dependency-review-action icon indicating copy to clipboard operation
dependency-review-action copied to clipboard

Published 20 hours ago verified publisher icon actions

Log/document which sources are being analyzed/supported

Open ericcornelissen opened this issue 2 years ago • 4 comments

After adding this action to one of my project I was curious what it was scanning. Unfortunately I was not able to figure out what is actually being scanned (other than the image from the README, suggesting it's scanning package.json; and a log about a GitHub Actions workflow, suggesting it's scanning GitHub Actions workflow files). I tried enabling debug logging, but the logs still didn't tell me what was being analyzed.

In that light, I have two suggestions:

  1. Document which sources can be analyzed in the README (or similar).
  2. Log which sources are being analyzed during a run of the Action.

ericcornelissen avatar Aug 04 '22 19:08 ericcornelissen

@ericcornelissen thanks for the callout, I'll update the README to include these details. In the meantime: The action uses the same set of files that Dependabot and Dependency Graph uses to determine your dependencies, you can see a full list of supported ecosystems/manifest types in https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph#supported-package-ecosystems.

The sources that were analyzed during a run should already be logged, if nothing shows up please assume no candidates to scan were found.

febuiles avatar Aug 05 '22 15:08 febuiles

thanks for the callout, I'll update the README to include these details.

:+1:

In the meantime: The action uses the same set of files that Dependabot and Dependency Graph uses to determine your dependencies, you can see a full list of supported ecosystems/manifest types in docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph#supported-package-ecosystems.

Thanks for the information.

The sources that were analyzed during a run should already be logged, if nothing shows up please assume no candidates to scan were found.

Apologies for not including a link to example logs, here's one https://github.com/ericcornelissen/git-tag-annotation-action/runs/7679515582 (corresponding workflow). Based on the fact that it logs something about a potential issue with a GitHub Actions workflow, I would assume it scanned something. However, I'm not spotting any logs listing what was scanned.

ericcornelissen avatar Aug 05 '22 19:08 ericcornelissen

@ericcornelissen thanks for the link, it definitely isn't super clear that .github/workflows/deps-analysis.yml was scanned in the message from that run (it's worse in this case due to the licensing issue you reported in #182). @tspascoal opened a PR yesterday to include a better output format, would you mind taking a look at the screenshot in the comments and seeing if this helps out?

febuiles avatar Aug 05 '22 21:08 febuiles

@febuiles from my understanding of #181 it still wouldn't log the manifests that were analyzed if no vulnerabilities or license issues were detected, is that correct?

I would expect, even if only in debug mode, that a list of the analyzed manifests was presented (in the logs or summary), even if there's no issues found. If that's not the case, I can't tell whether no issue was found or whether nothing was scanned.

ericcornelissen avatar Aug 06 '22 11:08 ericcornelissen

@ericcornelissen There should be a new release of the action by next week containing a couple of new features, one of them being a summary of everything that was scanned. See https://github.com/actions/dependency-review-action/pull/248 for more details.

febuiles avatar Sep 28 '22 08:09 febuiles