Compare commits

...

39 Commits

Author SHA1 Message Date
Henri Maurer 9e77cc7329 npm run package 2024-01-04 10:49:05 +00:00
Henri Maurer b383a9aa6e Smaller per_page when requesting diff 2024-01-04 10:17:51 +00:00
Federico Builes 8a49820431 Merge pull request #646 from actions/dependabot/npm_and_yarn/prettier-3.1.1
Bump prettier from 3.1.0 to 3.1.1
2024-01-01 08:02:27 -05:00
Federico Builes a10a70d24c Merge pull request #645 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-6.16.0
Bump @typescript-eslint/parser from 6.13.1 to 6.16.0
2024-01-01 08:02:14 -05:00
dependabot[bot] 0de163860f Bump prettier from 3.1.0 to 3.1.1
Bumps [prettier](https://github.com/prettier/prettier) from 3.1.0 to 3.1.1.
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/prettier/compare/3.1.0...3.1.1)

---
updated-dependencies:
- dependency-name: prettier
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-01 01:27:06 +00:00
dependabot[bot] 522f0218d0 Bump @typescript-eslint/parser from 6.13.1 to 6.16.0
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 6.13.1 to 6.16.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.16.0/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-01 01:26:56 +00:00
Federico Builes 2597ca4eee Merge pull request #640 from actions/dependabot/npm_and_yarn/eslint-8.56.0
Bump eslint from 8.53.0 to 8.56.0
2023-12-28 12:27:10 -05:00
dependabot[bot] e5c6735807 Bump eslint from 8.53.0 to 8.56.0
Bumps [eslint](https://github.com/eslint/eslint) from 8.53.0 to 8.56.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/eslint/eslint/compare/v8.53.0...v8.56.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-12-28 15:37:40 +00:00
Federico Builes 94f992f10e Merge pull request #644 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-6.15.0
Bump @typescript-eslint/eslint-plugin from 6.12.0 to 6.15.0
2023-12-28 10:36:29 -05:00
dependabot[bot] c45cbd720f Bump @typescript-eslint/eslint-plugin from 6.12.0 to 6.15.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 6.12.0 to 6.15.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.15.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-12-25 01:37:54 +00:00
Federico Builes 2425542aca Merge pull request #638 from actions/fix-purls
Replace pip -> pypi in PURL examples
2023-12-11 17:25:43 +01:00
Federico Builes b39e17ba5e Replace pip -> pypi in PURL examples 2023-12-11 17:23:19 +01:00
Federico Builes b8a398b675 Merge pull request #636 from actions/dependabot/npm_and_yarn/nodemon-3.0.2
Bump nodemon from 3.0.1 to 3.0.2
2023-12-11 06:04:47 +01:00
Federico Builes 1612de9646 Merge pull request #637 from actions/dependabot/npm_and_yarn/types/jest-29.5.11
Bump @types/jest from 29.5.8 to 29.5.11
2023-12-11 06:04:33 +01:00
dependabot[bot] 53de591348 Bump @types/jest from 29.5.8 to 29.5.11
Bumps [@types/jest](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/jest) from 29.5.8 to 29.5.11.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/jest)

---
updated-dependencies:
- dependency-name: "@types/jest"
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-12-11 01:51:35 +00:00
dependabot[bot] 288d543806 Bump nodemon from 3.0.1 to 3.0.2
Bumps [nodemon](https://github.com/remy/nodemon) from 3.0.1 to 3.0.2.
- [Release notes](https://github.com/remy/nodemon/releases)
- [Commits](https://github.com/remy/nodemon/compare/v3.0.1...v3.0.2)

---
updated-dependencies:
- dependency-name: nodemon
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-12-11 01:51:24 +00:00
Federico Builes 359e1ffa80 Merge pull request #629 from actions/dependabot/npm_and_yarn/prettier-3.1.0
Bump prettier from 3.0.3 to 3.1.0
2023-12-04 08:58:13 +01:00
Federico Builes 63e1558807 Merge pull request #630 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-6.13.1
Bump @typescript-eslint/parser from 6.10.0 to 6.13.1
2023-12-04 08:57:52 +01:00
dependabot[bot] 069cbabe02 Bump @typescript-eslint/parser from 6.10.0 to 6.13.1
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 6.10.0 to 6.13.1.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.13.1/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-12-04 01:25:07 +00:00
dependabot[bot] 2e3c709016 Bump prettier from 3.0.3 to 3.1.0
Bumps [prettier](https://github.com/prettier/prettier) from 3.0.3 to 3.1.0.
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/prettier/compare/3.0.3...3.1.0)

---
updated-dependencies:
- dependency-name: prettier
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-12-04 01:24:49 +00:00
Federico Builes 01bc87099b bumping version 2023-11-28 08:11:14 +01:00
Federico Builes 4b4f0de8e1 Merge pull request #623 from actions/fix-advisory-filters
Fix GHSA Filtering
2023-11-28 08:10:11 +01:00
Federico Builes a93fa86c77 Fixing test name. 2023-11-28 08:08:29 +01:00
Federico Builes 550520e2c5 Merge pull request #624 from actions/dependabot/npm_and_yarn/typescript-5.3.2
Bump typescript from 5.2.2 to 5.3.2
2023-11-27 07:22:56 +01:00
Federico Builes 2d0fb60634 Merge pull request #625 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-6.12.0
Bump @typescript-eslint/eslint-plugin from 6.11.0 to 6.12.0
2023-11-27 07:22:47 +01:00
dependabot[bot] c07c2375ed Bump @typescript-eslint/eslint-plugin from 6.11.0 to 6.12.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 6.11.0 to 6.12.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.12.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-11-27 01:17:05 +00:00
dependabot[bot] 4d842d754e Bump typescript from 5.2.2 to 5.3.2
Bumps [typescript](https://github.com/Microsoft/TypeScript) from 5.2.2 to 5.3.2.
- [Release notes](https://github.com/Microsoft/TypeScript/releases)
- [Commits](https://github.com/Microsoft/TypeScript/compare/v5.2.2...v5.3.2)

---
updated-dependencies:
- dependency-name: typescript
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-11-27 01:16:38 +00:00
Federico Builes a6d4686316 adding dist 2023-11-24 14:40:48 +01:00
Federico Builes 4366dbae42 Advisory filters should not drop entire dependencies. 2023-11-24 14:40:18 +01:00
Federico Builes 50dafeb5e4 Tiny logic refactor. 2023-11-24 14:37:30 +01:00
Federico Builes 1cbb048907 Merge pull request #620 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-6.11.0
Bump @typescript-eslint/eslint-plugin from 6.10.0 to 6.11.0
2023-11-20 08:33:40 +01:00
dependabot[bot] ee69e92054 Bump @typescript-eslint/eslint-plugin from 6.10.0 to 6.11.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 6.10.0 to 6.11.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.11.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-11-20 07:29:18 +00:00
Federico Builes 5991d7a97d Merge pull request #619 from actions/dependabot/npm_and_yarn/types/node-16.18.62
Bump @types/node from 16.18.61 to 16.18.62
2023-11-20 08:27:56 +01:00
dependabot[bot] c409735e58 Bump @types/node from 16.18.61 to 16.18.62
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.18.61 to 16.18.62.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-11-20 01:46:41 +00:00
Federico Builes 7bbfa034e7 bumping to 3.1.3 2023-11-13 17:57:44 +01:00
Federico Builes 26f1ad9120 Merge pull request #617 from theztefan/purl-encoding-error
Fixes purl "version must be percent-encoded"
2023-11-13 17:55:23 +01:00
Stefan Petrushevski 152d8e2def Prettier 2023-11-13 17:45:48 +01:00
Stefan Petrushevski b99756ecd3 encode string for pUrl 2023-11-13 17:19:24 +01:00
Federico Builes fde92acd08 Merge pull request #611 from actions/fix-https-proxy
Fix proxy failures in 3.1.1
2023-11-08 09:14:57 +01:00
14 changed files with 487 additions and 184 deletions
+1 -1
View File
@@ -55,7 +55,7 @@ const pipChange: Change = {
ecosystem: 'pip', ecosystem: 'pip',
name: 'package-1', name: 'package-1',
version: '1.1.1', version: '1.1.1',
package_url: 'pkg:pip/package-1@1.1.1', package_url: 'pkg:pypi/package-1@1.1.1',
license: 'MIT', license: 'MIT',
source_repository_url: 'github.com/some-repo', source_repository_url: 'github.com/some-repo',
scope: 'runtime', scope: 'runtime',
+118 -24
View File
@@ -19,7 +19,7 @@ const npmChange: Change = {
vulnerabilities: [ vulnerabilities: [
{ {
severity: 'critical', severity: 'critical',
advisory_ghsa_id: 'first-random_string', advisory_ghsa_id: 'vulnerable-ghsa-id',
advisory_summary: 'very dangerous', advisory_summary: 'very dangerous',
advisory_url: 'github.com/future-funk' advisory_url: 'github.com/future-funk'
} }
@@ -39,13 +39,13 @@ const rubyChange: Change = {
vulnerabilities: [ vulnerabilities: [
{ {
severity: 'moderate', severity: 'moderate',
advisory_ghsa_id: 'second-random_string', advisory_ghsa_id: 'moderate-ghsa-id',
