Compare commits

...

171 Commits

Author SHA1 Message Date
Federico Builes 9b3a7f61dd Minor README tweaks. 2022-11-11 11:26:05 +01:00
Federico Builes a4761312ac Add pull_request to the list of events that don't need refs. 2022-11-11 11:23:46 +01:00
Federico Builes 28c7c8c314 Set the correct default for license-check in README. 2022-11-11 11:17:08 +01:00
Courtney Claessens 8e5000107a Update README.md 2022-11-10 20:01:11 -05:00
Courtney Claessens 89a074ec7e Update README.md 2022-11-10 19:59:21 -05:00
Courtney Claessens 8d7a4c48ad Update README.md 2022-11-10 19:55:22 -05:00
Courtney Claessens 2f59625b62 reorg the readme 2022-11-10 19:51:20 -05:00
Federico Builes 9e552623cc Merge pull request #323 from actions/dependabot/npm_and_yarn/esbuild-register-3.4.0
Bump esbuild-register from 3.3.3 to 3.4.0
2022-11-10 12:45:45 +01:00
Federico Builes 4108a15bd3 Merge pull request #306 from actions/external-repo-config
Read configuration from external repositories
2022-11-10 11:03:15 +01:00
Federico Builes 5ea8fbfb83 Update docs for config file paths. 2022-11-10 08:18:58 +01:00
Federico Builes c72eb06e71 Update README.md
Co-authored-by: Courtney Claessens <courtneycl@github.com>
2022-11-10 07:59:35 +01:00
Federico Builes aa409fa6cd Update README.md
Co-authored-by: Courtney Claessens <courtneycl@github.com>
2022-11-10 07:59:28 +01:00
Federico Builes 5aaa78ce3c Update README.md
Co-authored-by: Courtney Claessens <courtneycl@github.com>
2022-11-10 07:59:15 +01:00
dependabot[bot] 8d9ea3eb63 Bump esbuild-register from 3.3.3 to 3.4.0
Bumps esbuild-register from 3.3.3 to 3.4.0.

---
updated-dependencies:
- dependency-name: esbuild-register
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-11-10 01:11:37 +00:00
Federico Builes 59a4f4c4ba Fixing typo in README.md 2022-11-09 13:24:07 +01:00
Federico Builes bf8cfe8b38 Linting, adding dist files. 2022-11-09 13:22:33 +01:00
Federico Builes ae538ebe32 Linting and whitespace. Smol rename. 2022-11-09 13:17:12 +01:00
Federico Builes b4126ce983 Shuffle things around. 2022-11-09 13:16:53 +01:00
Federico Builes 418ae59d51 Replace TODO with instructions for getting PAT. 2022-11-08 17:51:31 +01:00
Federico Builes c38007a979 Don't abbreviate repo in docs.
In general let's try not to use abbreviations in public
documentation.
2022-11-08 17:45:23 +01:00
cnagadya ebe5527e72 Fix readme typo 2022-11-08 11:23:48 +00:00
cnagadya 1589654682 Add dist changes 2022-11-08 11:16:48 +00:00
cnagadya f0ff0b670a Rename config token > external-repo-token 2022-11-08 11:16:26 +00:00
cnagadya 336da03de2 Update empty allow-licenses tests 2022-11-08 11:15:36 +00:00
cnagadya 78565a954f Dont merge config lists
Co-authored-by: Henri Maurer<hmaurer@github.com>
Co-authored-by: Federico Builes<febuiles@github.com>
2022-11-08 10:52:30 +00:00
cnagadya 3c73a622ba Fix config-file tests 2022-11-08 09:53:36 +00:00
Federico Builes 7a42af0f2f Merge pull request #320 from actions/dependabot/npm_and_yarn/eslint-plugin-jest-27.1.4
Bump eslint-plugin-jest from 27.1.3 to 27.1.4
2022-11-08 10:40:36 +01:00
dependabot[bot] abfd4a1fc7 Bump eslint-plugin-jest from 27.1.3 to 27.1.4
Bumps [eslint-plugin-jest](https://github.com/jest-community/eslint-plugin-jest) from 27.1.3 to 27.1.4.
- [Release notes](https://github.com/jest-community/eslint-plugin-jest/releases)
- [Changelog](https://github.com/jest-community/eslint-plugin-jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jest-community/eslint-plugin-jest/compare/v27.1.3...v27.1.4)

---
updated-dependencies:
- dependency-name: eslint-plugin-jest
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-11-08 09:39:22 +00:00
Federico Builes 40e460b464 Merge pull request #316 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.42.1
Bump @typescript-eslint/parser from 5.42.0 to 5.42.1
2022-11-08 10:38:41 +01:00
dependabot[bot] 9f1bc9b354 Bump @typescript-eslint/parser from 5.42.0 to 5.42.1
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.42.0 to 5.42.1.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.42.1/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-11-08 09:38:34 +00:00
Federico Builes 774bd6c1d5 Merge pull request #318 from actions/dependabot/npm_and_yarn/eslint-plugin-github-4.4.1
Bump eslint-plugin-github from 4.4.0 to 4.4.1
2022-11-08 10:37:41 +01:00
Federico Builes f7686f8c21 Merge pull request #317 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.42.1
Bump @typescript-eslint/eslint-plugin from 5.42.0 to 5.42.1
2022-11-08 10:36:16 +01:00
dependabot[bot] 688e92b5e5 Bump eslint-plugin-github from 4.4.0 to 4.4.1
Bumps [eslint-plugin-github](https://github.com/github/eslint-plugin-github) from 4.4.0 to 4.4.1.
- [Release notes](https://github.com/github/eslint-plugin-github/releases)
- [Commits](https://github.com/github/eslint-plugin-github/compare/v4.4.0...v4.4.1)

---
updated-dependencies:
- dependency-name: eslint-plugin-github
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-11-08 07:35:47 +00:00
Federico Builes 7ce779229f Merge pull request #319 from actions/dependabot/npm_and_yarn/eslint-8.27.0
Bump eslint from 8.26.0 to 8.27.0
2022-11-08 08:34:38 +01:00
dependabot[bot] 543eecb644 Bump eslint from 8.26.0 to 8.27.0
Bumps [eslint](https://github.com/eslint/eslint) from 8.26.0 to 8.27.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/eslint/eslint/compare/v8.26.0...v8.27.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-11-08 01:17:47 +00:00
dependabot[bot] a7ec2eb771 Bump @typescript-eslint/eslint-plugin from 5.42.0 to 5.42.1
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.42.0 to 5.42.1.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.42.1/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-11-08 01:17:25 +00:00
cnagadya 13455c7175 Merge array config options 2022-11-07 17:57:05 +00:00
cnagadya 6d941b396a Fix inconsistencies due to zod defaults / partials mixup 2022-11-07 17:08:00 +00:00
cnagadya 49ed3f2876 Merge lists in configs instead of overwritting them 2022-11-07 12:33:54 +00:00
cnagadya b55cddb69d Use config-file for both remote and local config-files 2022-11-07 12:12:03 +00:00
cnagadya dcdeb7de77 Remove redundant skips
Co-authored-by: Federico Builes <febuiles@github.com>
2022-11-04 16:12:05 +00:00
cnagadya b4a2fbfa16 Complete functionality for handling remote config file 2022-11-04 14:51:41 +00:00
cnagadya 97e5a607ba Handle getContent response as is
Co-authored-by: Henri Maurer <hmaurer@github.com>
2022-11-04 10:08:00 +00:00
cnagadya 3b410dc4ad Load remote config file 2022-11-04 09:05:45 +00:00
Federico Builes 683cbc4872 Merge branch 'main' into external-repo-config 2022-11-01 08:11:26 +01:00
Federico Builes 2f696d8c7a Merge pull request #314 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.42.0
Bump @typescript-eslint/eslint-plugin from 5.41.0 to 5.42.0
2022-11-01 08:10:28 +01:00
dependabot[bot] 1a9033d563 Bump @typescript-eslint/eslint-plugin from 5.41.0 to 5.42.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.41.0 to 5.42.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.42.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-11-01 07:10:21 +00:00
Federico Builes ad6e320da1 Merge pull request #313 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.42.0
Bump @typescript-eslint/parser from 5.41.0 to 5.42.0
2022-11-01 08:09:22 +01:00
dependabot[bot] 3d86825394 Bump @typescript-eslint/parser from 5.41.0 to 5.42.0
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.41.0 to 5.42.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.42.0/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-11-01 01:49:12 +00:00
Federico Builes 10dc05ba09 Merge pull request #311 from ericcornelissen/308-disable-license-or-vuln
Add `license-check` and `vulnerability-check` inputs
2022-10-31 07:56:37 +01:00
Federico Builes 04f48dec81 Update __tests__/config.test.ts 2022-10-31 07:55:17 +01:00
Federico Builes bb5c0c7ca0 Merge pull request #312 from actions/dependabot/npm_and_yarn/types/node-16.18.3
Bump @types/node from 16.18.2 to 16.18.3
2022-10-31 06:42:09 +01:00
dependabot[bot] 2d7d700469 Bump @types/node from 16.18.2 to 16.18.3
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.18.2 to 16.18.3.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-31 01:33:50 +00:00
Eric Cornelissen f095b5a541 Build and package 2022-10-28 22:25:06 +02:00
Eric Cornelissen f54a1f3b74 Document the license-check & vulnerability-check config options
Include the license-check and vulnerability-check options in the config
documentation in the README.

Also fix a typo in the README ("configuraton" -> "configuration").
2022-10-28 22:23:33 +02:00
Eric Cornelissen 84921e5e4a Simplify Summary summary based on license-check and vulnerability-check
Omit details related to the license check of vulnerability check from
the GitHub Actions Summary's summary if the respective check is disabled
from the configuration.
2022-10-28 22:15:44 +02:00
Eric Cornelissen c5af7ff272 Prevent disabling all checks
Prevent users from disabling both the license and vulnerability check by
checking if both are set to `false` and throwing if that's the case.
2022-10-28 22:08:55 +02:00
Eric Cornelissen 31279d265a Add license-check and vulnerability-check inputs
Add support for two new inputs, named `license-check` and
`vulnerability-check`, to disable the license checks or vulnerability
checks performed by this action. By default, both are enabled.
2022-10-28 22:06:05 +02:00
Federico Builes 2532504548 Merge pull request #310 from actions/cn/node-18
Upgrade to Node 18
2022-10-28 13:46:26 +02:00
cnagadya cc6d251652 Update contributing guide 2022-10-28 10:13:58 +00:00
cnagadya 516e8497ac Add codespace defaults 2022-10-28 10:13:58 +00:00
cnagadya 43c5083e6c Node 18 2022-10-28 10:13:58 +00:00
Federico Builes fa62a0febc Merge pull request #294 from actions/cn/spdx-licenses
Add support for SPDX expressions
2022-10-28 11:27:18 +02:00
cnagadya e897e8ebdd Add dist folder 2022-10-28 09:25:16 +00:00
cnagadya 216fafaed5 PR feedback
Co-authored-by: Federico Builes <febuiles@github.com>
2022-10-28 11:23:05 +02:00
cnagadya 0144419c8e Format violations area 2022-10-27 16:43:45 +00:00
cnagadya 7b16bd0b54 Add unvalidated changes to summary 2022-10-27 16:24:30 +00:00
cnagadya 4525a8c091 Format summary findings 2022-10-27 15:41:19 +00:00
cnagadya 72273c9a36 Update dist folder 2022-10-27 15:22:00 +00:00
cnagadya 562a2f3c0a Improve summary formatting 2022-10-27 15:19:32 +00:00
cnagadya c82c183029 Resolve package-lock conflicts 2022-10-27 14:37:08 +00:00
cnagadya 26be1f407e Merge pull request #309 from actions/codespace-actions-dependency-review-action-p79j7j9pxqrh669p
Add unresolved licenses section
2022-10-27 15:43:28 +02:00
cnagadya 022ea02fbb Add unresolved licenses section 2022-10-27 13:09:37 +00:00
Federico Builes d6e28cdfae Merge pull request #307 from actions/dependabot/npm_and_yarn/types/node-16.18.2
Bump @types/node from 16.18.0 to 16.18.2
2022-10-27 07:34:11 +02:00
dependabot[bot] da3d8af3e3 Bump @types/node from 16.18.0 to 16.18.2
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.18.0 to 16.18.2.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-27 01:26:35 +00:00
cnagadya 52fa73c086 Update readme licenses sections 2022-10-26 10:54:12 +00:00
cnagadya 3baea959cf Fix license test failures 2022-10-26 09:58:00 +00:00
cnagadya 782c57b17e Fix config test failures 2022-10-26 09:57:02 +00:00
cnagadya ac5ed8754d Use SPDX license expressions 2022-10-26 09:56:34 +00:00
Federico Builes 024a5a6342 Merge pull request #305 from actions/dependabot/npm_and_yarn/octokit-2.0.10
Bump octokit from 2.0.9 to 2.0.10
2022-10-26 08:49:12 +02:00
Federico Builes b2fc686406 Resolving merge conflicts 2022-10-26 08:47:43 +02:00
dependabot[bot] 4ec1d46392 Bump octokit from 2.0.9 to 2.0.10
Bumps [octokit](https://github.com/octokit/octokit.js) from 2.0.9 to 2.0.10.
- [Release notes](https://github.com/octokit/octokit.js/releases)
- [Commits](https://github.com/octokit/octokit.js/compare/v2.0.9...v2.0.10)

