Compare commits
55 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 3c42649204 | |||
| 8e6ea8d29b | |||
| 1b3d2772d0 | |||
| 220872c81a | |||
| 087d0f81a5 | |||
| 4531204be7 | |||
| df1ca890c5 | |||
| 97c6dd59c3 | |||
| 0bec1ca5b4 | |||
| 5460632ba9 | |||
| f7aca4f481 | |||
| 1988567896 | |||
| 1e26117d02 | |||
| b1e704b9d6 | |||
| 48fae2e703 | |||
| 8d625cd32e | |||
| 3afc0d4eaa | |||
| bc8dee91fe | |||
| 0669e2939d | |||
| fd46ab736e | |||
| 551e0b82bd | |||
| fbfa3f19c8 | |||
| 89204de987 | |||
| 6d4e634e06 | |||
| 4c5eeccebb | |||
| f6e67d2f8d | |||
| eb0576373a | |||
| 981e960c8c | |||
| 87b53ae475 | |||
| c601a5a741 | |||
| 5751523f41 | |||
| 3fe3159bb9 | |||
| 2d3c93c0e0 | |||
| 9770b8da2c | |||
| d5b8317942 | |||
| d3670a3e49 | |||
| f38966fbec | |||
| 9eb0dccbc9 | |||
| 258a2295c6 | |||
| 4c0a483c95 | |||
| 339e2e1bfc | |||
| 40cd879447 | |||
| d11eeb39d8 | |||
| 82ab8f69c7 | |||
| 432d8e7efe | |||
| 0c155c5e85 | |||
| f3dac32d35 | |||
| d0d5cc3ec4 | |||
| 49fbbe0acb | |||
| e58c696e52 | |||
| 9b7c72ddcd | |||
| 7dcfabfea2 | |||
| 2a28e93881 | |||
| 671683931a | |||
| b0986c2fe0 |
@@ -0,0 +1,37 @@
|
||||
---
|
||||
name: Bug report
|
||||
about: Create a bug report to help us improve
|
||||
title: "[BUG] "
|
||||
labels: bug
|
||||
assignees: ''
|
||||
|
||||
---
|
||||
|
||||
**Describe the bug**
|
||||
A clear and concise description of what the bug is.
|
||||
|
||||
**To Reproduce**
|
||||
Steps to reproduce the behavior:
|
||||
1. Go to '...'
|
||||
2. Click on '....'
|
||||
3. Scroll down to '....'
|
||||
4. See error
|
||||
|
||||
**Expected behavior**
|
||||
A clear and concise description of what you expected to happen.
|
||||
|
||||
**Screenshots**
|
||||
If applicable, add screenshots to help explain your problem.
|
||||
|
||||
**Action version**
|
||||
What version of the action are you using in your workflow?
|
||||
|
||||
_Note: if you're not running the [latest release](https://github.com/actions/dependency-review-action/releases/latest) please try that first!_
|
||||
|
||||
**Examples**
|
||||
If possible, please link to a public example of the issue that you're encountering, or a copy of the workflow that you're using to run the action.
|
||||
|
||||
If you have encountered a problem with a specific package (e.g. issue with license or attributions data) please share details about the package, as well as a link to the manifest where it's being referenced.
|
||||
|
||||
**Additional context**
|
||||
Add any other context about the problem here.
|
||||
@@ -0,0 +1,5 @@
|
||||
blank_issues_enabled: false
|
||||
contact_links:
|
||||
- name: GitHub Security Bug Bounty
|
||||
url: https://bounty.github.com/
|
||||
about: If you believe that you've found a security issue, please report security vulnerabilities here.
|
||||
@@ -0,0 +1,20 @@
|
||||
---
|
||||
name: Feature request
|
||||
about: Suggest an idea for this project
|
||||
title: ''
|
||||
labels: enhancement
|
||||
assignees: ''
|
||||
|
||||
---
|
||||
|
||||
**Is your feature request related to a problem? Please describe.**
|
||||
A clear and concise description of what the problem is. e.g. I'm always frustrated when [...]
|
||||
|
||||
**Describe the solution you'd like**
|
||||
A clear and concise description of what you want to happen.
|
||||
|
||||
**Describe alternatives you've considered**
|
||||
A clear and concise description of any alternative solutions or features you've considered.
|
||||
|
||||
**Additional context**
|
||||
Add any other context or screenshots about the feature request here.
|
||||
+56
-38
@@ -4,41 +4,52 @@
|
||||
[pr]: https://github.com/actions/dependency-review-action/compare
|
||||
[code-of-conduct]: CODE_OF_CONDUCT.md
|
||||
|
||||
Hi there! We're thrilled that you'd like to contribute to this project. Your help is essential for keeping it great.
|
||||
Hi there! We're thrilled that you'd like to contribute to this project.
|
||||
|
||||
Contributions to this project are
|
||||
[released](https://help.github.com/articles/github-terms-of-service/#6-contributions-under-repository-license)
|
||||
to the public under the [project's open source license](LICENSE).
|
||||
Contributions to this project are [released](https://help.github.com/articles/github-terms-of-service/#6-contributions-under-repository-license) to the public under the [project's open source license](LICENSE).
|
||||
|
||||
Please note that this project is released with a [Contributor Code of
|
||||
Conduct][code-of-conduct]. By participating in this project you agree
|
||||
to abide by its terms.
|
||||
Please note that this project is released with a [Contributor Code of Conduct][code-of-conduct]. By participating in this project you agree to abide by its terms.
|
||||
|
||||
### How it works
|
||||
## Bug reports and other issues
|
||||
|
||||
This Action makes an authenticated query to the Dependency Graph Diff
|
||||
API endpoint (`GET /repos/{owner}/{repo}/dependency-graph/compare/{basehead}`)
|
||||
to find out the set of added and removed dependencies for each manifest.
|
||||
If you've encountered a problem, please let us know by [submitting an issue](https://github.com/actions/dependency-review-action/issues/new)!
|
||||
|
||||
### Bootstrapping the project
|
||||
## Enhancements and feature requests
|
||||
|
||||
```
|
||||
git clone https://github.com/actions/dependency-review-action.git
|
||||
cd dependency-review-action
|
||||
npm install
|
||||
```
|
||||
If you've got an idea for a new feature, please submit as [an issue](https://github.com/actions/dependency-review-action/issues/new) so that the community can see it, and we can discuss it there. We may not be able to respond to every single issue, but will make a best effort!
|
||||
|
||||
### Running the tests
|
||||
If you'd like to make a contribution yourself, we ask that before significant effort is put into code changes, that we have agreement that the change aligns with our strategy for the action. Since this is a verified Action owned by GitHub we want to make sure that contributions are high quality, and that they maintain consistency with the rest of the action's behavior.
|
||||
|
||||
```
|
||||
npm run test
|
||||
```
|
||||
1. Create an [issue discussing the idea](https://github.com/actions/dependency-review-action/issues/new), so that we can discuss it there.
|
||||
2. If we agree to incorporate the idea into the action, please write-up a high level summary of the approach that you plan to take so we can review
|
||||
|
||||
_Note_: We don't have any useful tests yet, contributions are welcome!
|
||||
## Stalebot
|
||||
|
||||
## Local Development
|
||||
We have begun using a [Stalebot action](https://github.com/actions/stale) to help keep the Issues and Pull requests backlogs tidy. You can see the configuration [here](.github/workflows/stalebot.yml). If you'd like to keep an issue open after getting a stalebot warning, simply comment on it and it'll reset the clock.
|
||||
|
||||
## Development lifecycle
|
||||
|
||||
Ready to contribute to `dependency-review-action`? Here is some information to help you get started.
|
||||
|
||||
### High level overview of the action
|
||||
|
||||
This action makes an authenticated query to the [Dependency Review API](https://docs.github.com/en/rest/dependency-graph/dependency-review) endpoint (`GET /repos/{owner}/{repo}/dependency-graph/compare/{basehead}`) to find out the set of added and removed dependencies for each manifest.
|
||||
|
||||
The action then evaluates the differences between the pushes based on the the rules defined in the action configuration, and summarizes the differences and any violations of the rules you have defined as a comment in the pull request that triggered it and the action outputs.
|
||||
|
||||
### Local Development
|
||||
|
||||
Before you begin, you need to have [Node.js](https://nodejs.org/en/) installed, minimum version 18.
|
||||
|
||||
#### Bootstrapping the project
|
||||
|
||||
0. [Fork][fork] and clone the repository
|
||||
1. Change to the working directory: `cd dependency-review-action`
|
||||
2. Install the dependencies: `npm install`
|
||||
3. Make sure the tests pass on your machine: `npm run test`
|
||||
|
||||
#### Manually testing for vulnerabilities
|
||||
|
||||
It is recommended to have atleast [Node 18](https://nodejs.org/en/) installed.
