Merge pull request #733 from actions/deny-list-version

deny-packages configuration option can deny specified version or all packages
This commit is contained in:
Brandon Teng
2024-04-24 20:38:16 -05:00
committed by GitHub
11 changed files with 330 additions and 214 deletions

View File

@@ -80,7 +80,7 @@ Here are a few things you can do that will increase the likelihood of your pull
- Add unit tests for new features.
- Keep your change as focused as possible. If there are multiple changes you would like to make that are not dependent upon each other, consider submitting them as separate pull requests.
- Write a [good commit message](https://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html).
- Add examples of the usage to [examples.md](examples.md)
- Add examples of the usage to [examples.md](docs/examples.md)
- Link to a sample PR in a custom repository running your version of the Action.
## Cutting a new release

View File

@@ -66,25 +66,25 @@ jobs:
Configure this action by either inlining these options in your workflow file, or by using an external configuration file. All configuration options are optional.
| Option | Usage | Possible values | Default value |
| -------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------ | ------------- |
| `fail-on-severity` | Defines the threshold for the level of severity. The action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher. | `low`, `moderate`, `high`, `critical` | `low` |
| `allow-licenses`\* | Contains a list of allowed licenses. The action will fail on pull requests that introduce dependencies with licenses that do not match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `deny-licenses`\* | Contains a list of prohibited licenses. The action will fail on pull requests that introduce dependencies with licenses that match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `fail-on-scopes` | Contains a list of strings of the build environments you want to support. The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list. | `runtime`, `development`, `unknown` | `runtime` |
| `allow-ghsas` | Contains a list of GitHub Advisory Database IDs that can be skipped during detection. | Any GHSAs from the [GitHub Advisory Database](https://github.com/advisories) | none |
| `license-check` | Enable or disable the license check performed by the action. | `true`, `false` | `true` |
| `vulnerability-check` | Enable or disable the vulnerability check performed by the action. | `true`, `false` | `true` |
| `allow-dependencies-licenses`\* | Contains a list of packages that will be excluded from license checks. | Any package(s) in [purl](https://github.com/package-url/purl-spec) format | none |
| `base-ref`/`head-ref` | Provide custom git references for the git base/head when performing the comparison check. This is only used for event types other than `pull_request` and `pull_request_target`. | Any valid git ref(s) in your project | none |
| `comment-summary-in-pr` | Enable or disable reporting the review summary as a comment in the pull request. If enabled, you must give the workflow or job the `pull-requests: write` permission. | `always`, `on-failure`, `never` | `never` |
| `deny-packages` | Any number of packages to block in a PR. | Package(s) in [purl](https://github.com/package-url/purl-spec) format | empty |
| `deny-groups` | Any number of groups (namespaces) to block in a PR. | Namespace(s) in [purl](https://github.com/package-url/purl-spec) format (no package name, no version number) | empty |
| `retry-on-snapshot-warnings`\* | Enable or disable retrying the action every 10 seconds while waiting for dependency submission actions to complete. | `true`, `false` | `false` |
| `retry-on-snapshot-warnings-timeout`\* | Maximum amount of time (in seconds) to retry the action while waiting for dependency submission actions to complete. | Any positive integer | 120 |
| `warn-only`+ | When set to `true`, the action will log all vulnerabilities as warnings regardless of the severity, and the action will complete with a `success` status. This overrides the `fail-on-severity` option. | `true`, `false` | `false` |
| `show-openssf-scorecard` | When set to `true`, the action will output information about all the known OpenSSF Scorecard scores for the dependencies changed in this pull request. | `true`, `false` | `true` |
| `warn-on-openssf-scorecard-level` | When `show-openssf-scorecard` is set to `true`, this option lets you configure the threshold for when a score is considered too low and gets a :warning: warning in the CI. | Any positive integer | 3 |
| Option | Usage | Possible values | Default value |
| -------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------ | ------------- |
| `fail-on-severity` | Defines the threshold for the level of severity. The action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher. | `low`, `moderate`, `high`, `critical` | `low` |
| `allow-licenses`\* | Contains a list of allowed licenses. The action will fail on pull requests that introduce dependencies with licenses that do not match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `deny-licenses`\* | Contains a list of prohibited licenses. The action will fail on pull requests that introduce dependencies with licenses that match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `fail-on-scopes` | Contains a list of strings of the build environments you want to support. The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list. | `runtime`, `development`, `unknown` | `runtime` |
| `allow-ghsas` | Contains a list of GitHub Advisory Database IDs that can be skipped during detection. | Any GHSAs from the [GitHub Advisory Database](https://github.com/advisories) | none |
| `license-check` | Enable or disable the license check performed by the action. | `true`, `false` | `true` |
| `vulnerability-check` | Enable or disable the vulnerability check performed by the action. | `true`, `false` | `true` |
| `allow-dependencies-licenses`\* | Contains a list of packages that will be excluded from license checks. | Any package(s) in [purl](https://github.com/package-url/purl-spec) format | none |
| `base-ref`/`head-ref` | Provide custom git references for the git base/head when performing the comparison check. This is only used for event types other than `pull_request` and `pull_request_target`. | Any valid git ref(s) in your project | none |
| `comment-summary-in-pr` | Enable or disable reporting the review summary as a comment in the pull request. If enabled, you must give the workflow or job the `pull-requests: write` permission. | `always`, `on-failure`, `never` | `never` |
| `deny-packages` | Any number of packages to block in a PR. This option will match on the exact version provided. If no version is provided, the option will treat the specified package as a wildcard and deny all versions. | Package(s) in [purl](https://github.com/package-url/purl-spec) format | empty |
| `deny-groups` | Any number of groups (namespaces) to block in a PR. | Namespace(s) in [purl](https://github.com/package-url/purl-spec) format (no package name, no version number) | empty |
| `retry-on-snapshot-warnings`\* | Enable or disable retrying the action every 10 seconds while waiting for dependency submission actions to complete. | `true`, `false` | `false` |
| `retry-on-snapshot-warnings-timeout`\* | Maximum amount of time (in seconds) to retry the action while waiting for dependency submission actions to complete. | Any positive integer | 120 |
| `warn-only`+ | When set to `true`, the action will log all vulnerabilities as warnings regardless of the severity, and the action will complete with a `success` status. This overrides the `fail-on-severity` option. | `true`, `false` | `false` |
| `show-openssf-scorecard-levels` | When set to `true`, the action will output information about all the known OpenSSF Scorecard scores for the dependencies changed in this pull request. | `true`, `false` | `true` |
| `warn-on-openssf-scorecard-level` | When `show-openssf-scorecard-levels` is set to `true`, this option lets you configure the threshold for when a score is considered too low and gets a :warning: warning in the CI. | Any positive integer | 3 |
\*not supported for use with GitHub Enterprise Server

