Compare commits

...

497 Commits

Author SHA1 Message Date
Ahmed ElMallah a6993e2c61 Merge pull request #840 from actions/dependabot-updates
Bump eslint-plugin-jest and ts-jest
2024-10-21 15:29:33 -07:00
ahmed3lmallah d92f08b3ff Bump eslint-plugin-jest and ts-jest 2024-10-21 15:16:32 -07:00
Barry Gordon 3e334b7ca7 Merge pull request #822 from actions/dependabot/npm_and_yarn/got-14.4.2
Bump got from 14.4.1 to 14.4.2
2024-09-30 16:17:18 +01:00
Jon Janego 32b7d886d5 Merge pull request #832 from actions/jonjanego-patch-3
Update stale.yaml
2024-09-26 12:51:51 -05:00
Jon Janego 14b94f8fbc Update stale.yaml
adding closure messages
2024-09-26 11:47:03 -05:00
Eli Reisman 6ea3b24563 Merge pull request #828 from actions/hm/summary
Do not list changed dependencies in summary
2024-09-16 15:28:19 -07:00
Eli Reisman 05042db2b6 update dist packaging 2024-09-16 12:42:52 -07:00
Eli Reisman 6aacbe0934 add a warning message if there is room in the summary prior to cutoff 2024-09-16 12:42:35 -07:00
Eli Reisman 293ccdb6e9 add truncation escape valve to new file summary to avoid overflow 2024-09-16 12:26:36 -07:00
Henri Maurer 83c7cc6aa7 Do not list changes dependencies in summary 2024-09-16 11:29:47 -07:00
Eli Reisman b3559aa82e Merge pull request #829 from actions/elireisman/sec-findings-update
Upgrade transitive micromatch library
2024-09-16 10:04:59 -07:00
Eli Reisman 8179e6abd6 upgrade micromatch within given dependent parent pkg bounds but past security vuln 2024-09-16 09:53:44 -07:00
dependabot[bot] fe833075f3 Bump got from 14.4.1 to 14.4.2
Bumps [got](https://github.com/sindresorhus/got) from 14.4.1 to 14.4.2.
- [Release notes](https://github.com/sindresorhus/got/releases)
- [Commits](https://github.com/sindresorhus/got/compare/v14.4.1...v14.4.2)

---
updated-dependencies:
- dependency-name: got
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-08-26 01:38:54 +00:00
Eli Reisman 526b7f2f9b Merge pull request #815 from actions/dependabot/npm_and_yarn/types/node-20.16.0
Bump @types/node from 20.11.28 to 20.16.0
2024-08-19 10:31:48 -07:00
dependabot[bot] e5cb30f678 Bump @types/node from 20.11.28 to 20.16.0
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 20.11.28 to 20.16.0.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-08-19 01:33:46 +00:00
Jon Janego 90820aba8c Merge pull request #793 from actions/jonjanego-patch-1
Update CONTRIBUTING.md
2024-07-12 16:13:55 -05:00
Jon Janego 7367319600 Merge pull request #794 from actions/jonjanego-patch-2
Create pull_request_template.md
2024-07-12 16:11:24 -05:00
Jon Janego affc3a4f15 Create pull_request_template.md 2024-07-12 16:07:23 -05:00
Jon Janego 07d3c7257a Update CONTRIBUTING.md
minor wording
2024-07-12 15:58:13 -05:00
Justin Holguín a2dda6f539 Merge pull request #766 from louis-bompart/main
fix: getRefs function to handle merge_group events
2024-07-12 12:55:37 -07:00
Louis Bompart 45dc50cabe fix: getRefs function to handle merge_group events 2024-07-12 14:22:20 +02:00
Justin Holguín 5a2ce3f5b9 Merge pull request #791 from actions/juxtin/update-version
Prepare even more for v4.3.4
2024-07-11 13:47:10 -07:00
Justin Holguín ac6a6adece Prepare even more for v4.3.4 2024-07-11 20:39:43 +00:00
Justin Holguín 3e2b91798f Merge pull request #790 from actions/juxtin/update-version
Prepare for v4.3.4 release
2024-07-11 13:38:12 -07:00
Justin Holguín d9ab9c8c45 Update version in package.json 2024-07-11 18:57:29 +00:00
Justin Holguín 8c152c7a0f Merge pull request #769 from actions/dependabot/npm_and_yarn/zod-3.23.8
Bump zod from 3.22.4 to 3.23.8
2024-07-10 10:50:09 -07:00
Justin Holguín 0085d30a6f Update dist 2024-07-10 17:47:42 +00:00
dependabot[bot] 08b5bf2921 Bump zod from 3.22.4 to 3.23.8
Bumps [zod](https://github.com/colinhacks/zod) from 3.22.4 to 3.23.8.
- [Release notes](https://github.com/colinhacks/zod/releases)
- [Changelog](https://github.com/colinhacks/zod/blob/master/CHANGELOG.md)
- [Commits](https://github.com/colinhacks/zod/compare/v3.22.4...v3.23.8)

---
updated-dependencies:
- dependency-name: zod
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-07-10 17:43:18 +00:00
Justin Holguín 986fce9040 Merge pull request #784 from actions/dependabot/npm_and_yarn/got-14.4.1
Bump got from 14.2.0 to 14.4.1
2024-07-10 10:41:24 -07:00
Justin Holguín 28743f8570 Merge pull request #719 from actions/change-spdx-parser
Update SPDX Expression Parsing
2024-07-10 10:06:31 -07:00
Justin Holguín d6f34c3a26 Merge pull request #789 from actions/dependabot/npm_and_yarn/braces-3.0.3
Bump braces from 3.0.2 to 3.0.3
2024-07-08 14:53:16 -07:00
dependabot[bot] 465867cec8 Bump braces from 3.0.2 to 3.0.3
Bumps [braces](https://github.com/micromatch/braces) from 3.0.2 to 3.0.3.
- [Changelog](https://github.com/micromatch/braces/blob/master/CHANGELOG.md)
- [Commits](https://github.com/micromatch/braces/compare/3.0.2...3.0.3)

---
updated-dependencies:
- dependency-name: braces
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-07-08 21:49:13 +00:00
Justin Holguín b4ae47ca2c Properly display test failures using jest 2024-06-10 23:07:07 +00:00
Eli Reisman d85edeb45d remove redundant declaration from TS types module registration 2024-06-10 10:11:00 -07:00
Eli Reisman f60d59372e npm run package 2024-06-10 09:52:17 -07:00
Eli Reisman ed624dba72 more SPDX unit tests to illustrate matching behavior 2024-06-10 09:51:01 -07:00
Eli Reisman bbed6f340a update licenses pkg and tests 2024-06-10 09:51:01 -07:00
Eli Reisman 2e4eaa490e complete test suite conversions; simplify fn name 2024-06-10 09:51:00 -07:00
Eli Reisman ecd706f525 register spdx lib as ES Module, start converting call sites to use new spdx pkg - TODO: update tests 2024-06-10 09:51:00 -07:00
Eli Reisman bc5b235cf6 move jest to dev dependencies 2024-06-10 09:51:00 -07:00
Eli Reisman 154c1500f3 add @onebeyond/spdx-license-satisfies to DR Action project 2024-06-10 09:51:00 -07:00
dependabot[bot] 2115d9eeea Bump got from 14.2.0 to 14.4.1
Bumps [got](https://github.com/sindresorhus/got) from 14.2.0 to 14.4.1.
- [Release notes](https://github.com/sindresorhus/got/releases)
- [Commits](https://github.com/sindresorhus/got/compare/v14.2.0...v14.4.1)

---
updated-dependencies:
- dependency-name: got
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-06-10 01:18:26 +00:00
Eli Reisman df5d74f5d3 Merge pull request #783 from actions/elireisman/all-changes-to-scorecard
Include all added dependencies in scorecard entries
2024-06-07 14:15:00 -07:00
Eli Reisman 1e5b2e69a2 npm run package 2024-06-07 10:00:47 -07:00
Eli Reisman e69288dbec only filter out removed changes from the original PR diff when adding scorecard entries in DR Action report 2024-06-07 10:00:37 -07:00
Eli Reisman 8285e75fb2 Merge pull request #782 from actions/dependabot/npm_and_yarn/undici-5.28.4
Bump undici from 5.28.3 to 5.28.4
2024-06-07 09:44:10 -07:00
Eli Reisman 2224c7c05a npm run package to update dist 2024-06-07 09:35:26 -07:00
dependabot[bot] c0630c2a88 Bump undici from 5.28.3 to 5.28.4
Bumps [undici](https://github.com/nodejs/undici) from 5.28.3 to 5.28.4.
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](https://github.com/nodejs/undici/compare/v5.28.3...v5.28.4)

---
updated-dependencies:
- dependency-name: undici
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-06-06 18:28:02 +00:00
Eli Reisman 72eb03d02c Merge pull request #781 from actions/release-v4.3.3
Bump project version to 4.3.3 in prep for a release
2024-06-05 12:15:21 -07:00
Eli Reisman 137d8b42ce bump to version v4.3.3 2024-06-05 10:26:55 -07:00
Eli Reisman e6b618ed05 Merge pull request #767 from actions/max-comment-length
Fix the max comment length issue
2024-06-04 13:03:31 -07:00
Eli Reisman 3c42649204 fix ws for linter 2024-06-04 12:33:48 -07:00
Eli Reisman 8e6ea8d29b update packaging 2024-06-04 12:30:34 -07:00
Eli Reisman 1b3d2772d0 post-review: add PR comment full summary test case 2024-06-04 12:30:05 -07:00
Eli Reisman 220872c81a Update src/main.ts
Co-authored-by: Brandon Teng <bteng22@github.com>
2024-06-04 12:14:40 -07:00
Eli Reisman 087d0f81a5 repackage to update dist 2024-06-04 11:50:22 -07:00
Eli Reisman 4531204be7 whitespace 2024-06-04 11:50:21 -07:00
Eli Reisman df1ca890c5 appease linter 2024-06-04 11:50:21 -07:00
Eli Reisman 97c6dd59c3 run prettier to clear linter warnings 2024-06-04 11:50:21 -07:00
Eli Reisman 0bec1ca5b4 clean up list formatting for PR comment 2024-06-04 11:21:15 -07:00
Eli Reisman 5460632ba9 WIP: summary test 2024-06-04 11:21:15 -07:00
Eli Reisman f7aca4f481 refactor to dedup min summary generation 2024-06-04 11:21:14 -07:00
Eli Reisman 1988567896 re-apply set output for comment-content 2024-06-04 11:20:29 -07:00
Justin Hutchings 1e26117d02 Fix extra whitespace in list 2024-06-04 11:20:27 -07:00
Justin Hutchings b1e704b9d6 Fix bug where I replaced the comment in the wrong spot 2024-06-04 11:20:19 -07:00
Justin Hutchings 48fae2e703 Add min-comment to fix max-comment length issue 2024-06-04 11:20:10 -07:00
Jon Janego 8d625cd32e Merge pull request #777 from actions/jonjanego-issue-templates
Create issue templates
2024-06-04 11:41:12 -05:00
Jon Janego 3afc0d4eaa Merge pull request #778 from actions/jonjanego-contribution-updates
Updates to the contribution guidelines
2024-06-04 09:59:36 -05:00
Jon Janego bc8dee91fe Update CONTRIBUTING.md
being consistent about using forks, minor style updates
2024-06-04 09:58:59 -05:00
Jon Janego 0669e2939d Update CONTRIBUTING.md
Co-authored-by: Barry Gordon <896971+brrygrdn@users.noreply.github.com>
2024-06-04 09:45:14 -05:00
Jon Janego fd46ab736e Update CONTRIBUTING.md
fixing example code for consistency
2024-06-04 09:01:11 -05:00
Jon Janego 551e0b82bd Update CONTRIBUTING.md
fixing a sentence fragment
2024-06-04 08:59:20 -05:00
Jon Janego fbfa3f19c8 Update SECURITY.md
linking to the main bounty site instead of h1
2024-06-03 16:59:30 -05:00
Jon Janego 89204de987 Create config.yml 2024-06-03 16:48:33 -05:00
Jon Janego 6d4e634e06 Create issue templates
issue templates for bugs and feature requests
2024-06-03 16:43:33 -05:00
Jon Janego 4c5eeccebb Update CONTRIBUTING.md
Adding some explanations about contribution standards and local development
2024-06-03 16:18:38 -05:00
Jon Janego f6e67d2f8d Merge pull request #776 from ramann/patch-1
fix show-openssf-scorecard-levels input
2024-06-03 12:54:46 -05:00
robert eb0576373a fix show-openssf-scorecard-levels input
The input in the README was wrong, I have fixed it to match action.yml.
2024-06-03 12:20:08 -04:00
Jon Janego 981e960c8c Merge pull request #773 from am-stead/am-stead-patch-1
PR with suggestions - [Improvement]: Help streamline / simplify dependency review action README
2024-05-30 09:23:53 -05:00
Anne-Marie 87b53ae475 add line break 2024-05-30 11:10:36 +00:00
Anne-Marie c601a5a741 combining Output notes 2024-05-30 11:02:59 +00:00
Jon Janego 5751523f41 Update README.md 2024-05-29 13:21:44 -05:00
Anne-Marie 3fe3159bb9 Indenting to match vulnerable-changes 2024-05-27 09:15:58 +02:00
Anne-Marie 2d3c93c0e0 Update README.md
Co-authored-by: Jon Janego <jonjanego@github.com>
2024-05-27 09:14:01 +02:00
Anne-Marie 9770b8da2c Update README.md
Co-authored-by: Jon Janego <jonjanego@github.com>
2024-05-27 09:13:46 +02:00
Anne-Marie d5b8317942 edits 2024-05-24 07:35:18 +00:00
Anne-Marie d3670a3e49 updating GHES links 2024-05-23 10:38:06 +00:00
Anne-Marie f38966fbec updating overview 2024-05-23 10:26:42 +00:00
Anne-Marie 9eb0dccbc9 editing configuration and remaining sections 2024-05-23 10:03:57 +00:00
Anne-Marie 258a2295c6 installation section 2024-05-23 09:37:47 +00:00
Anne-Marie 4c0a483c95 Update README.md 2024-05-23 10:22:01 +02:00
Eli Reisman 339e2e1bfc Merge pull request #741 from josieang/deps-dev-v3
use the v3 version of the deps.dev API
2024-05-10 14:23:17 -07:00
Josie Anugerah 40cd879447 npm install && npm run build && npm run package 2024-05-07 08:11:58 +10:00
Josie Anugerah d11eeb39d8 Merge branch 'main' into deps-dev-v3 2024-05-06 17:26:48 +10:00
Justin Holguín 82ab8f69c7 Merge pull request #765 from actions/juxtin/allow-slashes-in-purls
Allow slashes in purl package names
2024-05-02 13:30:20 -07:00
Justin Holguín 432d8e7efe Allow slashes in purl package names 2024-05-02 19:11:08 +00:00
Justin Holguín 0c155c5e85 Merge pull request #762 from actions/juxtin/prepare-4.3.2
Update version number to 4.3.2
2024-04-30 09:39:04 -07:00
Justin Holguín f3dac32d35 Merge pull request #761 from actions/juxtin/fix-allow-dependencies-licenses
Fix package-url parsing for allow-dependencies-licenses
2024-04-30 09:38:44 -07:00
Justin Holguín d0d5cc3ec4 Update version number to 4.3.2 2024-04-30 16:30:51 +00:00
Justin Holguín 49fbbe0acb Fix package-url parsing for allow-dependencies-licenses 2024-04-29 23:24:15 +00:00
Justin Holguín e58c696e52 Merge pull request #758 from actions/juxtin/prepare-4.3.1
Change version to 4.3.1
2024-04-29 10:48:18 -07:00
Justin Holguín 9b7c72ddcd Change version to 4.3.1 2024-04-29 17:45:21 +00:00
Justin Holguín 7dcfabfea2 Merge pull request #753 from actions/juxtin/debug-purl
Parse purls cautiously in getDeniedChanges
2024-04-29 10:43:30 -07:00
Justin Holguín 5f0808ffb1 Validate that deny-packages purls are complete 2024-04-29 16:46:21 +00:00
Justin Holguín fcc66c23b3 Refine purl parsing and tests 2024-04-28 20:33:37 +00:00
Justin Holguín 1dd418bcb3 Basic tests for PURL validation in config 2024-04-27 22:16:46 +00:00
Justin Holguín 640617990f Replace packageurl-js with our own implementation 2024-04-27 21:26:06 +00:00
Justin Holguín 2034babb6b Bypass purls (mostly) for deny checks 2024-04-26 23:17:11 +00:00
Justin Holguín 7e773b1e98 Log offending purl 2024-04-26 21:50:12 +00:00
Justin Holguín a3460920cc Parse purls cautiously in getDeniedChanges 2024-04-26 21:28:24 +00:00
Justin Holguín 0659a74c94 Merge pull request #751 from actions/juxtin/release
Update version to 4.3.0 in preparation for release
2024-04-26 10:26:45 -07:00
Justin Holguín 28facf5722 Update release instructions 2024-04-26 17:11:57 +00:00
Justin Holguín 5ab7b74146 Update package-lock.json 2024-04-26 17:11:46 +00:00
Josie Anugerah 2a28e93881 Merge branch 'main' into deps-dev-v3 2024-04-26 14:10:34 +10:00
Justin Holguín 95b6fa4e6b Update version to 4.3.0 2024-04-25 22:41:44 +00:00
Brandon Teng 2dba7fdde1 Merge pull request #733 from actions/deny-list-version
deny-packages configuration option can deny specified version or all packages
2024-04-24 20:38:16 -05:00
Brandon Teng 7d44c7c392 building package with latest typescript version 2024-04-24 20:36:47 -05:00
Brandon Teng ce31ee8325 Merge branch 'main' into deny-list-version 2024-04-24 18:16:35 -05:00
Justin Holguín df1b3661fd Merge pull request #750 from actions/juxtin/fix-deny-icon
Show denied packages with red X
2024-04-24 15:37:25 -07:00
Brandon Teng 71c57a6108 Merge branch 'main' into deny-list-version 2024-04-24 17:19:53 -05:00
Justin Holguín 7e2c3c347b Show denied packages with red X 2024-04-24 22:11:24 +00:00
Justin Holguín f456418f6a Merge pull request #737 from actions/dependabot/npm_and_yarn/eslint-plugin-github-4.10.2
Bump eslint-plugin-github from 4.10.1 to 4.10.2
2024-04-24 14:59:31 -07:00
Justin Holguín 19bd35e07b Merge pull request #744 from actions/dependabot/npm_and_yarn/typescript-5.4.5
Bump typescript from 5.3.3 to 5.4.5
2024-04-24 14:57:23 -07:00
Justin Holguín ff97293707 Update dist 2024-04-24 21:55:26 +00:00
dependabot[bot] 5498b6c4c3 Bump typescript from 5.3.3 to 5.4.5
Bumps [typescript](https://github.com/Microsoft/TypeScript) from 5.3.3 to 5.4.5.
- [Release notes](https://github.com/Microsoft/TypeScript/releases)
- [Changelog](https://github.com/microsoft/TypeScript/blob/main/azure-pipelines.release.yml)
- [Commits](https://github.com/Microsoft/TypeScript/compare/v5.3.3...v5.4.5)

---
updated-dependencies:
- dependency-name: typescript
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-04-24 21:39:33 +00:00
Brandon Teng 80116a4564 Merge branch 'main' into deny-list-version 2024-04-24 16:35:05 -05:00
Justin Holguín 68488bcecb Merge pull request #748 from actions/issue-738
Fix extra https:// in summary
2024-04-24 13:54:40 -07:00
Justin Hutchings 16a0212a77 Build source 2024-04-23 17:31:55 +00:00
Justin Hutchings 6d3fba9bf2 Remove extra https:// 2024-04-23 17:26:55 +00:00
Josie Anugerah 671683931a run npm run all 2024-04-17 13:31:49 -07:00
Brandon Teng c6cc8585a0 building and packaging action 2024-04-16 16:25:58 -05:00
Brandon Teng c32a0148b3 throwing parsing error up instead of swallowing it 2024-04-16 16:25:28 -05:00
Brandon Teng 67d0214607 simplifying tests 2024-04-16 16:04:25 -05:00
Brandon Teng 3ca15314ff transforming package URLs during zod parsing 2024-04-16 16:04:11 -05:00
Brandon Teng a318e62c6c using packageurl-js to parse packages and groups from config 2024-04-16 12:44:51 -05:00
Josie Anugerah b0986c2fe0 use the v3 version of the deps.dev API 2024-04-09 16:11:32 +10:00
Brandon Teng 061f471b83 updating docs 2024-04-04 15:48:24 -05:00
Brandon Teng 012eca3d4d building and packaging action 2024-04-04 15:35:28 -05:00
Brandon Teng 8739aa4bb3 Merge branch 'main' into deny-list-version 2024-04-04 15:26:19 -05:00
Brandon Teng a323510dae more refactoring for getDeniedChanges 2024-04-04 15:18:51 -05:00
Brandon Teng 7cebd9d64d refactoring getDeniedChanges 2024-04-04 15:04:45 -05:00
Brandon Teng f8ca44e2de updating README 2024-04-04 13:26:08 -05:00
Brandon Teng 411e5ec44f updating deny-packages config option to deny exact version or wildcard 2024-04-04 13:25:54 -05:00
dependabot[bot] 72aedfc147 Bump eslint-plugin-github from 4.10.1 to 4.10.2
Bumps [eslint-plugin-github](https://github.com/github/eslint-plugin-github) from 4.10.1 to 4.10.2.
- [Release notes](https://github.com/github/eslint-plugin-github/releases)
- [Commits](https://github.com/github/eslint-plugin-github/compare/v4.10.1...v4.10.2)

---
updated-dependencies:
- dependency-name: eslint-plugin-github
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-04-01 01:25:22 +00:00
Federico Builes 2ce029c676 Fix another incidence of the OpenSSF config name. 2024-03-28 06:54:16 +01:00
Federico Builes 1c949fbe77 Merge pull request #735 from StacklokLabs/rename-openssf-scorecard
Readme action variable name for scorecard is wrong
2024-03-28 06:52:47 +01:00
Luke Hinds bddd13d857 Readme action variable name for scorecard is wrong
The actual name from action.yaml is `show-openssf-scorecard`
and not `show-openssf-scorecard-levels`

Signed-off-by: Luke Hinds <luke@stacklok.com>
2024-03-27 17:18:17 -07:00
Federico Builes 0e665bf3ac Adding a failing test.
Co-authored-by: Brandon Teng <bteng22@github.com>
2024-03-27 15:05:17 +01:00
Federico Builes 5bbc3ba658 bumping version 2024-03-26 08:04:16 +01:00
Federico Builes c59184aa7f Merge pull request #722 from actions/remove-warn-default
Revert default values in action.yml to fix external configs
2024-03-26 07:55:00 +01:00
Federico Builes 54c06574f4 Merge pull request #728 from actions/dependabot/npm_and_yarn/eslint-8.57.0
Bump eslint from 8.56.0 to 8.57.0
2024-03-25 06:27:19 +01:00
dependabot[bot] 21941b530b Bump eslint from 8.56.0 to 8.57.0
Bumps [eslint](https://github.com/eslint/eslint) from 8.56.0 to 8.57.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/eslint/eslint/compare/v8.56.0...v8.57.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-03-25 01:27:32 +00:00
Federico Builes 733dd5d4a5 bumping to 4.2.4 2024-03-24 14:59:17 +01:00
Federico Builes 9093495859 Merge pull request #725 from actions/issue-718
Bug fixes to #718
2024-03-24 14:56:57 +01:00
Justin Hutchings 35b83b4207 Fix prettier issues 2024-03-22 21:59:08 +00:00
Justin Hutchings e057056594 Add packaged code update 2024-03-22 21:31:00 +00:00
Justin Hutchings d684d038b2 Add trailing slash to tests 2024-03-22 21:21:52 +00:00
Justin Hutchings 2b0aaf1638 Fix extra slash issue 2024-03-22 21:20:15 +00:00
Justin Hutchings d9209374af Fix repositoryUrl issues around GitHub Actions 2024-03-22 21:00:38 +00:00
Federico Builes 651d22c5d5 Revert default values in action.yml to fix external configs. 2024-03-22 08:29:26 +01:00
Eli Reisman 02b13f6b52 Merge pull request #721 from sporkmonger/patch-1
Typo fixes in README
2024-03-21 17:18:11 -07:00
Bob Aman 6e0fa26ac3 Typo fixes
Fixed a couple spelling errors.
2024-03-21 16:37:36 -07:00
Federico Builes 0fa40c3c10 bumping to 4.2.3. 2024-03-20 17:57:26 +01:00
Federico Builes 1f6240f54c Merge pull request #707 from laughedelic/feat/data-outputs
Add outputs for the changes data
2024-03-20 17:47:40 +01:00
Federico Builes b751d41e7e Merge pull request #702 from actions/dependabot/npm_and_yarn/nodemon-3.1.0
Bump nodemon from 3.0.3 to 3.1.0
2024-03-20 06:48:20 +01:00
Federico Builes 6183eb9d2b Merge pull request #703 from actions/dependabot/npm_and_yarn/eslint-plugin-jest-27.9.0
Bump eslint-plugin-jest from 27.6.3 to 27.9.0
2024-03-20 06:48:14 +01:00
laughedelic 6585cc5f01 fix run syntax 2024-03-19 21:23:25 +01:00
laughedelic 218a76cbd5 add clarification about output usage hygiene 2024-03-19 21:22:12 +01:00
laughedelic d78d095945 revert changes in CI 2024-03-19 19:48:45 +01:00
Federico Builes 36297aa214 Merge pull request #716 from actions/dependabot/npm_and_yarn/types/node-20.11.28
Bump @types/node from 20.11.19 to 20.11.28
2024-03-18 05:01:38 +01:00
dependabot[bot] 1e69a8c24a Bump @types/node from 20.11.19 to 20.11.28
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 20.11.19 to 20.11.28.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-03-18 02:01:11 +00:00
Jon Janego 2f10643938 Merge pull request #715 from actions/jonjanego-patch-2
Update README.md
2024-03-15 11:24:37 -05:00
Jon Janego 1eb83b5560 Update README.md
minor text clarifications to keep consistent with wording in (the docs)[https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-dependency-review]
2024-03-15 11:22:32 -05:00
laughedelic 47b7acc8e3 update dist 2024-03-15 03:22:15 +01:00
laughedelic 16bfb3360c Merge branch 'main' into feat/data-outputs 2024-03-15 03:21:07 +01:00
Alexey Alekhin bc6a1f0dd4 avoid using if: always() 2024-03-15 03:01:16 +01:00
Alexey Alekhin e38e634e54 Apply suggestions for docs
Co-authored-by: Federico Builes <febuiles@github.com>
2024-03-15 02:32:15 +01:00
Jon Janego 5574be321f Merge pull request #712 from actions/jonjanego-patch-1
Update stale.yaml and CONTRIBUTING.md
2024-03-14 15:23:18 -05:00
Jon Janego aef51371b7 Update CONTRIBUTING.md
explaining stalebot
2024-03-14 14:44:38 -05:00
Jon Janego 3b70c9966e Update stale.yaml
fixing some comments, adding a keep label for issues, explicitly defining labeling behavior for issues
2024-03-14 14:43:08 -05:00
Federico Builes adaed32746 Merge pull request #709 from jhutchings1/scorecard
Add support for calculating OpenSSF Scorecards
2024-03-14 06:30:21 +01:00
Justin Hutchings 4ce120135b Fix OpenSSF Scorecard display issue 2024-03-13 16:23:23 +00:00
Justin Hutchings 0e8bc32a54 Fix prettier linting 2024-03-12 22:06:54 +00:00
Justin Hutchings f875e6ec1d Simplify truthiness check 2024-03-12 21:49:01 +00:00
Justin Hutchings 72666694f0 Fix broken tests, clean up dead code 2024-03-12 21:32:27 +00:00
Justin Hutchings 7dc5f537be Add scorecard to summary and count scorecard warnings 2024-03-12 20:47:25 +00:00
Justin Hutchings ac600387ca Add tests 2024-03-12 17:55:10 +00:00
Justin Hutchings d186d663df Automatically collapse the scorecard table 2024-03-11 22:23:03 +00:00
Justin Hutchings b7fdb4c8e2 Remove unused import 2024-03-11 22:19:09 +00:00
Justin Hutchings ba6b805e18 Remove dead code, complete printScorecardBlock 2024-03-11 22:17:28 +00:00
Justin Hutchings 70801db78f Revert line number implementation 2024-03-11 22:05:19 +00:00
Justin Hutchings 5bc19761c5 Add debugging 2024-03-08 03:00:15 +00:00
Justin Hutchings 5ba0d0fe17 Add debugging 2024-03-08 02:53:41 +00:00
Justin Hutchings 6a74ebd41e Fix column number implementation 2024-03-08 02:49:15 +00:00
Justin Hutchings 250250e73d Refactor schema, add line numbers to warnings 2024-03-08 02:31:11 +00:00
Justin Hutchings cb0a0415fb Update dist 2024-03-08 01:30:46 +00:00
Justin Hutchings 296bf3ab1b Add docs, implement warning behavior 2024-03-08 01:29:53 +00:00
Justin Hutchings 59d4782b76 Add links to summary 2024-03-06 20:14:19 +00:00
Justin Hutchings e878bf8824 Fix bug with protocol prefixes 2024-03-06 20:06:26 +00:00
Justin Hutchings 1b21f392ca Fix scorecard bug 2024-03-06 19:44:54 +00:00
Justin Hutchings 111227a118 Refactor scorecard API implementation 2024-03-06 14:43:49 +00:00
Justin Hutchings a1258f2a2e Fix icon issues 2024-03-04 20:07:08 +00:00
Justin Hutchings 29b9ef447a Fix icons and undefined/null checks 2024-03-04 20:03:39 +00:00
Justin Hutchings b5a1aee21a Add debugging 2024-03-04 19:45:36 +00:00
Justin Hutchings b3d2872ac7 Update dist 2024-03-04 19:39:13 +00:00
Justin Hutchings 5bace73db3 Fix undefined/null checks 2024-03-04 19:38:52 +00:00
Justin Hutchings f8ebb4b946 Add formatting around warning for low scorecard levels 2024-03-04 19:34:29 +00:00
laughedelic 84b80e6e84 add checks for the outputs 2024-03-04 19:53:14 +01:00
Justin Hutchings 1251834b92 Add dependencies without scorecards to scorecards table 2024-03-04 18:51:52 +00:00
Justin Hutchings 94125c4b1e Fix formatting issues 2024-03-04 18:38:53 +00:00
Justin Hutchings 9843156266 Improve summary formatting 2024-03-04 18:28:43 +00:00
Justin Hutchings 2fcc6a1c72 Fix config implementation 2024-03-04 18:17:53 +00:00
Justin Hutchings ea64ae9d4d Fix config mapping issue 2024-03-04 18:11:46 +00:00
Justin Hutchings 5955069e69 Add debugging 2024-03-04 18:04:06 +00:00
laughedelic 05fcfa49e0 add a note about outputs size limit 2024-03-04 18:58:48 +01:00
laughedelic 75be7f0c0c clarify docs, add a usage example 2024-03-04 18:53:03 +01:00
Justin Hutchings 7d2e20d06d Stub out summary implementation for scorecards 2024-03-04 17:52:17 +00:00
Jon Janego 97f7ba06d0 Update CONTRIBUTING.md
some more examples of good contribution standards
2024-03-04 10:31:16 -06:00
Justin Hutchings 2bc3ecb19b Fix type issues 2024-03-03 06:50:11 +00:00
Justin Hutchings c286ea91b0 Add nullish to types 2024-03-03 06:08:47 +00:00
Justin Hutchings 6bcbf042ff Fix OpenSSF Scorecard Score retrieval 2024-03-03 05:59:37 +00:00
Justin Hutchings 43286afc54 Add debugging 2024-03-03 05:48:33 +00:00
Justin Hutchings 764e39e792 Attempt to fix type issues 2024-03-03 05:43:20 +00:00
Justin Hutchings bf2683a10c Fixing url error 2024-03-03 05:30:49 +00:00
Justin Hutchings f1b66d10c9 Remove dependency on PackageURL 2024-03-03 05:26:55 +00:00
Justin Hutchings ffd129c285 Refactor types, add printing 2024-03-03 05:24:07 +00:00
Justin Hutchings 72d5b06a68 Add more error handling 2024-03-03 01:34:03 +00:00
Justin Hutchings b2ddac1749 Remove custom type to go around errors 2024-03-03 01:27:54 +00:00
Justin Hutchings f357c751be fix extra slash 2024-03-03 01:21:27 +00:00
Justin Hutchings e16e218fdc Encode URI component to fix 404 2024-03-03 01:15:16 +00:00
Justin Hutchings f87cc241f7 Fixing bugs 2024-03-03 01:10:08 +00:00
Justin Hutchings d641d3a261 Fix bugs in scorecard 2024-03-03 01:05:36 +00:00
Justin Hutchings 4230610a70 Add exception handling 2024-03-03 00:46:24 +00:00
Justin Hutchings af5438b06f Add debugging 2024-03-03 00:31:13 +00:00
Justin Hutchings 781bff117a Fix prettier issues, and JSON error in main 2024-03-03 00:25:40 +00:00
Justin Hutchings 7a8ce509c9 Update dist 2024-03-03 00:17:26 +00:00
Justin Hutchings f419e37c19 Fix build breaks 2024-03-03 00:15:42 +00:00
Justin Hutchings 3d70a3cf05 Draft integration with deps.dev 2024-03-02 22:37:50 +00:00
laughedelic e7aef164a1 chore: build and package 2024-03-02 05:10:30 +01:00
laughedelic ab8c3848de docs: update readme 2024-03-02 05:09:49 +01:00
laughedelic eecc9aab88 feat: add action outputs for different types of changes 2024-03-02 04:55:58 +01:00
dependabot[bot] 7f632dbe1f Bump eslint-plugin-jest from 27.6.3 to 27.9.0
Bumps [eslint-plugin-jest](https://github.com/jest-community/eslint-plugin-jest) from 27.6.3 to 27.9.0.
- [Release notes](https://github.com/jest-community/eslint-plugin-jest/releases)
- [Changelog](https://github.com/jest-community/eslint-plugin-jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jest-community/eslint-plugin-jest/compare/v27.6.3...v27.9.0)

