Skip to content

Commit 0ca01a5

Browse files
brrygrdnbrrygrdn
authored
Merge pull request #146 from pangaeatech/get_compat_score
Return compatibility score
2 parents f4b2d0d + e050770 commit 0ca01a5

File tree

12 files changed

+160
-22
lines changed

12 files changed

+160
-22
lines changed

README.md

Lines changed: 7 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -25,6 +25,7 @@ jobs:
2525
uses: dependabot/[email protected]
2626
with:
2727
alert-lookup: true
28+
compat-lookup: true
2829
```
2930
3031
Supported inputs are:
@@ -33,7 +34,10 @@ Supported inputs are:
3334
- The `GITHUB_TOKEN` secret
3435
- Defaults to `${{ github.token }}`
3536
- `alert-lookup` (boolean)
36-
- If `true`, then call populate the `alert-state`, `ghsa-id` and `cvss` outputs.
37+
- If `true`, then populate the `alert-state`, `ghsa-id` and `cvss` outputs.
38+
- Defaults to `false`
39+
- `compat-lookup` (boolean)
40+
- If `true`, then populate the `compatibility-score` output.
3741
- Defaults to `false`
3842

3943
Subsequent actions will have access to the following outputs:
@@ -62,6 +66,8 @@ Subsequent actions will have access to the following outputs:
6266
- If this PR is associated with a security alert and `alert-lookup` is `true`, this contains the GHSA-ID of that alert.
6367
- `steps.dependabot-metadata.outputs.cvss`
6468
- If this PR is associated with a security alert and `alert-lookup` is `true`, this contains the CVSS value of that alert (otherwise it contains 0).
69+
- `steps.dependabot-metadata.outputs.compatibility-score`
70+
- If this PR has a known compatibility score and `compat-lookup` is `true`, this contains the compatibility score (otherwise it contains 0).
6571

6672
**Note:** These outputs will only be populated if the target Pull Request was opened by Dependabot and contains
6773
**only** Dependabot-created commits.

action.yml

Lines changed: 6 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,10 @@ branding:
66
inputs:
77
alert-lookup:
88
type: boolean
9-
description: 'If true, then call populate the `alert-state`, `ghsa-id` and `cvss` outputs'
9+
description: 'If true, then populate the `alert-state`, `ghsa-id` and `cvss` outputs'
10+
compat-lookup:
11+
type: boolean
12+
description: 'If true, then populate the `compatibility-score` output'
1013
github-token:
1114
description: 'The GITHUB_TOKEN secret'
1215
default: ${{ github.token }}
@@ -35,6 +38,8 @@ outputs:
3538
description: 'If this PR is associated with a security alert and `alert-lookup` is `true`, this contains the GHSA-ID of that alert.'
3639
cvss:
3740
description: 'If this PR is associated with a security alert and `alert-lookup` is `true`, this contains the CVSS value of that alert (otherwise it contains 0).'
41+
compatibility-score:
42+
description: 'If this PR has a known compatibility score and `compat-lookup` is `true`, this contains the compatibility score (otherwise it contains 0).'
3843
runs:
3944
using: 'node12'
4045
main: 'dist/index.js'

dist/index.js

Lines changed: 29 additions & 4 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

src/dependabot/output.test.ts

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -18,6 +18,7 @@ const baseDependency = {
1818
targetBranch: '',
1919
prevVersion: '',
2020
newVersion: '',
21+
compatScore: 0,
2122
alertState: '',
2223
ghsaId: '',
2324
cvss: 0
@@ -34,6 +35,7 @@ test('when given a single dependency it sets its values', async () => {
3435
targetBranch: 'main',
3536