|
||||
We have a script to scan a given PR for vulnerabilities, this will
|
||||
help you test your local changes. Make sure to [grab a Personal Access Token (PAT)](https://github.com/settings/tokens) before proceeding (you'll need `repo` permissions for private repos):
|
||||
|
||||
@@ -53,7 +64,7 @@ $ GITHUB_TOKEN=<token> ./scripts/scan_pr <pr_url>
|
||||
Like this:
|
||||
|
||||
```sh
|
||||
$ GITHUB_TOKEN=my-secret-token ./scripts/scan_pr https://github.com/actions/dependency-review-action/pull/3
|
||||
$ GITHUB_TOKEN=<token> ./scripts/scan_pr https://github.com/actions/dependency-review-action/pull/3
|
||||
```
|
||||
|
||||
[Configuration options](README.md#configuration-options) can be set by
|
||||
@@ -64,16 +75,20 @@ passing an external YAML [configuration file](README.md#configuration-file) to t
|
||||
$ GITHUB_TOKEN=<token> ./scripts/scan_pr --config-file my_custom_config.yml <pr_url>
|
||||
```
|
||||
|
||||
## Submitting a pull request
|
||||
#### Running unit tests
|
||||
|
||||
0. [Fork][fork] and clone the repository
|
||||
1. Configure and install the dependencies: `npm install`
|
||||
2. Make sure the tests pass on your machine: `npm run test`
|
||||
3. Create a new branch: `git checkout -b my-branch-name`
|
||||
4. Make your change, add tests, and make sure the tests still pass
|
||||
5. Make sure to build and package before pushing: `npm run build && npm run package`
|
||||
6. Push to your fork and [submit a pull request][pr]
|
||||
7. Pat your self on the back and wait for your pull request to be reviewed and merged.
|
||||
```
|
||||
npm run test
|
||||
```
|
||||
|
||||
_Note_: We don't a very comprehensive test suite, so any contributions to the existing tests are welcome!
|
||||
|
||||
### Submitting a pull request
|
||||
|
||||
1. Create a new branch: `git checkout -b my-branch-name`
|
||||
2. Make your change, add tests, and make sure the tests still pass
|
||||
3. Make sure to build and package before pushing: `npm run build && npm run package`
|
||||
4. Push to your fork and [submit a pull request][pr]
|
||||
|
||||
Here are a few things you can do that will increase the likelihood of your pull request being accepted:
|
||||
|
||||
@@ -82,9 +97,14 @@ Here are a few things you can do that will increase the likelihood of your pull
|
||||
- Write a [good commit message](https://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html).
|
||||
- Add examples of the usage to [examples.md](docs/examples.md)
|
||||
- Link to a sample PR in a custom repository running your version of the Action.
|
||||
- Please be responsive to any questions and feedback that you get from a maintainer of the repo!
|
||||
|
||||
## Cutting a new release
|
||||
|
||||
<details>
|
||||
|
||||
_Note: these instructions are for maintainers_
|
||||
|
||||
1. Update the version number in [package.json](https://github.com/actions/dependency-review-action/blob/main/package.json) and run `npm i` to update the lockfile.
|
||||
1. Go to [Draft a new
|
||||
release](https://github.com/actions/dependency-review-action/releases/new)
|
||||
@@ -117,13 +137,11 @@ To do this just checkout `main`, force-create a new annotated tag, and push it:
|
||||
git tag -fa v4 -m "Updating v4 to 4.0.1"
|
||||
git push origin v4 --force
|
||||
```
|
||||
</details>
|
||||
|
||||
## Stalebot
|
||||
|
||||
We have begun using a [Stalebot action](https://github.com/actions/stale) to help keep the Issues and Pull requests backlogs tidy. You can see the configuration [here](.github/workflows/stalebot.yml). If you'd like to keep an issue open after getting a stalebot warning, simply comment on it and it'll reset the clock.
|
||||
|
||||
## Resources
|
||||
|
||||
- [Creating JavaScript GitHub actions](https://docs.github.com/en/actions/creating-actions/creating-a-javascript-action)
|
||||
- [How to Contribute to Open Source](https://opensource.guide/how-to-contribute/)
|
||||
- [Using Pull Requests](https://help.github.com/articles/about-pull-requests/)
|
||||
- [GitHub Help](https://help.github.com)
|
||||
|
||||
@@ -1,70 +1,103 @@
|
||||
# dependency-review-action
|
||||
|
||||
This action scans your pull requests for dependency changes, and will
|
||||
raise an error if any vulnerabilities or invalid licenses are being introduced. The action is supported by an [API endpoint](https://docs.github.com/rest/dependency-graph/dependency-review) that diffs the dependencies between any two revisions on your default branch.
|
||||
- [Overview](#overview)
|
||||
- [Installation](#installation)
|
||||
- [Configuration](#configuration)
|
||||
- [Using dependency review action to block a pull request from being merged](#using-dependency-review-action-to-block-a-pull-request-from-being-merged)
|
||||
- [Outputs](#outputs)
|
||||
- [Getting help](#getting-help)
|
||||
- [Contributing](#contributing)
|
||||
- [License](#license)
|
||||
|
||||
The action is available for all public repositories, as well as private repositories that have GitHub Advanced Security licensed.
|
||||
## Overview
|
||||
|
||||
You can see the results on the job logs:
|
||||
The dependency review action scans your pull requests for dependency changes, and will raise an error if any vulnerabilities or invalid licenses are being introduced.
|
||||
The action is supported by an [API endpoint](https://docs.github.com/en/rest/dependency-graph/dependency-review?apiVersion=2022-11-28) that diffs the dependencies between any two revisions on your default branch.
|
||||
|
||||
<img width="850" alt="GitHub workflow run log showing Dependency Review job output" src="https://user-images.githubusercontent.com/2161/161042286-b22d7dd3-13cb-458d-8744-ce70ed9bf562.png">
|
||||
The action is available for:
|
||||
- Public repositories
|
||||
- Private repositories with a [GitHub Advanced Security](https://docs.github.com/en/enterprise-cloud@latest/get-started/learning-about-github/about-github-advanced-security) license.
|
||||
|
||||
or on the job summary:
|
||||
### Viewing the results
|
||||
|
||||
<img width="850" alt="GitHub job summary showing Dependency Review output" src="https://github.com/actions/dependency-review-action/assets/2161/42fbed1d-64a7-42bf-9b05-c416bc67493f">
|
||||
When the action runs, you can see the results on:
|
||||
|
||||
- The **job logs** page.
|
||||
1. Go to the **Actions** tab for the repository and select the relevant workflow run.
|
||||
1. Then under "Jobs", click **dependency review**.
|
||||
|
||||
<img width="850" alt="GitHub workflow run log showing Dependency Review job output" src="https://user-images.githubusercontent.com/2161/161042286-b22d7dd3-13cb-458d-8744-ce70ed9bf562.png">
|
||||
|
||||
- The **job summary** page.
|
||||
1. Go to the **Actions** tab for the repository and select the relevant workflow run.
|
||||
1. Click **Summary**, then scroll to "dependency-review summary".
|
||||
|
||||
<img width="850" alt="GitHub job summary showing Dependency Review output" src="https://github.com/actions/dependency-review-action/assets/2161/42fbed1d-64a7-42bf-9b05-c416bc67493f">
|
||||
|
||||
## Installation
|
||||
|
||||
**Please keep in mind that you need a [GitHub Advanced Security](https://docs.github.com/enterprise-cloud@latest/get-started/learning-about-github/about-github-advanced-security) license if you're running this action on private repositories.**
|
||||
- [Installation (standard)](#installation)
|
||||
- [Installation (GitHub Enterprise Server)](#installation-github-enterprise-server)
|
||||
|
||||
#### Installation (standard)
|
||||
|
||||
You can install the action on any public repository, or any organization-owned private repository, provided the organization has a GitHub Advanced Security license.
|
||||
|
||||
1. Add a new YAML workflow to your `.github/workflows` folder:
|
||||
|
||||
```yaml
|
||||
name: 'Dependency Review'
|
||||
on: [pull_request]
|
||||
```yaml
|
||||
name: 'Dependency Review'
|
||||
on: [pull_request]
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
dependency-review:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: 'Checkout Repository'
|
||||
uses: actions/checkout@v4
|
||||
- name: 'Dependency Review'
|
||||
uses: actions/dependency-review-action@v4
|
||||
```
|
||||
jobs:
|
||||
dependency-review:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: 'Checkout Repository'
|
||||
uses: actions/checkout@v4
|
||||
- name: 'Dependency Review'
|
||||
uses: actions/dependency-review-action@v4
|
||||
```
|
||||
|
||||
### GitHub Enterprise Server
|
||||
#### Installation (GitHub Enterprise Server)
|
||||
|
||||
Make sure
|
||||
[GitHub Advanced
|
||||
Security](https://docs.github.com/enterprise-server@3.8/admin/code-security/managing-github-advanced-security-for-your-enterprise/enabling-github-advanced-security-for-your-enterprise)
|
||||
and [GitHub
|
||||
Connect](https://docs.github.com/enterprise-server@3.8/admin/github-actions/managing-access-to-actions-from-githubcom/enabling-automatic-access-to-githubcom-actions-using-github-connect)
|
||||
are enabled, and that you have installed the [dependency-review-action](https://github.com/actions/dependency-review-action) on the server.
