": {
|
||||
"@typescript-eslint/types": "7.4.0",
|
||||
"@typescript-eslint/visitor-keys": "7.4.0",
|
||||
"debug": "^4.3.4",
|
||||
"globby": "^11.1.0",
|
||||
"is-glob": "^4.0.3",
|
||||
"minimatch": "9.0.3",
|
||||
"semver": "^7.5.4",
|
||||
"ts-api-utils": "^1.0.1"
|
||||
},
|
||||
"engines": {
|
||||
"node": "^18.18.0 || >=20.0.0"
|
||||
},
|
||||
"funding": {
|
||||
"type": "opencollective",
|
||||
"url": "https://opencollective.com/typescript-eslint"
|
||||
},
|
||||
"peerDependenciesMeta": {
|
||||
"typescript": {
|
||||
"optional": true
|
||||
}
|
||||
}
|
||||
},
|
||||
"node_modules/eslint-plugin-github/node_modules/@typescript-eslint/utils": {
|
||||
"version": "7.4.0",
|
||||
"resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-7.4.0.tgz",
|
||||
"integrity": "sha512-NQt9QLM4Tt8qrlBVY9lkMYzfYtNz8/6qwZg8pI3cMGlPnj6mOpRxxAm7BMJN9K0AiY+1BwJ5lVC650YJqYOuNg==",
|
||||
"dev": true,
|
||||
"dependencies": {
|
||||
"@eslint-community/eslint-utils": "^4.4.0",
|
||||
"@types/json-schema": "^7.0.12",
|
||||
"@types/semver": "^7.5.0",
|
||||
"@typescript-eslint/scope-manager": "7.4.0",
|
||||
"@typescript-eslint/types": "7.4.0",
|
||||
"@typescript-eslint/typescript-estree": "7.4.0",
|
||||
"semver": "^7.5.4"
|
||||
},
|
||||
"engines": {
|
||||
"node": "^18.18.0 || >=20.0.0"
|
||||
},
|
||||
"funding": {
|
||||
"type": "opencollective",
|
||||
"url": "https://opencollective.com/typescript-eslint"
|
||||
},
|
||||
"peerDependencies": {
|
||||
"eslint": "^8.56.0"
|
||||
}
|
||||
},
|
||||
"node_modules/eslint-plugin-github/node_modules/@typescript-eslint/visitor-keys": {
|
||||
"version": "7.4.0",
|
||||
"resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-7.4.0.tgz",
|
||||
"integrity": "sha512-0zkC7YM0iX5Y41homUUeW1CHtZR01K3ybjM1l6QczoMuay0XKtrb93kv95AxUGwdjGr64nNqnOCwmEl616N8CA==",
|
||||
"dev": true,
|
||||
"dependencies": {
|
||||
"@typescript-eslint/types": "7.4.0",
|
||||
"eslint-visitor-keys": "^3.4.1"
|
||||
},
|
||||
"engines": {
|
||||
"node": "^18.18.0 || >=20.0.0"
|
||||
},
|
||||
"funding": {
|
||||
"type": "opencollective",
|
||||
"url": "https://opencollective.com/typescript-eslint"
|
||||
}
|
||||
},
|
||||
"node_modules/eslint-plugin-github/node_modules/brace-expansion": {
|
||||
"version": "2.0.1",
|
||||
"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz",
|
||||
"integrity": "sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==",
|
||||
"dev": true,
|
||||
"dependencies": {
|
||||
"balanced-match": "^1.0.0"
|
||||
}
|
||||
},
|
||||
"node_modules/eslint-plugin-github/node_modules/minimatch": {
|
||||
"version": "9.0.3",
|
||||
"resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.3.tgz",
|
||||
"integrity": "sha512-RHiac9mvaRw0x3AYRgDC1CxAP7HTcNrrECeA8YYJeWnpo+2Q5CegtZjaotWTWxDG3UeGA1coE05iH1mPjT/2mg==",
|
||||
"dev": true,
|
||||
"dependencies": {
|
||||
"brace-expansion": "^2.0.1"
|
||||
},
|
||||
"engines": {
|
||||
"node": ">=16 || 14 >=14.17"
|
||||
},
|
||||
"funding": {
|
||||
"url": "https://github.com/sponsors/isaacs"
|
||||
}
|
||||
},
|
||||
"node_modules/eslint-plugin-i18n-text": {
|
||||
"version": "1.0.1",
|
||||
"resolved": "https://registry.npmjs.org/eslint-plugin-i18n-text/-/eslint-plugin-i18n-text-1.0.1.tgz",
|
||||
@@ -6437,11 +6650,6 @@
|
||||
"node": ">=6"
|
||||
}
|
||||
},
|
||||
"node_modules/packageurl-js": {
