Compare commits

...

92 Commits

Author SHA1 Message Date
Federico Builes 1360a344cc Merge pull request #494 from actions/fix-purl-bug
Empty PURLs should not block the action from running
2023-05-31 17:11:07 +02:00
Federico Builes 123b58703a bumping to 3.0.6 2023-05-31 17:10:00 +02:00
Federico Builes cd559bc984 adding dist 2023-05-31 17:09:53 +02:00
Federico Builes 70f8094bec adding a test for empty PURLs 2023-05-31 16:24:19 +02:00
Federico Builes 0b306aef97 Don't try to create PURLs from empty strings. 2023-05-31 16:14:02 +02:00
Federico Builes 554aaf5c3d Merge pull request #423 from theztefan/allow-list-dependencies
Exclude dependencies from license checks
2023-05-31 14:24:05 +02:00
Federico Builes c6e94c1336 External config files should use underscores, not dashes 2023-05-31 14:21:57 +02:00
Stefan Petrushevski 88d6af3d4a latest build 2023-05-31 12:54:16 +02:00
Stefan Petrushevski f1c8401a59 resolve merge conflicts 2023-05-30 18:04:26 +02:00
Stefan Petrushevski ef8ebf0eef rebuild 2023-05-30 17:33:40 +02:00
Federico Builes 1f7c838fcb Merge pull request #492 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.59.8
Bump @typescript-eslint/eslint-plugin from 5.59.6 to 5.59.8
2023-05-30 08:10:28 +02:00
dependabot[bot] 1ee07d8652 Bump @typescript-eslint/eslint-plugin from 5.59.6 to 5.59.8
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.59.6 to 5.59.8.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.59.8/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-05-30 05:32:06 +00:00
Federico Builes 861f696c44 Merge pull request #491 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.59.8
Bump @typescript-eslint/parser from 5.59.7 to 5.59.8
2023-05-30 07:31:16 +02:00
dependabot[bot] ce9db3928f Bump @typescript-eslint/parser from 5.59.7 to 5.59.8
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.59.7 to 5.59.8.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.59.8/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-05-30 05:25:32 +00:00
Federico Builes 854aa8a142 Merge pull request #485 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.59.7
Bump @typescript-eslint/parser from 5.59.6 to 5.59.7
2023-05-30 07:24:55 +02:00
Federico Builes 9fbf14f620 Merge pull request #484 from actions/dependabot/npm_and_yarn/types/node-16.18.34
Bump @types/node from 16.18.32 to 16.18.34
2023-05-30 07:24:43 +02:00
Federico Builes 64222d2efe Merge pull request #483 from actions/dependabot/npm_and_yarn/yaml-2.3.1
Bump yaml from 2.2.2 to 2.3.1
2023-05-30 07:24:34 +02:00
Federico Builes f2a3e1af33 updating dist 2023-05-30 07:23:40 +02:00
dependabot[bot] e3de7a00a8 Bump @typescript-eslint/parser from 5.59.6 to 5.59.7
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.59.6 to 5.59.7.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.59.7/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-05-29 02:01:45 +00:00
dependabot[bot] 627344199b Bump @types/node from 16.18.32 to 16.18.34
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.18.32 to 16.18.34.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-05-29 02:01:13 +00:00
dependabot[bot] 2406ed1539 Bump yaml from 2.2.2 to 2.3.1
Bumps [yaml](https://github.com/eemeli/yaml) from 2.2.2 to 2.3.1.
- [Release notes](https://github.com/eemeli/yaml/releases)
- [Commits](https://github.com/eemeli/yaml/compare/v2.2.2...v2.3.1)

---
updated-dependencies:
- dependency-name: yaml
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-05-29 02:00:41 +00:00
Stefan 20f1bbadfc Update README.md
Co-authored-by: Justin Holguín <juxtin@github.com>
2023-05-26 20:20:06 +02:00
Stefan 32e5b32ec4 Update docs/examples.md
Co-authored-by: Justin Holguín <juxtin@github.com>
2023-05-26 20:19:52 +02:00
Federico Builes 4ee0db82cc Merge pull request #480 from actions/dependabot/npm_and_yarn/octokit-2.0.16
Bump octokit from 2.0.14 to 2.0.16
2023-05-22 07:35:59 +02:00
Federico Builes f303e9cd65 adding dist 2023-05-22 07:31:33 +02:00
Federico Builes fa8ddf1781 Merge pull request #482 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.59.6
Bump @typescript-eslint/parser from 5.59.2 to 5.59.6
2023-05-22 07:26:50 +02:00
dependabot[bot] 70422dcfbd Bump @typescript-eslint/parser from 5.59.2 to 5.59.6
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.59.2 to 5.59.6.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.59.6/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-05-22 05:25:44 +00:00
Federico Builes fe724aebb5 Merge pull request #481 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.59.6
Bump @typescript-eslint/eslint-plugin from 5.59.2 to 5.59.6
2023-05-22 07:25:14 +02:00
Federico Builes 6ab307aa49 Merge pull request #479 from actions/dependabot/npm_and_yarn/types/node-16.18.32
Bump @types/node from 16.18.26 to 16.18.32
2023-05-22 07:24:49 +02:00
Federico Builes 7b02d77054 Merge pull request #478 from actions/dependabot/npm_and_yarn/eslint-8.41.0
Bump eslint from 8.40.0 to 8.41.0
2023-05-22 07:24:40 +02:00
dependabot[bot] 98717099a1 Bump @typescript-eslint/eslint-plugin from 5.59.2 to 5.59.6
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.59.2 to 5.59.6.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.59.6/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-05-22 02:02:05 +00:00
dependabot[bot] b582a7ae96 Bump octokit from 2.0.14 to 2.0.16
Bumps [octokit](https://github.com/octokit/octokit.js) from 2.0.14 to 2.0.16.
