ensure scope filtering is backward compatible with enterprise rest api versions

This commit is contained in:
Sarah Aladetan
2022-09-16 19:13:58 +00:00
parent e641ee9a41
commit 10bc05df70
3 changed files with 5 additions and 3 deletions

View File

@@ -124,7 +124,7 @@ This example will only fail on pull requests with `critical` and `high` vulnerab
### Dependency Scoping
By default the action will only fail on `runtime` dependencies that have vulnerabilities or unacceptable licenses, ignoring `development` dependencies. You can override this behavior with the `fail-on-scopes` option, which will allow you to list the specific dependency scopes you care about. The possible values are: `unknown`, `runtime`, and `development`. Note: Filtering by scope will not be supported on GHES just yet, as the REST API's introduction of `scope` will be released in an upcoming version.
By default the action will only fail on `runtime` dependencies that have vulnerabilities or unacceptable licenses, ignoring `development` dependencies. You can override this behavior with the `fail-on-scopes` option, which will allow you to list the specific dependency scopes you care about. The possible values are: `unknown`, `runtime`, and `development`. Note: Filtering by scope will not be supported on GHES just yet, as the REST API's introduction of `scope` will be released in an upcoming version. We will treat all dependencies on GHES as having a `runtime` scope and thus will not be filtered away.
```yaml
- name: Dependency Review

View File

@@ -39,7 +39,9 @@ export function filterChangesByScopes(
changes: Changes
): Changes {
const filteredChanges = changes.filter(change => {
if (scopes.includes(change.scope)) {
// if there is no scope on the change (GHES API for now), we will assume it is a runtime scope
const scope = change.scope || 'runtime'
if (scopes.includes(scope)) {
return true
}
})

View File

@@ -12,7 +12,7 @@ export const ChangeSchema = z.object({
package_url: z.string(),
license: z.string().nullable(),
source_repository_url: z.string().nullable(),
scope: z.enum(SCOPES),
scope: z.enum(SCOPES).optional(),
vulnerabilities: z
.array(
z.object({