actions / dependency-review-action Goto Github PK
View Code? Open in Web Editor NEWA GitHub Action for detecting vulnerable dependencies and invalid licenses in your PRs
License: MIT License
A GitHub Action for detecting vulnerable dependencies and invalid licenses in your PRs
License: MIT License
Setting up dependancy-review to use an external repo for its config.
I can't get the config file settings to actually be used/applied
I have confirmed that the repo is accessable and the config file is being loaded by changing the name of the config file to something that doesn't exist and got an error: "Error: Unable to fetch or parse config file: Error fetching remote config file"
Putting a bad, yaml syntax also generates an error:
Unable to fetch or parse config file: Implicit keys need to be on a single line at line 3, column 1: # Possible values: "critical", "high", "moderate", "low" this-is-notused-bad ^
But no matter what setting I put in the config.yml dependancy-review always reports using its default settings, "fail-on-severity: low", "fail-on-scopes: runtime" not the settings in the config file.
Config that we are testing with, remote repo with the following config:
fail-on-severity: 'critical'
fail-on-scopes:
- development
- runtime
Repo that will be using the above config:
name: 'Dependency Review'
on: [pull_request]
permissions:
contents: read
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
with:
config-file: 'org/sec-github-actions-config/dependancy-review/config.yml@master'
external-repo-token: ${{ secrets.SEC_DEPENDANCY_REVIEW }}
But when the action runs it always reports the following in the action:
Run actions/dependency-review-action@v3
with:
config-file: org/sec-github-actions-config/dependancy-review/config.yml@master
external-repo-token: ***
repo-token: ***
fail-on-severity: low
fail-on-scopes: runtime
So my custom setting are not being used/applied but I get no error loading/parsing the file. Running the action in debug mode didn't give any extra info/errors.
I'm testing with a Pipfile that only has a 'high' issue in it related to the lxml package.
[[source]]
name = "pypi"
url = "https://pypi.org/simple"
verify_ssl = true
[[source]]
[dev-packages]
[packages]
python-json-logger = "==2.0.1"
lxml = "==4.6.1"
boto3 = "*"
[requires]
python_version = "3.8"
Any ideas on what am I missing/doing wrong?
I am seeing the same error as #386 in that nested folders are not scanned.
The action exited with a success but no output.
2023-02-01T12:11:13.1721349Z ##[group]Run actions/dependency-review-action@v3
2023-02-01T12:11:13.1721586Z with:
2023-02-01T12:11:13.1721808Z allow-licenses: MIT
2023-02-01T12:11:13.1722159Z repo-token: ***
2023-02-01T12:11:13.1722367Z fail-on-severity: low
2023-02-01T12:11:13.1722580Z fail-on-scopes: runtime
2023-02-01T12:11:13.1722783Z ##[endgroup]
2023-02-01T12:11:36.2620407Z ##[debug]Node Action run completed with exit code 0
But as you can see there was no output.
I re-ran the job by closing and re-opening the PR and now I get a server error but with no information.
2023-02-01T12:19:44.9155116Z ##[group]Run actions/dependency-review-action@v3
2023-02-01T12:19:44.9155401Z with:
2023-02-01T12:19:44.9155651Z allow-licenses: MIT
2023-02-01T12:19:44.9156004Z repo-token: ***
2023-02-01T12:19:44.9156245Z fail-on-severity: low
2023-02-01T12:19:44.9156492Z fail-on-scopes: runtime
2023-02-01T12:19:44.9156725Z ##[endgroup]
2023-02-01T12:20:40.6476468Z ##[error]Server Error
2023-02-01T12:20:40.6521886Z ##[debug]Node Action run completed with exit code 1
I tried to reproduce this on a public repository but it works without a problem.
https://github.com/ChrisC-testorg/public-dependency-review/pull/1
Any ideas what could cause this, can we enable more logging to see what the server error is?
For context I'm trying to review all dependencies - so I'm copying the package files from different repositories. Is there another way to set the basehead
to review all dependencies instead of just those that have changed - that would resolve this problem for me.
