Compare commits
51 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 3c4e3dcb1a | |||
| 02930b2072 | |||
| 49ffd9f636 | |||
| 70cb25ec56 | |||
| ebabd31cea | |||
| 19f9360983 | |||
| 5fd2f98b4f | |||
| 28647f4804 | |||
| f620fd175c | |||
| 9b42b7e9a9 | |||
| 4004cfa3a2 | |||
| 94004c3444 | |||
| 75e65b4d81 | |||
| 355d25e5a7 | |||
| d456baec30 | |||
| 66054da10b | |||
| 247f07b0c8 | |||
| 5975520ad2 | |||
| b4849e7628 | |||
| 752c04656e | |||
| 4fa8b92807 | |||
| 3660056ed3 | |||
| 5f8348ab03 | |||
| 6b5a983daf | |||
| 8fd9b22286 | |||
| c4b82d3047 | |||
| 622445f2a8 | |||
| 3f464ea511 | |||
| 8e51299cdf | |||
| 7a990117b1 | |||
| 99ce29f02e | |||
| 140b44b7bf | |||
| 4603a62e00 | |||
| 07b91577a3 | |||
| 3084754c49 | |||
| 40c09b7dc9 | |||
| 45529485b5 | |||
| e63da9a041 | |||
| 71365c76bc | |||
| 56339e523c | |||
| 1688b745f3 | |||
| 31c9f175b9 | |||
| eacde7836e | |||
| 81510090e4 | |||
| b472ec914b | |||
| e0cedc52dc | |||
| e3fdf0f899 | |||
| 6fad417932 | |||
| e86e9692ad | |||
| 85c8e53ab7 | |||
| c6a7eb7252 |
@@ -1,57 +0,0 @@
|
||||
# `dist/index.js` is a special file in Actions.
|
||||
# When you reference an action with `uses:` in a workflow,
|
||||
# `index.js` is the code that will run.
|
||||
# For our project, we generate this file through a build process from other source files.
|
||||
# We need to make sure the checked-in `index.js` actually matches what we expect it to be.
|
||||
name: Check dist/
|
||||
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
paths-ignore:
|
||||
- '**.md'
|
||||
pull_request:
|
||||
paths-ignore:
|
||||
- '**.md'
|
||||
workflow_dispatch:
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
check-dist:
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
- name: Set Node.js 20.x
|
||||
uses: actions/setup-node@v4
|
||||
with:
|
||||
node-version: 20.x
|
||||
cache: npm
|
||||
|
||||
- name: Install dependencies
|
||||
run: npm ci
|
||||
|
||||
- name: Rebuild the dist/ directory
|
||||
run: |
|
||||
npm run build
|
||||
npm run package
|
||||
|
||||
- name: Compare the expected and actual dist/ directories
|
||||
run: |
|
||||
if [ "$(git diff --ignore-space-at-eol dist/ | wc -l)" -gt "0" ]; then
|
||||
echo "Detected uncommitted changes after build. See status below:"
|
||||
git diff
|
||||
exit 1
|
||||
fi
|
||||
id: diff
|
||||
|
||||
# If index.js was different than expected, upload the expected version as an artifact
|
||||
- uses: actions/upload-artifact@v4
|
||||
if: ${{ failure() && steps.diff.conclusion == 'failure' }}
|
||||
with:
|
||||
name: dist
|
||||
path: dist/
|
||||
@@ -0,0 +1,51 @@
|
||||
name: CI-update-dist
|
||||
|
||||
on:
|
||||
workflow_dispatch:
|
||||
push:
|
||||
branches:
|
||||
- 'main'
|
||||
paths-ignore:
|
||||
- 'dist/**'
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
update-dist:
|
||||
# Only run for the original DRA repository; otherwise when users create pull requests from their `main` branch
|
||||
# it would erroneously update `dist` on their branch (and the pull request)
|
||||
if: github.repository == 'actions/dependency-review-action'
|
||||
permissions:
|
||||
contents: write
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
|
||||
|
||||
- name: Set up Node.js
|
||||
uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
|
||||
with:
|
||||
node-version: 20
|
||||
cache: npm
|
||||
|
||||
- name: Install npm dependencies
|
||||
run: |
|
||||
npm clean-install
|
||||
|
||||
- name: Build distribution
|
||||
run: |
|
||||
npm run build
|
||||
npm run package
|
||||
|
||||
# Commit and push changes; has no effect if the files did not change
|
||||
# Important: The push event will not trigger any other workflows, see
|
||||
# https://github.com/stefanzweifel/git-auto-commit-action?tab=readme-ov-file#commits-made-by-this-action-do-not-trigger-new-workflow-runs
|
||||
- name: Commit & push changes
|
||||
uses: stefanzweifel/git-auto-commit-action@28e16e81777b558cc906c8750092100bbb34c5e3 # v7.0.0
|
||||
with:
|
||||
commit_author: 'github-actions[bot] <github-actions[bot]@users.noreply.github.com>'
|
||||
commit_user_name: 'github-actions[bot]'
|
||||
commit_user_email: 'github-actions[bot]@users.noreply.github.com'
|
||||
commit_message: '[bot] Update dist directory [skip ci]'
|
||||
file_pattern: 'dist/'
|
||||
@@ -20,7 +20,7 @@ jobs:
|
||||
strategy:
|
||||
fail-fast: false
|
||||
matrix:
|
||||
language: [ 'javascript-typescript', 'actions' ]
|
||||
language: [ 'javascript-typescript', 'actions', 'ruby' ]
|
||||
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
@@ -38,7 +38,7 @@ jobs:
|
||||
# For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
|
||||
# queries: security-extended,security-and-quality
|
||||
config: |
|
||||
paths-ignore:
|
||||
paths-ignore:
|
||||
- dist/index.js
|
||||
- dist/sourcemap-register.js
|
||||
|
||||
|
||||
+10
-8
@@ -25,11 +25,11 @@ If you'd like to make a contribution yourself, we ask that before significant ef
|
||||
|
||||
## Stalebot
|
||||
|
||||
We have begun using a [Stalebot action](https://github.com/actions/stale) to help keep the Issues and Pull requests backlogs tidy. You can see the configuration [here](.github/workflows/stalebot.yml). If you'd like to keep an issue open after getting a stalebot warning, simply comment on it and it'll reset the clock.
