Issue #618 Change order of filtering to get correct list of vulnerabilities #622
Conversation
@virangdoshi thanks for this PR! After looking closer at this issue, I have noticed that the current behavior of the Action when dealing with GHSAs is to entirely drop the dependency change, instead of dropping the specific vulnerability. Given this example from your test repo:
If we add I've opened a PR in #623 and would appreciate your feedback.
Re:
Agreed! Same with license issues (GHSAs have nothing to do with those). Feel free to create an issue, or better yet, submit a PR :)
Closing (fixed in
This PR attempts to resolve Issue 618, where filtering by severity and allowed ghsas does not seem to work as expected.
Currently, filtering by allowed advisory first and then by severity yields different (incorrect) output. Changing the order of filtering --> filter by severity first, then by allowed advisory seems to resolve the issue. Added 2 test cases to reproduce the scenario.
[Needs review] "Deny packages" check and "Invalid License" check to run against the unfiltered changes. This is to ensure that they do not produce incorrect output from the trimmed/filtered list. Also, these 2 checks should run independently of the vulnerability/severity checks and not on a subset of the changes, since they are kind of unrelated. For example, a filtered change might have an incompatible/restrictive license issue.
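The two filter orders under discussion, as an added illustration that is not code from dependency-review-action or from the PR. It uses a simplified data shape (the field names `ghsa_id`, `severity`, `license` and `vulnerabilities` are assumptions for this example, as are the placeholder GHSA ids), models the pre-fix path the way the maintainer describes it (an allow-listed advisory drops the whole change, then the severity threshold is applied), and contrasts it with applying the severity threshold per vulnerability before dropping only the individual allow-listed advisories. It also runs the license check over the unfiltered list, which is the point of the "Needs review" paragraph:

```typescript
// Added illustration, not code from dependency-review-action. The data shape and
// field names (ghsa_id, severity, license, vulnerabilities) are assumptions.
type Severity = 'low' | 'moderate' | 'high' | 'critical';
const SEVERITY_RANK: Record<Severity, number> = { low: 0, moderate: 1, high: 2, critical: 3 };

interface Vulnerability {
  ghsa_id: string;
  severity: Severity;
}

interface Change {
  name: string;
  version: string;
  license: string | null;
  vulnerabilities: Vulnerability[];
}

function meetsThreshold(v: Vulnerability, minSeverity: Severity): boolean {
  return SEVERITY_RANK[v.severity] >= SEVERITY_RANK[minSeverity];
}

// Order before the fix, modelled on the maintainer's description: a change that
// contains an allow-listed advisory is dropped as a whole, and the severity
// threshold is applied only to the changes that survive.
function legacyFilter(changes: Change[], allowedGhsas: string[], minSeverity: Severity): Change[] {
  const allowed = new Set(allowedGhsas);
  const withoutAllowed = changes.filter(
    (c) => !c.vulnerabilities.some((v) => allowed.has(v.ghsa_id)),
  );
  return withoutAllowed.filter((c) => c.vulnerabilities.some((v) => meetsThreshold(v, minSeverity)));
}

// Order after the fix: apply the severity threshold per vulnerability, then drop
// only the individual allow-listed advisories, and report a change if any
// vulnerability remains. The critical advisory on pkg-a is no longer hidden by
// the allow-listed low-severity one next to it.
function fixedFilter(changes: Change[], allowedGhsas: string[], minSeverity: Severity): Change[] {
  const allowed = new Set(allowedGhsas);
  return changes
    .map((c) => ({
      ...c,
      vulnerabilities: c.vulnerabilities
        .filter((v) => meetsThreshold(v, minSeverity))
        .filter((v) => !allowed.has(v.ghsa_id)),
    }))
    .filter((c) => c.vulnerabilities.length > 0);
}

// License check run over the unfiltered change list, so a change that the
// vulnerability filters trimmed away is still inspected for its license.
function invalidLicenseChanges(changes: Change[], allowedLicenses: string[]): Change[] {
  const allowed = new Set(allowedLicenses);
  return changes.filter((c) => c.license !== null && !allowed.has(c.license));
}

// Constructed sample input; the GHSA ids are placeholders, not real advisories.
const SAMPLE_CHANGES: Change[] = [
  {
    name: 'pkg-a', version: '1.0.0', license: 'MIT',
    vulnerabilities: [
      { ghsa_id: 'GHSA-0000-0000-0001', severity: 'low' },      // allow-listed below
      { ghsa_id: 'GHSA-0000-0000-0002', severity: 'critical' }, // not allow-listed
    ],
  },
  {
    name: 'pkg-b', version: '2.3.1', license: 'AGPL-3.0',
    vulnerabilities: [{ ghsa_id: 'GHSA-0000-0000-0003', severity: 'moderate' }],
  },
  { name: 'pkg-c', version: '0.9.0', license: 'MIT', vulnerabilities: [] },
];
const ALLOWED_GHSAS = ['GHSA-0000-0000-0001'];
const ALLOWED_LICENSES = ['MIT', 'Apache-2.0'];

// Names of the changes a given filter order reports at a "high" threshold.
function reportedNames(filter: typeof fixedFilter): string[] {
  return filter(SAMPLE_CHANGES, ALLOWED_GHSAS, 'high').map((c) => c.name);
}

console.log('legacy order :', reportedNames(legacyFilter));   // []
console.log('fixed order  :', reportedNames(fixedFilter));    // ['pkg-a']
console.log('license check:', invalidLicenseChanges(SAMPLE_CHANGES, ALLOWED_LICENSES).map((c) => c.name)); // ['pkg-b']
```

With the pre-fix order, pkg-a disappears entirely because one of its advisories is allow-listed, so its critical advisory is never checked against the threshold; with the corrected order it is reported with only the critical advisory attached. The license check sees pkg-b regardless of the fact that both vulnerability filters drop it, which is the behaviour the "Needs review" paragraph asks for.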