---
updated-dependencies:
- dependency-name: eslint-plugin-jest
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-26 01:35:46 +00:00
dependabot[bot] ba18fafa8d Bump nodemon from 3.0.3 to 3.1.0
Bumps [nodemon](https://github.com/remy/nodemon) from 3.0.3 to 3.1.0.
- [Release notes](https://github.com/remy/nodemon/releases)
- [Commits](https://github.com/remy/nodemon/compare/v3.0.3...v3.1.0)

---
updated-dependencies:
- dependency-name: nodemon
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-26 01:35:37 +00:00
Federico Builes 40eb2b8b00 Merge pull request #698 from jsoref/set-comment-as-output
Set comment as output
2024-02-21 12:36:50 +01:00
Josh Soref db6a5119ce Set comment as output
Move the logic from the caller as a negation instead of trying to
negate it by hand.
2024-02-20 14:19:19 -05:00
Federico Builes 9129d7d40b don't set output on every run 2024-02-20 18:47:36 +01:00
Jon Janego a1be843151 Update stale.yaml
Adding stale checks to issues
2024-02-20 10:25:09 -06:00
Federico Builes 587ff57efd Don't use if: always() in examples. 2024-02-19 18:11:35 +01:00
Federico Builes be8bc500ee Merge branch 'output-comment' 2024-02-19 17:26:04 +01:00
Federico Builes cb180bf383 Merge pull request #696 from actions/output-comment
Expose dependency comment content
2024-02-19 17:23:55 +01:00
Federico Builes b2ea187fd2 bumping action version 2024-02-19 17:21:55 +01:00
Federico Builes c94f57ba90 Add a new image for the example report. 2024-02-19 17:18:02 +01:00
Federico Builes 124fafe31e Merge branch 'issue-250' into output-comment 2024-02-19 17:12:19 +01:00
Federico Builes 26174d80a2 Merge branch 'issue-250' of https://github.com/jsoref/dependency-review-action into issue-250 2024-02-19 17:12:08 +01:00
Federico Builes a87338ac8a Update example workflow. 2024-02-19 17:10:11 +01:00
Josh Soref 64f81cd2da Expose dependency comment content 2024-02-19 11:07:56 -05:00
Josh Soref 0ca1f606a4 Report action input names 2024-02-19 11:07:42 -05:00
Josh Soref d416fb5267 Add minimal alt text to README 2024-02-19 11:07:19 -05:00
Josh Soref 81bba5eb54 Remove /en/ from doc links
The docs server will redirect based on the user's browser's
preference.
2024-02-19 11:07:07 -05:00
Josh Soref f9daaa3561 Remove obsolete reference to GHES 3.8
GHES 3.7 reached EOL 2024-01-04, as such all GHES versions should be supported.
2024-02-19 11:06:54 -05:00
Josh Soref 60c44a0894 Remove obsolete references to GHES 3.6
GHES 3.6 reached EOL 2023-09-25.
2024-02-19 11:06:54 -05:00
Federico Builes 7911825c25 Point directly to DR API. 2024-02-19 16:38:15 +01:00
Federico Builes ad040f4b88 adding dist/ 2024-02-19 16:22:53 +01:00
Josh Soref 2876926e7f Expose dependency comment content 2024-02-19 10:09:03 -05:00
Josh Soref 47a0fcbcd4 Report action input names 2024-02-19 10:06:32 -05:00
Josh Soref da507e61ac Add minimal alt text to README 2024-02-19 10:06:32 -05:00
Josh Soref 0034949d8d Remove /en/ from doc links
The docs server will redirect based on the user's browser's
preference.
2024-02-19 10:06:32 -05:00
Josh Soref f1706f5a9d Remove obsolete reference to GHES 3.8
GHES 3.7 reached EOL 2024-01-04, as such all GHES versions should be supported.
2024-02-19 09:49:21 -05:00
Josh Soref a569f6fc5c Remove obsolete references to GHES 3.6
GHES 3.6 reached EOL 2023-09-25.
2024-02-19 09:49:21 -05:00
Federico Builes fd07d42ce8 bumping to 4.1.1 2024-02-19 10:03:58 +01:00
Federico Builes 77290ae4a1 bump transitive dep on undici 2024-02-19 10:03:58 +01:00
Federico Builes 9411082069 Merge pull request #693 from actions/dependabot/npm_and_yarn/types/node-20.11.19
Bump @types/node from 20.11.17 to 20.11.19
2024-02-19 08:54:35 +01:00
dependabot[bot] 73d8c1b981 Bump @types/node from 20.11.17 to 20.11.19
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 20.11.17 to 20.11.19.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-19 01:24:57 +00:00
Federico Builes 80f10bf419 Bump to 4.1.0. 2024-02-14 08:13:14 +01:00
Federico Builes 17728c80ab Merge pull request #689 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-6.21.0
Bump @typescript-eslint/eslint-plugin from 6.20.0 to 6.21.0
2024-02-12 06:31:08 +01:00
dependabot[bot] 0ac4f80276 Bump @typescript-eslint/eslint-plugin from 6.20.0 to 6.21.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 6.20.0 to 6.21.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.21.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-12 05:29:22 +00:00
Federico Builes 1ebcf1475c Merge pull request #690 from actions/dependabot/npm_and_yarn/types/node-20.11.17
Bump @types/node from 20.11.10 to 20.11.17
2024-02-12 06:28:34 +01:00
Federico Builes 5777ce6aec Merge pull request #688 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-6.21.0
Bump @typescript-eslint/parser from 6.20.0 to 6.21.0
2024-02-12 06:28:19 +01:00
Federico Builes 37dd5f9e8a Merge pull request #687 from actions/dependabot/npm_and_yarn/ts-jest-29.1.2
Bump ts-jest from 29.1.1 to 29.1.2
2024-02-12 06:28:12 +01:00
dependabot[bot] 6c2af06a9d Bump @types/node from 20.11.10 to 20.11.17
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 20.11.10 to 20.11.17.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-12 01:14:23 +00:00
dependabot[bot] 58d70bd41a Bump @typescript-eslint/parser from 6.20.0 to 6.21.0
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 6.20.0 to 6.21.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.21.0/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-12 01:14:01 +00:00
dependabot[bot] 972c2b36d8 Bump ts-jest from 29.1.1 to 29.1.2
Bumps [ts-jest](https://github.com/kulshekhar/ts-jest) from 29.1.1 to 29.1.2.
- [Release notes](https://github.com/kulshekhar/ts-jest/releases)
- [Changelog](https://github.com/kulshekhar/ts-jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/kulshekhar/ts-jest/compare/v29.1.1...v29.1.2)

---
updated-dependencies:
- dependency-name: ts-jest
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-12 01:13:48 +00:00
Justin Holguín 60f93ef4a0 Merge pull request #432 from tgrall/issue-431-fail-on-severity-none
Add none as option for fail-on-severity
2024-02-11 14:00:39 -08:00
tgrall c2936a6e3e fix reviewed done by @juxtin - bad line in yml 2024-02-10 09:20:39 +01:00
Federico Builes ba2d570913 Merge pull request #682 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-6.20.0
Bump @typescript-eslint/eslint-plugin from 6.19.1 to 6.20.0
2024-02-05 07:57:39 +01:00
dependabot[bot] 629b4c97dd Bump @typescript-eslint/eslint-plugin from 6.19.1 to 6.20.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 6.19.1 to 6.20.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.20.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-05 06:56:33 +00:00
Federico Builes 58e8c75f3b Merge pull request #684 from actions/dependabot/npm_and_yarn/got-14.2.0
Bump got from 14.0.0 to 14.2.0
2024-02-05 07:55:50 +01:00
dependabot[bot] 8db04ed44f Bump got from 14.0.0 to 14.2.0
Bumps [got](https://github.com/sindresorhus/got) from 14.0.0 to 14.2.0.
- [Release notes](https://github.com/sindresorhus/got/releases)
- [Commits](https://github.com/sindresorhus/got/compare/v14.0.0...v14.2.0)

---
updated-dependencies:
- dependency-name: got
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-05 06:55:44 +00:00
Federico Builes b3aa197a26 Merge pull request #683 from actions/dependabot/npm_and_yarn/prettier-3.2.5
Bump prettier from 3.2.4 to 3.2.5
2024-02-05 07:55:42 +01:00
Federico Builes 4e78eb60ef Merge pull request #681 from actions/dependabot/npm_and_yarn/types/jest-29.5.12
Bump @types/jest from 29.5.11 to 29.5.12
2024-02-05 07:54:49 +01:00
Federico Builes 65f749b96d Merge pull request #680 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-6.20.0
Bump @typescript-eslint/parser from 6.18.1 to 6.20.0
2024-02-05 07:54:36 +01:00
dependabot[bot] 0043ed5ccb Bump prettier from 3.2.4 to 3.2.5
Bumps [prettier](https://github.com/prettier/prettier) from 3.2.4 to 3.2.5.
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/prettier/compare/3.2.4...3.2.5)

---
updated-dependencies:
- dependency-name: prettier
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-05 01:24:36 +00:00
dependabot[bot] 52933765bf Bump @types/jest from 29.5.11 to 29.5.12
Bumps [@types/jest](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/jest) from 29.5.11 to 29.5.12.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/jest)

---
updated-dependencies:
- dependency-name: "@types/jest"
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-05 01:24:18 +00:00
dependabot[bot] 6a6f26102b Bump @typescript-eslint/parser from 6.18.1 to 6.20.0
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 6.18.1 to 6.20.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.20.0/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-05 01:24:11 +00:00
tgrall 8f3df4d674 fix ci failure on format-check 2024-02-02 06:09:20 +01:00
tgrall 98e8293881 Update Readme and action.yml based on review comments 2024-02-01 06:03:53 +01:00
Justin Holguín 748888b3fd Merge pull request #665 from actions/dependabot/npm_and_yarn/prettier-3.2.4
Bump prettier from 3.1.1 to 3.2.4
2024-01-31 14:19:36 -08:00
Justin Holguín 4dffb75625 Run prettier --write 2024-01-31 22:09:37 +00:00
Justin Holguín 9e50351924 Merge pull request #678 from actions/juxtin/codeql-ignore-dist
Use manual codeql config
2024-01-31 13:49:51 -08:00
Justin Holguín 0812876f7c Update codeql.yml 2024-01-31 13:44:54 -08:00
Justin Holguín 4f37a60d4f Create codeql.yml 2024-01-31 13:36:31 -08:00
dependabot[bot] c0518321c3 Bump prettier from 3.1.1 to 3.2.4
Bumps [prettier](https://github.com/prettier/prettier) from 3.1.1 to 3.2.4.
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/prettier/compare/3.1.1...3.2.4)

---
updated-dependencies:
- dependency-name: prettier
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-31 18:57:22 +00:00
Justin Holguín 0229309241 Merge pull request #673 from actions/dependabot/npm_and_yarn/nodemon-3.0.3
Bump nodemon from 3.0.2 to 3.0.3
2024-01-31 10:56:20 -08:00
Jon Janego c664fc5964 Update examples.md
spelling
2024-01-31 12:43:08 -06:00
Federico Builes a7da313c35 Merge pull request #675 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-6.19.1
Bump @typescript-eslint/eslint-plugin from 6.18.1 to 6.19.1
2024-01-29 07:50:12 +01:00
Federico Builes 8953f45584 Merge pull request #674 from actions/dependabot/npm_and_yarn/types/node-20.11.10
Bump @types/node from 20.11.5 to 20.11.10
2024-01-29 07:49:59 +01:00
dependabot[bot] d93026fc89 Bump @typescript-eslint/eslint-plugin from 6.18.1 to 6.19.1
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 6.18.1 to 6.19.1.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.19.1/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-29 01:35:06 +00:00
dependabot[bot] 5a2ac62566 Bump @types/node from 20.11.5 to 20.11.10
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 20.11.5 to 20.11.10.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-29 01:34:51 +00:00
dependabot[bot] 0f007f69b1 Bump nodemon from 3.0.2 to 3.0.3
Bumps [nodemon](https://github.com/remy/nodemon) from 3.0.2 to 3.0.3.
- [Release notes](https://github.com/remy/nodemon/releases)
- [Commits](https://github.com/remy/nodemon/compare/v3.0.2...v3.0.3)

---
updated-dependencies:
- dependency-name: nodemon
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-29 01:34:40 +00:00
tgrall 05d861260a finalize testing 2024-01-28 15:54:59 +01:00
tgrall 2c526853b4 new debug test 2024-01-28 15:51:39 +01:00
tgrall 9e251a5913 dist 2024-01-28 15:00:36 +01:00
tgrall ee5bd475ba debug behavior 2024-01-28 14:59:04 +01:00
tgrall b0a705da21 Fix license printing bug in main.ts 2024-01-28 14:54:28 +01:00
tgrall 0bab6ffc2c Fix vulnerability check to print warnings instead
of failing
2024-01-28 14:54:14 +01:00
tgrall f91404ca86 set status to low when warn-only is set to true 2024-01-28 14:35:44 +01:00
tgrall d6f324d18a fix typo in readme 2024-01-28 14:24:12 +01:00
tgrall f1576849e6 package the action 2024-01-28 10:58:10 +01:00
tgrall fc49851780 merge from main and fix code review comment from @juxtin 2024-01-28 10:16:07 +01:00
Jon Janego d53388efe8 Merge pull request #671 from jonjanego/main
Create stale.yaml
2024-01-26 10:09:43 -06:00
Jon Janego 56991330a3 Update stale.yaml
assigning explicit permissions
2024-01-26 09:15:48 -06:00
Jon Janego a824acd5d7 Create stale.yaml 2024-01-25 13:49:10 -06:00
Federico Builes 935098a950 updating @types/node to Node 20 2024-01-22 07:54:40 +01:00
Federico Builes b658b91622 Merge pull request #669 from actions/dependabot/npm_and_yarn/eslint-plugin-jest-27.6.3
Bump eslint-plugin-jest from 27.6.0 to 27.6.3
2024-01-22 07:40:35 +01:00
dependabot[bot] d16453ab26 Bump eslint-plugin-jest from 27.6.0 to 27.6.3
Bumps [eslint-plugin-jest](https://github.com/jest-community/eslint-plugin-jest) from 27.6.0 to 27.6.3.
- [Release notes](https://github.com/jest-community/eslint-plugin-jest/releases)
- [Changelog](https://github.com/jest-community/eslint-plugin-jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jest-community/eslint-plugin-jest/compare/v27.6.0...v27.6.3)

---
updated-dependencies:
- dependency-name: eslint-plugin-jest
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-22 06:38:10 +00:00
Federico Builes 0381eac2bc Merge pull request #667 from actions/dependabot/npm_and_yarn/eslint-plugin-prettier-5.1.3
Bump eslint-plugin-prettier from 5.1.2 to 5.1.3
2024-01-22 07:36:52 +01:00
dependabot[bot] 1967b21a03 Bump eslint-plugin-prettier from 5.1.2 to 5.1.3
Bumps [eslint-plugin-prettier](https://github.com/prettier/eslint-plugin-prettier) from 5.1.2 to 5.1.3.
- [Release notes](https://github.com/prettier/eslint-plugin-prettier/releases)
- [Changelog](https://github.com/prettier/eslint-plugin-prettier/blob/master/CHANGELOG.md)
- [Commits](https://github.com/prettier/eslint-plugin-prettier/compare/v5.1.2...v5.1.3)

---
updated-dependencies:
- dependency-name: eslint-plugin-prettier
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-22 01:15:42 +00:00
Federico Builes 4cd9eb2d23 Updating docs to point to v4. 2024-01-18 14:23:52 +01:00
Federico Builes 4901385134 bump to 4.0.0 2024-01-18 13:57:38 +01:00
Federico Builes dbf82a4a5e Merge pull request #639 from takost/takost/update-to-node-20
Update action to node20
2024-01-18 13:52:05 +01:00
Federico Builes 78aeb2a948 Merge pull request #663 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-6.18.1
Bump @typescript-eslint/parser from 6.18.0 to 6.18.1
2024-01-15 06:39:13 +01:00
dependabot[bot] 4e510006f5 Bump @typescript-eslint/parser from 6.18.0 to 6.18.1
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 6.18.0 to 6.18.1.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.18.1/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-15 05:38:23 +00:00
Federico Builes 9560737c5e Merge pull request #661 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-6.18.1
Bump @typescript-eslint/eslint-plugin from 6.18.0 to 6.18.1
2024-01-15 06:37:15 +01:00
Federico Builes 4125f47f7e Merge pull request #660 from actions/dependabot/npm_and_yarn/types/node-16.18.70
Bump @types/node from 16.18.62 to 16.18.70
2024-01-15 06:37:05 +01:00
dependabot[bot] 07cc93e0c8 Bump @typescript-eslint/eslint-plugin from 6.18.0 to 6.18.1
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 6.18.0 to 6.18.1.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.18.1/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-15 01:21:13 +00:00
dependabot[bot] e2c203b8b7 Bump @types/node from 16.18.62 to 16.18.70
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.18.62 to 16.18.70.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-15 01:20:53 +00:00
Federico Builes f0b304d0bc Merge pull request #653 from actions/dependabot/npm_and_yarn/got-14.0.0
Bump got from 13.0.0 to 14.0.0
2024-01-09 13:24:33 +01:00
Federico Builes e41543eaf0 Merge pull request #656 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-6.18.0
Bump @typescript-eslint/parser from 6.16.0 to 6.18.0
2024-01-08 11:50:44 +01:00
dependabot[bot] 8ded6194d1 Bump @typescript-eslint/parser from 6.16.0 to 6.18.0
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 6.16.0 to 6.18.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.18.0/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-08 10:46:03 +00:00
Federico Builes b5f60d5e37 Merge pull request #657 from actions/dependabot/npm_and_yarn/typescript-5.3.3
Bump typescript from 5.3.2 to 5.3.3
2024-01-08 11:45:16 +01:00
Federico Builes 45fc3f5adc Merge pull request #655 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-6.18.0
Bump @typescript-eslint/eslint-plugin from 6.15.0 to 6.18.0
2024-01-08 11:44:58 +01:00
Federico Builes c8593625f2 Merge pull request #654 from actions/dependabot/npm_and_yarn/eslint-plugin-prettier-5.1.2
Bump eslint-plugin-prettier from 5.0.1 to 5.1.2
2024-01-08 11:44:42 +01:00
dependabot[bot] d2ca024914 Bump typescript from 5.3.2 to 5.3.3
Bumps [typescript](https://github.com/Microsoft/TypeScript) from 5.3.2 to 5.3.3.
- [Release notes](https://github.com/Microsoft/TypeScript/releases)
- [Commits](https://github.com/Microsoft/TypeScript/compare/v5.3.2...v5.3.3)

---
updated-dependencies:
- dependency-name: typescript
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-08 01:27:41 +00:00
dependabot[bot] 9649fc68a8 Bump @typescript-eslint/eslint-plugin from 6.15.0 to 6.18.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 6.15.0 to 6.18.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.18.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-08 01:27:04 +00:00
dependabot[bot] 2ac94ccf28 Bump eslint-plugin-prettier from 5.0.1 to 5.1.2
Bumps [eslint-plugin-prettier](https://github.com/prettier/eslint-plugin-prettier) from 5.0.1 to 5.1.2.
- [Release notes](https://github.com/prettier/eslint-plugin-prettier/releases)
- [Changelog](https://github.com/prettier/eslint-plugin-prettier/blob/master/CHANGELOG.md)
- [Commits](https://github.com/prettier/eslint-plugin-prettier/compare/v5.0.1...v5.1.2)

---
updated-dependencies:
- dependency-name: eslint-plugin-prettier
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-08 01:26:42 +00:00
dependabot[bot] 925e3a5871 Bump got from 13.0.0 to 14.0.0
Bumps [got](https://github.com/sindresorhus/got) from 13.0.0 to 14.0.0.
- [Release notes](https://github.com/sindresorhus/got/releases)
- [Commits](https://github.com/sindresorhus/got/compare/v13.0.0...v14.0.0)

---
updated-dependencies:
- dependency-name: got
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-08 01:26:34 +00:00
Henri Maurer ab6f73d40f Merge pull request #621 from actions/dependabot/npm_and_yarn/octokit-3.1.2
Bump octokit from 2.1.0 to 3.1.2
2024-01-05 09:38:43 +00:00
Henri Maurer 746e9675d6 npm run package 2024-01-05 09:37:10 +00:00
Henri Maurer 3735443721 update @octokit/* and @actions/* 2024-01-05 09:36:49 +00:00
dependabot[bot] 44bab84b22 Bump octokit from 2.1.0 to 3.1.2
Bumps [octokit](https://github.com/octokit/octokit.js) from 2.1.0 to 3.1.2.
- [Release notes](https://github.com/octokit/octokit.js/releases)
- [Commits](https://github.com/octokit/octokit.js/compare/v2.1.0...v3.1.2)

---
updated-dependencies:
- dependency-name: octokit
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-04 16:51:50 +00:00
Henri Maurer 8690720eb6 Merge pull request #652 from actions/dependabot/npm_and_yarn/octokit/webhooks-10.9.2
Bump @octokit/webhooks from 10.9.1 to 10.9.2
2024-01-04 16:48:16 +00:00
Henri Maurer e03c8a14eb npm run all 2024-01-04 16:46:59 +00:00
dependabot[bot] 194e338d30 Bump @octokit/webhooks from 10.9.1 to 10.9.2
Bumps [@octokit/webhooks](https://github.com/octokit/webhooks.js) from 10.9.1 to 10.9.2.
- [Release notes](https://github.com/octokit/webhooks.js/releases)
- [Commits](https://github.com/octokit/webhooks.js/compare/v10.9.1...v10.9.2)

---
updated-dependencies:
- dependency-name: "@octokit/webhooks"
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-04 16:40:33 +00:00
Henri Maurer 1d740b64ec Merge pull request #642 from actions/dependabot/github_actions/actions/upload-artifact-4
Bump actions/upload-artifact from 3 to 4
2024-01-04 16:40:31 +00:00
Henri Maurer c74b580d73 Merge pull request #651 from actions/release-3.1.5
Bump version to 3.1.5
2024-01-04 15:06:44 +00:00
Henri Maurer cc4f6536e3 Release 3.1.5 2024-01-04 15:05:38 +00:00
Henri Maurer d2ed7c0d19 Merge pull request #649 from actions/per-page
Smaller `per_page` when requesting diff
2024-01-04 14:33:15 +00:00
Henri Maurer 9e77cc7329 npm run package 2024-01-04 10:49:05 +00:00
Henri Maurer b383a9aa6e Smaller per_page when requesting diff 2024-01-04 10:17:51 +00:00
Federico Builes 8a49820431 Merge pull request #646 from actions/dependabot/npm_and_yarn/prettier-3.1.1
Bump prettier from 3.1.0 to 3.1.1
2024-01-01 08:02:27 -05:00
Federico Builes a10a70d24c Merge pull request #645 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-6.16.0
Bump @typescript-eslint/parser from 6.13.1 to 6.16.0
2024-01-01 08:02:14 -05:00
dependabot[bot] 0de163860f Bump prettier from 3.1.0 to 3.1.1
Bumps [prettier](https://github.com/prettier/prettier) from 3.1.0 to 3.1.1.
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/prettier/compare/3.1.0...3.1.1)