View File

@@ -1,100 +1,7 @@
import {expect, jest, test} from '@jest/globals'
import {Change, Changes} from '../src/schemas'
let getDeniedChanges: Function
const npmChange: Change = {
manifest: 'package.json',
change_type: 'added',
ecosystem: 'npm',
name: 'Reeuhq',
version: '1.0.2',
package_url: 'pkg:npm/reeuhq@1.0.2',
license: 'MIT',
source_repository_url: 'github.com/some-repo',
scope: 'runtime',
vulnerabilities: [
{
severity: 'critical',
advisory_ghsa_id: 'first-random_string',
advisory_summary: 'very dangerous',
advisory_url: 'github.com/future-funk'
}
]
}
const rubyChange: Change = {
change_type: 'added',
manifest: 'Gemfile.lock',
ecosystem: 'rubygems',
name: 'actionsomething',
version: '3.2.0',
package_url: 'pkg:gem/actionsomething@3.2.0',
license: 'BSD',
source_repository_url: 'github.com/some-repo',
scope: 'runtime',
vulnerabilities: [
{
severity: 'moderate',
advisory_ghsa_id: 'second-random_string',
advisory_summary: 'not so dangerous',
advisory_url: 'github.com/future-funk'
},
{
severity: 'low',
advisory_ghsa_id: 'third-random_string',
advisory_summary: 'dont page me',
advisory_url: 'github.com/future-funk'
}
]
}
const pipChange: Change = {
change_type: 'added',
manifest: 'requirements.txt',
ecosystem: 'pip',
name: 'package-1',
version: '1.1.1',
package_url: 'pkg:pypi/package-1@1.1.1',
license: 'MIT',
source_repository_url: 'github.com/some-repo',
scope: 'runtime',
vulnerabilities: [
{
severity: 'moderate',
advisory_ghsa_id: 'second-random_string',
advisory_summary: 'not so dangerous',
advisory_url: 'github.com/future-funk'
},
{
severity: 'low',
advisory_ghsa_id: 'third-random_string',
advisory_summary: 'dont page me',
advisory_url: 'github.com/future-funk'
}
]
}
const mvnChange: Change = {
change_type: 'added',
manifest: 'pom.xml',
ecosystem: 'maven',
name: 'org.apache.logging.log4j:log4j-core',
version: '2.15.0',
package_url: 'pkg:maven/org.apache.logging.log4j/log4j-core@2.14.7',
license: 'Apache-2.0',
source_repository_url:
'https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core',
scope: 'unknown',
vulnerabilities: [
{
severity: 'critical',
advisory_ghsa_id: 'second-random_string',
advisory_summary: 'not so dangerous',
advisory_url: 'github.com/future-funk'
}
]
}
import {createTestChange, createTestPURLs} from './fixtures/create-test-change'
import {getDeniedChanges} from '../src/deny'
jest.mock('@actions/core')
@@ -108,6 +15,11 @@ const mockOctokit = {
}
}
let npmChange: Change
let rubyChange: Change
let pipChange: Change
let mvnChange: Change
jest.mock('octokit', () => {
return {
// eslint-disable-next-line @typescript-eslint/no-extraneous-class
@@ -126,40 +38,84 @@ beforeEach(async () => {
// true for BSD, false for all others
return jest.fn((license: string, _: string): boolean => license === 'BSD')
})
// eslint-disable-next-line @typescript-eslint/no-require-imports
;({getDeniedChanges} = require('../src/deny'))
npmChange = createTestChange({ecosystem: 'npm'})
rubyChange = createTestChange({ecosystem: 'rubygems'})