advisory_summary: 'not so dangerous', advisory_summary: 'not so dangerous',
advisory_url: 'github.com/future-funk' advisory_url: 'github.com/future-funk'
}, },
{ {
severity: 'low', severity: 'low',
advisory_ghsa_id: 'third-random_string', advisory_ghsa_id: 'low-ghsa-id',
advisory_summary: 'dont page me', advisory_summary: 'dont page me',
advisory_url: 'github.com/future-funk' advisory_url: 'github.com/future-funk'
} }
@@ -65,6 +65,64 @@ const noVulnNpmChange: Change = {
vulnerabilities: [] vulnerabilities: []
} }
const lodashChange: Change = {
change_type: 'added',
manifest: 'package.json',
ecosystem: 'npm',
name: 'lodash',
version: '4.17.0',
package_url: 'pkg:npm/lodash@4.17.0',
license: 'MIT',
source_repository_url: 'https://github.com/lodash/lodash',
scope: 'runtime',
vulnerabilities: [
{
severity: 'critical',
advisory_ghsa_id: 'GHSA-jf85-cpcp-j695',
advisory_summary: 'Prototype Pollution in lodash',
advisory_url: 'https://github.com/advisories/GHSA-jf85-cpcp-j695'
},
{
severity: 'high',
advisory_ghsa_id: 'GHSA-4xc9-xhrj-v574',
advisory_summary: 'Prototype Pollution in lodash',
advisory_url: 'https://github.com/advisories/GHSA-4xc9-xhrj-v574'
},
{
severity: 'high',
advisory_ghsa_id: 'GHSA-35jh-r3h4-6jhm',
advisory_summary: 'Command Injection in lodash',
advisory_url: 'https://github.com/advisories/GHSA-35jh-r3h4-6jhm'
},
{
severity: 'high',
advisory_ghsa_id: 'GHSA-p6mc-m468-83gw',
advisory_summary: 'Prototype Pollution in lodash',
advisory_url: 'https://github.com/advisories/GHSA-p6mc-m468-83gw'
},
{
severity: 'moderate',
advisory_ghsa_id: 'GHSA-x5rq-j2xg-h7qm',
advisory_summary:
'Regular Expression Denial of Service (ReDoS) in lodash',
advisory_url: 'https://github.com/advisories/GHSA-x5rq-j2xg-h7qm'
},
{
severity: 'moderate',
advisory_ghsa_id: 'GHSA-29mw-wpgm-hmr9',
advisory_summary:
'Regular Expression Denial of Service (ReDoS) in lodash',
advisory_url: 'https://github.com/advisories/GHSA-29mw-wpgm-hmr9'
},
{
severity: 'low',
advisory_ghsa_id: 'GHSA-fvqr-27wr-82fm',
advisory_summary: 'Prototype Pollution in lodash',
advisory_url: 'https://github.com/advisories/GHSA-fvqr-27wr-82fm'
}
]
}
test('it properly filters changes by severity', async () => { test('it properly filters changes by severity', async () => {
const changes = [npmChange, rubyChange] const changes = [npmChange, rubyChange]
let result = filterChangesBySeverity('high', changes) let result = filterChangesBySeverity('high', changes)
@@ -99,25 +157,61 @@ test('it properly handles undefined advisory IDs', async () => {
test('it properly filters changes with allowed vulnerabilities', async () => { test('it properly filters changes with allowed vulnerabilities', async () => {
const changes = [npmChange, rubyChange, noVulnNpmChange] const changes = [npmChange, rubyChange, noVulnNpmChange]
let result = filterAllowedAdvisories(['notrealGHSAID'], changes) const fakeGHSAChanges = filterAllowedAdvisories(['notrealGHSAID'], changes)
expect(result).toEqual([npmChange, rubyChange, noVulnNpmChange]) expect(fakeGHSAChanges).toEqual([npmChange, rubyChange, noVulnNpmChange])
})
result = filterAllowedAdvisories(['first-random_string'], changes)
expect(result).toEqual([rubyChange, noVulnNpmChange]) test('it properly filters only allowed vulnerabilities', async () => {
const changes = [npmChange, rubyChange, noVulnNpmChange]
result = filterAllowedAdvisories( const oldVulns = [
['second-random_string', 'third-random_string'], ...npmChange.vulnerabilities,
changes ...rubyChange.vulnerabilities,
) ...noVulnNpmChange.vulnerabilities
expect(result).toEqual([npmChange, noVulnNpmChange]) ]
result = filterAllowedAdvisories( const vulnerable = filterAllowedAdvisories(['vulnerable-ghsa-id'], changes)
['first-random_string', 'second-random_string', 'third-random_string'],
changes const newVulns = vulnerable.map(change => change.vulnerabilities).flat()
)
expect(result).toEqual([noVulnNpmChange]) expect(newVulns.length).toEqual(oldVulns.length - 1)
expect(newVulns).not.toContainEqual(
// if we have a change with multiple vulnerabilities but only one is allowed, we still should not filter out that change expect.objectContaining({advisory_ghsa_id: 'vulnerable-ghsa-id'})
result = filterAllowedAdvisories(['second-random_string'], changes) )
expect(result).toEqual([npmChange, rubyChange, noVulnNpmChange]) })
test('does not drop dependencies when filtering by GHSA', async () => {
const changes = [npmChange, rubyChange, noVulnNpmChange]
const result = filterAllowedAdvisories(
['moderate-ghsa-id', 'low-ghsa-id', 'GHSA-jf85-cpcp-j695'],
changes
)
expect(result.map(change => change.name)).toEqual(
changes.map(change => change.name)
)
})
test('it properly filters multiple GHSAs', async () => {
const allowedGHSAs = ['vulnerable-ghsa-id', 'moderate-ghsa-id', 'low-ghsa-id']
const changes = [npmChange, rubyChange, noVulnNpmChange]
const oldVulns = changes.map(change => change.vulnerabilities).flat()
const result = filterAllowedAdvisories(allowedGHSAs, changes)
const newVulns = result.map(change => change.vulnerabilities).flat()
expect(newVulns.length).toEqual(oldVulns.length - 3)
})
test('it filters out GHSA dependencies', async () => {
const lodash = filterAllowedAdvisories(
['GHSA-jf85-cpcp-j695'],
[lodashChange]
)[0]
// the filter should have removed a single GHSA from the list
const expected = lodashChange.vulnerabilities.filter(
vuln => vuln.advisory_ghsa_id !== 'GHSA-jf85-cpcp-j695'
)
expect(expected.length).toEqual(lodashChange.vulnerabilities.length - 1)
expect(lodash.vulnerabilities).toEqual(expected)
}) })
+7 -4
View File
@@ -55,7 +55,7 @@ const pipChange: Change = {
ecosystem: 'pip', ecosystem: 'pip',
name: 'package-1', name: 'package-1',
version: '1.1.1', version: '1.1.1',
package_url: 'pkg:pip/package-1@1.1.1', package_url: 'pkg:pypi/package-1@1.1.1',
license: 'MIT', license: 'MIT',
source_repository_url: 'github.com/some-repo', source_repository_url: 'github.com/some-repo',
scope: 'runtime', scope: 'runtime',
@@ -183,7 +183,7 @@ test('it does not filter out changes that are on the exclusions list', async ()
const changes: Changes = [pipChange, npmChange, rubyChange] const changes: Changes = [pipChange, npmChange, rubyChange]
const licensesConfig = { const licensesConfig = {
allow: ['BSD'], allow: ['BSD'],
licenseExclusions: ['pkg:pip/package-1@1.1.1', 'pkg:npm/reeuhq@1.0.2'] licenseExclusions: ['pkg:pypi/package-1@1.1.1', 'pkg:npm/reeuhq@1.0.2']
} }
const invalidLicenses = await getInvalidLicenseChanges( const invalidLicenses = await getInvalidLicenseChanges(
changes, changes,
@@ -199,7 +199,7 @@ test('it does not fail when the packages dont have a valid PURL', async () => {
const changes: Changes = [emptyPurlChange, npmChange, rubyChange] const changes: Changes = [emptyPurlChange, npmChange, rubyChange]
const licensesConfig = { const licensesConfig = {
allow: ['BSD'], allow: ['BSD'],
licenseExclusions: ['pkg:pip/package-1@1.1.1', 'pkg:npm/reeuhq@1.0.2'] licenseExclusions: ['pkg:pypi/package-1@1.1.1', 'pkg:npm/reeuhq@1.0.2']
} }
const invalidLicenses = await getInvalidLicenseChanges( const invalidLicenses = await getInvalidLicenseChanges(
@@ -213,7 +213,10 @@ test('it does filters out changes if they are not on the exclusions list', async
const changes: Changes = [pipChange, npmChange, rubyChange] const changes: Changes = [pipChange, npmChange, rubyChange]
const licensesConfig = { const licensesConfig = {
allow: ['BSD'], allow: ['BSD'],
licenseExclusions: ['pkg:pip/notmypackage-1@1.1.1', 'pkg:npm/alsonot@1.0.2'] licenseExclusions: [
'pkg:pypi/notmypackage-1@1.1.1',
'pkg:npm/alsonot@1.0.2'
]
} }
const invalidLicenses = await getInvalidLicenseChanges( const invalidLicenses = await getInvalidLicenseChanges(
changes, changes,
+3 -3
View File
@@ -30,7 +30,7 @@ inputs:
description: Comma-separated list of forbidden licenses (e.g. "MIT, GPL 3.0, BSD 2 Clause") description: Comma-separated list of forbidden licenses (e.g. "MIT, GPL 3.0, BSD 2 Clause")
required: false required: false
allow-dependencies-licenses: allow-dependencies-licenses:
description: Comma-separated list of dependencies in purl format (e.g. "pkg:npm/express, pkg:pip/pycrypto"). These dependencies will be permitted to use any license, no matter what license policy is enforced otherwise. description: Comma-separated list of dependencies in purl format (e.g. "pkg:npm/express, pkg:pypi/pycrypto"). These dependencies will be permitted to use any license, no matter what license policy is enforced otherwise.
