Compare commits
115 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| ce3cf9537a | |||
| 479b69732e | |||
| aee95908ea | |||
| 080ada6281 | |||
| 430e5f0bbf | |||
| 51699b6461 | |||
| ac9b193beb | |||
| d630451aa0 | |||
| c8dafca32b | |||
| bc858b5649 | |||
| cd1541ea8d | |||
| 7bce095f93 | |||
| 195b0c2e88 | |||
| cdee0bc8c3 | |||
| 0e562a634b | |||
| 3d00aed36d | |||
| 2c5ec1eea8 | |||
| bf0431a342 | |||
| c26b132baa | |||
| 3ffdd4d73e | |||
| ea2cae5127 | |||
| dfe560420d | |||
| e4033dcc29 | |||
| 92129e58e4 | |||
| bf9bc3f2a6 | |||
| d703cf58c3 | |||
| c80eb9894b | |||
| 5e7a6ffc7d | |||
| c665328b35 | |||
| 5370d75f36 | |||
| 7f3cd87ec0 | |||
| 67ca5cc413 | |||
| 8992b0e1c7 | |||
| 5e9a56c6de | |||
| 9cd1f01f7f | |||
| a0be92bfc2 | |||
| 6ec8e13b9a | |||
| c9bb42fdbf | |||
| b109bc8c95 | |||
| 5f24a51147 | |||
| ef281d4e24 | |||
| 67fc6dd646 | |||
| 2caab057ed | |||
| 3b139cfc5f | |||
| d6807b6643 | |||
| c89b41fdc6 | |||
| eee97d8b03 | |||
| 9d101822a3 | |||
| 9192be9c72 | |||
| 2fc8e23b12 | |||
| fb86db2043 | |||
| 0a198ab3ed | |||
| fc499fc13a | |||
| b02ea3a88b | |||
| 612e96e757 | |||
| 0adc9b8215 | |||
| 591cbf9044 | |||
| c0a5e20c51 | |||
| c82883d789 | |||
| 4081bf99e2 | |||
| 03e585eea7 | |||
| 08b4117924 | |||
| 9c3441f7ee | |||
| 304a544dca | |||
| e99353b1e1 | |||
| d8ae44e2a0 | |||
| a6993e2c61 | |||
| d92f08b3ff | |||
| 3e334b7ca7 | |||
| 32b7d886d5 | |||
| 14b94f8fbc | |||
| 6ea3b24563 | |||
| 05042db2b6 | |||
| 6aacbe0934 | |||
| 293ccdb6e9 | |||
| 83c7cc6aa7 | |||
| b3559aa82e | |||
| 8179e6abd6 | |||
| ac1d2d7d35 | |||
| fe833075f3 | |||
| 526b7f2f9b | |||
| e5cb30f678 | |||
| 90820aba8c | |||
| 7367319600 | |||
| affc3a4f15 | |||
| 07d3c7257a | |||
| a2dda6f539 | |||
| 45dc50cabe | |||
| 5a2ce3f5b9 | |||
| ac6a6adece | |||
| 3e2b91798f | |||
| d9ab9c8c45 | |||
| 8c152c7a0f | |||
| 0085d30a6f | |||
| 08b5bf2921 | |||
| 986fce9040 | |||
| 28743f8570 | |||
| d6f34c3a26 | |||
| 465867cec8 | |||
| b4ae47ca2c | |||
| d85edeb45d | |||
| f60d59372e | |||
| ed624dba72 | |||
| bbed6f340a | |||
| 2e4eaa490e | |||
| ecd706f525 | |||
| bc5b235cf6 | |||
| 154c1500f3 | |||
| 2115d9eeea | |||
| df5d74f5d3 | |||
| 1e5b2e69a2 | |||
| e69288dbec | |||
| 8285e75fb2 | |||
| 2224c7c05a | |||
| c0630c2a88 |
@@ -0,0 +1,7 @@
|
||||
## Purpose
|
||||
|
||||
_Describe the purpose of this pull request_
|
||||
|
||||
## Related Issues
|
||||
|
||||
_What issues does this PR close or relate to?_
|
||||
@@ -12,3 +12,8 @@ updates:
|
||||
ignore:
|
||||
- dependency-name: '@types/node'
|
||||
update-types: ['version-update:semver-major']
|
||||
groups:
|
||||
minor-updates:
|
||||
update-types:
|
||||
- "minor"
|
||||
- "patch"
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
name: 'Dependency Review'
|
||||
|
||||
on: [pull_request]
|
||||
|
||||
permissions:
|
||||
@@ -11,4 +12,4 @@ jobs:
|
||||
- name: 'Checkout Repository'
|
||||
uses: actions/checkout@v4
|
||||
- name: Dependency Review
|
||||
uses: actions/dependency-review-action@main
|
||||
uses: ./
|
||||
|
||||
@@ -12,12 +12,15 @@ jobs:
|
||||
stale:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/stale@v9.0.0
|
||||
- uses: actions/stale@v9.1.0
|
||||
name: Clean up stale PRs and Issues
|
||||
with:
|
||||
stale-pr-message: "👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the `Keep` label to hold stale off permanently, or do nothing. If you do nothing, this pull request will be closed eventually by the stale bot. Please see CONTRIBUTING.md for more policy details."
|
||||
stale-pr-message: "👋 This pull request has been marked as stale because it has been open with no activity for 180 days. You can: comment on the PR or remove the stale label to hold stalebot off for a while, add the `Keep` label to hold stale off permanently, or do nothing. If you do nothing, this pull request will be closed eventually by the stalebot. Please see CONTRIBUTING.md for more policy details."
|
||||
stale-pr-label: "Stale"
|
||||
close-pr-message: "👋 This pull request has been closed by stalebot because it has been open with no activity for over 180 days. Please see CONTRIBUTING.md for more policy details."
|
||||
stale-issue-label: "Stale"
|
||||
stale-issue-message: "👋 This issue has been marked as stale because it has been open with no activity for 180 days. You can: comment on the issue or remove the stale label to hold stalebot off for a while, add the `Keep` label to hold stale off permanently, or do nothing. If you do nothing, this issue will be closed eventually by the stalebot. Please see CONTRIBUTING.md for more policy details."
|
||||
close-issue-message: "👋 This issue has been closed by stalebot because it has been open with no activity for over 180 days. Please see CONTRIBUTING.md for more policy details."
|
||||
exempt-pr-labels: "Keep" # a "Keep" label will keep the PR from being closed as stale
|
||||
exempt-issue-labels: "Keep" # a "Keep" label will keep the issue from being closed as stale
|
||||
days-before-pr-stale: 180 # when the PR is considered stale
|
||||
|
||||
+4
-4
@@ -16,7 +16,7 @@ If you've encountered a problem, please let us know by [submitting an issue](htt
|
||||
|
||||
## Enhancements and feature requests
|
||||
|
||||
If you've got an idea for a new feature, please submit as [an issue](https://github.com/actions/dependency-review-action/issues/new) so that the community can see it, and we can discuss it there. We may not be able to respond to every single issue, but will make a best effort!
|
||||
If you've got an idea for a new feature or a significant change to the code or its dependencies, please submit as [an issue](https://github.com/actions/dependency-review-action/issues/new) so that the community can see it, and we can discuss it there. We may not be able to respond to every single issue, but will make a best effort!
|
||||
|
||||
If you'd like to make a contribution yourself, we ask that before significant effort is put into code changes, that we have agreement that the change aligns with our strategy for the action. Since this is a verified Action owned by GitHub we want to make sure that contributions are high quality, and that they maintain consistency with the rest of the action's behavior.
|
||||
|
||||
@@ -35,11 +35,11 @@ Ready to contribute to `dependency-review-action`? Here is some information to
|
||||
|
||||
This action makes an authenticated query to the [Dependency Review API](https://docs.github.com/en/rest/dependency-graph/dependency-review) endpoint (`GET /repos/{owner}/{repo}/dependency-graph/compare/{basehead}`) to find out the set of added and removed dependencies for each manifest.
|
||||
|
||||
The action then evaluates the differences between the pushes based on the the rules defined in the action configuration, and summarizes the differences and any violations of the rules you have defined as a comment in the pull request that triggered it and the action outputs.
|
||||
The action then evaluates the differences between the pushes based on the rules defined in the action configuration, and summarizes the differences and any violations of the rules you have defined as a comment in the pull request that triggered it and the action outputs.
|
||||
|
||||
### Local Development
|
||||
|
||||
Before you begin, you need to have [Node.js](https://nodejs.org/en/) installed, minimum version 18.
|
||||
Before you begin, you need to have [Node.js](https://nodejs.org/en/) installed, minimum version 20.
|
||||
|
||||
#### Bootstrapping the project
|
||||
|
||||
@@ -81,7 +81,7 @@ $ GITHUB_TOKEN=<token> ./scripts/scan_pr --config-file my_custom_config.yml <pr_
|
||||
npm run test
|
||||
```
|
||||
|
||||
_Note_: We don't a very comprehensive test suite, so any contributions to the existing tests are welcome!
|
||||
_Note_: We don't have a very comprehensive test suite, so any contributions to the existing tests are welcome!
|
||||
|
||||
### Submitting a pull request
|
||||
|
||||
|
||||
@@ -110,7 +110,7 @@ All configuration options are optional.
