Compare commits
186 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 5951e7db04 | |||
| 4f537bf170 | |||
| 25f22ad0c7 | |||
| 2878425083 | |||
| 862b667fee | |||
| f7c42c00ca | |||
| 00dbe9df8d | |||
| f89a053f16 | |||
| 700f66ed8f | |||
| fc5eaef91a | |||
| 087d445ca8 | |||
| 95fa321e74 | |||
| 429d317ccc | |||
| 6b34d93738 | |||
| b7a25f4e9b | |||
| 9f0792541a | |||
| 5e6910e937 | |||
| 715956774a | |||
| 94e6fb6deb | |||
| 1090cda9d5 | |||
| 6315b3822f | |||
| c5dab80dd4 | |||
| b089c5b002 | |||
| 6e66d136ec | |||
| 1b9faef957 | |||
| 748b8a5c33 | |||
| 1639aef23d | |||
| f5f33b0c33 | |||
| 2d8dd98fa8 | |||
| 182833caa3 | |||
| b0bc193e06 | |||
| f3146217d6 | |||
| c5b1778acb | |||
| 19ee172e7e | |||
| 23c92ea3fe | |||
| 1af3349db2 | |||
| 2238302e66 | |||
| e4158c9844 | |||
| 7f874fd2fb | |||
| 9928099802 | |||
| d9d1c4ba24 | |||
| a3ee6a76df | |||
| f69167c9be | |||
| 1c85e9db8d | |||
| 5c771993de | |||
| 3f5300728c | |||
| 221de4a420 | |||
| 9aa2640fd4 | |||
| d5ff038b8b | |||
| 63d79cae5c | |||
| ee7fefc22c | |||
| fa8de14daa | |||
| eb8231dc40 | |||
| fff46df8ec | |||
| 9613501c27 | |||
| 08d6d26179 | |||
| 96d0e9ac03 | |||
| 189bf7bc26 | |||
| a2165983d1 | |||
| 0a618d4025 | |||
| 71acb8773c | |||
| 8ae3c6ccb4 | |||
| 2ad07a3006 | |||
| 5d0265a143 | |||
| 9aeec9038b | |||
| 579f2338ab | |||
| 2cf5e60887 | |||
| 4e761fd545 | |||
| 51951998f5 | |||
| b87919684c | |||
| 5cc528819d | |||
| e8bb60680f | |||
| 916da45422 | |||
| 00c58871a0 | |||
| 5232f0766f | |||
| 649dad513a | |||
| 1a5397226b | |||
| 83db3fd780 | |||
| 2bdc2cf95f | |||
| cebddc8ad2 | |||
| caa6381bae | |||
| 31520dc391 | |||
| 4f412af8fc | |||
| 5703934fec | |||
| e78e4ce152 | |||
| a4da452f33 | |||
| d92ca08767 | |||
| 0b30e242cd | |||
| f668822520 | |||
| 898008ba83 | |||
| 4105edb24b | |||
| 2f20ab0305 | |||
| fa94fed3e7 | |||
| 65e82f802d | |||
| 06d9a244cc | |||
| c090f4e553 | |||
| 42ee3c8f53 | |||
| 6855e6ed4e | |||
| efd78809f9 | |||
| e91b527bcb | |||
| f508195cbc | |||
| ef8bfcec89 | |||
| 31cb4e05f7 | |||
| 7920884bc8 | |||
| aae0422a7f | |||
| 46d2ba8805 | |||
| 7c07c1da42 | |||
| 6e3a1cfe9e | |||
| 3190101729 | |||
| 3576f26c76 | |||
| 97fef8f979 | |||
| 60e20b95c9 | |||
| e6aba92fb0 | |||
| 4b2cf01947 | |||
| 33b11b63b3 | |||
| 90014ebf46 | |||
| c0fcb40fb5 | |||
| 6213daabf8 | |||
| 6c62d64ea3 | |||
| 6154af02da | |||
| df40ce1edc | |||
| a033837e12 | |||
| d79457303f | |||
| b2f83f35c7 | |||
| 389b38eb1a | |||
| e3926a59f5 | |||
| 54656aadd8 | |||
| f02b9fb886 | |||
| 6587f9feee | |||
| cab2d5f36f | |||
| ef411f3a4c | |||
| 589f46e5a2 | |||
| a482eabd84 | |||
| c63a70f2bb | |||
| ea081cab93 | |||
| 78231376d4 | |||
| ea38797bf9 | |||
| 383b34b013 | |||
| 234f1c3e6b | |||
| 1aca439347 | |||
| f5231a7139 | |||
| 872c5e3689 | |||
| 86e4c38e88 | |||
| 70a13ae7e3 | |||
| 0ff3da6f81 | |||
| 6d88398316 | |||
| 29022577bf | |||
| a4bf690c47 | |||
| 3f67248108 | |||
| e82e9497cb | |||
| 945cb4d00a | |||
| 459b39211c | |||
| c109d3f46d | |||
| 706aa54d76 | |||
| 12cfe866a8 | |||
| 0caa632377 | |||
| df02ee7d42 | |||
| 38e9237630 | |||
| 03c7962be5 | |||
| cff3674e25 | |||
| a184554be2 | |||
| 660812709b | |||
| d8b4cd80d5 | |||
| 8e5d487bb8 | |||
| 3e6e055a26 | |||
| 1f8d096c90 | |||
| 0247f51a25 | |||
| f599dc7887 | |||
| 6919a4885f | |||
| 8f97494d2e | |||
| 08ec176670 | |||
| 40a9da4614 | |||
| 9ad1f84ed2 | |||
| 464e6ac735 | |||
| 141e2dae22 | |||
| 37bb7a46dd | |||
| 5abb42a215 | |||
| 5aafbe4a32 | |||
| d623612924 | |||
| 08fe899167 | |||
| 067e030d27 | |||
| 6b47d2662b | |||
| 290634fe98 | |||
| 352f50a80e | |||
| 11310527b4 | |||
| ea0f46928b |
@@ -3,12 +3,12 @@ updates:
|
||||
- package-ecosystem: github-actions
|
||||
directory: /
|
||||
schedule:
|
||||
interval: daily
|
||||
interval: weekly
|
||||
|
||||
- package-ecosystem: npm
|
||||
directory: /
|
||||
schedule:
|
||||
interval: daily
|
||||
interval: weekly
|
||||
ignore:
|
||||
- dependency-name: '@types/node'
|
||||
update-types: ['version-update:semver-major']
|
||||
|
||||
@@ -27,6 +27,7 @@ jobs:
|
||||
uses: actions/setup-node@v3
|
||||
with:
|
||||
node-version: 18.x
|
||||
cache: npm
|
||||
|
||||
- name: Install dependencies
|
||||
run: npm ci
|
||||
|
||||
@@ -100,3 +100,5 @@ Thumbs.db
|
||||
# Ignore built ts files
|
||||
__tests__/runner/*
|
||||
lib/**/*
|
||||
|
||||
tmp
|
||||
|
||||
+2
-2
@@ -112,8 +112,8 @@ minor/patch updates.
|
||||
To do this just checkout `main`, force-create a new annotated tag, and push it:
|
||||
|
||||
```
|
||||
git tag -fa v2 -m "Updating v2 to 2.3.4"
|
||||
git push origin v2 --force
|
||||
git tag -fa v3 -m "Updating v3 to 3.0.1"
|
||||
git push origin v3 --force
|
||||
```
|
||||
|
||||
## Resources
|
||||
|
||||
@@ -66,25 +66,25 @@ jobs:
|
||||
|
||||
Configure this action by either inlining these options in your workflow file, or by using an external configuration file. All configuration options are optional.
|
||||
|
||||
| Option | Usage | Possible values | Default value |
|
||||
|-----------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------|---------------|
|
||||
| `fail-on-severity` | Defines the threshold for the level of severity. The action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher. | `low`, `moderate`, `high`, `critical` | `low` |
|
||||
| `allow-licenses`* | Contains a list of allowed licenses. The action will fail on pull requests that introduce dependencies with licenses that do not match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
|
||||
| `deny-licenses`* | Contains a list of prohibited licenses. The action will fail on pull requests that introduce dependencies with licenses that match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
|
||||
| `fail-on-scopes`† | Contains a list of strings of the build environments you want to support. The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list. |`runtime`, `development`, `unknown` | `runtime` |
|
||||
| `allow-ghsas` | Contains a list of GitHub Advisory Database IDs that can be skipped during detection. | Any GHSAs from the [GitHub Advisory Database](https://github.com/advisories) | none |
|
||||
| `license-check` | Enable or disable the license check performed by the action. | `true`, `false` | `true` |
|
||||
| `vulnerability-check` | Enable or disable the vulnerability check performed by the action. | `true`, `false` | `true` |
|
||||
| `base-ref`/`head-ref` | Provide custom git references for the git base/head when performing the comparison check. This is only used for event types other than `pull_request` and `pull_request_target`. | Any valid git ref(s) in your project | none |
|
||||
| Option | Usage | Possible values | Default value |
|
||||
| ----------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------- | ------------- |
|
||||
| `fail-on-severity` | Defines the threshold for the level of severity. The action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher. | `low`, `moderate`, `high`, `critical` | `low` |
|
||||
| `allow-licenses`* | Contains a list of allowed licenses. The action will fail on pull requests that introduce dependencies with licenses that do not match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
|
||||
| `deny-licenses`* | Contains a list of prohibited licenses. The action will fail on pull requests that introduce dependencies with licenses that match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
|
||||
| `fail-on-scopes`† | Contains a list of strings of the build environments you want to support. The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list. | `runtime`, `development`, `unknown` | `runtime` |
|
||||
| `allow-ghsas` | Contains a list of GitHub Advisory Database IDs that can be skipped during detection. | Any GHSAs from the [GitHub Advisory Database](https://github.com/advisories) | none |
|
||||
| `license-check` | Enable or disable the license check performed by the action. | `true`, `false` | `true` |
|
||||
| `vulnerability-check` | Enable or disable the vulnerability check performed by the action. | `true`, `false` | `true` |
|
||||
| `base-ref`/`head-ref` | Provide custom git references for the git base/head when performing the comparison check. This is only used for event types other than `pull_request` and `pull_request_target`. | Any valid git ref(s) in your project | none |
|
||||
| `comment-summary-in-pr` | Enable or disable reporting the review summary as a comment in the pull request. If enabled, you must give the workflow or job permission `pull-requests: write`. | `true`, `false` | `false` |
|
||||
|
||||
*not supported for use with GitHub Enterprise Server
|
||||
|
||||
†will be supported with GitHub Enterprise Server 3.8
|
||||
|
||||
†will be supported with GitHub Enterprise Server 3.8
|
||||
|
||||
### Inline Configuration
|
||||
|
||||
You can pass options to the Dependency Review GitHub Action using your workflow file.
