Compare commits
68 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 05fe457637 | |||
| 3a8496cb71 | |||
| 0f22a01592 | |||
| 58be34364d | |||
| 9284e0c621 | |||
| 8b766562f0 | |||
| 43f5f029f5 | |||
| f0033fc4d6 | |||
| b379e2e05f | |||
| 2e1cf54a50 | |||
| 68e9887ce6 | |||
| a7c7f3b9b1 | |||
| 98884d411b | |||
| 76bfce5cd7 | |||
| d45151f498 | |||
| 774d14bf50 | |||
| 20b998d4e2 | |||
| ad048f729f | |||
| 35ccfd2548 | |||
| a2014a181b | |||
| 1a0268586f | |||
| 14edcb1b2a | |||
| 805c0b2856 | |||
| 125b995082 | |||
| 289863a7c4 | |||
| 3c4e3dcb1a | |||
| 02930b2072 | |||
| 49ffd9f636 | |||
| 70cb25ec56 | |||
| ebabd31cea | |||
| 19f9360983 | |||
| 5fd2f98b4f | |||
| 28647f4804 | |||
| f620fd175c | |||
| 9b42b7e9a9 | |||
| 4004cfa3a2 | |||
| 94004c3444 | |||
| 75e65b4d81 | |||
| 355d25e5a7 | |||
| d456baec30 | |||
| 66054da10b | |||
| 247f07b0c8 | |||
| 5975520ad2 | |||
| b4849e7628 | |||
| 752c04656e | |||
| 4fa8b92807 | |||
| 3660056ed3 | |||
| 5f8348ab03 | |||
| 6b5a983daf | |||
| 8fd9b22286 | |||
| c4b82d3047 | |||
| 622445f2a8 | |||
| 3f464ea511 | |||
| 8e51299cdf | |||
| 7a990117b1 | |||
| 99ce29f02e | |||
| 140b44b7bf | |||
| 4603a62e00 | |||
| 07b91577a3 | |||
| 3084754c49 | |||
| 0f943b29ae | |||
| 40c09b7dc9 | |||
| 45529485b5 | |||
| e63da9a041 | |||
| 71365c76bc | |||
| 2440f520c8 | |||
| 56339e523c | |||
| 1688b745f3 |
@@ -1,57 +0,0 @@
|
||||
# `dist/index.js` is a special file in Actions.
|
||||
# When you reference an action with `uses:` in a workflow,
|
||||
# `index.js` is the code that will run.
|
||||
# For our project, we generate this file through a build process from other source files.
|
||||
# We need to make sure the checked-in `index.js` actually matches what we expect it to be.
|
||||
name: Check dist/
|
||||
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
paths-ignore:
|
||||
- '**.md'
|
||||
pull_request:
|
||||
paths-ignore:
|
||||
- '**.md'
|
||||
workflow_dispatch:
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
check-dist:
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
- name: Set Node.js 20.x
|
||||
uses: actions/setup-node@v4
|
||||
with:
|
||||
node-version: 20.x
|
||||
cache: npm
|
||||
|
||||
- name: Install dependencies
|
||||
run: npm ci
|
||||
|
||||
- name: Rebuild the dist/ directory
|
||||
run: |
|
||||
npm run build
|
||||
npm run package
|
||||
|
||||
- name: Compare the expected and actual dist/ directories
|
||||
run: |
|
||||
if [ "$(git diff --ignore-space-at-eol dist/ | wc -l)" -gt "0" ]; then
|
||||
echo "Detected uncommitted changes after build. See status below:"
|
||||
git diff
|
||||
exit 1
|
||||
fi
|
||||
id: diff
|
||||
|
||||
# If index.js was different than expected, upload the expected version as an artifact
|
||||
- uses: actions/upload-artifact@v4
|
||||
if: ${{ failure() && steps.diff.conclusion == 'failure' }}
|
||||
with:
|
||||
name: dist
|
||||
path: dist/
|
||||
@@ -18,7 +18,7 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- uses: actions/setup-node@v4
|
||||
- uses: actions/setup-node@v6
|
||||
with:
|
||||
node-version: 20
|
||||
cache: npm
|
||||
@@ -31,7 +31,7 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
- uses: actions/setup-node@v4
|
||||
- uses: actions/setup-node@v6
|
||||
with:
|
||||
node-version: 20
|
||||
cache: npm
|
||||
|
||||
@@ -28,7 +28,7 @@ jobs:
|
||||
|
||||
# Initializes the CodeQL tools for scanning.
|
||||
- name: Initialize CodeQL
|
||||
uses: github/codeql-action/init@v3
|
||||
uses: github/codeql-action/init@v4
|
||||
with:
|
||||
languages: ${{ matrix.language }}
|
||||
# If you wish to specify custom queries, you can do so here or in a config file.
|
||||
@@ -43,6 +43,6 @@ jobs:
|
||||
- dist/sourcemap-register.js
|
||||
|
||||
- name: Perform CodeQL Analysis
|
||||
uses: github/codeql-action/analyze@v3
|
||||
uses: github/codeql-action/analyze@v4
|
||||
with:
|
||||
category: "/language:${{matrix.language}}"
|
||||
|
||||
@@ -12,7 +12,7 @@ jobs:
|
||||
stale:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/stale@v9.1.0
|
||||
- uses: actions/stale@v10.1.0
|
||||
name: Clean up stale PRs and Issues
|
||||
with:
|
||||
stale-pr-message: "👋 This pull request has been marked as stale because it has been open with no activity for 180 days. You can: comment on the PR or remove the stale label to hold stalebot off for a while, add the `Keep` label to hold stale off permanently, or do nothing. If you do nothing, this pull request will be closed eventually by the stalebot. Please see CONTRIBUTING.md for more policy details."
|
||||
|
||||
+28
-31
@@ -25,11 +25,11 @@ If you'd like to make a contribution yourself, we ask that before significant ef
|
||||
|
||||
## Stalebot
|
||||
|
||||
We have begun using a [Stalebot action](https://github.com/actions/stale) to help keep the Issues and Pull requests backlogs tidy. You can see the configuration [here](.github/workflows/stalebot.yml). If you'd like to keep an issue open after getting a stalebot warning, simply comment on it and it'll reset the clock.
|
||||
We have begun using a [Stalebot action](https://github.com/actions/stale) to help keep the Issues and Pull requests backlogs tidy. You can see [the configuration](.github/workflows/stalebot.yml). If you'd like to keep an issue open after getting a stalebot warning, simply comment on it and it'll reset the clock.
|
||||
|
||||
## Development lifecycle
|
||||
|
||||
Ready to contribute to `dependency-review-action`? Here is some information to help you get started.
|
||||
Ready to contribute to `dependency-review-action`? Here is some information to help you get started.
|
||||
|
||||
### High level overview of the action
|
||||
|
||||
@@ -50,10 +50,9 @@ Before you begin, you need to have [Node.js](https://nodejs.org/en/) installed,
|
||||
|
||||
#### Manually testing for vulnerabilities
|
||||
|
||||
We have a script to scan a given PR for vulnerabilities, this will
|
||||
help you test your local changes. Make sure to [grab a Personal Access Token (PAT)](https://github.com/settings/tokens) before proceeding (you'll need `repo` permissions for private repos):
|
||||
We have a script to scan a given PR for vulnerabilities, which will help you test your local changes. Make sure to [grab a Personal Access Token (PAT)](https://github.com/settings/tokens) before proceeding (you'll need `repo` permissions for private repos):
|
||||
|
||||
<img width="480" alt="Screenshot 2022-05-12 at 10 22 21" src="https://user-images.githubusercontent.com/2161/168026161-16788a0a-b6c8-428e-bb6a-83ea2a403070.png">
|
||||
<img width="480" alt="Screen to create a PAT with a note of `dr-token`, 30 day duration (expiring Jun 11, 2022), with `repo` scopes selected" src="https://user-images.githubusercontent.com/2161/168026161-16788a0a-b6c8-428e-bb6a-83ea2a403070.png">
|
||||
|
||||
The syntax of the script is:
|
||||
|
||||
@@ -87,8 +86,9 @@ _Note_: We don't have a very comprehensive test suite, so any contributions to t
|
||||
|
||||
1. Create a new branch: `git checkout -b my-branch-name`
|
||||
2. Make your change, add tests, and make sure the tests still pass
|
||||
3. Make sure to build and package before pushing: `npm run build && npm run package`
|
||||
4. Push to your fork and [submit a pull request][pr]
|
||||
3. Push to your fork and [submit a pull request][pr]
|
||||
|
||||
(note: we don't recommend including changes to the `dist` directory in your pull request, because changes there have an increased likelihood of conflicts.)