- [Release notes](https://github.com/octokit/octokit.js/releases)
- [Commits](https://github.com/octokit/octokit.js/compare/v2.0.14...v2.0.16)

---
updated-dependencies:
- dependency-name: octokit
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-05-22 02:01:13 +00:00
dependabot[bot] 894a896fb1 Bump @types/node from 16.18.26 to 16.18.32
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.18.26 to 16.18.32.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-05-22 01:59:51 +00:00
dependabot[bot] eb565747bb Bump eslint from 8.40.0 to 8.41.0
Bumps [eslint](https://github.com/eslint/eslint) from 8.40.0 to 8.41.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/eslint/eslint/compare/v8.40.0...v8.41.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-05-22 01:59:24 +00:00
Stefan Petrushevski 7b5fa84cfc added tests; docs and cleanup 2023-05-19 10:47:59 +02:00
Stefan 8ef2903f61 Update action.yml
Co-authored-by: Justin Holguín <juxtin@github.com>
2023-05-17 09:45:02 +02:00
Stefan 16c0c13a8b Update README.md
Co-authored-by: Justin Holguín <juxtin@github.com>
2023-05-17 09:44:49 +02:00
Stefan b36110c8a0 Update docs/examples.md
Co-authored-by: Justin Holguín <juxtin@github.com>
2023-05-17 09:44:33 +02:00
Stefan Petrushevski 0574926a14 document; code style; 2023-05-16 16:50:04 +02:00
Federico Builes 57c07f037a Merge pull request #473 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.59.2
Bump @typescript-eslint/parser from 5.59.1 to 5.59.2
2023-05-08 06:16:13 +02:00
dependabot[bot] 8fba746b74 Bump @typescript-eslint/parser from 5.59.1 to 5.59.2
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.59.1 to 5.59.2.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.59.2/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-05-08 04:16:03 +00:00
Federico Builes 632eabaaf6 Merge pull request #474 from actions/dependabot/npm_and_yarn/eslint-8.40.0
Bump eslint from 8.39.0 to 8.40.0
2023-05-08 06:15:33 +02:00
Federico Builes d1f8348e2e Merge pull request #472 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.59.2
Bump @typescript-eslint/eslint-plugin from 5.59.1 to 5.59.2
2023-05-08 06:15:13 +02:00
Federico Builes 66da8857a8 Merge pull request #471 from actions/dependabot/npm_and_yarn/types/node-16.18.26
Bump @types/node from 16.18.25 to 16.18.26
2023-05-08 06:15:06 +02:00
dependabot[bot] 9fe22cbd4d Bump eslint from 8.39.0 to 8.40.0
Bumps [eslint](https://github.com/eslint/eslint) from 8.39.0 to 8.40.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/eslint/eslint/compare/v8.39.0...v8.40.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-05-08 02:01:40 +00:00
dependabot[bot] 192b846247 Bump @typescript-eslint/eslint-plugin from 5.59.1 to 5.59.2
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.59.1 to 5.59.2.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.59.2/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-05-08 02:00:42 +00:00
dependabot[bot] faed3d989f Bump @types/node from 16.18.25 to 16.18.26
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.18.25 to 16.18.26.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-05-08 01:59:37 +00:00
Federico Builes 7d25be7d68 Merge pull request #467 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.59.1
Bump @typescript-eslint/eslint-plugin from 5.59.0 to 5.59.1
2023-05-01 13:47:42 +02:00
Federico Builes 57e6a1aeb8 Merge pull request #469 from actions/dependabot/npm_and_yarn/yaml-2.2.2
Bump yaml from 2.2.1 to 2.2.2
2023-05-01 13:47:23 +02:00
Federico Builes 8450611ed5 adding dist 2023-05-01 13:47:13 +02:00
dependabot[bot] adc7610fb4 Bump @typescript-eslint/eslint-plugin from 5.59.0 to 5.59.1
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.59.0 to 5.59.1.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.59.1/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-05-01 11:45:43 +00:00
dependabot[bot] b81c2dfce6 Bump yaml from 2.2.1 to 2.2.2
Bumps [yaml](https://github.com/eemeli/yaml) from 2.2.1 to 2.2.2.
