From ca46facff3d35d7b3bbf6ddc7ae36492056e54f1 Mon Sep 17 00:00:00 2001 From: testcafe-build-bot Date: Wed, 6 Dec 2023 15:59:36 +0000 Subject: [PATCH 1/3] =?UTF-8?q?=F0=9F=94=84=20synced=20local=20'.github/wo?= =?UTF-8?q?rkflows/'=20with=20remote=20'workflows/'?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/check-security-alerts.yml | 101 ++------------------ 1 file changed, 8 insertions(+), 93 deletions(-) diff --git a/.github/workflows/check-security-alerts.yml b/.github/workflows/check-security-alerts.yml index 2c0c022..a699fbf 100644 --- a/.github/workflows/check-security-alerts.yml +++ b/.github/workflows/check-security-alerts.yml @@ -9,101 +9,16 @@ jobs: check: runs-on: ubuntu-latest steps: - - uses: actions/github-script@v6 + - uses: actions/checkout@v3 + - uses: actions/setup-node@v3 + with: + node-version: latest + - uses: actions/github-script@v7 with: github-token: ${{ secrets.ACTIVE_TOKEN }} script: | - if (!'${{secrets.SECURITY_ISSUE_REPO}}') - return; + const {default: SecurityChecker} = await import('${{ github.workspace }}/.github/scripts/security-checker.mjs') - const { owner, repo } = context.repo; - const state = 'open'; - const dependabotLabel = 'dependabot'; - const codeqlLabel = 'codeql'; - const securityLabel = 'security notification'; + const securityChecker = new SecurityChecker(github, context, '${{secrets.SECURITY_ISSUE_REPO}}'); - async function getDependabotAlerts () { - const dependabotListAlertsUrl = `https://api.github.com/repos/${ owner }/${ repo }/dependabot/alerts?state=${ state }`; - const dependabotRequestOptions = { - headers: { 'Authorization': 'Bearer ${{ secrets.ACTIVE_TOKEN }}' } - } - - const response = await fetch(dependabotListAlertsUrl, dependabotRequestOptions); - const data = await response.json(); - - // If data isn't arry somethig goes wrong - if (Array.isArray(data)) - return data; - - return []; - } - - async function getCodeqlAlerts () { - // When CodeQL is turned of it throws error - try { - const { data } = await github.rest.codeScanning.listAlertsForRepo({ owner, repo, state }); - - return data; - } catch (_) { - return []; - } - } - - async function createIssue ({owner, repo, labels, originRepo, summary, description, link, package = ''}) { - const title = `[${originRepo}] ${summary}`; - const body = '' - + `#### Repository: \`${ originRepo }\`\n` - + (!!package ? `#### Package: \`${ package }\`\n` : '') - + `#### Description:\n` - + `${ description }\n` - + `#### Link: ${ link }` - - return github.rest.issues.create({ owner, repo, title, body, labels }); - } - - function needCreateIssue (alert) { - return !issueDictionary[alert.html_url] - && Date.now() - new Date(alert.created_at) <= 1000 * 60 * 60 * 24; - } - - const dependabotAlerts = await getDependabotAlerts(); - const codeqlAlerts = await getCodeqlAlerts(); - const {data: existedIssues} = await github.rest.issues.listForRepo({ owner, repo, labels: [securityLabel], state }); - - const issueDictionary = existedIssues.reduce((res, issue) => { - const alertUrl = issue.body.match(/Link:\s*(https.*\d*)/)?.[1]; - - if (alertUrl) - res[alertUrl] = issue; - - return res; - }, {}) - - dependabotAlerts.forEach(alert => { - if (!needCreateIssue(alert)) - return; - - createIssue({ owner, - repo: '${{ secrets.SECURITY_ISSUE_REPO }}', - labels: [dependabotLabel, securityLabel], - originRepo: repo, - summary: alert.security_advisory.summary, - description: alert.security_advisory.description, - link: alert.html_url, - package: alert.dependency.package.name - }) - }); - - codeqlAlerts.forEach(alert => { - if (!needCreateIssue(alert)) - return; - - createIssue({ owner, - repo: '${{ secrets.SECURITY_ISSUE_REPO }}', - labels: [codeqlLabel, securityLabel], - originRepo: repo, - summary: alert.rule.description, - description: alert.most_recent_instance.message.text, - link: alert.html_url, - }) - }); \ No newline at end of file + await securityChecker.check(); From 2f3a956eedb5e175a8f649ad21b7a30ab4570144 Mon Sep 17 00:00:00 2001 From: testcafe-build-bot Date: Wed, 6 Dec 2023 15:59:36 +0000 Subject: [PATCH 2/3] =?UTF-8?q?=F0=9F=94=84=20synced=20local=20'.github/la?= =?UTF-8?q?bels.yml'=20with=20remote=20'configs/labels.yml'?