Add list of resolved vulnerabilities to the PR Comment / Logs #1032
base: main
Conversation
- Add resolved vulnerabilities detection and display
- Show positive feedback when vulnerabilities are resolved by removing/upgrading packages
- Add resolved-vulnerabilities output for workflow automation
- Include resolved vulnerabilities in PR comments and job summaries
- Add comprehensive tests and documentation
- Addresses GitHub issue actions#717

Co-authored-by: GitHub Copilot <copilot@github.com>

- Remove markdown bold formatting from summary counts (use plain text)
- Use HTML <strong> tags instead of markdown ** for better rendering
- Add celebration emoji to resolved vulnerabilities count
- Clean up heading formatting for resolved vulnerabilities section
- Ensure consistent formatting across summary and detailed sections

…re table, remove duplicate text
- Create separate summaryListHtml and summaryListMarkdown arrays to fix ** rendering
- Add newline after resolved vulnerabilities header for better spacing
- Remove duplicate resolved vulnerabilities text from main summary
- Ensures proper bold formatting in both GitHub Action summaries and PR comments
Pull request overview
This PR adds functionality to track and display resolved vulnerabilities when vulnerable dependencies are removed from a project. The feature provides positive feedback to developers about the security improvements their changes introduce, without requiring any API changes. Resolved vulnerabilities are identified by examining removed dependencies that had known vulnerabilities.
Key changes:
- New `resolved-vulnerabilities` output containing JSON data about resolved vulnerabilities
- Visual feedback in PR summaries and logs highlighting resolved vulnerabilities with positive messaging
- Support for both HTML (Action summaries) and Markdown (PR comments) formatting
Reviewed changes
Copilot reviewed 9 out of 11 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| src/schemas.ts | Adds ResolvedVulnerability and ResolvedVulnerabilities schemas with fields for tracking resolved vulnerability details |
| src/resolved-vulnerabilities.ts | New module implementing getResolvedVulnerabilities() to extract vulnerabilities from removed dependencies |
| src/summary.ts | Adds functions to display resolved vulnerabilities in summaries, with separate HTML/Markdown formatting; updates existing summary functions to include resolved vulnerabilities |
| src/main.ts | Integrates resolved vulnerabilities feature by computing them from changes and displaying them when vulnerability_check is enabled |
| tests/resolved-vulnerabilities.test.ts | Comprehensive test suite for the getResolvedVulnerabilities() function covering various scenarios |
| tests/summary.test.ts | Updates all existing tests to pass the new emptyResolvedVulnerabilities parameter |
| scripts/create_summary.ts | Updates summary creation script to include the new resolved vulnerabilities parameter |
| docs/examples.md | Adds documentation and example workflow for accessing the resolved-vulnerabilities output |
| README.md | Documents the new resolved-vulnerabilities output in the action outputs section |
| dist/index.js | Compiled distribution file reflecting all source code changes |
| const summaryListHtml: string[] = [ | ||
| // Add resolved vulnerabilities as positive feedback first | ||
| ...(resolvedVulnerabilities.length > 0 | ||
| ? [ | ||
| `${icons.check} <strong>${resolvedVulnerabilities.length}</strong> vulnerability(ies) resolved 🎉` | ||
| ] | ||
| : []), |
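Review bot: the label `vulnerability(ies)` in the resolved-count line reads awkwardly in the rendered summary; since the count is already in hand, derive the noun from it, e.g. `${n} ${n === 1 ? 'vulnerability' : 'vulnerabilities'} resolved`, so the HTML summary reads cleanly for both one and many resolved advisories.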
Copilot (AI), Dec 9, 2025
Resolved vulnerabilities are shown in the summary list even when config.vulnerability_check is disabled. This is inconsistent with the treatment of other vulnerability information. Consider wrapping this section with a check for config.vulnerability_check:

```typescript
...(config.vulnerability_check && resolvedVulnerabilities.length > 0
  ? [
      `${icons.check} <strong>${resolvedVulnerabilities.length}</strong> vulnerability(ies) resolved 🎉`
    ]
  : []),
```

| const summaryListMarkdown: string[] = [ | ||
| // Add resolved vulnerabilities as positive feedback first | ||
| ...(resolvedVulnerabilities.length > 0 | ||
| ? [ | ||
| `${icons.check} **${resolvedVulnerabilities.length}** vulnerability(ies) resolved 🎉` | ||
| ] | ||
| : []), |
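Review bot: `summaryListMarkdown` repeats `summaryListHtml` item by item with only the bold markup changed (`**` versus `<strong>`), so any later change to the wording or to the gating condition has to be made in two places and the two renderings can drift. Suggest building the list once through a small `bold: (s: string) => string` parameter (wrapping in `<strong>` for the Action summary and in `**` for the PR comment) and deriving both arrays from that single builder.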
Copilot (AI), Dec 9, 2025
Resolved vulnerabilities are shown in the markdown summary list even when config.vulnerability_check is disabled. This is inconsistent with the treatment of other vulnerability information. Consider wrapping this section with a check for config.vulnerability_check:

```typescript
...(config.vulnerability_check && resolvedVulnerabilities.length > 0
  ? [
      `${icons.check} **${resolvedVulnerabilities.length}** vulnerability(ies) resolved 🎉`
    ]
  : []),
```

| The `resolved-vulnerabilities` output is a JSON array containing information about vulnerabilities that were resolved by removing or upgrading packages. Each resolved vulnerability includes: | ||
| - `severity`: The severity level of the resolved vulnerability | ||
| - `advisory_ghsa_id`: The GitHub Advisory Database ID | ||
| - `advisory_summary`: A summary of the vulnerability | ||
| - `advisory_url`: URL to the advisory | ||
| - `package_name`: Name of the package that had the vulnerability | ||
| - `package_version`: Version of the package that had the vulnerability |
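Review bot: the field list in docs/examples.md does not show the shape a workflow consumer actually receives. Action outputs are strings, so a step has to parse this one with `fromJSON(steps.<id>.outputs.resolved-vulnerabilities)` before it can iterate the array; stating that next to the list, together with one example element carrying the six documented fields, would make the output usable without reading the source.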
Copilot (AI), Dec 9, 2025
The documentation states that resolved vulnerabilities are found "by removing or upgrading packages," but the implementation doesn't distinguish between these two scenarios. When a vulnerable package is completely removed (not upgraded to a safer version), treating this as a "resolved vulnerability" may be misleading. The vulnerability isn't technically resolved—the functionality may have been removed entirely or moved elsewhere.
Consider either:
- Updating the documentation to be more precise about what "resolved" means in this context
- Enhancing the logic to differentiate between packages that were upgraded (removed old version + added new version) vs. completely removed
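As an added illustration of the overview above and of the upgrade-versus-removal distinction raised in this comment (example code written for this page, not the action's own src/resolved-vulnerabilities.ts): a resolver that walks a dependency-review change set, reports advisories on removed package versions, tags each as `upgraded` when the same package reappears as an added change or `removed` when it does not, and skips advisories that the replacement version still carries. The Change and Vulnerability shapes and the extra `resolution` field are assumptions modelled on the output fields documented in this PR; the change set and GHSA ids are constructed placeholders.

```typescript
// Added example for this PR page, not the action's own code. Shapes below are
// assumptions modelled on the documented resolved-vulnerabilities output fields.
type Vulnerability = {severity: string; advisory_ghsa_id: string; advisory_summary: string; advisory_url: string}
type Change = {change_type: 'added' | 'removed'; ecosystem: string; name: string; version: string; vulnerabilities: Vulnerability[]}
// 'resolution' is not in the PR's schema; it records whether the package was
// upgraded (same package re-added at another version) or removed outright.
type ResolvedVulnerability = Vulnerability & {package_name: string; package_version: string; resolution: 'upgraded' | 'removed'}

function getResolvedVulnerabilities(changes: Change[]): ResolvedVulnerability[] {
  const key = (c: Change) => `${c.ecosystem}:${c.name}`
  // Index added packages so a removed version can be matched with its replacement.
  const added = new Map<string, Change>()
  for (const c of changes) if (c.change_type === 'added') added.set(key(c), c)
  const resolved: ResolvedVulnerability[] = []
  for (const c of changes) {
    if (c.change_type !== 'removed') continue
    const replacement = added.get(key(c))
    // An advisory the new version still carries is not resolved, so exclude it.
    const stillOpen = new Set((replacement?.vulnerabilities ?? []).map(v => v.advisory_ghsa_id))
    for (const v of c.vulnerabilities) {
      if (stillOpen.has(v.advisory_ghsa_id)) continue
      resolved.push({...v, package_name: c.name, package_version: c.version,
        resolution: replacement ? 'upgraded' : 'removed'})
    }
  }
  return resolved
}

// Constructed advisory stub; the GHSA ids are placeholders, not real advisories.
const vuln = (id: string, severity = 'high'): Vulnerability => ({severity, advisory_ghsa_id: id,
  advisory_summary: `constructed advisory ${id}`, advisory_url: `https://github.com/advisories/${id}`})

// Constructed change set: lodash upgraded and clean, minimist upgraded but still
// carrying one of two advisories, request removed outright, undici newly added.
const sampleChanges: Change[] = [
  {change_type: 'removed', ecosystem: 'npm', name: 'lodash', version: '4.17.15', vulnerabilities: [vuln('GHSA-EXAMPLE-0001')]},
  {change_type: 'added', ecosystem: 'npm', name: 'lodash', version: '4.17.21', vulnerabilities: []},
  {change_type: 'removed', ecosystem: 'npm', name: 'minimist', version: '1.2.0',
    vulnerabilities: [vuln('GHSA-EXAMPLE-0002', 'moderate'), vuln('GHSA-EXAMPLE-0003')]},
  {change_type: 'added', ecosystem: 'npm', name: 'minimist', version: '1.2.3', vulnerabilities: [vuln('GHSA-EXAMPLE-0003')]},
  {change_type: 'removed', ecosystem: 'npm', name: 'request', version: '2.88.0', vulnerabilities: [vuln('GHSA-EXAMPLE-0004', 'moderate')]},
  {change_type: 'added', ecosystem: 'npm', name: 'undici', version: '6.0.0', vulnerabilities: []}
]

// Summary line in the style of the PR, with the noun agreeing with the count.
function summaryLine(resolved: ResolvedVulnerability[]): string {
  const n = resolved.length
  return `${n} ${n === 1 ? 'vulnerability' : 'vulnerabilities'} resolved`
}
```

Running it over the constructed change set yields three resolved entries (lodash and minimist tagged `upgraded`, request tagged `removed`) and leaves out the minimist advisory that the new version still carries.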
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
This is a first attempt at #717 without any changes to the API