Compare commits

..

71 Commits

Author SHA1 Message Date
Federico Builes 5ea8fbfb83 Update docs for config file paths. 2022-11-10 08:18:58 +01:00
Federico Builes c72eb06e71 Update README.md
Co-authored-by: Courtney Claessens <courtneycl@github.com>
2022-11-10 07:59:35 +01:00
Federico Builes aa409fa6cd Update README.md
Co-authored-by: Courtney Claessens <courtneycl@github.com>
2022-11-10 07:59:28 +01:00
Federico Builes 5aaa78ce3c Update README.md
Co-authored-by: Courtney Claessens <courtneycl@github.com>
2022-11-10 07:59:15 +01:00
Federico Builes 59a4f4c4ba Fixing typo in README.md 2022-11-09 13:24:07 +01:00
Federico Builes bf8cfe8b38 Linting, adding dist files. 2022-11-09 13:22:33 +01:00
Federico Builes ae538ebe32 Linting and whitespace. Smol rename. 2022-11-09 13:17:12 +01:00
Federico Builes b4126ce983 Shuffle things around. 2022-11-09 13:16:53 +01:00
Federico Builes 418ae59d51 Replace TODO with instructions for getting PAT. 2022-11-08 17:51:31 +01:00
Federico Builes c38007a979 Don't abbreviate repo in docs.
In general let's try not to use abbreviations in public
documentation.
2022-11-08 17:45:23 +01:00
cnagadya ebe5527e72 Fix readme typo 2022-11-08 11:23:48 +00:00
cnagadya 1589654682 Add dist changes 2022-11-08 11:16:48 +00:00
cnagadya f0ff0b670a Rename config token > external-repo-token 2022-11-08 11:16:26 +00:00
cnagadya 336da03de2 Update empty allow-licenses tests 2022-11-08 11:15:36 +00:00
cnagadya 78565a954f Dont merge config lists
Co-authored-by: Henri Maurer<hmaurer@github.com>
Co-authored-by: Federico Builes<febuiles@github.com>
2022-11-08 10:52:30 +00:00
cnagadya 3c73a622ba Fix config-file tests 2022-11-08 09:53:36 +00:00
cnagadya 13455c7175 Merge array config options 2022-11-07 17:57:05 +00:00
cnagadya 6d941b396a Fix inconsistencies due to zod defaults / partials mixup 2022-11-07 17:08:00 +00:00
cnagadya 49ed3f2876 Merge lists in configs instead of overwritting them 2022-11-07 12:33:54 +00:00
cnagadya b55cddb69d Use config-file for both remote and local config-files 2022-11-07 12:12:03 +00:00
cnagadya dcdeb7de77 Remove redundant skips
Co-authored-by: Federico Builes <febuiles@github.com>
2022-11-04 16:12:05 +00:00
cnagadya b4a2fbfa16 Complete functionality for handling remote config file 2022-11-04 14:51:41 +00:00
cnagadya 97e5a607ba Handle getContent response as is
Co-authored-by: Henri Maurer <hmaurer@github.com>
2022-11-04 10:08:00 +00:00
cnagadya 3b410dc4ad Load remote config file 2022-11-04 09:05:45 +00:00
Federico Builes 683cbc4872 Merge branch 'main' into external-repo-config 2022-11-01 08:11:26 +01:00
Federico Builes 2f696d8c7a Merge pull request #314 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.42.0
Bump @typescript-eslint/eslint-plugin from 5.41.0 to 5.42.0
2022-11-01 08:10:28 +01:00
dependabot[bot] 1a9033d563 Bump @typescript-eslint/eslint-plugin from 5.41.0 to 5.42.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.41.0 to 5.42.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.42.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-11-01 07:10:21 +00:00
Federico Builes ad6e320da1 Merge pull request #313 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.42.0
Bump @typescript-eslint/parser from 5.41.0 to 5.42.0
2022-11-01 08:09:22 +01:00
dependabot[bot] 3d86825394 Bump @typescript-eslint/parser from 5.41.0 to 5.42.0
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.41.0 to 5.42.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.42.0/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-11-01 01:49:12 +00:00
Federico Builes 10dc05ba09 Merge pull request #311 from ericcornelissen/308-disable-license-or-vuln
Add `license-check` and `vulnerability-check` inputs
2022-10-31 07:56:37 +01:00
Federico Builes 04f48dec81 Update __tests__/config.test.ts 2022-10-31 07:55:17 +01:00
Federico Builes bb5c0c7ca0 Merge pull request #312 from actions/dependabot/npm_and_yarn/types/node-16.18.3
Bump @types/node from 16.18.2 to 16.18.3
2022-10-31 06:42:09 +01:00
dependabot[bot] 2d7d700469 Bump @types/node from 16.18.2 to 16.18.3
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.18.2 to 16.18.3.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-31 01:33:50 +00:00
Eric Cornelissen f095b5a541 Build and package 2022-10-28 22:25:06 +02:00
Eric Cornelissen f54a1f3b74 Document the license-check & vulnerability-check config options
Include the license-check and vulnerability-check options in the config
documentation in the README.

Also fix a typo in the README ("configuraton" -> "configuration").
2022-10-28 22:23:33 +02:00
Eric Cornelissen 84921e5e4a Simplify Summary summary based on license-check and vulnerability-check
Omit details related to the license check of vulnerability check from
the GitHub Actions Summary's summary if the respective check is disabled
from the configuration.
2022-10-28 22:15:44 +02:00
Eric Cornelissen c5af7ff272 Prevent disabling all checks
Prevent users from disabling both the license and vulnerability check by
checking if both are set to `false` and throwing if that's the case.
2022-10-28 22:08:55 +02:00
Eric Cornelissen 31279d265a Add license-check and vulnerability-check inputs
Add support for two new inputs, named `license-check` and
`vulnerability-check`, to disable the license checks or vulnerability
checks performed by this action. By default, both are enabled.
2022-10-28 22:06:05 +02:00
Federico Builes 2532504548 Merge pull request #310 from actions/cn/node-18
Upgrade to Node 18
2022-10-28 13:46:26 +02:00
cnagadya cc6d251652 Update contributing guide 2022-10-28 10:13:58 +00:00
cnagadya 516e8497ac Add codespace defaults 2022-10-28 10:13:58 +00:00
cnagadya 43c5083e6c Node 18 2022-10-28 10:13:58 +00:00
Federico Builes fa62a0febc Merge pull request #294 from actions/cn/spdx-licenses
Add support for SPDX expressions
2022-10-28 11:27:18 +02:00
cnagadya e897e8ebdd Add dist folder 2022-10-28 09:25:16 +00:00
cnagadya 216fafaed5 PR feedback
Co-authored-by: Federico Builes <febuiles@github.com>
2022-10-28 11:23:05 +02:00
cnagadya 0144419c8e Format violations area 2022-10-27 16:43:45 +00:00
cnagadya 7b16bd0b54 Add unvalidated changes to summary 2022-10-27 16:24:30 +00:00
cnagadya 4525a8c091 Format summary findings 2022-10-27 15:41:19 +00:00
cnagadya 72273c9a36 Update dist folder 2022-10-27 15:22:00 +00:00
cnagadya 562a2f3c0a Improve summary formatting 2022-10-27 15:19:32 +00:00
cnagadya c82c183029 Resolve package-lock conflicts 2022-10-27 14:37:08 +00:00
cnagadya 26be1f407e Merge pull request #309 from actions/codespace-actions-dependency-review-action-p79j7j9pxqrh669p
Add unresolved licenses section
2022-10-27 15:43:28 +02:00
cnagadya 022ea02fbb Add unresolved licenses section 2022-10-27 13:09:37 +00:00
Federico Builes d6e28cdfae Merge pull request #307 from actions/dependabot/npm_and_yarn/types/node-16.18.2
Bump @types/node from 16.18.0 to 16.18.2
2022-10-27 07:34:11 +02:00
dependabot[bot] da3d8af3e3 Bump @types/node from 16.18.0 to 16.18.2
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 16.18.0 to 16.18.2.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-27 01:26:35 +00:00
cnagadya 52fa73c086 Update readme licenses sections 2022-10-26 10:54:12 +00:00
cnagadya 3baea959cf Fix license test failures 2022-10-26 09:58:00 +00:00
cnagadya 782c57b17e Fix config test failures 2022-10-26 09:57:02 +00:00
cnagadya ac5ed8754d Use SPDX license expressions 2022-10-26 09:56:34 +00:00
Federico Builes 024a5a6342 Merge pull request #305 from actions/dependabot/npm_and_yarn/octokit-2.0.10
Bump octokit from 2.0.9 to 2.0.10
2022-10-26 08:49:12 +02:00
Federico Builes b2fc686406 Resolving merge conflicts 2022-10-26 08:47:43 +02:00
dependabot[bot] 4ec1d46392 Bump octokit from 2.0.9 to 2.0.10
Bumps [octokit](https://github.com/octokit/octokit.js) from 2.0.9 to 2.0.10.
