@fabasoad/sarif-to-slack 1.2.0 → 1.2.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.github/workflows/security.yml +10 -2
- package/.github/workflows/send-sarif-to-slack.yml +6 -1
- package/.tool-versions +1 -1
- package/dist/SarifToSlackClient.d.ts +3 -4
- package/dist/SarifToSlackClient.d.ts.map +1 -1
- package/dist/SarifToSlackClient.js +4 -5
- package/dist/index.cjs +34 -21
- package/dist/model/Color.d.ts +2 -3
- package/dist/model/Color.d.ts.map +1 -1
- package/dist/model/Color.js +29 -19
- package/dist/representations/CompactGroupByRepresentation.js +1 -1
- package/dist/representations/CompactGroupByRunPerLevelRepresentation.js +1 -1
- package/dist/representations/CompactGroupByRunPerSeverityRepresentation.js +1 -1
- package/dist/representations/CompactGroupByRunRepresentation.js +1 -1
- package/dist/representations/CompactGroupBySarifRepresentation.js +1 -1
- package/dist/representations/CompactGroupByToolNameRepresentation.js +1 -1
- package/dist/representations/CompactTotalRepresentation.js +1 -1
- package/dist/sarif-to-slack.d.ts +5 -7
- package/package.json +2 -2
- package/src/SarifToSlackClient.ts +4 -5
- package/src/model/Color.ts +30 -22
- package/src/representations/CompactGroupByRepresentation.ts +1 -1
- package/src/representations/CompactGroupByRunPerLevelRepresentation.ts +1 -1
- package/src/representations/CompactGroupByRunPerSeverityRepresentation.ts +1 -1
- package/src/representations/CompactGroupByRunRepresentation.ts +1 -1
- package/src/representations/CompactGroupBySarifRepresentation.ts +1 -1
- package/src/representations/CompactGroupByToolNameRepresentation.ts +1 -1
- package/src/representations/CompactTotalRepresentation.ts +1 -1
- package/test-data/sarif/osv-scanner-yarn.sarif +4 -4
- package/tests/integration/SendSarifToSlack.spec.ts +21 -4
|
@@ -6,6 +6,14 @@ on: # yamllint disable-line rule:truthy
|
|
|
6
6
|
push:
|
|
7
7
|
branches:
|
|
8
8
|
- main
|
|
9
|
+
workflow_dispatch:
|
|
10
|
+
inputs:
|
|
11
|
+
security-type:
|
|
12
|
+
description: What Security scanning you would like to run?
|
|
13
|
+
required: false
|
|
14
|
+
default: "all"
|
|
15
|
+
type: choice
|
|
16
|
+
options: ["all", "sca", "code-scanning"]
|
|
9
17
|
|
|
10
18
|
jobs:
|
|
11
19
|
sast:
|
|
@@ -15,5 +23,5 @@ jobs:
|
|
|
15
23
|
security-events: write
|
|
16
24
|
uses: fabasoad/reusable-workflows/.github/workflows/wf-security-sast.yml@main
|
|
17
25
|
with:
|
|
18
|
-
code-scanning:
|
|
19
|
-
sca:
|
|
26
|
+
code-scanning: ${{ (inputs.security-type || 'all') == 'all' || inputs.security-type == 'code-scanning' }}
|
|
27
|
+
sca: ${{ (inputs.security-type || 'all') == 'all' || inputs.security-type == 'sca' }}
|
|
@@ -281,8 +281,13 @@ jobs:
|
|
|
281
281
|
SARIF_TO_SLACK_USERNAME: "${{ inputs.username }}"
|
|
282
282
|
SARIF_TO_SLACK_ICON_URL: "https://cdn-icons-png.flaticon.com/512/9070/9070006.png"
|
|
283
283
|
SARIF_TO_SLACK_COLOR: "${{ inputs.color }}"
|
|
284
|
-
|
|
284
|
+
SARIF_TO_SLACK_COLOR_EMPTY: "#008000"
|
|
285
|
+
SARIF_TO_SLACK_SARIF_PATH: "test-data/sarif/${{ steps.sarif-file.outputs.value }}"
|
|
286
|
+
SARIF_TO_SLACK_SARIF_PATH_RECURSIVE: "false"
|
|
287
|
+
SARIF_TO_SLACK_SARIF_FILE_EXTENSION: "sarif"
|
|
285
288
|
SARIF_TO_SLACK_LOG_LEVEL: "${{ inputs.log-level }}"
|
|
289
|
+
SARIF_TO_SLACK_LOG_TEMPLATE: "[{{logLevelName}}] [{{name}}] {{dateIsoStr}} "
|
|
290
|
+
SARIF_TO_SLACK_LOG_COLORED: "true"
|
|
286
291
|
SARIF_TO_SLACK_HEADER: "${{ inputs.header }}"
|
|
287
292
|
SARIF_TO_SLACK_FOOTER: "${{ inputs.footer }}"
|
|
288
293
|
SARIF_TO_SLACK_ACTOR: "${{ inputs.actor }}"
|
package/.tool-versions
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
nodejs 24.
|
|
1
|
+
nodejs 24.6.0
|
|
@@ -14,11 +14,10 @@ export declare class SarifToSlackClient {
|
|
|
14
14
|
/**
|
|
15
15
|
* The main function to initialize a list of {@link SlackMessage} objects based
|
|
16
16
|
* on the given SARIF file(s).
|
|
17
|
-
* @param sarifModel An instance of
|
|
18
|
-
* @param opts An instance of {@link SarifToSlackClientOptions} object.
|
|
17
|
+
* @param sarifModel - An instance of SarifModel object.
|
|
18
|
+
* @param opts - An instance of {@link SarifToSlackClientOptions} object.
|
|
19
19
|
* @returns A map where key is the SARIF file and value is an instance of
|
|
20
|
-
* {@link SlackMessage} object
|
|
21
|
-
* @private
|
|
20
|
+
* {@link SlackMessage} object.
|
|
22
21
|
*/
|
|
23
22
|
private static initialize;
|
|
24
23
|
/**
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"SarifToSlackClient.d.ts","sourceRoot":"","sources":["../src/SarifToSlackClient.ts"],"names":[],"mappings":"AAGA,OAAO,EAKL,yBAAyB,EAG1B,MAAM,SAAS,CAAA;AAWhB;;;GAGG;AACH,qBAAa,kBAAkB;IAC7B,OAAO,CAAC,QAAQ,CAAC,CAAc;IAC/B,OAAO,CAAC,WAAW,CAAC,CAAY;IAEhC,OAAO,CAAC,OAAO,CAAwB;IAEvC,OAAO;IAKP,OAAO,CAAC,MAAM,CAAE,oBAAoB;WAOhB,MAAM,CAAC,IAAI,EAAE,yBAAyB,GAAG,OAAO,CAAC,kBAAkB,CAAC;mBAQnE,UAAU;IAgC/B
|
|
1
|
+
{"version":3,"file":"SarifToSlackClient.d.ts","sourceRoot":"","sources":["../src/SarifToSlackClient.ts"],"names":[],"mappings":"AAGA,OAAO,EAKL,yBAAyB,EAG1B,MAAM,SAAS,CAAA;AAWhB;;;GAGG;AACH,qBAAa,kBAAkB;IAC7B,OAAO,CAAC,QAAQ,CAAC,CAAc;IAC/B,OAAO,CAAC,WAAW,CAAC,CAAY;IAEhC,OAAO,CAAC,OAAO,CAAwB;IAEvC,OAAO;IAKP,OAAO,CAAC,MAAM,CAAE,oBAAoB;WAOhB,MAAM,CAAC,IAAI,EAAE,yBAAyB,GAAG,OAAO,CAAC,kBAAkB,CAAC;mBAQnE,UAAU;IAgC/B;;;;;;;OAOG;mBACkB,UAAU;IAyB/B;;;;;OAKG;IACU,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAelC,OAAO,KAAK,iBAAiB,GAyD5B;CACF"}
|
|
@@ -67,11 +67,10 @@ export class SarifToSlackClient {
|
|
|
67
67
|
/**
|
|
68
68
|
* The main function to initialize a list of {@link SlackMessage} objects based
|
|
69
69
|
* on the given SARIF file(s).
|
|
70
|
-
* @param sarifModel An instance of
|
|
71
|
-
* @param opts An instance of {@link SarifToSlackClientOptions} object.
|
|
70
|
+
* @param sarifModel - An instance of SarifModel object.
|
|
71
|
+
* @param opts - An instance of {@link SarifToSlackClientOptions} object.
|
|
72
72
|
* @returns A map where key is the SARIF file and value is an instance of
|
|
73
|
-
* {@link SlackMessage} object
|
|
74
|
-
* @private
|
|
73
|
+
* {@link SlackMessage} object.
|
|
75
74
|
*/
|
|
76
75
|
static async initialize(sarifModel, opts) {
|
|
77
76
|
const message = createSlackMessage(opts.webhookUrl, {
|
|
@@ -173,4 +172,4 @@ export class SarifToSlackClient {
|
|
|
173
172
|
}
|
|
174
173
|
}
|
|
175
174
|
}
|
|
176
|
-
//# sourceMappingURL=data:application/json;base64,
|
|
175
|
+
