Compare commits

...

149 Commits

Author SHA1 Message Date
Lewis Jones 1c271be941 Update README.md 2025-08-28 14:41:04 +01:00
Claire Song 595b5aeba7 Update package version (#975) 2025-08-26 13:00:34 -07:00
Claire Song fc5fd661aa Claire153/fix spamming mentioned issue (#974)
* Keep the issue number and remove the url to avoid linking every PR running the action to that issue
2025-08-26 12:46:02 -07:00
Ashely Tenesaca d38d1a4f40 Merge pull request #965 from actions/dependabot/npm_and_yarn/multi-c22e25d29b
Bump brace-expansion
2025-08-20 17:40:22 -04:00
Ashely Tenesaca 8d420b827c Merge branch 'main' into dependabot/npm_and_yarn/multi-c22e25d29b 2025-08-20 17:28:38 -04:00
Ashely Tenesaca bde01290d3 Merge pull request #966 from actions/ashelytc/add-permissions
Add explicit permissions to workflow files
2025-08-20 09:33:56 -04:00
Ashely Tenesaca ab524903e8 remove ruby 2025-08-19 17:11:41 -04:00
Ashely Tenesaca ef00a0afbb add permissions to workflows 2025-08-19 20:55:24 +00:00
dependabot[bot] 74c8179d39 Bump brace-expansion
Bumps  and [brace-expansion](https://github.com/juliangruber/brace-expansion). These dependencies needed to be updated together.

Updates `brace-expansion` from 1.1.11 to 1.1.12
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](https://github.com/juliangruber/brace-expansion/compare/1.1.11...v1.1.12)

Updates `brace-expansion` from 2.0.1 to 2.0.2
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](https://github.com/juliangruber/brace-expansion/compare/1.1.11...v1.1.12)

---
updated-dependencies:
- dependency-name: brace-expansion
  dependency-version: 1.1.12
  dependency-type: indirect
- dependency-name: brace-expansion
  dependency-version: 2.0.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-08-18 22:33:26 +00:00
Claire Song bc41886e18 Cut 4.7.2 version release (#964)
* Cut 4.7.2 version release

* Bump dependency minor versions
2025-08-18 11:17:54 -07:00
Kevin Dangoor 1c73553e36 Merge pull request #960 from ahpook/ahpook/address-docs-dashes
Address discrepancy between docs and reality
2025-08-18 14:02:19 -04:00
dependabot[bot] fac3d41a58 Bump the minor-updates group across 1 directory with 5 updates (#956)
Bumps the minor-updates group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [ts-jest](https://github.com/kulshekhar/ts-jest) | `29.4.0` | `29.4.1` |
| [yaml](https://github.com/eemeli/yaml) | `2.8.0` | `2.8.1` |
| [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `20.19.7` | `20.19.10` |
| [eslint-plugin-prettier](https://github.com/prettier/eslint-plugin-prettier) | `5.5.1` | `5.5.4` |
| [typescript](https://github.com/microsoft/TypeScript) | `5.8.3` | `5.9.2` |



Updates `ts-jest` from 29.4.0 to 29.4.1
- [Release notes](https://github.com/kulshekhar/ts-jest/releases)
- [Changelog](https://github.com/kulshekhar/ts-jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/kulshekhar/ts-jest/compare/v29.4.0...v29.4.1)

Updates `yaml` from 2.8.0 to 2.8.1
- [Release notes](https://github.com/eemeli/yaml/releases)
- [Commits](https://github.com/eemeli/yaml/compare/v2.8.0...v2.8.1)

Updates `@types/node` from 20.19.7 to 20.19.10
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `eslint-plugin-prettier` from 5.5.1 to 5.5.4
- [Release notes](https://github.com/prettier/eslint-plugin-prettier/releases)
- [Changelog](https://github.com/prettier/eslint-plugin-prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/eslint-plugin-prettier/compare/v5.5.1...v5.5.4)

Updates `typescript` from 5.8.3 to 5.9.2
- [Release notes](https://github.com/microsoft/TypeScript/releases)
- [Changelog](https://github.com/microsoft/TypeScript/blob/main/azure-pipelines.release-publish.yml)
- [Commits](https://github.com/microsoft/TypeScript/compare/v5.8.3...v5.9.2)

---
updated-dependencies:
- dependency-name: ts-jest
  dependency-version: 29.4.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-updates
- dependency-name: yaml
  dependency-version: 2.8.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-updates
- dependency-name: "@types/node"
  dependency-version: 20.19.10
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-updates
- dependency-name: eslint-plugin-prettier
  dependency-version: 5.5.4
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-updates
- dependency-name: typescript
  dependency-version: 5.9.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-updates
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-08-18 10:31:31 -07:00
Claire Song d8073c4b76 Merge pull request #958 from actions/claire153/deprecate-deny-lists
Deprecate deny lists
2025-08-18 12:33:17 -04:00
Claire Song 77184c6339 Fix tests 2025-08-18 15:10:48 +00:00
Eric Sorenson 5558c35bb3 Address discrepancy between docs and reality
The documentation used to say that you needed to transform keys
in external config files from using `-` to `_`, but in reality
the code transforms `-` to `_` regardless of where they occur.

See 4b4ec08f7b

Closes #909
2025-08-15 17:16:55 -07:00
Claire Song e85d57a50e Remove test code 2025-08-15 16:15:02 +00:00
Claire Song 3eb62794c5 Re-add test package. Only show warning in summary if option is used. Update copy. 2025-08-15 15:49:35 +00:00
Claire Song 7cf33ac2f2 Remove test deny list 2025-08-14 17:58:31 +00:00
Claire Song 493bee0560 Remove test package 2025-08-14 17:46:53 +00:00
Claire Song 659a1e1bd0 Update copy and styling 2025-08-14 17:44:34 +00:00
Claire Song 6e80be31cd Add one more line break 2025-08-14 16:39:53 +00:00
Claire Song 3fb5c613f0 Add one more line break 2025-08-14 16:32:20 +00:00
Claire Song 7d16ba5d7e Add one more line break 2025-08-14 15:43:03 +00:00
Claire Song a92a9da9c8 Add one more line break 2025-08-14 15:39:37 +00:00
Claire Song c1fa9df06b Build 2025-08-14 14:43:45 +00:00
Claire Song 6e2bbef080 Add deprecation warning, fix lint issues 2025-08-14 14:25:52 +00:00
Claire Song 9ca24b6906 Add new package 2025-08-13 21:22:20 +00:00
Claire Song 70e1d26338 Test deny list 2025-08-13 21:07:58 +00:00
Roman Iakovlev 89c7383074 Merge pull request #946 from actions/dependabot/npm_and_yarn/minor-updates-9b599382cb
Bump the minor-updates group across 1 directory with 10 updates
2025-07-22 16:15:34 +02:00
Roman Iakovlev 40f2ab01b7 Update dist 2025-07-22 14:06:49 +00:00
Roman Iakovlev 2bedf4a221 Update dist 2025-07-22 14:01:55 +00:00
dependabot[bot] 87052cdc7b Bump the minor-updates group across 1 directory with 10 updates
Bumps the minor-updates group with 10 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@actions/core](https://github.com/actions/toolkit/tree/HEAD/packages/core) | `1.10.1` | `1.11.1` |
| [@actions/github](https://github.com/actions/toolkit/tree/HEAD/packages/github) | `6.0.0` | `6.0.1` |
| [got](https://github.com/sindresorhus/got) | `14.4.5` | `14.4.7` |
| [ts-jest](https://github.com/kulshekhar/ts-jest) | `29.2.5` | `29.4.0` |
| [yaml](https://github.com/eemeli/yaml) | `2.3.4` | `2.8.0` |
| [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `20.16.0` | `20.19.7` |
| [eslint-plugin-prettier](https://github.com/prettier/eslint-plugin-prettier) | `5.1.3` | `5.5.1` |
| [nodemon](https://github.com/remy/nodemon) | `3.1.9` | `3.1.10` |
| [prettier](https://github.com/prettier/prettier) | `3.2.5` | `3.6.2` |
| [typescript](https://github.com/microsoft/TypeScript) | `5.4.5` | `5.8.3` |



Updates `@actions/core` from 1.10.1 to 1.11.1
- [Changelog](https://github.com/actions/toolkit/blob/main/packages/core/RELEASES.md)
- [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/core)

Updates `@actions/github` from 6.0.0 to 6.0.1
- [Changelog](https://github.com/actions/toolkit/blob/main/packages/github/RELEASES.md)
- [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/github)

Updates `got` from 14.4.5 to 14.4.7
- [Release notes](https://github.com/sindresorhus/got/releases)
- [Commits](https://github.com/sindresorhus/got/compare/v14.4.5...v14.4.7)

Updates `ts-jest` from 29.2.5 to 29.4.0
- [Release notes](https://github.com/kulshekhar/ts-jest/releases)
- [Changelog](https://github.com/kulshekhar/ts-jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/kulshekhar/ts-jest/compare/v29.2.5...v29.4.0)

Updates `yaml` from 2.3.4 to 2.8.0
- [Release notes](https://github.com/eemeli/yaml/releases)
- [Commits](https://github.com/eemeli/yaml/compare/v2.3.4...v2.8.0)

Updates `@types/node` from 20.16.0 to 20.19.7
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `eslint-plugin-prettier` from 5.1.3 to 5.5.1
- [Release notes](https://github.com/prettier/eslint-plugin-prettier/releases)
- [Changelog](https://github.com/prettier/eslint-plugin-prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/eslint-plugin-prettier/compare/v5.1.3...v5.5.1)

Updates `nodemon` from 3.1.9 to 3.1.10
- [Release notes](https://github.com/remy/nodemon/releases)
- [Commits](https://github.com/remy/nodemon/compare/v3.1.9...v3.1.10)

Updates `prettier` from 3.2.5 to 3.6.2
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prettier/prettier/compare/3.2.5...3.6.2)

Updates `typescript` from 5.4.5 to 5.8.3
- [Release notes](https://github.com/microsoft/TypeScript/releases)
- [Changelog](https://github.com/microsoft/TypeScript/blob/main/azure-pipelines.release-publish.yml)
- [Commits](https://github.com/microsoft/TypeScript/compare/v5.4.5...v5.8.3)

---
updated-dependencies:
- dependency-name: "@actions/core"
  dependency-version: 1.11.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-updates
- dependency-name: "@actions/github"
  dependency-version: 6.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-updates
- dependency-name: got
  dependency-version: 14.4.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-updates
- dependency-name: ts-jest
  dependency-version: 29.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-updates
- dependency-name: yaml
  dependency-version: 2.8.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-updates
- dependency-name: "@types/node"
  dependency-version: 20.19.7
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-updates
- dependency-name: eslint-plugin-prettier
  dependency-version: 5.5.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-updates
- dependency-name: nodemon
  dependency-version: 3.1.10
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-updates
- dependency-name: prettier
  dependency-version: 3.6.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-updates
- dependency-name: typescript
  dependency-version: 5.8.3
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-updates
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-07-22 13:56:08 +00:00
Roman Iakovlev 47d790678f Merge pull request #934 from actions/dependabot/npm_and_yarn/undici-5.29.0
Bump undici from 5.28.5 to 5.29.0
2025-07-21 19:12:52 +02:00
Roman Iakovlev 1e946feb37 Update dist 2025-07-21 13:53:37 +00:00
Kevin Dangoor 8a1ad91c0a Merge pull request #945 from KyFaSt/patch-1
Add Missing Languages to CodeQL Advanced Configuration
2025-07-11 13:47:35 -04:00
Kylie Stradley 8296deda21 Add Missing Languages to CodeQL Advanced Configuration 2025-07-10 09:22:28 -04:00
dependabot[bot] 733ef0ab01 Bump undici from 5.28.5 to 5.29.0
Bumps [undici](https://github.com/nodejs/undici) from 5.28.5 to 5.29.0.
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](https://github.com/nodejs/undici/compare/v5.28.5...v5.29.0)

---
updated-dependencies:
- dependency-name: undici
  dependency-version: 5.29.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-05-15 16:32:05 +00:00
Kevin Dangoor da24556b54 Merge pull request #933 from actions/dangoor/471-release
Bump version number for 4.7.1
2025-05-13 12:46:37 -04:00
Kevin Dangoor 9af0caf0e5 Bump version number for 4.7.1 2025-05-13 11:20:20 -04:00
Kevin Dangoor d8f2df20d5 Merge pull request #932 from actions/907-disallow-expression
Discard allow list entries that are not SPDX IDs
2025-05-13 10:28:49 -04:00
Kevin Dangoor 6e9307a3d4 Discard allow list entries that are not SPDX IDs
The allow-licenses list is expected (and documented) to be a list of
SPDX license IDs (LicenseRefs are also valid). If someone puts an
expression in the list (e.g. "GPL-3.0-only OR MIT"), it should be
discarded so that the whole list does not become invalid.

