
Comments (5)

febuiles avatar febuiles commented on July 17, 2024

@AlexWilson-GIS thank you for the very detailed report. Can you test the Action with the branch remove-warn-default and see if it fixes the issue?

    uses: actions/dependency-review-action@remove-warn-default

Pull request up here: #722

from dependency-review-action.

AlexWilson-GIS avatar AlexWilson-GIS commented on July 17, 2024

Unfortunately, it appears to still be failing.


febuiles avatar febuiles commented on July 17, 2024

@AlexWilson-GIS thanks for the update, we'll try to go through it this week and see what's up. If possible, please leave the reproduction repo up!


febuiles avatar febuiles commented on July 17, 2024

@AlexWilson-GIS I think I understand what the problem is now: If you take a look at the raw log for your PR, the error you are running into is Error: Dependency review detected denied packages.. The denylist contains the faulty log4j package, so it'll fail regardless of warn_only or fail_on_severity.

I created this PR with the same pom.xml you are using, but without providing a denylist for log4j. You can see it has been marked as a successful run. If you dig into the logs however, you can see the vulnerable package:

Vulnerabilities
  pom.xml » org.apache.logging.log4j:[email protected] – Improper Input Validation and Injection in Apache Log4j2 (moderate severity)
    ↪ https://github.com/advisories/GHSA-8489-44mv-ggj8
  Warning: Dependency review detected vulnerable packages.

These are two different issues:

  1. There is a problem in the latest release and in main with the handling of external config files (and other options). This PR provides a fix for that.
  2. warn_only does not work in conjunction with deny_list. This is not a bug, but we might want to reconsider this interaction. The reasons for this behavior are historical, not technical.

I'm marking this as closed and will be merging the PR/doing a new release in the morning. If you feel we should change the behavior of warn_only to take deny_list into account (understandable!) please open a new issue (cc @jonjanego).

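The interaction described in the comment above (a denylist hit fails the review no matter what warn_only or fail_on_severity say, while vulnerable packages are only downgraded to a warning when warn_only is set) is easy to get wrong when reading a run log. The following is an added example, not code from the dependency-review-action project: it models those two decision rules so a practitioner can check what verdict a given configuration will produce before pushing a PR. The dataclass names, the PURL-style package identifiers, the advisory id and the version-matching rule for deny entries are all assumptions made for the example; the log wording mirrors the messages quoted in the thread.

```python
"""Model of how a deny list and warn_only interact in a dependency review.

Added example, not the action's own code. The rules are assumed from the
issue thread: a denied package fails the review regardless of warn_only or
fail_on_severity; a vulnerable package fails only when its advisory meets
fail_on_severity and warn_only is off. All package data below is constructed.
"""
from dataclasses import dataclass, field

SEVERITY_RANK = {"low": 0, "moderate": 1, "high": 2, "critical": 3}


@dataclass
class Advisory:
    ghsa_id: str
    severity: str


@dataclass
class Dependency:
    purl: str          # assumed form: pkg:type/namespace/name@version
    manifest: str
    advisories: list = field(default_factory=list)


@dataclass
class Config:
    fail_on_severity: str = "low"
    warn_only: bool = False
    deny_packages: list = field(default_factory=list)   # PURLs, with or without @version


def purl_without_version(purl):
    return purl.split("@", 1)[0]


def deny_matches(dep_purl, denied):
    """Assumption: an entry with @version matches only that version,
    an entry without a version matches every version of the package."""
    for entry in denied:
        if "@" in entry:
            if entry == dep_purl:
                return True
        elif purl_without_version(dep_purl) == entry:
            return True
    return False


def review(deps, cfg):
    """Return (outcome, log_lines); outcome is 'success' or 'failure'."""
    log = []
    failed = False
    threshold = SEVERITY_RANK[cfg.fail_on_severity]

    # Rule 1: vulnerability findings at or above fail_on_severity.
    vulnerable = [
        d for d in deps
        if any(SEVERITY_RANK[a.severity] >= threshold for a in d.advisories)
    ]
    if vulnerable:
        log.append("Vulnerabilities")
        for d in vulnerable:
            for a in d.advisories:
                if SEVERITY_RANK[a.severity] >= threshold:
                    log.append(f"  {d.manifest} » {d.purl} – {a.ghsa_id} ({a.severity} severity)")
        if cfg.warn_only:
            log.append("  Warning: Dependency review detected vulnerable packages.")
        else:
            log.append("  Error: Dependency review detected vulnerable packages.")
            failed = True

    # Rule 2: deny list hits. warn_only is deliberately NOT consulted here.
    denied = [d.purl for d in deps if deny_matches(d.purl, cfg.deny_packages)]
    if denied:
        log.append("Denied packages")
        for p in denied:
            log.append(f"  {p}")
        log.append("  Error: Dependency review detected denied packages.")
        failed = True

    return ("failure" if failed else "success"), log


# Constructed sample: one manifest change pulling in a package with a
# moderate-severity advisory (names and GHSA id are made up).
SAMPLE_DEPS = [
    Dependency(
        purl="pkg:maven/example.logging/example-core@2.0.0",
        manifest="pom.xml",
        advisories=[Advisory("GHSA-0000-0000-0000", "moderate")],
    ),
]
DENY_CORE = ["pkg:maven/example.logging/example-core"]


if __name__ == "__main__":
    for label, cfg in [
        ("warn_only, no deny list", Config(warn_only=True)),
        ("warn_only + deny list", Config(warn_only=True, deny_packages=DENY_CORE)),
        ("fail_on_severity=high", Config(fail_on_severity="high")),
    ]:
        outcome, lines = review(SAMPLE_DEPS, cfg)
        print(f"== {label}: {outcome}")
        print("\n".join(lines))
```

Running the script shows the three cases side by side: with warn_only alone the run is green but the vulnerability is still in the log, adding the deny entry turns the same input red, and raising fail_on_severity above the advisory's level hides the finding entirely.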

AlexWilson-GIS avatar AlexWilson-GIS commented on July 17, 2024

Sounds good, thanks. I will open a new issue to request that.