- [Release notes](https://github.com/eemeli/yaml/releases)
- [Commits](https://github.com/eemeli/yaml/compare/v2.2.1...v2.2.2)

---
updated-dependencies:
- dependency-name: yaml
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-05-01 11:45:32 +00:00
Federico Builes 70370c1727 Merge pull request #468 from actions/dependabot/npm_and_yarn/types/node-16.18.25
Bump @types/node from 16.18.24 to 16.18.25
2023-05-01 13:44:58 +02:00
Federico Builes 1e46123a48 Merge pull request #466 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.59.1
Bump @typescript-eslint/parser from 5.59.0 to 5.59.1
2023-05-01 13:44:30 +02:00
dependabot[bot] de626ab5bc Bump @types/node from 16.18.24 to 16.18.25
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.18.24 to 16.18.25.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-05-01 02:03:23 +00:00
dependabot[bot] 5907e06ae4 Bump @typescript-eslint/parser from 5.59.0 to 5.59.1
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.59.0 to 5.59.1.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.59.1/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-05-01 02:01:40 +00:00
Federico Builes 9bc0593cb7 Merge pull request #462 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.59.0
Bump @typescript-eslint/eslint-plugin from 5.57.1 to 5.59.0
2023-04-24 13:32:54 +02:00
dependabot[bot] 7070612acc Bump @typescript-eslint/eslint-plugin from 5.57.1 to 5.59.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.57.1 to 5.59.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.59.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-04-24 11:31:30 +00:00
Federico Builes f6e0fab375 Merge pull request #465 from actions/dependabot/npm_and_yarn/prettier-2.8.8
Bump prettier from 2.8.7 to 2.8.8
2023-04-24 13:31:03 +02:00
Federico Builes 51fa253565 Merge pull request #464 from actions/dependabot/npm_and_yarn/eslint-8.39.0
Bump eslint from 8.38.0 to 8.39.0
2023-04-24 13:30:54 +02:00
Federico Builes 2dffe8e22c Merge pull request #463 from actions/dependabot/npm_and_yarn/types/node-16.18.24
Bump @types/node from 16.18.23 to 16.18.24
2023-04-24 13:30:43 +02:00
Federico Builes e263d60b8b Merge pull request #461 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.59.0
Bump @typescript-eslint/parser from 5.57.1 to 5.59.0
2023-04-24 13:30:07 +02:00
dependabot[bot] bf512683a2 Bump prettier from 2.8.7 to 2.8.8
Bumps [prettier](https://github.com/prettier/prettier) from 2.8.7 to 2.8.8.
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/prettier/compare/2.8.7...2.8.8)

---
updated-dependencies:
- dependency-name: prettier
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-04-24 02:01:16 +00:00
dependabot[bot] 6c9f94c4e5 Bump eslint from 8.38.0 to 8.39.0
Bumps [eslint](https://github.com/eslint/eslint) from 8.38.0 to 8.39.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/eslint/eslint/compare/v8.38.0...v8.39.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-04-24 02:01:05 +00:00
dependabot[bot] 8321ca9367 Bump @types/node from 16.18.23 to 16.18.24
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.18.23 to 16.18.24.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-04-24 02:00:45 +00:00
dependabot[bot] 00ef46c947 Bump @typescript-eslint/parser from 5.57.1 to 5.59.0
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.57.1 to 5.59.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.59.0/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-04-24 01:59:58 +00:00
Federico Builes b206cbf92e Merge pull request #453 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.57.1
Bump @typescript-eslint/eslint-plugin from 5.57.0 to 5.57.1
2023-04-10 07:48:03 +02:00
dependabot[bot] d482d746c3 Bump @typescript-eslint/eslint-plugin from 5.57.0 to 5.57.1
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.57.0 to 5.57.1.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.57.1/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-04-10 05:47:39 +00:00
Federico Builes 041e4f1437 Merge pull request #454 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.57.1
Bump @typescript-eslint/parser from 5.57.0 to 5.57.1
2023-04-10 07:47:09 +02:00
Federico Builes c883e5a202 Merge pull request #455 from actions/dependabot/npm_and_yarn/eslint-8.38.0
Bump eslint from 8.37.0 to 8.38.0
2023-04-10 07:46:57 +02:00
Federico Builes 8938bd9ef0 Merge pull request #451 from actions/fix-external-config
Fix default values for fail-on-severity
2023-04-10 07:41:00 +02:00
dependabot[bot] 35a369d1cd Bump eslint from 8.37.0 to 8.38.0
Bumps [eslint](https://github.com/eslint/eslint) from 8.37.0 to 8.38.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/eslint/eslint/compare/v8.37.0...v8.38.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-04-10 02:03:04 +00:00
dependabot[bot] 0a9f43e15a Bump @typescript-eslint/parser from 5.57.0 to 5.57.1
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.57.0 to 5.57.1.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.57.1/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-04-10 02:02:19 +00:00
Justin Holguín e0ec35dfb0 Merge pull request #439 from actions/juxtin/snapshot-warnings
Show snapshot warnings in the summary
2023-04-06 13:27:46 -07:00
Federico Builes 73625ad716 Merge branch 'allow-list-dependencies' of github.com:theztefan/dependency-review-action into allow-list-dependencies 2023-04-06 22:01:49 +02:00
Stefan Petrushevski 1896d6f936 Clean up; updated docs 2023-04-06 10:49:30 +02:00
Stefan Petrushevski 39dca1ce09 Adjusted output 2023-04-06 10:04:48 +02:00
Stefan Petrushevski d3fdbc93c5 Build and updated README 2023-04-06 09:58:14 +02:00
Stefan Petrushevski 9ad7edb033 switched to purl format 2023-04-06 09:37:42 +02:00
Justin Holguín 76b8e83d1a Use 'Unnamed Manifest' as catchall bucket 2023-03-28 16:06:07 +00:00
Justin Holguín 7e1f7be1f6 Handle dependencies with an empty manifest field
This happens sometimes with snapshots. We just want them to be displayed properly in the HTML output.