pipChange = createTestChange({ecosystem: 'pip'})
mvnChange = createTestChange({ecosystem: 'maven'})
})
test('it adds packages in the deny packages list', async () => {
test('denies packages from the deny packages list', async () => {
const changes: Changes = [npmChange, rubyChange]
const deniedChanges = await getDeniedChanges(
changes,
['pkg:gem/actionsomething'],
[]
)
const deniedPackages = createTestPURLs(['pkg:gem/actionsomething@3.2.0'])
const deniedChanges = await getDeniedChanges(changes, deniedPackages)
expect(deniedChanges[0]).toBe(rubyChange)
expect(deniedChanges.length).toEqual(1)
})
test('it adds packages in the deny group list', async () => {
const changes: Changes = [mvnChange, rubyChange]
test('denies packages only for the specified version from deny packages list', async () => {
const deniedPackageWithDifferentVersion = createTestPURLs([
'pkg:npm/lodash@1.2.3'
])
const changes: Changes = [npmChange]
const deniedChanges = await getDeniedChanges(
changes,
[],
['pkg:maven/org.apache.logging.log4j']
deniedPackageWithDifferentVersion
)
expect(deniedChanges.length).toEqual(0)
})
test('if no specified version from deny packages list, it will treat package as wildcard and deny all versions', async () => {
const changes: Changes = [
createTestChange({name: 'lodash', version: '1.2.3'}),
createTestChange({name: 'lodash', version: '4.5.6'}),
createTestChange({name: 'lodash', version: '7.8.9'})
]
const denyAllLodashVersions = createTestPURLs(['pkg:npm/lodash'])
const deniedChanges = await getDeniedChanges(changes, denyAllLodashVersions)
expect(deniedChanges.length).toEqual(3)
})
test('denies packages from the deny group list', async () => {
const changes: Changes = [mvnChange, rubyChange]
const deniedGroups = createTestPURLs(['pkg:maven/org.apache.logging.log4j/'])
const deniedChanges = await getDeniedChanges(changes, [], deniedGroups)
expect(deniedChanges[0]).toBe(mvnChange)
expect(deniedChanges.length).toEqual(1)
})
test('it adds packages outside of the deny lists', async () => {
test('denies packages that match the deny group list exactly', async () => {
const changes: Changes = [
createTestChange({
package_url: 'pkg:npm/org.test.pass/pass-this@1.0.0',
ecosystem: 'npm'
}),
createTestChange({
package_url: 'pkg:npm/org.test/deny-this@1.0.0',
ecosystem: 'npm'
})
]
const deniedGroups = createTestPURLs(['pkg:npm/org.test/'])
const deniedChanges = await getDeniedChanges(changes, [], deniedGroups)
expect(deniedChanges.length).toEqual(1)
expect(deniedChanges[0]).toBe(changes[1])
})
test('allows packages not defined in the deny packages and groups list', async () => {
const changes: Changes = [npmChange, pipChange]
const deniedPackages = createTestPURLs([
'pkg:gem/package-not-in-changes@1.0.0'
])
const deniedGroups = createTestPURLs(['pkg:maven/group.not.in.changes/'])
const deniedChanges = await getDeniedChanges(
changes,
['pkg:gem/actionsomething'],
['pkg:maven:org.apache.logging.log4j']
deniedPackages,
deniedGroups
)
expect(deniedChanges.length).toEqual(0)