---
updated-dependencies:
- dependency-name: prettier
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-01 01:27:06 +00:00
dependabot[bot] 522f0218d0 Bump @typescript-eslint/parser from 6.13.1 to 6.16.0
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 6.13.1 to 6.16.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.16.0/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-01 01:26:56 +00:00
Federico Builes 2597ca4eee Merge pull request #640 from actions/dependabot/npm_and_yarn/eslint-8.56.0
Bump eslint from 8.53.0 to 8.56.0
2023-12-28 12:27:10 -05:00
dependabot[bot] e5c6735807 Bump eslint from 8.53.0 to 8.56.0
Bumps [eslint](https://github.com/eslint/eslint) from 8.53.0 to 8.56.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/eslint/eslint/compare/v8.53.0...v8.56.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-12-28 15:37:40 +00:00
Federico Builes 94f992f10e Merge pull request #644 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-6.15.0
Bump @typescript-eslint/eslint-plugin from 6.12.0 to 6.15.0
2023-12-28 10:36:29 -05:00
dependabot[bot] c45cbd720f Bump @typescript-eslint/eslint-plugin from 6.12.0 to 6.15.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 6.12.0 to 6.15.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.15.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-12-25 01:37:54 +00:00
dependabot[bot] 5ccb7d478c Bump actions/upload-artifact from 3 to 4
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3 to 4.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v3...v4)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-12-18 01:54:59 +00:00
Tatyana Kostromskaya 02456f4a00 Merge branch 'main' into takost/update-to-node-20 2023-12-14 15:08:39 +00:00
Tatyana Kostromskaya 1c9a424cbc . 2023-12-14 15:06:21 +00:00
Federico Builes 2425542aca Merge pull request #638 from actions/fix-purls
Replace pip -> pypi in PURL examples
2023-12-11 17:25:43 +01:00
Federico Builes b39e17ba5e Replace pip -> pypi in PURL examples 2023-12-11 17:23:19 +01:00
Federico Builes b8a398b675 Merge pull request #636 from actions/dependabot/npm_and_yarn/nodemon-3.0.2
Bump nodemon from 3.0.1 to 3.0.2
2023-12-11 06:04:47 +01:00
Federico Builes 1612de9646 Merge pull request #637 from actions/dependabot/npm_and_yarn/types/jest-29.5.11
Bump @types/jest from 29.5.8 to 29.5.11
2023-12-11 06:04:33 +01:00
dependabot[bot] 53de591348 Bump @types/jest from 29.5.8 to 29.5.11
Bumps [@types/jest](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/jest) from 29.5.8 to 29.5.11.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/jest)

---
updated-dependencies:
- dependency-name: "@types/jest"
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-12-11 01:51:35 +00:00
dependabot[bot] 288d543806 Bump nodemon from 3.0.1 to 3.0.2
Bumps [nodemon](https://github.com/remy/nodemon) from 3.0.1 to 3.0.2.
- [Release notes](https://github.com/remy/nodemon/releases)
- [Commits](https://github.com/remy/nodemon/compare/v3.0.1...v3.0.2)

---
updated-dependencies:
- dependency-name: nodemon
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-12-11 01:51:24 +00:00
Federico Builes 359e1ffa80 Merge pull request #629 from actions/dependabot/npm_and_yarn/prettier-3.1.0
Bump prettier from 3.0.3 to 3.1.0
2023-12-04 08:58:13 +01:00
Federico Builes 63e1558807 Merge pull request #630 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-6.13.1
Bump @typescript-eslint/parser from 6.10.0 to 6.13.1
2023-12-04 08:57:52 +01:00
dependabot[bot] 069cbabe02 Bump @typescript-eslint/parser from 6.10.0 to 6.13.1
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 6.10.0 to 6.13.1.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.13.1/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-12-04 01:25:07 +00:00
dependabot[bot] 2e3c709016 Bump prettier from 3.0.3 to 3.1.0
Bumps [prettier](https://github.com/prettier/prettier) from 3.0.3 to 3.1.0.
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/prettier/compare/3.0.3...3.1.0)

---
updated-dependencies:
- dependency-name: prettier
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-12-04 01:24:49 +00:00
Federico Builes 01bc87099b bumping version 2023-11-28 08:11:14 +01:00
Federico Builes 4b4f0de8e1 Merge pull request #623 from actions/fix-advisory-filters
Fix GHSA Filtering
2023-11-28 08:10:11 +01:00
Federico Builes a93fa86c77 Fixing test name. 2023-11-28 08:08:29 +01:00
Federico Builes 550520e2c5 Merge pull request #624 from actions/dependabot/npm_and_yarn/typescript-5.3.2
Bump typescript from 5.2.2 to 5.3.2
2023-11-27 07:22:56 +01:00
Federico Builes 2d0fb60634 Merge pull request #625 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-6.12.0
Bump @typescript-eslint/eslint-plugin from 6.11.0 to 6.12.0
2023-11-27 07:22:47 +01:00
dependabot[bot] c07c2375ed Bump @typescript-eslint/eslint-plugin from 6.11.0 to 6.12.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 6.11.0 to 6.12.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.12.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-11-27 01:17:05 +00:00
dependabot[bot] 4d842d754e Bump typescript from 5.2.2 to 5.3.2
Bumps [typescript](https://github.com/Microsoft/TypeScript) from 5.2.2 to 5.3.2.
- [Release notes](https://github.com/Microsoft/TypeScript/releases)
- [Commits](https://github.com/Microsoft/TypeScript/compare/v5.2.2...v5.3.2)

---
updated-dependencies:
- dependency-name: typescript
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-11-27 01:16:38 +00:00
Federico Builes a6d4686316 adding dist 2023-11-24 14:40:48 +01:00
Federico Builes 4366dbae42 Advisory filters should not drop entire dependencies. 2023-11-24 14:40:18 +01:00
Federico Builes 50dafeb5e4 Tiny logic refactor. 2023-11-24 14:37:30 +01:00
Federico Builes 1cbb048907 Merge pull request #620 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-6.11.0
Bump @typescript-eslint/eslint-plugin from 6.10.0 to 6.11.0
2023-11-20 08:33:40 +01:00
dependabot[bot] ee69e92054 Bump @typescript-eslint/eslint-plugin from 6.10.0 to 6.11.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 6.10.0 to 6.11.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.11.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-11-20 07:29:18 +00:00
Federico Builes 5991d7a97d Merge pull request #619 from actions/dependabot/npm_and_yarn/types/node-16.18.62
Bump @types/node from 16.18.61 to 16.18.62
2023-11-20 08:27:56 +01:00
dependabot[bot] c409735e58 Bump @types/node from 16.18.61 to 16.18.62
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.18.61 to 16.18.62.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-11-20 01:46:41 +00:00
Federico Builes 7bbfa034e7 bumping to 3.1.3 2023-11-13 17:57:44 +01:00
Federico Builes 26f1ad9120 Merge pull request #617 from theztefan/purl-encoding-error
Fixes purl "version must be percent-encoded"
2023-11-13 17:55:23 +01:00
Stefan Petrushevski 152d8e2def Prettier 2023-11-13 17:45:48 +01:00
Stefan Petrushevski b99756ecd3 encode string for pUrl 2023-11-13 17:19:24 +01:00
Federico Builes fde92acd08 Merge pull request #611 from actions/fix-https-proxy
Fix proxy failures in 3.1.1
2023-11-08 09:14:57 +01:00
Federico Builes a89dd96450 adding dist 2023-11-08 08:49:49 +01:00
Federico Builes 76891836b1 revert octokit changes 2023-11-08 08:47:43 +01:00
Federico Builes fc5e2db757 go back to Node 16 to skip using fetch API 2023-11-08 08:36:27 +01:00
Federico Builes ded987cb3b Downgrade usage of retries.
This commit reverts:

f7363549ac
76b050a607
8dc52cdbed
2023-11-08 08:35:44 +01:00
Federico Builes 9f45b2463b bumping to 3.1.1 2023-11-06 08:03:41 +01:00
Federico Builes 559513a56c Merge pull request #606 from actions/dependabot/npm_and_yarn/actions/github-6.0.0
Bump @actions/github from 5.1.1 to 6.0.0
2023-11-06 07:55:54 +01:00
Federico Builes 8edc431d7d Merge branch 'main' into dependabot/npm_and_yarn/actions/github-6.0.0 2023-11-06 07:52:53 +01:00
Federico Builes 3e8322e4bb Merge pull request #605 from actions/dependabot/npm_and_yarn/yaml-2.3.4
Bump yaml from 2.3.3 to 2.3.4
2023-11-06 07:51:31 +01:00
Federico Builes 5a55885447 adding dist 2023-11-06 07:50:51 +01:00
Federico Builes f952b5a2c5 Merge branch 'main' into dependabot/npm_and_yarn/yaml-2.3.4 2023-11-06 07:48:24 +01:00
Federico Builes 8678cfac42 Merge pull request #607 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-6.9.1
Bump @typescript-eslint/eslint-plugin from 6.9.0 to 6.9.1
2023-11-06 07:47:08 +01:00
Federico Builes aa8e70d588 adding dist 2023-11-06 07:46:52 +01:00
Federico Builes 3331d25f9d adding dist 2023-11-06 07:42:40 +01:00
dependabot[bot] 2af83f55fa Bump @actions/github from 5.1.1 to 6.0.0
Bumps [@actions/github](https://github.com/actions/toolkit/tree/HEAD/packages/github) from 5.1.1 to 6.0.0.
- [Changelog](https://github.com/actions/toolkit/blob/main/packages/github/RELEASES.md)
- [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/github)

---
updated-dependencies:
- dependency-name: "@actions/github"
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-11-06 06:42:18 +00:00
dependabot[bot] 0d3cf5ba9e Bump @typescript-eslint/eslint-plugin from 6.9.0 to 6.9.1
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 6.9.0 to 6.9.1.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.9.1/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-11-06 06:42:16 +00:00
Federico Builes b2a5ead1f7 Merge pull request #604 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-6.9.1
Bump @typescript-eslint/parser from 6.8.0 to 6.9.1
2023-11-06 07:41:16 +01:00
Federico Builes 79f0a0b62b Merge pull request #603 from actions/dependabot/npm_and_yarn/actions/core-1.10.1
Bump @actions/core from 1.10.0 to 1.10.1
2023-11-06 07:40:58 +01:00
Federico Builes fc44602899 adding dist 2023-11-06 07:40:46 +01:00
dependabot[bot] 7177991451 Bump yaml from 2.3.3 to 2.3.4
Bumps [yaml](https://github.com/eemeli/yaml) from 2.3.3 to 2.3.4.
- [Release notes](https://github.com/eemeli/yaml/releases)
- [Commits](https://github.com/eemeli/yaml/compare/v2.3.3...v2.3.4)

---
updated-dependencies:
- dependency-name: yaml
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-11-06 01:17:54 +00:00
dependabot[bot] 90fe789d91 Bump @typescript-eslint/parser from 6.8.0 to 6.9.1
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 6.8.0 to 6.9.1.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.9.1/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-11-06 01:17:45 +00:00
dependabot[bot] 5cbf74f675 Bump @actions/core from 1.10.0 to 1.10.1
Bumps [@actions/core](https://github.com/actions/toolkit/tree/HEAD/packages/core) from 1.10.0 to 1.10.1.
- [Changelog](https://github.com/actions/toolkit/blob/main/packages/core/RELEASES.md)
- [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/core)

---
updated-dependencies:
- dependency-name: "@actions/core"
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-11-06 01:17:31 +00:00
Federico Builes 11e0dead9a Merge pull request #598 from actions/dependabot/npm_and_yarn/packageurl-js-1.2.0
Bump packageurl-js from 1.0.2 to 1.2.0
2023-10-30 09:43:41 +01:00
Federico Builes 3c1cb72dcd updating dist 2023-10-30 09:31:26 +01:00
Federico Builes 570a2b5dcd Merge pull request #597 from actions/dependabot/npm_and_yarn/eslint-8.52.0
Bump eslint from 8.51.0 to 8.52.0
2023-10-30 09:28:21 +01:00
Federico Builes a7e01b8d9c Merge pull request #599 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-6.9.0
Bump @typescript-eslint/eslint-plugin from 6.8.0 to 6.9.0
2023-10-30 09:28:05 +01:00
dependabot[bot] 168567cd17 Bump eslint from 8.51.0 to 8.52.0
Bumps [eslint](https://github.com/eslint/eslint) from 8.51.0 to 8.52.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/eslint/eslint/compare/v8.51.0...v8.52.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-30 08:25:08 +00:00
dependabot[bot] 1d86ff759b Bump @typescript-eslint/eslint-plugin from 6.8.0 to 6.9.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 6.8.0 to 6.9.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.9.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-30 08:25:07 +00:00
Federico Builes 0631089c32 Merge pull request #596 from actions/dependabot/npm_and_yarn/eslint-plugin-jest-27.6.0
Bump eslint-plugin-jest from 27.4.2 to 27.6.0
2023-10-30 09:24:44 +01:00
Federico Builes 0b8ffde994 Merge pull request #600 from actions/dependabot/npm_and_yarn/types/spdx-satisfies-0.1.1
Bump @types/spdx-satisfies from 0.1.0 to 0.1.1
2023-10-30 09:23:36 +01:00
Federico Builes 68d57cd360 Merge pull request #601 from actions/dependabot/github_actions/actions/setup-node-4
Bump actions/setup-node from 3 to 4
2023-10-30 09:22:44 +01:00
dependabot[bot] 7314a0c1f5 Bump actions/setup-node from 3 to 4
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 3 to 4.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](https://github.com/actions/setup-node/compare/v3...v4)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-30 01:40:15 +00:00
dependabot[bot] cfeea91bf4 Bump @types/spdx-satisfies from 0.1.0 to 0.1.1
Bumps [@types/spdx-satisfies](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/spdx-satisfies) from 0.1.0 to 0.1.1.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/spdx-satisfies)

---
updated-dependencies:
- dependency-name: "@types/spdx-satisfies"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-30 01:08:35 +00:00
dependabot[bot] c8515ab391 Bump packageurl-js from 1.0.2 to 1.2.0
Bumps [packageurl-js](https://github.com/package-url/packageurl-js) from 1.0.2 to 1.2.0.
- [Changelog](https://github.com/package-url/packageurl-js/blob/master/CHANGELOG.md)
- [Commits](https://github.com/package-url/packageurl-js/compare/v1.0.2...v1.2.0)

---
updated-dependencies:
- dependency-name: packageurl-js
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-30 01:07:56 +00:00
dependabot[bot] cff52fd316 Bump eslint-plugin-jest from 27.4.2 to 27.6.0
Bumps [eslint-plugin-jest](https://github.com/jest-community/eslint-plugin-jest) from 27.4.2 to 27.6.0.
- [Release notes](https://github.com/jest-community/eslint-plugin-jest/releases)
- [Changelog](https://github.com/jest-community/eslint-plugin-jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jest-community/eslint-plugin-jest/compare/v27.4.2...v27.6.0)

---
updated-dependencies:
- dependency-name: eslint-plugin-jest
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-30 01:07:31 +00:00
Federico Builes e65eb02ccf Merge pull request #591 from actions/dependabot/npm_and_yarn/typescript-5.2.2
Bump typescript from 4.9.5 to 5.2.2
2023-10-23 12:27:41 +02:00
Federico Builes 88953c2b16 updating dist 2023-10-23 12:26:03 +02:00
Federico Builes d97416955e Merge pull request #594 from actions/dependabot/npm_and_yarn/babel/traverse-7.23.2
Bump @babel/traverse from 7.23.0 to 7.23.2
2023-10-23 06:57:28 +02:00
dependabot[bot] 523c9a28aa Bump @babel/traverse from 7.23.0 to 7.23.2
Bumps [@babel/traverse](https://github.com/babel/babel/tree/HEAD/packages/babel-traverse) from 7.23.0 to 7.23.2.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.23.2/packages/babel-traverse)

---
updated-dependencies:
- dependency-name: "@babel/traverse"
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-23 04:56:30 +00:00
dependabot[bot] f85d4d5bc2 Bump typescript from 4.9.5 to 5.2.2
Bumps [typescript](https://github.com/Microsoft/TypeScript) from 4.9.5 to 5.2.2.
- [Release notes](https://github.com/Microsoft/TypeScript/releases)
- [Commits](https://github.com/Microsoft/TypeScript/compare/v4.9.5...v5.2.2)

---
updated-dependencies:
- dependency-name: typescript
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-23 03:19:39 +00:00
Federico Builes 89ff65dbf7 Merge pull request #589 from actions/dependabot/npm_and_yarn/eslint-plugin-github-4.10.1
Bump eslint-plugin-github from 4.9.2 to 4.10.1
2023-10-23 05:18:52 +02:00
Federico Builes c3c32181a9 Merge pull request #592 from actions/dependabot/npm_and_yarn/types/spdx-expression-parse-3.0.4
Bump @types/spdx-expression-parse from 3.0.3 to 3.0.4
2023-10-23 05:18:42 +02:00
Federico Builes ead6e4616f Merge pull request #593 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-6.8.0
Bump @typescript-eslint/parser from 6.7.3 to 6.8.0
2023-10-23 05:18:25 +02:00
dependabot[bot] a265e18106 Bump @types/spdx-expression-parse from 3.0.3 to 3.0.4
Bumps [@types/spdx-expression-parse](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/spdx-expression-parse) from 3.0.3 to 3.0.4.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/spdx-expression-parse)

---
updated-dependencies:
- dependency-name: "@types/spdx-expression-parse"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-23 03:13:32 +00:00
dependabot[bot] a8759965d7 Bump @typescript-eslint/parser from 6.7.3 to 6.8.0
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 6.7.3 to 6.8.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.8.0/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-23 03:13:20 +00:00
Federico Builes 954314c2b1 Merge pull request #590 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-6.8.0
Bump @typescript-eslint/eslint-plugin from 6.7.5 to 6.8.0
2023-10-23 05:11:58 +02:00
dependabot[bot] 5b62f3bc06 Bump @typescript-eslint/eslint-plugin from 6.7.5 to 6.8.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 6.7.5 to 6.8.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.8.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-23 01:57:41 +00:00
dependabot[bot] fddf4c3474 Bump eslint-plugin-github from 4.9.2 to 4.10.1
Bumps [eslint-plugin-github](https://github.com/github/eslint-plugin-github) from 4.9.2 to 4.10.1.
- [Release notes](https://github.com/github/eslint-plugin-github/releases)
- [Commits](https://github.com/github/eslint-plugin-github/compare/v4.9.2...v4.10.1)

---
updated-dependencies:
- dependency-name: eslint-plugin-github
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-23 01:57:14 +00:00
Federico Builes 04e56a4409 Merge pull request #586 from actions/dependabot/npm_and_yarn/yaml-2.3.3
Bump yaml from 2.3.2 to 2.3.3
2023-10-16 05:39:42 +02:00
Federico Builes af51c4b700 adding dist 2023-10-16 03:44:04 +02:00
dependabot[bot] bd3b04e194 Bump yaml from 2.3.2 to 2.3.3
Bumps [yaml](https://github.com/eemeli/yaml) from 2.3.2 to 2.3.3.
- [Release notes](https://github.com/eemeli/yaml/releases)
- [Commits](https://github.com/eemeli/yaml/compare/v2.3.2...v2.3.3)

---
updated-dependencies:
- dependency-name: yaml
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-16 01:43:15 +00:00
Federico Builes 382d2873a9 Merge pull request #585 from actions/dependabot/npm_and_yarn/types/spdx-expression-parse-3.0.3
Bump @types/spdx-expression-parse from 3.0.2 to 3.0.3
2023-10-16 03:42:54 +02:00
dependabot[bot] 500120a761 Bump @types/spdx-expression-parse from 3.0.2 to 3.0.3
Bumps [@types/spdx-expression-parse](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/spdx-expression-parse) from 3.0.2 to 3.0.3.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/spdx-expression-parse)

---
updated-dependencies:
- dependency-name: "@types/spdx-expression-parse"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-16 01:41:27 +00:00
Federico Builes 212ded88b2 Merge pull request #584 from actions/dependabot/npm_and_yarn/eslint-plugin-prettier-5.0.1
Bump eslint-plugin-prettier from 5.0.0 to 5.0.1
2023-10-16 03:41:10 +02:00
Federico Builes 7ec89343e1 Merge pull request #587 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-6.7.5
Bump @typescript-eslint/eslint-plugin from 6.7.2 to 6.7.5
2023-10-16 03:40:22 +02:00
Federico Builes 536cc3d4b6 Merge pull request #588 from actions/dependabot/npm_and_yarn/types/node-16.18.58
Bump @types/node from 16.18.54 to 16.18.58
2023-10-16 03:40:11 +02:00
dependabot[bot] 2bc52c6348 Bump @types/node from 16.18.54 to 16.18.58
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.18.54 to 16.18.58.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-16 01:17:28 +00:00
dependabot[bot] fe9d8a52c4 Bump @typescript-eslint/eslint-plugin from 6.7.2 to 6.7.5
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 6.7.2 to 6.7.5.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.7.5/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-16 01:17:14 +00:00
dependabot[bot] bd251cc9eb Bump eslint-plugin-prettier from 5.0.0 to 5.0.1
Bumps [eslint-plugin-prettier](https://github.com/prettier/eslint-plugin-prettier) from 5.0.0 to 5.0.1.
- [Release notes](https://github.com/prettier/eslint-plugin-prettier/releases)
- [Changelog](https://github.com/prettier/eslint-plugin-prettier/blob/master/CHANGELOG.md)
- [Commits](https://github.com/prettier/eslint-plugin-prettier/compare/v5.0.0...v5.0.1)

---
updated-dependencies:
- dependency-name: eslint-plugin-prettier
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-16 01:16:34 +00:00
Federico Builes 7e65a9bb48 Merge branch 'update-octokit' 2023-10-09 13:39:21 +02:00
Federico Builes b91ea51364 updating dist. 2023-10-09 13:34:29 +02:00
Federico Builes 76b050a607 Use octokit-rest for the PR comments client. 2023-10-09 13:34:14 +02:00
Federico Builes e6d6badddb Update jest. 2023-10-09 13:33:55 +02:00
Federico Builes f7363549ac use octokit plugins 2023-10-09 13:20:24 +02:00
Federico Builes f71a906c2e Update plugins. 2023-10-09 13:17:54 +02:00
Federico Builes 03ace23f96 Update Node JS version. 2023-10-09 12:36:16 +02:00
Federico Builes 0564d6f4de adding dist 2023-10-09 11:41:16 +02:00
dependabot[bot] cd09f857a3 Bump octokit from 2.1.0 to 3.1.1
Bumps [octokit](https://github.com/octokit/octokit.js) from 2.1.0 to 3.1.1.
- [Release notes](https://github.com/octokit/octokit.js/releases)
- [Commits](https://github.com/octokit/octokit.js/compare/v2.1.0...v3.1.1)

---
updated-dependencies:
- dependency-name: octokit
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-09 09:38:02 +00:00
Federico Builes 69a61b613b updating dist 2023-10-09 11:36:34 +02:00
Federico Builes 53eb1ebcf5 Merge branch 'update-request-errors' 2023-10-09 11:36:00 +02:00
Federico Builes e8634671a4 Merge pull request #583 from actions/dependabot/npm_and_yarn/eslint-plugin-jest-27.4.2
Bump eslint-plugin-jest from 27.2.3 to 27.4.2
2023-10-09 10:25:41 +02:00
Federico Builes 69ecf4db79 Merge pull request #582 from actions/dependabot/npm_and_yarn/eslint-8.51.0
Bump eslint from 8.48.0 to 8.51.0
2023-10-09 10:25:28 +02:00
dependabot[bot] 70835908ea Bump eslint-plugin-jest from 27.2.3 to 27.4.2
Bumps [eslint-plugin-jest](https://github.com/jest-community/eslint-plugin-jest) from 27.2.3 to 27.4.2.
- [Release notes](https://github.com/jest-community/eslint-plugin-jest/releases)
- [Changelog](https://github.com/jest-community/eslint-plugin-jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jest-community/eslint-plugin-jest/compare/v27.2.3...v27.4.2)

---
updated-dependencies:
- dependency-name: eslint-plugin-jest
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-09 01:37:39 +00:00
dependabot[bot] f704f55fa1 Bump eslint from 8.48.0 to 8.51.0
Bumps [eslint](https://github.com/eslint/eslint) from 8.48.0 to 8.51.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/eslint/eslint/compare/v8.48.0...v8.51.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-09 01:37:24 +00:00
Federico Builes e51d18ae1e updating dist 2023-10-05 17:15:27 +02:00
Federico Builes 62f26a66d6 bumping zod 2023-10-05 17:14:25 +02:00
Federico Builes 2f836bbce6 Merge pull request #580 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-6.7.3
Bump @typescript-eslint/parser from 6.6.0 to 6.7.3
2023-10-01 21:21:28 -05:00
dependabot[bot] 75dbba1acf Bump @typescript-eslint/parser from 6.6.0 to 6.7.3
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 6.6.0 to 6.7.3.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v6.7.3/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-02 02:15:09 +00:00
Federico Builes 8325453339 Merge pull request #579 from actions/dependabot/npm_and_yarn/vercel/ncc-0.38.0
Bump @vercel/ncc from 0.36.1 to 0.38.0
2023-10-01 21:13:34 -05:00
dependabot[bot] 353956d50d Bump @vercel/ncc from 0.36.1 to 0.38.0
Bumps [@vercel/ncc](https://github.com/vercel/ncc) from 0.36.1 to 0.38.0.
- [Release notes](https://github.com/vercel/ncc/releases)
- [Commits](https://github.com/vercel/ncc/compare/0.36.1...0.38.0)

---
updated-dependencies:
- dependency-name: "@vercel/ncc"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-10-02 01:59:34 +00:00
Federico Builes 4e41165d4b Merge pull request #577 from jsoref/modernize-versions
Modernize versions
2023-09-27 13:46:13 -05:00
Josh Soref cf3393ef0a Drop references to v2 from README
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
2023-09-27 12:53:32 -04:00
Josh Soref 8213a1db10 Use checkout@v4
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
2023-09-27 12:53:32 -04:00
Federico Builes 64a6d1a0b8 Merge pull request #571 from actions/dependabot/npm_and_yarn/types/node-16.18.54
Bump @types/node from 16.18.48 to 16.18.54
2023-09-26 12:24:33 -05:00
Federico Builes 364de25b16 Merge pull request #573 from actions/dependabot/npm_and_yarn/prettier-3.0.3
Bump prettier from 3.0.2 to 3.0.3
2023-09-26 12:24:18 -05:00
dependabot[bot] 1f5e4f1cd9 Bump prettier from 3.0.2 to 3.0.3
Bumps [prettier](https://github.com/prettier/prettier) from 3.0.2 to 3.0.3.
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/prettier/compare/3.0.2...3.0.3)