|
||||
|
||||
Here are a few things you can do that will increase the likelihood of your pull request being accepted:
|
||||
|
||||
@@ -105,41 +105,38 @@ Here are a few things you can do that will increase the likelihood of your pull
|
||||
|
||||
_Note: these instructions are for maintainers_
|
||||
|
||||
1. Update the version number in [package.json](https://github.com/actions/dependency-review-action/blob/main/package.json) and run `npm i` to update the lockfile.
|
||||
1. Go to [Draft a new
|
||||
release](https://github.com/actions/dependency-review-action/releases/new)
|
||||
in the Releases page.
|
||||
1. Make sure that the `Publish this Action to the GitHub Marketplace`
|
||||
checkbox is enabled
|
||||
- Create a local branch based on the `main` of the upstream repo.
|
||||
- Update the version number in [package.json](https://github.com/actions/dependency-review-action/blob/main/package.json) and run `npm i` to update the lockfile.
|
||||
- Update the dist files by running `npm run build` and `npm run package`
|
||||
- Go to [Draft a new release](https://github.com/actions/dependency-review-action/releases/new) in the Releases page.
|
||||
- Make sure that the `Publish this Action to the GitHub Marketplace` checkbox is enabled
|
||||
|
||||
<img width="481" alt="Screenshot 2022-06-15 at 12 08 19" src="https://user-images.githubusercontent.com/2161/173822484-4b60d8b4-c674-4bff-b5ff-b0c4a3650ab7.png">
|
||||
<img width="481" alt="Screen showing Release Action with Publish this Action to the GitHub Marketplace checked" src="https://user-images.githubusercontent.com/2161/173822484-4b60d8b4-c674-4bff-b5ff-b0c4a3650ab7.png">
|
||||
|
||||
3. Click "Choose a tag" and then "Create new tag", where the tag name
|
||||
will be your version prefixed by a `v` (e.g. `v1.2.3`).
|
||||
4. Use a version number for the release title (e.g. "1.2.3").
|
||||
- Click "Choose a tag" and then "Create new tag", where the tag name
|
||||
will be your version prefixed by a `v` (e.g. `v1.2.3`).
|
||||
- Use a version number for the release title (e.g. "1.2.3").
|
||||
|
||||
<img width="700" alt="Screenshot 2022-06-15 at 12 08 36" src="https://user-images.githubusercontent.com/2161/173822548-33ab3432-d679-4dc1-adf8-b50fdaf47de3.png">
|
||||
<img width="700" alt="Create an action release in categories Security + Dependency management from branch main creating tag v2.0.0 on publish" src="https://user-images.githubusercontent.com/2161/173822548-33ab3432-d679-4dc1-adf8-b50fdaf47de3.png">
|
||||
|
||||
5. Add your release notes. If this is a major version make sure to
|
||||
include a small description of the biggest changes in the new version.
|
||||
6. Click "Publish Release".
|
||||
- Add your release notes. If this is a major version make sure to include details about any breaking changes in the new version.
|
||||
- Click "Publish Release".
|
||||
|
||||
You now have a tag and release using the semver version you used
|
||||
above. The last remaining thing to do is to move the dynamic version
|
||||
identifier to match the current SHA. This allows users to adopt a
|
||||
major version number (e.g. `v1`) in their workflows while
|
||||
automatically getting all the
|
||||
minor/patch updates.
|
||||
You now have a tag and release using the semver version you used above. The last remaining thing to do is to update the major version branch to match the current release. This allows users to adopt a major version number (e.g. `v4`) in their workflows while automatically getting all the minor/patch updates.
|
||||
|
||||
To do this just checkout `main`, force-create a new annotated tag, and push it:
|
||||
As of v4.8.3, we use a **branch** (not a force-pushed tag) for the major version pointer. This is important because force-pushing tags breaks GitHub's auto-generated release changelog links (see [#1035](https://github.com/actions/dependency-review-action/issues/1035)) and violates git's (unenforced) expectation that tags are immutable.
