Compare commits

..

1 Commits

Author SHA1 Message Date
Federico Builes 23bc3cbcbc temp home for ghes-related logic 2022-06-09 07:59:36 +02:00
25 changed files with 9759 additions and 973 deletions
-3
View File
@@ -9,6 +9,3 @@ updates:
directory: /
schedule:
interval: daily
ignore:
- dependency-name: '@types/node'
update-types: ['version-update:semver-major']
+8
View File
@@ -0,0 +1,8 @@
fail_on_severity: low
allow_licenses:
- 'GPL 3.0'
- 'BSD 3 Clause'
- 'MIT'
#deny_licenses:
# - "LGPL 2.0"
# - "BSD 2 Clause"
-42
View File
@@ -1,42 +0,0 @@
name: CI
on:
push:
branches:
- main
paths-ignore:
- '**.md'
pull_request:
paths-ignore:
- '**.md'
jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
with:
node-version: 16
cache: npm
- name: Install dependencies
run: npm ci --ignore-scripts
- name: Test
run: |
npm test
lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
with:
node-version: 16
cache: npm
- name: Install dependencies
run: npm ci --ignore-scripts
- name: Check format
run: |
npm run format-check
- name: Lint
run: |
npm run lint
-3
View File
@@ -1,3 +0,0 @@
{
"recommendations": ["dbaeumer.vscode-eslint", "esbenp.prettier-vscode"]
}
-13
View File
@@ -1,13 +0,0 @@
{
"version": "0.1.0",
"configurations": [
{
"name": "Debug Jest Tests",
"type": "node",
"request": "launch",
"runtimeArgs": ["--inspect-brk", "${workspaceRoot}/node_modules/.bin/jest", "--runInBand", "--coverage", "false"],
"console": "integratedTerminal",
"internalConsoleOptions": "neverOpen"
}
]
}
-4
View File
@@ -1,4 +0,0 @@
{
"editor.formatOnSave": true,
"editor.defaultFormatter": "esbenp.prettier-vscode"
}
-33
View File
@@ -73,39 +73,6 @@ Here are a few things you can do that will increase the likelihood of your pull
- Keep your change as focused as possible. If there are multiple changes you would like to make that are not dependent upon each other, consider submitting them as separate pull requests.
- Write a [good commit message](http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html).
## Cutting a new release
1. Go to [Draft a new
release](https://github.com/actions/dependency-review-action/releases/new)
in the Releases page.
2. Make sure that the `Publish this Action to the GitHub Marketplace`
checkbox is enabled
<img width="481" alt="Screenshot 2022-06-15 at 12 08 19" src="https://user-images.githubusercontent.com/2161/173822484-4b60d8b4-c674-4bff-b5ff-b0c4a3650ab7.png">
3. Click "Choose a tag" and then "Create new tag", where the tag name
will be your version prefixed by a `v` (e.g. `v1.2.3`).
4. Use a version number for the release title (e.g. "1.2.3").
<img width="700" alt="Screenshot 2022-06-15 at 12 08 36" src="https://user-images.githubusercontent.com/2161/173822548-33ab3432-d679-4dc1-adf8-b50fdaf47de3.png">
5. Add your release notes. If this is a major version make sure to
include a small description of the biggest changes in the new version.
6. Click "Publish Release".
You now have a tag and release using the semver version you used
above. The last remaining thing to do is to move the dynamic version
identifier to match the current SHA. This allows users to adopt a
major version number (e.g. `v1`) in their workflows while
automatically getting all the
minor/patch updates.
To do this just force-create a new annotated tag and push it:
```
git tag -fa v1 -m "Updating v1 tag"
git push origin v1 --force
```
## Resources
- [How to Contribute to Open Source](https://opensource.guide/how-to-contribute/)
+4 -93
View File
@@ -2,7 +2,7 @@
This action scans your pull requests for dependency changes and will raise an error if any new dependencies have existing vulnerabilities. The action is supported by an [API endpoint](https://docs.github.com/en/rest/reference/dependency-graph#dependency-review) that diffs the dependencies between any two revisions.