Fixes #907
2025-05-12 18:58:58 -04:00
Kevin Dangoor 8805179dc9 Merge pull request #930 from actions/889-allow-no-license
Allowing dependencies works with no licenses
2025-05-08 17:38:03 -04:00
Kevin Dangoor 014300b08c Update build 2025-05-08 17:19:56 -04:00
Kevin Dangoor 34486f306e Check namespaces when excluding license checks
The `allow-dependencies-licenses` option was not checking the namespace
part of the PURL to make sure it matched.
2025-05-08 17:17:08 -04:00
Kevin Dangoor 9b155d6432 Update build 2025-05-08 16:37:11 -04:00
Kevin Dangoor f199659a6a Allowing dependencies works with no licenses
When using the `allow-dependencies-licenses` option, the packages listed
there should be allowed even if they have no license. This wasn't
working because the filtering for allowed dependencies was done
specifically on the list of packages that had licenses, leaving a
separate list (unfiltered) for packages with no licenses. With this
change, we filter out any changes for packages that have been allowed
_before_ we retrieve licenses.

Fixes #889
2025-05-08 16:31:46 -04:00
Kevin Dangoor 38ecb5b593 Merge pull request #929 from actions/dangoor/4.7-release
Version 4.7.0 release
2025-05-08 14:14:35 -04:00
Kevin Dangoor 0e9e935cc8 Version 4.7.0 release
Also add a note about the new `LicenseRef-clearlydefined-OTHER`
to the README.
2025-05-08 13:58:56 -04:00
Kevin Dangoor 69d2faa365 Merge pull request #926 from dangoor/dangoor/replace-other
Replace OTHER with a LicenseRef
2025-05-07 13:25:04 -04:00
Kevin Dangoor 7e14978e0e Merge branch 'actions:main' into dangoor/replace-other 2025-05-07 13:08:00 -04:00
Kevin Dangoor 8477905b0e Merge pull request #927 from dangoor/dangoor/multilicense
Handle complex licenses (e.g. X AND Y)
2025-05-07 13:06:06 -04:00
Kevin Dangoor f3ff3564fa Update dist 2025-05-06 12:26:28 -04:00
Kevin Dangoor c7565d44ec Fix tests and respond to review feedback 2025-05-06 12:25:30 -04:00
Kevin Dangoor 82299c3bbe Replace OTHER with a LicenseRef
ClearlyDefined uses the string `OTHER` for the declared license when
a human has reviewed `NOASSERTION` text and found it to be a valid
license, but one without an SPDX identifier. `OTHER`, unlike
`NOASSERTION`, is not valid. With this change, when `OTHER` appears
in a license string, we'll replace it with
`LicenseRef-clearlydefined-OTHER`, which _is_ valid and will allow
the expressions to parse.
2025-05-06 11:22:50 -04:00
Kevin Dangoor 2013ccccfe Update type definition for spdx-satisfies
I have a PR in with DefinitelyTyped, but this change should allow CI
to pass while that goes through the process.
2025-05-06 11:02:54 -04:00
Kevin Dangoor 3a2b68706a Handle complex licenses (e.g. X AND Y)
There are many packages that are dual-licensed, offering a choice
of licenses (e.g. `MIT OR Apache-2.0`). There are some that include
code from multiple sources and require multiple licenses
(e.g. `MIT AND Apache-2.0`). There are also complex combinations that
can exist for a variety of reasons, such as
`MIT AND (Apache-2.0 OR BSD-3-Clause)`.

The most straightforward approach to handle these is to have an
allow list. As long as the licenses on the allow list can satisfy
the license expression of the package in question, it should pass.

To implement this, I the newest release of spdx-satisfies
which changed the interface to be exactly as described
`satisfies(license, allowList)` (see
https://github.com/jslicense/spdx-satisfies.js/pull/17).

Fixes https://github.com/actions/dependency-review-action/issues/263
2025-05-05 19:06:50 -04:00
Kevin Dangoor a87294d992 Revert "Merge pull request #916 from jebeaudet/spdx-support"
This reverts commit 5a5d4df8ad, reversing
changes made to 67d4f4bd7a.
2025-05-05 18:43:46 -04:00
Ashely Tenesaca 5a5d4df8ad Merge pull request #916 from jebeaudet/spdx-support
Support SPDX expressions with operators in allow/deny license lists
2025-04-15 11:33:49 -04:00
Jacques-Etienne Beaudet 4eb8182aba Support SPDX expressions in allow/deny lists
This change updates license validation to support full SPDX expressions
(such as 'EPL-1.0 AND LGPL-2.1') in both allow-lists and deny-lists. This
enables the action to correctly validate packages that declare multiple
licenses using SPDX conjunctions like AND/OR, which are common in complex
open-source projects.

Previously, only simple license identifiers were supported, which caused
multi-licensed packages to be improperly flagged as invalid even when
they matched the intent of the allow-list.

The new logic uses `spdx.satisfies()` to evaluate whether a package’s
declared license satisfies any expression in the allow/deny list, and
comprehensive tests have been added to verify behavior for various SPDX
combinations.

This improves compatibility with projects using compound SPDX license
expressions and ensures more accurate license policy enforcement.
2025-04-09 12:19:46 -04:00
Barry Gordon 67d4f4bd7a Merge pull request #911 from actions/brrygrdn/handle-spdx-updates-as-priority
Handle any SPDX dependencies as a priority Dependabot PR
2025-04-04 13:00:44 +01:00
Barry Gordon d2e453a37e Handle any SPDX dependencies as a priority PR 2025-04-01 13:52:16 +01:00
Barry Gordon ce3cf9537a Merge pull request #910 from actions/brrygrdn/4.6.0-release-candidate
Prepare 4.6.0 Release candidate
2025-04-01 12:33:27 +01:00
Barry Gordon 479b69732e Prepare 4.6.0 2025-04-01 12:22:08 +01:00
Barry Gordon aee95908ea Merge pull request #902 from Pantelis-Santorinios/patch-1
Clarify comment-summary-in-pr behaviour
2025-04-01 11:40:30 +01:00
Barry Gordon 080ada6281 Merge pull request #883 from fabasoad/fix/ci
Improve usage of this action in dependency-review.yml
2025-04-01 11:36:38 +01:00
Barry Gordon 430e5f0bbf Merge pull request #884 from fabasoad/fix/863
To not print OpenSSF Scorecard section if no dependencies scanned
2025-04-01 11:35:58 +01:00
Barry Gordon 51699b6461 Merge pull request #855 from ailox/ailox/fix/invalid-new-licenses
Update transitive dependency spdx-license-ids
2025-04-01 11:33:12 +01:00
Roman Iakovlev ac9b193beb Merge pull request #899 from actions/dependabot/npm_and_yarn/octokit/plugin-paginate-rest-9.2.2
Bump @octokit/plugin-paginate-rest from 9.1.5 to 9.2.2
2025-03-13 15:37:55 +01:00
Roman Iakovlev d630451aa0 Pin @octokit/types version for compatibility 2025-03-13 14:34:23 +00:00
Roman Iakovlev c8dafca32b Add dist for @octokit/plugin-paginate-rest version bump 2025-03-12 16:55:30 +00:00
dependabot[bot] bc858b5649 Bump @octokit/plugin-paginate-rest from 9.1.5 to 9.2.2
Bumps [@octokit/plugin-paginate-rest](https://github.com/octokit/plugin-paginate-rest.js) from 9.1.5 to 9.2.2.
- [Release notes](https://github.com/octokit/plugin-paginate-rest.js/releases)
- [Commits](https://github.com/octokit/plugin-paginate-rest.js/compare/v9.1.5...v9.2.2)

---
updated-dependencies:
- dependency-name: "@octokit/plugin-paginate-rest"
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-03-12 16:53:26 +00:00
Roman Iakovlev cd1541ea8d Merge pull request #905 from actions/dependabot/npm_and_yarn/babel/helpers-7.26.10
Bump @babel/helpers from 7.23.2 to 7.26.10
2025-03-12 15:43:04 +01:00
dependabot[bot] 7bce095f93 Bump @babel/helpers from 7.23.2 to 7.26.10
Bumps [@babel/helpers](https://github.com/babel/babel/tree/HEAD/packages/babel-helpers) from 7.23.2 to 7.26.10.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.26.10/packages/babel-helpers)

---
updated-dependencies:
- dependency-name: "@babel/helpers"
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-03-12 11:42:46 +00:00
Roman Iakovlev 195b0c2e88 Merge pull request #904 from actions/roman/upd
Bump octokit and related dependencies
2025-03-12 12:41:41 +01:00
Roman Iakovlev cdee0bc8c3 Bump octokit and related dependencies 2025-03-12 10:57:15 +00:00
Lewis Jones 0e562a634b Merge pull request #900 from actions/dependabot/npm_and_yarn/esbuild-0.25.0
Bump esbuild from 0.19.5 to 0.25.0
2025-03-07 11:49:50 +00:00
Pantelis 3d00aed36d Update README.md 2025-03-06 14:43:51 +01:00
dependabot[bot] 2c5ec1eea8 Bump esbuild from 0.19.5 to 0.25.0
Bumps [esbuild](https://github.com/evanw/esbuild) from 0.19.5 to 0.25.0.
- [Release notes](https://github.com/evanw/esbuild/releases)
- [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG-2023.md)
- [Commits](https://github.com/evanw/esbuild/compare/v0.19.5...v0.25.0)

---
updated-dependencies:
- dependency-name: esbuild
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-02-26 20:54:18 +00:00
Eric Sorenson bf0431a342 Merge pull request #893 from omahs/patch-1
Fix typos
2025-02-07 14:27:22 -08:00
omahs c26b132baa fix typos 2025-02-07 13:22:20 +01:00
omahs 3ffdd4d73e fix typos 2025-02-07 13:20:46 +01:00
Ashely Tenesaca ea2cae5127 Merge pull request #888 from ellenfieldn/allow-deny-package-removal
Allow deny package removal
2025-02-06 17:18:15 -05:00
Nathan Ellenfield dfe560420d fix formatting and dist 2025-02-05 15:50:50 -05:00
Nathan Ellenfield e4033dcc29 Merge remote-tracking branch 'origin/main' into allow-deny-package-removal 2025-02-04 13:33:03 -05:00
Ashely Tenesaca 92129e58e4 Merge pull request #891 from actions/ashelytc/server-url-fix
DR Action should link to the proxima stamp when appropriate in error messages
2025-02-03 14:46:11 -05:00
Ashely Tenesaca bf9bc3f2a6 generate dist code 2025-02-03 17:25:46 +00:00
Ashely Tenesaca d703cf58c3 replace server url with variable 2025-02-03 15:57:21 +00:00
Nathan Ellenfield c80eb9894b fixit 2025-01-27 16:01:10 -05:00
Nathan Ellenfield 5e7a6ffc7d fix: Allow removal denied packages 2025-01-27 16:00:09 -05:00
fabasoad c665328b35 Make 'None' to be a text instead of list 2025-01-26 22:36:42 +09:00
fabasoad 5370d75f36 To not print OpenSSF Scorecard section if no dependencies scanned 2025-01-25 23:28:54 +09:00
fabasoad 7f3cd87ec0 Fix usage of this action in dependency-review.yml 2025-01-25 23:11:35 +09:00
Ahmed ElMallah 67ca5cc413 Merge pull request #877 from actions/dependabot/npm_and_yarn/undici-5.28.5
Bump undici from 5.28.4 to 5.28.5
2025-01-24 12:04:24 -08:00
Ahmed ElMallah 8992b0e1c7 updating dist code 2025-01-24 20:01:21 +00:00
Ahmed ElMallah 5e9a56c6de Merge pull request #878 from actions/dependabot/github_actions/actions/stale-9.1.0
Bump actions/stale from 9.0.0 to 9.1.0
2025-01-24 11:58:00 -08:00
dependabot[bot] 9cd1f01f7f Bump actions/stale from 9.0.0 to 9.1.0
Bumps [actions/stale](https://github.com/actions/stale) from 9.0.0 to 9.1.0.
- [Release notes](https://github.com/actions/stale/releases)
- [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/stale/compare/v9.0.0...v9.1.0)

