Compare commits

...

11 Commits

Author SHA1 Message Date
Eli Reisman 05042db2b6 update dist packaging 2024-09-16 12:42:52 -07:00
Eli Reisman 6aacbe0934 add a warning message if there is room in the summary prior to cutoff 2024-09-16 12:42:35 -07:00
Eli Reisman 293ccdb6e9 add truncation escape valve to new file summary to avoid overflow 2024-09-16 12:26:36 -07:00
Henri Maurer 83c7cc6aa7 Do not list changes dependencies in summary 2024-09-16 11:29:47 -07:00
Eli Reisman b3559aa82e Merge pull request #829 from actions/elireisman/sec-findings-update
Upgrade transitive micromatch library
2024-09-16 10:04:59 -07:00
Eli Reisman 8179e6abd6 upgrade micromatch within given dependent parent pkg bounds but past security vuln 2024-09-16 09:53:44 -07:00
Eli Reisman 526b7f2f9b Merge pull request #815 from actions/dependabot/npm_and_yarn/types/node-20.16.0
Bump @types/node from 20.11.28 to 20.16.0
2024-08-19 10:31:48 -07:00
dependabot[bot] e5cb30f678 Bump @types/node from 20.11.28 to 20.16.0
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 20.11.28 to 20.16.0.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-08-19 01:33:46 +00:00
Jon Janego 90820aba8c Merge pull request #793 from actions/jonjanego-patch-1
Update CONTRIBUTING.md
2024-07-12 16:13:55 -05:00
Jon Janego 7367319600 Merge pull request #794 from actions/jonjanego-patch-2
Create pull_request_template.md
2024-07-12 16:11:24 -05:00
Jon Janego affc3a4f15 Create pull_request_template.md 2024-07-12 16:07:23 -05:00
8 changed files with 74 additions and 81 deletions
@@ -0,0 +1,7 @@
## Purpose
_Describe the purpose of this pull request_
## Related Issues
_What issues does this PR close or relate to?_
+3 -43
View File
@@ -109,42 +109,6 @@ test('prints headline as h1', () => {
expect(text).toContain('<h1>Dependency Review</h1>')
})
test('returns minimal summary in case the core.summary is too large for a PR comment', () => {
let changes: Changes = [
createTestChange({name: 'lodash', version: '1.2.3'}),
createTestChange({name: 'colors', version: '2.3.4'}),
createTestChange({name: '@foo/bar', version: '*'})
]
let minSummary: string = summary.addSummaryToSummary(
changes,
emptyInvalidLicenseChanges,
emptyChanges,
scorecard,
defaultConfig
)
// side effect DR report into core.summary as happens in main.ts
summary.addScannedDependencies(changes)
const text = core.summary.stringify()
expect(text).toContain('<h1>Dependency Review</h1>')
expect(minSummary).toContain('# Dependency Review')
expect(text).toContain('❌ 3 vulnerable package(s)')
expect(text).not.toContain('* ❌ 3 vulnerable package(s)')
expect(text).toContain('lodash')
expect(text).toContain('colors')
expect(text).toContain('@foo/bar')
expect(minSummary).toContain('* ❌ 3 vulnerable package(s)')
expect(minSummary).not.toContain('lodash')
expect(minSummary).not.toContain('colors')
expect(minSummary).not.toContain('@foo/bar')
expect(text.length).toBeGreaterThan(minSummary.length)
})
test('returns minimal summary formatted for posting as a PR comment', () => {
const OLD_ENV = process.env
@@ -232,14 +196,10 @@ test('groups dependencies with empty manifest paths together', () => {
emptyScorecard,
defaultConfig
)
summary.addScannedDependencies(changesWithEmptyManifests)
summary.addScannedFiles(changesWithEmptyManifests)
const text = core.summary.stringify()
expect(text).toContain('<summary>Unnamed Manifest</summary>')
expect(text).toContain('castore')
expect(text).toContain('connection')
expect(text).toContain('<summary>python/dist-info/METADATA</summary>')
expect(text).toContain('pygments')
expect(text).toContain('Unnamed Manifest')
expect(text).toContain('python/dist-info/METADATA')
})
test('does not include status section if nothing was found', () => {
Generated Vendored
+23 -12
View File
@@ -705,7 +705,7 @@ function run() {
createScorecardWarnings(scorecard, config);
}
core.setOutput('dependency-changes', JSON.stringify(changes));
summary.addScannedDependencies(changes);
summary.addScannedFiles(changes);
printScannedDependencies(changes);
// include full summary in output; Actions will truncate if oversized
let rendered = core.summary.stringify();
@@ -1442,7 +1442,7 @@ var __importStar = (this && this.__importStar) || function (mod) {
return result;
};
Object.defineProperty(exports, "__esModule", ({ value: true }));
exports.addDeniedToSummary = exports.addSnapshotWarnings = exports.addScorecardToSummary = exports.addScannedDependencies = exports.addLicensesToSummary = exports.addChangeVulnerabilitiesToSummary = exports.addSummaryToSummary = void 0;
exports.addDeniedToSummary = exports.addSnapshotWarnings = exports.addScorecardToSummary = exports.addScannedFiles = exports.addLicensesToSummary = exports.addChangeVulnerabilitiesToSummary = exports.addSummaryToSummary = void 0;
const core = __importStar(__nccwpck_require__(2186));
const utils_1 = __nccwpck_require__(918);
const icons = {
@@ -1450,6 +1450,7 @@ const icons = {
cross: '❌',
warning: '⚠️'
};
const MAX_SCANNED_FILES_BYTES = 1048576;
// generates the DR report summmary and caches it to the Action's core.summary.