---
updated-dependencies:
- dependency-name: prettier
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-09-25 01:30:59 +00:00
dependabot[bot] fcb0293419 Bump @types/node from 16.18.48 to 16.18.54
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.18.48 to 16.18.54.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-09-25 01:30:38 +00:00
tgrall 3b37a4ef1c update documentation 2023-06-14 09:17:26 +02:00
tgrall 13c4496f31 update doc 2023-06-14 09:12:19 +02:00
tgrall 7ed3405bdc warn_only_test_ 2023-06-14 08:55:38 +02:00
tgrall 9b290a185a fix ini of warn-only param 2023-06-13 09:44:03 +02:00
tgrall 995bb847a3 new dev 2023-06-13 09:34:12 +02:00
tgrall f1e6d67732 wan only 2023-06-13 09:29:10 +02:00
tgrall d833109d4d new build 2023-06-13 08:54:16 +02:00
tgrall a3a8a9c756 new build 2023-06-12 13:56:53 +02:00
tgrall 0b053fccb4 add new parameter warn_only 2023-06-12 11:26:44 +02:00
Courtney Claessens 78f160dece Update README.md
swap order to follow what's in the table
2023-04-03 15:57:39 -04:00
tgrall cc302f4c2b fix linter/format 2023-03-20 09:07:07 +01:00
tgrall 621d03bf3a Add none as option for fail-on-severity 2023-03-18 05:21:58 +01:00
49 changed files with 35050 additions and 32277 deletions
+37
View File
@@ -0,0 +1,37 @@
---
name: Bug report
about: Create a bug report to help us improve
title: "[BUG] "
labels: bug
assignees: ''
---
**Describe the bug**
A clear and concise description of what the bug is.
**To Reproduce**
Steps to reproduce the behavior:
1. Go to '...'
2. Click on '....'
3. Scroll down to '....'
4. See error
**Expected behavior**
A clear and concise description of what you expected to happen.
**Screenshots**
If applicable, add screenshots to help explain your problem.
**Action version**
What version of the action are you using in your workflow?
_Note: if you're not running the [latest release](https://github.com/actions/dependency-review-action/releases/latest) please try that first!_
**Examples**
If possible, please link to a public example of the issue that you're encountering, or a copy of the workflow that you're using to run the action.
If you have encountered a problem with a specific package (e.g. issue with license or attributions data) please share details about the package, as well as a link to the manifest where it's being referenced.
**Additional context**
Add any other context about the problem here.
+5
View File
@@ -0,0 +1,5 @@
blank_issues_enabled: false
contact_links:
- name: GitHub Security Bug Bounty
url: https://bounty.github.com/
about: If you believe that you've found a security issue, please report security vulnerabilities here.
+20
View File
@@ -0,0 +1,20 @@
---
name: Feature request
about: Suggest an idea for this project
title: ''
labels: enhancement
assignees: ''
---
**Is your feature request related to a problem? Please describe.**
A clear and concise description of what the problem is. e.g. I'm always frustrated when [...]
**Describe the solution you'd like**
A clear and concise description of what you want to happen.
**Describe alternatives you've considered**
A clear and concise description of any alternative solutions or features you've considered.
**Additional context**
Add any other context or screenshots about the feature request here.
@@ -0,0 +1,7 @@
## Purpose
_Describe the purpose of this pull request_
## Related Issues
_What issues does this PR close or relate to?_
+4 -4
View File
@@ -23,10 +23,10 @@ jobs:
steps:
- uses: actions/checkout@v4
- name: Set Node.js 18.x
uses: actions/setup-node@v3
- name: Set Node.js 20.x
uses: actions/setup-node@v4
with:
node-version: 18.x
node-version: 20.x
cache: npm
- name: Install dependencies
@@ -47,7 +47,7 @@ jobs:
id: diff
# If index.js was different than expected, upload the expected version as an artifact
- uses: actions/upload-artifact@v3
- uses: actions/upload-artifact@v4
if: ${{ failure() && steps.diff.conclusion == 'failure' }}
with:
name: dist
+4 -4
View File
@@ -15,9 +15,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v3
- uses: actions/setup-node@v4
with:
node-version: 18
node-version: 20
cache: npm
- name: Install dependencies
run: npm ci --ignore-scripts
@@ -28,9 +28,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v3
- uses: actions/setup-node@v4
with:
node-version: 18
node-version: 20
cache: npm
- name: Install dependencies
run: npm ci --ignore-scripts
+48
View File
@@ -0,0 +1,48 @@
name: "CodeQL"
on:
push:
branches: [ "main" ]
pull_request:
branches: [ "main" ]
schedule:
- cron: '21 0 * * 4'
jobs:
analyze:
name: Analyze
runs-on: 'ubuntu-latest'
timeout-minutes: 360
permissions:
# required for all workflows
security-events: write
strategy:
fail-fast: false
matrix:
language: [ 'javascript-typescript' ]
steps:
- name: Checkout repository
uses: actions/checkout@v4
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.
# For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
# queries: security-extended,security-and-quality
config: |
paths-ignore:
- dist/index.js
- dist/sourcemap-register.js
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
category: "/language:${{matrix.language}}"
+31
View File
@@ -0,0 +1,31 @@
name: Close stale PRs and Issues
permissions:
issues: write
pull-requests: write
on:
schedule:
- cron: "00 0 * * *" # runs at 00:00 daily
jobs:
stale:
runs-on: ubuntu-latest
steps:
- uses: actions/stale@v9.0.0
name: Clean up stale PRs and Issues
with:
stale-pr-message: "👋 This pull request has been marked as stale because it has been open with no activity for 180 days. You can: comment on the PR or remove the stale label to hold stalebot off for a while, add the `Keep` label to hold stale off permanently, or do nothing. If you do nothing, this pull request will be closed eventually by the stalebot. Please see CONTRIBUTING.md for more policy details."
stale-pr-label: "Stale"
close-pr-message: "👋 This pull request has been closed by stalebot because it has been open with no activity for over 180 days. Please see CONTRIBUTING.md for more policy details."
stale-issue-label: "Stale"
stale-issue-message: "👋 This issue has been marked as stale because it has been open with no activity for 180 days. You can: comment on the issue or remove the stale label to hold stalebot off for a while, add the `Keep` label to hold stale off permanently, or do nothing. If you do nothing, this issue will be closed eventually by the stalebot. Please see CONTRIBUTING.md for more policy details."
close-issue-message: "👋 This issue has been closed by stalebot because it has been open with no activity for over 180 days. Please see CONTRIBUTING.md for more policy details."
exempt-pr-labels: "Keep" # a "Keep" label will keep the PR from being closed as stale
exempt-issue-labels: "Keep" # a "Keep" label will keep the issue from being closed as stale
days-before-pr-stale: 180 # when the PR is considered stale
days-before-pr-close: 15 # when the PR is closed by the bot
days-before-issue-stale: 180 # when the issue is considered stale
days-before-issue-close: 15 # when the issue is closed by the bot
exempt-assignees: 'advanced-security-dependency-graph'
ascending: true
+63 -39
View File
@@ -4,41 +4,52 @@
[pr]: https://github.com/actions/dependency-review-action/compare
[code-of-conduct]: CODE_OF_CONDUCT.md
Hi there! We're thrilled that you'd like to contribute to this project. Your help is essential for keeping it great.
Hi there! We're thrilled that you'd like to contribute to this project.
Contributions to this project are
[released](https://help.github.com/articles/github-terms-of-service/#6-contributions-under-repository-license)
to the public under the [project's open source license](LICENSE).
Contributions to this project are [released](https://help.github.com/articles/github-terms-of-service/#6-contributions-under-repository-license) to the public under the [project's open source license](LICENSE).
Please note that this project is released with a [Contributor Code of
Conduct][code-of-conduct]. By participating in this project you agree
to abide by its terms.
Please note that this project is released with a [Contributor Code of Conduct][code-of-conduct]. By participating in this project you agree to abide by its terms.
### How it works
## Bug reports and other issues
This Action makes an authenticated query to the Dependency Graph Diff
API endpoint (`GET /repos/{owner}/{repo}/dependency-graph/compare/{basehead}`)
to find out the set of added and removed dependencies for each manifest.
If you've encountered a problem, please let us know by [submitting an issue](https://github.com/actions/dependency-review-action/issues/new)!
### Bootstrapping the project
## Enhancements and feature requests
```
git clone https://github.com/actions/dependency-review-action.git
cd dependency-review-action
npm install
```
If you've got an idea for a new feature or a significant change to the code or its dependencies, please submit as [an issue](https://github.com/actions/dependency-review-action/issues/new) so that the community can see it, and we can discuss it there. We may not be able to respond to every single issue, but will make a best effort!
### Running the tests
If you'd like to make a contribution yourself, we ask that before significant effort is put into code changes, that we have agreement that the change aligns with our strategy for the action. Since this is a verified Action owned by GitHub we want to make sure that contributions are high quality, and that they maintain consistency with the rest of the action's behavior.
```
npm run test
```
1. Create an [issue discussing the idea](https://github.com/actions/dependency-review-action/issues/new), so that we can discuss it there.
2. If we agree to incorporate the idea into the action, please write-up a high level summary of the approach that you plan to take so we can review
_Note_: We don't have any useful tests yet, contributions are welcome!
## Stalebot
## Local Development
We have begun using a [Stalebot action](https://github.com/actions/stale) to help keep the Issues and Pull requests backlogs tidy. You can see the configuration [here](.github/workflows/stalebot.yml). If you'd like to keep an issue open after getting a stalebot warning, simply comment on it and it'll reset the clock.
## Development lifecycle
Ready to contribute to `dependency-review-action`? Here is some information to help you get started.
### High level overview of the action
This action makes an authenticated query to the [Dependency Review API](https://docs.github.com/en/rest/dependency-graph/dependency-review) endpoint (`GET /repos/{owner}/{repo}/dependency-graph/compare/{basehead}`) to find out the set of added and removed dependencies for each manifest.
The action then evaluates the differences between the pushes based on the the rules defined in the action configuration, and summarizes the differences and any violations of the rules you have defined as a comment in the pull request that triggered it and the action outputs.
### Local Development
Before you begin, you need to have [Node.js](https://nodejs.org/en/) installed, minimum version 18.
#### Bootstrapping the project
0. [Fork][fork] and clone the repository
1. Change to the working directory: `cd dependency-review-action`
2. Install the dependencies: `npm install`
3. Make sure the tests pass on your machine: `npm run test`
#### Manually testing for vulnerabilities
It is recommended to have atleast [Node 18](https://nodejs.org/en/) installed.
We have a script to scan a given PR for vulnerabilities, this will
help you test your local changes. Make sure to [grab a Personal Access Token (PAT)](https://github.com/settings/tokens) before proceeding (you'll need `repo` permissions for private repos):
@@ -53,7 +64,7 @@ $ GITHUB_TOKEN=<token> ./scripts/scan_pr <pr_url>
Like this:
```sh
$ GITHUB_TOKEN=my-secret-token ./scripts/scan_pr https://github.com/actions/dependency-review-action/pull/3
$ GITHUB_TOKEN=<token> ./scripts/scan_pr https://github.com/actions/dependency-review-action/pull/3
```
[Configuration options](README.md#configuration-options) can be set by
@@ -64,26 +75,37 @@ passing an external YAML [configuration file](README.md#configuration-file) to t
$ GITHUB_TOKEN=<token> ./scripts/scan_pr --config-file my_custom_config.yml <pr_url>
```
## Submitting a pull request
#### Running unit tests
0. [Fork][fork] and clone the repository
1. Configure and install the dependencies: `npm install`
2. Make sure the tests pass on your machine: `npm run test`
3. Create a new branch: `git checkout -b my-branch-name`
4. Make your change, add tests, and make sure the tests still pass
5. Make sure to build and package before pushing: `npm run build && npm run package`
6. Push to your fork and [submit a pull request][pr]
7. Pat your self on the back and wait for your pull request to be reviewed and merged.
```
npm run test
```
_Note_: We don't a very comprehensive test suite, so any contributions to the existing tests are welcome!
### Submitting a pull request
1. Create a new branch: `git checkout -b my-branch-name`
2. Make your change, add tests, and make sure the tests still pass
3. Make sure to build and package before pushing: `npm run build && npm run package`
4. Push to your fork and [submit a pull request][pr]
Here are a few things you can do that will increase the likelihood of your pull request being accepted:
- Write tests.
- Add unit tests for new features.
- Keep your change as focused as possible. If there are multiple changes you would like to make that are not dependent upon each other, consider submitting them as separate pull requests.
- Write a [good commit message](https://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html).
- Add examples of the usage to [examples.md](docs/examples.md)
- Link to a sample PR in a custom repository running your version of the Action.
- Please be responsive to any questions and feedback that you get from a maintainer of the repo!
## Cutting a new release
1. Update the version number in [package.json](https://github.com/actions/dependency-review-action/blob/main/package.json).
<details>
_Note: these instructions are for maintainers_
1. Update the version number in [package.json](https://github.com/actions/dependency-review-action/blob/main/package.json) and run `npm i` to update the lockfile.
1. Go to [Draft a new
release](https://github.com/actions/dependency-review-action/releases/new)
in the Releases page.
@@ -112,12 +134,14 @@ minor/patch updates.
To do this just checkout `main`, force-create a new annotated tag, and push it:
```
git tag -fa v3 -m "Updating v3 to 3.0.1"
git push origin v3 --force
git tag -fa v4 -m "Updating v4 to 4.0.1"
git push origin v4 --force
```
</details>
## Resources
- [Creating JavaScript GitHub actions](https://docs.github.com/en/actions/creating-actions/creating-a-javascript-action)
- [How to Contribute to Open Source](https://opensource.guide/how-to-contribute/)
- [Using Pull Requests](https://help.github.com/articles/about-pull-requests/)
- [GitHub Help](https://help.github.com)
+199 -114
View File
@@ -1,160 +1,245 @@
# dependency-review-action
This action scans your pull requests for dependency changes, and will
raise an error if any vulnerabilities or invalid licenses are being introduced. The action is supported by an [API endpoint](https://docs.github.com/en/rest/reference/dependency-graph#dependency-review) that diffs the dependencies between any two revisions on your default branch.
- [Overview](#overview)
- [Installation](#installation)
- [Configuration](#configuration)
- [Using dependency review action to block a pull request from being merged](#using-dependency-review-action-to-block-a-pull-request-from-being-merged)
- [Outputs](#outputs)
- [Getting help](#getting-help)
- [Contributing](#contributing)
- [License](#license)
The action is available for all public repositories, as well as private repositories that have GitHub Advanced Security licensed.
## Overview
You can see the results on the job logs:
The dependency review action scans your pull requests for dependency changes, and will raise an error if any vulnerabilities or invalid licenses are being introduced.
The action is supported by an [API endpoint](https://docs.github.com/en/rest/dependency-graph/dependency-review?apiVersion=2022-11-28) that diffs the dependencies between any two revisions on your default branch.
<img width="854" alt="Screen Shot 2022-03-31 at 1 10 51 PM" src="https://user-images.githubusercontent.com/2161/161042286-b22d7dd3-13cb-458d-8744-ce70ed9bf562.png">
The action is available for:
- Public repositories
- Private repositories with a [GitHub Advanced Security](https://docs.github.com/en/enterprise-cloud@latest/get-started/learning-about-github/about-github-advanced-security) license.
or on the job summary:
### Viewing the results
<img src="https://user-images.githubusercontent.com/7847935/182871416-50332bbb-b279-4621-a136-ca72a4314301.png">
When the action runs, you can see the results on:
- The **job logs** page.
1. Go to the **Actions** tab for the repository and select the relevant workflow run.
1. Then under "Jobs", click **dependency review**.
<img width="850" alt="GitHub workflow run log showing Dependency Review job output" src="https://user-images.githubusercontent.com/2161/161042286-b22d7dd3-13cb-458d-8744-ce70ed9bf562.png">
- The **job summary** page.
1. Go to the **Actions** tab for the repository and select the relevant workflow run.
1. Click **Summary**, then scroll to "dependency-review summary".
<img width="850" alt="GitHub job summary showing Dependency Review output" src="https://github.com/actions/dependency-review-action/assets/2161/42fbed1d-64a7-42bf-9b05-c416bc67493f">
## Installation
**Please keep in mind that you need a [GitHub Advanced Security](https://docs.github.com/en/enterprise-cloud@latest/get-started/learning-about-github/about-github-advanced-security) license if you're running this action on private repositories.**
- [Installation (standard)](#installation)
- [Installation (GitHub Enterprise Server)](#installation-github-enterprise-server)
#### Installation (standard)
You can install the action on any public repository, or any organization-owned private repository, provided the organization has a GitHub Advanced Security license.
1. Add a new YAML workflow to your `.github/workflows` folder:
```yaml
name: 'Dependency Review'
on: [pull_request]
```yaml
name: 'Dependency Review'
on: [pull_request]
permissions:
contents: read
permissions:
contents: read
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
```
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v4
- name: 'Dependency Review'
uses: actions/dependency-review-action@v4
```
### GitHub Enterprise Server
#### Installation (GitHub Enterprise Server)
This action is available in Enterprise Server starting with version 3.6. Make sure
[GitHub Advanced
Security](https://docs.github.com/en/enterprise-server@3.6/admin/code-security/managing-github-advanced-security-for-your-enterprise/enabling-github-advanced-security-for-your-enterprise)
and [GitHub
Connect](https://docs.github.com/en/enterprise-server@3.6/admin/github-actions/managing-access-to-actions-from-githubcom/enabling-automatic-access-to-githubcom-actions-using-github-connect)
are enabled, and that you have installed the [dependency-review-action](https://github.com/actions/dependency-review-action) on the server.
You can install the action on repositories on GitHub Enterprise Server.
You can use the same workflow as above, replacing the `runs-on` value
with the label of any of your runners (the default label
is `self-hosted`):
1. Ensure [GitHub Advanced Security](https://docs.github.com/en/enterprise-server@latest/admin/code-security/managing-github-advanced-security-for-your-enterprise/enabling-github-advanced-security-for-your-enterprise) and [GitHub Connect](https://docs.github.com/en/enterprise-server@latest/admin/github-actions/managing-access-to-actions-from-githubcom/enabling-automatic-access-to-githubcom-actions-using-github-connect) are enabled for the enterprise.
2. Ensure you have installed the [dependency-review-action](https://github.com/actions/dependency-review-action) on the server.
3. Add a new YAML workflow to your `.github/workflows` folder:
```yaml
# ...
``` yaml
name: 'Dependency Review'
on: [pull_request]
jobs:
dependency-review:
runs-on: self-hosted
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
```
permissions:
contents: read
## Configuration options
jobs:
dependency-review:
runs-on: self-hosted
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v4
- name: 'Dependency Review'
uses: actions/dependency-review-action@v4
```
5. In the workflow file, replace the `runs-on` value with the label of any of your runners. (The default value is `self-hosted`.)
Configure this action by either inlining these options in your workflow file, or by using an external configuration file. All configuration options are optional.
## Configuration
| Option | Usage | Possible values | Default value |
| -------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------ | ------------- |
| `fail-on-severity` | Defines the threshold for the level of severity. The action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher. | `low`, `moderate`, `high`, `critical` | `low` |
| `allow-licenses`\* | Contains a list of allowed licenses. The action will fail on pull requests that introduce dependencies with licenses that do not match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `deny-licenses`\* | Contains a list of prohibited licenses. The action will fail on pull requests that introduce dependencies with licenses that match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `fail-on-scopes`† | Contains a list of strings of the build environments you want to support. The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list. | `runtime`, `development`, `unknown` | `runtime` |
| `allow-ghsas` | Contains a list of GitHub Advisory Database IDs that can be skipped during detection. | Any GHSAs from the [GitHub Advisory Database](https://github.com/advisories) | none |
| `license-check` | Enable or disable the license check performed by the action. | `true`, `false` | `true` |
| `vulnerability-check` | Enable or disable the vulnerability check performed by the action. | `true`, `false` | `true` |
| `allow-dependencies-licenses`\* | Contains a list of packages that will be excluded from license checks. | Any package(s) in [purl](https://github.com/package-url/purl-spec) format | none |
| `base-ref`/`head-ref` | Provide custom git references for the git base/head when performing the comparison check. This is only used for event types other than `pull_request` and `pull_request_target`. | Any valid git ref(s) in your project | none |
| `comment-summary-in-pr` | Enable or disable reporting the review summary as a comment in the pull request. If enabled, you must give the workflow or job permission `pull-requests: write`. | `always`, `on-failure`, `never` | `never` |
| `deny-packages` | Any number of packages to block in a PR. | Package(s) in [purl](https://github.com/package-url/purl-spec) format | empty |
| `deny-groups` | Any number of groups (namespaces) to block in a PR. | Namespace(s) in [purl](https://github.com/package-url/purl-spec) format (no package name, no version number) | empty |
| `retry-on-snapshot-warnings`\* | Enable or disable retrying the action every 10 seconds while waiting for dependency submission actions to complete. | `true`, `false` | `false` |
| `retry-on-snapshot-warnings-timeout`\* | Maximum amount of time (in seconds) to retry the action while waiting for dependency submission actions to complete. | Any positive integer | 120 |
- [Configuration options](#configuration-options)
- [Configuration methods](#configuration-methods)
\*not supported for use with GitHub Enterprise Server
### Configuration options
†will be supported with GitHub Enterprise Server 3.8
There are various configuration options you can use to specify settings for the dependency review action.
### Inline Configuration
All configuration options are optional.
You can pass options to the Dependency Review GitHub Action using your workflow file.
| Option | Usage | Possible values | Default value |
| -------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------ | ------------- |
| `fail-on-severity` | Defines the threshold for the level of severity. The action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher. | `low`, `moderate`, `high`, `critical` | `low` |
| `allow-licenses`\* | Contains a list of allowed licenses. The action will fail on pull requests that introduce dependencies with licenses that do not match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `deny-licenses`\* | Contains a list of prohibited licenses. The action will fail on pull requests that introduce dependencies with licenses that match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `fail-on-scopes` | Contains a list of strings of the build environments you want to support. The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list. | `runtime`, `development`, `unknown` | `runtime` |
| `allow-ghsas` | Contains a list of GitHub Advisory Database IDs that can be skipped during detection. | Any GHSAs from the [GitHub Advisory Database](https://github.com/advisories) | none |
| `license-check` | Enable or disable the license check performed by the action. | `true`, `false` | `true` |
| `vulnerability-check` | Enable or disable the vulnerability check performed by the action. | `true`, `false` | `true` |
| `allow-dependencies-licenses`\* | Contains a list of packages that will be excluded from license checks. | Any package(s) in [purl](https://github.com/package-url/purl-spec) format | none |
| `base-ref`/`head-ref` | Provide custom git references for the git base/head when performing the comparison check. This is only used for event types other than `pull_request` and `pull_request_target`. | Any valid git ref(s) in your project | none |
| `comment-summary-in-pr` | Enable or disable reporting the review summary as a comment in the pull request. If enabled, you must give the workflow or job the `pull-requests: write` permission. | `always`, `on-failure`, `never` | `never` |
| `deny-packages` | Any number of packages to block in a PR. This option will match on the exact version provided. If no version is provided, the option will treat the specified package as a wildcard and deny all versions. | Package(s) in [purl](https://github.com/package-url/purl-spec) format | empty |
| `deny-groups` | Any number of groups (namespaces) to block in a PR. | Namespace(s) in [purl](https://github.com/package-url/purl-spec) format (no package name, no version number) | empty |
| `retry-on-snapshot-warnings`\* | Enable or disable retrying the action every 10 seconds while waiting for dependency submission actions to complete. | `true`, `false` | `false` |
| `retry-on-snapshot-warnings-timeout`\* | Maximum amount of time (in seconds) to retry the action while waiting for dependency submission actions to complete. | Any positive integer | 120 |
| `warn-only`+ | When set to `true`, the action will log all vulnerabilities as warnings regardless of the severity, and the action will complete with a `success` status. This overrides the `fail-on-severity` option. | `true`, `false` | `false` |
| `show-openssf-scorecard` | When set to `true`, the action will output information about all the known OpenSSF Scorecard scores for the dependencies changed in this pull request. | `true`, `false` | `true` |
| `warn-on-openssf-scorecard-level` | When `show-openssf-scorecard-levels` is set to `true`, this option lets you configure the threshold for when a score is considered too low and gets a :warning: warning in the CI. | Any positive integer | 3 |
#### Example
> [!NOTE]
> - \* Not supported for use with GitHub Enterprise Server. (Checking for licenses is not supported on GitHub Enterprise Server because the API does not return license information.)
> - \+ When `warn-only` is set to `true`, all vulnerabilities, independently of the severity, will be reported as warnings and the action will not fail.
> - The `allow-licenses` and `deny-licenses` options are mutually exclusive; an error will be raised if you provide both.