---
updated-dependencies:
- dependency-name: actions/stale
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-01-24 19:52:48 +00:00
Ahmed ElMallah a0be92bfc2 Merge pull request #876 from actions/ahmed3lmallah/dependabot-updates
Grouping minor and patch dependabot updates to lessen the number of PRs
2025-01-24 11:52:11 -08:00
dependabot[bot] 6ec8e13b9a Bump undici from 5.28.4 to 5.28.5
Bumps [undici](https://github.com/nodejs/undici) from 5.28.4 to 5.28.5.
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](https://github.com/nodejs/undici/compare/v5.28.4...v5.28.5)

---
updated-dependencies:
- dependency-name: undici
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-01-24 17:39:09 +00:00
Ahmed ElMallah c9bb42fdbf grouping minor and patch updates to lessen the number of PRs 2025-01-23 23:01:53 +00:00
Ahmed ElMallah b109bc8c95 Merge pull request #870 from actions/ahmed3lmallah/updating-dependencies
Updating multiple dependency versions
2025-01-23 14:00:10 -08:00
Ahmed ElMallah 5f24a51147 Updating dist folder 2025-01-23 21:07:48 +00:00
Ahmed ElMallah ef281d4e24 Updating multiple dependency versions 2025-01-23 21:07:39 +00:00
Paul Scheunemann 67fc6dd646 Update compiled assets 2025-01-09 15:15:28 +01:00
Paul Scheunemann 2caab057ed Update transitive dependency spdx-license-ids 2024-12-06 16:36:10 +01:00
Ahmed ElMallah 3b139cfc5f Merge pull request #851 from actions/ahmed3lmallah/prepare-for-4.5.0-release
Prepare for 4.5.0 release
2024-11-20 13:49:04 -08:00
Ahmed ElMallah d6807b6643 updating generated code 2024-11-20 21:42:05 +00:00
Ahmed ElMallah c89b41fdc6 addressing lint issues 2024-11-20 21:41:54 +00:00
Ahmed ElMallah eee97d8b03 incrementing project version 2024-11-20 21:41:43 +00:00
Ahmed ElMallah 9d101822a3 Merge pull request #827 from ebickle/fix/comment-warn-only
fix: add summary comment on failure when warn-only: true
2024-11-20 13:28:17 -08:00
Ahmed ElMallah 9192be9c72 Merge pull request #850 from actions/ahmed3lmallah/adressing-CVE-2024-21538
Overriding the cross-spawn dependency to use a safe version
2024-11-19 14:42:32 -08:00
Ahmed ElMallah 2fc8e23b12 Using cross-spawn safe version 2024-11-19 22:26:34 +00:00
Eric Bickle fb86db2043 fix: resolve race conditions in async core.group calls 2024-11-19 14:17:06 -08:00
Eric Bickle 0a198ab3ed fix: replace integer failureCount with boolean 2024-11-19 13:15:15 -08:00
Eric Bickle fc499fc13a Merge branch 'main' into fix/comment-warn-only 2024-11-19 12:51:47 -08:00
Ahmed ElMallah b02ea3a88b Merge pull request #849 from actions/dependabot/npm_and_yarn/vercel/ncc-0.38.3
Bump @vercel/ncc from 0.38.1 to 0.38.3
2024-11-18 15:14:46 -08:00
Ahmed ElMallah 612e96e757 updating dist code 2024-11-18 22:36:35 +00:00
Ahmed ElMallah 0adc9b8215 Merge pull request #847 from actions/dependabot/npm_and_yarn/nodemon-3.1.7
Bump nodemon from 3.1.0 to 3.1.7
2024-11-18 13:05:25 -08:00
dependabot[bot] 591cbf9044 Bump @vercel/ncc from 0.38.1 to 0.38.3
Bumps [@vercel/ncc](https://github.com/vercel/ncc) from 0.38.1 to 0.38.3.
- [Release notes](https://github.com/vercel/ncc/releases)
- [Commits](https://github.com/vercel/ncc/compare/0.38.1...0.38.3)

---
updated-dependencies:
- dependency-name: "@vercel/ncc"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-11-18 01:28:26 +00:00
dependabot[bot] c0a5e20c51 Bump nodemon from 3.1.0 to 3.1.7
Bumps [nodemon](https://github.com/remy/nodemon) from 3.1.0 to 3.1.7.
- [Release notes](https://github.com/remy/nodemon/releases)
- [Commits](https://github.com/remy/nodemon/compare/v3.1.0...v3.1.7)

---
updated-dependencies:
- dependency-name: nodemon
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-11-04 01:59:13 +00:00
Eli Reisman c82883d789 Merge pull request #844 from actions/dependabot/npm_and_yarn/got-14.4.3
Bump got from 14.4.2 to 14.4.3
2024-10-28 16:23:56 -07:00
Ahmed ElMallah 4081bf99e2 Merge pull request #846 from actions/merge-group-bug-fix
Fix for merge_group event bug
2024-10-28 11:42:18 -07:00
ahmed3lmallah 03e585eea7 fixing minor typo 2024-10-27 23:34:29 -07:00
ahmed3lmallah 08b4117924 updating dist code 2024-10-27 23:30:45 -07:00
ahmed3lmallah 9c3441f7ee updating dist code 2024-10-27 23:12:50 -07:00
ahmed3lmallah 304a544dca updating tests 2024-10-27 23:11:58 -07:00
ahmed3lmallah e99353b1e1 fixing merge_group schema bug 2024-10-27 22:56:44 -07:00
dependabot[bot] d8ae44e2a0 Bump got from 14.4.2 to 14.4.3
Bumps [got](https://github.com/sindresorhus/got) from 14.4.2 to 14.4.3.
- [Release notes](https://github.com/sindresorhus/got/releases)
- [Commits](https://github.com/sindresorhus/got/compare/v14.4.2...v14.4.3)

---
updated-dependencies:
- dependency-name: got
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-10-28 01:10:40 +00:00
Ahmed ElMallah a6993e2c61 Merge pull request #840 from actions/dependabot-updates
Bump eslint-plugin-jest and ts-jest
2024-10-21 15:29:33 -07:00
ahmed3lmallah d92f08b3ff Bump eslint-plugin-jest and ts-jest 2024-10-21 15:16:32 -07:00
Barry Gordon 3e334b7ca7 Merge pull request #822 from actions/dependabot/npm_and_yarn/got-14.4.2
Bump got from 14.4.1 to 14.4.2
2024-09-30 16:17:18 +01:00
Jon Janego 32b7d886d5 Merge pull request #832 from actions/jonjanego-patch-3
Update stale.yaml
2024-09-26 12:51:51 -05:00
Jon Janego 14b94f8fbc Update stale.yaml
adding closure messages
2024-09-26 11:47:03 -05:00
Eli Reisman 6ea3b24563 Merge pull request #828 from actions/hm/summary
Do not list changed dependencies in summary
2024-09-16 15:28:19 -07:00
Eli Reisman 05042db2b6 update dist packaging 2024-09-16 12:42:52 -07:00
Eli Reisman 6aacbe0934 add a warning message if there is room in the summary prior to cutoff 2024-09-16 12:42:35 -07:00
Eli Reisman 293ccdb6e9 add truncation escape valve to new file summary to avoid overflow 2024-09-16 12:26:36 -07:00
Henri Maurer 83c7cc6aa7 Do not list changes dependencies in summary 2024-09-16 11:29:47 -07:00
Eli Reisman b3559aa82e Merge pull request #829 from actions/elireisman/sec-findings-update
Upgrade transitive micromatch library
2024-09-16 10:04:59 -07:00
Eli Reisman 8179e6abd6 upgrade micromatch within given dependent parent pkg bounds but past security vuln 2024-09-16 09:53:44 -07:00
Eric Bickle ac1d2d7d35 fix: add summary comment on failure when warn-only: true 2024-09-06 12:24:42 -07:00
dependabot[bot] fe833075f3 Bump got from 14.4.1 to 14.4.2
Bumps [got](https://github.com/sindresorhus/got) from 14.4.1 to 14.4.2.
- [Release notes](https://github.com/sindresorhus/got/releases)
- [Commits](https://github.com/sindresorhus/got/compare/v14.4.1...v14.4.2)