required: false required: false
allow-ghsas: allow-ghsas:
description: Comma-separated list of allowed GitHub Advisory IDs (e.g. "GHSA-abcd-1234-5679, GHSA-efgh-1234-5679") description: Comma-separated list of allowed GitHub Advisory IDs (e.g. "GHSA-abcd-1234-5679, GHSA-efgh-1234-5679")
@@ -48,10 +48,10 @@ inputs:
description: Determines if the summary is posted as a comment in the PR itself. Setting this to `always` or `on-failure` requires you to give the workflow the write permissions for pull-requests description: Determines if the summary is posted as a comment in the PR itself. Setting this to `always` or `on-failure` requires you to give the workflow the write permissions for pull-requests
required: false required: false
deny-packages: deny-packages:
description: A comma-separated list of package URLs to deny (e.g. "pkg:npm/express, pkg:pip/pycrypto") description: A comma-separated list of package URLs to deny (e.g. "pkg:npm/express, pkg:pypi/pycrypto")
required: false required: false
deny-groups: deny-groups:
description: A comma-separated list of package URLs for group(s)/namespace(s) to deny (e.g. "pkg:npm/express, pkg:pip/pycrypto") description: A comma-separated list of package URLs for group(s)/namespace(s) to deny (e.g. "pkg:npm/express, pkg:pypi/pycrypto")
required: false required: false
retry-on-snapshot-warnings: retry-on-snapshot-warnings:
description: Whether to retry on snapshot warnings description: Whether to retry on snapshot warnings
Generated Vendored
+23 -20
View File
@@ -264,7 +264,8 @@ function compare({ owner, repo, baseRef, headRef }) {
url: '/repos/{owner}/{repo}/dependency-graph/compare/{basehead}', url: '/repos/{owner}/{repo}/dependency-graph/compare/{basehead}',
owner, owner,
repo, repo,
basehead: `${baseRef}...${headRef}` basehead: `${baseRef}...${headRef}`,
per_page: 5
}, response => { }, response => {
if (response.headers[SnapshotWarningsHeader] && if (response.headers[SnapshotWarningsHeader] &&
typeof response.headers[SnapshotWarningsHeader] === 'string') { typeof response.headers[SnapshotWarningsHeader] === 'string') {
@@ -351,7 +352,7 @@ function getInvalidLicenseChanges(changes, licenses) {
return __awaiter(this, void 0, void 0, function* () { return __awaiter(this, void 0, void 0, function* () {
const { allow, deny } = licenses; const { allow, deny } = licenses;
const licenseExclusions = (_a = licenses.licenseExclusions) === null || _a === void 0 ? void 0 : _a.map((pkgUrl) => { const licenseExclusions = (_a = licenses.licenseExclusions) === null || _a === void 0 ? void 0 : _a.map((pkgUrl) => {
return packageurl_js_1.PackageURL.fromString(pkgUrl); return packageurl_js_1.PackageURL.fromString(encodeURI(pkgUrl));
}); });
const groupedChanges = yield groupChanges(changes); const groupedChanges = yield groupChanges(changes);
// Takes the changes from the groupedChanges object and filters out the ones that are part of the exclusions list // Takes the changes from the groupedChanges object and filters out the ones that are part of the exclusions list
@@ -360,7 +361,7 @@ function getInvalidLicenseChanges(changes, licenses) {
if (change.package_url.length === 0) { if (change.package_url.length === 0) {
return true; return true;
} }
const changeAsPackageURL = packageurl_js_1.PackageURL.fromString(change.package_url); const changeAsPackageURL = packageurl_js_1.PackageURL.fromString(encodeURI(change.package_url));
// We want to find if the licenseExclussion list contains the PackageURL of the Change // We want to find if the licenseExclussion list contains the PackageURL of the Change
// If it does, we want to filter it out and therefore return false // If it does, we want to filter it out and therefore return false
// If it doesn't, we want to keep it and therefore return true // If it doesn't, we want to keep it and therefore return true
@@ -606,12 +607,10 @@ function run() {
core.info('No Dependency Changes found. Skipping Dependency Review.'); core.info('No Dependency Changes found. Skipping Dependency Review.');
return; return;
} }
const minSeverity = config.fail_on_severity;
const scopedChanges = (0, filter_1.filterChangesByScopes)(config.fail_on_scopes, changes); const scopedChanges = (0, filter_1.filterChangesByScopes)(config.fail_on_scopes, changes);
const filteredChanges = (0, filter_1.filterAllowedAdvisories)(config.allow_ghsas, scopedChanges); const filteredChanges = (0, filter_1.filterAllowedAdvisories)(config.allow_ghsas, scopedChanges);
const vulnerableChanges = (0, filter_1.filterChangesBySeverity)(minSeverity, filteredChanges).filter(change => change.change_type === 'added' && const minSeverity = config.fail_on_severity;
change.vulnerabilities !== undefined && const vulnerableChanges = (0, filter_1.filterChangesBySeverity)(minSeverity, filteredChanges);
change.vulnerabilities.length > 0);
const invalidLicenseChanges = yield (0, licenses_1.getInvalidLicenseChanges)(filteredChanges, { const invalidLicenseChanges = yield (0, licenses_1.getInvalidLicenseChanges)(filteredChanges, {
allow: config.allow_licenses, allow: config.allow_licenses,
deny: config.deny_licenses, deny: config.deny_licenses,
@@ -55933,6 +55932,14 @@ function validatePURL(allow_dependencies_licenses) {
Object.defineProperty(exports, "__esModule", ({ value: true })); Object.defineProperty(exports, "__esModule", ({ value: true }));
exports.filterAllowedAdvisories = exports.filterChangesByScopes = exports.filterChangesBySeverity = void 0; exports.filterAllowedAdvisories = exports.filterChangesByScopes = exports.filterChangesBySeverity = void 0;
const schemas_1 = __nccwpck_require__(1129); const schemas_1 = __nccwpck_require__(1129);
/**
* Filters changes by a severity level. Only vulnerable
* dependencies will be returned.
*
* @param severity - The severity level to filter by.
* @param changes - The array of changes to filter.
* @returns The filtered array of changes that match the specified severity level and have vulnerabilities.