|
||||
| `vulnerability-check` | Enable or disable the vulnerability check performed by the action. | `true`, `false` | `true` |
|
||||
| `allow-dependencies-licenses`\* | Contains a list of packages that will be excluded from license checks. | Any package(s) in [purl](https://github.com/package-url/purl-spec) format | none |
|
||||
| `base-ref`/`head-ref` | Provide custom git references for the git base/head when performing the comparison check. This is only used for event types other than `pull_request` and `pull_request_target`. | Any valid git ref(s) in your project | none |
|
||||
| `comment-summary-in-pr` | Enable or disable reporting the review summary as a comment in the pull request. If enabled, you must give the workflow or job the `pull-requests: write` permission. | `always`, `on-failure`, `never` | `never` |
|
||||
| `comment-summary-in-pr` | Enable or disable reporting the review summary as a comment in the pull request. If enabled, you must give the workflow or job the `pull-requests: write` permission. With each execution, a new comment will overwrite the existing one. | `always`, `on-failure`, `never` | `never` |
|
||||
| `deny-packages` | Any number of packages to block in a PR. This option will match on the exact version provided. If no version is provided, the option will treat the specified package as a wildcard and deny all versions. | Package(s) in [purl](https://github.com/package-url/purl-spec) format | empty |
|
||||
| `deny-groups` | Any number of groups (namespaces) to block in a PR. | Namespace(s) in [purl](https://github.com/package-url/purl-spec) format (no package name, no version number) | empty |
|
||||
| `retry-on-snapshot-warnings`\* | Enable or disable retrying the action every 10 seconds while waiting for dependency submission actions to complete. | `true`, `false` | `false` |
|
||||
|
||||
+80
-16
@@ -1,13 +1,9 @@
|
||||
import {expect, test, beforeEach} from '@jest/globals'
|
||||
import {readConfig} from '../src/config'
|
||||
import {getRefs} from '../src/git-refs'
|
||||
import * as Utils from '../src/utils'
|
||||
import * as spdx from '../src/spdx'
|
||||
import {setInput, clearInputs} from './test-helpers'
|
||||
|
||||
beforeAll(() => {
|
||||
jest.spyOn(Utils, 'isSPDXValid').mockReturnValue(true)
|
||||
})
|
||||
|
||||
beforeEach(() => {
|
||||
clearInputs()
|
||||
})
|
||||
@@ -19,11 +15,11 @@ test('it defaults to low severity', async () => {
|
||||
|
||||
test('it reads custom configs', async () => {
|
||||
setInput('fail-on-severity', 'critical')
|
||||
setInput('allow-licenses', ' BSD, GPL 2')
|
||||
setInput('allow-licenses', 'ISC, GPL-2.0')
|
||||
|
||||
const config = await readConfig()
|
||||
expect(config.fail_on_severity).toEqual('critical')
|
||||
expect(config.allow_licenses).toEqual(['BSD', 'GPL 2'])
|
||||
expect(config.allow_licenses).toEqual(['ISC', 'GPL-2.0'])
|
||||
})
|
||||
|
||||
test('it defaults to false for warn-only', async () => {
|
||||
@@ -40,7 +36,7 @@ test('it defaults to empty allow/deny lists ', async () => {
|
||||
|
||||
test('it raises an error if both an allow and denylist are specified', async () => {
|
||||
setInput('allow-licenses', 'MIT')
|
||||
setInput('deny-licenses', 'BSD')
|
||||
setInput('deny-licenses', 'BSD-3-Clause')
|
||||
|
||||
await expect(readConfig()).rejects.toThrow(
|
||||
'You cannot specify both allow-licenses and deny-licenses'
|
||||
@@ -128,6 +124,78 @@ test('it raises an error when no refs are provided and the event is not a pull r
|
||||
).toThrow()
|
||||
})
|
||||
|
||||
const pullRequestLikeEvents = ['pull_request', 'pull_request_target']
|
||||
|
||||
test.each(pullRequestLikeEvents)(
|
||||
'it uses the given refs even when the event is %s',
|
||||
async eventName => {
|
||||
setInput('base-ref', 'a-custom-base-ref')
|
||||
setInput('head-ref', 'a-custom-head-ref')
|
||||
|
||||
const refs = getRefs(await readConfig(), {
|
||||
payload: {
|
||||
pull_request: {
|
||||
number: 42,
|
||||
base: {sha: 'pr-base-ref'},
|
||||
head: {sha: 'pr-head-ref'}
|
||||
}
|
||||
},
|
||||
eventName
|
||||
})
|
||||
expect(refs.base).toEqual('a-custom-base-ref')
|
||||
expect(refs.head).toEqual('a-custom-head-ref')
|
||||
}
|
||||
)
|
||||
|
||||
test.each(pullRequestLikeEvents)(
|
||||
'it uses the event refs when the event is %s and no refs are provided in config',
|
||||
async eventName => {
|
||||
const refs = getRefs(await readConfig(), {
|
||||
payload: {
|
||||
pull_request: {
|
||||
number: 42,
|
||||
base: {sha: 'pr-base-ref'},
|
||||
head: {sha: 'pr-head-ref'}
|
||||
}
|
||||
},
|
||||
eventName
|
||||
})
|
||||
expect(refs.base).toEqual('pr-base-ref')
|
||||
expect(refs.head).toEqual('pr-head-ref')
|
||||
}
|
||||
)
|
||||
|
||||
test('it uses the given refs even when the event is merge_group', async () => {
|
||||
setInput('base-ref', 'a-custom-base-ref')
|
||||
setInput('head-ref', 'a-custom-head-ref')
|
||||
|
||||
const refs = getRefs(await readConfig(), {
|
||||
payload: {
|
||||
merge_group: {
|
||||
base_sha: 'pr-base-ref',
|
||||
head_sha: 'pr-head-ref'
|
||||
}
|
||||
},
|
||||
eventName: 'merge_group'
|
||||
})
|
||||
expect(refs.base).toEqual('a-custom-base-ref')
|
||||
expect(refs.head).toEqual('a-custom-head-ref')
|
||||
})
|
||||
|
||||
test('it uses the event refs when the event is merge_group and no refs are provided in config', async () => {
|
||||
const refs = getRefs(await readConfig(), {
|
||||
payload: {
|
||||
merge_group: {
|
||||
base_sha: 'pr-base-ref',
|
||||
head_sha: 'pr-head-ref'
|
||||
}
|
||||
},
|
||||
eventName: 'merge_group'
|
||||
})
|
||||
expect(refs.base).toEqual('pr-base-ref')
|
||||
expect(refs.head).toEqual('pr-head-ref')
|
||||
})
|
||||
|
||||
test('it defaults to runtime scope', async () => {
|
||||
const config = await readConfig()
|
||||
expect(config.fail_on_scopes).toEqual(['runtime'])
|
||||
@@ -204,21 +272,17 @@ test('it is not possible to disable both checks', async () => {
|
||||
})
|
||||
|
||||
describe('licenses that are not valid SPDX licenses', () => {
|
||||
beforeAll(() => {
|
||||
jest.spyOn(Utils, 'isSPDXValid').mockReturnValue(false)
|
||||
})
|
||||
|
||||
test('it raises an error for invalid licenses in allow-licenses', async () => {
|
||||
setInput('allow-licenses', ' BSD, GPL 2')
|
||||
setInput('allow-licenses', ' BSD-YOLO, GPL-2.0')
|
||||
await expect(readConfig()).rejects.toThrow(
|
||||
'Invalid license(s) in allow-licenses: BSD,GPL 2'
|
||||
'Invalid license(s) in allow-licenses: BSD-YOLO'
|
||||
)
|
||||
})
|
||||
|
||||
test('it raises an error for invalid licenses in deny-licenses', async () => {
|
||||
setInput('deny-licenses', ' BSD, GPL 2')
|
||||
setInput('deny-licenses', ' GPL-2.0, BSD-YOLO, Apache-2.0, ToIll')
|
||||
await expect(readConfig()).rejects.toThrow(
|
||||
'Invalid license(s) in deny-licenses: BSD,GPL 2'
|
||||
'Invalid license(s) in deny-licenses: BSD-YOLO, ToIll'
|
||||
)
|
||||
})
|
||||
})
|
||||
|
||||
+59
-5
@@ -33,11 +33,6 @@ jest.mock('octokit', () => {
|
||||
|
||||
beforeEach(async () => {
|
||||
jest.resetModules()
|
||||
jest.doMock('spdx-satisfies', () => {
|
||||
// mock spdx-satisfies return value
|
||||
// true for BSD, false for all others
|
||||
return jest.fn((license: string, _: string): boolean => license === 'BSD')
|
||||
})
|
||||
|
||||
npmChange = createTestChange({ecosystem: 'npm'})
|
||||
rubyChange = createTestChange({ecosystem: 'rubygems'})
|
||||
@@ -139,3 +134,62 @@ test('allows packages not defined in the deny packages and groups list', async (
|
||||
|
||||