|
||||
"version": "1.2.1",
|
||||
"resolved": "https://registry.npmjs.org/packageurl-js/-/packageurl-js-1.2.1.tgz",
|
||||
"integrity": "sha512-cZ6/MzuXaoFd16/k0WnwtI298UCaDHe/XlSh85SeOKbGZ1hq0xvNbx3ILyCMyk7uFQxl6scF3Aucj6/EO9NwcA=="
|
||||
},
|
||||
"node_modules/parent-module": {
|
||||
"version": "1.0.1",
|
||||
"resolved": "https://registry.npmjs.org/parent-module/-/parent-module-1.0.1.tgz",
|
||||
@@ -7606,9 +7814,9 @@
|
||||
}
|
||||
},
|
||||
"node_modules/typescript": {
|
||||
"version": "5.3.3",
|
||||
"resolved": "https://registry.npmjs.org/typescript/-/typescript-5.3.3.tgz",
|
||||
"integrity": "sha512-pXWcraxM0uxAS+tN0AG/BF2TyqmHO014Z070UsJ+pFvYuRSq8KH8DmWpnbXe0pEPDHXZV3FcAbJkijJ5oNEnWw==",
|
||||
"version": "5.4.5",
|
||||
"resolved": "https://registry.npmjs.org/typescript/-/typescript-5.4.5.tgz",
|
||||
"integrity": "sha512-vcI4UpRgg81oIRUFwR0WSIHKt11nJ7SAVlYNIu+QpqeyXP+gpQJy/Z4+F0aGxSE4MqwjyXvW/TzgkLAx2AGHwQ==",
|
||||
"bin": {
|
||||
"tsc": "bin/tsc",
|
||||
"tsserver": "bin/tsserver"
|
||||
|
||||
+4
-5
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"name": "dependency-review-action",
|
||||
"version": "4.2.3",
|
||||
"version": "4.3.1",
|
||||
"private": true,
|
||||
"description": "A GitHub Action for Dependency Review",
|
||||
"main": "lib/main.js",
|
||||
@@ -34,7 +34,6 @@
|
||||
"got": "^14.2.0",
|
||||
"jest": "^29.7.0",
|
||||
"octokit": "^3.1.2",
|
||||
"packageurl-js": "^1.2.0",
|
||||
"spdx-expression-parse": "^3.0.1",
|
||||
"spdx-satisfies": "^5.0.1",
|
||||
"ts-jest": "^29.1.2",
|
||||
@@ -49,13 +48,13 @@
|
||||
"@typescript-eslint/parser": "^6.21.0",
|
||||
"@vercel/ncc": "^0.38.0",
|
||||
"esbuild-register": "^3.5.0",
|
||||
"eslint": "^8.56.0",
|
||||
"eslint-plugin-github": "^4.10.1",
|
||||
"eslint": "^8.57.0",
|
||||
"eslint-plugin-github": "^4.10.2",
|
||||
"eslint-plugin-jest": "^27.9.0",
|
||||
"eslint-plugin-prettier": "^5.1.3",
|
||||
"js-yaml": "^4.1.0",
|
||||
"nodemon": "^3.1.0",
|
||||
"prettier": "3.2.5",
|
||||
"typescript": "^5.3.3"
|
||||
"typescript": "^5.4.5"
|
||||
}
|
||||
}
|
||||
|
||||
+2
-2
@@ -5,7 +5,7 @@ import * as core from '@actions/core'
|
||||
import * as z from 'zod'
|
||||
import {ConfigurationOptions, ConfigurationOptionsSchema} from './schemas'
|
||||
import {isSPDXValid, octokitClient} from './utils'
|
||||
import {PackageURL} from 'packageurl-js'
|
||||
import {parsePURL} from './purl'
|
||||
|
||||
type ConfigurationOptionsPartial = Partial<ConfigurationOptions>
|
||||
|
||||
@@ -233,7 +233,7 @@ function validatePURL(allow_dependencies_licenses: string[] | undefined): void {
|
||||
return
|
||||
}
|
||||
const invalid_purls = allow_dependencies_licenses.filter(
|
||||
purl => !PackageURL.fromString(purl)
|
||||
purl => !parsePURL(purl).error
|
||||
)
|
||||
|
||||
if (invalid_purls.length > 0) {
|
||||
|
||||
+34
-20
@@ -1,38 +1,41 @@
|
||||
import {Change} from './schemas'
|
||||
import * as core from '@actions/core'
|
||||
import {Change} from './schemas'
|
||||
import {PackageURL, parsePURL} from './purl'
|
||||
|
||||
export async function getDeniedChanges(
|
||||
changes: Change[],
|
||||
deniedPackages: string[],
|
||||
deniedGroups: string[]
|
||||
deniedPackages: PackageURL[] = [],
|
||||
deniedGroups: PackageURL[] = []
|
||||
): Promise<Change[]> {
|
||||