*/
function filterChangesBySeverity(severity, changes) { function filterChangesBySeverity(severity, changes) {
const severityIdx = schemas_1.SEVERITIES.indexOf(severity); const severityIdx = schemas_1.SEVERITIES.indexOf(severity);
let filteredChanges = []; let filteredChanges = [];
@@ -55952,7 +55959,10 @@ function filterChangesBySeverity(severity, changes) {
} }
// don't want to deal with changes with no vulnerabilities // don't want to deal with changes with no vulnerabilities
filteredChanges = filteredChanges.filter(change => change.vulnerabilities.length > 0); filteredChanges = filteredChanges.filter(change => change.vulnerabilities.length > 0);
return filteredChanges; // only report vulnerability additions
return filteredChanges.filter(change => change.change_type === 'added' &&
change.vulnerabilities !== undefined &&
change.vulnerabilities.length > 0);
} }
exports.filterChangesBySeverity = filterChangesBySeverity; exports.filterChangesBySeverity = filterChangesBySeverity;
function filterChangesByScopes(scopes, changes) { function filterChangesByScopes(scopes, changes) {
@@ -55979,22 +55989,15 @@ function filterAllowedAdvisories(ghsas, changes) {
if (ghsas === undefined) { if (ghsas === undefined) {
return changes; return changes;
} }
const filteredChanges = changes.filter(change => { const filteredChanges = changes.map(change => {
const noAdvisories = change.vulnerabilities === undefined || const noAdvisories = change.vulnerabilities === undefined ||
change.vulnerabilities.length === 0; change.vulnerabilities.length === 0;
if (noAdvisories) { if (noAdvisories) {
return true; return change;
}
let allAllowedAdvisories = true;
// if there's at least one advisory that is not allowlisted, we will keep the change
for (const vulnerability of change.vulnerabilities) {
if (!ghsas.includes(vulnerability.advisory_ghsa_id)) {
allAllowedAdvisories = false;
}
if (!allAllowedAdvisories) {
return true;
}
} }
const newChange = Object.assign({}, change);
newChange.vulnerabilities = change.vulnerabilities.filter(vuln => !ghsas.includes(vuln.advisory_ghsa_id));
return newChange;
}); });
return filteredChanges; return filteredChanges;
} }
Generated Vendored
+1 -1
View File
File diff suppressed because one or more lines are too long
+2 -2
View File
@@ -190,7 +190,7 @@ jobs:
fail-on-severity: critical fail-on-severity: critical
deny-licenses: LGPL-2.0, BSD-2-Clause deny-licenses: LGPL-2.0, BSD-2-Clause
comment-summary-in-pr: always comment-summary-in-pr: always
allow-dependencies-licenses: 'pkg:npm/loadash, pkg:pip/requests' allow-dependencies-licenses: 'pkg:npm/loadash, pkg:pypi/requests'
``` ```
If we were to use configuration file, the configuration would look like this: If we were to use configuration file, the configuration would look like this:
@@ -202,7 +202,7 @@ allow-licenses:
- 'BSD-2-Clause' - 'BSD-2-Clause'
allow-dependencies-licenses: allow-dependencies-licenses:
- 'pkg:npm/loadash' - 'pkg:npm/loadash'
- 'pkg:pip/requests' - 'pkg:pypi/requests'
``` ```
## Only check for vulnerabilities ## Only check for vulnerabilities
+289 -95
View File
@@ -1,19 +1,19 @@
{ {
"name": "dependency-review-action", "name": "dependency-review-action",
"version": "3.1.2", "version": "3.1.4",
"lockfileVersion": 3, "lockfileVersion": 3,
"requires": true, "requires": true,
"packages": { "packages": {
"": { "": {
"name": "dependency-review-action", "name": "dependency-review-action",
"version": "3.1.2", "version": "3.1.4",
"license": "MIT", "license": "MIT",
"dependencies": { "dependencies": {
"@actions/core": "^1.10.1", "@actions/core": "^1.10.1",
"@actions/github": "^5.1.1", "@actions/github": "^5.1.1",
"@octokit/plugin-retry": "^5.0.4", "@octokit/plugin-retry": "^5.0.4",
"@octokit/request-error": "^2.1.0", "@octokit/request-error": "^2.1.0",
"@types/jest": "^29.5.5", "@types/jest": "^29.5.11",
"ansi-styles": "^6.2.1", "ansi-styles": "^6.2.1",
"got": "^13.0.0", "got": "^13.0.0",
"jest": "^29.7.0", "jest": "^29.7.0",
@@ -26,21 +26,21 @@
"zod": "^3.22.3" "zod": "^3.22.3"
}, },
"devDependencies": { "devDependencies": {
"@types/node": "^16.18.58", "@types/node": "^16.18.62",
"@types/spdx-expression-parse": "^3.0.4", "@types/spdx-expression-parse": "^3.0.4",
"@types/spdx-satisfies": "^0.1.1", "@types/spdx-satisfies": "^0.1.1",
"@typescript-eslint/eslint-plugin": "^6.9.1", "@typescript-eslint/eslint-plugin": "^6.15.0",
"@typescript-eslint/parser": "^6.9.1", "@typescript-eslint/parser": "^6.16.0",
"@vercel/ncc": "^0.38.0", "@vercel/ncc": "^0.38.0",
"esbuild-register": "^3.5.0", "esbuild-register": "^3.5.0",
"eslint": "^8.52.0", "eslint": "^8.56.0",
"eslint-plugin-github": "^4.10.1", "eslint-plugin-github": "^4.10.1",
"eslint-plugin-jest": "^27.6.0", "eslint-plugin-jest": "^27.6.0",
"eslint-plugin-prettier": "^5.0.1", "eslint-plugin-prettier": "^5.0.1",
"js-yaml": "^4.1.0", "js-yaml": "^4.1.0",
"nodemon": "^3.0.1", "nodemon": "^3.0.2",
"prettier": "3.0.3", "prettier": "3.1.1",
"typescript": "^5.2.2" "typescript": "^5.3.2"
} }
}, },
"node_modules/@aashutoshrathi/word-wrap": { "node_modules/@aashutoshrathi/word-wrap": {
@@ -1141,9 +1141,9 @@
} }
}, },
"node_modules/@eslint/eslintrc": { "node_modules/@eslint/eslintrc": {
"version": "2.1.3", "version": "2.1.4",
"resolved": "https://registry.npmjs.org/@eslint/eslintrc/-/eslintrc-2.1.3.tgz", "resolved": "https://registry.npmjs.org/@eslint/eslintrc/-/eslintrc-2.1.4.tgz",
"integrity": "sha512-yZzuIG+jnVu6hNSzFEN07e8BxF3uAzYtQb6uDkaYZLo6oYZDCq454c5kB8zxnzfCYyP4MIuyBn10L0DqwujTmA==", "integrity": "sha512-269Z39MS6wVJtsoUl10L60WdkhJVdPG24Q4eZTH3nnF6lpvSShEK3wQjDX9JRWAUPvPh7COouPpU9IrqaZFvtQ==",
"dev": true, "dev": true,
"dependencies": { "dependencies": {
"ajv": "^6.12.4", "ajv": "^6.12.4",
@@ -1164,9 +1164,9 @@
} }
}, },
"node_modules/@eslint/js": { "node_modules/@eslint/js": {
"version": "8.53.0", "version": "8.56.0",
"resolved": "https://registry.npmjs.org/@eslint/js/-/js-8.53.0.tgz", "resolved": "https://registry.npmjs.org/@eslint/js/-/js-8.56.0.tgz",
"integrity": "sha512-Kn7K8dx/5U6+cT1yEhpX1w4PCSg0M+XyRILPgvwcEBjerFWCwQj5sbr3/VmxqV0JGHCBCzyd6LxypEuehypY1w==", "integrity": "sha512-gMsVel9D7f2HLkBma9VbtzZRehRogVRfbr++f06nL2vnCGCNlzOD+/MUov/F4p8myyAHspEhVobgjpX64q5m6A==",
"dev": true, "dev": true,
"engines": { "engines": {
"node": "^12.22.0 || ^14.17.0 || >=16.0.0" "node": "^12.22.0 || ^14.17.0 || >=16.0.0"
@@ -2279,9 +2279,9 @@
} }
}, },
"node_modules/@types/jest": { "node_modules/@types/jest": {
"version": "29.5.8", "version": "29.5.11",