expect(deniedChanges.length).toEqual(0)
|
||||
})
|
||||
|
||||
test('deny packages does not prevent removal of denied packages', async () => {
|
||||
const changes: Changes = [
|
||||
createTestChange({
|
||||
change_type: 'added',
|
||||
name: 'deny-by-name-and-version',
|
||||
version: '1.0.0',
|
||||
ecosystem: 'npm'
|
||||
}),
|
||||
createTestChange({
|
||||
change_type: 'removed',
|
||||
name: 'pass-by-name-and-version',
|
||||
version: '1.0.0',
|
||||
ecosystem: 'npm'
|
||||
}),
|
||||
createTestChange({
|
||||
change_type: 'added',
|
||||
name: 'deny-by-name',
|
||||
version: '1.0.0',
|
||||
ecosystem: 'npm'
|
||||
}),
|
||||
createTestChange({
|
||||
change_type: 'removed',
|
||||
name: 'pass-by-name',
|
||||
version: '1.0.0',
|
||||
ecosystem: 'npm'
|
||||
}),
|
||||
createTestChange({
|
||||
change_type: 'added',
|
||||
package_url: 'pkg:npm/org.test.deny.by.namespace/only@1.0.0',
|
||||
ecosystem: 'npm'
|
||||
}),
|
||||
createTestChange({
|
||||
change_type: 'removed',
|
||||
package_url: 'pkg:npm/org.test.pass.by.namespace/only@1.0.0',
|
||||
ecosystem: 'npm'
|
||||
})
|
||||
]
|
||||
const deniedPackages = createTestPURLs([
|
||||
'pkg:npm/org.test.deny.by/deny-by-name-and-version@1.0.0',
|
||||
'pkg:npm/org.test.pass.by/pass-by-name-and-version@1.0.0',
|
||||
'pkg:npm/org.test.deny.by/deny-by-name',
|
||||
'pkg:npm/org.test.pass.by/pass-by-name'
|
||||
])
|
||||
const deniedGroups = createTestPURLs([
|
||||
'pkg:npm/org.test.deny.by.namespace/',
|
||||
'pkg:npm/org.test.pass.by.namespace/'
|
||||
])
|
||||
const deniedChanges = await getDeniedChanges(
|
||||
changes,
|
||||
deniedPackages,
|
||||
deniedGroups
|
||||
)
|
||||
|
||||
expect(deniedChanges.length).toEqual(3)
|
||||
expect(deniedChanges[0]).toBe(changes[0])
|
||||
expect(deniedChanges[1]).toBe(changes[2])
|
||||
expect(deniedChanges[2]).toBe(changes[4])
|
||||
})
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
import {expect, test, beforeEach} from '@jest/globals'
|
||||
import {readConfig} from '../src/config'
|
||||
import * as Utils from '../src/utils'
|
||||
import * as spdx from '../src/spdx'
|
||||
import {setInput, clearInputs} from './test-helpers'
|
||||
|
||||
const externalConfig = `fail_on_severity: 'high'
|
||||
@@ -25,10 +25,6 @@ jest.mock('octokit', () => {
|
||||
}
|
||||
})
|
||||
|
||||
beforeAll(() => {
|
||||
jest.spyOn(Utils, 'isSPDXValid').mockReturnValue(true)
|
||||
})
|
||||
|
||||
beforeEach(() => {
|
||||
clearInputs()
|
||||
})
|
||||
@@ -38,7 +34,7 @@ test('it reads an external config file', async () => {
|
||||
|
||||
const config = await readConfig()
|
||||
expect(config.fail_on_severity).toEqual('critical')
|
||||
expect(config.allow_licenses).toEqual(['BSD', 'GPL 2'])
|
||||
expect(config.allow_licenses).toEqual(['BSD-3-Clause', 'GPL-2.0'])
|
||||
})
|
||||
|
||||
test('raises an error when the config file was not found', async () => {
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
fail_on_severity: critical
|
||||
allow_licenses:
|
||||
- 'BSD'
|
||||
- 'GPL 2'
|
||||
- 'BSD-3-Clause'
|
||||
- 'GPL-2.0'
|
||||
|
||||
+29
-30
@@ -1,7 +1,6 @@
|
||||
import {expect, jest, test} from '@jest/globals'
|
||||
import {Change, Changes} from '../src/schemas'
|
||||
|
||||
let getInvalidLicenseChanges: Function
|
||||
import {getInvalidLicenseChanges} from '../src/licenses'
|
||||
|
||||
const npmChange: Change = {
|
||||
manifest: 'package.json',
|
||||
@@ -30,7 +29,7 @@ const rubyChange: Change = {
|
||||
name: 'actionsomething',
|
||||
version: '3.2.0',
|
||||
package_url: 'pkg:gem/actionsomething@3.2.0',
|
||||
license: 'BSD',
|
||||
license: 'BSD-3-Clause',
|
||||
source_repository_url: 'github.com/some-repo',
|
||||
scope: 'runtime',
|
||||
vulnerabilities: [
|
||||
@@ -100,29 +99,32 @@ jest.mock('octokit', () => {
|
||||
|
||||
beforeEach(async () => {
|
||||
jest.resetModules()
|
||||
jest.doMock('spdx-satisfies', () => {
|
||||
// mock spdx-satisfies return value
|
||||
// true for BSD, false for all others
|
||||
return jest.fn((license: string, _: string): boolean => license === 'BSD')
|
||||
})
|
||||
// eslint-disable-next-line @typescript-eslint/no-require-imports
|
||||
;({getInvalidLicenseChanges} = require('../src/licenses'))
|
||||
})
|
||||
|
||||
test('it adds license outside the allow list to forbidden changes', async () => {
|
||||
const changes: Changes = [npmChange, rubyChange]
|
||||
const changes: Changes = [
|
||||
npmChange, // MIT license
|
||||
rubyChange // BSD license
|
||||
]
|
||||
|
||||
const {forbidden} = await getInvalidLicenseChanges(changes, {
|
||||
allow: ['BSD']
|
||||
allow: ['BSD-3-Clause']
|
||||
})
|
||||
|
||||
expect(forbidden[0]).toBe(npmChange)
|
||||
expect(forbidden.length).toEqual(1)
|
||||
})
|
||||
|
||||
test('it adds license inside the deny list to forbidden changes', async () => {
|
||||
const changes: Changes = [npmChange, rubyChange]
|
||||
const changes: Changes = [
|
||||
npmChange, // MIT license
|
||||
rubyChange // BSD license
|
||||
]
|
||||
|
||||
const {forbidden} = await getInvalidLicenseChanges(changes, {
|
||||
deny: ['BSD']
|
||||
deny: ['BSD-3-Clause']
|
||||
})
|
||||
|
||||
expect(forbidden[0]).toBe(rubyChange)
|
||||
expect(forbidden.length).toEqual(1)
|
||||
})
|
||||
@@ -133,7 +135,7 @@ test('it does not add license outside the allow list to forbidden changes if it
|
||||
{...rubyChange, change_type: 'removed'}
|
||||
]
|
||||
const {forbidden} = await getInvalidLicenseChanges(changes, {
|
||||
allow: ['BSD']
|
||||
allow: ['BSD-3-Clause']
|
||||
})
|
||||
expect(forbidden).toStrictEqual([])
|
||||
})
|
||||
@@ -144,7 +146,7 @@ test('it does not add license inside the deny list to forbidden changes if it is
|
||||
{...rubyChange, change_type: 'removed'}
|
||||
]
|
||||
const {forbidden} = await getInvalidLicenseChanges(changes, {
|
||||
deny: ['BSD']
|
||||
deny: ['BSD-3-Clause']
|
||||
})
|
||||
expect(forbidden).toStrictEqual([])
|
||||
})
|
||||
@@ -156,23 +158,18 @@ test('it adds license outside the allow list to forbidden changes if it is in bo
|
||||
{...rubyChange, change_type: 'removed'}
|
||||
]
|
||||
const {forbidden} = await getInvalidLicenseChanges(changes, {
|
||||
allow: ['BSD']
|
||||
allow: ['BSD-3-Clause']
|
||||
})
|
||||
expect(forbidden).toStrictEqual([npmChange])
|
||||
})
|
||||
|
||||
test('it adds all licenses to unresolved if it is unable to determine the validity', async () => {
|
||||
jest.resetModules() // reset module set in before
|
||||
jest.doMock('spdx-satisfies', () => {
|
||||
return jest.fn((_first: string, _second: string) => {
|
||||
throw new Error('Some Error')
|
||||
})
|
||||
})
|
||||
// eslint-disable-next-line @typescript-eslint/no-require-imports
|
||||
;({getInvalidLicenseChanges} = require('../src/licenses'))
|
||||
const changes: Changes = [npmChange, rubyChange]
|
||||
const changes: Changes = [
|
||||
{...npmChange, license: 'Foo'},
|
||||
{...rubyChange, license: 'Bar'}
|
||||
]
|
||||
const invalidLicenses = await getInvalidLicenseChanges(changes, {
|
||||
allow: ['BSD']
|
||||
allow: ['Apache-2.0']
|
||||
})
|
||||
expect(invalidLicenses.forbidden.length).toEqual(0)
|
||||
expect(invalidLicenses.unlicensed.length).toEqual(0)
|
||||
@@ -182,7 +179,7 @@ test('it adds all licenses to unresolved if it is unable to determine the validi
|
||||
test('it does not filter out changes that are on the exclusions list', async () => {
|
||||
const changes: Changes = [pipChange, npmChange, rubyChange]
|
||||
const licensesConfig = {
|
||||
allow: ['BSD'],
|
||||
