Dismiss stale reviews when reviewing PRs with vulnerable dependencies #934
Conversation
jhrozek
force-pushed
the
vuln_review
branch
from
20f3bf9
to
8e714a6
Compare
|
Thanks @jhrozek , was just thinking about this. At some point (up to you if its in this patch) we should add details of the vulnerability to the initial comment. We can include the CVE number, its severity etc and perhaps a link to the osv advisory page. |
This part of the workflow was always included in the acceptance criteria for the epic, there was just not enough time last week :-) I'll look into providing the details. |
I'll include this in a separate PR if you don't mind, I wanted to refactor the parsing of the OSV vulnerability anyway so I'll do those in one PR which will also make the formatting easier for the commit status action (as opposed to the PR review action) |
jhrozek
force-pushed
the
vuln_review
branch
from
8e714a6
to
684fd3a
Compare
When the user accepts mediator's suggestions on PRs that container vulnerable dependencies, we need to re-review the PR. This patch dismisses the earlier review and adds a new one, either just commenting that no vulnerable packages were found or listing the remainign vulnerabilities. Also moves the package review code behind an interface that will be used later to just add comments and optionally set commit status to prevent merge with vulnerable commits. Fixes: #914
jhrozek
force-pushed
the
vuln_review
branch
from
684fd3a
to
c19b074
Compare
When the user accepts mediator's suggestions on PRs that container
vulnerable dependencies, we need to re-review the PR. This patch
dismisses the earlier review and adds a new one, either just commenting
that no vulnerable packages were found or listing the remainign
vulnerabilities.
Also moves the package review code behind an interface that will be used
later to just add comments and optionally set commit status to prevent
merge with vulnerable commits.
Fixes: #914