
Commit 1a503a0

Merge pull request #514 from github-community-projects/fix/validate-exempt-ecosystems
fix: validate EXEMPT_ECOSYSTEMS against supported package ecosystems
2 parents a631988 + b384c04 commit 1a503a0


3 files changed

+97
-18
lines changed

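--- a/README.md
+++ b/README.md
@@ -129,7 +129,7 @@ The needed GitHub app permissions are the following under `Repository permission
 | `FILTER_VISIBILITY` | False | "public,private,internal" | Use this flag to filter repositories in scope by their visibility (`public`, `private`, `internal`). By default all repository are targeted. ex: to ignore public repositories set this value to `private,internal`. |
 | `BATCH_SIZE` | False | None | Set this to define the maximum amount of eligible repositories for every run. This is useful if you are targeting large organizations and you don't want to flood repositories with pull requests / issues. ex: if you want to target 20 repositories per time, set this to 20. |
 | `ENABLE_SECURITY_UPDATES` | False | true | If set to true, Evergreen will enable [Dependabot security updates](https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates) on target repositories. Note that the GitHub token needs to have the `administration:write` permission on every repository in scope to successfully enable security updates. |
-| `EXEMPT_ECOSYSTEMS` | False | "" | A list of [package ecosystems](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#package-ecosystem) to exempt from the generated dependabot configuration. To ignore ecosystems set this to one or more of `bundler`,`cargo`, `composer`, `pip`, `docker`, `npm`, `gomod`, `mix`, `nuget`, `maven`, `github-actions` and `terraform`. ex: if you don't want Dependabot to update Dockerfiles and Github Actions you can set this to `docker,github-actions`. |
+| `EXEMPT_ECOSYSTEMS` | False | "" | A list of [package ecosystems](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#package-ecosystem) to exempt from the generated dependabot configuration. To ignore ecosystems set this to one or more of `bundler`, `cargo`, `composer`, `devcontainers`, `docker`, `github-actions`, `gomod`, `gradle`, `maven`, `mix`, `npm`, `nuget`, `pip` and `terraform`. Unrecognized values will raise a `ValueError`. ex: if you don't want Dependabot to update Dockerfiles and Github Actions you can set this to `docker,github-actions`. |
 | `REPO_SPECIFIC_EXEMPTIONS` | False | "" | A list of repositories that should be exempt from specific package ecosystems similar to EXEMPT_ECOSYSTEMS but those apply to all repositories. ex: `org1/repo1:docker,github-actions;org1/repo2:pip` would set exempt_ecosystems for `org1/repo1` to be `['docker', 'github-actions']`, and for `org1/repo2` it would be `['pip']`, while for every other repository evaluated, it would be set by the env variable `EXEMPT_ECOSYSTEMS`. NOTE: If you want specific exemptions to be added on top of the already specified global exemptions, you need to add the global exemptions to each repo specific exemption. |
 | `SCHEDULE` | False | `weekly` | Schedule interval by which to check for dependency updates via Dependabot. Allowed values are `daily`, `weekly`, or `monthly` |
 | `SCHEDULE_DAY` | False | '' | Scheduled day by which to check for dependency updates via Dependabot. Allowed values are days of the week full names (i.e., `monday`) |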

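--- a/env.py
+++ b/env.py
@@ -12,6 +12,23 @@
 MAX_BODY_LENGTH = 65536
 MAX_COMMIT_MESSAGE_LENGTH = 65536
 
+SUPPORTED_PACKAGE_ECOSYSTEMS = [
+"bundler",
+"cargo",
+"composer",
+"devcontainers",
+"docker",
+"github-actions",
+"gomod",
+"gradle",
+"maven",
+"mix",
+"npm",
+"nuget",
+"pip",
+"terraform",
+]
+
 
 def get_bool_env_var(env_var_name: str, default: bool = False) -> bool:
 """Get a boolean environment variable.
@@ -73,20 +90,8 @@ def parse_repo_specific_exemptions(repo_specific_exemptions_str: str) -> dict:
 repo, ecosystems = exemption.split(":")
 cleaned_ecosystems = []
 for ecosystem in ecosystems.split(","):
-ecosystem = ecosystem.strip()
-if ecosystem not in [
-"bundler",
-"cargo",
-"composer",
-"docker",
-"github-actions",
-"gomod",
-"mix",
-"npm",
-"nuget",
-"pip",
-"terraform",
-]:
+ecosystem = ecosystem.strip().lower()
+if ecosystem not in SUPPORTED_PACKAGE_ECOSYSTEMS:
 raise ValueError(
 "REPO_SPECIFIC_EXEMPTIONS environment variable not formatted correctly. Unrecognized package-ecosystem."
 )
@@ -297,9 +302,15 @@ def get_env_vars(
 exempt_ecosystems = os.getenv("EXEMPT_ECOSYSTEMS")
 exempt_ecosystems_list = []
 if exempt_ecosystems:
-exempt_ecosystems_list = [
-ecosystem.lower().strip() for ecosystem in exempt_ecosystems.split(",")
-]
+for ecosystem in exempt_ecosystems.split(","):
+ecosystem = ecosystem.lower().strip()
+if not ecosystem:
+continue
+if ecosystem not in SUPPORTED_PACKAGE_ECOSYSTEMS:
+raise ValueError(
+f"EXEMPT_ECOSYSTEMS environment variable contains an unrecognized package-ecosystem: '{ecosystem}'."
+)
+exempt_ecosystems_list.append(ecosystem)
 
 project_id = os.getenv("PROJECT_ID")
 if project_id and not project_id.isnumeric():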
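Review bot: The two validation paths now disagree on empty tokens and on error detail: in the get_env_vars hunk an empty item (a trailing comma) is skipped and the ValueError names the offending value, while in the parse_repo_specific_exemptions hunk a value such as `org1/repo1:docker,` raises the generic "Unrecognized package-ecosystem." message without saying which token failed, so an operator has to guess which entry of a long REPO_SPECIFIC_EXEMPTIONS string is wrong. Adding `if not ecosystem:` / `continue` before the membership test and interpolating the value, e.g. `f"REPO_SPECIFIC_EXEMPTIONS environment variable not formatted correctly. Unrecognized package-ecosystem: '{ecosystem}'."`, would make both paths behave the same (any existing test that asserts the exact old message would need the same update). parse_repo_specific_exemptions starts before its hunk and get_env_vars starts before the last hunk. As a smaller point, `SUPPORTED_PACKAGE_ECOSYSTEMS` is a module-level allow-list that importers could mutate; a `frozenset` (or tuple) would make it read-only and turns the membership test into an O(1) lookup.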

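--- a/test_env.py
+++ b/test_env.py
@@ -904,6 +904,74 @@ def test_get_env_vars_with_repos_exempt_ecosystems(self):
 "Enable Dependabot",
 "Dependabot could be enabled for this repository. \
 Please enable it by merging this pull request so that \
+we can keep our dependencies up to date and secure.",
+"",
+False,
+"Create/Update dependabot.yaml",
+None,
+False,
+["private", "public"],
+None, # batch_size
+False, # enable_security_updates
+["gomod", "docker"], # exempt_ecosystems
+False, # update_existing
+{}, # repo_specific_exemptions
+"weekly", # schedule
+"", # schedule_day
+None, # team_name
+[], # labels
+None,
+)
+result = get_env_vars(True)
+self.assertEqual(result, expected_result)
+
+@patch.dict(
+os.environ,
+{
+"ORGANIZATION": "my_organization",
+"GH_TOKEN": "my_token",
+"EXEMPT_ECOSYSTEMS": "gomod,docekr",
+},
+clear=True,
+)
+def test_get_env_vars_exempt_ecosystems_unsupported_ecosystem(self):
+"""Test that EXEMPT_ECOSYSTEMS raises ValueError for unrecognized ecosystems"""
+with self.assertRaises(ValueError) as cm:
+get_env_vars(True)
+the_exception = cm.exception
+self.assertEqual(
+str(the_exception),
+"EXEMPT_ECOSYSTEMS environment variable contains an unrecognized package-ecosystem: 'docekr'.",
+)
+
+@patch.dict(
+os.environ,
+{
+"ORGANIZATION": "my_organization",
+"GH_TOKEN": "my_token",
+"ENABLE_SECURITY_UPDATES": "false",
+"FILTER_VISIBILITY": "private,public",
+"EXEMPT_ECOSYSTEMS": "gomod,docker,",
+},
+clear=True,
+)
+def test_get_env_vars_exempt_ecosystems_trailing_comma(self):
+"""Test that EXEMPT_ECOSYSTEMS tolerates trailing commas"""
+expected_result = (
+"my_organization",
+[],
+"", # search_query
+None,
+None,
+b"",
+False,
+"my_token",
+"",
+[],
+"pull",
+"Enable Dependabot",
+"Dependabot could be enabled for this repository. \
+Please enable it by merging this pull request so that \
 we can keep our dependencies up to date and secure.",
 "",
 False,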
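Review bot: The new tests cover an unknown ecosystem and a trailing comma, but nothing here exercises the case-normalisation that the same commit applies in env.py — an input such as `"EXEMPT_ECOSYSTEMS": "GoMod, Docker"` should be accepted and yield `["gomod", "docker"]`, and a mixed-case REPO_SPECIFIC_EXEMPTIONS value, which the env.py hunk now lower-cases before validating, is not tested at all as far as this section shows. A third case mirroring test_get_env_vars_exempt_ecosystems_trailing_comma with that input would pin the accepted spelling, and a parse_repo_specific_exemptions test with `"org1/repo1:Docker"` would cover the other path. On style, both new tests repeat the long positional expected_result tuple verbatim, so every field added to get_env_vars' return value will break them; a small helper that builds the default tuple and accepts keyword overrides would keep each test to the fields it actually varies. The hunk opens inside test_get_env_vars_with_repos_exempt_ecosystems and the last test's expected_result continues past its end.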