The action is available for all public repositories, as well as private repositories that have GitHub Advanced Security licensed.
The action is available for all public repositories, as well as private repositories that have Github Advanced Security licensed.
<img width="854" alt="Screen Shot 2022-03-31 at 1 10 51 PM" src="https://user-images.githubusercontent.com/2161/161042286-b22d7dd3-13cb-458d-8744-ce70ed9bf562.png">
@@ -25,99 +25,10 @@ jobs:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- name: 'Dependency Review'
uses: actions/dependency-review-action@v2
uses: actions/dependency-review-action@v1
```
Please keep in mind that you need a GitHub Advanced Security license if you're running this action on private repos.
## Configuration
You can pass additional options to the Dependency Review
Action using your workflow file. Here's an example workflow with
all the possible configurations:
```yaml
name: 'Dependency Review'
on: [pull_request]
permissions:
contents: read
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- name: Dependency Review
uses: actions/dependency-review-action@v2
with:
# Possible values: "critical", "high", "moderate", "low"
# fail-on-severity: critical
#
# You can only include one of these two options: `allow-licenses` and `deny-licenses`
#
# Possible values: Any `spdx_id` value(s) from https://docs.github.com/en/rest/licenses
# allow-licenses: GPL-3.0, BSD-3-Clause, MIT
#
# Possible values: Any `spdx_id` value(s) from https://docs.github.com/en/rest/licenses
# deny-licenses: LGPL-2.0, BSD-2-Clause
```
### Vulnerability Severity
By default the action will fail on any pull request that contains a
vulnerable dependency, regardless of the severity level. You can override this behavior by
using the `fail-on-severity` option, which will cause a failure on any pull requests that introduce vulnerabilities of the specified severity level or higher. The possible values are: `critical`, `high`, `moderate`, or `low`. The
action defaults to `low`.
This example will only fail on pull requests with `critical` and `high` vulnerabilities:
```yaml
- name: Dependency Review
uses: actions/dependency-review-action@v2
with:
fail-on-severity: high
```
### Licenses
You can set the action to fail on pull requests based on the licenses of the dependencies
they introduce. With `allow-licenses` you can define the list of licenses
your repository will accept. Alternatively, you can use `deny-licenses` to only
forbid a subset of licenses.
You can use the [Licenses
API](https://docs.github.com/en/rest/licenses) to see the full list of
supported licenses. Use the `spdx_id` field for every license you want
to filter. A couple of examples:
```yaml
# only allow MIT-licensed dependents
- name: Dependency Review
uses: actions/dependency-review-action@v2
with:
allow-licenses: MIT
```
```yaml
# Block Apache 1.1 and 2.0 licensed dependents
- name: Dependency Review
uses: actions/dependency-review-action@v2
with:
deny-licenses: Apache-1.1, Apache-2.0
```
**Important**
* The action will only accept one of the two parameters; an error will
be raised if you provide both.
* By default both parameters are empty (no license checking is
performed).
* We don't have license information for all of your dependents. If we
can't detect the license for a dependency **we will inform you, but the
action won't fail**.
## Blocking pull requests
The Dependency Review GitHub Action check will only block a pull request from being merged if the repository owner has required the check to pass before merging. For more information, see the [documentation on protected branches](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#require-status-checks-before-merging).
Please keep in mind that you need a GitHub Advanced Security license if you're running this Action on private repos.
## Getting help
@@ -126,7 +37,7 @@ issue](https://github.com/actions/dependency-review-action/issues/new/choose).
## Contributing
We are grateful for any contributions made to this project.
We are grateful for any contributions made to this project.
Please read [CONTRIBUTING.MD](https://github.com/actions/dependency-review-action/blob/main/CONTRIBUTING.md) to get started.
