actions / dependency-review-action Goto Github PK

I’d like to allow alerts of low or moderate priority, but block PRs introducing high or critical alerts.

Right now I have a PR bumping a dependency from 10 to 11 for a high alert, but the checks fail due to a moderate priority alert which is not ideal.

Hi guys,

My team is using Dependency Review in our pipeline and we are receiving an error for a vulnerability that is not supposed to exist for the dependency in case: color 1.4.0

Here it is the link to the failed item:
https://github.com/EYBlockchain/nightfall_3/actions/runs/3088956171/jobs/4996018312

According to the docs (GHSA-gh88-3pxp-6fm8) only versions >= 1.4.1 for colors are affected.

I guess that might be an issue in Dep. Rev. Action.

Please, let me know your thoughts.

Thanks in advance!

Looks like this action only scans package.json in the root folder. There are may projects which have package.json in the subdirectories and it looks like that they are not scanned.

Setting a list of licenses that are ok or not for a particular project is not trivial without also some legal knowledge.

Especially for open source maintainers it is not always possible to consult someone with the needed knowledge to make a correct list of licenses.

Would it be possible to instead configure a list of constraints?

I am basing this of the abstraction that GitHub already provides for well known licenses :

Users could for example state that they want their product to be open to commercial use.

• if a dependency is added with a license that prohibits/limits commercial use, the action would fail.
• if a dependency is added with a license the maintainer doesn't know, they can rely on the outcome of the action.

Problem

Whenever GitHub's Dependency Review API returns a 502, the Action fails with a Server error message. This provides the user no information on what went wrong/what to do

Proposed enhancement

It would be nice to have a clearer message explaining what went wrong and where to direct bug reports. The action must still fail since we don't know what's in the changes.

I'm getting the following error:

Error: Dependency review is not supported on this repository. Please ensure that Dependency graph is enabled, see https://github.com/codemeistre/backend/settings/security_analysis

even tho we do I have Dependency graph enabled in the repository:

On private repositories (under free plan), should we do something besides the usual setup? 🤔 Thanks in advance.

I am trying out the new version of this action, specifically the license checking. This is what my workflow looks like:

  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: 'Checkout Repository'
        uses: actions/checkout@v3
      - name: 'Dependency Review'
        uses: actions/dependency-review-action@v2
        with:
          # Possible values: "critical", "high", "moderate", "low"
          fail-on-severity: high
          #
          # You can only include one of these two options: `allow-licenses` and `deny-licences`
          #
          # Possible values: Any `spdx_id` value(s) from https://docs.github.com/en/rest/licenses
          # allow-licenses: GPL-3.0, BSD-3-Clause, MIT
          #
          # Possible values: Any `spdx_id` value(s) from https://docs.github.com/en/rest/licenses
          deny-licenses: AGPL-3.0, GPL-2.0, GPL-3.0

So I am trying to block adding GPL dependencies.

I then make a PR where I add this Python dependency to my requirements.txt:

https://github.com/aspiers/git-deps

The PR seems to recognize the package and if you click it links to the above URL which says it is GPL 2.0 licensed.

The action succeeds though:

Am I doing anything wrong here?

I will note that the above workflow is configured in a reusable workflow that lives in a different organization/repository. This has worked for the vulnerability parts of the action when testing so I assume it is not an issue.

Thank you 🙇‍♀ for wanting to create an issue in this repository. Before you do, please ensure you are filing the issue in the right place. Issues should only be opened on if the issue relates to code in this repository.

• If you have found a security issue please submit it here
• If you have questions about writing workflows or action files, then please visit the GitHub Community Forum's Actions Board
• If you are having an issue or question about GitHub Actions then please contact customer support

If your issue is relevant to this repository, please delete this text and continue to create this issue. Thank you in advance.

I wanted to run this action on pushes, so I needed to specify base-ref and head-ref. I wasn't sure how to do it, so I searched GitHub for uses. A few things there seemed not right, because they set the two refs to be the same, but they are a comparison, so don't they have to be different?

