dependabot / fetch-metadata

Extract information about the dependencies being updated by a Dependabot-generated PR.


Metadata fields `alert-state`, `ghsa-id` & `cvss` are never populated when the manifest file is at the root

SalimBensiali opened this issue · comments

If you look at https://github.com/SalimBensiali/le-blanc-jewellery/runs/5561937034?check_suite_focus=true, you would expect to see the relevant vulnerability alert metadata, but I am always getting the default data instead, i.e.:

outputs.alert-state: ''
outputs.ghsa-id: ''
outputs.cvss: 0
  • I am using a PAT with enough permissions for successful GraphQL API calls
  • I have double checked that the PR is indeed fixing a security vulnerability SalimBensiali/le-blanc-jewellery#215


I am experiencing the same issue.

@SalimBensiali your repository is not configured to use Dependabot security updates and alerts:


I updated the README (see #187) to make it explicit that this feature relies upon those being enabled. My apologies for the confusion.

@mwaddell my repo does have dependabot security updates and alerts enabled. Look at any previously closed dependabot alerts via the auto merge workflow https://github.com/SalimBensiali/le-blanc-jewellery/pulls?q=is%3Apr+is%3Aclosed

The issue I am reporting relates to the v1.3.0 new feature, alert-lookup.

I think you simply don't have the permissions to view them

@mwaddell I managed to run the dry-run command which successfully returned the missing metadata for me.

Could it be because your LOCAL_GITHUB_ACCESS_TOKEN does not give you permission to access the data? Which would be consistent with not seeing that dependabot security alerts and updates are enabled on https://github.com/SalimBensiali/le-blanc-jewellery/security.

The docs you are linking to in #187 (https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts#access-to--dependabot-alerts) do explain why you could not see any dependabot alerts on my repo.

By default, we notify people with admin permissions in the affected repositories about new Dependabot alerts. GitHub never publicly discloses identified vulnerabilities for any repository. You can also make Dependabot alerts visible to additional people or teams working in repositories that you own or have admin permissions for. For more information, see "Managing security and analysis settings for your repository."

This is further confirmed here.

@mwaddell you could run the dry-run command off main and my branch and target a test repo you own to verify the bug and the fix. All you need is a repo with a manifest file in the root directory and any dependabot PR.

Thank you for the additional clarification - I understand now. Thank you for the PR and for updating all the unit tests, I've reviewed and approved the changes for @brrygrdn to merge.
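As an added example (not code from this thread or from the fetch-metadata project), a workflow that requests the alert lookup discussed above and, in the defender's interest, treats the empty defaults the reporter saw (`alert-state: ''`, `ghsa-id: ''`, `cvss: 0`) as "unknown" rather than "safe". The secret name `DEPENDABOT_ALERTS_PAT`, the job name and the CVSS threshold are assumptions.

```yaml
name: dependabot-guarded-auto-merge
on: pull_request

permissions:
  contents: write
  pull-requests: write

jobs:
  guarded-merge:
    # Only act on PRs that Dependabot itself opened.
    if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - name: Fetch Dependabot metadata (with alert lookup)
        id: meta
        uses: dependabot/fetch-metadata@v1.3.0
        with:
          # The thread shows the lookup needs a token that can read the
          # repository's Dependabot alerts; the reporter used a PAT with
          # GraphQL access. Secret name is an assumption.
          github-token: ${{ secrets.DEPENDABOT_ALERTS_PAT }}
          alert-lookup: true

      - name: Leave PR for manual review when no alert metadata came back
        # '' / 0 are the defaults reported in this issue. They also occur for
        # plain version updates, so do not fail the job, just refuse to merge
        # automatically and surface the outputs for whoever investigates.
        if: steps.meta.outputs.alert-state == ''
        run: |
          echo "No alert metadata returned; not auto-merging."
          echo "alert-state='${ALERT_STATE}' ghsa-id='${GHSA_ID}' cvss='${CVSS}'"
        env:
          ALERT_STATE: ${{ steps.meta.outputs.alert-state }}
          GHSA_ID: ${{ steps.meta.outputs.ghsa-id }}
          CVSS: ${{ steps.meta.outputs.cvss }}

      - name: Auto-merge security fixes below the CVSS threshold
        # Merge only when the lookup positively identified an alert and the
        # score is below the (assumed) threshold of 7.0; higher scores still
        # get a human look.
        if: steps.meta.outputs.alert-state != '' && steps.meta.outputs.cvss < 7.0
        run: gh pr merge --auto --squash "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

The second step is the check this issue motivates: if the outputs are the defaults, the cause may be token permissions or the manifest-path lookup, and neither is a reason to merge.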