|
||||
|
||||
To update the major version branch:
|
||||
|
||||
```
|
||||
git tag -fa v4 -m "Updating v4 to 4.0.1"
|
||||
git push origin v4 --force
|
||||
git checkout main
|
||||
git pull origin main
|
||||
git branch -f v4 HEAD
|
||||
git push origin v4
|
||||
```
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
## Resources
|
||||
|
||||
- [Creating JavaScript GitHub actions](https://docs.github.com/en/actions/creating-actions/creating-a-javascript-action)
|
||||
|
||||
@@ -169,6 +169,7 @@ You can pass configuration options to the dependency review action using your wo
|
||||
|
||||
# Use comma-separated names to pass list arguments:
|
||||
deny-licenses: LGPL-2.0, BSD-2-Clause
|
||||
allow-dependencies-licenses: "pkg:npm/@myorg/mypackage, pkg:npm/packagename, pkg:githubactions/owner/repo@2.0.0"
|
||||
```
|
||||
|
||||
#### Option 2: Using an external configuration file
|
||||
|
||||
@@ -1,7 +1,6 @@
|
||||
import {expect, test, beforeEach} from '@jest/globals'
|
||||
import {readConfig} from '../src/config'
|
||||
import {getRefs} from '../src/git-refs'
|
||||
import * as spdx from '../src/spdx'
|
||||
import {setInput, clearInputs} from './test-helpers'
|
||||
|
||||
beforeEach(() => {
|
||||
|
||||
+14
-3
@@ -132,9 +132,13 @@ describe('handleLargeSummary', () => {
|
||||
expect(result).toContain('actions/runs/12345')
|
||||
})
|
||||
|
||||
test('returns original summary and logs a warning when artifact handling fails', async () => {
|
||||
test('returns truncated summary and replaces buffer when artifact upload fails', async () => {
|
||||
const warningMock = core.warning as jest.Mock
|
||||
const emptyBufferMock = core.summary.emptyBuffer as jest.Mock
|
||||
const addRawMock = core.summary.addRaw as jest.Mock
|
||||
warningMock.mockClear()
|
||||
emptyBufferMock.mockClear()
|
||||
addRawMock.mockClear()
|
||||
const largeSummary = 'b'.repeat(1024 * 1024 + 1)
|
||||
|
||||
DefaultArtifactClientMock.mockImplementation(() => ({
|
||||
@@ -145,9 +149,16 @@ describe('handleLargeSummary', () => {
|
||||
|
||||
const result = await handleLargeSummary(largeSummary)
|
||||
|
||||
expect(result).toBe(largeSummary)
|
||||
// Should NOT return the original oversized content
|
||||
expect(result).not.toBe(largeSummary)
|
||||
// Should return a truncated summary
|
||||
expect(result).toContain('Dependency Review Summary')
|
||||
expect(result).toContain('too large to display')
|
||||
// Should replace the core.summary buffer to prevent write() from failing
|
||||
expect(emptyBufferMock).toHaveBeenCalled()
|
||||
expect(addRawMock).toHaveBeenCalledWith(result)
|
||||
expect(warningMock).toHaveBeenCalledWith(
|
||||
expect.stringContaining('Failed to handle large summary')
|
||||
expect.stringContaining('Failed to upload large summary as artifact')
|
||||
)
|
||||
})
|
||||
})
|
||||
|
||||
@@ -315,7 +315,7 @@ test('uses checkmarks for vulnerabilities if only license issues were found', ()
|
||||
expect(text).toContain('✅ 0 package(s) with unknown licenses')
|
||||
})
|
||||
|
||||
test('addChangeVulnerabilitiesToSummary() - only includes section if any vulnerabilites found', () => {
|
||||
test('addChangeVulnerabilitiesToSummary() - only includes section if any vulnerabilities found', () => {
|
||||
summary.addChangeVulnerabilitiesToSummary(emptyChanges, 'low')
|
||||
const text = core.summary.stringify()
|
||||
expect(text).toEqual('')
|
||||
@@ -385,7 +385,7 @@ test('addChangeVulnerabilitiesToSummary() - prints severity statement if above l
|
||||
)
|
||||
})
|
||||
|
||||
test('addChangeVulnerabilitiesToSummary() - does not print severity statment if it is set to "low"', () => {
|
||||
test('addChangeVulnerabilitiesToSummary() - does not print severity statement if it is set to "low"', () => {
|
||||
const changes = [createTestChange()]
|
||||
|
||||
summary.addChangeVulnerabilitiesToSummary(changes, 'low')
|
||||
|
||||
+1
-1
@@ -53,7 +53,7 @@ inputs:
|
||||
description: A boolean to determine if vulnerability checks should be performed
|
||||
required: false
|
||||
comment-summary-in-pr:
|
||||
description: Determines if the summary is posted as a comment in the PR itself. Setting this to `always` or `on-failure` requires you to give the workflow the write permissions for pull-requests
|
||||
description: "Determines if the summary is posted as a comment in the PR itself. Setting this to `always` or `on-failure` requires you to give the workflow `pull-requests: write` permissions"
|
||||
required: false
|
||||
deny-packages:
|
||||
description: A comma-separated list of package URLs to deny (e.g. "pkg:npm/express, pkg:pypi/pycrypto"). If version specified, only deny matching packages and version; else, deny all regardless of version.