https://github.com/fixator10/Fixator10-Cogs/blob/b6fd04ab5490862be71f3e31a7c1aa70282eead2/.github/workflows/dependency-review.yml#LL21-L22C76

          base-ref: ${{ github.event.pull_request.base.ref || github.ref }}
          head-ref: ${{ github.event.pull_request.head.ref || github.ref }}

https://github.com/marinchuck/test3/blob/6c0eaa622f8e2236a5f4bec5c16d822457225017/.github/workflows/ci-pipeline.yml#L79-L80

                    base-ref: main
                    head-ref: main

Others had more elaborate settings, but often hard-coded the base ref:
https://github.com/Infineon/ek-based-onboarding-optiga-tpm/blob/b00aefa07591394210d39fe306d704b52a23c270/.github/workflows/main.yml#L24-L25

          head-ref: ${{ github.ref }}
          base-ref: ec53ee4956ff702efdf1f7a06c87fdfe821dff0f

I used this:

          base-ref: ${{ github.event.pull_request.base.ref || 'master' }}
          head-ref: ${{ github.event.pull_request.head.ref || github.ref }}

What is the right way to do this? An example in the README would help people a lot I think.

name: 'Dependency Review'
on: [pull_request]

permissions:
contents: read

jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- name: 'Dependency Review'
uses: actions/dependency-review-action@v1Thank you 🙇‍♀ for wanting to create an issue in this repository. Before you do, please ensure you are filing the issue in the right place. Issues should only be opened on if the issue relates to code in this repository.

• If you have found a security issue please submit it here
• If you have questions about writing workflows or action files, then please visit the GitHub Community Forum's Actions Board
• If you are having an issue or question about GitHub Actions then please contact customer support

If your issue is relevant to this repository, please delete this text and continue to create this issue. Thank you in advance.

There should be an option to disable devDependencies because some people just have testing frameworks and build tools in their devDependencies.

Hi Guys,
Dependency graph is enabled in our repo. But still it shows an error in Github actions.

My build.yaml looks like,
- name: 'Dependency Review'
uses: actions/dependency-review-action@v1

Could someone help me to fix this issue?

Tagging policy commonly used by GitHub for actions is "not great but not terrible": typically the repositories tag releases with specific tags (like "v1.0.2") and then also have a major version tag (like "v1") that is usually moved to match the latest specific release tag. This enables using @v1 in workflow files.

This repository has a v1 tag leading users to think that they can use the same strategy here. Unfortunately that tag points to the initial commit and not the latest release (at the moment of writing "v1.0.2"). So if someone has uses: actions/dependency-review-action@v1 they are using the initial commit of this repository. This seems like the worst option: either the tag should not exist or it should get moved on every release.

I've tried to update our Dependency Review Action to use a config file, but trying to use a config file in our org-wide .github repo (see: 10up/insert-special-characters#164). However the error I'm seeing in that action run seems to point to the config file needing to be within the report. Can you clarify if the config file can be in a different repo and if so what the correct format is for that? Thanks!

This run was triggered by the "push" event, which is unsupported. Please ensure you are using the "pull_request" event for this workflow.

Consider adding support for a list of GHSA (or CVE) listing that would be considered unacceptable risk and not allow via policy.

Ex: want to fail on any CVE listed in the CISA KEV catalog

Thank you 🙇‍♀ for wanting to create an issue in this repository. Before you do, please ensure you are filing the issue in the right place. Issues should only be opened on if the issue relates to code in this repository.

• If you have found a security issue please submit it here
• If you have questions about writing workflows or action files, then please visit the GitHub Community Forum's Actions Board
• If you are having an issue or question about GitHub Actions then please contact customer support

If your issue is relevant to this repository, please delete this text and continue to create this issue. Thank you in advance.

I have been testing dependency-review-action on a public repo with only python requirements.txt and dev_requirements.txt
The action does detect vulnerabilities but could not find any of the licenses.

Is there something special that is needed to be done for it work?

We are running into an issue with libraries which don't define their license in a format that dependency-review can accept. For example:
https://github.com/BurntSushi/same-file/blob/5799cd323b8eefd17a089c950dac113f66c89c9e/Cargo.toml#L13
https://github.com/BurntSushi/aho-corasick/blob/979cf735e267c361806dd34224699430531626ab/Cargo.toml#L10
https://github.com/rayon-rs/rayon/blob/7413495e3307f7fbf945b7742f9fce9b1aa2ff58/Cargo.toml#L9

Several of these have been been updated with PR's to help address the issue within the projects. But this is not a sustainable process and it is severely inhibiting the ability to use dependency review.

We need an ability to define exceptions for these specific (but invalid) license formats or these specific dependencies.

I see this previous PR: #133

However it looks to have only addressed whitelisting CVE's, and not an ability to whitelist dependencies.

Thank you!

Using an external config file from an internal repo in the same org gives back the error

Is there something wrong in my config? Does it have to be in a .github folder?