|
||||
You can pass options to the Dependency Review GitHub Action using your workflow file.
|
||||
|
||||
#### Example
|
||||
|
||||
@@ -112,10 +112,10 @@ jobs:
|
||||
|
||||
You can use an external configuration file to specify the settings for this action. It can be a local file or a file in an external repository. Refer to the following options for the specification.
|
||||
|
||||
| Option | Usage | Possible values |
|
||||
|-----------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------|
|
||||
| `config-file` | A path to a file in the current repository or an external repository. Use this syntax for external files: `OWNER/REPOSITORY/FILENAME@BRANCH` | **Local file**: `./.github/dependency-review-config.yml` <br> **External repo**: `github/octorepo/dependency-review-config.yml@main` |
|
||||
| `external-repo-token` | Specifies a token for fetching the configuration file. It is required if the file resides in a private external repository and for all GitHub Enterprise Server repositories. Create a token in [developer settings](https://github.com/settings/tokens). | Any token with `read` permissions to the repository hosting the config file. |
|
||||
| Option | Usage | Possible values |
|
||||
| --------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------ |
|
||||
| `config-file` | A path to a file in the current repository or an external repository. Use this syntax for external files: `OWNER/REPOSITORY/FILENAME@BRANCH` | **Local file**: `./.github/dependency-review-config.yml` <br> **External repo**: `github/octorepo/dependency-review-config.yml@main` |
|
||||
| `external-repo-token` | Specifies a token for fetching the configuration file. It is required if the file resides in a private external repository and for all GitHub Enterprise Server repositories. Create a token in [developer settings](https://github.com/settings/tokens). | Any token with `read` permissions to the repository hosting the config file. |
|
||||
|
||||
#### Example
|
||||
|
||||
@@ -128,7 +128,7 @@ Start by specifying that you will be using an external configuration file:
|
||||
config-file: './.github/dependency-review-config.yml'
|
||||
```
|
||||
|
||||
And then create the file in the path you just specified:
|
||||
And then create the file in the path you just specified:
|
||||
|
||||
```yaml
|
||||
fail-on-severity: 'critical'
|
||||
|
||||
@@ -5,13 +5,13 @@ import * as Utils from '../src/utils'
|
||||
|
||||
// GitHub Action inputs come in the form of environment variables
|
||||
// with an INPUT prefix (e.g. INPUT_FAIL-ON-SEVERITY)
|
||||
function setInput(input: string, value: string) {
|
||||
function setInput(input: string, value: string): void {
|
||||
process.env[`INPUT_${input.toUpperCase()}`] = value
|
||||
}
|
||||
|
||||
// We want a clean ENV before each test. We use `delete`
|
||||
// since we want `undefined` values and not empty strings.
|
||||
function clearInputs() {
|
||||
function clearInputs(): void {
|
||||
const allowedOptions = [
|
||||
'FAIL-ON-SEVERITY',
|
||||
'FAIL-ON-SCOPES',
|
||||
@@ -22,9 +22,11 @@ function clearInputs() {
|
||||
'VULNERABILITY-CHECK',
|
||||
'CONFIG-FILE',
|
||||
'BASE-REF',
|
||||
'HEAD-REF'
|
||||
'HEAD-REF',
|
||||
'COMMENT-SUMMARY-IN-PR'
|
||||
]
|
||||
|
||||
// eslint-disable-next-line github/array-foreach
|
||||
allowedOptions.forEach(option => {
|
||||
delete process.env[`INPUT_${option.toUpperCase()}`]
|
||||
})
|
||||
@@ -111,7 +113,7 @@ test('it reads an external config file', async () => {
|
||||
expect(config.allow_licenses).toEqual(['BSD', 'GPL 2'])
|
||||
})
|
||||
|
||||
test('raises an error when the the config file was not found', async () => {
|
||||
test('raises an error when the config file was not found', async () => {
|
||||
setInput('config-file', 'fixtures/i-dont-exist')
|
||||
await expect(readConfig()).rejects.toThrow(/Unable to fetch/)
|
||||
})
|
||||
@@ -237,7 +239,7 @@ test('it supports comma-separated lists', async () => {
|
||||
'config-file',
|
||||
'./__tests__/fixtures/inline-license-config-sample.yml'
|
||||
)
|
||||
let config = await readConfig()
|
||||
const config = await readConfig()
|
||||
|
||||
expect(config.allow_licenses).toEqual(['MIT', 'GPL-2.0-only'])
|
||||
})
|
||||
|
||||
@@ -0,0 +1,29 @@
|
||||
import {RequestError} from '@octokit/request-error'
|
||||
import * as dependencyGraph from '../src/dependency-graph'
|
||||
import * as core from '@actions/core'
|
||||
|
||||
// mock call to core.getInput('repo-token'.. to avoid environment setup - Input required and not supplied: repo-token
|
||||
jest.mock('@actions/core', () => ({
|
||||
getInput: (input: string) => {
|
||||
if (input === 'repo-token') {
|
||||
return 'gh_testtoken'
|
||||
}
|
||||
}
|
||||
}))
|
||||
|
||||
test('it properly catches RequestError type', async () => {
|
||||
const token = core.getInput('repo-token', {required: true})
|
||||
expect(token).toBe('gh_testtoken')
|
||||
|
||||
//Integration test to make an API request using current dependencies and ensure response can parse into RequestError
|
||||
try {
|
||||
await dependencyGraph.compare({
|
||||
owner: 'actions',
|
||||
repo: 'dependency-review-action',
|
||||
baseRef: 'refs/heads/master',
|
||||
headRef: 'refs/heads/master'
|
||||
})
|
||||
} catch (error) {
|
||||
expect(error).toBeInstanceOf(RequestError)
|
||||
}
|
||||
})
|
||||
@@ -1,12 +1,12 @@
|
||||
import {expect, test} from '@jest/globals'
|
||||
import {Change, Changes} from '../src/schemas'
|
||||
import {Change} from '../src/schemas'
|
||||
import {
|
||||
filterChangesBySeverity,
|
||||
filterChangesByScopes,
|
||||
filterAllowedAdvisories
|
||||
} from '../src/filter'
|
||||
|
||||
let npmChange: Change = {
|
||||
const npmChange: Change = {
|
||||
manifest: 'package.json',
|
||||
change_type: 'added',
|
||||
ecosystem: 'npm',
|
||||
@@ -26,7 +26,7 @@ let npmChange: Change = {
|
||||
]
|
||||
}
|
||||
|
||||
let rubyChange: Change = {
|
||||
const rubyChange: Change = {
|
||||
change_type: 'added',
|
||||
manifest: 'Gemfile.lock',
|
||||
ecosystem: 'rubygems',
|
||||
@@ -52,7 +52,7 @@ let rubyChange: Change = {
|
||||
]
|
||||
}
|
||||
|
||||
let noVulnNpmChange: Change = {
|
||||
const noVulnNpmChange: Change = {
|
||||
manifest: 'package.json',
|
||||
change_type: 'added',
|
||||
ecosystem: 'npm',
|
||||
@@ -92,7 +92,7 @@ test('it properly filters changes by scope', async () => {
|
||||
|
||||
test('it properly handles undefined advisory IDs', async () => {
|
||||
const changes = [npmChange, rubyChange, noVulnNpmChange]
|
||||
let result = filterAllowedAdvisories(undefined, changes)
|
||||
const result = filterAllowedAdvisories(undefined, changes)
|
||||
expect(result).toEqual([npmChange, rubyChange, noVulnNpmChange])
|
||||
})
|
||||
|
||||
|
||||
@@ -0,0 +1,36 @@
|
||||
import {Change} from '../../src/schemas'
|
||||
import {createTestVulnerability} from './create-test-vulnerability'
|
||||
|
||||
const defaultChange: Change = {
|
||||
change_type: 'added',
|
||||
manifest: 'package.json',
|
||||
ecosystem: 'npm',
|
||||
name: 'lodash',
|
||||
version: '4.17.20',
|
||||
package_url: 'pkg:npm/lodash@4.17.20',
|
||||
license: 'MIT',
|
||||
source_repository_url: 'https://github.com/lodash/lodash',
|
||||
scope: 'runtime',
|
||||
vulnerabilities: [
|
||||
createTestVulnerability({
|
||||
severity: 'high',
|
||||
advisory_ghsa_id: 'GHSA-35jh-r3h4-6jhm',
|
||||
advisory_summary: 'Command Injection in lodash',
|
||||
advisory_url: 'https://github.com/advisories/GHSA-35jh-r3h4-6jhm'
|
||||
}),
|
||||
createTestVulnerability({
|
||||
severity: 'moderate',
|
||||
advisory_ghsa_id: 'GHSA-29mw-wpgm-hmr9',
|
||||
advisory_summary:
|
||||
'Regular Expression Denial of Service (ReDoS) in lodash',
|
||||
advisory_url: 'https://github.com/advisories/GHSA-29mw-wpgm-hmr9'
|
||||
})
|
||||
]
|
||||
}
|
||||
|
||||
const createTestChange = (overwrites: Partial<Change> = {}): Change => ({
|
||||
...defaultChange,
|
||||
...overwrites
|
||||
})
|
||||
|
||||
export {createTestChange}
|
||||
@@ -0,0 +1,19 @@
|
||||
import {Change} from '../../src/schemas'
|
||||
|
||||
type Vulnerability = Change['vulnerabilities'][0]
|
||||
|
||||
const defaultTestVulnerability: Vulnerability = {
