Merge pull request #311 from ericcornelissen/308-disable-license-or-vuln

Add `license-check` and `vulnerability-check` inputs
2022-10-31 07:56:37 +01:00
parent bb5c0c7ca0 04f48dec81
commit 10dc05ba09
8 changed files with 145 additions and 23 deletions
--- a/README.md
+++ b/README.md
@@ -71,7 +71,7 @@ or by inlining these options in your workflow file.

 ### config-file

-A string representing the path to an external configuraton file. By
+A string representing the path to an external configuration file. By
 default external configuration files are not used.

 **Possible values**: A string representing the absolute path to the
@@ -155,6 +155,20 @@ allow-ghsas:
  - GHSA-efgh-1234-5679
 ```

+### license-check/vulnerability-check
+
+Disable the license checks or vulnerability checks performed by this Action.
+You can't disable both checks.
+
+**Possible values**: `true` or `false`
+
+**Example**:
+
+```yaml
+license-check: true
+vulnerability-check: false
+```
+
 ### base-ref/head-ref

 Provide custom git references for the git base/head when performing
--- a/tests/config.test.ts
+++ b/tests/config.test.ts
@@ -18,6 +18,8 @@ function clearInputs() {
    'ALLOW-LICENSES',
    'DENY-LICENSES',
    'ALLOW-GHSAS',
+    'LICENSE-CHECK',
+    'VULNERABILITY-CHECK',
    'CONFIG-FILE',
    'BASE-REF',
    'HEAD-REF'
@@ -181,6 +183,46 @@ test('it successfully parses GHSA allowlist', async () => {
  ])
 })

+test('it defaults to checking licenses', async () => {
+  const options = readConfig()
+  expect(options.license_check).toBe(true)
+})
+
+test('it parses the license-check input', async () => {
+  setInput('license-check', 'false')
+  let options = readConfig()
+  expect(options.license_check).toEqual(false)
+
+  clearInputs()
+  setInput('license-check', 'true')
+  options = readConfig()
+  expect(options.license_check).toEqual(true)
+})
+
+test('it defaults to checking vulnerabilities', async () => {
+  const options = readConfig()
+  expect(options.vulnerability_check).toBe(true)
+})
+
+test('it parses the vulnerability-check input', async () => {
+  setInput('vulnerability-check', 'false')
+  let options = readConfig()
+  expect(options.vulnerability_check).toEqual(false)
+
+  clearInputs()
+  setInput('vulnerability-check', 'true')
+  options = readConfig()
+  expect(options.vulnerability_check).toEqual(true)
+})
+
+test('it is not possible to disable both checks', async () => {
+  setInput('license-check', 'false')
+  setInput('vulnerability-check', 'false')
+  expect(() => {
+    readConfig()
+  }).toThrow("Can't disable both license-check and vulnerability-check")
+})
+
 describe('licenses that are not valid SPDX licenses', () => {
  beforeAll(() => {
    jest.spyOn(Utils, 'isSPDXValid').mockReturnValue(false)
--- a/dist/index.js
+++ b/dist/index.js
@@ -368,12 +368,16 @@ function run() {
                allow: config.allow_licenses,
                deny: config.deny_licenses
            });
-            summary.addSummaryToSummary(addedChanges, invalidLicenseChanges);
-            summary.addChangeVulnerabilitiesToSummary(addedChanges, minSeverity);
-            summary.addLicensesToSummary(invalidLicenseChanges, config);
+            summary.addSummaryToSummary(config.vulnerability_check ? addedChanges : null, config.license_check ? invalidLicenseChanges : null);
+            if (config.vulnerability_check) {
+                summary.addChangeVulnerabilitiesToSummary(addedChanges, minSeverity);
+                printVulnerabilitiesBlock(addedChanges, minSeverity);
+            }
+            if (config.license_check) {
+                summary.addLicensesToSummary(invalidLicenseChanges, config);
+                printLicensesBlock(invalidLicenseChanges);
+            }
            summary.addScannedDependencies(changes);
-            printVulnerabilitiesBlock(addedChanges, minSeverity);
-            printLicensesBlock(invalidLicenseChanges);