allow: ['BSD-3-Clause'],
|
||||
licenseExclusions: ['pkg:pypi/package-1@1.1.1', 'pkg:npm/reeuhq@1.0.2']
|
||||
}
|
||||
const invalidLicenses = await getInvalidLicenseChanges(
|
||||
@@ -198,7 +195,7 @@ test('it does not fail when the packages dont have a valid PURL', async () => {
|
||||
|
||||
const changes: Changes = [emptyPurlChange, npmChange, rubyChange]
|
||||
const licensesConfig = {
|
||||
allow: ['BSD'],
|
||||
allow: ['BSD-3-Clause'],
|
||||
licenseExclusions: ['pkg:pypi/package-1@1.1.1', 'pkg:npm/reeuhq@1.0.2']
|
||||
}
|
||||
|
||||
@@ -212,16 +209,18 @@ test('it does not fail when the packages dont have a valid PURL', async () => {
|
||||
test('it does filters out changes if they are not on the exclusions list', async () => {
|
||||
const changes: Changes = [pipChange, npmChange, rubyChange]
|
||||
const licensesConfig = {
|
||||
allow: ['BSD'],
|
||||
allow: ['BSD-3-Clause'],
|
||||
licenseExclusions: [
|
||||
'pkg:pypi/notmypackage-1@1.1.1',
|
||||
'pkg:npm/alsonot@1.0.2'
|
||||
]
|
||||
}
|
||||
|
||||
const invalidLicenses = await getInvalidLicenseChanges(
|
||||
changes,
|
||||
licensesConfig
|
||||
)
|
||||
|
||||
expect(invalidLicenses.forbidden.length).toEqual(2)
|
||||
expect(invalidLicenses.forbidden[0]).toBe(pipChange)
|
||||
expect(invalidLicenses.forbidden[1]).toBe(npmChange)
|
||||
|
||||
@@ -0,0 +1,257 @@
|
||||
import {expect, test, describe} from '@jest/globals'
|
||||
import * as spdx from '../src/spdx'
|
||||
|
||||
describe('satisfiesAny', () => {
|
||||
const units = [
|
||||
{
|
||||
candidate: 'MIT',
|
||||
licenses: ['MIT'],
|
||||
expected: true
|
||||
},
|
||||
{
|
||||
candidate: 'MIT OR Apache-2.0',
|
||||
licenses: ['MIT', 'Apache-2.0'],
|
||||
expected: true
|
||||
},
|
||||
{
|
||||
candidate: '(MIT AND ISC) OR Apache-2.0',
|
||||
licenses: ['MIT', 'Apache-2.0'],
|
||||
expected: true
|
||||
},
|
||||
{
|
||||
candidate: 'MIT AND Apache-2.0',
|
||||
licenses: ['MIT', 'Apache-2.0'],
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: 'MIT AND BSD-3-Clause',
|
||||
licenses: ['MIT', 'Apache-2.0'],
|
||||
expected: false
|
||||
},
|
||||
|
||||
// missing params, case sensitivity, syntax problems,
|
||||
// or unknown licenses will return 'false'
|
||||
{
|
||||
candidate: 'MIT OR',
|
||||
licenses: ['MIT', 'Apache-2.0'],
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: '',
|
||||
licenses: ['MIT', 'Apache-2.0'],
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: 'MIT OR (Apache-2.0 AND ISC)',
|
||||
licenses: [],
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: 'MIT AND (ISC',
|
||||
licenses: ['MIT', 'Apache-2.0'],
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: 'MIT OR ISC',
|
||||
licenses: ['MiT'],
|
||||
expected: false
|
||||
}
|
||||
]
|
||||
|
||||
for (const unit of units) {
|
||||
const got: boolean = spdx.satisfiesAny(unit.candidate, unit.licenses)
|
||||
test(`should return ${unit.expected} for ("${unit.candidate}", "${unit.licenses}")`, () => {
|
||||
expect(got).toBe(unit.expected)
|
||||
})
|
||||
}
|
||||
})
|
||||
|
||||
describe('satisfiesAll', () => {
|
||||
const units = [
|
||||
{
|
||||
candidate: 'MIT',
|
||||
licenses: ['MIT'],
|
||||
expected: true
|
||||
},
|
||||
{
|
||||
candidate: 'Apache-2.0',
|
||||
licenses: ['MIT', 'ISC', 'Apache-2.0'],
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: 'MIT AND Apache-2.0',
|
||||
licenses: ['MIT', 'Apache-2.0'],
|
||||
expected: true
|
||||
},
|
||||
{
|
||||
candidate: '(MIT OR ISC) AND Apache-2.0',
|
||||
licenses: ['MIT', 'Apache-2.0'],
|
||||
expected: true
|
||||
},
|
||||
{
|
||||
candidate: 'MIT OR BSD-3-Clause',
|
||||
licenses: ['MIT', 'Apache-2.0'],
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: 'BSD-3-Clause OR ISC',
|
||||
licenses: ['MIT', 'Apache-2.0'],
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: '(MIT AND ISC) OR Apache-2.0',
|
||||
licenses: ['MIT', 'ISC'],
|
||||
expected: true
|
||||
},
|
||||
|
||||
// missing params, case sensitivity, syntax problems,
|
||||
// or unknown licenses will return 'false'
|
||||
{
|
||||
candidate: 'MIT OR',
|
||||
licenses: ['MIT', 'Apache-2.0'],
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: '',
|
||||
licenses: ['MIT', 'Apache-2.0'],
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: 'MIT OR (Apache-2.0 AND ISC)',
|
||||
licenses: [],
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: 'MIT AND (ISC',
|
||||
licenses: ['MIT', 'Apache-2.0'],
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: 'MIT OR ISC',
|
||||
licenses: ['MiT'],
|
||||
expected: false
|
||||
}
|
||||
]
|
||||
|
||||
for (const unit of units) {
|
||||
const got: boolean = spdx.satisfiesAll(unit.candidate, unit.licenses)
|
||||
test(`should return ${unit.expected} for ("${unit.candidate}", "${unit.licenses}")`, () => {
|
||||
expect(got).toBe(unit.expected)
|
||||
})
|
||||
}
|
||||
})
|
||||
|
||||
describe('satisfies', () => {
|
||||
const units = [
|
||||
{
|
||||
candidate: 'MIT',
|
||||
constraint: 'MIT',
|
||||
expected: true
|
||||
},
|
||||
{
|
||||
candidate: 'Apache-2.0',
|
||||
constraint: 'MIT',
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: 'MIT OR Apache-2.0',
|
||||
constraint: 'MIT',
|
||||
expected: true
|
||||
},
|
||||
{
|
||||
candidate: 'MIT OR Apache-2.0',
|
||||
constraint: 'Apache-2.0',
|
||||
expected: true
|
||||
},
|
||||
{
|
||||
candidate: 'MIT OR Apache-2.0',
|
||||
constraint: 'BSD-3-Clause',
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: 'MIT OR Apache-2.0',
|
||||
constraint: 'Apache-2.0 OR BSD-3-Clause',
|
||||
expected: true
|
||||
},
|
||||
{
|
||||
candidate: 'MIT AND Apache-2.0',
|
||||
constraint: 'MIT AND Apache-2.0',
|
||||
expected: true
|
||||
},
|
||||
{
|
||||
candidate: 'MIT OR Apache-2.0',
|
||||
constraint: 'MIT AND Apache-2.0',
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: 'ISC OR (MIT AND Apache-2.0)',
|
||||
constraint: 'MIT AND Apache-2.0',
|
||||
expected: true
|
||||
},
|
||||
|
||||
// missing params, case sensitivity, syntax problems,
|
||||
// or unknown licenses will return 'false'
|
||||
{
|
||||
candidate: 'MIT',
|
||||
constraint: 'MiT',
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: 'MIT AND (ISC OR',
|
||||
constraint: 'MIT',
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: 'MIT OR ISC OR Apache-2.0',
|
||||
constraint: '',
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: '',
|
||||
constraint: '(BSD-3-Clause AND ISC) OR MIT',
|
||||
expected: false
|
||||
}
|
||||
]
|
||||
|
||||
for (const unit of units) {
|
||||
const got: boolean = spdx.satisfies(unit.candidate, unit.constraint)
|
||||
test(`should return ${unit.expected} for ("${unit.candidate}", "${unit.constraint}")`, () => {
|
||||
expect(got).toBe(unit.expected)
|
||||
})
|
||||
}
|
||||
})
|
||||
|
||||
describe('isValid', () => {
|
||||
const units = [
|
||||
{
|
||||
candidate: 'MIT',
|
||||
expected: true
|
||||
},
|
||||
{
|
||||
candidate: 'MIT AND BSD-3-Clause',
|
||||
expected: true
|
||||
},
|
||||
{
|
||||
candidate: '(MIT AND ISC) OR BSD-3-Clause',
|
||||
expected: true
|
||||
},
|
||||
{
|
||||
candidate: 'NOASSERTION',
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: 'Foobar',
|
||||
expected: false
|
||||
},
|
||||
{
|
||||
candidate: '',
|
||||
expected: false
|
||||
}
|
||||
]
|
||||
for (const unit of units) {
|
||||
const got: boolean = spdx.isValid(unit.candidate)
|
||||
test(`should return ${unit.expected} for ("${unit.candidate}")`, () => {
|
||||
expect(got).toBe(unit.expected)
|
||||
})
|
||||
}
|
||||
})
|
||||
