Compare commits
42 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| cdee0bc8c3 | |||
| 0e562a634b | |||
| 2c5ec1eea8 | |||
| bf0431a342 | |||
| c26b132baa | |||
| 3ffdd4d73e | |||
| ea2cae5127 | |||
| dfe560420d | |||
| e4033dcc29 | |||
| 92129e58e4 | |||
| bf9bc3f2a6 | |||
| d703cf58c3 | |||
| c80eb9894b | |||
| 5e7a6ffc7d | |||
| 67ca5cc413 | |||
| 8992b0e1c7 | |||
| 5e9a56c6de | |||
| 9cd1f01f7f | |||
| a0be92bfc2 | |||
| 6ec8e13b9a | |||
| c9bb42fdbf | |||
| b109bc8c95 | |||
| 5f24a51147 | |||
| ef281d4e24 | |||
| 3b139cfc5f | |||
| d6807b6643 | |||
| c89b41fdc6 | |||
| eee97d8b03 | |||
| 9d101822a3 | |||
| 9192be9c72 | |||
| 2fc8e23b12 | |||
| fb86db2043 | |||
| 0a198ab3ed | |||
| fc499fc13a | |||
| b02ea3a88b | |||
| 612e96e757 | |||
| 0adc9b8215 | |||
| 591cbf9044 | |||
| c0a5e20c51 | |||
| c82883d789 | |||
| d8ae44e2a0 | |||
| ac1d2d7d35 |
@@ -12,3 +12,8 @@ updates:
|
||||
ignore:
|
||||
- dependency-name: '@types/node'
|
||||
update-types: ['version-update:semver-major']
|
||||
groups:
|
||||
minor-updates:
|
||||
update-types:
|
||||
- "minor"
|
||||
- "patch"
|
||||
|
||||
@@ -12,7 +12,7 @@ jobs:
|
||||
stale:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/stale@v9.0.0
|
||||
- uses: actions/stale@v9.1.0
|
||||
name: Clean up stale PRs and Issues
|
||||
with:
|
||||
stale-pr-message: "👋 This pull request has been marked as stale because it has been open with no activity for 180 days. You can: comment on the PR or remove the stale label to hold stalebot off for a while, add the `Keep` label to hold stale off permanently, or do nothing. If you do nothing, this pull request will be closed eventually by the stalebot. Please see CONTRIBUTING.md for more policy details."
|
||||
|
||||
+3
-3
@@ -35,11 +35,11 @@ Ready to contribute to `dependency-review-action`? Here is some information to
|
||||
|
||||
This action makes an authenticated query to the [Dependency Review API](https://docs.github.com/en/rest/dependency-graph/dependency-review) endpoint (`GET /repos/{owner}/{repo}/dependency-graph/compare/{basehead}`) to find out the set of added and removed dependencies for each manifest.
|
||||
|
||||
The action then evaluates the differences between the pushes based on the the rules defined in the action configuration, and summarizes the differences and any violations of the rules you have defined as a comment in the pull request that triggered it and the action outputs.
|
||||
The action then evaluates the differences between the pushes based on the rules defined in the action configuration, and summarizes the differences and any violations of the rules you have defined as a comment in the pull request that triggered it and the action outputs.
|
||||
|
||||
### Local Development
|
||||
|
||||
Before you begin, you need to have [Node.js](https://nodejs.org/en/) installed, minimum version 18.
|
||||
Before you begin, you need to have [Node.js](https://nodejs.org/en/) installed, minimum version 20.
|
||||
|
||||
#### Bootstrapping the project
|
||||
|
||||
@@ -81,7 +81,7 @@ $ GITHUB_TOKEN=<token> ./scripts/scan_pr --config-file my_custom_config.yml <pr_
|
||||
npm run test
|
||||
```
|
||||
|
||||
_Note_: We don't a very comprehensive test suite, so any contributions to the existing tests are welcome!
|
||||
_Note_: We don't have a very comprehensive test suite, so any contributions to the existing tests are welcome!