I have allowed Actions access to the config repo.

- name: Dependency Review
        uses: actions/dependency-review-action@v3
        with:
          # external config file
          config-file: name-of-org/name-of-repo/.github/dependency-review-config.yml@main

dependency-review-config.yml

# Possible values: "critical", "high", "moderate", "low" 
fail-on-severity: 'low'

# You can only can only include one of these two options: `allow-licenses` and `deny-licences`
# ([String]). Only allow these licenses (optional)
# Possible values: Any `spdx_id` value(s) from https://docs.github.com/en/rest/licenses 
allow-licenses:
  - 'GPL-3.0'
  - 'BSD-3-Clause'
  - 'MIT'
  
# ([String]). Block the pull request on these licenses (optional)
# Possible values: Any  `spdx_id` value(s) from https://docs.github.com/en/rest/licenses 
# deny-licenses: 
# - 'LGPL-2.0'
# - 'BSD-2-Clause'

After adding this action to one of my project I was curious what it was scanning. Unfortunately I was not able to figure out what is actually being scanned (other than the image from the README, suggesting it's scanning package.json; and a log about a GitHub Actions workflow, suggesting it's scanning GitHub Actions workflow files). I tried enabling debug logging, but the logs still didn't tell me what was being analyzed.

In that light, I have two suggestions:

1. Document which sources can be analyzed in the README (or similar).
2. Log which sources are being analyzed during a run of the Action.

👋 Hi! My team has been using this action, and we were wondering if it's possible to get the summary output from the action to use in subsequent workflow steps. A fake example:

We'd like to have this summary output available as output from the action itself, so that we can do things like post it as a comment on the PR that corresponds to the workflow run, notify people in Slack, etc. Is that supported today and I'm just missing it? If not, I would be happy to put together a pull request to support this.

Quoting https://github.com/anmol098/waka-readme-stats/actions/runs/4378777323/jobs/7663945367#step:3:1 from anmol098/waka-readme-stats#415 :

Unexpected input(s) 'comment-summary-in-pr', valid inputs are ['repo-token', 'fail-on-severity', 'fail-on-scopes', 'base-ref', 'head-ref', 'config-file', 'allow-licenses', 'deny-licenses', 'allow-ghsas', 'external-repo-token', 'license-check', 'vulnerability-check']

It would be nice to be able to ignore / whitelist certain dependencies. This way we can keep working if no fix exist yet/

Suggestion to add support to disable either the vulnerability or license check. From the user perspective, something along the lines of:

- name: Dependency Review
  uses: actions/dependency-review-action@v2
  with:
    dependency-check: false   # `true` to enable, `false` to disable
    license-check: true       # `true` to enable, `false` to disable

I believe this is useful when you already use a different tool to do one of these checks. For example, say I use npm audit for vulnerability scanning and I need a tool for license checking. In this scenario, using this Action is possible but I don't really need the dependency check. Moreover, it would likely lead to duplicate alerts, which can get noisy. Hence, I would want to disable the vulnerability scanning. One can imagine the same could be true for the license check.

#184 looks related as it would allow you to make only one of the two checks required. I still believe completely disabling one of the two checks would be a preferable solution in order to reduce noise.

Setting up dependancy-review to use an external repo for its config.
I can't get the config file settings to actually be used/applied
I have confirmed that the repo is accessable and the config file is being loaded by changing the name of the config file to something that doesn't exist and got an error: "Error: Unable to fetch or parse config file: Error fetching remote config file"
Putting a bad, yaml syntax also generates an error:
Unable to fetch or parse config file: Implicit keys need to be on a single line at line 3, column 1: # Possible values: "critical", "high", "moderate", "low" this-is-notused-bad ^

But no matter what setting I put in the config.yml dependancy-review always reports using its default settings, "fail-on-severity: low", "fail-on-scopes: runtime" not the settings in the config file.

Config that we are testing with, remote repo with the following config:

fail-on-severity: 'critical'
fail-on-scopes:
  - development
  - runtime

Repo that will be using the above config:

name: 'Dependency Review'
on: [pull_request]

permissions:
  contents: read

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: 'Checkout Repository'
        uses: actions/checkout@v3
      - name: 'Dependency Review'
        uses: actions/dependency-review-action@v3
        with:
          config-file: 'org/sec-github-actions-config/dependancy-review/config.yml@master'
          external-repo-token: ${{ secrets.SEC_DEPENDANCY_REVIEW }}

But when the action runs it always reports the following in the action:

Run actions/dependency-review-action@v3
  with:
    config-file: org/sec-github-actions-config/dependancy-review/config.yml@master
    external-repo-token: ***
    repo-token: ***
    fail-on-severity: low
    fail-on-scopes: runtime

So my custom setting are not being used/applied but I get no error loading/parsing the file. Running the action in debug mode didn't give any extra info/errors.