//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiU2FyaWZUb1NsYWNrQ2xpZW50LmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vc3JjL1NhcmlmVG9TbGFja0NsaWVudC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQSxPQUFPLEVBQUUsUUFBUSxJQUFJLEVBQUUsRUFBRSxNQUFNLElBQUksQ0FBQTtBQUVuQyxPQUFPLE1BQU0sTUFBTSxVQUFVLENBQUE7QUFDN0IsT0FBTyxFQU1MLGFBQWEsRUFDYixnQkFBZ0IsRUFDakIsTUFBTSxTQUFTLENBQUE7QUFDaEIsT0FBTyxNQUFNLE1BQU0sVUFBVSxDQUFBO0FBQzdCLE9BQU8sRUFBRSxrQkFBa0IsRUFBRSxNQUFNLG1CQUFtQixDQUFBO0FBQ3RELE9BQU8sRUFBRSxvQkFBb0IsRUFBRSxNQUFNLHlDQUF5QyxDQUFBO0FBQzlFLE9BQU8sRUFBRSxhQUFhLEVBQUUsTUFBTSxpQkFBaUIsQ0FBQTtBQUMvQyxPQUFPLEVBQUUsaUJBQWlCLEVBQUUsdUJBQXVCLEVBQUUsTUFBTSxvQkFBb0IsQ0FBQTtBQUMvRSxPQUFPLEVBQUUsYUFBYSxFQUFFLE1BQU0sZUFBZSxDQUFBO0FBQzdDLE9BQU8sWUFBWSxNQUFNLHNCQUFzQixDQUFBO0FBQy9DLE9BQU8sRUFBRSxrQkFBa0IsRUFBZ0IsTUFBTSxzQkFBc0IsQ0FBQTtBQUN2RSxPQUFPLEVBQUUsTUFBTSxFQUFFLGdCQUFnQixFQUFFLE1BQU0sZ0JBQWdCLENBQUE7QUFFekQ7OztHQUdHO0FBQ0gsTUFBTSxPQUFPLGtCQUFrQjtJQUNyQixRQUFRLENBQWU7SUFDdkIsV0FBVyxDQUFhO0lBRXhCLE9BQU8sR0FBVyxNQUFNLENBQUMsTUFBTSxDQUFBO0lBRXZDLFlBQW9CLEdBQWdCO1FBQ2xDLE1BQU0sQ0FBQyxVQUFVLENBQUMsR0FBRyxDQUFDLENBQUE7UUFDdEIsTUFBTSxDQUFDLFVBQVUsRUFBRSxDQUFBO0lBQ3JCLENBQUM7SUFFTyxNQUFNLENBQUMsQ0FBQyxvQkFBb0I7UUFDbEMsSUFBSSxLQUFLLEdBQVcsQ0FBQyxDQUFBO1FBQ3JCLE9BQU8sSUFBSSxFQUFFLENBQUM7WUFDWixNQUFNLEtBQUssRUFBRSxDQUFBO1FBQ2YsQ0FBQztJQUNILENBQUM7SUFFTSxNQUFNLENBQUMsS0FBSyxDQUFDLE1BQU0sQ0FBQyxJQUErQjtRQUN4RCxNQUFNLFFBQVEsR0FBRyxJQUFJLGtCQUFrQixDQUFDLElBQUksQ0FBQyxHQUFHLENBQUMsQ0FBQTtRQUNqRCxRQUFRLENBQUMsT0FBTyxHQUFHLElBQUksQ0FBQyxNQUFNLElBQUksUUFBUSxDQUFDLE9BQU8sQ0FBQTtRQUNsRCxRQUFRLENBQUMsV0FBVyxHQUFHLE1BQU0sa0JBQWtCLENBQUMsVUFBVSxDQUFDLElBQUksQ0FBQyxLQUFLLENBQUMsQ0FBQTtRQUN0RSxRQUFRLENBQUMsUUFBUSxHQUFHLE1BQU0sa0JBQWtCLENBQUMsVUFBVSxDQUFDLFFBQVEsQ0FBQyxXQUFXLEVBQUUsSUFBSSxDQUFDLENBQUE7UUFDbkYsT0FBTyxRQUFRLENBQUE7SUFDakIsQ0FBQztJQUVPLE1BQU0sQ0FBQyxLQUFLLENBQUMsVUFBVSxDQUFDLFNBQXVCO1FBQ3JELE1BQU0sVUFBVSxHQUFhLGtCQUFrQixDQUFDLFNBQVMsQ0FBQyxDQUFBO1FBQzFELElBQUksVUFBVSxDQUFDLE1BQU0sS0FBSyxDQUFDLEVBQUUsQ0FBQztZQUM1QixNQUFNLElBQUksS0FBSyxDQUFDLDhDQUE4QyxTQUFTLENBQUMsSUFBSSxFQUFFLENBQUMsQ0FBQTtRQUNqRixDQUFDO1FBRUQsTUFBTSxLQUFLLEdBQWUsRUFBRSxVQUFVLEVBQUUsSUFBSSxFQUFFLEVBQUUsRUFBRSxRQUFRLEVBQUUsSUFBSSxZQUFZLEVBQUUsRUFBRSxDQUFBO1FBQ2hGLE1BQU0sY0FBYyxHQUFzQixrQkFBa0IsQ0FBQyxvQkFBb0IsRUFBRSxDQUFBO1FBQ25GLEtBQUssTUFBTSxTQUFTLElBQUksVUFBVSxFQUFFLENBQUM7WUFDbkMsTUFBTSxTQUFTLEdBQVcsTUFBTSxFQUFFLENBQUMsUUFBUSxDQUFDLFNBQVMsRUFBRSxNQUFNLENBQUMsQ0FBQTtZQUM5RCxNQUFNLFFBQVEsR0FBUSxJQUFJLENBQUMsS0FBSyxDQUFDLFNBQVMsQ0FBUSxDQUFBO1lBRWxELEtBQUssTUFBTSxHQUFHLElBQUksUUFBUSxDQUFDLElBQUksRUFBRSxDQUFDO2dCQUNoQyxNQUFNLEtBQUssR0FBMkIsY0FBYyxDQUFDLElBQUksRUFBRSxDQUFBO2dCQUMzRCxJQUFJLFdBQVcsR0FBd0IsU0FBUyxDQUFBO2dCQUNoRCxLQUFLLE1BQU0sTUFBTSxJQUFJLEdBQUcsQ0FBQyxPQUFPLElBQUksRUFBRSxFQUFFLENBQUM7b0JBQ3ZDLFdBQVcsR0FBRzt3QkFDWixFQUFFLEVBQUUsS0FBSyxDQUFDLEtBQUs7d0JBQ2YsR0FBRzt3QkFDSCxRQUFRLEVBQUUsaUJBQWlCLENBQUMsR0FBRyxFQUFFLE1BQU0sQ0FBQyxDQUFDLElBQUk7cUJBQzlDLENBQUE7b0JBQ0QsS0FBSyxDQUFDLFFBQVEsQ0FBQyxJQUFJLENBQUMsYUFBYSxDQUFDLEVBQUUsU0FBUyxFQUFFLE1BQU0sRUFBRSxXQUFXLEVBQUUsQ0FBQyxDQUFDLENBQUE7Z0JBQ3hFLENBQUM7Z0JBQ0QsV0FBVyxLQUFLO29CQUNkLEVBQUUsRUFBRSxLQUFLLENBQUMsS0FBSyxFQUFFLEdBQUcsRUFBRSxRQUFRLEVBQUUsdUJBQXVCLENBQUMsR0FBRyxDQUFDLENBQUMsSUFBSTtpQkFDbEUsQ0FBQTtnQkFDRCxLQUFLLENBQUMsSUFBSSxDQUFDLElBQUksQ0FBQyxXQUFXLENBQUMsQ0FBQTtZQUM5QixDQUFDO1FBQ0gsQ0FBQztRQUNELE9BQU8sS0FBSyxDQUFBO0lBQ2QsQ0FBQztJQUVEOzs7Ozs7O09BT0c7SUFDSyxNQUFNLENBQUMsS0FBSyxDQUFDLFVBQVUsQ0FDN0IsVUFBc0IsRUFDdEIsSUFBaUU7UUFFakUsTUFBTSxPQUFPLEdBQWlCLGtCQUFrQixDQUFDLElBQUksQ0FBQyxVQUFVLEVBQUU7WUFDaEUsUUFBUSxFQUFFLElBQUksQ0FBQyxRQUFRO1lBQ3ZCLE9BQU8sRUFBRSxJQUFJLENBQUMsT0FBTztZQUNyQixLQUFLLEVBQUUsYUFBYSxDQUFDLFVBQVUsQ0FBQyxRQUFRLEVBQUUsSUFBSSxDQUFDLEtBQUssQ0FBQztZQUNyRCxjQUFjLEVBQUUsb0JBQW9CLENBQUMsVUFBVSxFQUFFLElBQUksQ0FBQyxjQUFjLENBQUM7U0FDdEUsQ0FBQyxDQUFBO1FBQ0YsSUFBSSxJQUFJLENBQUMsTUFBTSxFQUFFLE9BQU8sRUFBRSxDQUFDO1lBQ3pCLE9BQU8sQ0FBQyxVQUFVLENBQUMsSUFBSSxDQUFDLE1BQU0sRUFBRSxLQUFLLENBQUMsQ0FBQTtRQUN4QyxDQUFDO1FBQ0QsSUFBSSxJQUFJLENBQUMsTUFBTSxFQUFFLE9BQU8sRUFBRSxDQUFDO1lBQ3pCLE9BQU8sQ0FBQyxVQUFVLENBQUMsSUFBSSxDQUFDLE1BQU0sRUFBRSxLQUFLLEVBQUUsSUFBSSxDQUFDLE1BQU0sRUFBRSxJQUFJLENBQUMsQ0FBQTtRQUMzRCxDQUFDO1FBQ0QsSUFBSSxJQUFJLENBQUMsS0FBSyxFQUFFLE9BQU8sRUFBRSxDQUFDO1lBQ3hCLE9BQU8sQ0FBQyxTQUFTLENBQUMsSUFBSSxDQUFDLEtBQUssRUFBRSxLQUFLLENBQUMsQ0FBQTtRQUN0QyxDQUFDO1FBQ0QsSUFBSSxJQUFJLENBQUMsR0FBRyxFQUFFLE9BQU8sRUFBRSxDQUFDO1lBQ3RCLE9BQU8sQ0FBQyxPQUFPLEVBQUUsQ0FBQTtRQUNuQixDQUFDO1FBQ0QsT0FBTyxPQUFPLENBQUE7SUFDaEIsQ0FBQztJQUVEOzs7OztPQUtHO0lBQ0ksS0FBSyxDQUFDLElBQUk7UUFDZixJQUFJLElBQUksQ0FBQyxXQUFXLElBQUksSUFBSSxFQUFFLENBQUM7WUFDN0IsTUFBTSxJQUFJLEtBQUssQ0FBQyxnQ0FBZ0MsQ0FBQyxDQUFBO1FBQ25ELENBQUM7UUFDRCxJQUFJLElBQUksQ0FBQyxpQkFBaUIsRUFBRSxDQUFDO1lBQzNCLElBQUksSUFBSSxDQUFDLFFBQVEsSUFBSSxJQUFJLEVBQUUsQ0FBQztnQkFDMUIsTUFBTSxJQUFJLEtBQUssQ0FBQyxpQ0FBaUMsQ0FBQyxDQUFBO1lBQ3BELENBQUM7WUFDRCxNQUFNLElBQUksR0FBVyxNQUFNLElBQUksQ0FBQyxRQUFRLENBQUMsSUFBSSxFQUFFLENBQUE7WUFDL0MsTUFBTSxDQUFDLElBQUksQ0FBQyx1QkFBdUIsRUFBRSxJQUFJLENBQUMsQ0FBQTtRQUM1QyxDQUFDO2FBQU0sQ0FBQztZQUNOLE1BQU0sQ0FBQyxJQUFJLENBQUMsZ0JBQWdCLENBQUMsSUFBSSxDQUFDLE9BQU8sQ0FBQyxDQUFDLENBQUE7UUFDN0MsQ0FBQztJQUNILENBQUM7SUFFRCxJQUFZLGlCQUFpQjtRQUMzQixJQUFJLElBQUksQ0FBQyxPQUFPLElBQUksSUFBSSxFQUFFLENBQUM7WUFDekIsT0FBTyxJQUFJLENBQUE7UUFDYixDQUFDO1FBRUQsUUFBUSxJQUFJLENBQUMsT0FBTyxFQUFFLENBQUM7WUFDckIsS0FBSyxNQUFNLENBQUMsZ0JBQWdCO2dCQUMxQixPQUFPLElBQUksQ0FBQyxXQUFXLEVBQUUsUUFBUSxDQUFDLGNBQWMsQ0FBQyxVQUFVLEVBQUUsZ0JBQWdCLENBQUMsUUFBUSxDQUFDLElBQUksSUFBSSxDQUFBO1lBQ2pHLEtBQUssTUFBTSxDQUFDLFlBQVk7Z0JBQ3RCLE9BQU8sSUFBSSxDQUFDLFdBQVcsRUFBRSxRQUFRLENBQUMsY0FBYyxDQUFDLFVBQVUsRUFBRSxnQkFBZ0IsQ0FBQyxJQUFJLENBQUMsSUFBSSxJQUFJLENBQUE7WUFDN0YsS0FBSyxNQUFNLENBQUMsb0JBQW9CO2dCQUM5QixPQUFPLENBQUMsQ0FBQyxJQUFJLENBQUMsV0FBVyxFQUFFLFFBQVEsQ0FBQyxtQkFBbUIsQ0FBQyxnQkFBZ0IsQ0FBQyxJQUFJLENBQUMsQ0FBQTtZQUNoRixLQUFLLE1BQU0sQ0FBQyxjQUFjO2dCQUN4QixPQUFPLElBQUksQ0FBQyxXQUFXLEVBQUUsUUFBUSxDQUFDLGNBQWMsQ0FBQyxVQUFVLEVBQUUsZ0JBQWdCLENBQUMsTUFBTSxDQUFDLElBQUksSUFBSSxDQUFBO1lBQy9GLEtBQUssTUFBTSxDQUFDLHNCQUFzQjtnQkFDaEMsT0FBTyxDQUFDLENBQUMsSUFBSSxDQUFDLFdBQVcsRUFBRSxRQUFRLENBQUMsbUJBQW1CLENBQUMsZ0JBQWdCLENBQUMsTUFBTSxDQUFDLENBQUE7WUFDbEYsS0FBSyxNQUFNLENBQUMsV0FBVztnQkFDckIsT0FBTyxJQUFJLENBQUMsV0FBVyxFQUFFLFFBQVEsQ0FBQyxjQUFjLENBQUMsVUFBVSxFQUFFLGdCQUFnQixDQUFDLEdBQUcsQ0FBQyxJQUFJLElBQUksQ0FBQTtZQUM1RixLQUFLLE1BQU0sQ0FBQyxtQkFBbUI7Z0JBQzdCLE9BQU8sQ0FBQyxDQUFDLElBQUksQ0FBQyxXQUFXLEVBQUUsUUFBUSxDQUFDLG1CQUFtQixDQUFDLGdCQUFnQixDQUFDLEdBQUcsQ0FBQyxDQUFBO1lBQy9FLEtBQUssTUFBTSxDQUFDLFlBQVk7Z0JBQ3RCLE9BQU8sSUFBSSxDQUFDLFdBQVcsRUFBRSxRQUFRLENBQUMsY0FBYyxDQUFDLFVBQVUsRUFBRSxnQkFBZ0IsQ0FBQyxJQUFJLENBQUMsSUFBSSxJQUFJLENBQUE7WUFDN0YsS0FBSyxNQUFNLENBQUMsb0JBQW9CO2dCQUM5QixPQUFPLENBQUMsQ0FBQyxJQUFJLENBQUMsV0FBVyxFQUFFLFFBQVEsQ0FBQyxtQkFBbUIsQ0FBQyxnQkFBZ0IsQ0FBQyxJQUFJLENBQUMsQ0FBQTtZQUNoRixLQUFLLE1BQU0sQ0FBQyxlQUFlO2dCQUN6QixPQUFPLElBQUksQ0FBQyxXQUFXLEVBQUUsUUFBUSxDQUFDLGNBQWMsQ0FBQyxVQUFVLEVBQUUsZ0JBQWdCLENBQUMsT0FBTyxDQUFDLElBQUksSUFBSSxDQUFBO1lBQ2hHLEtBQUssTUFBTSxDQUFDLHVCQUF1QjtnQkFDakMsT0FBTyxDQUFDLENBQUMsSUFBSSxDQUFDLFdBQVcsRUFBRSxRQUFRLENBQUMsbUJBQW1CLENBQUMsZ0JBQWdCLENBQUMsT0FBTyxDQUFDLENBQUE7WUFDbkYsS0FBSyxNQUFNLENBQUMsVUFBVTtnQkFDcEIsT0FBTyxJQUFJLENBQUMsV0FBVyxFQUFFLFFBQVEsQ0FBQyxjQUFjLENBQUMsT0FBTyxFQUFFLGFBQWEsQ0FBQyxLQUFLLENBQUMsSUFBSSxJQUFJLENBQUE7WUFDeEYsS0FBSyxNQUFNLENBQUMsWUFBWTtnQkFDdEIsT0FBTyxJQUFJLENBQUMsV0FBVyxFQUFFLFFBQVEsQ0FBQyxjQUFjLENBQUMsT0FBTyxFQUFFLGFBQWEsQ0FBQyxPQUFPLENBQUMsSUFBSSxJQUFJLENBQUE7WUFDMUYsS0FBSyxNQUFNLENBQUMsb0JBQW9CO2dCQUM5QixPQUFPLENBQUMsQ0FBQyxJQUFJLENBQUMsV0FBVyxFQUFFLFFBQVEsQ0FBQyxnQkFBZ0IsQ0FBQyxhQUFhLENBQUMsT0FBTyxDQUFDLENBQUE7WUFDN0UsS0FBSyxNQUFNLENBQUMsU0FBUztnQkFDbkIsT0FBTyxJQUFJLENBQUMsV0FBVyxFQUFFLFFBQVEsQ0FBQyxjQUFjLENBQUMsT0FBTyxFQUFFLGFBQWEsQ0FBQyxJQUFJLENBQUMsSUFBSSxJQUFJLENBQUE7WUFDdkYsS0FBSyxNQUFNLENBQUMsaUJBQWlCO2dCQUMzQixPQUFPLENBQUMsQ0FBQyxJQUFJLENBQUMsV0FBVyxFQUFFLFFBQVEsQ0FBQyxnQkFBZ0IsQ0FBQyxhQUFhLENBQUMsSUFBSSxDQUFDLENBQUE7WUFDMUUsS0FBSyxNQUFNLENBQUMsU0FBUztnQkFDbkIsT0FBTyxJQUFJLENBQUMsV0FBVyxFQUFFLFFBQVEsQ0FBQyxjQUFjLENBQUMsT0FBTyxFQUFFLGFBQWEsQ0FBQyxJQUFJLENBQUMsSUFBSSxJQUFJLENBQUE7WUFDdkYsS0FBSyxNQUFNLENBQUMsaUJBQWlCO2dCQUMzQixPQUFPLENBQUMsQ0FBQyxJQUFJLENBQUMsV0FBVyxFQUFFLFFBQVEsQ0FBQyxnQkFBZ0IsQ0FBQyxhQUFhLENBQUMsSUFBSSxDQUFDLENBQUE7WUFDMUUsS0FBSyxNQUFNLENBQUMsWUFBWTtnQkFDdEIsT0FBTyxJQUFJLENBQUMsV0FBVyxFQUFFLFFBQVEsQ0FBQyxjQUFjLENBQUMsT0FBTyxFQUFFLGFBQWEsQ0FBQyxPQUFPLENBQUMsSUFBSSxJQUFJLENBQUE7WUFDMUYsS0FBSyxNQUFNLENBQUMsb0JBQW9CO2dCQUM5QixPQUFPLENBQUMsQ0FBQyxJQUFJLENBQUMsV0FBVyxFQUFFLFFBQVEsQ0FBQyxnQkFBZ0IsQ0FBQyxhQUFhLENBQUMsT0FBTyxDQUFDLENBQUE7WUFDN0UsS0FBSyxNQUFNLENBQUMsTUFBTTtnQkFDaEIsT0FBTyxJQUFJLENBQUE7WUFDYixLQUFLLE1BQU0sQ0FBQyxJQUFJO2dCQUNkLE9BQU8sQ0FBQyxJQUFJLENBQUMsV0FBVyxFQUFFLFFBQVEsQ0FBQyxNQUFNLElBQUksQ0FBQyxDQUFDLEdBQUcsQ0FBQyxDQUFBO1lBQ3JELEtBQUssTUFBTSxDQUFDLEtBQUs7Z0JBQ2YsT0FBTyxDQUFDLElBQUksQ0FBQyxXQUFXLEVBQUUsUUFBUSxDQUFDLE1BQU0sSUFBSSxDQUFDLENBQUMsS0FBSyxDQUFDLENBQUE7WUFDdkQsS0FBSyxNQUFNLENBQUMsS0FBSztnQkFDZixPQUFPLEtBQUssQ0FBQTtZQUNkO2dCQUNFLE1BQU0sSUFBSSxLQUFLLENBQUMsNkJBQTZCLElBQUksQ0FBQyxPQUFPLEVBQUUsQ0FBQyxDQUFBO1FBQ2hFLENBQUM7SUFDSCxDQUFDO0NBQ0YifQ==