|
||||
severity: 'high',
|
||||
advisory_ghsa_id: 'GHSA-35jh-r3h4-6jhm',
|
||||
advisory_summary: 'Command Injection in lodash',
|
||||
advisory_url: 'https://github.com/advisories/GHSA-35jh-r3h4-6jhm'
|
||||
}
|
||||
|
||||
const createTestVulnerability = (
|
||||
overwrites: Partial<Vulnerability> = {}
|
||||
): Vulnerability => ({
|
||||
...defaultTestVulnerability,
|
||||
...overwrites
|
||||
})
|
||||
|
||||
export {createTestVulnerability}
|
||||
@@ -3,7 +3,7 @@ import {Change, Changes} from '../src/schemas'
|
||||
|
||||
let getInvalidLicenseChanges: Function
|
||||
|
||||
let npmChange: Change = {
|
||||
const npmChange: Change = {
|
||||
manifest: 'package.json',
|
||||
change_type: 'added',
|
||||
ecosystem: 'npm',
|
||||
@@ -23,7 +23,7 @@ let npmChange: Change = {
|
||||
]
|
||||
}
|
||||
|
||||
let rubyChange: Change = {
|
||||
const rubyChange: Change = {
|
||||
change_type: 'added',
|
||||
manifest: 'Gemfile.lock',
|
||||
ecosystem: 'rubygems',
|
||||
@@ -63,6 +63,7 @@ const mockOctokit = {
|
||||
|
||||
jest.mock('octokit', () => {
|
||||
return {
|
||||
// eslint-disable-next-line @typescript-eslint/no-extraneous-class
|
||||
Octokit: class {
|
||||
constructor() {
|
||||
return mockOctokit
|
||||
@@ -78,6 +79,7 @@ beforeEach(async () => {
|
||||
// true for BSD, false for all others
|
||||
return jest.fn((license: string, _: string): boolean => license === 'BSD')
|
||||
})
|
||||
// eslint-disable-next-line @typescript-eslint/no-require-imports
|
||||
;({getInvalidLicenseChanges} = require('../src/licenses'))
|
||||
})
|
||||
|
||||
@@ -140,6 +142,7 @@ test('it adds all licenses to unresolved if it is unable to determine the validi
|
||||
throw new Error('Some Error')
|
||||
})
|
||||
})
|
||||
// eslint-disable-next-line @typescript-eslint/no-require-imports
|
||||
;({getInvalidLicenseChanges} = require('../src/licenses'))
|
||||
const changes: Changes = [npmChange, rubyChange]
|
||||
const invalidLicenses = await getInvalidLicenseChanges(changes, {
|
||||
|
||||
@@ -0,0 +1,305 @@
|
||||
import {expect, jest, test} from '@jest/globals'
|
||||
import {Changes, ConfigurationOptions} from '../src/schemas'
|
||||
import * as summary from '../src/summary'
|
||||
import * as core from '@actions/core'
|
||||
import {createTestChange} from './fixtures/create-test-change'
|
||||
import {createTestVulnerability} from './fixtures/create-test-vulnerability'
|
||||
|
||||
afterEach(() => {
|
||||
jest.clearAllMocks()
|
||||
core.summary.emptyBuffer()
|
||||
})
|
||||
|
||||
const emptyChanges: Changes = []
|
||||
const emptyInvalidLicenseChanges = {
|
||||
forbidden: [],
|
||||
unresolved: [],
|
||||
unlicensed: []
|
||||
}
|
||||
const defaultConfig: ConfigurationOptions = {
|
||||
vulnerability_check: true,
|
||||
license_check: true,
|
||||
fail_on_severity: 'high',
|
||||
fail_on_scopes: ['runtime'],
|
||||
allow_ghsas: [],
|
||||
allow_licenses: [],
|
||||
deny_licenses: [],
|
||||
comment_summary_in_pr: true
|
||||
}
|
||||
|
||||
test('prints headline as h1', () => {
|
||||
summary.addSummaryToSummary(
|
||||
emptyChanges,
|
||||
emptyInvalidLicenseChanges,
|
||||
defaultConfig
|
||||
)
|
||||
const text = core.summary.stringify()
|
||||
|
||||
expect(text).toContain('<h1>Dependency Review</h1>')
|
||||
})
|
||||
|
||||
test('only includes "No vulnerabilities or license issues found"-message if both are configured and nothing was found', () => {
|
||||
summary.addSummaryToSummary(
|
||||
emptyChanges,
|
||||
emptyInvalidLicenseChanges,
|
||||
defaultConfig
|
||||
)
|
||||
const text = core.summary.stringify()
|
||||
|
||||
expect(text).toContain('✅ No vulnerabilities or license issues found.')
|
||||
})
|
||||
|
||||
test('only includes "No vulnerabilities found"-message if "license_check" is set to false and nothing was found', () => {
|
||||
const config = {...defaultConfig, license_check: false}
|
||||
summary.addSummaryToSummary(emptyChanges, emptyInvalidLicenseChanges, config)
|
||||
const text = core.summary.stringify()
|
||||
|
||||
expect(text).toContain('✅ No vulnerabilities found.')
|
||||
})
|
||||
|
||||
test('only includes "No license issues found"-message if "vulnerability_check" is set to false and nothing was found', () => {
|
||||
const config = {...defaultConfig, vulnerability_check: false}
|
||||
summary.addSummaryToSummary(emptyChanges, emptyInvalidLicenseChanges, config)
|
||||
const text = core.summary.stringify()
|
||||
|
||||
expect(text).toContain('✅ No license issues found.')
|
||||
})
|
||||
|
||||
test('does not include status section if nothing was found', () => {
|
||||
summary.addSummaryToSummary(
|
||||
emptyChanges,
|
||||
emptyInvalidLicenseChanges,
|
||||
defaultConfig
|
||||
)
|
||||
const text = core.summary.stringify()
|
||||
|
||||
expect(text).not.toContain('The following issues were found:')
|
||||
})
|
||||
|
||||
test('includes count and status icons for all findings', () => {
|
||||
const vulnerabilities = [
|
||||
createTestChange({name: 'lodash'}),
|
||||
createTestChange({name: 'underscore', package_url: 'test-url'})
|
||||
]
|
||||
const licenseIssues = {
|
||||
forbidden: [createTestChange()],
|
||||
unresolved: [createTestChange(), createTestChange()],
|
||||
unlicensed: [createTestChange(), createTestChange(), createTestChange()]
|
||||
}
|
||||
|
||||
summary.addSummaryToSummary(vulnerabilities, licenseIssues, defaultConfig)
|
||||
|
||||
const text = core.summary.stringify()
|
||||
expect(text).toContain('❌ 2 vulnerable package(s)')
|
||||
expect(text).toContain(
|
||||
'❌ 2 package(s) with invalid SPDX license definitions'
|
||||
)
|
||||
expect(text).toContain('❌ 1 package(s) with incompatible licenses')
|
||||
expect(text).toContain('⚠️ 3 package(s) with unknown licenses')
|
||||
})
|
||||
|
||||
test('uses checkmarks for license issues if only vulnerabilities were found', () => {
|
||||
const vulnerabilities = [createTestChange()]
|
||||
|
||||
summary.addSummaryToSummary(
|
||||
vulnerabilities,
|
||||
emptyInvalidLicenseChanges,
|
||||
defaultConfig
|
||||
)
|
||||
|
||||
const text = core.summary.stringify()
|
||||
expect(text).toContain('❌ 1 vulnerable package(s)')
|
||||
expect(text).toContain(
|
||||
'✅ 0 package(s) with invalid SPDX license definitions'
|
||||
)
|
||||
expect(text).toContain('✅ 0 package(s) with incompatible licenses')
|
||||
expect(text).toContain('✅ 0 package(s) with unknown licenses')
|
||||
})
|
||||
|
||||
test('uses checkmarks for vulnerabilities if only license issues were found', () => {
|
||||
const licenseIssues = {
|
||||
forbidden: [createTestChange()],
|
||||
unresolved: [],
|
||||
unlicensed: []
|
||||
}
|
||||
|
||||
summary.addSummaryToSummary(emptyChanges, licenseIssues, defaultConfig)
|
||||
|
||||
const text = core.summary.stringify()
|
||||
expect(text).toContain('✅ 0 vulnerable package(s)')
|
||||
expect(text).toContain(
|
||||
'✅ 0 package(s) with invalid SPDX license definitions'
|
||||
)
|
||||
expect(text).toContain('❌ 1 package(s) with incompatible licenses')
|
||||
expect(text).toContain('✅ 0 package(s) with unknown licenses')
|
||||
})
|
||||
|
||||
test('addChangeVulnerabilitiesToSummary() - only includes section if any vulnerabilites found', () => {
|
||||
summary.addChangeVulnerabilitiesToSummary(emptyChanges, 'low')
|
||||
const text = core.summary.stringify()
|
||||
expect(text).toEqual('')
|
||||
})
|
||||
|
||||
test('addChangeVulnerabilitiesToSummary() - includes all vulnerabilities', () => {
|
||||
const changes = [
|
||||
createTestChange({name: 'lodash'}),
|
||||
createTestChange({name: 'underscore', package_url: 'test-url'})
|
||||
]
|
||||
|
||||
summary.addChangeVulnerabilitiesToSummary(changes, 'low')
|
||||
|
||||
const text = core.summary.stringify()
|
||||
expect(text).toContain('<h2>Vulnerabilities</h2>')
|
||||
expect(text).toContain('lodash')
|
||||
expect(text).toContain('underscore')
|
||||
})
|
||||
|
||||
test('addChangeVulnerabilitiesToSummary() - includes advisory url if available', () => {
|
||||
const changes = [
|
||||
createTestChange({
|
||||
name: 'underscore',
|
||||
vulnerabilities: [
|
||||
createTestVulnerability({
|
||||
advisory_summary: 'test-summary',
|
||||
advisory_url: 'test-url'
|
||||