I'm testing with a Pipfile that only has a 'high' issue in it related to the lxml package.

[[source]]
name = "pypi"
url = "https://pypi.org/simple"
verify_ssl = true

[[source]]

[dev-packages]

[packages]
python-json-logger = "==2.0.1"
lxml = "==4.6.1"
boto3 = "*"

[requires]
python_version = "3.8"

Any ideas on what am I missing/doing wrong?

I was testing with deny-licenses option and found that it failed to detect a license from https://www.npmjs.com/package/spook.js. The workflow I added was:

name: Dependency Check

on:
  pull_request:
    types: [opened, synchronize, reopened]
    branches: ['main']

jobs:
  CheckDependency:
    runs-on: ubuntu-latest

    steps:
      - name: 'Checkout'
        uses: actions/checkout@v3

      - name: 'Check dependencies for known security issues'
        uses: actions/dependency-review-action@v2
        with:
          deny-licenses: GPL-1.0, GPL-2.0, GPL-3.0, LGPL-2.0, LGPL-2.1, LGPL-3.0, AGPL-1.0, AGPL-2.0, AGPL-3.0

And my test PR made these changes:
package.json

"spook.js": "0.0.1"

package-lock.json

    "spook.js": {
      "version": "0.0.1",
      "resolved": "https://registry.npmjs.org/spook.js/-/spook.js-0.0.1.tgz",
      "integrity": "sha512-D1/7VxEuQ7xk6z/kAROe4SUbd9CzxY4zOwVGnGHerd/SgLIVU5f4esDzQUsOCeArn933BZfWMKydH7l7dPEp0g=="
    }

However, the action run for the PR didn't fail. Instead, it reported that it couldn't detect a license for spook.js.

  We could not detect a license for the following dependencies:
  
  Python/blu-ring-viewer/package-lock.json » [email protected]
  Python/blu-ring-viewer/package.json » [email protected]

If I manually grab the file from https://registry.npmjs.org/spook.js/-/spook.js-0.0.1.tgz I can see LICENSE.md in it which is GPL-3.0. I can also use GitHub License API to check its license and it is "gpl-3.0": https://api.github.com/repos/arthurakay/spook.js/license

{
  "name": "LICENSE.md",
  "path": "LICENSE.md",
  "sha": "e72bfddabc15be5718a7cc061ac10e47741d8219",
  "size": 35148,
  "url": "https://api.github.com/repos/arthurakay/spook.js/contents/LICENSE.md?ref=master",
  "html_url": "https://github.com/arthurakay/spook.js/blob/master/LICENSE.md",
  "git_url": "https://api.github.com/repos/arthurakay/spook.js/git/blobs/e72bfddabc15be5718a7cc061ac10e47741d8219",
  "download_url": "https://raw.githubusercontent.com/arthurakay/spook.js/master/LICENSE.md",
  "type": "file",
  "content": "...removed...",
  "encoding": "base64",
  "_links": {
    "self": "https://api.github.com/repos/arthurakay/spook.js/contents/LICENSE.md?ref=master",
    "git": "https://api.github.com/repos/arthurakay/spook.js/git/blobs/e72bfddabc15be5718a7cc061ac10e47741d8219",
    "html": "https://github.com/arthurakay/spook.js/blob/master/LICENSE.md"
  },
  "license": {
    "key": "gpl-3.0",
    "name": "GNU General Public License v3.0",
    "spdx_id": "GPL-3.0",
    "url": "https://api.github.com/licenses/gpl-3.0",
    "node_id": "MDc6TGljZW5zZTk="
  }
}

Did I do something wrong?

Because it is so difficult to build and maintain a database of all licenses for all packages, it would be great if there were some options for what to do when a package with an unknown license is added.

Option 1: Comment on the PR so someone at least gets a heads up to double check the license manually

Option 2: Allow the option to explicitly deny packages with unknown licenses.

• Note - we'd probably need to also add a feature to explicitly allow specific packages in this situation...

I'm open to other options, too :)

Thanks

Dependencies that are distributed as source (most of them) will also have specific runtime or compiler version requirements.