---
updated-dependencies:
- dependency-name: got
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-08-26 01:38:54 +00:00
Eli Reisman 526b7f2f9b Merge pull request #815 from actions/dependabot/npm_and_yarn/types/node-20.16.0
Bump @types/node from 20.11.28 to 20.16.0
2024-08-19 10:31:48 -07:00
dependabot[bot] e5cb30f678 Bump @types/node from 20.11.28 to 20.16.0
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 20.11.28 to 20.16.0.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-08-19 01:33:46 +00:00
Jon Janego 90820aba8c Merge pull request #793 from actions/jonjanego-patch-1
Update CONTRIBUTING.md
2024-07-12 16:13:55 -05:00
Jon Janego 7367319600 Merge pull request #794 from actions/jonjanego-patch-2
Create pull_request_template.md
2024-07-12 16:11:24 -05:00
Jon Janego affc3a4f15 Create pull_request_template.md 2024-07-12 16:07:23 -05:00
Jon Janego 07d3c7257a Update CONTRIBUTING.md
minor wording
2024-07-12 15:58:13 -05:00
Justin Holguín a2dda6f539 Merge pull request #766 from louis-bompart/main
fix: getRefs function to handle merge_group events
2024-07-12 12:55:37 -07:00
Louis Bompart 45dc50cabe fix: getRefs function to handle merge_group events 2024-07-12 14:22:20 +02:00
31 changed files with 6102 additions and 4716 deletions
@@ -0,0 +1,7 @@
## Purpose
_Describe the purpose of this pull request_
## Related Issues
_What issues does this PR close or relate to?_
+11
View File
@@ -12,3 +12,14 @@ updates:
ignore:
- dependency-name: '@types/node'
update-types: ['version-update:semver-major']
groups:
minor-updates:
update-types:
- 'minor'
- 'patch'
exclude-patterns:
- '*spdx*'
# Pull out any updates to spdx definitions and parsing as a priority PR
spdx-licenses:
patterns:
- '*spdx*'
+3
View File
@@ -16,6 +16,9 @@ on:
- '**.md'
workflow_dispatch:
permissions:
contents: read
jobs:
check-dist:
runs-on: ubuntu-latest
+3
View File
@@ -10,6 +10,9 @@ on:
paths-ignore:
- '**.md'
permissions:
contents: read
jobs:
test:
runs-on: ubuntu-latest
+1 -1
View File
@@ -20,7 +20,7 @@ jobs:
strategy:
fail-fast: false
matrix:
language: [ 'javascript-typescript' ]
language: [ 'javascript-typescript', 'actions' ]
steps:
- name: Checkout repository
+2 -1
View File
@@ -1,4 +1,5 @@
name: 'Dependency Review'
on: [pull_request]
permissions:
@@ -11,4 +12,4 @@ jobs:
- name: 'Checkout Repository'
uses: actions/checkout@v4
- name: Dependency Review
uses: actions/dependency-review-action@main
uses: ./
+5 -2
View File
@@ -12,12 +12,15 @@ jobs:
stale:
runs-on: ubuntu-latest
steps:
- uses: actions/stale@v9.0.0
- uses: actions/stale@v9.1.0
name: Clean up stale PRs and Issues
with:
stale-pr-message: "👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the `Keep` label to hold stale off permanently, or do nothing. If you do nothing, this pull request will be closed eventually by the stale bot. Please see CONTRIBUTING.md for more policy details."
stale-pr-message: "👋 This pull request has been marked as stale because it has been open with no activity for 180 days. You can: comment on the PR or remove the stale label to hold stalebot off for a while, add the `Keep` label to hold stale off permanently, or do nothing. If you do nothing, this pull request will be closed eventually by the stalebot. Please see CONTRIBUTING.md for more policy details."
stale-pr-label: "Stale"
close-pr-message: "👋 This pull request has been closed by stalebot because it has been open with no activity for over 180 days. Please see CONTRIBUTING.md for more policy details."
stale-issue-label: "Stale"
stale-issue-message: "👋 This issue has been marked as stale because it has been open with no activity for 180 days. You can: comment on the issue or remove the stale label to hold stalebot off for a while, add the `Keep` label to hold stale off permanently, or do nothing. If you do nothing, this issue will be closed eventually by the stalebot. Please see CONTRIBUTING.md for more policy details."
close-issue-message: "👋 This issue has been closed by stalebot because it has been open with no activity for over 180 days. Please see CONTRIBUTING.md for more policy details."
exempt-pr-labels: "Keep" # a "Keep" label will keep the PR from being closed as stale
exempt-issue-labels: "Keep" # a "Keep" label will keep the issue from being closed as stale
days-before-pr-stale: 180 # when the PR is considered stale
+4 -4
View File
@@ -16,7 +16,7 @@ If you've encountered a problem, please let us know by [submitting an issue](htt
## Enhancements and feature requests
If you've got an idea for a new feature, please submit as [an issue](https://github.com/actions/dependency-review-action/issues/new) so that the community can see it, and we can discuss it there. We may not be able to respond to every single issue, but will make a best effort!
If you've got an idea for a new feature or a significant change to the code or its dependencies, please submit as [an issue](https://github.com/actions/dependency-review-action/issues/new) so that the community can see it, and we can discuss it there. We may not be able to respond to every single issue, but will make a best effort!
If you'd like to make a contribution yourself, we ask that before significant effort is put into code changes, that we have agreement that the change aligns with our strategy for the action. Since this is a verified Action owned by GitHub we want to make sure that contributions are high quality, and that they maintain consistency with the rest of the action's behavior.
@@ -35,11 +35,11 @@ Ready to contribute to `dependency-review-action`? Here is some information to
This action makes an authenticated query to the [Dependency Review API](https://docs.github.com/en/rest/dependency-graph/dependency-review) endpoint (`GET /repos/{owner}/{repo}/dependency-graph/compare/{basehead}`) to find out the set of added and removed dependencies for each manifest.
The action then evaluates the differences between the pushes based on the the rules defined in the action configuration, and summarizes the differences and any violations of the rules you have defined as a comment in the pull request that triggered it and the action outputs.
The action then evaluates the differences between the pushes based on the rules defined in the action configuration, and summarizes the differences and any violations of the rules you have defined as a comment in the pull request that triggered it and the action outputs.
### Local Development
Before you begin, you need to have [Node.js](https://nodejs.org/en/) installed, minimum version 18.
Before you begin, you need to have [Node.js](https://nodejs.org/en/) installed, minimum version 20.
#### Bootstrapping the project
@@ -81,7 +81,7 @@ $ GITHUB_TOKEN=<token> ./scripts/scan_pr --config-file my_custom_config.yml <pr_
npm run test
```
_Note_: We don't a very comprehensive test suite, so any contributions to the existing tests are welcome!
_Note_: We don't have a very comprehensive test suite, so any contributions to the existing tests are welcome!
### Submitting a pull request
+85 -60
View File
@@ -1,37 +1,48 @@
# dependency-review-action
- [Overview](#overview)
- [Installation](#installation)
- [Configuration](#configuration)
- [Using dependency review action to block a pull request from being merged](#using-dependency-review-action-to-block-a-pull-request-from-being-merged)
- [Outputs](#outputs)
- [Getting help](#getting-help)
- [Contributing](#contributing)
- [License](#license)
- [dependency-review-action](#dependency-review-action)
- [Overview](#overview)
- [Viewing the results](#viewing-the-results)
- [Installation](#installation)
- [Installation (standard)](#installation-standard)
- [Installation (GitHub Enterprise Server)](#installation-github-enterprise-server)
- [Configuration](#configuration)
- [Configuration options](#configuration-options)
- [Configuration methods](#configuration-methods)
- [Option 1: Using inline configuration](#option-1-using-inline-configuration)
- [Option 2: Using an external configuration file](#option-2-using-an-external-configuration-file)
- [`OTHER` in license strings](#other-in-license-strings)
- [Further information](#further-information)
- [Using dependency review action to block a pull request from being merged](#using-dependency-review-action-to-block-a-pull-request-from-being-merged)
- [Outputs](#outputs)
- [Getting help](#getting-help)
- [Contributing](#contributing)
- [License](#license)
## Overview
The dependency review action scans your pull requests for dependency changes, and will raise an error if any vulnerabilities or invalid licenses are being introduced.
The dependency review action scans your pull requests for dependency changes, and will raise an error if any vulnerabilities or invalid licenses are being introduced.
The action is supported by an [API endpoint](https://docs.github.com/en/rest/dependency-graph/dependency-review?apiVersion=2022-11-28) that diffs the dependencies between any two revisions on your default branch.
The action is available for:
The action is available for:
- Public repositories
- Private repositories with a [GitHub Advanced Security](https://docs.github.com/en/enterprise-cloud@latest/get-started/learning-about-github/about-github-advanced-security) license.
### Viewing the results
When the action runs, you can see the results on:
When the action runs, you can see the results on:
- The **job logs** page.
1. Go to the **Actions** tab for the repository and select the relevant workflow run.
- The **job logs** page.
1. Go to the **Actions** tab for the repository and select the relevant workflow run.
1. Then under "Jobs", click **dependency review**.
<img width="850" alt="GitHub workflow run log showing Dependency Review job output" src="https://user-images.githubusercontent.com/2161/161042286-b22d7dd3-13cb-458d-8744-ce70ed9bf562.png">
<img width="850" alt="GitHub workflow run log showing Dependency Review job output" src="https://user-images.githubusercontent.com/2161/161042286-b22d7dd3-13cb-458d-8744-ce70ed9bf562.png">
- The **job summary** page.
1. Go to the **Actions** tab for the repository and select the relevant workflow run.
1. Click **Summary**, then scroll to "dependency-review summary".
1. Go to the **Actions** tab for the repository and select the relevant workflow run.
1. Click **Summary**, then scroll to "dependency-review summary".
<img width="850" alt="GitHub job summary showing Dependency Review output" src="https://github.com/actions/dependency-review-action/assets/2161/42fbed1d-64a7-42bf-9b05-c416bc67493f">
## Installation
@@ -41,7 +52,7 @@ When the action runs, you can see the results on:
#### Installation (standard)
You can install the action on any public repository, or any organization-owned private repository, provided the organization has a GitHub Advanced Security license.
You can install the action on any public repository, or any organization-owned private repository, provided the organization has a GitHub Advanced Security license.
1. Add a new YAML workflow to your `.github/workflows` folder:
@@ -64,13 +75,13 @@ You can install the action on any public repository, or any organization-owned p
#### Installation (GitHub Enterprise Server)
You can install the action on repositories on GitHub Enterprise Server.
You can install the action on repositories on GitHub Enterprise Server.
1. Ensure [GitHub Advanced Security](https://docs.github.com/en/enterprise-server@latest/admin/code-security/managing-github-advanced-security-for-your-enterprise/enabling-github-advanced-security-for-your-enterprise) and [GitHub Connect](https://docs.github.com/en/enterprise-server@latest/admin/github-actions/managing-access-to-actions-from-githubcom/enabling-automatic-access-to-githubcom-actions-using-github-connect) are enabled for the enterprise.
2. Ensure you have installed the [dependency-review-action](https://github.com/actions/dependency-review-action) on the server.
3. Add a new YAML workflow to your `.github/workflows` folder:
``` yaml
```yaml
name: 'Dependency Review'
on: [pull_request]
@@ -86,7 +97,8 @@ You can install the action on repositories on GitHub Enterprise Server.
- name: 'Dependency Review'
uses: actions/dependency-review-action@v4
```
5. In the workflow file, replace the `runs-on` value with the label of any of your runners. (The default value is `self-hosted`.)
4. In the workflow file, replace the `runs-on` value with the label of any of your runners. (The default value is `self-hosted`.)
## Configuration
@@ -97,29 +109,30 @@ You can install the action on repositories on GitHub Enterprise Server.
There are various configuration options you can use to specify settings for the dependency review action.
All configuration options are optional.
All configuration options are optional.
| Option | Usage | Possible values | Default value |
| -------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------ | ------------- |
| `fail-on-severity` | Defines the threshold for the level of severity. The action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher. | `low`, `moderate`, `high`, `critical` | `low` |