- [Release notes](https://github.com/octokit/octokit.js/releases)
- [Commits](https://github.com/octokit/octokit.js/compare/v2.0.9...v2.0.10)

---
updated-dependencies:
- dependency-name: octokit
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-26 06:46:16 +00:00
Federico Builes cfef8bfe29 Merge pull request #304 from actions/dependabot/npm_and_yarn/octokit/plugin-retry-4.0.3
Bump @octokit/plugin-retry from 3.0.9 to 4.0.3
2022-10-26 08:45:28 +02:00
Federico Builes bd43b8d1e2 updating dist 2022-10-26 08:45:18 +02:00
dependabot[bot] fced408b87 Bump @octokit/plugin-retry from 3.0.9 to 4.0.3
Bumps [@octokit/plugin-retry](https://github.com/octokit/plugin-retry.js) from 3.0.9 to 4.0.3.
- [Release notes](https://github.com/octokit/plugin-retry.js/releases)
- [Commits](https://github.com/octokit/plugin-retry.js/compare/v3.0.9...v4.0.3)

---
updated-dependencies:
- dependency-name: "@octokit/plugin-retry"
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-26 01:51:57 +00:00
Federico Builes 65f9f50468 Merge pull request #303 from actions/dependabot/npm_and_yarn/typescript-eslint/parser-5.41.0
Bump @typescript-eslint/parser from 5.40.1 to 5.41.0
2022-10-25 07:57:41 +02:00
dependabot[bot] a393c83ce5 Bump @typescript-eslint/parser from 5.40.1 to 5.41.0
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 5.40.1 to 5.41.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.41.0/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-25 05:56:55 +00:00
Federico Builes 56163c5659 Merge pull request #302 from actions/dependabot/npm_and_yarn/typescript-eslint/eslint-plugin-5.41.0
Bump @typescript-eslint/eslint-plugin from 5.40.1 to 5.41.0
2022-10-25 07:56:10 +02:00
dependabot[bot] 5dc2e6e4bb Bump @typescript-eslint/eslint-plugin from 5.40.1 to 5.41.0
Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 5.40.1 to 5.41.0.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v5.41.0/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-10-25 01:44:33 +00:00
Federico Builes 9760f87258 Fix config-file description in action.yml 2022-10-21 17:38:18 +02:00
Federico Builes 74c047086c Adding README and action.yml for external config files. 2022-10-21 17:34:20 +02:00
21 changed files with 6337 additions and 10062 deletions
+9
View File
@@ -0,0 +1,9 @@
{
"name": "Dependency Review Action",
"image": "mcr.microsoft.com/devcontainers/typescript-node:18",
"postCreateCommand": "npm install",
"remoteUser": "node",
"features": {
"ghcr.io/devcontainers/features/ruby:1": {}
}
}
+2 -2
View File
@@ -23,10 +23,10 @@ jobs:
steps:
- uses: actions/checkout@v3
- name: Set Node.js 16.x
- name: Set Node.js 18.x
uses: actions/setup-node@v3
with:
node-version: 16.x
node-version: 18.x
- name: Install dependencies
run: npm ci
+2 -2
View File
@@ -17,7 +17,7 @@ jobs:
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
with:
node-version: 16
node-version: 18
cache: npm
- name: Install dependencies
run: npm ci --ignore-scripts
@@ -30,7 +30,7 @@ jobs:
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
with:
node-version: 16
node-version: 18
cache: npm
- name: Install dependencies
run: npm ci --ignore-scripts
+3 -2
View File
@@ -38,6 +38,7 @@ _Note_: We don't have any useful tests yet, contributions are welcome!
## Local Development
It is recommended to have atleast [Node 18](https://nodejs.org/en/) installed.
We have a script to scan a given PR for vulnerabilities, this will
help you test your local changes. Make sure to [grab a Personal Access Token (PAT)](https://github.com/settings/tokens) before proceeding (you'll need `repo` permissions for private repos):
@@ -56,11 +57,11 @@ $ GITHUB_TOKEN=my-secret-token ./scripts/scan_pr https://github.com/actions/depe
```
[Configuration options](README.md#configuration-options) can be set by
passing an external YAML [configuration file](README.md#configuration-file) to the
passing an external YAML [configuration file](README.md#configuration-file) to the
`scan_pr` script with the `-c`/`--config-file` option:
```sh
$ GITHUB_TOKEN=<token> ./scripts/scan_pr --config-file my_custom_config.yml <pr_url>
$ GITHUB_TOKEN=<token> ./scripts/scan_pr --config-file my_custom_config.yml <pr_url>
```
## Submitting a pull request
+52 -18
View File
@@ -71,13 +71,20 @@ or by inlining these options in your workflow file.
### config-file
A string representing the path to an external configuraton file. By
default external configuration files are not used.
A string representing the path to a configuraton file. It can be a
local file, or a file located in an external repository. You can use
this syntax for external repositories: `OWNER/REPOSITORY/FILENAME@BRANCH`.
**Possible values**: A string representing the absolute path to the
configuration file.
If the configuration file is located in an external private repository,
use the [external-repo-token](#external-repo-token) parameter of the
action to specify a token that has read access to the repository.
**Example**: `config-file: ./.github/dependency-review-config.yml`.
**Possible values**: A string representing a path to a file located
in the current repository, or in an external one.
**Example**: `config-file: ./.github/dependency-review-config.yml # local file`.
**Example**: `config-file: github/octorepo/dependency-review-config.yml@main # external repo`
### fail-on-severity
@@ -106,19 +113,20 @@ fail-on-scopes:
### allow-licenses
Only allow the licenses in this list. See "[Licenses](https://github.com/actions/dependency-review-action#licenses)".
Only allow the licenses that comply with the expressions in this list. See "[Licenses](https://github.com/actions/dependency-review-action#licenses)".
**Possible values**: Any `spdx_id` value(s) from
https://docs.github.com/en/rest/licenses.
**Possible values**: A list of of [SPDX-compliant license identifiers](https://spdx.org/licenses/).
**Inline example**: `allow-licenses: BSD-3-Clause, MIT`
**Inline example**: `allow-licenses: BSD-3-Clause, LGPL-2.1 OR MIT OR BSD-3-Clause`
**YAML example**:
```yaml
allow-licenses:
- BSD-3-Clause
- LGPL-2.1
- MIT
- BSD-3-Clause
```
### deny-licenses
@@ -126,24 +134,23 @@ allow-licenses:
Add a custom list of licenses you want to block. See
"[Licenses](https://github.com/actions/dependency-review-action#licenses)".