const changesDenied: Change[] = []
|
||||
|
||||
let failed = false
|
||||
let hasDeniedPackage = false
|
||||
for (const change of changes) {
|
||||
change.name = change.name.toLowerCase()
|
||||
const packageUrl = change.package_url.toLowerCase().split('@')[0]
|
||||
|
||||
if (deniedPackages) {
|
||||
for (const denied of deniedPackages) {
|
||||
if (packageUrl === denied.split('@')[0].toLowerCase()) {
|
||||
changesDenied.push(change)
|
||||
failed = true
|
||||
}
|
||||
for (const denied of deniedPackages) {
|
||||
if (
|
||||
(!denied.version || change.version === denied.version) &&
|
||||
change.name === denied.name
|
||||
) {
|
||||
changesDenied.push(change)
|
||||
hasDeniedPackage = true
|
||||
}
|
||||
}
|
||||
|
||||
if (deniedGroups) {
|
||||
for (const denied of deniedGroups) {
|
||||
if (packageUrl.startsWith(denied.toLowerCase())) {
|
||||
changesDenied.push(change)
|
||||
failed = true
|
||||
}
|
||||
for (const denied of deniedGroups) {
|
||||
const namespace = getNamespace(change)
|
||||
if (!denied.namespace) {
|
||||
core.error(
|
||||
`Denied group represented by '${denied.original}' does not have a namespace. The format should be 'pkg:<type>/<namespace>/'.`
|
||||
)
|
||||
}
|
||||
if (namespace && namespace === denied.namespace) {
|
||||
changesDenied.push(change)
|
||||
hasDeniedPackage = true
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (failed) {
|
||||
if (hasDeniedPackage) {
|
||||
core.setFailed('Dependency review detected denied packages.')
|
||||
} else {
|
||||
core.info('Dependency review did not detect any denied packages')
|
||||
@@ -40,3 +43,14 @@ export async function getDeniedChanges(
|
||||
|
||||
return changesDenied
|
||||
}
|
||||
|
||||
export const getNamespace = (change: Change): string | null => {
|
||||
if (change.package_url) {
|
||||
return parsePURL(change.package_url).namespace
|
||||
}
|
||||
const matches = change.name.match(/([^:/]+)[:/]/)
|
||||
if (matches && matches.length > 1) {
|
||||
return matches[1]
|
||||
}
|
||||
return null
|
||||
}
|
||||
|
||||
+3
-5
@@ -1,7 +1,7 @@
|
||||
import spdxSatisfies from 'spdx-satisfies'
|
||||
import {Change, Changes} from './schemas'
|
||||
import {isSPDXValid, octokitClient} from './utils'
|
||||
import {PackageURL} from 'packageurl-js'
|
||||
import {parsePURL} from './purl'
|
||||
|
||||
/**
|
||||
* Loops through a list of changes, filtering and returning the
|
||||
@@ -32,7 +32,7 @@ export async function getInvalidLicenseChanges(
|
||||
const {allow, deny} = licenses
|
||||
const licenseExclusions = licenses.licenseExclusions?.map(
|
||||
(pkgUrl: string) => {
|
||||
return PackageURL.fromString(encodeURI(pkgUrl))
|
||||
return parsePURL(pkgUrl)
|
||||
}
|
||||
)
|
||||
|
||||
@@ -45,9 +45,7 @@ export async function getInvalidLicenseChanges(
|
||||
return true
|
||||
}
|
||||
|
||||
const changeAsPackageURL = PackageURL.fromString(
|
||||
encodeURI(change.package_url)
|
||||
)
|
||||
const changeAsPackageURL = parsePURL(encodeURI(change.package_url))
|
||||
|
||||
// We want to find if the licenseExclussion list contains the PackageURL of the Change
|
||||
// If it does, we want to filter it out and therefore return false
|
||||
|
||||
+69
@@ -0,0 +1,69 @@
|
||||
import * as z from 'zod'
|
||||
|
||||
// the basic purl type, containing type, namespace, name, and version.
