Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Scan for Vulnerabilities + make PRs automatically #675

Merged
merged 2 commits into from
Dec 7, 2022
Merged

Scan for Vulnerabilities + make PRs automatically #675

merged 2 commits into from
Dec 7, 2022

Conversation

nickumia-reisys
Copy link
Contributor

@nickumia-reisys nickumia-reisys commented Dec 7, 2022
edited
Loading

@nickumia-reisys nickumia-reisys marked this pull request as ready for review December 7, 2022 21:17
jbrown-xentity
jbrown-xentity reviewed Dec 7, 2022
View reviewed changes
.github/workflows/snyk.yml
make update-dependencies;
exit 1
- name: Create Pull Request
if: ${{ failure() }}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't we want to do this on success, not failure?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The previous command succeeds if there are no vulnerabilities and fails if there are vulnerabilities.

.github/workflows/snyk.yml
scan.json | sed 'N;s/\n/>=/');

make update-dependencies;
exit 1
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why are we exiting 1 here?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Exiting 1 to fail and ensure that the PR is created. Otherwise, everything would return 0 and no PR would be created.

.github/workflows/snyk.yml
sed -i "/${package}.*/d" ckan/requirements.in
sed -i "/${package}.*/d" ckan/requirements.txt
echo $fix >> ckan/requirements.in
done <<< $(jq -r '.vulnerabilities[] | .moduleName,.fixedIn[]'
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What if there's no fix, does this for loop run?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If there's no fix, we are testing what will happen, most likely a bad PR will be created.. But in that case, we'd have to make a PR to ignore it, we can add the functionality in the future. But I feel like that doesn't happen often.

@nickumia-reisys nickumia-reisys merged commit bc2c711 into main Dec 7, 2022
@nickumia-reisys nickumia-reisys deleted the snyk-prs branch December 7, 2022 21:20
@nickumia-reisys nickumia-reisys mentioned this pull request Dec 7, 2022
Merged
@nickumia-reisys
Copy link
Contributor Author

Superseded by

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jbrown-xentity jbrown-xentity jbrown-xentity left review comments

@btylerburton btylerburton btylerburton approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@nickumia-reisys @jbrown-xentity @btylerburton