View File

@@ -1,7 +1,9 @@
import {PackageURL} from 'packageurl-js'
import {Change} from '../../src/schemas'
import {createTestVulnerability} from './create-test-vulnerability'
import {parsePURL} from '../../src/utils'
const defaultChange: Change = {
const defaultNpmChange: Change = {
change_type: 'added',
manifest: 'package.json',
ecosystem: 'npm',
@@ -28,9 +30,98 @@ const defaultChange: Change = {
]
}
const createTestChange = (overwrites: Partial<Change> = {}): Change => ({
...defaultChange,
...overwrites
})
const defaultRubyChange: Change = {
change_type: 'added',
manifest: 'Gemfile.lock',
ecosystem: 'rubygems',
name: 'actionsomething',
version: '3.2.0',
package_url: 'pkg:gem/actionsomething@3.2.0',
license: 'BSD',
source_repository_url: 'github.com/some-repo',
scope: 'runtime',
vulnerabilities: [
{
severity: 'moderate',
advisory_ghsa_id: 'second-random_string',
advisory_summary: 'not so dangerous',
advisory_url: 'github.com/future-funk'
},
{
severity: 'low',
advisory_ghsa_id: 'third-random_string',
advisory_summary: 'dont page me',
advisory_url: 'github.com/future-funk'
}
]
}
export {createTestChange}
const defaultPipChange: Change = {
change_type: 'added',
manifest: 'requirements.txt',
ecosystem: 'pip',
name: 'package-1',
version: '1.1.1',
package_url: 'pkg:pypi/package-1@1.1.1',
license: 'MIT',
source_repository_url: 'github.com/some-repo',
scope: 'runtime',
vulnerabilities: [
{
severity: 'moderate',
advisory_ghsa_id: 'second-random_string',
advisory_summary: 'not so dangerous',
advisory_url: 'github.com/future-funk'
},
{
severity: 'low',
advisory_ghsa_id: 'third-random_string',
advisory_summary: 'dont page me',
advisory_url: 'github.com/future-funk'
}
]
}
const defaultMavenChange: Change = {
change_type: 'added',
manifest: 'pom.xml',
ecosystem: 'maven',
name: 'org.apache.logging.log4j:log4j-core',
version: '2.15.0',
package_url: 'pkg:maven/org.apache.logging.log4j/log4j-core@2.14.7',
license: 'Apache-2.0',
source_repository_url:
'https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core',
scope: 'unknown',
vulnerabilities: [
{
severity: 'critical',
advisory_ghsa_id: 'second-random_string',
advisory_summary: 'not so dangerous',
advisory_url: 'github.com/future-funk'
}
]
}
const ecosystemToDefaultChange: {[key: string]: Change} = {
npm: defaultNpmChange,
rubygems: defaultRubyChange,
pip: defaultPipChange,
maven: defaultMavenChange
}
const createTestChange = (overwrites: Partial<Change> = {}): Change => {
const ecosystem = overwrites.ecosystem || 'npm'
return {
...ecosystemToDefaultChange[ecosystem],
...overwrites
}
}
const createTestPURLs = (list: string[]): PackageURL[] => {
return list.map(purl => {
return parsePURL(purl)
})
}
export {createTestChange, createTestPURLs}

View File

@@ -56,7 +56,7 @@ inputs:
description: Determines if the summary is posted as a comment in the PR itself. Setting this to `always` or `on-failure` requires you to give the workflow the write permissions for pull-requests
required: false
deny-packages:
description: A comma-separated list of package URLs to deny (e.g. "pkg:npm/express, pkg:pypi/pycrypto")
description: A comma-separated list of package URLs to deny (e.g. "pkg:npm/express, pkg:pypi/pycrypto"). If version specified, only deny matching packages and version; else, deny all regardless of version.
required: false
deny-groups:
description: A comma-separated list of package URLs for group(s)/namespace(s) to deny (e.g. "pkg:npm/express, pkg:pypi/pycrypto")