+10 -45
View File
@@ -1,53 +1,18 @@
import {expect, test, beforeEach} from '@jest/globals'
import {readConfig} from '../src/config'
import {expect, test} from '@jest/globals'
import {readConfigFile} from '../src/config'
// GitHub Action inputs come in the form of environment variables
// with an INPUT prefix (e.g. INPUT_FAIL-ON-SEVERITY)
function setInput(input: string, value: string) {
process.env[`INPUT_${input.toUpperCase()}`] = value
}
// We want a clean ENV before each test. We use `delete`
// since we want `undefined` values and not empty strings.
function clearInputs() {
delete process.env['INPUT_FAIL-ON-SEVERITY']
delete process.env['INPUT_ALLOW-LICENSES']
delete process.env['INPUT_DENY-LICENSES']
}
beforeEach(() => {
clearInputs()
})
test('it defaults to low severity', async () => {
const options = readConfig()
expect(options.fail_on_severity).toEqual('low')
})
test('it reads custom configs', async () => {
setInput('fail-on-severity', 'critical')
setInput('allow-licenses', ' BSD, GPL 2')
const options = readConfig()
test('reads the config file', async () => {
let options = readConfigFile('./__tests__/fixtures/config-allow-sample.yml')
expect(options.fail_on_severity).toEqual('critical')
expect(options.allow_licenses).toEqual(['BSD', 'GPL 2'])
})
test('it defaults to empty allow/deny lists ', async () => {
const options = readConfig()
expect(options.allow_licenses).toEqual(undefined)
expect(options.deny_licenses).toEqual(undefined)
test('the default config path handles .yml and .yaml', async () => {
expect(true).toEqual(true)
})
test('it raises an error if both an allow and denylist are specified', async () => {
setInput('allow-licenses', 'MIT')
setInput('deny-licenses', 'BSD')
expect(() => readConfig()).toThrow()
})
test('it raises an error when given an unknown severity', async () => {
setInput('fail-on-severity', 'zombies')
expect(() => readConfig()).toThrow()
test('returns a default config when the config file was not found', async () => {
let options = readConfigFile('fixtures/i-dont-exist')
expect(options.fail_on_severity).toEqual('low')
expect(options.allow_licenses).toEqual([])
})
+4 -4
View File
@@ -8,14 +8,14 @@ let npmChange: Change = {
ecosystem: 'npm',
name: 'Reeuhq',
version: '1.0.2',
package_url: 'pkg:npm/reeuhq@1.0.2',
package_url: 'somepurl',
license: 'MIT',
source_repository_url: 'github.com/some-repo',
vulnerabilities: [
{
severity: 'critical',
advisory_ghsa_id: 'first-random_string',
advisory_summary: 'very dangerous',
advisory_summary: 'very dangerouns',
advisory_url: 'github.com/future-funk'
}
]
@@ -27,14 +27,14 @@ let rubyChange: Change = {
ecosystem: 'rubygems',
name: 'actionsomething',
version: '3.2.0',
package_url: 'pkg:gem/actionsomething@3.2.0',
package_url: 'somerubypurl',
license: 'BSD',
source_repository_url: 'github.com/some-repo',
vulnerabilities: [
{
severity: 'moderate',
advisory_ghsa_id: 'second-random_string',
advisory_summary: 'not so dangerous',
advisory_summary: 'not so dangerouns',
advisory_url: 'github.com/future-funk'
},
{
@@ -1,2 +0,0 @@
allow_licenses: []
deny_licenses: []
@@ -1 +0,0 @@
fail_on_severity: critical
-98
View File
@@ -1,98 +0,0 @@
import {expect, test} from '@jest/globals'
import {Change, Changes} from '../src/schemas'
import {getDeniedLicenseChanges} from '../src/licenses'
let npmChange: Change = {
manifest: 'package.json',