|
||||
|
||||
+4847
-6822
File diff suppressed because one or more lines are too long
+1
-1
File diff suppressed because one or more lines are too long
+21
-105
@@ -360,6 +360,27 @@ SOFTWARE.
|
||||
|
||||
@azure/storage-common
|
||||
MIT
|
||||
The MIT License (MIT)
|
||||
|
||||
Copyright (c) 2018 Microsoft
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
of this software and associated documentation files (the "Software"), to deal
|
||||
in the Software without restriction, including without limitation the rights
|
||||
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
copies of the Software, and to permit persons to whom the Software is
|
||||
furnished to do so, subject to the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be included in all
|
||||
copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
||||
SOFTWARE.
|
||||
|
||||
@fastify/busboy
|
||||
MIT
|
||||
@@ -1245,16 +1266,6 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
||||
SOFTWARE.
|
||||
|
||||
|
||||
@vercel/ncc
|
||||
MIT
|
||||
Copyright 2018 ZEIT, Inc.
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
||||
|
||||
abort-controller
|
||||
MIT
|
||||
MIT License
|
||||
@@ -2937,31 +2948,6 @@ PERFORMANCE OF THIS SOFTWARE.
|
||||
|
||||
|
||||
|
||||
is-plain-object
|
||||
MIT
|
||||
The MIT License (MIT)
|
||||
|
||||
Copyright (c) 2014-2017, Jon Schlinkert.
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
of this software and associated documentation files (the "Software"), to deal
|
||||
in the Software without restriction, including without limitation the rights
|
||||
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
copies of the Software, and to permit persons to whom the Software is
|
||||
furnished to do so, subject to the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be included in
|
||||
all copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
||||
THE SOFTWARE.
|
||||
|
||||
|
||||
is-stream
|
||||
MIT
|
||||
MIT License
|
||||
@@ -3537,32 +3523,6 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
||||
SOFTWARE.
|
||||
|
||||
|
||||
node-fetch
|
||||
MIT
|
||||
The MIT License (MIT)
|
||||
|
||||
Copyright (c) 2016 David Frank
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
of this software and associated documentation files (the "Software"), to deal
|
||||
in the Software without restriction, including without limitation the rights
|
||||
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
copies of the Software, and to permit persons to whom the Software is
|
||||
furnished to do so, subject to the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be included in all
|
||||
copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
||||
SOFTWARE.
|
||||
|
||||
|
||||
|
||||
normalize-path
|
||||
MIT
|
||||
The MIT License (MIT)
|
||||
@@ -4441,9 +4401,6 @@ Apache-2.0
|
||||
limitations under the License.
|
||||
|
||||
|
||||
tr46
|
||||
MIT
|
||||
|
||||
traverse
|
||||
MIT/X11
|
||||
Copyright 2010 James Halliday (mail@substack.net)
|
||||
@@ -4626,47 +4583,6 @@ FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
|
||||
OTHER DEALINGS IN THE SOFTWARE.
|
||||
|
||||
|
||||
webidl-conversions
|
||||
BSD-2-Clause
|
||||
# The BSD 2-Clause License
|
||||
|
||||
Copyright (c) 2014, Domenic Denicola
|
||||
All rights reserved.
