Closed (mauritz-lovgren closed this issue 2 months ago)
Same here. I guess the severity is not read at all in the const severity = getInput('severity') or smth 🤔 (These might be related: https://github.com/actions/toolkit/issues/1624 https://github.com/actions/toolkit/issues/1576)
@mauritz-lovgren @jarkkotuovinen - would it be possible for you folks to create a public repo to test this with?
Also, do you see the severity in the action run? Like so with another key?
@kunalnagar Possibly could create a public repo at some point, but I'm a bit busy atm with other stuff.
Yes, the severity is in there:
Run kunalnagarco/action-cve@v1.13.2
  with:
    token:
    slack_webhook:
    severity: critical
    email_transport_smtp_host: smtp.gmail.com
    email_transport_smtp_port: 587
    count: 20
From my debugging, the severity is being passed through fine. However, the SDK does not seem to respect the severity. I've opened up an issue in the SDK: https://github.com/octokit/rest.js/issues/458
Hope to learn more about the issue soon. It's possible I may be missing something.
@jarkkotuovinen @mauritz-lovgren Update on this thread: It seems like the culprit is an invalid value passed to the ecosystem key. I have opened up another issue in the actual GitHub API discussion section: https://github.com/orgs/community/discussions/134561
Meanwhile, I will add a null/undefined/empty check in the action - if an ecosystem value does not exist, it will not be passed along. It should resolve this issue 🙂
Edit: Feel free to review - I'll keep it open for the next few days: https://github.com/kunalnagarco/action-cve/pull/188
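As an added illustration of the fix described in the comment above (this is example code, not the action-cve project's own code or the content of that pull request; the function names, the stand-in inputs and the sample alert objects are constructed for the example): @actions/core's getInput() returns an empty string for an input the workflow never set, so forwarding every input verbatim sends ecosystem='' to the Dependabot alerts API. The example only adds a filter when it carries a value, rejects values the API does not document, and re-filters the returned alerts locally so that a filter the server did not honour cannot leak MEDIUM alerts into a severity: critical report.

```javascript
// Added example, not code from the action-cve project. It shows the idea
// from the comment above: @actions/core's getInput() returns '' for an
// input the workflow did not set, so forwarding every input verbatim sends
// `ecosystem: ''` (an invalid value) to the Dependabot alerts API. Filters
// are therefore only added when they are non-empty and valid, and the
// returned alerts are filtered again locally so a filter the server did
// not honour cannot leak MEDIUM alerts into a `severity: critical` report.

// Constructed stand-in for the workflow's `with:` block (real runs get
// these from getInput()). ecosystem is absent, so getInput() yields ''.
const CONSTRUCTED_INPUTS = {
  token: 'constructed-placeholder-token',
  severity: 'critical',
  ecosystem: '',
  count: '20',
};

// Values documented for the list-alerts endpoint's filters (assumption:
// this list is maintained by hand against the API docs). Both filters
// accept a comma-separated list.
const VALID_SEVERITIES = ['low', 'medium', 'high', 'critical'];
const VALID_ECOSYSTEMS = [
  'composer', 'go', 'maven', 'npm', 'nuget', 'pip', 'pub', 'rubygems', 'rust',
];

// Split a comma-separated input into normalised values; undefined, null,
// '' or whitespace-only input yields an empty list, meaning "no filter".
function parseList(value) {
  if (value === undefined || value === null) return [];
  return String(value)
    .split(',')
    .map((v) => v.trim().toLowerCase())
    .filter((v) => v !== '');
}

// Add `key` to params only when it has at least one value. An unknown
// value throws, so a typo in the workflow fails the run instead of
// silently widening the report.
function addFilter(params, key, value, allowed) {
  const values = parseList(value);
  if (values.length === 0) return params;
  for (const v of values) {
    if (!allowed.includes(v)) {
      throw new Error(`invalid ${key} "${v}" (allowed: ${allowed.join(', ')})`);
    }
  }
  params[key] = values.join(',');
  return params;
}

// Parameters for octokit.rest.dependabot.listAlertsForRepo(); `owner`
// and `repo` would normally come from the GITHUB_REPOSITORY context.
function buildAlertParams(inputs, owner, repo) {
  const params = {
    owner,
    repo,
    state: 'open',
    per_page: Number(inputs.count) || 30,
  };
  addFilter(params, 'severity', inputs.severity, VALID_SEVERITIES);
  addFilter(params, 'ecosystem', inputs.ecosystem, VALID_ECOSYSTEMS);
  return params;
}

// Defence in depth: drop alerts whose advisory severity is not in the
// requested set, even if the API ignored the query parameter.
function filterBySeverity(alerts, severityInput) {
  const wanted = parseList(severityInput);
  if (wanted.length === 0) return alerts;
  return alerts.filter((a) =>
    wanted.includes(String(a.security_advisory.severity).toLowerCase()),
  );
}

// Constructed alerts carrying only the response fields used above.
const CONSTRUCTED_ALERTS = [
  { number: 1, security_advisory: { severity: 'critical' } },
  { number: 2, security_advisory: { severity: 'medium' } },
];

const exampleParams = buildAlertParams(CONSTRUCTED_INPUTS, 'example-org', 'example-repo');
console.log(exampleParams);
// → { owner, repo, state: 'open', per_page: 20, severity: 'critical' } with no ecosystem key
console.log(filterBySeverity(CONSTRUCTED_ALERTS, CONSTRUCTED_INPUTS.severity).map((a) => a.number));
// → [ 1 ]
```

The local re-filter is the part that matters for the symptom in this thread: had the action applied it, the MEDIUM alerts would have been dropped before the Slack message was built regardless of whether the server honoured the query parameter.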
:tada: This issue has been resolved in version 1.13.3 :tada:
The release is available on GitHub release
Your semantic-release bot :package::rocket:
Hi,
I am getting vulnerabilities with MEDIUM severity even though I have specified the following:
Received in my target Slack channel:
Is this to be expected, or have I specified the severity attribute wrong?