After adding this action to one of my project I was curious what it was scanning. Unfortunately I was not able to figure out what is actually being scanned (other than the image from the README, suggesting it's scanning package.json
; and a log about a GitHub Actions workflow, suggesting it's scanning GitHub Actions workflow files). I tried enabling debug logging, but the logs still didn't tell me what was being analyzed.
In that light, I have two suggestions:
Running it on my private github and it fails with:
dependency-review
failed 2 minutes ago in 3s
Run actions/dependency-review-action@v1
Error: Dependency review is not supported on this repository. Please ensure that Dependency graph is enabled, see https://github.com/grndvl1/BGB/settings/security_analysis
I have all the setting set to true
When a GitHub repository is newly forked, it has the dependency graph feature disabled by default. If dependency-review-action
is used on one of these freshly cloned repositories, it errors with the following message:
Error: Forbidden
The error handling code that produces this unclear message is:
} catch (error) {
if (error instanceof RequestError && error.status === 404) {
core.setFailed(
`Dependency review could not obtain dependency data for the specified owner, repository, or revision range.`
)
} else if (error instanceof RequestError && error.status === 403) {
core.setFailed(
`Dependency review is not supported on this repository. Please ensure that Dependency graph is enabled, see https://github.com/${github.context.repo.owner}/${github.context.repo.repo}/settings/security_analysis`
)
} else {
if (error instanceof Error) {
core.setFailed(error.message)
} else {
core.setFailed('Unexpected fatal error')
}
}
}
Specifically, it's the core.setFailed(error.message)
fallback that is responsible.
Printing out the error message using core.debug(JSON.stringify(error, Object.getOwnPropertyNames(error)))
results in the following:
{
stack: 'HttpError: Forbidden\n' +
' at /home/runner/work/_actions/WillDaSilva/dependency-review-action/main/webpack:/dependency-review-action/node_modules/@octokit/request/dist-node/index.js:86:1\n' +
' at processTicksAndRejections (node:internal/process/task_queues:96:5)\n' +
' at Job.doExecute (/home/runner/work/_actions/WillDaSilva/dependency-review-action/main/webpack:/dependency-review-action/node_modules/bottleneck/light.js:405:1)',
message: 'Forbidden',
name: 'HttpError',
status: 403,
response: { status: 403, headers: {} },
request: { request: {}, headers: {} },
code: 403,
headers: {}
}
It's clear that this ought to result in the Dependency review is not supported on this repository [...]
error message, but for some reason isn't.
We are running into an issue with libraries which don't define their license in a format that dependency-review can accept. For example:
https://github.com/BurntSushi/same-file/blob/5799cd323b8eefd17a089c950dac113f66c89c9e/Cargo.toml#L13
https://github.com/BurntSushi/aho-corasick/blob/979cf735e267c361806dd34224699430531626ab/Cargo.toml#L10
https://github.com/rayon-rs/rayon/blob/7413495e3307f7fbf945b7742f9fce9b1aa2ff58/Cargo.toml#L9
Several of these have been been updated with PR's to help address the issue within the projects. But this is not a sustainable process and it is severely inhibiting the ability to use dependency review.
We need an ability to define exceptions for these specific (but invalid) license formats or these specific dependencies.
I see this previous PR: #133
However it looks to have only addressed whitelisting CVE's, and not an ability to whitelist dependencies.
Thank you!
Because it is so difficult to build and maintain a database of all licenses for all packages, it would be great if there were some options for what to do when a package with an unknown license is added.
Option 1: Comment on the PR so someone at least gets a heads up to double check the license manually
Option 2: Allow the option to explicitly deny packages with unknown licenses.
I'm open to other options, too :)
Thanks
Add the value none
as the possible values for the fail-on-severity
parameter
none
value that can be used in the "Code Scanning" options
none
as the possible values for the fail-on-severity
parameternone
the action will:
low
We ran into an issue where actions/dependency-review-action@v2 was blocking based on a report that [email protected] had a high severity finding and linked here GHSA-gh88-3pxp-6fm8 but the CVE-2021-23567 only impacts versions of colors >= 1.4.1.