})
|
||||
]
|
||||
})
|
||||
]
|
||||
|
||||
summary.addChangeVulnerabilitiesToSummary(changes, 'low')
|
||||
|
||||
const text = core.summary.stringify()
|
||||
expect(text).toContain('lodash')
|
||||
expect(text).toContain('<a href="test-url">test-summary</a>')
|
||||
})
|
||||
|
||||
test('addChangeVulnerabilitiesToSummary() - groups vulnerabilities of a single package', () => {
|
||||
const changes = [
|
||||
createTestChange({
|
||||
name: 'package-with-multiple-vulnerabilities',
|
||||
vulnerabilities: [
|
||||
createTestVulnerability({advisory_summary: 'test-summary-1'}),
|
||||
createTestVulnerability({advisory_summary: 'test-summary-2'})
|
||||
]
|
||||
})
|
||||
]
|
||||
|
||||
summary.addChangeVulnerabilitiesToSummary(changes, 'low')
|
||||
|
||||
const text = core.summary.stringify()
|
||||
expect(text.match('package-with-multiple-vulnerabilities')).toHaveLength(1)
|
||||
expect(text).toContain('test-summary-1')
|
||||
expect(text).toContain('test-summary-2')
|
||||
})
|
||||
|
||||
test('addChangeVulnerabilitiesToSummary() - prints severity statement if above low', () => {
|
||||
const changes = [createTestChange()]
|
||||
|
||||
summary.addChangeVulnerabilitiesToSummary(changes, 'medium')
|
||||
|
||||
const text = core.summary.stringify()
|
||||
expect(text).toContain(
|
||||
'Only included vulnerabilities with severity <strong>medium</strong> or higher.'
|
||||
)
|
||||
})
|
||||
|
||||
test('addChangeVulnerabilitiesToSummary() - does not print severity statment if it is set to "low"', () => {
|
||||
const changes = [createTestChange()]
|
||||
|
||||
summary.addChangeVulnerabilitiesToSummary(changes, 'low')
|
||||
|
||||
const text = core.summary.stringify()
|
||||
expect(text).not.toContain('Only included vulnerabilities')
|
||||
})
|
||||
|
||||
test('addLicensesToSummary() - does not include entire section if no license issues found', () => {
|
||||
summary.addLicensesToSummary(emptyInvalidLicenseChanges, defaultConfig)
|
||||
const text = core.summary.stringify()
|
||||
expect(text).toEqual('')
|
||||
})
|
||||
|
||||
test('addLicensesToSummary() - includes all license issues in table', () => {
|
||||
const licenseIssues = {
|
||||
forbidden: [createTestChange()],
|
||||
unresolved: [createTestChange(), createTestChange()],
|
||||
unlicensed: [createTestChange(), createTestChange(), createTestChange()]
|
||||
}
|
||||
|
||||
summary.addLicensesToSummary(licenseIssues, defaultConfig)
|
||||
|
||||
const text = core.summary.stringify()
|
||||
expect(text).toContain('<h2>License Issues</h2>')
|
||||
expect(text).toContain('<td>Incompatible License</td>')
|
||||
expect(text).toContain('<td>Invalid SPDX License</td>')
|
||||
expect(text).toContain('<td>Unknown License</td>')
|
||||
})
|
||||
|
||||
test('addLicenseToSummary() - adds one table per manifest', () => {
|
||||
const licenseIssues = {
|
||||
forbidden: [
|
||||
createTestChange({manifest: 'package.json'}),
|
||||
createTestChange({manifest: '.github/workflows/test.yml'})
|
||||
],
|
||||
unresolved: [],
|
||||
unlicensed: []
|
||||
}
|
||||
|
||||
summary.addLicensesToSummary(licenseIssues, defaultConfig)
|
||||
|
||||
const text = core.summary.stringify()
|
||||
|
||||
expect(text).toContain('<h4><em>package.json</em></h4>')
|
||||
expect(text).toContain('<h4><em>.github/workflows/test.yml</em></h4>')
|
||||
})
|
||||
|
||||
test('addLicensesToSummary() - does not include specific license type sub-section if nothing is found', () => {
|
||||
const licenseIssues = {
|
||||
forbidden: [],
|
||||
unlicensed: [],
|
||||
unresolved: [createTestChange()]
|
||||
}
|
||||
|
||||
summary.addLicensesToSummary(licenseIssues, defaultConfig)
|
||||
|
||||
const text = core.summary.stringify()
|
||||
expect(text).not.toContain('<td>Incompatible License</td>')
|
||||
expect(text).not.toContain('<td>Unknown License</td>')
|
||||
expect(text).toContain('<td>Invalid SPDX License</td>')
|
||||
})
|
||||
|
||||
test('addLicensesToSummary() - includes list of configured allowed licenses', () => {
|
||||
const licenseIssues = {
|
||||
forbidden: [createTestChange()],
|
||||
unresolved: [],
|
||||
unlicensed: []
|
||||
}
|
||||
|
||||
const config: ConfigurationOptions = {
|
||||
...defaultConfig,
|
||||
allow_licenses: ['MIT', 'Apache-2.0']
|
||||
}
|
||||
|
||||
summary.addLicensesToSummary(licenseIssues, config)
|
||||
|
||||
const text = core.summary.stringify()
|
||||
expect(text).toContain('<strong>Allowed Licenses</strong>: MIT, Apache-2.0')
|
||||
})
|
||||
|
||||
test('addLicensesToSummary() - includes configured denied license', () => {
|
||||
const licenseIssues = {
|
||||
forbidden: [createTestChange()],
|
||||
unresolved: [],
|
||||
unlicensed: []
|
||||
}
|
||||
|
||||
const config: ConfigurationOptions = {
|
||||
...defaultConfig,
|
||||
deny_licenses: ['MIT']
|
||||
}
|
||||
|
||||
summary.addLicensesToSummary(licenseIssues, config)
|
||||
|
||||
const text = core.summary.stringify()
|
||||
expect(text).toContain('<strong>Denied Licenses</strong>: MIT')
|
||||
})
|
||||
+4
-1
@@ -30,7 +30,7 @@ inputs:
|
||||
description: Comma-separated list of forbidden licenses (e.g. "MIT, GPL 3.0, BSD 2 Clause")
|
||||
required: false
|
||||
allow-ghsas:
|
||||
description: Comma-separated list of allowed Github Advisory IDs (e.g. "GHSA-abcd-1234-5679, GHSA-efgh-1234-5679")
|
||||
description: Comma-separated list of allowed GitHub Advisory IDs (e.g. "GHSA-abcd-1234-5679, GHSA-efgh-1234-5679")
|
||||
required: false
|
||||
external-repo-token:
|
||||
description: A token for fetching external configuration file if it lives in another repository. It is required if the repository is private
|
||||
@@ -41,6 +41,9 @@ inputs:
|
||||
vulnerability-check:
|
||||
description: A boolean to determine if vulnerability checks should be performed
|
||||
required: false
|
||||
comment-summary-in-pr:
|
||||
description: A boolean to determine if the report should be posted as a comment in the PR itself. Setting this to true requires you to give the workflow the write permissions for pull-requests
|
||||
required: false
|
||||
runs:
|
||||
using: 'node16'
|
||||
main: 'dist/index.js'
|
||||
|
||||
+21472
-3936
File diff suppressed because one or more lines are too long
+1
-1
File diff suppressed because one or more lines are too long
+3
-234
@@ -1175,240 +1175,9 @@ FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TOR
|
||||
ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
||||
|
||||
|
||||
lodash.includes
|
||||
lodash
|
||||
MIT
|
||||
Copyright jQuery Foundation and other contributors <https://jquery.org/>
|
||||
|
||||
Based on Underscore.js, copyright Jeremy Ashkenas,
|
||||
DocumentCloud and Investigative Reporters & Editors <http://underscorejs.org/>
|
||||
|
||||
This software consists of voluntary contributions made by many
|
||||
individuals. For exact contribution history, see the revision history
|
||||
available at https://github.com/lodash/lodash
|
||||
|
||||
The following license applies to all parts of this software except as
|
||||
documented below:
|
||||
|
||||
====
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining
|
||||
a copy of this software and associated documentation files (the
|
||||
"Software"), to deal in the Software without restriction, including
|
||||
without limitation the rights to use, copy, modify, merge, publish,
|
||||
distribute, sublicense, and/or sell copies of the Software, and to
|
||||
permit persons to whom the Software is furnished to do so, subject to
|
||||
the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be
|
||||
included in all copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
||||
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
||||
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
||||
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
|
||||
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
|
||||
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
||||
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
||||
|
||||
====
|
||||
|
||||
Copyright and related rights for sample code are waived via CC0. Sample
|
||||
code is defined as all source code displayed within the prose of the
|
||||
documentation.