---
updated-dependencies:
- dependency-name: octokit
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-26 06:46:16 +00:00
Federico Builes cfef8bfe29 Merge pull request #304 from actions/dependabot/npm_and_yarn/octokit/plugin-retry-4.0.3
Bump @octokit/plugin-retry from 3.0.9 to 4.0.3
2022-10-26 08:45:28 +02:00
Federico Builes bd43b8d1e2 updating dist 2022-10-26 08:45:18 +02:00
dependabot[bot] fced408b87 Bump @octokit/plugin-retry from 3.0.9 to 4.0.3
Bumps [@octokit/plugin-retry](https://github.com/octokit/plugin-retry.js) from 3.0.9 to 4.0.3.
- [Release notes](https://github.com/octokit/plugin-retry.js/releases)
- [Commits](https://github.com/octokit/plugin-retry.js/compare/v3.0.9...v4.0.3)

---
updated-dependencies:
- dependency-name: "@octokit/plugin-retry"
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-26 01:51:57 +00:00
Federico Builes 65f9f50468 Merge pull request #303 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.41.0
Bump @typescript-eslint/parser from 5.40.1 to 5.41.0
2022-10-25 07:57:41 +02:00
dependabot[bot] a393c83ce5 Bump @typescript-eslint/parser from 5.40.1 to 5.41.0
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.40.1 to 5.41.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.41.0/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-25 05:56:55 +00:00
Federico Builes 56163c5659 Merge pull request #302 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.41.0
Bump @typescript-eslint/eslint-plugin from 5.40.1 to 5.41.0
2022-10-25 07:56:10 +02:00
dependabot[bot] 5dc2e6e4bb Bump @typescript-eslint/eslint-plugin from 5.40.1 to 5.41.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.40.1 to 5.41.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.41.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-25 01:44:33 +00:00
Federico Builes 0efb1d1d84 bumping to 2.5.1 2022-10-24 17:03:38 +02:00
Federico Builes d4f6425aa4 Merge pull request #290 from actions/cn/scan_pr
Enable setting configuration options for local testing
2022-10-24 16:55:54 +02:00
Federico Builes 49a61bd9bd Update scripts/scan_pr
Co-authored-by: cnagadya <cnagadya@github.com>
2022-10-24 16:54:03 +02:00
Federico Builes 06c01e11e8 Update scripts/scan_pr
Co-authored-by: cnagadya <cnagadya@github.com>
2022-10-24 16:53:56 +02:00
Federico Builes 4538b29c27 Merge pull request #300 from actions/dependabot/npm_and_yarn/eslint-8.26.0
Bump eslint from 8.25.0 to 8.26.0
2022-10-24 07:14:08 +02:00
Federico Builes 4153ec555a Merge pull request #299 from actions/dependabot/npm_and_yarn/types/node-16.18.0
Bump @types/node from 16.11.68 to 16.18.0
2022-10-24 07:13:59 +02:00
dependabot[bot] 7c8d0843f9 Bump eslint from 8.25.0 to 8.26.0
Bumps [eslint](https://github.com/eslint/eslint) from 8.25.0 to 8.26.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/eslint/eslint/compare/v8.25.0...v8.26.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-24 01:47:43 +00:00
dependabot[bot] fc00198e43 Bump @types/node from 16.11.68 to 16.18.0
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.11.68 to 16.18.0.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-24 01:47:19 +00:00
Federico Builes 9760f87258 Fix config-file description in action.yml 2022-10-21 17:38:18 +02:00
Federico Builes 74c047086c Adding README and action.yml for external config files. 2022-10-21 17:34:20 +02:00
Federico Builes 80e573b784 Fixing whitespace. 2022-10-21 14:03:17 +02:00
Federico Builes b5c3d1e723 Update scan_pr to support loading an external config YAML file. 2022-10-21 14:00:52 +02:00
Federico Builes 7fd272118a Updating scan_pr to support a config file option. 2022-10-21 13:55:52 +02:00
Federico Builes 3c9a31f5a0 Updating CONTRIBUTING.md 2022-10-21 13:36:00 +02:00
Federico Builes d8fba3fdc1 Remove hardcode file from .gitignore 2022-10-21 13:33:24 +02:00
Federico Builes e805dd89e8 Merge branch 'main' into cn/scan_pr 2022-10-21 13:27:09 +02:00
Federico Builes 32276cb73d Merge pull request #298 from actions/dependabot/npm_and_yarn/types/node-16.11.68
Bump @types/node from 16.11.66 to 16.11.68
2022-10-19 07:49:08 +02:00
Federico Builes fe226ac019 Merge pull request #297 from actions/dependabot/npm_and_yarn/eslint-plugin-jest-27.1.3
Bump eslint-plugin-jest from 27.1.2 to 27.1.3
2022-10-19 07:48:52 +02:00
dependabot[bot] b759175bdb Bump @types/node from 16.11.66 to 16.11.68
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.11.66 to 16.11.68.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-19 01:34:58 +00:00
dependabot[bot] 6af054f363 Bump eslint-plugin-jest from 27.1.2 to 27.1.3
Bumps [eslint-plugin-jest](https://github.com/jest-community/eslint-plugin-jest) from 27.1.2 to 27.1.3.
- [Release notes](https://github.com/jest-community/eslint-plugin-jest/releases)
- [Changelog](https://github.com/jest-community/eslint-plugin-jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jest-community/eslint-plugin-jest/compare/v27.1.2...v27.1.3)

---
updated-dependencies:
- dependency-name: eslint-plugin-jest
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-19 01:34:46 +00:00
Federico Builes 6f32cb0afd Merge pull request #296 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.40.1
Bump @typescript-eslint/parser from 5.40.0 to 5.40.1
2022-10-18 10:05:25 +02:00
dependabot[bot] 2791afab72 Bump @typescript-eslint/parser from 5.40.0 to 5.40.1
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.40.0 to 5.40.1.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.40.1/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-18 06:54:19 +00:00
Federico Builes a8b5c8c24e Merge pull request #295 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.40.1
Bump @typescript-eslint/eslint-plugin from 5.40.0 to 5.40.1
2022-10-18 08:53:31 +02:00
dependabot[bot] 12a250de95 Bump @typescript-eslint/eslint-plugin from 5.40.0 to 5.40.1
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.40.0 to 5.40.1.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.40.1/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-18 01:26:32 +00:00
Federico Builes 917e5af203 Merge pull request #291 from actions/dependabot/npm_and_yarn/types/node-16.11.66
Bump @types/node from 16.11.65 to 16.11.66
2022-10-17 07:28:53 +02:00
Federico Builes ba6dba6225 Merge pull request #292 from actions/dependabot/npm_and_yarn/eslint-plugin-jest-27.1.2
Bump eslint-plugin-jest from 27.1.1 to 27.1.2
2022-10-17 07:26:25 +02:00
dependabot[bot] 63154658bc Bump eslint-plugin-jest from 27.1.1 to 27.1.2
Bumps [eslint-plugin-jest](https://github.com/jest-community/eslint-plugin-jest) from 27.1.1 to 27.1.2.
- [Release notes](https://github.com/jest-community/eslint-plugin-jest/releases)
- [Changelog](https://github.com/jest-community/eslint-plugin-jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jest-community/eslint-plugin-jest/compare/v27.1.1...v27.1.2)

---
updated-dependencies:
- dependency-name: eslint-plugin-jest
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-17 01:51:39 +00:00
dependabot[bot] f84c5813e5 Bump @types/node from 16.11.65 to 16.11.66
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.11.65 to 16.11.66.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-17 01:51:15 +00:00
cnagadya 228a6404a2 Remove untracked dev-config.yml 2022-10-14 13:07:46 +00:00
cnagadya c84947f64b Ignore dev-config file 2022-10-14 12:31:49 +00:00
cnagadya 71dbf10e60 Add configuration instruction to docs 2022-10-14 12:31:17 +00:00
cnagadya f9deefc2e9 Retrieve config file values for local testing 2022-10-14 09:26:12 +00:00
Federico Builes 0e5d083be1 Merge pull request #289 from actions/dependabot/npm_and_yarn/octokit-2.0.9
Bump octokit from 2.0.7 to 2.0.9
2022-10-14 09:09:30 +02:00
Federico Builes 2f428eec67 adding dist 2022-10-14 09:03:58 +02:00
dependabot[bot] dff2fdff0f Bump octokit from 2.0.7 to 2.0.9
Bumps [octokit](https://github.com/octokit/octokit.js) from 2.0.7 to 2.0.9.
- [Release notes](https://github.com/octokit/octokit.js/releases)
- [Commits](https://github.com/octokit/octokit.js/compare/v2.0.7...v2.0.9)

---
updated-dependencies:
- dependency-name: octokit
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-14 06:56:20 +00:00
Federico Builes 12a171cf96 Merge pull request #288 from actions/dependabot/npm_and_yarn/octokit/request-error-3.0.2
Bump @octokit/request-error from 3.0.1 to 3.0.2
2022-10-14 08:55:30 +02:00
dependabot[bot] 3156cf8998 Bump @octokit/request-error from 3.0.1 to 3.0.2
Bumps [@octokit/request-error](https://github.com/octokit/request-error.js) from 3.0.1 to 3.0.2.
- [Release notes](https://github.com/octokit/request-error.js/releases)
- [Commits](https://github.com/octokit/request-error.js/compare/v3.0.1...v3.0.2)

---
updated-dependencies:
- dependency-name: "@octokit/request-error"
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-14 01:25:21 +00:00
cnagadya fd675ced9c v2.5.0 release
Co-authored-by: Henri Maurer <hmaurer@github.com>
Co-authored-by: Federico Builes <febuiles@github.com>
2022-10-13 15:00:15 +00:00
Federico Builes f7d03d8b76 Merge pull request #284 from actions/cn/license-api-fallback
Use GH Licenses API to retrieve null licenses
2022-10-13 16:54:33 +02:00
Federico Builes 7e41a6f1ee Removing unnecessary beforeAll block
Mocks are removed in Jest automatically due to our
Jest config file.