144
dist/index.js generated vendored
View File

@@ -179,31 +179,29 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
Object.defineProperty(exports, "__esModule", ({ value: true }));
exports.getDeniedChanges = void 0;
const core = __importStar(__nccwpck_require__(2186));
function getDeniedChanges(changes, deniedPackages, deniedGroups) {
return __awaiter(this, void 0, void 0, function* () {
const packageurl_js_1 = __nccwpck_require__(8915);
function getDeniedChanges(changes_1) {
return __awaiter(this, arguments, void 0, function* (changes, deniedPackages = [], deniedGroups = []) {
const changesDenied = [];
let failed = false;
let hasDeniedPackage = false;
for (const change of changes) {
change.name = change.name.toLowerCase();
const packageUrl = change.package_url.toLowerCase().split('@')[0];
if (deniedPackages) {
for (const denied of deniedPackages) {
if (packageUrl === denied.split('@')[0].toLowerCase()) {
changesDenied.push(change);
failed = true;
}
const changedPackage = packageurl_js_1.PackageURL.fromString(change.package_url);
for (const denied of deniedPackages) {
if ((!denied.version || changedPackage.version === denied.version) &&
changedPackage.name === denied.name) {
changesDenied.push(change);
hasDeniedPackage = true;
}
}
if (deniedGroups) {
for (const denied of deniedGroups) {
if (packageUrl.startsWith(denied.toLowerCase())) {
changesDenied.push(change);
failed = true;
}
for (const denied of deniedGroups) {
if (changedPackage.namespace &&
changedPackage.namespace === denied.namespace) {
changesDenied.push(change);
hasDeniedPackage = true;
}
}
}
if (failed) {
if (hasDeniedPackage) {
core.setFailed('Dependency review detected denied packages.');
}
else {
@@ -862,9 +860,13 @@ var __importStar = (this && this.__importStar) || function (mod) {
Object.defineProperty(exports, "__esModule", ({ value: true }));
exports.ScorecardSchema = exports.ScorecardApiSchema = exports.ComparisonResponseSchema = exports.ChangesSchema = exports.ConfigurationOptionsSchema = exports.PullRequestSchema = exports.ChangeSchema = exports.SeveritySchema = exports.SCOPES = exports.SEVERITIES = void 0;
const z = __importStar(__nccwpck_require__(3301));
const utils_1 = __nccwpck_require__(918);
exports.SEVERITIES = ['critical', 'high', 'moderate', 'low'];
exports.SCOPES = ['unknown', 'runtime', 'development'];
exports.SeveritySchema = z.enum(exports.SEVERITIES).default('low');
const PackageURL = z.string().transform(purlString => {
return (0, utils_1.parsePURL)(purlString);
});
exports.ChangeSchema = z.object({
change_type: z.enum(['added', 'removed']),
manifest: z.string(),
@@ -898,8 +900,8 @@ exports.ConfigurationOptionsSchema = z
deny_licenses: z.array(z.string()).optional(),
allow_dependencies_licenses: z.array(z.string()).optional(),
allow_ghsas: z.array(z.string()).default([]),
deny_packages: z.array(z.string()).default([]),
deny_groups: z.array(z.string()).default([]),
deny_packages: z.array(PackageURL).default([]),
deny_groups: z.array(PackageURL).default([]),
license_check: z.boolean().default(true),
vulnerability_check: z.boolean().default(true),
config_file: z.string().optional(),
@@ -1453,10 +1455,11 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
return (mod && mod.__esModule) ? mod : { "default": mod };
};
Object.defineProperty(exports, "__esModule", ({ value: true }));
exports.octokitClient = exports.isSPDXValid = exports.renderUrl = exports.getManifestsSet = exports.groupDependenciesByManifest = void 0;
exports.parsePURL = exports.octokitClient = exports.isSPDXValid = exports.renderUrl = exports.getManifestsSet = exports.groupDependenciesByManifest = void 0;
const core = __importStar(__nccwpck_require__(2186));
const octokit_1 = __nccwpck_require__(7467);
const spdx_expression_parse_1 = __importDefault(__nccwpck_require__(1620));
const packageurl_js_1 = __nccwpck_require__(8915);
function groupDependenciesByManifest(changes) {
var _a;
const dependencies = new Map();
@@ -1516,6 +1519,23 @@ function octokitClient(token = 'repo-token', required = true) {
return new octokit_1.Octokit(opts);
}
exports.octokitClient = octokitClient;
const parsePURL = (purlString) => {
try {
return packageurl_js_1.PackageURL.fromString(purlString);
}
catch (error) {
if (error.message ===
`purl is missing the required "name" component.`) {
//packageurl-js does not support empty names, so will manually override it for deny-groups
//https://github.com/package-url/packageurl-js/blob/master/src/package-url.js#L216
const purl = packageurl_js_1.PackageURL.fromString(`${purlString}TEMP_NAME`);
purl.name = '';
return purl;
}
throw error;
}
};
exports.parsePURL = parsePURL;
/***/ }),
@@ -5400,11 +5420,11 @@ __export(dist_src_exports, {
module.exports = __toCommonJS(dist_src_exports);
var import_universal_user_agent = __nccwpck_require__(5030);
var import_request = __nccwpck_require__(6234);
var import_auth_oauth_app = __nccwpck_require__(4098);
