Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add none as option for fail-on-severity #432

Merged
merged 25 commits into from Feb 11, 2024
Merged

Add none as option for fail-on-severity #432

Show file tree
Hide file tree
Changes from 24 commits
Commits
Show all changes
25 commits
Select commit Hold shift + click to select a range
621d03b
Add none as option for fail-on-severity
tgrall Mar 17, 2023
cc302f4
fix linter/format
tgrall Mar 20, 2023
78f160d
Update README.md
courtneycl Apr 3, 2023
0b053fc
add new parameter warn_only
tgrall Jun 12, 2023
a3a8a9c
new build
tgrall Jun 12, 2023
d833109
new build
tgrall Jun 13, 2023
f1e6d67
wan only
tgrall Jun 13, 2023
995bb84
new dev
tgrall Jun 13, 2023
9b290a1
fix ini of warn-only param
tgrall Jun 13, 2023
7ed3405
warn_only_test_
tgrall Jun 14, 2023
13c4496
update doc
tgrall Jun 14, 2023
3b37a4e
update documentation
tgrall Jun 14, 2023
fc49851
merge from main and fix code review comment from @juxtin
tgrall Jan 28, 2024
f157684
package the action
tgrall Jan 28, 2024
d6f324d
fix typo in readme
tgrall Jan 28, 2024
f91404c
set status to low when warn-only is set to true
tgrall Jan 28, 2024
0bab6ff
Fix vulnerability check to print warnings instead
tgrall Jan 28, 2024
b0a705d
Fix license printing bug in main.ts
tgrall Jan 28, 2024
ee5bd47
debug behavior
tgrall Jan 28, 2024
9e251a5
dist
tgrall Jan 28, 2024
2c52685
new debug test
tgrall Jan 28, 2024
05d8612
finalize testing
tgrall Jan 28, 2024
98e8293
Update Readme and action.yml based on review comments
tgrall Feb 1, 2024
8f3df4d
fix ci failure on format-check
tgrall Feb 2, 2024
c2936a6
fix reviewed done by @juxtin - bad line in yml
tgrall Feb 10, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
35 changes: 19 additions & 16 deletions README.md
View file
Open in desktop
Expand Up @@ -66,27 +66,30 @@ jobs:

Configure this action by either inlining these options in your workflow file, or by using an external configuration file. All configuration options are optional.

| Option | Usage | Possible values | Default value |
| -------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------ | ------------- |
| `fail-on-severity` | Defines the threshold for the level of severity. The action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher. | `low`, `moderate`, `high`, `critical` | `low` |
| `allow-licenses`\* | Contains a list of allowed licenses. The action will fail on pull requests that introduce dependencies with licenses that do not match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `deny-licenses`\* | Contains a list of prohibited licenses. The action will fail on pull requests that introduce dependencies with licenses that match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `fail-on-scopes`† | Contains a list of strings of the build environments you want to support. The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list. | `runtime`, `development`, `unknown` | `runtime` |
| `allow-ghsas` | Contains a list of GitHub Advisory Database IDs that can be skipped during detection. | Any GHSAs from the [GitHub Advisory Database](https://github.com/advisories) | none |
| `license-check` | Enable or disable the license check performed by the action. | `true`, `false` | `true` |
| `vulnerability-check` | Enable or disable the vulnerability check performed by the action. | `true`, `false` | `true` |
| `allow-dependencies-licenses`\* | Contains a list of packages that will be excluded from license checks. | Any package(s) in [purl](https://github.com/package-url/purl-spec) format | none |
| `base-ref`/`head-ref` | Provide custom git references for the git base/head when performing the comparison check. This is only used for event types other than `pull_request` and `pull_request_target`. | Any valid git ref(s) in your project | none |
| `comment-summary-in-pr` | Enable or disable reporting the review summary as a comment in the pull request. If enabled, you must give the workflow or job permission `pull-requests: write`. | `always`, `on-failure`, `never` | `never` |
| `deny-packages` | Any number of packages to block in a PR. | Package(s) in [purl](https://github.com/package-url/purl-spec) format | empty |
| `deny-groups` | Any number of groups (namespaces) to block in a PR. | Namespace(s) in [purl](https://github.com/package-url/purl-spec) format (no package name, no version number) | empty |
| `retry-on-snapshot-warnings`\* | Enable or disable retrying the action every 10 seconds while waiting for dependency submission actions to complete. | `true`, `false` | `false` |
| `retry-on-snapshot-warnings-timeout`\* | Maximum amount of time (in seconds) to retry the action while waiting for dependency submission actions to complete. | Any positive integer | 120 |
| Option | Usage | Possible values | Default value |
| -------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------ | ------------- |
| `fail-on-severity` | Defines the threshold for the level of severity. The action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher. | `low`, `moderate`, `high`, `critical` | `low` |
| `allow-licenses`\* | Contains a list of allowed licenses. The action will fail on pull requests that introduce dependencies with licenses that do not match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `deny-licenses`\* | Contains a list of prohibited licenses. The action will fail on pull requests that introduce dependencies with licenses that match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `fail-on-scopes`† | Contains a list of strings of the build environments you want to support. The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list. | `runtime`, `development`, `unknown` | `runtime` |
| `allow-ghsas` | Contains a list of GitHub Advisory Database IDs that can be skipped during detection. | Any GHSAs from the [GitHub Advisory Database](https://github.com/advisories) | none |
| `license-check` | Enable or disable the license check performed by the action. | `true`, `false` | `true` |
| `vulnerability-check` | Enable or disable the vulnerability check performed by the action. | `true`, `false` | `true` |
| `allow-dependencies-licenses`\* | Contains a list of packages that will be excluded from license checks. | Any package(s) in [purl](https://github.com/package-url/purl-spec) format | none |
| `base-ref`/`head-ref` | Provide custom git references for the git base/head when performing the comparison check. This is only used for event types other than `pull_request` and `pull_request_target`. | Any valid git ref(s) in your project | none |
| `comment-summary-in-pr` | Enable or disable reporting the review summary as a comment in the pull request. If enabled, you must give the workflow or job permission `pull-requests: write`. | `always`, `on-failure`, `never` | `never` |
| `deny-packages` | Any number of packages to block in a PR. | Package(s) in [purl](https://github.com/package-url/purl-spec) format | empty |
| `deny-groups` | Any number of groups (namespaces) to block in a PR. | Namespace(s) in [purl](https://github.com/package-url/purl-spec) format (no package name, no version number) | empty |
| `retry-on-snapshot-warnings`\* | Enable or disable retrying the action every 10 seconds while waiting for dependency submission actions to complete. | `true`, `false` | `false` |
| `retry-on-snapshot-warnings-timeout`\* | Maximum amount of time (in seconds) to retry the action while waiting for dependency submission actions to complete. | Any positive integer | 120 |
| `warn-only`+ | When set to `true`, the action will log all vulnerabilities as warnings regardless of the severity, and the action will complete with a `success` status. This overrides the `fail-on-severity` option. | `true`, `false` | `false` |