Co-authored-by: Christine Nagadya <cnagadya@github.com>
Co-authored-by: Henri Maurer <hmaurer@github.com>
2022-10-13 16:52:54 +02:00
cnagadya 4c0961eff6 Add tests for GitHub License API fallback 2022-10-13 11:57:38 +00:00
cnagadya d1e9a12830 Resolve conflicts 2022-10-13 11:06:40 +00:00
cnagadya 2e3713aab8 Optimise setGHLicenses
Co-authored-by: Henri Maurer <hmaurer@github.com>
Co-authored-by: Federico Builes <febuiles@github.com>
2022-10-13 11:03:34 +00:00
cnagadya ba9d7c1389 Retrieve null licenses from licenses API 2022-10-13 11:03:34 +00:00
Federico Builes 0cd2781117 Merge pull request #286 from actions/dependabot/npm_and_yarn/ansi-styles-6.2.1
Bump ansi-styles from 6.2.0 to 6.2.1
2022-10-13 12:28:39 +02:00
Federico Builes 129f0ad973 adding dist 2022-10-13 12:26:58 +02:00
dependabot[bot] 0a88a4704b Bump ansi-styles from 6.2.0 to 6.2.1
Bumps [ansi-styles](https://github.com/chalk/ansi-styles) from 6.2.0 to 6.2.1.
- [Release notes](https://github.com/chalk/ansi-styles/releases)
- [Commits](https://github.com/chalk/ansi-styles/compare/v6.2.0...v6.2.1)

---
updated-dependencies:
- dependency-name: ansi-styles
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-13 06:12:45 +00:00
Federico Builes 18069caed8 Merge pull request #287 from actions/dependabot/npm_and_yarn/got-12.5.2
Bump got from 12.5.1 to 12.5.2
2022-10-13 08:12:07 +02:00
dependabot[bot] 61cee4b12b Bump got from 12.5.1 to 12.5.2
Bumps [got](https://github.com/sindresorhus/got) from 12.5.1 to 12.5.2.
- [Release notes](https://github.com/sindresorhus/got/releases)
- [Commits](https://github.com/sindresorhus/got/compare/v12.5.1...v12.5.2)

---
updated-dependencies:
- dependency-name: got
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-13 01:25:32 +00:00
Federico Builes 94670a1af8 Merge pull request #282 from actions/dependabot/npm_and_yarn/eslint-plugin-github-4.4.0
Bump eslint-plugin-github from 4.3.7 to 4.4.0
2022-10-12 08:05:50 +02:00
Federico Builes 577d9714ad Merge pull request #283 from actions/dependabot/npm_and_yarn/ansi-styles-6.2.0
Bump ansi-styles from 6.1.1 to 6.2.0
2022-10-12 08:02:05 +02:00
Federico Builes 9ce6cb532b adding dist 2022-10-12 08:01:53 +02:00
dependabot[bot] 0b980b1ccd Bump ansi-styles from 6.1.1 to 6.2.0
Bumps [ansi-styles](https://github.com/chalk/ansi-styles) from 6.1.1 to 6.2.0.
- [Release notes](https://github.com/chalk/ansi-styles/releases)
- [Commits](https://github.com/chalk/ansi-styles/compare/v6.1.1...v6.2.0)

---
updated-dependencies:
- dependency-name: ansi-styles
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-12 01:41:51 +00:00
dependabot[bot] bc5f6c2f39 Bump eslint-plugin-github from 4.3.7 to 4.4.0
Bumps [eslint-plugin-github](https://github.com/github/eslint-plugin-github) from 4.3.7 to 4.4.0.
- [Release notes](https://github.com/github/eslint-plugin-github/releases)
- [Commits](https://github.com/github/eslint-plugin-github/compare/v4.3.7...v4.4.0)

---
updated-dependencies:
- dependency-name: eslint-plugin-github
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-12 01:41:43 +00:00
cnagadya 9c96258789 Update to 2.4.1 2022-10-11 13:42:40 +00:00
Federico Builes f076f221f4 Merge pull request #280 from actions/format-bugs
Fix display issues with versions and GHSAs
2022-10-11 15:22:44 +02:00
Federico Builes 88b817ec8d adding dist 2022-10-11 15:20:02 +02:00
Federico Builes 2dd6c6a3d7 Fixing a bug with GHSA filtering.
Co-authored-by: Christine Nagadya <cnagadya@github.com>
2022-10-11 15:17:34 +02:00
Federico Builes 1d9bfbbddf Document the behavior of the GHSA filtering function. 2022-10-11 15:09:58 +02:00
Federico Builes f632f5f79d adding dist 2022-10-11 14:51:27 +02:00
Federico Builes ee42a6512f Show the dependency name instead of the manifest. 2022-10-11 14:50:55 +02:00
Federico Builes 6f58092362 Merge pull request #278 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.40.0
Bump @typescript-eslint/eslint-plugin from 5.39.0 to 5.40.0
2022-10-11 12:11:26 +02:00
dependabot[bot] b81bfe53ce Bump @typescript-eslint/eslint-plugin from 5.39.0 to 5.40.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.39.0 to 5.40.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.40.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-11 10:10:06 +00:00
Federico Builes 5679c0f8be Merge pull request #277 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.40.0
Bump @typescript-eslint/parser from 5.39.0 to 5.40.0
2022-10-11 12:09:15 +02:00
dependabot[bot] 2018b3e66f Bump @typescript-eslint/parser from 5.39.0 to 5.40.0
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.39.0 to 5.40.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.40.0/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-11 08:50:56 +00:00
Federico Builes 463890c1ed Merge pull request #276 from actions/dependabot/npm_and_yarn/types/node-16.11.65
Bump @types/node from 16.11.64 to 16.11.65
2022-10-11 10:50:05 +02:00
dependabot[bot] c9b9d23e75 Bump @types/node from 16.11.64 to 16.11.65
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.11.64 to 16.11.65.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-11 01:32:53 +00:00
Federico Builes 4c14cfe593 Merge pull request #275 from actions/dependabot/npm_and_yarn/eslint-8.25.0
Bump eslint from 8.24.0 to 8.25.0
2022-10-10 08:24:07 +02:00
dependabot[bot] 5b70fe08e7 Bump eslint from 8.24.0 to 8.25.0
Bumps [eslint](https://github.com/eslint/eslint) from 8.24.0 to 8.25.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/eslint/eslint/compare/v8.24.0...v8.25.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-10 01:52:29 +00:00
Federico Builes 81216f689b Merge pull request #274 from actions/dependabot/npm_and_yarn/yaml-2.1.3
Bump yaml from 2.1.2 to 2.1.3
2022-10-06 14:43:54 +02:00
Federico Builes afbc15c97f updating dist files 2022-10-06 14:41:07 +02:00
dependabot[bot] 8d974c4ee8 Bump yaml from 2.1.2 to 2.1.3
Bumps [yaml](https://github.com/eemeli/yaml) from 2.1.2 to 2.1.3.
- [Release notes](https://github.com/eemeli/yaml/releases)
- [Commits](https://github.com/eemeli/yaml/compare/v2.1.2...v2.1.3)

---
updated-dependencies:
- dependency-name: yaml
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-06 11:19:30 +00:00
Federico Builes cdad98596a Merge pull request #273 from actions/dependabot/npm_and_yarn/eslint-plugin-jest-27.1.1
Bump eslint-plugin-jest from 27.1.0 to 27.1.1
2022-10-06 13:18:40 +02:00
dependabot[bot] 0a0eb39992 Bump eslint-plugin-jest from 27.1.0 to 27.1.1
Bumps [eslint-plugin-jest](https://github.com/jest-community/eslint-plugin-jest) from 27.1.0 to 27.1.1.
- [Release notes](https://github.com/jest-community/eslint-plugin-jest/releases)
- [Changelog](https://github.com/jest-community/eslint-plugin-jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jest-community/eslint-plugin-jest/compare/v27.1.0...v27.1.1)

---
updated-dependencies:
- dependency-name: eslint-plugin-jest
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-06 01:41:12 +00:00
Federico Builes df3ceaf7f0 Merge pull request #269 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.39.0
Bump @typescript-eslint/eslint-plugin from 5.38.1 to 5.39.0
2022-10-05 13:17:37 +02:00
dependabot[bot] 1997789b86 Bump @typescript-eslint/eslint-plugin from 5.38.1 to 5.39.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.38.1 to 5.39.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.39.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-05 11:01:03 +00:00
Federico Builes 584e620d09 Merge pull request #270 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.39.0
Bump @typescript-eslint/parser from 5.38.1 to 5.39.0
2022-10-05 13:00:23 +02:00
Federico Builes 1fa34689ad Merge pull request #271 from actions/dependabot/npm_and_yarn/types/node-16.11.64
Bump @types/node from 16.11.63 to 16.11.64
2022-10-05 13:00:15 +02:00
Federico Builes de2814d20e Merge pull request #272 from actions/dependabot/npm_and_yarn/eslint-plugin-jest-27.1.0
Bump eslint-plugin-jest from 27.0.4 to 27.1.0
2022-10-05 08:17:58 +02:00
dependabot[bot] eabc27054f Bump eslint-plugin-jest from 27.0.4 to 27.1.0
Bumps [eslint-plugin-jest](https://github.com/jest-community/eslint-plugin-jest) from 27.0.4 to 27.1.0.
- [Release notes](https://github.com/jest-community/eslint-plugin-jest/releases)
- [Changelog](https://github.com/jest-community/eslint-plugin-jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jest-community/eslint-plugin-jest/compare/v27.0.4...v27.1.0)

