Package Deny List Ignores Version
https://github.com/actions/dependency-review-action/blob/40eb2b8b00a215a5a327a2de3fdf3d6ab861c1fb/src/deny.ts#L14 https://github.com/actions/dependency-review-action/blob/40eb2b8b00a215a5a327a2de3fdf3d6ab861c1fb/src/deny.ts#L18
After losing hours trying to figure out if there's some syntax error in my configuration file causing 1 package not on my deny list to be denied over and over, I crack open the source code to discover that the action doesn't actually pay attention to versions in the purl notation. This is quite surprising, as the use case in my test repo of denying older versions of a package where we specifically want to avoid regressions is a huge reason to use this action. It's also strange that this isn't documented in the README, which simply states that you can specify packages to be denied using the purl format, and the purl format includes an optional version string. I know that there is a draft spec for annotating version ranges in purl format, but until that is done, can this action please be enhanced to at least check the hardcoded version if one exists? Only being able to deny entire packages, regardless of version, is way too broad for us to make use of in many situations. If someone wants to ban an entire package, regardless of version, they could simply not provide a version string, and the current behavior could handle that situation.
@AlexWilson-GIS thanks for bringing this to our attention. I was under the impression that PURL denylists would also take versions into account too, and wrote some of the docs with that assumption in mind!
We'll update the issue once we have some free cycles to work on this, but if you want to PR the change and need some support feel free to reach out, I'd be more than happy to help get this fixed.
So I see three options here, each with pros and cons:
- Do nothing. I think this is probably not acceptable for the reasons that @AlexWilson-GIS pointed out. It sounds perfectly reasonable to me to allow people to deny some versions of a package without denying all of them.
- Match on the exact version provided in the deny list, if provided. If there's no version provided, treat it as a wildcard and deny all versions. This would be pretty simple to implement.
- One way or another, make it possible to deny a specified range of versions. This would be easy if the purl spec supported version ranges, but it does not.
For an initial fix, I'll give my vote to option 2. I would certainly be open to supporting ranges somehow in the future, but I don't think the team has the bandwidth for that at the moment.
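To make option 2 concrete, here is an added example (not code from dependency-review-action's own `deny.ts`) of a deny-list check in which a purl entry with a version matches only that exact version, while an entry without a version is treated as a wildcard for every version of the package. It assumes a minimal hand-written purl parser rather than a library, ignores purl qualifiers and subpaths for matching, compares version strings literally (no ranges), and uses a constructed sample deny list and dependency set.

```typescript
// Added example, not the action's own code. Implements "option 2" from the
// discussion: an exact-version match when the deny entry carries a version,
// a wildcard match when it does not.
// Assumptions: qualifiers (?...) and subpath (#...) are ignored for matching;
// versions are compared as literal strings, not as semver ranges.

interface PackageURL {
  type: string
  namespace: string | null
  name: string
  version: string | null
}

// Parse "pkg:type/namespace/name@version?qualifiers#subpath" into its parts.
// Throws on input that does not look like a purl.
function parsePurl(purl: string): PackageURL {
  if (!purl.startsWith('pkg:')) {
    throw new Error(`not a purl: ${purl}`)
  }
  let rest = purl.slice('pkg:'.length)
  // Qualifiers and subpath are irrelevant for deny-list matching.
  rest = rest.split('#')[0].split('?')[0]
  // Tolerate "pkg://type/..." forms that some tools emit.
  rest = rest.replace(/^\/+/, '')

  // The version separator is the first "@" after the last "/", so an npm
  // scope written as "@scope" (or "%40scope") in the namespace is not
  // mistaken for a version.
  let version: string | null = null
  const lastSlash = rest.lastIndexOf('/')
  const at = rest.indexOf('@', lastSlash + 1)
  if (at !== -1) {
    version = decodeURIComponent(rest.slice(at + 1))
    rest = rest.slice(0, at)
  }

  const segments = rest.split('/').filter(s => s.length > 0)
  if (segments.length < 2) {
    throw new Error(`purl needs at least a type and a name: ${purl}`)
  }
  const type = segments[0].toLowerCase()
  const name = decodeURIComponent(segments[segments.length - 1])
  const namespace =
    segments.length > 2
      ? segments.slice(1, -1).map(s => decodeURIComponent(s)).join('/')
      : null
  return {type, namespace, name, version}
}

// A deny entry matches a dependency when type, namespace and name agree and
// either the entry has no version (wildcard) or the versions are identical.
function denyEntryMatches(entry: PackageURL, dep: PackageURL): boolean {
  if (entry.type !== dep.type) return false
  if (entry.namespace !== dep.namespace) return false
  if (entry.name !== dep.name) return false
  if (entry.version === null) return true
  return entry.version === dep.version
}

// Return the dependency purls that are denied by the list.
function findDenied(denyList: string[], dependencies: string[]): string[] {
  const entries = denyList.map(parsePurl)
  return dependencies.filter(dep => {
    const parsed = parsePurl(dep)
    return entries.some(entry => denyEntryMatches(entry, parsed))
  })
}

// Constructed sample data (not taken from the issue).
const SAMPLE_DENY_LIST = [
  'pkg:npm/lodash@4.17.20',        // deny one specific version only
  'pkg:npm/left-pad',              // no version: deny every version
  'pkg:npm/%40scope/widget@1.0.0'  // scoped package, one version
]

const SAMPLE_DEPENDENCIES = [
  'pkg:npm/lodash@4.17.20',
  'pkg:npm/lodash@4.17.21',
  'pkg:npm/left-pad@1.3.0',
  'pkg:npm/%40scope/widget@1.0.0',
  'pkg:npm/%40scope/widget@1.0.1'
]

// Runs the check over the sample data; only the listed versions of lodash
// and the scoped widget are denied, plus every version of left-pad.
function denied(): string[] {
  return findDenied(SAMPLE_DENY_LIST, SAMPLE_DEPENDENCIES)
}

console.log(denied())
```

The point of keeping the version comparison in `denyEntryMatches` is exactly the bug the issue describes: if the check stopped after comparing the name, the entry `pkg:npm/lodash@4.17.20` would also deny `4.17.21`, which is the behaviour that made the configuration appear broken. Keeping an unversioned entry as a wildcard preserves today's whole-package deny for users who want it.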
Agree with your assessment, @juxtin.