broaden triggering conditions

peckjon · Mar 19, 2021 · 50a0ba2 · 50a0ba2
1 parent 705a90f
commit 50a0ba2
Showing 1 changed file with 43 additions and 38 deletions.
diff --git a/index.js b/index.js
@@ -68,48 +68,53 @@ async function getVulnerabilities(context) {
 
 try {
   let context = github.context
-  if((context.eventName==`pull_request` || context.eventName==`pull_request_target`) && context.actor==`dependabot[bot]` && context.payload.pull_request.title.startsWith(`Bump `)) {
+  let isDep = false;
+  if((context.eventName==`pull_request` || context.eventName==`pull_request_target`) && context.payload.pull_request.title.startsWith(`Bump `)) {
     let [ ,depName, ,versionFrom, , versionTo] = context.payload.pull_request.title.split(` `);
-    console.log(`Searching for Vulnerability Alerts with package name "${depName}" to patch to "${versionTo}"`);
-    getVulnerabilities(context).then(vulnerabilities => {
-      let vulnerability = undefined;
-      vulnerabilities.repository.vulnerabilityAlerts.nodes.forEach(n => {
-        console.log(`Found package name "${n.securityVulnerability.package.name}" to patch to "${n.securityVulnerability.firstPatchedVersion.identifier}"`);
-        if(n.securityVulnerability.package.name==depName) {
-          if (vulnerability == undefined || n.securityVulnerability.firstPatchedVersion.identifier==versionTo) {
-            vulnerability = n.securityVulnerability;
+    if (depName && versionTo) {
+      isDep = true;
+      console.log(`Searching for Vulnerability Alerts with package name "${depName}" to patch to "${versionTo}"`);
+      getVulnerabilities(context).then(vulnerabilities => {
+        let vulnerability = undefined;
+        vulnerabilities.repository.vulnerabilityAlerts.nodes.forEach(n => {
+          console.log(`Found package name "${n.securityVulnerability.package.name}" to patch to "${n.securityVulnerability.firstPatchedVersion.identifier}"`);
+          if(n.securityVulnerability.package.name==depName || n.securityVulnerability.package.name.endsWith(':'+depName)) {
+            if (vulnerability == undefined || n.securityVulnerability.firstPatchedVersion.identifier==versionTo) {
+              vulnerability = n.securityVulnerability;
+            }
           }
+        });
+        if(vulnerability) {
+          let priority = (vulnerability.severity==`CRITICAL`||vulnerability.severity==`HIGH`)?1:vulnerability.severity==`MODERATE`?2:3
+          console.log(`Creating issue with...
+          Title: ${context.payload.pull_request.title}
+          Severity: ${priority} (${vulnerability.severity})
+          Description: ${context.payload.pull_request.html_url}\n${vulnerability.advisory.description}
+          `);
+          createIssue(
+            process.env.AZURE_PERSONAL_ACCESS_TOKEN,
+            process.env.ORG_URL,
+            process.env.PROJECT_NAME,
+            context.payload.pull_request.title,
+            `<a href="${context.payload.pull_request.html_url}">${context.payload.pull_request.title}</a><br/>${vulnerability.advisory.description}`,
+            priority
+            ).then(workItem => {
+            console.log(workItem)
+            core.setOutput(`id`, `${workItem.id}`);
+          }).catch(error => {
+            core.setFailed(error.message);
+          });
+        } else {
+          console.log(`No matching vulnerabilities found:
+          ${JSON.stringify(vulnerabilities,undefined,2)}
+          `)
         }
+      }).catch(error => {
+        core.setFailed(error.message);
       });
-      if(vulnerability) {
-        let priority = (vulnerability.severity==`CRITICAL`||vulnerability.severity==`HIGH`)?1:vulnerability.severity==`MODERATE`?2:3
-        console.log(`Creating issue with...
-        Title: ${context.payload.pull_request.title}
-        Severity: ${priority} (${vulnerability.severity})
-        Description: ${context.payload.pull_request.html_url}\n${vulnerability.advisory.description}
-        `);
-        createIssue(
-          process.env.AZURE_PERSONAL_ACCESS_TOKEN,
-          process.env.ORG_URL,
-          process.env.PROJECT_NAME,
-          context.payload.pull_request.title,
-          `<a href="${context.payload.pull_request.html_url}">${context.payload.pull_request.title}</a><br/>${vulnerability.advisory.description}`,
-          priority
-          ).then(workItem => {
-          console.log(workItem)
-          core.setOutput(`id`, `${workItem.id}`);
-        }).catch(error => {
-          core.setFailed(error.message);
-        });
-      } else {
-        console.log(`No matching vulnerabilities found:
-        ${JSON.stringify(vulnerabilities,undefined,2)}
-        `)
-      }
-    }).catch(error => {
-      core.setFailed(error.message);
-    });
-  } else {
+    }
+  }
+  if(!isDep) {
     console.log(`This is not a Pull Request generated by Dependabot...
     Event: ${context.eventName}
     Actor: ${context.actor}