**Possible values**: Any `spdx_id` value(s) from
https://docs.github.com/en/rest/licenses.
**Possible values**: Any valid set of [SPDX licenses](https://spdx.org/licenses/).
**Inline example**: `deny-licenses: LGPL-2.0, BSD-2-Clause`
**Inline example**: `deny-licenses: LGPL-2.0, GPL-2.0+ WITH Bison-exception-2.2`
**YAML example**:
```yaml
deny-licenses:
- LGPL-2.0
- BSD-2-Clause
- GPL-2.0+ WITH Bison-exception-2.2
```
### allow-ghsas
Add a custom list of GitHub Advisory IDs that can be skipped during detection.
A list of GitHub Security Advisory IDs that can be skipped during detection.
**Possible values**: Any valid advisory GHSA ids.
**Possible values**: Any valid GHSAs from the [GitHub Advisory Database](https://github.com/advisories).
**Inline example**: `allow-ghsas: GHSA-abcd-1234-5679, GHSA-efgh-1234-5679`
@@ -155,6 +162,20 @@ allow-ghsas:
- GHSA-efgh-1234-5679
```
### license-check/vulnerability-check
Disable the license checks or vulnerability checks performed by this Action.
You can't disable both checks.
**Possible values**: `true` or `false`
**Example**:
```yaml
license-check: true
vulnerability-check: false
```
### base-ref/head-ref
Provide custom git references for the git base/head when performing
@@ -171,6 +192,19 @@ base-ref: 8bb8a58d6a4028b6c2e314d5caaf273f57644896
head-ref: 69af5638bf660cf218aad5709a4c100e42a2f37b
```
### external-repo-token
A token for fetching external configuration files if they live in
an external private repository.
Visit the [developer settings](https://github.com/settings/tokens) to
create a new personal access token with `read` permissions for the
repository that hosts the config file.
**Possible values**: Any GitHub token with read access to the external repository.
**Example**: `external-repo-token: ghp_123456789abcdef...`
### Configuration File
You can use an external configuration file to specify the settings for
@@ -259,8 +293,8 @@ forbid a subset of licenses. These options are not supported on Enterprise Serve
You can use the [Licenses
API](https://docs.github.com/en/rest/licenses) to see the full list of
supported licenses. Use the `spdx_id` field for every license you want
to filter. A couple of examples:
supported licenses. Use [SPDX licenses](https://spdx.org/licenses/)
to filter the licenses. A couple of examples:
```yaml
# only allow MIT-licensed dependents
@@ -275,7 +309,7 @@ to filter. A couple of examples:
- name: Dependency Review
uses: actions/dependency-review-action@v2
with:
deny-licenses: Apache-1.1, Apache-2.0
deny-licenses: Apache-1.1+
```
### Considerations
+125 -49
View File
@@ -1,6 +1,7 @@
import {expect, test, beforeEach} from '@jest/globals'
import {readConfig, readConfigFile} from '../src/config'
import {readConfig} from '../src/config'
import {getRefs} from '../src/git-refs'
import * as Utils from '../src/utils'
// GitHub Action inputs come in the form of environment variables
// with an INPUT prefix (e.g. INPUT_FAIL-ON-SEVERITY)
@@ -17,6 +18,8 @@ function clearInputs() {
'ALLOW-LICENSES',
'DENY-LICENSES',
'ALLOW-GHSAS',
'LICENSE-CHECK',
'VULNERABILITY-CHECK',
'CONFIG-FILE',
'BASE-REF',
'HEAD-REF'
@@ -27,48 +30,62 @@ function clearInputs() {
})
}
beforeAll(() => {
jest.spyOn(Utils, 'isSPDXValid').mockReturnValue(true)
})
beforeEach(() => {
clearInputs()
})
test('it defaults to low severity', async () => {
const options = readConfig()
expect(options.fail_on_severity).toEqual('low')
const config = await readConfig()
expect(config.fail_on_severity).toEqual('low')
})
test('it reads custom configs', async () => {
setInput('fail-on-severity', 'critical')
setInput('allow-licenses', ' BSD, GPL 2')
const options = readConfig()
expect(options.fail_on_severity).toEqual('critical')
expect(options.allow_licenses).toEqual(['BSD', 'GPL 2'])
const config = await readConfig()
expect(config.fail_on_severity).toEqual('critical')
expect(config.allow_licenses).toEqual(['BSD', 'GPL 2'])
})
test('it defaults to empty allow/deny lists ', async () => {
const options = readConfig()
const config = await readConfig()
expect(options.allow_licenses).toEqual(undefined)
expect(options.deny_licenses).toEqual(undefined)
expect(config.allow_licenses).toEqual(undefined)
expect(config.deny_licenses).toEqual(undefined)
})
test('it raises an error if both an allow and denylist are specified', async () => {
setInput('allow-licenses', 'MIT')
setInput('deny-licenses', 'BSD')
expect(() => readConfig()).toThrow()
await expect(readConfig()).rejects.toThrow(
'You cannot specify both allow-licenses and deny-licenses'
)
})
test('it raises an error if an empty allow list is specified', async () => {
setInput('config-file', './__tests__/fixtures/config-empty-allow-sample.yml')
await expect(readConfig()).rejects.toThrow(
'You should provide at least one license in allow-licenses'
)
})
test('it raises an error when given an unknown severity', async () => {
setInput('fail-on-severity', 'zombies')
expect(() => readConfig()).toThrow()
await expect(readConfig()).rejects.toThrow(/received 'zombies'/)
})
test('it uses the given refs when the event is not a pull request', async () => {
setInput('base-ref', 'a-custom-base-ref')
setInput('head-ref', 'a-custom-head-ref')
const refs = getRefs(readConfig(), {
const refs = getRefs(await readConfig(), {
payload: {},
eventName: 'workflow_dispatch'
})
@@ -77,9 +94,9 @@ test('it uses the given refs when the event is not a pull request', async () =>
})
test('it raises an error when no refs are provided and the event is not a pull request', async () => {
const options = readConfig()
const config = await readConfig()
expect(() =>
getRefs(options, {
getRefs(config, {
payload: {},
eventName: 'workflow_dispatch'
})
@@ -87,91 +104,150 @@ test('it raises an error when no refs are provided and the event is not a pull r
})
test('it reads an external config file', async () => {
let options = readConfigFile('./__tests__/fixtures/config-allow-sample.yml')
expect(options.fail_on_severity).toEqual('critical')
expect(options.allow_licenses).toEqual(['BSD', 'GPL 2'])
setInput('config-file', './__tests__/fixtures/config-allow-sample.yml')
const config = await readConfig()
expect(config.fail_on_severity).toEqual('critical')
expect(config.allow_licenses).toEqual(['BSD', 'GPL 2'])
})
test('raises an error when the the config file was not found', async () => {
expect(() => readConfigFile('fixtures/i-dont-exist')).toThrow()
setInput('config-file', 'fixtures/i-dont-exist')
await expect(readConfig()).rejects.toThrow(/Unable to fetch config file/)
})
test('it parses options from both sources', async () => {
setInput('config-file', './__tests__/fixtures/config-allow-sample.yml')
let options = readConfig()
expect(options.fail_on_severity).toEqual('critical')
let config = await readConfig()
expect(config.fail_on_severity).toEqual('critical')
setInput('base-ref', 'a-custom-base-ref')
options = readConfig()
expect(options.base_ref).toEqual('a-custom-base-ref')