            printScannedDependencies(changes);
        }
        catch (error) {
@@ -556,6 +560,8 @@ exports.ConfigurationOptionsSchema = z
    allow_licenses: z.array(z.string()).default([]),
    deny_licenses: z.array(z.string()).default([]),
    allow_ghsas: z.array(z.string()).default([]),
+    license_check: z.boolean().default(true),
+    vulnerability_check: z.boolean().default(true),
    config_file: z.string().optional().default('false'),
    base_ref: z.string(),
    head_ref: z.string()
@@ -604,10 +610,16 @@ function addSummaryToSummary(addedPackages, invalidLicenseChanges) {
        .addHeading('Dependency Review')
        .addRaw('We found:')
        .addList([
-        `${addedPackages.length} vulnerable package(s)`,
-        `${invalidLicenseChanges.unresolved.length} package(s) with invalid SPDX license definitions`,
-        `${invalidLicenseChanges.forbidden.length} package(s) with incompatible licenses`,
-        `${invalidLicenseChanges.unlicensed.length} package(s) with unknown licenses.`
+        ...(addedPackages
+            ? [`${addedPackages.length} vulnerable package(s)`]
+            : []),
+        ...(invalidLicenseChanges
+            ? [
+                `${invalidLicenseChanges.unresolved.length} package(s) with invalid SPDX license definitions`,
+                `${invalidLicenseChanges.forbidden.length} package(s) with incompatible licenses`,
+                `${invalidLicenseChanges.unlicensed.length} package(s) with unknown licenses.`
+            ]
+            : [])
    ]);
 }
 exports.addSummaryToSummary = addSummaryToSummary;
@@ -27397,6 +27409,10 @@ const core = __importStar(__nccwpck_require__(2186));
 const z = __importStar(__nccwpck_require__(3301));
 const schemas_1 = __nccwpck_require__(1129);
 const utils_1 = __nccwpck_require__(1314);
+function getOptionalBoolean(name) {
+    const value = core.getInput(name);
+    return value.length > 0 ? core.getBooleanInput(name) : undefined;
+}
 function getOptionalInput(name) {
    const value = core.getInput(name);
    return value.length > 0 ? value : undefined;
@@ -27448,6 +27464,17 @@ function readInlineConfig() {
    validateLicenses('allow-licenses', allow_licenses);
    validateLicenses('deny-licenses', deny_licenses);
    const allow_ghsas = parseList(getOptionalInput('allow-ghsas'));
+    const license_check = z
+        .boolean()
+        .default(true)
+        .parse(getOptionalBoolean('license-check'));
+    const vulnerability_check = z
+        .boolean()
+        .default(true)
+        .parse(getOptionalBoolean('vulnerability-check'));
+    if (license_check === false && vulnerability_check === false) {
+        throw new Error("Can't disable both license-check and vulnerability-check");
+    }
    const base_ref = getOptionalInput('base-ref');
    const head_ref = getOptionalInput('head-ref');
    return {
@@ -27456,6 +27483,8 @@ function readInlineConfig() {
        allow_licenses,
        deny_licenses,
        allow_ghsas,
+        license_check,
+        vulnerability_check,
        base_ref,
        head_ref
    };
@@ -27632,6 +27661,8 @@ exports.ConfigurationOptionsSchema = z
    allow_licenses: z.array(z.string()).default([]),
    deny_licenses: z.array(z.string()).default([]),
    allow_ghsas: z.array(z.string()).default([]),
+    license_check: z.boolean().default(true),
+    vulnerability_check: z.boolean().default(true),
    config_file: z.string().optional().default('false'),
    base_ref: z.string(),
    head_ref: z.string()
--- a/dist/index.js.map
+++ b/dist/index.js.map
--- a/src/config.ts
+++ b/src/config.ts
@@ -13,6 +13,11 @@ import {isSPDXValid} from './utils'

 type licenseKey = 'allow-licenses' | 'deny-licenses'

+function getOptionalBoolean(name: string): boolean | undefined {
+  const value = core.getInput(name)
+  return value.length > 0 ? core.getBooleanInput(name) : undefined
+}
+
 function getOptionalInput(name: string): string | undefined {
  const value = core.getInput(name)
  return value.length > 0 ? value : undefined
@@ -77,6 +82,18 @@ export function readInlineConfig(): ConfigurationOptions {

  const allow_ghsas = parseList(getOptionalInput('allow-ghsas'))

+  const license_check = z
+    .boolean()
+    .default(true)
+    .parse(getOptionalBoolean('license-check'))
+  const vulnerability_check = z
+    .boolean()
+    .default(true)
+    .parse(getOptionalBoolean('vulnerability-check'))
+  if (license_check === false && vulnerability_check === false) {
+    throw new Error("Can't disable both license-check and vulnerability-check")
+  }
+
  const base_ref = getOptionalInput('base-ref')
  const head_ref = getOptionalInput('head-ref')

@@ -86,6 +103,8 @@ export function readInlineConfig(): ConfigurationOptions {
    allow_licenses,
    deny_licenses,
    allow_ghsas,
+    license_check,
+    vulnerability_check,
    base_ref,
    head_ref
  }
--- a/src/main.ts
+++ b/src/main.ts
@@ -53,13 +53,21 @@ async function run(): Promise<void> {
      }
    )

-    summary.addSummaryToSummary(addedChanges, invalidLicenseChanges)
-    summary.addChangeVulnerabilitiesToSummary(addedChanges, minSeverity)
-    summary.addLicensesToSummary(invalidLicenseChanges, config)
-    summary.addScannedDependencies(changes)
+    summary.addSummaryToSummary(
+      config.vulnerability_check ? addedChanges : null,
+      config.license_check ? invalidLicenseChanges : null
+    )

-    printVulnerabilitiesBlock(addedChanges, minSeverity)
-    printLicensesBlock(invalidLicenseChanges)
+    if (config.vulnerability_check) {
+      summary.addChangeVulnerabilitiesToSummary(addedChanges, minSeverity)
+      printVulnerabilitiesBlock(addedChanges, minSeverity)
+    }
+    if (config.license_check) {
+      summary.addLicensesToSummary(invalidLicenseChanges, config)
+      printLicensesBlock(invalidLicenseChanges)
+    }
+
+    summary.addScannedDependencies(changes)
    printScannedDependencies(changes)
  } catch (error) {
    if (error instanceof RequestError && error.status === 404) {
--- a/src/schemas.ts
+++ b/src/schemas.ts
@@ -41,6 +41,8 @@ export const ConfigurationOptionsSchema = z
    allow_licenses: z.array(z.string()).default([]),
    deny_licenses: z.array(z.string()).default([]),
    allow_ghsas: z.array(z.string()).default([]),
+    license_check: z.boolean().default(true),
+    vulnerability_check: z.boolean().default(true),
    config_file: z.string().optional().default('false'),
    base_ref: z.string(),
    head_ref: z.string()
--- a/src/summary.ts
+++ b/src/summary.ts
@@ -4,17 +4,23 @@ import {SummaryTableRow} from '@actions/core/lib/summary'
 import {groupDependenciesByManifest, getManifestsSet, renderUrl} from './utils'

 export function addSummaryToSummary(
-  addedPackages: Changes,
-  invalidLicenseChanges: Record<string, Changes>
+  addedPackages: Changes | null,
+  invalidLicenseChanges: Record<string, Changes> | null
 ): void {
  core.summary
    .addHeading('Dependency Review')
    .addRaw('We found:')
    .addList([
-      `${addedPackages.length} vulnerable package(s)`,
-      `${invalidLicenseChanges.unresolved.length} package(s) with invalid SPDX license definitions`,
-      `${invalidLicenseChanges.forbidden.length} package(s) with incompatible licenses`,
-      `${invalidLicenseChanges.unlicensed.length} package(s) with unknown licenses.`
+      ...(addedPackages
+        ? [`${addedPackages.length} vulnerable package(s)`]
+        : []),
+      ...(invalidLicenseChanges
+        ? [
+            `${invalidLicenseChanges.unresolved.length} package(s) with invalid SPDX license definitions`,
+            `${invalidLicenseChanges.forbidden.length} package(s) with incompatible licenses`,
+            `${invalidLicenseChanges.unlicensed.length} package(s) with unknown licenses.`
+          ]
+        : [])
    ])
 }