| `allow-licenses`\* | Contains a list of allowed licenses. The action will fail on pull requests that introduce dependencies with licenses that do not match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `deny-licenses`\* | Contains a list of prohibited licenses. The action will fail on pull requests that introduce dependencies with licenses that match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `fail-on-scopes` | Contains a list of strings of the build environments you want to support. The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list. | `runtime`, `development`, `unknown` | `runtime` |
| `allow-ghsas` | Contains a list of GitHub Advisory Database IDs that can be skipped during detection. | Any GHSAs from the [GitHub Advisory Database](https://github.com/advisories) | none |
| `license-check` | Enable or disable the license check performed by the action. | `true`, `false` | `true` |
| `vulnerability-check` | Enable or disable the vulnerability check performed by the action. | `true`, `false` | `true` |
| `allow-dependencies-licenses`\* | Contains a list of packages that will be excluded from license checks. | Any package(s) in [purl](https://github.com/package-url/purl-spec) format | none |
| `base-ref`/`head-ref` | Provide custom git references for the git base/head when performing the comparison check. This is only used for event types other than `pull_request` and `pull_request_target`. | Any valid git ref(s) in your project | none |
| `comment-summary-in-pr` | Enable or disable reporting the review summary as a comment in the pull request. If enabled, you must give the workflow or job the `pull-requests: write` permission. | `always`, `on-failure`, `never` | `never` |
| `deny-packages` | Any number of packages to block in a PR. This option will match on the exact version provided. If no version is provided, the option will treat the specified package as a wildcard and deny all versions. | Package(s) in [purl](https://github.com/package-url/purl-spec) format | empty |
| `deny-groups` | Any number of groups (namespaces) to block in a PR. | Namespace(s) in [purl](https://github.com/package-url/purl-spec) format (no package name, no version number) | empty |
| `retry-on-snapshot-warnings`\* | Enable or disable retrying the action every 10 seconds while waiting for dependency submission actions to complete. | `true`, `false` | `false` |
| `retry-on-snapshot-warnings-timeout`\* | Maximum amount of time (in seconds) to retry the action while waiting for dependency submission actions to complete. | Any positive integer | 120 |
| `warn-only`+ | When set to `true`, the action will log all vulnerabilities as warnings regardless of the severity, and the action will complete with a `success` status. This overrides the `fail-on-severity` option. | `true`, `false` | `false` |
| `show-openssf-scorecard` | When set to `true`, the action will output information about all the known OpenSSF Scorecard scores for the dependencies changed in this pull request. | `true`, `false` | `true` |
| `warn-on-openssf-scorecard-level` | When `show-openssf-scorecard-levels` is set to `true`, this option lets you configure the threshold for when a score is considered too low and gets a :warning: warning in the CI. | Any positive integer | 3 |
| Option | Usage | Possible values | Default value |
| -------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------ | ------------- |
| `fail-on-severity` | Defines the threshold for the level of severity. The action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher. | `low`, `moderate`, `high`, `critical` | `low` |
| `allow-licenses`\* | Contains a list of allowed licenses. The action will fail on pull requests that introduce dependencies with licenses that do not match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `deny-licenses`\* | ⚠️ This option is deprecated for possible removal in the next major release. See [Deprecate the deny-licenses option #938](https://github.com/actions/dependency-review-action/issues/938) for more information. <br> Contains a list of prohibited licenses. The action will fail on pull requests that introduce dependencies with licenses that match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `fail-on-scopes` | Contains a list of strings of the build environments you want to support. The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list. | `runtime`, `development`, `unknown` | `runtime` |
| `allow-ghsas` | Contains a list of GitHub Advisory Database IDs that can be skipped during detection. | Any GHSAs from the [GitHub Advisory Database](https://github.com/advisories) | none |
| `license-check` | Enable or disable the license check performed by the action. | `true`, `false` | `true` |
| `vulnerability-check` | Enable or disable the vulnerability check performed by the action. | `true`, `false` | `true` |
| `allow-dependencies-licenses`\* | Contains a list of packages that will be excluded from license checks. | Any package(s) in [purl](https://github.com/package-url/purl-spec) format | none |
| `base-ref`/`head-ref` | Provide custom git references for the git base/head when performing the comparison check. This is only used for event types other than `pull_request` and `pull_request_target`. | Any valid git ref(s) in your project | none |
| `comment-summary-in-pr` | Enable or disable reporting the review summary as a comment in the pull request. If enabled, you must give the workflow or job the `pull-requests: write` permission. With each execution, a new comment will overwrite the existing one. | `always`, `on-failure`, `never` | `never` |
| `deny-packages` | Any number of packages to block in a PR. This option will match on the exact version provided. If no version is provided, the option will treat the specified package as a wildcard and deny all versions. | Package(s) in [purl](https://github.com/package-url/purl-spec) format | empty |
| `deny-groups` | Any number of groups (namespaces) to block in a PR. | Namespace(s) in [purl](https://github.com/package-url/purl-spec) format (no package name, no version number) | empty |
| `retry-on-snapshot-warnings`\* | Enable or disable retrying the action every 10 seconds while waiting for dependency submission actions to complete. | `true`, `false` | `false` |
| `retry-on-snapshot-warnings-timeout`\* | Maximum amount of time (in seconds) to retry the action while waiting for dependency submission actions to complete. | Any positive integer | 120 |
| `warn-only`+ | When set to `true`, the action will log all vulnerabilities as warnings regardless of the severity, and the action will complete with a `success` status. This overrides the `fail-on-severity` option. | `true`, `false` | `false` |
| `show-openssf-scorecard` | When set to `true`, the action will output information about all the known OpenSSF Scorecard scores for the dependencies changed in this pull request. | `true`, `false` | `true` |
| `warn-on-openssf-scorecard-level` | When `show-openssf-scorecard-levels` is set to `true`, this option lets you configure the threshold for when a score is considered too low and gets a :warning: warning in the CI. | Any positive integer | 3 |
> [!NOTE]
>
> - \* Not supported for use with GitHub Enterprise Server. (Checking for licenses is not supported on GitHub Enterprise Server because the API does not return license information.)
> - \+ When `warn-only` is set to `true`, all vulnerabilities, independently of the severity, will be reported as warnings and the action will not fail.
> - The `allow-licenses` and `deny-licenses` options are mutually exclusive; an error will be raised if you provide both.
@@ -128,6 +141,7 @@ All configuration options are optional.
### Configuration methods
To specify settings for the dependency review action, you can choose from two options:
- [Option 1: Inline the configuration options]() in your workflow file.
- [Option 2: Reference an external configuration file]() in your workflow file.
@@ -136,6 +150,7 @@ To specify settings for the dependency review action, you can choose from two op
You can pass configuration options to the dependency review action using your workflow file.
1. In the same YAML workflow file you created during installation, use the `with:` key to specify your chosen settings:
```yaml
name: 'Dependency Review'
on: [pull_request]
@@ -158,7 +173,7 @@ You can pass configuration options to the dependency review action using your wo
#### Option 2: Using an external configuration file
You can use an external configuration file to specify settings for this action. The file can be a local file or a file in an external repository.
You can use an external configuration file to specify settings for this action. The file can be a local file or a file in an external repository.
1. In the same YAML workflow file you created during installation, use `config-file` to specify that you are using an external configuration file.
@@ -178,34 +193,42 @@ You can use an external configuration file to specify settings for this action.
with:
config-file: './.github/dependency-review-config.yml'
```
| Option | Usage | Possible values |
|--------------------- | ----------- | ----------------------------- |
| `config-file` | A path to a file in the current repository or an external repository. Use this syntax for external files: `OWNER/REPOSITORY/FILENAME@BRANCH` | **Local file**: `./.github/dependency-review-config.yml` <br> **External repo**: `github/octorepo/dependency-review-config.yml@main` |
| Option | Usage | Possible values |
| ------------- | -------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------ |
| `config-file` | A path to a file in the current repository or an external repository. Use this syntax for external files: `OWNER/REPOSITORY/FILENAME@BRANCH` | **Local file**: `./.github/dependency-review-config.yml` <br> **External repo**: `github/octorepo/dependency-review-config.yml@main` |
2. Optionally, if the file resides in a private external repository, and for all GitHub Enterprise Server repositories, use `external-repo-token` to specify a token for fetching the file.
```yaml
- name: Dependency Review
uses: actions/dependency-review-action@v4
with:
config-file: 'github/octorepo/dependency-review-config.yml@main'
external-repo-token: 'ghp_123456789abcde'
- name: Dependency Review
uses: actions/dependency-review-action@v4
with:
config-file: 'github/octorepo/dependency-review-config.yml@main'
external-repo-token: 'ghp_123456789abcde'
```
| Option | Usage | Possible values |
|--------------------- | ----------- | ----------------------------- |
| Option | Usage | Possible values |
| --------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------- |
| `external-repo-token` | Specifies a token for fetching the configuration file. It is required if the file resides in a private external repository and for all GitHub Enterprise Server repositories. Create a token in [developer settings](https://github.com/settings/tokens). | Any token with `read` permissions to the repository hosting the config file. |
3. Create the configuration file in the path you specified for `config-file`.
4. In the configuration file, specify your chosen settings.
```yaml
fail_on_severity: 'critical'
allow_licenses:
fail-on-severity: 'critical'
allow-licenses:
- 'GPL-3.0'
- 'BSD-3-Clause'
- 'MIT'
```
> [!NOTE]
> For external configuration files, the option names use underscores instead of dashes.
> Example: `fail_on_severity`
#### `OTHER` in license strings
License data comes from [ClearlyDefined](https://clearlydefined.io) and you may sometimes see licenses displayed with the string `OTHER` in them. ClearlyDefined [defines OTHER](https://docs.clearlydefined.io/docs/curation/curation-guidelines) as:
> This indicates that a human confirmed that there is license information in the file but that the license is not an SPDX-identified license.
`OTHER` is not a valid [SPDX license identifier](https://spdx.org/licenses/), so we convert `OTHER` in a license string into `LicenseRef-clearlydefined-OTHER`, which _is_ valid in SPDX. If you want to add that to the deny or allow list, be sure to add `LicenseRef-clearlydefined-OTHER` to this list, because that is what we'll actually be comparing.
#### Further information
@@ -214,7 +237,7 @@ You can use an external configuration file to specify settings for this action.
## Using dependency review action to block a pull request from being merged
You can configure your repository to block a pull request from being merged if the pull request fails the dependency review action check. To do this, the repository owner must configure branch protection settings that require the check to pass before merging. For more information, see "[Require status checks before merging](https://docs.github.com/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#require-status-checks-before-merging)" in GitHub Docs documentation.
You can configure your repository to block a pull request from being merged if the pull request fails the dependency review action check. To do this, the repository owner must configure branch protection settings that require the check to pass before merging. For more information, see "[Require status checks before merging](https://docs.github.com/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#require-status-checks-before-merging)" in GitHub Docs documentation.