|
||||
We have begun using a [Stalebot action](https://github.com/actions/stale) to help keep the Issues and Pull requests backlogs tidy. You can see [the configuration](.github/workflows/stalebot.yml). If you'd like to keep an issue open after getting a stalebot warning, simply comment on it and it'll reset the clock.
|
||||
|
||||
## Development lifecycle
|
||||
|
||||
Ready to contribute to `dependency-review-action`? Here is some information to help you get started.
|
||||
Ready to contribute to `dependency-review-action`? Here is some information to help you get started.
|
||||
|
||||
### High level overview of the action
|
||||
|
||||
@@ -53,7 +53,7 @@ Before you begin, you need to have [Node.js](https://nodejs.org/en/) installed,
|
||||
We have a script to scan a given PR for vulnerabilities, this will
|
||||
help you test your local changes. Make sure to [grab a Personal Access Token (PAT)](https://github.com/settings/tokens) before proceeding (you'll need `repo` permissions for private repos):
|
||||
|
||||
<img width="480" alt="Screenshot 2022-05-12 at 10 22 21" src="https://user-images.githubusercontent.com/2161/168026161-16788a0a-b6c8-428e-bb6a-83ea2a403070.png">
|
||||
<img width="480" alt="Screen to create a PAT with a note of `dr-token`, 30 day duration (expiring Jun 11, 2022), with `repo` scopes selected" src="https://user-images.githubusercontent.com/2161/168026161-16788a0a-b6c8-428e-bb6a-83ea2a403070.png">
|
||||
|
||||
The syntax of the script is:
|
||||
|
||||
@@ -87,8 +87,9 @@ _Note_: We don't have a very comprehensive test suite, so any contributions to t
|
||||
|
||||
1. Create a new branch: `git checkout -b my-branch-name`
|
||||
2. Make your change, add tests, and make sure the tests still pass
|
||||
3. Make sure to build and package before pushing: `npm run build && npm run package`
|
||||
4. Push to your fork and [submit a pull request][pr]
|
||||
3. Push to your fork and [submit a pull request][pr]
|
||||
|
||||
(note: we don't recommend including changes to the `dist` directory in your pull request, because changes there have an increased likelihood of conflicts.)
|
||||
|
||||
Here are a few things you can do that will increase the likelihood of your pull request being accepted:
|
||||
|
||||
@@ -106,19 +107,20 @@ Here are a few things you can do that will increase the likelihood of your pull
|
||||
_Note: these instructions are for maintainers_
|
||||
|
||||
1. Update the version number in [package.json](https://github.com/actions/dependency-review-action/blob/main/package.json) and run `npm i` to update the lockfile.
|
||||
1. Update the dist files by running `npm run build` and `npm run package`
|
||||
1. Go to [Draft a new
|
||||
release](https://github.com/actions/dependency-review-action/releases/new)
|
||||
in the Releases page.
|
||||
1. Make sure that the `Publish this Action to the GitHub Marketplace`
|
||||
checkbox is enabled
|
||||
|
||||
<img width="481" alt="Screenshot 2022-06-15 at 12 08 19" src="https://user-images.githubusercontent.com/2161/173822484-4b60d8b4-c674-4bff-b5ff-b0c4a3650ab7.png">
|
||||
<img width="481" alt="Screen showing Release Action with Publish this Action to the GitHub Marketplace checked" src="https://user-images.githubusercontent.com/2161/173822484-4b60d8b4-c674-4bff-b5ff-b0c4a3650ab7.png">
|
||||
|
||||
3. Click "Choose a tag" and then "Create new tag", where the tag name
|
||||
will be your version prefixed by a `v` (e.g. `v1.2.3`).
|
||||
4. Use a version number for the release title (e.g. "1.2.3").
|
||||
|
||||
<img width="700" alt="Screenshot 2022-06-15 at 12 08 36" src="https://user-images.githubusercontent.com/2161/173822548-33ab3432-d679-4dc1-adf8-b50fdaf47de3.png">
|
||||
<img width="700" alt="Create an action release in categories Security + Dependency management from branch main creating tag v2.0.0 on publish" src="https://user-images.githubusercontent.com/2161/173822548-33ab3432-d679-4dc1-adf8-b50fdaf47de3.png">
|
||||
|
||||
5. Add your release notes. If this is a major version make sure to
|
||||
include a small description of the biggest changes in the new version.