Would it be within the scope of this package to also verify those?

Example :

• my library aims to support Go 1.16 or later
• a dependency is introduced that depends on Go 1.20
• the action fails

Example :

• my library aims to support Go 1.16 or later
• a dependency is updated and now depends on Go 1.20
• the action fails

We ran into an issue where actions/dependency-review-action@v2 was blocking based on a report that [email protected] had a high severity finding and linked here GHSA-gh88-3pxp-6fm8 but the CVE-2021-23567 only impacts versions of colors >= 1.4.1.

Based on my understanding with our version currently being 1.0.3 this CVE should not be attached to the PR and the action should not be blocking our pipeline.

(And note no where else in the project was there any reference to colors >= 1.4.1)

Add the value none as the possible values for the fail-on-severity parameter

Problem

• It would be useful to provide a parameter to the action that will only list all the anomalies and do not fail
• The idea is to match one of the none value that can be used in the "Code Scanning" options
  • Code Scanning alerts are still raised, but the PR is not failing/blocked
  • see Defining the severities causing pull request check failure

Solution

• Add the value none as the possible values for the fail-on-severity parameter
• when set to none the action will:
  • not block the PR (raise an alert) in one or more vulnerabilities, or invalid licences are found
  • a warning will be publish
  • all alerts will be printed in the summary (vulnerabilities & licences)
• Default behaviour is not changed and the value is set to low

Hi there,

The following PR is updating an NPM dependency and is removing a transitive dependency, string-similarity, from package-lock.json at the same time: fastify/fastify-passport#597

string-similarity has a disallowed license, which is causing the action to throw an error, even though said dependency is being removed in the PR:

Not too sure if working as intended, or a bug?

I noticed that quite often I get messages like:

We could not detect a license for the following dependencies:
package.json » eslint-plugin-unicorn@^43.0.0
package.json » eslint-plugin-unicorn@^42.0.0

When running my setup:

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: 'Checkout Repository'
        uses: actions/checkout@v3
      - name: Dependency Review
        uses: actions/dependency-review-action@v2
        with:
          fail-on-severity: moderate
          deny-licenses: GPL-2.0, GPL-3.0, AGPL-1.0, AGPL-3.0

Reproduction

I wanted to figure out why, so I dug into the code and realized that while license is available to for modules with "manifest": "package-lock.json", not "manifest": "package.json", in the response for diffed modules from /dependency-graph/compare.

I replicated the data for the messages above by running:

gh api \
  -H "Accept: application/vnd.github+json" \
  /repos/voxpelli/eslint-config/dependency-graph/compare/8b05c37a68ad3d1c5a5b2a0b822a74f704c45732...189fed958307f1101fee5e3e2902a886a31bca5d

And got this response, which made me suspect the above conclusion:

[
  {
    "change_type": "added",
    "manifest": "package-lock.json",
    "ecosystem": "npm",
    "name": "eslint",
    "version": "8.19.0",
    "package_url": "pkg:npm/[email protected]",
    "license": "MIT",
    "source_repository_url": "https://github.com/eslint/eslint",
    "vulnerabilities": []
  },
  {
    "change_type": "added",
    "manifest": "package-lock.json",
    "ecosystem": "npm",
    "name": "eslint-plugin-unicorn",
    "version": "43.0.0",
    "package_url": "pkg:npm/[email protected]",
    "license": "MIT",
    "source_repository_url": "https://github.com/sindresorhus/eslint-plugin-unicorn",
    "vulnerabilities": []
  },
  {
    "change_type": "added",
    "manifest": "package-lock.json",
    "ecosystem": "npm",
    "name": "type-fest",
    "version": "2.16.0",
    "package_url": "pkg:npm/[email protected]",
    "license": "CC0-1.0 OR MIT OR (CC0-1.0 AND MIT)",
    "source_repository_url": "https://github.com/sindresorhus/type-fest",
    "vulnerabilities": []
  },
  {
    "change_type": "removed",
    "manifest": "package-lock.json",
    "ecosystem": "npm",
    "name": "eslint",
    "version": "8.18.0",
    "package_url": "pkg:npm/[email protected]",
    "license": "MIT",
    "source_repository_url": "https://github.com/eslint/eslint",
    "vulnerabilities": []
  },
  {
    "change_type": "removed",
    "manifest": "package-lock.json",
    "ecosystem": "npm",
    "name": "eslint-plugin-unicorn",
    "version": "42.0.0",
    "package_url": "pkg:npm/[email protected]",
    "license": "MIT",
    "source_repository_url": "https://github.com/sindresorhus/eslint-plugin-unicorn",
    "vulnerabilities": []
  },
  {
    "change_type": "removed",
    "manifest": "package-lock.json",
    "ecosystem": "npm",
    "name": "type-fest",
    "version": "2.15.1",
    "package_url": "pkg:npm/[email protected]",
    "license": "CC0-1.0 OR MIT OR (CC0-1.0 AND MIT)",
    "source_repository_url": "https://github.com/sindresorhus/type-fest",
    "vulnerabilities": []
  },
  {
    "change_type": "added",
    "manifest": "package.json",
    "ecosystem": "npm",
    "name": "eslint-plugin-unicorn",
    "version": "^43.0.0",
    "package_url": "",
    "license": null,
    "source_repository_url": "https://github.com/sindresorhus/eslint-plugin-unicorn",
    "vulnerabilities": []
  },
  {
    "change_type": "removed",
    "manifest": "package.json",
    "ecosystem": "npm",
    "name": "eslint-plugin-unicorn",
    "version": "^42.0.0",
    "package_url": "",
    "license": null,
    "source_repository_url": "https://github.com/sindresorhus/eslint-plugin-unicorn",
    "vulnerabilities": []
  }
]