2023-03-24 19:07:22 +00:00
Justin Holguín 0c01e947d6 Flesh out the warnings section a tiny bit 2023-03-23 23:26:23 +00:00
Justin Holguín 782549c724 Ignore snapshot_warnings for missing head snapshots 2023-03-23 22:59:07 +00:00
Justin Holguín 419396de41 Show snapshot warnings in the summary 2023-03-22 21:30:12 +00:00
Stefan Petrushevski e17845d155 README changes as per PR comments 2023-03-16 11:23:57 +01:00
Stefan Petrushevski f0bda66bbf updated README 2023-03-08 15:44:01 +01:00
Stefan Petrushevski 1d7d9a2c93 new builds 2023-03-08 15:24:23 +01:00
Stefan Petrushevski d5c2f70a7f no inline config options due to limitations 2023-03-08 15:23:57 +01:00
Stefan Petrushevski f92376010c inline config options 2023-03-08 15:05:16 +01:00
Stefan Petrushevski c2303c3070 builds 2023-03-08 14:30:37 +01:00
Stefan Petrushevski 884b7abd2d updated summary output; create_summary.ts script 2023-03-08 13:02:59 +01:00
Stefan Petrushevski 600458c5dd licenses check exclusion list 2023-03-08 12:38:34 +01:00
18 changed files with 5638 additions and 8767 deletions
+15 -12
View File
@@ -66,19 +66,20 @@ jobs:
Configure this action by either inlining these options in your workflow file, or by using an external configuration file. All configuration options are optional.
| Option | Usage | Possible values | Default value |
| ----------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------- | ------------- |
| `fail-on-severity` | Defines the threshold for the level of severity. The action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher. | `low`, `moderate`, `high`, `critical` | `low` |
| `allow-licenses`* | Contains a list of allowed licenses. The action will fail on pull requests that introduce dependencies with licenses that do not match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `deny-licenses`* | Contains a list of prohibited licenses. The action will fail on pull requests that introduce dependencies with licenses that match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `fail-on-scopes`† | Contains a list of strings of the build environments you want to support. The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list. | `runtime`, `development`, `unknown` | `runtime` |
| `allow-ghsas` | Contains a list of GitHub Advisory Database IDs that can be skipped during detection. | Any GHSAs from the [GitHub Advisory Database](https://github.com/advisories) | none |
| `license-check` | Enable or disable the license check performed by the action. | `true`, `false` | `true` |
| `vulnerability-check` | Enable or disable the vulnerability check performed by the action. | `true`, `false` | `true` |
| `base-ref`/`head-ref` | Provide custom git references for the git base/head when performing the comparison check. This is only used for event types other than `pull_request` and `pull_request_target`. | Any valid git ref(s) in your project | none |
| `comment-summary-in-pr` | Enable or disable reporting the review summary as a comment in the pull request. If enabled, you must give the workflow or job permission `pull-requests: write`. | `true`, `false` | `false` |
| Option | Usage | Possible values | Default value |
| ------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------- | ------------- |
| `fail-on-severity` | Defines the threshold for the level of severity. The action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher. | `low`, `moderate`, `high`, `critical` | `low` |
| `allow-licenses`\* | Contains a list of allowed licenses. The action will fail on pull requests that introduce dependencies with licenses that do not match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `deny-licenses`\* | Contains a list of prohibited licenses. The action will fail on pull requests that introduce dependencies with licenses that match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `fail-on-scopes` | Contains a list of strings of the build environments you want to support. The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list. | `runtime`, `development`, `unknown` | `runtime` |
| `allow-ghsas` | Contains a list of GitHub Advisory Database IDs that can be skipped during detection. | Any GHSAs from the [GitHub Advisory Database](https://github.com/advisories) | none |
| `license-check` | Enable or disable the license check performed by the action. | `true`, `false` | `true` |
| `vulnerability-check` | Enable or disable the vulnerability check performed by the action. | `true`, `false` | `true` |
| `allow-dependencies-licenses`\* | Contains a list of packages that will be excluded from license checks. | Any package(s) in [purl](https://github.com/package-url/purl-spec) format | none |
| `base-ref`/`head-ref` | Provide custom git references for the git base/head when performing the comparison check. This is only used for event types other than `pull_request` and `pull_request_target`. | Any valid git ref(s) in your project | none |
| `comment-summary-in-pr` | Enable or disable reporting the review summary as a comment in the pull request. If enabled, you must give the workflow or job permission `pull-requests: write`. | `true`, `false` | `false` |
*not supported for use with GitHub Enterprise Server
\*not supported for use with GitHub Enterprise Server
†will be supported with GitHub Enterprise Server 3.8
@@ -139,6 +140,8 @@ allow_licenses:
- 'MIT'
```
For more examples of how to use this action and its configuration options, see the [examples](docs/examples.md) page.
### Considerations
- Checking for licenses is not supported on Enterprise Server.
