actions · virangdoshi · Nov 22, 2023 · Nov 22, 2023 · Nov 22, 2023 · Nov 22, 2023
@@ -121,3 +121,17 @@ test('it properly filters changes with allowed vulnerabilities', async () => {
   result = filterAllowedAdvisories(['second-random_string'], changes)
   expect(result).toEqual([npmChange, rubyChange, noVulnNpmChange])
 })
+
+test('it properly filters by severity and also allowed vulnerabilities', async () => {
+  const changes = [rubyChange]
+
+  // filter by severity first then by allowed advisory
+  let tempResult = filterChangesBySeverity('moderate', changes)
+  let result = filterAllowedAdvisories(['second-random_string'], tempResult)
+  expect(result).toEqual([])
+
+  //filter by allowed advisory first then by severity (yields different output)
+  tempResult = filterAllowedAdvisories(['second-random_string'], changes)
+  result = filterChangesBySeverity('moderate', tempResult)
+  expect(result).not.toEqual([])
+})
@@ -82,23 +82,22 @@ async function run(): Promise<void> {
 
     const minSeverity = config.fail_on_severity
     const scopedChanges = filterChangesByScopes(config.fail_on_scopes, changes)
-    const filteredChanges = filterAllowedAdvisories(
-      config.allow_ghsas,
-      scopedChanges
-    )
-
-    const vulnerableChanges = filterChangesBySeverity(
+    const filteredChanges = filterChangesBySeverity(
       minSeverity,
-      filteredChanges
+      scopedChanges
     ).filter(
       change =>
         change.change_type === 'added' &&
         change.vulnerabilities !== undefined &&
         change.vulnerabilities.length > 0
     )
 
+    const vulnerableChanges = filterAllowedAdvisories(
+      config.allow_ghsas,
+      filteredChanges
+    )
     const invalidLicenseChanges = await getInvalidLicenseChanges(
-      filteredChanges,
+      scopedChanges,
       {
         allow: config.allow_licenses,
         deny: config.deny_licenses,
@@ -108,9 +107,10 @@ async function run(): Promise<void> {
 
     core.debug(`Filtered Changes: ${JSON.stringify(filteredChanges)}`)
     core.debug(`Config Deny Packages: ${JSON.stringify(config)}`)
+    core.debug(`Vulnerable Changes: ${JSON.stringify(vulnerableChanges)}`)
 
     const deniedChanges = await getDeniedChanges(
-      filteredChanges,
+      scopedChanges,
       config.deny_packages,
       config.deny_groups
     )