|
package/dist/index.cjs
CHANGED
|
@@ -90,9 +90,9 @@ var Color = class {
|
|
|
90
90
|
/**
|
|
91
91
|
* Creates an instance of {@link Color} class. Before creating an instance of
|
|
92
92
|
* {@link Color} class, it (if applicable) maps CI status into the hex color,
|
|
93
|
-
* and also validates
|
|
93
|
+
* and also validates color parameter to be a valid string that represents a
|
|
94
94
|
* color in hex format.
|
|
95
|
-
* @param color Can be either undefined, valid color in hex format or GitHub
|
|
95
|
+
* @param color - Can be either undefined, valid color in hex format or GitHub
|
|
96
96
|
* CI status (one of: success, failure, cancelled, skipped)
|
|
97
97
|
* @public
|
|
98
98
|
*/
|
|
@@ -107,7 +107,7 @@ var Color = class {
|
|
|
107
107
|
return this._color;
|
|
108
108
|
}
|
|
109
109
|
assertHexColor() {
|
|
110
|
-
if (this._color
|
|
110
|
+
if (this._color) {
|
|
111
111
|
const hexColorRegex = /^#(?:[0-9A-Fa-f]{3}|[0-9A-Fa-f]{4}|[0-9A-Fa-f]{6}|[0-9A-Fa-f]{8})$/;
|
|
112
112
|
if (!hexColorRegex.test(this._color)) {
|
|
113
113
|
throw new Error(`Invalid hex color: "${this._color}"`);
|
|
@@ -129,16 +129,16 @@ var Color = class {
|
|
|
129
129
|
}
|
|
130
130
|
}
|
|
131
131
|
};
|
|
132
|
-
function identifyColorCommon(findings, prop, none, unknown, color
|
|
132
|
+
function identifyColorCommon(findings, prop, none, unknown, color) {
|
|
133
133
|
if (color.none != null && findings.findByProperty(prop, none) != null) {
|
|
134
134
|
return color.none.value;
|
|
135
135
|
}
|
|
136
136
|
if (color.unknown != null && findings.findByProperty(prop, unknown) != null) {
|
|
137
137
|
return color.unknown.value;
|
|
138
138
|
}
|
|
139
|
-
return
|
|
139
|
+
return void 0;
|
|
140
140
|
}
|
|
141
|
-
function identifyColorBySeverity(findings, color
|
|
141
|
+
function identifyColorBySeverity(findings, color) {
|
|
142
142
|
if (color.critical != null && findings.findByProperty("severity", 5 /* Critical */) != null) {
|
|
143
143
|
return color.critical.value;
|
|
144
144
|
}
|
|
@@ -151,9 +151,9 @@ function identifyColorBySeverity(findings, color, defaultColor) {
|
|
|
151
151
|
if (color.low != null && findings.findByProperty("severity", 2 /* Low */) != null) {
|
|
152
152
|
return color.low.value;
|
|
153
153
|
}
|
|
154
|
-
return identifyColorCommon(findings, "severity", 1 /* None */, 0 /* Unknown */, color
|
|
154
|
+
return identifyColorCommon(findings, "severity", 1 /* None */, 0 /* Unknown */, color);
|
|
155
155
|
}
|
|
156
|
-
function identifyColorByLevel(findings, color
|
|
156
|
+
function identifyColorByLevel(findings, color) {
|
|
157
157
|
if (color.error != null && findings.findByProperty("level", 4 /* Error */) != null) {
|
|
158
158
|
return color.error.value;
|
|
159
159
|
}
|
|
@@ -163,14 +163,28 @@ function identifyColorByLevel(findings, color, defaultColor) {
|
|
|
163
163
|
if (color.note != null && findings.findByProperty("level", 2 /* Note */) != null) {
|
|
164
164
|
return color.note.value;
|
|
165
165
|
}
|
|
166
|
-
return identifyColorCommon(findings, "level", 1 /* None */, 0 /* Unknown */, color
|
|
166
|
+
return identifyColorCommon(findings, "level", 1 /* None */, 0 /* Unknown */, color);
|
|
167
167
|
}
|
|
168
168
|
function identifyColor(findings, colorOpts) {
|
|
169
|
-
|
|
170
|
-
|
|
171
|
-
|
|
172
|
-
|
|
173
|
-
|
|
169
|
+
if (!colorOpts) {
|
|
170
|
+
return void 0;
|
|
171
|
+
}
|
|
172
|
+
if (colorOpts.bySeverity) {
|
|
173
|
+
const color = identifyColorBySeverity(findings, colorOpts.bySeverity);
|
|
174
|
+
if (color !== void 0) {
|
|
175
|
+
return color;
|
|
176
|
+
}
|
|
177
|
+
}
|
|
178
|
+
if (colorOpts.byLevel) {
|
|
179
|
+
const color = identifyColorByLevel(findings, colorOpts.byLevel);
|
|
180
|
+
if (color !== void 0) {
|
|
181
|
+
return color;
|
|
182
|
+
}
|
|
183
|
+
}
|
|
184
|
+
if (findings.length === 0 && colorOpts.empty?.value !== void 0) {
|
|
185
|
+
return colorOpts.empty.value;
|
|
186
|
+
}
|
|
187
|
+
return colorOpts?.default?.value;
|
|
174
188
|
}
|
|
175
189
|
|
|
176
190
|
// src/model/SendIf.ts
|
|
@@ -260,9 +274,9 @@ function sendIfLogMessage(sendIf) {
|
|
|
260
274
|
var import_webhook = require("@slack/webhook");
|
|
261
275
|
|
|
262
276
|
// src/metadata.json
|
|
263
|
-
var version = "1.2.
|
|
264
|
-
var sha = "
|
|
265
|
-
var buildAt = "2025-08-
|
|
277
|
+
var version = "1.2.2";
|
|
278
|
+
var sha = "9b1eb78a551a7afd49036e4721c93ff9a6c18a9b";
|
|
279
|
+
var buildAt = "2025-08-18T15:22:58Z";
|
|
266
280
|
|
|
267
281
|
// src/model/SlackMessage.ts
|
|
268
282
|
function createSlackMessage(url, opts) {
|
|
@@ -940,11 +954,10 @@ var SarifToSlackClient = class _SarifToSlackClient {
|
|
|
940
954
|
/**
|
|
941
955
|
* The main function to initialize a list of {@link SlackMessage} objects based
|
|
942
956
|
* on the given SARIF file(s).
|
|
943
|
-
* @param sarifModel An instance of
|
|
944
|
-
* @param opts An instance of {@link SarifToSlackClientOptions} object.
|
|
957
|
+
* @param sarifModel - An instance of SarifModel object.
|
|
958
|
+
* @param opts - An instance of {@link SarifToSlackClientOptions} object.
|
|
945
959
|
* @returns A map where key is the SARIF file and value is an instance of
|
|
946
|
-
* {@link SlackMessage} object
|
|
947
|
-
* @private
|
|
960
|
+
* {@link SlackMessage} object.
|
|
948
961
|
*/
|
|
949
962
|
static async initialize(sarifModel, opts) {
|
|
950
963
|
const message = createSlackMessage(opts.webhookUrl, {
|
package/dist/model/Color.d.ts
CHANGED
|
@@ -7,9 +7,9 @@ export declare class Color {
|
|
|
7
7
|
/**
|
|
8
8
|
* Creates an instance of {@link Color} class. Before creating an instance of
|
|
9
9
|
* {@link Color} class, it (if applicable) maps CI status into the hex color,
|
|
10
|
-
* and also validates
|
|
10
|
+
* and also validates color parameter to be a valid string that represents a
|
|
11
11
|
* color in hex format.
|
|
12
|
-
* @param color Can be either undefined, valid color in hex format or GitHub
|
|
12
|
+
* @param color - Can be either undefined, valid color in hex format or GitHub
|
|
13
13
|
* CI status (one of: success, failure, cancelled, skipped)
|
|
14
14
|
* @public
|
|
15
15
|
*/
|
|
@@ -24,7 +24,6 @@ export declare class Color {
|
|
|
24
24
|
/**
|
|
25
25
|
* Base type that has common fields for both {@link ColorGroupByLevel} and
|
|
26
26
|
* {@link ColorGroupBySeverity}.
