DevExpress · Aleksey28 · Dec 6, 2023 · Nov 28, 2023 · Nov 29, 2023 · Nov 29, 2023
diff --git a/workflows/check-security-alerts.yml b/workflows/check-security-alerts.yml
@@ -9,83 +9,68 @@ jobs:
   check:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/github-script@v6
+      - uses: actions/github-script@v7
         with:
           github-token: ${{ secrets.ACTIVE_TOKEN }}
           script: |
             if (!'${{secrets.SECURITY_ISSUE_REPO}}')
                return;
 
             const { owner, repo } = context.repo;
-            const state           = 'open';
-            const dependabotLabel = 'dependabot';
-            const codeqlLabel     = 'codeql';
-            const securityLabel   = 'security notification';
 
-            async function getDependabotAlerts () {
-              const dependabotListAlertsUrl  = `https://api.github.com/repos/${ owner }/${ repo }/dependabot/alerts?state=${ state }`;
-              const dependabotRequestOptions = {
-                headers: { 'Authorization': 'Bearer ${{ secrets.ACTIVE_TOKEN }}' }
-              }
-
-              const response = await fetch(dependabotListAlertsUrl, dependabotRequestOptions);
-              const data     = await response.json();
-
-              // If data isn't arry somethig goes wrong
-              if (Array.isArray(data))
-                return data;
-
-              return [];
-            }
-
-            async function getCodeqlAlerts () {
-              // When CodeQL is turned of it throws error
-              try {
-                const { data }  = await github.rest.codeScanning.listAlertsForRepo({ owner, repo, state });
-
-                return data;
-              } catch (_) {
-                return [];
-              }
-            }
-
-            async function createIssue ({owner, repo, labels, originRepo, summary, description, link, package = ''}) {
-              const title = `[${originRepo}] ${summary}`;
-              const body  = ''
-                + `#### Repository: \`${ originRepo }\`\n`
-                + (!!package ? `#### Package: \`${ package }\`\n` : '')
-                + `#### Description:\n`
-                + `${ description }\n`
-                + `#### Link: ${ link }`
+            const states = {
+              open:   'open',
+              closed: 'closed',
+            };
 
-              return github.rest.issues.create({ owner, repo, title, body, labels });
-            }
+            const labels = {
+              dependabot: 'dependabot',
+              codeq:      'codeql',
+              security:   'security notification',
+            };
 
-            function needCreateIssue (alert) {
-              return !issueDictionary[alert.html_url]
-                    && Date.now() - new Date(alert.created_at) <= 1000 * 60 * 60 * 24;
-            }
-
             const dependabotAlerts      = await getDependabotAlerts();
             const codeqlAlerts          = await getCodeqlAlerts();
-            const {data: existedIssues} = await github.rest.issues.listForRepo({ owner, repo, labels: [securityLabel], state });
+            const {data: existedIssues} = await github.rest.issues.listForRepo({ 
+              owner, 
+              repo:   '${{ secrets.SECURITY_ISSUE_REPO }}', 
+              labels: [labels.security], 
+              state:  states.open, 
+            });
 
-            const issueDictionary = existedIssues.reduce((res, issue) => {
-              const alertUrl = issue.body.match(/Link:\s*(https.*\d*)/)?.[1];
+            const alertDictionary = existedIssues.reduce((res, issue) => {
+              const [,url, number] = issue.body.match(/Link:\s*(https.*?(\d+)$)/);
 
-              if (alertUrl)
-                res[alertUrl] = issue;
+              if (!url)
+                return res;
+
+              res[url] = {
+                issue, number,
+                isDependabot: url.includes('dependabot'),
+              };
 
               return res;
             }, {})
 
+            for (const key in alertDictionary) {
+              var alert = alertDictionary[key];
+
+              if (alert.isDependabot) {
+                const isAlertOpened = await isDependabotAlertOpened(alert.number);
+
+                if (isAlertOpened)
+                  continue;
+
+                await closeIssue(alert.issue.number)
+              }
+            }
+
             dependabotAlerts.forEach(alert => {
               if (!needCreateIssue(alert))
                 return;
 
-              createIssue({ owner, 
-                repo:        '${{ secrets.SECURITY_ISSUE_REPO }}', 
-                labels:      [dependabotLabel, securityLabel], 
+              createIssue({
+                labels:      [labels.dependabot, labels.security, alert.dependency.scope], 
                 originRepo:  repo,
                 summary:     alert.security_advisory.summary, 
                 description: alert.security_advisory.description, 
@@ -98,12 +83,78 @@ jobs:
               if (!needCreateIssue(alert))
                 return;
 
-              createIssue({ owner, 
-                repo:        '${{ secrets.SECURITY_ISSUE_REPO }}', 
-                labels:      [codeqlLabel, securityLabel], 
+              createIssue({
+                labels:      [labels.codeql, labels.security], 
                 originRepo:  repo,
                 summary:     alert.rule.description, 
                 description: alert.most_recent_instance.message.text, 
                 link:        alert.html_url, 
               })
-            });
+            });
+
+            async function getDependabotAlerts () {
+              const { data }  = await github.rest.dependabot.listAlertsForRepo({ owner, repo, state: states.open });
+
+              return data;
+            }
+
+            async function getCodeqlAlerts () {
+              try {
+                const { data }  = await github.rest.codeScanning.listAlertsForRepo({ owner, repo, state: states.open });
+
+                return data;
+              } catch (e) {
+                if (e.message.includes('no analysis found'))
+                  return [];
+
+                throw e;
+              }
+            }
+
+            async function isDependabotAlertOpened (alertNumber) {
+              const alert = await getDependabotAlertInfo(alertNumber);
+
+              return alert.state === states.open;
+            }
+
+            async function getDependabotAlertInfo (alertNumber) {
+              try {
+                const { data } = await github.rest.dependabot.getAlert({ owner, repo, alert_number: alertNumber });
+
+                return data;
+              } catch (e) {
+                if (e.message.includes('No alert found for alert number'))
+                  return {};
+
+                throw e;
+              }
+            }
+
+            function needCreateIssue (alert) {
+              return !alertDictionary[alert.html_url]
+                    && Date.now() - new Date(alert.created_at) <= 1000 * 60 * 60 * 24;
+            }
+
+            async function createIssue ({labels, originRepo, summary, description, link, package = ''}) {
+              const title = `[${originRepo}] ${summary}`;
+              const body  = ''
+                + `#### Repository: \`${ originRepo }\`\n`
+                + (!!package ? `#### Package: \`${ package }\`\n` : '')
+                + `#### Description:\n`
+                + `${ description }\n`
+                + `#### Link: ${ link }`
+
+              return github.rest.issues.create({ 
+                owner, title, body, labels,
+                repo: '${{ secrets.SECURITY_ISSUE_REPO }}',
+              });
+            }
+
+            async function closeIssue (issueNumber) {
+              return github.rest.issues.update({ 
+                owner, 
+                repo:         '${{ secrets.SECURITY_ISSUE_REPO }}', 
+                issue_number: issueNumber, 
+                state:        states.closed 
+              });
+            }