\*not supported for use with GitHub Enterprise Server

†will be supported with GitHub Enterprise Server 3.8

+when `warn-only` is set to `true`, all vulnerabilities, independently of the severity, will be reported as warnings and the action will not fail.

### Inline Configuration

You can pass options to the Dependency Review GitHub Action using your workflow file.
Expand Down
5 changes: 5 additions & 0 deletions __tests__/config.test.ts
View file
Open in desktop
Expand Up @@ -26,6 +26,11 @@ test('it reads custom configs', async () => {
expect(config.allow_licenses).toEqual(['BSD', 'GPL 2'])
})

test('it defaults to false for warn-only', async () => {
const config = await readConfig()
expect(config.warn_only).toEqual(false)
})

test('it defaults to empty allow/deny lists ', async () => {
const config = await readConfig()

Expand Down
3 changes: 2 additions & 1 deletion __tests__/summary.test.ts
View file
Open in desktop
Expand Up @@ -28,7 +28,8 @@ const defaultConfig: ConfigurationOptions = {
deny_groups: [],
comment_summary_in_pr: true,
retry_on_snapshot_warnings: false,
retry_on_snapshot_warnings_timeout: 120
retry_on_snapshot_warnings_timeout: 120,
warn_only: false
}

const changesWithEmptyManifests: Changes = [
Expand Down
3 changes: 2 additions & 1 deletion __tests__/test-helpers.ts
View file
Open in desktop
Expand Up @@ -18,7 +18,8 @@ export function clearInputs(): void {
'CONFIG-FILE',
'BASE-REF',
'HEAD-REF',
'COMMENT-SUMMARY-IN-PR'
'COMMENT-SUMMARY-IN-PR',
'WARN-ONLY'
]

// eslint-disable-next-line github/array-foreach
Expand Down
6 changes: 6 additions & 0 deletions action.yml
View file
Open in desktop
Expand Up @@ -61,6 +61,12 @@ inputs:
description: Number of seconds to wait before stopping snapshot retries.
required: false
default: 120
warn-only:
description: When set to `true` this action will always complete with success, overriding the `fail-on-severity` parameter.
Comment
tgrall marked this conversation as resolved.
Show resolved Hide resolved
required: false
default: false

runs:
using: 'node20'
main: 'dist/index.js'
48 changes: 35 additions & 13 deletions dist/index.js
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion dist/index.js.map
View file
Open in desktop

Large diffs are not rendered by default.

3 changes: 2 additions & 1 deletion scripts/create_summary.ts
View file
Open in desktop
Expand Up @@ -32,7 +32,8 @@ const defaultConfig: ConfigurationOptions = {
],
comment_summary_in_pr: true,
retry_on_snapshot_warnings: false,
retry_on_snapshot_warnings_timeout: 120
retry_on_snapshot_warnings_timeout: 120,
warn_only: false
}

const tmpDir = path.resolve(__dirname, '../tmp')
Expand Down
4 changes: 3 additions & 1 deletion src/config.ts
View file
Open in desktop
Expand Up @@ -47,6 +47,7 @@ function readInlineConfig(): ConfigurationOptionsPartial {
const retry_on_snapshot_warnings_timeout = getOptionalNumber(
'retry-on-snapshot-warnings-timeout'
)
const warn_only = getOptionalBoolean('warn-only')

validatePURL(allow_dependencies_licenses)
validateLicenses('allow-licenses', allow_licenses)
Expand All @@ -67,7 +68,8 @@ function readInlineConfig(): ConfigurationOptionsPartial {
head_ref,
comment_summary_in_pr,
retry_on_snapshot_warnings,
retry_on_snapshot_warnings_timeout
retry_on_snapshot_warnings_timeout,
warn_only
}

return Object.fromEntries(
Expand Down