|
||||
|
||||
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
|
||||
|
||||
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
|
||||
|
||||
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
|
||||
|
||||
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
|
||||
|
||||
whatwg-url
|
||||
MIT
|
||||
The MIT License (MIT)
|
||||
|
||||
Copyright (c) 2015–2016 Sebastian Mayr
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
of this software and associated documentation files (the "Software"), to deal
|
||||
in the Software without restriction, including without limitation the rights
|
||||
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
copies of the Software, and to permit persons to whom the Software is
|
||||
furnished to do so, subject to the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be included in
|
||||
all copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
||||
THE SOFTWARE.
|
||||
|
||||
|
||||
wrappy
|
||||
ISC
|
||||
The ISC License
|
||||
|
||||
+4
-4
@@ -4,7 +4,7 @@
|
||||
|
||||
A very basic example of how to use the action. This will run the action with the default configuration.
|
||||
|
||||
The full list of configuration options can be found [here](../README.md#configuration-options).
|
||||
See the [full list of configuration options](../README.md#configuration-options).
|
||||
|
||||
```yaml
|
||||
name: 'Dependency Review'
|
||||
@@ -112,7 +112,7 @@ jobs:
|
||||
|
||||
## Using a configuration file from an external repository with a personal access token
|
||||
|
||||
The following example will use a configuration file from an external private GtiHub repository to configure the action.
|
||||
The following example will use a configuration file from an external private GitHub repository to configure the action.
|
||||
|
||||
Let's say that the configuration file is located in `github/octorepo-private/dependency-review-config.yml@main`
|
||||
|
||||
@@ -233,7 +233,7 @@ jobs:
|
||||
fail-on-severity: critical
|
||||
deny-licenses: LGPL-2.0, BSD-2-Clause
|
||||
comment-summary-in-pr: always
|
||||
allow-dependencies-licenses: 'pkg:npm/loadash, pkg:pypi/requests'
|
||||
allow-dependencies-licenses: 'pkg:npm/lodash, pkg:pypi/requests'
|
||||
```
|
||||
|
||||
If we were to use configuration file, the configuration would look like this:
|
||||
@@ -244,7 +244,7 @@ allow-licenses:
|
||||
- 'LGPL-2.0'
|
||||
- 'BSD-2-Clause'
|
||||
allow-dependencies-licenses:
|
||||
- 'pkg:npm/loadash'
|
||||
- 'pkg:npm/lodash'
|
||||
- 'pkg:pypi/requests'
|
||||
```
|
||||
|
||||
|
||||
Generated
+561
-233
File diff suppressed because it is too large
Load Diff
+5
-5
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"name": "dependency-review-action",
|
||||
"version": "4.7.4",
|
||||
"version": "4.8.3",
|
||||
"private": true,
|
||||
"description": "A GitHub Action for Dependency Review",
|
||||
"main": "lib/main.js",
|
||||
@@ -25,7 +25,7 @@
|
||||
"author": "GitHub",
|
||||
"license": "MIT",
|
||||
"dependencies": {
|
||||
"@actions/artifact": "^2.3.2",
|
||||
"@actions/artifact": "^5.0.1",
|
||||
"@actions/core": "^1.11.1",
|
||||
