Commit
change from name of the package to the package url to avoid conflict between 2 dependencies with the same name but for different ecosystems
adrienpessu committed Aug 8, 2023
1 parent c462e2e commit 1db9156
Showing 6 changed files with 34 additions and 30 deletions.
28 changes: 14 additions & 14 deletions README.md
Expand Up @@ -66,20 +66,20 @@ jobs:

Configure this action by either inlining these options in your workflow file, or by using an external configuration file. All configuration options are optional.

| Option | Usage | Possible values | Default value |
|---------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------|---------------|
| `fail-on-severity` | Defines the threshold for the level of severity. The action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher. | `low`, `moderate`, `high`, `critical` | `low` |
| `allow-licenses`\* | Contains a list of allowed licenses. The action will fail on pull requests that introduce dependencies with licenses that do not match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `deny-licenses`\* | Contains a list of prohibited licenses. The action will fail on pull requests that introduce dependencies with licenses that match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `fail-on-scopes`† | Contains a list of strings of the build environments you want to support. The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list. | `runtime`, `development`, `unknown` | `runtime` |
| `allow-ghsas` | Contains a list of GitHub Advisory Database IDs that can be skipped during detection. | Any GHSAs from the [GitHub Advisory Database](https://github.com/advisories) | none |
| `license-check` | Enable or disable the license check performed by the action. | `true`, `false` | `true` |
| `vulnerability-check` | Enable or disable the vulnerability check performed by the action. | `true`, `false` | `true` |
| `allow-dependencies-licenses`\* | Contains a list of packages that will be excluded from license checks. | Any package(s) in [purl](https://github.com/package-url/purl-spec) format | none |
| `base-ref`/`head-ref` | Provide custom git references for the git base/head when performing the comparison check. This is only used for event types other than `pull_request` and `pull_request_target`. | Any valid git ref(s) in your project | none |
| `comment-summary-in-pr` | Enable or disable reporting the review summary as a comment in the pull request. If enabled, you must give the workflow or job permission `pull-requests: write`. | `true`, `false` | `false` |
| `deny-packages` | Contains a list of denied package's name. | Any packages complete names | empty |
| `deny-groups` | Contains a list of denied groups package's name. | Any packages's group names | empty |
| Option | Usage | Possible values | Default value |
|---------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------|---------------|
| `fail-on-severity` | Defines the threshold for the level of severity. The action will fail on any pull requests that introduce vulnerabilities of the specified severity level or higher. | `low`, `moderate`, `high`, `critical` | `low` |
| `allow-licenses`\* | Contains a list of allowed licenses. The action will fail on pull requests that introduce dependencies with licenses that do not match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `deny-licenses`\* | Contains a list of prohibited licenses. The action will fail on pull requests that introduce dependencies with licenses that match the list. | Any [SPDX-compliant identifier(s)](https://spdx.org/licenses/) | none |
| `fail-on-scopes`† | Contains a list of strings of the build environments you want to support. The action will fail on pull requests that introduce vulnerabilities in the scopes that match the list. | `runtime`, `development`, `unknown` | `runtime` |
| `allow-ghsas` | Contains a list of GitHub Advisory Database IDs that can be skipped during detection. | Any GHSAs from the [GitHub Advisory Database](https://github.com/advisories) | none |
| `license-check` | Enable or disable the license check performed by the action. | `true`, `false` | `true` |
| `vulnerability-check` | Enable or disable the vulnerability check performed by the action. | `true`, `false` | `true` |
| `allow-dependencies-licenses`\* | Contains a list of packages that will be excluded from license checks. | Any package(s) in [purl](https://github.com/package-url/purl-spec) format | none |
| `base-ref`/`head-ref` | Provide custom git references for the git base/head when performing the comparison check. This is only used for event types other than `pull_request` and `pull_request_target`. | Any valid git ref(s) in your project | none |
| `comment-summary-in-pr` | Enable or disable reporting the review summary as a comment in the pull request. If enabled, you must give the workflow or job permission `pull-requests: write`. | `true`, `false` | `false` |
| `deny-packages` | Contains a list of denied package's URL. | Any packages [purl](https://github.com/package-url/purl-spec) without the version | empty |
| `deny-groups` | Contains a list of denied groups package's name. | Any packages [purl](https://github.com/package-url/purl-spec) without the version and the name | empty |

\*not supported for use with GitHub Enterprise Server

14 changes: 9 additions & 5 deletions __tests__/deny.test.ts
Expand Up @@ -81,7 +81,7 @@ const mvnChange: Change = {
ecosystem: 'maven',
name: 'org.apache.logging.log4j:log4j-core',
version: '2.15.0',
package_url: 'pkg:org.apache.logging.log4j:log4j-core@1.1.1',
package_url: 'pkg:maven/org.apache.logging.log4j/log4j-core@2.14.7',
license: 'Apache-2.0',
source_repository_url:
'https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core',
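Review bot: the fixture is now internally inconsistent: `version: '2.15.0'` two lines above, but the purl ends in `@2.14.7`. Use the same version in both fields. The tests will not catch the mismatch because `getDeniedChanges` strips everything after `@`, but a reader of the fixture will trust one of the two values, and log4j versions are exactly the kind of detail people look up.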
Expand Down Expand Up @@ -132,7 +132,11 @@ beforeEach(async () => {

test('it adds packages in the deny packages list', async () => {
const changes: Changes = [npmChange, rubyChange]
const deniedChanges = await getDeniedChanges(changes, ['actionsomething'], [])
const deniedChanges = await getDeniedChanges(
changes,
['pkg:gem/actionsomething'],
[]
)

expect(deniedChanges[0]).toBe(rubyChange)
expect(deniedChanges.length).toEqual(1)
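Review bot: this only asserts the positive case. Add the negative assertions that motivate the commit: that the old bare-name form `['actionsomething']` no longer denies `rubyChange`, and that an npm change with the same package name is not denied by the `pkg:gem/...` entry, since the cross-ecosystem name clash is the reason for moving to purls. As written, a regression back to name matching would still pass.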
Expand All @@ -143,7 +147,7 @@ test('it adds packages in the deny group list', async () => {
const deniedChanges = await getDeniedChanges(
changes,
[],
['org.apache.logging.log4j']
['pkg:maven/org.apache.logging.log4j']
)

expect(deniedChanges[0]).toBe(mvnChange)
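Review bot: the group check is a prefix match, so `'pkg:maven/org.apache.logging.log4j'` would also deny a package whose namespace merely starts with that string (for example `pkg:maven/org.apache.logging.log4j-extras/...`). Add a fixture with such a near-miss namespace and assert it is not denied; that forces the implementation to match on the `/` segment boundary rather than on raw characters.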
Expand All @@ -154,8 +158,8 @@ test('it adds packages outside of the deny lists', async () => {
const changes: Changes = [npmChange, pipChange]
const deniedChanges = await getDeniedChanges(
changes,
['actionsomething'],
['org.apache.logging.log4j']
['pkg:gem/actionsomething'],
['pkg:maven:org.apache.logging.log4j']
)

expect(deniedChanges.length).toEqual(0)
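Review bot: the group value on the last changed line uses a colon after the type, `'pkg:maven:org.apache.logging.log4j'`, while the previous test uses `'pkg:maven/org.apache.logging.log4j'`. This looks like a typo, and it is invisible here because neither `npmChange` nor `pipChange` is a maven package, so the test passes whatever the group string contains. Use the slash form so the three tests agree on the purl syntax they exercise.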
6 changes: 3 additions & 3 deletions dist/index.js

Some generated files are not rendered by default.

2 changes: 1 addition & 1 deletion dist/index.js.map

Large diffs are not rendered by default.

8 changes: 4 additions & 4 deletions docs/examples.md
Expand Up @@ -233,8 +233,8 @@ jobs:

## Exclude dependencies from their name or groups

Using the `deny-packages` you can exclude dependencies by their full name. You can add multiple values separated by a comma.
Using the `deny-groups` you can exclude dependencies by their group name. You can add multiple values separated by a comma.
Using the `deny-packages` you can exclude dependencies by their full package name. You can add multiple values separated by a comma.
Using the `deny-groups` you can exclude dependencies by their package group name. You can add multiple values separated by a comma.

In this example, we are excluding `log4j-api` and `log4j-code` from `maven` and `requests` from `pip` dependencies from the license check

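Review bot: `log4j-code` in the sentence is a typo for `log4j-core` (the workflow example in this file denies `log4j-core`). The two new sentences also still describe the values as a "full package name" and a "package group name" even though the accepted format is now a purl; say so explicitly, e.g. "by their package URL (purl) without the version" and "by the purl prefix of their group", otherwise readers will keep supplying bare names, which no longer match anything.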
Expand All @@ -255,6 +255,6 @@ jobs:
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
with:
deny-packages: 'org.apache.logging.log4j:log4j-api,org.apache.logging.log4j:log4j-core'
deny-groups: 'com.bazaarvoice.maven'
deny-packages: 'pkg:maven/org.apache.logging.log4j:log4j-api,pkg:maven/org.apache.logging.log4j:log4j-core'
deny-groups: 'pkg:maven/com.bazaarvoice.maven'
```
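Review bot: the new `deny-packages` values put a colon between namespace and name (`pkg:maven/org.apache.logging.log4j:log4j-api`), but the purl form used by the `mvnChange` test fixture and by the purl spec is `pkg:maven/org.apache.logging.log4j/log4j-api`. `getDeniedChanges` now compares `package_url` by exact equality after stripping the version, so the example as written never matches, and a user who copies it gets a deny list that silently does nothing. Change both entries to the slash form.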
6 changes: 3 additions & 3 deletions src/deny.ts
Expand Up @@ -11,11 +11,11 @@ export async function getDeniedChanges(
let failed = false
for (const change of changes) {
change.name = change.name.toLowerCase()
change.package_url = change.package_url.toLowerCase()
const packageUrl = change.package_url.toLowerCase().split('@')[0]

if (deniedPackages) {
for (const denied of deniedPackages) {
if (change.name === denied.toLowerCase()) {
if (packageUrl === denied.split('@')[0].toLowerCase()) {
changesDenied.push(change)
failed = true
}
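Review bot: the accepted format of `deny-packages` changes from bare names to purls without any validation, so an existing configuration such as `deny-packages: 'actionsomething'` now silently matches nothing: the deny list fails open. Before the loop, check that each entry starts with `pkg:` and warn or fail when it does not (for example via `warning` from `@actions/core`, if that module is already imported here), so a stale configuration is surfaced rather than ignored. Also, `change.name = change.name.toLowerCase()` on the line above is no longer used by the comparison yet still mutates the caller's object; drop it. Finally, `split('@')[0]` discards qualifiers (`?...`) and subpath (`#...`) only when they follow a version; a denied entry written with a qualifier but no version keeps it and will never match, so the README should state that entries are type/namespace/name only.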
Expand All @@ -24,7 +24,7 @@ export async function getDeniedChanges(

if (deniedGroups) {
for (const denied of deniedGroups) {
if (change.name.startsWith(denied.toLowerCase())) {
if (packageUrl.startsWith(denied.toLowerCase())) {
changesDenied.push(change)
failed = true
}
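Review bot: `startsWith` on the raw group string matches across segment boundaries: `pkg:maven/org.apache.logging.log4j` also denies `pkg:maven/org.apache.logging.log4j-anything/...`, and `pkg:npm/foo` denies `pkg:npm/foobar`. Normalise the denied group to end with `/` (append it when missing) before the prefix test so the match stops at a purl segment boundary; that is what the README's "without the version and the name" wording implies. The `denied` value should also go through the same `split('@')[0]` handling as the package case so a group entry with a stray version suffix is treated consistently.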