"resolved": "https://registry.npmjs.org/@types/jest/-/jest-29.5.8.tgz", "resolved": "https://registry.npmjs.org/@types/jest/-/jest-29.5.11.tgz",
"integrity": "sha512-fXEFTxMV2Co8ZF5aYFJv+YeA08RTYJfhtN5c9JSv/mFEMe+xxjufCb+PHL+bJcMs/ebPUsBu+UNTEz+ydXrR6g==", "integrity": "sha512-S2mHmYIVe13vrm6q4kN6fLYYAka15ALQki/vgDC3mIukEOx8WJlv0kQPM+d4w8Gp6u0uSdKND04IlTXBv0rwnQ==",
"dependencies": { "dependencies": {
"expect": "^29.0.0", "expect": "^29.0.0",
"pretty-format": "^29.0.0" "pretty-format": "^29.0.0"
@@ -2308,9 +2308,9 @@
} }
}, },
"node_modules/@types/node": { "node_modules/@types/node": {
"version": "16.18.61", "version": "16.18.62",
"resolved": "https://registry.npmjs.org/@types/node/-/node-16.18.61.tgz", "resolved": "https://registry.npmjs.org/@types/node/-/node-16.18.62.tgz",
"integrity": "sha512-k0N7BqGhJoJzdh6MuQg1V1ragJiXTh8VUBAZTWjJ9cUq23SG0F0xavOwZbhiP4J3y20xd6jxKx+xNUhkMAi76Q==" "integrity": "sha512-/zbPnIBkef8sT+6vw6BxdvU3dCxRI0v6rBu/6IvXnRNtOPILucigqhUBPYxtQ/8JdAna0JLTAcNTCDmQ77QYkQ=="
}, },
"node_modules/@types/semver": { "node_modules/@types/semver": {
"version": "7.5.5", "version": "7.5.5",
@@ -2349,16 +2349,16 @@
"integrity": "sha512-I4q9QU9MQv4oEOz4tAHJtNz1cwuLxn2F3xcc2iV5WdqLPpUnj30aUuxt1mAxYTG+oe8CZMV/+6rU4S4gRDzqtQ==" "integrity": "sha512-I4q9QU9MQv4oEOz4tAHJtNz1cwuLxn2F3xcc2iV5WdqLPpUnj30aUuxt1mAxYTG+oe8CZMV/+6rU4S4gRDzqtQ=="
}, },
"node_modules/@typescript-eslint/eslint-plugin": { "node_modules/@typescript-eslint/eslint-plugin": {
"version": "6.10.0", "version": "6.15.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-6.10.0.tgz", "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-6.15.0.tgz",
"integrity": "sha512-uoLj4g2OTL8rfUQVx2AFO1hp/zja1wABJq77P6IclQs6I/m9GLrm7jCdgzZkvWdDCQf1uEvoa8s8CupsgWQgVg==", "integrity": "sha512-j5qoikQqPccq9QoBAupOP+CBu8BaJ8BLjaXSioDISeTZkVO3ig7oSIKh3H+rEpee7xCXtWwSB4KIL5l6hWZzpg==",
"dev": true, "dev": true,
"dependencies": { "dependencies": {
"@eslint-community/regexpp": "^4.5.1", "@eslint-community/regexpp": "^4.5.1",
"@typescript-eslint/scope-manager": "6.10.0", "@typescript-eslint/scope-manager": "6.15.0",
"@typescript-eslint/type-utils": "6.10.0", "@typescript-eslint/type-utils": "6.15.0",
"@typescript-eslint/utils": "6.10.0", "@typescript-eslint/utils": "6.15.0",
"@typescript-eslint/visitor-keys": "6.10.0", "@typescript-eslint/visitor-keys": "6.15.0",
"debug": "^4.3.4", "debug": "^4.3.4",
"graphemer": "^1.4.0", "graphemer": "^1.4.0",
"ignore": "^5.2.4", "ignore": "^5.2.4",
@@ -2383,16 +2383,63 @@
} }
} }
}, },
"node_modules/@typescript-eslint/parser": { "node_modules/@typescript-eslint/eslint-plugin/node_modules/@typescript-eslint/scope-manager": {
"version": "6.10.0", "version": "6.15.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-6.10.0.tgz", "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-6.15.0.tgz",
"integrity": "sha512-+sZwIj+s+io9ozSxIWbNB5873OSdfeBEH/FR0re14WLI6BaKuSOnnwCJ2foUiu8uXf4dRp1UqHP0vrZ1zXGrog==", "integrity": "sha512-+BdvxYBltqrmgCNu4Li+fGDIkW9n//NrruzG9X1vBzaNK+ExVXPoGB71kneaVw/Jp+4rH/vaMAGC6JfMbHstVg==",
"dev": true, "dev": true,
"dependencies": { "dependencies": {
"@typescript-eslint/scope-manager": "6.10.0", "@typescript-eslint/types": "6.15.0",
"@typescript-eslint/types": "6.10.0", "@typescript-eslint/visitor-keys": "6.15.0"
"@typescript-eslint/typescript-estree": "6.10.0", },
"@typescript-eslint/visitor-keys": "6.10.0", "engines": {
"node": "^16.0.0 || >=18.0.0"
},
"funding": {
"type": "opencollective",
"url": "https://opencollective.com/typescript-eslint"
}
},
"node_modules/@typescript-eslint/eslint-plugin/node_modules/@typescript-eslint/types": {
"version": "6.15.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-6.15.0.tgz",
"integrity": "sha512-yXjbt//E4T/ee8Ia1b5mGlbNj9fB9lJP4jqLbZualwpP2BCQ5is6BcWwxpIsY4XKAhmdv3hrW92GdtJbatC6dQ==",
"dev": true,
"engines": {
"node": "^16.0.0 || >=18.0.0"
},
"funding": {
"type": "opencollective",
"url": "https://opencollective.com/typescript-eslint"
}
},
"node_modules/@typescript-eslint/eslint-plugin/node_modules/@typescript-eslint/visitor-keys": {
"version": "6.15.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-6.15.0.tgz",
"integrity": "sha512-1zvtdC1a9h5Tb5jU9x3ADNXO9yjP8rXlaoChu0DQX40vf5ACVpYIVIZhIMZ6d5sDXH7vq4dsZBT1fEGj8D2n2w==",
"dev": true,
"dependencies": {
"@typescript-eslint/types": "6.15.0",
"eslint-visitor-keys": "^3.4.1"
},
"engines": {
"node": "^16.0.0 || >=18.0.0"
},
"funding": {
"type": "opencollective",
"url": "https://opencollective.com/typescript-eslint"
}
},
"node_modules/@typescript-eslint/parser": {
"version": "6.16.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-6.16.0.tgz",
"integrity": "sha512-H2GM3eUo12HpKZU9njig3DF5zJ58ja6ahj1GoHEHOgQvYxzoFJJEvC1MQ7T2l9Ha+69ZSOn7RTxOdpC/y3ikMw==",
"dev": true,
"dependencies": {
"@typescript-eslint/scope-manager": "6.16.0",
"@typescript-eslint/types": "6.16.0",
"@typescript-eslint/typescript-estree": "6.16.0",
"@typescript-eslint/visitor-keys": "6.16.0",
"debug": "^4.3.4" "debug": "^4.3.4"
}, },
"engines": { "engines": {
@@ -2412,13 +2459,13 @@
} }
}, },
"node_modules/@typescript-eslint/scope-manager": { "node_modules/@typescript-eslint/scope-manager": {
"version": "6.10.0", "version": "6.16.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-6.10.0.tgz", "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-6.16.0.tgz",
"integrity": "sha512-TN/plV7dzqqC2iPNf1KrxozDgZs53Gfgg5ZHyw8erd6jd5Ta/JIEcdCheXFt9b1NYb93a1wmIIVW/2gLkombDg==", "integrity": "sha512-0N7Y9DSPdaBQ3sqSCwlrm9zJwkpOuc6HYm7LpzLAPqBL7dmzAUimr4M29dMkOP/tEwvOCC/Cxo//yOfJD3HUiw==",
"dev": true, "dev": true,
"dependencies": { "dependencies": {
"@typescript-eslint/types": "6.10.0", "@typescript-eslint/types": "6.16.0",
"@typescript-eslint/visitor-keys": "6.10.0" "@typescript-eslint/visitor-keys": "6.16.0"
}, },
"engines": { "engines": {
"node": "^16.0.0 || >=18.0.0" "node": "^16.0.0 || >=18.0.0"
@@ -2429,13 +2476,13 @@
} }
}, },
"node_modules/@typescript-eslint/type-utils": { "node_modules/@typescript-eslint/type-utils": {
"version": "6.10.0", "version": "6.15.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-6.10.0.tgz", "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-6.15.0.tgz",
"integrity": "sha512-wYpPs3hgTFblMYwbYWPT3eZtaDOjbLyIYuqpwuLBBqhLiuvJ+9sEp2gNRJEtR5N/c9G1uTtQQL5AhV0fEPJYcg==", "integrity": "sha512-CnmHKTfX6450Bo49hPg2OkIm/D/TVYV7jO1MCfPYGwf6x3GO0VU8YMO5AYMn+u3X05lRRxA4fWCz87GFQV6yVQ==",
"dev": true, "dev": true,
"dependencies": { "dependencies": {
"@typescript-eslint/typescript-estree": "6.10.0", "@typescript-eslint/typescript-estree": "6.15.0",