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/labels.yml | 35 +++++++++++++++++++---------------- 1 file changed, 19 insertions(+), 16 deletions(-) diff --git a/.github/labels.yml b/.github/labels.yml index 6c5e66b..6cc435a 100644 --- a/.github/labels.yml +++ b/.github/labels.yml @@ -5,9 +5,9 @@ : # Post a comment comment: | - Thank you for your inquiry. This issue looks like a question that would be best [asked on StackOverflow](https://stackoverflow.com/questions/ask?tags=testcafe) - an amazing platform for users to ask and answer questions. We try to keep the GitHub issues tracker for bugs and feature requests only (see [Contributing](https://github.com/DevExpress/testcafe#contributing)). + Thank you for your inquiry. It looks like you're asking a question. We use GitHub to track bug reports and enhancement requests (see [Contributing](https://github.com/DevExpress/testcafe#contributing)). Address your question to the TestCafe community on [StackOverflow](https://stackoverflow.com/questions/ask?tags=testcafe) instead. - If you think that this issue is a bug, feel free to [open a new issue](https://github.com/DevExpress/testcafe/issues/new?template=bug-report.md), but please make sure to follow the issue template. Thank you in advance. + If you encountered a bug, [open a new issue](https://github.com/DevExpress/testcafe/issues/new?template=bug-report.md), and follow the "bug report" template. Thank you in advance. unlabel: 'STATE: Need response' close: true @@ -15,7 +15,7 @@ : # Post a comment comment: | - Thank you for submitting this issue. Since you are using an outdated version of TestCafe, we recommend you update TestCafe to the [latest version](https://github.com/DevExpress/testcafe/releases/latest) to check if this issue has been addressed. We constantly improve our tools, and there is a chance that this issue has been already resolved and/or is no longer reproducible in the latest version. We look forward to your response. + Thank you for submitting a bug report. It looks like you're using an outdated version of TestCafe. Every TestCafe update contains bug fixes and enhancements. Install [the latest version](https://github.com/DevExpress/testcafe/releases/latest) of TestCafe and see if you can reproduce the bug. We look forward to your response. label: 'STATE: Need clarification' unlabel: - 'STATE: Non-latest version' @@ -25,7 +25,7 @@ : # Post a comment comment: | - Thank you for submitting this issue. We would love to assist you and diagnose it. However, we need a simple sample that we can easily run on our side in order to replicate the issue and research its cause. Without a sample, we are not able to figure out what's going on and why this issue occurs. Refer to this article to create the best example: [How To: Create a Minimal Working Example When You Submit an Issue](https://testcafe.io/402636/faq#how-to-create-a-minimal-working-example-when-you-submit-an-issue). We look forward to your response. + Thank you for submitting a bug report. We would love to help you investigate the issue. Please share a *simple* code example that reliably reproduces the bug. For more information, read the following article: [How To Create a Minimal Working Example When You Submit an Issue](https://testcafe.io/documentation/402636/faq/general-info#how-to-create-a-minimal-working-example-when-you-submit-an-issue). We look forward to your response. label: 'STATE: Need clarification' unlabel: - 'STATE: Need simple sample' @@ -35,9 +35,10 @@ : # Post a comment comment: | - Thank you for submitting this issue. We would love to assist you and diagnose this issue. However, since your website sits behind a proxy and/or requires authentication, I will not be able to access it. Our policy prevents us from accessing a customer's internal resources without prior written approval from the entity that owns the server/web resource. + Thank you for submitting a bug report. We would love to help you investigate the issue. Unfortunately, we cannot reproduce the bug, because your code example accesses a web resource that requires authentication. - If you want us to research the problem further, we'll need access to the server/web resource. Please ask the website owner to send us ([support@devexpress.com](mailto:support@devexpress.com)) written confirmation. It must permit DevExpress personnel to remotely access the website and its internal resources for research/testing and debugging purposes. + Please create a [Minimal Example](https://testcafe.io/documentation/402636/faq/general-info#how-to-create-a-minimal-working-example-when-you-submit-an-issue) that works locally or without authentication. Do not share any private data - the DevExpress support team cannot access private resources. We look forward to your response. + label: 'STATE: Need clarification' unlabel: - 'STATE: Need access confirmation' @@ -47,7 +48,7 @@ : # Post a comment comment: | - Thank you for submitting this issue. However, the information you shared is insufficient to determine its cause. Please submit a new issue and fill the issue template completely - specify your TestCafe version and share a sample application with a test case that we can run on our side to reproduce and research the issue. + Thank you for submitting a bug