Compare commits

..

1 Commits

Author SHA1 Message Date
Federico Builes 651d22c5d5 Revert default values in action.yml to fix external configs. 2024-03-22 08:29:26 +01:00
7 changed files with 18 additions and 51 deletions
-21
View File
@@ -22,19 +22,6 @@ const npmChange: Change = {
]
}
const actionsChange: Change = {
manifest: 'workflow.yml',
change_type: 'added',
ecosystem: 'actions',
name: 'actions/checkout/',
version: 'v3',
package_url: 'pkg:githubactions/actions@v3',
license: 'MIT',
source_repository_url: 'null',
scope: 'runtime',
vulnerabilities: []
}
test('Get scorecard from API', async () => {
const changes: Changes = [npmChange]
const scorecard = await getScorecardLevels(changes)
@@ -51,11 +38,3 @@ test('Get project URL from deps.dev API', async () => {
)
expect(result).not.toBeNull()
})
test('Handles Actions special case', async () => {
const changes: Changes = [actionsChange]
const result = await getScorecardLevels(changes)
expect(result).not.toBeNull()
expect(result.dependencies).toHaveLength(1)
expect(result.dependencies[0].scorecard?.score).toBeGreaterThan(0)
})
+10 -7
View File
@@ -1,5 +1,13 @@
# Avoid using default values for options here since they will
# end up overriding external configurations.
# IMPORTANT
#
# Avoid setting default values for configuration options in
# this file, they will overwrite external configurations.
#
# If you are trying to find out the default value for a config
# option please take a look at the README or src/schemas.ts.
#
# If you are adding an option, make sure the Zod definition
# contains a default value.
name: 'Dependency Review'
description: 'Prevent the introduction of dependencies with known vulnerabilities'
author: 'GitHub'
@@ -56,23 +64,18 @@ inputs:
retry-on-snapshot-warnings:
description: Whether to retry on snapshot warnings
required: false
default: false
retry-on-snapshot-warnings-timeout:
description: Number of seconds to wait before stopping snapshot retries.
required: false
default: 120
warn-only:
description: When set to `true` this action will always complete with success, overriding the `fail-on-severity` parameter.
required: false
default: false
show-openssf-scorecard:
description: Show a summary of the OpenSSF Scorecard scores.
required: false
default: true
warn-on-openssf-scorecard-level:
description: Numeric threshold for the OpenSSF Scorecard score. If the score is below this threshold, the action will warn you.
required: false
default: 3
outputs:
comment-content:
description: Prepared dependency report comment
Generated Vendored
+2 -9
View File
@@ -1043,15 +1043,8 @@ function getScorecardLevels(changes) {
if (repositoryUrl === null || repositoryUrl === void 0 ? void 0 : repositoryUrl.startsWith('https://')) {
repositoryUrl = repositoryUrl.replace('https://', '');
}
// Handle the special case for GitHub Actions, where the repository URL is null
if (ecosystem === 'actions') {
// The package name for GitHub Actions in the API is in the format `owner/repo/`, so we can use that to get the repository URL
// If the package name has more than 2 slashes, it's referencing a sub-action, and we need to strip the last part out
const parts = packageName.split('/');
repositoryUrl = `github.com/${parts[0]}/${parts[1]}`; // e.g. github.com/actions/checkout
}
// If GitHub API doesn't have the repository URL, query deps.dev for it.
if (!repositoryUrl) {
if (repositoryUrl) {
// Call the deps.dev API to get the repository URL from there
repositoryUrl = yield getProjectUrl(ecosystem, packageName, version);
}
@@ -1076,7 +1069,7 @@ function getScorecardLevels(changes) {
exports.getScorecardLevels = getScorecardLevels;
function getScorecard(repositoryUrl) {
return __awaiter(this, void 0, void 0, function* () {
const apiRoot = 'https://api.securityscorecards.dev';
const apiRoot = 'https://api.securityscorecards.dev/';
let scorecardResponse = {};
const url = `${apiRoot}/projects/${repositoryUrl}`;
const response = yield fetch(url);
Generated Vendored
+1 -1
View File
File diff suppressed because one or more lines are too long
+2 -2
View File
@@ -1,12 +1,12 @@
{
"name": "dependency-review-action",
"version": "4.2.4",
"version": "4.2.3",
"lockfileVersion": 3,
"requires": true,
"packages": {
"": {
"name": "dependency-review-action",
"version": "4.2.4",
"version": "4.2.3",
"license": "MIT",
"dependencies": {
"@actions/core": "^1.10.1",
+1 -1
View File
@@ -1,6 +1,6 @@
{
"name": "dependency-review-action",
"version": "4.2.4",
"version": "4.2.3",
"private": true,
"description": "A GitHub Action for Dependency Review",
"main": "lib/main.js",
+2 -10
View File
@@ -17,16 +17,8 @@ export async function getScorecardLevels(
repositoryUrl = repositoryUrl.replace('https://', '')
}
// Handle the special case for GitHub Actions, where the repository URL is null
if (ecosystem === 'actions') {
// The package name for GitHub Actions in the API is in the format `owner/repo/`, so we can use that to get the repository URL
// If the package name has more than 2 slashes, it's referencing a sub-action, and we need to strip the last part out
const parts = packageName.split('/')
repositoryUrl = `github.com/${parts[0]}/${parts[1]}` // e.g. github.com/actions/checkout
}
// If GitHub API doesn't have the repository URL, query deps.dev for it.
if (!repositoryUrl) {
if (repositoryUrl) {
// Call the deps.dev API to get the repository URL from there
repositoryUrl = await getProjectUrl(ecosystem, packageName, version)
}
@@ -49,7 +41,7 @@ export async function getScorecardLevels(
}
async function getScorecard(repositoryUrl: string): Promise<ScorecardApi> {
const apiRoot = 'https://api.securityscorecards.dev'
const apiRoot = 'https://api.securityscorecards.dev/'
let scorecardResponse: ScorecardApi = {} as ScorecardApi
const url = `${apiRoot}/projects/${repositoryUrl}`