Then tried on another repository of mine with a PR that contains more package changes, to rule out this being a fluke for an individual package:

gh api \
  -H "Accept: application/vnd.github+json" \
  /repos/voxpelli/async-htm-to-string/dependency-graph/compare/f1fb2a044cb7bc7c0adde9bf6fca72cb06e3e203...e3b4d72fc4dfdc8eef3c8a3fdd33f62a20c6d0c2

And got a response containing nothing but "manifest": "package.json" (since the project lacks a lockfile) and all "license": null (and "package_url": "", maybe related?)

[
  {
    "change_type": "added",
    "manifest": "package.json",
    "ecosystem": "npm",
    "name": "dependency-check",
    "version": "^5.0.0-7",
    "package_url": "",
    "license": null,
    "source_repository_url": "https://github.com/dependency-check-team/dependency-check",
    "vulnerabilities": []
  },
  {
    "change_type": "added",
    "manifest": "package.json",
    "ecosystem": "npm",
    "name": "eslint",
    "version": "^8.19.0",
    "package_url": "",
    "license": null,
    "source_repository_url": "https://github.com/eslint/eslint",
    "vulnerabilities": []
  },
  {
    "change_type": "added",
    "manifest": "package.json",
    "ecosystem": "npm",
    "name": "eslint-plugin-jsdoc",
    "version": "^39.3.3",
    "package_url": "",
    "license": null,
    "source_repository_url": "https://github.com/gajus/eslint-plugin-jsdoc",
    "vulnerabilities": []
  },
  {
    "change_type": "added",
    "manifest": "package.json",
    "ecosystem": "npm",
    "name": "eslint-plugin-n",
    "version": "^15.2.4",
    "package_url": "",
    "license": null,
    "source_repository_url": "https://github.com/weiran-zsd/eslint-plugin-node",
    "vulnerabilities": []
  },
  {
    "change_type": "added",
    "manifest": "package.json",
    "ecosystem": "npm",
    "name": "installed-check",
    "version": "^6.0.3",
    "package_url": "",
    "license": null,
    "source_repository_url": "https://github.com/voxpelli/node-installed-check",
    "vulnerabilities": []
  },
  {
    "change_type": "removed",
    "manifest": "package.json",
    "ecosystem": "npm",
    "name": "dependency-check",
    "version": "^5.0.0-6",
    "package_url": "",
    "license": null,
    "source_repository_url": "https://github.com/dependency-check-team/dependency-check",
    "vulnerabilities": []
  },
  {
    "change_type": "removed",
    "manifest": "package.json",
    "ecosystem": "npm",
    "name": "eslint",
    "version": "^8.17.0",
    "package_url": "",
    "license": null,
    "source_repository_url": "https://github.com/eslint/eslint",
    "vulnerabilities": []
  },
  {
    "change_type": "removed",
    "manifest": "package.json",
    "ecosystem": "npm",
    "name": "eslint-plugin-jsdoc",
    "version": "^39.3.2",
    "package_url": "",
    "license": null,
    "source_repository_url": "https://github.com/gajus/eslint-plugin-jsdoc",
    "vulnerabilities": []
  },
  {
    "change_type": "removed",
    "manifest": "package.json",
    "ecosystem": "npm",
    "name": "eslint-plugin-n",
    "version": "^15.2.2",
    "package_url": "",
    "license": null,
    "source_repository_url": "https://github.com/weiran-zsd/eslint-plugin-node",
    "vulnerabilities": []
  },
  {
    "change_type": "removed",
    "manifest": "package.json",
    "ecosystem": "npm",
    "name": "installed-check",
    "version": "^6.0.0",
    "package_url": "",
    "license": null,
    "source_repository_url": "https://github.com/voxpelli/node-installed-check",
    "vulnerabilities": []
  }
]