Based on my understanding with our version currently being 1.0.3 this CVE should not be attached to the PR and the action should not be blocking our pipeline.
(And note no where else in the project was there any reference to colors >= 1.4.1)
Having to manually build the dist/
files when changing the code is tedious and prone to error.
We should add a Git hook that checks for changes in src/
that don't have the equivalent changes in dist/
(in the same way we already do for PRs with the check-dist
check).
I am trying out the new version of this action, specifically the license checking. This is what my workflow looks like:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- name: 'Dependency Review'
uses: actions/dependency-review-action@v2
with:
# Possible values: "critical", "high", "moderate", "low"
fail-on-severity: high
#
# You can only include one of these two options: `allow-licenses` and `deny-licences`
#
# Possible values: Any `spdx_id` value(s) from https://docs.github.com/en/rest/licenses
# allow-licenses: GPL-3.0, BSD-3-Clause, MIT
#
# Possible values: Any `spdx_id` value(s) from https://docs.github.com/en/rest/licenses
deny-licenses: AGPL-3.0, GPL-2.0, GPL-3.0
So I am trying to block adding GPL dependencies.
I then make a PR where I add this Python dependency to my requirements.txt:
https://github.com/aspiers/git-deps
The PR seems to recognize the package and if you click it links to the above URL which says it is GPL 2.0 licensed.
The action succeeds though:
Am I doing anything wrong here?
I will note that the above workflow is configured in a reusable workflow that lives in a different organization/repository. This has worked for the vulnerability parts of the action when testing so I assume it is not an issue.
I've tried to update our Dependency Review Action to use a config file, but trying to use a config file in our org-wide .github repo (see: 10up/insert-special-characters#164). However the error I'm seeing in that action run seems to point to the config file needing to be within the report. Can you clarify if the config file can be in a different repo and if so what the correct format is for that? Thanks!
Tagging policy commonly used by GitHub for actions is "not great but not terrible": typically the repositories tag releases with specific tags (like "v1.0.2") and then also have a major version tag (like "v1") that is usually moved to match the latest specific release tag. This enables using @v1
in workflow files.
This repository has a v1 tag leading users to think that they can use the same strategy here. Unfortunately that tag points to the initial commit and not the latest release (at the moment of writing "v1.0.2"). So if someone has uses: actions/dependency-review-action@v1
they are using the initial commit of this repository. This seems like the worst option: either the tag should not exist or it should get moved on every release.
Hi there,
The following PR is updating an NPM dependency and is removing a transitive dependency, string-similarity
, from package-lock.json
at the same time: fastify/fastify-passport#597
string-similarity
has a disallowed license, which is causing the action to throw an error, even though said dependency is being removed in the PR:
Not too sure if working as intended, or a bug?
Looks like this action only scans package.json in the root folder. There are may projects which have package.json in the subdirectories and it looks like that they are not scanned.
One of the packages we're importing has multiple licenses based on dependent projects. The Github dependency-graph API returns all 3 licenses. We have each of the 3 licenses in our allow-list
, but because this is a single string response, it's failing the dependency review.
Response from the depency-graph API:
{
"change_type": "added",
"manifest": "package-lock.json",
"ecosystem": "npm",
"name": "@fortawesome/fontawesome-free",
"version": "5.15.4",
"package_url": "pkg:npm/%40fortawesome/[email protected]",
"license": "CC-BY-4.0 AND MIT AND OFL-1.1",
"source_repository_url": "https://github.com/FortAwesome/Font-Awesome",
"scope": "runtime",
"vulnerabilities": []
},
Proposal
For a situation like this, the action would parse the license field and use the operator (AND) to check that all 3 licenses are in our allow-list. I can see the possibility of a dual-licensed package including an OR
(e.g.: CC-BY-4.0 OR MIT
) and so we'd want to use the operator (AND or OR) to validate against the allow-list
or deny-list
appropriately.
Thanks for your consideration!