config = await readConfig()
expect(config.base_ref).toEqual('a-custom-base-ref')
})
test('in case of conflicts, the external config is the source of truth', async () => {
test('in case of conflicts, the inline config is the source of truth', async () => {
setInput('fail-on-severity', 'low')
setInput('config-file', './__tests__/fixtures/config-allow-sample.yml') // this will set fail-on-severity to 'critical'
let options = readConfig()
expect(options.fail_on_severity).toEqual('critical')
// this should not overwite the previous value
setInput('fail-on-severity', 'low')
options = readConfig()
expect(options.fail_on_severity).toEqual('critical')
const config = await readConfig()
expect(config.fail_on_severity).toEqual('low')
})
test('it uses the default values when loading external files', async () => {
setInput('config-file', './__tests__/fixtures/no-licenses-config.yml')
let options = readConfig()
expect(options.allow_licenses).toEqual(undefined)
expect(options.deny_licenses).toEqual(undefined)
let config = await readConfig()
expect(config.allow_licenses).toEqual(undefined)
expect(config.deny_licenses).toEqual(undefined)
setInput('config-file', './__tests__/fixtures/license-config-sample.yml')
options = readConfig()
expect(options.fail_on_severity).toEqual('low')
config = await readConfig()
expect(config.fail_on_severity).toEqual('low')
})
test('it accepts an external configuration filename', async () => {
setInput('config-file', './__tests__/fixtures/no-licenses-config.yml')
const options = readConfig()
expect(options.fail_on_severity).toEqual('critical')
const config = await readConfig()
expect(config.fail_on_severity).toEqual('critical')
})
test('it raises an error when given an unknown severity in an external config file', async () => {
setInput('config-file', './__tests__/fixtures/invalid-severity-config.yml')
expect(() => readConfig()).toThrow()
await expect(readConfig()).rejects.toThrow()
})
test('it defaults to runtime scope', async () => {
const options = readConfig()
expect(options.fail_on_scopes).toEqual(['runtime'])
const config = await readConfig()
expect(config.fail_on_scopes).toEqual(['runtime'])
})
test('it parses custom scopes preference', async () => {
setInput('fail-on-scopes', 'runtime, development')
let options = readConfig()
expect(options.fail_on_scopes).toEqual(['runtime', 'development'])
let config = await readConfig()
expect(config.fail_on_scopes).toEqual(['runtime', 'development'])
clearInputs()
setInput('fail-on-scopes', 'development')
options = readConfig()
expect(options.fail_on_scopes).toEqual(['development'])
config = await readConfig()
expect(config.fail_on_scopes).toEqual(['development'])
})
test('it raises an error when given invalid scope', async () => {
setInput('fail-on-scopes', 'runtime, zombies')
expect(() => readConfig()).toThrow()
await expect(readConfig()).rejects.toThrow(/received 'zombies'/)
})
test('it defaults to an empty GHSA allowlist', async () => {
const options = readConfig()
expect(options.allow_ghsas).toEqual(undefined)
const config = await readConfig()
expect(config.allow_ghsas).toEqual([])
})
test('it successfully parses GHSA allowlist', async () => {
setInput('allow-ghsas', 'GHSA-abcd-1234-5679, GHSA-efgh-1234-5679')
const options = readConfig()
expect(options.allow_ghsas).toEqual([
const config = await readConfig()
expect(config.allow_ghsas).toEqual([
'GHSA-abcd-1234-5679',
'GHSA-efgh-1234-5679'
])
})
test('it defaults to checking licenses', async () => {
const config = await readConfig()
expect(config.license_check).toBe(true)
})
test('it parses the license-check input', async () => {
setInput('license-check', 'false')
let config = await readConfig()
expect(config.license_check).toEqual(false)
clearInputs()
setInput('license-check', 'true')
config = await readConfig()
expect(config.license_check).toEqual(true)
})
test('it defaults to checking vulnerabilities', async () => {
const config = await readConfig()
expect(config.vulnerability_check).toBe(true)
})
test('it parses the vulnerability-check input', async () => {
setInput('vulnerability-check', 'false')
let config = await readConfig()
expect(config.vulnerability_check).toEqual(false)
clearInputs()
setInput('vulnerability-check', 'true')
config = await readConfig()
expect(config.vulnerability_check).toEqual(true)
})
test('it is not possible to disable both checks', async () => {
setInput('license-check', 'false')
setInput('vulnerability-check', 'false')
await expect(readConfig()).rejects.toThrow(
/Can't disable both license-check and vulnerability-check/
)
})
describe('licenses that are not valid SPDX licenses', () => {
beforeAll(() => {
jest.spyOn(Utils, 'isSPDXValid').mockReturnValue(false)
})
test('it raises an error for invalid licenses in allow-licenses', async () => {
setInput('allow-licenses', ' BSD, GPL 2')
await expect(readConfig()).rejects.toThrow(
'Invalid license(s) in allow-licenses: BSD, GPL 2'
)
})
test('it raises an error for invalid licenses in deny-licenses', async () => {
setInput('deny-licenses', ' BSD, GPL 2')
await expect(readConfig()).rejects.toThrow(
'Invalid license(s) in deny-licenses: BSD, GPL 2'
)
})
})
@@ -0,0 +1,2 @@
fail_on_severity: critical
allow_licenses: []
+52 -33
View File
@@ -1,6 +1,7 @@
import {expect, jest, test} from '@jest/globals'
import {Change, Changes} from '../src/schemas'
import {getDeniedLicenseChanges} from '../src/licenses'
let getInvalidLicenseChanges: Function
let npmChange: Change = {
manifest: 'package.json',
@@ -70,65 +71,83 @@ jest.mock('octokit', () => {
}
})
test('it fails if a license outside the allow list is found', async () => {
beforeEach(async () => {
jest.resetModules()
jest.doMock('spdx-satisfies', () => {
// mock spdx-satisfies return value
// true for BSD, false for all others
return jest.fn((license: string, _: string): boolean => license === 'BSD')
})
;({getInvalidLicenseChanges} = require('../src/licenses'))
})
test('it adds license outside the allow list to forbidden changes', async () => {
const changes: Changes = [npmChange, rubyChange]
const [invalidChanges, _] = await getDeniedLicenseChanges(changes, {
const {forbidden} = await getInvalidLicenseChanges(changes, {
allow: ['BSD']
})
expect(invalidChanges[0]).toBe(npmChange)
expect(forbidden[0]).toBe(npmChange)
expect(forbidden.length).toEqual(1)
})
test('it fails if a license inside the deny list is found', async () => {
test('it adds license inside the deny list to forbidden changes', async () => {
const changes: Changes = [npmChange, rubyChange]
const [invalidChanges] = await getDeniedLicenseChanges(changes, {
const {forbidden} = await getInvalidLicenseChanges(changes, {
deny: ['BSD']
})
expect(invalidChanges[0]).toBe(rubyChange)
expect(forbidden[0]).toBe(rubyChange)
expect(forbidden.length).toEqual(1)
})
// This is more of a "here's a behavior that might be surprising" than an actual
// thing we want in the system. Please remove this test after refactoring.