|
|
27
|
-
* @private
|
|
28
27
|
*/
|
|
29
28
|
type ColorGroupCommon = {
|
|
30
29
|
none?: Color;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"Color.d.ts","sourceRoot":"","sources":["../../src/model/Color.ts"],"names":[],"mappings":"AAIA;;;GAGG;AACH,qBAAa,KAAK;IAChB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAQ;IAEhC;;;;;;;;OAQG;gBACgB,KAAK,CAAC,EAAE,MAAM;IAKjC;;OAEG;IACH,IAAW,KAAK,IAAI,MAAM,GAAG,SAAS,CAErC;IAED,OAAO,CAAC,cAAc;IAUtB,OAAO,CAAC,QAAQ;CAcjB;AAED
|
|
1
|
+
{"version":3,"file":"Color.d.ts","sourceRoot":"","sources":["../../src/model/Color.ts"],"names":[],"mappings":"AAIA;;;GAGG;AACH,qBAAa,KAAK;IAChB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAQ;IAEhC;;;;;;;;OAQG;gBACgB,KAAK,CAAC,EAAE,MAAM;IAKjC;;OAEG;IACH,IAAW,KAAK,IAAI,MAAM,GAAG,SAAS,CAErC;IAED,OAAO,CAAC,cAAc;IAUtB,OAAO,CAAC,QAAQ;CAcjB;AAED;;;GAGG;AACH,KAAK,gBAAgB,GAAG;IACtB,IAAI,CAAC,EAAE,KAAK,CAAC;IACb,OAAO,CAAC,EAAE,KAAK,CAAC;CACjB,CAAA;AAED;;;;;;GAMG;AACH,MAAM,MAAM,iBAAiB,GAAG,gBAAgB,GAAG;IACjD,KAAK,CAAC,EAAE,KAAK,CAAC;IACd,OAAO,CAAC,EAAE,KAAK,CAAC;IAChB,IAAI,CAAC,EAAE,KAAK,CAAC;CACd,CAAA;AAED;;;;;;GAMG;AACH,MAAM,MAAM,oBAAoB,GAAG,gBAAgB,GAAG;IACpD,QAAQ,CAAC,EAAE,KAAK,CAAC;IACjB,IAAI,CAAC,EAAE,KAAK,CAAC;IACb,MAAM,CAAC,EAAE,KAAK,CAAC;IACf,GAAG,CAAC,EAAE,KAAK,CAAC;CACb,CAAA;AAED;;;;;GAKG;AACH,MAAM,MAAM,YAAY,GAAG;IACzB;;OAEG;IACH,OAAO,CAAC,EAAE,KAAK,CAAC;IAChB;;OAEG;IACH,OAAO,CAAC,EAAE,iBAAiB,CAAC;IAC5B;;OAEG;IACH,UAAU,CAAC,EAAE,oBAAoB,CAAC;IAClC;;OAEG;IACH,KAAK,CAAC,EAAE,KAAK,CAAC;CACf,CAAA"}
|
package/dist/model/Color.js
CHANGED
|
@@ -8,9 +8,9 @@ export class Color {
|
|
|
8
8
|
/**
|
|
9
9
|
* Creates an instance of {@link Color} class. Before creating an instance of
|
|
10
10
|
* {@link Color} class, it (if applicable) maps CI status into the hex color,
|
|
11
|
-
* and also validates
|
|
11
|
+
* and also validates color parameter to be a valid string that represents a
|
|
12
12
|
* color in hex format.
|
|
13
|
-
* @param color Can be either undefined, valid color in hex format or GitHub
|
|
13
|
+
* @param color - Can be either undefined, valid color in hex format or GitHub
|
|
14
14
|
* CI status (one of: success, failure, cancelled, skipped)
|
|
15
15
|
* @public
|
|
16
16
|
*/
|
|
@@ -25,7 +25,7 @@ export class Color {
|
|
|
25
25
|
return this._color;
|
|
26
26
|
}
|
|
27
27
|
assertHexColor() {
|
|
28
|
-
if (this._color
|
|
28
|
+
if (this._color) {
|
|
29
29
|
const hexColorRegex = /^#(?:[0-9A-Fa-f]{3}|[0-9A-Fa-f]{4}|[0-9A-Fa-f]{6}|[0-9A-Fa-f]{8})$/;
|
|
30
30
|
if (!hexColorRegex.test(this._color)) {
|
|
31
31
|
throw new Error(`Invalid hex color: "${this._color}"`);
|
|
@@ -47,16 +47,16 @@ export class Color {
|
|
|
47
47
|
}
|
|
48
48
|
}
|
|
49
49
|
}
|
|
50
|
-
function identifyColorCommon(findings, prop, none, unknown, color
|
|
50
|
+
function identifyColorCommon(findings, prop, none, unknown, color) {
|
|
51
51
|
if (color.none != null && findings.findByProperty(prop, none) != null) {
|
|
52
52
|
return color.none.value;
|
|
53
53
|
}
|
|
54
54
|
if (color.unknown != null && findings.findByProperty(prop, unknown) != null) {
|
|
55
55
|
return color.unknown.value;
|
|
56
56
|
}
|
|
57
|
-
return
|
|
57
|
+
return undefined;
|
|
58
58
|
}
|
|
59
|
-
function identifyColorBySeverity(findings, color
|
|
59
|
+
function identifyColorBySeverity(findings, color) {
|
|
60
60
|
if (color.critical != null && findings.findByProperty('severity', SecuritySeverity.Critical) != null) {
|
|
61
61
|
return color.critical.value;
|
|
62
62
|
}
|
|
@@ -69,9 +69,9 @@ function identifyColorBySeverity(findings, color, defaultColor) {
|
|
|
69
69
|
if (color.low != null && findings.findByProperty('severity', SecuritySeverity.Low) != null) {
|
|
70
70
|
return color.low.value;
|
|
71
71
|
}
|
|
72
|
-
return identifyColorCommon(findings, 'severity', SecuritySeverity.None, SecuritySeverity.Unknown, color
|
|
72
|
+
return identifyColorCommon(findings, 'severity', SecuritySeverity.None, SecuritySeverity.Unknown, color);
|
|
73
73
|
}
|
|
74
|
-
function identifyColorByLevel(findings, color
|
|
74
|
+
function identifyColorByLevel(findings, color) {
|
|
75
75
|
if (color.error != null && findings.findByProperty('level', SecurityLevel.Error) != null) {
|
|
76
76
|
return color.error.value;
|
|
77
77
|
}
|
|
@@ -81,7 +81,7 @@ function identifyColorByLevel(findings, color, defaultColor) {
|
|
|
81
81
|
if (color.note != null && findings.findByProperty('level', SecurityLevel.Note) != null) {
|
|
82
82
|
return color.note.value;
|
|
83
83
|
}
|
|
84
|
-
return identifyColorCommon(findings, 'level', SecurityLevel.None, SecurityLevel.Unknown, color
|
|
84
|
+
return identifyColorCommon(findings, 'level', SecurityLevel.None, SecurityLevel.Unknown, color);
|
|
85
85
|
}
|
|
86
86
|
/**
|
|
87
87
|
* Makes an ultimate decision on what color should be Slack message. The decision
|
|
@@ -92,14 +92,24 @@ function identifyColorByLevel(findings, color, defaultColor) {
|
|
|
92
92
|
* @internal
|
|
93
93
|
*/
|
|
94
94
|
export function identifyColor(findings, colorOpts) {
|
|
95
|
-
|
|
96
|
-
|
|
97
|
-
|
|
98
|
-
|
|
99
|
-
|
|
100
|
-
|
|
101
|
-
|
|
102
|
-
|
|
103
|
-
|
|
95
|
+
if (!colorOpts) {
|
|
96
|
+
return undefined;
|
|
97
|
+
}
|
|
98
|
+
if (colorOpts.bySeverity) {
|
|
99
|
+
const color = identifyColorBySeverity(findings, colorOpts.bySeverity);
|
|
100
|
+
if (color !== undefined) {
|
|
101
|
+
return color;
|
|
102
|
+
}
|
|
103
|
+
}
|
|
104
|
+
if (colorOpts.byLevel) {
|
|
105
|
+
const color = identifyColorByLevel(findings, colorOpts.byLevel);
|
|
106
|
+
if (color !== undefined) {
|
|
107
|
+
return color;
|
|
108
|
+
}
|
|
109
|
+
}
|
|
110
|
+
if (findings.length === 0 && colorOpts.empty?.value !== undefined) {
|
|
111
|
+
return colorOpts.empty.value;
|
|
112
|
+
}
|
|
113
|
+
return colorOpts?.default?.value;
|
|
104
114
|
}
|
|
105
|
-
//# sourceMappingURL=data:application/json;base64,
|
|
115
|
+
//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiQ29sb3IuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi9zcmMvbW9kZWwvQ29sb3IudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUEsT0FBTyxFQUFFLGFBQWEsRUFBRSxnQkFBZ0IsRUFBRSxNQUFNLFVBQVUsQ0FBQTtBQUkxRDs7O0dBR0c7QUFDSCxNQUFNLE9BQU8sS0FBSztJQUNDLE1BQU0sQ0FBUztJQUVoQzs7Ozs7Ozs7T0FRRztJQUNILFlBQW1CLEtBQWM7UUFDL0IsSUFBSSxDQUFDLE1BQU0sR0FBRyxJQUFJLENBQUMsUUFBUSxDQUFDLEtBQUssQ0FBQyxDQUFBO1FBQ2xDLElBQUksQ0FBQyxjQUFjLEVBQUUsQ0FBQTtJQUN2QixDQUFDO0lBRUQ7O09BRUc7SUFDSCxJQUFXLEtBQUs7UUFDZCxPQUFPLElBQUksQ0FBQyxNQUFNLENBQUE7SUFDcEIsQ0FBQztJQUVPLGNBQWM7UUFDcEIsSUFBSSxJQUFJLENBQUMsTUFBTSxFQUFFLENBQUM7WUFDaEIsTUFBTSxhQUFhLEdBQUcsb0VBQW9FLENBQUE7WUFFMUYsSUFBSSxDQUFDLGFBQWEsQ0FBQyxJQUFJLENBQUMsSUFBSSxDQUFDLE1BQU0sQ0FBQyxFQUFFLENBQUM7Z0JBQ3JDLE1BQU0sSUFBSSxLQUFLLENBQUMsdUJBQXVCLElBQUksQ0FBQyxNQUFNLEdBQUcsQ0FBQyxDQUFBO1lBQ3hELENBQUM7UUFDSCxDQUFDO0lBQ0gsQ0FBQztJQUVPLFFBQVEsQ0FBQyxJQUFhO1FBQzVCLFFBQVEsSUFBSSxFQUFFLENBQUM7WUFDYixLQUFLLFNBQVM7Z0JBQ1osT0FBTyxTQUFTLENBQUE7WUFDbEIsS0FBSyxTQUFTO2dCQUNaLE9BQU8sU0FBUyxDQUFBO1lBQ2xCLEtBQUssV0FBVztnQkFDZCxPQUFPLFNBQVMsQ0FBQTtZQUNsQixLQUFLLFNBQVM7Z0JBQ1osT0FBTyxTQUFTLENBQUE7WUFDbEI7Z0JBQ0UsT0FBTyxJQUFJLENBQUE7UUFDZixDQUFDO0lBQ0gsQ0FBQztDQUNGO0FBK0RELFNBQVMsbUJBQW1CLENBQzFCLFFBQXNCLEVBQ3RCLElBQU8sRUFDUCxJQUFnQixFQUNoQixPQUFtQixFQUNuQixLQUF1QjtJQUV2QixJQUFJLEtBQUssQ0FBQyxJQUFJLElBQUksSUFBSSxJQUFJLFFBQVEsQ0FBQyxjQUFjLENBQUMsSUFBSSxFQUFFLElBQUksQ0FBQyxJQUFJLElBQUksRUFBRSxDQUFDO1FBQ3RFLE9BQU8sS0FBSyxDQUFDLElBQUksQ0FBQyxLQUFLLENBQUE7SUFDekIsQ0FBQztJQUVELElBQUksS0FBSyxDQUFDLE9BQU8sSUFBSSxJQUFJLElBQUksUUFBUSxDQUFDLGNBQWMsQ0FBQyxJQUFJLEVBQUUsT0