Adding logic to filter by vulnerability severity.

2022-05-31 16:50:39 +02:00
parent e622e72c6f
commit f0a04841ce
8 changed files with 8510 additions and 8 deletions
--- a/tests/config.test.ts
+++ b/tests/config.test.ts
@@ -11,7 +11,7 @@ test('has a default config filepath', async () => {
    expect(true).toEqual(true)
 })

-test('can read files with both extensions', async () => {
+test('the default config path handles .yml and .yaml', async () => {
    expect(true).toEqual(true)
 })

--- a/tests/filter.test.ts
+++ b/tests/filter.test.ts
@@ -0,0 +1,54 @@
+import { expect, test } from '@jest/globals'
+import { Change, Changes } from '../src/schemas'
+import { filterChangesBySeverity } from '../src/filter'
+
+let npmChange: Change = {
+    manifest: "package.json",
+    change_type: "added",
+    ecosystem: "npm",
+    name: "Reeuhq",
+    version: "1.0.2",
+    package_url: "somepurl",
+    license: "MIT",
+    source_repository_url: "github.com/some-repo",
+    vulnerabilities: [
+        {
+            severity: "critical",
+            advisory_ghsa_id: "first-random_string",
+            advisory_summary: "very dangerouns",
+            advisory_url: "github.com/future-funk"
+        }
+    ]
+}
+
+let rubyChange: Change = {
+    change_type: "added",
+    manifest: "Gemfile.lock",
+    ecosystem: "rubygems",
+    name: "actionsomething",
+    version: "3.2.0",
+    package_url: "somerubypurl",
+    license: "BSD",
+    source_repository_url: "github.com/some-repo",
+    vulnerabilities: [
+        {
+            severity: "moderate",
+            advisory_ghsa_id: "second-random_string",
+            advisory_summary: "not so dangerouns",
+            advisory_url: "github.com/future-funk"
+        },
+        {
+            severity: "low",
+            advisory_ghsa_id: "third-random_string",
+            advisory_summary: "dont page me",
+            advisory_url: "github.com/future-funk"
+        },
+    ]
+}
+
+test('it properly filters changes by severity', async () => {
+    let changes: Changes = [npmChange, rubyChange]
+    const expectedChanges: Changes = [npmChange]
+    changes = filterChangesBySeverity('high', changes)
+    expect(changes).toEqual(expectedChanges)
+})
--- a/dist/index.js
+++ b/dist/index.js
--- a/dist/index.js.map
+++ b/dist/index.js.map
--- a/dist/licenses.txt
+++ b/dist/licenses.txt
@@ -684,6 +684,23 @@ ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
 IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.


+yaml
+ISC
+Copyright Eemeli Aro <eemeli@gmail.com>
+
+Permission to use, copy, modify, and/or distribute this software for any purpose
+with or without fee is hereby granted, provided that the above copyright notice
+and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
+REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
+FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
+INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
+OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER
+TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF
+THIS SOFTWARE.
+
+
 zod
 MIT
 MIT License
--- a/src/config.ts
+++ b/src/config.ts
@@ -1,13 +1,12 @@
 import * as fs from 'fs'
-import * as core from '@actions/core'
 import YAML from 'yaml'
 import * as z from 'zod'
 import path from 'path'
-import { type } from 'os'

+export type Severity = "critical" | "high" | "moderate" | "low"

-const CONFIG_FILEPATH = "./.github/dep-review.yml"
-const SEVERITIES = ["critical", "high", "moderate", "low"] as const
+export const SEVERITIES = ["critical", "high", "moderate", "low"] as const
+export const CONFIG_FILEPATH = "./.github/dep-review.yml"

 type ConfigurationOptions = {
    fail_on_severity: string,
@@ -24,7 +23,6 @@ export function readConfigFile(filePath: string = CONFIG_FILEPATH): Configuratio
    }

    try {
-        console.log(path.resolve(filePath))
        var data = fs.readFileSync(path.resolve(filePath), "utf-8");

    } catch (error: any) {
@@ -47,4 +45,4 @@ export function readConfigFile(filePath: string = CONFIG_FILEPATH): Configuratio
        .parse(values)

    return <ConfigurationOptions>parsed;
-}
+}
--- a/src/filter.ts
+++ b/src/filter.ts
@@ -0,0 +1,25 @@
+import { Changes } from './schemas'
+import { Severity, SEVERITIES } from './config'
+
+export function filterChangesBySeverity(severity: Severity, changes: Changes): Changes {
+    const severityIdx = SEVERITIES.indexOf(severity)
+
+    for (let change of changes) {
+        if (change === undefined ||
+            change.vulnerabilities === undefined ||
+            change.vulnerabilities.length === 0) {
+            continue
+        }
+        change.vulnerabilities = change.vulnerabilities.filter((vuln: any) => {
+            const vulnIdx = SEVERITIES.indexOf(vuln.severity)
+            if (vulnIdx <= severityIdx) {
+                return true
+            }
+        })
+
+    }
+
+    // don't want to deal with changes with no vulnerabilities
+    changes = changes.filter((change: any) => change.vulnerabilities.length > 0)
+    return changes
+}
--- a/src/main.ts
+++ b/src/main.ts
@@ -4,6 +4,8 @@ import * as github from '@actions/github'
 import styles from 'ansi-styles'
 import { RequestError } from '@octokit/request-error'
 import { Change, PullRequestSchema } from './schemas'
+import { Severity, readConfigFile } from '../src/config'
+import { filterChangesBySeverity } from '../src/filter'

 async function run(): Promise<void> {
  try {
@@ -24,8 +26,12 @@ async function run(): Promise<void> {
      headRef: pull_request.head.sha
    })

+    let config = readConfigFile()
+    let minSeverity = config.fail_on_severity
    let failed = false

+    let filteredChanges = filterChangesBySeverity(minSeverity as Severity, changes)
+
    for (const change of changes) {
      if (
        change.change_type === 'added' &&