test('it fails all license checks when allow is provided an empty array', async () => {
const changes: Changes = [npmChange, rubyChange]
let [invalidChanges, _] = await getDeniedLicenseChanges(changes, {
allow: [],
deny: ['BSD']
})
expect(invalidChanges.length).toBe(2)
})
test('it does not fail if a license outside the allow list is found in removed changes', async () => {
test('it does not add license outside the allow list to forbidden changes if it is in removed changes', async () => {
const changes: Changes = [
{...npmChange, change_type: 'removed'},
{...rubyChange, change_type: 'removed'}
]
const [invalidChanges, _] = await getDeniedLicenseChanges(changes, {
const {forbidden} = await getInvalidLicenseChanges(changes, {
allow: ['BSD']
})
expect(invalidChanges).toStrictEqual([])
expect(forbidden).toStrictEqual([])
})
test('it does not fail if a license inside the deny list is found in removed changes', async () => {
test('it does not add license inside the deny list to forbidden changes if it is in removed changes', async () => {
const changes: Changes = [
{...npmChange, change_type: 'removed'},
{...rubyChange, change_type: 'removed'}
]
const [invalidChanges, _] = await getDeniedLicenseChanges(changes, {
const {forbidden} = await getInvalidLicenseChanges(changes, {
deny: ['BSD']
})
expect(invalidChanges).toStrictEqual([])
expect(forbidden).toStrictEqual([])
})
test('it fails if a license outside the allow list is found in both of added and removed changes', async () => {
test('it adds license outside the allow list to forbidden changes if it is in both added and removed changes', async () => {
const changes: Changes = [
{...npmChange, change_type: 'removed'},
npmChange,
{...rubyChange, change_type: 'removed'}
]
const [invalidChanges, _] = await getDeniedLicenseChanges(changes, {
const {forbidden} = await getInvalidLicenseChanges(changes, {
allow: ['BSD']
})
expect(invalidChanges).toStrictEqual([npmChange])
expect(forbidden).toStrictEqual([npmChange])
})
test('it adds all licenses to unresolved if it is unable to determine the validity', async () => {
jest.resetModules() // reset module set in before
jest.doMock('spdx-satisfies', () => {
return jest.fn((_first: string, _second: string) => {
throw new Error('Some Error')
})
})
;({getInvalidLicenseChanges} = require('../src/licenses'))
const changes: Changes = [npmChange, rubyChange]
const invalidLicenses = await getInvalidLicenseChanges(changes, {
allow: ['BSD']
})
expect(invalidLicenses.forbidden.length).toEqual(0)
expect(invalidLicenses.unlicensed.length).toEqual(0)
expect(invalidLicenses.unresolved.length).toEqual(2)
})
describe('GH License API fallback', () => {
@@ -138,7 +157,7 @@ describe('GH License API fallback', () => {
license: null,
source_repository_url: 'http://github.com/some-owner/some-repo'
}
const [_, unknownChanges] = await getDeniedLicenseChanges(
const {unlicensed} = await getInvalidLicenseChanges(
[nullLicenseChange, rubyChange],
{}
)
@@ -147,25 +166,25 @@ describe('GH License API fallback', () => {
owner: 'some-owner',
repo: 'some-repo'
})
expect(unknownChanges.length).toEqual(0)
expect(unlicensed.length).toEqual(0)
})
test('it does not call licenses API endpoint for change with null license and invalid source_repository_url ', async () => {
const [_, unknownChanges] = await getDeniedLicenseChanges(
const {unlicensed} = await getInvalidLicenseChanges(
[{...npmChange, license: null}],
{}
)
expect(mockOctokit.rest.licenses.getForRepo).not.toHaveBeenCalled()
expect(unknownChanges.length).toEqual(1)
expect(unlicensed.length).toEqual(1)
})
test('it does not call licenses API endpoint if licenses for all changes are present', async () => {
const [_, unknownChanges] = await getDeniedLicenseChanges(
const {unlicensed} = await getInvalidLicenseChanges(
[npmChange, rubyChange],
{}
)
expect(mockOctokit.rest.licenses.getForRepo).not.toHaveBeenCalled()
expect(unknownChanges.length).toEqual(0)
expect(unlicensed.length).toEqual(0)
})
})
+5 -1
View File
@@ -21,7 +21,7 @@ inputs:
description: The head git ref to be used for this check. Has a default value when the workflow event is `pull_request` or `pull_request_target`. Must be provided otherwise.
required: false
config-file:
description: A filepath to the configuration file for the action.
description: A path to the configuration file for the action.
required: false
allow-licenses:
description: Comma-separated list of allowed licenses (e.g. "MIT, GPL 3.0, BSD 2 Clause")
@@ -32,6 +32,10 @@ inputs:
allow-ghsas:
description: Comma-separated list of allowed Github Advisory IDs (e.g. "GHSA-abcd-1234-5679, GHSA-efgh-1234-5679")
required: false
external-repo-token:
description: A token for fetching external configuration file if it lives in another repository. It is required if the repository is private
required: false
runs:
using: 'node16'
main: 'dist/index.js'
Generated Vendored
+2629 -6525
View File
File diff suppressed because one or more lines are too long
Generated Vendored
+1 -1
View File
File diff suppressed because one or more lines are too long
Generated Vendored
+108
View File
@@ -517,6 +517,31 @@ The above copyright notice and this permission notice shall be included in all c
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
array-find-index
MIT
The MIT License (MIT)
Copyright (c) Sindre Sorhus <sindresorhus@gmail.com> (sindresorhus.com)
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.
before-after-hook
Apache-2.0
Apache License
@@ -1590,6 +1615,89 @@ ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
spdx-compare
MIT
The MIT License
Copyright (c) 2015 Kyle E. Mitchell
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
spdx-exceptions
CC-BY-3.0
spdx-expression-parse
MIT
The MIT License
Copyright (c) 2015 Kyle E. Mitchell & other authors listed in AUTHORS
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:
The above copyright notice and this permission notice shall be included
in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
spdx-license-ids
CC0-1.0
spdx-ranges
(MIT AND CC-BY-3.0)
The MIT License
Copyright (c) 2015 Kyle E. Mitchell
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
spdx-satisfies
MIT
The MIT License
Copyright (c) spdx-satisfies.js contributors
Permission is hereby granted, free of charge, to any person obtaining a
copy of this software and associated documentation files (the "Software"),
to deal in the Software without restriction, including without limitation
the rights to use, copy, modify, merge, publish, distribute, sublicense,
and/or sell copies of the Software, and to permit persons to whom the
Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included
in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR
OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
OTHER DEALINGS IN THE SOFTWARE.