FBTyxDQUFDLElBQUksSUFBSSxFQUFFLENBQUM7UUFDNUUsT0FBTyxLQUFLLENBQUMsT0FBTyxDQUFDLEtBQUssQ0FBQTtJQUM1QixDQUFDO0lBRUQsT0FBTyxTQUFTLENBQUE7QUFDbEIsQ0FBQztBQUVELFNBQVMsdUJBQXVCLENBQUMsUUFBc0IsRUFBRSxLQUEyQjtJQUNsRixJQUFJLEtBQUssQ0FBQyxRQUFRLElBQUksSUFBSSxJQUFJLFFBQVEsQ0FBQyxjQUFjLENBQUMsVUFBVSxFQUFFLGdCQUFnQixDQUFDLFFBQVEsQ0FBQyxJQUFJLElBQUksRUFBRSxDQUFDO1FBQ3JHLE9BQU8sS0FBSyxDQUFDLFFBQVEsQ0FBQyxLQUFLLENBQUE7SUFDN0IsQ0FBQztJQUVELElBQUksS0FBSyxDQUFDLElBQUksSUFBSSxJQUFJLElBQUksUUFBUSxDQUFDLGNBQWMsQ0FBQyxVQUFVLEVBQUUsZ0JBQWdCLENBQUMsSUFBSSxDQUFDLElBQUksSUFBSSxFQUFFLENBQUM7UUFDN0YsT0FBTyxLQUFLLENBQUMsSUFBSSxDQUFDLEtBQUssQ0FBQTtJQUN6QixDQUFDO0lBRUQsSUFBSSxLQUFLLENBQUMsTUFBTSxJQUFJLElBQUksSUFBSSxRQUFRLENBQUMsY0FBYyxDQUFDLFVBQVUsRUFBRSxnQkFBZ0IsQ0FBQyxNQUFNLENBQUMsSUFBSSxJQUFJLEVBQUUsQ0FBQztRQUNqRyxPQUFPLEtBQUssQ0FBQyxNQUFNLENBQUMsS0FBSyxDQUFBO0lBQzNCLENBQUM7SUFFRCxJQUFJLEtBQUssQ0FBQyxHQUFHLElBQUksSUFBSSxJQUFJLFFBQVEsQ0FBQyxjQUFjLENBQUMsVUFBVSxFQUFFLGdCQUFnQixDQUFDLEdBQUcsQ0FBQyxJQUFJLElBQUksRUFBRSxDQUFDO1FBQzNGLE9BQU8sS0FBSyxDQUFDLEdBQUcsQ0FBQyxLQUFLLENBQUE7SUFDeEIsQ0FBQztJQUVELE9BQU8sbUJBQW1CLENBQUMsUUFBUSxFQUFFLFVBQVUsRUFBRSxnQkFBZ0IsQ0FBQyxJQUFJLEVBQUUsZ0JBQWdCLENBQUMsT0FBTyxFQUFFLEtBQUssQ0FBQyxDQUFBO0FBQzFHLENBQUM7QUFFRCxTQUFTLG9CQUFvQixDQUFDLFFBQXNCLEVBQUUsS0FBd0I7SUFDNUUsSUFBSSxLQUFLLENBQUMsS0FBSyxJQUFJLElBQUksSUFBSSxRQUFRLENBQUMsY0FBYyxDQUFDLE9BQU8sRUFBRSxhQUFhLENBQUMsS0FBSyxDQUFDLElBQUksSUFBSSxFQUFFLENBQUM7UUFDekYsT0FBTyxLQUFLLENBQUMsS0FBSyxDQUFDLEtBQUssQ0FBQTtJQUMxQixDQUFDO0lBRUQsSUFBSSxLQUFLLENBQUMsT0FBTyxJQUFJLElBQUksSUFBSSxRQUFRLENBQUMsY0FBYyxDQUFDLE9BQU8sRUFBRSxhQUFhLENBQUMsT0FBTyxDQUFDLElBQUksSUFBSSxFQUFFLENBQUM7UUFDN0YsT0FBTyxLQUFLLENBQUMsT0FBTyxDQUFDLEtBQUssQ0FBQTtJQUM1QixDQUFDO0lBRUQsSUFBSSxLQUFLLENBQUMsSUFBSSxJQUFJLElBQUksSUFBSSxRQUFRLENBQUMsY0FBYyxDQUFDLE9BQU8sRUFBRSxhQUFhLENBQUMsSUFBSSxDQUFDLElBQUksSUFBSSxFQUFFLENBQUM7UUFDdkYsT0FBTyxLQUFLLENBQUMsSUFBSSxDQUFDLEtBQUssQ0FBQTtJQUN6QixDQUFDO0lBRUQsT0FBTyxtQkFBbUIsQ0FBQyxRQUFRLEVBQUUsT0FBTyxFQUFFLGFBQWEsQ0FBQyxJQUFJLEVBQUUsYUFBYSxDQUFDLE9BQU8sRUFBRSxLQUFLLENBQUMsQ0FBQTtBQUNqRyxDQUFDO0FBRUQ7Ozs7Ozs7R0FPRztBQUNILE1BQU0sVUFBVSxhQUFhLENBQUMsUUFBc0IsRUFBRSxTQUF3QjtJQUM1RSxJQUFJLENBQUMsU0FBUyxFQUFFLENBQUM7UUFDZixPQUFPLFNBQVMsQ0FBQTtJQUNsQixDQUFDO0lBRUQsSUFBSSxTQUFTLENBQUMsVUFBVSxFQUFFLENBQUM7UUFDekIsTUFBTSxLQUFLLEdBQXVCLHVCQUF1QixDQUFDLFFBQVEsRUFBRSxTQUFTLENBQUMsVUFBVSxDQUFDLENBQUE7UUFDekYsSUFBSSxLQUFLLEtBQUssU0FBUyxFQUFFLENBQUM7WUFDeEIsT0FBTyxLQUFLLENBQUE7UUFDZCxDQUFDO0lBQ0gsQ0FBQztJQUVELElBQUksU0FBUyxDQUFDLE9BQU8sRUFBRSxDQUFDO1FBQ3RCLE1BQU0sS0FBSyxHQUF1QixvQkFBb0IsQ0FBQyxRQUFRLEVBQUUsU0FBUyxDQUFDLE9BQU8sQ0FBQyxDQUFBO1FBQ25GLElBQUksS0FBSyxLQUFLLFNBQVMsRUFBRSxDQUFDO1lBQ3hCLE9BQU8sS0FBSyxDQUFBO1FBQ2QsQ0FBQztJQUNILENBQUM7SUFFRCxJQUFJLFFBQVEsQ0FBQyxNQUFNLEtBQUssQ0FBQyxJQUFJLFNBQVMsQ0FBQyxLQUFLLEVBQUUsS0FBSyxLQUFLLFNBQVMsRUFBRSxDQUFDO1FBQ2xFLE9BQU8sU0FBUyxDQUFDLEtBQUssQ0FBQyxLQUFLLENBQUE7SUFDOUIsQ0FBQztJQUVELE9BQU8sU0FBUyxFQUFFLE9BQU8sRUFBRSxLQUFLLENBQUE7QUFDbEMsQ0FBQyJ9
|
|
@@ -55,4 +55,4 @@ export default class CompactGroupByRepresentation extends Representation {
|
|
|
55
55
|
}
|
|
56
56
|
}
|
|
57
57
|
}
|
|
58
|
-
//# sourceMappingURL=data:application/json;base64,
|
|
58
|
+
//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiQ29tcGFjdEdyb3VwQnlSZXByZXNlbnRhdGlvbi5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uL3NyYy9yZXByZXNlbnRhdGlvbnMvQ29tcGFjdEdyb3VwQnlSZXByZXNlbnRhdGlvbi50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQSxPQUFPLGNBQWMsTUFBTSxrQkFBa0IsQ0FBQTtBQUU3QyxPQUFPLEVBQUUsdUJBQXVCLEVBQUUsTUFBTSxzQkFBc0IsQ0FBQTtBQUM5RCxPQUFPLEVBQUUsYUFBYSxFQUFFLGdCQUFnQixFQUFFLE1BQU0sVUFBVSxDQUFBO0FBRTFELE1BQU0sbUJBQW1CLEdBQUcsMEJBQTBCLENBQUE7QUFFdEQ7Ozs7Ozs7Ozs7Ozs7Ozs7R0FnQkc7QUFDSCxNQUFNLENBQUMsT0FBTyxPQUFnQiw0QkFBNkIsU0FBUSxjQUFjO0lBSXJFLGlCQUFpQixDQUFzRCxHQUFNO1FBQ3JGLE1BQU0sT0FBTyxHQUEyQixJQUFJLENBQUMsYUFBYSxFQUFFLENBQUE7UUFDNUQsSUFBSSxPQUFPLENBQUMsSUFBSSxLQUFLLENBQUMsRUFBRSxDQUFDO1lBQ3ZCLE9BQU8sbUJBQW1CLENBQUE7UUFDNUIsQ0FBQztRQUVELE9BQU8sS0FBSyxDQUFDLElBQUksQ0FBQyxPQUFPLENBQUM7YUFDdkIsR0FBRyxDQUFDLENBQUMsQ0FBQyxLQUFLLEVBQUUsUUFBUSxDQUFzQixFQUFVLEVBQUU7WUFDdEQsUUFBUSxDQUFDLElBQUksQ0FBQyx1QkFBdUIsQ0FBQyxHQUFHLENBQUMsQ0FBQyxDQUFBO1lBQzNDLE1BQU0sT0FBTyxHQUNYLFFBQVEsQ0FBQyxNQUFNLEtBQUssQ0FBQztnQkFDckIsQ0FBQyxDQUFDLG1CQUFtQjtnQkFDckIsQ0FBQyxDQUFDLElBQUksQ0FBQyxvQkFBb0IsQ0FBQyxRQUFRLEVBQUUsR0FBRyxDQUFDLENBQUE7WUFDNUMsT0FBTyxHQUFHLEtBQUssS0FBSyxPQUFPLEVBQUUsQ0FBQTtRQUMvQixDQUFDLENBQUM7YUFDRCxJQUFJLENBQUMsTUFBTSxDQUFDLENBQUE7SUFDakIsQ0FBQztJQUVPLG9CQUFvQixDQUFzRCxRQUFtQixFQUFFLEdBQU07UUFDM0csT0FBTyxNQUFNO2FBQ1YsT0FBTyxDQUFDLE1BQU0sQ0FBQyxPQUFPLENBQUMsUUFBUSxFQUFFLENBQUMsQ0FBVSxFQUFlLEVBQUUsQ0FBQyxDQUFDLENBQUMsR0FBRyxDQUFnQixDQUFDLENBQUM7YUFDckYsR0FBRyxDQUFDLENBQUMsQ0FBQyxJQUFJLEVBQUUsU0FBUyxDQUFrQyxFQUFzQixFQUFFO1lBQzlFLElBQUksU0FBUyxJQUFJLElBQUksRUFBRSxDQUFDO2dCQUN0QixPQUFPLFNBQVMsQ0FBQTtZQUNsQixDQUFDO1lBQ0QsT0FBTyxHQUFHLElBQUksQ0FBQyxJQUFJLENBQUMsSUFBSSxDQUFDLGdCQUFnQixDQUFDLEdBQUcsRUFBRSxJQUFJLENBQUMsQ0FBQyxLQUFLLFNBQVMsQ0FBQyxNQUFNLEVBQUUsQ0FBQTtRQUM5RSxDQUFDLENBQUM7YUFDRCxNQUFNLENBQUMsQ0FBQyxDQUFxQixFQUFlLEVBQUUsQ0FBQyxDQUFDLElBQUksSUFBSSxDQUFDO2FBQ3pELElBQUksQ0FBQyxJQUFJLENBQUMsQ0FBQTtJQUNmLENBQUM7SUFFTyxnQkFBZ0IsQ0FBc0QsR0FBTSxFQUFFLElBQVk7UUFDaEcsUUFBUSxHQUFHLEVBQUUsQ0FBQztZQUNaLEtBQUssT0FBTyxDQUFDLENBQUMsT0FBTyxhQUFhLENBQUMsTUFBTSxDQUFDLElBQUksQ0FBQyxDQUFDLENBQUE7WUFDaEQsS0FBSyxVQUFVLENBQUMsQ0FBQyxPQUFPLGdCQUFnQixDQUFDLE1BQU0sQ0FBQyxJQUFJLENBQUMsQ0FBQyxDQUFBO1lBQ3RELE9BQU8sQ0FBQyxDQUFDLE1BQU0sSUFBSSxLQUFLLENBQUMsbUJBQW1CLEVBQUUsR0FBRyxDQUFDLENBQUE7UUFDcEQsQ0FBQztJQUNILENBQUM7Q0FDRiJ9
|
|
@@ -10,4 +10,4 @@ export default class CompactGroupByRunPerLevelRepresentation extends CompactGrou
|
|
|
10
10
|
return this.composeByProperty('level');
|
|
11
11
|
}
|
|
12
12
|
}
|
|
13
|
-
//# sourceMappingURL=data:application/json;base64,
|
|
13
|
+
//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiQ29tcGFjdEdyb3VwQnlSdW5QZXJMZXZlbFJlcHJlc2VudGF0aW9uLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vc3JjL3JlcHJlc2VudGF0aW9ucy9Db21wYWN0R3JvdXBCeVJ1blBlckxldmVsUmVwcmVzZW50YXRpb24udHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUEsT0FBTywrQkFBK0IsTUFBTSxtQ0FBbUMsQ0FBQTtBQUUvRTs7Ozs7R0FLRztBQUNILE1BQU0sQ0FBQyxPQUFPLE9BQU8sdUNBQXdDLFNBQVEsK0JBQStCO0lBRWxGLE9BQU87UUFDckIsT0FBTyxJQUFJLENBQUMsaUJBQWlCLENBQUMsT0FBTyxDQUFDLENBQUE7SUFDeEMsQ0FBQztDQUNGIn0=
|
|
@@ -10,4 +10,4 @@ export default class CompactGroupByRunPerSeverityRepresentation extends CompactG
|
|
|
10
10
|
return this.composeByProperty('severity');
|
|
11
11
|
}
|
|
12
12
|
}
|
|
13
|
-
//# sourceMappingURL=data:application/json;base64,
|
|
13
|
+
//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiQ29tcGFjdEdyb3VwQnlSdW5QZXJTZXZlcml0eVJlcHJlc2VudGF0aW9uLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vc3JjL3JlcHJlc2VudGF0aW9ucy9Db21wYWN0R3JvdXBCeVJ1blBlclNldmVyaXR5UmVwcmVzZW50YXRpb24udHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUEsT0FBTywrQkFBK0IsTUFBTSxtQ0FBbUMsQ0FBQTtBQUUvRTs7Ozs7R0FLRztBQUNILE1BQU0sQ0FBQyxPQUFPLE9BQU8sMENBQTJDLFNBQVEsK0JBQStCO0lBRXJGLE9BQU87UUFDckIsT0FBTyxJQUFJLENBQUMsaUJBQWlCLENBQUMsVUFBVSxDQUFDLENBQUE7SUFDM0MsQ0FBQztDQUNGIn0=
|
|
@@ -10,10 +10,10 @@ import CompactGroupByRepresentation from './CompactGroupByRepresentation';
|
|
|
10
10
|
* [Run 2] Grype
|
|
11
11
|
* Warning: 1, Note: 20
|
|
12
12
|
* ```
|
|
13
|
-
* @internal
|
|
14
13
|
* It is an abstract class, so the only question that derived classes should
|
|
15
14
|
* "answer" is what property should be used in the compact representation, such
|
|
16
15
|
* as "level" and "severity".
