Skip to content

Commit

Permalink
Merge pull request #725 from actions/issue-718
Browse files Browse the repository at this point in the history
Bug fixes to #718
  • Loading branch information
febuiles authored Mar 24, 2024
2 parents 02b13f6 + 35b83b4 commit 9093495
Show file tree
Hide file tree
Showing 4 changed files with 41 additions and 5 deletions.
21 changes: 21 additions & 0 deletions __tests__/scorecard.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,19 @@ const npmChange: Change = {
]
}

const actionsChange: Change = {
manifest: 'workflow.yml',
change_type: 'added',
ecosystem: 'actions',
name: 'actions/checkout/',
version: 'v3',
package_url: 'pkg:githubactions/actions@v3',
license: 'MIT',
source_repository_url: 'null',
scope: 'runtime',
vulnerabilities: []
}

test('Get scorecard from API', async () => {
const changes: Changes = [npmChange]
const scorecard = await getScorecardLevels(changes)
Expand All @@ -38,3 +51,11 @@ test('Get project URL from deps.dev API', async () => {
)
expect(result).not.toBeNull()
})

test('Handles Actions special case', async () => {
const changes: Changes = [actionsChange]
const result = await getScorecardLevels(changes)
expect(result).not.toBeNull()
expect(result.dependencies).toHaveLength(1)
expect(result.dependencies[0].scorecard?.score).toBeGreaterThan(0)
})
11 changes: 9 additions & 2 deletions dist/index.js

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion dist/index.js.map

Large diffs are not rendered by default.

12 changes: 10 additions & 2 deletions src/scorecard.ts
Original file line number Diff line number Diff line change
Expand Up @@ -17,8 +17,16 @@ export async function getScorecardLevels(
repositoryUrl = repositoryUrl.replace('https://', '')
}

// Handle the special case for GitHub Actions, where the repository URL is null
if (ecosystem === 'actions') {
// The package name for GitHub Actions in the API is in the format `owner/repo/`, so we can use that to get the repository URL
// If the package name has more than 2 slashes, it's referencing a sub-action, and we need to strip the last part out
const parts = packageName.split('/')
repositoryUrl = `github.com/${parts[0]}/${parts[1]}` // e.g. github.com/actions/checkout
}

// If GitHub API doesn't have the repository URL, query deps.dev for it.
if (repositoryUrl) {
if (!repositoryUrl) {
// Call the deps.dev API to get the repository URL from there
repositoryUrl = await getProjectUrl(ecosystem, packageName, version)
}
Expand All @@ -41,7 +49,7 @@ export async function getScorecardLevels(
}

async function getScorecard(repositoryUrl: string): Promise<ScorecardApi> {
const apiRoot = 'https://api.securityscorecards.dev/'
const apiRoot = 'https://api.securityscorecards.dev'
let scorecardResponse: ScorecardApi = {} as ScorecardApi

const url = `${apiRoot}/projects/${repositoryUrl}`
Expand Down

0 comments on commit 9093495

Please sign in to comment.