|
||||
@@ -137,8 +139,8 @@ To do this just checkout `main`, force-create a new annotated tag, and push it:
|
||||
git tag -fa v4 -m "Updating v4 to 4.0.1"
|
||||
git push origin v4 --force
|
||||
```
|
||||
</details>
|
||||
|
||||
</details>
|
||||
|
||||
## Resources
|
||||
|
||||
|
||||
@@ -169,6 +169,7 @@ You can pass configuration options to the dependency review action using your wo
|
||||
|
||||
# Use comma-separated names to pass list arguments:
|
||||
deny-licenses: LGPL-2.0, BSD-2-Clause
|
||||
allow-dependencies-licenses: "pkg:npm/@myorg/mypackage, pkg:npm/packagename, pkg:githubactions/owner/repo@2.0.0"
|
||||
```
|
||||
|
||||
#### Option 2: Using an external configuration file
|
||||
|
||||
@@ -1,7 +1,6 @@
|
||||
import {expect, test, beforeEach} from '@jest/globals'
|
||||
import {readConfig} from '../src/config'
|
||||
import {getRefs} from '../src/git-refs'
|
||||
import * as spdx from '../src/spdx'
|
||||
import {setInput, clearInputs} from './test-helpers'
|
||||
|
||||
beforeEach(() => {
|
||||
|
||||
@@ -0,0 +1,153 @@
|
||||
import {
|
||||
afterEach,
|
||||
beforeEach,
|
||||
describe,
|
||||
expect,
|
||||
jest,
|
||||
test
|
||||
} from '@jest/globals'
|
||||
import * as fs from 'fs'
|
||||
import * as core from '@actions/core'
|
||||
import {DefaultArtifactClient} from '@actions/artifact'
|
||||
import type {SpyInstance} from 'jest-mock'
|
||||
import {handleLargeSummary} from '../src/main'
|
||||
|
||||
jest.mock('ansi-styles', () => ({
|
||||
__esModule: true,
|
||||
default: {
|
||||
color: {
|
||||
red: {open: '', close: ''},
|
||||
yellow: {open: '', close: ''},
|
||||
grey: {open: '', close: ''},
|
||||
green: {open: '', close: ''}
|
||||
},
|
||||
bold: {open: '', close: ''}
|
||||
}
|
||||
}))
|
||||
jest.mock('../src/dependency-graph', () => ({}))
|
||||
jest.mock('@actions/core', () => {
|
||||
const summary = {
|
||||
addRaw: jest.fn().mockReturnThis(),
|
||||
addHeading: jest.fn().mockReturnThis(),
|
||||
addTable: jest.fn().mockReturnThis(),
|
||||
addSeparator: jest.fn().mockReturnThis(),
|
||||
addImage: jest.fn().mockReturnThis(),
|
||||
addList: jest.fn().mockReturnThis(),
|
||||
addBreak: jest.fn().mockReturnThis(),
|
||||
addLink: jest.fn().mockReturnThis(),
|
||||
addDetails: jest.fn().mockReturnThis(),
|
||||
addSection: jest.fn().mockReturnThis(),
|
||||
addCodeBlock: jest.fn().mockReturnThis(),
|
||||
addFields: jest.fn().mockReturnThis(),
|
||||
addEol: jest.fn().mockReturnThis(),
|
||||
write: jest.fn(async () => undefined),
|
||||
emptyBuffer: jest.fn(),
|
||||
stringify: jest.fn(() => '')
|
||||
}
|
||||
return {
|
||||
__esModule: true,
|
||||
getInput: jest.fn((name: string) =>
|
||||
name === 'repo-token' ? 'gh_test_token' : ''
|
||||
),
|
||||
setOutput: jest.fn(),
|
||||
setFailed: jest.fn(),
|
||||
warning: jest.fn(),
|
||||
info: jest.fn(),
|
||||
debug: jest.fn(),
|
||||
startGroup: jest.fn(),
|
||||
endGroup: jest.fn(),
|
||||
group: jest.fn(async (_name: string, fn: () => Promise<unknown>) => fn()),
|
||||
summary
|
||||
}
|
||||
})
|
||||
jest.mock('@actions/artifact', () => ({
|
||||
DefaultArtifactClient: jest.fn()
|
||||
}))
|
||||
|
||||
const ORIGINAL_ENV = {...process.env}
|
||||
|
||||
type ArtifactClientInstance = {
|
||||
uploadArtifact: jest.Mock
|
||||
}
|
||||
|
||||
const DefaultArtifactClientMock = DefaultArtifactClient as unknown as jest.Mock
|
||||
|
||||
const createArtifactClient = (): ArtifactClientInstance => ({
|
||||
uploadArtifact: jest.fn(async () => undefined)
|
||||
})
|
||||
|
||||
describe('handleLargeSummary', () => {
|
||||
let writeFileSpy: SpyInstance<typeof fs.promises.writeFile>
|
||||
|
||||
beforeEach(() => {
|
||||
process.env = {...ORIGINAL_ENV}
|
||||
writeFileSpy = jest
|
||||
.spyOn(fs.promises, 'writeFile')
|
||||
.mockImplementation(async () => undefined)
|
||||
DefaultArtifactClientMock.mockClear()
|
||||
DefaultArtifactClientMock.mockImplementation(() => createArtifactClient())
|
||||
})
|
||||
|
||||
afterEach(() => {
|
||||
writeFileSpy.mockRestore()
|
||||
jest.clearAllMocks()
|
||||
process.env = {...ORIGINAL_ENV}
|
||||
})
|
||||
|
||||
test('returns original summary when under size threshold', async () => {
|
||||
const summaryContent = 'short summary'
|
||||
|
||||
const result = await handleLargeSummary(summaryContent)
|
||||
|
||||
expect(result).toBe(summaryContent)
|
||||
expect(writeFileSpy).not.toHaveBeenCalled()
|
||||
expect(DefaultArtifactClientMock).not.toHaveBeenCalled()
|
||||
})
|
||||
|
||||
test('uploads artifact and returns minimal summary when summary is too large', async () => {
|
||||
process.env.GITHUB_SERVER_URL = 'https://github.com'
|
||||
process.env.GITHUB_REPOSITORY = 'owner/repo'
|
||||
process.env.GITHUB_RUN_ID = '12345'
|
||||
|
||||
const largeSummary = 'a'.repeat(1024 * 1024 + 1)
|
||||
|
||||
const result = await handleLargeSummary(largeSummary)
|
||||
|
||||
expect(writeFileSpy).toHaveBeenCalledTimes(1)
|
||||