"@actions/github": "^6.0.1",
|
||||
"@octokit/plugin-retry": "^6.1.0",
|
||||
@@ -36,14 +36,14 @@
|
||||
"got": "^14.4.7",
|
||||
"jest": "^29.7.0",
|
||||
"octokit": "^3.1.2",
|
||||
"spdx-expression-parse": "^3.0.1",
|
||||
"spdx-expression-parse": "^4.0.0",
|
||||
"spdx-satisfies": "^6.0.0",
|
||||
"ts-jest": "^29.4.1",
|
||||
"yaml": "^2.8.1",
|
||||
"zod": "^3.24.1"
|
||||
},
|
||||
"devDependencies": {
|
||||
"@types/jest": "^29.5.12",
|
||||
"@types/jest": "^29.5.14",
|
||||
"@types/node": "^20",
|
||||
"@types/spdx-expression-parse": "^3.0.4",
|
||||
"@typescript-eslint/eslint-plugin": "^6.21.0",
|
||||
@@ -54,7 +54,7 @@
|
||||
"eslint-plugin-github": "^4.10.2",
|
||||
"eslint-plugin-jest": "^28.8.3",
|
||||
"eslint-plugin-prettier": "^5.5.4",
|
||||
"js-yaml": "^4.1.0",
|
||||
"js-yaml": "^4.1.1",
|
||||
"nodemon": "^3.1.10",
|
||||
"prettier": "3.6.2",
|
||||
"typescript": "^5.9.2"
|
||||
|
||||
+1
-1
@@ -174,7 +174,7 @@ async function groupChanges(
|
||||
return true
|
||||
}
|
||||
|
||||
const changeAsPackageURL = parsePURL(encodeURI(change.package_url))
|
||||
const changeAsPackageURL = parsePURL(change.package_url)
|
||||
|
||||
// We want to find if the licenseExclusion list contains the PackageURL of the Change
|
||||
// If it does, we want to filter it out and therefore return false
|
||||
|
||||
+55
-15
@@ -24,9 +24,11 @@ import {getRefs} from './git-refs'
|
||||
import {groupDependenciesByManifest} from './utils'
|
||||
import {commentPr, MAX_COMMENT_LENGTH} from './comment-pr'
|
||||
import {getDeniedChanges} from './deny'
|
||||
import * as artifact from '@actions/artifact'
|
||||
import {DefaultArtifactClient} from '@actions/artifact'
|
||||
import * as fs from 'fs'
|
||||
|
||||
import type {PayloadRepository} from '@actions/github/lib/interfaces.d'
|
||||
|
||||
async function delay(ms: number): Promise<void> {
|
||||
return new Promise(resolve => setTimeout(resolve, ms))
|
||||
}
|
||||
@@ -71,7 +73,14 @@ export async function handleLargeSummary(
|
||||
return summaryContent
|
||||
}
|
||||
|
||||
const artifactClient = new artifact.DefaultArtifactClient()
|
||||
const summarySize = Math.round(
|
||||
Buffer.byteLength(summaryContent, 'utf8') / 1024
|
||||
)
|
||||
const truncatedSummary = `# Dependency Review Summary
|
||||
|
||||
The full dependency review summary was too large to display here (${summarySize}KB, limit is 1024KB).`
|
||||
|
||||
const artifactClient = new DefaultArtifactClient()
|
||||
const artifactName = 'dependency-review-summary'
|
||||
const files = ['summary.md']
|
||||
|
||||
@@ -84,20 +93,34 @@ export async function handleLargeSummary(
|
||||
retentionDays: 1
|
||||
})
|
||||
|
||||
// Return a minimal summary with a link to the artifact
|
||||
return `# Dependency Review Summary
|
||||
// Return a shorter summary with a link to the artifact
|
||||
const shortSummary = `${truncatedSummary}
|
||||
|
||||
The full dependency review summary is too large to display here. Please download the artifact named "${artifactName}" to view the complete report.
|
||||
Please download the artifact named "${artifactName}" to view the complete report.