@@ -109,42 +109,6 @@ test('prints headline as h1', () => {
|
||||
expect(text).toContain('<h1>Dependency Review</h1>')
|
||||
})
|
||||
|
||||
test('returns minimal summary in case the core.summary is too large for a PR comment', () => {
|
||||
let changes: Changes = [
|
||||
createTestChange({name: 'lodash', version: '1.2.3'}),
|
||||
createTestChange({name: 'colors', version: '2.3.4'}),
|
||||
createTestChange({name: '@foo/bar', version: '*'})
|
||||
]
|
||||
|
||||
let minSummary: string = summary.addSummaryToSummary(
|
||||
changes,
|
||||
emptyInvalidLicenseChanges,
|
||||
emptyChanges,
|
||||
scorecard,
|
||||
defaultConfig
|
||||
)
|
||||
|
||||
// side effect DR report into core.summary as happens in main.ts
|
||||
summary.addScannedDependencies(changes)
|
||||
const text = core.summary.stringify()
|
||||
|
||||
expect(text).toContain('<h1>Dependency Review</h1>')
|
||||
expect(minSummary).toContain('# Dependency Review')
|
||||
|
||||
expect(text).toContain('❌ 3 vulnerable package(s)')
|
||||
expect(text).not.toContain('* ❌ 3 vulnerable package(s)')
|
||||
expect(text).toContain('lodash')
|
||||
expect(text).toContain('colors')
|
||||
expect(text).toContain('@foo/bar')
|
||||
|
||||
expect(minSummary).toContain('* ❌ 3 vulnerable package(s)')
|
||||
expect(minSummary).not.toContain('lodash')
|
||||
expect(minSummary).not.toContain('colors')
|
||||
expect(minSummary).not.toContain('@foo/bar')
|
||||
|
||||
expect(text.length).toBeGreaterThan(minSummary.length)
|
||||
})
|
||||
|
||||
test('returns minimal summary formatted for posting as a PR comment', () => {
|
||||
const OLD_ENV = process.env
|
||||
|
||||
@@ -232,14 +196,10 @@ test('groups dependencies with empty manifest paths together', () => {
|
||||
emptyScorecard,
|
||||
defaultConfig
|
||||
)
|
||||
summary.addScannedDependencies(changesWithEmptyManifests)
|
||||
summary.addScannedFiles(changesWithEmptyManifests)
|
||||
const text = core.summary.stringify()
|
||||
|
||||
expect(text).toContain('<summary>Unnamed Manifest</summary>')
|
||||
expect(text).toContain('castore')
|
||||
expect(text).toContain('connection')
|
||||
expect(text).toContain('<summary>python/dist-info/METADATA</summary>')
|
||||
expect(text).toContain('pygments')
|
||||
expect(text).toContain('Unnamed Manifest')
|
||||
expect(text).toContain('python/dist-info/METADATA')
|
||||
})
|
||||
|
||||
test('does not include status section if nothing was found', () => {
|
||||
|
||||
+2911
-2731
File diff suppressed because one or more lines are too long
+1
-1
File diff suppressed because one or more lines are too long
+26
-45
@@ -514,6 +514,31 @@ The above copyright notice and this permission notice shall be included in all c
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
||||
|
||||
|
||||
@onebeyond/spdx-license-satisfies
|
||||
MIT
|
||||
The MIT License
|
||||
|
||||
Copyright (c) spdx-satisfies.js contributors
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a
|
||||
copy of this software and associated documentation files (the "Software"),
|
||||
to deal in the Software without restriction, including without limitation
|
||||
the rights to use, copy, modify, merge, publish, distribute, sublicense,
|
||||
and/or sell copies of the Software, and to permit persons to whom the
|
||||
Software is furnished to do so, subject to the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be included
|
||||
in all copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
|
||||
THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR
|
||||
OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
|
||||
ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
|
||||
OTHER DEALINGS IN THE SOFTWARE.
|
||||
|
||||
|
||||
aggregate-error
|
||||
MIT
|
||||
MIT License
|
||||
@@ -1435,7 +1460,7 @@ lru-cache
|
||||
ISC
|
||||
The ISC License
|
||||
|
||||
Copyright (c) Isaac Z. Schlueter and Contributors
|
||||
Copyright (c) 2010-2023 Isaac Z. Schlueter and Contributors
|
||||
|
||||
Permission to use, copy, modify, and/or distribute this software for any
|
||||
purpose with or without fee is hereby granted, provided that the above
|
||||
@@ -1621,31 +1646,6 @@ The above copyright notice and this permission notice shall be included in all c
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
||||
|
||||
|
||||
spdx-satisfies
|
||||
MIT
|
||||
The MIT License
|
||||
|
||||
Copyright (c) spdx-satisfies.js contributors
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a
|
||||
copy of this software and associated documentation files (the "Software"),
|
||||
to deal in the Software without restriction, including without limitation
|
||||
the rights to use, copy, modify, merge, publish, distribute, sublicense,
|
||||
and/or sell copies of the Software, and to permit persons to whom the
|
||||
Software is furnished to do so, subject to the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be included
|
||||
in all copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
|
||||
THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR
|
||||
OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
|
||||
ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
|
||||
OTHER DEALINGS IN THE SOFTWARE.
|
||||
|
||||
|
||||
tunnel
|
||||
MIT
|
||||
The MIT License (MIT)
|
||||
@@ -1764,25 +1764,6 @@ ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
|
||||
IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
|
||||
|
||||
yallist
|
||||
ISC
|
||||
The ISC License
|
||||
|
||||
Copyright (c) Isaac Z. Schlueter and Contributors
|
||||
|
||||
Permission to use, copy, modify, and/or distribute this software for any
|
||||
purpose with or without fee is hereby granted, provided that the above
|
||||
copyright notice and this permission notice appear in all copies.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
||||
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||||
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
||||
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||||
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
|
||||
IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
|
||||
|
||||
yaml
|
||||
ISC
|
||||
Copyright Eemeli Aro <eemeli@gmail.com>
|
||||
|
||||
+1
-1
File diff suppressed because one or more lines are too long
+3
-3
@@ -1,4 +1,4 @@
|
||||
# Examples on how to use the Dependency Review Action
|
||||
# Examples of how to use the Dependency Review Action
|
||||
|
||||
## Basic Usage
|
||||
|
||||
@@ -89,7 +89,7 @@ The following example will use a configuration file from an external public GitH
|
||||
|
||||
Let's say that the configuration file is located in `github/octorepo/dependency-review-config.yml@main`
|
||||
|
||||
The Dependancy Review Action workflow file will then look like this:
|
||||
The Dependency Review Action workflow file will then look like this:
|
||||
|
||||
```yaml
|
||||
name: 'Dependency Review'
|
||||
@@ -116,7 +116,7 @@ The following example will use a configuration file from an external private Gti
|
||||
|
||||
Let's say that the configuration file is located in `github/octorepo-private/dependency-review-config.yml@main`
|
||||
|
||||
The Dependancy Review Action workflow file will then look like this:
|
||||
The Dependency Review Action workflow file will then look like this:
|
||||
|
||||
```yaml
|
||||
name: 'Dependency Review'
|
||||
|
||||
Generated
+752
-746
File diff suppressed because it is too large
Load Diff
+17
-11
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"name": "dependency-review-action",