## Outputs
@@ -227,7 +250,7 @@ Dependency review action can create [outputs](https://docs.github.com/en/actions
- `denied-changes` holds information about denied dependency changes in a JSON format.
> [!NOTE]
> Action outputs are unicode strings [with a 1MB size limit](https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#outputs-for-docker-container-and-javascript-actions).
> Action outputs are unicode strings [with a 1MB size limit](https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#outputs-for-docker-container-and-javascript-actions).
>
> If you use these outputs in a run-step, you must store the output data in an environment variable instead of using the output directly. Using an output directly might break shell scripts. For example:
>
@@ -238,7 +261,7 @@ Dependency review action can create [outputs](https://docs.github.com/en/actions
> echo "$VULNERABLE_CHANGES" | jq
> ```
>
> instead of direct `echo '${{ steps.review.outputs.vulnerable-changes }}'`.
> instead of direct `echo '${{ steps.review.outputs.vulnerable-changes }}'`.
> See [examples](docs/examples.md) for more.
## Getting help
@@ -252,3 +275,5 @@ We are grateful for any contributions made to this project. Please read [CONTRIB
## License
This project is released under the [MIT License](https://github.com/actions/dependency-review-action/blob/main/LICENSE).
test PR
+72
View File
@@ -124,6 +124,78 @@ test('it raises an error when no refs are provided and the event is not a pull r
).toThrow()
})
const pullRequestLikeEvents = ['pull_request', 'pull_request_target']
test.each(pullRequestLikeEvents)(
'it uses the given refs even when the event is %s',
async eventName => {
setInput('base-ref', 'a-custom-base-ref')
setInput('head-ref', 'a-custom-head-ref')
const refs = getRefs(await readConfig(), {
payload: {
pull_request: {
number: 42,
base: {sha: 'pr-base-ref'},
head: {sha: 'pr-head-ref'}
}
},
eventName
})
expect(refs.base).toEqual('a-custom-base-ref')
expect(refs.head).toEqual('a-custom-head-ref')
}
)
test.each(pullRequestLikeEvents)(
'it uses the event refs when the event is %s and no refs are provided in config',
async eventName => {
const refs = getRefs(await readConfig(), {
payload: {
pull_request: {
number: 42,
base: {sha: 'pr-base-ref'},
head: {sha: 'pr-head-ref'}
}
},
eventName
})
expect(refs.base).toEqual('pr-base-ref')
expect(refs.head).toEqual('pr-head-ref')
}
)
test('it uses the given refs even when the event is merge_group', async () => {
setInput('base-ref', 'a-custom-base-ref')
setInput('head-ref', 'a-custom-head-ref')
const refs = getRefs(await readConfig(), {
payload: {
merge_group: {
base_sha: 'pr-base-ref',
head_sha: 'pr-head-ref'
}
},
eventName: 'merge_group'
})
expect(refs.base).toEqual('a-custom-base-ref')
expect(refs.head).toEqual('a-custom-head-ref')
})
test('it uses the event refs when the event is merge_group and no refs are provided in config', async () => {
const refs = getRefs(await readConfig(), {
payload: {
merge_group: {
base_sha: 'pr-base-ref',
head_sha: 'pr-head-ref'
}
},
eventName: 'merge_group'
})
expect(refs.base).toEqual('pr-base-ref')
expect(refs.head).toEqual('pr-head-ref')
})
test('it defaults to runtime scope', async () => {
const config = await readConfig()
expect(config.fail_on_scopes).toEqual(['runtime'])
+59
View File
@@ -134,3 +134,62 @@ test('allows packages not defined in the deny packages and groups list', async (
expect(deniedChanges.length).toEqual(0)
})
test('deny packages does not prevent removal of denied packages', async () => {
const changes: Changes = [
createTestChange({
change_type: 'added',
name: 'deny-by-name-and-version',
version: '1.0.0',
ecosystem: 'npm'
}),
createTestChange({
change_type: 'removed',
name: 'pass-by-name-and-version',
version: '1.0.0',
ecosystem: 'npm'
}),
createTestChange({
change_type: 'added',
name: 'deny-by-name',
version: '1.0.0',
ecosystem: 'npm'
}),
createTestChange({
change_type: 'removed',
name: 'pass-by-name',
version: '1.0.0',
ecosystem: 'npm'
}),
createTestChange({
change_type: 'added',
package_url: 'pkg:npm/org.test.deny.by.namespace/only@1.0.0',
ecosystem: 'npm'
}),
createTestChange({
change_type: 'removed',
package_url: 'pkg:npm/org.test.pass.by.namespace/only@1.0.0',
ecosystem: 'npm'
})
]
const deniedPackages = createTestPURLs([
'pkg:npm/org.test.deny.by/deny-by-name-and-version@1.0.0',
'pkg:npm/org.test.pass.by/pass-by-name-and-version@1.0.0',
'pkg:npm/org.test.deny.by/deny-by-name',
'pkg:npm/org.test.pass.by/pass-by-name'
])
const deniedGroups = createTestPURLs([
'pkg:npm/org.test.deny.by.namespace/',
'pkg:npm/org.test.pass.by.namespace/'
])
const deniedChanges = await getDeniedChanges(
changes,
deniedPackages,
deniedGroups
)
expect(deniedChanges.length).toEqual(3)
expect(deniedChanges[0]).toBe(changes[0])
expect(deniedChanges[1]).toBe(changes[2])
expect(deniedChanges[2]).toBe(changes[4])
})
+99
View File
@@ -74,6 +74,46 @@ const pipChange: Change = {
]
}
const complexLicenseChange: Change = {
change_type: 'added',
manifest: 'requirements.txt',
ecosystem: 'pip',
name: 'package-1',
version: '1.1.1',
package_url: 'pkg:pypi/package-1@1.1.1',
license: 'MIT AND Apache-2.0',
source_repository_url: 'github.com/some-repo',
scope: 'runtime',
vulnerabilities: [
{
severity: 'moderate',
advisory_ghsa_id: 'second-random_string',
advisory_summary: 'not so dangerous',
advisory_url: 'github.com/future-funk'
},
{
severity: 'low',
advisory_ghsa_id: 'third-random_string',
advisory_summary: 'dont page me',
advisory_url: 'github.com/future-funk'
}
]
}
const unlicensedChange: Change = {
change_type: 'added',
manifest: '.github/workflows/ci.yml',
ecosystem: 'actions',
name: 'foo-org/actions-repo/.github/workflows/some-action.yml',
version: '1.1.1',
package_url:
'pkg:githubactions/foo-org/actions-repo/.github/workflows/some-action.yml@1.1.1',
license: null,
source_repository_url: 'github.com/some-repo',
scope: 'development',
vulnerabilities: []
}
jest.mock('@actions/core')
const mockOctokit = {
@@ -129,6 +169,30 @@ test('it adds license inside the deny list to forbidden changes', async () => {
expect(forbidden.length).toEqual(1)
})
test('it handles allowed complex licenses', async () => {
const changes: Changes = [
complexLicenseChange // MIT AND Apache-2.0 license
]
const {forbidden} = await getInvalidLicenseChanges(changes, {
allow: ['MIT', 'Apache-2.0']
})
expect(forbidden.length).toEqual(0)
})
test('it handles complex licenses not all on the allow list', async () => {
const changes: Changes = [
complexLicenseChange // MIT AND Apache-2.0 license
]
const {forbidden} = await getInvalidLicenseChanges(changes, {
allow: ['MIT']
})
expect(forbidden.length).toEqual(1)
})
test('it does not add license outside the allow list to forbidden changes if it is in removed changes', async () => {
const changes: Changes = [
{...npmChange, change_type: 'removed'},
@@ -226,6 +290,19 @@ test('it does filters out changes if they are not on the exclusions list', async
expect(invalidLicenses.forbidden[1]).toBe(npmChange)
})
test('it does not fail if there is a license expression in the allow list', async () => {
const changes: Changes = [
{...npmChange, license: 'MIT AND Apache-2.0'},
{...rubyChange, license: 'BSD-3-Clause'}
]
const {forbidden} = await getInvalidLicenseChanges(changes, {
allow: ['BSD-3-Clause', 'MIT AND Apache-2.0', 'MIT', 'Apache-2.0']
})
expect(forbidden.length).toEqual(0)
})
describe('GH License API fallback', () => {
test('it calls licenses endpoint if atleast one of the changes has null license and valid source_repository_url', async () => {
const nullLicenseChange = {
@@ -263,4 +340,26 @@ describe('GH License API fallback', () => {
expect(mockOctokit.rest.licenses.getForRepo).not.toHaveBeenCalled()
expect(unlicensed.length).toEqual(0)
})
test('it does not call licenses API if the package is excluded', async () => {
const {unlicensed} = await getInvalidLicenseChanges([unlicensedChange], {
licenseExclusions: [
'pkg:githubactions/foo-org/actions-repo/.github/workflows/some-action.yml'
]
})
expect(mockOctokit.rest.licenses.getForRepo).not.toHaveBeenCalled()
expect(unlicensed.length).toEqual(0)
})
test('it checks namespaces when doing exclusions', async () => {
const {unlicensed} = await getInvalidLicenseChanges([unlicensedChange], {
licenseExclusions: [
'pkg:githubactions/bar-org/actions-repo/.github/workflows/some-action.yml'
]
})
expect(mockOctokit.rest.licenses.getForRepo).not.toHaveBeenCalled()
expect(unlicensed.length).toEqual(1)
})
})
+85 -16
View File
@@ -55,6 +55,16 @@ describe('satisfiesAny', () => {
candidate: 'MIT OR ISC',
licenses: ['MiT'],
expected: false
},
{
candidate: 'MIT AND OTHER',
licenses: ['MIT'],
expected: false
},
{
candidate: 'MIT OR OTHER',
licenses: ['MIT', 'LicenseRef-clearlydefined-OTHER'],
expected: true
}
]
@@ -130,6 +140,16 @@ describe('satisfiesAll', () => {
candidate: 'MIT OR ISC',
licenses: ['MiT'],
expected: false
},
{
candidate: 'MIT AND OTHER',
licenses: ['MIT'],
expected: false
},
{
candidate: 'MIT AND OTHER',
licenses: ['MIT', 'LicenseRef-clearlydefined-OTHER'],
expected: true
}
]
@@ -145,47 +165,47 @@ describe('satisfies', () => {
const units = [
{
candidate: 'MIT',
constraint: 'MIT',
allowList: ['MIT'],
expected: true
},
{
candidate: 'Apache-2.0',
constraint: 'MIT',
allowList: ['MIT'],
expected: false
},
{
candidate: 'MIT OR Apache-2.0',
constraint: 'MIT',
allowList: ['MIT'],
expected: true
},
{
candidate: 'MIT OR Apache-2.0',
constraint: 'Apache-2.0',
allowList: ['Apache-2.0'],
expected: true
},
{
candidate: 'MIT OR Apache-2.0',
constraint: 'BSD-3-Clause',
allowList: ['BSD-3-Clause'],
expected: false
},
{
candidate: 'MIT OR Apache-2.0',
constraint: 'Apache-2.0 OR BSD-3-Clause',
allowList: ['Apache-2.0', 'BSD-3-Clause'],
expected: true
},
{
candidate: 'MIT AND Apache-2.0',
constraint: 'MIT AND Apache-2.0',
allowList: ['MIT', 'Apache-2.0'],
expected: true
},
{
candidate: 'MIT OR Apache-2.0',
constraint: 'MIT AND Apache-2.0',
expected: false
allowList: ['MIT', 'Apache-2.0'],
expected: true
},
{
candidate: 'ISC OR (MIT AND Apache-2.0)',
constraint: 'MIT AND Apache-2.0',
allowList: ['MIT', 'Apache-2.0'],
expected: true
},
@@ -193,29 +213,39 @@ describe('satisfies', () => {
// or unknown licenses will return 'false'
{
candidate: 'MIT',
constraint: 'MiT',
allowList: ['MiT'],
expected: false
},
{
candidate: 'MIT AND (ISC OR',
constraint: 'MIT',
allowList: ['MIT'],
expected: false
},
{
candidate: 'MIT OR ISC OR Apache-2.0',
constraint: '',
allowList: [],
expected: false
},
{
candidate: '',
constraint: '(BSD-3-Clause AND ISC) OR MIT',
allowList: ['BSD-3-Clause', 'ISC', 'MIT'],
expected: false
},
{
candidate: 'MIT OR OTHER',
allowList: ['MIT', 'LicenseRef-clearlydefined-OTHER'],
expected: true
},
{
candidate: '(Apache-2.0 AND OTHER) OR (MIT AND OTHER)',
allowList: ['Apache-2.0', 'LicenseRef-clearlydefined-OTHER'],
expected: true
}
]
for (const unit of units) {
const got: boolean = spdx.satisfies(unit.candidate, unit.constraint)
test(`should return ${unit.expected} for ("${unit.candidate}", "${unit.constraint}")`, () => {
const got: boolean = spdx.satisfies(unit.candidate, unit.allowList)
test(`should return ${unit.expected} for ("${unit.candidate}", "${unit.allowList}")`, () => {
expect(got).toBe(unit.expected)
})
}
@@ -246,6 +276,10 @@ describe('isValid', () => {
{
candidate: '',
expected: false
},
{
candidate: 'MIT AND OTHER',
expected: true
}
]
for (const unit of units) {
@@ -255,3 +289,38 @@ describe('isValid', () => {
})
}
})
describe('cleanInvalidSPDX', () => {
const units = [
{
candidate: 'MIT',
expected: 'MIT'
},
{
candidate: 'OTHER',
expected: 'LicenseRef-clearlydefined-OTHER'
},
{
candidate: 'LicenseRef-clearlydefined-OTHER',
expected: 'LicenseRef-clearlydefined-OTHER'
},
{
candidate: 'OTHER AND MIT',
expected: 'LicenseRef-clearlydefined-OTHER AND MIT'
},
{
candidate: 'MIT AND OTHER',
expected: 'MIT AND LicenseRef-clearlydefined-OTHER'
},
{
candidate: 'MIT AND SomethingElse-OTHER',
expected: 'MIT AND SomethingElse-OTHER'
}
]
for (const unit of units) {
const got: string = spdx.cleanInvalidSPDX(unit.candidate)
test(`should return ${unit.expected} for ("${unit.candidate}")`, () => {
expect(got).toBe(unit.expected)
})
}
})
+22 -34
View File
@@ -1,5 +1,5 @@
import {expect, jest, test} from '@jest/globals'
import {Change, Changes, ConfigurationOptions, Scorecard} from '../src/schemas'
import {Changes, ConfigurationOptions, Scorecard} from '../src/schemas'
import * as summary from '../src/summary'
import * as core from '@actions/core'
import {createTestChange} from './fixtures/create-test-change'
@@ -109,46 +109,38 @@ test('prints headline as h1', () => {
expect(text).toContain('<h1>Dependency Review</h1>')
})
test('returns minimal summary in case the core.summary is too large for a PR comment', () => {
let changes: Changes = [
createTestChange({name: 'lodash', version: '1.2.3'}),
createTestChange({name: 'colors', version: '2.3.4'}),
createTestChange({name: '@foo/bar', version: '*'})
]
let minSummary: string = summary.addSummaryToSummary(
changes,