change_type: 'added',
ecosystem: 'npm',
name: 'Reeuhq',
version: '1.0.2',
package_url: 'pkg:npm/reeuhq@1.0.2',
license: 'MIT',
source_repository_url: 'github.com/some-repo',
vulnerabilities: [
{
severity: 'critical',
advisory_ghsa_id: 'first-random_string',
advisory_summary: 'very dangerous',
advisory_url: 'github.com/future-funk'
}
]
}
let rubyChange: Change = {
change_type: 'added',
manifest: 'Gemfile.lock',
ecosystem: 'rubygems',
name: 'actionsomething',
version: '3.2.0',
package_url: 'pkg:gem/actionsomething@3.2.0',
license: 'BSD',
source_repository_url: 'github.com/some-repo',
vulnerabilities: [
{
severity: 'moderate',
advisory_ghsa_id: 'second-random_string',
advisory_summary: 'not so dangerous',
advisory_url: 'github.com/future-funk'
},
{
severity: 'low',
advisory_ghsa_id: 'third-random_string',
advisory_summary: 'dont page me',
advisory_url: 'github.com/future-funk'
}
]
}
test('it fails if a license outside the allow list is found', async () => {
const changes: Changes = [npmChange, rubyChange]
const [invalidChanges, _] = getDeniedLicenseChanges(changes, {allow: ['BSD']})
expect(invalidChanges[0]).toBe(npmChange)
})
test('it fails if a license inside the deny list is found', async () => {
const changes: Changes = [npmChange, rubyChange]
const [invalidChanges] = getDeniedLicenseChanges(changes, {deny: ['BSD']})
expect(invalidChanges[0]).toBe(rubyChange)
})
// This is more of a "here's a behavior that might be surprising" than an actual
// thing we want in the system. Please remove this test after refactoring.
test('it fails all license checks when allow is provided an empty array', async () => {
const changes: Changes = [npmChange, rubyChange]
let [invalidChanges, _] = getDeniedLicenseChanges(changes, {
allow: [],
deny: ['BSD']
})
expect(invalidChanges.length).toBe(2)
})
test('it does not fail if a license outside the allow list is found in removed changes', async () => {
const changes: Changes = [
{...npmChange, change_type: 'removed'},
{...rubyChange, change_type: 'removed'}
]
const [invalidChanges, _] = getDeniedLicenseChanges(changes, {allow: ['BSD']})
expect(invalidChanges).toStrictEqual([])
})
test('it does not fail if a license inside the deny list is found in removed changes', async () => {
const changes: Changes = [
{...npmChange, change_type: 'removed'},
{...rubyChange, change_type: 'removed'}
]
const [invalidChanges, _] = getDeniedLicenseChanges(changes, {deny: ['BSD']})
expect(invalidChanges).toStrictEqual([])
})
test('it fails if a license outside the allow list is found in both of added and removed changes', async () => {
const changes: Changes = [
{...npmChange, change_type: 'removed'},
npmChange,
{...rubyChange, change_type: 'removed'}
]
const [invalidChanges, _] = getDeniedLicenseChanges(changes, {allow: ['BSD']})
expect(invalidChanges).toStrictEqual([npmChange])
})
+1 -11
View File
@@ -3,19 +3,9 @@ description: 'Prevent the introduction of dependencies with known vulnerabilitie
author: 'GitHub'
inputs:
repo-token:
description: Token for the repository. Can be passed in using `{{ secrets.GITHUB_TOKEN }}`.
description: 'Token for the repository. Can be passed in using `{{ secrets.GITHUB_TOKEN }}`.'
required: false
default: ${{ github.token }}
fail-on-severity:
description: Don't block PRs below this severity. Possible values are `low`, `moderate`, `high`, `critical`.
