Fixing a bug with GHSA filtering.

Co-authored-by: Christine Nagadya <cnagadya@github.com>
actions · Oct 11, 2022 · 2dd6c6a · 2dd6c6a
1 parent 1d9bfbb
commit 2dd6c6a
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 10 deletions.
diff --git a/__tests__/filter.test.ts b/__tests__/filter.test.ts
@@ -3,7 +3,7 @@ import {Change, Changes} from '../src/schemas'
 import {
   filterChangesBySeverity,
   filterChangesByScopes,
-  filterOutAllowedAdvisories
+  filterAllowedAdvisories
 } from '../src/filter'
 
 let npmChange: Change = {
@@ -90,28 +90,34 @@ test('it properly filters changes by scope', async () => {
   expect(result).toEqual([npmChange, rubyChange])
 })
 
+test('it properly handles undefined advisory IDs', async () => {
+  const changes = [npmChange, rubyChange, noVulnNpmChange]
+  let result = filterAllowedAdvisories(undefined, changes)
+  expect(result).toEqual([npmChange, rubyChange, noVulnNpmChange])
+})
+
 test('it properly filters changes with allowed vulnerabilities', async () => {
   const changes = [npmChange, rubyChange, noVulnNpmChange]
 
-  let result = filterOutAllowedAdvisories(['notrealGHSAID'], changes)
+  let result = filterAllowedAdvisories(['notrealGHSAID'], changes)
   expect(result).toEqual([npmChange, rubyChange, noVulnNpmChange])
 
-  result = filterOutAllowedAdvisories(['first-random_string'], changes)
+  result = filterAllowedAdvisories(['first-random_string'], changes)
   expect(result).toEqual([rubyChange, noVulnNpmChange])
 
-  result = filterOutAllowedAdvisories(
+  result = filterAllowedAdvisories(
     ['second-random_string', 'third-random_string'],
     changes
   )
   expect(result).toEqual([npmChange, noVulnNpmChange])
 
-  result = filterOutAllowedAdvisories(
+  result = filterAllowedAdvisories(
     ['first-random_string', 'second-random_string', 'third-random_string'],
     changes
   )
   expect(result).toEqual([noVulnNpmChange])
 
   // if we have a change with multiple vulnerabilities but only one is allowed, we still should not filter out that change
-  result = filterOutAllowedAdvisories(['second-random_string'], changes)
+  result = filterAllowedAdvisories(['second-random_string'], changes)
   expect(result).toEqual([npmChange, rubyChange, noVulnNpmChange])
 })
diff --git a/src/filter.ts b/src/filter.ts
@@ -52,16 +52,19 @@ export function filterChangesByScopes(
 }
 
 /**
+ * Filter out changes that are allowed by the allow_ghsas config
+ * option. We want to remove these changes before we do any
+ * processing.
  * @param ghsas - list of GHSA IDs to allow
  * @param changes - list of changes to filter
  * @returns a list of changes with the allowed GHSAs removed
  */
-export function removeAllowedAdvisories(
+export function filterAllowedAdvisories(
   ghsas: string[] | undefined,
   changes: Changes
 ): Changes {
   if (ghsas === undefined) {
-    return []
+    return changes
   }
 
   const filteredChanges = changes.filter(change => {

diff --git a/src/main.ts b/src/main.ts
@@ -8,7 +8,7 @@ import {readConfig} from '../src/config'
 import {
   filterChangesBySeverity,
   filterChangesByScopes,
-  removeAllowedAdvisories
+  filterAllowedAdvisories
 } from '../src/filter'
 import {getDeniedLicenseChanges} from './licenses'
 import * as summary from './summary'
@@ -30,7 +30,7 @@ async function run(): Promise<void> {
 
     const minSeverity = config.fail_on_severity as Severity
     const scopedChanges = filterChangesByScopes(config.fail_on_scopes, changes)
-    const filteredChanges = removeAllowedAdvisories(
+    const filteredChanges = filterAllowedAdvisories(
       config.allow_ghsas,
       scopedChanges
     )