test('does not add deprecation warning for deny-licenses option if not set', () => {
summary.addSummaryToSummary(
emptyChanges,
emptyInvalidLicenseChanges,
emptyChanges,
scorecard,
defaultConfig
)
// side effect DR report into core.summary as happens in main.ts
summary.addScannedDependencies(changes)
const text = core.summary.stringify()
expect(text).toContain('<h1>Dependency Review</h1>')
expect(minSummary).toContain('# Dependency Review')
expect(text).not.toContain('deny-licenses')
})
expect(text).toContain('❌ 3 vulnerable package(s)')
expect(text).not.toContain('* ❌ 3 vulnerable package(s)')
expect(text).toContain('lodash')
expect(text).toContain('colors')
expect(text).toContain('@foo/bar')
test('adds deprecation warning for deny-licenses option if set', () => {
const config = {...defaultConfig, deny_licenses: ['MIT']}
expect(minSummary).toContain('* ❌ 3 vulnerable package(s)')
expect(minSummary).not.toContain('lodash')
expect(minSummary).not.toContain('colors')
expect(minSummary).not.toContain('@foo/bar')
summary.addSummaryToSummary(
emptyChanges,
emptyInvalidLicenseChanges,
emptyChanges,
scorecard,
config
)
const text = core.summary.stringify()
expect(text.length).toBeGreaterThan(minSummary.length)
expect(text).toContain('deny-licenses')
})
test('returns minimal summary formatted for posting as a PR comment', () => {
const OLD_ENV = process.env
let changes: Changes = [
const changes: Changes = [
createTestChange({name: 'lodash', version: '1.2.3'}),
createTestChange({name: 'colors', version: '2.3.4'}),
createTestChange({name: '@foo/bar', version: '*'})
@@ -158,7 +150,7 @@ test('returns minimal summary formatted for posting as a PR comment', () => {
process.env.GITHUB_REPOSITORY = 'owner/repo'
process.env.GITHUB_RUN_ID = 'abc-123-xyz'
let minSummary: string = summary.addSummaryToSummary(
const minSummary: string = summary.addSummaryToSummary(
changes,
emptyInvalidLicenseChanges,
emptyChanges,
@@ -232,14 +224,10 @@ test('groups dependencies with empty manifest paths together', () => {
emptyScorecard,
defaultConfig
)
summary.addScannedDependencies(changesWithEmptyManifests)
summary.addScannedFiles(changesWithEmptyManifests)
const text = core.summary.stringify()
expect(text).toContain('<summary>Unnamed Manifest</summary>')
expect(text).toContain('castore')
expect(text).toContain('connection')
expect(text).toContain('<summary>python/dist-info/METADATA</summary>')
expect(text).toContain('pygments')
expect(text).toContain('Unnamed Manifest')
expect(text).toContain('python/dist-info/METADATA')
})
test('does not include status section if nothing was found', () => {
Generated Vendored
+4580 -3625
View File
File diff suppressed because one or more lines are too long
Generated Vendored
+1 -1
View File
File diff suppressed because one or more lines are too long
Generated Vendored
+50 -33
View File
@@ -10,6 +10,18 @@ The above copyright notice and this permission notice shall be included in all c
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
@actions/exec
MIT
The MIT License (MIT)
Copyright 2019 GitHub
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
@actions/github
MIT
The MIT License (MIT)
@@ -47,6 +59,18 @@ WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
@actions/io
MIT
The MIT License (MIT)
Copyright 2019 GitHub
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
@fastify/busboy
MIT
Copyright Brian White. All rights reserved.
@@ -1460,7 +1484,7 @@ lru-cache
ISC
The ISC License
Copyright (c) Isaac Z. Schlueter and Contributors
Copyright (c) 2010-2023 Isaac Z. Schlueter and Contributors
Permission to use, copy, modify, and/or distribute this software for any
purpose with or without fee is hereby granted, provided that the above
@@ -1646,6 +1670,31 @@ The above copyright notice and this permission notice shall be included in all c
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
spdx-satisfies
MIT
The MIT License
Copyright (c) spdx-satisfies.js contributors
Permission is hereby granted, free of charge, to any person obtaining a
copy of this software and associated documentation files (the "Software"),
to deal in the Software without restriction, including without limitation
the rights to use, copy, modify, merge, publish, distribute, sublicense,
and/or sell copies of the Software, and to permit persons to whom the
Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included
in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR
OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
OTHER DEALINGS IN THE SOFTWARE.
tunnel
MIT
The MIT License (MIT)
@@ -1732,19 +1781,6 @@ Permission to use, copy, modify, and/or distribute this software for any purpose
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
uuid
MIT
The MIT License (MIT)
Copyright (c) 2010-2020 Robert Kieffer and other contributors
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
wrappy
ISC
The ISC License
@@ -1764,25 +1800,6 @@ ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
yallist
ISC
The ISC License
Copyright (c) Isaac Z. Schlueter and Contributors
Permission to use, copy, modify, and/or distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
yaml
ISC
Copyright Eemeli Aro <eemeli@gmail.com>
Generated Vendored
+1 -1
View File
File diff suppressed because one or more lines are too long
+3 -3
View File
@@ -1,4 +1,4 @@
# Examples on how to use the Dependency Review Action
# Examples of how to use the Dependency Review Action
## Basic Usage
@@ -89,7 +89,7 @@ The following example will use a configuration file from an external public GitH
Let's say that the configuration file is located in `github/octorepo/dependency-review-config.yml@main`
The Dependancy Review Action workflow file will then look like this:
The Dependency Review Action workflow file will then look like this:
```yaml
name: 'Dependency Review'
@@ -116,7 +116,7 @@ The following example will use a configuration file from an external private Gti
Let's say that the configuration file is located in `github/octorepo-private/dependency-review-config.yml@main`
The Dependancy Review Action workflow file will then look like this:
The Dependency Review Action workflow file will then look like this:
```yaml
name: 'Dependency Review'
+792 -821
View File
File diff suppressed because it is too large Load Diff
+22 -18
View File
@@ -1,6 +1,6 @@
{
"name": "dependency-review-action",
"version": "4.3.4",
"version": "4.7.3",
"private": true,
"description": "A GitHub Action for Dependency Review",
"main": "lib/main.js",
@@ -25,37 +25,41 @@
"author": "GitHub",
"license": "MIT",
"dependencies": {
"@actions/core": "^1.10.1",
"@actions/github": "^6.0.0",
"@octokit/plugin-retry": "^6.0.1",
"@octokit/request-error": "^5.0.1",
"@actions/core": "^1.11.1",
"@actions/github": "^6.0.1",
"@octokit/plugin-retry": "^6.1.0",
"@octokit/request-error": "^5.1.1",
"@octokit/types": "12.5.0",
"@onebeyond/spdx-license-satisfies": "^1.0.1",
"ansi-styles": "^6.2.1",
"got": "^14.4.1",
"got": "^14.4.7",
"jest": "^29.7.0",
"octokit": "^3.1.2",
"spdx-expression-parse": "^3.0.1",
"spdx-satisfies": "^5.0.1",
"ts-jest": "^29.1.2",
"yaml": "^2.3.4",
"zod": "^3.23.8"
"spdx-satisfies": "^6.0.0",
"ts-jest": "^29.4.1",
"yaml": "^2.8.1",
"zod": "^3.24.1"
},
"devDependencies": {
"@types/jest": "^29.5.12",
"@types/node": "^20",
"@types/spdx-expression-parse": "^3.0.4",
"@types/spdx-satisfies": "^0.1.1",
"@typescript-eslint/eslint-plugin": "^6.21.0",
"@typescript-eslint/parser": "^6.21.0",
"@vercel/ncc": "^0.38.0",
"esbuild-register": "^3.5.0",
"@vercel/ncc": "^0.38.3",
"esbuild-register": "^3.6.0",
"eslint": "^8.57.0",
"eslint-plugin-github": "^4.10.2",
"eslint-plugin-jest": "^27.9.0",
"eslint-plugin-prettier": "^5.1.3",
"eslint-plugin-jest": "^28.8.3",
"eslint-plugin-prettier": "^5.5.4",
"js-yaml": "^4.1.0",
"nodemon": "^3.1.0",
"prettier": "3.2.5",
"typescript": "^5.4.5"
"nodemon": "^3.1.10",
"prettier": "3.6.2",
"typescript": "^5.9.2"
},
"overrides": {
"cross-spawn": ">=7.0.5",
"@octokit/request-error@5.0.1": "5.1.1"
}
}
+1 -1
View File
@@ -143,7 +143,7 @@ async function createSummary(
...licenseIssues.unlicensed
]
summary.addScannedDependencies(allChanges)
summary.addScannedFiles(allChanges)
const text = core.summary.stringify()
await fs.promises.writeFile(path.resolve(tmpDir, fileName), text, {
+3 -3
View File
@@ -17,13 +17,13 @@ const COMMENT_MARKER = '<!-- dependency-review-pr-comment-marker -->'
export async function commentPr(
commentContent: string,
config: ConfigurationOptions
config: ConfigurationOptions,
issueFound: boolean
): Promise<void> {
if (
!(
config.comment_summary_in_pr === 'always' ||
(config.comment_summary_in_pr === 'on-failure' &&
process.exitCode === core.ExitCode.Failure)
(config.comment_summary_in_pr === 'on-failure' && issueFound)
)
) {
return
+4 -9
View File
@@ -9,15 +9,17 @@ export async function getDeniedChanges(
): Promise<Change[]> {
const changesDenied: Change[] = []
let hasDeniedPackage = false
for (const change of changes) {
if (change.change_type === 'removed') {
continue
}
for (const denied of deniedPackages) {
if (
(!denied.version || change.version === denied.version) &&
change.name === denied.name
) {
changesDenied.push(change)
hasDeniedPackage = true
}
}
@@ -30,17 +32,10 @@ export async function getDeniedChanges(
}
if (namespace && namespace === denied.namespace) {
changesDenied.push(change)
hasDeniedPackage = true
}
}
}
if (hasDeniedPackage) {
core.setFailed('Dependency review detected denied packages.')
} else {
core.info('Dependency review did not detect any denied packages')
}
return changesDenied
}
+25 -12
View File
@@ -1,40 +1,53 @@
import {PullRequestSchema, ConfigurationOptions} from './schemas'
import {
PullRequestSchema,
ConfigurationOptions,
MergeGroupSchema
} from './schemas'
export function getRefs(
config: ConfigurationOptions,
context: {payload: {pull_request?: unknown}; eventName: string}
context: {
payload: {pull_request?: unknown; merge_group?: unknown}
eventName: string
}
): {base: string; head: string} {
let base_ref = config.base_ref
let head_ref = config.head_ref
// If possible, source default base & head refs from the GitHub event.
// The base/head ref from the config take priority, if provided.
if (
context.eventName === 'pull_request' ||
context.eventName === 'pull_request_target'
) {
const pull_request = PullRequestSchema.parse(context.payload.pull_request)
base_ref = base_ref || pull_request.base.sha
head_ref = head_ref || pull_request.head.sha
if (!base_ref && !head_ref) {
if (
context.eventName === 'pull_request' ||
context.eventName === 'pull_request_target'
) {
const pull_request = PullRequestSchema.parse(context.payload.pull_request)
base_ref = base_ref || pull_request.base.sha
head_ref = head_ref || pull_request.head.sha
} else if (context.eventName === 'merge_group') {
const merge_group = MergeGroupSchema.parse(context.payload.merge_group)
base_ref = base_ref || merge_group.base_sha
head_ref = head_ref || merge_group.head_sha
}
}
if (!base_ref && !head_ref) {
throw new Error(
'Both a base ref and head ref must be provided, either via the `base_ref`/`head_ref` ' +
'config options, `base-ref`/`head-ref` workflow action options, or by running a ' +
'`pull_request`/`pull_request_target` workflow.'
'`pull_request`/`pull_request_target`/`merge_group` workflow.'
)
} else if (!base_ref) {
throw new Error(
'A base ref must be provided, either via the `base_ref` config option, ' +
'`base-ref` workflow action option, or by running a ' +
'`pull_request`/`pull_request_target` workflow.'
'`pull_request`/`pull_request_target`/`merge_group` workflow.'
)
} else if (!head_ref) {
throw new Error(
'A head ref must be provided, either via the `head_ref` config option, ' +
'`head-ref` workflow action option, or by running a ' +
'or by running a `pull_request`/`pull_request_target` workflow.'
'or by running a `pull_request`/`pull_request_target`/`merge_group` workflow.'
)
}
+47 -32
View File
@@ -1,6 +1,6 @@
import {Change, Changes} from './schemas'
import {octokitClient} from './utils'
import {parsePURL} from './purl'
import {parsePURL, PackageURL} from './purl'
import * as spdx from './spdx'
/**
@@ -29,41 +29,24 @@ export async function getInvalidLicenseChanges(
licenseExclusions?: string[]
}
): Promise<InvalidLicenseChanges> {
const {allow, deny} = licenses
const deny = licenses.deny
let allow = licenses.allow
// Filter out elements of the allow list that include AND
// or OR because the list should be simple license IDs and
// not expressions.
allow = allow?.filter(license => {
return !license.includes(' AND ') && !license.includes(' OR ')
})
const licenseExclusions = licenses.licenseExclusions?.map(
(pkgUrl: string) => {
return parsePURL(pkgUrl)
}
)
const groupedChanges = await groupChanges(changes)
const groupedChanges = await groupChanges(changes, licenseExclusions)
// Takes the changes from the groupedChanges object and filters out the ones that are part of the exclusions list
// It does by creating a new PackageURL object from the change and comparing it to the exclusions list
groupedChanges.licensed = groupedChanges.licensed.filter(change => {
if (change.package_url.length === 0) {
return true
}
const changeAsPackageURL = parsePURL(encodeURI(change.package_url))
