import { z } from 'zod/v3';
import { logger } from '../../../logger/index.ts';
import { LooseArray } from '../../../util/schema-utils/index.ts';
/**
 * Package ecosystems this integration recognises in GitHub vulnerability
 * alerts. An alert whose `ecosystem` is not in this list is not treated as a
 * supported package (see `Package` below).
 */
const SUPPORTED_ECOSYSTEMS = [
  'actions',
  'composer',
  'go',
  'maven',
  'npm',
  'nuget',
  'pip',
  'rubygems',
  'rust',
] as const;

const Ecosystem = z.enum(SUPPORTED_ECOSYSTEMS);
export type Ecosystem = z.infer<typeof Ecosystem>;
/**
 * Package reference carried by a vulnerability alert.
 *
 * An unsupported `ecosystem` does not fail parsing: the `.catch` handler logs
 * the offending value at debug level and yields `undefined`. That means the
 * static type (`Ecosystem`) is narrower than the runtime value — the `as any`
 * below is what allows the gap. Consumers of this schema are expected to
 * filter on a truthy `ecosystem` (as `GithubVulnerabilityAlert` does in this
 * file); reusing `Package` elsewhere without such a filter would pass an
 * `undefined` ecosystem through under an `Ecosystem` type.
 */
const Package = z.object({
  ecosystem: Ecosystem.catch(({ input }) => {
    logger.debug(
      { ecosystem: input },
      'Skipping vulnerability alert with unsupported ecosystem',
    );
    // Deliberately returns a value outside `Ecosystem`; callers filter on it.
    return undefined as any;
  }),
  name: z.string(),
});
/** Version that fixes the vulnerability; accepted as `null` or absent. */
const FirstPatchedVersion = z.object({ identifier: z.string() });

/**
 * `security_vulnerability` entry of an alert. The entry as a whole may be
 * `null`; `vulnerable_version_range` is kept as the raw string GitHub sends.
 */
const SecurityVulnerability = z
  .object({
    first_patched_version: FirstPatchedVersion.nullable().optional(),
    package: Package,
    vulnerable_version_range: z.string(),
  })
  .nullable();
/** One `{ type, value }` identifier attached to an advisory. */
const AdvisoryIdentifier = z.object({ type: z.string(), value: z.string() });

/** One external reference of an advisory; only the URL is retained. */
const AdvisoryReference = z.object({ url: z.string() });

/** `security_advisory` entry of an alert; `references` may be absent. */
const SecurityAdvisory = z.object({
  description: z.string(),
  identifiers: z.array(AdvisoryIdentifier),
  references: z.array(AdvisoryReference).optional(),
});
/** Shape of a single alert as returned by GitHub, before any filtering. */
const VulnerabilityAlert = z.object({
  dismissed_reason: z.string().nullish(),
  security_advisory: SecurityAdvisory,
  security_vulnerability: SecurityVulnerability,
  dependency: z.object({
    manifest_path: z.string(),
  }),
});

/**
 * List of vulnerability alerts.
 *
 * Parsing is best-effort: an alert that does not match `VulnerabilityAlert`
 * is reported through `onError` at debug level and (presumably, given the
 * `LooseArray` helper) dropped instead of failing the whole response. Alerts
 * whose package ecosystem was not recognised (see `Package`) are removed by
 * the transform, so callers only ever see alerts with a usable ecosystem.
 * Both drops are silent above debug level — raise the log level if missing
 * alerts need to be diagnosed.
 */
export const GithubVulnerabilityAlert = LooseArray(VulnerabilityAlert, {
  onError: ({ error }) => {
    logger.debug(
      { error },
      'Vulnerability Alert: Failed to parse some alerts',
    );
  },
}).transform((alerts) => {
  // `ecosystem` is `undefined` at runtime when `Package`'s catch fired.
  return alerts.filter(
    (alert) => !!alert.security_vulnerability?.package?.ecosystem,
  );
});
export type GithubVulnerabilityAlert = z.infer<typeof GithubVulnerabilityAlert>;
// https://docs.github.com/en/rest/repos/contents?apiVersion=2022-11-28#get-repository-content

/** Fields every contents-API entry carries, whatever its `type`. */
const GithubResponseMetadata = z.object({ name: z.string(), path: z.string() });

/** Builds a contents-API entry schema tagged with the given `type` schema. */
const taggedEntry = <T extends z.ZodTypeAny>(type: T) =>
  GithubResponseMetadata.extend({ type });

/** A `type: 'file'` entry without its payload. */
export const GithubFileMeta = taggedEntry(z.literal('file'));
export type GithubFileMeta = z.infer<typeof GithubFileMeta>;

/**
 * A file entry with its payload. `content` is the raw string GitHub returned
 * and `encoding` names how it is encoded; neither is validated or decoded
 * here — the call site is responsible for honouring `encoding` (TODO confirm
 * which encodings callers handle).
 */
export const GithubFile = GithubFileMeta.extend({
  content: z.string(),
  encoding: z.string(),
});
export type GithubFile = z.infer<typeof GithubFile>;

/** A `type: 'dir'` entry. */
export const GithubDirectory = taggedEntry(z.literal('dir'));
export type GithubDirectory = z.infer<typeof GithubDirectory>;

/** Entries this integration does not descend into: symlinks and submodules. */
export const GithubOtherContent = taggedEntry(
  z.union([z.literal('symlink'), z.literal('submodule')]),
);
export type GithubOtherContent = z.infer<typeof GithubOtherContent>;

/**
 * Any single contents-API entry. Order matters: `GithubFile` is tried before
 * `GithubFileMeta` so a file that includes `content` keeps it.
 */
export const GithubElement = z.union([
  GithubFile,
  GithubFileMeta,
  GithubDirectory,
  GithubOtherContent,
]);
export type GithubElement = z.infer<typeof GithubElement>;

/** The endpoint returns a list for a directory and a single entry otherwise. */
export const GithubContentResponse = z.union([
  z.array(GithubElement),
  GithubElement,
]);
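/**
 * Subset of a branch-protection response this integration reads.
 *
 * `required_status_checks` may be `null` or absent; `.nullish()` already
 * covers both (it is `optional(nullable(...))`), so the previous trailing
 * `.optional()` was redundant and has been dropped — the accepted inputs and
 * the inferred type are unchanged.
 */
export const GithubBranchProtection = z.object({
  required_status_checks: z
    .object({
      strict: z.boolean(),
    })
    .nullish(),
});
export type GithubBranchProtection = z.infer<typeof GithubBranchProtection>;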
/** Ruleset rule forbidding non-fast-forward pushes. */
const NonFastForwardRule = z.object({
  type: z.literal('non_fast_forward'),
});

/** Ruleset rule requiring status checks; `strict_required_status_checks_policy` may be absent. */
const RequiredStatusChecksRule = z.object({
  type: z.literal('required_status_checks'),
  parameters: z.object({
    strict_required_status_checks_policy: z.boolean().optional(),
  }),
});

// prevents deletion
const DeletionRule = z.object({
  type: z.literal('deletion'),
});

/** Rule variants this integration inspects, discriminated on `type`. */
const GithubRulesetRule = z.discriminatedUnion('type', [
  NonFastForwardRule,
  RequiredStatusChecksRule,
  DeletionRule,
]);

/**
 * Rules of a branch ruleset. NOTE(review): `LooseArray` is used without an
 * `onError` handler, so rules of any other `type` appear to be dropped
 * without any log line — confirm against the helper before relying on this
 * list being complete.
 */
export const GithubBranchRulesets = LooseArray(GithubRulesetRule);
export type GithubBranchRulesets = z.infer<typeof GithubBranchRulesets>;