I wanted to run this action on pushes, so I needed to specify base-ref
and head-ref
. I wasn't sure how to do it, so I searched GitHub for uses. A few things there seemed not right, because they set the two refs to be the same, but they are a comparison, so don't they have to be different?
base-ref: ${{ github.event.pull_request.base.ref || github.ref }}
head-ref: ${{ github.event.pull_request.head.ref || github.ref }}
base-ref: main
head-ref: main
Others had more elaborate settings, but often hard-coded the base ref:
https://github.com/Infineon/ek-based-onboarding-optiga-tpm/blob/b00aefa07591394210d39fe306d704b52a23c270/.github/workflows/main.yml#L24-L25
head-ref: ${{ github.ref }}
base-ref: ec53ee4956ff702efdf1f7a06c87fdfe821dff0f
I used this:
base-ref: ${{ github.event.pull_request.base.ref || 'master' }}
head-ref: ${{ github.event.pull_request.head.ref || github.ref }}
What is the right way to do this? An example in the README would help people a lot I think.
There should be an option to disable devDependencies
because some people just have testing frameworks and build tools in their devDependencies
.
Setting a list of licenses that are ok or not for a particular project is not trivial without also some legal knowledge.
Especially for open source maintainers it is not always possible to consult someone with the needed knowledge to make a correct list of licenses.
Would it be possible to instead configure a list of constraints?
I am basing this of the abstraction that GitHub already provides for well known licenses :
Users could for example state that they want their product to be open to commercial use.
👋 Hi! My team has been using this action, and we were wondering if it's possible to get the summary output from the action to use in subsequent workflow steps. A fake example:
We'd like to have this summary output available as output from the action itself, so that we can do things like post it as a comment on the PR that corresponds to the workflow run, notify people in Slack, etc. Is that supported today and I'm just missing it? If not, I would be happy to put together a pull request to support this.
I’d like to allow alerts of low or moderate priority, but block PRs introducing high or critical alerts.
Right now I have a PR bumping a dependency from 10 to 11 for a high alert, but the checks fail due to a moderate priority alert which is not ideal.
Hi guys,
My team is using Dependency Review in our pipeline and we are receiving an error for a vulnerability that is not supposed to exist for the dependency in case: color 1.4.0
Here it is the link to the failed item:
https://github.com/EYBlockchain/nightfall_3/actions/runs/3088956171/jobs/4996018312
According to the docs (GHSA-gh88-3pxp-6fm8) only versions >= 1.4.1 for colors are affected.
I guess that might be an issue in Dep. Rev. Action.
Please, let me know your thoughts.
Thanks in advance!
Consider adding support for a list of GHSA (or CVE) listing that would be considered unacceptable risk and not allow via policy.
Ex: want to fail on any CVE listed in the CISA KEV catalog
fail-ghsas | Contains a list of GitHub Advisory Database IDs that will fail the policy check regardless of severity. | Any GHSAs from the GitHub Advisory Database | none |
---|
Right now, only the pull_request
and pull_request_target
workflow events are supported. It would be great to also support push
to catch any commits that may not have gone through a PR.
I'm aware of the base-ref/head-ref support, but it would be nice if this was supported by default without any special configuration.
Using an external config file from an internal repo in the same org gives back the error
Is there something wrong in my config? Does it have to be in a .github
folder?
I have allowed Actions access to the config repo.
- name: Dependency Review
uses: actions/dependency-review-action@v3
with:
# external config file
config-file: name-of-org/name-of-repo/.github/dependency-review-config.yml@main
dependency-review-config.yml
# Possible values: "critical", "high", "moderate", "low"
fail-on-severity: 'low'
# You can only can only include one of these two options: `allow-licenses` and `deny-licences`
# ([String]). Only allow these licenses (optional)
# Possible values: Any `spdx_id` value(s) from https://docs.github.com/en/rest/licenses
allow-licenses:
- 'GPL-3.0'
- 'BSD-3-Clause'
- 'MIT'
# ([String]). Block the pull request on these licenses (optional)
# Possible values: Any `spdx_id` value(s) from https://docs.github.com/en/rest/licenses
# deny-licenses:
# - 'LGPL-2.0'
# - 'BSD-2-Clause'
I try to deploy my dependency-review action file but get Error: Forbidden
My dependency-review-action.yml
name: 'Dependency Review'
on: [pull_request]
permissions:
contents: read
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- name: 'Dependency Review'
uses: actions/dependency-review-action@v1
When using this action with the new merge queue feature, I get the following error:
Error: Both a base ref and head ref must be provided, either via the `base_ref`/`head_ref` config options, or by running a `pull_request`/`pull_request_target` workflow.