+71
View File
@@ -49,6 +49,32 @@ const rubyChange: Change = {
]
}
const pipChange: Change = {
change_type: 'added',
manifest: 'requirements.txt',
ecosystem: 'pip',
name: 'package-1',
version: '1.1.1',
package_url: 'pkg:pip/package-1@1.1.1',
license: 'MIT',
source_repository_url: 'github.com/some-repo',
scope: 'runtime',
vulnerabilities: [
{
severity: 'moderate',
advisory_ghsa_id: 'second-random_string',
advisory_summary: 'not so dangerous',
advisory_url: 'github.com/future-funk'
},
{
severity: 'low',
advisory_ghsa_id: 'third-random_string',
advisory_summary: 'dont page me',
advisory_url: 'github.com/future-funk'
}
]
}
jest.mock('@actions/core')
const mockOctokit = {
@@ -153,6 +179,51 @@ test('it adds all licenses to unresolved if it is unable to determine the validi
expect(invalidLicenses.unresolved.length).toEqual(2)
})
test('it does not filter out changes that are on the exclusions list', async () => {
const changes: Changes = [pipChange, npmChange, rubyChange]
const licensesConfig = {
allow: ['BSD'],
licenseExclusions: ['pkg:pip/package-1@1.1.1', 'pkg:npm/reeuhq@1.0.2']
}
const invalidLicenses = await getInvalidLicenseChanges(
changes,
licensesConfig
)
expect(invalidLicenses.forbidden.length).toEqual(0)
})
test('it does not fail when the packages dont have a valid PURL', async () => {
const emptyPurlChange = pipChange
emptyPurlChange.package_url = ''
const changes: Changes = [emptyPurlChange, npmChange, rubyChange]
const licensesConfig = {
allow: ['BSD'],
licenseExclusions: ['pkg:pip/package-1@1.1.1', 'pkg:npm/reeuhq@1.0.2']
}
const invalidLicenses = await getInvalidLicenseChanges(
changes,
licensesConfig
)
expect(invalidLicenses.forbidden.length).toEqual(1)
})
test('it does filters out changes if they are not on the exclusions list', async () => {
const changes: Changes = [pipChange, npmChange, rubyChange]
const licensesConfig = {
allow: ['BSD'],
licenseExclusions: ['pkg:pip/notmypackage-1@1.1.1', 'pkg:npm/alsonot@1.0.2']
}
const invalidLicenses = await getInvalidLicenseChanges(
changes,
licensesConfig
)
expect(invalidLicenses.forbidden.length).toEqual(2)
expect(invalidLicenses.forbidden[0]).toBe(pipChange)
expect(invalidLicenses.forbidden[1]).toBe(npmChange)
})
describe('GH License API fallback', () => {
test('it calls licenses endpoint if atleast one of the changes has null license and valid source_repository_url', async () => {
const nullLicenseChange = {
+55
View File
@@ -27,6 +27,45 @@ const defaultConfig: ConfigurationOptions = {
comment_summary_in_pr: true
}
const changesWithEmptyManifests: Changes = [
{
change_type: 'added',
manifest: '',
ecosystem: 'unknown',
name: 'castore',
version: '0.1.17',
package_url: 'pkg:hex/castore@0.1.17',
license: null,
source_repository_url: null,
scope: 'runtime',
vulnerabilities: []
},
{
change_type: 'added',
manifest: '',
ecosystem: 'unknown',
name: 'connection',
version: '1.1.0',
package_url: 'pkg:hex/connection@1.1.0',
license: null,
source_repository_url: null,
scope: 'runtime',
vulnerabilities: []
},
{
change_type: 'added',
manifest: 'python/dist-info/METADATA',
ecosystem: 'pip',
name: 'pygments',
version: '2.6.1',
package_url: 'pkg:pypi/pygments@2.6.1',
license: 'BSD-2-Clause',
source_repository_url: 'https://github.com/pygments/pygments',
scope: 'runtime',
vulnerabilities: []
}
]
test('prints headline as h1', () => {
summary.addSummaryToSummary(
emptyChanges,
@@ -65,6 +104,22 @@ test('only includes "No license issues found"-message if "vulnerability_check" i
expect(text).toContain('✅ No license issues found.')
})
test('groups dependencies with empty manifest paths together', () => {
summary.addSummaryToSummary(
changesWithEmptyManifests,
emptyInvalidLicenseChanges,
defaultConfig
)
summary.addScannedDependencies(changesWithEmptyManifests)
const text = core.summary.stringify()
expect(text).toContain('<summary>Unnamed Manifest</summary>')
expect(text).toContain('castore')
expect(text).toContain('connection')
expect(text).toContain('<summary>python/dist-info/METADATA</summary>')
expect(text).toContain('pygments')
})
test('does not include status section if nothing was found', () => {
summary.addSummaryToSummary(
emptyChanges,
+3
View File
@@ -29,6 +29,9 @@ inputs:
deny-licenses:
description: Comma-separated list of forbidden licenses (e.g. "MIT, GPL 3.0, BSD 2 Clause")
required: false
allow-dependencies-licenses:
description: Comma-separated list of dependencies in purl format (e.g. "pkg:npm/express, pkg:pip/pycrypto"). These dependencies will be permitted to use any license, no matter what license policy is enforced otherwise.
required: false
allow-ghsas:
description: Comma-separated list of allowed GitHub Advisory IDs (e.g. "GHSA-abcd-1234-5679, GHSA-efgh-1234-5679")
required: false
Generated Vendored
+4712 -1849
View File
File diff suppressed because one or more lines are too long
Generated Vendored
+1 -1
View File
File diff suppressed because one or more lines are too long
Generated Vendored
+22
View File
@@ -1340,6 +1340,28 @@ ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
packageurl-js
MIT
Copyright (c) the purl authors
Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
the Software, and to permit persons to whom the Software is furnished to do so,
subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
safe-buffer
MIT
The MIT License (MIT)
+232
View File
@@ -0,0 +1,232 @@
# Examples on how to use the Dependancy Review Action
## Basic Usage
A very basic example of how to use the action. This will run the action with the default configuration.
The full list of configuration options can be found [here](../README.md#configuration-options).
```yaml
name: 'Dependency Review'
on: [pull_request]
permissions:
contents: read
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
```
## Using an inline configuration
The following example will fail the action if any vulnerabilities are found with a severity of medium or higher; and if any packages are found with an incompatible license - in this case, the LGPL-2.0 and BSD-2-Clause licenses.
```yaml
name: 'Dependency Review'
on: [pull_request]
permissions:
contents: read
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
with:
fail-on-severity: critical
deny-licenses: LGPL-2.0, BSD-2-Clause
```
## Using a configuration file
The following example will use a configuration file to configure the action. This is useful if you want to keep your configuration in a single place and makes it easier to manage as the configuration grows.
The configuration file can be located in the same repository or in a separate repository. Having it in a separate repository might be useful if you plan to use the same configuration across multiple repositories and control it centrally.
In this example, the configuration file is located in the same repository under `.github/dependency-review-config.yml`. The following configuration will fail the action if any vulnerabilities are found with a severity of critical; and if any packages are found with an incompatible license - in this case, the LGPL-2.0 and BSD-2-Clause licenses.