tr46
MIT
+2 -2
View File
@@ -1,9 +1,9 @@
module.exports = {
clearMocks: true,
moduleFileExtensions: ['js', 'ts'],
moduleFileExtensions: ['js', 'json', 'ts'],
testMatch: ['**/*.test.ts'],
transform: {
'^.+\\.ts$': 'ts-jest'
},
verbose: true
}
}
+2962 -3247
View File
File diff suppressed because it is too large Load Diff
+9 -5
View File
@@ -27,20 +27,24 @@
"dependencies": {
"@actions/core": "^1.10.0",
"@actions/github": "^5.1.1",
"@octokit/plugin-retry": "^3.0.9",
"@octokit/plugin-retry": "^4.0.3",
"@octokit/request-error": "^3.0.2",
"ansi-styles": "^6.2.1",
"got": "^12.5.2",
"nodemon": "^2.0.20",
"octokit": "^2.0.9",
"octokit": "^2.0.10",
"spdx-expression-parse": "^3.0.1",
"spdx-satisfies": "^5.0.1",
"yaml": "^2.1.3",
"zod": "^3.19.1"
},
"devDependencies": {
"@types/jest": "^27.5.2",
"@types/node": "^16.18.0",
"@typescript-eslint/eslint-plugin": "^5.40.1",
"@typescript-eslint/parser": "^5.40.1",
"@types/node": "^16.18.3",
"@typescript-eslint/eslint-plugin": "^5.42.0",
"@typescript-eslint/parser": "^5.42.0",
"@types/spdx-expression-parse": "^3.0.2",
"@types/spdx-satisfies": "^0.1.0",
"@vercel/ncc": "^0.34.0",
"esbuild-register": "^3.3.3",
"eslint": "^8.26.0",
+136 -63
View File
@@ -3,12 +3,62 @@ import path from 'path'
import YAML from 'yaml'
import * as core from '@actions/core'
import * as z from 'zod'
import {
ConfigurationOptions,
ConfigurationOptionsSchema,
SeveritySchema,
SCOPES
} from './schemas'
import {ConfigurationOptions, ConfigurationOptionsSchema} from './schemas'
import {isSPDXValid, octokitClient} from './utils'
type ConfigurationOptionsPartial = Partial<ConfigurationOptions>
export async function readConfig(): Promise<ConfigurationOptions> {
const inlineConfig = readInlineConfig()
const configFile = getOptionalInput('config-file')
if (configFile !== undefined) {
const externalConfig = await readConfigFile(configFile)
return ConfigurationOptionsSchema.parse({
...externalConfig,
...inlineConfig
})
}
return ConfigurationOptionsSchema.parse(inlineConfig)
}
function readInlineConfig(): ConfigurationOptionsPartial {
const fail_on_severity = getOptionalInput('fail-on-severity')
const fail_on_scopes = parseList(getOptionalInput('fail-on-scopes'))
const allow_licenses = parseList(getOptionalInput('allow-licenses'))
const deny_licenses = parseList(getOptionalInput('deny-licenses'))
const allow_ghsas = parseList(getOptionalInput('allow-ghsas'))
const license_check = getOptionalBoolean('license-check')
const vulnerability_check = getOptionalBoolean('vulnerability-check')
const base_ref = getOptionalInput('base-ref')
const head_ref = getOptionalInput('head-ref')
validateLicenses('allow-licenses', allow_licenses)
validateLicenses('deny-licenses', deny_licenses)
const keys = {
fail_on_severity,
fail_on_scopes,
allow_licenses,
deny_licenses,
allow_ghsas,
license_check,
vulnerability_check,
base_ref,
head_ref
}
return Object.fromEntries(
Object.entries(keys).filter(([_, value]) => value !== undefined)
)
}
function getOptionalBoolean(name: string): boolean | undefined {
const value = core.getInput(name)
return value.length > 0 ? core.getBooleanInput(name) : undefined
}
function getOptionalInput(name: string): string | undefined {
const value = core.getInput(name)
@@ -23,70 +73,93 @@ function parseList(list: string | undefined): string[] | undefined {
}
}
export function readConfig(): ConfigurationOptions {
const externalConfig = getOptionalInput('config-file')
if (externalConfig !== undefined) {
const config = readConfigFile(externalConfig)
// the reasoning behind reading the inline config when an external
// config file is provided is that we still want to allow users to
// pass inline options in the presence of an external config file.
const inlineConfig = readInlineConfig()
// the external config takes precedence
return Object.assign({}, inlineConfig, config)
} else {
return readInlineConfig()
function validateLicenses(
key: 'allow-licenses' | 'deny-licenses',
licenses: string[] | undefined
): void {
if (licenses === undefined) {
return
}
const invalid_licenses = licenses.filter(license => !isSPDXValid(license))
if (invalid_licenses.length > 0) {
throw new Error(
`Invalid license(s) in ${key}: ${invalid_licenses.join(', ')}`
)
}
}
export function readInlineConfig(): ConfigurationOptions {
const fail_on_severity = SeveritySchema.parse(
getOptionalInput('fail-on-severity')
async function readConfigFile(
filePath: string
): Promise<ConfigurationOptionsPartial> {
// match a remote config (e.g. 'owner/repo/filepath@someref')
const format = new RegExp(
'(?<owner>[^/]+)/(?<repo>[^/]+)/(?<path>[^@]+)@(?<ref>.*)'
)
const fail_on_scopes = z
.array(z.enum(SCOPES))
.default(['runtime'])
.parse(parseList(getOptionalInput('fail-on-scopes')))
const allow_licenses = parseList(getOptionalInput('allow-licenses'))
const deny_licenses = parseList(getOptionalInput('deny-licenses'))
if (allow_licenses !== undefined && deny_licenses !== undefined) {
throw new Error("Can't specify both allow_licenses and deny_licenses")
}
const allow_ghsas = parseList(getOptionalInput('allow-ghsas'))
const base_ref = getOptionalInput('base-ref')
const head_ref = getOptionalInput('head-ref')
return {
fail_on_severity,
fail_on_scopes,
allow_licenses,
deny_licenses,
allow_ghsas,
base_ref,
head_ref
}
}
export function readConfigFile(filePath: string): ConfigurationOptions {
let data
let data: string
const pieces = format.exec(filePath)
try {
data = fs.readFileSync(path.resolve(filePath), 'utf-8')
} catch (error: unknown) {
if (pieces?.groups && pieces.length === 5) {
data = await getRemoteConfig({
owner: pieces.groups.owner,
repo: pieces.groups.repo,
path: pieces.groups.path,
ref: pieces.groups.ref
})
} else {
data = fs.readFileSync(path.resolve(filePath), 'utf-8')
}
return parseConfigFile(data)
} catch (error) {
core.debug(error as string)
throw new Error('Unable to fetch config file')
}
}
function parseConfigFile(configData: string): ConfigurationOptionsPartial {
try {
const data = YAML.parse(configData)
for (const key of Object.keys(data)) {
if (key === 'allow-licenses' || key === 'deny-licenses') {
validateLicenses(key, data[key])
}
// get rid of the ugly dashes from the actions conventions
if (key.includes('-')) {
data[key.replace(/-/g, '_')] = data[key]
delete data[key]
}
}
return data
} catch (error) {
throw error
}
data = YAML.parse(data)
// get rid of the ugly dashes from the actions conventions
for (const key of Object.keys(data)) {
if (key.includes('-')) {
data[key.replace(/-/g, '_')] = data[key]
delete data[key]
}
}
const values = ConfigurationOptionsSchema.parse(data)
return values
}
async function getRemoteConfig(configOpts: {
[key: string]: string
}): Promise<string> {
try {
const {data} = await octokitClient(
'external-repo-token',
false
).rest.repos.getContent({
mediaType: {
format: 'raw'
},
owner: configOpts.owner,
repo: configOpts.repo,
path: configOpts.path,
ref: configOpts.ref
})
// When using mediaType.format = 'raw', the response.data is a string
// but this is not reflected in the return type of getContent, so we're
// casting the return value to a string.
return z.string().parse(data as unknown)
} catch (error) {
core.debug(error as string)
throw new Error('Error fetching remote config file')
}
}
+95 -31
View File
@@ -1,6 +1,6 @@
import * as core from '@actions/core'
import {Octokit} from 'octokit'
import {Change} from './schemas'
import spdxSatisfies from 'spdx-satisfies'
import {Change, Changes} from './schemas'
import {isSPDXValid, octokitClient} from './utils'
/**
* Loops through a list of changes, filtering and returning the
@@ -12,60 +12,73 @@ import {Change} from './schemas'
* we will ignore the deny list.
* @param {Change[]} changes The list of changes to filter.
* @param { { allow?: string[], deny?: string[]}} licenses An object with `allow`/`deny` keys, each containing a list of licenses.