prevVersion: '1.0.2',
3637
newVersion: '1.1.3-beta',
38+
compatScore: 43,
3739
alertState: 'FIXED',
3840
ghsaId: 'VERY_LONG_ID',
3941
cvss: 4.6
@@ -56,6 +58,7 @@ test('when given a single dependency it sets its values', async () => {
5658
expect(core.setOutput).toBeCalledWith('target-branch', 'main')
5759
expect(core.setOutput).toBeCalledWith('previous-version', '1.0.2')
5860
expect(core.setOutput).toBeCalledWith('new-version', '1.1.3-beta')
61+
expect(core.setOutput).toBeCalledWith('compatibility-score', 43)
5962
expect(core.setOutput).toBeCalledWith('alert-state', 'FIXED')
6063
expect(core.setOutput).toBeCalledWith('ghsa-id', 'VERY_LONG_ID')
6164
expect(core.setOutput).toBeCalledWith('cvss', 4.6)
@@ -101,6 +104,7 @@ test('when given a multiple dependencies, it uses the highest values for types',
101104
expect(core.setOutput).toBeCalledWith('target-branch', '')
102105
expect(core.setOutput).toBeCalledWith('previous-version', '')
103106
expect(core.setOutput).toBeCalledWith('new-version', '')
107+
expect(core.setOutput).toBeCalledWith('compatibility-score', 0)
104108
expect(core.setOutput).toBeCalledWith('alert-state', '')
105109
expect(core.setOutput).toBeCalledWith('ghsa-id', '')
106110
expect(core.setOutput).toBeCalledWith('cvss', 0)
@@ -131,6 +135,7 @@ test('when the dependency has no update type', async () => {
131135
expect(core.setOutput).toBeCalledWith('target-branch', '')
132136
expect(core.setOutput).toBeCalledWith('previous-version', '')
133137
expect(core.setOutput).toBeCalledWith('new-version', '')
138+
expect(core.setOutput).toBeCalledWith('compatibility-score', 0)
134139
expect(core.setOutput).toBeCalledWith('alert-state', '')
135140
expect(core.setOutput).toBeCalledWith('ghsa-id', '')
136141
expect(core.setOutput).toBeCalledWith('cvss', 0)
@@ -174,6 +179,7 @@ test('when given a multiple dependencies, and some do not have update types', as
174179
expect(core.setOutput).toBeCalledWith('target-branch', '')
175180
expect(core.setOutput).toBeCalledWith('previous-version', '')
176181
expect(core.setOutput).toBeCalledWith('new-version', '')
182+
expect(core.setOutput).toBeCalledWith('compatibility-score', 0)
177183
expect(core.setOutput).toBeCalledWith('alert-state', '')
178184
expect(core.setOutput).toBeCalledWith('ghsa-id', '')
179185
expect(core.setOutput).toBeCalledWith('cvss', 0)

src/dependabot/output.ts

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -26,6 +26,7 @@ export function set (updatedDependencies: Array<updatedDependency>): void {
2626
const target = firstDependency?.targetBranch
2727
const prevVersion = firstDependency?.prevVersion
2828
const newVersion = firstDependency?.newVersion
29+
const compatScore = firstDependency?.compatScore
2930
const alertState = firstDependency?.alertState
3031
const ghsaId = firstDependency?.ghsaId
3132
const cvss = firstDependency?.cvss
@@ -39,6 +40,7 @@ export function set (updatedDependencies: Array<updatedDependency>): void {
3940
core.info(`outputs.target-branch: ${target}`)
4041
core.info(`outputs.previous-version: ${prevVersion}`)
4142
core.info(`outputs.new-version: ${newVersion}`)
43+
core.info(`outputs.compatibility-score: ${compatScore}`)
4244
core.info(`outputs.alert-state: ${alertState}`)
4345
core.info(`outputs.ghsa-id: ${ghsaId}`)
4446
core.info(`outputs.cvss: ${cvss}`)
@@ -53,6 +55,7 @@ export function set (updatedDependencies: Array<updatedDependency>): void {
5355
core.setOutput('target-branch', target)
5456
core.setOutput('previous-version', prevVersion)