---
updated-dependencies:
- dependency-name: eslint-plugin-jest
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-05 01:54:54 +00:00
dependabot[bot] b486e073e9 Bump @types/node from 16.11.63 to 16.11.64
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.11.63 to 16.11.64.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-05 01:54:43 +00:00
dependabot[bot] 03321307df Bump @typescript-eslint/parser from 5.38.1 to 5.39.0
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.38.1 to 5.39.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.39.0/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-05 01:51:49 +00:00
25 changed files with 18927 additions and 3111 deletions
+9
View File
@@ -0,0 +1,9 @@
{
"name": "Dependency Review Action",
"image": "mcr.microsoft.com/devcontainers/typescript-node:18",
"postCreateCommand": "npm install",
"remoteUser": "node",
"features": {
"ghcr.io/devcontainers/features/ruby:1": {}
}
}
-1
View File
@@ -1 +0,0 @@
fail-on-severity: low
+2 -2
View File
@@ -23,10 +23,10 @@ jobs:
steps:
- uses: actions/checkout@v3
- name: Set Node.js 16.x
- name: Set Node.js 18.x
uses: actions/setup-node@v3
with:
node-version: 16.x
node-version: 18.x
- name: Install dependencies
run: npm ci
+2 -2
View File
@@ -17,7 +17,7 @@ jobs:
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
with:
node-version: 16
node-version: 18
cache: npm
- name: Install dependencies
run: npm ci --ignore-scripts
@@ -30,7 +30,7 @@ jobs:
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
with:
node-version: 16
node-version: 18
cache: npm
- name: Install dependencies
run: npm ci --ignore-scripts
+25 -16
View File
@@ -1,4 +1,5 @@
# Contributing
[fork]: https://github.com/actions/dependency-review-action/fork
[pr]: https://github.com/actions/dependency-review-action/compare
[code-of-conduct]: CODE_OF_CONDUCT.md
@@ -9,7 +10,6 @@ Contributions to this project are
[released](https://help.github.com/articles/github-terms-of-service/#6-contributions-under-repository-license)
to the public under the [project's open source license](LICENSE).
Please note that this project is released with a [Contributor Code of
Conduct][code-of-conduct]. By participating in this project you agree
to abide by its terms.
@@ -20,7 +20,6 @@ This Action makes an authenticated query to the Dependency Graph Diff
API endpoint (`GET /repos/{owner}/{repo}/dependency-graph/compare/{basehead}`)
to find out the set of added and removed dependencies for each manifest.
### Bootstrapping the project
```
@@ -35,10 +34,11 @@ npm install
npm run test
```
*Note*: We don't have any useful tests yet, contributions are welcome!
_Note_: We don't have any useful tests yet, contributions are welcome!
## Local Development
It is recommended to have atleast [Node 18](https://nodejs.org/en/) installed.
We have a script to scan a given PR for vulnerabilities, this will
help you test your local changes. Make sure to [grab a Personal Access Token (PAT)](https://github.com/settings/tokens) before proceeding (you'll need `repo` permissions for private repos):
@@ -56,16 +56,24 @@ Like this:
$ GITHUB_TOKEN=my-secret-token ./scripts/scan_pr https://github.com/actions/dependency-review-action/pull/3
```
[Configuration options](README.md#configuration-options) can be set by
passing an external YAML [configuration file](README.md#configuration-file) to the
`scan_pr` script with the `-c`/`--config-file` option:
```sh
$ GITHUB_TOKEN=<token> ./scripts/scan_pr --config-file my_custom_config.yml <pr_url>
```
## Submitting a pull request
0. [Fork][fork] and clone the repository
0. Configure and install the dependencies: `npm install`
0. Make sure the tests pass on your machine: `npm run test`
0. Create a new branch: `git checkout -b my-branch-name`
0. Make your change, add tests, and make sure the tests still pass
0. Make sure to build and package before pushing: `npm run build && npm run package`
0. Push to your fork and [submit a pull request][pr]
0. Pat your self on the back and wait for your pull request to be reviewed and merged.
1. Configure and install the dependencies: `npm install`
2. Make sure the tests pass on your machine: `npm run test`
3. Create a new branch: `git checkout -b my-branch-name`
4. Make your change, add tests, and make sure the tests still pass
5. Make sure to build and package before pushing: `npm run build && npm run package`
6. Push to your fork and [submit a pull request][pr]
7. Pat your self on the back and wait for your pull request to be reviewed and merged.
Here are a few things you can do that will increase the likelihood of your pull request being accepted:
@@ -77,21 +85,21 @@ Here are a few things you can do that will increase the likelihood of your pull
1. Update the version number in [package.json](https://github.com/actions/dependency-review-action/blob/main/package.json).
1. Go to [Draft a new
release](https://github.com/actions/dependency-review-action/releases/new)
in the Releases page.
2. Make sure that the `Publish this Action to the GitHub Marketplace`
checkbox is enabled
release](https://github.com/actions/dependency-review-action/releases/new)
in the Releases page.
1. Make sure that the `Publish this Action to the GitHub Marketplace`
checkbox is enabled
<img width="481" alt="Screenshot 2022-06-15 at 12 08 19" src="https://user-images.githubusercontent.com/2161/173822484-4b60d8b4-c674-4bff-b5ff-b0c4a3650ab7.png">
3. Click "Choose a tag" and then "Create new tag", where the tag name
will be your version prefixed by a `v` (e.g. `v1.2.3`).
will be your version prefixed by a `v` (e.g. `v1.2.3`).
4. Use a version number for the release title (e.g. "1.2.3").
<img width="700" alt="Screenshot 2022-06-15 at 12 08 36" src="https://user-images.githubusercontent.com/2161/173822548-33ab3432-d679-4dc1-adf8-b50fdaf47de3.png">
5. Add your release notes. If this is a major version make sure to
include a small description of the biggest changes in the new version.
include a small description of the biggest changes in the new version.
6. Click "Publish Release".
You now have a tag and release using the semver version you used
@@ -102,6 +110,7 @@ automatically getting all the
minor/patch updates.
To do this just checkout `main`, force-create a new annotated tag, and push it:
```
git tag -fa v2 -m "Updating v2 to 2.3.4"
git push origin v2 --force
+43 -191
View File
@@ -5,11 +5,11 @@ raise an error if any vulnerabilities or invalid licenses are being introduced.
The action is available for all public repositories, as well as private repositories that have GitHub Advanced Security licensed.
You can see the results on the job logs
You can see the results on the job logs:
<img width="854" alt="Screen Shot 2022-03-31 at 1 10 51 PM" src="https://user-images.githubusercontent.com/2161/161042286-b22d7dd3-13cb-458d-8744-ce70ed9bf562.png">
or on the job summary
or on the job summary:
<img src="https://user-images.githubusercontent.com/7847935/182871416-50332bbb-b279-4621-a136-ca72a4314301.png">
@@ -33,7 +33,7 @@ jobs:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- name: 'Dependency Review'
uses: actions/dependency-review-action@v2
uses: actions/dependency-review-action@v3
```
### GitHub Enterprise Server
@@ -59,149 +59,34 @@ jobs:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- name: 'Dependency Review'
uses: actions/dependency-review-action@v2
uses: actions/dependency-review-action@v3
```
## Configuration
## Configuration options
Configure this action by either using an external configuration file,
or by inlining these options in your workflow file.
Configure this action by either inlining these options in your workflow file, or by using an external configuration file. All configuration options are optional.
## Configuration Options
| Option | Usage | Possible values | Default value |
|-----------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------|---------------|
| `fail-on-severity` | Defines the threshold for the level of severity. The action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher. | `low`, `moderate`, `high`, `critical` | `low` |
| `allow-licenses`* | Contains a list of allowed licenses. The action will fail on pull requests that introduce dependencies with licenses that do not match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `deny-licenses`* | Contains a list of prohibited licenses. The action will fail on pull requests that introduce dependencies with licenses that match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `fail-on-scopes`† | Contains a list of strings of the build environments you want to support. The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list. |`runtime`, `development`, `unknown` | `runtime` |
| `allow-ghsas` | Contains a list of GitHub Advisory Database IDs that can be skipped during detection. | Any GHSAs from the [GitHub Advisory Database](https://github.com/advisories) | none |
| `license-check` | Enable or disable the license check performed by the action. | `true`, `false` | `true` |
| `vulnerability-check` | Enable or disable the vulnerability check performed by the action. | `true`, `false` | `true` |
| `base-ref`/`head-ref` | Provide custom git references for the git base/head when performing the comparison check. This is only used for event types other than `pull_request` and `pull_request_target`. | Any valid git ref(s) in your project | none |
### config-file
*not supported for use with GitHub Enterprise Server
A string representing the path to an external configuraton file. By
default external configuration files are not used.
†will be supported with GitHub Enterprise Server 3.8
**Possible values**: A string representing the absolute path to the
configuration file.
**Example**: `config-file: ./.github/dependency-review-config.yml`.
### fail-on-severity
Configure the severity level for alerting. See "[Vulnerability Severity](https://github.com/actions/dependency-review-action#vulnerability-severity)".
**Possible values**: `critical`, `high`, `moderate`, `low`.
**Example**: `fail-on-severity: moderate`.
### fail-on-scopes
A list of strings representing the build environments you want to
support. The default value is `development, runtime`.
**Possible values**: `development`, `runtime`, `unknown`
**Inline example**: `fail-on-scopes: development, runtime`
**YAML example**:
```yaml
# this prevents scanning development dependencies
fail-on-scopes:
- runtime
```
### allow-licenses
Only allow the licenses in this list. See "[Licenses](https://github.com/actions/dependency-review-action#licenses)".
**Possible values**: Any `spdx_id` value(s) from
https://docs.github.com/en/rest/licenses.
**Inline example**: `allow-licenses: BSD-3-Clause, MIT`
**YAML example**:
```yaml
allow-licenses:
- BSD-3-Clause
- MIT
```
### deny-licenses
Add a custom list of licenses you want to block. See
"[Licenses](https://github.com/actions/dependency-review-action#licenses)".
**Possible values**: Any `spdx_id` value(s) from
https://docs.github.com/en/rest/licenses.
**Inline example**: `deny-licenses: LGPL-2.0, BSD-2-Clause`
**YAML example**:
```yaml
deny-licenses:
- LGPL-2.0
- BSD-2-Clause
```
### allow-ghsas
Add a custom list of GitHub Advisory IDs that can be skipped during detection.
**Possible values**: Any valid advisory GHSA ids.
**Inline example**: `allow-ghsas: GHSA-abcd-1234-5679, GHSA-efgh-1234-5679`
**YAML example**:
```yaml
allow-ghsas:
- GHSA-abcd-1234-5679
- GHSA-efgh-1234-5679
```
### base-ref/head-ref
Provide custom git references for the git base/head when performing
the comparison. If you are using pull requests, or
`pull_request_target` events you do not need to worry about setting
this. The values need to be specified for all other event types.
**Possible values**: Any valid git ref(s) in your project.
**Example**:
```yaml
base-ref: 8bb8a58d6a4028b6c2e314d5caaf273f57644896
head-ref: 69af5638bf660cf218aad5709a4c100e42a2f37b
```
### Configuration File
You can use an external configuration file to specify the settings for
this Action.
Start by specifying that you will be using an external configuration
file:
```yaml
- name: Dependency Review
uses: actions/dependency-review-action@v2
with:
config-file: './.github/dependency-review-config.yml'
```
And then create the file in the path you just specified. **All of these fields are
optional**:
```yaml
fail-on-severity: 'critical'
allow-licenses:
- 'GPL-3.0'
- 'BSD-3-Clause'
- 'MIT'
```
### Inline Configuration
You can pass options to the Dependency Review
Action using your workflow file. Here's an example of what the full
file would look like:
You can pass options to the Dependency Review GitHub Action using your workflow file.
#### Example
```yaml
name: 'Dependency Review'
@@ -215,7 +100,7 @@ jobs:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- name: Dependency Review
uses: actions/dependency-review-action@v2
uses: actions/dependency-review-action@v3
with:
fail-on-severity: moderate
@@ -223,71 +108,41 @@ jobs:
deny-licenses: LGPL-2.0, BSD-2-Clause
```
### Vulnerability Severity
### Configuration File
By default the action will fail on any pull request that contains a
vulnerable dependency, regardless of the severity level. You can override this behavior by
using the `fail-on-severity` option, which will cause a failure on any pull requests that introduce vulnerabilities of the specified severity level or higher. The possible values are: `critical`, `high`, `moderate`, or `low`. The
action defaults to `low`.
You can use an external configuration file to specify the settings for this action. It can be a local file or a file in an external repository. Refer to the following options for the specification.
This example will only fail on pull requests with `critical` and `high` vulnerabilities:
| Option | Usage | Possible values |
|-----------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------|
| `config-file` | A path to a file in the current repository or an external repository. Use this syntax for external files: `OWNER/REPOSITORY/FILENAME@BRANCH` | **Local file**: `./.github/dependency-review-config.yml` <br> **External repo**: `github/octorepo/dependency-review-config.yml@main` |
| `external-repo-token` | Specifies a token for fetching the configuration file if the file resides in a private external repository. Create a token in [developer settings](https://github.com/settings/tokens). | Any token with `read` permissions to the repository hosting the config file. |
#### Example
Start by specifying that you will be using an external configuration file:
```yaml
- name: Dependency Review
uses: actions/dependency-review-action@v2
with:
fail-on-severity: high
config-file: './.github/dependency-review-config.yml'
```
### Dependency Scoping
By default the action will only fail on `runtime` dependencies that have vulnerabilities or unacceptable licenses, ignoring `development` dependencies. You can override this behavior with the `fail-on-scopes` option, which will allow you to list the specific dependency scopes you care about. The possible values are: `unknown`, `runtime`, and `development`. Note: Filtering by scope will not be supported on Enterprise Server just yet, as the REST API's introduction of `scope` will be released in an upcoming Enterprise Server version. We will treat all dependencies on Enterprise Server as having a `runtime` scope and thus will not be filtered away.
And then create the file in the path you just specified:
```yaml
- name: Dependency Review
uses: actions/dependency-review-action@v2
with:
fail-on-scopes: runtime, development
```
### Licenses
You can set the action to fail on pull requests based on the licenses of the dependencies
they introduce. With `allow-licenses` you can define the list of licenses
your repository will accept. Alternatively, you can use `deny-licenses` to only
forbid a subset of licenses. These options are not supported on Enterprise Server.
You can use the [Licenses
API](https://docs.github.com/en/rest/licenses) to see the full list of
supported licenses. Use the `spdx_id` field for every license you want
to filter. A couple of examples:
```yaml
# only allow MIT-licensed dependents
- name: Dependency Review
uses: actions/dependency-review-action@v2
with:
allow-licenses: MIT
```
```yaml
# Block Apache 1.1 and 2.0 licensed dependents
- name: Dependency Review
uses: actions/dependency-review-action@v2
with:
deny-licenses: Apache-1.1, Apache-2.0
fail-on-severity: 'critical'
allow-licenses:
- 'GPL-3.0'
- 'BSD-3-Clause'
- 'MIT'
```
### Considerations
- Checking for licenses is not supported on Enterprise Server.
- The action will only accept one of the two parameters; an error will
be raised if you provide both.
- By default both parameters are empty (no license checking is
performed).
- We don't have license information for all of your dependents. If we
can't detect the license for a dependency **we will inform you, but the
action won't fail**.
- The action will only accept one of the two `license` parameters; an error will be raised if you provide both.
- We don't have license information for all of your dependents. If we can't detect the license for a dependency **we will inform you, but the action won't fail**.
## Blocking pull requests
@@ -295,14 +150,11 @@ The Dependency Review GitHub Action check will only block a pull request from be
## Getting help
If you have bug reports, questions or suggestions please [create a new
issue](https://github.com/actions/dependency-review-action/issues/new/choose).
If you have bug reports, questions or suggestions please [create a new issue](https://github.com/actions/dependency-review-action/issues/new/choose).
## Contributing
We are grateful for any contributions made to this project.
Please read [CONTRIBUTING.MD](https://github.com/actions/dependency-review-action/blob/main/CONTRIBUTING.md) to get started.
We are grateful for any contributions made to this project. Please read [CONTRIBUTING.MD](https://github.com/actions/dependency-review-action/blob/main/CONTRIBUTING.md) to get started.
## License
+125 -49
View File
@@ -1,6 +1,7 @@
import {expect, test, beforeEach} from '@jest/globals'
import {readConfig, readConfigFile} from '../src/config'
import {readConfig} from '../src/config'
import {getRefs} from '../src/git-refs'
import * as Utils from '../src/utils'
// GitHub Action inputs come in the form of environment variables
// with an INPUT prefix (e.g. INPUT_FAIL-ON-SEVERITY)
@@ -17,6 +18,8 @@ function clearInputs() {
'ALLOW-LICENSES',
'DENY-LICENSES',
'ALLOW-GHSAS',
'LICENSE-CHECK',
'VULNERABILITY-CHECK',
'CONFIG-FILE',
'BASE-REF',
'HEAD-REF'
@@ -27,48 +30,62 @@ function clearInputs() {
})
}
beforeAll(() => {
jest.spyOn(Utils, 'isSPDXValid').mockReturnValue(true)
})
beforeEach(() => {
clearInputs()
})
test('it defaults to low severity', async () => {
const options = readConfig()
expect(options.fail_on_severity).toEqual('low')
const config = await readConfig()
expect(config.fail_on_severity).toEqual('low')
})
test('it reads custom configs', async () => {
setInput('fail-on-severity', 'critical')
setInput('allow-licenses', ' BSD, GPL 2')
const options = readConfig()
expect(options.fail_on_severity).toEqual('critical')
expect(options.allow_licenses).toEqual(['BSD', 'GPL 2'])
const config = await readConfig()
expect(config.fail_on_severity).toEqual('critical')
expect(config.allow_licenses).toEqual(['BSD', 'GPL 2'])
})
test('it defaults to empty allow/deny lists ', async () => {
const options = readConfig()
const config = await readConfig()
expect(options.allow_licenses).toEqual(undefined)
expect(options.deny_licenses).toEqual(undefined)
expect(config.allow_licenses).toEqual(undefined)
expect(config.deny_licenses).toEqual(undefined)
})
test('it raises an error if both an allow and denylist are specified', async () => {
setInput('allow-licenses', 'MIT')
setInput('deny-licenses', 'BSD')
expect(() => readConfig()).toThrow()
await expect(readConfig()).rejects.toThrow(
'You cannot specify both allow-licenses and deny-licenses'
)
})
test('it raises an error if an empty allow list is specified', async () => {
setInput('config-file', './__tests__/fixtures/config-empty-allow-sample.yml')
await expect(readConfig()).rejects.toThrow(
'You should provide at least one license in allow-licenses'
)
})
test('it raises an error when given an unknown severity', async () => {
setInput('fail-on-severity', 'zombies')
expect(() => readConfig()).toThrow()
await expect(readConfig()).rejects.toThrow(/received 'zombies'/)
})
test('it uses the given refs when the event is not a pull request', async () => {
setInput('base-ref', 'a-custom-base-ref')
setInput('head-ref', 'a-custom-head-ref')
const refs = getRefs(readConfig(), {
const refs = getRefs(await readConfig(), {
payload: {},
eventName: 'workflow_dispatch'
})
@@ -77,9 +94,9 @@ test('it uses the given refs when the event is not a pull request', async () =>
})
test('it raises an error when no refs are provided and the event is not a pull request', async () => {
const options = readConfig()
const config = await readConfig()
expect(() =>
getRefs(options, {
getRefs(config, {
payload: {},
eventName: 'workflow_dispatch'
})
@@ -87,91 +104,150 @@ test('it raises an error when no refs are provided and the event is not a pull r
})
test('it reads an external config file', async () => {
let options = readConfigFile('./__tests__/fixtures/config-allow-sample.yml')
expect(options.fail_on_severity).toEqual('critical')
expect(options.allow_licenses).toEqual(['BSD', 'GPL 2'])
setInput('config-file', './__tests__/fixtures/config-allow-sample.yml')
const config = await readConfig()
expect(config.fail_on_severity).toEqual('critical')
expect(config.allow_licenses).toEqual(['BSD', 'GPL 2'])
})
test('raises an error when the the config file was not found', async () => {
expect(() => readConfigFile('fixtures/i-dont-exist')).toThrow()
setInput('config-file', 'fixtures/i-dont-exist')
await expect(readConfig()).rejects.toThrow(/Unable to fetch config file/)
})
test('it parses options from both sources', async () => {
setInput('config-file', './__tests__/fixtures/config-allow-sample.yml')
let options = readConfig()
expect(options.fail_on_severity).toEqual('critical')
let config = await readConfig()
expect(config.fail_on_severity).toEqual('critical')
setInput('base-ref', 'a-custom-base-ref')
options = readConfig()
expect(options.base_ref).toEqual('a-custom-base-ref')
config = await readConfig()
expect(config.base_ref).toEqual('a-custom-base-ref')
})
test('in case of conflicts, the external config is the source of truth', async () => {
test('in case of conflicts, the inline config is the source of truth', async () => {
setInput('fail-on-severity', 'low')
setInput('config-file', './__tests__/fixtures/config-allow-sample.yml') // this will set fail-on-severity to 'critical'
let options = readConfig()
expect(options.fail_on_severity).toEqual('critical')
// this should not overwite the previous value
setInput('fail-on-severity', 'low')
options = readConfig()
expect(options.fail_on_severity).toEqual('critical')
const config = await readConfig()
expect(config.fail_on_severity).toEqual('low')
})
test('it uses the default values when loading external files', async () => {
setInput('config-file', './__tests__/fixtures/no-licenses-config.yml')
let options = readConfig()
expect(options.allow_licenses).toEqual(undefined)
expect(options.deny_licenses).toEqual(undefined)
let config = await readConfig()
expect(config.allow_licenses).toEqual(undefined)
expect(config.deny_licenses).toEqual(undefined)
setInput('config-file', './__tests__/fixtures/license-config-sample.yml')
options = readConfig()
expect(options.fail_on_severity).toEqual('low')
config = await readConfig()
expect(config.fail_on_severity).toEqual('low')
})
test('it accepts an external configuration filename', async () => {
setInput('config-file', './__tests__/fixtures/no-licenses-config.yml')
const options = readConfig()
expect(options.fail_on_severity).toEqual('critical')
const config = await readConfig()
expect(config.fail_on_severity).toEqual('critical')
})
test('it raises an error when given an unknown severity in an external config file', async () => {
setInput('config-file', './__tests__/fixtures/invalid-severity-config.yml')
expect(() => readConfig()).toThrow()
await expect(readConfig()).rejects.toThrow()
})
test('it defaults to runtime scope', async () => {
const options = readConfig()
expect(options.fail_on_scopes).toEqual(['runtime'])
const config = await readConfig()
expect(config.fail_on_scopes).toEqual(['runtime'])
})
test('it parses custom scopes preference', async () => {
setInput('fail-on-scopes', 'runtime, development')
let options = readConfig()
expect(options.fail_on_scopes).toEqual(['runtime', 'development'])
let config = await readConfig()
expect(config.fail_on_scopes).toEqual(['runtime', 'development'])
clearInputs()
setInput('fail-on-scopes', 'development')
options = readConfig()
expect(options.fail_on_scopes).toEqual(['development'])
config = await readConfig()
expect(config.fail_on_scopes).toEqual(['development'])
})
test('it raises an error when given invalid scope', async () => {