required: false
default: 'low'
allow-licenses:
description: Comma-separated list of allowed licenses (e.g. "MIT, GPL 3.0, BSD 2 Clause")
required: false
deny-licenses:
description: Comma-separated list of forbidden licenses (e.g. "MIT, GPL 3.0, BSD 2 Clause")
required: false
runs:
using: 'node16'
main: 'dist/index.js'
Generated Vendored
+8331 -265
View File
File diff suppressed because it is too large Load Diff
Generated Vendored
+1 -1
View File
File diff suppressed because one or more lines are too long
Generated Vendored
+17
View File
@@ -684,6 +684,23 @@ ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
yaml
ISC
Copyright Eemeli Aro <eemeli@gmail.com>
Permission to use, copy, modify, and/or distribute this software for any purpose
with or without fee is hereby granted, provided that the above copyright notice
and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER
TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF
THIS SOFTWARE.
zod
MIT
MIT License
+1198 -218
View File
File diff suppressed because it is too large Load Diff
+12 -12
View File
@@ -1,6 +1,6 @@
{
"name": "dependency-review-action",
"version": "2.0.4",
"version": "0.0.1",
"private": true,
"description": "A GitHub Action for Dependency Review",
"main": "lib/main.js",
@@ -25,30 +25,30 @@
"author": "GitHub",
"license": "MIT",
"dependencies": {
"@actions/core": "^1.9.0",
"@actions/core": "^1.8.2",
"@actions/github": "^5.0.3",
"@octokit/plugin-retry": "^3.0.9",
"@octokit/request-error": "^3.0.0",
"@octokit/request-error": "^2.1.0",
"ansi-styles": "^6.1.0",
"got": "^12.1.0",
"nodemon": "^2.0.19",
"nodemon": "^2.0.16",
"yaml": "^2.1.1",
"zod": "^3.17.3"
},
"devDependencies": {
"@types/node": "^16.11.44",
"@typescript-eslint/eslint-plugin": "^5.30.6",
"@typescript-eslint/parser": "^5.30.6",
"@types/node": "^17.0.40",
"@typescript-eslint/eslint-plugin": "^5.27.1",
"@typescript-eslint/parser": "^5.27.1",
"@vercel/ncc": "^0.34.0",
"esbuild-register": "^3.3.3",
"eslint": "^8.19.0",
"eslint": "^8.17.0",
"eslint-plugin-github": "^4.3.6",
"eslint-plugin-jest": "^26.5.3",
"jest": "^27.5.1",
"js-yaml": "^4.1.0",
"nodemon": "^2.0.19",
"prettier": "2.7.1",
"nodemon": "^2.0.16",
"prettier": "2.6.2",
"ts-jest": "^27.1.4",
"typescript": "^4.7.4"
"typescript": "^4.7.3"
}
}
}
+27 -21
View File
@@ -1,27 +1,33 @@
import * as core from '@actions/core'
import * as z from 'zod'
import {ConfigurationOptions, SEVERITIES} from './schemas'
import * as fs from 'fs'
import YAML from 'yaml'
import {ConfigurationOptions, ConfigurationOptionsSchema} from './schemas'
import path from 'path'
function getOptionalInput(name: string): string | undefined {
const value = core.getInput(name)
return value.length > 0 ? value : undefined
}
export const CONFIG_FILEPATH = './.github/dependency-review.yml'
export function readConfig(): ConfigurationOptions {
const fail_on_severity = z
.enum(SEVERITIES)
.default('low')
.parse(getOptionalInput('fail-on-severity'))
const allow_licenses = getOptionalInput('allow-licenses')
const deny_licenses = getOptionalInput('deny-licenses')
if (allow_licenses !== undefined && deny_licenses !== undefined) {
throw new Error("Can't specify both allow_licenses and deny_licenses")
export function readConfigFile(
filePath: string = CONFIG_FILEPATH
): ConfigurationOptions {
// By default we want to fail on all severities and allow all licenses.