```yaml
fail_on_severity: 'critical'
allow_licenses:
- 'LGPL-2.0'
- 'BSD-2-Clause'
```
The Dependancy Review Action workflow file will then look like this:
```yaml
name: 'Dependency Review'
on: [pull_request]
permissions:
contents: read
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
with:
config-file: './.github/dependency-review-config.yml'
```
## Using a configuration file from a external repository
The following example will use a configuration file from an external public GitHub repository to configure the action.
Let's say that the configuration file is located in `github/octorepo/dependency-review-config.yml@main`
The Dependancy Review Action workflow file will then look like this:
```yaml
name: 'Dependency Review'
on: [pull_request]
permissions:
contents: read
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
with:
config-file: 'github/octorepo/dependency-review-config.yml@main'
```
## Using a configuration file from a external repository with a personal access token
The following example will use a configuration file from an external private GtiHub repository to configure the action.
Let's say that the configuration file is located in `github/octorepo-private/dependency-review-config.yml@main`
The Dependancy Review Action workflow file will then look like this:
```yaml
name: 'Dependency Review'
on: [pull_request]
permissions:
contents: read
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
with:
config-file: 'github/octorepo-private/dependency-review-config.yml@main'
config-file-token: ${{ secrets.GITHUB_TOKEN }} # or a personal access token
```
## Getting the results of the action in the PR as a comment
Using the `comment-summary-in-pr` you can get the results of the action in the PR as a comment. In order for this to work, the action needs to be able to create a comment in the PR. This requires additional `pull-requests: write` permission.
```yaml
name: 'Dependency Review'
on: [pull_request]
permissions:
contents: read
pull-requests: write
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
with:
fail-on-severity: critical
deny-licenses: LGPL-2.0, BSD-2-Clause
comment-summary-in-pr: true
```
## Exclude dependencies from the license check
Using the `allow-dependencies-licenses` you can exclude dependencies from the license check. The values should be provided in [purl](https://github.com/package-url/purl-spec) format.
In this example, we are excluding `lodash` from `npm` and `requests` from `pip` dependencies from the license check
```yaml
name: 'Dependency Review'
on: [pull_request]
permissions:
contents: read
pull-requests: write
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
with:
fail-on-severity: critical
deny-licenses: LGPL-2.0, BSD-2-Clause
comment-summary-in-pr: true
allow-dependencies-licenses: 'pkg:npm/loadash, pkg:pip/requests'
```
If we were to use configuration file, the configuration would look like this:
```yaml
fail-on-severity: 'critical'
allow-licenses:
- 'LGPL-2.0'
- 'BSD-2-Clause'
allow-dependencies-licenses:
- 'pkg:npm/loadash'
- 'pkg:pip/requests'
```
## Only check for vulnerabilities
To only do the vulnerability check you can use the `license-check` to disable the license compatibility check (which is done by default).
```yaml
name: 'Dependency Review'
on: [pull_request]
permissions:
contents: read
pull-requests: write
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
with:
fail-on-severity: critical
comment-summary-in-pr: true
license-check: false
```
+378 -6888
View File
File diff suppressed because it is too large Load Diff
+9 -8
View File
@@ -1,6 +1,6 @@
{
"name": "dependency-review-action",
"version": "3.0.4",
"version": "3.0.6",
"private": true,
"description": "A GitHub Action for Dependency Review",
"main": "lib/main.js",
@@ -32,30 +32,31 @@
"ansi-styles": "^6.2.1",
"got": "^12.6.0",
"nodemon": "^2.0.22",
"octokit": "^2.0.14",
"octokit": "^2.0.16",
"packageurl-js": "^1.0.2",
"spdx-expression-parse": "^3.0.1",
"spdx-satisfies": "^5.0.1",
"yaml": "^2.2.1",
"yaml": "^2.3.1",
"zod": "^3.21.4"
},
"devDependencies": {
"@types/jest": "^27.5.2",
"@types/node": "^16.18.23",
"@types/node": "^16.18.34",
"@typescript-eslint/eslint-plugin": "^5.48.1",
"@typescript-eslint/parser": "^5.48.0",
"@types/spdx-expression-parse": "^3.0.2",
"@types/spdx-satisfies": "^0.1.0",
"@typescript-eslint/eslint-plugin": "^5.57.0",
"@typescript-eslint/parser": "^5.57.0",
"@typescript-eslint/eslint-plugin": "^5.59.8",
"@typescript-eslint/parser": "^5.59.8",
"@vercel/ncc": "^0.36.1",
"esbuild-register": "^3.4.2",
"eslint": "^8.37.0",
"eslint": "^8.41.0",
"eslint-plugin-github": "^4.7.0",
"eslint-plugin-jest": "^27.2.1",
"jest": "^27.5.1",
"js-yaml": "^4.1.0",
"nodemon": "^2.0.22",
"prettier": "2.8.7",
"prettier": "2.8.8",
"ts-jest": "^27.1.4",
"typescript": "^4.9.5"
}
+6
View File
@@ -22,6 +22,12 @@ const defaultConfig: ConfigurationOptions = {
allow_ghsas: [],
allow_licenses: ['MIT'],
deny_licenses: [],
allow_dependencies_licenses: [
'pkg:npm/express@4.17.1',
'pkg:pip/requests',
'pkg:pip/certifi',
'pkg:pip/pycrypto@2.6.1'
],
comment_summary_in_pr: true