setInput('fail-on-scopes', 'runtime, zombies')
expect(() => readConfig()).toThrow()
await expect(readConfig()).rejects.toThrow(/received 'zombies'/)
})
test('it defaults to an empty GHSA allowlist', async () => {
const options = readConfig()
expect(options.allow_ghsas).toEqual(undefined)
const config = await readConfig()
expect(config.allow_ghsas).toEqual([])
})
test('it successfully parses GHSA allowlist', async () => {
setInput('allow-ghsas', 'GHSA-abcd-1234-5679, GHSA-efgh-1234-5679')
const options = readConfig()
expect(options.allow_ghsas).toEqual([
const config = await readConfig()
expect(config.allow_ghsas).toEqual([
'GHSA-abcd-1234-5679',
'GHSA-efgh-1234-5679'
])
})
test('it defaults to checking licenses', async () => {
const config = await readConfig()
expect(config.license_check).toBe(true)
})
test('it parses the license-check input', async () => {
setInput('license-check', 'false')
let config = await readConfig()
expect(config.license_check).toEqual(false)
clearInputs()
setInput('license-check', 'true')
config = await readConfig()
expect(config.license_check).toEqual(true)
})
test('it defaults to checking vulnerabilities', async () => {
const config = await readConfig()
expect(config.vulnerability_check).toBe(true)
})
test('it parses the vulnerability-check input', async () => {
setInput('vulnerability-check', 'false')
let config = await readConfig()
expect(config.vulnerability_check).toEqual(false)
clearInputs()
setInput('vulnerability-check', 'true')
config = await readConfig()
expect(config.vulnerability_check).toEqual(true)
})
test('it is not possible to disable both checks', async () => {
setInput('license-check', 'false')
setInput('vulnerability-check', 'false')
await expect(readConfig()).rejects.toThrow(
/Can't disable both license-check and vulnerability-check/
)
})
describe('licenses that are not valid SPDX licenses', () => {
beforeAll(() => {
jest.spyOn(Utils, 'isSPDXValid').mockReturnValue(false)
})
test('it raises an error for invalid licenses in allow-licenses', async () => {
setInput('allow-licenses', ' BSD, GPL 2')
await expect(readConfig()).rejects.toThrow(
'Invalid license(s) in allow-licenses: BSD, GPL 2'
)
})
test('it raises an error for invalid licenses in deny-licenses', async () => {
setInput('deny-licenses', ' BSD, GPL 2')
await expect(readConfig()).rejects.toThrow(
'Invalid license(s) in deny-licenses: BSD, GPL 2'
)
})
})
+12 -6
View File
@@ -3,7 +3,7 @@ import {Change, Changes} from '../src/schemas'
import {
filterChangesBySeverity,
filterChangesByScopes,
filterOutAllowedAdvisories
filterAllowedAdvisories
} from '../src/filter'
let npmChange: Change = {
@@ -90,28 +90,34 @@ test('it properly filters changes by scope', async () => {
expect(result).toEqual([npmChange, rubyChange])
})
test('it properly handles undefined advisory IDs', async () => {
const changes = [npmChange, rubyChange, noVulnNpmChange]
let result = filterAllowedAdvisories(undefined, changes)
expect(result).toEqual([npmChange, rubyChange, noVulnNpmChange])
})
test('it properly filters changes with allowed vulnerabilities', async () => {
const changes = [npmChange, rubyChange, noVulnNpmChange]
let result = filterOutAllowedAdvisories(['notrealGHSAID'], changes)
let result = filterAllowedAdvisories(['notrealGHSAID'], changes)
expect(result).toEqual([npmChange, rubyChange, noVulnNpmChange])
result = filterOutAllowedAdvisories(['first-random_string'], changes)
result = filterAllowedAdvisories(['first-random_string'], changes)
expect(result).toEqual([rubyChange, noVulnNpmChange])
result = filterOutAllowedAdvisories(
result = filterAllowedAdvisories(
['second-random_string', 'third-random_string'],
changes
)
expect(result).toEqual([npmChange, noVulnNpmChange])
result = filterOutAllowedAdvisories(
result = filterAllowedAdvisories(
['first-random_string', 'second-random_string', 'third-random_string'],
changes
)
expect(result).toEqual([noVulnNpmChange])
// if we have a change with multiple vulnerabilities but only one is allowed, we still should not filter out that change
result = filterOutAllowedAdvisories(['second-random_string'], changes)
result = filterAllowedAdvisories(['second-random_string'], changes)
expect(result).toEqual([npmChange, rubyChange, noVulnNpmChange])
})
@@ -0,0 +1,2 @@
fail_on_severity: critical
allow_licenses: []
+115 -25
View File
@@ -1,6 +1,7 @@
import {expect, test} from '@jest/globals'
import {expect, jest, test} from '@jest/globals'
import {Change, Changes} from '../src/schemas'
import {getDeniedLicenseChanges} from '../src/licenses'
let getInvalidLicenseChanges: Function
let npmChange: Change = {
manifest: 'package.json',
@@ -48,53 +49,142 @@ let rubyChange: Change = {
]
}
test('it fails if a license outside the allow list is found', async () => {
const changes: Changes = [npmChange, rubyChange]
const [invalidChanges, _] = getDeniedLicenseChanges(changes, {allow: ['BSD']})
expect(invalidChanges[0]).toBe(npmChange)
jest.mock('@actions/core')
const mockOctokit = {
rest: {
licenses: {
getForRepo: jest
.fn()
.mockReturnValue({data: {license: {spdx_id: 'AGPL'}}})
}
}
}
jest.mock('octokit', () => {
return {
Octokit: class {
constructor() {
return mockOctokit
}
}
}
})
test('it fails if a license inside the deny list is found', async () => {
const changes: Changes = [npmChange, rubyChange]
const [invalidChanges] = getDeniedLicenseChanges(changes, {deny: ['BSD']})
expect(invalidChanges[0]).toBe(rubyChange)
beforeEach(async () => {
jest.resetModules()
jest.doMock('spdx-satisfies', () => {
// mock spdx-satisfies return value
// true for BSD, false for all others
return jest.fn((license: string, _: string): boolean => license === 'BSD')
})
;({getInvalidLicenseChanges} = require('../src/licenses'))
})
// This is more of a "here's a behavior that might be surprising" than an actual
// thing we want in the system. Please remove this test after refactoring.
test('it fails all license checks when allow is provided an empty array', async () => {
test('it adds license outside the allow list to forbidden changes', async () => {
const changes: Changes = [npmChange, rubyChange]
let [invalidChanges, _] = getDeniedLicenseChanges(changes, {
allow: [],
const {forbidden} = await getInvalidLicenseChanges(changes, {
allow: ['BSD']
})
expect(forbidden[0]).toBe(npmChange)
expect(forbidden.length).toEqual(1)
})
test('it adds license inside the deny list to forbidden changes', async () => {
const changes: Changes = [npmChange, rubyChange]
const {forbidden} = await getInvalidLicenseChanges(changes, {
deny: ['BSD']
})
expect(invalidChanges.length).toBe(2)
expect(forbidden[0]).toBe(rubyChange)
expect(forbidden.length).toEqual(1)
})
test('it does not fail if a license outside the allow list is found in removed changes', async () => {
test('it does not add license outside the allow list to forbidden changes if it is in removed changes', async () => {
const changes: Changes = [
{...npmChange, change_type: 'removed'},
{...rubyChange, change_type: 'removed'}
]
const [invalidChanges, _] = getDeniedLicenseChanges(changes, {allow: ['BSD']})
expect(invalidChanges).toStrictEqual([])
const {forbidden} = await getInvalidLicenseChanges(changes, {
allow: ['BSD']
})
expect(forbidden).toStrictEqual([])
})
test('it does not fail if a license inside the deny list is found in removed changes', async () => {
test('it does not add license inside the deny list to forbidden changes if it is in removed changes', async () => {
const changes: Changes = [
{...npmChange, change_type: 'removed'},
{...rubyChange, change_type: 'removed'}
]
const [invalidChanges, _] = getDeniedLicenseChanges(changes, {deny: ['BSD']})
expect(invalidChanges).toStrictEqual([])
const {forbidden} = await getInvalidLicenseChanges(changes, {
deny: ['BSD']
})
expect(forbidden).toStrictEqual([])
})
test('it fails if a license outside the allow list is found in both of added and removed changes', async () => {
test('it adds license outside the allow list to forbidden changes if it is in both added and removed changes', async () => {
const changes: Changes = [
{...npmChange, change_type: 'removed'},
npmChange,
{...rubyChange, change_type: 'removed'}
]
const [invalidChanges, _] = getDeniedLicenseChanges(changes, {allow: ['BSD']})
expect(invalidChanges).toStrictEqual([npmChange])
const {forbidden} = await getInvalidLicenseChanges(changes, {
allow: ['BSD']
})
expect(forbidden).toStrictEqual([npmChange])
})
test('it adds all licenses to unresolved if it is unable to determine the validity', async () => {
jest.resetModules() // reset module set in before
jest.doMock('spdx-satisfies', () => {
return jest.fn((_first: string, _second: string) => {
throw new Error('Some Error')
})
})
;({getInvalidLicenseChanges} = require('../src/licenses'))
const changes: Changes = [npmChange, rubyChange]
const invalidLicenses = await getInvalidLicenseChanges(changes, {
allow: ['BSD']
})
expect(invalidLicenses.forbidden.length).toEqual(0)
expect(invalidLicenses.unlicensed.length).toEqual(0)
expect(invalidLicenses.unresolved.length).toEqual(2)
})
describe('GH License API fallback', () => {
test('it calls licenses endpoint if atleast one of the changes has null license and valid source_repository_url', async () => {
const nullLicenseChange = {
...npmChange,
license: null,
source_repository_url: 'http://github.com/some-owner/some-repo'
}
const {unlicensed} = await getInvalidLicenseChanges(
[nullLicenseChange, rubyChange],
{}
)
expect(mockOctokit.rest.licenses.getForRepo).toHaveBeenNthCalledWith(1, {
owner: 'some-owner',
repo: 'some-repo'
})
expect(unlicensed.length).toEqual(0)
})
test('it does not call licenses API endpoint for change with null license and invalid source_repository_url ', async () => {
const {unlicensed} = await getInvalidLicenseChanges(
[{...npmChange, license: null}],
{}
)
expect(mockOctokit.rest.licenses.getForRepo).not.toHaveBeenCalled()
expect(unlicensed.length).toEqual(1)
})
test('it does not call licenses API endpoint if licenses for all changes are present', async () => {
const {unlicensed} = await getInvalidLicenseChanges(
[npmChange, rubyChange],
{}
)
expect(mockOctokit.rest.licenses.getForRepo).not.toHaveBeenCalled()
expect(unlicensed.length).toEqual(0)
})
})
+5 -1
View File
@@ -21,7 +21,7 @@ inputs:
description: The head git ref to be used for this check. Has a default value when the workflow event is `pull_request` or `pull_request_target`. Must be provided otherwise.
required: false
config-file:
description: A filepath to the configuration file for the action.
description: A path to the configuration file for the action.
required: false
allow-licenses:
description: Comma-separated list of allowed licenses (e.g. "MIT, GPL 3.0, BSD 2 Clause")
@@ -32,6 +32,10 @@ inputs:
allow-ghsas:
description: Comma-separated list of allowed Github Advisory IDs (e.g. "GHSA-abcd-1234-5679, GHSA-efgh-1234-5679")
required: false
external-repo-token:
description: A token for fetching external configuration file if it lives in another repository. It is required if the repository is private
required: false
runs:
using: 'node16'
main: 'dist/index.js'
Generated Vendored
+13088 -451
View File
File diff suppressed because one or more lines are too long
Generated Vendored
+1 -1
View File
File diff suppressed because one or more lines are too long
Generated Vendored
+1157
View File
File diff suppressed because it is too large Load Diff
+2 -2
View File
@@ -1,9 +1,9 @@
module.exports = {
clearMocks: true,
moduleFileExtensions: ['js', 'ts'],
moduleFileExtensions: ['js', 'json', 'ts'],
testMatch: ['**/*.test.ts'],
transform: {
'^.+\\.ts$': 'ts-jest'
},
verbose: true
}
}
+3851 -2181
View File
File diff suppressed because it is too large Load Diff
+19 -13
View File
@@ -1,6 +1,6 @@
{
"name": "dependency-review-action",
"version": "2.4.0",
"version": "2.5.1",
"private": true,
"description": "A GitHub Action for Dependency Review",
"main": "lib/main.js",
@@ -27,23 +27,29 @@
"dependencies": {
"@actions/core": "^1.10.0",
"@actions/github": "^5.1.1",
"@octokit/plugin-retry": "^3.0.9",
"@octokit/request-error": "^3.0.1",
"ansi-styles": "^6.1.1",
"got": "^12.5.1",
"@octokit/plugin-retry": "^4.0.3",
"@octokit/request-error": "^3.0.2",
"ansi-styles": "^6.2.1",
"got": "^12.5.2",
"nodemon": "^2.0.20",
"yaml": "^2.1.2",
"octokit": "^2.0.10",
"spdx-expression-parse": "^3.0.1",
"spdx-satisfies": "^5.0.1",
"yaml": "^2.1.3",
"zod": "^3.19.1"
},
"devDependencies": {
"@types/node": "^16.11.63",
"@typescript-eslint/eslint-plugin": "^5.38.1",
"@typescript-eslint/parser": "^5.38.1",
"@types/jest": "^27.5.2",
"@types/node": "^16.18.3",