> - If we can't detect the license for a dependency **we will inform you, but the action won't fail**.
```yaml
name: 'Dependency Review'
on: [pull_request]
permissions:
contents: read
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- name: Dependency Review
uses: actions/dependency-review-action@v3
with:
fail-on-severity: moderate
### Configuration methods
# Use comma-separated names to pass list arguments:
deny-licenses: LGPL-2.0, BSD-2-Clause
```
To specify settings for the dependency review action, you can choose from two options:
- [Option 1: Inline the configuration options]() in your workflow file.
- [Option 2: Reference an external configuration file]() in your workflow file.
### Configuration File
#### Option 1: Using inline configuration
You can use an external configuration file to specify the settings for this action. It can be a local file or a file in an external repository. Refer to the following options for the specification.
You can pass configuration options to the dependency review action using your workflow file.
| Option | Usage | Possible values |
| --------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------ |
| `config-file` | A path to a file in the current repository or an external repository. Use this syntax for external files: `OWNER/REPOSITORY/FILENAME@BRANCH` | **Local file**: `./.github/dependency-review-config.yml` <br> **External repo**: `github/octorepo/dependency-review-config.yml@main` |
| `external-repo-token` | Specifies a token for fetching the configuration file. It is required if the file resides in a private external repository and for all GitHub Enterprise Server repositories. Create a token in [developer settings](https://github.com/settings/tokens). | Any token with `read` permissions to the repository hosting the config file. |
1. In the same YAML workflow file you created during installation, use the `with:` key to specify your chosen settings:
```yaml
name: 'Dependency Review'
on: [pull_request]
permissions:
contents: read
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v4
- name: Dependency Review
uses: actions/dependency-review-action@v4
with:
fail-on-severity: moderate
#### Example
# Use comma-separated names to pass list arguments:
deny-licenses: LGPL-2.0, BSD-2-Clause
```
Start by specifying that you will be using an external configuration file:
#### Option 2: Using an external configuration file
```yaml
- name: Dependency Review
uses: actions/dependency-review-action@v2
with:
config-file: './.github/dependency-review-config.yml'
```
You can use an external configuration file to specify settings for this action. The file can be a local file or a file in an external repository.
And then create the file in the path you just specified. Please note
that the **option names in external files use underscores instead of dashes**:
1. In the same YAML workflow file you created during installation, use `config-file` to specify that you are using an external configuration file.
```yaml
fail_on_severity: 'critical'
allow_licenses:
- 'GPL-3.0'
- 'BSD-3-Clause'
- 'MIT'
```
```yaml
name: 'Dependency Review'
on: [pull_request]
permissions:
contents: read
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v4
- name: Dependency Review
uses: actions/dependency-review-action@v4
with:
config-file: './.github/dependency-review-config.yml'
```
| Option | Usage | Possible values |
|--------------------- | ----------- | ----------------------------- |
| `config-file` | A path to a file in the current repository or an external repository. Use this syntax for external files: `OWNER/REPOSITORY/FILENAME@BRANCH` | **Local file**: `./.github/dependency-review-config.yml` <br> **External repo**: `github/octorepo/dependency-review-config.yml@main` |
2. Optionally, if the file resides in a private external repository, and for all GitHub Enterprise Server repositories, use `external-repo-token` to specify a token for fetching the file.
For more examples of how to use this action and its configuration options, see the [examples](docs/examples.md) page.
```yaml
- name: Dependency Review
uses: actions/dependency-review-action@v4
with:
config-file: 'github/octorepo/dependency-review-config.yml@main'
external-repo-token: 'ghp_123456789abcde'
```
### Considerations
| Option | Usage | Possible values |
|--------------------- | ----------- | ----------------------------- |
| `external-repo-token` | Specifies a token for fetching the configuration file. It is required if the file resides in a private external repository and for all GitHub Enterprise Server repositories. Create a token in [developer settings](https://github.com/settings/tokens). | Any token with `read` permissions to the repository hosting the config file. |
3. Create the configuration file in the path you specified for `config-file`.
4. In the configuration file, specify your chosen settings.
```yaml
fail_on_severity: 'critical'
allow_licenses:
- 'GPL-3.0'
- 'BSD-3-Clause'
- 'MIT'
```
> [!NOTE]
> For external configuration files, the option names use underscores instead of dashes.
> Example: `fail_on_severity`
- Checking for licenses is not supported on Enterprise Server as the API does not return license information.
- The action will only accept one of the two `license` parameters; an error will be raised if you provide both.
- We don't have license information for all of your dependents. If we can't detect the license for a dependency **we will inform you, but the action won't fail**.
#### Further information
## Blocking pull requests
- For more examples of how to use this action and its configuration options, see the [examples](docs/examples.md) page.
- For general information about dependency review on GitHub, see "[About dependency review](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review)" in the GitHub Docs documentation.
The Dependency Review GitHub Action check will only block a pull request from being merged if the repository owner has required the check to pass before merging. For more information, see the [documentation on protected branches](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#require-status-checks-before-merging).
## Using dependency review action to block a pull request from being merged
You can configure your repository to block a pull request from being merged if the pull request fails the dependency review action check. To do this, the repository owner must configure branch protection settings that require the check to pass before merging. For more information, see "[Require status checks before merging](https://docs.github.com/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#require-status-checks-before-merging)" in GitHub Docs documentation.
## Outputs
Dependency review action can create [outputs](https://docs.github.com/en/actions/using-jobs/defining-outputs-for-jobs), so that data from its execution can be used by other jobs in a workflow.
- `comment-content` is generated with the same content as would be present in a Dependency Review Action comment.
- `dependency-changes` holds all dependency changes in a JSON format. The following outputs are subsets of `dependency-changes` filtered based on the configuration:
- `vulnerable-changes` holds information about dependency changes with vulnerable dependencies in a JSON format.
- `invalid-license-changes` holds information about invalid or non-compliant license dependency changes in a JSON format.
- `denied-changes` holds information about denied dependency changes in a JSON format.
> [!NOTE]
> Action outputs are unicode strings [with a 1MB size limit](https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#outputs-for-docker-container-and-javascript-actions).
>
> If you use these outputs in a run-step, you must store the output data in an environment variable instead of using the output directly. Using an output directly might break shell scripts. For example:
>
> ```yaml
> env:
> VULNERABLE_CHANGES: ${{ steps.review.outputs.vulnerable-changes }}
> run: |
> echo "$VULNERABLE_CHANGES" | jq
> ```
>
> instead of direct `echo '${{ steps.review.outputs.vulnerable-changes }}'`.
> See [examples](docs/examples.md) for more.
## Getting help
+1 -1
View File
@@ -1,3 +1,3 @@
If you discover a security issue in this repo, please submit it through the [GitHub Security Bug Bounty](https://hackerone.com/github)
If you discover a security issue in this repo, please submit it through the [GitHub Security Bug Bounty](https://bounty.github.com/)
Thanks for helping make GitHub Actions safe for everyone.
+104 -16
View File
@@ -1,13 +1,9 @@
import {expect, test, beforeEach} from '@jest/globals'
import {readConfig} from '../src/config'
import {getRefs} from '../src/git-refs'
import * as Utils from '../src/utils'
import * as spdx from '../src/spdx'
import {setInput, clearInputs} from './test-helpers'
beforeAll(() => {
jest.spyOn(Utils, 'isSPDXValid').mockReturnValue(true)
})
beforeEach(() => {
clearInputs()
})
@@ -19,11 +15,16 @@ test('it defaults to low severity', async () => {
test('it reads custom configs', async () => {
setInput('fail-on-severity', 'critical')
setInput('allow-licenses', ' BSD, GPL 2')
setInput('allow-licenses', 'ISC, GPL-2.0')
const config = await readConfig()
expect(config.fail_on_severity).toEqual('critical')
expect(config.allow_licenses).toEqual(['BSD', 'GPL 2'])
expect(config.allow_licenses).toEqual(['ISC', 'GPL-2.0'])
})
test('it defaults to false for warn-only', async () => {
const config = await readConfig()
expect(config.warn_only).toEqual(false)
})
test('it defaults to empty allow/deny lists ', async () => {
@@ -35,7 +36,7 @@ test('it defaults to empty allow/deny lists ', async () => {
test('it raises an error if both an allow and denylist are specified', async () => {
setInput('allow-licenses', 'MIT')
setInput('deny-licenses', 'BSD')
setInput('deny-licenses', 'BSD-3-Clause')
await expect(readConfig()).rejects.toThrow(
'You cannot specify both allow-licenses and deny-licenses'
@@ -49,6 +50,52 @@ test('it raises an error if an empty allow list is specified', async () => {
)
})
test('it successfully parses allow-dependencies-licenses', async () => {
setInput(
'allow-dependencies-licenses',
'pkg:npm/@test/package@1.2.3,pkg:npm/example'
)
const config = await readConfig()
expect(config.allow_dependencies_licenses).toEqual([
'pkg:npm/@test/package@1.2.3',
'pkg:npm/example'
])
})
test('it raises an error when an invalid package-url is used for allow-dependencies-licenses', async () => {
setInput('allow-dependencies-licenses', 'not-a-purl')
await expect(readConfig()).rejects.toThrow(`Error parsing package-url`)
})
test('it raises an error when a nameless package-url is used for allow-dependencies-licenses', async () => {
setInput('allow-dependencies-licenses', 'pkg:npm/@namespace/')
await expect(readConfig()).rejects.toThrow(
`Error parsing package-url: name is required`
)
})
test('it raises an error when an invalid package-url is used for deny-packages', async () => {
setInput('deny-packages', 'not-a-purl')
await expect(readConfig()).rejects.toThrow(`Error parsing package-url`)
})
test('it raises an error when a nameless package-url is used for deny-packages', async () => {
setInput('deny-packages', 'pkg:npm/@namespace/')
await expect(readConfig()).rejects.toThrow(
`Error parsing package-url: name is required`
)
})
test('it raises an error when an argument to deny-groups is missing a namespace', async () => {
setInput('deny-groups', 'pkg:npm/my-fun-org')
await expect(readConfig()).rejects.toThrow(
`package-url must have a namespace`
)
})
test('it raises an error when given an unknown severity', async () => {
setInput('fail-on-severity', 'zombies')
@@ -77,6 +124,51 @@ test('it raises an error when no refs are provided and the event is not a pull r
).toThrow()
})
const pullRequestLikeEvents = [
'pull_request',
'pull_request_target',
'merge_group'
]
test.each(pullRequestLikeEvents)(
'it uses the given refs even when the event is %s',
async eventName => {
setInput('base-ref', 'a-custom-base-ref')
setInput('head-ref', 'a-custom-head-ref')
const refs = getRefs(await readConfig(), {
payload: {
pull_request: {
number: 42,
base: {sha: 'pr-base-ref'},
head: {sha: 'pr-head-ref'}
}
},
eventName
})
expect(refs.base).toEqual('a-custom-base-ref')
expect(refs.head).toEqual('a-custom-head-ref')
}
)
test.each(pullRequestLikeEvents)(
'it uses the event refs when the event is %s and the no refs are input',
async eventName => {
const refs = getRefs(await readConfig(), {
payload: {
pull_request: {
number: 42,
base: {sha: 'pr-base-ref'},
head: {sha: 'pr-head-ref'}
}
},
eventName
})
expect(refs.base).toEqual('pr-base-ref')
expect(refs.head).toEqual('pr-head-ref')
}
)
test('it defaults to runtime scope', async () => {
const config = await readConfig()
expect(config.fail_on_scopes).toEqual(['runtime'])
@@ -153,21 +245,17 @@ test('it is not possible to disable both checks', async () => {
})
describe('licenses that are not valid SPDX licenses', () => {
beforeAll(() => {
jest.spyOn(Utils, 'isSPDXValid').mockReturnValue(false)
})
test('it raises an error for invalid licenses in allow-licenses', async () => {
setInput('allow-licenses', ' BSD, GPL 2')
setInput('allow-licenses', ' BSD-YOLO, GPL-2.0')
await expect(readConfig()).rejects.toThrow(
'Invalid license(s) in allow-licenses: BSD,GPL 2'
'Invalid license(s) in allow-licenses: BSD-YOLO'
)
})
test('it raises an error for invalid licenses in deny-licenses', async () => {
setInput('deny-licenses', ' BSD, GPL 2')
setInput('deny-licenses', ' GPL-2.0, BSD-YOLO, Apache-2.0, ToIll')
await expect(readConfig()).rejects.toThrow(
'Invalid license(s) in deny-licenses: BSD,GPL 2'
'Invalid license(s) in deny-licenses: BSD-YOLO, ToIll'
)
})
})
+85 -115
View File
@@ -1,100 +1,7 @@
import {expect, jest, test} from '@jest/globals'
import {Change, Changes} from '../src/schemas'
let getDeniedChanges: Function
const npmChange: Change = {
manifest: 'package.json',
change_type: 'added',
ecosystem: 'npm',
name: 'Reeuhq',
version: '1.0.2',
package_url: 'pkg:npm/reeuhq@1.0.2',
license: 'MIT',
source_repository_url: 'github.com/some-repo',
scope: 'runtime',
vulnerabilities: [
{
severity: 'critical',
advisory_ghsa_id: 'first-random_string',
advisory_summary: 'very dangerous',
advisory_url: 'github.com/future-funk'
}
]
}
const rubyChange: Change = {
change_type: 'added',
manifest: 'Gemfile.lock',
ecosystem: 'rubygems',
name: 'actionsomething',
version: '3.2.0',
package_url: 'pkg:gem/actionsomething@3.2.0',
license: 'BSD',
source_repository_url: 'github.com/some-repo',
scope: 'runtime',
vulnerabilities: [
{
severity: 'moderate',
advisory_ghsa_id: 'second-random_string',
advisory_summary: 'not so dangerous',
advisory_url: 'github.com/future-funk'
},
{
severity: 'low',
advisory_ghsa_id: 'third-random_string',
advisory_summary: 'dont page me',
advisory_url: 'github.com/future-funk'
}
]
}
const pipChange: Change = {
change_type: 'added',
manifest: 'requirements.txt',
ecosystem: 'pip',
name: 'package-1',
version: '1.1.1',
package_url: 'pkg:pip/package-1@1.1.1',
license: 'MIT',
source_repository_url: 'github.com/some-repo',
scope: 'runtime',
vulnerabilities: [
{
severity: 'moderate',
advisory_ghsa_id: 'second-random_string',
advisory_summary: 'not so dangerous',
advisory_url: 'github.com/future-funk'
},
{
severity: 'low',
advisory_ghsa_id: 'third-random_string',
advisory_summary: 'dont page me',
advisory_url: 'github.com/future-funk'
}
]
}
const mvnChange: Change = {
change_type: 'added',
manifest: 'pom.xml',
ecosystem: 'maven',
name: 'org.apache.logging.log4j:log4j-core',
version: '2.15.0',
package_url: 'pkg:maven/org.apache.logging.log4j/log4j-core@2.14.7',
license: 'Apache-2.0',
source_repository_url:
'https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core',
scope: 'unknown',
vulnerabilities: [
{
severity: 'critical',
advisory_ghsa_id: 'second-random_string',
advisory_summary: 'not so dangerous',
advisory_url: 'github.com/future-funk'
}
]
}
import {createTestChange, createTestPURLs} from './fixtures/create-test-change'
import {getDeniedChanges} from '../src/deny'
jest.mock('@actions/core')
@@ -108,6 +15,11 @@ const mockOctokit = {
}
}
let npmChange: Change
let rubyChange: Change
let pipChange: Change
let mvnChange: Change
jest.mock('octokit', () => {
return {
// eslint-disable-next-line @typescript-eslint/no-extraneous-class
@@ -121,45 +33,103 @@ jest.mock('octokit', () => {
beforeEach(async () => {
jest.resetModules()
jest.doMock('spdx-satisfies', () => {
// mock spdx-satisfies return value
// true for BSD, false for all others
return jest.fn((license: string, _: string): boolean => license === 'BSD')
})
// eslint-disable-next-line @typescript-eslint/no-require-imports
;({getDeniedChanges} = require('../src/deny'))
npmChange = createTestChange({ecosystem: 'npm'})
rubyChange = createTestChange({ecosystem: 'rubygems'})
pipChange = createTestChange({ecosystem: 'pip'})
mvnChange = createTestChange({ecosystem: 'maven'})
})
test('it adds packages in the deny packages list', async () => {
test('denies packages from the deny packages list', async () => {
const changes: Changes = [npmChange, rubyChange]
const deniedChanges = await getDeniedChanges(
changes,
['pkg:gem/actionsomething'],
[]
)
const deniedPackages = createTestPURLs(['pkg:gem/actionsomething@3.2.0'])
const deniedChanges = await getDeniedChanges(changes, deniedPackages)
expect(deniedChanges[0]).toBe(rubyChange)
expect(deniedChanges.length).toEqual(1)
})
test('it adds packages in the deny group list', async () => {
const changes: Changes = [mvnChange, rubyChange]
test('denies packages only for the specified version from deny packages list', async () => {
const deniedPackageWithDifferentVersion = createTestPURLs([
'pkg:npm/lodash@1.2.3'
])
const changes: Changes = [npmChange]
const deniedChanges = await getDeniedChanges(
changes,
[],
['pkg:maven/org.apache.logging.log4j']
deniedPackageWithDifferentVersion
)
expect(deniedChanges.length).toEqual(0)
})
test('if no specified version from deny packages list, it will treat package as wildcard and deny all versions', async () => {
const changes: Changes = [
createTestChange({name: 'lodash', version: '1.2.3'}),
createTestChange({name: 'lodash', version: '4.5.6'}),
createTestChange({name: 'lodash', version: '7.8.9'})
]
const denyAllLodashVersions = createTestPURLs(['pkg:npm/lodash'])
const deniedChanges = await getDeniedChanges(changes, denyAllLodashVersions)
expect(deniedChanges.length).toEqual(3)
})
test('denies packages from the deny group list', async () => {
const changes: Changes = [mvnChange, rubyChange]
const deniedGroups = createTestPURLs(['pkg:maven/org.apache.logging.log4j/'])
const deniedChanges = await getDeniedChanges(changes, [], deniedGroups)
expect(deniedChanges[0]).toBe(mvnChange)
expect(deniedChanges.length).toEqual(1)
})
test('it adds packages outside of the deny lists', async () => {
test('denies packages that match the deny group list exactly', async () => {
const changes: Changes = [
createTestChange({
package_url: 'pkg:npm/org.test.pass/pass-this@1.0.0',
ecosystem: 'npm'
}),
createTestChange({
package_url: 'pkg:npm/org.test/deny-this@1.0.0',
ecosystem: 'npm'
})
]
const deniedGroups = createTestPURLs(['pkg:npm/org.test/'])
const deniedChanges = await getDeniedChanges(changes, [], deniedGroups)
expect(deniedChanges.length).toEqual(1)
expect(deniedChanges[0]).toBe(changes[1])
})
test(`denies packages using the namespace from the name when there's no package_url`, async () => {
const changes: Changes = [
createTestChange({
package_url: 'pkg:npm/org.test.pass/pass-this@1.0.0',
ecosystem: 'npm'
}),
createTestChange({
name: 'org.test:deny-this',
package_url: '',
ecosystem: 'maven'
})
]
const deniedGroups = createTestPURLs(['pkg:maven/org.test/'])
const deniedChanges = await getDeniedChanges(changes, [], deniedGroups)
expect(deniedChanges.length).toEqual(1)
expect(deniedChanges[0]).toBe(changes[1])
})
test('allows packages not defined in the deny packages and groups list', async () => {
const changes: Changes = [npmChange, pipChange]
const deniedPackages = createTestPURLs([
'pkg:gem/package-not-in-changes@1.0.0'
])
const deniedGroups = createTestPURLs(['pkg:maven/group.not.in.changes/'])
const deniedChanges = await getDeniedChanges(
changes,
['pkg:gem/actionsomething'],
['pkg:maven:org.apache.logging.log4j']
deniedPackages,
deniedGroups
)
expect(deniedChanges.length).toEqual(0)
+1 -2
View File
@@ -24,7 +24,6 @@ test('it properly catches RequestError type', async () => {
headRef: 'refs/heads/master'
})
} catch (error) {
const err = error as RequestError
expect(err.status).toBe(401)
expect(error).toBeInstanceOf(RequestError)
}
})
+2 -6
View File
@@ -1,6 +1,6 @@
import {expect, test, beforeEach} from '@jest/globals'
import {readConfig} from '../src/config'
import * as Utils from '../src/utils'
import * as spdx from '../src/spdx'
import {setInput, clearInputs} from './test-helpers'
const externalConfig = `fail_on_severity: 'high'
@@ -25,10 +25,6 @@ jest.mock('octokit', () => {
}
})
beforeAll(() => {
jest.spyOn(Utils, 'isSPDXValid').mockReturnValue(true)
})
beforeEach(() => {
clearInputs()
})
@@ -38,7 +34,7 @@ test('it reads an external config file', async () => {
const config = await readConfig()
expect(config.fail_on_severity).toEqual('critical')
expect(config.allow_licenses).toEqual(['BSD', 'GPL 2'])
expect(config.allow_licenses).toEqual(['BSD-3-Clause', 'GPL-2.0'])
})
test('raises an error when the config file was not found', async () => {
+118 -24
View File
@@ -19,7 +19,7 @@ const npmChange: Change = {
vulnerabilities: [
{
severity: 'critical',
advisory_ghsa_id: 'first-random_string',
advisory_ghsa_id: 'vulnerable-ghsa-id',
advisory_summary: 'very dangerous',
advisory_url: 'github.com/future-funk'
}
@@ -39,13 +39,13 @@ const rubyChange: Change = {
vulnerabilities: [
{
severity: 'moderate',
advisory_ghsa_id: 'second-random_string',
advisory_ghsa_id: 'moderate-ghsa-id',
advisory_summary: 'not so dangerous',
advisory_url: 'github.com/future-funk'
},
{
severity: 'low',
advisory_ghsa_id: 'third-random_string',
advisory_ghsa_id: 'low-ghsa-id',
advisory_summary: 'dont page me',
advisory_url: 'github.com/future-funk'
}
@@ -65,6 +65,64 @@ const noVulnNpmChange: Change = {
vulnerabilities: []
}
const lodashChange: Change = {
change_type: 'added',
manifest: 'package.json',
ecosystem: 'npm',
name: 'lodash',
version: '4.17.0',
package_url: 'pkg:npm/lodash@4.17.0',
license: 'MIT',
source_repository_url: 'https://github.com/lodash/lodash',
scope: 'runtime',
vulnerabilities: [
{
severity: 'critical',
advisory_ghsa_id: 'GHSA-jf85-cpcp-j695',
advisory_summary: 'Prototype Pollution in lodash',
advisory_url: 'https://github.com/advisories/GHSA-jf85-cpcp-j695'
},
{
severity: 'high',
advisory_ghsa_id: 'GHSA-4xc9-xhrj-v574',
advisory_summary: 'Prototype Pollution in lodash',
advisory_url: 'https://github.com/advisories/GHSA-4xc9-xhrj-v574'
},
{
severity: 'high',
advisory_ghsa_id: 'GHSA-35jh-r3h4-6jhm',
advisory_summary: 'Command Injection in lodash',
advisory_url: 'https://github.com/advisories/GHSA-35jh-r3h4-6jhm'
},
{
severity: 'high',
advisory_ghsa_id: 'GHSA-p6mc-m468-83gw',
advisory_summary: 'Prototype Pollution in lodash',
advisory_url: 'https://github.com/advisories/GHSA-p6mc-m468-83gw'
},
{
severity: 'moderate',
advisory_ghsa_id: 'GHSA-x5rq-j2xg-h7qm',
advisory_summary:
'Regular Expression Denial of Service (ReDoS) in lodash',
advisory_url: 'https://github.com/advisories/GHSA-x5rq-j2xg-h7qm'
},
{
severity: 'moderate',
advisory_ghsa_id: 'GHSA-29mw-wpgm-hmr9',
advisory_summary:
'Regular Expression Denial of Service (ReDoS) in lodash',
advisory_url: 'https://github.com/advisories/GHSA-29mw-wpgm-hmr9'
},
{
severity: 'low',
advisory_ghsa_id: 'GHSA-fvqr-27wr-82fm',
advisory_summary: 'Prototype Pollution in lodash',
advisory_url: 'https://github.com/advisories/GHSA-fvqr-27wr-82fm'
}
]
}
test('it properly filters changes by severity', async () => {
const changes = [npmChange, rubyChange]
let result = filterChangesBySeverity('high', changes)
@@ -99,25 +157,61 @@ test('it properly handles undefined advisory IDs', async () => {
test('it properly filters changes with allowed vulnerabilities', async () => {
const changes = [npmChange, rubyChange, noVulnNpmChange]
let result = filterAllowedAdvisories(['notrealGHSAID'], changes)
expect(result).toEqual([npmChange, rubyChange, noVulnNpmChange])
result = filterAllowedAdvisories(['first-random_string'], changes)
expect(result).toEqual([rubyChange, noVulnNpmChange])
result = filterAllowedAdvisories(
['second-random_string', 'third-random_string'],
changes
)
expect(result).toEqual([npmChange, noVulnNpmChange])
result = filterAllowedAdvisories(
['first-random_string', 'second-random_string', 'third-random_string'],
changes
)
expect(result).toEqual([noVulnNpmChange])
// if we have a change with multiple vulnerabilities but only one is allowed, we still should not filter out that change
result = filterAllowedAdvisories(['second-random_string'], changes)
expect(result).toEqual([npmChange, rubyChange, noVulnNpmChange])
const fakeGHSAChanges = filterAllowedAdvisories(['notrealGHSAID'], changes)
expect(fakeGHSAChanges).toEqual([npmChange, rubyChange, noVulnNpmChange])
})
test('it properly filters only allowed vulnerabilities', async () => {
const changes = [npmChange, rubyChange, noVulnNpmChange]
const oldVulns = [
...npmChange.vulnerabilities,
...rubyChange.vulnerabilities,
...noVulnNpmChange.vulnerabilities
]
const vulnerable = filterAllowedAdvisories(['vulnerable-ghsa-id'], changes)
const newVulns = vulnerable.map(change => change.vulnerabilities).flat()
expect(newVulns.length).toEqual(oldVulns.length - 1)
expect(newVulns).not.toContainEqual(
expect.objectContaining({advisory_ghsa_id: 'vulnerable-ghsa-id'})
)
})
test('does not drop dependencies when filtering by GHSA', async () => {
const changes = [npmChange, rubyChange, noVulnNpmChange]
const result = filterAllowedAdvisories(
['moderate-ghsa-id', 'low-ghsa-id', 'GHSA-jf85-cpcp-j695'],
changes
)
expect(result.map(change => change.name)).toEqual(
changes.map(change => change.name)
)
})
test('it properly filters multiple GHSAs', async () => {
const allowedGHSAs = ['vulnerable-ghsa-id', 'moderate-ghsa-id', 'low-ghsa-id']
const changes = [npmChange, rubyChange, noVulnNpmChange]
const oldVulns = changes.map(change => change.vulnerabilities).flat()
const result = filterAllowedAdvisories(allowedGHSAs, changes)
const newVulns = result.map(change => change.vulnerabilities).flat()
expect(newVulns.length).toEqual(oldVulns.length - 3)
})
test('it filters out GHSA dependencies', async () => {
const lodash = filterAllowedAdvisories(
['GHSA-jf85-cpcp-j695'],
[lodashChange]
)[0]
// the filter should have removed a single GHSA from the list
const expected = lodashChange.vulnerabilities.filter(
vuln => vuln.advisory_ghsa_id !== 'GHSA-jf85-cpcp-j695'
)
expect(expected.length).toEqual(lodashChange.vulnerabilities.length - 1)
expect(lodash.vulnerabilities).toEqual(expected)
})
+2 -2
View File
@@ -1,4 +1,4 @@
fail_on_severity: critical
allow_licenses:
- "BSD"
- "GPL 2"
- 'BSD-3-Clause'
- 'GPL-2.0'
+96 -6
View File
@@ -1,7 +1,8 @@
import {Change} from '../../src/schemas'
import {createTestVulnerability} from './create-test-vulnerability'
import {PackageURL, parsePURL} from '../../src/purl'
const defaultChange: Change = {
const defaultNpmChange: Change = {
change_type: 'added',
manifest: 'package.json',
ecosystem: 'npm',
@@ -28,9 +29,98 @@ const defaultChange: Change = {
]
}
const createTestChange = (overwrites: Partial<Change> = {}): Change => ({
...defaultChange,
...overwrites
})
const defaultRubyChange: Change = {
change_type: 'added',
manifest: 'Gemfile.lock',
ecosystem: 'rubygems',
name: 'actionsomething',
version: '3.2.0',
package_url: 'pkg:gem/actionsomething@3.2.0',
license: 'BSD',
source_repository_url: 'github.com/some-repo',
scope: 'runtime',
vulnerabilities: [
{
severity: 'moderate',
advisory_ghsa_id: 'second-random_string',
advisory_summary: 'not so dangerous',
advisory_url: 'github.com/future-funk'
},
{
severity: 'low',
advisory_ghsa_id: 'third-random_string',
advisory_summary: 'dont page me',
advisory_url: 'github.com/future-funk'
}
]
}
export {createTestChange}
const defaultPipChange: Change = {
change_type: 'added',
manifest: 'requirements.txt',
ecosystem: 'pip',
name: 'package-1',
version: '1.1.1',