Conclusion

So, currently the license checks doesn't work for npm projects that lacks the package-lock.json file?

Hi,
Why this:

Thank you in advance.

I am seeing the same error as #386 in that nested folders are not scanned.
The action exited with a success but no output.

2023-02-01T12:11:13.1721349Z ##[group]Run actions/dependency-review-action@v3
2023-02-01T12:11:13.1721586Z with:
2023-02-01T12:11:13.1721808Z   allow-licenses: MIT
2023-02-01T12:11:13.1722159Z   repo-token: ***
2023-02-01T12:11:13.1722367Z   fail-on-severity: low
2023-02-01T12:11:13.1722580Z   fail-on-scopes: runtime
2023-02-01T12:11:13.1722783Z ##[endgroup]
2023-02-01T12:11:36.2620407Z ##[debug]Node Action run completed with exit code 0

But as you can see there was no output.

I re-ran the job by closing and re-opening the PR and now I get a server error but with no information.

2023-02-01T12:19:44.9155116Z ##[group]Run actions/dependency-review-action@v3
2023-02-01T12:19:44.9155401Z with:
2023-02-01T12:19:44.9155651Z   allow-licenses: MIT
2023-02-01T12:19:44.9156004Z   repo-token: ***
2023-02-01T12:19:44.9156245Z   fail-on-severity: low
2023-02-01T12:19:44.9156492Z   fail-on-scopes: runtime
2023-02-01T12:19:44.9156725Z ##[endgroup]
2023-02-01T12:20:40.6476468Z ##[error]Server Error
2023-02-01T12:20:40.6521886Z ##[debug]Node Action run completed with exit code 1

I tried to reproduce this on a public repository but it works without a problem.

https://github.com/ChrisC-testorg/public-dependency-review/pull/1

Any ideas what could cause this, can we enable more logging to see what the server error is?

For context I'm trying to review all dependencies - so I'm copying the package files from different repositories. Is there another way to set the basehead to review all dependencies instead of just those that have changed - that would resolve this problem for me.

When using this action with the new merge queue feature, I get the following error:

Error: Both a base ref and head ref must be provided, either via the `base_ref`/`head_ref` config options, or by running a `pull_request`/`pull_request_target` workflow.

It would be awesome, if this action can support the merge_group trigger out of the box.

One of the packages we're importing has multiple licenses based on dependent projects. The Github dependency-graph API returns all 3 licenses. We have each of the 3 licenses in our allow-list, but because this is a single string response, it's failing the dependency review.

Response from the depency-graph API:

  {
    "change_type": "added",
    "manifest": "package-lock.json",
    "ecosystem": "npm",
    "name": "@fortawesome/fontawesome-free",
    "version": "5.15.4",
    "package_url": "pkg:npm/%40fortawesome/[email protected]",
    "license": "CC-BY-4.0 AND MIT AND OFL-1.1",
    "source_repository_url": "https://github.com/FortAwesome/Font-Awesome",
    "scope": "runtime",
    "vulnerabilities": []
  },

Proposal
For a situation like this, the action would parse the license field and use the operator (AND) to check that all 3 licenses are in our allow-list. I can see the possibility of a dual-licensed package including an OR (e.g.: CC-BY-4.0 OR MIT) and so we'd want to use the operator (AND or OR) to validate against the allow-list or deny-list appropriately.

Thanks for your consideration!