expect(writeFileSpy).toHaveBeenCalledWith('summary.md', largeSummary)
|
||||
expect(DefaultArtifactClientMock).toHaveBeenCalledTimes(1)
|
||||
|
||||
const artifactInstance = DefaultArtifactClientMock.mock.results[0]
|
||||
?.value as ArtifactClientInstance
|
||||
|
||||
expect(artifactInstance.uploadArtifact).toHaveBeenCalledWith(
|
||||
'dependency-review-summary',
|
||||
['summary.md'],
|
||||
'.',
|
||||
{retentionDays: 1}
|
||||
)
|
||||
|
||||
expect(result).toContain('# Dependency Review Summary')
|
||||
expect(result).toContain('dependency-review-summary')
|
||||
expect(result).toContain('actions/runs/12345')
|
||||
})
|
||||
|
||||
test('returns original summary and logs a warning when artifact handling fails', async () => {
|
||||
const warningMock = core.warning as jest.Mock
|
||||
warningMock.mockClear()
|
||||
const largeSummary = 'b'.repeat(1024 * 1024 + 1)
|
||||
|
||||
DefaultArtifactClientMock.mockImplementation(() => ({
|
||||
uploadArtifact: jest.fn(async () => {
|
||||
throw new Error('upload failed')
|
||||
})
|
||||
}))
|
||||
|
||||
const result = await handleLargeSummary(largeSummary)
|
||||
|
||||
expect(result).toBe(largeSummary)
|
||||
expect(warningMock).toHaveBeenCalledWith(
|
||||
expect.stringContaining('Failed to handle large summary')
|
||||
)
|
||||
})
|
||||
})
|
||||
@@ -315,7 +315,7 @@ test('uses checkmarks for vulnerabilities if only license issues were found', ()
|
||||
expect(text).toContain('✅ 0 package(s) with unknown licenses')
|
||||
})
|
||||
|
||||
test('addChangeVulnerabilitiesToSummary() - only includes section if any vulnerabilites found', () => {
|
||||
test('addChangeVulnerabilitiesToSummary() - only includes section if any vulnerabilities found', () => {
|
||||
summary.addChangeVulnerabilitiesToSummary(emptyChanges, 'low')
|
||||
const text = core.summary.stringify()
|
||||
expect(text).toEqual('')
|
||||
@@ -385,7 +385,7 @@ test('addChangeVulnerabilitiesToSummary() - prints severity statement if above l
|
||||
)
|
||||
})
|
||||
|
||||
test('addChangeVulnerabilitiesToSummary() - does not print severity statment if it is set to "low"', () => {
|
||||
test('addChangeVulnerabilitiesToSummary() - does not print severity statement if it is set to "low"', () => {
|
||||
const changes = [createTestChange()]
|
||||
|
||||
summary.addChangeVulnerabilitiesToSummary(changes, 'low')
|
||||
@@ -464,7 +464,9 @@ test('addLicensesToSummary() - includes list of configured allowed licenses', ()
|
||||
summary.addLicensesToSummary(licenseIssues, config)
|
||||
|
||||
const text = core.summary.stringify()
|
||||
expect(text).toContain('<strong>Allowed Licenses</strong>: MIT, Apache-2.0')
|
||||
expect(text).toContain(
|
||||
'<details><summary><strong>Allowed Licenses</strong>:</summary> MIT, Apache-2.0</details>'
|
||||
)
|
||||
})
|
||||
|
||||
test('addLicensesToSummary() - includes configured denied license', () => {
|
||||
@@ -476,11 +478,33 @@ test('addLicensesToSummary() - includes configured denied license', () => {
|
||||
|
||||
const config: ConfigurationOptions = {
|
||||
...defaultConfig,
|
||||
deny_licenses: ['MIT']
|
||||
deny_licenses: ['MIT', 'Apache-2.0']
|
||||
}
|
||||
|
||||
summary.addLicensesToSummary(licenseIssues, config)
|
||||
|
||||
const text = core.summary.stringify()
|
||||
expect(text).toContain('<strong>Denied Licenses</strong>: MIT')
|
||||
expect(text).toContain(
|
||||
'<details><summary><strong>Denied Licenses</strong>:</summary> MIT, Apache-2.0</details>'
|
||||
)
|
||||
})
|
||||
|
||||
test('addLicensesToSummary() - includes allowed dependency licences', () => {
|
||||
const licenseIssues = {
|
||||
forbidden: [createTestChange()],
|
||||
unresolved: [],
|
||||
unlicensed: []
|
||||
}
|
||||
|
||||
const config: ConfigurationOptions = {
|
||||
...defaultConfig,
|
||||
allow_dependencies_licenses: ['MIT', 'Apache-2.0']
|
||||
}
|
||||
|
||||
summary.addLicensesToSummary(licenseIssues, config)
|
||||
|
||||
const text = core.summary.stringify()
|
||||
expect(text).toContain(
|
||||
'<details><summary><strong>Excluded from license check</strong>:</summary> MIT, Apache-2.0</details>'
|
||||
)
|
||||
})
|
||||
|
||||
+1
-1
@@ -53,7 +53,7 @@ inputs:
|
||||
description: A boolean to determine if vulnerability checks should be performed
|
||||
required: false
|
||||
comment-summary-in-pr:
|
||||
description: Determines if the summary is posted as a comment in the PR itself. Setting this to `always` or `on-failure` requires you to give the workflow the write permissions for pull-requests
|
||||
description: "Determines if the summary is posted as a comment in the PR itself. Setting this to `always` or `on-failure` requires you to give the workflow `pull-requests: write` permissions"
|
||||
required: false
|
||||
deny-packages:
|
||||
description: A comma-separated list of package URLs to deny (e.g. "pkg:npm/express, pkg:pypi/pycrypto"). If version specified, only deny matching packages and version; else, deny all regardless of version.