|
||||
You can install the action on repositories on GitHub Enterprise Server.
|
||||
|
||||
You can use the same workflow as above, replacing the `runs-on` value
|
||||
with the label of any of your runners (the default label
|
||||
is `self-hosted`):
|
||||
1. Ensure [GitHub Advanced Security](https://docs.github.com/en/enterprise-server@latest/admin/code-security/managing-github-advanced-security-for-your-enterprise/enabling-github-advanced-security-for-your-enterprise) and [GitHub Connect](https://docs.github.com/en/enterprise-server@latest/admin/github-actions/managing-access-to-actions-from-githubcom/enabling-automatic-access-to-githubcom-actions-using-github-connect) are enabled for the enterprise.
|
||||
2. Ensure you have installed the [dependency-review-action](https://github.com/actions/dependency-review-action) on the server.
|
||||
3. Add a new YAML workflow to your `.github/workflows` folder:
|
||||
|
||||
```yaml
|
||||
# ...
|
||||
``` yaml
|
||||
name: 'Dependency Review'
|
||||
on: [pull_request]
|
||||
|
||||
jobs:
|
||||
dependency-review:
|
||||
runs-on: self-hosted
|
||||
steps:
|
||||
- name: 'Checkout Repository'
|
||||
uses: actions/checkout@v4
|
||||
- name: 'Dependency Review'
|
||||
uses: actions/dependency-review-action@v4
|
||||
```
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
## Configuration options
|
||||
jobs:
|
||||
dependency-review:
|
||||
runs-on: self-hosted
|
||||
steps:
|
||||
- name: 'Checkout Repository'
|
||||
uses: actions/checkout@v4
|
||||
- name: 'Dependency Review'
|
||||
uses: actions/dependency-review-action@v4
|
||||
```
|
||||
5. In the workflow file, replace the `runs-on` value with the label of any of your runners. (The default value is `self-hosted`.)
|
||||
|
||||
Configure this action by either inlining these options in your workflow file, or by using an external configuration file. All configuration options are optional.
|
||||
## Configuration
|
||||
|
||||
- [Configuration options](#configuration-options)
|
||||
- [Configuration methods](#configuration-methods)
|
||||
|
||||
### Configuration options
|
||||
|
||||
There are various configuration options you can use to specify settings for the dependency review action.
|
||||
|
||||
All configuration options are optional.
|
||||
|
||||
| Option | Usage | Possible values | Default value |
|
||||
| -------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------ | ------------- |
|
||||
@@ -83,94 +116,119 @@ Configure this action by either inlining these options in your workflow file, or
|
||||
| `retry-on-snapshot-warnings`\* | Enable or disable retrying the action every 10 seconds while waiting for dependency submission actions to complete. | `true`, `false` | `false` |
|
||||
| `retry-on-snapshot-warnings-timeout`\* | Maximum amount of time (in seconds) to retry the action while waiting for dependency submission actions to complete. | Any positive integer | 120 |
|
||||
| `warn-only`+ | When set to `true`, the action will log all vulnerabilities as warnings regardless of the severity, and the action will complete with a `success` status. This overrides the `fail-on-severity` option. | `true`, `false` | `false` |
|
||||
| `show-openssf-scorecard-levels` | When set to `true`, the action will output information about all the known OpenSSF Scorecard scores for the dependencies changed in this pull request. | `true`, `false` | `true` |
|
||||
| `show-openssf-scorecard` | When set to `true`, the action will output information about all the known OpenSSF Scorecard scores for the dependencies changed in this pull request. | `true`, `false` | `true` |
|
||||
| `warn-on-openssf-scorecard-level` | When `show-openssf-scorecard-levels` is set to `true`, this option lets you configure the threshold for when a score is considered too low and gets a :warning: warning in the CI. | Any positive integer | 3 |
|
||||
|
||||
\*not supported for use with GitHub Enterprise Server
|
||||
> [!NOTE]
|
||||
> - \* Not supported for use with GitHub Enterprise Server. (Checking for licenses is not supported on GitHub Enterprise Server because the API does not return license information.)
|
||||
> - \+ When `warn-only` is set to `true`, all vulnerabilities, independently of the severity, will be reported as warnings and the action will not fail.
|
||||
> - The `allow-licenses` and `deny-licenses` options are mutually exclusive; an error will be raised if you provide both.
|
||||
> - If we can't detect the license for a dependency **we will inform you, but the action won't fail**.
|
||||
|
||||
+when `warn-only` is set to `true`, all vulnerabilities, independently of the severity, will be reported as warnings and the action will not fail.
|
||||
### Configuration methods
|
||||
|
||||
### Inline Configuration
|
||||
To specify settings for the dependency review action, you can choose from two options:
|
||||
- [Option 1: Inline the configuration options]() in your workflow file.
|
||||
- [Option 2: Reference an external configuration file]() in your workflow file.
|
||||
|
||||
You can pass options to the Dependency Review GitHub Action using your workflow file.
|
||||
#### Option 1: Using inline configuration
|
||||
|
||||
#### Example
|
||||
You can pass configuration options to the dependency review action using your workflow file.
|
||||
|
||||
```yaml
|
||||
name: 'Dependency Review'
|
||||
on: [pull_request]
|
||||
permissions:
|
||||
contents: read
|
||||
jobs:
|
||||
dependency-review:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: 'Checkout Repository'
|
||||
uses: actions/checkout@v4
|
||||
- name: Dependency Review
|
||||
uses: actions/dependency-review-action@v4
|
||||
with:
|
||||
fail-on-severity: moderate
|
||||
1. In the same YAML workflow file you created during installation, use the `with:` key to specify your chosen settings:
|
||||
```yaml
|
||||
name: 'Dependency Review'
|
||||
on: [pull_request]
|
||||
permissions:
|
||||
contents: read
|
||||
jobs:
|
||||
dependency-review:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: 'Checkout Repository'
|
||||
uses: actions/checkout@v4
|
||||
- name: Dependency Review
|
||||
uses: actions/dependency-review-action@v4
|
||||
with:
|
||||
fail-on-severity: moderate
|
||||
|
||||
# Use comma-separated names to pass list arguments:
|
||||
deny-licenses: LGPL-2.0, BSD-2-Clause
|
||||
```
|
||||
# Use comma-separated names to pass list arguments:
|
||||
deny-licenses: LGPL-2.0, BSD-2-Clause
|
||||
```
|
||||
|
||||
### Configuration File
|
||||
#### Option 2: Using an external configuration file
|
||||
|
||||
You can use an external configuration file to specify the settings for this action. It can be a local file or a file in an external repository. Refer to the following options for the specification.
|
||||
You can use an external configuration file to specify settings for this action. The file can be a local file or a file in an external repository.
|
||||
|
||||
| Option | Usage | Possible values |
|
||||
| --------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------ |
|
||||
| `config-file` | A path to a file in the current repository or an external repository. Use this syntax for external files: `OWNER/REPOSITORY/FILENAME@BRANCH` | **Local file**: `./.github/dependency-review-config.yml` <br> **External repo**: `github/octorepo/dependency-review-config.yml@main` |
|
||||
| `external-repo-token` | Specifies a token for fetching the configuration file. It is required if the file resides in a private external repository and for all GitHub Enterprise Server repositories. Create a token in [developer settings](https://github.com/settings/tokens). | Any token with `read` permissions to the repository hosting the config file. |
|
||||
1. In the same YAML workflow file you created during installation, use `config-file` to specify that you are using an external configuration file.
|
||||
|
||||
#### Example
|
||||
```yaml
|
||||
name: 'Dependency Review'
|
||||
on: [pull_request]
|
||||
permissions:
|
||||
contents: read
|
||||
jobs:
|
||||
dependency-review:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: 'Checkout Repository'
|
||||
uses: actions/checkout@v4
|
||||
- name: Dependency Review
|
||||
uses: actions/dependency-review-action@v4
|
||||
with:
|
||||
config-file: './.github/dependency-review-config.yml'
|
||||
```
|
||||
| Option | Usage | Possible values |
|
||||
|--------------------- | ----------- | ----------------------------- |
|
||||
| `config-file` | A path to a file in the current repository or an external repository. Use this syntax for external files: `OWNER/REPOSITORY/FILENAME@BRANCH` | **Local file**: `./.github/dependency-review-config.yml` <br> **External repo**: `github/octorepo/dependency-review-config.yml@main` |
|
||||
2. Optionally, if the file resides in a private external repository, and for all GitHub Enterprise Server repositories, use `external-repo-token` to specify a token for fetching the file.
