dependency-review-action/scripts/create_summary.ts

/**
 * This scripts creates example markdown files for the summary in the ./tmp folder.
 * You can use it to preview changes to the summary.
 *
 * You can execute it like this:
 * npx ts-node scripts/create_summary.ts
 */

import {Change, Changes, ConfigurationOptions, Scorecard} from '../src/schemas'
import {createTestChange} from '../__tests__/fixtures/create-test-change'
import {InvalidLicenseChanges} from '../src/licenses'
import * as fs from 'fs'
import * as core from '@actions/core'
import * as summary from '../src/summary'
import * as path from 'path'

const defaultConfig: ConfigurationOptions = {
  vulnerability_check: true,
  license_check: true,
  fail_on_severity: 'high',
  fail_on_scopes: ['runtime'],
  allow_ghsas: [],
  allow_licenses: ['MIT'],
  deny_licenses: [],
  deny_packages: [],
  deny_groups: [],
  allow_dependencies_licenses: [
    'pkg:npm/express@4.17.1',
    'pkg:pypi/requests',
    'pkg:pypi/certifi',
    'pkg:pypi/pycrypto@2.6.1'
  ],
  comment_summary_in_pr: true,
  retry_on_snapshot_warnings: false,
  retry_on_snapshot_warnings_timeout: 120,
  warn_only: false,
  warn_on_openssf_scorecard_level: 3,
  show_openssf_scorecard: true,
  show_patched_versions: false
}

const scorecard: Scorecard = {
  dependencies: [
    {
      change: {
        change_type: 'added',
        manifest: '',
        ecosystem: 'unknown',
        name: 'castore',
        version: '0.1.17',
        package_url: 'pkg:hex/castore@0.1.17',
        license: null,
        source_repository_url: null,
        scope: 'runtime',
        vulnerabilities: []
      },
      scorecard: null
    }
  ]
}

const tmpDir = path.resolve(__dirname, '../tmp')

const createExampleSummaries = async (): Promise<void> => {
  await fs.promises.mkdir(tmpDir, {recursive: true})

  await createNonIssueSummary()
  await createFullSummary()
}

const createNonIssueSummary = async (): Promise<void> => {
  await createSummary(
    [],
    {forbidden: [], unresolved: [], unlicensed: []},
    [],
    defaultConfig,
    'non-issue-summary.md'
  )
}

const createFullSummary = async (): Promise<void> => {
  const changes = [createTestChange()]
  const licenses: InvalidLicenseChanges = {
    forbidden: [
      createTestChange({
        name: 'underscore',
        version: '1.12.0',
        license: 'Apache 2.0'
      })
    ],
    unresolved: [
      createTestChange({
        name: 'octoinvader',
        license: 'Non SPDX License'
      }),
      createTestChange({
        name: 'owner/action-1',
        license: 'XYZ-License',
        version: 'v1.2.2',
        manifest: '.github/workflows/action.yml'
      })
    ],
    unlicensed: [
      createTestChange({
        name: 'my-other-dependency',
        license: null
      }),
      createTestChange({
        name: 'owner/action-2',
        version: 'main',
        license: null,
        manifest: '.github/workflows/action.yml'
      })
    ]
  }

  await createSummary(changes, licenses, [], defaultConfig, 'full-summary.md')
}

async function createSummary(
  vulnerabilities: Changes,
  licenseIssues: InvalidLicenseChanges,
  denied: Change[],
  config: ConfigurationOptions,
  fileName: string
): Promise<void> {
  summary.addSummaryToSummary(
    vulnerabilities,
    licenseIssues,
    denied,
    scorecard,
    config
  )
  await summary.addChangeVulnerabilitiesToSummary(
    vulnerabilities,
    config.fail_on_severity
  )
  summary.addLicensesToSummary(licenseIssues, defaultConfig)

  const allChanges = [
    ...vulnerabilities,
    ...licenseIssues.forbidden,
    ...licenseIssues.unresolved,
    ...licenseIssues.unlicensed
  ]

  summary.addScannedFiles(allChanges)

  const text = core.summary.stringify()
  await fs.promises.writeFile(path.resolve(tmpDir, fileName), text, {
    flag: 'w'
  })
  core.summary.emptyBuffer()
}

createExampleSummaries()
Adds some explanation on how to use the script 2023-03-01 07:43:08 +00:00			`/**`
			`* This scripts creates example markdown files for the summary in the ./tmp folder.`
			`* You can use it to preview changes to the summary.`
			`*`
			`* You can execute it like this:`
			`* npx ts-node scripts/create_summary.ts`
			`*/`

Fix broken tests, clean up dead code 2024-03-12 21:32:27 +00:00			`import {Change, Changes, ConfigurationOptions, Scorecard} from '../src/schemas'`
Adds script to generate test-markdown files 2023-02-28 11:08:48 +00:00			`import {createTestChange} from '../__tests__/fixtures/create-test-change'`
			`import {InvalidLicenseChanges} from '../src/licenses'`
			`import * as fs from 'fs'`
			`import * as core from '@actions/core'`
			`import * as summary from '../src/summary'`
			`import * as path from 'path'`