// returns the DR summary string, ready to be posted as a PR comment if the
// final DR report is too large
@@ -1631,19 +1632,29 @@ function formatLicense(license) {
}
return license;
}
function addScannedDependencies(changes) {
const dependencies = (0, utils_1.groupDependenciesByManifest)(changes);
const manifests = dependencies.keys();
const summary = core.summary.addHeading('Scanned Manifest Files', 2);
for (const manifest of manifests) {
const deps = dependencies.get(manifest);
if (deps) {
const dependencyNames = deps.map(dependency => `<li>${dependency.name}@${dependency.version}</li>`);
summary.addDetails(manifest, `<ul>${dependencyNames.join('')}</ul>`);
function addScannedFiles(changes) {
const manifests = Array.from((0, utils_1.groupDependenciesByManifest)(changes).keys()).sort();
let sf_size = 0;
let trunc_at = -1;
for (const [index, entry] of manifests.entries()) {
if (sf_size + entry.length >= MAX_SCANNED_FILES_BYTES) {
trunc_at = index;
break;
}
sf_size += entry.length;
}
if (trunc_at >= 0) {
// truncate the manifests list if it will overflow the summary output
manifests.slice(0, trunc_at);
// if there's room between cutoff size and list size, add a warning
const size_diff = MAX_SCANNED_FILES_BYTES - sf_size;
if (size_diff < 12) {
manifests.push('(truncated)');
}
}
core.summary.addHeading('Scanned Files', 2).addList(manifests);
}
exports.addScannedDependencies = addScannedDependencies;
exports.addScannedFiles = addScannedFiles;
function snapshotWarningRecommendation(config, warnings) {
const no_pr_snaps = warnings.includes('No snapshots were found for the head SHA');
const retries_disabled = !config.retry_on_snapshot_warnings;
Generated Vendored
+1 -1
View File
File diff suppressed because one or more lines are too long
+12 -11
View File
@@ -2105,11 +2105,11 @@
}
},
"node_modules/@types/node": {
"version": "20.11.28",
"resolved": "https://registry.npmjs.org/@types/node/-/node-20.11.28.tgz",
"integrity": "sha512-M/GPWVS2wLkSkNHVeLkrF2fD5Lx5UC4PxA0uZcKc6QqbIQUJyW1jVjueJYi1z8n0I5PxYrtpnPnWglE+y9A0KA==",
"version": "20.16.0",
"resolved": "https://registry.npmjs.org/@types/node/-/node-20.16.0.tgz",
"integrity": "sha512-vDxceJcoZhIVh67S568bm1UGZO0DX0hpplJZxzeXMKwIPLn190ec5RRxQ69BKhX44SUGIxxgMdDY557lGLKprQ==",
"dependencies": {
"undici-types": "~5.26.4"
"undici-types": "~6.19.2"
}
},
"node_modules/@types/semver": {
@@ -6341,11 +6341,12 @@
}
},
"node_modules/micromatch": {
"version": "4.0.5",
"resolved": "https://registry.npmjs.org/micromatch/-/micromatch-4.0.5.tgz",
"integrity": "sha512-DMy+ERcEW2q8Z2Po+WNXuw3c5YaUSFjAO5GsJqfEl7UjvtIuFKO6ZrKvcItdy98dwFI2N1tg3zNIdKaQT+aNdA==",
"version": "4.0.8",
"resolved": "https://registry.npmjs.org/micromatch/-/micromatch-4.0.8.tgz",
"integrity": "sha512-PXwfBhYu0hBCPw8Dn0E+WDYb7af3dSLVWKi3HGv84IdF4TyFoC0ysxFd0Goxw7nSv4T/PzEJQxsYsEiFCKo2BA==",
"license": "MIT",
"dependencies": {
"braces": "^3.0.2",
"braces": "^3.0.3",
"picomatch": "^2.3.1"
},
"engines": {
@@ -7913,9 +7914,9 @@
}
},
"node_modules/undici-types": {
"version": "5.26.5",
"resolved": "https://registry.npmjs.org/undici-types/-/undici-types-5.26.5.tgz",