var import_auth_oauth_app = __nccwpck_require__(8459);
// pkg/dist-src/auth.js
var import_deprecation = __nccwpck_require__(8932);
var OAuthAppAuth = __toESM(__nccwpck_require__(4098));
var OAuthAppAuth = __toESM(__nccwpck_require__(8459));
// pkg/dist-src/get-app-authentication.js
var import_universal_github_app_jwt = __nccwpck_require__(4419);
@@ -5852,7 +5872,7 @@ function createAppAuth(options) {
/***/ }),
/***/ 4098:
/***/ 8459:
/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => {
"use strict";
@@ -7362,7 +7382,7 @@ __export(dist_src_exports, {
unknownRouteResponse: () => unknownRouteResponse
});
module.exports = __toCommonJS(dist_src_exports);
var import_auth_oauth_app = __nccwpck_require__(4098);
var import_auth_oauth_app = __nccwpck_require__(8459);
// pkg/dist-src/version.js
var VERSION = "6.0.0";
@@ -7450,7 +7470,7 @@ function getWebFlowAuthorizationUrlWithState(state, options) {
}
// pkg/dist-src/methods/create-token.js
var OAuthAppAuth = __toESM(__nccwpck_require__(4098));
var OAuthAppAuth = __toESM(__nccwpck_require__(8459));
async function createTokenWithState(state, options) {
const authentication = await state.octokit.auth({
type: "oauth-user",
@@ -19431,7 +19451,7 @@ const { MAX_LENGTH, MAX_SAFE_INTEGER } = __nccwpck_require__(2293)
const { safeRe: re, t } = __nccwpck_require__(9523)
const parseOptions = __nccwpck_require__(785)
const { compareIdentifiers } = __nccwpck_require__(5865)
const { compareIdentifiers } = __nccwpck_require__(2463)
class SemVer {
constructor (version, options) {
options = parseOptions(options)
@@ -19804,7 +19824,7 @@ module.exports = cmp
/***/ }),
/***/ 5280:
/***/ 3466:
/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => {
const SemVer = __nccwpck_require__(9087)
@@ -20190,7 +20210,7 @@ module.exports = valid
const internalRe = __nccwpck_require__(9523)
const constants = __nccwpck_require__(2293)
const SemVer = __nccwpck_require__(9087)
const identifiers = __nccwpck_require__(5865)
const identifiers = __nccwpck_require__(2463)
const parse = __nccwpck_require__(5925)
const valid = __nccwpck_require__(9601)
const clean = __nccwpck_require__(8848)
@@ -20213,7 +20233,7 @@ const neq = __nccwpck_require__(6017)
const gte = __nccwpck_require__(5930)
const lte = __nccwpck_require__(7520)
const cmp = __nccwpck_require__(5098)
const coerce = __nccwpck_require__(5280)
const coerce = __nccwpck_require__(3466)
const Comparator = __nccwpck_require__(1532)
const Range = __nccwpck_require__(9828)
const satisfies = __nccwpck_require__(6055)
@@ -20337,7 +20357,7 @@ module.exports = debug
/***/ }),
/***/ 5865:
/***/ 2463:
/***/ ((module) => {
const numeric = /^[0-9]+$/
@@ -50021,9 +50041,13 @@ var __importStar = (this && this.__importStar) || function (mod) {
Object.defineProperty(exports, "__esModule", ({ value: true }));
exports.ScorecardSchema = exports.ScorecardApiSchema = exports.ComparisonResponseSchema = exports.ChangesSchema = exports.ConfigurationOptionsSchema = exports.PullRequestSchema = exports.ChangeSchema = exports.SeveritySchema = exports.SCOPES = exports.SEVERITIES = void 0;
const z = __importStar(__nccwpck_require__(3301));
const utils_1 = __nccwpck_require__(1314);
exports.SEVERITIES = ['critical', 'high', 'moderate', 'low'];
exports.SCOPES = ['unknown', 'runtime', 'development'];
exports.SeveritySchema = z.enum(exports.SEVERITIES).default('low');
const PackageURL = z.string().transform(purlString => {
return (0, utils_1.parsePURL)(purlString);
});
exports.ChangeSchema = z.object({
change_type: z.enum(['added', 'removed']),
manifest: z.string(),
@@ -50057,8 +50081,8 @@ exports.ConfigurationOptionsSchema = z
deny_licenses: z.array(z.string()).optional(),
allow_dependencies_licenses: z.array(z.string()).optional(),
allow_ghsas: z.array(z.string()).default([]),
deny_packages: z.array(z.string()).default([]),
deny_groups: z.array(z.string()).default([]),
deny_packages: z.array(PackageURL).default([]),
deny_groups: z.array(PackageURL).default([]),
license_check: z.boolean().default(true),
vulnerability_check: z.boolean().default(true),
config_file: z.string().optional(),
@@ -50181,10 +50205,11 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
return (mod && mod.__esModule) ? mod : { "default": mod };
};
Object.defineProperty(exports, "__esModule", ({ value: true }));
exports.octokitClient = exports.isSPDXValid = exports.renderUrl = exports.getManifestsSet = exports.groupDependenciesByManifest = void 0;
exports.parsePURL = exports.octokitClient = exports.isSPDXValid = exports.renderUrl = exports.getManifestsSet = exports.groupDependenciesByManifest = void 0;
const core = __importStar(__nccwpck_require__(2186));
const octokit_1 = __nccwpck_require__(7467);
const spdx_expression_parse_1 = __importDefault(__nccwpck_require__(1620));
const packageurl_js_1 = __nccwpck_require__(8915);
function groupDependenciesByManifest(changes) {
var _a;
const dependencies = new Map();