"@typescript-eslint/utils": "6.10.0", "@typescript-eslint/utils": "6.15.0",
"debug": "^4.3.4", "debug": "^4.3.4",
"ts-api-utils": "^1.0.1" "ts-api-utils": "^1.0.1"
}, },
@@ -2455,10 +2502,10 @@
} }
} }
}, },
"node_modules/@typescript-eslint/types": { "node_modules/@typescript-eslint/type-utils/node_modules/@typescript-eslint/types": {
"version": "6.10.0", "version": "6.15.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-6.10.0.tgz", "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-6.15.0.tgz",
"integrity": "sha512-36Fq1PWh9dusgo3vH7qmQAj5/AZqARky1Wi6WpINxB6SkQdY5vQoT2/7rW7uBIsPDcvvGCLi4r10p0OJ7ITAeg==", "integrity": "sha512-yXjbt//E4T/ee8Ia1b5mGlbNj9fB9lJP4jqLbZualwpP2BCQ5is6BcWwxpIsY4XKAhmdv3hrW92GdtJbatC6dQ==",
"dev": true, "dev": true,
"engines": { "engines": {
"node": "^16.0.0 || >=18.0.0" "node": "^16.0.0 || >=18.0.0"
@@ -2468,14 +2515,14 @@
"url": "https://opencollective.com/typescript-eslint" "url": "https://opencollective.com/typescript-eslint"
} }
}, },
"node_modules/@typescript-eslint/typescript-estree": { "node_modules/@typescript-eslint/type-utils/node_modules/@typescript-eslint/typescript-estree": {
"version": "6.10.0", "version": "6.15.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-6.10.0.tgz", "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-6.15.0.tgz",
"integrity": "sha512-ek0Eyuy6P15LJVeghbWhSrBCj/vJpPXXR+EpaRZqou7achUWL8IdYnMSC5WHAeTWswYQuP2hAZgij/bC9fanBg==", "integrity": "sha512-7mVZJN7Hd15OmGuWrp2T9UvqR2Ecg+1j/Bp1jXUEY2GZKV6FXlOIoqVDmLpBiEiq3katvj/2n2mR0SDwtloCew==",
"dev": true, "dev": true,
"dependencies": { "dependencies": {
"@typescript-eslint/types": "6.10.0", "@typescript-eslint/types": "6.15.0",
"@typescript-eslint/visitor-keys": "6.10.0", "@typescript-eslint/visitor-keys": "6.15.0",
"debug": "^4.3.4", "debug": "^4.3.4",
"globby": "^11.1.0", "globby": "^11.1.0",
"is-glob": "^4.0.3", "is-glob": "^4.0.3",
@@ -2495,18 +2542,100 @@
} }
} }
}, },
"node_modules/@typescript-eslint/type-utils/node_modules/@typescript-eslint/visitor-keys": {
"version": "6.15.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-6.15.0.tgz",
"integrity": "sha512-1zvtdC1a9h5Tb5jU9x3ADNXO9yjP8rXlaoChu0DQX40vf5ACVpYIVIZhIMZ6d5sDXH7vq4dsZBT1fEGj8D2n2w==",
"dev": true,
"dependencies": {
"@typescript-eslint/types": "6.15.0",
"eslint-visitor-keys": "^3.4.1"
},
"engines": {
"node": "^16.0.0 || >=18.0.0"
},
"funding": {
"type": "opencollective",
"url": "https://opencollective.com/typescript-eslint"
}
},
"node_modules/@typescript-eslint/types": {
"version": "6.16.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-6.16.0.tgz",
"integrity": "sha512-hvDFpLEvTJoHutVl87+MG/c5C8I6LOgEx05zExTSJDEVU7hhR3jhV8M5zuggbdFCw98+HhZWPHZeKS97kS3JoQ==",
"dev": true,
"engines": {
"node": "^16.0.0 || >=18.0.0"
},
"funding": {
"type": "opencollective",
"url": "https://opencollective.com/typescript-eslint"
}
},
"node_modules/@typescript-eslint/typescript-estree": {
"version": "6.16.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-6.16.0.tgz",
"integrity": "sha512-VTWZuixh/vr7nih6CfrdpmFNLEnoVBF1skfjdyGnNwXOH1SLeHItGdZDHhhAIzd3ACazyY2Fg76zuzOVTaknGA==",
"dev": true,
"dependencies": {
"@typescript-eslint/types": "6.16.0",
"@typescript-eslint/visitor-keys": "6.16.0",
"debug": "^4.3.4",
"globby": "^11.1.0",
"is-glob": "^4.0.3",
"minimatch": "9.0.3",
"semver": "^7.5.4",
"ts-api-utils": "^1.0.1"
},
"engines": {
"node": "^16.0.0 || >=18.0.0"
},
"funding": {
"type": "opencollective",
"url": "https://opencollective.com/typescript-eslint"
},
"peerDependenciesMeta": {
"typescript": {
"optional": true
}
}
},
"node_modules/@typescript-eslint/typescript-estree/node_modules/brace-expansion": {
"version": "2.0.1",
"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz",
"integrity": "sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==",
"dev": true,
"dependencies": {
"balanced-match": "^1.0.0"
}
},
"node_modules/@typescript-eslint/typescript-estree/node_modules/minimatch": {
"version": "9.0.3",
"resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.3.tgz",
"integrity": "sha512-RHiac9mvaRw0x3AYRgDC1CxAP7HTcNrrECeA8YYJeWnpo+2Q5CegtZjaotWTWxDG3UeGA1coE05iH1mPjT/2mg==",
"dev": true,
"dependencies": {
"brace-expansion": "^2.0.1"
},
"engines": {
"node": ">=16 || 14 >=14.17"
},
"funding": {
"url": "https://github.com/sponsors/isaacs"
}
},
"node_modules/@typescript-eslint/utils": { "node_modules/@typescript-eslint/utils": {
"version": "6.10.0", "version": "6.15.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-6.10.0.tgz", "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-6.15.0.tgz",
"integrity": "sha512-v+pJ1/RcVyRc0o4wAGux9x42RHmAjIGzPRo538Z8M1tVx6HOnoQBCX/NoadHQlZeC+QO2yr4nNSFWOoraZCAyg==", "integrity": "sha512-eF82p0Wrrlt8fQSRL0bGXzK5nWPRV2dYQZdajcfzOD9+cQz9O7ugifrJxclB+xVOvWvagXfqS4Es7vpLP4augw==",
"dev": true, "dev": true,
"dependencies": { "dependencies": {
"@eslint-community/eslint-utils": "^4.4.0", "@eslint-community/eslint-utils": "^4.4.0",
"@types/json-schema": "^7.0.12", "@types/json-schema": "^7.0.12",
"@types/semver": "^7.5.0", "@types/semver": "^7.5.0",
"@typescript-eslint/scope-manager": "6.10.0", "@typescript-eslint/scope-manager": "6.15.0",
"@typescript-eslint/types": "6.10.0", "@typescript-eslint/types": "6.15.0",
"@typescript-eslint/typescript-estree": "6.10.0", "@typescript-eslint/typescript-estree": "6.15.0",
"semver": "^7.5.4" "semver": "^7.5.4"
}, },
"engines": { "engines": {
@@ -2520,13 +2649,87 @@
"eslint": "^7.0.0 || ^8.0.0" "eslint": "^7.0.0 || ^8.0.0"
} }
}, },
"node_modules/@typescript-eslint/visitor-keys": { "node_modules/@typescript-eslint/utils/node_modules/@typescript-eslint/scope-manager": {
"version": "6.10.0", "version": "6.15.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-6.10.0.tgz", "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-6.15.0.tgz",
"integrity": "sha512-xMGluxQIEtOM7bqFCo+rCMh5fqI+ZxV5RUUOa29iVPz1OgCZrtc7rFnz5cLUazlkPKYqX+75iuDq7m0HQ48nCg==", "integrity": "sha512-+BdvxYBltqrmgCNu4Li+fGDIkW9n//NrruzG9X1vBzaNK+ExVXPoGB71kneaVw/Jp+4rH/vaMAGC6JfMbHstVg==",
"dev": true, "dev": true,
"dependencies": { "dependencies": {
"@typescript-eslint/types": "6.10.0", "@typescript-eslint/types": "6.15.0",
"@typescript-eslint/visitor-keys": "6.15.0"
},
"engines": {
"node": "^16.0.0 || >=18.0.0"
},
"funding": {
"type": "opencollective",
"url": "https://opencollective.com/typescript-eslint"
}
},
"node_modules/@typescript-eslint/utils/node_modules/@typescript-eslint/types": {
"version": "6.15.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-6.15.0.tgz",