			`const defaultConfig: ConfigurationOptions = {`
			`vulnerability_check: true,`
			`license_check: true,`
			`fail_on_severity: 'high',`
			`fail_on_scopes: ['runtime'],`
			`allow_ghsas: [],`
			`allow_licenses: ['MIT'],`
			`deny_licenses: [],`
add tests and docs 2023-08-07 14:04:41 +02:00			`deny_packages: [],`
			`deny_groups: [],`
switched to purl format 2023-04-06 09:37:42 +02:00			`allow_dependencies_licenses: [`
			`'pkg:npm/express@4.17.1',`
Replace pip -> pypi in PURL examples 2023-12-11 17:23:19 +01:00			`'pkg:pypi/requests',`
			`'pkg:pypi/certifi',`
			`'pkg:pypi/pycrypto@2.6.1'`
switched to purl format 2023-04-06 09:37:42 +02:00			`],`
new build 2023-06-13 08:54:16 +02:00			`comment_summary_in_pr: true,`
Default retry-on-snapshot-warnings to false Keeping this true by default means wasting actions minutes for the vast majority of DR users 2023-09-06 18:04:10 +00:00			`retry_on_snapshot_warnings: false,`
merge from main and fix code review comment from @juxtin 2024-01-28 10:16:07 +01:00			`retry_on_snapshot_warnings_timeout: 120,`
Add formatting around warning for low scorecard levels 2024-03-04 19:34:29 +00:00			`warn_only: false,`
Fix broken tests, clean up dead code 2024-03-12 21:32:27 +00:00			`warn_on_openssf_scorecard_level: 3,`
Add 'show-patched-versions' option to configuration and update summary handling - Introduced 'show-patched-versions' input in action.yml to control visibility of patched versions in vulnerability summaries. - Updated default configuration and related functions to handle the new option. - Enhanced tests to verify behavior with and without the patched version column. 2026-02-27 14:58:54 -05:00			`show_openssf_scorecard: true,`
			`show_patched_versions: false`
Fix broken tests, clean up dead code 2024-03-12 21:32:27 +00:00			`}`

			`const scorecard: Scorecard = {`
			`dependencies: [`
			`{`
			`change: {`
			`change_type: 'added',`
			`manifest: '',`
			`ecosystem: 'unknown',`
			`name: 'castore',`
			`version: '0.1.17',`
			`package_url: 'pkg:hex/castore@0.1.17',`
			`license: null,`
			`source_repository_url: null,`
			`scope: 'runtime',`
			`vulnerabilities: []`
			`},`
			`scorecard: null`
			`}`
			`]`
Adds script to generate test-markdown files 2023-02-28 11:08:48 +00:00			`}`

			`const tmpDir = path.resolve(__dirname, '../tmp')`

			`const createExampleSummaries = async (): Promise<void> => {`
			`await fs.promises.mkdir(tmpDir, {recursive: true})`

			`await createNonIssueSummary()`
			`await createFullSummary()`
			`}`

			`const createNonIssueSummary = async (): Promise<void> => {`
Adjusts headlines and formatting for license issues 2023-02-28 12:28:20 +00:00			`await createSummary(`
Adds script to generate test-markdown files 2023-02-28 11:08:48 +00:00			`[],`
			`{forbidden: [], unresolved: [], unlicensed: []},`
add groups 2023-08-02 16:17:51 +02:00			`[],`
Adjusts headlines and formatting for license issues 2023-02-28 12:28:20 +00:00			`defaultConfig,`
			`'non-issue-summary.md'`
Adds script to generate test-markdown files 2023-02-28 11:08:48 +00:00			`)`
			`}`

			`const createFullSummary = async (): Promise<void> => {`
			`const changes = [createTestChange()]`
			`const licenses: InvalidLicenseChanges = {`
			`forbidden: [`
			`createTestChange({`
			`name: 'underscore',`
			`version: '1.12.0',`
			`license: 'Apache 2.0'`
			`})`
			`],`
			`unresolved: [`
			`createTestChange({`
			`name: 'octoinvader',`
			`license: 'Non SPDX License'`
Makes License Issues a single table per manifest 2023-03-02 07:43:23 +00:00			`}),`
			`createTestChange({`
			`name: 'owner/action-1',`
			`license: 'XYZ-License',`
			`version: 'v1.2.2',`
			`manifest: '.github/workflows/action.yml'`
Adds script to generate test-markdown files 2023-02-28 11:08:48 +00:00			`})`
			`],`
			`unlicensed: [`
			`createTestChange({`
			`name: 'my-other-dependency',`
Makes License Issues a single table per manifest 2023-03-02 07:43:23 +00:00			`license: null`
			`}),`
			`createTestChange({`
			`name: 'owner/action-2',`
			`version: 'main',`
			`license: null,`
			`manifest: '.github/workflows/action.yml'`
Adds script to generate test-markdown files 2023-02-28 11:08:48 +00:00			`})`
			`]`
			`}`

add groups 2023-08-02 16:17:51 +02:00			`await createSummary(changes, licenses, [], defaultConfig, 'full-summary.md')`
Adds script to generate test-markdown files 2023-02-28 11:08:48 +00:00			`}`