|
||||
|
||||
+100244
-1313
File diff suppressed because one or more lines are too long
+1
-1
File diff suppressed because one or more lines are too long
+2911
File diff suppressed because it is too large
Load Diff
+4
-4
@@ -4,7 +4,7 @@
|
||||
|
||||
A very basic example of how to use the action. This will run the action with the default configuration.
|
||||
|
||||
The full list of configuration options can be found [here](../README.md#configuration-options).
|
||||
See the [full list of configuration options](../README.md#configuration-options).
|
||||
|
||||
```yaml
|
||||
name: 'Dependency Review'
|
||||
@@ -112,7 +112,7 @@ jobs:
|
||||
|
||||
## Using a configuration file from an external repository with a personal access token
|
||||
|
||||
The following example will use a configuration file from an external private GtiHub repository to configure the action.
|
||||
The following example will use a configuration file from an external private GitHub repository to configure the action.
|
||||
|
||||
Let's say that the configuration file is located in `github/octorepo-private/dependency-review-config.yml@main`
|
||||
|
||||
@@ -233,7 +233,7 @@ jobs:
|
||||
fail-on-severity: critical
|
||||
deny-licenses: LGPL-2.0, BSD-2-Clause
|
||||
comment-summary-in-pr: always
|
||||
allow-dependencies-licenses: 'pkg:npm/loadash, pkg:pypi/requests'
|
||||
allow-dependencies-licenses: 'pkg:npm/lodash, pkg:pypi/requests'
|
||||
```
|
||||
|
||||
If we were to use configuration file, the configuration would look like this:
|
||||
@@ -244,7 +244,7 @@ allow-licenses:
|
||||
- 'LGPL-2.0'
|
||||
- 'BSD-2-Clause'
|
||||
allow-dependencies-licenses:
|
||||
- 'pkg:npm/loadash'
|
||||
- 'pkg:npm/lodash'
|
||||
- 'pkg:pypi/requests'
|
||||
```
|
||||
|
||||
|
||||
Generated
+1385
-467
File diff suppressed because it is too large
Load Diff
+4
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"name": "dependency-review-action",
|
||||
"version": "4.7.3",
|
||||
"version": "4.8.2",
|
||||
"private": true,
|
||||
"description": "A GitHub Action for Dependency Review",
|
||||
"main": "lib/main.js",
|
||||
@@ -25,6 +25,7 @@
|
||||
"author": "GitHub",
|
||||
"license": "MIT",
|
||||
"dependencies": {
|
||||
"@actions/artifact": "^2.3.2",
|
||||
"@actions/core": "^1.11.1",
|
||||
"@actions/github": "^6.0.1",
|
||||
"@octokit/plugin-retry": "^6.1.0",
|
||||
@@ -42,7 +43,7 @@
|
||||
"zod": "^3.24.1"
|
||||
},
|
||||
"devDependencies": {
|
||||
"@types/jest": "^29.5.12",
|
||||
"@types/jest": "^29.5.14",
|
||||
"@types/node": "^20",
|
||||
"@types/spdx-expression-parse": "^3.0.4",
|
||||
"@typescript-eslint/eslint-plugin": "^6.21.0",
|
||||
@@ -62,4 +63,4 @@
|
||||
"cross-spawn": ">=7.0.5",
|
||||
"@octokit/request-error@5.0.1": "5.1.1"
|
||||
}
|
||||
}
|
||||
}
|
||||
+5
-84
@@ -1,87 +1,8 @@
|
||||
#!/usr/bin/env ruby
|
||||
require 'json'
|
||||
require 'tempfile'
|
||||
require 'open3'
|
||||
require 'bundler/inline'
|
||||
require 'optparse'
|
||||
|
||||
gemfile do
|
||||
source 'https://rubygems.org'
|
||||
gem 'octokit'
|
||||
end
|
||||
# Load the scan_pr library
|
||||
require_relative 'scan_pr_lib'
|
||||
|
||||
config_file = nil
|
||||
github_token = ENV["GITHUB_TOKEN"]
|
||||
|
||||
if !github_token || github_token.empty?
|
||||
puts "Please set the GITHUB_TOKEN environment variable"
|
||||
exit -1
|
||||
end
|
||||
|
||||
op = OptionParser.new do |opts|
|
||||
usage = <<EOF
|
||||
Run Dependency Review on a repository.