|
||||
|
||||
### Submitting a pull request
|
||||
|
||||
|
||||
@@ -134,3 +134,62 @@ test('allows packages not defined in the deny packages and groups list', async (
|
||||
|
||||
expect(deniedChanges.length).toEqual(0)
|
||||
})
|
||||
|
||||
test('deny packages does not prevent removal of denied packages', async () => {
|
||||
const changes: Changes = [
|
||||
createTestChange({
|
||||
change_type: 'added',
|
||||
name: 'deny-by-name-and-version',
|
||||
version: '1.0.0',
|
||||
ecosystem: 'npm'
|
||||
}),
|
||||
createTestChange({
|
||||
change_type: 'removed',
|
||||
name: 'pass-by-name-and-version',
|
||||
version: '1.0.0',
|
||||
ecosystem: 'npm'
|
||||
}),
|
||||
createTestChange({
|
||||
change_type: 'added',
|
||||
name: 'deny-by-name',
|
||||
version: '1.0.0',
|
||||
ecosystem: 'npm'
|
||||
}),
|
||||
createTestChange({
|
||||
change_type: 'removed',
|
||||
name: 'pass-by-name',
|
||||
version: '1.0.0',
|
||||
ecosystem: 'npm'
|
||||
}),
|
||||
createTestChange({
|
||||
change_type: 'added',
|
||||
package_url: 'pkg:npm/org.test.deny.by.namespace/only@1.0.0',
|
||||
ecosystem: 'npm'
|
||||
}),
|
||||
createTestChange({
|
||||
change_type: 'removed',
|
||||
package_url: 'pkg:npm/org.test.pass.by.namespace/only@1.0.0',
|
||||
ecosystem: 'npm'
|
||||
})
|
||||
]
|
||||
const deniedPackages = createTestPURLs([
|
||||
'pkg:npm/org.test.deny.by/deny-by-name-and-version@1.0.0',
|
||||
'pkg:npm/org.test.pass.by/pass-by-name-and-version@1.0.0',
|
||||
'pkg:npm/org.test.deny.by/deny-by-name',
|
||||
'pkg:npm/org.test.pass.by/pass-by-name'
|
||||
])
|
||||
const deniedGroups = createTestPURLs([
|
||||
'pkg:npm/org.test.deny.by.namespace/',
|
||||
'pkg:npm/org.test.pass.by.namespace/'
|
||||
])
|
||||
const deniedChanges = await getDeniedChanges(
|
||||
changes,
|
||||
deniedPackages,
|
||||
deniedGroups
|
||||
)
|
||||
|
||||
expect(deniedChanges.length).toEqual(3)
|
||||
expect(deniedChanges[0]).toBe(changes[0])
|
||||
expect(deniedChanges[1]).toBe(changes[2])
|
||||
expect(deniedChanges[2]).toBe(changes[4])
|
||||
})
|
||||
|
||||
+1801
-1613
File diff suppressed because one or more lines are too long
+1
-1
File diff suppressed because one or more lines are too long
+1
-1
File diff suppressed because one or more lines are too long
+3
-3
@@ -1,4 +1,4 @@
|
||||
# Examples on how to use the Dependency Review Action
|
||||
# Examples of how to use the Dependency Review Action
|
||||
|
||||
## Basic Usage
|
||||
|
||||
@@ -89,7 +89,7 @@ The following example will use a configuration file from an external public GitH
|
||||
|
||||
Let's say that the configuration file is located in `github/octorepo/dependency-review-config.yml@main`
|
||||
|
||||
The Dependancy Review Action workflow file will then look like this:
|
||||
The Dependency Review Action workflow file will then look like this:
|
||||
|
||||
```yaml
|
||||
name: 'Dependency Review'
|
||||
@@ -116,7 +116,7 @@ The following example will use a configuration file from an external private Gti
|
||||
|
||||
Let's say that the configuration file is located in `github/octorepo-private/dependency-review-config.yml@main`
|
||||
|
||||
The Dependancy Review Action workflow file will then look like this:
|
||||
The Dependency Review Action workflow file will then look like this:
|
||||
|
||||
```yaml
|
||||
name: 'Dependency Review'