"@typescript-eslint/eslint-plugin": "^5.42.1",
"@typescript-eslint/parser": "^5.42.1",
"@types/spdx-expression-parse": "^3.0.2",
"@types/spdx-satisfies": "^0.1.0",
"@vercel/ncc": "^0.34.0",
"esbuild-register": "^3.3.3",
"eslint": "^8.24.0",
"eslint-plugin-github": "^4.3.7",
"eslint-plugin-jest": "^27.0.4",
"esbuild-register": "^3.4.0",
"eslint": "^8.27.0",
"eslint-plugin-github": "^4.4.1",
"eslint-plugin-jest": "^27.1.4",
"jest": "^27.5.1",
"js-yaml": "^4.1.0",
"nodemon": "^2.0.20",
+34 -3
View File
@@ -3,22 +3,52 @@ require 'json'
require 'tempfile'
require 'open3'
require 'bundler/inline'
require 'optparse'
gemfile do
source 'https://rubygems.org'
gem 'octokit'
end
config_file = nil
github_token = ENV["GITHUB_TOKEN"]
if !github_token || github_token.empty?
puts "Please set the GITHUB_TOKEN environment variable"
exit -1
end
arg = /(?<repo_nwo>[\w\-]+\/[\w\-]+)\/pull\/(?<pr_number>\d+)/.match(ARGV[0])
op = OptionParser.new do |opts|
usage = <<EOF
Run Dependency Review on a repository.
\e[1mUsage:\e[22m
scripts/scan_pr [options] <pr_url>
\e[1mExample:\e[22m
scripts/scan_pr https://github.com/actions/dependency-review-action/pull/294
EOF
opts.banner = usage
opts.on('-c', '--config-file <FILE>', 'Use an external configuration file') do |cf|
config_file = cf
end
opts.on("-h", "--help", "Prints this help") do
puts opts
exit
end
end
op.parse!
# make sure we have a NWO somewhere in the parameters
arg = /(?<repo_nwo>[\w\-]+\/[\w\-]+)\/pull\/(?<pr_number>\d+)/.match(ARGV.join(" "))
if arg.nil?
puts "Usage: script/scan_pr <pr_url>"
puts op
exit -1
end
@@ -33,7 +63,8 @@ event_file.write("{ \"pull_request\": #{pr.to_h.to_json}}")
event_file.close
action_inputs = {
"repo-token" => github_token
"repo-token": github_token,
"config-file": config_file
}
dev_cmd_env = {
+136 -63
View File
@@ -3,12 +3,62 @@ import path from 'path'
import YAML from 'yaml'
import * as core from '@actions/core'
import * as z from 'zod'
import {
ConfigurationOptions,
ConfigurationOptionsSchema,
SeveritySchema,
SCOPES
} from './schemas'
import {ConfigurationOptions, ConfigurationOptionsSchema} from './schemas'
import {isSPDXValid, octokitClient} from './utils'
type ConfigurationOptionsPartial = Partial<ConfigurationOptions>
export async function readConfig(): Promise<ConfigurationOptions> {
const inlineConfig = readInlineConfig()
const configFile = getOptionalInput('config-file')
if (configFile !== undefined) {
const externalConfig = await readConfigFile(configFile)
return ConfigurationOptionsSchema.parse({
...externalConfig,
...inlineConfig
})
}
return ConfigurationOptionsSchema.parse(inlineConfig)
}
function readInlineConfig(): ConfigurationOptionsPartial {
const fail_on_severity = getOptionalInput('fail-on-severity')
const fail_on_scopes = parseList(getOptionalInput('fail-on-scopes'))
const allow_licenses = parseList(getOptionalInput('allow-licenses'))
const deny_licenses = parseList(getOptionalInput('deny-licenses'))
const allow_ghsas = parseList(getOptionalInput('allow-ghsas'))
const license_check = getOptionalBoolean('license-check')
const vulnerability_check = getOptionalBoolean('vulnerability-check')
const base_ref = getOptionalInput('base-ref')
const head_ref = getOptionalInput('head-ref')
validateLicenses('allow-licenses', allow_licenses)
validateLicenses('deny-licenses', deny_licenses)
const keys = {
fail_on_severity,
fail_on_scopes,
allow_licenses,
deny_licenses,
allow_ghsas,
license_check,
vulnerability_check,
base_ref,
head_ref
}
return Object.fromEntries(
Object.entries(keys).filter(([_, value]) => value !== undefined)
)
}
function getOptionalBoolean(name: string): boolean | undefined {
const value = core.getInput(name)
return value.length > 0 ? core.getBooleanInput(name) : undefined
}
function getOptionalInput(name: string): string | undefined {
const value = core.getInput(name)
@@ -23,70 +73,93 @@ function parseList(list: string | undefined): string[] | undefined {
}
}
export function readConfig(): ConfigurationOptions {
const externalConfig = getOptionalInput('config-file')
if (externalConfig !== undefined) {
const config = readConfigFile(externalConfig)
// the reasoning behind reading the inline config when an external
// config file is provided is that we still want to allow users to
// pass inline options in the presence of an external config file.
const inlineConfig = readInlineConfig()
// the external config takes precedence
return Object.assign({}, inlineConfig, config)
} else {
return readInlineConfig()
function validateLicenses(
key: 'allow-licenses' | 'deny-licenses',
licenses: string[] | undefined
): void {
if (licenses === undefined) {
return
}
const invalid_licenses = licenses.filter(license => !isSPDXValid(license))
if (invalid_licenses.length > 0) {
throw new Error(
`Invalid license(s) in ${key}: ${invalid_licenses.join(', ')}`
)
}
}
export function readInlineConfig(): ConfigurationOptions {
const fail_on_severity = SeveritySchema.parse(
getOptionalInput('fail-on-severity')
async function readConfigFile(
filePath: string
): Promise<ConfigurationOptionsPartial> {
// match a remote config (e.g. 'owner/repo/filepath@someref')
const format = new RegExp(
'(?<owner>[^/]+)/(?<repo>[^/]+)/(?<path>[^@]+)@(?<ref>.*)'
)
const fail_on_scopes = z
.array(z.enum(SCOPES))
.default(['runtime'])
.parse(parseList(getOptionalInput('fail-on-scopes')))
const allow_licenses = parseList(getOptionalInput('allow-licenses'))
const deny_licenses = parseList(getOptionalInput('deny-licenses'))
if (allow_licenses !== undefined && deny_licenses !== undefined) {
throw new Error("Can't specify both allow_licenses and deny_licenses")
}
const allow_ghsas = parseList(getOptionalInput('allow-ghsas'))
const base_ref = getOptionalInput('base-ref')
const head_ref = getOptionalInput('head-ref')
return {
fail_on_severity,
fail_on_scopes,
allow_licenses,
deny_licenses,
allow_ghsas,
base_ref,
head_ref
}
}
export function readConfigFile(filePath: string): ConfigurationOptions {
let data
let data: string
const pieces = format.exec(filePath)
try {
data = fs.readFileSync(path.resolve(filePath), 'utf-8')
} catch (error: unknown) {
if (pieces?.groups && pieces.length === 5) {
data = await getRemoteConfig({
owner: pieces.groups.owner,
repo: pieces.groups.repo,
path: pieces.groups.path,
ref: pieces.groups.ref
})
} else {
data = fs.readFileSync(path.resolve(filePath), 'utf-8')
}
return parseConfigFile(data)
} catch (error) {
core.debug(error as string)
throw new Error('Unable to fetch config file')
}
}
function parseConfigFile(configData: string): ConfigurationOptionsPartial {
try {
const data = YAML.parse(configData)
for (const key of Object.keys(data)) {
if (key === 'allow-licenses' || key === 'deny-licenses') {
validateLicenses(key, data[key])
}
// get rid of the ugly dashes from the actions conventions
if (key.includes('-')) {
data[key.replace(/-/g, '_')] = data[key]
delete data[key]
}
}
return data
} catch (error) {
throw error
}
data = YAML.parse(data)
// get rid of the ugly dashes from the actions conventions
for (const key of Object.keys(data)) {
if (key.includes('-')) {
data[key.replace(/-/g, '_')] = data[key]
delete data[key]
}
}
const values = ConfigurationOptionsSchema.parse(data)
return values
}
async function getRemoteConfig(configOpts: {
[key: string]: string
}): Promise<string> {
try {
const {data} = await octokitClient(
'external-repo-token',
false
).rest.repos.getContent({
mediaType: {
format: 'raw'
},
owner: configOpts.owner,
repo: configOpts.repo,
path: configOpts.path,
ref: configOpts.ref
})
// When using mediaType.format = 'raw', the response.data is a string
// but this is not reflected in the return type of getContent, so we're
// casting the return value to a string.
return z.string().parse(data as unknown)
} catch (error) {
core.debug(error as string)
throw new Error('Error fetching remote config file')
}
}
+10 -2
View File
@@ -51,12 +51,20 @@ export function filterChangesByScopes(
return filteredChanges
}
export function filterOutAllowedAdvisories(
/**
* Filter out changes that are allowed by the allow_ghsas config
* option. We want to remove these changes before we do any
* processing.
* @param ghsas - list of GHSA IDs to allow
* @param changes - list of changes to filter
* @returns a list of changes with the allowed GHSAs removed
*/
export function filterAllowedAdvisories(
ghsas: string[] | undefined,
changes: Changes
): Changes {
if (ghsas === undefined) {
return []
return changes
}
const filteredChanges = changes.filter(change => {
+143 -18
View File
@@ -1,4 +1,6 @@
import {Change} from './schemas'
import spdxSatisfies from 'spdx-satisfies'
import {Change, Changes} from './schemas'
import {isSPDXValid, octokitClient} from './utils'
/**
* Loops through a list of changes, filtering and returning the
@@ -10,40 +12,163 @@ import {Change} from './schemas'
* we will ignore the deny list.
* @param {Change[]} changes The list of changes to filter.
* @param { { allow?: string[], deny?: string[]}} licenses An object with `allow`/`deny` keys, each containing a list of licenses.
* @returns {[Array<Change>, Array<Change]} A tuple where the first element is the list of denied changes and the second one is the list of changes with unknown licenses
* @returns {Promise<{Object.<string, Array.<Change>>}} A promise to a Record Object. The keys are strings, unlicensed, unresolved and forbidden. The values are a list of changes
*/
export function getDeniedLicenseChanges(
export async function getInvalidLicenseChanges(
changes: Change[],
licenses: {
allow?: string[]
deny?: string[]
}
): [Change[], Change[]] {
): Promise<Record<string, Changes>> {
const {allow, deny} = licenses
const disallowed: Change[] = []
const unknown: Change[] = []
const groupedChanges = await groupChanges(changes)
const licensedChanges: Changes = groupedChanges.licensed
const invalidLicenseChanges: Record<string, Changes> = {
unlicensed: groupedChanges.unlicensed,
unresolved: [],
forbidden: []
}
const validityCache = new Map<string, boolean>()
for (const change of licensedChanges) {
const license = change.license
// should never happen since licensedChanges always have licenses but license is nullable in changes schema
if (license === null) {
continue
}
if (license === 'NOASSERTION') {
invalidLicenseChanges.unlicensed.push(change)
} else if (validityCache.get(license) === undefined) {
try {
if (allow !== undefined) {
const found = allow.find(spdxExpression =>
spdxSatisfies(license, spdxExpression)
)
validityCache.set(license, found !== undefined)
} else if (deny !== undefined) {
const found = deny.find(spdxExpression =>
spdxSatisfies(license, spdxExpression)
)
validityCache.set(license, found === undefined)
}
} catch (err) {
invalidLicenseChanges.unresolved.push(change)
}
}
if (validityCache.get(license) === false) {
invalidLicenseChanges.forbidden.push(change)
}
}
return invalidLicenseChanges
}
const fetchGHLicense = async (
owner: string,
repo: string
): Promise<string | null> => {
try {
const response = await octokitClient().rest.licenses.getForRepo({
owner,
repo
})
return response.data.license?.spdx_id ?? null
} catch (_) {
return null
}
}
const parseGitHubURL = (url: string): {owner: string; repo: string} | null => {
try {
const parsed = new URL(url)
if (parsed.host !== 'github.com') {
return null
}
const components = parsed.pathname.split('/')
if (components.length < 3) {
return null
}
return {owner: components[1], repo: components[2]}
} catch (_) {
return null
}
}
const setGHLicenses = async (changes: Change[]): Promise<Change[]> => {
const updatedChanges = changes.map(async change => {
if (change.license !== null || change.source_repository_url === null) {
return change
}
const githubUrl = parseGitHubURL(change.source_repository_url)
if (githubUrl === null) {
return change
}
return {
...change,
license: await fetchGHLicense(githubUrl.owner, githubUrl.repo)
}
})
return Promise.all(updatedChanges)
}
// Currently Dependency Graph licenses are truncated to 255 characters
// This possibly makes them invalid spdx ids
const truncatedDGLicense = (license: string): boolean =>
license.length === 255 && !isSPDXValid(license)
async function groupChanges(
changes: Changes
): Promise<Record<string, Changes>> {
const result: Record<string, Changes> = {
licensed: [],
unlicensed: []
}
const ghChanges = []
for (const change of changes) {
if (change.change_type === 'removed') {
continue
}
const license = change.license
if (license === null) {
unknown.push(change)
continue
}
if (allow !== undefined) {
if (!allow.includes(license)) {
disallowed.push(change)
if (change.license === null) {
if (change.source_repository_url !== null) {