|
||||
|
||||
Start by specifying that you will be using an external configuration file:
|
||||
```yaml
|
||||
- name: Dependency Review
|
||||
uses: actions/dependency-review-action@v4
|
||||
with:
|
||||
config-file: 'github/octorepo/dependency-review-config.yml@main'
|
||||
external-repo-token: 'ghp_123456789abcde'
|
||||
```
|
||||
|
||||
```yaml
|
||||
- name: Dependency Review
|
||||
uses: actions/dependency-review-action@v4
|
||||
with:
|
||||
config-file: './.github/dependency-review-config.yml'
|
||||
```
|
||||
| Option | Usage | Possible values |
|
||||
|--------------------- | ----------- | ----------------------------- |
|
||||
| `external-repo-token` | Specifies a token for fetching the configuration file. It is required if the file resides in a private external repository and for all GitHub Enterprise Server repositories. Create a token in [developer settings](https://github.com/settings/tokens). | Any token with `read` permissions to the repository hosting the config file. |
|
||||
3. Create the configuration file in the path you specified for `config-file`.
|
||||
4. In the configuration file, specify your chosen settings.
|
||||
```yaml
|
||||
fail_on_severity: 'critical'
|
||||
allow_licenses:
|
||||
- 'GPL-3.0'
|
||||
- 'BSD-3-Clause'
|
||||
- 'MIT'
|
||||
```
|
||||
> [!NOTE]
|
||||
> For external configuration files, the option names use underscores instead of dashes.
|
||||
> Example: `fail_on_severity`
|
||||
|
||||
And then create the file in the path you just specified. Please note
|
||||
that the **option names in external files use underscores instead of dashes**:
|
||||
#### Further information
|
||||
|
||||
```yaml
|
||||
fail_on_severity: 'critical'
|
||||
allow_licenses:
|
||||
- 'GPL-3.0'
|
||||
- 'BSD-3-Clause'
|
||||
- 'MIT'
|
||||
```
|
||||
- For more examples of how to use this action and its configuration options, see the [examples](docs/examples.md) page.
|
||||
- For general information about dependency review on GitHub, see "[About dependency review](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review)" in the GitHub Docs documentation.
|
||||
|
||||
For more examples of how to use this action and its configuration options, see the [examples](docs/examples.md) page.
|
||||
## Using dependency review action to block a pull request from being merged
|
||||
|
||||
### Considerations
|
||||
|
||||
- Checking for licenses is not supported on Enterprise Server as the API does not return license information.
|
||||
- The `allow-licenses` and `deny-licenses` options are mutually exclusive; an error will be raised if you provide both.
|
||||
- We don't have license information for all of your dependents. If we can't detect the license for a dependency **we will inform you, but the action won't fail**.
|
||||
|
||||
## Blocking pull requests
|
||||
|
||||
The Dependency Review GitHub Action check will only block a pull request from being merged if the repository owner has required the check to pass before merging. For more information, see the [documentation on protected branches](https://docs.github.com/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#require-status-checks-before-merging).
|
||||
You can configure your repository to block a pull request from being merged if the pull request fails the dependency review action check. To do this, the repository owner must configure branch protection settings that require the check to pass before merging. For more information, see "[Require status checks before merging](https://docs.github.com/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#require-status-checks-before-merging)" in GitHub Docs documentation.
|
||||
|
||||
## Outputs
|
||||
|
||||
Dependency review action can create [outputs](https://docs.github.com/en/actions/using-jobs/defining-outputs-for-jobs), so that data from its execution can be used by other jobs in a workflow.
|
||||
|
||||
- `comment-content` is generated with the same content as would be present in a Dependency Review Action comment.
|
||||
- `dependency-changes` holds all dependency changes in a JSON format. The following outputs are subsets of `dependency-changes` filtered based on the configuration:
|
||||
- `vulnerable-changes` holds information about dependency changes with vulnerable dependencies in a JSON format.
|
||||
- `invalid-license-changes` holds information about invalid or non-compliant license dependency changes in a JSON format.
|
||||
- `denied-changes` holds information about denied dependency changes in a JSON format.
|
||||
- `vulnerable-changes` holds information about dependency changes with vulnerable dependencies in a JSON format.
|
||||
- `invalid-license-changes` holds information about invalid or non-compliant license dependency changes in a JSON format.
|
||||
- `denied-changes` holds information about denied dependency changes in a JSON format.
|
||||
|
||||
> [!NOTE]
|
||||
> Action outputs are unicode strings [with a 1MB size limit](https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#outputs-for-docker-container-and-javascript-actions).
|
||||
|
||||
> [!IMPORTANT]
|
||||
> Action outputs are unicode strings [with a 1MB size limit](https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#outputs-for-docker-container-and-javascript-actions).
|
||||
>
|
||||
> If you use these outputs in a run-step, you must store the output data in an environment variable instead of using the output directly. Using an output directly might break shell scripts. For example:
|
||||
>
|
||||
> ```yaml
|
||||
@@ -180,7 +238,8 @@ The Dependency Review GitHub Action check will only block a pull request from be
|
||||
> echo "$VULNERABLE_CHANGES" | jq
|
||||
> ```
|
||||
>
|
||||
> instead of direct `echo '${{ steps.review.outputs.vulnerable-changes }}'`. See [examples](docs/examples.md) for more.
|
||||
> instead of direct `echo '${{ steps.review.outputs.vulnerable-changes }}'`.
|
||||
> See [examples](docs/examples.md) for more.
|
||||
|
||||
## Getting help
|
||||
|
||||
|
||||
+1
-1
@@ -1,3 +1,3 @@
|
||||
If you discover a security issue in this repo, please submit it through the [GitHub Security Bug Bounty](https://hackerone.com/github)
|
||||
If you discover a security issue in this repo, please submit it through the [GitHub Security Bug Bounty](https://bounty.github.com/)
|
||||
|
||||
Thanks for helping make GitHub Actions safe for everyone.
|
||||
|
||||
@@ -54,6 +54,30 @@ test('it raises an error if an empty allow list is specified', async () => {
|
||||
)
|
||||
})
|
||||
|
||||
test('it successfully parses allow-dependencies-licenses', async () => {
|
||||
setInput(
|
||||
'allow-dependencies-licenses',
|
||||
'pkg:npm/@test/package@1.2.3,pkg:npm/example'
|
||||
)
|
||||
const config = await readConfig()
|
||||
expect(config.allow_dependencies_licenses).toEqual([
|
||||
'pkg:npm/@test/package@1.2.3',
|
||||
'pkg:npm/example'
|
||||
])
|
||||
})
|
||||
|
||||
test('it raises an error when an invalid package-url is used for allow-dependencies-licenses', async () => {
|
||||
setInput('allow-dependencies-licenses', 'not-a-purl')
|
||||
await expect(readConfig()).rejects.toThrow(`Error parsing package-url`)
|
||||
})
|
||||
|
||||
test('it raises an error when a nameless package-url is used for allow-dependencies-licenses', async () => {
|
||||
setInput('allow-dependencies-licenses', 'pkg:npm/@namespace/')
|
||||
await expect(readConfig()).rejects.toThrow(
|
||||
`Error parsing package-url: name is required`
|
||||
)
|
||||
})
|
||||
|
||||
test('it raises an error when an invalid package-url is used for deny-packages', async () => {
|
||||
setInput('deny-packages', 'not-a-purl')
|
||||
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
fail_on_severity: critical
|
||||
allow_licenses:
|
||||
- "BSD"
|
||||
- "GPL 2"
|
||||
- 'BSD'
|
||||
- 'GPL 2'
|
||||
|
||||
@@ -1 +1 @@
|
||||
allow-licenses: "MIT, GPL-2.0-only"
|
||||
allow-licenses: 'MIT, GPL-2.0-only'
|
||||
|
||||
@@ -44,6 +44,30 @@ test('parsePURL table test', () => {
|
||||
error: null
|
||||
}
|
||||
},
|
||||
{
|
||||
purl: 'pkg:golang/gopkg.in/DataDog/dd-trace-go.v1@1.63.1',
|
||||
// Note: this purl is technically invalid, but we can still parse it
|
||||
expected: {
|
||||
type: 'golang',
|
||||
namespace: 'gopkg.in',
|
||||
name: 'DataDog/dd-trace-go.v1',
|
||||
version: '1.63.1',
|
||||
original: 'pkg:golang/gopkg.in/DataDog/dd-trace-go.v1@1.63.1',
|
||||
error: null
|
||||
}
|
||||
},
|
||||
{
|
||||
purl: 'pkg:golang/github.com/pelletier/go-toml/v2',
|
||||
// Note: this purl is technically invalid, but we can still parse it
|
||||
expected: {
|
||||
type: 'golang',
|
||||
namespace: 'github.com',
|
||||
name: 'pelletier/go-toml/v2',
|
||||
version: null,
|
||||
original: 'pkg:golang/github.com/pelletier/go-toml/v2',
|
||||
error: null
|
||||
}
|
||||
},
|
||||
{
|
||||
purl: 'pkg:npm/%40ns%20foo/n%40me@1.%2f2.3',
|
||||
expected: {
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
import {expect, jest, test} from '@jest/globals'
|
||||
import {Changes, ConfigurationOptions, Scorecard} from '../src/schemas'
|
||||
import {Change, Changes, ConfigurationOptions, Scorecard} from '../src/schemas'
|
||||
import * as summary from '../src/summary'
|
||||
import * as core from '@actions/core'
|
||||
import {createTestChange} from './fixtures/create-test-change'
|
||||
@@ -109,6 +109,80 @@ test('prints headline as h1', () => {
|
||||
expect(text).toContain('<h1>Dependency Review</h1>')
|
||||
})
|
||||
|
||||
test('returns minimal summary in case the core.summary is too large for a PR comment', () => {
|
||||
let changes: Changes = [
|
||||
createTestChange({name: 'lodash', version: '1.2.3'}),
|
||||
createTestChange({name: 'colors', version: '2.3.4'}),
|
||||
createTestChange({name: '@foo/bar', version: '*'})
|
||||
]
|
||||
|
||||
let minSummary: string = summary.addSummaryToSummary(
|
||||
changes,
|
||||
emptyInvalidLicenseChanges,
|
||||
emptyChanges,
|
||||
scorecard,
|
||||
defaultConfig
|
||||
)
|
||||
|
||||
// side effect DR report into core.summary as happens in main.ts
|
||||
summary.addScannedDependencies(changes)
|
||||
const text = core.summary.stringify()
|
||||
|
||||
expect(text).toContain('<h1>Dependency Review</h1>')
|
||||
expect(minSummary).toContain('# Dependency Review')
|
||||
|
||||
expect(text).toContain('❌ 3 vulnerable package(s)')
|
||||
expect(text).not.toContain('* ❌ 3 vulnerable package(s)')
|
||||
expect(text).toContain('lodash')
|
||||
expect(text).toContain('colors')
|
||||
expect(text).toContain('@foo/bar')
|
||||
|
||||
expect(minSummary).toContain('* ❌ 3 vulnerable package(s)')
|
||||
expect(minSummary).not.toContain('lodash')
|
||||
expect(minSummary).not.toContain('colors')
|
||||
expect(minSummary).not.toContain('@foo/bar')
|
||||
|
||||
expect(text.length).toBeGreaterThan(minSummary.length)
|
||||
})
|
||||
|
||||
test('returns minimal summary formatted for posting as a PR comment', () => {
|
||||
const OLD_ENV = process.env
|
||||
|
||||
let changes: Changes = [
|
||||
createTestChange({name: 'lodash', version: '1.2.3'}),
|
||||
createTestChange({name: 'colors', version: '2.3.4'}),
|
||||
createTestChange({name: '@foo/bar', version: '*'})
|
||||
]
|
||||
|
||||
process.env.GITHUB_SERVER_URL = 'https://github.com'
|
||||
process.env.GITHUB_REPOSITORY = 'owner/repo'
|
||||
process.env.GITHUB_RUN_ID = 'abc-123-xyz'
|
||||
|
||||
let minSummary: string = summary.addSummaryToSummary(
|
||||
changes,
|
||||
emptyInvalidLicenseChanges,
|
||||
emptyChanges,
|
||||
scorecard,
|
||||
defaultConfig
|
||||
)
|
||||
|
||||
process.env = OLD_ENV
|
||||
|
||||
// note: no Actions context values in unit test env
|
||||
const expected = `
|
||||
# Dependency Review
|
||||
The following issues were found:
|
||||
* ❌ 3 vulnerable package(s)
|
||||
* ✅ 0 package(s) with incompatible licenses
|
||||
* ✅ 0 package(s) with invalid SPDX license definitions
|
||||
* ✅ 0 package(s) with unknown licenses.
|
||||
|
||||
[View full job summary](https://github.com/owner/repo/actions/runs/abc-123-xyz)
|
||||
`.trim()
|
||||
|
||||
expect(minSummary).toEqual(expected)
|
||||
})
|
||||
|
||||
test('only includes "No vulnerabilities or license issues found"-message if both are configured and nothing was found', () => {
|
||||
summary.addSummaryToSummary(
|
||||
emptyChanges,
|
||||
|
||||
@@ -11,6 +11,7 @@ export function clearInputs(): void {
|
||||
'FAIL-ON-SEVERITY',
|
||||
'FAIL-ON-SCOPES',
|
||||
'ALLOW-LICENSES',
|
||||
'ALLOW-DEPENDENCIES-LICENSES',
|
||||
'DENY-LICENSES',
|
||||
'ALLOW-GHSAS',
|
||||
'LICENSE-CHECK',
|
||||
|
||||
+79
-37
@@ -46,20 +46,19 @@ var __asyncValues = (this && this.__asyncValues) || function (o) {
|
||||
function settle(resolve, reject, d, v) { Promise.resolve(v).then(function(v) { resolve({ value: v, done: d }); }, reject); }
|
||||
};
|
||||
Object.defineProperty(exports, "__esModule", ({ value: true }));
|
||||
exports.commentPr = void 0;
|
||||
exports.commentPr = exports.MAX_COMMENT_LENGTH = void 0;
|
||||
const github = __importStar(__nccwpck_require__(5438));
|
||||
const core = __importStar(__nccwpck_require__(2186));
|
||||
const githubUtils = __importStar(__nccwpck_require__(3030));
|
||||
const retry = __importStar(__nccwpck_require__(6298));
|
||||
const request_error_1 = __nccwpck_require__(537);
|
||||
exports.MAX_COMMENT_LENGTH = 65536;
|
||||
const retryingOctokit = githubUtils.GitHub.plugin(retry.retry);
|
||||
const octo = new retryingOctokit(githubUtils.getOctokitOptions(core.getInput('repo-token', { required: true })));
|
||||
// Comment Marker to identify an existing comment to update, so we don't spam the PR with comments
|
||||
const COMMENT_MARKER = '<!-- dependency-review-pr-comment-marker -->';
|
||||
function commentPr(summary, config) {
|
||||
function commentPr(commentContent, config) {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
const commentContent = summary.stringify();
|
||||
core.setOutput('comment-content', commentContent);
|
||||
if (!(config.comment_summary_in_pr === 'always' ||
|
||||
(config.comment_summary_in_pr === 'on-failure' &&
|
||||
process.exitCode === core.ExitCode.Failure))) {
|
||||
@@ -648,7 +647,7 @@ function run() {
|
||||
core.debug(`Config Deny Packages: ${JSON.stringify(config)}`);
|
||||
const deniedChanges = yield (0, deny_1.getDeniedChanges)(filteredChanges, config.deny_packages, config.deny_groups);
|
||||
const scorecard = yield (0, scorecard_1.getScorecardLevels)(filteredChanges);
|
||||
summary.addSummaryToSummary(vulnerableChanges, invalidLicenseChanges, deniedChanges, scorecard, config);
|
||||
const minSummary = summary.addSummaryToSummary(vulnerableChanges, invalidLicenseChanges, deniedChanges, scorecard, config);
|
||||
if (snapshot_warnings) {
|
||||
summary.addSnapshotWarnings(config, snapshot_warnings);
|
||||
}
|
||||
@@ -675,7 +674,16 @@ function run() {
|
||||
core.setOutput('dependency-changes', JSON.stringify(changes));
|
||||
summary.addScannedDependencies(changes);
|
||||
printScannedDependencies(changes);
|
||||
yield (0, comment_pr_1.commentPr)(core.summary, config);
|
||||
// include full summary in output; Actions will truncate if oversized
|
||||
let rendered = core.summary.stringify();
|
||||
core.setOutput('comment-content', rendered);
|
||||
// if the summary is oversized, replace with minimal version
|
||||
if (rendered.length >= comment_pr_1.MAX_COMMENT_LENGTH) {
|
||||
core.debug('The comment was too big for the GitHub API. Falling back on a minimum comment');
|
||||
rendered = minSummary;
|
||||
}
|
||||
// update the PR comment if needed with the right-sized summary
|
||||
yield (0, comment_pr_1.commentPr)(rendered, config);
|
||||
}
|
||||
catch (error) {
|
||||
if (error instanceof request_error_1.RequestError && error.status === 404) {
|
||||
@@ -916,7 +924,10 @@ function parsePURL(purl) {
|
||||
}
|
||||
else {
|
||||
result.namespace = decodeURIComponent(parts[1]);
|
||||
namePlusRest = parts[2];
|
||||
// Add back the '/'s to the rest of the parts, in case there are any more.
|
||||
// This may violate the purl spec, but people do it and it can be parsed
|
||||
// without ambiguity.
|
||||
namePlusRest = parts.slice(2).join('/');
|
||||
}
|
||||
const name = namePlusRest.match(/([^@#?]+)[@#?]?.*/);
|
||||
if (!result.namespace && !name) {
|
||||
@@ -1014,6 +1025,21 @@ const PackageURLWithNamespace = z
|
||||
});
|
||||
}
|
||||
});
|
||||
const PackageURLString = z.string().superRefine((value, context) => {
|
||||
const purl = (0, purl_1.parsePURL)(value);
|
||||
if (purl.error) {
|
||||
context.addIssue({
|
||||
code: z.ZodIssueCode.custom,
|
||||
message: `Error parsing package-url: ${purl.error}`
|
||||
});
|
||||
}
|
||||
if (!purl.name) {
|
||||
context.addIssue({
|
||||
code: z.ZodIssueCode.custom,
|
||||
message: `Error parsing package-url: name is required`
|
||||
});
|
||||
}
|
||||
});
|
||||
exports.ChangeSchema = z.object({
|
||||
change_type: z.enum(['added', 'removed']),
|
||||
manifest: z.string(),
|
||||
@@ -1045,7 +1071,7 @@ exports.ConfigurationOptionsSchema = z
|
||||
fail_on_scopes: z.array(z.enum(exports.SCOPES)).default(['runtime']),
|
||||
allow_licenses: z.array(z.string()).optional(),
|
||||
deny_licenses: z.array(z.string()).optional(),
|
||||
allow_dependencies_licenses: z.array(z.string()).optional(),
|
||||
allow_dependencies_licenses: z.array(PackageURLString).optional(),
|
||||
allow_ghsas: z.array(z.string()).default([]),
|
||||
deny_packages: z.array(PackageURL).default([]),
|
||||
deny_groups: z.array(PackageURLWithNamespace).default([]),
|
||||
@@ -1242,7 +1268,7 @@ function getProjectUrl(ecosystem, packageName, version) {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
core.debug(`Getting deps.dev data for ${packageName} ${version}`);
|
||||
const depsDevAPIRoot = 'https://api.deps.dev';
|
||||
const url = `${depsDevAPIRoot}/v3alpha/systems/${ecosystem}/packages/${packageName}/versions/${version}`;
|
||||
const url = `${depsDevAPIRoot}/v3/systems/${ecosystem}/packages/${packageName}/versions/${version}`;
|
||||
const response = yield fetch(url);
|
||||
if (response.ok) {
|
||||
const data = yield response.json();
|
||||
@@ -1295,10 +1321,15 @@ const icons = {
|
||||
cross: '❌',
|
||||
warning: '⚠️'
|
||||
};
|
||||
// generates the DR report summmary and caches it to the Action's core.summary.
|
||||
// returns the DR summary string, ready to be posted as a PR comment if the
|
||||
// final DR report is too large
|
||||
function addSummaryToSummary(vulnerableChanges, invalidLicenseChanges, deniedChanges, scorecard, config) {
|
||||
const out = [];
|
||||
const scorecardWarnings = countScorecardWarnings(scorecard, config);
|
||||
const licenseIssues = countLicenseIssues(invalidLicenseChanges);
|
||||
core.summary.addHeading('Dependency Review', 1);
|
||||
out.push('# Dependency Review');
|
||||
if (vulnerableChanges.length === 0 &&
|
||||
licenseIssues === 0 &&
|
||||
deniedChanges.length === 0 &&
|
||||
@@ -1308,17 +1339,21 @@ function addSummaryToSummary(vulnerableChanges, invalidLicenseChanges, deniedCha
|
||||
config.license_check ? 'license issues' : '',
|
||||
config.show_openssf_scorecard ? 'OpenSSF Scorecard issues' : ''
|
||||
];
|
||||
let msg = '';
|
||||
if (issueTypes.filter(Boolean).length === 0) {
|
||||
core.summary.addRaw(`${icons.check} No issues found.`);
|
||||
msg = `${icons.check} No issues found.`;
|
||||
}
|
||||
else {
|
||||
core.summary.addRaw(`${icons.check} No ${issueTypes.filter(Boolean).join(' or ')} found.`);
|
||||
msg = `${icons.check} No ${issueTypes.filter(Boolean).join(' or ')} found.`;
|
||||
}
|
||||
return;
|
||||
core.summary.addRaw(msg);
|
||||
out.push(msg);
|
||||
return out.join('\n');
|
||||
}
|
||||
core.summary
|
||||
.addRaw('The following issues were found:')
|
||||
.addList([
|
||||
const foundIssuesHeader = 'The following issues were found:';
|
||||
core.summary.addRaw(foundIssuesHeader);
|
||||
out.push(foundIssuesHeader);
|
||||
const summaryList = [
|
||||
...(config.vulnerability_check
|
||||
? [
|
||||
`${checkOrFailIcon(vulnerableChanges.length)} ${vulnerableChanges.length} vulnerable package(s)`
|
||||
@@ -1333,7 +1368,7 @@ function addSummaryToSummary(vulnerableChanges, invalidLicenseChanges, deniedCha
|
||||
: []),
|
||||
...(deniedChanges.length > 0
|
||||
? [
|
||||
`${checkOrFailIcon(deniedChanges.length)} ${deniedChanges.length} package(s) denied.`
|
||||
`${checkOrWarnIcon(deniedChanges.length)} ${deniedChanges.length} package(s) denied.`
|
||||
]
|
||||
: []),
|
||||
...(config.show_openssf_scorecard && scorecardWarnings > 0
|
||||
@@ -1341,8 +1376,14 @@ function addSummaryToSummary(vulnerableChanges, invalidLicenseChanges, deniedCha
|
||||
`${checkOrWarnIcon(scorecardWarnings)} ${scorecardWarnings ? scorecardWarnings : 'No'} packages with OpenSSF Scorecard issues.`
|
||||
]
|
||||
: [])
|
||||
])
|
||||
.addRaw('See the Details below.');
|
||||
];
|
||||
core.summary.addList(summaryList);
|
||||
for (const line of summaryList) {
|
||||
out.push(`* ${line}`);
|
||||
}
|
||||
core.summary.addRaw('See the Details below.');
|
||||
out.push(`\n[View full job summary](${process.env.GITHUB_SERVER_URL}/${process.env.GITHUB_REPOSITORY}/actions/runs/${process.env.GITHUB_RUN_ID})`);
|
||||
return out.join('\n');
|
||||
}
|
||||
exports.addSummaryToSummary = addSummaryToSummary;
|
||||
function countScorecardWarnings(scorecard, config) {
|
||||
@@ -49598,7 +49639,6 @@ const core = __importStar(__nccwpck_require__(2186));
|
||||
const z = __importStar(__nccwpck_require__(3301));
|
||||
const schemas_1 = __nccwpck_require__(1129);
|
||||
const utils_1 = __nccwpck_require__(1314);
|
||||
const purl_1 = __nccwpck_require__(4498);
|
||||
function readConfig() {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
const inlineConfig = readInlineConfig();
|
||||
@@ -49630,7 +49670,6 @@ function readInlineConfig() {
|
||||
const warn_only = getOptionalBoolean('warn-only');
|
||||
const show_openssf_scorecard = getOptionalBoolean('show-openssf-scorecard');
|
||||
const warn_on_openssf_scorecard_level = getOptionalNumber('warn-on-openssf-scorecard-level');
|
||||
validatePURL(allow_dependencies_licenses);
|
||||
validateLicenses('allow-licenses', allow_licenses);
|
||||
validateLicenses('deny-licenses', deny_licenses);
|
||||
const keys = {
|
||||
@@ -49737,10 +49776,6 @@ function parseConfigFile(configData) {
|
||||
if (key === 'allow-licenses' || key === 'deny-licenses') {
|
||||
validateLicenses(key, data[key]);
|
||||
}
|
||||
// validate purls from the allow-dependencies-licenses
|
||||
if (key === 'allow-dependencies-licenses') {
|
||||
validatePURL(data[key]);
|
||||
}
|
||||
// get rid of the ugly dashes from the actions conventions
|
||||
if (key.includes('-')) {
|
||||
data[key.replace(/-/g, '_')] = data[key];
|
||||
@@ -49776,17 +49811,6 @@ function getRemoteConfig(configOpts) {
|
||||
}
|
||||
});
|
||||
}
|
||||
function validatePURL(allow_dependencies_licenses) {
|
||||
//validate that the provided elements of the string are in valid purl format
|
||||
if (allow_dependencies_licenses === undefined) {
|
||||
return;
|
||||
}
|
||||
const invalid_purls = allow_dependencies_licenses.filter(purl => !(0, purl_1.parsePURL)(purl).error);
|
||||
if (invalid_purls.length > 0) {
|
||||
throw new Error(`Invalid purl(s) in allow-dependencies-licenses: ${invalid_purls}`);
|
||||
}
|
||||
return;
|
||||
}
|
||||
|
||||
|
||||
/***/ }),
|
||||
@@ -49947,7 +49971,10 @@ function parsePURL(purl) {
|
||||
}
|
||||
else {
|
||||
result.namespace = decodeURIComponent(parts[1]);
|
||||
namePlusRest = parts[2];
|
||||
// Add back the '/'s to the rest of the parts, in case there are any more.
|
||||
// This may violate the purl spec, but people do it and it can be parsed
|
||||
// without ambiguity.
|
||||
namePlusRest = parts.slice(2).join('/');
|
||||
}
|
||||
const name = namePlusRest.match(/([^@#?]+)[@#?]?.*/);
|
||||
if (!result.namespace && !name) {
|
||||
@@ -50045,6 +50072,21 @@ const PackageURLWithNamespace = z
|
||||
});
|
||||
}
|
||||
});
|
||||
const PackageURLString = z.string().superRefine((value, context) => {
|
||||
const purl = (0, purl_1.parsePURL)(value);
|
||||
if (purl.error) {
|
||||
context.addIssue({
|
||||
code: z.ZodIssueCode.custom,
|
||||
message: `Error parsing package-url: ${purl.error}`
|
||||
});
|
||||
}
|
||||
if (!purl.name) {
|
||||
context.addIssue({
|
||||
code: z.ZodIssueCode.custom,
|
||||
message: `Error parsing package-url: name is required`
|
||||
});
|
||||
}
|
||||
});
|
||||
exports.ChangeSchema = z.object({
|
||||
change_type: z.enum(['added', 'removed']),
|
||||
manifest: z.string(),
|
||||
@@ -50076,7 +50118,7 @@ exports.ConfigurationOptionsSchema = z
|
||||
fail_on_scopes: z.array(z.enum(exports.SCOPES)).default(['runtime']),
|
||||
allow_licenses: z.array(z.string()).optional(),
|
||||
deny_licenses: z.array(z.string()).optional(),
|
||||
allow_dependencies_licenses: z.array(z.string()).optional(),
|
||||
allow_dependencies_licenses: z.array(PackageURLString).optional(),
|
||||
allow_ghsas: z.array(z.string()).default([]),
|
||||
deny_packages: z.array(PackageURL).default([]),
|
||||
deny_groups: z.array(PackageURLWithNamespace).default([]),
|
||||
|
||||
+1
-1
File diff suppressed because one or more lines are too long
Generated
+2
-2
@@ -1,12 +1,12 @@
|
||||
{
|
||||
"name": "dependency-review-action",
|
||||
"version": "4.3.0",
|
||||
"version": "4.3.2",
|
||||
"lockfileVersion": 3,
|
||||
"requires": true,
|
||||
"packages": {
|
||||
"": {
|
||||
"name": "dependency-review-action",
|
||||
"version": "4.3.0",
|
||||
"version": "4.3.2",
|
||||
"license": "MIT",
|
||||
"dependencies": {
|
||||
"@actions/core": "^1.10.1",
|
||||
|
||||
+1
-1
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"name": "dependency-review-action",
|
||||
"version": "4.3.0",
|
||||
"version": "4.3.2",
|
||||
"private": true,
|
||||
"description": "A GitHub Action for Dependency Review",
|
||||
"main": "lib/main.js",
|
||||
|
||||
+3
-5
@@ -5,6 +5,8 @@ import * as retry from '@octokit/plugin-retry'
|
||||
import {RequestError} from '@octokit/request-error'
|
||||
import {ConfigurationOptions} from './schemas'
|
||||
|
||||
export const MAX_COMMENT_LENGTH = 65536
|
||||
|
||||
const retryingOctokit = githubUtils.GitHub.plugin(retry.retry)
|
||||
const octo = new retryingOctokit(
|
||||
githubUtils.getOctokitOptions(core.getInput('repo-token', {required: true}))
|
||||
@@ -14,13 +16,9 @@ const octo = new retryingOctokit(
|
||||
const COMMENT_MARKER = '<!-- dependency-review-pr-comment-marker -->'
|
||||
|
||||
export async function commentPr(
|
||||
summary: typeof core.summary,
|
||||
commentContent: string,
|
||||
config: ConfigurationOptions
|
||||
): Promise<void> {
|
||||
const commentContent = summary.stringify()
|
||||
|
||||
core.setOutput('comment-content', commentContent)
|
||||
|
||||
if (
|
||||
!(
|
||||
config.comment_summary_in_pr === 'always' ||
|
||||
|
||||
@@ -5,7 +5,6 @@ import * as core from '@actions/core'
|
||||
import * as z from 'zod'
|
||||
import {ConfigurationOptions, ConfigurationOptionsSchema} from './schemas'
|
||||
import {isSPDXValid, octokitClient} from './utils'
|
||||
import {parsePURL} from './purl'
|
||||
|
||||
type ConfigurationOptionsPartial = Partial<ConfigurationOptions>
|
||||
|
||||
@@ -53,7 +52,6 @@ function readInlineConfig(): ConfigurationOptionsPartial {
|
||||
'warn-on-openssf-scorecard-level'
|
||||
)
|
||||
|
||||
validatePURL(allow_dependencies_licenses)
|
||||
validateLicenses('allow-licenses', allow_licenses)
|
||||
validateLicenses('deny-licenses', deny_licenses)
|
||||
|
||||
@@ -184,11 +182,6 @@ function parseConfigFile(configData: string): ConfigurationOptionsPartial {
|
||||
validateLicenses(key, data[key])
|
||||
}
|
||||
|
||||
// validate purls from the allow-dependencies-licenses
|
||||
if (key === 'allow-dependencies-licenses') {
|
||||
validatePURL(data[key])
|
||||
}
|
||||
|
||||
// get rid of the ugly dashes from the actions conventions
|
||||
if (key.includes('-')) {
|
||||
data[key.replace(/-/g, '_')] = data[key]
|
||||
@@ -227,19 +220,3 @@ async function getRemoteConfig(configOpts: {
|
||||
throw new Error('Error fetching remote config file')
|
||||
}
|
||||
}
|
||||
function validatePURL(allow_dependencies_licenses: string[] | undefined): void {
|
||||
//validate that the provided elements of the string are in valid purl format
|
||||
if (allow_dependencies_licenses === undefined) {
|
||||
return
|
||||
}
|
||||
const invalid_purls = allow_dependencies_licenses.filter(
|
||||
purl => !parsePURL(purl).error
|
||||
)
|
||||
|
||||
if (invalid_purls.length > 0) {
|
||||
throw new Error(
|
||||
`Invalid purl(s) in allow-dependencies-licenses: ${invalid_purls}`
|
||||
)
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
+17
-3
@@ -22,7 +22,7 @@ import * as summary from './summary'
|
||||
import {getRefs} from './git-refs'
|
||||
|
||||
import {groupDependenciesByManifest} from './utils'
|
||||
import {commentPr} from './comment-pr'
|
||||
import {commentPr, MAX_COMMENT_LENGTH} from './comment-pr'
|
||||
import {getDeniedChanges} from './deny'
|
||||
|
||||
async function delay(ms: number): Promise<void> {
|
||||
@@ -127,7 +127,7 @@ async function run(): Promise<void> {
|
||||
|
||||
const scorecard = await getScorecardLevels(filteredChanges)
|
||||
|
||||
summary.addSummaryToSummary(
|
||||
const minSummary = summary.addSummaryToSummary(
|
||||
vulnerableChanges,
|
||||
invalidLicenseChanges,
|
||||
deniedChanges,
|
||||
@@ -166,7 +166,21 @@ async function run(): Promise<void> {
|
||||
core.setOutput('dependency-changes', JSON.stringify(changes))
|
||||
summary.addScannedDependencies(changes)
|
||||
printScannedDependencies(changes)
|
||||
await commentPr(core.summary, config)
|
||||
|
||||
// include full summary in output; Actions will truncate if oversized
|
||||
let rendered = core.summary.stringify()
|
||||
core.setOutput('comment-content', rendered)
|
||||
|
||||
// if the summary is oversized, replace with minimal version
|
||||
if (rendered.length >= MAX_COMMENT_LENGTH) {
|
||||
core.debug(
|
||||
'The comment was too big for the GitHub API. Falling back on a minimum comment'
|
||||
)
|
||||
rendered = minSummary
|
||||
}
|
||||
|
||||
// update the PR comment if needed with the right-sized summary
|
||||
await commentPr(rendered, config)
|
||||
} catch (error) {
|
||||
if (error instanceof RequestError && error.status === 404) {
|
||||
core.setFailed(
|
||||
|
||||
+4
-1
@@ -46,7 +46,10 @@ export function parsePURL(purl: string): PackageURL {
|
||||
namePlusRest = parts[1]
|
||||
} else {
|
||||
result.namespace = decodeURIComponent(parts[1])
|
||||
namePlusRest = parts[2]
|
||||
// Add back the '/'s to the rest of the parts, in case there are any more.
|
||||
// This may violate the purl spec, but people do it and it can be parsed
|
||||
// without ambiguity.
|
||||
namePlusRest = parts.slice(2).join('/')
|
||||
}
|
||||
const name = namePlusRest.match(/([^@#?]+)[@#?]?.*/)
|
||||
if (!result.namespace && !name) {
|
||||
|
||||
+17
-1
@@ -46,6 +46,22 @@ const PackageURLWithNamespace = z
|
||||
}
|
||||
})
|
||||
|
||||
const PackageURLString = z.string().superRefine((value, context) => {
|
||||
const purl = parsePURL(value)
|
||||
if (purl.error) {
|
||||
context.addIssue({
|
||||
code: z.ZodIssueCode.custom,
|
||||
message: `Error parsing package-url: ${purl.error}`
|
||||
})
|
||||
}
|
||||
if (!purl.name) {
|
||||
context.addIssue({
|
||||
code: z.ZodIssueCode.custom,
|
||||
message: `Error parsing package-url: name is required`
|
||||
})
|
||||
}
|
||||
})
|
||||
|
||||
export const ChangeSchema = z.object({
|
||||
change_type: z.enum(['added', 'removed']),
|
||||
manifest: z.string(),
|
||||
@@ -81,7 +97,7 @@ export const ConfigurationOptionsSchema = z
|
||||
fail_on_scopes: z.array(z.enum(SCOPES)).default(['runtime']),
|
||||
allow_licenses: z.array(z.string()).optional(),
|
||||
deny_licenses: z.array(z.string()).optional(),
|
||||
allow_dependencies_licenses: z.array(z.string()).optional(),
|
||||
allow_dependencies_licenses: z.array(PackageURLString).optional(),
|
||||
allow_ghsas: z.array(z.string()).default([]),
|
||||
deny_packages: z.array(PackageURL).default([]),
|
||||
deny_groups: z.array(PackageURLWithNamespace).default([]),
|
||||
|
||||
+1
-1
@@ -69,7 +69,7 @@ export async function getProjectUrl(
|
||||
): Promise<string> {
|
||||
core.debug(`Getting deps.dev data for ${packageName} ${version}`)
|
||||
const depsDevAPIRoot = 'https://api.deps.dev'
|
||||
const url = `${depsDevAPIRoot}/v3alpha/systems/${ecosystem}/packages/${packageName}/versions/${version}`
|
||||
const url = `${depsDevAPIRoot}/v3/systems/${ecosystem}/packages/${packageName}/versions/${version}`
|
||||
const response = await fetch(url)
|
||||
if (response.ok) {
|
||||
const data = await response.json()
|
||||
|
||||
+64
-43
@@ -10,17 +10,23 @@ const icons = {
|
||||
warning: '⚠️'
|
||||
}
|
||||
|
||||
// generates the DR report summmary and caches it to the Action's core.summary.
|
||||
// returns the DR summary string, ready to be posted as a PR comment if the
|
||||
// final DR report is too large
|
||||
export function addSummaryToSummary(
|
||||
vulnerableChanges: Changes,
|
||||
invalidLicenseChanges: InvalidLicenseChanges,
|
||||
deniedChanges: Changes,
|
||||
scorecard: Scorecard,
|
||||
config: ConfigurationOptions
|
||||
): void {
|
||||
): string {
|
||||
const out: string[] = []
|
||||
|
||||
const scorecardWarnings = countScorecardWarnings(scorecard, config)
|
||||
const licenseIssues = countLicenseIssues(invalidLicenseChanges)
|
||||
|
||||
core.summary.addHeading('Dependency Review', 1)
|
||||
out.push('# Dependency Review')
|
||||
|
||||
if (
|
||||
vulnerableChanges.length === 0 &&
|
||||
@@ -33,54 +39,69 @@ export function addSummaryToSummary(
|
||||
config.license_check ? 'license issues' : '',
|
||||
config.show_openssf_scorecard ? 'OpenSSF Scorecard issues' : ''
|
||||
]
|
||||
|
||||
let msg = ''
|
||||
if (issueTypes.filter(Boolean).length === 0) {
|
||||
core.summary.addRaw(`${icons.check} No issues found.`)
|
||||
msg = `${icons.check} No issues found.`
|
||||
} else {
|
||||
core.summary.addRaw(
|
||||
`${icons.check} No ${issueTypes.filter(Boolean).join(' or ')} found.`
|
||||
)
|
||||
msg = `${icons.check} No ${issueTypes.filter(Boolean).join(' or ')} found.`
|
||||
}
|
||||
|
||||
return
|
||||
core.summary.addRaw(msg)
|
||||
out.push(msg)
|
||||
return out.join('\n')
|
||||
}
|
||||
|
||||
core.summary
|
||||
.addRaw('The following issues were found:')
|
||||
.addList([
|
||||
...(config.vulnerability_check
|
||||
? [
|
||||
`${checkOrFailIcon(vulnerableChanges.length)} ${
|
||||
vulnerableChanges.length
|
||||
} vulnerable package(s)`
|
||||
]
|
||||
: []),
|
||||
...(config.license_check
|
||||
? [
|
||||
`${checkOrFailIcon(invalidLicenseChanges.forbidden.length)} ${
|
||||
invalidLicenseChanges.forbidden.length
|
||||
} package(s) with incompatible licenses`,
|
||||
`${checkOrFailIcon(invalidLicenseChanges.unresolved.length)} ${
|
||||
invalidLicenseChanges.unresolved.length
|
||||
} package(s) with invalid SPDX license definitions`,
|
||||
`${checkOrWarnIcon(invalidLicenseChanges.unlicensed.length)} ${
|
||||
invalidLicenseChanges.unlicensed.length
|
||||
} package(s) with unknown licenses.`
|
||||
]
|
||||
: []),
|
||||
...(deniedChanges.length > 0
|
||||
? [
|
||||
`${checkOrFailIcon(deniedChanges.length)} ${
|
||||
deniedChanges.length
|
||||
} package(s) denied.`
|
||||
]
|
||||
: []),
|
||||
...(config.show_openssf_scorecard && scorecardWarnings > 0
|
||||
? [
|
||||
`${checkOrWarnIcon(scorecardWarnings)} ${scorecardWarnings ? scorecardWarnings : 'No'} packages with OpenSSF Scorecard issues.`
|
||||
]
|
||||
: [])
|
||||
])
|
||||
.addRaw('See the Details below.')
|
||||
const foundIssuesHeader = 'The following issues were found:'
|
||||
core.summary.addRaw(foundIssuesHeader)
|
||||
out.push(foundIssuesHeader)
|
||||
|
||||
const summaryList: string[] = [
|
||||
...(config.vulnerability_check
|
||||
? [
|
||||
`${checkOrFailIcon(vulnerableChanges.length)} ${
|
||||
vulnerableChanges.length
|
||||
} vulnerable package(s)`
|
||||
]
|
||||
: []),
|
||||
...(config.license_check
|
||||
? [
|
||||
`${checkOrFailIcon(invalidLicenseChanges.forbidden.length)} ${
|
||||
invalidLicenseChanges.forbidden.length
|
||||
} package(s) with incompatible licenses`,
|
||||
`${checkOrFailIcon(invalidLicenseChanges.unresolved.length)} ${
|
||||
invalidLicenseChanges.unresolved.length
|
||||
} package(s) with invalid SPDX license definitions`,
|
||||
`${checkOrWarnIcon(invalidLicenseChanges.unlicensed.length)} ${
|
||||
invalidLicenseChanges.unlicensed.length
|
||||
} package(s) with unknown licenses.`
|
||||
]
|
||||
: []),
|
||||
...(deniedChanges.length > 0
|
||||
? [
|
||||
`${checkOrWarnIcon(deniedChanges.length)} ${
|
||||
deniedChanges.length
|
||||
} package(s) denied.`
|
||||
]
|
||||
: []),
|
||||
...(config.show_openssf_scorecard && scorecardWarnings > 0
|
||||
? [
|
||||
`${checkOrWarnIcon(scorecardWarnings)} ${scorecardWarnings ? scorecardWarnings : 'No'} packages with OpenSSF Scorecard issues.`
|
||||
]
|
||||
: [])
|
||||
]
|
||||
|
||||
core.summary.addList(summaryList)
|
||||
for (const line of summaryList) {
|
||||
out.push(`* ${line}`)
|
||||
}
|
||||
|
||||
core.summary.addRaw('See the Details below.')
|
||||
out.push(
|
||||
`\n[View full job summary](${process.env.GITHUB_SERVER_URL}/${process.env.GITHUB_REPOSITORY}/actions/runs/${process.env.GITHUB_RUN_ID})`
|
||||
)
|
||||
|
||||
return out.join('\n')
|
||||
}
|
||||
|
||||
function countScorecardWarnings(
|
||||
|
||||
Reference in New Issue
Block a user