|
||||
|
||||
CC0: http://creativecommons.org/publicdomain/zero/1.0/
|
||||
|
||||
====
|
||||
|
||||
Files located in the node_modules and vendor directories are externally
|
||||
maintained libraries used by this software which have their own
|
||||
licenses; we recommend you read them, as their terms may differ from the
|
||||
terms above.
|
||||
|
||||
|
||||
lodash.isboolean
|
||||
MIT
|
||||
Copyright 2012-2016 The Dojo Foundation <http://dojofoundation.org/>
|
||||
Based on Underscore.js, copyright 2009-2016 Jeremy Ashkenas,
|
||||
DocumentCloud and Investigative Reporters & Editors <http://underscorejs.org/>
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining
|
||||
a copy of this software and associated documentation files (the
|
||||
"Software"), to deal in the Software without restriction, including
|
||||
without limitation the rights to use, copy, modify, merge, publish,
|
||||
distribute, sublicense, and/or sell copies of the Software, and to
|
||||
permit persons to whom the Software is furnished to do so, subject to
|
||||
the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be
|
||||
included in all copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
||||
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
||||
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
||||
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
|
||||
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
|
||||
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
||||
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
||||
|
||||
|
||||
lodash.isinteger
|
||||
MIT
|
||||
Copyright jQuery Foundation and other contributors <https://jquery.org/>
|
||||
|
||||
Based on Underscore.js, copyright Jeremy Ashkenas,
|
||||
DocumentCloud and Investigative Reporters & Editors <http://underscorejs.org/>
|
||||
|
||||
This software consists of voluntary contributions made by many
|
||||
individuals. For exact contribution history, see the revision history
|
||||
available at https://github.com/lodash/lodash
|
||||
|
||||
The following license applies to all parts of this software except as
|
||||
documented below:
|
||||
|
||||
====
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining
|
||||
a copy of this software and associated documentation files (the
|
||||
"Software"), to deal in the Software without restriction, including
|
||||
without limitation the rights to use, copy, modify, merge, publish,
|
||||
distribute, sublicense, and/or sell copies of the Software, and to
|
||||
permit persons to whom the Software is furnished to do so, subject to
|
||||
the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be
|
||||
included in all copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
||||
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
||||
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
||||
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
|
||||
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
|
||||
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
||||
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
||||
|
||||
====
|
||||
|
||||
Copyright and related rights for sample code are waived via CC0. Sample
|
||||
code is defined as all source code displayed within the prose of the
|
||||
documentation.
|
||||
|
||||
CC0: http://creativecommons.org/publicdomain/zero/1.0/
|
||||
|
||||
====
|
||||
|
||||
Files located in the node_modules and vendor directories are externally
|
||||
maintained libraries used by this software which have their own
|
||||
licenses; we recommend you read them, as their terms may differ from the
|
||||
terms above.
|
||||
|
||||
|
||||
lodash.isnumber
|
||||
MIT
|
||||
Copyright 2012-2016 The Dojo Foundation <http://dojofoundation.org/>
|
||||
Based on Underscore.js, copyright 2009-2016 Jeremy Ashkenas,
|
||||
DocumentCloud and Investigative Reporters & Editors <http://underscorejs.org/>
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining
|
||||
a copy of this software and associated documentation files (the
|
||||
"Software"), to deal in the Software without restriction, including
|
||||
without limitation the rights to use, copy, modify, merge, publish,
|
||||
distribute, sublicense, and/or sell copies of the Software, and to
|
||||
permit persons to whom the Software is furnished to do so, subject to
|
||||
the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be
|
||||
included in all copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
||||
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
||||
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
||||
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
|
||||
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
|
||||
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
||||
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
||||
|
||||
|
||||
lodash.isplainobject
|
||||
MIT
|
||||
Copyright jQuery Foundation and other contributors <https://jquery.org/>
|
||||
|
||||
Based on Underscore.js, copyright Jeremy Ashkenas,
|
||||
DocumentCloud and Investigative Reporters & Editors <http://underscorejs.org/>
|
||||
|
||||
This software consists of voluntary contributions made by many
|
||||
individuals. For exact contribution history, see the revision history
|
||||
available at https://github.com/lodash/lodash
|
||||
|
||||
The following license applies to all parts of this software except as
|
||||
documented below:
|
||||
|
||||
====
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining
|
||||
a copy of this software and associated documentation files (the
|
||||
"Software"), to deal in the Software without restriction, including
|
||||
without limitation the rights to use, copy, modify, merge, publish,
|
||||
distribute, sublicense, and/or sell copies of the Software, and to
|
||||
permit persons to whom the Software is furnished to do so, subject to
|
||||
the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be
|
||||
included in all copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
||||
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
||||
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
||||
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
|
||||
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
|
||||
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
||||
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
||||
|
||||
====
|
||||
|
||||
Copyright and related rights for sample code are waived via CC0. Sample
|
||||
code is defined as all source code displayed within the prose of the
|
||||
documentation.
|
||||
|
||||
CC0: http://creativecommons.org/publicdomain/zero/1.0/
|
||||
|
||||
====
|
||||
|
||||
Files located in the node_modules and vendor directories are externally
|
||||
maintained libraries used by this software which have their own
|
||||
licenses; we recommend you read them, as their terms may differ from the
|
||||
terms above.
|
||||
|
||||
|
||||
lodash.isstring
|
||||
MIT
|
||||
Copyright 2012-2016 The Dojo Foundation <http://dojofoundation.org/>
|
||||
Based on Underscore.js, copyright 2009-2016 Jeremy Ashkenas,
|
||||
DocumentCloud and Investigative Reporters & Editors <http://underscorejs.org/>
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining
|
||||
a copy of this software and associated documentation files (the
|
||||
"Software"), to deal in the Software without restriction, including
|
||||
without limitation the rights to use, copy, modify, merge, publish,
|
||||
distribute, sublicense, and/or sell copies of the Software, and to
|
||||
permit persons to whom the Software is furnished to do so, subject to
|
||||
the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be
|
||||
included in all copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
||||
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
||||
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
||||
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
|
||||
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
|
||||
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
||||
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
||||
|
||||
|
||||
lodash.once
|
||||
MIT
|
||||
Copyright jQuery Foundation and other contributors <https://jquery.org/>
|
||||
Copyright OpenJS Foundation and other contributors <https://openjsf.org/>
|
||||
|
||||
Based on Underscore.js, copyright Jeremy Ashkenas,
|
||||
DocumentCloud and Investigative Reporters & Editors <http://underscorejs.org/>
|
||||
@@ -1531,7 +1300,7 @@ octokit
|
||||
MIT
|
||||
The MIT License
|
||||
|
||||
Copyright (c) 2018 Octokit contributors
|
||||
Copyright (c) 2023 Octokit contributors
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
of this software and associated documentation files (the "Software"), to deal
|
||||
|
||||
Generated
+1548
-640
File diff suppressed because it is too large
Load Diff
+22
-20
@@ -1,11 +1,11 @@
|
||||
{
|
||||
"name": "dependency-review-action",
|
||||
"version": "3.0.0",
|
||||
"version": "3.0.3",
|
||||
"private": true,
|
||||
"description": "A GitHub Action for Dependency Review",
|
||||
"main": "lib/main.js",
|
||||
"scripts": {
|
||||
"build": "tsc",
|
||||
"build": "tsc -p tsconfig.build.json",
|
||||
"format": "prettier --write '**/*.ts'",
|
||||
"format-check": "prettier --check '**/*.ts'",
|
||||
"lint": "eslint src/**/*.ts",
|
||||
@@ -27,34 +27,36 @@
|
||||
"dependencies": {
|
||||
"@actions/core": "^1.10.0",
|
||||
"@actions/github": "^5.1.1",
|
||||
"@octokit/plugin-retry": "^4.0.3",
|
||||
"@octokit/request-error": "^3.0.2",
|
||||
"@octokit/plugin-retry": "^4.1.1",
|
||||
"@octokit/request-error": "^2.1.0",
|
||||
"ansi-styles": "^6.2.1",
|
||||
"got": "^12.5.2",
|
||||
"nodemon": "^2.0.20",
|
||||
"octokit": "^2.0.10",
|
||||
"got": "^12.6.0",
|
||||
"nodemon": "^2.0.21",
|
||||
"octokit": "^2.0.14",
|
||||
"spdx-expression-parse": "^3.0.1",
|
||||
"spdx-satisfies": "^5.0.1",
|
||||
"yaml": "^2.1.3",
|
||||
"zod": "^3.19.1"
|
||||
"yaml": "^2.2.1",
|
||||
"zod": "^3.21.0"
|
||||
},
|
||||
"devDependencies": {
|
||||
"@types/jest": "^27.5.2",
|
||||
"@types/node": "^16.18.3",
|
||||
"@typescript-eslint/eslint-plugin": "^5.43.0",
|
||||
"@typescript-eslint/parser": "^5.43.0",
|
||||
"@types/node": "^16.18.14",
|
||||
"@typescript-eslint/eslint-plugin": "^5.48.1",
|
||||
"@typescript-eslint/parser": "^5.48.0",
|
||||
"@types/spdx-expression-parse": "^3.0.2",
|
||||
"@types/spdx-satisfies": "^0.1.0",
|
||||
"@vercel/ncc": "^0.34.0",
|
||||
"esbuild-register": "^3.4.1",
|
||||
"eslint": "^8.27.0",
|
||||
"eslint-plugin-github": "^4.4.1",
|
||||
"eslint-plugin-jest": "^27.1.5",
|
||||
"@typescript-eslint/eslint-plugin": "^5.54.0",
|
||||
"@typescript-eslint/parser": "^5.53.0",
|
||||
"@vercel/ncc": "^0.36.1",
|
||||
"esbuild-register": "^3.4.2",
|
||||
"eslint": "^8.35.0",
|
||||
"eslint-plugin-github": "^4.6.1",
|
||||
"eslint-plugin-jest": "^27.2.1",
|
||||
"jest": "^27.5.1",
|
||||
"js-yaml": "^4.1.0",
|
||||
"nodemon": "^2.0.20",
|
||||
"prettier": "2.7.1",
|
||||
"nodemon": "^2.0.21",
|
||||
"prettier": "2.8.4",
|
||||
"ts-jest": "^27.1.4",
|
||||
"typescript": "^4.9.3"
|
||||
"typescript": "^4.9.5"
|
||||
}
|
||||
}
|
||||
|
||||
@@ -0,0 +1,114 @@
|
||||
/**
|
||||
* This scripts creates example markdown files for the summary in the ./tmp folder.