report. The information you shared is not sufficient to determine the cause of the issue. Please create a new GitHub ticket and fill every section of the "bug report" template. Include the framework's version number, and don't forget to share a [Minimal Working Example](https://testcafe.io/documentation/402636/faq/general-info#how-to-create-a-minimal-working-example-when-you-submit-an-issue) that reliably reproduces the issue. unlabel: - 'STATE: Incomplete template' - 'STATE: Need response' @@ -57,7 +58,7 @@ : # Post a comment comment: | - No updates yet. Once we get any results, we will post them in this thread. + No updates yet. Once we make more progress, we will leave a comment. unlabel: - 'STATE: No updates' - 'STATE: Need response' @@ -66,7 +67,7 @@ : # Post a comment comment: | - Any personal estimate may be misleading, so we cannot currently tell it at the moment. Once we get any results, we will post them in this thread. + Personal predictions can be unreliable, so we are not ready to give you an ETA. Once we make more progress, we will leave a comment. unlabel: - 'STATE: No estimations' - 'STATE: Need response' @@ -75,7 +76,7 @@ : # Post a comment comment: | - We are focused on implementing features from our [Roadmap](https://devexpress.github.io/testcafe/roadmap/). Since this enhancement is not there, we cannot tell you any time frames on when we will be able to address it. If this feature is important for you, please submit a Pull Request with its implementation. See the [Сontribution guide](https://github.com/DevExpress/testcafe/blob/master/CONTRIBUTING.md) for more information. + The TestCafe team has yet to allocate any resources for the development of this capability. We cannot give you an ETA on its completion. If this capability is important for you, please submit a Pull Request with an implementation. See the [Сontribution guide](https://github.com/DevExpress/testcafe/blob/master/CONTRIBUTING.md) for more information. unlabel: - 'STATE: Outdated proposal' - 'STATE: Need response' @@ -84,7 +85,9 @@ : # Post a comment comment: | - We address issues according to their severity, priority, and other factors. It appears that this issue is an edge case. If this issue is important for you, please submit a Pull Request with a fix. See the [Сontribution guide](https://github.com/DevExpress/testcafe/blob/master/CONTRIBUTING.md) for more information. + When the TestCafe team decides which issues to address, it evaluates their severity, as well as the number of affected users. It appears that the issue you raised is an edge case. + + If this issue is important for you, please submit a Pull Request with a fix. See the [Сontribution guide](https://github.com/DevExpress/testcafe/blob/master/CONTRIBUTING.md) for more information. unlabel: - 'STATE: Outdated issue' - 'STATE: Need response' @@ -93,7 +96,7 @@ : # Post a comment comment: | - There are no workarounds. Once we get any updates, we will post them in this thread. + There are no workarounds at the moment. We'll leave a comment if we discover a workaround, or fix the bug. unlabel: - 'STATE: No workarounds' - 'STATE: Need response' @@ -102,7 +105,7 @@ : # Post a comment comment: | - Thank you for your contribution to TestCafe. We will review this PR. + Thank you for your contribution to TestCafe. When a member of the TestCafe team becomes available, they will review this PR. unlabel: - 'STATE: PR Review Pending' - 'STATE: Need response' @@ -111,7 +114,7 @@ : # Post a comment comment: | - We appreciate you taking the time to share the information about this issue. We replicated it, and it is currently in our internal queue. Please note that the research may take time. We'll update this thread once we have news. + We appreciate you taking the time to share information about this issue. We reproduced the bug and added this ticket to our internal task queue. We'll update this thread once we have news. unlabel: - 'STATE: Issue accepted' - 'STATE: Need response' @@ -120,7 +123,7 @@ : # Post a comment comment: | - Thank you for bringing this to our attention. We will be happy to look into this enhancement. We'll update this thread once we have news to share. In the absence of communication from us, it's safe to assume that there are no updates. + Thank you for bringing this enhancement to our attention. We will be happy to look into it. We'll update this thread once we have news. If we do not publish any new comments, it's safe to assume that there are no new updates. unlabel: - 'STATE: Enhancement accepted' - - 'STATE: Need response' \ No newline at end of file + - 'STATE: Need response' From 8330fb18ab8cca8c933e561b3b04f644af38a15b Mon Sep 17 00:00:00 2001 From: testcafe-build-bot Date: Wed, 6 Dec 2023 15:59:36 +0000 Subject: [PATCH 3/3] =?UTF-8?q?