5557
core.setOutput('new-version', newVersion)
58+
core.setOutput('compatibility-score', compatScore)
5659
core.setOutput('alert-state', alertState)
5760
core.setOutput('ghsa-id', ghsaId)
5861
core.setOutput('cvss', cvss)

src/dependabot/update_metadata.test.ts

Lines changed: 23 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,8 @@ import * as updateMetadata from './update_metadata'
22

33
test('it returns an empty array for a blank string', async () => {
44
const getAlert = async () => Promise.resolve({ alertState: 'DISMISSED', ghsaId: 'GHSA-III-BBB', cvss: 4.6 })
5-
expect(updateMetadata.parse('', 'dependabot/nuget/coffee-rails', 'main', getAlert)).resolves.toEqual([])
5+
const getScore = async () => Promise.resolve(43)
6+
expect(updateMetadata.parse('', 'dependabot/nuget/coffee-rails', 'main', getAlert, getScore)).resolves.toEqual([])
67
})
78

89
test('it returns an empty array for commit message with no dependabot yaml fragment', async () => {
@@ -14,7 +15,8 @@ test('it returns an empty array for commit message with no dependabot yaml fragm
1415
Signed-off-by: dependabot[bot] <[email protected]>`
1516

1617
const getAlert = async () => Promise.resolve({ alertState: 'DISMISSED', ghsaId: 'GHSA-III-BBB', cvss: 4.6 })
17-
expect(updateMetadata.parse(commitMessage, 'dependabot/nuget/coffee-rails', 'main', getAlert)).resolves.toEqual([])
18+
const getScore = async () => Promise.resolve(43)
19+
expect(updateMetadata.parse(commitMessage, 'dependabot/nuget/coffee-rails', 'main', getAlert, getScore)).resolves.toEqual([])
1820
})
1921

2022
test('it returns the updated dependency information when there is a yaml fragment', async () => {
@@ -34,7 +36,8 @@ test('it returns the updated dependency information when there is a yaml fragmen
3436
'Signed-off-by: dependabot[bot] <[email protected]>'
3537

3638
const getAlert = async () => Promise.resolve({ alertState: 'DISMISSED', ghsaId: 'GHSA-III-BBB', cvss: 4.6 })
37-
const updatedDependencies = await updateMetadata.parse(commitMessage, 'dependabot/nuget/coffee-rails', 'main', getAlert)
39+
const getScore = async () => Promise.resolve(43)
40+
const updatedDependencies = await updateMetadata.parse(commitMessage, 'dependabot/nuget/coffee-rails', 'main', getAlert, getScore)
3841

3942
expect(updatedDependencies).toHaveLength(1)
4043

@@ -46,6 +49,7 @@ test('it returns the updated dependency information when there is a yaml fragmen
4649
expect(updatedDependencies[0].targetBranch).toEqual('main')
4750
expect(updatedDependencies[0].prevVersion).toEqual('4.0.1')
4851
expect(updatedDependencies[0].newVersion).toEqual('4.2.2')
52+
expect(updatedDependencies[0].compatScore).toEqual(43)
4953
expect(updatedDependencies[0].alertState).toEqual('DISMISSED')
5054
expect(updatedDependencies[0].ghsaId).toEqual('GHSA-III-BBB')
5155
expect(updatedDependencies[0].cvss).toEqual(4.6)
@@ -78,7 +82,15 @@ test('it supports multiple dependencies within a single fragment', async () => {
7882
return Promise.resolve({ alertState: '', ghsaId: '', cvss: 0 })
7983
}
8084

81-
const updatedDependencies = await updateMetadata.parse(commitMessage, 'dependabot/nuget/api/main/coffee-rails', 'main', getAlert)
85+
const getScore = async (name: string) => {
86+
if (name === 'coffee-rails') {
87+
return Promise.resolve(34)
88+
}
89+
90+
return Promise.resolve(0)
91+
}
92+
93+
const updatedDependencies = await updateMetadata.parse(commitMessage, 'dependabot/nuget/api/main/coffee-rails', 'main', getAlert, getScore)