|
||||
* You can use it to preview changes to the summary.
|
||||
*
|
||||
* You can execute it like this:
|
||||
* npx ts-node scripts/create_summary.ts
|
||||
*/
|
||||
|
||||
import {Changes, ConfigurationOptions} from '../src/schemas'
|
||||
import {createTestChange} from '../__tests__/fixtures/create-test-change'
|
||||
import {InvalidLicenseChanges} from '../src/licenses'
|
||||
import * as fs from 'fs'
|
||||
import * as core from '@actions/core'
|
||||
import * as summary from '../src/summary'
|
||||
import * as path from 'path'
|
||||
|
||||
const defaultConfig: ConfigurationOptions = {
|
||||
vulnerability_check: true,
|
||||
license_check: true,
|
||||
fail_on_severity: 'high',
|
||||
fail_on_scopes: ['runtime'],
|
||||
allow_ghsas: [],
|
||||
allow_licenses: ['MIT'],
|
||||
deny_licenses: [],
|
||||
comment_summary_in_pr: true
|
||||
}
|
||||
|
||||
const tmpDir = path.resolve(__dirname, '../tmp')
|
||||
|
||||
const createExampleSummaries = async (): Promise<void> => {
|
||||
await fs.promises.mkdir(tmpDir, {recursive: true})
|
||||
|
||||
await createNonIssueSummary()
|
||||
await createFullSummary()
|
||||
}
|
||||
|
||||
const createNonIssueSummary = async (): Promise<void> => {
|
||||
await createSummary(
|
||||
[],
|
||||
{forbidden: [], unresolved: [], unlicensed: []},
|
||||
defaultConfig,
|
||||
'non-issue-summary.md'
|
||||
)
|
||||
}
|
||||
|
||||
const createFullSummary = async (): Promise<void> => {
|
||||
const changes = [createTestChange()]
|
||||
const licenses: InvalidLicenseChanges = {
|
||||
forbidden: [
|
||||
createTestChange({
|
||||
name: 'underscore',
|
||||
version: '1.12.0',
|
||||
license: 'Apache 2.0'
|
||||
})
|
||||
],
|
||||
unresolved: [
|
||||
createTestChange({
|
||||
name: 'octoinvader',
|
||||
license: 'Non SPDX License'
|
||||
}),
|
||||
createTestChange({
|
||||
name: 'owner/action-1',
|
||||
license: 'XYZ-License',
|
||||
version: 'v1.2.2',
|
||||
manifest: '.github/workflows/action.yml'
|
||||
})
|
||||
],
|
||||
unlicensed: [
|
||||
createTestChange({
|
||||
name: 'my-other-dependency',
|
||||
license: null
|
||||
}),
|
||||
createTestChange({
|
||||
name: 'owner/action-2',
|
||||
version: 'main',
|
||||
license: null,
|
||||
manifest: '.github/workflows/action.yml'
|
||||
})
|
||||
]
|
||||
}
|
||||
|
||||
await createSummary(changes, licenses, defaultConfig, 'full-summary.md')
|
||||
}
|
||||
|
||||
async function createSummary(
|
||||
vulnerabilities: Changes,
|
||||
licenseIssues: InvalidLicenseChanges,
|
||||
config: ConfigurationOptions,
|
||||
fileName: string
|
||||
): Promise<void> {
|
||||
summary.addSummaryToSummary(vulnerabilities, licenseIssues, config)
|
||||
summary.addChangeVulnerabilitiesToSummary(
|
||||
vulnerabilities,
|
||||
config.fail_on_severity
|
||||
)
|
||||
summary.addLicensesToSummary(licenseIssues, defaultConfig)
|
||||
|
||||
const allChanges = [
|
||||
...vulnerabilities,
|
||||
...licenseIssues.forbidden,
|
||||
...licenseIssues.unresolved,
|
||||
...licenseIssues.unlicensed
|
||||
]
|
||||
|
||||
summary.addScannedDependencies(allChanges)
|
||||
|
||||
const text = core.summary.stringify()
|
||||
await fs.promises.writeFile(path.resolve(tmpDir, fileName), text, {
|
||||
flag: 'w'
|
||||
})
|
||||
core.summary.emptyBuffer()
|
||||
}
|
||||
|
||||
createExampleSummaries()
|
||||
@@ -0,0 +1,84 @@
|
||||
import * as github from '@actions/github'
|
||||
import * as core from '@actions/core'
|
||||
import * as githubUtils from '@actions/github/lib/utils'
|
||||
import * as retry from '@octokit/plugin-retry'
|
||||
import {RequestError} from '@octokit/request-error'
|
||||
|
||||
const retryingOctokit = githubUtils.GitHub.plugin(retry.retry)
|
||||
const octo = new retryingOctokit(
|
||||
githubUtils.getOctokitOptions(core.getInput('repo-token', {required: true}))
|
||||
)
|
||||
|
||||
// Comment Marker to identify an existing comment to update, so we don't spam the PR with comments
|
||||
const COMMENT_MARKER = '<!-- dependency-review-pr-comment-marker -->'
|
||||
|
||||
export async function commentPr(summary: typeof core.summary): Promise<void> {
|
||||
if (!github.context.payload.pull_request) {
|
||||
core.warning(
|
||||
'Not in the context of a pull request. Skipping comment creation.'
|
||||
)
|
||||
return
|
||||
}
|
||||
|
||||
const commentBody = `${summary.stringify()}\n\n${COMMENT_MARKER}`
|
||||
|
||||
try {
|
||||
const existingCommentId = await findCommentByMarker(COMMENT_MARKER)
|
||||
|
||||
if (existingCommentId) {
|
||||
await octo.rest.issues.updateComment({
|
||||
owner: github.context.repo.owner,
|
||||
repo: github.context.repo.repo,
|
||||
comment_id: existingCommentId,
|
||||
body: commentBody
|
||||
})
|
||||
} else {
|
||||
await octo.rest.issues.createComment({
|
||||
owner: github.context.repo.owner,
|
||||
repo: github.context.repo.repo,
|
||||
issue_number: github.context.payload.pull_request.number,
|
||||
body: commentBody
|
||||
})
|
||||
}
|
||||
} catch (error) {
|
||||
if (error instanceof RequestError && error.status === 403) {
|
||||
core.warning(
|
||||
`Unable to write summary to pull-request. Make sure you are giving this workflow the permission 'pull-requests: write'.`
|
||||
)
|
||||
} else {
|
||||
if (error instanceof Error) {
|
||||
core.warning(
|
||||
`Unable to comment summary to pull-request, received error: ${error.message}`
|
||||
)
|
||||
} else {
|
||||
core.warning(
|
||||
'Unable to comment summary to pull-request: Unexpected fatal error'
|
||||
)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
async function findCommentByMarker(
|
||||
commentBodyIncludes: string
|
||||
): Promise<number | undefined> {
|
||||
const commentsIterator = octo.paginate.iterator(
|
||||
octo.rest.issues.listComments,
|
||||
{
|
||||
owner: github.context.repo.owner,
|
||||
repo: github.context.repo.repo,
|
||||
// We are already checking if we are in the context of a pull request in the caller
|
||||
// eslint-disable-next-line @typescript-eslint/no-non-null-assertion
|
||||
issue_number: github.context.payload.pull_request!.number
|
||||
}
|
||||
)
|
||||
|
||||
for await (const {data: comments} of commentsIterator) {
|
||||
const existingComment = comments.find(comment =>
|
||||
comment.body?.includes(commentBodyIncludes)
|
||||
)
|
||||
if (existingComment) return existingComment.id
|
||||
}
|
||||
|
||||
return undefined
|
||||
}
|
||||
+3
-1
@@ -34,6 +34,7 @@ function readInlineConfig(): ConfigurationOptionsPartial {
|
||||
const vulnerability_check = getOptionalBoolean('vulnerability-check')
|
||||
const base_ref = getOptionalInput('base-ref')
|
||||
const head_ref = getOptionalInput('head-ref')
|
||||
const comment_summary_in_pr = getOptionalBoolean('comment-summary-in-pr')
|
||||
|
||||
validateLicenses('allow-licenses', allow_licenses)
|
||||
validateLicenses('deny-licenses', deny_licenses)
|
||||
@@ -47,7 +48,8 @@ function readInlineConfig(): ConfigurationOptionsPartial {
|
||||
license_check,
|
||||
vulnerability_check,
|
||||
base_ref,
|
||||
head_ref
|
||||
head_ref,
|
||||
comment_summary_in_pr
|
||||
}
|
||||
|
||||
return Object.fromEntries(
|
||||
|
||||
+7
-2
@@ -14,19 +14,24 @@ import {isSPDXValid, octokitClient} from './utils'
|
||||
* @param { { allow?: string[], deny?: string[]}} licenses An object with `allow`/`deny` keys, each containing a list of licenses.