}
+29 -1
View File
@@ -5,6 +5,7 @@ import * as core from '@actions/core'
import * as z from 'zod'
import {ConfigurationOptions, ConfigurationOptionsSchema} from './schemas'
import {isSPDXValid, octokitClient} from './utils'
import {PackageURL} from 'packageurl-js'
type ConfigurationOptionsPartial = Partial<ConfigurationOptions>
@@ -29,6 +30,9 @@ function readInlineConfig(): ConfigurationOptionsPartial {
const fail_on_scopes = parseList(getOptionalInput('fail-on-scopes'))
const allow_licenses = parseList(getOptionalInput('allow-licenses'))
const deny_licenses = parseList(getOptionalInput('deny-licenses'))
const allow_dependencies_licenses = parseList(
getOptionalInput('allow-dependencies-licenses')
)
const allow_ghsas = parseList(getOptionalInput('allow-ghsas'))
const license_check = getOptionalBoolean('license-check')
const vulnerability_check = getOptionalBoolean('vulnerability-check')
@@ -36,6 +40,7 @@ function readInlineConfig(): ConfigurationOptionsPartial {
const head_ref = getOptionalInput('head-ref')
const comment_summary_in_pr = getOptionalBoolean('comment-summary-in-pr')
validatePURL(allow_dependencies_licenses)
validateLicenses('allow-licenses', allow_licenses)
validateLicenses('deny-licenses', deny_licenses)
@@ -44,6 +49,7 @@ function readInlineConfig(): ConfigurationOptionsPartial {
fail_on_scopes,
allow_licenses,
deny_licenses,
allow_dependencies_licenses,
allow_ghsas,
license_check,
vulnerability_check,
@@ -130,7 +136,8 @@ function parseConfigFile(configData: string): ConfigurationOptionsPartial {
'allow-licenses',
'deny-licenses',
'fail-on-scopes',
'allow-ghsas'
'allow-ghsas',
'allow-dependencies-licenses'
]
for (const key of Object.keys(data)) {
@@ -149,6 +156,11 @@ function parseConfigFile(configData: string): ConfigurationOptionsPartial {
validateLicenses(key, data[key])
}
// validate purls from the allow-dependencies-licenses
if (key === 'allow-dependencies-licenses') {
validatePURL(data[key])
}
// get rid of the ugly dashes from the actions conventions
if (key.includes('-')) {
data[key.replace(/-/g, '_')] = data[key]
@@ -187,3 +199,19 @@ async function getRemoteConfig(configOpts: {
throw new Error('Error fetching remote config file')
}
}
function validatePURL(allow_dependencies_licenses: string[] | undefined): void {
//validate that the provided elements of the string are in valid purl format
if (allow_dependencies_licenses === undefined) {
return
}
const invalid_purls = allow_dependencies_licenses.filter(
purl => !PackageURL.fromString(purl)
)
if (invalid_purls.length > 0) {
throw new Error(
`Invalid purl(s) in allow-dependencies-licenses: ${invalid_purls}`
)
}
return
}
+26 -4
View File
@@ -1,9 +1,14 @@
import * as core from '@actions/core'
import * as githubUtils from '@actions/github/lib/utils'
import * as retry from '@octokit/plugin-retry'
import {Changes, ChangesSchema} from './schemas'
import {
ChangesSchema,
ComparisonResponse,
ComparisonResponseSchema
} from './schemas'
const retryingOctokit = githubUtils.GitHub.plugin(retry.retry)
const SnapshotWarningsHeader = 'x-github-dependency-graph-snapshot-warnings'
const octo = new retryingOctokit(
githubUtils.getOctokitOptions(core.getInput('repo-token', {required: true}))
)
@@ -18,14 +23,31 @@ export async function compare({
repo: string
baseRef: string
headRef: string
}): Promise<Changes> {
}): Promise<ComparisonResponse> {
let snapshot_warnings = ''
const changes = await octo.paginate(
'GET /repos/{owner}/{repo}/dependency-graph/compare/{basehead}',
{
method: 'GET',
url: '/repos/{owner}/{repo}/dependency-graph/compare/{basehead}',
owner,
repo,
basehead: `${baseRef}...${headRef}`
},
response => {
if (
response.headers[SnapshotWarningsHeader] &&
typeof response.headers[SnapshotWarningsHeader] === 'string'
) {
snapshot_warnings = Buffer.from(
response.headers[SnapshotWarningsHeader],
'base64'
).toString('utf-8')
}
return ChangesSchema.parse(response.data)
}
)
return ChangesSchema.parse(changes)
return ComparisonResponseSchema.parse({
changes,
snapshot_warnings
})
}
+36 -1
View File
@@ -1,17 +1,19 @@
import spdxSatisfies from 'spdx-satisfies'
import {Change, Changes} from './schemas'
import {isSPDXValid, octokitClient} from './utils'
import {PackageURL} from 'packageurl-js'
/**
* Loops through a list of changes, filtering and returning the
* ones that don't conform to the licenses allow/deny lists.
* It will also filter out the changes which are defined in the licenseExclusions list.
*
* Keep in mind that we don't let users specify both an allow and a deny
* list in their config files, so this code works under the assumption that
* one of the two list parameters will be empty. If both lists are provided,
* we will ignore the deny list.
* @param {Change[]} changes The list of changes to filter.
* @param { { allow?: string[], deny?: string[]}} licenses An object with `allow`/`deny` keys, each containing a list of licenses.
* @param { { allow?: string[], deny?: string[], licenseExclusions?: string[]}} licenses An object with `allow`/`deny`/`licenseExclusions` keys, each containing a list of licenses.