|
||||
"version": "4.3.3",
|
||||
"version": "4.6.0",
|
||||
"private": true,
|
||||
"description": "A GitHub Action for Dependency Review",
|
||||
"main": "lib/main.js",
|
||||
@@ -27,34 +27,40 @@
|
||||
"dependencies": {
|
||||
"@actions/core": "^1.10.1",
|
||||
"@actions/github": "^6.0.0",
|
||||
"@octokit/plugin-retry": "^6.0.1",
|
||||
"@octokit/request-error": "^5.0.1",
|
||||
"@types/jest": "^29.5.12",
|
||||
"@octokit/plugin-retry": "^6.1.0",
|
||||
"@octokit/request-error": "^5.1.1",
|
||||
"@octokit/types": "12.5.0",
|
||||
"@onebeyond/spdx-license-satisfies": "^1.0.1",
|
||||
"ansi-styles": "^6.2.1",
|
||||
"got": "^14.2.0",
|
||||
"got": "^14.4.5",
|
||||
"jest": "^29.7.0",
|
||||
"octokit": "^3.1.2",
|
||||
"spdx-expression-parse": "^3.0.1",
|
||||
"spdx-satisfies": "^5.0.1",
|
||||
"ts-jest": "^29.1.2",
|
||||
"ts-jest": "^29.2.5",
|
||||
"yaml": "^2.3.4",
|
||||
"zod": "^3.22.3"
|
||||
"zod": "^3.24.1"
|
||||
},
|
||||
"devDependencies": {
|
||||
"@types/jest": "^29.5.12",
|
||||
"@types/node": "^20",
|
||||
"@types/spdx-expression-parse": "^3.0.4",
|
||||
"@types/spdx-satisfies": "^0.1.1",
|
||||
"@typescript-eslint/eslint-plugin": "^6.21.0",
|
||||
"@typescript-eslint/parser": "^6.21.0",
|
||||
"@vercel/ncc": "^0.38.0",
|
||||
"esbuild-register": "^3.5.0",
|
||||
"@vercel/ncc": "^0.38.3",
|
||||
"esbuild-register": "^3.6.0",
|
||||
"eslint": "^8.57.0",
|
||||
"eslint-plugin-github": "^4.10.2",
|
||||
"eslint-plugin-jest": "^27.9.0",
|
||||
"eslint-plugin-jest": "^28.8.3",
|
||||
"eslint-plugin-prettier": "^5.1.3",
|
||||
"js-yaml": "^4.1.0",
|
||||
"nodemon": "^3.1.0",
|
||||
"nodemon": "^3.1.9",
|
||||
"prettier": "3.2.5",
|
||||
"typescript": "^5.4.5"
|
||||
},
|
||||
"overrides": {
|
||||
"cross-spawn": ">=7.0.5",
|
||||
"@octokit/request-error@5.0.1": "5.1.1"
|
||||
}
|
||||
}
|
||||
|
||||
@@ -143,7 +143,7 @@ async function createSummary(
|
||||
...licenseIssues.unlicensed
|
||||
]
|
||||
|
||||
summary.addScannedDependencies(allChanges)
|
||||
summary.addScannedFiles(allChanges)
|
||||
|
||||
const text = core.summary.stringify()
|
||||
await fs.promises.writeFile(path.resolve(tmpDir, fileName), text, {
|
||||
|
||||
+3
-3
@@ -17,13 +17,13 @@ const COMMENT_MARKER = '<!-- dependency-review-pr-comment-marker -->'
|
||||
|
||||
export async function commentPr(
|
||||
commentContent: string,
|
||||
config: ConfigurationOptions
|
||||
config: ConfigurationOptions,
|
||||
issueFound: boolean
|
||||
): Promise<void> {
|
||||
if (
|
||||
!(
|
||||
config.comment_summary_in_pr === 'always' ||
|
||||
(config.comment_summary_in_pr === 'on-failure' &&
|
||||
process.exitCode === core.ExitCode.Failure)
|
||||
(config.comment_summary_in_pr === 'on-failure' && issueFound)
|
||||
)
|
||||
) {
|
||||
return
|
||||
|
||||
+6
-3
@@ -4,7 +4,8 @@ import YAML from 'yaml'
|
||||
import * as core from '@actions/core'
|
||||
import * as z from 'zod'
|
||||
import {ConfigurationOptions, ConfigurationOptionsSchema} from './schemas'
|
||||
import {isSPDXValid, octokitClient} from './utils'
|
||||
import {octokitClient} from './utils'
|
||||
import {isValid} from './spdx'
|
||||
|
||||
type ConfigurationOptionsPartial = Partial<ConfigurationOptions>
|
||||
|
||||
@@ -113,10 +114,12 @@ function validateLicenses(
|
||||
return
|
||||
}
|
||||
|
||||
const invalid_licenses = licenses.filter(license => !isSPDXValid(license))
|
||||
const invalid_licenses = licenses.filter(license => !isValid(license))
|
||||
|
||||
if (invalid_licenses.length > 0) {
|
||||
throw new Error(`Invalid license(s) in ${key}: ${invalid_licenses}`)
|
||||
throw new Error(
|
||||
`Invalid license(s) in ${key}: ${invalid_licenses.join(', ')}`
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
+4
-9
@@ -9,15 +9,17 @@ export async function getDeniedChanges(
|
||||
): Promise<Change[]> {
|
||||
const changesDenied: Change[] = []
|
||||
|
||||
let hasDeniedPackage = false
|
||||
for (const change of changes) {
|
||||
if (change.change_type === 'removed') {
|
||||
continue
|
||||
}
|
||||
|
||||
for (const denied of deniedPackages) {
|
||||
if (
|
||||
(!denied.version || change.version === denied.version) &&
|
||||
change.name === denied.name
|
||||
) {
|
||||
changesDenied.push(change)
|
||||
hasDeniedPackage = true
|
||||
}
|
||||
}
|
||||
|
||||
@@ -30,17 +32,10 @@ export async function getDeniedChanges(
|
||||
}
|
||||
if (namespace && namespace === denied.namespace) {
|
||||
changesDenied.push(change)
|
||||
hasDeniedPackage = true
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (hasDeniedPackage) {
|
||||
core.setFailed('Dependency review detected denied packages.')
|
||||
} else {
|
||||
core.info('Dependency review did not detect any denied packages')
|
||||
}
|
||||
|
||||
return changesDenied
|
||||
}
|
||||
|
||||
|
||||
+25
-12
@@ -1,40 +1,53 @@
|
||||
import {PullRequestSchema, ConfigurationOptions} from './schemas'
|
||||
import {
|
||||
PullRequestSchema,
|
||||
ConfigurationOptions,
|
||||
MergeGroupSchema
|
||||
} from './schemas'
|
||||
|
||||
export function getRefs(
|
||||
config: ConfigurationOptions,
|
||||
context: {payload: {pull_request?: unknown}; eventName: string}
|
||||
context: {
|
||||
payload: {pull_request?: unknown; merge_group?: unknown}
|
||||
eventName: string
|
||||
}
|
||||
): {base: string; head: string} {
|
||||
let base_ref = config.base_ref
|
||||
let head_ref = config.head_ref
|
||||
|
||||
// If possible, source default base & head refs from the GitHub event.
|
||||
// The base/head ref from the config take priority, if provided.
|
||||
if (
|
||||
context.eventName === 'pull_request' ||
|
||||
context.eventName === 'pull_request_target'
|
||||
) {
|
||||
const pull_request = PullRequestSchema.parse(context.payload.pull_request)
|
||||
base_ref = base_ref || pull_request.base.sha
|
||||
head_ref = head_ref || pull_request.head.sha
|
||||
if (!base_ref && !head_ref) {
|
||||
if (
|
||||
context.eventName === 'pull_request' ||
|
||||
context.eventName === 'pull_request_target'
|
||||
) {
|
||||
const pull_request = PullRequestSchema.parse(context.payload.pull_request)
|
||||
base_ref = base_ref || pull_request.base.sha
|
||||
head_ref = head_ref || pull_request.head.sha
|
||||
} else if (context.eventName === 'merge_group') {
|
||||
const merge_group = MergeGroupSchema.parse(context.payload.merge_group)
|
||||
base_ref = base_ref || merge_group.base_sha
|
||||
head_ref = head_ref || merge_group.head_sha
|
||||
}
|
||||
}
|
||||
|
||||
if (!base_ref && !head_ref) {
|
||||
throw new Error(
|
||||
'Both a base ref and head ref must be provided, either via the `base_ref`/`head_ref` ' +
|
||||
'config options, `base-ref`/`head-ref` workflow action options, or by running a ' +
|
||||
'`pull_request`/`pull_request_target` workflow.'
|
||||
'`pull_request`/`pull_request_target`/`merge_group` workflow.'
|
||||
)
|
||||
} else if (!base_ref) {
|
||||
throw new Error(
|
||||
'A base ref must be provided, either via the `base_ref` config option, ' +
|
||||
'`base-ref` workflow action option, or by running a ' +
|
||||
'`pull_request`/`pull_request_target` workflow.'
|
||||
'`pull_request`/`pull_request_target`/`merge_group` workflow.'
|
||||
)
|
||||
} else if (!head_ref) {
|
||||
throw new Error(
|
||||
'A head ref must be provided, either via the `head_ref` config option, ' +
|
||||
'`head-ref` workflow action option, or by running a ' +
|
||||
'or by running a `pull_request`/`pull_request_target` workflow.'
|
||||
'or by running a `pull_request`/`pull_request_target`/`merge_group` workflow.'