package_url: 'pkg:pypi/package-1@1.1.1',
license: 'MIT',
source_repository_url: 'github.com/some-repo',
scope: 'runtime',
vulnerabilities: [
{
severity: 'moderate',
advisory_ghsa_id: 'second-random_string',
advisory_summary: 'not so dangerous',
advisory_url: 'github.com/future-funk'
},
{
severity: 'low',
advisory_ghsa_id: 'third-random_string',
advisory_summary: 'dont page me',
advisory_url: 'github.com/future-funk'
}
]
}
const defaultMavenChange: Change = {
change_type: 'added',
manifest: 'pom.xml',
ecosystem: 'maven',
name: 'org.apache.logging.log4j:log4j-core',
version: '2.15.0',
package_url: 'pkg:maven/org.apache.logging.log4j/log4j-core@2.14.7',
license: 'Apache-2.0',
source_repository_url:
'https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core',
scope: 'unknown',
vulnerabilities: [
{
severity: 'critical',
advisory_ghsa_id: 'second-random_string',
advisory_summary: 'not so dangerous',
advisory_url: 'github.com/future-funk'
}
]
}
const ecosystemToDefaultChange: {[key: string]: Change} = {
npm: defaultNpmChange,
rubygems: defaultRubyChange,
pip: defaultPipChange,
maven: defaultMavenChange
}
const createTestChange = (overwrites: Partial<Change> = {}): Change => {
const ecosystem = overwrites.ecosystem || 'npm'
return {
...ecosystemToDefaultChange[ecosystem],
...overwrites
}
}
const createTestPURLs = (list: string[]): PackageURL[] => {
return list.map(purl => {
return parsePURL(purl)
})
}
export {createTestChange, createTestPURLs}
@@ -1 +1 @@
allow-licenses: "MIT, GPL-2.0-only"
allow-licenses: 'MIT, GPL-2.0-only'
+36 -34
View File
@@ -1,7 +1,6 @@
import {expect, jest, test} from '@jest/globals'
import {Change, Changes} from '../src/schemas'
let getInvalidLicenseChanges: Function
import {getInvalidLicenseChanges} from '../src/licenses'
const npmChange: Change = {
manifest: 'package.json',
@@ -30,7 +29,7 @@ const rubyChange: Change = {
name: 'actionsomething',
version: '3.2.0',
package_url: 'pkg:gem/actionsomething@3.2.0',
license: 'BSD',
license: 'BSD-3-Clause',
source_repository_url: 'github.com/some-repo',
scope: 'runtime',
vulnerabilities: [
@@ -55,7 +54,7 @@ const pipChange: Change = {
ecosystem: 'pip',
name: 'package-1',
version: '1.1.1',
package_url: 'pkg:pip/package-1@1.1.1',
package_url: 'pkg:pypi/package-1@1.1.1',
license: 'MIT',
source_repository_url: 'github.com/some-repo',
scope: 'runtime',
@@ -100,29 +99,32 @@ jest.mock('octokit', () => {
beforeEach(async () => {
jest.resetModules()
jest.doMock('spdx-satisfies', () => {
// mock spdx-satisfies return value
// true for BSD, false for all others
return jest.fn((license: string, _: string): boolean => license === 'BSD')
})
// eslint-disable-next-line @typescript-eslint/no-require-imports
;({getInvalidLicenseChanges} = require('../src/licenses'))
})
test('it adds license outside the allow list to forbidden changes', async () => {
const changes: Changes = [npmChange, rubyChange]
const changes: Changes = [
npmChange, // MIT license
rubyChange // BSD license
]
const {forbidden} = await getInvalidLicenseChanges(changes, {
allow: ['BSD']
allow: ['BSD-3-Clause']
})
expect(forbidden[0]).toBe(npmChange)
expect(forbidden.length).toEqual(1)
})
test('it adds license inside the deny list to forbidden changes', async () => {
const changes: Changes = [npmChange, rubyChange]
const changes: Changes = [
npmChange, // MIT license
rubyChange // BSD license
]
const {forbidden} = await getInvalidLicenseChanges(changes, {
deny: ['BSD']
deny: ['BSD-3-Clause']
})
expect(forbidden[0]).toBe(rubyChange)
expect(forbidden.length).toEqual(1)
})
@@ -133,7 +135,7 @@ test('it does not add license outside the allow list to forbidden changes if it
{...rubyChange, change_type: 'removed'}
]
const {forbidden} = await getInvalidLicenseChanges(changes, {
allow: ['BSD']
allow: ['BSD-3-Clause']
})
expect(forbidden).toStrictEqual([])
})
@@ -144,7 +146,7 @@ test('it does not add license inside the deny list to forbidden changes if it is
{...rubyChange, change_type: 'removed'}
]
const {forbidden} = await getInvalidLicenseChanges(changes, {
deny: ['BSD']
deny: ['BSD-3-Clause']
})
expect(forbidden).toStrictEqual([])
})
@@ -156,23 +158,18 @@ test('it adds license outside the allow list to forbidden changes if it is in bo
{...rubyChange, change_type: 'removed'}
]
const {forbidden} = await getInvalidLicenseChanges(changes, {
allow: ['BSD']
allow: ['BSD-3-Clause']
})
expect(forbidden).toStrictEqual([npmChange])
})
test('it adds all licenses to unresolved if it is unable to determine the validity', async () => {
jest.resetModules() // reset module set in before
jest.doMock('spdx-satisfies', () => {
return jest.fn((_first: string, _second: string) => {
throw new Error('Some Error')
})
})
// eslint-disable-next-line @typescript-eslint/no-require-imports
;({getInvalidLicenseChanges} = require('../src/licenses'))
const changes: Changes = [npmChange, rubyChange]
const changes: Changes = [
{...npmChange, license: 'Foo'},
{...rubyChange, license: 'Bar'}
]
const invalidLicenses = await getInvalidLicenseChanges(changes, {
allow: ['BSD']
allow: ['Apache-2.0']
})
expect(invalidLicenses.forbidden.length).toEqual(0)
expect(invalidLicenses.unlicensed.length).toEqual(0)
@@ -182,8 +179,8 @@ test('it adds all licenses to unresolved if it is unable to determine the validi
test('it does not filter out changes that are on the exclusions list', async () => {
const changes: Changes = [pipChange, npmChange, rubyChange]
const licensesConfig = {
allow: ['BSD'],
licenseExclusions: ['pkg:pip/package-1@1.1.1', 'pkg:npm/reeuhq@1.0.2']
allow: ['BSD-3-Clause'],
licenseExclusions: ['pkg:pypi/package-1@1.1.1', 'pkg:npm/reeuhq@1.0.2']
}
const invalidLicenses = await getInvalidLicenseChanges(
changes,
@@ -198,8 +195,8 @@ test('it does not fail when the packages dont have a valid PURL', async () => {
const changes: Changes = [emptyPurlChange, npmChange, rubyChange]
const licensesConfig = {
allow: ['BSD'],
licenseExclusions: ['pkg:pip/package-1@1.1.1', 'pkg:npm/reeuhq@1.0.2']
allow: ['BSD-3-Clause'],
licenseExclusions: ['pkg:pypi/package-1@1.1.1', 'pkg:npm/reeuhq@1.0.2']
}
const invalidLicenses = await getInvalidLicenseChanges(
@@ -212,13 +209,18 @@ test('it does not fail when the packages dont have a valid PURL', async () => {
test('it does filters out changes if they are not on the exclusions list', async () => {
const changes: Changes = [pipChange, npmChange, rubyChange]
const licensesConfig = {
allow: ['BSD'],
licenseExclusions: ['pkg:pip/notmypackage-1@1.1.1', 'pkg:npm/alsonot@1.0.2']
allow: ['BSD-3-Clause'],
licenseExclusions: [
'pkg:pypi/notmypackage-1@1.1.1',
'pkg:npm/alsonot@1.0.2'
]
}
const invalidLicenses = await getInvalidLicenseChanges(
changes,
licensesConfig
)
expect(invalidLicenses.forbidden.length).toEqual(2)
expect(invalidLicenses.forbidden[0]).toBe(pipChange)
expect(invalidLicenses.forbidden[1]).toBe(npmChange)
+186
View File
@@ -0,0 +1,186 @@
import {expect, test} from '@jest/globals'
import {parsePURL} from '../src/purl'
test('parsePURL returns an error if the purl does not start with "pkg:"', () => {
const purl = 'not-a-purl'
const result = parsePURL(purl)
expect(result.error).toEqual('package-url must start with "pkg:"')
})
test('parsePURL returns an error if the purl does not contain a type', () => {
const purl = 'pkg:/'
const result = parsePURL(purl)
expect(result.error).toEqual('package-url must contain a type')
})
test('parsePURL returns an error if the purl does not contain a namespace or name', () => {
const purl = 'pkg:ecosystem/'
const result = parsePURL(purl)
expect(result.type).toEqual('ecosystem')
expect(result.error).toEqual('package-url must contain a namespace or name')
})
test('parsePURL returns a PURL with the correct values in the happy case', () => {
const purl = 'pkg:ecosystem/namespace/name@version'
const result = parsePURL(purl)
expect(result.type).toEqual('ecosystem')
expect(result.namespace).toEqual('namespace')
expect(result.name).toEqual('name')
expect(result.version).toEqual('version')
expect(result.original).toEqual(purl)
expect(result.error).toBeNull()
})
test('parsePURL table test', () => {
const examples = [
{
purl: 'pkg:npm/@n4m3SPACE/Name@^1.2.3',
expected: {
type: 'npm',
namespace: '@n4m3SPACE',
name: 'Name',
version: '^1.2.3',
original: 'pkg:npm/@n4m3SPACE/Name@^1.2.3',
error: null
}
},
{
purl: 'pkg:golang/gopkg.in/DataDog/dd-trace-go.v1@1.63.1',
// Note: this purl is technically invalid, but we can still parse it
expected: {
type: 'golang',
namespace: 'gopkg.in',
name: 'DataDog/dd-trace-go.v1',
version: '1.63.1',
original: 'pkg:golang/gopkg.in/DataDog/dd-trace-go.v1@1.63.1',
error: null
}
},
{
purl: 'pkg:golang/github.com/pelletier/go-toml/v2',
// Note: this purl is technically invalid, but we can still parse it
expected: {
type: 'golang',
namespace: 'github.com',
name: 'pelletier/go-toml/v2',
version: null,
original: 'pkg:golang/github.com/pelletier/go-toml/v2',
error: null
}
},
{
purl: 'pkg:npm/%40ns%20foo/n%40me@1.%2f2.3',
expected: {
type: 'npm',
namespace: '@ns foo',
name: 'n@me',
version: '1./2.3',
original: 'pkg:npm/%40ns%20foo/n%40me@1.%2f2.3',
error: null
}
},
{
purl: 'pkg:ecosystem/name@version',
expected: {
type: 'ecosystem',
namespace: null,
name: 'name',
version: 'version',
original: 'pkg:ecosystem/name@version',
error: null
}
},
{
purl: 'pkg:npm/namespace/',
expected: {
type: 'npm',
namespace: 'namespace',
name: null,
version: null,
original: 'pkg:npm/namespace/',
error: null
}
},
{
purl: 'pkg:ecosystem/name',
expected: {
type: 'ecosystem',
namespace: null,
name: 'name',
version: null,
original: 'pkg:ecosystem/name',
error: null
}
},
{
purl: 'pkg:/?',
expected: {
type: '',
namespace: null,
name: null,
version: null,
original: 'pkg:/?',
error: 'package-url must contain a type'
}
},
{
purl: 'pkg:ecosystem/#',
expected: {
type: 'ecosystem',
namespace: null,
name: null,
version: null,
original: 'pkg:ecosystem/#',
error: 'package-url must contain a namespace or name'
}
},
{
purl: 'pkg:ecosystem/name@version#subpath?attributes=123',
expected: {
type: 'ecosystem',
namespace: null,
name: 'name',
version: 'version',
original: 'pkg:ecosystem/name@version#subpath?attributes=123',
error: null
}
},
{
purl: 'pkg:ecosystem/name@version#subpath',
expected: {
type: 'ecosystem',
namespace: null,
name: 'name',
version: 'version',
original: 'pkg:ecosystem/name@version#subpath',
error: null
}
},
{
purl: 'pkg:ecosystem/namespace/name@version?attributes',
expected: {
type: 'ecosystem',
namespace: 'namespace',
name: 'name',
version: 'version',
original: 'pkg:ecosystem/namespace/name@version?attributes',
error: null
}
},
{
purl: 'pkg:ecosystem/name#subpath?attributes',
expected: {
type: 'ecosystem',
namespace: null,
name: 'name',
version: null,
original: 'pkg:ecosystem/name#subpath?attributes',
error: null
}
}
]
for (const example of examples) {
const result = parsePURL(example.purl)
expect(result).toEqual(example.expected)
}
})
+61
View File
@@ -0,0 +1,61 @@
import {expect, test} from '@jest/globals'
import {Change, Changes} from '../src/schemas'
import {getScorecardLevels, getProjectUrl} from '../src/scorecard'
const npmChange: Change = {
manifest: 'package.json',
change_type: 'added',
ecosystem: 'npm',
name: 'type-is',
version: '1.6.18',
package_url: 'pkg:npm/type-is@1.6.18',
license: 'MIT',
source_repository_url: 'github.com/jshttp/type-is',
scope: 'runtime',
vulnerabilities: [
{
severity: 'critical',
advisory_ghsa_id: 'first-random_string',
advisory_summary: 'very dangerous',
advisory_url: 'github.com/future-funk'
}
]
}
const actionsChange: Change = {
manifest: 'workflow.yml',
change_type: 'added',
ecosystem: 'actions',
name: 'actions/checkout/',
version: 'v3',
package_url: 'pkg:githubactions/actions@v3',
license: 'MIT',
source_repository_url: 'null',
scope: 'runtime',
vulnerabilities: []
}
test('Get scorecard from API', async () => {
const changes: Changes = [npmChange]
const scorecard = await getScorecardLevels(changes)
expect(scorecard).not.toBeNull()
expect(scorecard.dependencies).toHaveLength(1)
expect(scorecard.dependencies[0].scorecard?.score).toBeGreaterThan(0)
})
test('Get project URL from deps.dev API', async () => {
const result = await getProjectUrl(
npmChange.ecosystem,
npmChange.name,
npmChange.version
)
expect(result).not.toBeNull()
})
test('Handles Actions special case', async () => {
const changes: Changes = [actionsChange]
const result = await getScorecardLevels(changes)
expect(result).not.toBeNull()
expect(result.dependencies).toHaveLength(1)
expect(result.dependencies[0].scorecard?.score).toBeGreaterThan(0)
})
+257
View File
@@ -0,0 +1,257 @@
import {expect, test, describe} from '@jest/globals'
import * as spdx from '../src/spdx'
describe('satisfiesAny', () => {
const units = [
{
candidate: 'MIT',
licenses: ['MIT'],
expected: true
},
{
candidate: 'MIT OR Apache-2.0',
licenses: ['MIT', 'Apache-2.0'],
expected: true
},
{
candidate: '(MIT AND ISC) OR Apache-2.0',
licenses: ['MIT', 'Apache-2.0'],
expected: true
},
{
candidate: 'MIT AND Apache-2.0',
licenses: ['MIT', 'Apache-2.0'],
expected: false
},
{
candidate: 'MIT AND BSD-3-Clause',
licenses: ['MIT', 'Apache-2.0'],
expected: false
},
// missing params, case sensitivity, syntax problems,
// or unknown licenses will return 'false'
{
candidate: 'MIT OR',
licenses: ['MIT', 'Apache-2.0'],
expected: false
},
{
candidate: '',
licenses: ['MIT', 'Apache-2.0'],
expected: false
},
{
candidate: 'MIT OR (Apache-2.0 AND ISC)',
licenses: [],
expected: false
},
{
candidate: 'MIT AND (ISC',
licenses: ['MIT', 'Apache-2.0'],
expected: false
},
{
candidate: 'MIT OR ISC',
licenses: ['MiT'],
expected: false
}
]
for (const unit of units) {
const got: boolean = spdx.satisfiesAny(unit.candidate, unit.licenses)
test(`should return ${unit.expected} for ("${unit.candidate}", "${unit.licenses}")`, () => {
expect(got).toBe(unit.expected)
})
}
})
describe('satisfiesAll', () => {
const units = [
{
candidate: 'MIT',
licenses: ['MIT'],
expected: true
},
{
candidate: 'Apache-2.0',
licenses: ['MIT', 'ISC', 'Apache-2.0'],
expected: false
},
{
candidate: 'MIT AND Apache-2.0',
licenses: ['MIT', 'Apache-2.0'],
expected: true
},
{
candidate: '(MIT OR ISC) AND Apache-2.0',
licenses: ['MIT', 'Apache-2.0'],
expected: true
},
{
candidate: 'MIT OR BSD-3-Clause',
licenses: ['MIT', 'Apache-2.0'],
expected: false
},
{
candidate: 'BSD-3-Clause OR ISC',
licenses: ['MIT', 'Apache-2.0'],
expected: false
},
{
candidate: '(MIT AND ISC) OR Apache-2.0',
licenses: ['MIT', 'ISC'],
expected: true
},
// missing params, case sensitivity, syntax problems,
// or unknown licenses will return 'false'
{
candidate: 'MIT OR',
licenses: ['MIT', 'Apache-2.0'],
expected: false
},
{
candidate: '',
licenses: ['MIT', 'Apache-2.0'],
expected: false
},
{
candidate: 'MIT OR (Apache-2.0 AND ISC)',
licenses: [],
expected: false
},
{
candidate: 'MIT AND (ISC',
licenses: ['MIT', 'Apache-2.0'],
expected: false
},
{
candidate: 'MIT OR ISC',
licenses: ['MiT'],
expected: false
}
]
for (const unit of units) {
const got: boolean = spdx.satisfiesAll(unit.candidate, unit.licenses)
test(`should return ${unit.expected} for ("${unit.candidate}", "${unit.licenses}")`, () => {
expect(got).toBe(unit.expected)
})
}
})
describe('satisfies', () => {
const units = [
{
candidate: 'MIT',
constraint: 'MIT',
expected: true
},
{
candidate: 'Apache-2.0',
constraint: 'MIT',
expected: false
},
{
candidate: 'MIT OR Apache-2.0',
constraint: 'MIT',
expected: true
},
{
candidate: 'MIT OR Apache-2.0',
constraint: 'Apache-2.0',
expected: true
},
{
candidate: 'MIT OR Apache-2.0',
constraint: 'BSD-3-Clause',
expected: false
},
{
candidate: 'MIT OR Apache-2.0',
constraint: 'Apache-2.0 OR BSD-3-Clause',
expected: true
},
{
candidate: 'MIT AND Apache-2.0',
constraint: 'MIT AND Apache-2.0',
expected: true
},
{
candidate: 'MIT OR Apache-2.0',
constraint: 'MIT AND Apache-2.0',
expected: false
},
{
candidate: 'ISC OR (MIT AND Apache-2.0)',
constraint: 'MIT AND Apache-2.0',
expected: true
},
// missing params, case sensitivity, syntax problems,
// or unknown licenses will return 'false'
{
candidate: 'MIT',
constraint: 'MiT',
expected: false
},
{
candidate: 'MIT AND (ISC OR',
constraint: 'MIT',
expected: false
},
{
candidate: 'MIT OR ISC OR Apache-2.0',
constraint: '',
expected: false
},
{
candidate: '',
constraint: '(BSD-3-Clause AND ISC) OR MIT',
expected: false
}
]
for (const unit of units) {
const got: boolean = spdx.satisfies(unit.candidate, unit.constraint)
test(`should return ${unit.expected} for ("${unit.candidate}", "${unit.constraint}")`, () => {
expect(got).toBe(unit.expected)
})
}
})
describe('isValid', () => {
const units = [
{
candidate: 'MIT',
expected: true
},
{
candidate: 'MIT AND BSD-3-Clause',
expected: true
},
{
candidate: '(MIT AND ISC) OR BSD-3-Clause',
expected: true
},
{
candidate: 'NOASSERTION',
expected: false
},
{
candidate: 'Foobar',
expected: false
},
{
candidate: '',
expected: false
}
]
for (const unit of units) {
const got: boolean = spdx.isValid(unit.candidate)
test(`should return ${unit.expected} for ("${unit.candidate}")`, () => {
expect(got).toBe(unit.expected)
})
}
})
+78 -9
View File
@@ -1,5 +1,5 @@
import {expect, jest, test} from '@jest/globals'
import {Changes, ConfigurationOptions} from '../src/schemas'
import {Change, Changes, ConfigurationOptions, Scorecard} from '../src/schemas'
import * as summary from '../src/summary'
import * as core from '@actions/core'
import {createTestChange} from './fixtures/create-test-change'
@@ -16,6 +16,9 @@ const emptyInvalidLicenseChanges = {
unresolved: [],
unlicensed: []
}
const emptyScorecard: Scorecard = {
dependencies: []
}
const defaultConfig: ConfigurationOptions = {
vulnerability_check: true,
license_check: true,
@@ -28,7 +31,10 @@ const defaultConfig: ConfigurationOptions = {
deny_groups: [],
comment_summary_in_pr: true,
retry_on_snapshot_warnings: false,
retry_on_snapshot_warnings_timeout: 120
retry_on_snapshot_warnings_timeout: 120,
warn_only: false,
warn_on_openssf_scorecard_level: 3,
show_openssf_scorecard: false
}
const changesWithEmptyManifests: Changes = [
@@ -70,11 +76,32 @@ const changesWithEmptyManifests: Changes = [
}
]
const scorecard: Scorecard = {
dependencies: [
{
change: {
change_type: 'added',
manifest: '',
ecosystem: 'unknown',
name: 'castore',
version: '0.1.17',
package_url: 'pkg:hex/castore@0.1.17',
license: null,
source_repository_url: null,
scope: 'runtime',
vulnerabilities: []
},
scorecard: null
}
]
}
test('prints headline as h1', () => {
summary.addSummaryToSummary(
emptyChanges,
emptyInvalidLicenseChanges,
emptyChanges,
scorecard,
defaultConfig
)
const text = core.summary.stringify()
@@ -82,11 +109,50 @@ test('prints headline as h1', () => {
expect(text).toContain('<h1>Dependency Review</h1>')
})
test('returns minimal summary formatted for posting as a PR comment', () => {
const OLD_ENV = process.env
let changes: Changes = [
createTestChange({name: 'lodash', version: '1.2.3'}),
createTestChange({name: 'colors', version: '2.3.4'}),
createTestChange({name: '@foo/bar', version: '*'})
]
process.env.GITHUB_SERVER_URL = 'https://github.com'
process.env.GITHUB_REPOSITORY = 'owner/repo'
process.env.GITHUB_RUN_ID = 'abc-123-xyz'
let minSummary: string = summary.addSummaryToSummary(
changes,
emptyInvalidLicenseChanges,
emptyChanges,
scorecard,
defaultConfig
)
process.env = OLD_ENV
// note: no Actions context values in unit test env
const expected = `
# Dependency Review
The following issues were found:
* ❌ 3 vulnerable package(s)
* ✅ 0 package(s) with incompatible licenses
* ✅ 0 package(s) with invalid SPDX license definitions
* ✅ 0 package(s) with unknown licenses.
[View full job summary](https://github.com/owner/repo/actions/runs/abc-123-xyz)
`.trim()
expect(minSummary).toEqual(expected)
})
test('only includes "No vulnerabilities or license issues found"-message if both are configured and nothing was found', () => {
summary.addSummaryToSummary(
emptyChanges,
emptyInvalidLicenseChanges,
emptyChanges,
emptyScorecard,
defaultConfig
)
const text = core.summary.stringify()
@@ -100,6 +166,7 @@ test('only includes "No vulnerabilities found"-message if "license_check" is set
emptyChanges,
emptyInvalidLicenseChanges,
emptyChanges,
emptyScorecard,
config
)
const text = core.summary.stringify()
@@ -113,6 +180,7 @@ test('only includes "No license issues found"-message if "vulnerability_check" i
emptyChanges,
emptyInvalidLicenseChanges,
emptyChanges,
emptyScorecard,
config
)
const text = core.summary.stringify()
@@ -125,16 +193,13 @@ test('groups dependencies with empty manifest paths together', () => {
changesWithEmptyManifests,
emptyInvalidLicenseChanges,
emptyChanges,
emptyScorecard,
defaultConfig
)
summary.addScannedDependencies(changesWithEmptyManifests)
summary.addScannedFiles(changesWithEmptyManifests)
const text = core.summary.stringify()
expect(text).toContain('<summary>Unnamed Manifest</summary>')
expect(text).toContain('castore')
expect(text).toContain('connection')
expect(text).toContain('<summary>python/dist-info/METADATA</summary>')
expect(text).toContain('pygments')
expect(text).toContain('Unnamed Manifest')
expect(text).toContain('python/dist-info/METADATA')
})
test('does not include status section if nothing was found', () => {
@@ -142,6 +207,7 @@ test('does not include status section if nothing was found', () => {
emptyChanges,
emptyInvalidLicenseChanges,
emptyChanges,
emptyScorecard,
defaultConfig
)
const text = core.summary.stringify()
@@ -164,6 +230,7 @@ test('includes count and status icons for all findings', () => {
vulnerabilities,
licenseIssues,
emptyChanges,
emptyScorecard,
defaultConfig
)
@@ -183,6 +250,7 @@ test('uses checkmarks for license issues if only vulnerabilities were found', ()
vulnerabilities,
emptyInvalidLicenseChanges,
emptyChanges,
emptyScorecard,
defaultConfig
)
@@ -206,6 +274,7 @@ test('uses checkmarks for vulnerabilities if only license issues were found', ()
emptyChanges,
licenseIssues,
emptyChanges,
emptyScorecard,
defaultConfig
)
+5 -1
View File
@@ -11,6 +11,7 @@ export function clearInputs(): void {
'FAIL-ON-SEVERITY',
'FAIL-ON-SCOPES',
'ALLOW-LICENSES',
'ALLOW-DEPENDENCIES-LICENSES',
'DENY-LICENSES',
'ALLOW-GHSAS',
'LICENSE-CHECK',
@@ -18,7 +19,10 @@ export function clearInputs(): void {
'CONFIG-FILE',
'BASE-REF',
'HEAD-REF',
'COMMENT-SUMMARY-IN-PR'
'COMMENT-SUMMARY-IN-PR',
'WARN-ONLY',
'DENY-GROUPS',
'DENY-PACKAGES'
]
// eslint-disable-next-line github/array-foreach
+35 -8
View File
@@ -1,5 +1,13 @@
# Avoid using default values for options here since they will
# end up overriding external configurations.
# IMPORTANT
#
# Avoid setting default values for configuration options in
# this file, they will overwrite external configurations.
#
# If you are trying to find out the default value for a config
# option please take a look at the README or src/schemas.ts.
#
# If you are adding an option, make sure the Zod definition
# contains a default value.
name: 'Dependency Review'
description: 'Prevent the introduction of dependencies with known vulnerabilities'
author: 'GitHub'
@@ -30,7 +38,7 @@ inputs:
description: Comma-separated list of forbidden licenses (e.g. "MIT, GPL 3.0, BSD 2 Clause")
required: false
allow-dependencies-licenses:
description: Comma-separated list of dependencies in purl format (e.g. "pkg:npm/express, pkg:pip/pycrypto"). These dependencies will be permitted to use any license, no matter what license policy is enforced otherwise.
description: Comma-separated list of dependencies in purl format (e.g. "pkg:npm/express, pkg:pypi/pycrypto"). These dependencies will be permitted to use any license, no matter what license policy is enforced otherwise.
required: false
allow-ghsas:
description: Comma-separated list of allowed GitHub Advisory IDs (e.g. "GHSA-abcd-1234-5679, GHSA-efgh-1234-5679")
@@ -48,19 +56,38 @@ inputs:
description: Determines if the summary is posted as a comment in the PR itself. Setting this to `always` or `on-failure` requires you to give the workflow the write permissions for pull-requests
required: false
deny-packages:
description: A comma-separated list of package URLs to deny (e.g. "pkg:npm/express, pkg:pip/pycrypto")
description: A comma-separated list of package URLs to deny (e.g. "pkg:npm/express, pkg:pypi/pycrypto"). If version specified, only deny matching packages and version; else, deny all regardless of version.
required: false
deny-groups:
description: A comma-separated list of package URLs for group(s)/namespace(s) to deny (e.g. "pkg:npm/express, pkg:pip/pycrypto")
description: A comma-separated list of package URLs for group(s)/namespace(s) to deny (e.g. "pkg:npm/express/, pkg:pypi/pycrypto/"). Please note that the group name must be followed by a `/`.
required: false
retry-on-snapshot-warnings:
description: Whether to retry on snapshot warnings
required: false
default: false
retry-on-snapshot-warnings-timeout:
description: Number of seconds to wait before stopping snapshot retries.
required: false
default: 120
warn-only:
description: When set to `true` this action will always complete with success, overriding the `fail-on-severity` parameter.
required: false
show-openssf-scorecard:
description: Show a summary of the OpenSSF Scorecard scores.
required: false
warn-on-openssf-scorecard-level:
description: Numeric threshold for the OpenSSF Scorecard score. If the score is below this threshold, the action will warn you.
required: false
outputs:
comment-content:
description: Prepared dependency report comment
dependency-changes:
description: All dependency changes (JSON)
vulnerable-changes:
description: Vulnerable dependency changes (JSON)
invalid-license-changes:
description: Invalid license dependency changes (JSON)
denied-changes:
description: Denied dependency changes (JSON)
runs:
using: 'node16'
using: 'node20'
main: 'dist/index.js'
Generated Vendored
+30127 -28232
View File
File diff suppressed because one or more lines are too long
Generated Vendored
+1 -1
View File
File diff suppressed because one or more lines are too long
Generated Vendored
+312 -193
View File
@@ -47,6 +47,28 @@ WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
@fastify/busboy
MIT
Copyright Brian White. All rights reserved.
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to
deal in the Software without restriction, including without limitation the
rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
sell copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
IN THE SOFTWARE.
@octokit/app
MIT
The MIT License
@@ -322,6 +344,17 @@ The above copyright notice and this permission notice shall be included in all c
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
@octokit/plugin-paginate-graphql
MIT
MIT License Copyright (c) 2019 Octokit contributors
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice (including the next paragraph) shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
@octokit/plugin-paginate-rest
MIT
MIT License Copyright (c) 2019 Octokit contributors
@@ -481,15 +514,30 @@ The above copyright notice and this permission notice shall be included in all c
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
@vercel/ncc
@onebeyond/spdx-license-satisfies
MIT
Copyright 2018 ZEIT, Inc.
The MIT License
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
Copyright (c) spdx-satisfies.js contributors
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
Permission is hereby granted, free of charge, to any person obtaining a
copy of this software and associated documentation files (the "Software"),
to deal in the Software without restriction, including without limitation
the rights to use, copy, modify, merge, publish, distribute, sublicense,
and/or sell copies of the Software, and to permit persons to whom the
Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included
in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR
OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
OTHER DEALINGS IN THE SOFTWARE.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
aggregate-error
MIT
@@ -1046,30 +1094,6 @@ Apache License
limitations under the License.
fromentries
MIT
The MIT License (MIT)
Copyright (c) Feross Aboukhadijeh
Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
the Software, and to permit persons to whom the Software is furnished to do so,
subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
indent-string
MIT
MIT License
@@ -1083,31 +1107,6 @@ The above copyright notice and this permission notice shall be included in all c