It would be awesome, if this action can support the merge_group
trigger out of the box.
Thank you 🙇♀ for wanting to create an issue in this repository. Before you do, please ensure you are filing the issue in the right place. Issues should only be opened on if the issue relates to code in this repository.
If your issue is relevant to this repository, please delete this text and continue to create this issue. Thank you in advance.
The output of this action prints actions/dependency-review-action has an unknown license
.
https://github.com/hfhbd/routing-compose/actions/runs/2891020667/attempts/2#summary-7922844964
name: 'Dependency Review'
on: [pull_request]
permissions:
contents: read
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- name: 'Dependency Review'
uses: actions/dependency-review-action@v1Thank you 🙇♀ for wanting to create an issue in this repository. Before you do, please ensure you are filing the issue in the right place. Issues should only be opened on if the issue relates to code in this repository.
If your issue is relevant to this repository, please delete this text and continue to create this issue. Thank you in advance.
I was testing with deny-licenses option and found that it failed to detect a license from https://www.npmjs.com/package/spook.js. The workflow I added was:
name: Dependency Check
on:
pull_request:
types: [opened, synchronize, reopened]
branches: ['main']
jobs:
CheckDependency:
runs-on: ubuntu-latest
steps:
- name: 'Checkout'
uses: actions/checkout@v3
- name: 'Check dependencies for known security issues'
uses: actions/dependency-review-action@v2
with:
deny-licenses: GPL-1.0, GPL-2.0, GPL-3.0, LGPL-2.0, LGPL-2.1, LGPL-3.0, AGPL-1.0, AGPL-2.0, AGPL-3.0
And my test PR made these changes:
package.json
"spook.js": "0.0.1"
package-lock.json
"spook.js": {
"version": "0.0.1",
"resolved": "https://registry.npmjs.org/spook.js/-/spook.js-0.0.1.tgz",
"integrity": "sha512-D1/7VxEuQ7xk6z/kAROe4SUbd9CzxY4zOwVGnGHerd/SgLIVU5f4esDzQUsOCeArn933BZfWMKydH7l7dPEp0g=="
}
However, the action run for the PR didn't fail. Instead, it reported that it couldn't detect a license for spook.js.
We could not detect a license for the following dependencies:
Python/blu-ring-viewer/package-lock.json » [email protected]
Python/blu-ring-viewer/package.json » [email protected]
If I manually grab the file from https://registry.npmjs.org/spook.js/-/spook.js-0.0.1.tgz I can see LICENSE.md in it which is GPL-3.0. I can also use GitHub License API to check its license and it is "gpl-3.0": https://api.github.com/repos/arthurakay/spook.js/license
{
"name": "LICENSE.md",
"path": "LICENSE.md",
"sha": "e72bfddabc15be5718a7cc061ac10e47741d8219",
"size": 35148,
"url": "https://api.github.com/repos/arthurakay/spook.js/contents/LICENSE.md?ref=master",
"html_url": "https://github.com/arthurakay/spook.js/blob/master/LICENSE.md",
"git_url": "https://api.github.com/repos/arthurakay/spook.js/git/blobs/e72bfddabc15be5718a7cc061ac10e47741d8219",
"download_url": "https://raw.githubusercontent.com/arthurakay/spook.js/master/LICENSE.md",
"type": "file",
"content": "...removed...",
"encoding": "base64",
"_links": {
"self": "https://api.github.com/repos/arthurakay/spook.js/contents/LICENSE.md?ref=master",
"git": "https://api.github.com/repos/arthurakay/spook.js/git/blobs/e72bfddabc15be5718a7cc061ac10e47741d8219",
"html": "https://github.com/arthurakay/spook.js/blob/master/LICENSE.md"
},
"license": {
"key": "gpl-3.0",
"name": "GNU General Public License v3.0",
"spdx_id": "GPL-3.0",
"url": "https://api.github.com/licenses/gpl-3.0",
"node_id": "MDc6TGljZW5zZTk="
}
}
Did I do something wrong?