|
||||
)
|
||||
}
|
||||
|
||||
|
||||
+17
-12
@@ -1,7 +1,7 @@
|
||||
import spdxSatisfies from 'spdx-satisfies'
|
||||
import {Change, Changes} from './schemas'
|
||||
import {isSPDXValid, octokitClient} from './utils'
|
||||
import {octokitClient} from './utils'
|
||||
import {parsePURL} from './purl'
|
||||
import * as spdx from './spdx'
|
||||
|
||||
/**
|
||||
* Loops through a list of changes, filtering and returning the
|
||||
@@ -47,7 +47,7 @@ export async function getInvalidLicenseChanges(
|
||||
|
||||
const changeAsPackageURL = parsePURL(encodeURI(change.package_url))
|
||||
|
||||
// We want to find if the licenseExclussion list contains the PackageURL of the Change
|
||||
// We want to find if the licenseExclusion list contains the PackageURL of the Change
|
||||
// If it does, we want to filter it out and therefore return false
|
||||
// If it doesn't, we want to keep it and therefore return true
|
||||
if (
|
||||
@@ -87,15 +87,19 @@ export async function getInvalidLicenseChanges(
|
||||
} else if (validityCache.get(license) === undefined) {
|
||||
try {
|
||||
if (allow !== undefined) {
|
||||
const found = allow.find(spdxExpression =>
|
||||
spdxSatisfies(license, spdxExpression)
|
||||
)
|
||||
validityCache.set(license, found !== undefined)
|
||||
if (spdx.isValid(license)) {
|
||||
const found = spdx.satisfiesAny(license, allow)
|
||||
validityCache.set(license, found)
|
||||
} else {
|
||||
invalidLicenseChanges.unresolved.push(change)
|
||||
}
|
||||
} else if (deny !== undefined) {
|
||||
const found = deny.find(spdxExpression =>
|
||||
spdxSatisfies(license, spdxExpression)
|
||||
)
|
||||
validityCache.set(license, found === undefined)
|
||||
if (spdx.isValid(license)) {
|
||||
const found = spdx.satisfiesAny(license, deny)
|
||||
validityCache.set(license, !found)
|
||||
} else {
|
||||
invalidLicenseChanges.unresolved.push(change)
|
||||
}
|
||||
}
|
||||
} catch (err) {
|
||||
invalidLicenseChanges.unresolved.push(change)
|
||||
@@ -161,10 +165,11 @@ const setGHLicenses = async (changes: Change[]): Promise<Change[]> => {
|
||||
|
||||
return Promise.all(updatedChanges)
|
||||
}
|
||||
|
||||
// Currently Dependency Graph licenses are truncated to 255 characters
|
||||
// This possibly makes them invalid spdx ids
|
||||
const truncatedDGLicense = (license: string): boolean =>
|
||||
license.length === 255 && !isSPDXValid(license)
|
||||
license.length === 255 && !spdx.isValid(license)
|
||||
|
||||
async function groupChanges(
|
||||
changes: Changes
|
||||
|
||||
+61
-24
@@ -125,7 +125,9 @@ async function run(): Promise<void> {
|
||||
config.deny_groups
|
||||
)
|
||||
|
||||
const scorecard = await getScorecardLevels(filteredChanges)
|
||||
// generate informational scorecard entries for all added changes in the PR
|
||||
const scorecardChanges = getScorecardChanges(changes)
|
||||
const scorecard = await getScorecardLevels(scorecardChanges)
|
||||
|
||||
const minSummary = summary.addSummaryToSummary(
|
||||
vulnerableChanges,
|
||||
@@ -139,10 +141,16 @@ async function run(): Promise<void> {
|
||||
summary.addSnapshotWarnings(config, snapshot_warnings)
|
||||
}
|
||||
|
||||
let issueFound = false
|
||||
|
||||
if (config.vulnerability_check) {
|
||||
core.setOutput('vulnerable-changes', JSON.stringify(vulnerableChanges))
|
||||
summary.addChangeVulnerabilitiesToSummary(vulnerableChanges, minSeverity)
|
||||
printVulnerabilitiesBlock(vulnerableChanges, minSeverity, warnOnly)
|
||||
issueFound ||= await printVulnerabilitiesBlock(
|
||||
vulnerableChanges,
|
||||
minSeverity,
|
||||
warnOnly
|
||||
)
|
||||
}
|
||||
if (config.license_check) {
|
||||
core.setOutput(
|
||||
@@ -150,12 +158,12 @@ async function run(): Promise<void> {
|
||||
JSON.stringify(invalidLicenseChanges)
|
||||
)
|
||||
summary.addLicensesToSummary(invalidLicenseChanges, config)
|
||||
printLicensesBlock(invalidLicenseChanges, warnOnly)
|
||||
issueFound ||= await printLicensesBlock(invalidLicenseChanges, warnOnly)
|
||||
}
|
||||
if (config.deny_packages || config.deny_groups) {
|
||||
core.setOutput('denied-changes', JSON.stringify(deniedChanges))
|
||||
summary.addDeniedToSummary(deniedChanges)
|
||||
printDeniedDependencies(deniedChanges, config)
|
||||
issueFound ||= await printDeniedDependencies(deniedChanges, config)
|
||||
}
|
||||
if (config.show_openssf_scorecard) {
|
||||
summary.addScorecardToSummary(scorecard, config)
|
||||
@@ -164,7 +172,7 @@ async function run(): Promise<void> {
|
||||
}
|
||||
|
||||
core.setOutput('dependency-changes', JSON.stringify(changes))
|
||||
summary.addScannedDependencies(changes)
|
||||
summary.addScannedFiles(changes)
|
||||
printScannedDependencies(changes)
|
||||
|
||||
// include full summary in output; Actions will truncate if oversized
|
||||
@@ -180,7 +188,7 @@ async function run(): Promise<void> {
|
||||
}
|
||||
|
||||
// update the PR comment if needed with the right-sized summary
|
||||
await commentPr(rendered, config)
|
||||
await commentPr(rendered, config, issueFound)
|
||||
} catch (error) {
|
||||
if (error instanceof RequestError && error.status === 404) {
|
||||
core.setFailed(
|
||||
@@ -188,7 +196,7 @@ async function run(): Promise<void> {
|
||||
)
|
||||
} else if (error instanceof RequestError && error.status === 403) {
|
||||
core.setFailed(
|
||||
`Dependency review is not supported on this repository. Please ensure that Dependency graph is enabled along with GitHub Advanced Security on private repositories, see https://github.com/${github.context.repo.owner}/${github.context.repo.repo}/settings/security_analysis`
|
||||
`Dependency review is not supported on this repository. Please ensure that Dependency graph is enabled along with GitHub Advanced Security on private repositories, see ${github.context.serverUrl}/${github.context.repo.owner}/${github.context.repo.repo}/settings/security_analysis`
|
||||
)
|
||||
} else {
|
||||
if (error instanceof Error) {
|
||||
@@ -202,18 +210,16 @@ async function run(): Promise<void> {
|
||||
}
|
||||
}
|
||||
|
||||
function printVulnerabilitiesBlock(
|
||||
async function printVulnerabilitiesBlock(
|
||||
addedChanges: Changes,
|
||||
minSeverity: Severity,
|
||||
warnOnly: boolean
|
||||
): void {
|
||||
let vulFound = false
|
||||
core.group('Vulnerabilities', async () => {
|
||||
if (addedChanges.length > 0) {
|
||||
for (const change of addedChanges) {
|
||||
printChangeVulnerabilities(change)
|
||||
}
|
||||
vulFound = true
|
||||
): Promise<boolean> {
|
||||
return core.group('Vulnerabilities', async () => {
|
||||
let vulFound = false
|
||||
|
||||
for (const change of addedChanges) {
|
||||
vulFound ||= printChangeVulnerabilities(change)
|
||||
}
|
||||
|
||||
if (vulFound) {
|
||||
@@ -228,10 +234,12 @@ function printVulnerabilitiesBlock(
|
||||
`Dependency review did not detect any vulnerable packages with severity level "${minSeverity}" or higher.`
|
||||
)
|
||||
}
|
||||
|
||||
return vulFound
|
||||
})
|
||||
}
|
||||
|
||||
function printChangeVulnerabilities(change: Change): void {
|
||||
function printChangeVulnerabilities(change: Change): boolean {
|
||||
for (const vuln of change.vulnerabilities) {
|
||||
core.info(
|
||||
`${styles.bold.open}${change.manifest} » ${change.name}@${
|
||||
@@ -242,14 +250,18 @@ function printChangeVulnerabilities(change: Change): void {
|
||||
)
|
||||
core.info(` ↪ ${vuln.advisory_url}`)
|
||||
}
|
||||
return change.vulnerabilities.length > 0
|
||||
}
|
||||
|
||||
function printLicensesBlock(
|
||||
async function printLicensesBlock(
|
||||
invalidLicenseChanges: Record<string, Changes>,
|
||||
warnOnly: boolean
|
||||
): void {
|
||||
core.group('Licenses', async () => {
|
||||
): Promise<boolean> {
|
||||
return core.group('Licenses', async () => {
|
||||
let issueFound = false
|
||||
|
||||
if (invalidLicenseChanges.forbidden.length > 0) {
|
||||
issueFound = true
|
||||
core.info('\nThe following dependencies have incompatible licenses:')
|
||||
printLicensesError(invalidLicenseChanges.forbidden)
|
||||
const msg = 'Dependency review detected incompatible licenses.'
|
||||
@@ -260,6 +272,7 @@ function printLicensesBlock(
|
||||
}
|
||||
}
|
||||
if (invalidLicenseChanges.unresolved.length > 0) {
|
||||
issueFound = true
|
||||
core.warning(
|
||||
'\nThe validity of the licenses of the dependencies below could not be determined. Ensure that they are valid SPDX licenses:'
|
||||
)
|
||||
@@ -269,6 +282,8 @@ function printLicensesBlock(
|
||||
)
|
||||
}
|
||||
printNullLicenses(invalidLicenseChanges.unlicensed)
|
||||
|
||||
return issueFound
|
||||
})
|
||||
}
|
||||
|
||||
@@ -368,11 +383,13 @@ function printScannedDependencies(changes: Changes): void {
|
||||
})
|
||||
}
|
||||
|
||||
function printDeniedDependencies(
|
||||
changes: Change[],
|
||||
async function printDeniedDependencies(
|
||||
changes: Changes,
|
||||
config: ConfigurationOptions
|
||||
): void {
|
||||
core.group('Denied', async () => {
|
||||
): Promise<boolean> {
|
||||
return core.group('Denied', async () => {
|
||||
let issueFound = false
|
||||
|
||||
for (const denied of config.deny_packages) {
|
||||
core.info(`Config: ${denied}`)
|
||||
}
|
||||
@@ -381,9 +398,29 @@ function printDeniedDependencies(
|
||||
core.info(`Change: ${change.name}@${change.version} is denied`)
|
||||
core.info(`Change: ${change.package_url} is denied`)
|
||||
}
|
||||
|
||||
if (changes.length > 0) {
|
||||
issueFound = true
|
||||
core.setFailed('Dependency review detected denied packages.')