|
||||
// other than type, all fields are nullable. this is for maximum flexibility
|
||||
// at the cost of strict adherence to the package-url spec.
|
||||
export const PurlSchema = z.object({
|
||||
type: z.string(),
|
||||
namespace: z.string().nullable(),
|
||||
name: z.string().nullable(), // name is nullable for deny-groups
|
||||
version: z.string().nullable(),
|
||||
original: z.string(),
|
||||
error: z.string().nullable()
|
||||
})
|
||||
|
||||
export type PackageURL = z.infer<typeof PurlSchema>
|
||||
|
||||
const PURL_TYPE = /pkg:([a-zA-Z0-9-_]+)\/.*/
|
||||
|
||||
export function parsePURL(purl: string): PackageURL {
|
||||
const result: PackageURL = {
|
||||
type: '',
|
||||
namespace: null,
|
||||
name: null,
|
||||
version: null,
|
||||
original: purl,
|
||||
error: null
|
||||
}
|
||||
if (!purl.startsWith('pkg:')) {
|
||||
result.error = 'package-url must start with "pkg:"'
|
||||
return result
|
||||
}
|
||||
const type = purl.match(PURL_TYPE)
|
||||
if (!type) {
|
||||
result.error = 'package-url must contain a type'
|
||||
return result
|
||||
}
|
||||
result.type = type[1]
|
||||
const parts = purl.split('/')
|
||||
// the first 'part' should be 'pkg:ecosystem'
|
||||
if (parts.length < 2 || !parts[1]) {
|
||||
result.error = 'package-url must contain a namespace or name'
|
||||
return result
|
||||
}
|
||||
let namePlusRest: string
|
||||
if (parts.length === 2) {
|
||||
namePlusRest = parts[1]
|
||||
} else {
|
||||
result.namespace = decodeURIComponent(parts[1])
|
||||
namePlusRest = parts[2]
|
||||
}
|
||||
const name = namePlusRest.match(/([^@#?]+)[@#?]?.*/)
|
||||
if (!result.namespace && !name) {
|
||||
result.error = 'package-url must contain a namespace or name'
|
||||
return result
|
||||
}
|
||||
if (!name) {
|
||||
// we're done here
|
||||
return result
|
||||
}
|
||||
result.name = decodeURIComponent(name[1])
|
||||
const version = namePlusRest.match(/@([^#?]+)[#?]?.*/)
|
||||
if (!version) {
|
||||
return result
|
||||
}
|
||||
result.version = decodeURIComponent(version[1])
|
||||
|
||||
// we don't parse subpath or attributes, so we're done here
|
||||
return result
|
||||
}
|
||||
+43
-2
@@ -1,10 +1,51 @@
|
||||
import * as z from 'zod'
|
||||
import {parsePURL} from './purl'
|
||||
|
||||
export const SEVERITIES = ['critical', 'high', 'moderate', 'low'] as const
|
||||
export const SCOPES = ['unknown', 'runtime', 'development'] as const
|
||||
|
||||
export const SeveritySchema = z.enum(SEVERITIES).default('low')
|
||||
|
||||
const PackageURL = z
|
||||
.string()
|
||||
.transform(purlString => {
|
||||
return parsePURL(purlString)
|
||||
})
|
||||
.superRefine((purl, context) => {
|
||||
if (purl.error) {
|
||||
context.addIssue({
|
||||
code: z.ZodIssueCode.custom,
|
||||
message: `Error parsing package-url: ${purl.error}`
|
||||
})
|
||||
}
|
||||
if (!purl.name) {
|
||||
context.addIssue({
|
||||
code: z.ZodIssueCode.custom,
|
||||
message: `Error parsing package-url: name is required`
|
||||
})
|
||||
}
|
||||
})
|
||||
|
||||
const PackageURLWithNamespace = z
|
||||
.string()
|
||||
.transform(purlString => {
|
||||
return parsePURL(purlString)
|
||||
})
|
||||
.superRefine((purl, context) => {
|
||||
if (purl.error) {
|
||||
context.addIssue({
|
||||
code: z.ZodIssueCode.custom,
|
||||
message: `Error parsing purl: ${purl.error}`
|
||||
})
|
||||
}
|
||||
if (purl.namespace === null) {
|
||||
context.addIssue({
|
||||
code: z.ZodIssueCode.custom,
|
||||
