Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Replace pip -> pypi in PURL examples #638

Merged
merged 1 commit into from Dec 11, 2023
Merged

Replace pip -> pypi in PURL examples #638

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
2 changes: 1 addition & 1 deletion __tests__/deny.test.ts
View file
Open in desktop
Expand Up @@ -55,7 +55,7 @@ const pipChange: Change = {
ecosystem: 'pip',
name: 'package-1',
version: '1.1.1',
package_url: 'pkg:pip/package-1@1.1.1',
package_url: 'pkg:pypi/package-1@1.1.1',
license: 'MIT',
source_repository_url: 'github.com/some-repo',
scope: 'runtime',
Expand Down
11 changes: 7 additions & 4 deletions __tests__/licenses.test.ts
View file
Open in desktop
Expand Up @@ -55,7 +55,7 @@ const pipChange: Change = {
ecosystem: 'pip',
name: 'package-1',
version: '1.1.1',
package_url: 'pkg:pip/package-1@1.1.1',
package_url: 'pkg:pypi/package-1@1.1.1',
license: 'MIT',
source_repository_url: 'github.com/some-repo',
scope: 'runtime',
Expand Down Expand Up @@ -183,7 +183,7 @@ test('it does not filter out changes that are on the exclusions list', async ()
const changes: Changes = [pipChange, npmChange, rubyChange]
const licensesConfig = {
allow: ['BSD'],
licenseExclusions: ['pkg:pip/package-1@1.1.1', 'pkg:npm/reeuhq@1.0.2']
licenseExclusions: ['pkg:pypi/package-1@1.1.1', 'pkg:npm/reeuhq@1.0.2']
}
const invalidLicenses = await getInvalidLicenseChanges(
changes,
Expand All @@ -199,7 +199,7 @@ test('it does not fail when the packages dont have a valid PURL', async () => {
const changes: Changes = [emptyPurlChange, npmChange, rubyChange]
const licensesConfig = {
allow: ['BSD'],
licenseExclusions: ['pkg:pip/package-1@1.1.1', 'pkg:npm/reeuhq@1.0.2']
licenseExclusions: ['pkg:pypi/package-1@1.1.1', 'pkg:npm/reeuhq@1.0.2']
}

const invalidLicenses = await getInvalidLicenseChanges(
Expand All @@ -213,7 +213,10 @@ test('it does filters out changes if they are not on the exclusions list', async
const changes: Changes = [pipChange, npmChange, rubyChange]
const licensesConfig = {
allow: ['BSD'],
licenseExclusions: ['pkg:pip/notmypackage-1@1.1.1', 'pkg:npm/alsonot@1.0.2']
licenseExclusions: [
'pkg:pypi/notmypackage-1@1.1.1',
'pkg:npm/alsonot@1.0.2'
]
}
const invalidLicenses = await getInvalidLicenseChanges(
changes,
Expand Down
6 changes: 3 additions & 3 deletions action.yml
View file
Open in desktop
Expand Up @@ -30,7 +30,7 @@ inputs:
description: Comma-separated list of forbidden licenses (e.g. "MIT, GPL 3.0, BSD 2 Clause")
required: false
allow-dependencies-licenses:
description: Comma-separated list of dependencies in purl format (e.g. "pkg:npm/express, pkg:pip/pycrypto"). These dependencies will be permitted to use any license, no matter what license policy is enforced otherwise.
description: Comma-separated list of dependencies in purl format (e.g. "pkg:npm/express, pkg:pypi/pycrypto"). These dependencies will be permitted to use any license, no matter what license policy is enforced otherwise.
required: false
allow-ghsas:
description: Comma-separated list of allowed GitHub Advisory IDs (e.g. "GHSA-abcd-1234-5679, GHSA-efgh-1234-5679")
Expand All @@ -48,10 +48,10 @@ inputs:
description: Determines if the summary is posted as a comment in the PR itself. Setting this to `always` or `on-failure` requires you to give the workflow the write permissions for pull-requests
required: false
deny-packages:
description: A comma-separated list of package URLs to deny (e.g. "pkg:npm/express, pkg:pip/pycrypto")
description: A comma-separated list of package URLs to deny (e.g. "pkg:npm/express, pkg:pypi/pycrypto")
required: false
deny-groups:
description: A comma-separated list of package URLs for group(s)/namespace(s) to deny (e.g. "pkg:npm/express, pkg:pip/pycrypto")
description: A comma-separated list of package URLs for group(s)/namespace(s) to deny (e.g. "pkg:npm/express, pkg:pypi/pycrypto")
required: false
retry-on-snapshot-warnings:
description: Whether to retry on snapshot warnings
Expand Down
4 changes: 2 additions & 2 deletions docs/examples.md
View file
Open in desktop
Expand Up @@ -190,7 +190,7 @@ jobs:
fail-on-severity: critical
deny-licenses: LGPL-2.0, BSD-2-Clause
comment-summary-in-pr: always
allow-dependencies-licenses: 'pkg:npm/loadash, pkg:pip/requests'
allow-dependencies-licenses: 'pkg:npm/loadash, pkg:pypi/requests'
```

If we were to use configuration file, the configuration would look like this:
Expand All @@ -202,7 +202,7 @@ allow-licenses:
- 'BSD-2-Clause'
allow-dependencies-licenses:
- 'pkg:npm/loadash'
- 'pkg:pip/requests'
- 'pkg:pypi/requests'
```

## Only check for vulnerabilities
Expand Down
6 changes: 3 additions & 3 deletions scripts/create_summary.ts
View file
Open in desktop
Expand Up @@ -26,9 +26,9 @@ const defaultConfig: ConfigurationOptions = {
deny_groups: [],
allow_dependencies_licenses: [
'pkg:npm/express@4.17.1',
'pkg:pip/requests',
'pkg:pip/certifi',
'pkg:pip/pycrypto@2.6.1'
'pkg:pypi/requests',
'pkg:pypi/certifi',
'pkg:pypi/pycrypto@2.6.1'
],
comment_summary_in_pr: true,
retry_on_snapshot_warnings: false,
Expand Down