const defaultOptions: ConfigurationOptions = {
fail_on_severity: 'low',
allow_licenses: []
}
return {
fail_on_severity,
allow_licenses: allow_licenses?.split(',').map(x => x.trim()),
deny_licenses: deny_licenses?.split(',').map(x => x.trim())
let data
try {
data = fs.readFileSync(path.resolve(filePath), 'utf-8')
} catch (error: any) {
if (error.code && error.code === 'ENOENT') {
return defaultOptions
} else {
throw error
}
}
const values = YAML.parse(data)
const parsed = ConfigurationOptionsSchema.parse(values)
return parsed
}
+4 -3
View File
@@ -1,4 +1,5 @@
import {Changes, Severity, SEVERITIES} from './schemas'
import {Changes} from './schemas'
import {Severity, SEVERITIES} from './schemas'
export function filterChangesBySeverity(
severity: Severity,
@@ -6,7 +7,7 @@ export function filterChangesBySeverity(
): Changes {
const severityIdx = SEVERITIES.indexOf(severity)
let filteredChanges = []
for (const change of changes) {
for (let change of changes) {
if (
change === undefined ||
change.vulnerabilities === undefined ||
@@ -15,7 +16,7 @@ export function filterChangesBySeverity(
continue
}
const fChange = {
let fChange = {
...change,
vulnerabilities: change.vulnerabilities.filter(vuln => {
const vulnIdx = SEVERITIES.indexOf(vuln.severity)
+134
View File
@@ -0,0 +1,134 @@
"use strict";
var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
return new (P || (P = Promise))(function (resolve, reject) {
function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
step((generator = generator.apply(thisArg, _arguments || [])).next());
});
};
var __generator = (this && this.__generator) || function (thisArg, body) {
var _ = { label: 0, sent: function() { if (t[0] & 1) throw t[1]; return t[1]; }, trys: [], ops: [] }, f, y, t, g;
return g = { next: verb(0), "throw": verb(1), "return": verb(2) }, typeof Symbol === "function" && (g[Symbol.iterator] = function() { return this; }), g;
function verb(n) { return function (v) { return step([n, v]); }; }
function step(op) {
if (f) throw new TypeError("Generator is already executing.");
while (_) try {
if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;
if (y = 0, t) op = [op[0] & 2, t.value];
switch (op[0]) {
case 0: case 1: t = op; break;
case 4: _.label++; return { value: op[1], done: false };
case 5: _.label++; y = op[1]; op = [0]; continue;
case 7: op = _.ops.pop(); _.trys.pop(); continue;
default:
if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) { _ = 0; continue; }
if (op[0] === 3 && (!t || (op[1] > t[0] && op[1] < t[3]))) { _.label = op[1]; break; }
if (op[0] === 6 && _.label < t[1]) { _.label = t[1]; t = op; break; }
if (t && _.label < t[2]) { _.label = t[2]; _.ops.push(op); break; }
if (t[2]) _.ops.pop();
_.trys.pop(); continue;
}
op = body.call(thisArg, _);
} catch (e) { op = [6, e]; y = 0; } finally { f = t = 0; }
if (op[0] & 5) throw op[1]; return { value: op[0] ? op[1] : void 0, done: true };
}
};
exports.__esModule = true;
exports.parseGitHubUrl = exports.getApiClient = exports.getPlatform = exports.GITHUB_DOTCOM_URL = exports.Platform = void 0;
// Tons of code lifted from https://github.com/github/codeql-action!