|
||||
} else {
|
||||
core.info('Dependency review did not detect any denied packages')
|
||||
}
|
||||
|
||||
return issueFound
|
||||
})
|
||||
}
|
||||
|
||||
function getScorecardChanges(changes: Changes): Changes {
|
||||
const out: Changes = []
|
||||
for (const change of changes) {
|
||||
if (change.change_type === 'added') {
|
||||
out.push(change)
|
||||
}
|
||||
}
|
||||
|
||||
return out
|
||||
}
|
||||
|
||||
async function createScorecardWarnings(
|
||||
scorecards: Scorecard,
|
||||
config: ConfigurationOptions
|
||||
|
||||
@@ -91,6 +91,11 @@ export const PullRequestSchema = z.object({
|
||||
head: z.object({sha: z.string()})
|
||||
})
|
||||
|
||||
export const MergeGroupSchema = z.object({
|
||||
base_sha: z.string(),
|
||||
head_sha: z.string()
|
||||
})
|
||||
|
||||
export const ConfigurationOptionsSchema = z
|
||||
.object({
|
||||
fail_on_severity: SeveritySchema,
|
||||
|
||||
+56
@@ -0,0 +1,56 @@
|
||||
import * as spdxlib from '@onebeyond/spdx-license-satisfies'
|
||||
import parse from 'spdx-expression-parse'
|
||||
|
||||
/*
|
||||
* NOTE: spdx-license-satisfies methods depend on spdx-expression-parse
|
||||
* which throws errors in the presence of any syntax trouble, unknown
|
||||
* license tokens, case sensitivity problems etc. to simplify handling
|
||||
* you should pre-screen inputs to the satisfies* methods using isValid
|
||||
*/
|
||||
|
||||
// accepts a pair of well-formed SPDX expressions. the
|
||||
// candidate is tested against the constraint
|
||||
export function satisfies(
|
||||
candidateExpr: string,
|
||||
constraintExpr: string
|
||||
): boolean {
|
||||
try {
|
||||
return spdxlib.satisfies(candidateExpr, constraintExpr)
|
||||
} catch (_) {
|
||||
return false
|
||||
}
|
||||
}
|
||||
|
||||
// accepts an SPDX expression and a non-empty list of licenses (not expressions)
|
||||
export function satisfiesAny(
|
||||
candidateExpr: string,
|
||||
licenses: string[]
|
||||
): boolean {
|
||||
try {
|
||||
return spdxlib.satisfiesAny(candidateExpr, licenses)
|
||||
} catch (_) {
|
||||
return false
|
||||
}
|
||||
}
|
||||
|
||||
// accepts an SPDX expression and a non-empty list of licenses (not expressions)
|
||||
export function satisfiesAll(
|
||||
candidateExpr: string,
|
||||
licenses: string[]
|
||||
): boolean {
|
||||
try {
|
||||
return spdxlib.satisfiesAll(candidateExpr, licenses)
|
||||
} catch (_) {
|
||||
return false
|
||||
}
|
||||
}
|
||||
|
||||
// accepts any SPDX expression
|
||||
export function isValid(spdxExpr: string): boolean {
|
||||
try {
|
||||
parse(spdxExpr)
|
||||
return true
|
||||
} catch (_) {
|
||||
return false
|
||||
}
|
||||
}
|
||||
+34
-12
@@ -1,7 +1,7 @@
|
||||
import * as core from '@actions/core'
|
||||
import {ConfigurationOptions, Changes, Change, Scorecard} from './schemas'
|
||||
import {SummaryTableRow} from '@actions/core/lib/summary'
|
||||
import {InvalidLicenseChanges, InvalidLicenseChangeTypes} from './licenses'
|
||||
import {Change, Changes, ConfigurationOptions, Scorecard} from './schemas'
|
||||
import {groupDependenciesByManifest, getManifestsSet, renderUrl} from './utils'
|
||||
|
||||
const icons = {
|
||||
@@ -10,6 +10,8 @@ const icons = {
|
||||
warning: '⚠️'
|
||||
}
|
||||
|
||||
const MAX_SCANNED_FILES_BYTES = 1048576
|
||||
|
||||
// generates the DR report summmary and caches it to the Action's core.summary.
|
||||
// returns the DR summary string, ready to be posted as a PR comment if the
|
||||
// final DR report is too large
|
||||
@@ -263,20 +265,37 @@ function formatLicense(license: string | null): string {
|
||||
return license
|
||||
}
|
||||
|
||||
export function addScannedDependencies(changes: Changes): void {
|
||||
const dependencies = groupDependenciesByManifest(changes)
|
||||
const manifests = dependencies.keys()
|
||||
export function addScannedFiles(changes: Changes): void {
|
||||
const manifests = Array.from(
|
||||
groupDependenciesByManifest(changes).keys()
|
||||
).sort()
|
||||
|
||||
const summary = core.summary.addHeading('Scanned Manifest Files', 2)
|
||||
let sf_size = 0
|
||||
let trunc_at = -1
|
||||
|
||||
for (const manifest of manifests) {
|
||||
const deps = dependencies.get(manifest)
|
||||
if (deps) {
|
||||
const dependencyNames = deps.map(
|
||||
dependency => `<li>${dependency.name}@${dependency.version}</li>`
|
||||
)
|
||||
summary.addDetails(manifest, `<ul>${dependencyNames.join('')}</ul>`)
|
||||
for (const [index, entry] of manifests.entries()) {
|
||||
if (sf_size + entry.length >= MAX_SCANNED_FILES_BYTES) {
|
||||
trunc_at = index
|
||||
break
|
||||
}
|
||||
sf_size += entry.length
|
||||
}
|
||||
|
||||
if (trunc_at >= 0) {
|
||||
// truncate the manifests list if it will overflow the summary output
|
||||
manifests.slice(0, trunc_at)
|
||||
// if there's room between cutoff size and list size, add a warning
|
||||
const size_diff = MAX_SCANNED_FILES_BYTES - sf_size
|
||||
if (size_diff < 12) {
|
||||
manifests.push('(truncated)')
|
||||
}
|
||||
}
|
||||
|
||||
const summary = core.summary.addHeading('Scanned Files', 2)
|
||||
if (manifests.length === 0) {
|
||||
summary.addRaw('None')
|
||||
} else {
|
||||
summary.addList(manifests)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -302,6 +321,9 @@ export function addScorecardToSummary(
|
||||
scorecard: Scorecard,
|
||||
config: ConfigurationOptions
|
||||
): void {
|
||||
if (scorecard.dependencies.length === 0) {
|
||||
return
|
||||
}
|
||||
core.summary.addHeading('OpenSSF Scorecard', 2)
|
||||
if (scorecard.dependencies.length > 10) {
|
||||
core.summary.addRaw(`<details><summary>Scorecard details</summary>`, true)
|
||||
|
||||
@@ -1,6 +1,5 @@
|
||||
import * as core from '@actions/core'
|
||||
import {Octokit} from 'octokit'
|
||||
import spdxParse from 'spdx-expression-parse'
|
||||
import {Changes} from './schemas'
|
||||
|
||||
export function groupDependenciesByManifest(
|
||||
@@ -34,15 +33,6 @@ export function renderUrl(url: string | null, text: string): string {
|
||||
}
|
||||
}
|
||||
|
||||
export function isSPDXValid(license: string): boolean {
|
||||
try {
|
||||
spdxParse(license)
|
||||
return true
|
||||
} catch (_) {
|
||||
return false
|
||||
}
|
||||
}
|
||||
|
||||
function isEnterprise(): boolean {
|
||||
const serverUrl = new URL(
|
||||
process.env['GITHUB_SERVER_URL'] ?? 'https://github.com'
|
||||
|
||||
+3
-1
@@ -5,7 +5,9 @@
|
||||
"outDir": "./lib" /* Redirect output structure to the directory. */,
|
||||
"strict": true /* Enable all strict type-checking options. */,
|
||||
"noImplicitAny": true /* Raise error on expressions and declarations with an implied 'any' type. */,
|
||||
"esModuleInterop": true /* Enables emit interoperability between CommonJS and ES Modules via creation of namespace objects for all imports. Implies 'allowSyntheticDefaultImports'. */
|
||||
"esModuleInterop": true /* Enables emit interoperability between CommonJS and ES Modules via creation of namespace objects for all imports. Implies 'allowSyntheticDefaultImports'. */,
|
||||
"typeRoots": [ "./node_modules/@types", "./types" ],
|
||||
"types": [ "node", "jest", "spdx-license-satisfies" ]
|
||||
},
|
||||
"exclude": ["node_modules"]
|
||||
}
|
||||
|
||||
Vendored
+16
@@ -0,0 +1,16 @@
|
||||
declare module '@onebeyond/spdx-license-satisfies' {
|
||||
export function satisfies(
|
||||
candidateExpr: string,
|
||||
constraintExpr: string
|
||||
): boolean
|
||||
|
||||
export function satisfiesAny(
|
||||
candidateExpr: string,
|
||||
licenses: string[]
|
||||
): boolean
|
||||
|
||||
export function satisfiesAll(
|
||||
candidateExpr: string,
|
||||
licenses: string[]
|
||||
): boolean
|
||||
}
|
||||
Reference in New Issue
Block a user