* @returns {Promise<[Array.<Change>, Array.<Change>]>} A promise to a 2 element tuple. The first element is the list of denied changes and the second one is the list of changes with unknown licenses
* @returns {Promise<{Object.<string, Array.<Change>>}} A promise to a Record Object. The keys are strings, unlicensed, unresolved and forbidden. The values are a list of changes
*/
export async function getDeniedLicenseChanges(
export async function getInvalidLicenseChanges(
changes: Change[],
licenses: {
allow?: string[]
deny?: string[]
}
): Promise<[Change[], Change[]]> {
): Promise<Record<string, Changes>> {
const {allow, deny} = licenses
const disallowed: Change[] = []
const unknown: Change[] = []
const groupedChanges = await groupChanges(changes)
const licensedChanges: Changes = groupedChanges.licensed
const consolidatedChanges = changes.some(
({source_repository_url, license}) => !license && source_repository_url
)
? await setGHLicenses(changes)
: changes
const invalidLicenseChanges: Record<string, Changes> = {
unlicensed: groupedChanges.unlicensed,
unresolved: [],
forbidden: []
}
for (const change of consolidatedChanges) {
if (change.change_type === 'removed') {
continue
}
const validityCache = new Map<string, boolean>()
for (const change of licensedChanges) {
const license = change.license
// should never happen since licensedChanges always have licenses but license is nullable in changes schema
if (license === null) {
unknown.push(change)
continue
}
if (allow !== undefined) {
if (!allow.includes(license)) {
disallowed.push(change)
}
} else if (deny !== undefined) {
if (deny.includes(license)) {
disallowed.push(change)
if (license === 'NOASSERTION') {
invalidLicenseChanges.unlicensed.push(change)
} else if (validityCache.get(license) === undefined) {
try {
if (allow !== undefined) {
const found = allow.find(spdxExpression =>
spdxSatisfies(license, spdxExpression)
)
validityCache.set(license, found !== undefined)
} else if (deny !== undefined) {
const found = deny.find(spdxExpression =>
spdxSatisfies(license, spdxExpression)
)
validityCache.set(license, found === undefined)
}
} catch (err) {
invalidLicenseChanges.unresolved.push(change)
}
}
if (validityCache.get(license) === false) {
invalidLicenseChanges.forbidden.push(change)
}
}
return [disallowed, unknown]
return invalidLicenseChanges
}
const fetchGHLicense = async (
owner: string,
repo: string
): Promise<string | null> => {
const octokit = new Octokit({
auth: core.getInput('repo-token', {required: true})
})
try {
const response = await octokit.rest.licenses.getForRepo({owner, repo})
const response = await octokitClient().rest.licenses.getForRepo({
owner,
repo
})
return response.data.license?.spdx_id ?? null
} catch (_) {
return null
@@ -108,3 +121,54 @@ const setGHLicenses = async (changes: Change[]): Promise<Change[]> => {
return Promise.all(updatedChanges)
}
// Currently Dependency Graph licenses are truncated to 255 characters
// This possibly makes them invalid spdx ids
const truncatedDGLicense = (license: string): boolean =>
license.length === 255 && !isSPDXValid(license)
async function groupChanges(
changes: Changes
): Promise<Record<string, Changes>> {
const result: Record<string, Changes> = {
licensed: [],
unlicensed: []
}
const ghChanges = []
for (const change of changes) {
if (change.change_type === 'removed') {
continue
}
if (change.license === null) {
if (change.source_repository_url !== null) {
ghChanges.push(change)
} else {
result.unlicensed.push(change)
}
} else {
if (
truncatedDGLicense(change.license) &&
change.source_repository_url !== null
) {
ghChanges.push(change)
} else {
result.licensed.push(change)
}
}
}
if (ghChanges.length > 0) {
const ghLicenses = await setGHLicenses(ghChanges)
for (const change of ghLicenses) {
if (change.license === null) {
result.unlicensed.push(change)
} else {
result.licensed.push(change)
}
}
}
return result
}
+36 -24
View File
@@ -10,7 +10,7 @@ import {
filterChangesByScopes,
filterAllowedAdvisories
} from '../src/filter'
import {getDeniedLicenseChanges} from './licenses'
import {getInvalidLicenseChanges} from './licenses'
import * as summary from './summary'
import {getRefs} from './git-refs'
@@ -18,7 +18,7 @@ import {groupDependenciesByManifest} from './utils'
async function run(): Promise<void> {
try {
const config = readConfig()
const config = await readConfig()
const refs = getRefs(config, github.context)
const changes = await dependencyGraph.compare({
@@ -28,7 +28,7 @@ async function run(): Promise<void> {
headRef: refs.head
})
const minSeverity = config.fail_on_severity as Severity
const minSeverity = config.fail_on_severity
const scopedChanges = filterChangesByScopes(config.fail_on_scopes, changes)
const filteredChanges = filterAllowedAdvisories(
config.allow_ghsas,
@@ -45,7 +45,7 @@ async function run(): Promise<void> {
change.vulnerabilities.length > 0
)
const [licenseErrors, unknownLicenses] = await getDeniedLicenseChanges(
const invalidLicenseChanges = await getInvalidLicenseChanges(
filteredChanges,
{
allow: config.allow_licenses,
@@ -53,13 +53,21 @@ async function run(): Promise<void> {
}
)
summary.addSummaryToSummary(addedChanges, licenseErrors, unknownLicenses)
summary.addChangeVulnerabilitiesToSummary(addedChanges, minSeverity)
summary.addLicensesToSummary(licenseErrors, unknownLicenses, config)
summary.addScannedDependencies(changes)
summary.addSummaryToSummary(
config.vulnerability_check ? addedChanges : null,
config.license_check ? invalidLicenseChanges : null
)
printVulnerabilitiesBlock(addedChanges, minSeverity)
printLicensesBlock(licenseErrors, unknownLicenses)
if (config.vulnerability_check) {
summary.addChangeVulnerabilitiesToSummary(addedChanges, minSeverity)
printVulnerabilitiesBlock(addedChanges, minSeverity)
}
if (config.license_check) {
summary.addLicensesToSummary(invalidLicenseChanges, config)
printLicensesBlock(invalidLicenseChanges)
}
summary.addScannedDependencies(changes)
printScannedDependencies(changes)
} catch (error) {
if (error instanceof RequestError && error.status === 404) {
@@ -83,7 +91,7 @@ async function run(): Promise<void> {
}
function printVulnerabilitiesBlock(
addedChanges: Change[],
addedChanges: Changes,
minSeverity: Severity
): void {
let failed = false
@@ -119,24 +127,28 @@ function printChangeVulnerabilities(change: Change): void {
}
function printLicensesBlock(
licenseErrors: Change[],
unknownLicenses: Change[]
invalidLicenseChanges: Record<string, Changes>
): void {
core.group('Licenses', async () => {
if (licenseErrors.length > 0) {
printLicensesError(licenseErrors)
if (invalidLicenseChanges.forbidden.length > 0) {
core.info('\nThe following dependencies have incompatible licenses:')
printLicensesError(invalidLicenseChanges.forbidden)
core.setFailed('Dependency review detected incompatible licenses.')
}
printNullLicenses(unknownLicenses)
if (invalidLicenseChanges.unresolved.length > 0) {
core.warning(
'\nThe validity of the licenses of the dependencies below could not be determined. Ensure that they are valid SPDX licenses:'
)
printLicensesError(invalidLicenseChanges.unresolved)
core.setFailed(
'Dependency review could not detect the validity of all licenses.'