This run was triggered by the "push" event, which is unsupported. Please ensure you are using the "pull_request" event for this workflow.
dependency-review-action/src/main.ts
Line 12 in 0e68684
It would be nice to be able to ignore / whitelist certain dependencies. This way we can keep working if no fix exist yet/
I'm getting the following error:
Error: Dependency review is not supported on this repository. Please ensure that Dependency graph is enabled, see https://github.com/codemeistre/backend/settings/security_analysis
even tho we do I have Dependency graph enabled in the repository:
On private repositories (under free plan), should we do something besides the usual setup? 🤔 Thanks in advance.
Whenever GitHub's Dependency Review API returns a 502, the Action fails with a Server error
message. This provides the user no information on what went wrong/what to do
It would be nice to have a clearer message explaining what went wrong and where to direct bug reports. The action must still fail since we don't know what's in the changes.
Quoting https://github.com/anmol098/waka-readme-stats/actions/runs/4378777323/jobs/7663945367#step:3:1 from anmol098/waka-readme-stats#415 :
Unexpected input(s) 'comment-summary-in-pr', valid inputs are ['repo-token', 'fail-on-severity', 'fail-on-scopes', 'base-ref', 'head-ref', 'config-file', 'allow-licenses', 'deny-licenses', 'allow-ghsas', 'external-repo-token', 'license-check', 'vulnerability-check']
I have been testing dependency-review-action
on a public repo with only python requirements.txt
and dev_requirements.txt
The action does detect vulnerabilities but could not find any of the licenses.
Is there something special that is needed to be done for it work?
Dependencies that are distributed as source (most of them) will also have specific runtime or compiler version requirements.
Would it be within the scope of this package to also verify those?
Example :
Example :
On the first run this Action did in one of my repositories (first time using it) I looked at the output and noticed a curious log (full logs here):
We could not detect a license for the following dependencies:
.github/workflows/deps-analysis.yml » actions/[email protected]
From what I can tell, this repositories' license is present and well-formed (there's a LICENSE file, as well as the "license"
entry in package.json
, and GitHub displays the correct license in the UI).
I'm not sure what exactly the problem is, but I would not expect this Action to log a "problem" with itself.
Thank you 🙇♀ for wanting to create an issue in this repository. Before you do, please ensure you are filing the issue in the right place. Issues should only be opened on if the issue relates to code in this repository.
If your issue is relevant to this repository, please delete this text and continue to create this issue. Thank you in advance.
Version 2.1.0
supports pull requests. I use the same workflow for building the master branch as well as creating a pull request.
Do I really have to configure the action like this?
- uses: actions/dependency-review-action@v2
if: github.event_name == 'push'
- name: Dependency Review
uses: actions/dependency-review-action@v2
if: github.event_name == 'pull_request'
with:
base-ref: ${{ github.event.pull_request.base.ref }}
head-ref: ${{ github.event.pull_request.head.ref }}
If so, this action has access to the github event, hasn't it? So it could set the base/head-ref by itself?
I noticed that quite often I get messages like:
We could not detect a license for the following dependencies:
package.json » eslint-plugin-unicorn@^43.0.0
package.json » eslint-plugin-unicorn@^42.0.0
When running my setup:
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- name: Dependency Review
uses: actions/dependency-review-action@v2
with:
fail-on-severity: moderate
deny-licenses: GPL-2.0, GPL-3.0, AGPL-1.0, AGPL-3.0
I wanted to figure out why, so I dug into the code and realized that while license is available to for modules with "manifest": "package-lock.json"
, not "manifest": "package.json"
, in the response for diffed modules from /dependency-graph/compare
.