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
is-plain-object
MIT
The MIT License (MIT)
Copyright (c) 2014-2017, Jon Schlinkert.
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.
jsonwebtoken
MIT
The MIT License (MIT)
@@ -1175,9 +1174,240 @@ FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TOR
ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
lodash
lodash.includes
MIT
Copyright OpenJS Foundation and other contributors <https://openjsf.org/>
Copyright jQuery Foundation and other contributors <https://jquery.org/>
Based on Underscore.js, copyright Jeremy Ashkenas,
DocumentCloud and Investigative Reporters & Editors <http://underscorejs.org/>
This software consists of voluntary contributions made by many
individuals. For exact contribution history, see the revision history
available at https://github.com/lodash/lodash
The following license applies to all parts of this software except as
documented below:
====
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
====
Copyright and related rights for sample code are waived via CC0. Sample
code is defined as all source code displayed within the prose of the
documentation.
CC0: http://creativecommons.org/publicdomain/zero/1.0/
====
Files located in the node_modules and vendor directories are externally
maintained libraries used by this software which have their own
licenses; we recommend you read them, as their terms may differ from the
terms above.
lodash.isboolean
MIT
Copyright 2012-2016 The Dojo Foundation <http://dojofoundation.org/>
Based on Underscore.js, copyright 2009-2016 Jeremy Ashkenas,
DocumentCloud and Investigative Reporters & Editors <http://underscorejs.org/>
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
lodash.isinteger
MIT
Copyright jQuery Foundation and other contributors <https://jquery.org/>
Based on Underscore.js, copyright Jeremy Ashkenas,
DocumentCloud and Investigative Reporters & Editors <http://underscorejs.org/>
This software consists of voluntary contributions made by many
individuals. For exact contribution history, see the revision history
available at https://github.com/lodash/lodash
The following license applies to all parts of this software except as
documented below:
====
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
====
Copyright and related rights for sample code are waived via CC0. Sample
code is defined as all source code displayed within the prose of the
documentation.
CC0: http://creativecommons.org/publicdomain/zero/1.0/
====
Files located in the node_modules and vendor directories are externally
maintained libraries used by this software which have their own
licenses; we recommend you read them, as their terms may differ from the
terms above.
lodash.isnumber
MIT
Copyright 2012-2016 The Dojo Foundation <http://dojofoundation.org/>
Based on Underscore.js, copyright 2009-2016 Jeremy Ashkenas,
DocumentCloud and Investigative Reporters & Editors <http://underscorejs.org/>
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
lodash.isplainobject
MIT
Copyright jQuery Foundation and other contributors <https://jquery.org/>
Based on Underscore.js, copyright Jeremy Ashkenas,
DocumentCloud and Investigative Reporters & Editors <http://underscorejs.org/>
This software consists of voluntary contributions made by many
individuals. For exact contribution history, see the revision history
available at https://github.com/lodash/lodash
The following license applies to all parts of this software except as
documented below:
====
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
====
Copyright and related rights for sample code are waived via CC0. Sample
code is defined as all source code displayed within the prose of the
documentation.
CC0: http://creativecommons.org/publicdomain/zero/1.0/
====
Files located in the node_modules and vendor directories are externally
maintained libraries used by this software which have their own
licenses; we recommend you read them, as their terms may differ from the
terms above.
lodash.isstring
MIT
Copyright 2012-2016 The Dojo Foundation <http://dojofoundation.org/>
Based on Underscore.js, copyright 2009-2016 Jeremy Ashkenas,
DocumentCloud and Investigative Reporters & Editors <http://underscorejs.org/>
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
lodash.once
MIT
Copyright jQuery Foundation and other contributors <https://jquery.org/>
Based on Underscore.js, copyright Jeremy Ashkenas,
DocumentCloud and Investigative Reporters & Editors <http://underscorejs.org/>
@@ -1230,7 +1460,7 @@ lru-cache
ISC
The ISC License
Copyright (c) Isaac Z. Schlueter and Contributors
Copyright (c) 2010-2023 Isaac Z. Schlueter and Contributors
Permission to use, copy, modify, and/or distribute this software for any
purpose with or without fee is hereby granted, provided that the above
@@ -1270,32 +1500,6 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
node-fetch
MIT
The MIT License (MIT)
Copyright (c) 2016 David Frank
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
octokit
MIT
The MIT License
@@ -1340,28 +1544,6 @@ ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
packageurl-js
MIT
Copyright (c) the purl authors
Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
the Software, and to permit persons to whom the Software is furnished to do so,
subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
safe-buffer
MIT
The MIT License (MIT)
@@ -1464,34 +1646,6 @@ The above copyright notice and this permission notice shall be included in all c
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
spdx-satisfies
MIT
The MIT License
Copyright (c) spdx-satisfies.js contributors
Permission is hereby granted, free of charge, to any person obtaining a
copy of this software and associated documentation files (the "Software"),
to deal in the Software without restriction, including without limitation
the rights to use, copy, modify, merge, publish, distribute, sublicense,
and/or sell copies of the Software, and to permit persons to whom the
Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included
in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR
OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
OTHER DEALINGS IN THE SOFTWARE.
tr46
MIT
tunnel
MIT
The MIT License (MIT)
@@ -1517,6 +1671,31 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.
undici
MIT
MIT License
Copyright (c) Matteo Collina and Undici contributors
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
universal-github-app-jwt
MIT
The MIT License
@@ -1566,47 +1745,6 @@ The above copyright notice and this permission notice shall be included in all c
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
webidl-conversions
BSD-2-Clause
# The BSD 2-Clause License
Copyright (c) 2014, Domenic Denicola
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
whatwg-url
MIT
The MIT License (MIT)
Copyright (c) 20152016 Sebastian Mayr
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.
wrappy
ISC
The ISC License
@@ -1626,25 +1764,6 @@ ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
yallist
ISC
The ISC License
Copyright (c) Isaac Z. Schlueter and Contributors
Permission to use, copy, modify, and/or distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
yaml
ISC
Copyright Eemeli Aro <eemeli@gmail.com>
+72 -28
View File
@@ -1,4 +1,4 @@
# Examples on how to use the Dependancy Review Action
# Examples on how to use the Dependency Review Action
## Basic Usage
@@ -18,9 +18,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
uses: actions/dependency-review-action@v4
```
## Using an inline configuration
@@ -39,9 +39,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
uses: actions/dependency-review-action@v4
with:
fail-on-severity: critical
deny-licenses: LGPL-2.0, BSD-2-Clause
@@ -62,7 +62,7 @@ allow_licenses:
- 'BSD-2-Clause'
```
The Dependancy Review Action workflow file will then look like this:
The Dependency Review Action workflow file will then look like this:
```yaml
name: 'Dependency Review'
@@ -76,9 +76,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
uses: actions/dependency-review-action@v4
with:
config-file: './.github/dependency-review-config.yml'
```
@@ -103,9 +103,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
uses: actions/dependency-review-action@v4
with:
config-file: 'github/octorepo/dependency-review-config.yml@main'
```
@@ -130,9 +130,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
uses: actions/dependency-review-action@v4
with:
config-file: 'github/octorepo-private/dependency-review-config.yml@main'
external-repo-token: ${{ secrets.GITHUB_TOKEN }} # or a personal access token
@@ -155,15 +155,58 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
uses: actions/dependency-review-action@v4
with:
fail-on-severity: critical
deny-licenses: LGPL-2.0, BSD-2-Clause
comment-summary-in-pr: always
```
## Getting the results of the action in a later step
- `comment-content` contains the output of the results comment for the entire run.
`dependency-changes`, `vulnerable-changes`, `invalid-license-changes` and `denied-changes` are all JSON objects that allow you to access individual sets of changes.
```yaml
name: 'Dependency Review'
on: [pull_request]
permissions:
contents: read
pull-requests: write
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v4
- name: 'Dependency Review'
id: review
uses: actions/dependency-review-action@v4
with:
fail-on-severity: critical
deny-licenses: LGPL-2.0, BSD-2-Clause
- name: 'Report'
# make sure this step runs even if the previous failed
if: ${{ failure() && steps.review.conclusion == 'failure' }}
shell: bash
env: # store comment HTML data in an environment variable
COMMENT: ${{ steps.review.outputs.comment-content }}
run: | # do something with the comment:
echo "$COMMENT"
- name: 'List vulnerable dependencies'
# make sure this step runs even if the previous failed
if: ${{ failure() && steps.review.conclusion == 'failure' }}
shell: bash
env: # store JSON data in an environment variable
VULNERABLE_CHANGES: ${{ steps.review.outputs.vulnerable-changes }}
run: | # do something with the JSON:
echo "$VULNERABLE_CHANGES" | jq '.[].package_url'
```
## Exclude dependencies from the license check
Using the `allow-dependencies-licenses` you can exclude dependencies from the license check. The values should be provided in [purl](https://github.com/package-url/purl-spec) format.
@@ -183,14 +226,14 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
uses: actions/dependency-review-action@v4
with:
fail-on-severity: critical
deny-licenses: LGPL-2.0, BSD-2-Clause
comment-summary-in-pr: always
allow-dependencies-licenses: 'pkg:npm/loadash, pkg:pip/requests'
allow-dependencies-licenses: 'pkg:npm/loadash, pkg:pypi/requests'
```
If we were to use configuration file, the configuration would look like this:
@@ -202,7 +245,7 @@ allow-licenses:
- 'BSD-2-Clause'
allow-dependencies-licenses:
- 'pkg:npm/loadash'
- 'pkg:pip/requests'
- 'pkg:pypi/requests'
```
## Only check for vulnerabilities
@@ -222,9 +265,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
uses: actions/dependency-review-action@v4
with:
fail-on-severity: critical
comment-summary-in-pr: always
@@ -233,10 +276,11 @@ jobs:
## Exclude dependencies from their name or groups
Using the `deny-packages` option you can exclude dependencies by their PURL. You can add multiple values separated by a commas.
With the `deny-packages` option, you can exclude dependencies based on their PURL (Package URL). If a specific version is provided, the action will deny packages matching that version. When no version is specified, the action treats it as a wildcard, denying all matching packages regardless of version. Multiple values can be added, separated by commas.
Using the `deny-groups` option you can exclude dependencies by their group name/namespace. You can add multiple values separated by a comma.
In this example, we are excluding `pkg:maven/org.apache.logging.log4j:log4j-api` and `pkg:maven/org.apache.logging.log4j/log4j-core` from `maven` and all packages in the group `pkg:maven/com.bazaarvoice.maven`
In this example, we are excluding all versions of `pkg:maven/org.apache.logging.log4j:log4j-api` and only `2.23.0` of log4j-core `pkg:maven/org.apache.logging.log4j/log4j-core@2.23.0` from `maven` and all packages in the group `pkg:maven/com.bazaarvoice.maven/`
```yaml
name: 'Dependency Review'
@@ -251,12 +295,12 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
uses: actions/dependency-review-action@v4
with:
deny-packages: 'pkg:maven/org.apache.logging.log4j/log4j-api,pkg:maven/org.apache.logging.log4j/log4j-core'
deny-groups: 'pkg:maven/com.bazaarvoice.jolt'
deny-packages: 'pkg:maven/org.apache.logging.log4j/log4j-api,pkg:maven/org.apache.logging.log4j/log4j-core@2.23.0'
deny-groups: 'pkg:maven/com.bazaarvoice.jolt/'
```
## Waiting for dependency submission jobs to complete
@@ -285,9 +329,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
uses: actions/dependency-review-action@v4
with:
retry-on-snapshot-warnings: true
retry-on-snapshot-warnings-timeout: 60
+2229 -3223
View File
File diff suppressed because it is too large Load Diff
+25 -25
View File
@@ -1,6 +1,6 @@
{
"name": "dependency-review-action",
"version": "3.1.0",
"version": "4.3.5",
"private": true,
"description": "A GitHub Action for Dependency Review",
"main": "lib/main.js",
@@ -25,37 +25,37 @@
"author": "GitHub",
"license": "MIT",
"dependencies": {
"@actions/core": "^1.10.0",
"@actions/github": "^5.1.1",
"@octokit/plugin-retry": "^5.0.4",
"@actions/core": "^1.10.1",
"@actions/github": "^6.0.0",
"@octokit/plugin-retry": "^6.0.1",
"@octokit/request-error": "^5.0.1",
"@onebeyond/spdx-license-satisfies": "^1.0.1",
"ansi-styles": "^6.2.1",
"got": "^13.0.0",
"octokit": "^2.1.0",
"packageurl-js": "^1.0.2",
"got": "^14.4.2",
"jest": "^29.7.0",
"octokit": "^3.1.2",
"spdx-expression-parse": "^3.0.1",
"spdx-satisfies": "^5.0.1",
"yaml": "^2.3.2",
"zod": "^3.22.2"
"ts-jest": "^29.2.5",
"yaml": "^2.3.4",
"zod": "^3.23.8"
},
"devDependencies": {
"@types/jest": "^27.5.2",
"@types/node": "^16.18.48",
"@types/spdx-expression-parse": "^3.0.2",
"@types/spdx-satisfies": "^0.1.0",
"@typescript-eslint/eslint-plugin": "^6.7.2",
"@typescript-eslint/parser": "^6.6.0",
"@vercel/ncc": "^0.36.1",
"@types/jest": "^29.5.12",
"@types/node": "^20",
"@types/spdx-expression-parse": "^3.0.4",
"@types/spdx-satisfies": "^0.1.1",
"@typescript-eslint/eslint-plugin": "^6.21.0",
"@typescript-eslint/parser": "^6.21.0",
"@vercel/ncc": "^0.38.0",
"esbuild-register": "^3.5.0",
"eslint": "^8.48.0",
"eslint-plugin-github": "^4.8.0",
"eslint-plugin-jest": "^27.2.2",
"eslint-plugin-prettier": "^5.0.0",
"jest": "^27.5.1",
"eslint": "^8.57.0",
"eslint-plugin-github": "^4.10.2",
"eslint-plugin-jest": "^28.8.3",
"eslint-plugin-prettier": "^5.1.3",
"js-yaml": "^4.1.0",
"nodemon": "^3.0.1",
"prettier": "3.0.2",
"ts-jest": "^27.1.4",
"typescript": "^4.9.5"
"nodemon": "^3.1.0",
"prettier": "3.2.5",
"typescript": "^5.4.5"
}
}
+36 -7
View File
@@ -6,7 +6,7 @@
* npx ts-node scripts/create_summary.ts
*/
import {Change, Changes, ConfigurationOptions} from '../src/schemas'
import {Change, Changes, ConfigurationOptions, Scorecard} from '../src/schemas'
import {createTestChange} from '../__tests__/fixtures/create-test-change'
import {InvalidLicenseChanges} from '../src/licenses'
import * as fs from 'fs'
@@ -26,13 +26,36 @@ const defaultConfig: ConfigurationOptions = {
deny_groups: [],
allow_dependencies_licenses: [
'pkg:npm/express@4.17.1',
'pkg:pip/requests',
'pkg:pip/certifi',
'pkg:pip/pycrypto@2.6.1'
'pkg:pypi/requests',
'pkg:pypi/certifi',
'pkg:pypi/pycrypto@2.6.1'
],
comment_summary_in_pr: true,
retry_on_snapshot_warnings: false,
retry_on_snapshot_warnings_timeout: 120
retry_on_snapshot_warnings_timeout: 120,
warn_only: false,
warn_on_openssf_scorecard_level: 3,
show_openssf_scorecard: true
}
const scorecard: Scorecard = {
dependencies: [
{
change: {
change_type: 'added',
manifest: '',
ecosystem: 'unknown',
name: 'castore',
version: '0.1.17',
package_url: 'pkg:hex/castore@0.1.17',
license: null,
source_repository_url: null,
scope: 'runtime',
vulnerabilities: []
},
scorecard: null
}
]
}
const tmpDir = path.resolve(__dirname, '../tmp')
@@ -100,7 +123,13 @@ async function createSummary(
config: ConfigurationOptions,
fileName: string
): Promise<void> {
summary.addSummaryToSummary(vulnerabilities, licenseIssues, denied, config)
summary.addSummaryToSummary(
vulnerabilities,
licenseIssues,
denied,
scorecard,
config
)
summary.addChangeVulnerabilitiesToSummary(
vulnerabilities,
config.fail_on_severity
@@ -114,7 +143,7 @@ async function createSummary(
...licenseIssues.unlicensed
]
summary.addScannedDependencies(allChanges)
summary.addScannedFiles(allChanges)
const text = core.summary.stringify()
await fs.promises.writeFile(path.resolve(tmpDir, fileName), text, {
+20 -4
View File
@@ -3,6 +3,9 @@ import * as core from '@actions/core'
import * as githubUtils from '@actions/github/lib/utils'
import * as retry from '@octokit/plugin-retry'
import {RequestError} from '@octokit/request-error'
import {ConfigurationOptions} from './schemas'
export const MAX_COMMENT_LENGTH = 65536
const retryingOctokit = githubUtils.GitHub.plugin(retry.retry)
const octo = new retryingOctokit(
@@ -12,7 +15,20 @@ const octo = new retryingOctokit(
// Comment Marker to identify an existing comment to update, so we don't spam the PR with comments
const COMMENT_MARKER = '<!-- dependency-review-pr-comment-marker -->'
export async function commentPr(summary: typeof core.summary): Promise<void> {
export async function commentPr(
commentContent: string,
config: ConfigurationOptions
): Promise<void> {
if (
!(
config.comment_summary_in_pr === 'always' ||
(config.comment_summary_in_pr === 'on-failure' &&
process.exitCode === core.ExitCode.Failure)
)
) {
return
}
if (!github.context.payload.pull_request) {
core.warning(
'Not in the context of a pull request. Skipping comment creation.'
@@ -20,7 +36,7 @@ export async function commentPr(summary: typeof core.summary): Promise<void> {
return
}
const commentBody = `${summary.stringify()}\n\n${COMMENT_MARKER}`
const commentBody = `${commentContent}\n\n${COMMENT_MARKER}`
try {
const existingCommentId = await findCommentByMarker(COMMENT_MARKER)
@@ -74,8 +90,8 @@ async function findCommentByMarker(
)
for await (const {data: comments} of commentsIterator) {
const existingComment = comments.find(
comment => comment.body?.includes(commentBodyIncludes)
const existingComment = comments.find(comment =>
comment.body?.includes(commentBodyIncludes)
)
if (existingComment) return existingComment.id
}
+15 -27
View File
@@ -4,8 +4,8 @@ import YAML from 'yaml'
import * as core from '@actions/core'
import * as z from 'zod'
import {ConfigurationOptions, ConfigurationOptionsSchema} from './schemas'
import {isSPDXValid, octokitClient} from './utils'
import {PackageURL} from 'packageurl-js'
import {octokitClient} from './utils'
import {isValid} from './spdx'
type ConfigurationOptionsPartial = Partial<ConfigurationOptions>
@@ -47,8 +47,12 @@ function readInlineConfig(): ConfigurationOptionsPartial {
const retry_on_snapshot_warnings_timeout = getOptionalNumber(
'retry-on-snapshot-warnings-timeout'
)
const warn_only = getOptionalBoolean('warn-only')
const show_openssf_scorecard = getOptionalBoolean('show-openssf-scorecard')
const warn_on_openssf_scorecard_level = getOptionalNumber(
'warn-on-openssf-scorecard-level'
)
validatePURL(allow_dependencies_licenses)
validateLicenses('allow-licenses', allow_licenses)
validateLicenses('deny-licenses', deny_licenses)
@@ -67,7 +71,10 @@ function readInlineConfig(): ConfigurationOptionsPartial {
head_ref,
comment_summary_in_pr,
retry_on_snapshot_warnings,
retry_on_snapshot_warnings_timeout
retry_on_snapshot_warnings_timeout,
warn_only,
show_openssf_scorecard,
warn_on_openssf_scorecard_level
}
return Object.fromEntries(
@@ -107,10 +114,12 @@ function validateLicenses(
return
}
const invalid_licenses = licenses.filter(license => !isSPDXValid(license))
const invalid_licenses = licenses.filter(license => !isValid(license))
if (invalid_licenses.length > 0) {
throw new Error(`Invalid license(s) in ${key}: ${invalid_licenses}`)
throw new Error(
`Invalid license(s) in ${key}: ${invalid_licenses.join(', ')}`
)
}
}
@@ -176,11 +185,6 @@ function parseConfigFile(configData: string): ConfigurationOptionsPartial {
validateLicenses(key, data[key])
}
// validate purls from the allow-dependencies-licenses
if (key === 'allow-dependencies-licenses') {
validatePURL(data[key])
}
// get rid of the ugly dashes from the actions conventions
if (key.includes('-')) {
data[key.replace(/-/g, '_')] = data[key]
@@ -219,19 +223,3 @@ async function getRemoteConfig(configOpts: {
throw new Error('Error fetching remote config file')
}
}
function validatePURL(allow_dependencies_licenses: string[] | undefined): void {
//validate that the provided elements of the string are in valid purl format
if (allow_dependencies_licenses === undefined) {
return
}
const invalid_purls = allow_dependencies_licenses.filter(
purl => !PackageURL.fromString(purl)
)
if (invalid_purls.length > 0) {
throw new Error(
`Invalid purl(s) in allow-dependencies-licenses: ${invalid_purls}`
)
}
return
}
+34 -20
View File
@@ -1,38 +1,41 @@
import {Change} from './schemas'
import * as core from '@actions/core'
import {Change} from './schemas'
import {PackageURL, parsePURL} from './purl'
export async function getDeniedChanges(
changes: Change[],
deniedPackages: string[],
deniedGroups: string[]
deniedPackages: PackageURL[] = [],
deniedGroups: PackageURL[] = []
): Promise<Change[]> {
const changesDenied: Change[] = []
let failed = false
let hasDeniedPackage = false
for (const change of changes) {
change.name = change.name.toLowerCase()
const packageUrl = change.package_url.toLowerCase().split('@')[0]
if (deniedPackages) {
for (const denied of deniedPackages) {
if (packageUrl === denied.split('@')[0].toLowerCase()) {
changesDenied.push(change)
failed = true
}
for (const denied of deniedPackages) {
if (
(!denied.version || change.version === denied.version) &&
change.name === denied.name
) {
changesDenied.push(change)
hasDeniedPackage = true
}
}
if (deniedGroups) {
for (const denied of deniedGroups) {
if (packageUrl.startsWith(denied.toLowerCase())) {
changesDenied.push(change)
failed = true
}
for (const denied of deniedGroups) {
const namespace = getNamespace(change)
if (!denied.namespace) {
core.error(
`Denied group represented by '${denied.original}' does not have a namespace. The format should be 'pkg:<type>/<namespace>/'.`
)
}
if (namespace && namespace === denied.namespace) {
changesDenied.push(change)
hasDeniedPackage = true
}
}
}
if (failed) {
if (hasDeniedPackage) {
core.setFailed('Dependency review detected denied packages.')
} else {
core.info('Dependency review did not detect any denied packages')
@@ -40,3 +43,14 @@ export async function getDeniedChanges(
return changesDenied
}
export const getNamespace = (change: Change): string | null => {
if (change.package_url) {
return parsePURL(change.package_url).namespace
}
const matches = change.name.match(/([^:/]+)[:/]/)
if (matches && matches.length > 1) {
return matches[1]
}
return null
}
+2 -1
View File
@@ -31,7 +31,8 @@ export async function compare({
url: '/repos/{owner}/{repo}/dependency-graph/compare/{basehead}',
owner,
repo,
basehead: `${baseRef}...${headRef}`
basehead: `${baseRef}...${headRef}`,
per_page: 5
},
response => {
if (
+23 -13
View File
@@ -1,5 +1,13 @@
import {Changes, Severity, SEVERITIES, Scope} from './schemas'
/**
* Filters changes by a severity level. Only vulnerable
* dependencies will be returned.
*
* @param severity - The severity level to filter by.
* @param changes - The array of changes to filter.
* @returns The filtered array of changes that match the specified severity level and have vulnerabilities.
*/
export function filterChangesBySeverity(
severity: Severity,
changes: Changes
@@ -31,7 +39,14 @@ export function filterChangesBySeverity(
filteredChanges = filteredChanges.filter(
change => change.vulnerabilities.length > 0
)
return filteredChanges
// only report vulnerability additions
return filteredChanges.filter(
change =>
change.change_type === 'added' &&
change.vulnerabilities !== undefined &&
change.vulnerabilities.length > 0
)
}
export function filterChangesByScopes(
@@ -67,25 +82,20 @@ export function filterAllowedAdvisories(
return changes
}
const filteredChanges = changes.filter(change => {
const filteredChanges = changes.map(change => {
const noAdvisories =
change.vulnerabilities === undefined ||
change.vulnerabilities.length === 0
if (noAdvisories) {
return true
return change
}
const newChange = {...change}
newChange.vulnerabilities = change.vulnerabilities.filter(
vuln => !ghsas.includes(vuln.advisory_ghsa_id)
)
let allAllowedAdvisories = true
// if there's at least one advisory that is not allowlisted, we will keep the change
for (const vulnerability of change.vulnerabilities) {
if (!ghsas.includes(vulnerability.advisory_ghsa_id)) {
allAllowedAdvisories = false
}
if (!allAllowedAdvisories) {
return true
}
}
return newChange
})
return filteredChanges
+8 -4
View File
@@ -11,7 +11,8 @@ export function getRefs(
// The base/head ref from the config take priority, if provided.
if (
context.eventName === 'pull_request' ||
context.eventName === 'pull_request_target'
context.eventName === 'pull_request_target' ||
context.eventName === 'merge_group'
) {
const pull_request = PullRequestSchema.parse(context.payload.pull_request)
base_ref = base_ref || pull_request.base.sha
@@ -21,17 +22,20 @@ export function getRefs(
if (!base_ref && !head_ref) {
throw new Error(
'Both a base ref and head ref must be provided, either via the `base_ref`/`head_ref` ' +
'config options, or by running a `pull_request`/`pull_request_target` workflow.'
'config options, `base-ref`/`head-ref` workflow action options, or by running a ' +
'`pull_request`/`pull_request_target`/`merge_group` workflow.'
)
} else if (!base_ref) {
throw new Error(
'A base ref must be provided, either via the `base_ref` config option, ' +
'or by running a `pull_request`/`pull_request_target` workflow.'
'`base-ref` workflow action option, or by running a ' +
'`pull_request`/`pull_request_target`/`merge_group` workflow.'
)
} else if (!head_ref) {
throw new Error(
'A head ref must be provided, either via the `head_ref` config option, ' +
'or by running a `pull_request`/`pull_request_target` workflow.'
'`head-ref` workflow action option, or by running a ' +
'or by running a `pull_request`/`pull_request_target`/`merge_group` workflow.'
)
}
+20 -15
View File
@@ -1,7 +1,7 @@
import spdxSatisfies from 'spdx-satisfies'
import {Change, Changes} from './schemas'
import {isSPDXValid, octokitClient} from './utils'
import {PackageURL} from 'packageurl-js'
import {octokitClient} from './utils'
import {parsePURL} from './purl'
import * as spdx from './spdx'
/**
* Loops through a list of changes, filtering and returning the
@@ -32,7 +32,7 @@ export async function getInvalidLicenseChanges(
const {allow, deny} = licenses
const licenseExclusions = licenses.licenseExclusions?.map(
(pkgUrl: string) => {
return PackageURL.fromString(pkgUrl)
return parsePURL(pkgUrl)
}
)
@@ -45,9 +45,9 @@ export async function getInvalidLicenseChanges(
return true
}
const changeAsPackageURL = PackageURL.fromString(change.package_url)
const changeAsPackageURL = parsePURL(encodeURI(change.package_url))
// We want to find if the licenseExclussion list contains the PackageURL of the Change
// We want to find if the licenseExclusion list contains the PackageURL of the Change
// If it does, we want to filter it out and therefore return false
// If it doesn't, we want to keep it and therefore return true
if (
@@ -87,15 +87,19 @@ export async function getInvalidLicenseChanges(
} else if (validityCache.get(license) === undefined) {
try {
if (allow !== undefined) {
const found = allow.find(spdxExpression =>
spdxSatisfies(license, spdxExpression)
)
validityCache.set(license, found !== undefined)
if (spdx.isValid(license)) {
const found = spdx.satisfiesAny(license, allow)
validityCache.set(license, found)
} else {
invalidLicenseChanges.unresolved.push(change)
}
} else if (deny !== undefined) {
const found = deny.find(spdxExpression =>
spdxSatisfies(license, spdxExpression)
)
validityCache.set(license, found === undefined)