|
||||
|
||||
Generated
+500
-347
File diff suppressed because it is too large
Load Diff
+12
-8
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"name": "dependency-review-action",
|
||||
"version": "4.3.5",
|
||||
"version": "4.5.0",
|
||||
"private": true,
|
||||
"description": "A GitHub Action for Dependency Review",
|
||||
"main": "lib/main.js",
|
||||
@@ -27,18 +27,18 @@
|
||||
"dependencies": {
|
||||
"@actions/core": "^1.10.1",
|
||||
"@actions/github": "^6.0.0",
|
||||
"@octokit/plugin-retry": "^6.0.1",
|
||||
"@octokit/request-error": "^5.0.1",
|
||||
"@octokit/plugin-retry": "^6.1.0",
|
||||
"@octokit/request-error": "^5.1.1",
|
||||
"@onebeyond/spdx-license-satisfies": "^1.0.1",
|
||||
"ansi-styles": "^6.2.1",
|
||||
"got": "^14.4.2",
|
||||
"got": "^14.4.5",
|
||||
"jest": "^29.7.0",
|
||||
"octokit": "^3.1.2",
|
||||
"spdx-expression-parse": "^3.0.1",
|
||||
"spdx-satisfies": "^5.0.1",
|
||||
"ts-jest": "^29.2.5",
|
||||
"yaml": "^2.3.4",
|
||||
"zod": "^3.23.8"
|
||||
"zod": "^3.24.1"
|
||||
},
|
||||
"devDependencies": {
|
||||
"@types/jest": "^29.5.12",
|
||||
@@ -47,15 +47,19 @@
|
||||
"@types/spdx-satisfies": "^0.1.1",
|
||||
"@typescript-eslint/eslint-plugin": "^6.21.0",
|
||||
"@typescript-eslint/parser": "^6.21.0",
|
||||
"@vercel/ncc": "^0.38.0",
|
||||
"esbuild-register": "^3.5.0",
|
||||
"@vercel/ncc": "^0.38.3",
|
||||
"esbuild-register": "^3.6.0",
|
||||
"eslint": "^8.57.0",
|
||||
"eslint-plugin-github": "^4.10.2",
|
||||
"eslint-plugin-jest": "^28.8.3",
|
||||
"eslint-plugin-prettier": "^5.1.3",
|
||||
"js-yaml": "^4.1.0",
|
||||
"nodemon": "^3.1.0",
|
||||
"nodemon": "^3.1.9",
|
||||
"prettier": "3.2.5",
|
||||
"typescript": "^5.4.5"
|
||||
},
|
||||
"overrides": {
|
||||
"cross-spawn": ">=7.0.5",
|
||||
"@octokit/request-error@5.0.1": "5.1.1"
|
||||
}
|
||||
}
|
||||
|
||||
+3
-3
@@ -17,13 +17,13 @@ const COMMENT_MARKER = '<!-- dependency-review-pr-comment-marker -->'
|
||||
|
||||
export async function commentPr(
|
||||
commentContent: string,
|
||||
config: ConfigurationOptions
|
||||
config: ConfigurationOptions,
|
||||
issueFound: boolean
|
||||
): Promise<void> {
|
||||
if (
|
||||
!(
|
||||
config.comment_summary_in_pr === 'always' ||
|
||||
(config.comment_summary_in_pr === 'on-failure' &&
|
||||
process.exitCode === core.ExitCode.Failure)
|
||||
(config.comment_summary_in_pr === 'on-failure' && issueFound)
|
||||
)
|
||||
) {
|
||||
return
|
||||
|
||||
+4
-9
@@ -9,15 +9,17 @@ export async function getDeniedChanges(
|
||||
): Promise<Change[]> {
|
||||
const changesDenied: Change[] = []
|
||||
|
||||
let hasDeniedPackage = false
|
||||
for (const change of changes) {
|
||||
if (change.change_type === 'removed') {
|
||||
continue
|
||||
}
|
||||
|
||||
for (const denied of deniedPackages) {
|
||||
if (
|
||||
(!denied.version || change.version === denied.version) &&
|
||||
change.name === denied.name
|
||||
) {
|
||||
changesDenied.push(change)
|
||||
hasDeniedPackage = true
|
||||
}
|
||||
}
|
||||
|
||||
@@ -30,17 +32,10 @@ export async function getDeniedChanges(
|
||||
}
|
||||
if (namespace && namespace === denied.namespace) {
|
||||
changesDenied.push(change)
|
||||
hasDeniedPackage = true
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (hasDeniedPackage) {
|
||||
core.setFailed('Dependency review detected denied packages.')
