Comments (8)
I did some digging into the filtering flow and have come up with a possible reason for the behavior. I have raised a PR with a fix based on my analysis: #622
Looking at the filter here: https://github.com/actions/dependency-review-action/blob/1cbb0489072933d6823ebce2028a73d48261ea0d/src/main.ts#L85C21-L85C21, it first filters by allowed GHSAs and then by severity of vulnerability. This leads to incorrect filtering, possibly due to one of the filters not working as expected.
Switching the order seems to work and gives accurate results. The order of the filters matters and gives different output depending on which filter is applied first. Test cases that reproduce the two different orders of filtering and give separate results: https://github.com/actions/dependency-review-action/pull/622/files#diff-fc6d7537d3a9c088f297d6b58708d0ab512e31c9dadba846573ff8a83fb4c973R128
from dependency-review-action.
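The two-stage flow described in the comment above (drop allow-listed GHSAs, then drop everything below the fail-on-severity threshold) should not depend on the order the stages run in, as long as each stage is a pure filter on its own field. The following is an added example, not code from dependency-review-action or from the commenter: a minimal pure implementation of both stages together with the check a reproduction should run, namely that both orders yield the same report. The record shape (advisory_ghsa_id, severity), the function names and the sample changes are this example's own assumptions; the GHSA IDs are placeholders.

```typescript
// Added example, not the project's code. Record shape and helper names are assumed.

type Severity = "low" | "moderate" | "high" | "critical";

interface Vulnerability {
  advisory_ghsa_id: string;
  severity: Severity;
}

interface Change {
  name: string;
  version: string;
  vulnerabilities: Vulnerability[];
}

// Rank used to compare a vulnerability against the fail-on-severity threshold.
const SEVERITY_RANK: Record<Severity, number> = {
  low: 0,
  moderate: 1,
  high: 2,
  critical: 3,
};

// Stage A: drop vulnerabilities whose GHSA ID is on the allow list. The change
// itself is kept; changes left with no vulnerabilities are pruned at the end.
// Case-insensitive matching is this example's choice, so "ghsa-..." and
// "GHSA-..." in a workflow file behave the same.
function dropAllowedGhsas(changes: Change[], allowGhsas: string[]): Change[] {
  const allowed = new Set<string>(allowGhsas.map((id) => id.toUpperCase()));
  return changes.map((c) => ({
    ...c,
    vulnerabilities: c.vulnerabilities.filter(
      (v) => !allowed.has(v.advisory_ghsa_id.toUpperCase())
    ),
  }));
}

// Stage B: drop vulnerabilities whose severity is below the threshold.
function dropBelowSeverity(changes: Change[], failOnSeverity: Severity): Change[] {
  const threshold = SEVERITY_RANK[failOnSeverity];
  return changes.map((c) => ({
    ...c,
    vulnerabilities: c.vulnerabilities.filter(
      (v) => SEVERITY_RANK[v.severity] >= threshold
    ),
  }));
}

// Run both stages in the requested order and keep only changes that still carry
// at least one vulnerability. Neither stage mutates its input, so the result
// must be the same either way; a difference means a stage is not a pure filter.
function vulnerableChanges(
  changes: Change[],
  allowGhsas: string[],
  failOnSeverity: Severity,
  allowListFirst: boolean
): Change[] {
  const staged = allowListFirst
    ? dropBelowSeverity(dropAllowedGhsas(changes, allowGhsas), failOnSeverity)
    : dropAllowedGhsas(dropBelowSeverity(changes, failOnSeverity), allowGhsas);
  return staged.filter((c) => c.vulnerabilities.length > 0);
}

// Flatten a report to sorted "name@version:GHSA" keys so two reports compare.
function reportKeys(changes: Change[]): string[] {
  const keys: string[] = [];
  for (const c of changes) {
    for (const v of c.vulnerabilities) {
      keys.push(`${c.name}@${c.version}:${v.advisory_ghsa_id}`);
    }
  }
  return keys.sort();
}

// The property a reproduction should assert: filter order does not change the report.
function filterOrderIsIrrelevant(
  changes: Change[],
  allowGhsas: string[],
  failOnSeverity: Severity
): boolean {
  const a = reportKeys(vulnerableChanges(changes, allowGhsas, failOnSeverity, true));
  const b = reportKeys(vulnerableChanges(changes, allowGhsas, failOnSeverity, false));
  return a.length === b.length && a.every((k, i) => k === b[i]);
}

// Constructed sample input; the GHSA IDs are placeholders, not real advisories.
const SAMPLE_CHANGES: Change[] = [
  { name: "pkg-a", version: "1.0.0", vulnerabilities: [
      { advisory_ghsa_id: "GHSA-xxxx-xxxx-xx01", severity: "high" },
      { advisory_ghsa_id: "GHSA-xxxx-xxxx-xx02", severity: "low" } ] },
  { name: "pkg-b", version: "2.3.1", vulnerabilities: [
      { advisory_ghsa_id: "GHSA-xxxx-xxxx-xx03", severity: "critical" } ] },
  { name: "pkg-c", version: "0.9.0", vulnerabilities: [
      { advisory_ghsa_id: "GHSA-xxxx-xxxx-xx04", severity: "moderate" } ] },
];
const SAMPLE_ALLOW: string[] = ["ghsa-xxxx-xxxx-xx03"];
```

With the sample data, an allow list containing the critical advisory and a moderate threshold, both orders report exactly the high finding on pkg-a and the moderate finding on pkg-c; pkg-b disappears because its only advisory was allow-listed. If a real implementation ever makes filterOrderIsIrrelevant return false, that is the symptom to bisect on, since a stage that filters on something other than its own field, or that mutates the shared change objects, is the usual cause.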
@virangdoshi Can you test against the action branch fix-advisory-filters and see if you can still reproduce this behavior?

    uses: actions/dependency-review-action@fix-advisory-filters
    with:
      ... your options
I have a PR up that I think will fix this issue: #623.
I have set up the same test harness you shared before, and it seems to be working now:
Thanks! @febuiles
Both my test PRs are passing and working as expected with the fix-advisory-filters
🚀
virangdoshi/juice-shop#30
virangdoshi/juice-shop#26
Can this also be applied to an older branch? At my company, we are using 3.0.8 (https://github.com/actions/dependency-review-action/releases/tag/v3.0.8). The reason for using this older tag is that the release after 3.0.8 is throwing a snapshot warning in the summary, which is undesired. Using 3.0.8 does not throw snapshot errors and we plan to continue using this older release.
@virangdoshi can you share a screenshot or text log of the unexpected error you're seeing in this issue: #566?
Maybe we can get that fixed for a new release too.
That would be awesome! Here is the screenshot of the summary
This was popping up in every summary. Tried enabling that config in the suggestion, but to no effect.
(Scrubbed the head SHA in the screenshot)
Closing this issue (fixed in https://github.com/actions/dependency-review-action/releases/tag/v3.1.4)
@febuiles Any chance this fix can be ported back to the 3.0.8 version? I am sure there might be other folks who might benefit from not having the snapshot errors show up in the summary.
@virangdoshi we can't modify existing versions. We need to get a reproduction case of #626 in order to release a new fix that can benefit all folks.