var path = require("path");
var core = require("@actions/core");
var githubUtils = require("@actions/github/lib/utils");
var retry = require("@octokit/plugin-retry");
var Platform;
(function (Platform) {
Platform[Platform["DOTCOM"] = 0] = "DOTCOM";
Platform[Platform["GHES"] = 1] = "GHES";
Platform[Platform["GHAE"] = 2] = "GHAE";
})(Platform = exports.Platform || (exports.Platform = {}));
exports.GITHUB_DOTCOM_URL = 'https://github.com';
var GITHUB_ENTERPRISE_VERSION_HEADER = 'x-github-enterprise-version';
function getPlatform(url) {
return __awaiter(this, void 0, void 0, function () {
var apiClient, response;
return __generator(this, function (_a) {
switch (_a.label) {
case 0:
// We can avoid making an API request in the standard dotcom case
if (parseGitHubUrl(url) === exports.GITHUB_DOTCOM_URL) {
return [2 /*return*/, Platform.DOTCOM];
}
apiClient = (0, exports.getApiClient)(url);
return [4 /*yield*/, apiClient.rest.meta.get()];
case 1:
response = _a.sent();
if (response.headers[GITHUB_ENTERPRISE_VERSION_HEADER] === 'GitHub AE') {
return [2 /*return*/, Platform.GHAE];
}
return [2 /*return*/, Platform.GHES];
}
});
});
}
exports.getPlatform = getPlatform;
var getApiClient = function (url) {
var auth = core.getInput('repo-token', { required: true });
var retryingOctokit = githubUtils.GitHub.plugin(retry.retry);
return new retryingOctokit(githubUtils.getOctokitOptions(auth, {
baseUrl: getApiUrl(url)
}));
};
exports.getApiClient = getApiClient;
function getApiUrl(githubUrl) {
var url = new URL(githubUrl);
// If we detect this is trying to connect to github.com
// then return with a fixed canonical URL.
if (url.hostname === 'github.com' || url.hostname === 'api.github.com') {
return 'https://api.github.com';
}
// Add the /api/v3 API prefix
url.pathname = path.join(url.pathname, 'api', 'v3');
return url.toString();
}
/**
* Parses user input of a github.com or GHES URL to a canonical form.
* Removes any API prefix or suffix if one is present.
*/
function parseGitHubUrl(inputUrl) {
var originalUrl = inputUrl;
if (inputUrl.indexOf('://') === -1) {
inputUrl = "https://".concat(inputUrl);
}
if (!inputUrl.startsWith('http://') && !inputUrl.startsWith('https://')) {
throw new Error("\"".concat(originalUrl, "\" is not a http or https URL"));
}
var url;
try {
url = new URL(inputUrl);
}
catch (e) {
throw new Error("\"".concat(originalUrl, "\" is not a valid URL"));
}
// If we detect this is trying to be to github.com
// then return with a fixed canonical URL.
if (url.hostname === 'github.com' || url.hostname === 'api.github.com') {
return exports.GITHUB_DOTCOM_URL;
}
// Remove the API prefix if it's present
if (url.pathname.indexOf('/api/v3') !== -1) {
url.pathname = url.pathname.substring(0, url.pathname.indexOf('/api/v3'));
}
// Also consider subdomain isolation on GHES
if (url.hostname.startsWith('api.')) {
url.hostname = url.hostname.substring(4);
}
// Normalise path to having a trailing slash for consistency
if (!url.pathname.endsWith('/')) {
url.pathname = "".concat(url.pathname, "/");
}
return url.toString();
}
exports.parseGitHubUrl = parseGitHubUrl;
getPlatform(exports.GITHUB_DOTCOM_URL);
-49
View File
@@ -1,49 +0,0 @@
import {Change} from './schemas'
/**
* Loops through a list of changes, filtering and returning the
* ones that don't conform to the licenses allow/deny lists.
*
* Keep in mind that we don't let users specify both an allow and a deny
* list in their config files, so this code works under the assumption that
* one of the two list parameters will be empty. If both lists are provided,
* we will ignore the deny list.
* @param {Change[]} changes The list of changes to filter.
* @param { { allow?: string[], deny?: string[]}} licenses An object with `allow`/`deny` keys, each containing a list of licenses.