ghChanges.push(change)
} else {
result.unlicensed.push(change)
}
} else if (deny !== undefined) {
if (deny.includes(license)) {
disallowed.push(change)
} else {
if (
truncatedDGLicense(change.license) &&
change.source_repository_url !== null
) {
ghChanges.push(change)
} else {
result.licensed.push(change)
}
}
}
return [disallowed, unknown]
if (ghChanges.length > 0) {
const ghLicenses = await setGHLicenses(ghChanges)
for (const change of ghLicenses) {
if (change.license === null) {
result.unlicensed.push(change)
} else {
result.licensed.push(change)
}
}
}
return result
}
+39 -27
View File
@@ -8,9 +8,9 @@ import {readConfig} from '../src/config'
import {
filterChangesBySeverity,
filterChangesByScopes,
filterOutAllowedAdvisories
filterAllowedAdvisories
} from '../src/filter'
import {getDeniedLicenseChanges} from './licenses'
import {getInvalidLicenseChanges} from './licenses'
import * as summary from './summary'
import {getRefs} from './git-refs'
@@ -18,7 +18,7 @@ import {groupDependenciesByManifest} from './utils'
async function run(): Promise<void> {
try {
const config = readConfig()
const config = await readConfig()
const refs = getRefs(config, github.context)
const changes = await dependencyGraph.compare({
@@ -28,9 +28,9 @@ async function run(): Promise<void> {
headRef: refs.head
})
const minSeverity = config.fail_on_severity as Severity
const minSeverity = config.fail_on_severity
const scopedChanges = filterChangesByScopes(config.fail_on_scopes, changes)
const filteredChanges = filterOutAllowedAdvisories(
const filteredChanges = filterAllowedAdvisories(
config.allow_ghsas,
scopedChanges
)
@@ -45,7 +45,7 @@ async function run(): Promise<void> {
change.vulnerabilities.length > 0
)
const [licenseErrors, unknownLicenses] = getDeniedLicenseChanges(
const invalidLicenseChanges = await getInvalidLicenseChanges(
filteredChanges,
{
allow: config.allow_licenses,
@@ -53,13 +53,21 @@ async function run(): Promise<void> {
}
)
summary.addSummaryToSummary(addedChanges, licenseErrors, unknownLicenses)
summary.addChangeVulnerabilitiesToSummary(addedChanges, minSeverity)
summary.addLicensesToSummary(licenseErrors, unknownLicenses, config)
summary.addScannedDependencies(changes)
summary.addSummaryToSummary(
config.vulnerability_check ? addedChanges : null,
config.license_check ? invalidLicenseChanges : null
)
printVulnerabilitiesBlock(addedChanges, minSeverity)
printLicensesBlock(licenseErrors, unknownLicenses)
if (config.vulnerability_check) {
summary.addChangeVulnerabilitiesToSummary(addedChanges, minSeverity)
printVulnerabilitiesBlock(addedChanges, minSeverity)
}
if (config.license_check) {
summary.addLicensesToSummary(invalidLicenseChanges, config)
printLicensesBlock(invalidLicenseChanges)
}
summary.addScannedDependencies(changes)
printScannedDependencies(changes)
} catch (error) {
if (error instanceof RequestError && error.status === 404) {
@@ -83,7 +91,7 @@ async function run(): Promise<void> {
}
function printVulnerabilitiesBlock(
addedChanges: Change[],
addedChanges: Changes,
minSeverity: Severity
): void {
let failed = false
@@ -119,24 +127,28 @@ function printChangeVulnerabilities(change: Change): void {
}
function printLicensesBlock(
licenseErrors: Change[],
unknownLicenses: Change[]
invalidLicenseChanges: Record<string, Changes>
): void {
core.group('Licenses', async () => {
if (licenseErrors.length > 0) {
printLicensesError(licenseErrors)
if (invalidLicenseChanges.forbidden.length > 0) {
core.info('\nThe following dependencies have incompatible licenses:')
printLicensesError(invalidLicenseChanges.forbidden)
core.setFailed('Dependency review detected incompatible licenses.')
}
printNullLicenses(unknownLicenses)
if (invalidLicenseChanges.unresolved.length > 0) {
core.warning(
'\nThe validity of the licenses of the dependencies below could not be determined. Ensure that they are valid SPDX licenses:'
)
printLicensesError(invalidLicenseChanges.unresolved)
core.setFailed(
'Dependency review could not detect the validity of all licenses.'
)
}
printNullLicenses(invalidLicenseChanges.unlicensed)
})
}
function printLicensesError(changes: Change[]): void {
if (changes.length === 0) {
return
}
core.info('\nThe following dependencies have incompatible licenses:\n')
function printLicensesError(changes: Changes): void {
for (const change of changes) {
core.info(
`${styles.bold.open}${change.manifest} » ${change.name}@${change.version}${styles.bold.close} License: ${styles.color.red.open}${change.license}${styles.color.red.close}`
@@ -144,12 +156,12 @@ function printLicensesError(changes: Change[]): void {
}
}
function printNullLicenses(changes: Change[]): void {
function printNullLicenses(changes: Changes): void {
if (changes.length === 0) {
return
}
core.info('\nWe could not detect a license for the following dependencies:\n')
core.info('\nWe could not detect a license for the following dependencies:')
for (const change of changes) {
core.info(
`${styles.bold.open}${change.manifest} » ${change.name}@${change.version}${styles.bold.close}`
@@ -192,7 +204,7 @@ function renderScannedDependency(change: Change): string {
} as const
)[changeType]
return `${styles.color[color].open}${icon} ${change.manifest}@${change.version}${styles.color[color].close}`
return `${styles.color[color].open}${icon} ${change.name}@${change.version}${styles.color[color].close}`
}
function printScannedDependencies(changes: Changes): void {
+30 -10
View File
@@ -38,18 +38,38 @@ export const ConfigurationOptionsSchema = z
.object({
fail_on_severity: SeveritySchema,
fail_on_scopes: z.array(z.enum(SCOPES)).default(['runtime']),
allow_licenses: z.array(z.string()).default([]),
deny_licenses: z.array(z.string()).default([]),
allow_licenses: z.array(z.string()).optional(),
deny_licenses: z.array(z.string()).optional(),
allow_ghsas: z.array(z.string()).default([]),
config_file: z.string().optional().default('false'),
base_ref: z.string(),
head_ref: z.string()
license_check: z.boolean().default(true),
vulnerability_check: z.boolean().default(true),
config_file: z.string().optional(),
base_ref: z.string().optional(),
head_ref: z.string().optional()
})
.superRefine((config, context) => {
if (config.allow_licenses && config.deny_licenses) {
context.addIssue({
code: z.ZodIssueCode.custom,
message: 'You cannot specify both allow-licenses and deny-licenses'
})
}
if (config.allow_licenses && config.allow_licenses.length < 1) {
context.addIssue({
code: z.ZodIssueCode.custom,
message: 'You should provide at least one license in allow-licenses'
})
}
if (
config.license_check === false &&
config.vulnerability_check === false
) {
context.addIssue({
code: z.ZodIssueCode.custom,
message: "Can't disable both license-check and vulnerability-check"
})
}
})
.partial()
.refine(
obj => !(obj.allow_licenses && obj.deny_licenses),
'Your workflow file has both an allow_licenses list and deny_licenses list, but you can only set one or the other.'
)
export const ChangesSchema = z.array(ChangeSchema)
+52 -47
View File
@@ -1,18 +1,27 @@
import * as core from '@actions/core'
import {ConfigurationOptions, Change, Changes} from './schemas'
import {ConfigurationOptions, Changes} from './schemas'
import {SummaryTableRow} from '@actions/core/lib/summary'
import {groupDependenciesByManifest, getManifestsSet, renderUrl} from './utils'
export function addSummaryToSummary(
addedPackages: Changes,
licenseErrors: Change[],
unknownLicenses: Change[]
addedPackages: Changes | null,
invalidLicenseChanges: Record<string, Changes> | null
): void {
core.summary
.addHeading('Dependency Review')
.addRaw(
`We found ${addedPackages.length} vulnerable package(s), ${licenseErrors.length} package(s) with incompatible licenses, and ${unknownLicenses.length} package(s) with unknown licenses.`
)
.addRaw('We found:')
.addList([
...(addedPackages
? [`${addedPackages.length} vulnerable package(s)`]
: []),
...(invalidLicenseChanges
? [
`${invalidLicenseChanges.unresolved.length} package(s) with invalid SPDX license definitions`,
`${invalidLicenseChanges.forbidden.length} package(s) with incompatible licenses`,
`${invalidLicenseChanges.unlicensed.length} package(s) with unknown licenses.`
]
: [])
])
}
export function addChangeVulnerabilitiesToSummary(
@@ -76,8 +85,7 @@ export function addChangeVulnerabilitiesToSummary(
}
export function addLicensesToSummary(
licenseErrors: Change[],
unknownLicenses: Change[],
invalidLicenseChanges: Record<string, Changes>,
config: ConfigurationOptions
): void {
core.summary.addHeading('Licenses')
@@ -93,62 +101,59 @@ export function addLicensesToSummary(
)
}
if (licenseErrors.length === 0 && unknownLicenses.length === 0) {
if (Object.values(invalidLicenseChanges).every(item => item.length === 0)) {
core.summary.addQuote('No license violations detected.')
return
}
if (licenseErrors.length > 0) {
const rows: SummaryTableRow[] = []
const manifests = getManifestsSet(licenseErrors)
core.debug(
`found ${invalidLicenseChanges.unlicensed.length} unknown licenses`
)
core.summary.addHeading('Incompatible Licenses', 3).addSeparator()
core.debug(
`${invalidLicenseChanges.unresolved.length} licenses could not be validated`
)
printLicenseViolation(
'Incompatible Licenses',
invalidLicenseChanges.forbidden
)
printLicenseViolation('Unknown Licenses', invalidLicenseChanges.unlicensed)
printLicenseViolation(
'Invalid SPDX License Definitions',
invalidLicenseChanges.unresolved
)
}
function printLicenseViolation(heading: string, changes: Changes): void {
core.summary.addHeading(heading, 5).addSeparator()
if (changes.length > 0) {
const rows: SummaryTableRow[] = []
const manifests = getManifestsSet(changes)
for (const manifest of manifests) {
core.summary.addHeading(`<em>${manifest}</em>`, 4)
for (const change of licenseErrors.filter(
pkg => pkg.manifest === manifest
)) {
for (const change of changes.filter(pkg => pkg.manifest === manifest)) {
rows.push([
renderUrl(change.source_repository_url, change.name),
change.version,
change.license || ''
formatLicense(change.license)
])
}
core.summary.addTable([['Package', 'Version', 'License'], ...rows])
}
} else {
core.summary.addQuote('No license violations detected.')
core.summary.addQuote(`No ${heading.toLowerCase()} detected.`)
}
}
core.debug(`found ${unknownLicenses.length} unknown licenses`)
if (unknownLicenses.length > 0) {
const rows: SummaryTableRow[] = []
const manifests = getManifestsSet(unknownLicenses)
core.debug(
`found ${manifests.entries.length} manifests for unknown licenses`
)
core.summary.addHeading('Unknown Licenses', 3).addSeparator()
for (const manifest of manifests) {
core.summary.addHeading(`<em>${manifest}</em>`, 4)
for (const change of unknownLicenses.filter(
pkg => pkg.manifest === manifest
)) {
rows.push([
renderUrl(change.source_repository_url, change.name),
change.version
])
}
core.summary.addTable([['Package', 'Version'], ...rows])
}
function formatLicense(license: string | null): string {
if (license === null || license === 'NOASSERTION') {
return 'Null'
}
return license
}
export function addScannedDependencies(changes: Changes): void {
@@ -157,7 +162,7 @@ export function addScannedDependencies(changes: Changes): void {
const summary = core.summary
.addHeading('Scanned Dependencies')
.addRaw(`We scanned ${dependencies.size} manifest files:`)
.addHeading(`We scanned ${dependencies.size} manifest files:`, 5)
for (const manifest of manifests) {
const deps = dependencies.get(manifest)
@@ -165,7 +170,7 @@ export function addScannedDependencies(changes: Changes): void {
const dependencyNames = deps.map(
dependency => `<li>${dependency.name}@${dependency.version}</li>`
)
summary.addRaw(`<h3>${manifest}</h3><ul>${dependencyNames.join('')}</ul>`)
summary.addDetails(manifest, `<ul>${dependencyNames.join('')}</ul>`)
}
}
}
+25
View File
@@ -1,3 +1,6 @@
import * as core from '@actions/core'
import {Octokit} from 'octokit'
import spdxParse from 'spdx-expression-parse'
import {Changes} from './schemas'
export function groupDependenciesByManifest(
@@ -28,3 +31,25 @@ export function renderUrl(url: string | null, text: string): string {
return text
}
}
export function isSPDXValid(license: string): boolean {
try {
spdxParse(license)
return true
} catch (_) {
return false
}
}
export function octokitClient(token = 'repo-token', required = true): Octokit {
const opts: Record<string, unknown> = {}
// auth is only added if token is present. For remote config files in public
// repos the token is optional, so it could be undefined.
const auth = core.getInput(token, {required})
if (auth !== undefined) {
opts['auth'] = auth
}
return new Octokit(opts)
}