Comments (12)

virangdoshi avatar virangdoshi commented on June 29, 2024 2

@febuiles The "snapshot warning" header field contains the following error: No snapshots were found for the head SHA <The actual SHA>. That is the same message that shows up in the Actions run log.

Can the snapshot checks be disabled (or not added to the summary) with a configuration option or some other mechanism?

from dependency-review-action.

febuiles avatar febuiles commented on June 29, 2024 2

@lucacome that's very useful, thank you!

Here's the API output of running DR on that PR:

$ gh api --verbose repos/nginxinc/nginx-gateway-fabric/dependency-graph/compare/main...bbe5d8e
* Request at 2024-02-15 07:15:27.983708 +0100 CET m=+0.067214959
* Request to https://api.github.com/repos/nginxinc/nginx-gateway-fabric/dependency-graph/compare/main...bbe5d8e
> GET /repos/nginxinc/nginx-gateway-fabric/dependency-graph/compare/main...bbe5d8e HTTP/1.1
> Host: api.github.com
> Accept:
> Authorization: token ...
> Content-Type: application/json; charset=utf-8

< HTTP/2.0 200 OK
< Access-Control-Allow-Origin: *
< Access-Control-Expose-Headers: ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset
< Cache-Control: private, max-age=60, s-maxage=60
< Content-Security-Policy: default-src 'none'
< Content-Type: application/json; charset=utf-8
< Date: Thu, 15 Feb 2024 06:15:28 GMT
< Etag: W/"fdd68e99f804c0b800278fd1d2cbc3081625e07df7c8515db7ac36d2dbebb2e9"
< Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
< Server: GitHub.com
< Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
< Vary: Accept, Authorization, Cookie, X-GitHub-OTP
< Vary: Accept-Encoding, Accept, X-Requested-With
< X-Accepted-Oauth-Scopes:
< X-Content-Type-Options: nosniff
< X-Frame-Options: deny
< X-Github-Api-Version-Selected: 2022-11-28
< X-Github-Dependency-Graph-Snapshot-Warnings: Tm8gc25hcHNob3RzIHdlcmUgZm91bmQgZm9yIHRoZSBoZWFkIFNIQSBiYmU1ZDhlMGE0OTk2ZmU2OWMzYTU4YjU1YjE2MGVhOTU5NDQ1Y2E1Lg==
< X-Github-Media-Type: github.v3; format=json
< X-Github-Request-Id: F047:0FB0:9FFED:A2818:65CDAC00
< X-Oauth-Client-Id: 178c6fc778ccc68e1d6a
< X-Oauth-Scopes: admin:public_key, codespace, gist, read:org, repo
...

[
  {
    "change_type": "added",
    "manifest": ".github/workflows/fossa.yml",
    "ecosystem": "actions",
    "name": "fossas/fossa-action",
    "version": "32c7979e971182f1e7602ed5d2b9ae0f5a6933d1",
    "package_url": "pkg:githubactions/fossas/fossa-action@32c7979e971182f1e7602ed5d2b9ae0f5a6933d1",
    "license": null,
    "source_repository_url": "https://github.com/fossas/fossa-action",
    "scope": "runtime",
    "vulnerabilities": []
  },
  {
    "change_type": "removed",
    "manifest": ".github/workflows/fossa.yml",
    "ecosystem": "actions",
    "name": "fossas/fossa-action",
    "version": "f61a4c0c263690f2ddb54b9822a719c25a7b608f",
    "package_url": "pkg:githubactions/fossas/fossa-action@f61a4c0c263690f2ddb54b9822a719c25a7b608f",
    "license": null,
    "source_repository_url": "https://github.com/fossas/fossa-action",
    "scope": "runtime",
    "vulnerabilities": []
  }
]

* Request took 271.863292ms

The snapshots warning matches the error being displayed:

< X-Github-Dependency-Graph-Snapshot-Warnings: Tm8gc25hcHNob3RzIHdlcmUgZm91bmQgZm9yIHRoZSBoZWFkIFNIQSBiYmU1ZDhlMGE0OTk2ZmU2OWMzYTU4YjU1YjE2MGVhOTU5NDQ1Y2E1Lg== 
# decodes to No snapshots were found for the head SHA bbe5d8e0a4996fe69c3a58b55b160ea959445ca5.

@juxtin The repo (nginxinc/nginx-gateway-fabric) contains a single snapshot generated in 2023-03-29: https://gist.github.com/febuiles/b99c8d92ead98029495b4b014cff9f9b. The only "weird" thing I see in the snapshot is that the lockfile referenced in it now lives somewhere else in the repo. Do you see anything that could be generating the warnings?

lucacome avatar lucacome commented on June 29, 2024 1

I just saw this warning for the first time here nginxinc/nginx-gateway-fabric#1581 if it can help fix this.

febuiles avatar febuiles commented on June 29, 2024 1

@lucacome I'm sorry you ran into this. You can read more about dependency snapshots here. They provide a way to capture build-time information of projects to complement the static analysis Dependency Graph does.

Looking at the detector name (GitHub Dependabot Push-Time Snapshot) it looks like this came from a GitHub internal tool/experiment. I'll make sure this snapshot is disabled from your repo. Maybe snapshots generated by this tool are the ones causing issues (cc @juxtin)

juxtin avatar juxtin commented on June 29, 2024 1

Thanks everyone, I've merged a fix for this on the service side, so we shouldn't see any more of these spurious warnings.

juxtin avatar juxtin commented on June 29, 2024

Do we have an example repository where this is happening?

febuiles avatar febuiles commented on June 29, 2024

@virangdoshi is this happening on a public repo, or do you have a way to reproduce it and share the result?

I don't mind considering the idea of disabling snapshots with an option, but would like to see if we can't fix this in the first place.

virangdoshi avatar virangdoshi commented on June 29, 2024

@febuiles I am not familiar with snapshots and do not have a way to reproduce this in a public repo.

lucacome avatar lucacome commented on June 29, 2024

Sorry to hijack the conversation for a second, but I'm still not sure what this dependency snapshot is and why it was only generated on 2023-03-29. Should it be generated more frequently? Is it something that we're missing in the repo?

febuiles avatar febuiles commented on June 29, 2024

@lucacome can you try to re-run the Action? You don't need to merge, but I think the problem has resolved for your repo. The Github-Dependency-Graph-Snapshot-Warnings header is now empty when calling the API manually:

gh api --verbose repos/nginxinc/nginx-gateway-fabric/dependency-graph/compare/main...bbe5d8e

lucacome avatar lucacome commented on June 29, 2024

@febuiles the warning is gone, thanks! 🎉

wjglerum avatar wjglerum commented on June 29, 2024

It seems like we still get this error in our workflow:
⚠️: No snapshots were found for the head SHA 1234.

If I query the REST API I do get an empty array as response (which makes sense as no dependencies have changed):

gh api --verbose repos/foo/bar/dependency-graph/compare/main...1234

which simply returns []

Shouldn't this action handle this case gracefully instead?

Cause this is quite confusing for our users who see this error on their PRs or as annotation in their checks on their PR.
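
A check for the two situations discussed in this thread (the base64 warning header in febuiles' captured API output above, and the empty compare result wjglerum describes), as an added Python example that is not code from dependency-review-action or from any commenter here. The sample body and header value are constructed from the captured output; the rule that a snapshot warning is not actionable when the compare result has no changes is an assumption made for this example.

```python
import base64
import json

# Constructed sample input: the compare-API body and the header value that
# were captured in the gh api output quoted earlier in this thread.
SAMPLE_BODY = json.dumps([
    {"change_type": "added", "manifest": ".github/workflows/fossa.yml",
     "ecosystem": "actions", "name": "fossas/fossa-action",
     "version": "32c7979e971182f1e7602ed5d2b9ae0f5a6933d1",
     "license": None, "scope": "runtime", "vulnerabilities": []},
    {"change_type": "removed", "manifest": ".github/workflows/fossa.yml",
     "ecosystem": "actions", "name": "fossas/fossa-action",
     "version": "f61a4c0c263690f2ddb54b9822a719c25a7b608f",
     "license": None, "scope": "runtime", "vulnerabilities": []},
])
SAMPLE_WARNING_HEADER = ("Tm8gc25hcHNob3RzIHdlcmUgZm91bmQgZm9yIHRoZSBoZWFkIFNIQSBi"
                         "YmU1ZDhlMGE0OTk2ZmU2OWMzYTU4YjU1YjE2MGVhOTU5NDQ1Y2E1Lg==")

def decode_snapshot_warnings(header_value):
    """Return the plain-text warning carried in
    X-Github-Dependency-Graph-Snapshot-Warnings, or '' when the header is
    missing or empty (the state febuiles reports after the service-side fix)."""
    if not header_value or not header_value.strip():
        return ""
    return base64.b64decode(header_value.strip()).decode("utf-8")

def summarize_compare(body, headers):
    """Turn one compare response into a review summary that keeps the
    advisory snapshot warning apart from real dependency findings."""
    changes = json.loads(body)
    # HTTP header names are case-insensitive; normalise before the lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    warning = decode_snapshot_warnings(
        lowered.get("x-github-dependency-graph-snapshot-warnings", ""))
    added = [c for c in changes if c["change_type"] == "added"]
    removed = [c for c in changes if c["change_type"] == "removed"]
    # Only added dependencies with a non-empty vulnerabilities list need review.
    vulnerable = [(c["name"], c["version"], len(c["vulnerabilities"]))
                  for c in added if c["vulnerabilities"]]
    return {
        "added": len(added),
        "removed": len(removed),
        "vulnerable": vulnerable,
        "snapshot_warning": warning,
        # Assumption made for this example: with no dependency changes at all
        # (the "[]" case wjglerum describes) the warning is not actionable.
        "warning_actionable": bool(warning) and bool(changes),
    }
```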
