Compare commits
1 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 651d22c5d5 |
@@ -22,19 +22,6 @@ const npmChange: Change = {
|
||||
]
|
||||
}
|
||||
|
||||
const actionsChange: Change = {
|
||||
manifest: 'workflow.yml',
|
||||
change_type: 'added',
|
||||
ecosystem: 'actions',
|
||||
name: 'actions/checkout/',
|
||||
version: 'v3',
|
||||
package_url: 'pkg:githubactions/actions@v3',
|
||||
license: 'MIT',
|
||||
source_repository_url: 'null',
|
||||
scope: 'runtime',
|
||||
vulnerabilities: []
|
||||
}
|
||||
|
||||
test('Get scorecard from API', async () => {
|
||||
const changes: Changes = [npmChange]
|
||||
const scorecard = await getScorecardLevels(changes)
|
||||
@@ -51,11 +38,3 @@ test('Get project URL from deps.dev API', async () => {
|
||||
)
|
||||
expect(result).not.toBeNull()
|
||||
})
|
||||
|
||||
test('Handles Actions special case', async () => {
|
||||
const changes: Changes = [actionsChange]
|
||||
const result = await getScorecardLevels(changes)
|
||||
expect(result).not.toBeNull()
|
||||
expect(result.dependencies).toHaveLength(1)
|
||||
expect(result.dependencies[0].scorecard?.score).toBeGreaterThan(0)
|
||||
})
|
||||
|
||||
+10
-7
@@ -1,5 +1,13 @@
|
||||
# Avoid using default values for options here since they will
|
||||
# end up overriding external configurations.
|
||||
# IMPORTANT
|
||||
#
|
||||
# Avoid setting default values for configuration options in
|
||||
# this file, they will overwrite external configurations.
|
||||
#
|
||||
# If you are trying to find out the default value for a config
|
||||
# option please take a look at the README or src/schemas.ts.
|
||||
#
|
||||
# If you are adding an option, make sure the Zod definition
|
||||
# contains a default value.
|
||||
name: 'Dependency Review'
|
||||
description: 'Prevent the introduction of dependencies with known vulnerabilities'
|
||||
author: 'GitHub'
|
||||
@@ -56,23 +64,18 @@ inputs:
|
||||
retry-on-snapshot-warnings:
|
||||
description: Whether to retry on snapshot warnings
|
||||
required: false
|
||||
default: false
|
||||
retry-on-snapshot-warnings-timeout:
|
||||
description: Number of seconds to wait before stopping snapshot retries.
|
||||
required: false
|
||||
default: 120
|
||||
warn-only:
|
||||
description: When set to `true` this action will always complete with success, overriding the `fail-on-severity` parameter.
|
||||
required: false
|
||||
default: false
|
||||
show-openssf-scorecard:
|
||||
description: Show a summary of the OpenSSF Scorecard scores.
|
||||
required: false
|
||||
default: true
|
||||
warn-on-openssf-scorecard-level:
|
||||
description: Numeric threshold for the OpenSSF Scorecard score. If the score is below this threshold, the action will warn you.
|
||||
required: false
|
||||
default: 3
|
||||
outputs:
|
||||
comment-content:
|
||||
description: Prepared dependency report comment
|
||||
|
||||
+2
-9
@@ -1043,15 +1043,8 @@ function getScorecardLevels(changes) {
|
||||
if (repositoryUrl === null || repositoryUrl === void 0 ? void 0 : repositoryUrl.startsWith('https://')) {
|
||||
repositoryUrl = repositoryUrl.replace('https://', '');
|
||||
}
|
||||
// Handle the special case for GitHub Actions, where the repository URL is null
|
||||
if (ecosystem === 'actions') {
|
||||
// The package name for GitHub Actions in the API is in the format `owner/repo/`, so we can use that to get the repository URL
|
||||
// If the package name has more than 2 slashes, it's referencing a sub-action, and we need to strip the last part out
|
||||
const parts = packageName.split('/');
|
||||
repositoryUrl = `github.com/${parts[0]}/${parts[1]}`; // e.g. github.com/actions/checkout
|
||||
}
|
||||
// If GitHub API doesn't have the repository URL, query deps.dev for it.
|
||||
if (!repositoryUrl) {
|
||||
if (repositoryUrl) {
|
||||
// Call the deps.dev API to get the repository URL from there
|
||||
repositoryUrl = yield getProjectUrl(ecosystem, packageName, version);
|
||||
}
|
||||
@@ -1076,7 +1069,7 @@ function getScorecardLevels(changes) {
|
||||
exports.getScorecardLevels = getScorecardLevels;
|
||||
function getScorecard(repositoryUrl) {
|
||||
return __awaiter(this, void 0, void 0, function* () {
|
||||
const apiRoot = 'https://api.securityscorecards.dev';
|
||||
const apiRoot = 'https://api.securityscorecards.dev/';
|
||||
let scorecardResponse = {};
|
||||
const url = `${apiRoot}/projects/${repositoryUrl}`;
|
||||
const response = yield fetch(url);
|
||||
|
||||
+1
-1
File diff suppressed because one or more lines are too long
Generated
+2
-2
@@ -1,12 +1,12 @@
|
||||
{
|
||||
"name": "dependency-review-action",
|
||||
"version": "4.2.4",
|
||||
"version": "4.2.3",
|
||||
"lockfileVersion": 3,
|
||||
"requires": true,
|
||||
"packages": {
|
||||
"": {
|
||||
"name": "dependency-review-action",
|
||||
"version": "4.2.4",
|
||||
"version": "4.2.3",
|
||||
"license": "MIT",
|
||||
"dependencies": {
|
||||
"@actions/core": "^1.10.1",
|
||||
|
||||
+1
-1
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"name": "dependency-review-action",
|
||||
"version": "4.2.4",
|
||||
"version": "4.2.3",
|
||||
"private": true,
|
||||
"description": "A GitHub Action for Dependency Review",
|
||||
"main": "lib/main.js",
|
||||
|
||||
+2
-10
@@ -17,16 +17,8 @@ export async function getScorecardLevels(
|
||||
repositoryUrl = repositoryUrl.replace('https://', '')
|
||||
}
|
||||
|
||||
// Handle the special case for GitHub Actions, where the repository URL is null
|
||||
if (ecosystem === 'actions') {
|
||||
// The package name for GitHub Actions in the API is in the format `owner/repo/`, so we can use that to get the repository URL
|
||||
// If the package name has more than 2 slashes, it's referencing a sub-action, and we need to strip the last part out
|
||||
const parts = packageName.split('/')
|
||||
repositoryUrl = `github.com/${parts[0]}/${parts[1]}` // e.g. github.com/actions/checkout
|
||||
}
|
||||
|
||||
// If GitHub API doesn't have the repository URL, query deps.dev for it.
|
||||
if (!repositoryUrl) {
|
||||
if (repositoryUrl) {
|
||||
// Call the deps.dev API to get the repository URL from there
|
||||
repositoryUrl = await getProjectUrl(ecosystem, packageName, version)
|
||||
}
|
||||
@@ -49,7 +41,7 @@ export async function getScorecardLevels(
|
||||
}
|
||||
|
||||
async function getScorecard(repositoryUrl: string): Promise<ScorecardApi> {
|
||||
const apiRoot = 'https://api.securityscorecards.dev'
|
||||
const apiRoot = 'https://api.securityscorecards.dev/'
|
||||
let scorecardResponse: ScorecardApi = {} as ScorecardApi
|
||||
|
||||
const url = `${apiRoot}/projects/${repositoryUrl}`
|
||||
|
||||
Reference in New Issue
Block a user