I replicated the data for the messages above by running:
gh api \
-H "Accept: application/vnd.github+json" \
/repos/voxpelli/eslint-config/dependency-graph/compare/8b05c37a68ad3d1c5a5b2a0b822a74f704c45732...189fed958307f1101fee5e3e2902a886a31bca5d
And got this response, which made me suspect the above conclusion:
[
{
"change_type": "added",
"manifest": "package-lock.json",
"ecosystem": "npm",
"name": "eslint",
"version": "8.19.0",
"package_url": "pkg:npm/[email protected]",
"license": "MIT",
"source_repository_url": "https://github.com/eslint/eslint",
"vulnerabilities": []
},
{
"change_type": "added",
"manifest": "package-lock.json",
"ecosystem": "npm",
"name": "eslint-plugin-unicorn",
"version": "43.0.0",
"package_url": "pkg:npm/[email protected]",
"license": "MIT",
"source_repository_url": "https://github.com/sindresorhus/eslint-plugin-unicorn",
"vulnerabilities": []
},
{
"change_type": "added",
"manifest": "package-lock.json",
"ecosystem": "npm",
"name": "type-fest",
"version": "2.16.0",
"package_url": "pkg:npm/[email protected]",
"license": "CC0-1.0 OR MIT OR (CC0-1.0 AND MIT)",
"source_repository_url": "https://github.com/sindresorhus/type-fest",
"vulnerabilities": []
},
{
"change_type": "removed",
"manifest": "package-lock.json",
"ecosystem": "npm",
"name": "eslint",
"version": "8.18.0",
"package_url": "pkg:npm/[email protected]",
"license": "MIT",
"source_repository_url": "https://github.com/eslint/eslint",
"vulnerabilities": []
},
{
"change_type": "removed",
"manifest": "package-lock.json",
"ecosystem": "npm",
"name": "eslint-plugin-unicorn",
"version": "42.0.0",
"package_url": "pkg:npm/[email protected]",
"license": "MIT",
"source_repository_url": "https://github.com/sindresorhus/eslint-plugin-unicorn",
"vulnerabilities": []
},
{
"change_type": "removed",
"manifest": "package-lock.json",
"ecosystem": "npm",
"name": "type-fest",
"version": "2.15.1",
"package_url": "pkg:npm/[email protected]",
"license": "CC0-1.0 OR MIT OR (CC0-1.0 AND MIT)",
"source_repository_url": "https://github.com/sindresorhus/type-fest",
"vulnerabilities": []
},
{
"change_type": "added",
"manifest": "package.json",
"ecosystem": "npm",
"name": "eslint-plugin-unicorn",
"version": "^43.0.0",
"package_url": "",
"license": null,
"source_repository_url": "https://github.com/sindresorhus/eslint-plugin-unicorn",
"vulnerabilities": []
},
{
"change_type": "removed",
"manifest": "package.json",
"ecosystem": "npm",
"name": "eslint-plugin-unicorn",
"version": "^42.0.0",
"package_url": "",
"license": null,
"source_repository_url": "https://github.com/sindresorhus/eslint-plugin-unicorn",
"vulnerabilities": []
}
]
Then tried on another repository of mine with a PR that contains more package changes, to rule out this being a fluke for an individual package:
gh api \
-H "Accept: application/vnd.github+json" \
/repos/voxpelli/async-htm-to-string/dependency-graph/compare/f1fb2a044cb7bc7c0adde9bf6fca72cb06e3e203...e3b4d72fc4dfdc8eef3c8a3fdd33f62a20c6d0c2
And got a response containing nothing but "manifest": "package.json"
(since the project lacks a lockfile) and all "license": null
(and "package_url": ""
, maybe related?)