|
||||
|
||||
\e[1mUsage:\e[22m
|
||||
scripts/scan_pr [options] <pr_url>
|
||||
|
||||
\e[1mExample:\e[22m
|
||||
scripts/scan_pr https://github.com/actions/dependency-review-action/pull/294
|
||||
|
||||
EOF
|
||||
|
||||
opts.banner = usage
|
||||
|
||||
opts.on('-c', '--config-file <FILE>', 'Use an external configuration file') do |cf|
|
||||
config_file = cf
|
||||
end
|
||||
|
||||
opts.on("-h", "--help", "Prints this help") do
|
||||
puts opts
|
||||
exit
|
||||
end
|
||||
end
|
||||
|
||||
op.parse!
|
||||
|
||||
# make sure we have a NWO somewhere in the parameters
|
||||
arg = /(?<repo_nwo>[\w\-]+\/[\w\-]+)\/pull\/(?<pr_number>\d+)/.match(ARGV.join(" "))
|
||||
|
||||
if arg.nil?
|
||||
puts op
|
||||
exit -1
|
||||
end
|
||||
|
||||
repo_nwo = arg[:repo_nwo]
|
||||
pr_number = arg[:pr_number]
|
||||
|
||||
octo = Octokit::Client.new(access_token: github_token)
|
||||
pr = octo.pull_request(repo_nwo, pr_number)
|
||||
|
||||
event_file = Tempfile.new
|
||||
event_file.write("{ \"pull_request\": #{pr.to_h.to_json}}")
|
||||
event_file.close
|
||||
|
||||
action_inputs = {
|
||||
"repo-token": github_token,
|
||||
"config-file": config_file
|
||||
}
|
||||
|
||||
dev_cmd_env = {
|
||||
"GITHUB_REPOSITORY" => repo_nwo,
|
||||
"GITHUB_EVENT_NAME" => "pull_request",
|
||||
"GITHUB_EVENT_PATH" => event_file.path,
|
||||
"GITHUB_STEP_SUMMARY" => "/dev/null"
|
||||
}
|
||||
|
||||
# bash does not like variable names with dashes like the ones Actions
|
||||
# uses (e.g. INPUT_REPO-TOKEN). Passing them through `env` instead of
|
||||
# manually setting them does the job.
|
||||
action_inputs_env_str = action_inputs.map { |name, value| "\"INPUT_#{name.upcase}=#{value}\"" }.join(" ")
|
||||
dev_cmd = "./node_modules/.bin/nodemon --exec \"env #{action_inputs_env_str} node -r esbuild-register\" src/main.ts"
|
||||
|
||||
Open3.popen2e(dev_cmd_env, dev_cmd) do |stdin, out|
|
||||
while line = out.gets
|
||||
puts line.gsub(github_token, "<REDACTED>")
|
||||
end
|
||||
end
|
||||
# Create and run the scanner
|
||||
scanner = ScanPr.new
|
||||
scanner.run(ARGV)
|
||||
|
||||
@@ -0,0 +1,128 @@
|
||||
require 'json'
|
||||
require 'tempfile'
|
||||
require 'open3'
|
||||
require 'bundler/inline'
|
||||
require 'optparse'
|
||||
|
||||
gemfile do
|
||||
source 'https://rubygems.org'
|
||||
gem 'octokit'
|
||||
end
|
||||
|
||||
class ScanPr
|
||||
def initialize
|
||||
@config_file = nil
|
||||
@github_token = ENV["GITHUB_TOKEN"]
|
||||
|
||||
validate_token
|
||||
end
|
||||
|
||||
def run(args)
|
||||
parse_options(args)
|
||||
repo_nwo, pr_number = extract_repo_and_pr(args)
|
||||
|
||||
pr = fetch_pull_request(repo_nwo, pr_number)
|
||||
event_file = create_event_file(pr)
|
||||
|
||||
execute_dependency_review(repo_nwo, event_file)
|
||||
ensure
|
||||
event_file&.unlink
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
def validate_token
|
||||
if !@github_token || @github_token.empty?
|
||||
puts "Please set the GITHUB_TOKEN environment variable"
|
||||
exit -1
|
||||
end
|
||||
end
|
||||
|
||||
def parse_options(args)
|
||||
op = OptionParser.new do |opts|
|
||||
usage = <<EOF
|
||||
Run Dependency Review on a repository.
|
||||
|
||||
\e[1mUsage:\e[22m
|
||||
scripts/scan_pr [options] <pr_url>
|
||||
|
||||
\e[1mExample:\e[22m
|
||||
scripts/scan_pr https://github.com/actions/dependency-review-action/pull/294
|
||||
|
||||
EOF
|
||||
|
||||
opts.banner = usage
|
||||
|
||||
opts.on('-c', '--config-file <FILE>', 'Use an external configuration file') do |cf|
|
||||
@config_file = cf
|
||||
end
|
||||
|
||||
opts.on("-h", "--help", "Prints this help") do
|
||||
puts opts
|
||||
exit
|
||||
end
|
||||
end
|
||||
|
||||
op.parse!(args)
|
||||
@option_parser = op
|
||||
end
|
||||
|
||||
def extract_repo_and_pr(args)
|
||||
# make sure we have a NWO somewhere in the parameters
|
||||
arg = /(?<repo_nwo>[\w\-]+\/[\w\-]+)\/pull\/(?<pr_number>\d+)/.match(args.join(" "))
|
||||
|
||||
if arg.nil?
