Comparing changes in actions/dependency-review-action: base v4.3.3 ... head v4.3.4

Commits on Jun 6, 2024

  1. Bump undici from 5.28.3 to 5.28.4

    Bumps [undici](https://github.com/nodejs/undici) from 5.28.3 to 5.28.4.
    - [Release notes](https://github.com/nodejs/undici/releases)
    - [Commits](nodejs/undici@v5.28.3...v5.28.4)
    
    ---
    updated-dependencies:
    - dependency-name: undici
      dependency-type: indirect
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    dependabot[bot] authored Jun 6, 2024
    c0630c2

Commits on Jun 7, 2024

  1. 2224c7c
  2. Merge pull request #782 from actions/dependabot/npm_and_yarn/undici-5.28.4

    Bump undici from 5.28.3 to 5.28.4
    elireisman authored Jun 7, 2024
    8285e75
  3. only filter out removed changes from the original PR diff when adding scorecard entries in DR Action report

    elireisman committed Jun 7, 2024
    e69288d
  4. npm run package

    elireisman committed Jun 7, 2024
    1e5b2e6
  5. Merge pull request #783 from actions/elireisman/all-changes-to-scorecard

    Include all added dependencies in scorecard entries
    elireisman authored Jun 7, 2024
    df5d74f

Commits on Jun 10, 2024

  1. Bump got from 14.2.0 to 14.4.1

    Bumps [got](https://github.com/sindresorhus/got) from 14.2.0 to 14.4.1.
    - [Release notes](https://github.com/sindresorhus/got/releases)
    - [Commits](sindresorhus/got@v14.2.0...v14.4.1)
    
    ---
    updated-dependencies:
    - dependency-name: got
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    dependabot[bot] authored Jun 10, 2024
    2115d9e
  2. 154c150
  3. bc5b235
  4. register spdx lib as ES Module, start converting call sites to use new spdx pkg - TODO: update tests

    elireisman committed Jun 10, 2024
    ecd706f
  5. 2e4eaa4
  6. bbed6f3
  7. ed624db
  8. npm run package

    elireisman committed Jun 10, 2024
    f60d593
  9. d85edeb
  10. b4ae47c

Commits on Jul 8, 2024

  1. Bump braces from 3.0.2 to 3.0.3

    Bumps [braces](https://github.com/micromatch/braces) from 3.0.2 to 3.0.3.
    - [Changelog](https://github.com/micromatch/braces/blob/master/CHANGELOG.md)
    - [Commits](micromatch/braces@3.0.2...3.0.3)
    
    ---
    updated-dependencies:
    - dependency-name: braces
      dependency-type: indirect
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    dependabot[bot] authored Jul 8, 2024
    465867c
  2. Merge pull request #789 from actions/dependabot/npm_and_yarn/braces-3.0.3

    Bump braces from 3.0.2 to 3.0.3
    juxtin authored Jul 8, 2024
    d6f34c3

Commits on Jul 10, 2024

  1. Merge pull request #719 from actions/change-spdx-parser

    Update SPDX Expression Parsing
    juxtin authored Jul 10, 2024
    28743f8
  2. Merge pull request #784 from actions/dependabot/npm_and_yarn/got-14.4.1

    Bump got from 14.2.0 to 14.4.1
    juxtin authored Jul 10, 2024
    986fce9
  3. Bump zod from 3.22.4 to 3.23.8

    Bumps [zod](https://github.com/colinhacks/zod) from 3.22.4 to 3.23.8.
    - [Release notes](https://github.com/colinhacks/zod/releases)
    - [Changelog](https://github.com/colinhacks/zod/blob/master/CHANGELOG.md)
    - [Commits](colinhacks/zod@v3.22.4...v3.23.8)
    
    ---
    updated-dependencies:
    - dependency-name: zod
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    dependabot[bot] authored Jul 10, 2024
    08b5bf2
  4. Update dist

    juxtin authored Jul 10, 2024
    0085d30
  5. Merge pull request #769 from actions/dependabot/npm_and_yarn/zod-3.23.8

    Bump zod from 3.22.4 to 3.23.8
    juxtin authored Jul 10, 2024
    8c152c7

Commits on Jul 11, 2024

  1. d9ab9c8
  2. Merge pull request #790 from actions/juxtin/update-version

    Prepare for v4.3.4 release
    juxtin authored Jul 11, 2024
    3e2b917
  3. Prepare even more for v4.3.4

    juxtin authored Jul 11, 2024
    ac6a6ad
  4. Merge pull request #791 from actions/juxtin/update-version

    Prepare even more for v4.3.4
    juxtin authored Jul 11, 2024
    5a2ce3f
24 changes: 8 additions & 16 deletions __tests__/config.test.ts
@@ -1,13 +1,9 @@
import {expect, test, beforeEach} from '@jest/globals'
import {readConfig} from '../src/config'
import {getRefs} from '../src/git-refs'
import * as Utils from '../src/utils'
import * as spdx from '../src/spdx'
import {setInput, clearInputs} from './test-helpers'

beforeAll(() => {
jest.spyOn(Utils, 'isSPDXValid').mockReturnValue(true)
})

beforeEach(() => {
clearInputs()
})
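Review bot: `import * as spdx from '../src/spdx'` is added here, but nothing in the visible hunks of this file references `spdx`; the only thing removed alongside it is the `Utils.isSPDXValid` spy. If no later test in the file uses it, drop the import so `@typescript-eslint/no-unused-vars` stays clean. Removing the `beforeAll` spy itself is the right call: it returned `true` unconditionally, so none of the config tests ever exercised a real identifier check.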
@@ -19,11 +15,11 @@ test('it defaults to low severity', async () => {

test('it reads custom configs', async () => {
setInput('fail-on-severity', 'critical')
setInput('allow-licenses', ' BSD, GPL 2')
setInput('allow-licenses', 'ISC, GPL-2.0')

const config = await readConfig()
expect(config.fail_on_severity).toEqual('critical')
expect(config.allow_licenses).toEqual(['BSD', 'GPL 2'])
expect(config.allow_licenses).toEqual(['ISC', 'GPL-2.0'])
})

test('it defaults to false for warn-only', async () => {
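Review bot: replacing `' BSD, GPL 2'` with `'ISC, GPL-2.0'` also drops the leading space, so this happy-path test no longer checks that the first entry of `allow-licenses` is trimmed; only the invalid-license tests further down keep a leading-space input (`' BSD-YOLO, GPL-2.0'`). Keep a space in front of `ISC` here, or add a dedicated trimming assertion, so that behaviour stays covered where the result is a parsed list. The new values are needed regardless, since `BSD` and `GPL 2` are not SPDX identifiers and would be rejected once the spy is gone.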
@@ -40,7 +36,7 @@ test('it defaults to empty allow/deny lists ', async () => {

test('it raises an error if both an allow and denylist are specified', async () => {
setInput('allow-licenses', 'MIT')
setInput('deny-licenses', 'BSD')
setInput('deny-licenses', 'BSD-3-Clause')

await expect(readConfig()).rejects.toThrow(
'You cannot specify both allow-licenses and deny-licenses'
@@ -204,21 +200,17 @@ test('it is not possible to disable both checks', async () => {
})

describe('licenses that are not valid SPDX licenses', () => {
beforeAll(() => {
jest.spyOn(Utils, 'isSPDXValid').mockReturnValue(false)
})

test('it raises an error for invalid licenses in allow-licenses', async () => {
setInput('allow-licenses', ' BSD, GPL 2')
setInput('allow-licenses', ' BSD-YOLO, GPL-2.0')
await expect(readConfig()).rejects.toThrow(
'Invalid license(s) in allow-licenses: BSD,GPL 2'
'Invalid license(s) in allow-licenses: BSD-YOLO'
)
})

test('it raises an error for invalid licenses in deny-licenses', async () => {
setInput('deny-licenses', ' BSD, GPL 2')
setInput('deny-licenses', ' GPL-2.0, BSD-YOLO, Apache-2.0, ToIll')
await expect(readConfig()).rejects.toThrow(
'Invalid license(s) in deny-licenses: BSD,GPL 2'
'Invalid license(s) in deny-licenses: BSD-YOLO, ToIll'
)
})
})
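Review bot: the expected error text changes its separator from `BSD,GPL 2` (plain `Array#toString`) to `BSD-YOLO, ToIll` (joined with `', '`), so the message built by `readConfig` in `src/config.ts` must have changed too, and that file is not part of this diff; confirm the source change and mention the new wording in the release notes, since people grep action logs for it. The new inputs are a better test than the old ones: mixing valid (`GPL-2.0`, `Apache-2.0`) and invalid (`BSD-YOLO`, `ToIll`) identifiers checks that only the invalid entries are reported, whereas the old `mockReturnValue(false)` rejected everything and proved little.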
5 changes: 0 additions & 5 deletions __tests__/deny.test.ts
@@ -33,11 +33,6 @@ jest.mock('octokit', () => {

beforeEach(async () => {
jest.resetModules()
jest.doMock('spdx-satisfies', () => {
// mock spdx-satisfies return value
// true for BSD, false for all others
return jest.fn((license: string, _: string): boolean => license === 'BSD')
})

npmChange = createTestChange({ecosystem: 'npm'})
rubyChange = createTestChange({ecosystem: 'rubygems'})
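Review bot: with the `spdx-satisfies` `doMock` gone, the `jest.resetModules()` on the first line of `beforeEach` has no visible purpose (the `octokit` mock above it is a hoisted `jest.mock`, which needs no module reset); drop it unless another `doMock` in the file still depends on it. The removed mock also treated the bare string `'BSD'` as the only satisfying licence, so any fixture in this file that still carries `license: 'BSD'` (the equivalent fixture in `licenses.test.ts` moves to `'BSD-3-Clause'` in this same diff) would now be evaluated by the real parser; nothing in this hunk shows the `createTestChange` fixtures being updated, so check they were.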
8 changes: 2 additions & 6 deletions __tests__/external-config.test.ts
@@ -1,6 +1,6 @@
import {expect, test, beforeEach} from '@jest/globals'
import {readConfig} from '../src/config'
import * as Utils from '../src/utils'
import * as spdx from '../src/spdx'
import {setInput, clearInputs} from './test-helpers'

const externalConfig = `fail_on_severity: 'high'
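Review bot: same point as in `config.test.ts`: `import * as spdx from '../src/spdx'` replaces the `Utils` import but is not referenced in any visible hunk of this file; remove it if nothing else uses it.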
@@ -25,10 +25,6 @@ jest.mock('octokit', () => {
}
})

beforeAll(() => {
jest.spyOn(Utils, 'isSPDXValid').mockReturnValue(true)
})

beforeEach(() => {
clearInputs()
})
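Review bot: removing the `isSPDXValid` spy means `readConfig` now runs the real identifier check against the YAML fixture, so this test only keeps passing because `__tests__/fixtures/config-allow-sample.yml` moves to `BSD-3-Clause` / `GPL-2.0` in the same diff; keep the fixture and test changes in one commit so `git bisect` never lands on a state where the external-config test fails on `'BSD'`.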
@@ -38,7 +34,7 @@ test('it reads an external config file', async () => {

const config = await readConfig()
expect(config.fail_on_severity).toEqual('critical')
expect(config.allow_licenses).toEqual(['BSD', 'GPL 2'])
expect(config.allow_licenses).toEqual(['BSD-3-Clause', 'GPL-2.0'])
})

test('raises an error when the config file was not found', async () => {
4 changes: 2 additions & 2 deletions __tests__/fixtures/config-allow-sample.yml
@@ -1,4 +1,4 @@
fail_on_severity: critical
allow_licenses:
- 'BSD'
- 'GPL 2'
- 'BSD-3-Clause'
- 'GPL-2.0'
59 changes: 29 additions & 30 deletions __tests__/licenses.test.ts
@@ -1,7 +1,6 @@
import {expect, jest, test} from '@jest/globals'
import {Change, Changes} from '../src/schemas'

let getInvalidLicenseChanges: Function
import {getInvalidLicenseChanges} from '../src/licenses'

const npmChange: Change = {
manifest: 'package.json',
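Review bot: switching from `let getInvalidLicenseChanges: Function` plus a per-test `require` to a static import is an improvement (a typed signature and no `eslint-disable` for `no-require-imports`), but it also means `jest.resetModules()` / `jest.doMock` can no longer swap the implementation this module sees; any remaining test in the file that relies on re-requiring `../src/licenses` after a mock would silently run against the real module, so audit the rest of the file for such patterns.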
@@ -30,7 +29,7 @@ const rubyChange: Change = {
name: 'actionsomething',
version: '3.2.0',
package_url: 'pkg:gem/actionsomething@3.2.0',
license: 'BSD',
license: 'BSD-3-Clause',
source_repository_url: 'github.com/some-repo',
scope: 'runtime',
vulnerabilities: [
@@ -100,29 +99,32 @@ jest.mock('octokit', () => {

beforeEach(async () => {
jest.resetModules()
jest.doMock('spdx-satisfies', () => {
// mock spdx-satisfies return value
// true for BSD, false for all others
return jest.fn((license: string, _: string): boolean => license === 'BSD')
})
// eslint-disable-next-line @typescript-eslint/no-require-imports
;({getInvalidLicenseChanges} = require('../src/licenses'))
})

test('it adds license outside the allow list to forbidden changes', async () => {
const changes: Changes = [npmChange, rubyChange]
const changes: Changes = [
npmChange, // MIT license
rubyChange // BSD license
]

const {forbidden} = await getInvalidLicenseChanges(changes, {
allow: ['BSD']
allow: ['BSD-3-Clause']
})

expect(forbidden[0]).toBe(npmChange)
expect(forbidden.length).toEqual(1)
})

test('it adds license inside the deny list to forbidden changes', async () => {
const changes: Changes = [npmChange, rubyChange]
const changes: Changes = [
npmChange, // MIT license
rubyChange // BSD license
]

const {forbidden} = await getInvalidLicenseChanges(changes, {
deny: ['BSD']
deny: ['BSD-3-Clause']
})

expect(forbidden[0]).toBe(rubyChange)
expect(forbidden.length).toEqual(1)
})
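Review bot: `beforeEach` now contains only `jest.resetModules()`; with the `doMock` and the `require('../src/licenses')` removed and the function imported statically at the top of the file, the reset no longer affects the code under test, so the hook can go. Minor: the inline comment `// BSD license` on `rubyChange` should read `// BSD-3-Clause license`, since that is the identifier the fixture and the `allow` / `deny` lists in these two tests now use.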
@@ -133,7 +135,7 @@ test('it does not add license outside the allow list to forbidden changes if it
{...rubyChange, change_type: 'removed'}
]
const {forbidden} = await getInvalidLicenseChanges(changes, {
allow: ['BSD']
allow: ['BSD-3-Clause']
})
expect(forbidden).toStrictEqual([])
})
@@ -144,7 +146,7 @@ test('it does not add license inside the deny list to forbidden changes if it is
{...rubyChange, change_type: 'removed'}
]
const {forbidden} = await getInvalidLicenseChanges(changes, {
deny: ['BSD']
deny: ['BSD-3-Clause']
})
expect(forbidden).toStrictEqual([])
})
@@ -156,23 +158,18 @@ test('it adds license outside the allow list to forbidden changes if it is in bo
{...rubyChange, change_type: 'removed'}
]
const {forbidden} = await getInvalidLicenseChanges(changes, {
allow: ['BSD']
allow: ['BSD-3-Clause']
})
expect(forbidden).toStrictEqual([npmChange])
})

test('it adds all licenses to unresolved if it is unable to determine the validity', async () => {
jest.resetModules() // reset module set in before
jest.doMock('spdx-satisfies', () => {
return jest.fn((_first: string, _second: string) => {
throw new Error('Some Error')
})
})
// eslint-disable-next-line @typescript-eslint/no-require-imports
;({getInvalidLicenseChanges} = require('../src/licenses'))
const changes: Changes = [npmChange, rubyChange]
const changes: Changes = [
{...npmChange, license: 'Foo'},
{...rubyChange, license: 'Bar'}
]
const invalidLicenses = await getInvalidLicenseChanges(changes, {
allow: ['BSD']
allow: ['Apache-2.0']
})
expect(invalidLicenses.forbidden.length).toEqual(0)
expect(invalidLicenses.unlicensed.length).toEqual(0)
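Review bot: the test is still named 'it adds all licenses to unresolved if it is unable to determine the validity', but it no longer exercises the failure path (a validator that throws, which the removed `doMock` simulated); it now feeds the unknown identifiers `'Foo'` and `'Bar'` to the real parser and, in the visible lines, only asserts that `forbidden` and `unlicensed` are empty. Either rename it to say it covers unrecognised identifiers, or keep a second test that makes the validator throw, so the error-handling branch in `getInvalidLicenseChanges` keeps coverage. Also assert on `unresolved` explicitly (`expect(invalidLicenses.unresolved.length).toEqual(2)`) if the lines below the hunk do not already.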
@@ -182,7 +179,7 @@ test('it adds all licenses to unresolved if it is unable to determine the validi
test('it does not filter out changes that are on the exclusions list', async () => {
const changes: Changes = [pipChange, npmChange, rubyChange]
const licensesConfig = {
allow: ['BSD'],
allow: ['BSD-3-Clause'],
licenseExclusions: ['pkg:pypi/package-1@1.1.1', 'pkg:npm/reeuhq@1.0.2']
}
const invalidLicenses = await getInvalidLicenseChanges(
@@ -198,7 +195,7 @@ test('it does not fail when the packages dont have a valid PURL', async () => {

const changes: Changes = [emptyPurlChange, npmChange, rubyChange]
const licensesConfig = {
allow: ['BSD'],
allow: ['BSD-3-Clause'],
licenseExclusions: ['pkg:pypi/package-1@1.1.1', 'pkg:npm/reeuhq@1.0.2']
}

@@ -212,16 +209,18 @@ test('it does not fail when the packages dont have a valid PURL', async () => {
test('it does filters out changes if they are not on the exclusions list', async () => {
const changes: Changes = [pipChange, npmChange, rubyChange]
const licensesConfig = {
allow: ['BSD'],
allow: ['BSD-3-Clause'],
licenseExclusions: [
'pkg:pypi/notmypackage-1@1.1.1',
'pkg:npm/alsonot@1.0.2'
]
}

const invalidLicenses = await getInvalidLicenseChanges(
changes,
licensesConfig
)

expect(invalidLicenses.forbidden.length).toEqual(2)
expect(invalidLicenses.forbidden[0]).toBe(pipChange)
expect(invalidLicenses.forbidden[1]).toBe(npmChange)
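Review bot: apart from `BSD-3-Clause` this hunk is an indentation reflow of `licenseExclusions`, so it reads as a formatter change and is fine as such. While here, the test title `it does filters out changes if they are not on the exclusions list` (context line at the top of the hunk) has a grammar slip and describes the inverse of what is asserted: the non-excluded `pipChange` and `npmChange` end up in `forbidden`. `it does not exclude changes that are not on the exclusions list` would match the assertions.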