|
||||
|
||||
[View full job summary](${process.env.GITHUB_SERVER_URL}/${process.env.GITHUB_REPOSITORY}/actions/runs/${process.env.GITHUB_RUN_ID})`
|
||||
|
||||
// Set core.summary to the shorter summary value to avoid exceeding MAX_SUMMARY_SIZE
|
||||
core.summary.emptyBuffer()
|
||||
core.summary.addRaw(shortSummary)
|
||||
return shortSummary
|
||||
} catch (error) {
|
||||
core.warning(
|
||||
`Failed to handle large summary: ${error instanceof Error ? error.message : 'Unknown error'}`
|
||||
`Failed to upload large summary as artifact: ${error instanceof Error ? error.message : 'Unknown error'}`
|
||||
)
|
||||
return summaryContent
|
||||
// Even though artifact upload failed, we must still replace the buffer
|
||||
// with a truncated summary to prevent core.summary.write() from failing
|
||||
// with the oversized content (see issue #867)
|
||||
core.summary.emptyBuffer()
|
||||
core.summary.addRaw(truncatedSummary)
|
||||
return truncatedSummary
|
||||
}
|
||||
}
|
||||
|
||||
interface RepoWithPrivate extends PayloadRepository {
|
||||
private: boolean
|
||||
}
|
||||
|
||||
async function run(): Promise<void> {
|
||||
try {
|
||||
const config = await readConfig()
|
||||
@@ -235,9 +258,20 @@ async function run(): Promise<void> {
|
||||
`Dependency review could not obtain dependency data for the specified owner, repository, or revision range.`
|
||||
)
|
||||
} else if (error instanceof RequestError && error.status === 403) {
|
||||
core.setFailed(
|
||||
`Dependency review is not supported on this repository. Please ensure that Dependency graph is enabled along with GitHub Advanced Security on private repositories, see ${github.context.serverUrl}/${github.context.repo.owner}/${github.context.repo.repo}/settings/security_analysis`
|
||||
)
|
||||
let repoIsPrivate = false
|
||||
if ('repository' in github.context.payload) {
|
||||
const repo = github.context.payload.repository as RepoWithPrivate
|
||||
repoIsPrivate = repo.private
|
||||
}
|
||||
if (repoIsPrivate) {
|
||||
core.setFailed(
|
||||
`Dependency review is not supported on this repository. Please ensure that Dependency graph is enabled along with GitHub Advanced Security, see ${github.context.serverUrl}/${github.context.repo.owner}/${github.context.repo.repo}/settings/security_analysis`
|
||||
)
|
||||
} else {
|
||||
core.setFailed(
|
||||
`Dependency review is not supported on this repository. Please ensure that Dependency graph is enabled, see ${github.context.serverUrl}/${github.context.repo.owner}/${github.context.repo.repo}/settings/security_analysis`
|
||||
)
|
||||
}
|
||||
} else {
|
||||
if (error instanceof Error) {
|
||||
core.setFailed(error.message)
|
||||
@@ -246,7 +280,13 @@ async function run(): Promise<void> {
|
||||
}
|
||||
}
|
||||
} finally {
|
||||
await core.summary.write()
|
||||
try {
|
||||
await core.summary.write()
|
||||
} catch (error) {
|
||||
core.warning(
|
||||
`Failed to write job summary: ${error instanceof Error ? error.message : 'Unknown error'}`
|
||||
)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -256,13 +296,13 @@ async function printVulnerabilitiesBlock(
|
||||
warnOnly: boolean
|
||||
): Promise<boolean> {
|
||||
return core.group('Vulnerabilities', async () => {
|
||||
let vulFound = false
|
||||
let vulnFound = false
|
||||
|
||||
for (const change of addedChanges) {
|
||||
vulFound ||= printChangeVulnerabilities(change)
|
||||
vulnFound ||= printChangeVulnerabilities(change)
|
||||
}
|
||||
|
||||
if (vulFound) {
|
||||
if (vulnFound) {
|
||||
const msg = 'Dependency review detected vulnerable packages.'
|
||||
if (warnOnly) {
|
||||
core.warning(msg)
|
||||
@@ -275,7 +315,7 @@ async function printVulnerabilitiesBlock(
|
||||
)
|
||||
}
|
||||
|
||||
return vulFound
|
||||
return vulnFound
|
||||
})
|
||||
}
|
||||
|
||||
|
||||
+2
-2
@@ -12,7 +12,7 @@ const icons = {
|
||||
|
||||
const MAX_SCANNED_FILES_BYTES = 1048576
|
||||
|
||||
// generates the DR report summmary and caches it to the Action's core.summary.
|
||||
// generates the DR report summary and caches it to the Action's core.summary.
|
||||
// returns the DR summary string, ready to be posted as a PR comment if the
|
||||
// final DR report is too large
|
||||
export function addSummaryToSummary(
|
||||
@@ -112,7 +112,7 @@ export function addSummaryToSummary(
|
||||
|
||||
function addDenyListsDeprecationWarningToSummary(): void {
|
||||
core.summary.addRaw(
|
||||
`${icons.warning} <strong>Deprecation Warning</strong>: The <em>deny-licenses</em> option is deprecated for possible removal in the next major release. For more information, see actions/dependency-review-action/issues/938.`,
|
||||
`${icons.warning} <strong>Deprecation Warning</strong>: The <em>deny-licenses</em> option is deprecated for possible removal in the next major release. For more information, see issue 997.`,
|
||||
true
|
||||
)
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user