if (spdx.isValid(license)) {
const found = spdx.satisfiesAny(license, deny)
validityCache.set(license, !found)
} else {
invalidLicenseChanges.unresolved.push(change)
}
}
} catch (err) {
invalidLicenseChanges.unresolved.push(change)
@@ -161,10 +165,11 @@ const setGHLicenses = async (changes: Change[]): Promise<Change[]> => {
return Promise.all(updatedChanges)
}
// Currently Dependency Graph licenses are truncated to 255 characters
// This possibly makes them invalid spdx ids
const truncatedDGLicense = (license: string): boolean =>
license.length === 255 && !isSPDXValid(license)
license.length === 255 && !spdx.isValid(license)
async function groupChanges(
changes: Changes
+129 -28
View File
@@ -3,7 +3,13 @@ import * as dependencyGraph from './dependency-graph'
import * as github from '@actions/github'
import styles from 'ansi-styles'
import {RequestError} from '@octokit/request-error'
import {Change, Severity, Changes, ConfigurationOptions} from './schemas'
import {
Change,
Severity,
Changes,
ConfigurationOptions,
Scorecard
} from './schemas'
import {readConfig} from '../src/config'
import {
filterChangesBySeverity,
@@ -11,11 +17,12 @@ import {
filterAllowedAdvisories
} from '../src/filter'
import {getInvalidLicenseChanges} from './licenses'
import {getScorecardLevels} from './scorecard'
import * as summary from './summary'
import {getRefs} from './git-refs'
import {groupDependenciesByManifest} from './utils'
import {commentPr} from './comment-pr'
import {commentPr, MAX_COMMENT_LENGTH} from './comment-pr'
import {getDeniedChanges} from './deny'
async function delay(ms: number): Promise<void> {
@@ -80,21 +87,24 @@ async function run(): Promise<void> {
return
}
const minSeverity = config.fail_on_severity
const scopedChanges = filterChangesByScopes(config.fail_on_scopes, changes)
const filteredChanges = filterAllowedAdvisories(
config.allow_ghsas,
scopedChanges
)
const failOnSeverityParams = config.fail_on_severity
const warnOnly = config.warn_only
let minSeverity: Severity = 'low'
// If failOnSeverityParams is not set or warnOnly is true, the minSeverity is low, to allow all vulnerabilities to be reported as warnings
if (failOnSeverityParams && !warnOnly) {
minSeverity = failOnSeverityParams
}
const vulnerableChanges = filterChangesBySeverity(
minSeverity,
filteredChanges
).filter(
change =>
change.change_type === 'added' &&
change.vulnerabilities !== undefined &&
change.vulnerabilities.length > 0
)
const invalidLicenseChanges = await getInvalidLicenseChanges(
@@ -115,10 +125,15 @@ async function run(): Promise<void> {
config.deny_groups
)
summary.addSummaryToSummary(
// generate informational scorecard entries for all added changes in the PR
const scorecardChanges = getScorecardChanges(changes)
const scorecard = await getScorecardLevels(scorecardChanges)
const minSummary = summary.addSummaryToSummary(
vulnerableChanges,
invalidLicenseChanges,
deniedChanges,
scorecard,
config
)
@@ -127,27 +142,47 @@ async function run(): Promise<void> {
}
if (config.vulnerability_check) {
core.setOutput('vulnerable-changes', JSON.stringify(vulnerableChanges))
summary.addChangeVulnerabilitiesToSummary(vulnerableChanges, minSeverity)
printVulnerabilitiesBlock(vulnerableChanges, minSeverity)
printVulnerabilitiesBlock(vulnerableChanges, minSeverity, warnOnly)
}
if (config.license_check) {
core.setOutput(
'invalid-license-changes',
JSON.stringify(invalidLicenseChanges)
)
summary.addLicensesToSummary(invalidLicenseChanges, config)
printLicensesBlock(invalidLicenseChanges)
printLicensesBlock(invalidLicenseChanges, warnOnly)
}
if (config.deny_packages || config.deny_groups) {
core.setOutput('denied-changes', JSON.stringify(deniedChanges))
summary.addDeniedToSummary(deniedChanges)
printDeniedDependencies(deniedChanges, config)
}
summary.addScannedDependencies(changes)
printScannedDependencies(changes)
if (
config.comment_summary_in_pr === 'always' ||
(config.comment_summary_in_pr === 'on-failure' &&
process.exitCode === core.ExitCode.Failure)
) {
await commentPr(core.summary)
if (config.show_openssf_scorecard) {
summary.addScorecardToSummary(scorecard, config)
printScorecardBlock(scorecard, config)
createScorecardWarnings(scorecard, config)
}
core.setOutput('dependency-changes', JSON.stringify(changes))
summary.addScannedFiles(changes)
printScannedDependencies(changes)
// include full summary in output; Actions will truncate if oversized
let rendered = core.summary.stringify()
core.setOutput('comment-content', rendered)
// if the summary is oversized, replace with minimal version
if (rendered.length >= MAX_COMMENT_LENGTH) {
core.debug(
'The comment was too big for the GitHub API. Falling back on a minimum comment'
)
rendered = minSummary
}
// update the PR comment if needed with the right-sized summary
await commentPr(rendered, config)
} catch (error) {
if (error instanceof RequestError && error.status === 404) {
core.setFailed(
@@ -171,19 +206,25 @@ async function run(): Promise<void> {
function printVulnerabilitiesBlock(
addedChanges: Changes,
minSeverity: Severity
minSeverity: Severity,
warnOnly: boolean
): void {
let failed = false
let vulFound = false
core.group('Vulnerabilities', async () => {
if (addedChanges.length > 0) {
for (const change of addedChanges) {
printChangeVulnerabilities(change)
}
failed = true
vulFound = true
}
if (failed) {
core.setFailed('Dependency review detected vulnerable packages.')
if (vulFound) {
const msg = 'Dependency review detected vulnerable packages.'
if (warnOnly) {
core.warning(msg)
} else {
core.setFailed(msg)
}
} else {
core.info(
`Dependency review did not detect any vulnerable packages with severity level "${minSeverity}" or higher.`
@@ -206,13 +247,19 @@ function printChangeVulnerabilities(change: Change): void {
}
function printLicensesBlock(
invalidLicenseChanges: Record<string, Changes>
invalidLicenseChanges: Record<string, Changes>,
warnOnly: boolean
): void {
core.group('Licenses', async () => {
if (invalidLicenseChanges.forbidden.length > 0) {
core.info('\nThe following dependencies have incompatible licenses:')
printLicensesError(invalidLicenseChanges.forbidden)
core.setFailed('Dependency review detected incompatible licenses.')
const msg = 'Dependency review detected incompatible licenses.'
if (warnOnly) {
core.warning(msg)
} else {
core.setFailed(msg)
}
}
if (invalidLicenseChanges.unresolved.length > 0) {
core.warning(
@@ -248,6 +295,29 @@ function printNullLicenses(changes: Changes): void {
}
}
function printScorecardBlock(
scorecard: Scorecard,
config: ConfigurationOptions
): void {
core.group('Scorecard', async () => {
if (scorecard) {
for (const dependency of scorecard.dependencies) {
if (
dependency.scorecard?.score &&
dependency.scorecard?.score < config.warn_on_openssf_scorecard_level
) {
core.info(
`${styles.color.red.open}${dependency.change.ecosystem}/${dependency.change.name}: OpenSSF Scorecard Score: ${dependency?.scorecard?.score}${styles.red.close}`
)
}
core.info(
`${dependency.change.ecosystem}/${dependency.change.name}: OpenSSF Scorecard Score: ${dependency?.scorecard?.score}`
)
}
}
})
}
function renderSeverity(
severity: 'critical' | 'high' | 'moderate' | 'low'
): string {
@@ -301,7 +371,7 @@ function printScannedDependencies(changes: Changes): void {
}
function printDeniedDependencies(
changes: Change[],
changes: Changes,
config: ConfigurationOptions
): void {
core.group('Denied', async () => {
@@ -316,4 +386,35 @@ function printDeniedDependencies(
})
}
function getScorecardChanges(changes: Changes): Changes {
const out: Changes = []
for (const change of changes) {
if (change.change_type === 'added') {
out.push(change)
}
}
return out
}
async function createScorecardWarnings(
scorecards: Scorecard,
config: ConfigurationOptions
): Promise<void> {
// Iterate through the list of scorecards, and if the score is less than the threshold, send a warning
for (const dependency of scorecards.dependencies) {
if (
dependency.scorecard?.score &&
dependency.scorecard?.score < config.warn_on_openssf_scorecard_level
) {
core.warning(
`${dependency.change.ecosystem}/${dependency.change.name} has an OpenSSF Scorecard of ${dependency.scorecard?.score}, which is less than this repository's threshold of ${config.warn_on_openssf_scorecard_level}.`,
{
title: 'OpenSSF Scorecard Warning'
}
)
}
}
}
run()
+72
View File
@@ -0,0 +1,72 @@
import * as z from 'zod'
// the basic purl type, containing type, namespace, name, and version.
// other than type, all fields are nullable. this is for maximum flexibility
// at the cost of strict adherence to the package-url spec.
export const PurlSchema = z.object({
type: z.string(),
namespace: z.string().nullable(),
name: z.string().nullable(), // name is nullable for deny-groups
version: z.string().nullable(),
original: z.string(),
error: z.string().nullable()
})
export type PackageURL = z.infer<typeof PurlSchema>
const PURL_TYPE = /pkg:([a-zA-Z0-9-_]+)\/.*/
export function parsePURL(purl: string): PackageURL {
const result: PackageURL = {
type: '',
namespace: null,
name: null,
version: null,
original: purl,
error: null
}
if (!purl.startsWith('pkg:')) {
result.error = 'package-url must start with "pkg:"'
return result
}
const type = purl.match(PURL_TYPE)
if (!type) {
result.error = 'package-url must contain a type'
return result
}
result.type = type[1]
const parts = purl.split('/')
// the first 'part' should be 'pkg:ecosystem'
if (parts.length < 2 || !parts[1]) {
result.error = 'package-url must contain a namespace or name'
return result
}
let namePlusRest: string
if (parts.length === 2) {
namePlusRest = parts[1]
} else {
result.namespace = decodeURIComponent(parts[1])
// Add back the '/'s to the rest of the parts, in case there are any more.
// This may violate the purl spec, but people do it and it can be parsed
// without ambiguity.
namePlusRest = parts.slice(2).join('/')
}
const name = namePlusRest.match(/([^@#?]+)[@#?]?.*/)
if (!result.namespace && !name) {
result.error = 'package-url must contain a namespace or name'
return result
}
if (!name) {
// we're done here
return result
}
result.name = decodeURIComponent(name[1])
const version = namePlusRest.match(/@([^#?]+)[#?]?.*/)
if (!version) {
return result
}
result.version = decodeURIComponent(version[1])
// we don't parse subpath or attributes, so we're done here
return result
}
+106 -4
View File
@@ -1,10 +1,67 @@
import * as z from 'zod'
import {parsePURL} from './purl'
export const SEVERITIES = ['critical', 'high', 'moderate', 'low'] as const
export const SCOPES = ['unknown', 'runtime', 'development'] as const
export const SeveritySchema = z.enum(SEVERITIES).default('low')
const PackageURL = z
.string()
.transform(purlString => {
return parsePURL(purlString)
})
.superRefine((purl, context) => {
if (purl.error) {
context.addIssue({
code: z.ZodIssueCode.custom,
message: `Error parsing package-url: ${purl.error}`
})
}
if (!purl.name) {
context.addIssue({
code: z.ZodIssueCode.custom,
message: `Error parsing package-url: name is required`
})
}
})
const PackageURLWithNamespace = z
.string()
.transform(purlString => {
return parsePURL(purlString)
})
.superRefine((purl, context) => {
if (purl.error) {
context.addIssue({
code: z.ZodIssueCode.custom,
message: `Error parsing purl: ${purl.error}`
})
}
if (purl.namespace === null) {
context.addIssue({
code: z.ZodIssueCode.custom,
message: `package-url must have a namespace, and the namespace must be followed by '/'`
})
}
})
const PackageURLString = z.string().superRefine((value, context) => {
const purl = parsePURL(value)
if (purl.error) {
context.addIssue({
code: z.ZodIssueCode.custom,
message: `Error parsing package-url: ${purl.error}`
})
}
if (!purl.name) {
context.addIssue({
code: z.ZodIssueCode.custom,
message: `Error parsing package-url: name is required`
})
}
})
export const ChangeSchema = z.object({
change_type: z.enum(['added', 'removed']),
manifest: z.string(),
@@ -40,10 +97,10 @@ export const ConfigurationOptionsSchema = z
fail_on_scopes: z.array(z.enum(SCOPES)).default(['runtime']),
allow_licenses: z.array(z.string()).optional(),
deny_licenses: z.array(z.string()).optional(),
allow_dependencies_licenses: z.array(z.string()).optional(),
allow_dependencies_licenses: z.array(PackageURLString).optional(),
allow_ghsas: z.array(z.string()).default([]),
deny_packages: z.array(z.string()).default([]),
deny_groups: z.array(z.string()).default([]),
deny_packages: z.array(PackageURL).default([]),
deny_groups: z.array(PackageURLWithNamespace).default([]),
license_check: z.boolean().default(true),
vulnerability_check: z.boolean().default(true),
config_file: z.string().optional(),
@@ -51,6 +108,8 @@ export const ConfigurationOptionsSchema = z
head_ref: z.string().optional(),
retry_on_snapshot_warnings: z.boolean().default(false),
retry_on_snapshot_warnings_timeout: z.number().default(120),
show_openssf_scorecard: z.boolean().optional().default(true),
warn_on_openssf_scorecard_level: z.number().default(3),
comment_summary_in_pr: z
.union([
z.preprocess(
@@ -59,7 +118,8 @@ export const ConfigurationOptionsSchema = z
),
z.enum(['always', 'never', 'on-failure'])
])
.default('never')
.default('never'),
warn_only: z.boolean().default(false)
})
.transform(config => {
if (config.comment_summary_in_pr === true) {
@@ -99,9 +159,51 @@ export const ComparisonResponseSchema = z.object({
snapshot_warnings: z.string()
})
export const ScorecardApiSchema = z.object({
date: z.string(),
repo: z
.object({
name: z.string(),
commit: z.string()
})
.nullish(),
scorecard: z
.object({
version: z.string(),
commit: z.string()
})
.nullish(),
checks: z
.array(
z.object({
name: z.string(),
documentation: z.object({
shortDescription: z.string(),
url: z.string()
}),
score: z.string(),
reason: z.string(),
details: z.array(z.string())
})
)
.nullish(),
score: z.number().nullish()
})
export const ScorecardSchema = z.object({
dependencies: z.array(
z.object({
change: ChangeSchema,
scorecard: ScorecardApiSchema.nullish()
})
)
})
export type Change = z.infer<typeof ChangeSchema>
export type Changes = z.infer<typeof ChangesSchema>
export type ComparisonResponse = z.infer<typeof ComparisonResponseSchema>
export type ConfigurationOptions = z.infer<typeof ConfigurationOptionsSchema>
export type Severity = z.infer<typeof SeveritySchema>
export type Scope = (typeof SCOPES)[number]
export type Scorecard = z.infer<typeof ScorecardSchema>
export type ScorecardApi = z.infer<typeof ScorecardApiSchema>
+81
View File
@@ -0,0 +1,81 @@
import {Change, Scorecard, ScorecardApi} from './schemas'
import * as core from '@actions/core'
export async function getScorecardLevels(
changes: Change[]
): Promise<Scorecard> {
const data: Scorecard = {dependencies: []} as Scorecard
for (const change of changes) {
const ecosystem = change.ecosystem
const packageName = change.name
const version = change.version
//Get the project repository
let repositoryUrl = change.source_repository_url
//If the repository_url includes the protocol, remove it
if (repositoryUrl?.startsWith('https://')) {
repositoryUrl = repositoryUrl.replace('https://', '')
}
// Handle the special case for GitHub Actions, where the repository URL is null
if (ecosystem === 'actions') {
// The package name for GitHub Actions in the API is in the format `owner/repo/`, so we can use that to get the repository URL
// If the package name has more than 2 slashes, it's referencing a sub-action, and we need to strip the last part out
const parts = packageName.split('/')
repositoryUrl = `github.com/${parts[0]}/${parts[1]}` // e.g. github.com/actions/checkout
}
// If GitHub API doesn't have the repository URL, query deps.dev for it.
if (!repositoryUrl) {
// Call the deps.dev API to get the repository URL from there
repositoryUrl = await getProjectUrl(ecosystem, packageName, version)
}
// Get the scorecard API response from the scorecards API
let scorecardApi: ScorecardApi | null = null
if (repositoryUrl) {
try {
scorecardApi = await getScorecard(repositoryUrl)
} catch (error: unknown) {
core.debug(`Error querying for scorecard: ${(error as Error).message}`)
}
}
data.dependencies.push({
change,
scorecard: scorecardApi
})
}
return data
}
async function getScorecard(repositoryUrl: string): Promise<ScorecardApi> {
const apiRoot = 'https://api.securityscorecards.dev'
let scorecardResponse: ScorecardApi = {} as ScorecardApi
const url = `${apiRoot}/projects/${repositoryUrl}`
const response = await fetch(url)
if (response.ok) {
scorecardResponse = await response.json()
} else {
core.debug(`Couldn't get scorecard data for ${repositoryUrl}`)
}
return scorecardResponse
}
export async function getProjectUrl(
ecosystem: string,
packageName: string,
version: string
): Promise<string> {
core.debug(`Getting deps.dev data for ${packageName} ${version}`)
const depsDevAPIRoot = 'https://api.deps.dev'
const url = `${depsDevAPIRoot}/v3/systems/${ecosystem}/packages/${packageName}/versions/${version}`
const response = await fetch(url)
if (response.ok) {
const data = await response.json()
if (data.relatedProjects.length > 0) {
return data.relatedProjects[0].projectKey.id
}
}
return ''
}
+56
View File
@@ -0,0 +1,56 @@
import * as spdxlib from '@onebeyond/spdx-license-satisfies'
import parse from 'spdx-expression-parse'
/*
* NOTE: spdx-license-satisfies methods depend on spdx-expression-parse
* which throws errors in the presence of any syntax trouble, unknown
* license tokens, case sensitivity problems etc. to simplify handling
* you should pre-screen inputs to the satisfies* methods using isValid
*/
// accepts a pair of well-formed SPDX expressions. the
// candidate is tested against the constraint
export function satisfies(
candidateExpr: string,
constraintExpr: string
): boolean {
try {
return spdxlib.satisfies(candidateExpr, constraintExpr)
} catch (_) {
return false
}
}
// accepts an SPDX expression and a non-empty list of licenses (not expressions)
export function satisfiesAny(
candidateExpr: string,
licenses: string[]
): boolean {
try {
return spdxlib.satisfiesAny(candidateExpr, licenses)
} catch (_) {
return false
}
}
// accepts an SPDX expression and a non-empty list of licenses (not expressions)
export function satisfiesAll(
candidateExpr: string,
licenses: string[]
): boolean {
try {
return spdxlib.satisfiesAll(candidateExpr, licenses)
} catch (_) {
return false
}
}
// accepts any SPDX expression
export function isValid(spdxExpr: string): boolean {
try {
parse(spdxExpr)
return true
} catch (_) {
return false
}
}
+177 -55
View File
@@ -1,7 +1,7 @@
import * as core from '@actions/core'
import {ConfigurationOptions, Changes, Change} from './schemas'
import {SummaryTableRow} from '@actions/core/lib/summary'
import {InvalidLicenseChanges, InvalidLicenseChangeTypes} from './licenses'
import {Change, Changes, ConfigurationOptions, Scorecard} from './schemas'
import {groupDependenciesByManifest, getManifestsSet, renderUrl} from './utils'
const icons = {
@@ -10,64 +10,115 @@ const icons = {
warning: '⚠️'
}
const MAX_SCANNED_FILES_BYTES = 1048576
// generates the DR report summmary and caches it to the Action's core.summary.
// returns the DR summary string, ready to be posted as a PR comment if the
// final DR report is too large
export function addSummaryToSummary(
vulnerableChanges: Changes,
invalidLicenseChanges: InvalidLicenseChanges,
deniedChanges: Changes,
scorecard: Scorecard,
config: ConfigurationOptions
): void {
): string {
const out: string[] = []
const scorecardWarnings = countScorecardWarnings(scorecard, config)
const licenseIssues = countLicenseIssues(invalidLicenseChanges)
core.summary.addHeading('Dependency Review', 1)
out.push('# Dependency Review')
if (
vulnerableChanges.length === 0 &&
countLicenseIssues(invalidLicenseChanges) === 0 &&
deniedChanges.length === 0
licenseIssues === 0 &&
deniedChanges.length === 0 &&
scorecardWarnings === 0
) {
if (!config.license_check) {
core.summary.addRaw(`${icons.check} No vulnerabilities found.`)
} else if (!config.vulnerability_check) {
core.summary.addRaw(`${icons.check} No license issues found.`)
const issueTypes = [
config.vulnerability_check ? 'vulnerabilities' : '',
config.license_check ? 'license issues' : '',
config.show_openssf_scorecard ? 'OpenSSF Scorecard issues' : ''
]
let msg = ''
if (issueTypes.filter(Boolean).length === 0) {
msg = `${icons.check} No issues found.`
} else {
core.summary.addRaw(
`${icons.check} No vulnerabilities or license issues found.`
)
msg = `${icons.check} No ${issueTypes.filter(Boolean).join(' or ')} found.`
}
return
core.summary.addRaw(msg)
out.push(msg)
return out.join('\n')
}
core.summary
.addRaw('The following issues were found:')
.addList([
...(config.vulnerability_check
? [
`${checkOrFailIcon(vulnerableChanges.length)} ${
vulnerableChanges.length
} vulnerable package(s)`
]
: []),
...(config.license_check
? [
`${checkOrFailIcon(invalidLicenseChanges.forbidden.length)} ${
invalidLicenseChanges.forbidden.length
} package(s) with incompatible licenses`,
`${checkOrFailIcon(invalidLicenseChanges.unresolved.length)} ${
invalidLicenseChanges.unresolved.length
} package(s) with invalid SPDX license definitions`,
`${checkOrWarnIcon(invalidLicenseChanges.unlicensed.length)} ${
invalidLicenseChanges.unlicensed.length
} package(s) with unknown licenses.`
]
: []),
...(deniedChanges.length > 0
? [
`${checkOrWarnIcon(deniedChanges.length)} ${
deniedChanges.length
} package(s) denied.`
]
: [])
])
.addRaw('See the Details below.')
const foundIssuesHeader = 'The following issues were found:'
core.summary.addRaw(foundIssuesHeader)
out.push(foundIssuesHeader)
const summaryList: string[] = [
...(config.vulnerability_check
? [
`${checkOrFailIcon(vulnerableChanges.length)} ${
vulnerableChanges.length
} vulnerable package(s)`
]
: []),
...(config.license_check
? [
`${checkOrFailIcon(invalidLicenseChanges.forbidden.length)} ${
invalidLicenseChanges.forbidden.length
} package(s) with incompatible licenses`,
`${checkOrFailIcon(invalidLicenseChanges.unresolved.length)} ${
invalidLicenseChanges.unresolved.length
} package(s) with invalid SPDX license definitions`,
`${checkOrWarnIcon(invalidLicenseChanges.unlicensed.length)} ${
invalidLicenseChanges.unlicensed.length
} package(s) with unknown licenses.`
]
: []),
...(deniedChanges.length > 0
? [
`${checkOrWarnIcon(deniedChanges.length)} ${
deniedChanges.length
} package(s) denied.`
]
: []),
...(config.show_openssf_scorecard && scorecardWarnings > 0
? [
`${checkOrWarnIcon(scorecardWarnings)} ${scorecardWarnings ? scorecardWarnings : 'No'} packages with OpenSSF Scorecard issues.`
]
: [])
]
core.summary.addList(summaryList)
for (const line of summaryList) {
out.push(`* ${line}`)
}
core.summary.addRaw('See the Details below.')
out.push(
`\n[View full job summary](${process.env.GITHUB_SERVER_URL}/${process.env.GITHUB_REPOSITORY}/actions/runs/${process.env.GITHUB_RUN_ID})`
)
return out.join('\n')
}
function countScorecardWarnings(
scorecard: Scorecard,
config: ConfigurationOptions
): number {
return scorecard.dependencies.reduce(
(total, dependency) =>
total +
(dependency.scorecard?.score &&
dependency.scorecard?.score < config.warn_on_openssf_scorecard_level
? 1
: 0),
0
)
}
export function addChangeVulnerabilitiesToSummary(
@@ -214,21 +265,33 @@ function formatLicense(license: string | null): string {
return license
}
export function addScannedDependencies(changes: Changes): void {
const dependencies = groupDependenciesByManifest(changes)
const manifests = dependencies.keys()
export function addScannedFiles(changes: Changes): void {
const manifests = Array.from(
groupDependenciesByManifest(changes).keys()
).sort()
const summary = core.summary.addHeading('Scanned Manifest Files', 2)
let sf_size = 0
let trunc_at = -1
for (const manifest of manifests) {
const deps = dependencies.get(manifest)
if (deps) {
const dependencyNames = deps.map(
dependency => `<li>${dependency.name}@${dependency.version}</li>`
)
summary.addDetails(manifest, `<ul>${dependencyNames.join('')}</ul>`)
for (const [index, entry] of manifests.entries()) {
if (sf_size + entry.length >= MAX_SCANNED_FILES_BYTES) {
trunc_at = index
break
}
sf_size += entry.length
}
if (trunc_at >= 0) {
// truncate the manifests list if it will overflow the summary output
manifests.slice(0, trunc_at)
// if there's room between cutoff size and list size, add a warning
const size_diff = MAX_SCANNED_FILES_BYTES - sf_size
if (size_diff < 12) {
manifests.push('(truncated)')
}
}
core.summary.addHeading('Scanned Files', 2).addList(manifests)
}
function snapshotWarningRecommendation(
@@ -249,6 +312,65 @@ function snapshotWarningRecommendation(
return 'Re-running this action after a short time may resolve the issue.'
}
export function addScorecardToSummary(
scorecard: Scorecard,
config: ConfigurationOptions
): void {
core.summary.addHeading('OpenSSF Scorecard', 2)
if (scorecard.dependencies.length > 10) {
core.summary.addRaw(`<details><summary>Scorecard details</summary>`, true)
}
core.summary.addRaw(
`<table><tr><th>Package</th><th>Version</th><th>Score</th><th>Details</th></tr>`,
true
)
for (const dependency of scorecard.dependencies) {
core.debug('Adding scorecard to summary')
core.debug(`Overall score ${dependency.scorecard?.score}`)
// Set the icon based on the overall score value
let overallIcon = ''
if (dependency.scorecard?.score) {
overallIcon =
dependency.scorecard?.score < config.warn_on_openssf_scorecard_level
? ':warning:'
: ':green_circle:'
}
//Add a row for the dependency
core.summary.addRaw(
`<tr><td>${dependency.change.source_repository_url ? `<a href="${dependency.change.source_repository_url}">` : ''} ${dependency.change.ecosystem}/${dependency.change.name} ${dependency.change.source_repository_url ? `</a>` : ''}</td><td>${dependency.change.version}</td>
<td>${overallIcon} ${dependency.scorecard?.score === undefined || dependency.scorecard?.score === null ? 'Unknown' : dependency.scorecard?.score}</td>`,
false
)
//Add details table in the last column
if (dependency.scorecard?.checks !== undefined) {
let detailsTable =
'<table><tr><th>Check</th><th>Score</th><th>Reason</th></tr>'
for (const check of dependency.scorecard?.checks || []) {
const icon =
parseFloat(check.score) < config.warn_on_openssf_scorecard_level
? ':warning:'
: ':green_circle:'
detailsTable += `<tr><td>${check.name}</td><td>${icon} ${check.score}</td><td>${check.reason}</td></tr>`
}
detailsTable += `</table>`
core.summary.addRaw(
`<td><details><summary>Details</summary>${detailsTable}</details></td></tr>`,
true
)
} else {
core.summary.addRaw('<td>Unknown</td></tr>', true)
}
}
core.summary.addRaw(`</table>`)
if (scorecard.dependencies.length > 10) {
core.summary.addRaw(`</details>`)
}
}
export function addSnapshotWarnings(
config: ConfigurationOptions,
warnings: string
-10
View File
@@ -1,6 +1,5 @@
import * as core from '@actions/core'
import {Octokit} from 'octokit'
import spdxParse from 'spdx-expression-parse'
import {Changes} from './schemas'
export function groupDependenciesByManifest(
@@ -34,15 +33,6 @@ export function renderUrl(url: string | null, text: string): string {
}
}
export function isSPDXValid(license: string): boolean {
try {
spdxParse(license)
return true
} catch (_) {
return false
}
}
function isEnterprise(): boolean {
const serverUrl = new URL(
process.env['GITHUB_SERVER_URL'] ?? 'https://github.com'
+3 -1
View File
@@ -5,7 +5,9 @@
"outDir": "./lib" /* Redirect output structure to the directory. */,
"strict": true /* Enable all strict type-checking options. */,
"noImplicitAny": true /* Raise error on expressions and declarations with an implied 'any' type. */,
"esModuleInterop": true /* Enables emit interoperability between CommonJS and ES Modules via creation of namespace objects for all imports. Implies 'allowSyntheticDefaultImports'. */
"esModuleInterop": true /* Enables emit interoperability between CommonJS and ES Modules via creation of namespace objects for all imports. Implies 'allowSyntheticDefaultImports'. */,
"typeRoots": [ "./node_modules/@types", "./types" ],
"types": [ "node", "jest", "spdx-license-satisfies" ]
},
"exclude": ["node_modules"]
}
+16
View File
@@ -0,0 +1,16 @@
declare module '@onebeyond/spdx-license-satisfies' {
export function satisfies(
candidateExpr: string,
constraintExpr: string
): boolean
export function satisfiesAny(
candidateExpr: string,
licenses: string[]
): boolean
export function satisfiesAll(
candidateExpr: string,
licenses: string[]
): boolean
}