Comments (12)
@febuiles The "snapshot warning" header field contains the following error: No snapshots were found for the head SHA <The actual SHA>
That is the same message that shows up in the Actions run log
Can the snapshot checks be disabled (or not added to the summary) with a configuration option or some other mechanism?
from dependency-review-action.
@lucacome that's very useful, thank you!
Here's the API output of running DR on that PR:
```
$ gh api --verbose repos/nginxinc/nginx-gateway-fabric/dependency-graph/compare/main...bbe5d8e
* Request at 2024-02-15 07:15:27.983708 +0100 CET m=+0.067214959
* Request to https://api.github.com/repos/nginxinc/nginx-gateway-fabric/dependency-graph/compare/main...bbe5d8e
> GET /repos/nginxinc/nginx-gateway-fabric/dependency-graph/compare/main...bbe5d8e HTTP/1.1
> Host: api.github.com
> Accept:
> Authorization: token ...
> Content-Type: application/json; charset=utf-8
< HTTP/2.0 200 OK
< Access-Control-Allow-Origin: *
< Access-Control-Expose-Headers: ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset
< Cache-Control: private, max-age=60, s-maxage=60
< Content-Security-Policy: default-src 'none'
< Content-Type: application/json; charset=utf-8
< Date: Thu, 15 Feb 2024 06:15:28 GMT
< Etag: W/"fdd68e99f804c0b800278fd1d2cbc3081625e07df7c8515db7ac36d2dbebb2e9"
< Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
< Server: GitHub.com
< Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
< Vary: Accept, Authorization, Cookie, X-GitHub-OTP
< Vary: Accept-Encoding, Accept, X-Requested-With
< X-Accepted-Oauth-Scopes:
< X-Content-Type-Options: nosniff
< X-Frame-Options: deny
< X-Github-Api-Version-Selected: 2022-11-28
< X-Github-Dependency-Graph-Snapshot-Warnings: Tm8gc25hcHNob3RzIHdlcmUgZm91bmQgZm9yIHRoZSBoZWFkIFNIQSBiYmU1ZDhlMGE0OTk2ZmU2OWMzYTU4YjU1YjE2MGVhOTU5NDQ1Y2E1Lg==
< X-Github-Media-Type: github.v3; format=json
< X-Github-Request-Id: F047:0FB0:9FFED:A2818:65CDAC00
< X-Oauth-Client-Id: 178c6fc778ccc68e1d6a
< X-Oauth-Scopes: admin:public_key, codespace, gist, read:org, repo
...
[
  {
    "change_type": "added",
    "manifest": ".github/workflows/fossa.yml",
    "ecosystem": "actions",
    "name": "fossas/fossa-action",
    "version": "32c7979e971182f1e7602ed5d2b9ae0f5a6933d1",
    "package_url": "pkg:githubactions/fossas/fossa-action@32c7979e971182f1e7602ed5d2b9ae0f5a6933d1",
    "license": null,
    "source_repository_url": "https://github.com/fossas/fossa-action",
    "scope": "runtime",
    "vulnerabilities": []
  },
  {
    "change_type": "removed",
    "manifest": ".github/workflows/fossa.yml",
    "ecosystem": "actions",
    "name": "fossas/fossa-action",
    "version": "f61a4c0c263690f2ddb54b9822a719c25a7b608f",
    "package_url": "pkg:githubactions/fossas/fossa-action@f61a4c0c263690f2ddb54b9822a719c25a7b608f",
    "license": null,
    "source_repository_url": "https://github.com/fossas/fossa-action",
    "scope": "runtime",
    "vulnerabilities": []
  }
]
* Request took 271.863292ms
```
The snapshots warning matches the error being displayed:
```
< X-Github-Dependency-Graph-Snapshot-Warnings: Tm8gc25hcHNob3RzIHdlcmUgZm91bmQgZm9yIHRoZSBoZWFkIFNIQSBiYmU1ZDhlMGE0OTk2ZmU2OWMzYTU4YjU1YjE2MGVhOTU5NDQ1Y2E1Lg==
# decodes to: No snapshots were found for the head SHA bbe5d8e0a4996fe69c3a58b55b160ea959445ca5.
```
@juxtin The repo (nginxinc/nginx-gateway-fabric) contains a single snapshot generated on 2023-03-29: https://gist.github.com/febuiles/b99c8d92ead98029495b4b014cff9f9b. The only "weird" thing I see in the snapshot is that the lockfile referenced in it now lives somewhere else in the repo. Do you see anything that could be generating the warnings?
I just saw this warning for the first time here nginxinc/nginx-gateway-fabric#1581 if it can help fix this.
@lucacome I'm sorry you ran into this. You can read more about dependency snapshots here. They provide a way to capture build-time information of projects to complement the static analysis Dependency Graph does.
Looking at the detector name (GitHub Dependabot Push-Time Snapshot) it looks like this came from a GitHub internal tool/experiment. I'll make sure this snapshot is disabled from your repo. Maybe snapshots generated by this tool are the ones causing issues (cc @juxtin).
Thanks everyone, I've merged a fix for this on the service side, so we shouldn't see any more of these spurious warnings.
Do we have an example repository where this is happening?
@virangdoshi is this happening on a public repo, or do you have a way to reproduce it and share the result?
I don't mind considering the idea of disabling snapshots with an option, but would like to see if we can't fix this in the first place.
@febuiles I am not familiar with snapshots and do not have a way to reproduce this in a public repo.
Sorry to hijack the conversation for a second, but I'm still not sure what this dependency snapshot is and why it was only generated on 2023-03-29. Should it be generated more frequently? Is it something that we're missing in the repo?
@lucacome can you try to re-run the Action? You don't need to merge, but I think the problem has resolved for your repo. The Github-Dependency-Graph-Snapshot-Warnings header is now empty when calling the API manually:
```
gh api --verbose repos/nginxinc/nginx-gateway-fabric/dependency-graph/compare/main...bbe5d8e
```
@febuiles the warning is gone, thanks! 🎉
It seems like we still get this error in our workflow:
```
⚠️: No snapshots were found for the head SHA 1234.
```
If I query the REST API I do get an empty array as response (which makes sense as no dependencies have changed):
```
gh api --verbose repos/foo/bar/dependency-graph/compare/main...1234
```
which simply returns `[]`.
Shouldn't this action handle this case gracefully instead?
Cause this is quite confusing for our users who see this error on their PRs or as annotation in their checks on their PR.
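The two things this thread walks through, decoding the base64 `X-Github-Dependency-Graph-Snapshot-Warnings` header from the compare API and handling an empty `[]` response without raising an error, as one added example (not code from dependency-review-action or GitHub); the header name, the base64 value and the two `fossas/fossa-action` entries come from the thread, while the function names, the `withAdvisories` count and the rendered summary format are this example's own:

```javascript
// Added example, not code from dependency-review-action or GitHub.
const WARNINGS_HEADER = "x-github-dependency-graph-snapshot-warnings";

// Decoded warning text, or null when the header is absent or empty (as after the fix).
function decodeSnapshotWarning(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === WARNINGS_HEADER && value.trim() !== "") {
      return Buffer.from(value.trim(), "base64").toString("utf8");
    }
  }
  return null;
}

// body is the JSON array returned by /dependency-graph/compare/{basehead}.
function summarizeCompare(headers, body) {
  const summary = { warning: decodeSnapshotWarning(headers), added: [], removed: [], withAdvisories: 0 };
  for (const change of body) {
    const label = `${change.name}@${change.version}`;
    (change.change_type === "added" ? summary.added : summary.removed).push(label);
    if (Array.isArray(change.vulnerabilities) && change.vulnerabilities.length > 0) summary.withAdvisories++;
  }
  return summary;
}

// Warnings become a note, not a failure; "[]" means nothing to review (the last comment's ask).
function renderSummary(summary) {
  const lines = [];
  if (summary.added.length === 0 && summary.removed.length === 0) {
    lines.push("No dependency changes between base and head.");
  } else {
    lines.push(`Added: ${summary.added.join(", ") || "none"}`);
    lines.push(`Removed: ${summary.removed.join(", ") || "none"}`);
    lines.push(`Changes with advisories: ${summary.withAdvisories}`);
  }
  if (summary.warning !== null) lines.push(`Note (snapshots): ${summary.warning}`);
  return lines.join("\n");
}

// Constructed sample, built from the header and body quoted earlier in this thread.
const SAMPLE_HEADERS = {
  "X-Github-Dependency-Graph-Snapshot-Warnings":
    "Tm8gc25hcHNob3RzIHdlcmUgZm91bmQgZm9yIHRoZSBoZWFkIFNIQSBiYmU1ZDhlMGE0OTk2ZmU2OWMzYTU4YjU1YjE2MGVhOTU5NDQ1Y2E1Lg==",
};
const SAMPLE_BODY = [
  { change_type: "added", name: "fossas/fossa-action", version: "32c7979e971182f1e7602ed5d2b9ae0f5a6933d1", vulnerabilities: [] },
  { change_type: "removed", name: "fossas/fossa-action", version: "f61a4c0c263690f2ddb54b9822a719c25a7b608f", vulnerabilities: [] },
];
console.log(renderSummary(summarizeCompare(SAMPLE_HEADERS, SAMPLE_BODY)));
console.log(renderSummary(summarizeCompare({}, []))); // the "[]" case from the last comment
```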