Adjusts headlines and formatting for license issues 2023-02-28 12:28:20 +00:00			`async function createSummary(`
Adds script to generate test-markdown files 2023-02-28 11:08:48 +00:00			`vulnerabilities: Changes,`
			`licenseIssues: InvalidLicenseChanges,`
add groups 2023-08-02 16:17:51 +02:00			`denied: Change[],`
Adjusts headlines and formatting for license issues 2023-02-28 12:28:20 +00:00			`config: ConfigurationOptions,`
			`fileName: string`
			`): Promise<void> {`
Fix broken tests, clean up dead code 2024-03-12 21:32:27 +00:00			`summary.addSummaryToSummary(`
			`vulnerabilities,`
			`licenseIssues,`
			`denied,`
			`scorecard,`
			`config`
			`)`
Add patched version column to vulnerability summary with multi-range support (#5) * Initial plan * Initial plan for adding patched versions to vulnerability summary Co-authored-by: felickz <1760475+felickz@users.noreply.github.com> * Add patched version column to vulnerability summary table Co-authored-by: felickz <1760475+felickz@users.noreply.github.com> * Optimize API calls to use Set and Promise.all for better performance Co-authored-by: felickz <1760475+felickz@users.noreply.github.com> * Remove type assertions and optimize ecosystem lookups with normalization Co-authored-by: felickz <1760475+felickz@users.noreply.github.com> * Extract patch version type checking into helper function for clarity Co-authored-by: felickz <1760475+felickz@users.noreply.github.com> * Support multiple version ranges per package in advisory lookup Handle scenarios where the same package has multiple vulnerable version ranges with different patched versions (e.g., GHSA-gwq6-fmvp-qp68 with .NET packages). - Store all vulnerability entries with version ranges, not just one per ecosystem - Implement version range matching to select correct patch version - Match package by ecosystem, name, AND version range - Add comprehensive test for multi-range scenario Co-authored-by: felickz <1760475+felickz@users.noreply.github.com> * Fix first_patched_version extraction to handle string format The GitHub Advisory API returns first_patched_version as a simple string (e.g., "112.0.0"), not an object with an identifier field. Updated extractPatchVersionId to handle string format primarily while maintaining backward compatibility with object format. - Fixed extractPatchVersionId to check for string first - Updated test mocks to match actual API response format - Added specific test for RestSharp GHSA-4rr6-2v9v-wcpc case - Verified with actual API responses from multiple advisories Fixes issue where patched versions were showing as "N/A" instead of the actual version number. Co-authored-by: felickz <1760475+felickz@users.noreply.github.com> * Rebuild dist with patched version fix The previous fix to extractPatchVersionId wasn't deployed because the dist/ folder (compiled JavaScript) wasn't rebuilt. This commit rebuilds and packages the action with npm run build && npm run package to include the fix. Changes in dist/: - Updated extractPatchVersionId to handle string format first - Includes all async vulnerability summary logic with API calls - Properly extracts patched versions from GitHub Advisory API This should resolve the issue where patched versions showed as "N/A" in actual GitHub Actions runs. Co-authored-by: felickz <1760475+felickz@users.noreply.github.com> * Add comprehensive debug logging for patch version lookup Added detailed debug logging to help troubleshoot patch version issues: - Log when fetching advisory data from API - Log number of vulnerability entries found - Log each patch info entry added with details - Log when no patch version is found - Log during lookup phase with package details - Log when patch version is found vs not found - Log available entries when no match is found This will make it much easier to diagnose issues in GitHub Actions debug mode. Co-authored-by: felickz <1760475+felickz@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: felickz <1760475+felickz@users.noreply.github.com> 2026-02-06 18:12:20 -05:00			`await summary.addChangeVulnerabilitiesToSummary(`
Adds script to generate test-markdown files 2023-02-28 11:08:48 +00:00			`vulnerabilities,`
			`config.fail_on_severity`
			`)`
			`summary.addLicensesToSummary(licenseIssues, defaultConfig)`

			`const allChanges = [`
			`...vulnerabilities,`
			`...licenseIssues.forbidden,`
			`...licenseIssues.unresolved,`
			`...licenseIssues.unlicensed`
			`]`

Do not list changes dependencies in summary 2024-09-13 14:10:13 +01:00			`summary.addScannedFiles(allChanges)`
Adds script to generate test-markdown files 2023-02-28 11:08:48 +00:00
			`const text = core.summary.stringify()`
Adjusts headlines and formatting for license issues 2023-02-28 12:28:20 +00:00			`await fs.promises.writeFile(path.resolve(tmpDir, fileName), text, {`
			`flag: 'w'`
			`})`
Adds script to generate test-markdown files 2023-02-28 11:08:48 +00:00			`core.summary.emptyBuffer()`
			`}`

			`createExampleSummaries()`