)
}
printNullLicenses(invalidLicenseChanges.unlicensed)
})
}
function printLicensesError(changes: Change[]): void {
if (changes.length === 0) {
return
}
core.info('\nThe following dependencies have incompatible licenses:\n')
function printLicensesError(changes: Changes): void {
for (const change of changes) {
core.info(
`${styles.bold.open}${change.manifest} » ${change.name}@${change.version}${styles.bold.close} License: ${styles.color.red.open}${change.license}${styles.color.red.close}`
@@ -144,12 +156,12 @@ function printLicensesError(changes: Change[]): void {
}
}
function printNullLicenses(changes: Change[]): void {
function printNullLicenses(changes: Changes): void {
if (changes.length === 0) {
return
}
core.info('\nWe could not detect a license for the following dependencies:\n')
core.info('\nWe could not detect a license for the following dependencies:')
for (const change of changes) {
core.info(
`${styles.bold.open}${change.manifest} » ${change.name}@${change.version}${styles.bold.close}`
+30 -10
View File
@@ -38,18 +38,38 @@ export const ConfigurationOptionsSchema = z
.object({
fail_on_severity: SeveritySchema,
fail_on_scopes: z.array(z.enum(SCOPES)).default(['runtime']),
allow_licenses: z.array(z.string()).default([]),
deny_licenses: z.array(z.string()).default([]),
allow_licenses: z.array(z.string()).optional(),
deny_licenses: z.array(z.string()).optional(),
allow_ghsas: z.array(z.string()).default([]),
config_file: z.string().optional().default('false'),
base_ref: z.string(),
head_ref: z.string()
license_check: z.boolean().default(true),
vulnerability_check: z.boolean().default(true),
config_file: z.string().optional(),
base_ref: z.string().optional(),
head_ref: z.string().optional()
})
.superRefine((config, context) => {
if (config.allow_licenses && config.deny_licenses) {
context.addIssue({
code: z.ZodIssueCode.custom,
message: 'You cannot specify both allow-licenses and deny-licenses'
})
}
if (config.allow_licenses && config.allow_licenses.length < 1) {
context.addIssue({
code: z.ZodIssueCode.custom,
message: 'You should provide at least one license in allow-licenses'
})
}
if (
config.license_check === false &&
config.vulnerability_check === false
) {
context.addIssue({
code: z.ZodIssueCode.custom,
message: "Can't disable both license-check and vulnerability-check"
})
}
})
.partial()
.refine(
obj => !(obj.allow_licenses && obj.deny_licenses),
'Your workflow file has both an allow_licenses list and deny_licenses list, but you can only set one or the other.'
)
export const ChangesSchema = z.array(ChangeSchema)
+52 -47
View File
@@ -1,18 +1,27 @@
import * as core from '@actions/core'
import {ConfigurationOptions, Change, Changes} from './schemas'
import {ConfigurationOptions, Changes} from './schemas'
import {SummaryTableRow} from '@actions/core/lib/summary'
import {groupDependenciesByManifest, getManifestsSet, renderUrl} from './utils'
export function addSummaryToSummary(
addedPackages: Changes,
licenseErrors: Change[],
unknownLicenses: Change[]
addedPackages: Changes | null,
invalidLicenseChanges: Record<string, Changes> | null
): void {
core.summary
.addHeading('Dependency Review')
.addRaw(
`We found ${addedPackages.length} vulnerable package(s), ${licenseErrors.length} package(s) with incompatible licenses, and ${unknownLicenses.length} package(s) with unknown licenses.`
)
.addRaw('We found:')
.addList([
...(addedPackages
? [`${addedPackages.length} vulnerable package(s)`]
: []),
...(invalidLicenseChanges
? [
`${invalidLicenseChanges.unresolved.length} package(s) with invalid SPDX license definitions`,
`${invalidLicenseChanges.forbidden.length} package(s) with incompatible licenses`,
`${invalidLicenseChanges.unlicensed.length} package(s) with unknown licenses.`
]
: [])
])
}
export function addChangeVulnerabilitiesToSummary(
@@ -76,8 +85,7 @@ export function addChangeVulnerabilitiesToSummary(
}
export function addLicensesToSummary(
licenseErrors: Change[],
unknownLicenses: Change[],
invalidLicenseChanges: Record<string, Changes>,
config: ConfigurationOptions
): void {
core.summary.addHeading('Licenses')
@@ -93,62 +101,59 @@ export function addLicensesToSummary(
)
}
if (licenseErrors.length === 0 && unknownLicenses.length === 0) {
if (Object.values(invalidLicenseChanges).every(item => item.length === 0)) {
core.summary.addQuote('No license violations detected.')
return
}
if (licenseErrors.length > 0) {
const rows: SummaryTableRow[] = []
const manifests = getManifestsSet(licenseErrors)
core.debug(
`found ${invalidLicenseChanges.unlicensed.length} unknown licenses`
)
core.summary.addHeading('Incompatible Licenses', 3).addSeparator()
core.debug(
`${invalidLicenseChanges.unresolved.length} licenses could not be validated`
)
printLicenseViolation(
'Incompatible Licenses',
invalidLicenseChanges.forbidden
)
printLicenseViolation('Unknown Licenses', invalidLicenseChanges.unlicensed)
printLicenseViolation(
'Invalid SPDX License Definitions',
invalidLicenseChanges.unresolved
)
}
function printLicenseViolation(heading: string, changes: Changes): void {
core.summary.addHeading(heading, 5).addSeparator()
if (changes.length > 0) {
const rows: SummaryTableRow[] = []
const manifests = getManifestsSet(changes)
for (const manifest of manifests) {
core.summary.addHeading(`<em>${manifest}</em>`, 4)
for (const change of licenseErrors.filter(
pkg => pkg.manifest === manifest
)) {
for (const change of changes.filter(pkg => pkg.manifest === manifest)) {
rows.push([
renderUrl(change.source_repository_url, change.name),
change.version,
change.license || ''
formatLicense(change.license)
])
}
core.summary.addTable([['Package', 'Version', 'License'], ...rows])
}
} else {
core.summary.addQuote('No license violations detected.')
core.summary.addQuote(`No ${heading.toLowerCase()} detected.`)
}
}
core.debug(`found ${unknownLicenses.length} unknown licenses`)
if (unknownLicenses.length > 0) {
const rows: SummaryTableRow[] = []
const manifests = getManifestsSet(unknownLicenses)
core.debug(
`found ${manifests.entries.length} manifests for unknown licenses`
)
core.summary.addHeading('Unknown Licenses', 3).addSeparator()
for (const manifest of manifests) {
core.summary.addHeading(`<em>${manifest}</em>`, 4)
for (const change of unknownLicenses.filter(
pkg => pkg.manifest === manifest
)) {
rows.push([
renderUrl(change.source_repository_url, change.name),
change.version
])
}
core.summary.addTable([['Package', 'Version'], ...rows])
}
function formatLicense(license: string | null): string {
if (license === null || license === 'NOASSERTION') {
return 'Null'
}
return license
}
export function addScannedDependencies(changes: Changes): void {
@@ -157,7 +162,7 @@ export function addScannedDependencies(changes: Changes): void {
const summary = core.summary
.addHeading('Scanned Dependencies')
.addRaw(`We scanned ${dependencies.size} manifest files:`)
.addHeading(`We scanned ${dependencies.size} manifest files:`, 5)
for (const manifest of manifests) {
const deps = dependencies.get(manifest)
@@ -165,7 +170,7 @@ export function addScannedDependencies(changes: Changes): void {
const dependencyNames = deps.map(
dependency => `<li>${dependency.name}@${dependency.version}</li>`
)
summary.addRaw(`<h3>${manifest}</h3><ul>${dependencyNames.join('')}</ul>`)
summary.addDetails(manifest, `<ul>${dependencyNames.join('')}</ul>`)
}
}
}
+25
View File
@@ -1,3 +1,6 @@
import * as core from '@actions/core'
import {Octokit} from 'octokit'
import spdxParse from 'spdx-expression-parse'
import {Changes} from './schemas'
export function groupDependenciesByManifest(
@@ -28,3 +31,25 @@ export function renderUrl(url: string | null, text: string): string {
return text
}
}
export function isSPDXValid(license: string): boolean {
try {
spdxParse(license)
return true
} catch (_) {
return false
}
}
export function octokitClient(token = 'repo-token', required = true): Octokit {
const opts: Record<string, unknown> = {}
// auth is only added if token is present. For remote config files in public
// repos the token is optional, so it could be undefined.
const auth = core.getInput(token, {required})
if (auth !== undefined) {
opts['auth'] = auth
}
return new Octokit(opts)
}