"integrity": "sha512-yXjbt//E4T/ee8Ia1b5mGlbNj9fB9lJP4jqLbZualwpP2BCQ5is6BcWwxpIsY4XKAhmdv3hrW92GdtJbatC6dQ==",
"dev": true,
"engines": {
"node": "^16.0.0 || >=18.0.0"
},
"funding": {
"type": "opencollective",
"url": "https://opencollective.com/typescript-eslint"
}
},
"node_modules/@typescript-eslint/utils/node_modules/@typescript-eslint/typescript-estree": {
"version": "6.15.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-6.15.0.tgz",
"integrity": "sha512-7mVZJN7Hd15OmGuWrp2T9UvqR2Ecg+1j/Bp1jXUEY2GZKV6FXlOIoqVDmLpBiEiq3katvj/2n2mR0SDwtloCew==",
"dev": true,
"dependencies": {
"@typescript-eslint/types": "6.15.0",
"@typescript-eslint/visitor-keys": "6.15.0",
"debug": "^4.3.4",
"globby": "^11.1.0",
"is-glob": "^4.0.3",
"semver": "^7.5.4",
"ts-api-utils": "^1.0.1"
},
"engines": {
"node": "^16.0.0 || >=18.0.0"
},
"funding": {
"type": "opencollective",
"url": "https://opencollective.com/typescript-eslint"
},
"peerDependenciesMeta": {
"typescript": {
"optional": true
}
}
},
"node_modules/@typescript-eslint/utils/node_modules/@typescript-eslint/visitor-keys": {
"version": "6.15.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-6.15.0.tgz",
"integrity": "sha512-1zvtdC1a9h5Tb5jU9x3ADNXO9yjP8rXlaoChu0DQX40vf5ACVpYIVIZhIMZ6d5sDXH7vq4dsZBT1fEGj8D2n2w==",
"dev": true,
"dependencies": {
"@typescript-eslint/types": "6.15.0",
"eslint-visitor-keys": "^3.4.1"
},
"engines": {
"node": "^16.0.0 || >=18.0.0"
},
"funding": {
"type": "opencollective",
"url": "https://opencollective.com/typescript-eslint"
}
},
"node_modules/@typescript-eslint/visitor-keys": {
"version": "6.16.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-6.16.0.tgz",
"integrity": "sha512-QSFQLruk7fhs91a/Ep/LqRdbJCZ1Rq03rqBdKT5Ky17Sz8zRLUksqIe9DW0pKtg/Z35/ztbLQ6qpOCN6rOC11A==",
"dev": true,
"dependencies": {
"@typescript-eslint/types": "6.16.0",
"eslint-visitor-keys": "^3.4.1" "eslint-visitor-keys": "^3.4.1"
}, },
"engines": { "engines": {
@@ -3925,15 +4128,15 @@
} }
}, },
"node_modules/eslint": { "node_modules/eslint": {
"version": "8.53.0", "version": "8.56.0",
"resolved": "https://registry.npmjs.org/eslint/-/eslint-8.53.0.tgz", "resolved": "https://registry.npmjs.org/eslint/-/eslint-8.56.0.tgz",
"integrity": "sha512-N4VuiPjXDUa4xVeV/GC/RV3hQW9Nw+Y463lkWaKKXKYMvmRiRDAtfpuPFLN+E1/6ZhyR8J2ig+eVREnYgUsiag==", "integrity": "sha512-Go19xM6T9puCOWntie1/P997aXxFsOi37JIHRWI514Hc6ZnaHGKY9xFhrU65RT6CcBEzZoGG1e6Nq+DT04ZtZQ==",
"dev": true, "dev": true,
"dependencies": { "dependencies": {
"@eslint-community/eslint-utils": "^4.2.0", "@eslint-community/eslint-utils": "^4.2.0",
"@eslint-community/regexpp": "^4.6.1", "@eslint-community/regexpp": "^4.6.1",
"@eslint/eslintrc": "^2.1.3", "@eslint/eslintrc": "^2.1.4",
"@eslint/js": "8.53.0", "@eslint/js": "8.56.0",
"@humanwhocodes/config-array": "^0.11.13", "@humanwhocodes/config-array": "^0.11.13",
"@humanwhocodes/module-importer": "^1.0.1", "@humanwhocodes/module-importer": "^1.0.1",
"@nodelib/fs.walk": "^1.2.8", "@nodelib/fs.walk": "^1.2.8",
@@ -4875,9 +5078,9 @@
} }
}, },
"node_modules/globals": { "node_modules/globals": {
"version": "13.23.0", "version": "13.24.0",
"resolved": "https://registry.npmjs.org/globals/-/globals-13.23.0.tgz", "resolved": "https://registry.npmjs.org/globals/-/globals-13.24.0.tgz",
"integrity": "sha512-XAmF0RjlrjY23MA51q3HltdlGxUpXPvg0GioKiD9X6HD28iMjo2dKC8Vqwm7lne4GNr78+RHTfliktR6ZH09wA==", "integrity": "sha512-AhO5QUcj8llrbG09iWhPU2B204J1xnPeL8kQmVorSsy+Sjj1sk8gIyh6cUocGmH4L0UuhAJy+hJMRA4mgA4mFQ==",
"dev": true, "dev": true,
"dependencies": { "dependencies": {
"type-fest": "^0.20.2" "type-fest": "^0.20.2"
@@ -6621,13 +6824,13 @@
"integrity": "sha512-uYr7J37ae/ORWdZeQ1xxMJe3NtdmqMC/JZK+geofDrkLUApKRHPd18/TxtBOJ4A0/+uUIliorNrfYV6s1b02eQ==" "integrity": "sha512-uYr7J37ae/ORWdZeQ1xxMJe3NtdmqMC/JZK+geofDrkLUApKRHPd18/TxtBOJ4A0/+uUIliorNrfYV6s1b02eQ=="
}, },
"node_modules/nodemon": { "node_modules/nodemon": {
"version": "3.0.1", "version": "3.0.2",
"resolved": "https://registry.npmjs.org/nodemon/-/nodemon-3.0.1.tgz", "resolved": "https://registry.npmjs.org/nodemon/-/nodemon-3.0.2.tgz",
"integrity": "sha512-g9AZ7HmkhQkqXkRc20w+ZfQ73cHLbE8hnPbtaFbFtCumZsjyMhKk9LajQ07U5Ux28lvFjZ5X7HvWR1xzU8jHVw==", "integrity": "sha512-9qIN2LNTrEzpOPBaWHTm4Asy1LxXLSickZStAQ4IZe7zsoIpD/A7LWxhZV3t4Zu352uBcqVnRsDXSMR2Sc3lTA==",
"dev": true, "dev": true,
"dependencies": { "dependencies": {
"chokidar": "^3.5.2", "chokidar": "^3.5.2",
"debug": "^3.2.7", "debug": "^4",
"ignore-by-default": "^1.0.1", "ignore-by-default": "^1.0.1",
"minimatch": "^3.1.2", "minimatch": "^3.1.2",
"pstree.remy": "^1.1.8", "pstree.remy": "^1.1.8",
@@ -6648,15 +6851,6 @@
"url": "https://opencollective.com/nodemon" "url": "https://opencollective.com/nodemon"
} }
}, },
"node_modules/nodemon/node_modules/debug": {
"version": "3.2.7",
"resolved": "https://registry.npmjs.org/debug/-/debug-3.2.7.tgz",
"integrity": "sha512-CFjzYYAi4ThfiQvizrFQevTTXHtnCqWfe7x1AhgEscTz6ZbLbfoLRLPugTQyBth6f8ZERVUSyWHFD/7Wu4t1XQ==",
"dev": true,
"dependencies": {
"ms": "^2.1.1"
}
},
"node_modules/nodemon/node_modules/has-flag": { "node_modules/nodemon/node_modules/has-flag": {
"version": "3.0.0", "version": "3.0.0",
"resolved": "https://registry.npmjs.org/has-flag/-/has-flag-3.0.0.tgz", "resolved": "https://registry.npmjs.org/has-flag/-/has-flag-3.0.0.tgz",
@@ -7170,9 +7364,9 @@
} }
}, },
"node_modules/prettier": { "node_modules/prettier": {
"version": "3.0.3", "version": "3.1.1",
"resolved": "https://registry.npmjs.org/prettier/-/prettier-3.0.3.tgz", "resolved": "https://registry.npmjs.org/prettier/-/prettier-3.1.1.tgz",
"integrity": "sha512-L/4pUDMxcNa8R/EthV08Zt42WBO4h1rarVtK0K+QJG0X187OLo7l699jWw0GKuwzkPQ//jMFA/8Xm6Fh3J/DAg==", "integrity": "sha512-22UbSzg8luF4UuZtzgiUOfcGM8s4tjBv6dJRT7j275NXsy2jb4aJa4NNveul5x4eqlF1wuhuR2RElK71RvmVaw==",
"dev": true, "dev": true,
"bin": { "bin": {
"prettier": "bin/prettier.cjs" "prettier": "bin/prettier.cjs"
@@ -8206,9 +8400,9 @@
} }
}, },
"node_modules/typescript": { "node_modules/typescript": {
"version": "5.2.2", "version": "5.3.2",
"resolved": "https://registry.npmjs.org/typescript/-/typescript-5.2.2.tgz", "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.3.2.tgz",
"integrity": "sha512-mI4WrpHsbCIcwT9cF4FZvr80QUeKvsUsUvKDoR+X/7XHQH98xYD8YHZg7ANtz2GtZt/CBq2QJ0thkGJMHfqc1w==", "integrity": "sha512-6l+RyNy7oAHDfxC4FzSJcz9vnjTKxrLpDG5M2Vu4SHRVNg6xzqZp6LYSR9zjqQTu8DU/f5xwxUdADOkbrIX2gQ==",
"bin": { "bin": {
"tsc": "bin/tsc", "tsc": "bin/tsc",
"tsserver": "bin/tsserver" "tsserver": "bin/tsserver"
+9 -9
View File
@@ -1,6 +1,6 @@
{ {