// We want to find if the licenseExclusion list contains the PackageURL of the Change
// If it does, we want to filter it out and therefore return false
// If it doesn't, we want to keep it and therefore return true
if (
licenseExclusions !== null &&
licenseExclusions !== undefined &&
licenseExclusions.findIndex(
exclusion =>
exclusion.type === changeAsPackageURL.type &&
exclusion.name === changeAsPackageURL.name
) !== -1
) {
return false
} else {
return true
}
})
const licensedChanges: Changes = groupedChanges.licensed
const invalidLicenseChanges: InvalidLicenseChanges = {
@@ -88,7 +71,7 @@ export async function getInvalidLicenseChanges(
try {
if (allow !== undefined) {
if (spdx.isValid(license)) {
const found = spdx.satisfiesAny(license, allow)
const found = spdx.satisfies(license, allow)
validityCache.set(license, found)
} else {
invalidLicenseChanges.unresolved.push(change)
@@ -172,16 +155,48 @@ const truncatedDGLicense = (license: string): boolean =>
license.length === 255 && !spdx.isValid(license)
async function groupChanges(
changes: Changes
changes: Changes,
licenseExclusions: PackageURL[] | null = null
): Promise<Record<string, Changes>> {
const result: Record<string, Changes> = {
licensed: [],
unlicensed: []
}
let candidateChanges = changes
// If a package is excluded from license checking, we don't bother trying to
// fetch the license for it and we leave it off of the `licensed` and
// `unlicensed` lists.
if (licenseExclusions !== null && licenseExclusions !== undefined) {
candidateChanges = candidateChanges.filter(change => {
if (change.package_url.length === 0) {
return true
}
const changeAsPackageURL = parsePURL(encodeURI(change.package_url))
// We want to find if the licenseExclusion list contains the PackageURL of the Change
// If it does, we want to filter it out and therefore return false
// If it doesn't, we want to keep it and therefore return true
if (
licenseExclusions.findIndex(
exclusion =>
exclusion.type === changeAsPackageURL.type &&
exclusion.namespace === changeAsPackageURL.namespace &&
exclusion.name === changeAsPackageURL.name
) !== -1
) {
return false
} else {
return true
}
})
}
const ghChanges = []
for (const change of changes) {
for (const change of candidateChanges) {
if (change.change_type === 'removed') {
continue
}
+46 -22
View File
@@ -141,10 +141,16 @@ async function run(): Promise<void> {
summary.addSnapshotWarnings(config, snapshot_warnings)
}
let issueFound = false
if (config.vulnerability_check) {
core.setOutput('vulnerable-changes', JSON.stringify(vulnerableChanges))
summary.addChangeVulnerabilitiesToSummary(vulnerableChanges, minSeverity)
printVulnerabilitiesBlock(vulnerableChanges, minSeverity, warnOnly)
issueFound ||= await printVulnerabilitiesBlock(
vulnerableChanges,
minSeverity,
warnOnly
)
}
if (config.license_check) {
core.setOutput(
@@ -152,12 +158,12 @@ async function run(): Promise<void> {
JSON.stringify(invalidLicenseChanges)
)
summary.addLicensesToSummary(invalidLicenseChanges, config)
printLicensesBlock(invalidLicenseChanges, warnOnly)
issueFound ||= await printLicensesBlock(invalidLicenseChanges, warnOnly)
}
if (config.deny_packages || config.deny_groups) {
core.setOutput('denied-changes', JSON.stringify(deniedChanges))
summary.addDeniedToSummary(deniedChanges)
printDeniedDependencies(deniedChanges, config)
issueFound ||= await printDeniedDependencies(deniedChanges, config)
}
if (config.show_openssf_scorecard) {
summary.addScorecardToSummary(scorecard, config)
@@ -166,7 +172,7 @@ async function run(): Promise<void> {
}
core.setOutput('dependency-changes', JSON.stringify(changes))
summary.addScannedDependencies(changes)
summary.addScannedFiles(changes)
printScannedDependencies(changes)
// include full summary in output; Actions will truncate if oversized
@@ -182,7 +188,7 @@ async function run(): Promise<void> {
}
// update the PR comment if needed with the right-sized summary
await commentPr(rendered, config)
await commentPr(rendered, config, issueFound)
} catch (error) {
if (error instanceof RequestError && error.status === 404) {
core.setFailed(
@@ -190,7 +196,7 @@ async function run(): Promise<void> {
)
} else if (error instanceof RequestError && error.status === 403) {
core.setFailed(
`Dependency review is not supported on this repository. Please ensure that Dependency graph is enabled along with GitHub Advanced Security on private repositories, see https://github.com/${github.context.repo.owner}/${github.context.repo.repo}/settings/security_analysis`
`Dependency review is not supported on this repository. Please ensure that Dependency graph is enabled along with GitHub Advanced Security on private repositories, see ${github.context.serverUrl}/${github.context.repo.owner}/${github.context.repo.repo}/settings/security_analysis`
)
} else {
if (error instanceof Error) {
@@ -204,18 +210,16 @@ async function run(): Promise<void> {
}
}
function printVulnerabilitiesBlock(
async function printVulnerabilitiesBlock(
addedChanges: Changes,
minSeverity: Severity,
warnOnly: boolean
): void {
let vulFound = false
core.group('Vulnerabilities', async () => {
if (addedChanges.length > 0) {
for (const change of addedChanges) {
printChangeVulnerabilities(change)
}
vulFound = true
): Promise<boolean> {
return core.group('Vulnerabilities', async () => {
let vulFound = false
for (const change of addedChanges) {
vulFound ||= printChangeVulnerabilities(change)
}
if (vulFound) {
@@ -230,10 +234,12 @@ function printVulnerabilitiesBlock(
`Dependency review did not detect any vulnerable packages with severity level "${minSeverity}" or higher.`
)
}
return vulFound
})
}
function printChangeVulnerabilities(change: Change): void {
function printChangeVulnerabilities(change: Change): boolean {
for (const vuln of change.vulnerabilities) {
core.info(
`${styles.bold.open}${change.manifest} » ${change.name}@${
@@ -244,14 +250,18 @@ function printChangeVulnerabilities(change: Change): void {
)
core.info(`${vuln.advisory_url}`)
}
return change.vulnerabilities.length > 0
}
function printLicensesBlock(
async function printLicensesBlock(
invalidLicenseChanges: Record<string, Changes>,
warnOnly: boolean
): void {
core.group('Licenses', async () => {
): Promise<boolean> {
return core.group('Licenses', async () => {
let issueFound = false
if (invalidLicenseChanges.forbidden.length > 0) {
issueFound = true
core.info('\nThe following dependencies have incompatible licenses:')
printLicensesError(invalidLicenseChanges.forbidden)
const msg = 'Dependency review detected incompatible licenses.'
@@ -262,6 +272,7 @@ function printLicensesBlock(
}
}
if (invalidLicenseChanges.unresolved.length > 0) {
issueFound = true
core.warning(
'\nThe validity of the licenses of the dependencies below could not be determined. Ensure that they are valid SPDX licenses:'
)
@@ -271,6 +282,8 @@ function printLicensesBlock(
)
}
printNullLicenses(invalidLicenseChanges.unlicensed)
return issueFound
})
}
@@ -370,11 +383,13 @@ function printScannedDependencies(changes: Changes): void {
})
}
function printDeniedDependencies(
async function printDeniedDependencies(
changes: Changes,
config: ConfigurationOptions
): void {
core.group('Denied', async () => {
): Promise<boolean> {
return core.group('Denied', async () => {
let issueFound = false
for (const denied of config.deny_packages) {
core.info(`Config: ${denied}`)
}
@@ -383,6 +398,15 @@ function printDeniedDependencies(
core.info(`Change: ${change.name}@${change.version} is denied`)
core.info(`Change: ${change.package_url} is denied`)
}
if (changes.length > 0) {
issueFound = true
core.setFailed('Dependency review detected denied packages.')
} else {
core.info('Dependency review did not detect any denied packages')
}
return issueFound
})
}
+5
View File
@@ -91,6 +91,11 @@ export const PullRequestSchema = z.object({
head: z.object({sha: z.string()})
})
export const MergeGroupSchema = z.object({
base_sha: z.string(),
head_sha: z.string()
})
export const ConfigurationOptionsSchema = z
.object({
fail_on_severity: SeveritySchema,
+4
View File
@@ -0,0 +1,4 @@
declare module 'spdx-satisfies' {
function spdxSatisfies(candidate: string, allowList: string[]): boolean
export = spdxSatisfies
}
+15 -5
View File
@@ -1,4 +1,5 @@
import * as spdxlib from '@onebeyond/spdx-license-satisfies'
import spdxSatisfies from 'spdx-satisfies'
import parse from 'spdx-expression-parse'
/*
@@ -10,12 +11,10 @@ import parse from 'spdx-expression-parse'
// accepts a pair of well-formed SPDX expressions. the
// candidate is tested against the constraint
export function satisfies(
candidateExpr: string,
constraintExpr: string
): boolean {
export function satisfies(candidateExpr: string, allowList: string[]): boolean {
candidateExpr = cleanInvalidSPDX(candidateExpr)
try {
return spdxlib.satisfies(candidateExpr, constraintExpr)
return spdxSatisfies(candidateExpr, allowList)
} catch (_) {
return false
}
@@ -26,6 +25,7 @@ export function satisfiesAny(
candidateExpr: string,
licenses: string[]
): boolean {
candidateExpr = cleanInvalidSPDX(candidateExpr)
try {
return spdxlib.satisfiesAny(candidateExpr, licenses)
} catch (_) {
@@ -38,6 +38,7 @@ export function satisfiesAll(
candidateExpr: string,
licenses: string[]
): boolean {
candidateExpr = cleanInvalidSPDX(candidateExpr)
try {
return spdxlib.satisfiesAll(candidateExpr, licenses)
} catch (_) {
@@ -47,6 +48,7 @@ export function satisfiesAll(
// accepts any SPDX expression
export function isValid(spdxExpr: string): boolean {
spdxExpr = cleanInvalidSPDX(spdxExpr)
try {
parse(spdxExpr)
return true
@@ -54,3 +56,11 @@ export function isValid(spdxExpr: string): boolean {
return false
}
}
const replaceOtherRegex = /(?<![\w-])OTHER(?![\w-])/g
// adjusts license expressions to not include the invalid `OTHER`
// which ClearlyDefined adds to license strings
export function cleanInvalidSPDX(spdxExpr: string): string {
return spdxExpr.replace(replaceOtherRegex, 'LicenseRef-clearlydefined-OTHER')
}
+45 -12
View File
@@ -1,7 +1,7 @@
import * as core from '@actions/core'
import {ConfigurationOptions, Changes, Change, Scorecard} from './schemas'
import {SummaryTableRow} from '@actions/core/lib/summary'
import {InvalidLicenseChanges, InvalidLicenseChangeTypes} from './licenses'
import {Change, Changes, ConfigurationOptions, Scorecard} from './schemas'
import {groupDependenciesByManifest, getManifestsSet, renderUrl} from './utils'
const icons = {
@@ -10,6 +10,8 @@ const icons = {
warning: '⚠️'
}
const MAX_SCANNED_FILES_BYTES = 1048576
// generates the DR report summmary and caches it to the Action's core.summary.
// returns the DR summary string, ready to be posted as a PR comment if the
// final DR report is too large
@@ -20,6 +22,10 @@ export function addSummaryToSummary(
scorecard: Scorecard,
config: ConfigurationOptions
): string {
if (config.deny_licenses && config.deny_licenses.length > 0) {
addDenyListsDeprecationWarningToSummary()
}
const out: string[] = []
const scorecardWarnings = countScorecardWarnings(scorecard, config)
@@ -104,6 +110,13 @@ export function addSummaryToSummary(
return out.join('\n')
}
function addDenyListsDeprecationWarningToSummary(): void {
core.summary.addRaw(
`${icons.warning} <strong>Deprecation Warning</strong>: The <em>deny-licenses</em> option is deprecated for possible removal in the next major release. For more information, see actions/dependency-review-action/issues/938.`,
true
)
}
function countScorecardWarnings(
scorecard: Scorecard,
config: ConfigurationOptions
@@ -263,20 +276,37 @@ function formatLicense(license: string | null): string {
return license
}
export function addScannedDependencies(changes: Changes): void {
const dependencies = groupDependenciesByManifest(changes)
const manifests = dependencies.keys()
export function addScannedFiles(changes: Changes): void {
const manifests = Array.from(
groupDependenciesByManifest(changes).keys()
).sort()
const summary = core.summary.addHeading('Scanned Manifest Files', 2)
let sf_size = 0
let trunc_at = -1
for (const manifest of manifests) {
const deps = dependencies.get(manifest)
if (deps) {
const dependencyNames = deps.map(
dependency => `<li>${dependency.name}@${dependency.version}</li>`
)
summary.addDetails(manifest, `<ul>${dependencyNames.join('')}</ul>`)
for (const [index, entry] of manifests.entries()) {
if (sf_size + entry.length >= MAX_SCANNED_FILES_BYTES) {
trunc_at = index
break
}
sf_size += entry.length
}
if (trunc_at >= 0) {
// truncate the manifests list if it will overflow the summary output
manifests.slice(0, trunc_at)
// if there's room between cutoff size and list size, add a warning
const size_diff = MAX_SCANNED_FILES_BYTES - sf_size
if (size_diff < 12) {
manifests.push('(truncated)')
}
}
const summary = core.summary.addHeading('Scanned Files', 2)
if (manifests.length === 0) {
summary.addRaw('None')
} else {
summary.addList(manifests)
}
}
@@ -302,6 +332,9 @@ export function addScorecardToSummary(
scorecard: Scorecard,
config: ConfigurationOptions
): void {
if (scorecard.dependencies.length === 0) {
return
}
core.summary.addHeading('OpenSSF Scorecard', 2)
if (scorecard.dependencies.length > 10) {
core.summary.addRaw(`<details><summary>Scorecard details</summary>`, true)