8294

8395
expect(updatedDependencies).toHaveLength(2)
8496

@@ -90,6 +102,7 @@ test('it supports multiple dependencies within a single fragment', async () => {
90102
expect(updatedDependencies[0].targetBranch).toEqual('main')
91103
expect(updatedDependencies[0].prevVersion).toEqual('4.0.1')
92104
expect(updatedDependencies[0].newVersion).toEqual('4.2.2')
105+
expect(updatedDependencies[0].compatScore).toEqual(34)
93106
expect(updatedDependencies[0].alertState).toEqual('DISMISSED')
94107
expect(updatedDependencies[0].ghsaId).toEqual('GHSA-III-BBB')
95108
expect(updatedDependencies[0].cvss).toEqual(4.6)
@@ -101,7 +114,7 @@ test('it supports multiple dependencies within a single fragment', async () => {
101114
expect(updatedDependencies[1].packageEcosystem).toEqual('nuget')
102115
expect(updatedDependencies[1].targetBranch).toEqual('main')
103116
expect(updatedDependencies[1].prevVersion).toEqual('')
104-
expect(updatedDependencies[1].newVersion).toEqual('')
117+
expect(updatedDependencies[1].compatScore).toEqual(0)
105118
expect(updatedDependencies[1].alertState).toEqual('')
106119
expect(updatedDependencies[1].ghsaId).toEqual('')
107120
expect(updatedDependencies[1].cvss).toEqual(0)
@@ -129,7 +142,7 @@ test('it only returns information within the first fragment if there are multipl
129142
'\n' +
130143
'Signed-off-by: dependabot[bot] <[email protected]>'
131144

132-
const updatedDependencies = await updateMetadata.parse(commitMessage, 'dependabot|nuget|coffee-rails', 'main', undefined)
145+
const updatedDependencies = await updateMetadata.parse(commitMessage, 'dependabot|nuget|coffee-rails', 'main', undefined, undefined)
133146

134147
expect(updatedDependencies).toHaveLength(1)
135148

@@ -141,6 +154,7 @@ test('it only returns information within the first fragment if there are multipl
141154
expect(updatedDependencies[0].targetBranch).toEqual('main')
142155
expect(updatedDependencies[0].prevVersion).toEqual('')
143156
expect(updatedDependencies[0].newVersion).toEqual('')
157+
expect(updatedDependencies[0].compatScore).toEqual(0)
144158
expect(updatedDependencies[0].alertState).toEqual('')
145159
expect(updatedDependencies[0].ghsaId).toEqual('')
146160
expect(updatedDependencies[0].cvss).toEqual(0)
@@ -162,7 +176,8 @@ test('it properly handles dependencies which contain slashes', async () => {
162176
'Signed-off-by: dependabot[bot] <[email protected]>'
163177

164178
const getAlert = async () => Promise.resolve({ alertState: '', ghsaId: '', cvss: 0 })
165-
const updatedDependencies = await updateMetadata.parse(commitMessage, 'dependabot/nuget/api/rails/coffee', 'main', getAlert)
179+
const getScore = async () => Promise.resolve(0)
180+
const updatedDependencies = await updateMetadata.parse(commitMessage, 'dependabot/nuget/api/rails/coffee', 'main', getAlert, getScore)
166181

167182
expect(updatedDependencies).toHaveLength(1)
168183

@@ -174,6 +189,7 @@ test('it properly handles dependencies which contain slashes', async () => {
174189
expect(updatedDependencies[0].targetBranch).toEqual('main')
175190
expect(updatedDependencies[0].prevVersion).toEqual('')
176191
expect(updatedDependencies[0].newVersion).toEqual('')
192+
expect(updatedDependencies[0].compatScore).toEqual(0)
177193
expect(updatedDependencies[0].alertState).toEqual('')
178194
expect(updatedDependencies[0].ghsaId).toEqual('')
179195
expect(updatedDependencies[0].cvss).toEqual(0)

0 commit comments

Comments
 (0)