diff --git a/index.js b/index.js
index f3b3557..87d2810 100644
--- a/index.js
+++ b/index.js
@@ -68,48 +68,53 @@ async function getVulnerabilities(context) {
try {
let context = github.context
- if((context.eventName==`pull_request` || context.eventName==`pull_request_target`) && context.actor==`dependabot[bot]` && context.payload.pull_request.title.startsWith(`Bump `)) {
+ let isDep = false;
+ if((context.eventName==`pull_request` || context.eventName==`pull_request_target`) && context.payload.pull_request.title.startsWith(`Bump `)) {
let [ ,depName, ,versionFrom, , versionTo] = context.payload.pull_request.title.split(` `);
- console.log(`Searching for Vulnerability Alerts with package name "${depName}" to patch to "${versionTo}"`);
- getVulnerabilities(context).then(vulnerabilities => {
- let vulnerability = undefined;
- vulnerabilities.repository.vulnerabilityAlerts.nodes.forEach(n => {
- console.log(`Found package name "${n.securityVulnerability.package.name}" to patch to "${n.securityVulnerability.firstPatchedVersion.identifier}"`);
- if(n.securityVulnerability.package.name==depName) {
- if (vulnerability == undefined || n.securityVulnerability.firstPatchedVersion.identifier==versionTo) {
- vulnerability = n.securityVulnerability;
+ if (depName && versionTo) {
+ isDep = true;
+ console.log(`Searching for Vulnerability Alerts with package name "${depName}" to patch to "${versionTo}"`);
+ getVulnerabilities(context).then(vulnerabilities => {
+ let vulnerability = undefined;
+ vulnerabilities.repository.vulnerabilityAlerts.nodes.forEach(n => {
+ console.log(`Found package name "${n.securityVulnerability.package.name}" to patch to "${n.securityVulnerability.firstPatchedVersion.identifier}"`);
+ if(n.securityVulnerability.package.name==depName || n.securityVulnerability.package.name.endsWith(':'+depName)) {
+ if (vulnerability == undefined || n.securityVulnerability.firstPatchedVersion.identifier==versionTo) {
+ vulnerability = n.securityVulnerability;
+ }
}
+ });
+ if(vulnerability) {
+ let priority = (vulnerability.severity==`CRITICAL`||vulnerability.severity==`HIGH`)?1:vulnerability.severity==`MODERATE`?2:3
+ console.log(`Creating issue with...
+ Title: ${context.payload.pull_request.title}
+ Severity: ${priority} (${vulnerability.severity})
+ Description: ${context.payload.pull_request.html_url}\n${vulnerability.advisory.description}
+ `);
+ createIssue(
+ process.env.AZURE_PERSONAL_ACCESS_TOKEN,
+ process.env.ORG_URL,
+ process.env.PROJECT_NAME,
+ context.payload.pull_request.title,
+ `${context.payload.pull_request.title}
${vulnerability.advisory.description}`,
+ priority
+ ).then(workItem => {
+ console.log(workItem)
+ core.setOutput(`id`, `${workItem.id}`);
+ }).catch(error => {
+ core.setFailed(error.message);
+ });
+ } else {
+ console.log(`No matching vulnerabilities found:
+ ${JSON.stringify(vulnerabilities,undefined,2)}
+ `)
}
+ }).catch(error => {
+ core.setFailed(error.message);
});
- if(vulnerability) {
- let priority = (vulnerability.severity==`CRITICAL`||vulnerability.severity==`HIGH`)?1:vulnerability.severity==`MODERATE`?2:3
- console.log(`Creating issue with...
- Title: ${context.payload.pull_request.title}
- Severity: ${priority} (${vulnerability.severity})
- Description: ${context.payload.pull_request.html_url}\n${vulnerability.advisory.description}
- `);
- createIssue(
- process.env.AZURE_PERSONAL_ACCESS_TOKEN,
- process.env.ORG_URL,
- process.env.PROJECT_NAME,
- context.payload.pull_request.title,
- `${context.payload.pull_request.title}
${vulnerability.advisory.description}`,
- priority
- ).then(workItem => {
- console.log(workItem)
- core.setOutput(`id`, `${workItem.id}`);
- }).catch(error => {
- core.setFailed(error.message);
- });
- } else {
- console.log(`No matching vulnerabilities found:
- ${JSON.stringify(vulnerabilities,undefined,2)}
- `)
- }
- }).catch(error => {
- core.setFailed(error.message);
- });
- } else {
+ }
+ }
+ if(!isDep) {
console.log(`This is not a Pull Request generated by Dependabot...
Event: ${context.eventName}
Actor: ${context.actor}
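Review bot: Dropping the `context.actor==\`dependabot[bot]\`` condition on the new line 10 means any pull request whose title starts with `Bump ` now reaches the alert lookup and the Azure work-item creation, and under `pull_request_target` that code runs with the repository's secrets and tokens. A PR from a fork can therefore choose the title and URL that are copied into the created work item and cause one work item per such PR, with only the `depName && versionTo` check standing in the way. If the actor check was removed because the actor is not always the bot, keep an author check instead, e.g. `const isDependabot = context.payload.pull_request.user?.login === 'dependabot[bot]';` and add `&& isDependabot` to the condition on the new line 10; otherwise the `!isDep` message that the PR is "not generated by Dependabot" no longer describes what was tested. The enclosing `try` and its function begin before the hunk and the final `if(!isDep)` block continues past it.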