|
|
16
|
+
* @internal
|
|
17
17
|
*/
|
|
18
18
|
export default class CompactGroupByRunRepresentation extends CompactGroupByRepresentation {
|
|
19
19
|
constructor(model) {
|
|
@@ -11,10 +11,10 @@ import CompactGroupByRepresentation from './CompactGroupByRepresentation';
|
|
|
11
11
|
* grype-results-02.sarif
|
|
12
12
|
* Warning: 1, Note: 20
|
|
13
13
|
* ```
|
|
14
|
-
* @internal
|
|
15
14
|
* It is an abstract class, so the only question that derived classes should
|
|
16
15
|
* "answer" is what property should be used in the compact representation, such
|
|
17
16
|
* as "level" and "severity".
|
|
17
|
+
* @internal
|
|
18
18
|
*/
|
|
19
19
|
export default class CompactGroupBySarifRepresentation extends CompactGroupByRepresentation {
|
|
20
20
|
constructor(model) {
|
|
@@ -10,10 +10,10 @@ import CompactGroupByRepresentation from './CompactGroupByRepresentation';
|
|
|
10
10
|
* Trivy
|
|
11
11
|
* Warning: 1, Note: 20
|
|
12
12
|
* ```
|
|
13
|
-
* @internal
|
|
14
13
|
* It is an abstract class, so the only question that derived classes should
|
|
15
14
|
* "answer" is what property should be used in the compact representation, such
|
|
16
15
|
* as "level" and "severity".
|
|
16
|
+
* @internal
|
|
17
17
|
*/
|
|
18
18
|
export default class CompactGroupByToolNameRepresentation extends CompactGroupByRepresentation {
|
|
19
19
|
constructor(model) {
|
|
@@ -8,10 +8,10 @@ import CompactGroupByRepresentation from './CompactGroupByRepresentation';
|
|
|
8
8
|
* Total
|
|
9
9
|
* Warning: 1, Note: 20
|
|
10
10
|
* ```
|
|
11
|
-
* @internal
|
|
12
11
|
* It is an abstract class, so the only question that derived classes should
|
|
13
12
|
* "answer" is what property should be used in the compact representation, such
|
|
14
13
|
* as "level" and "severity".
|
|
14
|
+
* @internal
|
|
15
15
|
*/
|
|
16
16
|
export default class CompactTotalRepresentation extends CompactGroupByRepresentation {
|
|
17
17
|
groupFindings() {
|
package/dist/sarif-to-slack.d.ts
CHANGED
|
@@ -85,9 +85,9 @@ export declare class Color {
|
|
|
85
85
|
/**
|
|
86
86
|
* Creates an instance of {@link Color} class. Before creating an instance of
|
|
87
87
|
* {@link Color} class, it (if applicable) maps CI status into the hex color,
|
|
88
|
-
* and also validates
|
|
88
|
+
* and also validates color parameter to be a valid string that represents a
|
|
89
89
|
* color in hex format.
|
|
90
|
-
* @param color Can be either undefined, valid color in hex format or GitHub
|
|
90
|
+
* @param color - Can be either undefined, valid color in hex format or GitHub
|
|
91
91
|
* CI status (one of: success, failure, cancelled, skipped)
|
|
92
92
|
* @public
|
|
93
93
|
*/
|
|
@@ -130,7 +130,6 @@ export declare type ColorGroupBySeverity = ColorGroupCommon & {
|
|
|
130
130
|
/**
|
|
131
131
|
* Base type that has common fields for both {@link ColorGroupByLevel} and
|
|
132
132
|
* {@link ColorGroupBySeverity}.
|
|
133
|
-
* @private
|
|
134
133
|
*/
|
|
135
134
|
declare type ColorGroupCommon = {
|
|
136
135
|
none?: Color;
|
|
@@ -380,11 +379,10 @@ export declare class SarifToSlackClient {
|
|
|
380
379
|
/**
|
|
381
380
|
* The main function to initialize a list of {@link SlackMessage} objects based
|
|
382
381
|
* on the given SARIF file(s).
|
|
383
|
-
* @param sarifModel An instance of
|
|
384
|
-
* @param opts An instance of {@link SarifToSlackClientOptions} object.
|
|
382
|
+
* @param sarifModel - An instance of SarifModel object.
|
|
383
|
+
* @param opts - An instance of {@link SarifToSlackClientOptions} object.
|
|
385
384
|
* @returns A map where key is the SARIF file and value is an instance of
|
|
386
|
-
* {@link SlackMessage} object
|
|
387
|
-
* @private
|
|
385
|
+
* {@link SlackMessage} object.
|
|
388
386
|
*/
|
|
389
387
|
private static initialize;
|
|
390
388
|
/**
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@fabasoad/sarif-to-slack",
|
|
3
|
-
"version": "1.2.
|
|
3
|
+
"version": "1.2.2",
|
|
4
4
|
"description": "TypeScript library to send results of SARIF file to Slack webhook URL.",
|
|
5
5
|
"main": "dist/index.cjs",
|
|
6
6
|
"module": "dist/index.js",
|
|
@@ -20,7 +20,7 @@
|
|
|
20
20
|
"version:minor": "npm version minor --commit-hooks --git-tag-version --message 'chore: bump to version %s'",
|
|
21
21
|
"version:major": "npm version major --commit-hooks --git-tag-version --message 'chore: bump to version %s'",
|
|
22
22
|
"preversion": "npm test",
|
|
23
|
-
"version": "npm run build && git add .",
|
|
23
|
+
"version": "npm run build && git add package.json package-lock.json",
|
|
24
24
|
"postversion": "git push && git push --tags && npm run clean"
|
|
25
25
|
},
|
|
26
26
|
"repository": {
|
|
@@ -47,7 +47,7 @@ export class SarifToSlackClient {
|
|
|
47
47
|
instance._sendIf = opts.sendIf ?? instance._sendIf
|
|
48
48
|
instance._sarifModel = await SarifToSlackClient.buildModel(opts.sarif)
|
|
49
49
|
instance._message = await SarifToSlackClient.initialize(instance._sarifModel, opts)
|
|
50
|
-
return instance
|
|
50
|
+
return instance
|
|
51
51
|
}
|
|
52
52
|
|
|
53
53
|
private static async buildModel(sarifOpts: SarifOptions): Promise<SarifModel> {
|
|
@@ -85,11 +85,10 @@ export class SarifToSlackClient {
|
|
|
85
85
|
/**
|
|
86
86
|
* The main function to initialize a list of {@link SlackMessage} objects based
|
|
87
87
|
* on the given SARIF file(s).
|
|
88
|
-
* @param sarifModel An instance of
|
|
89
|
-
* @param opts An instance of {@link SarifToSlackClientOptions} object.
|
|
88
|
+
* @param sarifModel - An instance of SarifModel object.
|
|
89
|
+
* @param opts - An instance of {@link SarifToSlackClientOptions} object.
|
|
90
90
|
* @returns A map where key is the SARIF file and value is an instance of
|
|
91
|
-
* {@link SlackMessage} object
|
|
92
|
-
* @private
|
|
91
|
+
* {@link SlackMessage} object.
|
|
93
92
|
*/
|
|
94
93
|
private static async initialize(
|
|
95
94
|
sarifModel: SarifModel,
|
package/src/model/Color.ts
CHANGED
|
@@ -12,9 +12,9 @@ export class Color {
|
|
|
12
12
|
/**
|
|
13
13
|
* Creates an instance of {@link Color} class. Before creating an instance of
|
|
14
14
|
* {@link Color} class, it (if applicable) maps CI status into the hex color,
|
|
15
|
-
* and also validates
|
|
15
|
+
* and also validates color parameter to be a valid string that represents a
|
|
16
16
|
* color in hex format.
|
|
17
|
-
* @param color Can be either undefined, valid color in hex format or GitHub
|
|
17
|
+
* @param color - Can be either undefined, valid color in hex format or GitHub
|
|
18
18
|
* CI status (one of: success, failure, cancelled, skipped)
|
|
19
19
|
* @public
|
|
20
20
|
*/
|
|
@@ -31,11 +31,11 @@ export class Color {
|
|
|
31
31
|
}
|
|
32
32
|
|
|
33
33
|
private assertHexColor(): void {
|
|
34
|
-
if (this._color
|
|
35
|
-
const hexColorRegex = /^#(?:[0-9A-Fa-f]{3}|[0-9A-Fa-f]{4}|[0-9A-Fa-f]{6}|[0-9A-Fa-f]{8})
|
|
34
|
+
if (this._color) {
|
|
35
|
+
const hexColorRegex = /^#(?:[0-9A-Fa-f]{3}|[0-9A-Fa-f]{4}|[0-9A-Fa-f]{6}|[0-9A-Fa-f]{8})$/
|
|
36
36
|
|
|
37
37
|
if (!hexColorRegex.test(this._color)) {
|
|
38
|
-
throw new Error(`Invalid hex color: "${this._color}"`)
|
|
38
|
+
throw new Error(`Invalid hex color: "${this._color}"`)
|
|
39
39
|
}
|
|
40
40
|
}
|
|
41
41
|
}
|
|
@@ -59,7 +59,6 @@ export class Color {
|
|
|
59
59
|
/**
|
|
60
60
|
* Base type that has common fields for both {@link ColorGroupByLevel} and
|
|
61
61
|
* {@link ColorGroupBySeverity}.
|
|
62
|
-
* @private
|
|
63
62
|
*/
|
|
64
63
|
type ColorGroupCommon = {
|
|
65
64
|
none?: Color,
|
|
@@ -123,8 +122,7 @@ function identifyColorCommon<K extends keyof Finding>(
|
|
|
123
122
|
prop: K,
|
|
124
123
|
none: Finding[K],
|
|
125
124
|
unknown: Finding[K],
|
|
126
|
-
color: ColorGroupCommon
|
|
127
|
-
defaultColor?: Color
|
|
125
|
+
color: ColorGroupCommon
|
|
128
126
|
): string | undefined {
|
|
129
127
|
if (color.none != null && findings.findByProperty(prop, none) != null) {
|
|
130
128
|
return color.none.value
|
|
@@ -134,10 +132,10 @@ function identifyColorCommon<K extends keyof Finding>(
|
|
|
134
132
|
return color.unknown.value
|
|
135
133
|
}
|
|
136
134
|
|
|
137
|
-
return
|
|
135
|
+
return undefined
|
|
138
136
|
}
|
|
139
137
|
|
|
140
|
-
function identifyColorBySeverity(findings: FindingArray, color: ColorGroupBySeverity
|
|
138
|
+
function identifyColorBySeverity(findings: FindingArray, color: ColorGroupBySeverity): string | undefined {
|
|
141
139
|
if (color.critical != null && findings.findByProperty('severity', SecuritySeverity.Critical) != null) {
|
|
142
140
|
return color.critical.value
|
|
143
141
|
}
|
|
@@ -154,10 +152,10 @@ function identifyColorBySeverity(findings: FindingArray, color: ColorGroupBySeve
|
|
|
154
152
|
return color.low.value
|
|
155
153
|
}
|
|
156
154
|
|
|
157
|
-
return identifyColorCommon(findings, 'severity', SecuritySeverity.None, SecuritySeverity.Unknown, color
|
|
155
|
+
return identifyColorCommon(findings, 'severity', SecuritySeverity.None, SecuritySeverity.Unknown, color)
|
|
158
156
|
}
|
|
159
157
|
|
|
160
|
-
function identifyColorByLevel(findings: FindingArray, color: ColorGroupByLevel
|
|
158
|
+
function identifyColorByLevel(findings: FindingArray, color: ColorGroupByLevel): string | undefined {
|
|
161
159
|
if (color.error != null && findings.findByProperty('level', SecurityLevel.Error) != null) {
|
|
162
160
|
return color.error.value
|
|
163
161
|
}
|
|
@@ -170,7 +168,7 @@ function identifyColorByLevel(findings: FindingArray, color: ColorGroupByLevel,
|
|
|
170
168
|
return color.note.value
|
|
171
169
|
}
|
|
172
170
|
|
|
173
|
-
return identifyColorCommon(findings, 'level', SecurityLevel.None, SecurityLevel.Unknown, color
|
|
171
|
+
return identifyColorCommon(findings, 'level', SecurityLevel.None, SecurityLevel.Unknown, color)
|
|
174
172
|
}
|
|
175
173
|
|
|
176
174
|
/**
|
|
@@ -182,17 +180,27 @@ function identifyColorByLevel(findings: FindingArray, color: ColorGroupByLevel,
|
|
|
182
180
|
* @internal
|
|
183
181
|
*/
|
|
184
182
|
export function identifyColor(findings: FindingArray, colorOpts?: ColorOptions): string | undefined {
|
|
185
|
-
|
|
186
|
-
|
|
187
|
-
|
|
183
|
+
if (!colorOpts) {
|
|
184
|
+
return undefined
|
|
185
|
+
}
|
|
188
186
|
|
|
189
|
-
|
|
190
|
-
|
|
191
|
-
|
|
187
|
+
if (colorOpts.bySeverity) {
|
|
188
|
+
const color: string | undefined = identifyColorBySeverity(findings, colorOpts.bySeverity)
|
|
189
|
+
if (color !== undefined) {
|
|
190
|
+
return color
|
|
191
|
+
}
|
|
192
|
+
}
|
|
192
193
|
|
|
193
|
-
|
|
194
|
+
if (colorOpts.byLevel) {
|
|
195
|
+
const color: string | undefined = identifyColorByLevel(findings, colorOpts.byLevel)
|
|
196
|
+
if (color !== undefined) {
|
|
197
|
+
return color
|
|
198
|
+
}
|
|
199
|
+
}
|
|
194
200
|
|
|
195
|
-
|
|
201
|
+
if (findings.length === 0 && colorOpts.empty?.value !== undefined) {
|
|
202
|
+
return colorOpts.empty.value
|
|
203
|
+
}
|
|
196
204
|
|
|
197
|
-
return
|
|
205
|
+
return colorOpts?.default?.value
|
|
198
206
|
}
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
import Representation from './Representation'
|
|
2
2
|
import Finding from '../model/Finding'
|
|
3
3
|
import { findingsComparatorByKey } from '../utils/Comparators'
|
|
4
|
-
import { SecurityLevel, SecuritySeverity } from '../types'
|
|
4
|
+
import { SecurityLevel, SecuritySeverity } from '../types'
|
|
5
5
|
|
|
6
6
|
const NO_VULNS_FOUND_TEXT = 'No vulnerabilities found'
|
|
7
7
|
|
|
@@ -13,10 +13,10 @@ import { SarifModel } from '../types'
|
|
|
13
13
|
* [Run 2] Grype
|
|
14
14
|
* Warning: 1, Note: 20
|
|
15
15
|
* ```
|
|
16
|
-
* @internal
|
|
17
16
|
* It is an abstract class, so the only question that derived classes should
|
|
18
17
|
* "answer" is what property should be used in the compact representation, such
|
|
19
18
|
* as "level" and "severity".