* @returns {Promise<{Object.<string, Array.<Change>>}} A promise to a Record Object. The keys are strings, unlicensed, unresolved and forbidden. The values are a list of changes
*/
export type InvalidLicenseChangeTypes =
@@ -24,11 +26,44 @@ export async function getInvalidLicenseChanges(
licenses: {
allow?: string[]
deny?: string[]
licenseExclusions?: string[]
}
): Promise<InvalidLicenseChanges> {
const {allow, deny} = licenses
const licenseExclusions = licenses.licenseExclusions?.map(
(pkgUrl: string) => {
return PackageURL.fromString(pkgUrl)
}
)
const groupedChanges = await groupChanges(changes)
// Takes the changes from the groupedChanges object and filters out the ones that are part of the exclusions list
// It does by creating a new PackageURL object from the change and comparing it to the exclusions list
groupedChanges.licensed = groupedChanges.licensed.filter(change => {
if (change.package_url.length === 0) {
return true
}
const changeAsPackageURL = PackageURL.fromString(change.package_url)
// We want to find if the licenseExclussion list contains the PackageURL of the Change
// If it does, we want to filter it out and therefore return false
// If it doesn't, we want to keep it and therefore return true
if (
licenseExclusions !== null &&
licenseExclusions !== undefined &&
licenseExclusions.findIndex(
exclusion =>
exclusion.type === changeAsPackageURL.type &&
exclusion.name === changeAsPackageURL.name
) !== -1
) {
return false
} else {
return true
}
})
const licensedChanges: Changes = groupedChanges.licensed
const invalidLicenseChanges: InvalidLicenseChanges = {
+10 -2
View File
@@ -20,14 +20,17 @@ import {commentPr} from './comment-pr'
async function run(): Promise<void> {
try {
const config = await readConfig()
const refs = getRefs(config, github.context)
const changes = await dependencyGraph.compare({
const comparison = await dependencyGraph.compare({
owner: github.context.repo.owner,
repo: github.context.repo.repo,
baseRef: refs.base,
headRef: refs.head
})
const changes = comparison.changes
const snapshot_warnings = comparison.snapshot_warnings
if (!changes) {
core.info('No Dependency Changes found. Skipping Dependency Review.')
@@ -55,7 +58,8 @@ async function run(): Promise<void> {
filteredChanges,
{
allow: config.allow_licenses,
deny: config.deny_licenses
deny: config.deny_licenses,
licenseExclusions: config.allow_dependencies_licenses
}
)
@@ -65,6 +69,10 @@ async function run(): Promise<void> {
config
)
if (snapshot_warnings) {
summary.addSnapshotWarnings(snapshot_warnings)
}
if (config.vulnerability_check) {
summary.addChangeVulnerabilitiesToSummary(vulnerableChanges, minSeverity)
printVulnerabilitiesBlock(vulnerableChanges, minSeverity)
+6
View File
@@ -40,6 +40,7 @@ export const ConfigurationOptionsSchema = z
fail_on_scopes: z.array(z.enum(SCOPES)).default(['runtime']),
allow_licenses: z.array(z.string()).optional(),
deny_licenses: z.array(z.string()).optional(),
allow_dependencies_licenses: z.array(z.string()).optional(),
allow_ghsas: z.array(z.string()).default([]),
license_check: z.boolean().default(true),
vulnerability_check: z.boolean().default(true),
@@ -73,9 +74,14 @@ export const ConfigurationOptionsSchema = z
})
export const ChangesSchema = z.array(ChangeSchema)
export const ComparisonResponseSchema = z.object({
changes: z.array(ChangeSchema),
snapshot_warnings: z.string()
})
export type Change = z.infer<typeof ChangeSchema>
export type Changes = z.infer<typeof ChangesSchema>
export type ComparisonResponse = z.infer<typeof ComparisonResponseSchema>
export type ConfigurationOptions = z.infer<typeof ConfigurationOptionsSchema>
export type Severity = z.infer<typeof SeveritySchema>
export type Scope = (typeof SCOPES)[number]
+24
View File
@@ -143,6 +143,13 @@ export function addLicensesToSummary(
`<strong>Denied Licenses</strong>: ${config.deny_licenses.join(', ')}`
)
}
if (config.allow_dependencies_licenses) {
core.summary.addQuote(
`<strong>Excluded from license check</strong>: ${config.allow_dependencies_licenses.join(
', '
)}`
)
}
core.debug(
`found ${invalidLicenseChanges.unlicensed.length} unknown licenses`
@@ -215,6 +222,23 @@ export function addScannedDependencies(changes: Changes): void {
}
}
export function addSnapshotWarnings(warnings: string): void {
// For now, we want to ignore warnings that just complain
// about missing snapshots on the head SHA. This is a product
// decision to avoid presenting warnings to users who simply
// don't use snapshots.
const ignore_regex = new RegExp(/No.*snapshot.*found.*head.*/, 'i')
if (ignore_regex.test(warnings)) {
return
}
core.summary.addHeading('Snapshot Warnings', 2)
core.summary.addQuote(`${icons.warning}: ${warnings}`)
core.summary.addRaw(
'Re-running this action after a short time may resolve the issue. See the documentation for more information and troubleshooting advice.'
)
}
function countLicenseIssues(
invalidLicenseChanges: InvalidLicenseChanges
): number {
+3 -1
View File
@@ -8,7 +8,9 @@ export function groupDependenciesByManifest(
): Map<string, Changes> {
const dependencies: Map<string, Changes> = new Map()
for (const change of changes) {
const manifestName = change.manifest
// If the manifest is null or empty, give it a name now to avoid
// breaking the HTML rendering later
const manifestName = change.manifest || 'Unnamed Manifest'
if (dependencies.get(manifestName) === undefined) {
dependencies.set(manifestName, [])