|
||||
} else {
|
||||
core.info('Dependency review did not detect any denied packages')
|
||||
}
|
||||
|
||||
return changesDenied
|
||||
}
|
||||
|
||||
|
||||
+45
-21
@@ -141,10 +141,16 @@ async function run(): Promise<void> {
|
||||
summary.addSnapshotWarnings(config, snapshot_warnings)
|
||||
}
|
||||
|
||||
let issueFound = false
|
||||
|
||||
if (config.vulnerability_check) {
|
||||
core.setOutput('vulnerable-changes', JSON.stringify(vulnerableChanges))
|
||||
summary.addChangeVulnerabilitiesToSummary(vulnerableChanges, minSeverity)
|
||||
printVulnerabilitiesBlock(vulnerableChanges, minSeverity, warnOnly)
|
||||
issueFound ||= await printVulnerabilitiesBlock(
|
||||
vulnerableChanges,
|
||||
minSeverity,
|
||||
warnOnly
|
||||
)
|
||||
}
|
||||
if (config.license_check) {
|
||||
core.setOutput(
|
||||
@@ -152,12 +158,12 @@ async function run(): Promise<void> {
|
||||
JSON.stringify(invalidLicenseChanges)
|
||||
)
|
||||
summary.addLicensesToSummary(invalidLicenseChanges, config)
|
||||
printLicensesBlock(invalidLicenseChanges, warnOnly)
|
||||
issueFound ||= await printLicensesBlock(invalidLicenseChanges, warnOnly)
|
||||
}
|
||||
if (config.deny_packages || config.deny_groups) {
|
||||
core.setOutput('denied-changes', JSON.stringify(deniedChanges))
|
||||
summary.addDeniedToSummary(deniedChanges)
|
||||
printDeniedDependencies(deniedChanges, config)
|
||||
issueFound ||= await printDeniedDependencies(deniedChanges, config)
|
||||
}
|
||||
if (config.show_openssf_scorecard) {
|
||||
summary.addScorecardToSummary(scorecard, config)
|
||||
@@ -182,7 +188,7 @@ async function run(): Promise<void> {
|
||||
}
|
||||
|
||||
// update the PR comment if needed with the right-sized summary
|
||||
await commentPr(rendered, config)
|
||||
await commentPr(rendered, config, issueFound)
|
||||
} catch (error) {
|
||||
if (error instanceof RequestError && error.status === 404) {
|
||||
core.setFailed(
|
||||
@@ -190,7 +196,7 @@ async function run(): Promise<void> {
|
||||
)
|
||||
} else if (error instanceof RequestError && error.status === 403) {
|
||||
core.setFailed(
|
||||
`Dependency review is not supported on this repository. Please ensure that Dependency graph is enabled along with GitHub Advanced Security on private repositories, see https://github.com/${github.context.repo.owner}/${github.context.repo.repo}/settings/security_analysis`
|
||||
`Dependency review is not supported on this repository. Please ensure that Dependency graph is enabled along with GitHub Advanced Security on private repositories, see ${github.context.serverUrl}/${github.context.repo.owner}/${github.context.repo.repo}/settings/security_analysis`
|
||||
)
|
||||
} else {
|
||||
if (error instanceof Error) {
|
||||
@@ -204,18 +210,16 @@ async function run(): Promise<void> {
|
||||
}
|
||||
}
|
||||
|
||||
function printVulnerabilitiesBlock(
|
||||
async function printVulnerabilitiesBlock(
|
||||
addedChanges: Changes,
|
||||
minSeverity: Severity,
|
||||
warnOnly: boolean
|
||||
): void {
|
||||
let vulFound = false
|
||||
core.group('Vulnerabilities', async () => {
|
||||
if (addedChanges.length > 0) {
|
||||
for (const change of addedChanges) {
|
||||
printChangeVulnerabilities(change)
|
||||
}
|