message: `package-url must have a namespace, and the namespace must be followed by '/'`
|
||||
})
|
||||
}
|
||||
})
|
||||
|
||||
export const ChangeSchema = z.object({
|
||||
change_type: z.enum(['added', 'removed']),
|
||||
manifest: z.string(),
|
||||
@@ -42,8 +83,8 @@ export const ConfigurationOptionsSchema = z
|
||||
deny_licenses: z.array(z.string()).optional(),
|
||||
allow_dependencies_licenses: z.array(z.string()).optional(),
|
||||
allow_ghsas: z.array(z.string()).default([]),
|
||||
deny_packages: z.array(z.string()).default([]),
|
||||
deny_groups: z.array(z.string()).default([]),
|
||||
deny_packages: z.array(PackageURL).default([]),
|
||||
deny_groups: z.array(PackageURLWithNamespace).default([]),
|
||||
license_check: z.boolean().default(true),
|
||||
vulnerability_check: z.boolean().default(true),
|
||||
config_file: z.string().optional(),
|
||||
|
||||
+10
-2
@@ -17,8 +17,16 @@ export async function getScorecardLevels(
|
||||
repositoryUrl = repositoryUrl.replace('https://', '')
|
||||
}
|
||||
|
||||
// Handle the special case for GitHub Actions, where the repository URL is null
|
||||
if (ecosystem === 'actions') {
|
||||
// The package name for GitHub Actions in the API is in the format `owner/repo/`, so we can use that to get the repository URL
|
||||
// If the package name has more than 2 slashes, it's referencing a sub-action, and we need to strip the last part out
|
||||
const parts = packageName.split('/')
|
||||
repositoryUrl = `github.com/${parts[0]}/${parts[1]}` // e.g. github.com/actions/checkout
|
||||
}
|
||||
|
||||
// If GitHub API doesn't have the repository URL, query deps.dev for it.
|
||||
if (repositoryUrl) {
|
||||
if (!repositoryUrl) {
|
||||
// Call the deps.dev API to get the repository URL from there
|
||||
repositoryUrl = await getProjectUrl(ecosystem, packageName, version)
|
||||
}
|
||||
@@ -41,7 +49,7 @@ export async function getScorecardLevels(
|
||||
}
|
||||
|
||||
async function getScorecard(repositoryUrl: string): Promise<ScorecardApi> {
|
||||
const apiRoot = 'https://api.securityscorecards.dev/'
|
||||
const apiRoot = 'https://api.securityscorecards.dev'
|
||||
let scorecardResponse: ScorecardApi = {} as ScorecardApi
|
||||
|
||||
const url = `${apiRoot}/projects/${repositoryUrl}`
|
||||
|
||||
+2
-2
@@ -69,7 +69,7 @@ export function addSummaryToSummary(
|
||||
: []),
|
||||
...(deniedChanges.length > 0
|
||||
? [
|
||||
`${checkOrWarnIcon(deniedChanges.length)} ${
|
||||
`${checkOrFailIcon(deniedChanges.length)} ${
|
||||
deniedChanges.length
|
||||
} package(s) denied.`
|
||||
]
|
||||
@@ -304,7 +304,7 @@ export function addScorecardToSummary(
|
||||
|
||||
//Add a row for the dependency
|
||||
core.summary.addRaw(
|
||||
`<tr><td>${dependency.change.source_repository_url ? `<a href="https://${dependency.change.source_repository_url}">` : ''} ${dependency.change.ecosystem}/${dependency.change.name} ${dependency.change.source_repository_url ? `</a>` : ''}</td><td>${dependency.change.version}</td>
|
||||
`<tr><td>${dependency.change.source_repository_url ? `<a href="${dependency.change.source_repository_url}">` : ''} ${dependency.change.ecosystem}/${dependency.change.name} ${dependency.change.source_repository_url ? `</a>` : ''}</td><td>${dependency.change.version}</td>
|
||||
<td>${overallIcon} ${dependency.scorecard?.score === undefined || dependency.scorecard?.score === null ? 'Unknown' : dependency.scorecard?.score}</td>`,
|
||||
false
|
||||
)
|
||||
|
||||
Reference in New Issue
Block a user