actions / dependency-review-action

A GitHub Action for detecting vulnerable dependencies and invalid licenses in your PRs
MIT License
596 stars, 103 forks

Add trusty scores #771

Closed therealnb closed 3 months ago

therealnb commented 4 months ago

This is some work to include trusty scores in the dependency review action.

There are some more unit tests and this has been manually tested with https://github.com/StacklokLabs/DepRevTest/actions.

Many thanks.

CC @lukehinds

jonjanego commented 4 months ago

Hi @lukehinds and @therealnb !

Some initial comments and observations:

I'll make some other suggestions and feedback inline in the PR

therealnb commented 4 months ago

@jonjanego thanks for the feedback.

+/- is whether the file was added or removed. The next symbol is whether this is a good idea or not. Basically, removing any file is safe (green tick). Adding one with a score lower than the configured levels might get a warning or a cross.

I did consider only showing files that were added, but it might be useful context to show the ones that are removed too (i.e. removing a high scoring one and replacing it with a low scoring one). I am open to suggestions here.

I'll work on your other comments.

Cheers
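To make the symbol scheme described above concrete, here is an added example of the threshold policy as a reviewer would write it. This is not code from dependency-review-action, the Trusty integration or this PR: the type names, the `warn`/`fail` thresholds, the 0-10 score scale, the treatment of a failed score lookup as a warning, and the sample dependency list are all assumptions made for the illustration.

```typescript
// Added example, not the project's or the PR author's code. Models the thread's
// rules: a removal always passes, an addition is judged against configured
// score levels, and a score that could not be fetched is surfaced as a warning.

type Change = "added" | "removed";

interface DependencyChange {
  name: string;
  version: string;
  change: Change;
  // undefined models a score lookup that failed (e.g. the upstream API returned 503)
  score?: number;
}

// Assumed configuration: scores below `warn` get a warning, below `fail` a cross.
interface Thresholds {
  warn: number;
  fail: number;
}

type Verdict = "pass" | "warn" | "fail";

const SYMBOL: Record<Verdict, string> = { pass: "✅", warn: "⚠️", fail: "❌" };

function evaluate(dep: DependencyChange, t: Thresholds): Verdict {
  // Removing a dependency never adds supply-chain risk to the PR, so it always passes.
  if (dep.change === "removed") return "pass";
  // No score: we cannot vouch for the package, so do not let it pass silently.
  if (dep.score === undefined) return "warn";
  if (dep.score < t.fail) return "fail";
  if (dep.score < t.warn) return "warn";
  return "pass";
}

// The PR should block only when at least one added dependency fails outright.
function shouldBlock(deps: DependencyChange[], t: Thresholds): boolean {
  return deps.some((d) => evaluate(d, t) === "fail");
}

interface Downgrade {
  name: string;
  from: number;
  to: number;
}

// The "removed a high-scoring one, added a low-scoring one" case from the thread:
// a package that appears as removed and added (a version change) with a lower score.
function findDowngrades(deps: DependencyChange[]): Downgrade[] {
  const removed = new Map<string, DependencyChange>();
  for (const d of deps) if (d.change === "removed") removed.set(d.name, d);
  const out: Downgrade[] = [];
  for (const d of deps) {
    if (d.change !== "added") continue;
    const prev = removed.get(d.name);
    if (prev && prev.score !== undefined && d.score !== undefined && d.score < prev.score) {
      out.push({ name: d.name, from: prev.score, to: d.score });
    }
  }
  return out;
}

// Two-column layout (verdict symbol, then change) as suggested in the review.
function renderTable(deps: DependencyChange[], t: Thresholds): string {
  const header = "| | Change | Dependency | Version | Score |";
  const sep = "|---|---|---|---|---|";
  const rows = deps.map((d) => {
    const score = d.score === undefined ? "lookup failed" : String(d.score);
    return `| ${SYMBOL[evaluate(d, t)]} | ${d.change} | ${d.name} | ${d.version} | ${score} |`;
  });
  return [header, sep, ...rows].join("\n");
}

// Constructed sample input (fictional package names and scores), not real data.
const THRESHOLDS: Thresholds = { warn: 5, fail: 2 };
const SAMPLE: DependencyChange[] = [
  { name: "example-pkg-a", version: "1.3.0", change: "removed", score: 8 },
  { name: "example-pkg-a", version: "1.3.1", change: "added", score: 3 },
  { name: "example-pkg-b", version: "0.0.1", change: "added", score: 0 },
  { name: "example-pkg-c", version: "2.31.0", change: "added" },
  { name: "example-pkg-d", version: "4.17.21", change: "added", score: 9 },
];

console.log(renderTable(SAMPLE, THRESHOLDS));
console.log("block PR:", shouldBlock(SAMPLE, THRESHOLDS));
console.log("downgrades:", findDowngrades(SAMPLE));
```

The point of the `undefined` branch is the one the later table in this thread illustrates: when the score service fails, the safe default is a visible warning, not a pass, and the table should show the lookup failure rather than an empty cell.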

jonjanego commented 4 months ago

> @jonjanego thanks for the feedback.
>
> +/- is whether the file was added or removed. The next symbol is whether this is a good idea or not. Basically, removing any file is safe (green tick). Adding one with a score lower than the configured levels might get a warning or a cross.
>
> I did consider only showing files that were added, but it might be useful context to show the ones that are removed too (i.e. removing a high scoring one and replacing it with a low scoring one). I am open to suggestions here.
>
> I'll work on your other comments.
>
> Cheers

Thanks for the clarification. I think it's fine to include that, but a bit of UX feedback would be to split that information into two separate columns. It's a cleaner view that way.

therealnb commented 4 months ago

I just saw your comment after I committed this code: https://github.com/StacklokLabs/trusty-dependency-review-action/commit/73dc7069e288507216620f8c7fe55dc495dc637a, which is another way to do it.

See https://github.com/StacklokLabs/DepRevTest/actions/runs/9131982560?pr=5 for an example.

If you want I can revert and we can have two columns. Let me know.

therealnb commented 4 months ago

For information, these ones:

| | Change | Dependency | Version | Score | Not Malicious | Not Deprecated | Not Archived |
|---|---|---|---|---|---|---|---|
| ❌ | added | bugsnagmw | 1.0.3 | 0 | | | |
| ⚠️ | added | psycopg | 3.1.18 | | 503 Service Unavailable | | |
| ⚠️ | added | psycopg_pool | 3.2.1 | | 200 failed | | |
| ⚠️ | added | pyarrow | 16.0.0 | | 503 Service Unavailable | | |
| ⚠️ | added | python_json_logger | 2.0.7 | | 200 failed | | |
| ⚠️ | added | scikit_learn | 1.4.2 | | 200 failed | | |
| ⚠️ | added | slack_sdk | 3.27.1 | | 200 failed | | |

are a bug I found in our ingestion. There is a fix for those that should be deployed next week.

jonjanego commented 3 months ago

Hi, as discussed with @lukehinds we are going to close this PR.