||||
vulFound = true
|
||||
): Promise<boolean> {
|
||||
return core.group('Vulnerabilities', async () => {
|
||||
let vulFound = false
|
||||
|
||||
for (const change of addedChanges) {
|
||||
vulFound ||= printChangeVulnerabilities(change)
|
||||
}
|
||||
|
||||
if (vulFound) {
|
||||
@@ -230,10 +234,12 @@ function printVulnerabilitiesBlock(
|
||||
`Dependency review did not detect any vulnerable packages with severity level "${minSeverity}" or higher.`
|
||||
)
|
||||
}
|
||||
|
||||
return vulFound
|
||||
})
|
||||
}
|
||||
|
||||
function printChangeVulnerabilities(change: Change): void {
|
||||
function printChangeVulnerabilities(change: Change): boolean {
|
||||
for (const vuln of change.vulnerabilities) {
|
||||
core.info(
|
||||
`${styles.bold.open}${change.manifest} » ${change.name}@${
|
||||
@@ -244,14 +250,18 @@ function printChangeVulnerabilities(change: Change): void {
|
||||
)
|
||||
core.info(` ↪ ${vuln.advisory_url}`)
|
||||
}
|
||||
return change.vulnerabilities.length > 0
|
||||
}
|
||||
|
||||
function printLicensesBlock(
|
||||
async function printLicensesBlock(
|
||||
invalidLicenseChanges: Record<string, Changes>,
|
||||
warnOnly: boolean
|
||||
): void {
|
||||
core.group('Licenses', async () => {
|
||||
): Promise<boolean> {
|
||||
return core.group('Licenses', async () => {
|
||||
let issueFound = false
|
||||
|
||||
if (invalidLicenseChanges.forbidden.length > 0) {
|
||||
issueFound = true
|
||||
core.info('\nThe following dependencies have incompatible licenses:')
|
||||
printLicensesError(invalidLicenseChanges.forbidden)
|
||||
const msg = 'Dependency review detected incompatible licenses.'
|
||||
@@ -262,6 +272,7 @@ function printLicensesBlock(
|
||||
}
|
||||
}
|
||||
if (invalidLicenseChanges.unresolved.length > 0) {
|
||||
issueFound = true
|
||||
core.warning(
|
||||
'\nThe validity of the licenses of the dependencies below could not be determined. Ensure that they are valid SPDX licenses:'
|
||||
)
|
||||
@@ -271,6 +282,8 @@ function printLicensesBlock(
|
||||
)
|
||||
}
|
||||
printNullLicenses(invalidLicenseChanges.unlicensed)
|
||||
|
||||
return issueFound
|
||||
})
|
||||
}
|
||||
|
||||
@@ -370,11 +383,13 @@ function printScannedDependencies(changes: Changes): void {
|
||||
})
|
||||
}
|
||||
|
||||
function printDeniedDependencies(
|
||||
async function printDeniedDependencies(
|
||||
changes: Changes,
|
||||
config: ConfigurationOptions
|
||||
): void {
|
||||
core.group('Denied', async () => {
|
||||
): Promise<boolean> {
|
||||
return core.group('Denied', async () => {
|
||||
let issueFound = false
|
||||
|
||||
for (const denied of config.deny_packages) {
|
||||
core.info(`Config: ${denied}`)
|
||||
}
|
||||
@@ -383,6 +398,15 @@ function printDeniedDependencies(
|
||||
core.info(`Change: ${change.name}@${change.version} is denied`)
|
||||
core.info(`Change: ${change.package_url} is denied`)
|
||||
}
|
||||
|
||||
if (changes.length > 0) {
|
||||
issueFound = true
|
||||
core.setFailed('Dependency review detected denied packages.')
|
||||
} else {
|
||||
core.info('Dependency review did not detect any denied packages')
|
||||
}
|
||||
|
||||
return issueFound
|
||||
})
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user