Updates for CLI release 1.2.0 and new authentication system (#2)

* Rebasing brad's changes in master into 1.2.0-rc1

* update to point to phylum-dev repo

* enable tmate

* disable tmate

* WIP - fix json parsing for 1.2.0-rc2

* Update README.md

* Update action.yml

* enable tmate

* disable tmate

* cleanup

Author: peterjmorgan

README.md

@@ -31,8 +31,7 @@ jobs:
           eng_threshold: 0.6
           lic_threshold: 0.6
           aut_threshold: 0.6
-          phylum_username: ${{ secrets.PHYLUM_USER }}
-          phylum_password: ${{ secrets.PHYLUM_PASS }}
+          phylum_token: ${{ secrets.PHYLUM_TOKEN }}
 ```
 
 ### Supported lockfiles:
@@ -43,7 +42,7 @@ jobs:
 
 ### Requirements:
 - active Phylum account ([Register here](https://app.phylum.io/auth/registration))
-- repository secrets defined: PHYLUM_USER and PHYLUM_PASS
+- repository secret defined: PHYLUM_TOKEN (extracted from Phylum CLI configuration file "offline_access")
 - concrete package versions (only applicable for requirements.txt)
 - existing Phylum project for repository (`.phylum_project` must be present)
 

action.yml

@@ -22,11 +22,8 @@ inputs:
   aut_threshold:
     description: "Author risk score threshold value"
     required: true
-  phylum_username:
-    description: "Phylum username"
-    required: true
-  phylum_password:
-    description: "Phylum password"
+  phylum_token:
+    description: "Phylum token"
     required: true
   phylum_version:
     description: "Phylum version"
@@ -38,10 +35,9 @@ runs:
   using: "composite"
   steps:
     - id: phylum-test
-      uses: phylum-dev/install-phylum-latest-action@master
+      uses: phylum-dev/install-phylum-latest-action@v1.3
       with:
-        phylum_username: ${{ inputs.phylum_username }}
-        phylum_password: ${{ inputs.phylum_password }}
+        phylum_token: ${{ inputs.phylum_token }}
         phylum_version: ${{ inputs.phylum_version }}
 
     - name: Check for existing project
@@ -103,8 +99,6 @@ runs:
           echo "[*] Analyzed ${{ steps.get-prtype.outputs.prtype }} under label ${PHYLUM_LABEL} and wrote results to ~/phylum_analysis.json"
         popd
 
-    # - name: Setup tmate session
-      # uses: mxschmitt/action-tmate@v3
 
     - name: python script analyze.py
       shell: bash
@@ -150,7 +144,6 @@ runs:
       with:
         issue-number: ${{ github.event.pull_request.number }}
         body: ${{ steps.get-comment-body.outputs.body }}
-        # comment-author: 'Phylum[bot]'
 
     - name: return 1 for risk analysis failure
       shell: bash

analyze.py

@@ -334,13 +334,13 @@ def check_risk_scores(self, package_json):
     def build_issues_list(self, package_json, issue_flags: list):
         issues = list()
         pkg_issues = package_json.get("issues")
-        pkg_vulns = package_json.get("vulnerabilities")
+        # pkg_vulns = package_json.get("vulnerabilities")
 
-        if 'vul' in issue_flags:
-            for vuln in pkg_vulns:
-                risk_level = vuln.get("risk_level")
-                title = vuln.get("title")
-                issues.append(('VUL', risk_level,title))
+        #  if 'vul' in issue_flags:
+            #  for vuln in pkg_vulns:
+                #  risk_level = vuln.get("risk_level")
+                #  title = vuln.get("title")
+                #  issues.append(('VUL', risk_level,title))
 
         for flag in issue_flags:
             for pkg_issue in pkg_issues: