Compare commits
1 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 9a82545adb |
@@ -2,8 +2,5 @@
|
||||
"name": "Dependency Review Action",
|
||||
"image": "mcr.microsoft.com/devcontainers/typescript-node:18",
|
||||
"postCreateCommand": "npm install",
|
||||
"remoteUser": "node",
|
||||
"features": {
|
||||
"ghcr.io/devcontainers/features/ruby:1": {}
|
||||
}
|
||||
"remoteUser": "node"
|
||||
}
|
||||
|
||||
+2
-2
@@ -80,12 +80,12 @@ Here are a few things you can do that will increase the likelihood of your pull
|
||||
- Add unit tests for new features.
|
||||
- Keep your change as focused as possible. If there are multiple changes you would like to make that are not dependent upon each other, consider submitting them as separate pull requests.
|
||||
- Write a [good commit message](https://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html).
|
||||
- Add examples of the usage to [examples.md](docs/examples.md)
|
||||
- Add examples of the usage to [examples.md](examples.md)
|
||||
- Link to a sample PR in a custom repository running your version of the Action.
|
||||
|
||||
## Cutting a new release
|
||||
|
||||
1. Update the version number in [package.json](https://github.com/actions/dependency-review-action/blob/main/package.json) and run `npm i` to update the lockfile.
|
||||
1. Update the version number in [package.json](https://github.com/actions/dependency-review-action/blob/main/package.json).
|
||||
1. Go to [Draft a new
|
||||
release](https://github.com/actions/dependency-review-action/releases/new)
|
||||
in the Releases page.
|
||||
|
||||
@@ -66,25 +66,25 @@ jobs:
|
||||
|
||||
Configure this action by either inlining these options in your workflow file, or by using an external configuration file. All configuration options are optional.
|
||||
|
||||
| Option | Usage | Possible values | Default value |
|
||||
| -------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------ | ------------- |
|
||||
| `fail-on-severity` | Defines the threshold for the level of severity. The action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher. | `low`, `moderate`, `high`, `critical` | `low` |
|
||||
| `allow-licenses`\* | Contains a list of allowed licenses. The action will fail on pull requests that introduce dependencies with licenses that do not match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
|
||||
| `deny-licenses`\* | Contains a list of prohibited licenses. The action will fail on pull requests that introduce dependencies with licenses that match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
|
||||
| `fail-on-scopes` | Contains a list of strings of the build environments you want to support. The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list. | `runtime`, `development`, `unknown` | `runtime` |
|
||||
| `allow-ghsas` | Contains a list of GitHub Advisory Database IDs that can be skipped during detection. | Any GHSAs from the [GitHub Advisory Database](https://github.com/advisories) | none |
|
||||
| `license-check` | Enable or disable the license check performed by the action. | `true`, `false` | `true` |
|
||||
| `vulnerability-check` | Enable or disable the vulnerability check performed by the action. | `true`, `false` | `true` |
|
||||
| `allow-dependencies-licenses`\* | Contains a list of packages that will be excluded from license checks. | Any package(s) in [purl](https://github.com/package-url/purl-spec) format | none |
|
||||
| `base-ref`/`head-ref` | Provide custom git references for the git base/head when performing the comparison check. This is only used for event types other than `pull_request` and `pull_request_target`. | Any valid git ref(s) in your project | none |
|
||||
| `comment-summary-in-pr` | Enable or disable reporting the review summary as a comment in the pull request. If enabled, you must give the workflow or job the `pull-requests: write` permission. | `always`, `on-failure`, `never` | `never` |
|
||||
| `deny-packages` | Any number of packages to block in a PR. This option will match on the exact version provided. If no version is provided, the option will treat the specified package as a wildcard and deny all versions. | Package(s) in [purl](https://github.com/package-url/purl-spec) format | empty |
|
||||
| `deny-groups` | Any number of groups (namespaces) to block in a PR. | Namespace(s) in [purl](https://github.com/package-url/purl-spec) format (no package name, no version number) | empty |
|
||||
| `retry-on-snapshot-warnings`\* | Enable or disable retrying the action every 10 seconds while waiting for dependency submission actions to complete. | `true`, `false` | `false` |
|
||||
| `retry-on-snapshot-warnings-timeout`\* | Maximum amount of time (in seconds) to retry the action while waiting for dependency submission actions to complete. | Any positive integer | 120 |
|
||||
| `warn-only`+ | When set to `true`, the action will log all vulnerabilities as warnings regardless of the severity, and the action will complete with a `success` status. This overrides the `fail-on-severity` option. | `true`, `false` | `false` |
|
||||
| `show-openssf-scorecard-levels` | When set to `true`, the action will output information about all the known OpenSSF Scorecard scores for the dependencies changed in this pull request. | `true`, `false` | `true` |
|
||||
| `warn-on-openssf-scorecard-level` | When `show-openssf-scorecard-levels` is set to `true`, this option lets you configure the threshold for when a score is considered too low and gets a :warning: warning in the CI. | Any positive integer | 3 |
|
||||
| Option | Usage | Possible values | Default value |
|
||||
| -------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------ | ------------- |
|
||||
| `fail-on-severity` | Defines the threshold for the level of severity. The action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher. | `low`, `moderate`, `high`, `critical` | `low` |
|
||||
| `allow-licenses`\* | Contains a list of allowed licenses. The action will fail on pull requests that introduce dependencies with licenses that do not match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
|
||||
| `deny-licenses`\* | Contains a list of prohibited licenses. The action will fail on pull requests that introduce dependencies with licenses that match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
|
||||
| `fail-on-scopes` | Contains a list of strings of the build environments you want to support. The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list. | `runtime`, `development`, `unknown` | `runtime` |
|
||||
| `allow-ghsas` | Contains a list of GitHub Advisory Database IDs that can be skipped during detection. | Any GHSAs from the [GitHub Advisory Database](https://github.com/advisories) | none |
|
||||
| `license-check` | Enable or disable the license check performed by the action. | `true`, `false` | `true` |
|
||||
| `vulnerability-check` | Enable or disable the vulnerability check performed by the action. | `true`, `false` | `true` |
|
||||
| `allow-dependencies-licenses`\* | Contains a list of packages that will be excluded from license checks. | Any package(s) in [purl](https://github.com/package-url/purl-spec) format | none |
|
||||
| `base-ref`/`head-ref` | Provide custom git references for the git base/head when performing the comparison check. This is only used for event types other than `pull_request` and `pull_request_target`. | Any valid git ref(s) in your project | none |
|
||||
| `comment-summary-in-pr` | Enable or disable reporting the review summary as a comment in the pull request. If enabled, you must give the workflow or job the `pull-requests: write` permission. | `always`, `on-failure`, `never` | `never` |
|
||||
| `deny-packages` | Any number of packages to block in a PR. | Package(s) in [purl](https://github.com/package-url/purl-spec) format | empty |
|
||||
| `deny-groups` | Any number of groups (namespaces) to block in a PR. | Namespace(s) in [purl](https://github.com/package-url/purl-spec) format (no package name, no version number) | empty |
|
||||
| `retry-on-snapshot-warnings`\* | Enable or disable retrying the action every 10 seconds while waiting for dependency submission actions to complete. | `true`, `false` | `false` |
|
||||
| `retry-on-snapshot-warnings-timeout`\* | Maximum amount of time (in seconds) to retry the action while waiting for dependency submission actions to complete. | Any positive integer | 120 |
|
||||
| `warn-only`+ | When set to `true`, the action will log all vulnerabilities as warnings regardless of the severity, and the action will complete with a `success` status. This overrides the `fail-on-severity` option. | `true`, `false` | `false` |
|
||||
| `show-openssf-scorecard-levels` | When set to `true`, the action will output information about all the known OpenSSF Scorecard scores for the dependencies changed in this pull request. | `true`, `false` | `true` |
|
||||
| `warn-on-openssf-scorecard-level` | When `show-openssf-scorecard-levels` is set to `true`, this option lets you configure the threshold for when a score is considered too low and gets a :warning: warning in the CI. | Any positive integer | 3 |
|
||||
|
||||
\*not supported for use with GitHub Enterprise Server
|
||||
|
||||
@@ -171,7 +171,7 @@ The Dependency Review GitHub Action check will only block a pull request from be
|
||||
> Action outputs are unicode strings [with a 1MB size limit](https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#outputs-for-docker-container-and-javascript-actions).
|
||||
|
||||
> [!IMPORTANT]
|
||||
> If you use these outputs in a run-step, you must store the output data in an environment variable instead of using the output directly. Using an output directly might break shell scripts. For example:
|
||||
> If you use these outputs in a run-step, you must store the ouput data in an envrioment variable instead of using the output directly. Using an output directly might break shell scripts. For example:
|
||||
>
|
||||
> ```yaml
|
||||
> env:
|
||||
|
||||
+110
-66
@@ -1,7 +1,100 @@
|
||||
import {expect, jest, test} from '@jest/globals'
|
||||
import {Change, Changes} from '../src/schemas'
|
||||
import {createTestChange, createTestPURLs} from './fixtures/create-test-change'
|
||||
import {getDeniedChanges} from '../src/deny'
|
||||
|
||||
let getDeniedChanges: Function
|
||||
|
||||
const npmChange: Change = {
|
||||
manifest: 'package.json',
|
||||
change_type: 'added',
|
||||
ecosystem: 'npm',
|
||||
name: 'Reeuhq',
|
||||
version: '1.0.2',
|
||||
package_url: 'pkg:npm/reeuhq@1.0.2',
|
||||
license: 'MIT',
|
||||
source_repository_url: 'github.com/some-repo',
|
||||
scope: 'runtime',
|
||||
vulnerabilities: [
|
||||
{
|
||||
severity: 'critical',
|
||||
advisory_ghsa_id: 'first-random_string',
|
||||
advisory_summary: 'very dangerous',
|
||||
advisory_url: 'github.com/future-funk'
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
const rubyChange: Change = {
|
||||
change_type: 'added',
|
||||
manifest: 'Gemfile.lock',
|
||||
ecosystem: 'rubygems',
|
||||
name: 'actionsomething',
|
||||
version: '3.2.0',
|
||||
package_url: 'pkg:gem/actionsomething@3.2.0',
|
||||
license: 'BSD',
|
||||
source_repository_url: 'github.com/some-repo',
|
||||
scope: 'runtime',
|
||||
vulnerabilities: [
|
||||
{
|
||||
severity: 'moderate',
|
||||
advisory_ghsa_id: 'second-random_string',
|
||||
advisory_summary: 'not so dangerous',
|
||||
advisory_url: 'github.com/future-funk'
|
||||
},
|
||||
{
|
||||
severity: 'low',
|
||||
advisory_ghsa_id: 'third-random_string',
|
||||
advisory_summary: 'dont page me',
|
||||
advisory_url: 'github.com/future-funk'
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
const pipChange: Change = {
|
||||
change_type: 'added',
|
||||
manifest: 'requirements.txt',
|
||||
ecosystem: 'pip',
|
||||
name: 'package-1',
|
||||
version: '1.1.1',
|
||||
package_url: 'pkg:pypi/package-1@1.1.1',
|
||||
license: 'MIT',
|
||||
source_repository_url: 'github.com/some-repo',
|
||||
scope: 'runtime',
|
||||
vulnerabilities: [
|
||||
{
|
||||
severity: 'moderate',
|
||||
advisory_ghsa_id: 'second-random_string',
|
||||
advisory_summary: 'not so dangerous',
|
||||
advisory_url: 'github.com/future-funk'
|
||||
},
|
||||
{
|
||||
severity: 'low',
|
||||
advisory_ghsa_id: 'third-random_string',
|
||||
advisory_summary: 'dont page me',
|
||||
advisory_url: 'github.com/future-funk'
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
const mvnChange: Change = {
|
||||
change_type: 'added',
|
||||
manifest: 'pom.xml',
|
||||
ecosystem: 'maven',
|
||||
name: 'org.apache.logging.log4j:log4j-core',
|
||||
version: '2.15.0',
|
||||
package_url: 'pkg:maven/org.apache.logging.log4j/log4j-core@2.14.7',
|
||||
license: 'Apache-2.0',
|
||||
source_repository_url:
|
||||
'https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core',
|
||||
scope: 'unknown',
|
||||
vulnerabilities: [
|
||||
{
|
||||
severity: 'critical',
|
||||
advisory_ghsa_id: 'second-random_string',
|
||||
advisory_summary: 'not so dangerous',
|
||||
advisory_url: 'github.com/future-funk'
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
jest.mock('@actions/core')
|
||||
|
||||
@@ -15,11 +108,6 @@ const mockOctokit = {
|
||||
}
|
||||
}
|
||||
|
||||
let npmChange: Change
|
||||
let rubyChange: Change
|
||||
let pipChange: Change
|
||||
let mvnChange: Change
|
||||
|
||||
jest.mock('octokit', () => {
|
||||
return {
|
||||
// eslint-disable-next-line @typescript-eslint/no-extraneous-class
|
||||
@@ -38,84 +126,40 @@ beforeEach(async () => {
|
||||
// true for BSD, false for all others
|
||||
return jest.fn((license: string, _: string): boolean => license === 'BSD')
|
||||
})
|
||||
|
||||
npmChange = createTestChange({ecosystem: 'npm'})
|
||||
rubyChange = createTestChange({ecosystem: 'rubygems'})
|
||||
pipChange = createTestChange({ecosystem: 'pip'})
|
||||
mvnChange = createTestChange({ecosystem: 'maven'})
|
||||
// eslint-disable-next-line @typescript-eslint/no-require-imports
|
||||
;({getDeniedChanges} = require('../src/deny'))
|
||||
})
|
||||
|
||||
test('denies packages from the deny packages list', async () => {
|
||||
test('it adds packages in the deny packages list', async () => {
|
||||
const changes: Changes = [npmChange, rubyChange]
|
||||
const deniedPackages = createTestPURLs(['pkg:gem/actionsomething@3.2.0'])
|
||||
const deniedChanges = await getDeniedChanges(changes, deniedPackages)
|
||||
const deniedChanges = await getDeniedChanges(
|
||||
changes,
|
||||
['pkg:gem/actionsomething'],
|
||||
[]
|
||||
)
|
||||
|
||||
expect(deniedChanges[0]).toBe(rubyChange)
|
||||
expect(deniedChanges.length).toEqual(1)
|
||||
})
|
||||
|
||||
test('denies packages only for the specified version from deny packages list', async () => {
|
||||
const deniedPackageWithDifferentVersion = createTestPURLs([
|
||||
'pkg:npm/lodash@1.2.3'
|
||||
])
|
||||
const changes: Changes = [npmChange]
|
||||
test('it adds packages in the deny group list', async () => {
|
||||
const changes: Changes = [mvnChange, rubyChange]
|
||||
const deniedChanges = await getDeniedChanges(
|
||||
changes,
|
||||
deniedPackageWithDifferentVersion
|
||||
[],
|
||||
['pkg:maven/org.apache.logging.log4j']
|
||||
)
|
||||
|
||||
expect(deniedChanges.length).toEqual(0)
|
||||
})
|
||||
|
||||
test('if no specified version from deny packages list, it will treat package as wildcard and deny all versions', async () => {
|
||||
const changes: Changes = [
|
||||
createTestChange({name: 'lodash', version: '1.2.3'}),
|
||||
createTestChange({name: 'lodash', version: '4.5.6'}),
|
||||
createTestChange({name: 'lodash', version: '7.8.9'})
|
||||
]
|
||||
const denyAllLodashVersions = createTestPURLs(['pkg:npm/lodash'])
|
||||
const deniedChanges = await getDeniedChanges(changes, denyAllLodashVersions)
|
||||
|
||||
expect(deniedChanges.length).toEqual(3)
|
||||
})
|
||||
|
||||
test('denies packages from the deny group list', async () => {
|
||||
const changes: Changes = [mvnChange, rubyChange]
|
||||
const deniedGroups = createTestPURLs(['pkg:maven/org.apache.logging.log4j/'])
|
||||
const deniedChanges = await getDeniedChanges(changes, [], deniedGroups)
|
||||
|
||||
expect(deniedChanges[0]).toBe(mvnChange)
|
||||
expect(deniedChanges.length).toEqual(1)
|
||||
})
|
||||
|
||||
test('denies packages that match the deny group list exactly', async () => {
|
||||
const changes: Changes = [
|
||||
createTestChange({
|
||||
package_url: 'pkg:npm/org.test.pass/pass-this@1.0.0',
|
||||
ecosystem: 'npm'
|
||||
}),
|
||||
createTestChange({
|
||||
package_url: 'pkg:npm/org.test/deny-this@1.0.0',
|
||||
ecosystem: 'npm'
|
||||
})
|
||||
]
|
||||
const deniedGroups = createTestPURLs(['pkg:npm/org.test/'])
|
||||
const deniedChanges = await getDeniedChanges(changes, [], deniedGroups)
|
||||
|
||||
expect(deniedChanges.length).toEqual(1)
|
||||
expect(deniedChanges[0]).toBe(changes[1])
|
||||
})
|
||||
|
||||
test('allows packages not defined in the deny packages and groups list', async () => {
|
||||
test('it adds packages outside of the deny lists', async () => {
|
||||
const changes: Changes = [npmChange, pipChange]
|
||||
const deniedPackages = createTestPURLs([
|
||||
'pkg:gem/package-not-in-changes@1.0.0'
|
||||
])
|
||||
const deniedGroups = createTestPURLs(['pkg:maven/group.not.in.changes/'])
|
||||
const deniedChanges = await getDeniedChanges(
|
||||
changes,
|
||||
deniedPackages,
|
||||
deniedGroups
|
||||
['pkg:gem/actionsomething'],
|
||||
['pkg:maven:org.apache.logging.log4j']
|
||||
)
|
||||
|
||||
expect(deniedChanges.length).toEqual(0)
|
||||
|
||||
@@ -1,9 +1,7 @@
|
||||
import {PackageURL} from 'packageurl-js'
|
||||
import {Change} from '../../src/schemas'
|
||||
import {createTestVulnerability} from './create-test-vulnerability'
|
||||
import {parsePURL} from '../../src/utils'
|
||||
|
||||
const defaultNpmChange: Change = {
|
||||
const defaultChange: Change = {
|
||||
change_type: 'added',
|
||||
manifest: 'package.json',
|
||||
ecosystem: 'npm',
|
||||
@@ -30,98 +28,9 @@ const defaultNpmChange: Change = {
|
||||
]
|
||||
}
|
||||
|
||||
const defaultRubyChange: Change = {
|
||||
change_type: 'added',
|
||||
manifest: 'Gemfile.lock',
|
||||
ecosystem: 'rubygems',
|
||||
name: 'actionsomething',
|
||||
version: '3.2.0',
|
||||
package_url: 'pkg:gem/actionsomething@3.2.0',
|
||||
license: 'BSD',
|
||||
source_repository_url: 'github.com/some-repo',
|
||||
scope: 'runtime',
|
||||
vulnerabilities: [
|
||||
{
|
||||
severity: 'moderate',
|
||||
advisory_ghsa_id: 'second-random_string',
|
||||
advisory_summary: 'not so dangerous',
|
||||
advisory_url: 'github.com/future-funk'
|
||||
},
|
||||
{
|
||||
severity: 'low',
|
||||
advisory_ghsa_id: 'third-random_string',
|
||||
advisory_summary: 'dont page me',
|
||||
advisory_url: 'github.com/future-funk'
|
||||
}
|
||||
]
|
||||
}
|
||||
const createTestChange = (overwrites: Partial<Change> = {}): Change => ({
|
||||
...defaultChange,
|
||||
...overwrites
|
||||
})
|
||||
|
||||
const defaultPipChange: Change = {
|
||||
change_type: 'added',
|
||||
manifest: 'requirements.txt',
|
||||
ecosystem: 'pip',
|
||||
name: 'package-1',
|
||||
version: '1.1.1',
|
||||
package_url: 'pkg:pypi/package-1@1.1.1',
|
||||
license: 'MIT',
|
||||
source_repository_url: 'github.com/some-repo',
|
||||
scope: 'runtime',
|
||||
vulnerabilities: [
|
||||
{
|
||||
severity: 'moderate',
|
||||
advisory_ghsa_id: 'second-random_string',
|
||||
advisory_summary: 'not so dangerous',
|
||||
advisory_url: 'github.com/future-funk'
|
||||
},
|
||||
{
|
||||
severity: 'low',
|
||||
advisory_ghsa_id: 'third-random_string',
|
||||
advisory_summary: 'dont page me',
|
||||
advisory_url: 'github.com/future-funk'
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
const defaultMavenChange: Change = {
|
||||
change_type: 'added',
|
||||
manifest: 'pom.xml',
|
||||
ecosystem: 'maven',
|
||||
name: 'org.apache.logging.log4j:log4j-core',
|
||||
version: '2.15.0',
|
||||
package_url: 'pkg:maven/org.apache.logging.log4j/log4j-core@2.14.7',
|
||||
license: 'Apache-2.0',
|
||||
source_repository_url:
|
||||
'https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core',
|
||||
scope: 'unknown',
|
||||
vulnerabilities: [
|
||||
{
|
||||
severity: 'critical',
|
||||
advisory_ghsa_id: 'second-random_string',
|
||||
advisory_summary: 'not so dangerous',
|
||||
advisory_url: 'github.com/future-funk'
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
const ecosystemToDefaultChange: {[key: string]: Change} = {
|
||||
npm: defaultNpmChange,
|
||||
rubygems: defaultRubyChange,
|
||||
pip: defaultPipChange,
|
||||
maven: defaultMavenChange
|
||||
}
|
||||
|
||||
const createTestChange = (overwrites: Partial<Change> = {}): Change => {
|
||||
const ecosystem = overwrites.ecosystem || 'npm'
|
||||
return {
|
||||
...ecosystemToDefaultChange[ecosystem],
|
||||
...overwrites
|
||||
}
|
||||
}
|
||||
|
||||
const createTestPURLs = (list: string[]): PackageURL[] => {
|
||||
return list.map(purl => {
|
||||
return parsePURL(purl)
|
||||
})
|
||||
}
|
||||
|
||||
export {createTestChange, createTestPURLs}
|
||||
export {createTestChange}
|
||||
|
||||
@@ -22,19 +22,6 @@ const npmChange: Change = {
|
||||
]
|
||||
}
|
||||
|
||||
const actionsChange: Change = {
|
||||
manifest: 'workflow.yml',
|
||||
change_type: 'added',
|
||||
ecosystem: 'actions',
|
||||
name: 'actions/checkout/',
|
||||
version: 'v3',
|
||||
package_url: 'pkg:githubactions/actions@v3',
|
||||
license: 'MIT',
|
||||
source_repository_url: 'null',
|
||||
scope: 'runtime',
|
||||
vulnerabilities: []
|
||||
}
|
||||
|
||||
test('Get scorecard from API', async () => {
|
||||
const changes: Changes = [npmChange]
|
||||
const scorecard = await getScorecardLevels(changes)
|
||||
@@ -51,11 +38,3 @@ test('Get project URL from deps.dev API', async () => {
|
||||
)
|
||||
expect(result).not.toBeNull()
|
||||
})
|
||||
|
||||
test('Handles Actions special case', async () => {
|
||||
const changes: Changes = [actionsChange]
|
||||
const result = await getScorecardLevels(changes)
|
||||
expect(result).not.toBeNull()
|
||||
expect(result.dependencies).toHaveLength(1)
|
||||
expect(result.dependencies[0].scorecard?.score).toBeGreaterThan(0)
|
||||
})
|
||||
|
||||
+8
-11
@@ -1,13 +1,5 @@
|
||||
# IMPORTANT
|
||||
#
|
||||
# Avoid setting default values for configuration options in
|
||||
# this file, they will overwrite external configurations.
|
||||
#
|
||||
# If you are trying to find out the default value for a config
|
||||
# option please take a look at the README or src/schemas.ts.
|
||||
#
|
||||
# If you are adding an option, make sure the Zod definition
|
||||
# contains a default value.
|
||||
# Avoid using default values for options here since they will
|
||||
# end up overriding external configurations.
|
||||
name: 'Dependency Review'
|
||||
description: 'Prevent the introduction of dependencies with known vulnerabilities'
|
||||
author: 'GitHub'
|
||||
@@ -56,7 +48,7 @@ inputs:
|
||||
description: Determines if the summary is posted as a comment in the PR itself. Setting this to `always` or `on-failure` requires you to give the workflow the write permissions for pull-requests
|
||||
required: false
|
||||
deny-packages:
|
||||
description: A comma-separated list of package URLs to deny (e.g. "pkg:npm/express, pkg:pypi/pycrypto"). If version specified, only deny matching packages and version; else, deny all regardless of version.
|
||||
description: A comma-separated list of package URLs to deny (e.g. "pkg:npm/express, pkg:pypi/pycrypto")
|
||||
required: false
|
||||
deny-groups:
|
||||
description: A comma-separated list of package URLs for group(s)/namespace(s) to deny (e.g. "pkg:npm/express, pkg:pypi/pycrypto")
|
||||
@@ -64,18 +56,23 @@ inputs:
|
||||
retry-on-snapshot-warnings:
|
||||
description: Whether to retry on snapshot warnings
|
||||
required: false
|
||||
default: false
|
||||
retry-on-snapshot-warnings-timeout:
|
||||
description: Number of seconds to wait before stopping snapshot retries.
|
||||
required: false
|
||||
default: 120
|
||||
warn-only:
|
||||
description: When set to `true` this action will always complete with success, overriding the `fail-on-severity` parameter.
|
||||
required: false
|
||||
default: false
|
||||
show-openssf-scorecard:
|
||||
description: Show a summary of the OpenSSF Scorecard scores.
|
||||
required: false
|
||||
default: true
|
||||
warn-on-openssf-scorecard-level:
|
||||
description: Numeric threshold for the OpenSSF Scorecard score. If the score is below this threshold, the action will warn you.
|
||||
required: false
|
||||
default: 3
|
||||
outputs:
|
||||
comment-content:
|
||||
description: Prepared dependency report comment
|
||||
|
||||
+60
-109
@@ -106,8 +106,8 @@ function commentPr(summary, config) {
|
||||
}
|
||||
exports.commentPr = commentPr;
|
||||
function findCommentByMarker(commentBodyIncludes) {
|
||||
var _a, e_1, _b, _c;
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
var _a, e_1, _b, _c;
|
||||
const commentsIterator = octo.paginate.iterator(octo.rest.issues.listComments, {
|
||||
owner: github.context.repo.owner,
|
||||
repo: github.context.repo.repo,
|
||||
@@ -179,29 +179,31 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
|
||||
Object.defineProperty(exports, "__esModule", ({ value: true }));
|
||||
exports.getDeniedChanges = void 0;
|
||||
const core = __importStar(__nccwpck_require__(2186));
|
||||
const packageurl_js_1 = __nccwpck_require__(8915);
|
||||
function getDeniedChanges(changes_1) {
|
||||
return __awaiter(this, arguments, void 0, function* (changes, deniedPackages = [], deniedGroups = []) {
|
||||
function getDeniedChanges(changes, deniedPackages, deniedGroups) {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
const changesDenied = [];
|
||||
let hasDeniedPackage = false;
|
||||
let failed = false;
|
||||
for (const change of changes) {
|
||||
const changedPackage = packageurl_js_1.PackageURL.fromString(change.package_url);
|
||||
for (const denied of deniedPackages) {
|
||||
if ((!denied.version || changedPackage.version === denied.version) &&
|
||||
changedPackage.name === denied.name) {
|
||||
changesDenied.push(change);
|
||||
hasDeniedPackage = true;
|
||||
change.name = change.name.toLowerCase();
|
||||
const packageUrl = change.package_url.toLowerCase().split('@')[0];
|
||||
if (deniedPackages) {
|
||||
for (const denied of deniedPackages) {
|
||||
if (packageUrl === denied.split('@')[0].toLowerCase()) {
|
||||
changesDenied.push(change);
|
||||
failed = true;
|
||||
}
|
||||
}
|
||||
}
|
||||
for (const denied of deniedGroups) {
|
||||
if (changedPackage.namespace &&
|
||||
changedPackage.namespace === denied.namespace) {
|
||||
changesDenied.push(change);
|
||||
hasDeniedPackage = true;
|
||||
if (deniedGroups) {
|
||||
for (const denied of deniedGroups) {
|
||||
if (packageUrl.startsWith(denied.toLowerCase())) {
|
||||
changesDenied.push(change);
|
||||
failed = true;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
if (hasDeniedPackage) {
|
||||
if (failed) {
|
||||
core.setFailed('Dependency review detected denied packages.');
|
||||
}
|
||||
else {
|
||||
@@ -261,8 +263,8 @@ const schemas_1 = __nccwpck_require__(8774);
|
||||
const retryingOctokit = githubUtils.GitHub.plugin(retry.retry);
|
||||
const SnapshotWarningsHeader = 'x-github-dependency-graph-snapshot-warnings';
|
||||
const octo = new retryingOctokit(githubUtils.getOctokitOptions(core.getInput('repo-token', { required: true })));
|
||||
function compare(_a) {
|
||||
return __awaiter(this, arguments, void 0, function* ({ owner, repo, baseRef, headRef }) {
|
||||
function compare({ owner, repo, baseRef, headRef }) {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
let snapshot_warnings = '';
|
||||
const changes = yield octo.paginate({
|
||||
method: 'GET',
|
||||
@@ -356,8 +358,8 @@ const spdx_satisfies_1 = __importDefault(__nccwpck_require__(4424));
|
||||
const utils_1 = __nccwpck_require__(918);
|
||||
const packageurl_js_1 = __nccwpck_require__(8915);
|
||||
function getInvalidLicenseChanges(changes, licenses) {
|
||||
var _a;
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
var _a;
|
||||
const { allow, deny } = licenses;
|
||||
const licenseExclusions = (_a = licenses.licenseExclusions) === null || _a === void 0 ? void 0 : _a.map((pkgUrl) => {
|
||||
return packageurl_js_1.PackageURL.fromString(encodeURI(pkgUrl));
|
||||
@@ -811,8 +813,8 @@ function printDeniedDependencies(changes, config) {
|
||||
}));
|
||||
}
|
||||
function createScorecardWarnings(scorecards, config) {
|
||||
var _a, _b, _c;
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
var _a, _b, _c;
|
||||
// Iterate through the list of scorecards, and if the score is less than the threshold, send a warning
|
||||
for (const dependency of scorecards.dependencies) {
|
||||
if (((_a = dependency.scorecard) === null || _a === void 0 ? void 0 : _a.score) &&
|
||||
@@ -860,13 +862,9 @@ var __importStar = (this && this.__importStar) || function (mod) {
|
||||
Object.defineProperty(exports, "__esModule", ({ value: true }));
|
||||
exports.ScorecardSchema = exports.ScorecardApiSchema = exports.ComparisonResponseSchema = exports.ChangesSchema = exports.ConfigurationOptionsSchema = exports.PullRequestSchema = exports.ChangeSchema = exports.SeveritySchema = exports.SCOPES = exports.SEVERITIES = void 0;
|
||||
const z = __importStar(__nccwpck_require__(3301));
|
||||
const utils_1 = __nccwpck_require__(918);
|
||||
exports.SEVERITIES = ['critical', 'high', 'moderate', 'low'];
|
||||
exports.SCOPES = ['unknown', 'runtime', 'development'];
|
||||
exports.SeveritySchema = z.enum(exports.SEVERITIES).default('low');
|
||||
const PackageURL = z.string().transform(purlString => {
|
||||
return (0, utils_1.parsePURL)(purlString);
|
||||
});
|
||||
exports.ChangeSchema = z.object({
|
||||
change_type: z.enum(['added', 'removed']),
|
||||
manifest: z.string(),
|
||||
@@ -900,8 +898,8 @@ exports.ConfigurationOptionsSchema = z
|
||||
deny_licenses: z.array(z.string()).optional(),
|
||||
allow_dependencies_licenses: z.array(z.string()).optional(),
|
||||
allow_ghsas: z.array(z.string()).default([]),
|
||||
deny_packages: z.array(PackageURL).default([]),
|
||||
deny_groups: z.array(PackageURL).default([]),
|
||||
deny_packages: z.array(z.string()).default([]),
|
||||
deny_groups: z.array(z.string()).default([]),
|
||||
license_check: z.boolean().default(true),
|
||||
vulnerability_check: z.boolean().default(true),
|
||||
config_file: z.string().optional(),
|
||||
@@ -1045,15 +1043,8 @@ function getScorecardLevels(changes) {
|
||||
if (repositoryUrl === null || repositoryUrl === void 0 ? void 0 : repositoryUrl.startsWith('https://')) {
|
||||
repositoryUrl = repositoryUrl.replace('https://', '');
|
||||
}
|
||||
// Handle the special case for GitHub Actions, where the repository URL is null
|
||||
if (ecosystem === 'actions') {
|
||||
// The package name for GitHub Actions in the API is in the format `owner/repo/`, so we can use that to get the repository URL
|
||||
// If the package name has more than 2 slashes, it's referencing a sub-action, and we need to strip the last part out
|
||||
const parts = packageName.split('/');
|
||||
repositoryUrl = `github.com/${parts[0]}/${parts[1]}`; // e.g. github.com/actions/checkout
|
||||
}
|
||||
// If GitHub API doesn't have the repository URL, query deps.dev for it.
|
||||
if (!repositoryUrl) {
|
||||
if (repositoryUrl) {
|
||||
// Call the deps.dev API to get the repository URL from there
|
||||
repositoryUrl = yield getProjectUrl(ecosystem, packageName, version);
|
||||
}
|
||||
@@ -1078,7 +1069,7 @@ function getScorecardLevels(changes) {
|
||||
exports.getScorecardLevels = getScorecardLevels;
|
||||
function getScorecard(repositoryUrl) {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
const apiRoot = 'https://api.securityscorecards.dev';
|
||||
const apiRoot = 'https://api.securityscorecards.dev/';
|
||||
let scorecardResponse = {};
|
||||
const url = `${apiRoot}/projects/${repositoryUrl}`;
|
||||
const response = yield fetch(url);
|
||||
@@ -1186,7 +1177,7 @@ function addSummaryToSummary(vulnerableChanges, invalidLicenseChanges, deniedCha
|
||||
: []),
|
||||
...(deniedChanges.length > 0
|
||||
? [
|
||||
`${checkOrFailIcon(deniedChanges.length)} ${deniedChanges.length} package(s) denied.`
|
||||
`${checkOrWarnIcon(deniedChanges.length)} ${deniedChanges.length} package(s) denied.`
|
||||
]
|
||||
: []),
|
||||
...(config.show_openssf_scorecard && scorecardWarnings > 0
|
||||
@@ -1360,7 +1351,7 @@ function addScorecardToSummary(scorecard, config) {
|
||||
: ':green_circle:';
|
||||
}
|
||||
//Add a row for the dependency
|
||||
core.summary.addRaw(`<tr><td>${dependency.change.source_repository_url ? `<a href="${dependency.change.source_repository_url}">` : ''} ${dependency.change.ecosystem}/${dependency.change.name} ${dependency.change.source_repository_url ? `</a>` : ''}</td><td>${dependency.change.version}</td>
|
||||
core.summary.addRaw(`<tr><td>${dependency.change.source_repository_url ? `<a href="https://${dependency.change.source_repository_url}">` : ''} ${dependency.change.ecosystem}/${dependency.change.name} ${dependency.change.source_repository_url ? `</a>` : ''}</td><td>${dependency.change.version}</td>
|
||||
<td>${overallIcon} ${((_d = dependency.scorecard) === null || _d === void 0 ? void 0 : _d.score) === undefined || ((_e = dependency.scorecard) === null || _e === void 0 ? void 0 : _e.score) === null ? 'Unknown' : (_f = dependency.scorecard) === null || _f === void 0 ? void 0 : _f.score}</td>`, false);
|
||||
//Add details table in the last column
|
||||
if (((_g = dependency.scorecard) === null || _g === void 0 ? void 0 : _g.checks) !== undefined) {
|
||||
@@ -1455,11 +1446,10 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
|
||||
return (mod && mod.__esModule) ? mod : { "default": mod };
|
||||
};
|
||||
Object.defineProperty(exports, "__esModule", ({ value: true }));
|
||||
exports.parsePURL = exports.octokitClient = exports.isSPDXValid = exports.renderUrl = exports.getManifestsSet = exports.groupDependenciesByManifest = void 0;
|
||||
exports.octokitClient = exports.isSPDXValid = exports.renderUrl = exports.getManifestsSet = exports.groupDependenciesByManifest = void 0;
|
||||
const core = __importStar(__nccwpck_require__(2186));
|
||||
const octokit_1 = __nccwpck_require__(7467);
|
||||
const spdx_expression_parse_1 = __importDefault(__nccwpck_require__(1620));
|
||||
const packageurl_js_1 = __nccwpck_require__(8915);
|
||||
function groupDependenciesByManifest(changes) {
|
||||
var _a;
|
||||
const dependencies = new Map();
|
||||
@@ -1519,23 +1509,6 @@ function octokitClient(token = 'repo-token', required = true) {
|
||||
return new octokit_1.Octokit(opts);
|
||||
}
|
||||
exports.octokitClient = octokitClient;
|
||||
const parsePURL = (purlString) => {
|
||||
try {
|
||||
return packageurl_js_1.PackageURL.fromString(purlString);
|
||||
}
|
||||
catch (error) {
|
||||
if (error.message ===
|
||||
`purl is missing the required "name" component.`) {
|
||||
//packageurl-js does not support empty names, so will manually override it for deny-groups
|
||||
//https://github.com/package-url/packageurl-js/blob/master/src/package-url.js#L216
|
||||
const purl = packageurl_js_1.PackageURL.fromString(`${purlString}TEMP_NAME`);
|
||||
purl.name = '';
|
||||
return purl;
|
||||
}
|
||||
throw error;
|
||||
}
|
||||
};
|
||||
exports.parsePURL = parsePURL;
|
||||
|
||||
|
||||
/***/ }),
|
||||
@@ -5420,11 +5393,11 @@ __export(dist_src_exports, {
|
||||
module.exports = __toCommonJS(dist_src_exports);
|
||||
var import_universal_user_agent = __nccwpck_require__(5030);
|
||||
var import_request = __nccwpck_require__(6234);
|
||||
var import_auth_oauth_app = __nccwpck_require__(8459);
|
||||
var import_auth_oauth_app = __nccwpck_require__(4098);
|
||||
|
||||
// pkg/dist-src/auth.js
|
||||
var import_deprecation = __nccwpck_require__(8932);
|
||||
var OAuthAppAuth = __toESM(__nccwpck_require__(8459));
|
||||
var OAuthAppAuth = __toESM(__nccwpck_require__(4098));
|
||||
|
||||
// pkg/dist-src/get-app-authentication.js
|
||||
var import_universal_github_app_jwt = __nccwpck_require__(4419);
|
||||
@@ -5872,7 +5845,7 @@ function createAppAuth(options) {
|
||||
|
||||
/***/ }),
|
||||
|
||||
/***/ 8459:
|
||||
/***/ 4098:
|
||||
/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => {
|
||||
|
||||
"use strict";
|
||||
@@ -7382,7 +7355,7 @@ __export(dist_src_exports, {
|
||||
unknownRouteResponse: () => unknownRouteResponse
|
||||
});
|
||||
module.exports = __toCommonJS(dist_src_exports);
|
||||
var import_auth_oauth_app = __nccwpck_require__(8459);
|
||||
var import_auth_oauth_app = __nccwpck_require__(4098);
|
||||
|
||||
// pkg/dist-src/version.js
|
||||
var VERSION = "6.0.0";
|
||||
@@ -7470,7 +7443,7 @@ function getWebFlowAuthorizationUrlWithState(state, options) {
|
||||
}
|
||||
|
||||
// pkg/dist-src/methods/create-token.js
|
||||
var OAuthAppAuth = __toESM(__nccwpck_require__(8459));
|
||||
var OAuthAppAuth = __toESM(__nccwpck_require__(4098));
|
||||
async function createTokenWithState(state, options) {
|
||||
const authentication = await state.octokit.auth({
|
||||
type: "oauth-user",
|
||||
@@ -19451,7 +19424,7 @@ const { MAX_LENGTH, MAX_SAFE_INTEGER } = __nccwpck_require__(2293)
|
||||
const { safeRe: re, t } = __nccwpck_require__(9523)
|
||||
|
||||
const parseOptions = __nccwpck_require__(785)
|
||||
const { compareIdentifiers } = __nccwpck_require__(2463)
|
||||
const { compareIdentifiers } = __nccwpck_require__(5865)
|
||||
class SemVer {
|
||||
constructor (version, options) {
|
||||
options = parseOptions(options)
|
||||
@@ -19824,7 +19797,7 @@ module.exports = cmp
|
||||
|
||||
/***/ }),
|
||||
|
||||
/***/ 3466:
|
||||
/***/ 5280:
|
||||
/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => {
|
||||
|
||||
const SemVer = __nccwpck_require__(9087)
|
||||
@@ -20210,7 +20183,7 @@ module.exports = valid
|
||||
const internalRe = __nccwpck_require__(9523)
|
||||
const constants = __nccwpck_require__(2293)
|
||||
const SemVer = __nccwpck_require__(9087)
|
||||
const identifiers = __nccwpck_require__(2463)
|
||||
const identifiers = __nccwpck_require__(5865)
|
||||
const parse = __nccwpck_require__(5925)
|
||||
const valid = __nccwpck_require__(9601)
|
||||
const clean = __nccwpck_require__(8848)
|
||||
@@ -20233,7 +20206,7 @@ const neq = __nccwpck_require__(6017)
|
||||
const gte = __nccwpck_require__(5930)
|
||||
const lte = __nccwpck_require__(7520)
|
||||
const cmp = __nccwpck_require__(5098)
|
||||
const coerce = __nccwpck_require__(3466)
|
||||
const coerce = __nccwpck_require__(5280)
|
||||
const Comparator = __nccwpck_require__(1532)
|
||||
const Range = __nccwpck_require__(9828)
|
||||
const satisfies = __nccwpck_require__(6055)
|
||||
@@ -20357,7 +20330,7 @@ module.exports = debug
|
||||
|
||||
/***/ }),
|
||||
|
||||
/***/ 2463:
|
||||
/***/ 5865:
|
||||
/***/ ((module) => {
|
||||
|
||||
const numeric = /^[0-9]+$/
|
||||
@@ -50041,13 +50014,9 @@ var __importStar = (this && this.__importStar) || function (mod) {
|
||||
Object.defineProperty(exports, "__esModule", ({ value: true }));
|
||||
exports.ScorecardSchema = exports.ScorecardApiSchema = exports.ComparisonResponseSchema = exports.ChangesSchema = exports.ConfigurationOptionsSchema = exports.PullRequestSchema = exports.ChangeSchema = exports.SeveritySchema = exports.SCOPES = exports.SEVERITIES = void 0;
|
||||
const z = __importStar(__nccwpck_require__(3301));
|
||||
const utils_1 = __nccwpck_require__(1314);
|
||||
exports.SEVERITIES = ['critical', 'high', 'moderate', 'low'];
|
||||
exports.SCOPES = ['unknown', 'runtime', 'development'];
|
||||
exports.SeveritySchema = z.enum(exports.SEVERITIES).default('low');
|
||||
const PackageURL = z.string().transform(purlString => {
|
||||
return (0, utils_1.parsePURL)(purlString);
|
||||
});
|
||||
exports.ChangeSchema = z.object({
|
||||
change_type: z.enum(['added', 'removed']),
|
||||
manifest: z.string(),
|
||||
@@ -50081,8 +50050,8 @@ exports.ConfigurationOptionsSchema = z
|
||||
deny_licenses: z.array(z.string()).optional(),
|
||||
allow_dependencies_licenses: z.array(z.string()).optional(),
|
||||
allow_ghsas: z.array(z.string()).default([]),
|
||||
deny_packages: z.array(PackageURL).default([]),
|
||||
deny_groups: z.array(PackageURL).default([]),
|
||||
deny_packages: z.array(z.string()).default([]),
|
||||
deny_groups: z.array(z.string()).default([]),
|
||||
license_check: z.boolean().default(true),
|
||||
vulnerability_check: z.boolean().default(true),
|
||||
config_file: z.string().optional(),
|
||||
@@ -50205,11 +50174,10 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
|
||||
return (mod && mod.__esModule) ? mod : { "default": mod };
|
||||
};
|
||||
Object.defineProperty(exports, "__esModule", ({ value: true }));
|
||||
exports.parsePURL = exports.octokitClient = exports.isSPDXValid = exports.renderUrl = exports.getManifestsSet = exports.groupDependenciesByManifest = void 0;
|
||||
exports.octokitClient = exports.isSPDXValid = exports.renderUrl = exports.getManifestsSet = exports.groupDependenciesByManifest = void 0;
|
||||
const core = __importStar(__nccwpck_require__(2186));
|
||||
const octokit_1 = __nccwpck_require__(7467);
|
||||
const spdx_expression_parse_1 = __importDefault(__nccwpck_require__(1620));
|
||||
const packageurl_js_1 = __nccwpck_require__(8915);
|
||||
function groupDependenciesByManifest(changes) {
|
||||
var _a;
|
||||
const dependencies = new Map();
|
||||
@@ -50269,23 +50237,6 @@ function octokitClient(token = 'repo-token', required = true) {
|
||||
return new octokit_1.Octokit(opts);
|
||||
}
|
||||
exports.octokitClient = octokitClient;
|
||||
const parsePURL = (purlString) => {
|
||||
try {
|
||||
return packageurl_js_1.PackageURL.fromString(purlString);
|
||||
}
|
||||
catch (error) {
|
||||
if (error.message ===
|
||||
`purl is missing the required "name" component.`) {
|
||||
//packageurl-js does not support empty names, so will manually override it for deny-groups
|
||||
//https://github.com/package-url/packageurl-js/blob/master/src/package-url.js#L216
|
||||
const purl = packageurl_js_1.PackageURL.fromString(`${purlString}TEMP_NAME`);
|
||||
purl.name = '';
|
||||
return purl;
|
||||
}
|
||||
throw error;
|
||||
}
|
||||
};
|
||||
exports.parsePURL = parsePURL;
|
||||
|
||||
|
||||
/***/ }),
|
||||
@@ -53675,13 +53626,13 @@ exports.mapIncludes = mapIncludes;
|
||||
|
||||
|
||||
var Alias = __nccwpck_require__(5639);
|
||||
var Collection = __nccwpck_require__(2240);
|
||||
var Collection = __nccwpck_require__(3466);
|
||||
var identity = __nccwpck_require__(5589);
|
||||
var Pair = __nccwpck_require__(246);
|
||||
var toJS = __nccwpck_require__(979);
|
||||
var toJS = __nccwpck_require__(2463);
|
||||
var Schema = __nccwpck_require__(6831);
|
||||
var stringifyDocument = __nccwpck_require__(5225);
|
||||
var anchors = __nccwpck_require__(2723);
|
||||
var anchors = __nccwpck_require__(8459);
|
||||
var applyReviver = __nccwpck_require__(3412);
|
||||
var createNode = __nccwpck_require__(9652);
|
||||
var directives = __nccwpck_require__(5400);
|
||||
@@ -54012,7 +53963,7 @@ exports.Document = Document;
|
||||
|
||||
/***/ }),
|
||||
|
||||
/***/ 2723:
|
||||
/***/ 8459:
|
||||
/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => {
|
||||
|
||||
"use strict";
|
||||
@@ -54607,11 +54558,11 @@ exports.warn = warn;
|
||||
"use strict";
|
||||
|
||||
|
||||
var anchors = __nccwpck_require__(2723);
|
||||
var anchors = __nccwpck_require__(8459);
|
||||
var visit = __nccwpck_require__(6796);
|
||||
var identity = __nccwpck_require__(5589);
|
||||
var Node = __nccwpck_require__(1399);
|
||||
var toJS = __nccwpck_require__(979);
|
||||
var toJS = __nccwpck_require__(2463);
|
||||
|
||||
class Alias extends Node.NodeBase {
|
||||
constructor(source) {
|
||||
@@ -54712,7 +54663,7 @@ exports.Alias = Alias;
|
||||
|
||||
/***/ }),
|
||||
|
||||
/***/ 2240:
|
||||
/***/ 3466:
|
||||
/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => {
|
||||
|
||||
"use strict";
|
||||
@@ -54880,7 +54831,7 @@ exports.isEmptyPath = isEmptyPath;
|
||||
|
||||
var applyReviver = __nccwpck_require__(3412);
|
||||
var identity = __nccwpck_require__(5589);
|
||||
var toJS = __nccwpck_require__(979);
|
||||
var toJS = __nccwpck_require__(2463);
|
||||
|
||||
class NodeBase {
|
||||
constructor(type) {
|
||||
@@ -54975,7 +54926,7 @@ exports.createPair = createPair;
|
||||
|
||||
var identity = __nccwpck_require__(5589);
|
||||
var Node = __nccwpck_require__(1399);
|
||||
var toJS = __nccwpck_require__(979);
|
||||
var toJS = __nccwpck_require__(2463);
|
||||
|
||||
const isScalarValue = (value) => !value || (typeof value !== 'function' && typeof value !== 'object');
|
||||
class Scalar extends Node.NodeBase {
|
||||
@@ -55010,7 +54961,7 @@ exports.isScalarValue = isScalarValue;
|
||||
|
||||
var stringifyCollection = __nccwpck_require__(2466);
|
||||
var addPairToJSMap = __nccwpck_require__(4676);
|
||||
var Collection = __nccwpck_require__(2240);
|
||||
var Collection = __nccwpck_require__(3466);
|
||||
var identity = __nccwpck_require__(5589);
|
||||
var Pair = __nccwpck_require__(246);
|
||||
var Scalar = __nccwpck_require__(9338);
|
||||
@@ -55165,10 +55116,10 @@ exports.findPair = findPair;
|
||||
|
||||
var createNode = __nccwpck_require__(9652);
|
||||
var stringifyCollection = __nccwpck_require__(2466);
|
||||
var Collection = __nccwpck_require__(2240);
|
||||
var Collection = __nccwpck_require__(3466);
|
||||
var identity = __nccwpck_require__(5589);
|
||||
var Scalar = __nccwpck_require__(9338);
|
||||
var toJS = __nccwpck_require__(979);
|
||||
var toJS = __nccwpck_require__(2463);
|
||||
|
||||
class YAMLSeq extends Collection.Collection {
|
||||
static get tagName() {
|
||||
@@ -55290,7 +55241,7 @@ var log = __nccwpck_require__(6909);
|
||||
var stringify = __nccwpck_require__(8409);
|
||||
var identity = __nccwpck_require__(5589);
|
||||
var Scalar = __nccwpck_require__(9338);
|
||||
var toJS = __nccwpck_require__(979);
|
||||
var toJS = __nccwpck_require__(2463);
|
||||
|
||||
const MERGE_KEY = '<<';
|
||||
function addPairToJSMap(ctx, map, { key, value }) {
|
||||
@@ -55455,7 +55406,7 @@ exports.isSeq = isSeq;
|
||||
|
||||
/***/ }),
|
||||
|
||||
/***/ 979:
|
||||
/***/ 2463:
|
||||
/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => {
|
||||
|
||||
"use strict";
|
||||
@@ -58606,7 +58557,7 @@ exports.intOct = intOct;
|
||||
|
||||
|
||||
var identity = __nccwpck_require__(5589);
|
||||
var toJS = __nccwpck_require__(979);
|
||||
var toJS = __nccwpck_require__(2463);
|
||||
var YAMLMap = __nccwpck_require__(6011);
|
||||
var YAMLSeq = __nccwpck_require__(5161);
|
||||
var pairs = __nccwpck_require__(9841);
|
||||
@@ -59192,7 +59143,7 @@ exports.foldFlowLines = foldFlowLines;
|
||||
"use strict";
|
||||
|
||||
|
||||
var anchors = __nccwpck_require__(2723);
|
||||
var anchors = __nccwpck_require__(8459);
|
||||
var identity = __nccwpck_require__(5589);
|
||||
var stringifyComment = __nccwpck_require__(5182);
|
||||
var stringifyString = __nccwpck_require__(6226);
|
||||
@@ -59327,7 +59278,7 @@ exports.stringify = stringify;
|
||||
"use strict";
|
||||
|
||||
|
||||
var Collection = __nccwpck_require__(2240);
|
||||
var Collection = __nccwpck_require__(3466);
|
||||
var identity = __nccwpck_require__(5589);
|
||||
var stringify = __nccwpck_require__(8409);
|
||||
var stringifyComment = __nccwpck_require__(5182);
|
||||
|
||||
+1
-1
File diff suppressed because one or more lines are too long
+4
-5
@@ -167,7 +167,7 @@ jobs:
|
||||
## Getting the results of the action in a later step
|
||||
|
||||
- `comment-content` contains the output of the results comment for the entire run.
|
||||
`dependency-changes`, `vulnerable-changes`, `invalid-license-changes` and `denied-changes` are all JSON objects that allow you to access individual sets of changes.
|
||||
`dependency-changes`, `vulnerable-changes`, `invalid-license-changes` and `denied-changes` are all JSON objects that allow you to access individual sets of changes.
|
||||
|
||||
```yaml
|
||||
name: 'Dependency Review'
|
||||
@@ -276,11 +276,10 @@ jobs:
|
||||
|
||||
## Exclude dependencies from their name or groups
|
||||
|
||||
With the `deny-packages` option, you can exclude dependencies based on their PURL (Package URL). If a specific version is provided, the action will deny packages matching that version. When no version is specified, the action treats it as a wildcard, denying all matching packages regardless of version. Multiple values can be added, separated by commas.
|
||||
|
||||
Using the `deny-packages` option you can exclude dependencies by their PURL. You can add multiple values separated by a commas.
|
||||
Using the `deny-groups` option you can exclude dependencies by their group name/namespace. You can add multiple values separated by a comma.
|
||||
|
||||
In this example, we are excluding all versions of `pkg:maven/org.apache.logging.log4j:log4j-api` and only `2.23.0` of log4j-core `pkg:maven/org.apache.logging.log4j/log4j-core@2.23.0` from `maven` and all packages in the group `pkg:maven/com.bazaarvoice.maven`
|
||||
In this example, we are excluding `pkg:maven/org.apache.logging.log4j:log4j-api` and `pkg:maven/org.apache.logging.log4j/log4j-core` from `maven` and all packages in the group `pkg:maven/com.bazaarvoice.maven`
|
||||
|
||||
```yaml
|
||||
name: 'Dependency Review'
|
||||
@@ -299,7 +298,7 @@ jobs:
|
||||
- name: 'Dependency Review'
|
||||
uses: actions/dependency-review-action@v4
|
||||
with:
|
||||
deny-packages: 'pkg:maven/org.apache.logging.log4j/log4j-api,pkg:maven/org.apache.logging.log4j/log4j-core@2.23.0'
|
||||
deny-packages: 'pkg:maven/org.apache.logging.log4j/log4j-api,pkg:maven/org.apache.logging.log4j/log4j-core'
|
||||
deny-groups: 'pkg:maven/com.bazaarvoice.jolt'
|
||||
```
|
||||
|
||||
|
||||
Generated
+29
-243
@@ -1,12 +1,12 @@
|
||||
{
|
||||
"name": "dependency-review-action",
|
||||
"version": "4.3.0",
|
||||
"version": "4.2.3",
|
||||
"lockfileVersion": 3,
|
||||
"requires": true,
|
||||
"packages": {
|
||||
"": {
|
||||
"name": "dependency-review-action",
|
||||
"version": "4.3.0",
|
||||
"version": "4.2.3",
|
||||
"license": "MIT",
|
||||
"dependencies": {
|
||||
"@actions/core": "^1.10.1",
|
||||
@@ -33,14 +33,14 @@
|
||||
"@typescript-eslint/parser": "^6.21.0",
|
||||
"@vercel/ncc": "^0.38.0",
|
||||
"esbuild-register": "^3.5.0",
|
||||
"eslint": "^8.57.0",
|
||||
"eslint-plugin-github": "^4.10.2",
|
||||
"eslint": "^8.56.0",
|
||||
"eslint-plugin-github": "^4.10.1",
|
||||
"eslint-plugin-jest": "^27.9.0",
|
||||
"eslint-plugin-prettier": "^5.1.3",
|
||||
"js-yaml": "^4.1.0",
|
||||
"nodemon": "^3.1.0",
|
||||
"prettier": "3.2.5",
|
||||
"typescript": "^5.4.5"
|
||||
"typescript": "^5.3.3"
|
||||
}
|
||||
},
|
||||
"node_modules/@aashutoshrathi/word-wrap": {
|
||||
@@ -1096,9 +1096,9 @@
|
||||
}
|
||||
},
|
||||
"node_modules/@eslint/js": {
|
||||
"version": "8.57.0",
|
||||
"resolved": "https://registry.npmjs.org/@eslint/js/-/js-8.57.0.tgz",
|
||||
"integrity": "sha512-Ys+3g2TaW7gADOJzPt83SJtCDhMjndcDMFVQ/Tj9iA1BfJzFKD9mAUXT3OenpuPHbI6P/myECxRJrofUsDx/5g==",
|
||||
"version": "8.56.0",
|
||||
"resolved": "https://registry.npmjs.org/@eslint/js/-/js-8.56.0.tgz",
|
||||
"integrity": "sha512-gMsVel9D7f2HLkBma9VbtzZRehRogVRfbr++f06nL2vnCGCNlzOD+/MUov/F4p8myyAHspEhVobgjpX64q5m6A==",
|
||||
"dev": true,
|
||||
"engines": {
|
||||
"node": "^12.22.0 || ^14.17.0 || >=16.0.0"
|
||||
@@ -1119,13 +1119,13 @@
|
||||
"dev": true
|
||||
},
|
||||
"node_modules/@humanwhocodes/config-array": {
|
||||
"version": "0.11.14",
|
||||
"resolved": "https://registry.npmjs.org/@humanwhocodes/config-array/-/config-array-0.11.14.tgz",
|
||||
"integrity": "sha512-3T8LkOmg45BV5FICb15QQMsyUSWrQ8AygVfC7ZG32zOalnqrilm018ZVCw0eapXux8FtA33q8PSRSstjee3jSg==",
|
||||
"version": "0.11.13",
|
||||
"resolved": "https://registry.npmjs.org/@humanwhocodes/config-array/-/config-array-0.11.13.tgz",
|
||||
"integrity": "sha512-JSBDMiDKSzQVngfRjOdFXgFfklaXI4K9nLF49Auh21lmBWRLIK3+xTErTWD4KU54pb6coM6ESE7Awz/FNU3zgQ==",
|
||||
"dev": true,
|
||||
"dependencies": {
|
||||
"@humanwhocodes/object-schema": "^2.0.2",
|
||||
"debug": "^4.3.1",
|
||||
"@humanwhocodes/object-schema": "^2.0.1",
|
||||
"debug": "^4.1.1",
|
||||
"minimatch": "^3.0.5"
|
||||
},
|
||||
"engines": {
|
||||
@@ -1146,9 +1146,9 @@
|
||||
}
|
||||
},
|
||||
"node_modules/@humanwhocodes/object-schema": {
|
||||
"version": "2.0.2",
|
||||
"resolved": "https://registry.npmjs.org/@humanwhocodes/object-schema/-/object-schema-2.0.2.tgz",
|
||||
"integrity": "sha512-6EwiSjwWYP7pTckG6I5eyFANjPhmPjUX9JRLUSfNPC7FX7zK9gyZAfUEaECL6ALTpGX5AjnBq3C9XmVWPitNpw==",
|
||||
"version": "2.0.1",
|
||||
"resolved": "https://registry.npmjs.org/@humanwhocodes/object-schema/-/object-schema-2.0.1.tgz",
|
||||
"integrity": "sha512-dvuCeX5fC9dXgJn9t+X5atfmgQAzUOWqS1254Gh0m6i8wKd10ebXkfNKiRK+1GWi/yTvvLDHpoxLr0xxxeslWw==",
|
||||
"dev": true
|
||||
},
|
||||
"node_modules/@istanbuljs/load-nyc-config": {
|
||||
@@ -3542,16 +3542,16 @@
|
||||
}
|
||||
},
|
||||
"node_modules/eslint": {
|
||||
"version": "8.57.0",
|
||||
"resolved": "https://registry.npmjs.org/eslint/-/eslint-8.57.0.tgz",
|
||||
"integrity": "sha512-dZ6+mexnaTIbSBZWgou51U6OmzIhYM2VcNdtiTtI7qPNZm35Akpr0f6vtw3w1Kmn5PYo+tZVfh13WrhpS6oLqQ==",
|
||||
"version": "8.56.0",
|
||||
"resolved": "https://registry.npmjs.org/eslint/-/eslint-8.56.0.tgz",
|
||||
"integrity": "sha512-Go19xM6T9puCOWntie1/P997aXxFsOi37JIHRWI514Hc6ZnaHGKY9xFhrU65RT6CcBEzZoGG1e6Nq+DT04ZtZQ==",
|
||||
"dev": true,
|
||||
"dependencies": {
|
||||
"@eslint-community/eslint-utils": "^4.2.0",
|
||||
"@eslint-community/regexpp": "^4.6.1",
|
||||
"@eslint/eslintrc": "^2.1.4",
|
||||
"@eslint/js": "8.57.0",
|
||||
"@humanwhocodes/config-array": "^0.11.14",
|
||||
"@eslint/js": "8.56.0",
|
||||
"@humanwhocodes/config-array": "^0.11.13",
|
||||
"@humanwhocodes/module-importer": "^1.0.1",
|
||||
"@nodelib/fs.walk": "^1.2.8",
|
||||
"@ungap/structured-clone": "^1.2.0",
|
||||
@@ -3710,14 +3710,14 @@
|
||||
}
|
||||
},
|
||||
"node_modules/eslint-plugin-github": {
|
||||
"version": "4.10.2",
|
||||
"resolved": "https://registry.npmjs.org/eslint-plugin-github/-/eslint-plugin-github-4.10.2.tgz",
|
||||
"integrity": "sha512-F1F5aAFgi1Y5hYoTFzGQACBkw5W1hu2Fu5FSTrMlXqrojJnKl1S2pWO/rprlowRQpt+hzHhqSpsfnodJEVd5QA==",
|
||||
"version": "4.10.1",
|
||||
"resolved": "https://registry.npmjs.org/eslint-plugin-github/-/eslint-plugin-github-4.10.1.tgz",
|
||||
"integrity": "sha512-1AqQBockOM+m0ZUpwfjWtX0lWdX5cRi/hwJnSNvXoOmz/Hh+ULH6QFz6ENWueTWjoWpgPv0af3bj+snps6o4og==",
|
||||
"dev": true,
|
||||
"dependencies": {
|
||||
"@github/browserslist-config": "^1.0.0",
|
||||
"@typescript-eslint/eslint-plugin": "^7.0.1",
|
||||
"@typescript-eslint/parser": "^7.0.1",
|
||||
"@typescript-eslint/eslint-plugin": "^6.0.0",
|
||||
"@typescript-eslint/parser": "^6.0.0",
|
||||
"aria-query": "^5.3.0",
|
||||
"eslint-config-prettier": ">=8.0.0",
|
||||
"eslint-plugin-escompat": "^3.3.3",
|
||||
@@ -3740,220 +3740,6 @@
|
||||
"eslint": "^8.0.1"
|
||||
}
|
||||
},
|
||||
"node_modules/eslint-plugin-github/node_modules/@typescript-eslint/eslint-plugin": {
|
||||
"version": "7.4.0",
|
||||
"resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-7.4.0.tgz",
|
||||
"integrity": "sha512-yHMQ/oFaM7HZdVrVm/M2WHaNPgyuJH4WelkSVEWSSsir34kxW2kDJCxlXRhhGWEsMN0WAW/vLpKfKVcm8k+MPw==",
|
||||
"dev": true,
|
||||
"dependencies": {
|
||||
"@eslint-community/regexpp": "^4.5.1",
|
||||
"@typescript-eslint/scope-manager": "7.4.0",
|
||||
"@typescript-eslint/type-utils": "7.4.0",
|
||||
"@typescript-eslint/utils": "7.4.0",
|
||||
"@typescript-eslint/visitor-keys": "7.4.0",
|
||||
"debug": "^4.3.4",
|
||||
"graphemer": "^1.4.0",
|
||||
"ignore": "^5.2.4",
|
||||
"natural-compare": "^1.4.0",
|
||||
"semver": "^7.5.4",
|
||||
"ts-api-utils": "^1.0.1"
|
||||
},
|
||||
"engines": {
|
||||
"node": "^18.18.0 || >=20.0.0"
|
||||
},
|
||||
"funding": {
|
||||
"type": "opencollective",
|
||||
"url": "https://opencollective.com/typescript-eslint"
|
||||
},
|
||||
"peerDependencies": {
|
||||
"@typescript-eslint/parser": "^7.0.0",
|
||||
"eslint": "^8.56.0"
|
||||
},
|
||||
"peerDependenciesMeta": {
|
||||
"typescript": {
|
||||
"optional": true
|
||||
}
|
||||
}
|
||||
},
|
||||
"node_modules/eslint-plugin-github/node_modules/@typescript-eslint/parser": {
|
||||
"version": "7.4.0",
|
||||
"resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-7.4.0.tgz",
|
||||
"integrity": "sha512-ZvKHxHLusweEUVwrGRXXUVzFgnWhigo4JurEj0dGF1tbcGh6buL+ejDdjxOQxv6ytcY1uhun1p2sm8iWStlgLQ==",
|
||||
"dev": true,
|
||||
"dependencies": {
|
||||
"@typescript-eslint/scope-manager": "7.4.0",
|
||||
"@typescript-eslint/types": "7.4.0",
|
||||
"@typescript-eslint/typescript-estree": "7.4.0",
|
||||
"@typescript-eslint/visitor-keys": "7.4.0",
|
||||
"debug": "^4.3.4"
|
||||
},
|
||||
"engines": {
|
||||
"node": "^18.18.0 || >=20.0.0"
|
||||
},
|
||||
"funding": {
|
||||
"type": "opencollective",
|
||||
"url": "https://opencollective.com/typescript-eslint"
|
||||
},
|
||||
"peerDependencies": {
|
||||
"eslint": "^8.56.0"
|
||||
},
|
||||
"peerDependenciesMeta": {
|
||||
"typescript": {
|
||||
"optional": true
|
||||
}
|
||||
}
|
||||
},
|
||||
"node_modules/eslint-plugin-github/node_modules/@typescript-eslint/scope-manager": {
|
||||
"version": "7.4.0",
|
||||
"resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-7.4.0.tgz",
|
||||
"integrity": "sha512-68VqENG5HK27ypafqLVs8qO+RkNc7TezCduYrx8YJpXq2QGZ30vmNZGJJJC48+MVn4G2dCV8m5ZTVnzRexTVtw==",
|
||||
"dev": true,
|
||||
"dependencies": {
|
||||
"@typescript-eslint/types": "7.4.0",
|
||||
"@typescript-eslint/visitor-keys": "7.4.0"
|
||||
},
|
||||
"engines": {
|
||||
"node": "^18.18.0 || >=20.0.0"
|
||||
},
|
||||
"funding": {
|
||||
"type": "opencollective",
|
||||
"url": "https://opencollective.com/typescript-eslint"
|
||||
}
|
||||
},
|
||||
"node_modules/eslint-plugin-github/node_modules/@typescript-eslint/type-utils": {
|
||||
"version": "7.4.0",
|
||||
"resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-7.4.0.tgz",
|
||||
"integrity": "sha512-247ETeHgr9WTRMqHbbQdzwzhuyaJ8dPTuyuUEMANqzMRB1rj/9qFIuIXK7l0FX9i9FXbHeBQl/4uz6mYuCE7Aw==",
|
||||
"dev": true,
|
||||
"dependencies": {
|
||||
"@typescript-eslint/typescript-estree": "7.4.0",
|
||||
"@typescript-eslint/utils": "7.4.0",
|
||||
"debug": "^4.3.4",
|
||||
"ts-api-utils": "^1.0.1"
|
||||
},
|
||||
"engines": {
|
||||
"node": "^18.18.0 || >=20.0.0"
|
||||
},
|
||||
"funding": {
|
||||
"type": "opencollective",
|
||||
"url": "https://opencollective.com/typescript-eslint"
|
||||
},
|
||||
"peerDependencies": {
|
||||
"eslint": "^8.56.0"
|
||||
},
|
||||
"peerDependenciesMeta": {
|
||||
"typescript": {
|
||||
"optional": true
|
||||
}
|
||||
}
|
||||
},
|
||||
"node_modules/eslint-plugin-github/node_modules/@typescript-eslint/types": {
|
||||
"version": "7.4.0",
|
||||
"resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-7.4.0.tgz",
|
||||
"integrity": "sha512-mjQopsbffzJskos5B4HmbsadSJQWaRK0UxqQ7GuNA9Ga4bEKeiO6b2DnB6cM6bpc8lemaPseh0H9B/wyg+J7rw==",
|
||||
"dev": true,
|
||||
"engines": {
|
||||
"node": "^18.18.0 || >=20.0.0"
|
||||
},
|
||||
"funding": {
|
||||
"type": "opencollective",
|
||||
"url": "https://opencollective.com/typescript-eslint"
|
||||
}
|
||||
},
|
||||
"node_modules/eslint-plugin-github/node_modules/@typescript-eslint/typescript-estree": {
|
||||
"version": "7.4.0",
|
||||
"resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-7.4.0.tgz",
|
||||
"integrity": "sha512-A99j5AYoME/UBQ1ucEbbMEmGkN7SE0BvZFreSnTd1luq7yulcHdyGamZKizU7canpGDWGJ+Q6ZA9SyQobipePg==",
|
||||
"dev": true,
|
||||
"dependencies": {
|
||||
"@typescript-eslint/types": "7.4.0",
|
||||
"@typescript-eslint/visitor-keys": "7.4.0",
|
||||
"debug": "^4.3.4",
|
||||
"globby": "^11.1.0",
|
||||
"is-glob": "^4.0.3",
|
||||
"minimatch": "9.0.3",
|
||||
"semver": "^7.5.4",
|
||||
"ts-api-utils": "^1.0.1"
|
||||
},
|
||||
"engines": {
|
||||
"node": "^18.18.0 || >=20.0.0"
|
||||
},
|
||||
"funding": {
|
||||
"type": "opencollective",
|
||||
"url": "https://opencollective.com/typescript-eslint"
|
||||
},
|
||||
"peerDependenciesMeta": {
|
||||
"typescript": {
|
||||
"optional": true
|
||||
}
|
||||
}
|
||||
},
|
||||
"node_modules/eslint-plugin-github/node_modules/@typescript-eslint/utils": {
|
||||
"version": "7.4.0",
|
||||
"resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-7.4.0.tgz",
|
||||
"integrity": "sha512-NQt9QLM4Tt8qrlBVY9lkMYzfYtNz8/6qwZg8pI3cMGlPnj6mOpRxxAm7BMJN9K0AiY+1BwJ5lVC650YJqYOuNg==",
|
||||
"dev": true,
|
||||
"dependencies": {
|
||||
"@eslint-community/eslint-utils": "^4.4.0",
|
||||
"@types/json-schema": "^7.0.12",
|
||||
"@types/semver": "^7.5.0",
|
||||
"@typescript-eslint/scope-manager": "7.4.0",
|
||||
"@typescript-eslint/types": "7.4.0",
|
||||
"@typescript-eslint/typescript-estree": "7.4.0",
|
||||
"semver": "^7.5.4"
|
||||
},
|
||||
"engines": {
|
||||
"node": "^18.18.0 || >=20.0.0"
|
||||
},
|
||||
"funding": {
|
||||
"type": "opencollective",
|
||||
"url": "https://opencollective.com/typescript-eslint"
|
||||
},
|
||||
"peerDependencies": {
|
||||
"eslint": "^8.56.0"
|
||||
}
|
||||
},
|
||||
"node_modules/eslint-plugin-github/node_modules/@typescript-eslint/visitor-keys": {
|
||||
"version": "7.4.0",
|
||||
"resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-7.4.0.tgz",
|
||||
"integrity": "sha512-0zkC7YM0iX5Y41homUUeW1CHtZR01K3ybjM1l6QczoMuay0XKtrb93kv95AxUGwdjGr64nNqnOCwmEl616N8CA==",
|
||||
"dev": true,
|
||||
"dependencies": {
|
||||
"@typescript-eslint/types": "7.4.0",
|
||||
"eslint-visitor-keys": "^3.4.1"
|
||||
},
|
||||
"engines": {
|
||||
"node": "^18.18.0 || >=20.0.0"
|
||||
},
|
||||
"funding": {
|
||||
"type": "opencollective",
|
||||
"url": "https://opencollective.com/typescript-eslint"
|
||||
}
|
||||
},
|
||||
"node_modules/eslint-plugin-github/node_modules/brace-expansion": {
|
||||
"version": "2.0.1",
|
||||
"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz",
|
||||
"integrity": "sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==",
|
||||
"dev": true,
|
||||
"dependencies": {
|
||||
"balanced-match": "^1.0.0"
|
||||
}
|
||||
},
|
||||
"node_modules/eslint-plugin-github/node_modules/minimatch": {
|
||||
"version": "9.0.3",
|
||||
"resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.3.tgz",
|
||||
"integrity": "sha512-RHiac9mvaRw0x3AYRgDC1CxAP7HTcNrrECeA8YYJeWnpo+2Q5CegtZjaotWTWxDG3UeGA1coE05iH1mPjT/2mg==",
|
||||
"dev": true,
|
||||
"dependencies": {
|
||||
"brace-expansion": "^2.0.1"
|
||||
},
|
||||
"engines": {
|
||||
"node": ">=16 || 14 >=14.17"
|
||||
},
|
||||
"funding": {
|
||||
"url": "https://github.com/sponsors/isaacs"
|
||||
}
|
||||
},
|
||||
"node_modules/eslint-plugin-i18n-text": {
|
||||
"version": "1.0.1",
|
||||
"resolved": "https://registry.npmjs.org/eslint-plugin-i18n-text/-/eslint-plugin-i18n-text-1.0.1.tgz",
|
||||
@@ -7820,9 +7606,9 @@
|
||||
}
|
||||
},
|
||||
"node_modules/typescript": {
|
||||
"version": "5.4.5",
|
||||
"resolved": "https://registry.npmjs.org/typescript/-/typescript-5.4.5.tgz",
|
||||
"integrity": "sha512-vcI4UpRgg81oIRUFwR0WSIHKt11nJ7SAVlYNIu+QpqeyXP+gpQJy/Z4+F0aGxSE4MqwjyXvW/TzgkLAx2AGHwQ==",
|
||||
"version": "5.3.3",
|
||||
"resolved": "https://registry.npmjs.org/typescript/-/typescript-5.3.3.tgz",
|
||||
"integrity": "sha512-pXWcraxM0uxAS+tN0AG/BF2TyqmHO014Z070UsJ+pFvYuRSq8KH8DmWpnbXe0pEPDHXZV3FcAbJkijJ5oNEnWw==",
|
||||
"bin": {
|
||||
"tsc": "bin/tsc",
|
||||
"tsserver": "bin/tsserver"
|
||||
|
||||
+4
-4
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"name": "dependency-review-action",
|
||||
"version": "4.3.0",
|
||||
"version": "4.2.3",
|
||||
"private": true,
|
||||
"description": "A GitHub Action for Dependency Review",
|
||||
"main": "lib/main.js",
|
||||
@@ -49,13 +49,13 @@
|
||||
"@typescript-eslint/parser": "^6.21.0",
|
||||
"@vercel/ncc": "^0.38.0",
|
||||
"esbuild-register": "^3.5.0",
|
||||
"eslint": "^8.57.0",
|
||||
"eslint-plugin-github": "^4.10.2",
|
||||
"eslint": "^8.56.0",
|
||||
"eslint-plugin-github": "^4.10.1",
|
||||
"eslint-plugin-jest": "^27.9.0",
|
||||
"eslint-plugin-prettier": "^5.1.3",
|
||||
"js-yaml": "^4.1.0",
|
||||
"nodemon": "^3.1.0",
|
||||
"prettier": "3.2.5",
|
||||
"typescript": "^5.4.5"
|
||||
"typescript": "^5.3.3"
|
||||
}
|
||||
}
|
||||
|
||||
+19
-21
@@ -1,40 +1,38 @@
|
||||
import * as core from '@actions/core'
|
||||
import {Change} from './schemas'
|
||||
import {PackageURL} from 'packageurl-js'
|
||||
import * as core from '@actions/core'
|
||||
|
||||
export async function getDeniedChanges(
|
||||
changes: Change[],
|
||||
deniedPackages: PackageURL[] = [],
|
||||
deniedGroups: PackageURL[] = []
|
||||
deniedPackages: string[],
|
||||
deniedGroups: string[]
|
||||
): Promise<Change[]> {
|
||||
const changesDenied: Change[] = []
|
||||
|
||||
let hasDeniedPackage = false
|
||||
let failed = false
|
||||
for (const change of changes) {
|
||||
const changedPackage = PackageURL.fromString(change.package_url)
|
||||
change.name = change.name.toLowerCase()
|
||||
const packageUrl = change.package_url.toLowerCase().split('@')[0]
|
||||
|
||||
for (const denied of deniedPackages) {
|
||||
if (
|
||||
(!denied.version || changedPackage.version === denied.version) &&
|
||||
changedPackage.name === denied.name
|
||||
) {
|
||||
changesDenied.push(change)
|
||||
hasDeniedPackage = true
|
||||
if (deniedPackages) {
|
||||
for (const denied of deniedPackages) {
|
||||
if (packageUrl === denied.split('@')[0].toLowerCase()) {
|
||||
changesDenied.push(change)
|
||||
failed = true
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
for (const denied of deniedGroups) {
|
||||
if (
|
||||
changedPackage.namespace &&
|
||||
changedPackage.namespace === denied.namespace
|
||||
) {
|
||||
changesDenied.push(change)
|
||||
hasDeniedPackage = true
|
||||
if (deniedGroups) {
|
||||
for (const denied of deniedGroups) {
|
||||
if (packageUrl.startsWith(denied.toLowerCase())) {
|
||||
changesDenied.push(change)
|
||||
failed = true
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (hasDeniedPackage) {
|
||||
if (failed) {
|
||||
core.setFailed('Dependency review detected denied packages.')
|
||||
} else {
|
||||
core.info('Dependency review did not detect any denied packages')
|
||||
|
||||
+2
-7
@@ -1,15 +1,10 @@
|
||||
import * as z from 'zod'
|
||||
import {parsePURL} from './utils'
|
||||
|
||||
export const SEVERITIES = ['critical', 'high', 'moderate', 'low'] as const
|
||||
export const SCOPES = ['unknown', 'runtime', 'development'] as const
|
||||
|
||||
export const SeveritySchema = z.enum(SEVERITIES).default('low')
|
||||
|
||||
const PackageURL = z.string().transform(purlString => {
|
||||
return parsePURL(purlString)
|
||||
})
|
||||
|
||||
export const ChangeSchema = z.object({
|
||||
change_type: z.enum(['added', 'removed']),
|
||||
manifest: z.string(),
|
||||
@@ -47,8 +42,8 @@ export const ConfigurationOptionsSchema = z
|
||||
deny_licenses: z.array(z.string()).optional(),
|
||||
allow_dependencies_licenses: z.array(z.string()).optional(),
|
||||
allow_ghsas: z.array(z.string()).default([]),
|
||||
deny_packages: z.array(PackageURL).default([]),
|
||||
deny_groups: z.array(PackageURL).default([]),
|
||||
deny_packages: z.array(z.string()).default([]),
|
||||
deny_groups: z.array(z.string()).default([]),
|
||||
license_check: z.boolean().default(true),
|
||||
vulnerability_check: z.boolean().default(true),
|
||||
config_file: z.string().optional(),
|
||||
|
||||
+2
-10
@@ -17,16 +17,8 @@ export async function getScorecardLevels(
|
||||
repositoryUrl = repositoryUrl.replace('https://', '')
|
||||
}
|
||||
|
||||
// Handle the special case for GitHub Actions, where the repository URL is null
|
||||
if (ecosystem === 'actions') {
|
||||
// The package name for GitHub Actions in the API is in the format `owner/repo/`, so we can use that to get the repository URL
|
||||
// If the package name has more than 2 slashes, it's referencing a sub-action, and we need to strip the last part out
|
||||
const parts = packageName.split('/')
|
||||
repositoryUrl = `github.com/${parts[0]}/${parts[1]}` // e.g. github.com/actions/checkout
|
||||
}
|
||||
|
||||
// If GitHub API doesn't have the repository URL, query deps.dev for it.
|
||||
if (!repositoryUrl) {
|
||||
if (repositoryUrl) {
|
||||
// Call the deps.dev API to get the repository URL from there
|
||||
repositoryUrl = await getProjectUrl(ecosystem, packageName, version)
|
||||
}
|
||||
@@ -49,7 +41,7 @@ export async function getScorecardLevels(
|
||||
}
|
||||
|
||||
async function getScorecard(repositoryUrl: string): Promise<ScorecardApi> {
|
||||
const apiRoot = 'https://api.securityscorecards.dev'
|
||||
const apiRoot = 'https://api.securityscorecards.dev/'
|
||||
let scorecardResponse: ScorecardApi = {} as ScorecardApi
|
||||
|
||||
const url = `${apiRoot}/projects/${repositoryUrl}`
|
||||
|
||||
+2
-2
@@ -69,7 +69,7 @@ export function addSummaryToSummary(
|
||||
: []),
|
||||
...(deniedChanges.length > 0
|
||||
? [
|
||||
`${checkOrFailIcon(deniedChanges.length)} ${
|
||||
`${checkOrWarnIcon(deniedChanges.length)} ${
|
||||
deniedChanges.length
|
||||
} package(s) denied.`
|
||||
]
|
||||
@@ -304,7 +304,7 @@ export function addScorecardToSummary(
|
||||
|
||||
//Add a row for the dependency
|
||||
core.summary.addRaw(
|
||||
`<tr><td>${dependency.change.source_repository_url ? `<a href="${dependency.change.source_repository_url}">` : ''} ${dependency.change.ecosystem}/${dependency.change.name} ${dependency.change.source_repository_url ? `</a>` : ''}</td><td>${dependency.change.version}</td>
|
||||
`<tr><td>${dependency.change.source_repository_url ? `<a href="https://${dependency.change.source_repository_url}">` : ''} ${dependency.change.ecosystem}/${dependency.change.name} ${dependency.change.source_repository_url ? `</a>` : ''}</td><td>${dependency.change.version}</td>
|
||||
<td>${overallIcon} ${dependency.scorecard?.score === undefined || dependency.scorecard?.score === null ? 'Unknown' : dependency.scorecard?.score}</td>`,
|
||||
false
|
||||
)
|
||||
|
||||
@@ -1,7 +1,6 @@
|
||||
import * as core from '@actions/core'
|
||||
import {Octokit} from 'octokit'
|
||||
import spdxParse from 'spdx-expression-parse'
|
||||
import {PackageURL} from 'packageurl-js'
|
||||
import {Changes} from './schemas'
|
||||
|
||||
export function groupDependenciesByManifest(
|
||||
@@ -69,21 +68,3 @@ export function octokitClient(token = 'repo-token', required = true): Octokit {
|
||||
|
||||
return new Octokit(opts)
|
||||
}
|
||||
|
||||
export const parsePURL = (purlString: string): PackageURL => {
|
||||
try {
|
||||
return PackageURL.fromString(purlString)
|
||||
} catch (error) {
|
||||
if (
|
||||
(error as Error).message ===
|
||||
`purl is missing the required "name" component.`
|
||||
) {
|
||||
//packageurl-js does not support empty names, so will manually override it for deny-groups
|
||||
//https://github.com/package-url/packageurl-js/blob/master/src/package-url.js#L216
|
||||
const purl = PackageURL.fromString(`${purlString}TEMP_NAME`)
|
||||
purl.name = ''
|
||||
return purl
|
||||
}
|
||||
throw error
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user