Running it on my private github and it fails with:

dependency-review
failed 2 minutes ago in 3s
Run actions/dependency-review-action@v1
Error: Dependency review is not supported on this repository. Please ensure that Dependency graph is enabled, see https://github.com/grndvl1/BGB/settings/security_analysis

I have all the setting set to true

When a GitHub repository is newly forked, it has the dependency graph feature disabled by default. If dependency-review-action is used on one of these freshly cloned repositories, it errors with the following message:

Error: Forbidden

The error handling code that produces this unclear message is:

  } catch (error) {
    if (error instanceof RequestError && error.status === 404) {
      core.setFailed(
        `Dependency review could not obtain dependency data for the specified owner, repository, or revision range.`
      )
    } else if (error instanceof RequestError && error.status === 403) {
      core.setFailed(
        `Dependency review is not supported on this repository. Please ensure that Dependency graph is enabled, see https://github.com/${github.context.repo.owner}/${github.context.repo.repo}/settings/security_analysis`
      )
    } else {
      if (error instanceof Error) {
        core.setFailed(error.message)
      } else {
        core.setFailed('Unexpected fatal error')
      }
    }
  }

Specifically, it's the core.setFailed(error.message) fallback that is responsible.

Printing out the error message using core.debug(JSON.stringify(error, Object.getOwnPropertyNames(error))) results in the following:

{
  stack: 'HttpError: Forbidden\n' +
    '    at /home/runner/work/_actions/WillDaSilva/dependency-review-action/main/webpack:/dependency-review-action/node_modules/@octokit/request/dist-node/index.js:86:1\n' +
    '    at processTicksAndRejections (node:internal/process/task_queues:96:5)\n' +
    '    at Job.doExecute (/home/runner/work/_actions/WillDaSilva/dependency-review-action/main/webpack:/dependency-review-action/node_modules/bottleneck/light.js:405:1)',
  message: 'Forbidden',
  name: 'HttpError',
  status: 403,
  response: { status: 403, headers: {} },
  request: { request: {}, headers: {} },
  code: 403,
  headers: {}
}

It's clear that this ought to result in the Dependency review is not supported on this repository [...] error message, but for some reason isn't.

Version 2.1.0 supports pull requests. I use the same workflow for building the master branch as well as creating a pull request.
Do I really have to configure the action like this?

- uses: actions/dependency-review-action@v2
   if: github.event_name == 'push'
- name: Dependency Review
   uses: actions/dependency-review-action@v2
   if: github.event_name == 'pull_request'
   with:
     base-ref: ${{ github.event.pull_request.base.ref }}
     head-ref: ${{ github.event.pull_request.head.ref }}

If so, this action has access to the github event, hasn't it? So it could set the base/head-ref by itself?

I try to deploy my dependency-review action file but get Error: Forbidden

My dependency-review-action.yml

name: 'Dependency Review'
on: [pull_request]

permissions:
  contents: read

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: 'Checkout Repository'
        uses: actions/checkout@v3
      - name: 'Dependency Review'
        uses: actions/dependency-review-action@v1

When creating a new workflow using this button:

You get the following code:

# Dependency Review Action
#
# This Action will scan dependency manifest files that change as part of a Pull Reqest, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging.
#
# Source repository: https://github.com/actions/dependency-review-action
# Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
name: 'Dependency Review'
on: [pull_request]

permissions:
  contents: read

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: 'Checkout Repository'
        uses: actions/checkout@v3
      - name: 'Dependency Review'
        uses: actions/dependency-review-action@v1

Which contains this typo: where Pull Reqest should be pull request

I can't find the source of this text though

The output of this action prints actions/dependency-review-action has an unknown license.

https://github.com/hfhbd/routing-compose/actions/runs/2891020667/attempts/2#summary-7922844964

Having to manually build the dist/ files when changing the code is tedious and prone to error.

We should add a Git hook that checks for changes in src/ that don't have the equivalent changes in dist/ (in the same way we already do for PRs with the check-dist check).

On the first run this Action did in one of my repositories (first time using it) I looked at the output and noticed a curious log (full logs here):

We could not detect a license for the following dependencies:
.github/workflows/deps-analysis.yml » actions/[email protected]

From what I can tell, this repositories' license is present and well-formed (there's a LICENSE file, as well as the "license" entry in package.json, and GitHub displays the correct license in the UI).

I'm not sure what exactly the problem is, but I would not expect this Action to log a "problem" with itself.

Currently the only tag available for this action is v1¹. However, other official GitHub actions in the actions organization offer semantic versions².

Is it possible to add a v1.0.0 tag that is immutable, and keep the v1 tag as a mutable tag that points to the latest v1.x.x tag?

Right now, only the pull_request and pull_request_target workflow events are supported. It would be great to also support push to catch any commits that may not have gone through a PR.

I'm aware of the base-ref/head-ref support, but it would be nice if this was supported by default without any special configuration.