|
|
19
|
+
* @internal
|
|
20
20
|
*/
|
|
21
21
|
export default abstract class CompactGroupByRunRepresentation extends CompactGroupByRepresentation {
|
|
22
22
|
|
|
@@ -14,10 +14,10 @@ import { SarifModel } from '../types'
|
|
|
14
14
|
* grype-results-02.sarif
|
|
15
15
|
* Warning: 1, Note: 20
|
|
16
16
|
* ```
|
|
17
|
-
* @internal
|
|
18
17
|
* It is an abstract class, so the only question that derived classes should
|
|
19
18
|
* "answer" is what property should be used in the compact representation, such
|
|
20
19
|
* as "level" and "severity".
|
|
20
|
+
* @internal
|
|
21
21
|
*/
|
|
22
22
|
export default abstract class CompactGroupBySarifRepresentation extends CompactGroupByRepresentation {
|
|
23
23
|
|
|
@@ -13,10 +13,10 @@ import { SarifModel } from '../types'
|
|
|
13
13
|
* Trivy
|
|
14
14
|
* Warning: 1, Note: 20
|
|
15
15
|
* ```
|
|
16
|
-
* @internal
|
|
17
16
|
* It is an abstract class, so the only question that derived classes should
|
|
18
17
|
* "answer" is what property should be used in the compact representation, such
|
|
19
18
|
* as "level" and "severity".
|
|
19
|
+
* @internal
|
|
20
20
|
*/
|
|
21
21
|
export default abstract class CompactGroupByToolNameRepresentation extends CompactGroupByRepresentation {
|
|
22
22
|
|
|
@@ -10,10 +10,10 @@ import Finding from '../model/Finding'
|
|
|
10
10
|
* Total
|
|
11
11
|
* Warning: 1, Note: 20
|
|
12
12
|
* ```
|
|
13
|
-
* @internal
|
|
14
13
|
* It is an abstract class, so the only question that derived classes should
|
|
15
14
|
* "answer" is what property should be used in the compact representation, such
|
|
16
15
|
* as "level" and "severity".
|
|
16
|
+
* @internal
|
|
17
17
|
*/
|
|
18
18
|
export default abstract class CompactTotalRepresentation extends CompactGroupByRepresentation {
|
|
19
19
|
|
|
@@ -4178,12 +4178,12 @@
|
|
|
4178
4178
|
"GHSA-f5x3-32g6-xq36"
|
|
4179
4179
|
],
|
|
4180
4180
|
"fullDescription": {
|
|
4181
|
-
"markdown": "## Description: \nDuring some analysis today on npm's `node-tar` package I came across the folder creation process, Basicly if you provide node-tar with a path like this `./a/b/c/foo.txt` it would create every folder and sub-folder here a, b and c until it reaches the last folder to create `foo.txt`, In-this case I noticed that there's no validation at all on the amount of folders being created, that said we're actually able to CPU and memory consume the system running node-tar and even crash the nodejs client within few seconds of running it using a path with too many sub-folders inside\n\n## Steps To Reproduce:\nYou can reproduce this issue by downloading the tar file I provided in the resources and using node-tar to extract it, you should get the same behavior as the video\n\n## Proof Of Concept:\nHere's a [video](https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/3i7uojw8s52psar6pg8zkdo4h9io?response-content-disposition=attachment%3B%20filename%3D%22tar-dos-poc.webm%22%3B%20filename%2A%3DUTF-8%27%27tar-dos-poc.webm\u0026response-content-type=video%2Fwebm\u0026X-Amz-Algorithm=AWS4-HMAC-SHA256\u0026X-Amz-
|
|
4182
|
-
"text": "## Description: \nDuring some analysis today on npm's `node-tar` package I came across the folder creation process, Basicly if you provide node-tar with a path like this `./a/b/c/foo.txt` it would create every folder and sub-folder here a, b and c until it reaches the last folder to create `foo.txt`, In-this case I noticed that there's no validation at all on the amount of folders being created, that said we're actually able to CPU and memory consume the system running node-tar and even crash the nodejs client within few seconds of running it using a path with too many sub-folders inside\n\n## Steps To Reproduce:\nYou can reproduce this issue by downloading the tar file I provided in the resources and using node-tar to extract it, you should get the same behavior as the video\n\n## Proof Of Concept:\nHere's a [video](https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/3i7uojw8s52psar6pg8zkdo4h9io?response-content-disposition=attachment%3B%20filename%3D%22tar-dos-poc.webm%22%3B%20filename%2A%3DUTF-8%27%27tar-dos-poc.webm\u0026response-content-type=video%2Fwebm\u0026X-Amz-Algorithm=AWS4-HMAC-SHA256\u0026X-Amz-
|
|
4181
|
+
"markdown": "## Description: \nDuring some analysis today on npm's `node-tar` package I came across the folder creation process, Basicly if you provide node-tar with a path like this `./a/b/c/foo.txt` it would create every folder and sub-folder here a, b and c until it reaches the last folder to create `foo.txt`, In-this case I noticed that there's no validation at all on the amount of folders being created, that said we're actually able to CPU and memory consume the system running node-tar and even crash the nodejs client within few seconds of running it using a path with too many sub-folders inside\n\n## Steps To Reproduce:\nYou can reproduce this issue by downloading the tar file I provided in the resources and using node-tar to extract it, you should get the same behavior as the video\n\n## Proof Of Concept:\nHere's a [video](https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/3i7uojw8s52psar6pg8zkdo4h9io?response-content-disposition=attachment%3B%20filename%3D%22tar-dos-poc.webm%22%3B%20filename%2A%3DUTF-8%27%27tar-dos-poc.webm\u0026response-content-type=video%2Fwebm\u0026X-Amz-Algorithm=AWS4-HMAC-SHA256\u0026X-Amz-Date=20240312T080103Z\u0026X-Amz-Expires=3600\u0026X-Amz-Security-Token=IQoJb3JpZ2luX2VjEDcaCXVzLXdlc3QtMiJHMEUCID3xYDc6emXVPOg8iVR5dVk0u3gguTPIDJ0OIE%2BKxj17AiEAi%2BGiay1gGMWhH%2F031fvMYnSsa8U7CnpZpxvFAYqNRwgqsQUIQBADGgwwMTM2MTkyNzQ4NDkiDAaj6OgUL3gg4hhLLCqOBUUrOgWSqaK%2FmxN6nKRvB4Who3LIyzswFKm9LV94GiSVFP3zXYA480voCmAHTg7eBL7%2BrYgV2RtXbhF4aCFMCN3qu7GeXkIdH7xwVMi9zXHkekviSKZ%2FsZtVVjn7RFqOCKhJl%2FCoiLQJuDuju%2FtfdTGZbEbGsPgKHoILYbRp81K51zeRL21okjsOehmypkZzq%2BoGrXIX0ynPOKujxw27uqdF4T%2BF9ynodq01vGgwgVBEjHojc4OKOfr1oW5b%2FtGVV59%2BOBVI1hqIKHRG0Ed4SWmp%2BLd1hazGuZPvp52szmegnOj5qr3ubppnKL242bX%2FuAnQKzKK0HpwolqXjsuEeFeM85lxhqHV%2B1BJqaqSHHDa0HUMLZistMRshRlntuchcFQCR6HBa2c8PSnhpVC31zMzvYMfKsI12h4HB6l%2FudrmNrvmH4LmNpi4dZFcio21DzKj%2FRjWmxjH7l8egDyG%2FIgPMY6Ls4IiN7aR1jijYTrBCgPUUHets3BFvqLzHtPFnG3B7%2FYRPnhCLu%2FgzvKN3F8l38KqeTNMHJaxkuhCvEjpFB2SJbi2QZqZZbLj3xASqXoogzbsyPp0Tzp0tH7EKDhPA7H6wwiZukXfFhhlYzP8on9fO2Ajz%2F%2BTDkDjbfWw4KNJ0cFeDsGrUspqQZb5TAKlUge7iOZEc2TZ5uagatSy9Mg08E4nImBSE5QUHDc7Daya1gyqrETMDZBBUHH2RFkGA9qMpEtNrtJ9G%2BPedz%2FpPY1hh9OCp9Pg1BrX97l3SfVzlAMRfNibhywq6qnE35rVnZi%2BEQ1UgBjs9jD%2FQrW49%2FaD0oUDojVeuFFryzRnQxDbKtYgonRcItTvLT5Y0xaK9P0u6H1197%2FMk3XxmjD9%2Fb%2BvBjqxAQWWkKiIxpC1oHEWK9Jt8UdJ39xszDBGpBqjB6Tvt5ePAXSyX8np%2FrBi%2BAPx06O0%2Ba7pU4NmH800EVXxxhgfj9nMw3CeoUIdxorVKtU2Mxw%2FLaAiPgxPS4rqkt65NF7eQYfegcSYDTm2Z%2BHPbz9HfCaVZ28Zqeko6sR%2F29ML4bguqVvHAM4mWPLNDXH33mjG%2BuzLi8e1BF7tNveg2X9G%2FRdcMkojwKYbu6xN3M6aX2alQg%3D%3D\u0026X-Amz-SignedHeaders=host\u0026X-Amz-Signature=1e8235d885f1d61529b7d6b23ea3a0780c300c91d86e925dd8310d5b661ddbe2) show-casing the exploit: \n\n## Impact\n\nDenial of service by crashing the nodejs client when attempting to parse a tar archive, make it run out of heap memory and consuming server CPU and memory resources\n\n## Report