=F0=9F=94=84=20created=20local=20'.github/s?= =?UTF-8?q?cripts/security-checker.mjs'=20from=20remote=20'scripts/securit?= =?UTF-8?q?y-checker.mjs'?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/scripts/security-checker.mjs | 177 +++++++++++++++++++++++++++ 1 file changed, 177 insertions(+) create mode 100644 .github/scripts/security-checker.mjs diff --git a/.github/scripts/security-checker.mjs b/.github/scripts/security-checker.mjs new file mode 100644 index 0000000..841c82e --- /dev/null +++ b/.github/scripts/security-checker.mjs @@ -0,0 +1,177 @@ +const STATES = { + open: 'open', + closed: 'closed', +}; + +const LABELS = { + dependabot: 'dependabot', + codeq: 'codeql', + security: 'security notification', +}; + +class SecurityChecker { + constructor (github, context, issueRepo) { + this.github = github; + this.issueRepo = issueRepo; + this.context = { + owner: context.repo.owner, + repo: context.repo.repo, + }; + } + + async check () { + const dependabotAlerts = await this.getDependabotAlerts(); + const codeqlAlerts = await this.getCodeqlAlerts(); + const existedIssues = await this.getExistedIssues(); + + this.alertDictionary = this.createAlertDictionary(existedIssues); + + await this.closeSpoiledIssues(); + this.createDependabotlIssues(dependabotAlerts); + this.createCodeqlIssues(codeqlAlerts); + } + + async getDependabotAlerts () { + const { data } = await this.github.rest.dependabot.listAlertsForRepo({ state: STATES.open, ...this.context }); + + return data; + } + + async getCodeqlAlerts () { + try { + const { data } = await this.github.rest.codeScanning.listAlertsForRepo({ state: STATES.open, ...this.context }); + + return data; + } + catch (e) { + if (e.message.includes('no analysis found')) + return []; + + throw e; + } + } + + async getExistedIssues () { + const { data: existedIssues } = await this.github.rest.issues.listForRepo({ + owner: this.context.owner, + repo: this.issueRepo, + labels: [LABELS.security], + state: STATES.open, + }); + + return existedIssues; + } + + createAlertDictionary (existedIssues) { + return existedIssues.reduce((res, issue) => { + const [, url, number] = issue.body.match(/Link:\s*(https.*?(\d+)$)/); + + if (!url) + return res; + + res[url] = { + issue, number, + isDependabot: url.includes('dependabot'), + }; + + return res; + }, {}); + } + + async closeSpoiledIssues () { + for (const key in this.alertDictionary) { + const alert = this.alertDictionary[key]; + + if (alert.isDependabot) { + const isAlertOpened = await this.isDependabotAlertOpened(alert.number); + + if (isAlertOpened) + continue; + + await this.closeIssue(alert.issue.number); + } + } + } + + async isDependabotAlertOpened (alertNumber) { + const alert = await this.getDependabotAlertInfo(alertNumber); + + return alert.state === STATES.open; + } + + async getDependabotAlertInfo (alertNumber) { + try { + const { data } = await this.github.rest.dependabot.getAlert({ alert_number: alertNumber, ...this.context }); + + return data; + } + catch (e) { + if (e.message.includes('No alert found for alert number')) + return {}; + + throw e; + } + } + + async closeIssue (issueNumber) { + return this.github.rest.issues.update({ + owner: this.context.owner, + repo: this.issueRepo, + issue_number: issueNumber, + state: STATES.closed, + }); + } + + async createDependabotlIssues (dependabotAlerts) { + dependabotAlerts.forEach(alert => { + if (!this.needCreateIssue(alert)) + return; + + this.createIssue({ + labels: [LABELS.dependabot, LABELS.security, alert.dependency.scope], + originRepo: this.context.repo, + summary: alert.security_advisory.summary, + description: alert.security_advisory.description, + link: alert.html_url, + issuePackage: alert.dependency.package.name, + }); + }); + } + + async createCodeqlIssues (codeqlAlerts) { + codeqlAlerts.forEach(alert => { + if (!this.needCreateIssue(alert)) + return; + + this.createIssue({ + labels: [LABELS.codeql, LABELS.security], + originRepo: this.context.repo, + summary: alert.rule.description, + description: alert.most_recent_instance.message.text, + link: alert.html_url, + }); + }); + } + + needCreateIssue (alert) { + return !this.alertDictionary[alert.html_url]; + } + + async createIssue ({ labels, originRepo, summary, description, link, issuePackage = '' }) { + const title = `[${originRepo}] ${summary}`; + const body = '' + + `#### Repository: \`${originRepo}\`\n` + + (issuePackage ? `#### Package: \`${issuePackage}\`\n` : '') + + `#### Description:\n` + + `${description}\n` + + `#### Link: ${link}`; + + return this.github.rest.issues.create({ + title, body, labels, + owner: this.context.owner, + repo: this.issueRepo, + }); + } +} + +export default SecurityChecker;