|
||||
puts @option_parser
|
||||
exit -1
|
||||
end
|
||||
|
||||
[arg[:repo_nwo], arg[:pr_number]]
|
||||
end
|
||||
|
||||
def fetch_pull_request(repo_nwo, pr_number)
|
||||
octo = Octokit::Client.new(access_token: @github_token)
|
||||
octo.pull_request(repo_nwo, pr_number)
|
||||
end
|
||||
|
||||
def create_event_file(pr)
|
||||
event_file = Tempfile.new
|
||||
event_file.write("{ \"pull_request\": #{pr.to_h.to_json}}")
|
||||
event_file.close
|
||||
event_file
|
||||
end
|
||||
|
||||
def execute_dependency_review(repo_nwo, event_file)
|
||||
action_inputs = {
|
||||
"repo-token": @github_token,
|
||||
"config-file": @config_file
|
||||
}
|
||||
|
||||
dev_cmd_env = {
|
||||
"GITHUB_REPOSITORY" => repo_nwo,
|
||||
"GITHUB_EVENT_NAME" => "pull_request",
|
||||
"GITHUB_EVENT_PATH" => event_file.path,
|
||||
"GITHUB_STEP_SUMMARY" => "/dev/null"
|
||||
}
|
||||
|
||||
# Merge action inputs into environment, formatting keys as INPUT_...
|
||||
action_inputs_env = action_inputs.each_with_object({}) do |(name, value), h|
|
||||
h["INPUT_#{name.to_s.upcase}"] = value unless value.nil?
|
||||
end
|
||||
env = dev_cmd_env.merge(action_inputs_env)
|
||||
|
||||
dev_cmd = [
|
||||
"./node_modules/.bin/nodemon",
|
||||
"--exec",
|
||||
"node",
|
||||
"-r",
|
||||
"esbuild-register",
|
||||
"src/main.ts"
|
||||
]
|
||||
|
||||
Open3.popen2e(env, *dev_cmd) do |stdin, out|
|
||||
while line = out.gets
|
||||
puts line.gsub(@github_token, "<REDACTED>")
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
+1
-1
@@ -174,7 +174,7 @@ async function groupChanges(
|
||||
return true
|
||||
}
|
||||
|
||||
const changeAsPackageURL = parsePURL(encodeURI(change.package_url))
|
||||
const changeAsPackageURL = parsePURL(change.package_url)
|
||||
|
||||
// We want to find if the licenseExclusion list contains the PackageURL of the Change
|
||||
// If it does, we want to filter it out and therefore return false
|
||||
|
||||
+69
-7
@@ -24,6 +24,10 @@ import {getRefs} from './git-refs'
|
||||
import {groupDependenciesByManifest} from './utils'
|
||||
import {commentPr, MAX_COMMENT_LENGTH} from './comment-pr'
|
||||
import {getDeniedChanges} from './deny'
|
||||
import * as artifact from '@actions/artifact'
|
||||
import * as fs from 'fs'
|
||||
|
||||
import type {PayloadRepository} from '@actions/github/lib/interfaces.d'
|
||||
|
||||
async function delay(ms: number): Promise<void> {
|
||||
return new Promise(resolve => setTimeout(resolve, ms))
|
||||
@@ -61,6 +65,50 @@ async function getComparison(
|
||||
return comparison
|
||||
}
|
||||
|
||||
export async function handleLargeSummary(
|
||||
summaryContent: string
|
||||
): Promise<string> {
|
||||
const MAX_SUMMARY_SIZE = 1024 * 1024 // 1024k in bytes
|
||||
if (Buffer.byteLength(summaryContent, 'utf8') <= MAX_SUMMARY_SIZE) {
|
||||
return summaryContent
|
||||
}
|
||||
|
||||
const artifactClient = new artifact.DefaultArtifactClient()
|
||||
const artifactName = 'dependency-review-summary'
|
||||
const files = ['summary.md']
|
||||
|
||||
try {
|
||||
// Write the summary to a file
|
||||
await fs.promises.writeFile('summary.md', summaryContent)
|
||||
|
||||
// Upload the artifact
|
||||
await artifactClient.uploadArtifact(artifactName, files, '.', {
|
||||
retentionDays: 1
|
||||
})
|
||||
|
||||
// Return a shorter summary with a link to the artifact
|
||||
const shortSummary = `# Dependency Review Summary
|
||||
|
||||
The full dependency review summary is too large to display here. Please download the artifact named "${artifactName}" to view the complete report.