@@ -50244,6 +50269,23 @@ function octokitClient(token = 'repo-token', required = true) {
return new octokit_1.Octokit(opts);
}
exports.octokitClient = octokitClient;
const parsePURL = (purlString) => {
try {
return packageurl_js_1.PackageURL.fromString(purlString);
}
catch (error) {
if (error.message ===
`purl is missing the required "name" component.`) {
//packageurl-js does not support empty names, so will manually override it for deny-groups
//https://github.com/package-url/packageurl-js/blob/master/src/package-url.js#L216
const purl = packageurl_js_1.PackageURL.fromString(`${purlString}TEMP_NAME`);
purl.name = '';
return purl;
}
throw error;
}
};
exports.parsePURL = parsePURL;
/***/ }),
@@ -53633,13 +53675,13 @@ exports.mapIncludes = mapIncludes;
var Alias = __nccwpck_require__(5639);
var Collection = __nccwpck_require__(3466);
var Collection = __nccwpck_require__(2240);
var identity = __nccwpck_require__(5589);
var Pair = __nccwpck_require__(246);
var toJS = __nccwpck_require__(2463);
var toJS = __nccwpck_require__(979);
var Schema = __nccwpck_require__(6831);
var stringifyDocument = __nccwpck_require__(5225);
var anchors = __nccwpck_require__(8459);
var anchors = __nccwpck_require__(2723);
var applyReviver = __nccwpck_require__(3412);
var createNode = __nccwpck_require__(9652);
var directives = __nccwpck_require__(5400);
@@ -53970,7 +54012,7 @@ exports.Document = Document;
/***/ }),
/***/ 8459:
/***/ 2723:
/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => {
"use strict";
@@ -54565,11 +54607,11 @@ exports.warn = warn;
"use strict";
var anchors = __nccwpck_require__(8459);
var anchors = __nccwpck_require__(2723);
var visit = __nccwpck_require__(6796);
var identity = __nccwpck_require__(5589);
var Node = __nccwpck_require__(1399);
var toJS = __nccwpck_require__(2463);
var toJS = __nccwpck_require__(979);
class Alias extends Node.NodeBase {
constructor(source) {
@@ -54670,7 +54712,7 @@ exports.Alias = Alias;
/***/ }),
/***/ 3466:
/***/ 2240:
/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => {
"use strict";
@@ -54838,7 +54880,7 @@ exports.isEmptyPath = isEmptyPath;
var applyReviver = __nccwpck_require__(3412);
var identity = __nccwpck_require__(5589);
var toJS = __nccwpck_require__(2463);
var toJS = __nccwpck_require__(979);
class NodeBase {
constructor(type) {
@@ -54933,7 +54975,7 @@ exports.createPair = createPair;
var identity = __nccwpck_require__(5589);
var Node = __nccwpck_require__(1399);
var toJS = __nccwpck_require__(2463);
var toJS = __nccwpck_require__(979);
const isScalarValue = (value) => !value || (typeof value !== 'function' && typeof value !== 'object');
class Scalar extends Node.NodeBase {
@@ -54968,7 +55010,7 @@ exports.isScalarValue = isScalarValue;
var stringifyCollection = __nccwpck_require__(2466);
var addPairToJSMap = __nccwpck_require__(4676);
var Collection = __nccwpck_require__(3466);
var Collection = __nccwpck_require__(2240);
var identity = __nccwpck_require__(5589);
var Pair = __nccwpck_require__(246);
var Scalar = __nccwpck_require__(9338);
@@ -55123,10 +55165,10 @@ exports.findPair = findPair;
var createNode = __nccwpck_require__(9652);
var stringifyCollection = __nccwpck_require__(2466);
var Collection = __nccwpck_require__(3466);
var Collection = __nccwpck_require__(2240);
var identity = __nccwpck_require__(5589);
var Scalar = __nccwpck_require__(9338);
var toJS = __nccwpck_require__(2463);
var toJS = __nccwpck_require__(979);
class YAMLSeq extends Collection.Collection {
static get tagName() {
@@ -55248,7 +55290,7 @@ var log = __nccwpck_require__(6909);
var stringify = __nccwpck_require__(8409);
var identity = __nccwpck_require__(5589);
var Scalar = __nccwpck_require__(9338);
var toJS = __nccwpck_require__(2463);
var toJS = __nccwpck_require__(979);
const MERGE_KEY = '<<';
function addPairToJSMap(ctx, map, { key, value }) {
@@ -55413,7 +55455,7 @@ exports.isSeq = isSeq;
/***/ }),
/***/ 2463:
/***/ 979:
/***/ ((__unused_webpack_module, exports, __nccwpck_require__) => {
"use strict";
@@ -58564,7 +58606,7 @@ exports.intOct = intOct;
var identity = __nccwpck_require__(5589);
var toJS = __nccwpck_require__(2463);
var toJS = __nccwpck_require__(979);
var YAMLMap = __nccwpck_require__(6011);
var YAMLSeq = __nccwpck_require__(5161);
var pairs = __nccwpck_require__(9841);
@@ -59150,7 +59192,7 @@ exports.foldFlowLines = foldFlowLines;
"use strict";
var anchors = __nccwpck_require__(8459);
var anchors = __nccwpck_require__(2723);
var identity = __nccwpck_require__(5589);
var stringifyComment = __nccwpck_require__(5182);
var stringifyString = __nccwpck_require__(6226);
@@ -59285,7 +59327,7 @@ exports.stringify = stringify;
"use strict";
var Collection = __nccwpck_require__(3466);
var Collection = __nccwpck_require__(2240);
var identity = __nccwpck_require__(5589);
var stringify = __nccwpck_require__(8409);
var stringifyComment = __nccwpck_require__(5182);