[
{
"change_type": "added",
"manifest": "package.json",
"ecosystem": "npm",
"name": "dependency-check",
"version": "^5.0.0-7",
"package_url": "",
"license": null,
"source_repository_url": "https://github.com/dependency-check-team/dependency-check",
"vulnerabilities": []
},
{
"change_type": "added",
"manifest": "package.json",
"ecosystem": "npm",
"name": "eslint",
"version": "^8.19.0",
"package_url": "",
"license": null,
"source_repository_url": "https://github.com/eslint/eslint",
"vulnerabilities": []
},
{
"change_type": "added",
"manifest": "package.json",
"ecosystem": "npm",
"name": "eslint-plugin-jsdoc",
"version": "^39.3.3",
"package_url": "",
"license": null,
"source_repository_url": "https://github.com/gajus/eslint-plugin-jsdoc",
"vulnerabilities": []
},
{
"change_type": "added",
"manifest": "package.json",
"ecosystem": "npm",
"name": "eslint-plugin-n",
"version": "^15.2.4",
"package_url": "",
"license": null,
"source_repository_url": "https://github.com/weiran-zsd/eslint-plugin-node",
"vulnerabilities": []
},
{
"change_type": "added",
"manifest": "package.json",
"ecosystem": "npm",
"name": "installed-check",
"version": "^6.0.3",
"package_url": "",
"license": null,
"source_repository_url": "https://github.com/voxpelli/node-installed-check",
"vulnerabilities": []
},
{
"change_type": "removed",
"manifest": "package.json",
"ecosystem": "npm",
"name": "dependency-check",
"version": "^5.0.0-6",
"package_url": "",
"license": null,
"source_repository_url": "https://github.com/dependency-check-team/dependency-check",
"vulnerabilities": []
},
{
"change_type": "removed",
"manifest": "package.json",
"ecosystem": "npm",
"name": "eslint",
"version": "^8.17.0",
"package_url": "",
"license": null,
"source_repository_url": "https://github.com/eslint/eslint",
"vulnerabilities": []
},
{
"change_type": "removed",
"manifest": "package.json",
"ecosystem": "npm",
"name": "eslint-plugin-jsdoc",
"version": "^39.3.2",
"package_url": "",
"license": null,
"source_repository_url": "https://github.com/gajus/eslint-plugin-jsdoc",
"vulnerabilities": []
},
{
"change_type": "removed",
"manifest": "package.json",
"ecosystem": "npm",
"name": "eslint-plugin-n",
"version": "^15.2.2",
"package_url": "",
"license": null,
"source_repository_url": "https://github.com/weiran-zsd/eslint-plugin-node",
"vulnerabilities": []
},
{
"change_type": "removed",
"manifest": "package.json",
"ecosystem": "npm",
"name": "installed-check",
"version": "^6.0.0",
"package_url": "",
"license": null,
"source_repository_url": "https://github.com/voxpelli/node-installed-check",
"vulnerabilities": []
}
]
So, currently the license checks doesn't work for npm projects that lacks the package-lock.json
file?
When creating a new workflow using this button:
You get the following code:
# Dependency Review Action
#
# This Action will scan dependency manifest files that change as part of a Pull Reqest, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging.
#
# Source repository: https://github.com/actions/dependency-review-action
# Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
name: 'Dependency Review'
on: [pull_request]
permissions:
contents: read
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- name: 'Dependency Review'
uses: actions/dependency-review-action@v1
Which contains this typo: where Pull Reqest
should be pull request
I can't find the source of this text though
Suggestion to add support to disable either the vulnerability or license check. From the user perspective, something along the lines of:
- name: Dependency Review
uses: actions/dependency-review-action@v2
with:
dependency-check: false # `true` to enable, `false` to disable
license-check: true # `true` to enable, `false` to disable
I believe this is useful when you already use a different tool to do one of these checks. For example, say I use npm audit
for vulnerability scanning and I need a tool for license checking. In this scenario, using this Action is possible but I don't really need the dependency check. Moreover, it would likely lead to duplicate alerts, which can get noisy. Hence, I would want to disable the vulnerability scanning. One can imagine the same could be true for the license check.
#184 looks related as it would allow you to make only one of the two checks required. I still believe completely disabling one of the two checks would be a preferable solution in order to reduce noise.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.