"name": "dependency-review-action", "name": "dependency-review-action",
"version": "3.1.2", "version": "3.1.4",
"private": true, "private": true,
"description": "A GitHub Action for Dependency Review", "description": "A GitHub Action for Dependency Review",
"main": "lib/main.js", "main": "lib/main.js",
@@ -29,7 +29,7 @@
"@actions/github": "^5.1.1", "@actions/github": "^5.1.1",
"@octokit/plugin-retry": "^5.0.4", "@octokit/plugin-retry": "^5.0.4",
"@octokit/request-error": "^2.1.0", "@octokit/request-error": "^2.1.0",
"@types/jest": "^29.5.5", "@types/jest": "^29.5.11",
"ansi-styles": "^6.2.1", "ansi-styles": "^6.2.1",
"got": "^13.0.0", "got": "^13.0.0",
"jest": "^29.7.0", "jest": "^29.7.0",
@@ -42,20 +42,20 @@
"zod": "^3.22.3" "zod": "^3.22.3"
}, },
"devDependencies": { "devDependencies": {
"@types/node": "^16.18.58", "@types/node": "^16.18.62",
"@types/spdx-expression-parse": "^3.0.4", "@types/spdx-expression-parse": "^3.0.4",
"@types/spdx-satisfies": "^0.1.1", "@types/spdx-satisfies": "^0.1.1",
"@typescript-eslint/eslint-plugin": "^6.9.1", "@typescript-eslint/eslint-plugin": "^6.15.0",
"@typescript-eslint/parser": "^6.9.1", "@typescript-eslint/parser": "^6.16.0",
"@vercel/ncc": "^0.38.0", "@vercel/ncc": "^0.38.0",
"esbuild-register": "^3.5.0", "esbuild-register": "^3.5.0",
"eslint": "^8.52.0", "eslint": "^8.56.0",
"eslint-plugin-github": "^4.10.1", "eslint-plugin-github": "^4.10.1",
"eslint-plugin-jest": "^27.6.0", "eslint-plugin-jest": "^27.6.0",
"eslint-plugin-prettier": "^5.0.1", "eslint-plugin-prettier": "^5.0.1",
"js-yaml": "^4.1.0", "js-yaml": "^4.1.0",
"nodemon": "^3.0.1", "nodemon": "^3.0.2",
"prettier": "3.0.3", "prettier": "3.1.1",
"typescript": "^5.2.2" "typescript": "^5.3.2"
} }
} }
+3 -3
View File
@@ -26,9 +26,9 @@ const defaultConfig: ConfigurationOptions = {
deny_groups: [], deny_groups: [],
allow_dependencies_licenses: [ allow_dependencies_licenses: [
'pkg:npm/express@4.17.1', 'pkg:npm/express@4.17.1',
'pkg:pip/requests', 'pkg:pypi/requests',
'pkg:pip/certifi', 'pkg:pypi/certifi',
'pkg:pip/pycrypto@2.6.1' 'pkg:pypi/pycrypto@2.6.1'
], ],
comment_summary_in_pr: true, comment_summary_in_pr: true,
retry_on_snapshot_warnings: false, retry_on_snapshot_warnings: false,
+2 -1
View File
@@ -31,7 +31,8 @@ export async function compare({
url: '/repos/{owner}/{repo}/dependency-graph/compare/{basehead}', url: '/repos/{owner}/{repo}/dependency-graph/compare/{basehead}',
owner, owner,
repo, repo,
basehead: `${baseRef}...${headRef}` basehead: `${baseRef}...${headRef}`,
per_page: 5
}, },
response => { response => {
if ( if (
+23 -13
View File
@@ -1,5 +1,13 @@
import {Changes, Severity, SEVERITIES, Scope} from './schemas' import {Changes, Severity, SEVERITIES, Scope} from './schemas'
/**
* Filters changes by a severity level. Only vulnerable
* dependencies will be returned.
*
* @param severity - The severity level to filter by.
* @param changes - The array of changes to filter.
* @returns The filtered array of changes that match the specified severity level and have vulnerabilities.
*/
export function filterChangesBySeverity( export function filterChangesBySeverity(
severity: Severity, severity: Severity,
changes: Changes changes: Changes
@@ -31,7 +39,14 @@ export function filterChangesBySeverity(
filteredChanges = filteredChanges.filter( filteredChanges = filteredChanges.filter(
change => change.vulnerabilities.length > 0 change => change.vulnerabilities.length > 0
) )
return filteredChanges
// only report vulnerability additions
return filteredChanges.filter(
change =>
change.change_type === 'added' &&
change.vulnerabilities !== undefined &&
change.vulnerabilities.length > 0
)
} }
export function filterChangesByScopes( export function filterChangesByScopes(
@@ -67,25 +82,20 @@ export function filterAllowedAdvisories(
return changes return changes
} }
const filteredChanges = changes.filter(change => { const filteredChanges = changes.map(change => {
const noAdvisories = const noAdvisories =
change.vulnerabilities === undefined || change.vulnerabilities === undefined ||
change.vulnerabilities.length === 0 change.vulnerabilities.length === 0
if (noAdvisories) { if (noAdvisories) {
return true return change
} }
const newChange = {...change}
newChange.vulnerabilities = change.vulnerabilities.filter(
vuln => !ghsas.includes(vuln.advisory_ghsa_id)
)
let allAllowedAdvisories = true return newChange
// if there's at least one advisory that is not allowlisted, we will keep the change
for (const vulnerability of change.vulnerabilities) {
if (!ghsas.includes(vulnerability.advisory_ghsa_id)) {
allAllowedAdvisories = false
}
if (!allAllowedAdvisories) {
return true
}
}
}) })
return filteredChanges return filteredChanges
+4 -2
View File
@@ -32,7 +32,7 @@ export async function getInvalidLicenseChanges(
const {allow, deny} = licenses const {allow, deny} = licenses
const licenseExclusions = licenses.licenseExclusions?.map( const licenseExclusions = licenses.licenseExclusions?.map(
(pkgUrl: string) => { (pkgUrl: string) => {
return PackageURL.fromString(pkgUrl) return PackageURL.fromString(encodeURI(pkgUrl))
} }
) )
@@ -45,7 +45,9 @@ export async function getInvalidLicenseChanges(
return true return true
} }
const changeAsPackageURL = PackageURL.fromString(change.package_url) const changeAsPackageURL = PackageURL.fromString(
encodeURI(change.package_url)
)
// We want to find if the licenseExclussion list contains the PackageURL of the Change // We want to find if the licenseExclussion list contains the PackageURL of the Change
// If it does, we want to filter it out and therefore return false // If it does, we want to filter it out and therefore return false
+2 -6
View File
@@ -80,21 +80,17 @@ async function run(): Promise<void> {
return return
} }
const minSeverity = config.fail_on_severity
const scopedChanges = filterChangesByScopes(config.fail_on_scopes, changes) const scopedChanges = filterChangesByScopes(config.fail_on_scopes, changes)
const filteredChanges = filterAllowedAdvisories( const filteredChanges = filterAllowedAdvisories(
config.allow_ghsas, config.allow_ghsas,
scopedChanges scopedChanges
) )
const minSeverity = config.fail_on_severity
const vulnerableChanges = filterChangesBySeverity( const vulnerableChanges = filterChangesBySeverity(
minSeverity, minSeverity,
filteredChanges filteredChanges
).filter(
change =>
change.change_type === 'added' &&
change.vulnerabilities !== undefined &&
change.vulnerabilities.length > 0
) )
const invalidLicenseChanges = await getInvalidLicenseChanges( const invalidLicenseChanges = await getInvalidLicenseChanges(