|
||||
|
||||
[View full job summary](${process.env.GITHUB_SERVER_URL}/${process.env.GITHUB_REPOSITORY}/actions/runs/${process.env.GITHUB_RUN_ID})`
|
||||
|
||||
// Set core.summary to the shorter summary value to avoid exceeding MAX_SUMMARY_SIZE
|
||||
core.summary.emptyBuffer()
|
||||
core.summary.addRaw(shortSummary)
|
||||
return shortSummary
|
||||
} catch (error) {
|
||||
core.warning(
|
||||
`Failed to handle large summary: ${error instanceof Error ? error.message : 'Unknown error'}`
|
||||
)
|
||||
return summaryContent
|
||||
}
|
||||
}
|
||||
|
||||
interface RepoWithPrivate extends PayloadRepository {
|
||||
private: boolean
|
||||
}
|
||||
|
||||
async function run(): Promise<void> {
|
||||
try {
|
||||
const config = await readConfig()
|
||||
@@ -179,6 +227,9 @@ async function run(): Promise<void> {
|
||||
let rendered = core.summary.stringify()
|
||||
core.setOutput('comment-content', rendered)
|
||||
|
||||
// Handle large summaries by uploading as artifact
|
||||
rendered = await handleLargeSummary(rendered)
|
||||
|
||||
// if the summary is oversized, replace with minimal version
|
||||
if (rendered.length >= MAX_COMMENT_LENGTH) {
|
||||
core.debug(
|
||||
@@ -195,9 +246,20 @@ async function run(): Promise<void> {
|
||||
`Dependency review could not obtain dependency data for the specified owner, repository, or revision range.`
|
||||
)
|
||||
} else if (error instanceof RequestError && error.status === 403) {
|
||||
core.setFailed(
|
||||
`Dependency review is not supported on this repository. Please ensure that Dependency graph is enabled along with GitHub Advanced Security on private repositories, see ${github.context.serverUrl}/${github.context.repo.owner}/${github.context.repo.repo}/settings/security_analysis`
|
||||
)
|
||||
let repoIsPrivate = false
|
||||
if ('repository' in github.context.payload) {
|
||||
const repo = github.context.payload.repository as RepoWithPrivate
|
||||
repoIsPrivate = repo.private
|
||||
}
|
||||
if (repoIsPrivate) {
|
||||
core.setFailed(
|
||||
`Dependency review is not supported on this repository. Please ensure that Dependency graph is enabled along with GitHub Advanced Security, see ${github.context.serverUrl}/${github.context.repo.owner}/${github.context.repo.repo}/settings/security_analysis`
|
||||
)
|
||||
} else {
|
||||
core.setFailed(
|
||||
`Dependency review is not supported on this repository. Please ensure that Dependency graph is enabled, see ${github.context.serverUrl}/${github.context.repo.owner}/${github.context.repo.repo}/settings/security_analysis`
|
||||
)
|
||||
}
|
||||
} else {
|
||||
if (error instanceof Error) {
|
||||
core.setFailed(error.message)
|
||||
@@ -216,13 +278,13 @@ async function printVulnerabilitiesBlock(
|
||||
warnOnly: boolean
|
||||
): Promise<boolean> {
|
||||
return core.group('Vulnerabilities', async () => {
|
||||
let vulFound = false
|
||||
let vulnFound = false
|
||||
|
||||
for (const change of addedChanges) {
|
||||
vulFound ||= printChangeVulnerabilities(change)
|
||||
vulnFound ||= printChangeVulnerabilities(change)
|
||||
}
|
||||
|
||||
if (vulFound) {
|
||||
if (vulnFound) {
|
||||
const msg = 'Dependency review detected vulnerable packages.'
|
||||
if (warnOnly) {
|
||||
core.warning(msg)
|
||||
@@ -235,7 +297,7 @@ async function printVulnerabilitiesBlock(
|
||||
)
|
||||
}
|
||||
|
||||
return vulFound
|
||||
return vulnFound
|
||||
})
|
||||
}
|
||||
|
||||
|
||||
+5
-7
@@ -12,7 +12,7 @@ const icons = {
|
||||
|
||||
const MAX_SCANNED_FILES_BYTES = 1048576
|
||||
|
||||
// generates the DR report summmary and caches it to the Action's core.summary.
|
||||
// generates the DR report summary and caches it to the Action's core.summary.
|
||||
// returns the DR summary string, ready to be posted as a PR comment if the
|
||||
// final DR report is too large
|
||||
export function addSummaryToSummary(
|
||||
@@ -112,7 +112,7 @@ export function addSummaryToSummary(
|
||||
|
||||
function addDenyListsDeprecationWarningToSummary(): void {
|
||||
core.summary.addRaw(
|
||||
`${icons.warning} <strong>Deprecation Warning</strong>: The <em>deny-licenses</em> option is deprecated for possible removal in the next major release. For more information, see actions/dependency-review-action/issues/938.`,
|
||||
`${icons.warning} <strong>Deprecation Warning</strong>: The <em>deny-licenses</em> option is deprecated for possible removal in the next major release. For more information, see issue 997.`,
|
||||
true
|
||||
)
|
||||
}
|
||||
@@ -206,19 +206,17 @@ export function addLicensesToSummary(
|
||||
|
||||
if (config.allow_licenses && config.allow_licenses.length > 0) {
|
||||
core.summary.addQuote(
|
||||
`<strong>Allowed Licenses</strong>: ${config.allow_licenses.join(', ')}`
|
||||
`<details><summary><strong>Allowed Licenses</strong>:</summary> ${config.allow_licenses.join(', ')}</details>`
|
||||
)
|
||||
}
|
||||
if (config.deny_licenses && config.deny_licenses.length > 0) {
|
||||
core.summary.addQuote(
|
||||
`<strong>Denied Licenses</strong>: ${config.deny_licenses.join(', ')}`
|
||||
`<details><summary><strong>Denied Licenses</strong>:</summary> ${config.deny_licenses.join(', ')}</details>`
|
||||
)
|
||||
}
|
||||
if (config.allow_dependencies_licenses) {
|
||||
core.summary.addQuote(
|
||||
`<strong>Excluded from license check</strong>: ${config.allow_dependencies_licenses.join(
|
||||
', '
|
||||
)}`
|
||||
`<details><summary><strong>Excluded from license check</strong>:</summary> ${config.allow_dependencies_licenses.join(', ')}</details>`
|
||||
)
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user