fix: prevent jq empty from dropping Dependabot alerts without CVE IDs

msukkari · claude · msukkari · commit da4cc71ffa22 · 2026-04-20T17:55:49.000-07:00
The jq extraction used `// empty` for cve_id and ghsa_id fields, which
silently drops the entire alert object when the field is null. Many
Dependabot alerts (especially in Go repos) only have a GHSA ID and no
CVE ID, causing all such alerts to be filtered out. Changed to
`// null` to preserve all alerts regardless of which ID fields are
populated. Also added debug logging to the fetch step.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/vulnerability-triage.yml b/.github/workflows/vulnerability-triage.yml
@@ -286,22 +286,25 @@ jobs:
               -H "Authorization: Bearer $DEPENDABOT_PAT" \
               "$URL")
 
+            echo "Dependabot API response: HTTP $HTTP_CODE"
             if [ "$HTTP_CODE" != "200" ]; then
               echo "::warning::Failed to fetch Dependabot alerts (HTTP $HTTP_CODE). Writing empty results."
+              echo "Response body: $(cat /tmp/dependabot-body.json | head -c 500)"
               echo "[]" > dependabot-alerts.json
               exit 0
             fi
 
             BODY=$(cat /tmp/dependabot-body.json)
             COUNT=$(echo "$BODY" | jq 'length')
+            echo "Page returned $COUNT alert(s)"
             if [ "$COUNT" -eq 0 ]; then
               break
             fi
 
             EXTRACTED=$(echo "$BODY" | jq '[.[] | {
               id: (.security_advisory.cve_id // .security_advisory.ghsa_id // ""),
-              cve_id: (.security_advisory.cve_id // empty),
-              ghsa_id: (.security_advisory.ghsa_id // empty),
+              cve_id: (.security_advisory.cve_id // null),
+              ghsa_id: (.security_advisory.ghsa_id // null),
               severity: (.security_advisory.severity // "medium"),
               summary: (.security_advisory.summary // ""),
               description: (.security_advisory.description // ""),
@@ -312,14 +315,17 @@ jobs:
               first_patched_version: (.security_vulnerability.first_patched_version.identifier // "")
             }]')
 
+            EXTRACTED_COUNT=$(echo "$EXTRACTED" | jq 'length')
+            echo "Extracted $EXTRACTED_COUNT alert(s) after parsing"
+
             ALL_ALERTS=$(echo "$ALL_ALERTS" "$EXTRACTED" | jq -s '.[0] + .[1]')
 
             # Parse Link header for next page URL (cursor-based pagination)
             URL=$(sed -n 's/.*<\([^>]*\)>; *rel="next".*/\1/p' /tmp/dependabot-headers.txt || true)
           done
 
           ALERT_COUNT=$(echo "$ALL_ALERTS" | jq 'length')
-          echo "Fetched $ALERT_COUNT Dependabot alert(s)"
+          echo "Fetched $ALERT_COUNT Dependabot alert(s) total"
           echo "$ALL_ALERTS" > dependabot-alerts.json
 
       - name: Write Dependabot fetch summary