2
dist/index.js.map generated vendored

File diff suppressed because one or more lines are too long

View File

@@ -167,7 +167,7 @@ jobs:
## Getting the results of the action in a later step
- `comment-content` contains the output of the results comment for the entire run.
`dependency-changes`, `vulnerable-changes`, `invalid-license-changes` and `denied-changes` are all JSON objects that allow you to access individual sets of changes.
`dependency-changes`, `vulnerable-changes`, `invalid-license-changes` and `denied-changes` are all JSON objects that allow you to access individual sets of changes.
```yaml
name: 'Dependency Review'
@@ -276,10 +276,11 @@ jobs:
## Exclude dependencies from their name or groups
Using the `deny-packages` option you can exclude dependencies by their PURL. You can add multiple values separated by a commas.
With the `deny-packages` option, you can exclude dependencies based on their PURL (Package URL). If a specific version is provided, the action will deny packages matching that version. When no version is specified, the action treats it as a wildcard, denying all matching packages regardless of version. Multiple values can be added, separated by commas.
Using the `deny-groups` option you can exclude dependencies by their group name/namespace. You can add multiple values separated by a comma.
In this example, we are excluding `pkg:maven/org.apache.logging.log4j:log4j-api` and `pkg:maven/org.apache.logging.log4j/log4j-core` from `maven` and all packages in the group `pkg:maven/com.bazaarvoice.maven`
In this example, we are excluding all versions of `pkg:maven/org.apache.logging.log4j:log4j-api` and only `2.23.0` of log4j-core `pkg:maven/org.apache.logging.log4j/log4j-core@2.23.0` from `maven` and all packages in the group `pkg:maven/com.bazaarvoice.maven`
```yaml
name: 'Dependency Review'
@@ -298,7 +299,7 @@ jobs:
- name: 'Dependency Review'
uses: actions/dependency-review-action@v4
with:
deny-packages: 'pkg:maven/org.apache.logging.log4j/log4j-api,pkg:maven/org.apache.logging.log4j/log4j-core'
deny-packages: 'pkg:maven/org.apache.logging.log4j/log4j-api,pkg:maven/org.apache.logging.log4j/log4j-core@2.23.0'
deny-groups: 'pkg:maven/com.bazaarvoice.jolt'
```

View File

@@ -1,38 +1,40 @@
import {Change} from './schemas'
import * as core from '@actions/core'
import {Change} from './schemas'
import {PackageURL} from 'packageurl-js'
export async function getDeniedChanges(
changes: Change[],
deniedPackages: string[],
deniedGroups: string[]
deniedPackages: PackageURL[] = [],
deniedGroups: PackageURL[] = []
): Promise<Change[]> {
const changesDenied: Change[] = []
let failed = false
let hasDeniedPackage = false
for (const change of changes) {
change.name = change.name.toLowerCase()
const packageUrl = change.package_url.toLowerCase().split('@')[0]
const changedPackage = PackageURL.fromString(change.package_url)
if (deniedPackages) {
for (const denied of deniedPackages) {
if (packageUrl === denied.split('@')[0].toLowerCase()) {
changesDenied.push(change)
failed = true
}
for (const denied of deniedPackages) {
if (
(!denied.version || changedPackage.version === denied.version) &&
changedPackage.name === denied.name
) {
changesDenied.push(change)
hasDeniedPackage = true
}
}
if (deniedGroups) {
for (const denied of deniedGroups) {
if (packageUrl.startsWith(denied.toLowerCase())) {
changesDenied.push(change)
failed = true
}
for (const denied of deniedGroups) {
if (
changedPackage.namespace &&
changedPackage.namespace === denied.namespace
) {
changesDenied.push(change)
hasDeniedPackage = true
}
}
}
if (failed) {
if (hasDeniedPackage) {
core.setFailed('Dependency review detected denied packages.')
} else {
core.info('Dependency review did not detect any denied packages')

View File

@@ -1,10 +1,15 @@
import * as z from 'zod'
import {parsePURL} from './utils'
export const SEVERITIES = ['critical', 'high', 'moderate', 'low'] as const
export const SCOPES = ['unknown', 'runtime', 'development'] as const
export const SeveritySchema = z.enum(SEVERITIES).default('low')
const PackageURL = z.string().transform(purlString => {
return parsePURL(purlString)
})
export const ChangeSchema = z.object({
change_type: z.enum(['added', 'removed']),
manifest: z.string(),
@@ -42,8 +47,8 @@ export const ConfigurationOptionsSchema = z
deny_licenses: z.array(z.string()).optional(),
allow_dependencies_licenses: z.array(z.string()).optional(),
allow_ghsas: z.array(z.string()).default([]),
deny_packages: z.array(z.string()).default([]),
deny_groups: z.array(z.string()).default([]),
deny_packages: z.array(PackageURL).default([]),
deny_groups: z.array(PackageURL).default([]),
license_check: z.boolean().default(true),
vulnerability_check: z.boolean().default(true),
config_file: z.string().optional(),

View File

@@ -1,6 +1,7 @@
import * as core from '@actions/core'
import {Octokit} from 'octokit'
import spdxParse from 'spdx-expression-parse'
import {PackageURL} from 'packageurl-js'
import {Changes} from './schemas'
export function groupDependenciesByManifest(
@@ -68,3 +69,21 @@ export function octokitClient(token = 'repo-token', required = true): Octokit {
return new Octokit(opts)
}
export const parsePURL = (purlString: string): PackageURL => {
try {
return PackageURL.fromString(purlString)
} catch (error) {
if (
(error as Error).message ===
`purl is missing the required "name" component.`
) {
//packageurl-js does not support empty names, so will manually override it for deny-groups
//https://github.com/package-url/packageurl-js/blob/master/src/package-url.js#L216
const purl = PackageURL.fromString(`${purlString}TEMP_NAME`)
purl.name = ''
return purl
}
throw error
}
}