* @returns {[Array<Change>, Array<Change]} A tuple where the first element is the list of denied changes and the second one is the list of changes with unknown licenses
*/
export function getDeniedLicenseChanges(
changes: Change[],
licenses: {
allow?: string[]
deny?: string[]
}
): [Change[], Change[]] {
const {allow, deny} = licenses
const disallowed: Change[] = []
const unknown: Change[] = []
for (const change of changes) {
if (change.change_type === 'removed') {
continue
}
const license = change.license
if (license === null) {
unknown.push(change)
continue
}
if (allow !== undefined) {
if (!allow.includes(license)) {
disallowed.push(change)
}
} else if (deny !== undefined) {
if (deny.includes(license)) {
disallowed.push(change)
}
}
}
return [disallowed, unknown]
}
+7 -51
View File
@@ -4,9 +4,8 @@ import * as github from '@actions/github'
import styles from 'ansi-styles'
import {RequestError} from '@octokit/request-error'
import {Change, PullRequestSchema, Severity} from './schemas'
import {readConfig} from '../src/config'
import {readConfigFile} from '../src/config'
import {filterChangesBySeverity} from '../src/filter'
import {getDeniedLicenseChanges} from './licenses'
async function run(): Promise<void> {
try {
@@ -27,16 +26,11 @@ async function run(): Promise<void> {
headRef: pull_request.head.sha
})
const config = readConfig()
const minSeverity = config.fail_on_severity
let config = readConfigFile()
let minSeverity = config.fail_on_severity
let failed = false
const licenses = {
allow: config.allow_licenses,
deny: config.deny_licenses
}
const filteredChanges = filterChangesBySeverity(
let filteredChanges = filterChangesBySeverity(
minSeverity as Severity,
changes
)
@@ -52,23 +46,11 @@ async function run(): Promise<void> {
}
}
const [licenseErrors, unknownLicenses] = getDeniedLicenseChanges(
changes,
licenses
)
if (licenseErrors.length > 0) {
printLicensesError(licenseErrors)
core.setFailed('Dependency review detected incompatible licenses.')
}
printNullLicenses(unknownLicenses)
if (failed) {
core.setFailed('Dependency review detected vulnerable packages.')
throw new Error('Dependency review detected vulnerable packages.')
} else {
core.info(
`Dependency review did not detect any vulnerable packages with severity level "${minSeverity}" or higher.`
`Dependency review did not detect any vulnerable packages with severity level "${minSeverity}" or above.`
)
}
} catch (error) {
@@ -90,7 +72,7 @@ async function run(): Promise<void> {
}
}
function printChangeVulnerabilities(change: Change): void {
function printChangeVulnerabilities(change: Change) {
for (const vuln of change.vulnerabilities) {
core.info(
`${styles.bold.open}${change.manifest} » ${change.name}@${
@@ -117,30 +99,4 @@ function renderSeverity(
return `${styles.color[color].open}(${severity} severity)${styles.color[color].close}`
}
function printLicensesError(changes: Change[]): void {
if (changes.length === 0) {
return
}
core.info('\nThe following dependencies have incompatible licenses:\n')
for (const change of changes) {
core.info(
`${styles.bold.open}${change.manifest} » ${change.name}@${change.version}${styles.bold.close} License: ${styles.color.red.open}${change.license}${styles.color.red.close}`
)
}
}
function printNullLicenses(changes: Change[]): void {
if (changes.length === 0) {
return
}
core.info('\nWe could not detect a license for the following dependencies:\n')
for (const change of changes) {
core.info(
`${styles.bold.open}${change.manifest} » ${change.name}@${change.version}${styles.bold.close}`
)
}
}
run()
+1 -1
View File
@@ -39,7 +39,7 @@ export const ConfigurationOptionsSchema = z
.partial()
.refine(
obj => !(obj.allow_licenses && obj.deny_licenses),
'Your workflow file has both an allow_licenses list and deny_licenses list, but you can only set one or the other.'
"Can't specify both allow_licenses and deny_licenses"
)
export const ChangesSchema = z.array(ChangeSchema)