"integrity": "sha512-JlCMO+ehdEIKqlFxk6IfVoAUVmgz7cU7zD/h9XZ0qzeosSHmUJVOzSQvvYSYWXkFXC+IfLKSIffhv0sVZup6pA=="
"version": "6.19.6",
"resolved": "https://registry.npmjs.org/undici-types/-/undici-types-6.19.6.tgz",
"integrity": "sha512-e/vggGopEfTKSvj4ihnOLTsqhrKRN3LeO6qSN/GxohhuRv8qH9bNQ4B8W7e/vFL+0XTnmHPB4/kegunZGA4Org=="
},
"node_modules/universal-github-app-jwt": {
"version": "1.1.2",
+1 -1
View File
@@ -143,7 +143,7 @@ async function createSummary(
...licenseIssues.unlicensed
]
summary.addScannedDependencies(allChanges)
summary.addScannedFiles(allChanges)
const text = core.summary.stringify()
await fs.promises.writeFile(path.resolve(tmpDir, fileName), text, {
+1 -1
View File
@@ -166,7 +166,7 @@ async function run(): Promise<void> {
}
core.setOutput('dependency-changes', JSON.stringify(changes))
summary.addScannedDependencies(changes)
summary.addScannedFiles(changes)
printScannedDependencies(changes)
// include full summary in output; Actions will truncate if oversized
+26 -12
View File
@@ -1,7 +1,7 @@
import * as core from '@actions/core'
import {ConfigurationOptions, Changes, Change, Scorecard} from './schemas'
import {SummaryTableRow} from '@actions/core/lib/summary'
import {InvalidLicenseChanges, InvalidLicenseChangeTypes} from './licenses'
import {Change, Changes, ConfigurationOptions, Scorecard} from './schemas'
import {groupDependenciesByManifest, getManifestsSet, renderUrl} from './utils'
const icons = {
@@ -10,6 +10,8 @@ const icons = {
warning: '⚠️'
}
const MAX_SCANNED_FILES_BYTES = 1048576
// generates the DR report summmary and caches it to the Action's core.summary.
// returns the DR summary string, ready to be posted as a PR comment if the
// final DR report is too large
@@ -263,21 +265,33 @@ function formatLicense(license: string | null): string {
return license
}
export function addScannedDependencies(changes: Changes): void {
const dependencies = groupDependenciesByManifest(changes)
const manifests = dependencies.keys()
export function addScannedFiles(changes: Changes): void {
const manifests = Array.from(
groupDependenciesByManifest(changes).keys()
).sort()
const summary = core.summary.addHeading('Scanned Manifest Files', 2)
let sf_size = 0
let trunc_at = -1
for (const manifest of manifests) {
const deps = dependencies.get(manifest)
if (deps) {
const dependencyNames = deps.map(
dependency => `<li>${dependency.name}@${dependency.version}</li>`
)
summary.addDetails(manifest, `<ul>${dependencyNames.join('')}</ul>`)
for (const [index, entry] of manifests.entries()) {
if (sf_size + entry.length >= MAX_SCANNED_FILES_BYTES) {
trunc_at = index
break
}
sf_size += entry.length
}
if (trunc_at >= 0) {
// truncate the manifests list if it will overflow the summary output
manifests.slice(0, trunc_at)
// if there's room between cutoff size and list size, add a warning
const size_diff = MAX_SCANNED_FILES_BYTES - sf_size
if (size_diff < 12) {
manifests.push('(truncated)')
}
}
core.summary.addHeading('Scanned Files', 2).addList(manifests)
}
function snapshotWarningRecommendation(