🔄 synced local '.github/scripts/security-checker.mjs' with remote 'sc…
…ripts/security-checker.mjs'
testcafe-build-bot committed Dec 7, 2023
1 parent c6a8503 commit d34f52c
Showing 1 changed file with 19 additions and 16 deletions.
35 changes: 19 additions & 16 deletions .github/scripts/security-checker.mjs
Expand Up @@ -9,6 +9,11 @@ const LABELS = {
security: 'security notification',
};

const ALERT_TYPES = {
dependabot: 'dependabot',
codeq: 'codeql',
}

class SecurityChecker {
constructor (github, context, issueRepo) {
this.github = github;
Expand All @@ -27,8 +32,8 @@ class SecurityChecker {
this.alertDictionary = this.createAlertDictionary(existedIssues);

await this.closeSpoiledIssues();
this.createDependabotlIssues(dependabotAlerts);
this.createCodeqlIssues(codeqlAlerts);
await this.createDependabotlIssues(dependabotAlerts);
await this.createCodeqlIssues(codeqlAlerts);
}

async getDependabotAlerts () {
Expand Down Expand Up @@ -64,15 +69,13 @@ class SecurityChecker {

createAlertDictionary (existedIssues) {
return existedIssues.reduce((res, issue) => {
const [, url, number] = issue.body.match(/Link:\s*(https.*?(\d+)$)/);
const [, repo] = issue.body.match(/Repository:\s*`(.*)`/);
const [, url, type, number] = issue.body.match(/Link:\s*(https:.*\/(dependabot|code-scanning)\/(\d+))/);

if (!url)
if (!url || repo !== this.context.repo)
return res;

res[url] = {
issue, number,
isDependabot: url.includes('dependabot'),
};
res[url] = { issue, number, type };

return res;
}, {});
Expand All @@ -82,7 +85,7 @@ class SecurityChecker {
for (const key in this.alertDictionary) {
const alert = this.alertDictionary[key];

if (alert.isDependabot) {
if (alert.type === ALERT_TYPES.dependabot) {
const isAlertOpened = await this.isDependabotAlertOpened(alert.number);

if (isAlertOpened)
Expand Down Expand Up @@ -123,38 +126,38 @@ class SecurityChecker {
}

async createDependabotlIssues (dependabotAlerts) {
dependabotAlerts.forEach(alert => {
for (const alert of dependabotAlerts) {
if (!this.needCreateIssue(alert))
return;

this.createIssue({
await this.createIssue({
labels: [LABELS.dependabot, LABELS.security, alert.dependency.scope],
originRepo: this.context.repo,
summary: alert.security_advisory.summary,
description: alert.security_advisory.description,
link: alert.html_url,
issuePackage: alert.dependency.package.name,
});
});
}
}

async createCodeqlIssues (codeqlAlerts) {
codeqlAlerts.forEach(alert => {
for (const alert of codeqlAlerts) {
if (!this.needCreateIssue(alert))
return;

this.createIssue({
await this.createIssue({
labels: [LABELS.codeql, LABELS.security],
originRepo: this.context.repo,
summary: alert.rule.description,
description: alert.most_recent_instance.message.text,
link: alert.html_url,
});
});
}
}

needCreateIssue (alert) {
return !this.alertDictionary[alert.html_url] && Date.now() - new Date(alert.created_at) <= 1000 * 60 * 60 * 24;;
return !this.alertDictionary[alert.html_url] && Date.now() - new Date(alert.created_at) <= 1000 * 60 * 60 * 24;
}

async createIssue ({ labels, originRepo, summary, description, link, issuePackage = '' }) {
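Review bot: The `return` kept inside the new `for (const alert of dependabotAlerts)` loop (and the matching one in `createCodeqlIssues`) now exits the whole method on the first alert that does not need an issue, whereas inside the old `forEach` callback it only skipped that alert, so every alert after the first already-tracked or stale one is silently never reported. Both guards should read `if (!this.needCreateIssue(alert)) continue;`. Separately, `createAlertDictionary` now destructures two `match()` results unguarded, so any issue whose body lacks a `Repository:` line (for example one created before this change) throws a TypeError and aborts the run; appending `?? []` to each `match(...)` lets the existing `!url` guard cover that case. Note also that the Link regex captures `code-scanning` while `ALERT_TYPES.codeq` is `'codeql'`, so a comparison against that constant would never match, although only the dependabot branch is visible here. The SecurityChecker class and `createIssue` continue outside the hunks.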