|
||||
* @returns {Promise<{Object.<string, Array.<Change>>}} A promise to a Record Object. The keys are strings, unlicensed, unresolved and forbidden. The values are a list of changes
|
||||
*/
|
||||
export type InvalidLicenseChangeTypes =
|
||||
| 'unlicensed'
|
||||
| 'unresolved'
|
||||
| 'forbidden'
|
||||
export type InvalidLicenseChanges = Record<InvalidLicenseChangeTypes, Changes>
|
||||
export async function getInvalidLicenseChanges(
|
||||
changes: Change[],
|
||||
licenses: {
|
||||
allow?: string[]
|
||||
deny?: string[]
|
||||
}
|
||||
): Promise<Record<string, Changes>> {
|
||||
): Promise<InvalidLicenseChanges> {
|
||||
const {allow, deny} = licenses
|
||||
|
||||
const groupedChanges = await groupChanges(changes)
|
||||
const licensedChanges: Changes = groupedChanges.licensed
|
||||
|
||||
const invalidLicenseChanges: Record<string, Changes> = {
|
||||
const invalidLicenseChanges: InvalidLicenseChanges = {
|
||||
unlicensed: groupedChanges.unlicensed,
|
||||
unresolved: [],
|
||||
forbidden: []
|
||||
|
||||
+16
-6
@@ -15,6 +15,7 @@ import * as summary from './summary'
|
||||
import {getRefs} from './git-refs'
|
||||
|
||||
import {groupDependenciesByManifest} from './utils'
|
||||
import {commentPr} from './comment-pr'
|
||||
|
||||
async function run(): Promise<void> {
|
||||
try {
|
||||
@@ -28,6 +29,11 @@ async function run(): Promise<void> {
|
||||
headRef: refs.head
|
||||
})
|
||||
|
||||
if (!changes) {
|
||||
core.info('No Dependency Changes found. Skipping Dependency Review.')
|
||||
return
|
||||
}
|
||||
|
||||
const minSeverity = config.fail_on_severity
|
||||
const scopedChanges = filterChangesByScopes(config.fail_on_scopes, changes)
|
||||
const filteredChanges = filterAllowedAdvisories(
|
||||
@@ -35,7 +41,7 @@ async function run(): Promise<void> {
|
||||
scopedChanges
|
||||
)
|
||||
|
||||
const addedChanges = filterChangesBySeverity(
|
||||
const vulnerableChanges = filterChangesBySeverity(
|
||||
minSeverity,
|
||||
filteredChanges
|
||||
).filter(
|
||||
@@ -54,13 +60,14 @@ async function run(): Promise<void> {
|
||||
)
|
||||
|
||||
summary.addSummaryToSummary(
|
||||
config.vulnerability_check ? addedChanges : null,
|
||||
config.license_check ? invalidLicenseChanges : null
|
||||
vulnerableChanges,
|
||||
invalidLicenseChanges,
|
||||
config
|
||||
)
|
||||
|
||||
if (config.vulnerability_check) {
|
||||
summary.addChangeVulnerabilitiesToSummary(addedChanges, minSeverity)
|
||||
printVulnerabilitiesBlock(addedChanges, minSeverity)
|
||||
summary.addChangeVulnerabilitiesToSummary(vulnerableChanges, minSeverity)
|
||||
printVulnerabilitiesBlock(vulnerableChanges, minSeverity)
|
||||
}
|
||||
if (config.license_check) {
|
||||
summary.addLicensesToSummary(invalidLicenseChanges, config)
|
||||
@@ -69,6 +76,9 @@ async function run(): Promise<void> {
|
||||
|
||||
summary.addScannedDependencies(changes)
|
||||
printScannedDependencies(changes)
|
||||
if (config.comment_summary_in_pr) {
|
||||
await commentPr(core.summary)
|
||||
}
|
||||
} catch (error) {
|
||||
if (error instanceof RequestError && error.status === 404) {
|
||||
core.setFailed(
|
||||
@@ -76,7 +86,7 @@ async function run(): Promise<void> {
|
||||
)
|
||||
} else if (error instanceof RequestError && error.status === 403) {
|
||||
core.setFailed(
|
||||
`Dependency review is not supported on this repository. Please ensure that Dependency graph is enabled, see https://github.com/${github.context.repo.owner}/${github.context.repo.repo}/settings/security_analysis`
|
||||
`Dependency review is not supported on this repository. Please ensure that Dependency graph is enabled along with GitHub Advanced Security on private repositories, see https://github.com/${github.context.repo.owner}/${github.context.repo.repo}/settings/security_analysis`
|
||||
)
|
||||
} else {
|
||||
if (error instanceof Error) {
|
||||
|
||||
+3
-2
@@ -45,7 +45,8 @@ export const ConfigurationOptionsSchema = z
|
||||
vulnerability_check: z.boolean().default(true),
|
||||
config_file: z.string().optional(),
|
||||
base_ref: z.string().optional(),
|
||||
head_ref: z.string().optional()
|
||||
head_ref: z.string().optional(),
|
||||
comment_summary_in_pr: z.boolean().default(false)
|
||||
})
|
||||
.superRefine((config, context) => {
|
||||
if (config.allow_licenses && config.deny_licenses) {
|
||||
@@ -77,4 +78,4 @@ export type Change = z.infer<typeof ChangeSchema>
|
||||
export type Changes = z.infer<typeof ChangesSchema>
|
||||
export type ConfigurationOptions = z.infer<typeof ConfigurationOptionsSchema>
|
||||
export type Severity = z.infer<typeof SeveritySchema>
|
||||
export type Scope = typeof SCOPES[number]
|
||||
export type Scope = (typeof SCOPES)[number]
|
||||
|
||||
+128
-71
@@ -1,50 +1,82 @@
|
||||
import * as core from '@actions/core'
|
||||
import {ConfigurationOptions, Changes} from './schemas'
|
||||
import {SummaryTableRow} from '@actions/core/lib/summary'
|
||||
import {InvalidLicenseChanges, InvalidLicenseChangeTypes} from './licenses'
|
||||
import {groupDependenciesByManifest, getManifestsSet, renderUrl} from './utils'
|
||||
|
||||
export function addSummaryToSummary(
|
||||
addedPackages: Changes | null,
|
||||
invalidLicenseChanges: Record<string, Changes> | null
|
||||
): void {
|
||||
core.summary
|
||||
.addHeading('Dependency Review')
|
||||
.addRaw('We found:')
|
||||
.addList([
|
||||
...(addedPackages
|
||||
? [`${addedPackages.length} vulnerable package(s)`]
|
||||
: []),
|
||||
...(invalidLicenseChanges
|
||||
? [
|
||||
`${invalidLicenseChanges.unresolved.length} package(s) with invalid SPDX license definitions`,
|
||||
`${invalidLicenseChanges.forbidden.length} package(s) with incompatible licenses`,
|
||||
`${invalidLicenseChanges.unlicensed.length} package(s) with unknown licenses.`
|
||||
]
|
||||
: [])
|
||||
])
|
||||
const icons = {
|
||||
check: '✅',
|
||||
cross: '❌',
|
||||
warning: '⚠️'
|
||||
}
|
||||
|
||||
export function addChangeVulnerabilitiesToSummary(
|
||||
addedPackages: Changes,
|
||||
severity: string
|
||||
export function addSummaryToSummary(
|
||||
vulnerableChanges: Changes,
|
||||
invalidLicenseChanges: InvalidLicenseChanges,
|
||||
config: ConfigurationOptions
|
||||
): void {
|
||||
const rows: SummaryTableRow[] = []
|
||||
core.summary.addHeading('Dependency Review', 1)
|
||||
|
||||
const manifests = getManifestsSet(addedPackages)
|
||||
if (
|
||||
vulnerableChanges.length === 0 &&
|
||||
countLicenseIssues(invalidLicenseChanges) === 0
|
||||
) {
|
||||
if (!config.license_check) {
|
||||
core.summary.addRaw(`${icons.check} No vulnerabilities found.`)
|
||||
} else if (!config.vulnerability_check) {
|
||||
core.summary.addRaw(`${icons.check} No license issues found.`)
|
||||
} else {
|
||||
core.summary.addRaw(
|
||||
`${icons.check} No vulnerabilities or license issues found.`
|
||||
)
|
||||
}
|
||||
|
||||
core.summary
|
||||
.addHeading('Vulnerabilities')
|
||||
.addQuote(
|
||||
`Vulnerabilites were filtered by mininum severity <strong>${severity}</strong>.`
|
||||
)
|
||||
|
||||
if (addedPackages.length === 0) {
|
||||
core.summary.addQuote('No vulnerabilities found in added packages.')
