From cfcd55c7b988422ec3f3f4de9a0f8aa10a06b717 Mon Sep 17 00:00:00 2001
From: Michael Waddell
Date: Mon, 21 Feb 2022 19:09:53 -0600
Subject: [PATCH] Make new "get-alerts" functionality off by default

---
 README.md | 15 ++++++++++++---
 action.yml | 9 ++++++---
 dist/index.js | 8 ++++++--
 src/dependabot/update_metadata.test.ts | 3 +--
 src/dependabot/update_metadata.ts | 5 +++--
 src/dry-run.ts | 4 ++--
 src/main.test.ts | 14 +++++++-------
 src/main.ts | 5 ++++-
 8 files changed, 41 insertions(+), 22 deletions(-)

diff --git a/README.md b/README.md
index b6e7402..82c6a6c 100644
--- a/README.md
+++ b/README.md
@@ -25,8 +25,17 @@ jobs:
 uses: dependabot/fetch-metadata@v1.1.1
 with:
 github-token: "${{ secrets.GITHUB_TOKEN }}"
+ alert-lookup: true
 ```
+Supported inputs are:
+ - `github-token` (REQUIRED string) - The `GITHUB_TOKEN` secret - `alert-lookup` (boolean) - If `true`, then call populate the `alert-state`, `ghsa-id` and `cvss` outputs. - Defaults to `false`
 Subsequent actions will have access to the following outputs:
 - `steps.dependabot-metadata.outputs.dependency-names`
@@ -48,11 +57,11 @@ Subsequent actions will have access to the following outputs:
 - `steps.dependabot-metadata.outputs.new-version`
 - The version that this PR updates the dependency to.
 - `steps.dependabot-metadata.outputs.alert-state`
- - If this PR is associated with a security alert, this contains the current state of that alert (OPEN, FIXED or DISMISSED).
+ - If this PR is associated with a security alert and `alert-lookup` is `true`, this contains the current state of that alert (OPEN, FIXED or DISMISSED).
 - `steps.dependabot-metadata.outputs.ghsa-id`
- - If this PR is associated with a security alert, this contains the GHSA-ID of that alert.
+ - If this PR is associated with a security alert and `alert-lookup` is `true`, this contains the GHSA-ID of that alert.
 - `steps.dependabot-metadata.outputs.cvss`
- - If this PR is associated with a security alert, this contains the CVSS value of that alert (otherwise it contains 0).
+ - If this PR is associated with a security alert and `alert-lookup` is `true`, this contains the CVSS value of that alert (otherwise it contains 0).
 **Note:** These outputs will only be populated if the target Pull Request was opened by Dependabot and contains **only** Dependabot-created commits.
diff --git a/action.yml b/action.yml
index 9fea5f8..87a8f0a 100644
--- a/action.yml
+++ b/action.yml
@@ -4,6 +4,9 @@ branding:
 icon: 'search'
 color: 'blue'
 inputs:
+ alert-lookup:
+ type: boolean
+ description: 'If true, then call populate the `alert-state`, `ghsa-id` and `cvss` outputs'
 github-token:
 description: 'The GITHUB_TOKEN secret'
 required: true
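Review bot: The `type: boolean` line under the new `alert-lookup` input is, as far as I can tell, not a key the action.yml input schema recognises (only `description`, `required`, `default` and `deprecationMessage` are), and action inputs always reach the code as strings, so it buys no boolean handling; at the same time the default of `false` that the README promises is not declared here. I would replace that line with `required: false` and `default: 'false'`, so the documented default is the real one and the consumer has a known string to parse. The description wording "then call populate" also reads oddly and should be "populate".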
@@ -27,11 +30,11 @@ outputs:
 new-version:
 description: 'The version that this PR updates the dependency to.'
 alert-state:
- description: 'If this PR is associated with a security alert, this contains the current state of that alert (OPEN, FIXED or DISMISSED).'
+ description: 'If this PR is associated with a security alert and `alert-lookup` is `true`, this contains the current state of that alert (OPEN, FIXED or DISMISSED).'
 ghsa-id:
- description: 'If this PR is associated with a security alert, this contains the GHSA-ID of that alert.'
+ description: 'If this PR is associated with a security alert and `alert-lookup` is `true`, this contains the GHSA-ID of that alert.'
 cvss:
- description: 'If this PR is associated with a security alert, this contains the CVSS value of that alert (otherwise it contains 0).'
+ description: 'If this PR is associated with a security alert and `alert-lookup` is `true`, this contains the CVSS value of that alert (otherwise it contains 0).'
 runs:
 using: 'node12'
 main: 'dist/index.js'
diff --git a/dist/index.js b/dist/index.js
index 1f3f4b8..258e57c 100644
--- a/dist/index.js
+++ b/dist/index.js
@@ -13457,6 +13457,7 @@ function parse(commitMessage, branchName, mainBranch, lookup) { return update_metadata_awaiter(this, void 0, void 0, function* () { const bumpFragment = commitMessage.match(/^Bumps .* from (?\d[^ ]*) to (?\d[^ ]*)\.$/m); const yamlFragment = commitMessage.match(/^-{3}\n(?[\S|\s]*?)\n^\.{3}\n/m); + const lookupFn = lookup !== null && lookup !== void 0 ? lookup : (() => Promise.resolve({ alertState: '', ghsaId: '', cvss: 0 })); if ((yamlFragment === null || yamlFragment === void 0 ? void 0 : yamlFragment.groups) && branchName.startsWith('dependabot')) { const data = yaml.parse(yamlFragment.groups.dependencies); // Since we are on the `dependabot` branch (9 letters), the 10th letter in the branch name is the delimiter
@@ -13467,7 +13468,7 @@ function parse(commitMessage, branchName, mainBranch, lookup) { if (data['updated-dependencies']) { return yield Promise.all(data['updated-dependencies'].map((dependency, index) => update_metadata_awaiter(this, void 0, void 0, function* () { const dirname = `/${chunks.slice(2, -1 * (1 + (dependency['dependency-name'].match(/\//g) || []).length)).join(delim) || ''}`; - return Object.assign({ dependencyName: dependency['dependency-name'], dependencyType: dependency['dependency-type'], updateType: dependency['update-type'], directory: dirname, packageEcosystem: chunks[1], targetBranch: mainBranch, prevVersion: index === 0 ? prev : '', newVersion: index === 0 ? next : '' }, yield lookup(dependency['dependency-name'], index === 0 ? prev : '', dirname)); + return Object.assign({ dependencyName: dependency['dependency-name'], dependencyType: dependency['dependency-type'], updateType: dependency['update-type'], directory: dirname, packageEcosystem: chunks[1], targetBranch: mainBranch, prevVersion: index === 0 ? prev : '', newVersion: index === 0 ? next : '' }, yield lookupFn(dependency['dependency-name'], index === 0 ? prev : '', dirname)); }))); } }
@@ -13591,7 +13592,10 @@ function run() { // Validate the job const commitMessage = yield getMessage(githubClient, github.context); const branchNames = getBranchNames(github.context); - const alertLookup = (name, version, directory) => getAlert(name, version, directory, githubClient, github.context); + let alertLookup; + if (core.getInput('alert-lookup')) { + alertLookup = (name, version, directory) => getAlert(name, version, directory, githubClient, github.context); + } if (commitMessage) { // Parse metadata core.info('Parsing Dependabot metadata');
diff --git a/src/dependabot/update_metadata.test.ts b/src/dependabot/update_metadata.test.ts
index 69dce18..1b32595 100644
--- a/src/dependabot/update_metadata.test.ts
+++ b/src/dependabot/update_metadata.test.ts
@@ -129,8 +129,7 @@ test('it only returns information within the first fragment if there are multipl
 '\n' + 'Signed-off-by: dependabot[bot] '
- const getAlert = async () => Promise.resolve({ alertState: '', ghsaId: '', cvss: 0 })
- const updatedDependencies = await updateMetadata.parse(commitMessage, 'dependabot|nuget|coffee-rails', 'main', getAlert)
+ const updatedDependencies = await updateMetadata.parse(commitMessage, 'dependabot|nuget|coffee-rails', 'main', undefined)
 expect(updatedDependencies).toHaveLength(1)
diff --git a/src/dependabot/update_metadata.ts b/src/dependabot/update_metadata.ts
index 522afe2..ba57ce0 100644
--- a/src/dependabot/update_metadata.ts
+++ b/src/dependabot/update_metadata.ts
@@ -21,9 +21,10 @@ export interface alertLookup {
 (dependencyName: string, dependencyVersion: string, directory: string): Promise;
 }
-export async function parse (commitMessage: string, branchName: string, mainBranch: string, lookup: alertLookup): Promise> {
+export async function parse (commitMessage: string, branchName: string, mainBranch: string, lookup?: alertLookup): Promise> {
 const bumpFragment = commitMessage.match(/^Bumps .* from (?\d[^ ]*) to (?\d[^ ]*)\.$/m)
 const yamlFragment = commitMessage.match(/^-{3}\n(?[\S|\s]*?)\n^\.{3}\n/m)
+ const lookupFn = lookup ?? (() => Promise.resolve({ alertState: '', ghsaId: '', cvss: 0 }))
 if (yamlFragment?.groups && branchName.startsWith('dependabot')) {
 const data = YAML.parse(yamlFragment.groups.dependencies)
@@ -46,7 +47,7 @@ export async function parse (commitMessage: string, branchName: string, mainBran
 targetBranch: mainBranch,
 prevVersion: index === 0 ? prev : '',
 newVersion: index === 0 ? next : '',
- ...await lookup(dependency['dependency-name'], index === 0 ? prev : '', dirname)
+ ...await lookupFn(dependency['dependency-name'], index === 0 ? prev : '', dirname)
 }
 }))
 }
diff --git a/src/dry-run.ts b/src/dry-run.ts
index ae92b0d..33406ef 100755
--- a/src/dry-run.ts
+++ b/src/dry-run.ts
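Review bot: The new optional `lookup` parameter of `parse` carries no documentation, and the fallback on the `lookupFn` line quietly yields `alertState: ''`, `ghsaId: ''`, `cvss: 0` — presumably the same values the real resolver produces when no alert exists — so a caller cannot tell "lookup disabled" from "no alert found". I would add a doc comment above the signature, e.g. `/** @param lookup Optional alert resolver; when omitted no alert query is made and alert-state, ghsa-id and cvss come back as '', '' and 0, exactly as if no alert matched. */`. The body of `parse` continues past both hunks.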
@@ -51,9 +51,9 @@ async function check (args: any): Promise {
 if (commitMessage) {
 console.log('This appears to be a valid Dependabot Pull Request.')
 const branchNames = getBranchNames(newContext)
- const alertLookup = (name, version, directory) => getAlert(name, version, directory, githubClient, actionContext)
+ const lookupFn = (name, version, directory) => getAlert(name, version, directory, githubClient, actionContext)
- const updatedDependencies = await parse(commitMessage, branchNames.headName, branchNames.baseName, alertLookup)
+ const updatedDependencies = await parse(commitMessage, branchNames.headName, branchNames.baseName, lookupFn)
 if (updatedDependencies.length > 0) {
 console.log('Updated dependencies:')
diff --git a/src/main.test.ts b/src/main.test.ts
index 0ac9d8c..8883468 100644
--- a/src/main.test.ts
+++ b/src/main.test.ts
@@ -78,7 +78,7 @@ test('it sets the updated dependency as an output for subsequent actions', async
 'Signed-off-by: dependabot[bot] '
 const mockAlert = { alertState: 'FIXED', ghsaId: 'GSHA', cvss: 3.4 }
- jest.spyOn(core, 'getInput').mockReturnValue('mock-token')
+ jest.spyOn(core, 'getInput').mockImplementation(jest.fn((name) => { return name == 'github-token' ? 'mock-token' : '' }))
 jest.spyOn(util, 'getBranchNames').mockReturnValue({ headName: 'dependabot|nuget|feature1', baseName: 'main' })
 jest.spyOn(dependabotCommits, 'getMessage').mockImplementation(jest.fn(
 () => Promise.resolve(mockCommitMessage)
@@ -106,9 +106,9 @@ test('it sets the updated dependency as an output for subsequent actions', async
 targetBranch: 'main',
 prevVersion: '4.0.1',
 newVersion: '4.2.2',
- alertState: 'FIXED',
- ghsaId: 'GSHA',
- cvss: 3.4
+ alertState: '',
+ ghsaId: '',
+ cvss: 0
 }
 ]
 )
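Review bot: With the new `getInput` mock answering `''` for `alert-lookup`, this test now only exercises the default-off path, so `mockAlert` on the line just above the mock is dead and nothing asserts that `alert-lookup` set to true actually routes resolver results into `alert-state`/`ghsa-id`/`cvss`. I would keep this test as the default-off case and add a sibling that returns `'true'` for `alert-lookup`, stubs the alert resolver with `mockAlert` (the old expectations imply it was stubbed somewhere outside the hunk), and expects `setOutput('alert-state', 'FIXED')`. The mock should also use strict equality: `name === 'github-token' ? 'mock-token' : ''`. The test body begins before this hunk and ends after it.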
@@ -121,9 +121,9 @@ test('it sets the updated dependency as an output for subsequent actions', async
 expect(core.setOutput).toBeCalledWith('target-branch', 'main')
 expect(core.setOutput).toBeCalledWith('previous-version', '4.0.1')
 expect(core.setOutput).toBeCalledWith('new-version', '4.2.2')
- expect(core.setOutput).toBeCalledWith('alert-state', 'FIXED')
- expect(core.setOutput).toBeCalledWith('ghsa-id', 'GSHA')
- expect(core.setOutput).toBeCalledWith('cvss', 3.4)
+ expect(core.setOutput).toBeCalledWith('alert-state', '')
+ expect(core.setOutput).toBeCalledWith('ghsa-id', '')
+ expect(core.setOutput).toBeCalledWith('cvss', 0)
 })
 test('if there are multiple dependencies, it summarizes them', async () => {
diff --git a/src/main.ts b/src/main.ts
index 388577a..42bda69 100644
--- a/src/main.ts
+++ b/src/main.ts
@@ -24,7 +24,10 @@ export async function run (): Promise {
 // Validate the job
 const commitMessage = await verifiedCommits.getMessage(githubClient, github.context)
 const branchNames = util.getBranchNames(github.context)
- const alertLookup = (name, version, directory) => verifiedCommits.getAlert(name, version, directory, githubClient, github.context)
+ let alertLookup: updateMetadata.alertLookup | undefined
+ if (core.getInput('alert-lookup')) {
+ alertLookup = (name, version, directory) => verifiedCommits.getAlert(name, version, directory, githubClient, github.context)
+ }
 if (commitMessage) {
 // Parse metadata
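Review bot: The `if (core.getInput('alert-lookup'))` line tests a string for truthiness, so any non-empty value — including `alert-lookup: false` or `'no'` written in a workflow — switches the lookup on; the opt-out the README advertises only works by omitting the key entirely. Parse it explicitly, e.g. `if (core.getBooleanInput('alert-lookup'))` if the pinned @actions/core provides it (it rejects anything other than YAML true/false spellings), otherwise `if (core.getInput('alert-lookup').toLowerCase() === 'true')`. This matters beyond correctness: the resolver presumably queries GitHub with the workflow token, and a user who wrote `false` would not expect that call to be made. The same truthiness test is compiled into dist/index.js, so the bundle needs regenerating after the fix; `run` continues outside the hunk.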