|
||||
return
|
||||
}
|
||||
|
||||
core.summary
|
||||
.addRaw('The following issues were found:')
|
||||
.addList([
|
||||
...(config.vulnerability_check
|
||||
? [
|
||||
`${checkOrFailIcon(vulnerableChanges.length)} ${
|
||||
vulnerableChanges.length
|
||||
} vulnerable package(s)`
|
||||
]
|
||||
: []),
|
||||
...(config.license_check
|
||||
? [
|
||||
`${checkOrFailIcon(invalidLicenseChanges.forbidden.length)} ${
|
||||
invalidLicenseChanges.forbidden.length
|
||||
} package(s) with incompatible licenses`,
|
||||
`${checkOrFailIcon(invalidLicenseChanges.unresolved.length)} ${
|
||||
invalidLicenseChanges.unresolved.length
|
||||
} package(s) with invalid SPDX license definitions`,
|
||||
`${checkOrWarnIcon(invalidLicenseChanges.unlicensed.length)} ${
|
||||
invalidLicenseChanges.unlicensed.length
|
||||
} package(s) with unknown licenses.`
|
||||
]
|
||||
: [])
|
||||
])
|
||||
.addRaw('See the Details below.')
|
||||
}
|
||||
|
||||
export function addChangeVulnerabilitiesToSummary(
|
||||
vulnerableChanges: Changes,
|
||||
severity: string
|
||||
): void {
|
||||
if (vulnerableChanges.length === 0) {
|
||||
return
|
||||
}
|
||||
|
||||
const rows: SummaryTableRow[] = []
|
||||
|
||||
const manifests = getManifestsSet(vulnerableChanges)
|
||||
|
||||
core.summary.addHeading('Vulnerabilities', 2)
|
||||
|
||||
for (const manifest of manifests) {
|
||||
for (const change of addedPackages.filter(
|
||||
for (const change of vulnerableChanges.filter(
|
||||
pkg => pkg.manifest === manifest
|
||||
)) {
|
||||
let previous_package = ''
|
||||
@@ -72,7 +104,7 @@ export function addChangeVulnerabilitiesToSummary(
|
||||
previous_version = change.version
|
||||
}
|
||||
}
|
||||
core.summary.addHeading(`<em>${manifest}</em>`, 3).addTable([
|
||||
core.summary.addHeading(`<em>${manifest}</em>`, 4).addTable([
|
||||
[
|
||||
{data: 'Name', header: true},
|
||||
{data: 'Version', header: true},
|
||||
@@ -82,13 +114,24 @@ export function addChangeVulnerabilitiesToSummary(
|
||||
...rows
|
||||
])
|
||||
}
|
||||
|
||||
if (severity !== 'low') {
|
||||
core.summary.addQuote(
|
||||
`Only included vulnerabilities with severity <strong>${severity}</strong> or higher.`
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
export function addLicensesToSummary(
|
||||
invalidLicenseChanges: Record<string, Changes>,
|
||||
invalidLicenseChanges: InvalidLicenseChanges,
|
||||
config: ConfigurationOptions
|
||||
): void {
|
||||
core.summary.addHeading('Licenses')
|
||||
if (countLicenseIssues(invalidLicenseChanges) === 0) {
|
||||
return
|
||||
}
|
||||
|
||||
core.summary.addHeading('License Issues', 2)
|
||||
printLicenseViolations(invalidLicenseChanges)
|
||||
|
||||
if (config.allow_licenses && config.allow_licenses.length > 0) {
|
||||
core.summary.addQuote(
|
||||
@@ -101,11 +144,6 @@ export function addLicensesToSummary(
|
||||
)
|
||||
}
|
||||
|
||||
if (Object.values(invalidLicenseChanges).every(item => item.length === 0)) {
|
||||
core.summary.addQuote('No license violations detected.')
|
||||
return
|
||||
}
|
||||
|
||||
core.debug(
|
||||
`found ${invalidLicenseChanges.unlicensed.length} unknown licenses`
|
||||
)
|
||||
@@ -113,39 +151,43 @@ export function addLicensesToSummary(
|
||||
core.debug(
|
||||
`${invalidLicenseChanges.unresolved.length} licenses could not be validated`
|
||||
)
|
||||
|
||||
printLicenseViolation(
|
||||
'Incompatible Licenses',
|
||||
invalidLicenseChanges.forbidden
|
||||
)
|
||||
printLicenseViolation('Unknown Licenses', invalidLicenseChanges.unlicensed)
|
||||
printLicenseViolation(
|
||||
'Invalid SPDX License Definitions',
|
||||
invalidLicenseChanges.unresolved
|
||||
)
|
||||
}
|
||||
function printLicenseViolation(heading: string, changes: Changes): void {
|
||||
core.summary.addHeading(heading, 5).addSeparator()
|
||||
|
||||
if (changes.length > 0) {
|
||||
const rows: SummaryTableRow[] = []
|
||||
const manifests = getManifestsSet(changes)
|
||||
const licenseIssueTypes: InvalidLicenseChangeTypes[] = [
|
||||
'forbidden',
|
||||
'unresolved',
|
||||
'unlicensed'
|
||||
]
|
||||
|
||||
for (const manifest of manifests) {
|
||||
core.summary.addHeading(`<em>${manifest}</em>`, 4)
|
||||
const issueTypeNames: Record<InvalidLicenseChangeTypes, string> = {
|
||||
forbidden: 'Incompatible License',
|
||||
unresolved: 'Invalid SPDX License',
|
||||
unlicensed: 'Unknown License'
|
||||
}
|
||||
|
||||
for (const change of changes.filter(pkg => pkg.manifest === manifest)) {
|
||||
rows.push([
|
||||
renderUrl(change.source_repository_url, change.name),
|
||||
change.version,
|
||||
formatLicense(change.license)
|
||||
])
|
||||
function printLicenseViolations(changes: InvalidLicenseChanges): void {
|
||||
const rowsGroupedByManifest: Record<string, SummaryTableRow[]> = {}
|
||||
|
||||
for (const issueType of licenseIssueTypes) {
|
||||
for (const change of changes[issueType]) {
|
||||
if (!rowsGroupedByManifest[change.manifest]) {
|
||||
rowsGroupedByManifest[change.manifest] = []
|
||||
}
|
||||
|
||||
core.summary.addTable([['Package', 'Version', 'License'], ...rows])
|
||||
rowsGroupedByManifest[change.manifest].push([
|
||||
renderUrl(change.source_repository_url, change.name),
|
||||
change.version,
|
||||
formatLicense(change.license),
|
||||
issueTypeNames[issueType]
|
||||
])
|
||||
}
|
||||
} else {
|
||||
core.summary.addQuote(`No ${heading.toLowerCase()} detected.`)
|
||||
}
|
||||
|
||||
for (const [manifest, rows] of Object.entries(rowsGroupedByManifest)) {
|
||||
core.summary.addHeading(`<em>${manifest}</em>`, 4)
|
||||
core.summary.addTable([
|
||||
['Package', 'Version', 'License', 'Issue Type'],
|
||||
...rows
|
||||
])
|
||||
}
|
||||
}
|
||||
|
||||
@@ -160,9 +202,7 @@ export function addScannedDependencies(changes: Changes): void {
|
||||
const dependencies = groupDependenciesByManifest(changes)
|
||||
const manifests = dependencies.keys()
|
||||
|
||||
const summary = core.summary
|
||||
.addHeading('Scanned Dependencies')
|
||||
.addHeading(`We scanned ${dependencies.size} manifest files:`, 5)
|
||||
const summary = core.summary.addHeading('Scanned Manifest Files', 2)
|
||||
|
||||
for (const manifest of manifests) {
|
||||
const deps = dependencies.get(manifest)
|
||||
@@ -174,3 +214,20 @@ export function addScannedDependencies(changes: Changes): void {
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
function countLicenseIssues(
|
||||
invalidLicenseChanges: InvalidLicenseChanges
|
||||
): number {
|
||||
return Object.values(invalidLicenseChanges).reduce(
|
||||
(acc, val) => acc + val.length,
|
||||
0
|
||||
)
|
||||
}
|
||||
|
||||
function checkOrFailIcon(count: number): string {
|
||||
return count === 0 ? icons.check : icons.cross
|
||||
}
|
||||
|
||||
function checkOrWarnIcon(count: number): string {
|
||||
return count === 0 ? icons.check : icons.warning
|
||||
}
|
||||
|
||||
@@ -0,0 +1,8 @@
|
||||
{
|
||||
"extends": "./tsconfig.json",
|
||||
"include": ["src"],
|
||||
"compilerOptions": {
|
||||
"outDir": "./lib" /* Redirect output structure to the directory. */,
|
||||
"rootDir": "./src" /* Specify the root directory of input files. Use to control the output directory structure with --outDir. */
|
||||
}
|
||||
}
|
||||
+1
-2
@@ -3,10 +3,9 @@
|
||||
"target": "es6" /* Specify ECMAScript target version: 'ES3' (default), 'ES5', 'ES2015', 'ES2016', 'ES2017', 'ES2018', 'ES2019' or 'ESNEXT'. */,
|
||||
"module": "commonjs" /* Specify module code generation: 'none', 'commonjs', 'amd', 'system', 'umd', 'es2015', or 'ESNext'. */,
|
||||
"outDir": "./lib" /* Redirect output structure to the directory. */,
|
||||
"rootDir": "./src" /* Specify the root directory of input files. Use to control the output directory structure with --outDir. */,
|
||||
"strict": true /* Enable all strict type-checking options. */,
|
||||
"noImplicitAny": true /* Raise error on expressions and declarations with an implied 'any' type. */,
|
||||
"esModuleInterop": true /* Enables emit interoperability between CommonJS and ES Modules via creation of namespace objects for all imports. Implies 'allowSyntheticDefaultImports'. */
|
||||
},
|
||||
"exclude": ["node_modules", "**/*.test.ts"]
|
||||
"exclude": ["node_modules"]
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user