resources\n[payload.txt](https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/1e83ayb5dd3350fvj3gst0mqixwk?response-content-disposition=attachment%3B%20filename%3D%22payload.txt%22%3B%20filename%2A%3DUTF-8%27%27payload.txt\u0026response-content-type=text%2Fplain\u0026X-Amz-Algorithm=AWS4-HMAC-SHA256\u0026X-Amz-Date=20240312T080103Z\u0026X-Amz-Expires=3600\u0026X-Amz-Security-Token=IQoJb3JpZ2luX2VjEDcaCXVzLXdlc3QtMiJHMEUCID3xYDc6emXVPOg8iVR5dVk0u3gguTPIDJ0OIE%2BKxj17AiEAi%2BGiay1gGMWhH%2F031fvMYnSsa8U7CnpZpxvFAYqNRwgqsQUIQBADGgwwMTM2MTkyNzQ4NDkiDAaj6OgUL3gg4hhLLCqOBUUrOgWSqaK%2FmxN6nKRvB4Who3LIyzswFKm9LV94GiSVFP3zXYA480voCmAHTg7eBL7%2BrYgV2RtXbhF4aCFMCN3qu7GeXkIdH7xwVMi9zXHkekviSKZ%2FsZtVVjn7RFqOCKhJl%2FCoiLQJuDuju%2FtfdTGZbEbGsPgKHoILYbRp81K51zeRL21okjsOehmypkZzq%2BoGrXIX0ynPOKujxw27uqdF4T%2BF9ynodq01vGgwgVBEjHojc4OKOfr1oW5b%2FtGVV59%2BOBVI1hqIKHRG0Ed4SWmp%2BLd1hazGuZPvp52szmegnOj5qr3ubppnKL242bX%2FuAnQKzKK0HpwolqXjsuEeFeM85lxhqHV%2B1BJqaqSHHDa0HUMLZistMRshRlntuchcFQCR6HBa2c8PSnhpVC31zMzvYMfKsI12h4HB6l%2FudrmNrvmH4LmNpi4dZFcio21DzKj%2FRjWmxjH7l8egDyG%2FIgPMY6Ls4IiN7aR1jijYTrBCgPUUHets3BFvqLzHtPFnG3B7%2FYRPnhCLu%2FgzvKN3F8l38KqeTNMHJaxkuhCvEjpFB2SJbi2QZqZZbLj3xASqXoogzbsyPp0Tzp0tH7EKDhPA7H6wwiZukXfFhhlYzP8on9fO2Ajz%2F%2BTDkDjbfWw4KNJ0cFeDsGrUspqQZb5TAKlUge7iOZEc2TZ5uagatSy9Mg08E4nImBSE5QUHDc7Daya1gyqrETMDZBBUHH2RFkGA9qMpEtNrtJ9G%2BPedz%2FpPY1hh9OCp9Pg1BrX97l3SfVzlAMRfNibhywq6qnE35rVnZi%2BEQ1UgBjs9jD%2FQrW49%2FaD0oUDojVeuFFryzRnQxDbKtYgonRcItTvLT5Y0xaK9P0u6H1197%2FMk3XxmjD9%2Fb%2BvBjqxAQWWkKiIxpC1oHEWK9Jt8UdJ39xszDBGpBqjB6Tvt5ePAXSyX8np%2FrBi%2BAPx06O0%2Ba7pU4NmH800EVXxxhgfj9nMw3CeoUIdxorVKtU2Mxw%2FLaAiPgxPS4rqkt65NF7eQYfegcSYDTm2Z%2BHPbz9HfCaVZ28Zqeko6sR%2F29ML4bguqVvHAM4mWPLNDXH33mjG%2BuzLi8e1BF7tNveg2X9G%2FRdcMkojwKYbu6xN3M6aX2alQg%3D%3D\u0026X-Amz-SignedHeaders=host\u0026X-Amz-Signature=bad9fe731f05a63a950f99828125653a8c1254750fe0ca7be882e89ecdd449ae)\n[archeive.tar.gz](https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/ymkuh4xnfdcf1soeyi7jc2x4yt2i?response-content-disposition=attachment%3B%20filename%3D%22archive.tar.gz%22%3B%20filename%2A%3DUTF-8%27%27archive.tar.gz\u0026response-content-type=application%2Fx-tar\u0026X-Amz-Algorithm=AWS4-HMAC-SHA256\u0026X-Amz-Date=20240312T080103Z\u0026X-Amz-Expires=3600\u0026X-Amz-Security-Token=IQoJb3JpZ2luX2VjEDcaCXVzLXdlc3QtMiJHMEUCID3xYDc6emXVPOg8iVR5dVk0u3gguTPIDJ0OIE%2BKxj17AiEAi%2BGiay1gGMWhH%2F031fvMYnSsa8U7CnpZpxvFAYqNRwgqsQUIQBADGgwwMTM2MTkyNzQ4NDkiDAaj6OgUL3gg4hhLLCqOBUUrOgWSqaK%2FmxN6nKRvB4Who3LIyzswFKm9LV94GiSVFP3zXYA480voCmAHTg7eBL7%2BrYgV2RtXbhF4aCFMCN3qu7GeXkIdH7xwVMi9zXHkekviSKZ%2FsZtVVjn7RFqOCKhJl%2FCoiLQJuDuju%2FtfdTGZbEbGsPgKHoILYbRp81K51zeRL21okjsOehmypkZzq%2BoGrXIX0ynPOKujxw27uqdF4T%2BF9ynodq01vGgwgVBEjHojc4OKOfr1oW5b%2FtGVV59%2BOBVI1hqIKHRG0Ed4SWmp%2BLd1hazGuZPvp52szmegnOj5qr3ubppnKL242bX%2FuAnQKzKK0HpwolqXjsuEeFeM85lxhqHV%2B1BJqaqSHHDa0HUMLZistMRshRlntuchcFQCR6HBa2c8PSnhpVC31zMzvYMfKsI12h4HB6l%2FudrmNrvmH4LmNpi4dZFcio21DzKj%2FRjWmxjH7l8egDyG%2FIgPMY6Ls4IiN7aR1jijYTrBCgPUUHets3BFvqLzHtPFnG3B7%2FYRPnhCLu%2FgzvKN3F8l38KqeTNMHJaxkuhCvEjpFB2SJbi2QZqZZbLj3xASqXoogzbsyPp0Tzp0tH7EKDhPA7H6wwiZukXfFhhlYzP8on9fO2Ajz%2F%2BTDkDjbfWw4KNJ0cFeDsGrUspqQZb5TAKlUge7iOZEc2TZ5uagatSy9Mg08E4nImBSE5QUHDc7Daya1gyqrETMDZBBUHH2RFkGA9qMpEtNrtJ9G%2BPedz%2FpPY1hh9OCp9Pg1BrX97l3SfVzlAMRfNibhywq6qnE35rVnZi%2BEQ1UgBjs9jD%2FQrW49%2FaD0oUDojVeuFFryzRnQxDbKtYgonRcItTvLT5Y0xaK9P0u6H1197%2FMk3XxmjD9%2Fb%2BvBjqxAQWWkKiIxpC1oHEWK9Jt8UdJ39xszDBGpBqjB6Tvt5ePAXSyX8np%2FrBi%2BAPx06O0%2Ba7pU4NmH800EVXxxhgfj9nMw3CeoUIdxorVKtU2Mxw%2FLaAiPgxPS4rqkt65NF7eQYfegcSYDTm2Z%2BHPbz9HfCaVZ28Zqeko6sR%2F29ML4bguqVvHAM4mWPLNDXH33mjG%2BuzLi8e1BF7tNveg2X9G%2FRdcMkojwKYbu6xN3M6aX2alQg%3D%3D\u0026X-Amz-SignedHeaders=host\u0026X-Amz-Signature=5e2c0d4b4de40373ac0fe91908c2659141a6dd4ab850271cc26042a3885c82ea)\n\n## Note\nThis report was originally reported to GitHub bug bounty program, they asked me to report it to you a month ago",
|
|
4182
|
+
"text": "## Description: \nDuring some analysis today on npm's `node-tar` package I came across the folder creation process, Basicly if you provide node-tar with a path like this `./a/b/c/foo.txt` it would create every folder and sub-folder here a, b and c until it reaches the last folder to create `foo.txt`, In-this case I noticed that there's no validation at all on the amount of folders being created, that said we're actually able to CPU and memory consume the system running node-tar and even crash the nodejs client within few seconds of running it using a path with too many sub-folders inside\n\n## Steps To Reproduce:\nYou can reproduce this issue by downloading the tar file I provided in the resources and using node-tar to extract it, you should get the same behavior as the video\n\n## Proof Of Concept:\nHere's a [video](https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/3i7uojw8s52psar6pg8zkdo4h9io?response-content-disposition=attachment%3B%20filename%3D%22tar-dos-poc.webm%22%3B%20filename%2A%3DUTF-8%27%27tar-dos-poc.webm\u0026response-content-type=video%2Fwebm\u0026X-Amz-Algorithm=AWS4-HMAC-SHA256\u0026X-Amz-Date=20240312T080103Z\u0026X-Amz-Expires=3600\u0026X-Amz-Security-Token=IQoJb3JpZ2luX2VjEDcaCXVzLXdlc3QtMiJHMEUCID3xYDc6emXVPOg8iVR5dVk0u3gguTPIDJ0OIE%2BKxj17AiEAi%2BGiay1gGMWhH%2F031fvMYnSsa8U7CnpZpxvFAYqNRwgqsQUIQBADGgwwMTM2MTkyNzQ4NDkiDAaj6OgUL3gg4hhLLCqOBUUrOgWSqaK%2FmxN6nKRvB4Who3LIyzswFKm9LV94GiSVFP3zXYA480voCmAHTg7eBL7%2BrYgV2RtXbhF4aCFMCN3qu7GeXkIdH7xwVMi9zXHkekviSKZ%2FsZtVVjn7RFqOCKhJl%2FCoiLQJuDuju%2FtfdTGZbEbGsPgKHoILYbRp81K51zeRL21okjsOehmypkZzq%2BoGrXIX0ynPOKujxw27uqdF4T%2BF9ynodq01vGgwgVBEjHojc4OKOfr1oW5b%2FtGVV59%2BOBVI1hqIKHRG0Ed4SWmp%2BLd1hazGuZPvp52szmegnOj5qr3ubppnKL242bX%2FuAnQKzKK0HpwolqXjsuEeFeM85lxhqHV%2B1BJqaqSHHDa0HUMLZistMRshRlntuchcFQCR6HBa2c8PSnhpVC31zMzvYMfKsI12h4HB6l%2FudrmNrvmH4LmNpi4dZFcio21DzKj%2FRjWmxjH7l8egDyG%2FIgPMY6Ls4IiN7aR1jijYTrBCgPUUHets3BFvqLzHtPFnG3B7%2FYRPnhCLu%2FgzvKN3F8l38KqeTNMHJaxkuhCvEjpFB2SJbi2QZqZZbLj3xASqXoogzbsyPp0Tzp0tH7EKDhPA7H6wwiZukXfFhhlYzP8on9fO2Ajz%2F%2BTDkDjbfWw4KNJ0cFeDsGrUspqQZb5TAKlUge7iOZEc2TZ5uagatSy9Mg08E4nImBSE5QUHDc7Daya1gyqrETMDZBBUHH2RFkGA9qMpEtNrtJ9G%2BPedz%2FpPY1hh9OCp9Pg1BrX97l3SfVzlAMRfNibhywq6qnE35rVnZi%2BEQ1UgBjs9jD%2FQrW49%2FaD0oUDojVeuFFryzRnQxDbKtYgonRcItTvLT5Y0xaK9P0u6H1197%2FMk3XxmjD9%2Fb%2BvBjqxAQWWkKiIxpC1oHEWK9Jt8UdJ39xszDBGpBqjB6Tvt5ePAXSyX8np%2FrBi%2BAPx06O0%2Ba7pU4NmH800EVXxxhgfj9nMw3CeoUIdxorVKtU2Mxw%2FLaAiPgxPS4rqkt65NF7eQYfegcSYDTm2Z%2BHPbz9HfCaVZ28Zqeko6sR%2F29ML4bguqVvHAM4mWPLNDXH33mjG%2BuzLi8e1BF7tNveg2X9G%2FRdcMkojwKYbu6xN3M6aX2alQg%3D%3D\u0026X-Amz-SignedHeaders=host\u0026X-Amz-Signature=1e8235d885f1d61529b7d6b23ea3a0780c300c91d86e925dd8310d5b661ddbe2) show-casing the exploit: \n\n## Impact\n\nDenial of service by crashing the nodejs client when attempting to parse a tar archive, make it run out of heap memory and consuming server CPU and memory resources\n\n## Report resources\n[payload.txt](https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/1e83ayb5dd3350fvj3gst0mqixwk?response-content-disposition=attachment%3B%20filename%3D%22payload.txt%22%3B%20filename%2A%3DUTF-8%27%27payload.txt\u0026response-content-type=text%2Fplain\u0026X-Amz-Algorithm=AWS4-HMAC-SHA256\u0026X-Amz-Date=20240312T080103Z\u0026X-Amz-Expires=3600\u0026X-Amz-Security-Token=IQoJb3JpZ2luX2VjEDcaCXVzLXdlc3QtMiJHMEUCID3xYDc6emXVPOg8iVR5dVk0u3gguTPIDJ0OIE%2BKxj17AiEAi%2BGiay1gGMWhH%2F031fvMYnSsa8U7CnpZpxvFAYqNRwgqsQUIQBADGgwwMTM2MTkyNzQ4NDkiDAaj6OgUL3gg4hhLLCqOBUUrOgWSqaK%2FmxN6nKRvB4Who3LIyzswFKm9LV94GiSVFP3zXYA480voCmAHTg7eBL7%2BrYgV2RtXbhF4aCFMCN3qu7GeXkIdH7xwVMi9zXHkekviSKZ%2FsZtVVjn7RFqOCKhJl%2FCoiLQJuDuju%2FtfdTGZbEbGsPgKHoILYbRp81K51zeRL21okjsOehmypkZzq%2BoGrXIX0ynPOKujxw27uqdF4T%2BF9ynodq01vGgwgVBEjHojc4OKOfr1oW5b%2FtGVV59%2BOBVI1hqIKHRG0Ed4SWmp%2BLd1hazGuZPvp52szmegnOj5qr3ubppnKL242bX%2FuAnQKzKK0HpwolqXjsuEeFeM85lxhqHV%2B1BJqaqSHHDa0HUMLZistMRshRlntuchcFQCR6HBa2c8PSnhpVC31zMzvYMfKsI12h4HB6l%2FudrmNrvmH4LmNpi4dZFcio21DzKj%2FRjWmxjH7l8egDyG%2FIgPMY6Ls4IiN7aR1jijYTrBCgPUUHets3BFvqLzHtPFnG3B7%2FYRPnhCLu%2FgzvKN3F8l38KqeTNMHJaxkuhCvEjpFB2SJbi2QZqZZbLj3xASqXoogzbsyPp0Tzp0tH7EKDhPA7H6wwiZukXfFhhlYzP8on9fO2Ajz%2F%2BTDkDjbfWw4KNJ0cFeDsGrUspqQZb5TAKlUge7iOZEc2TZ5uagatSy9Mg08E4nImBSE5QUHDc7Daya1gyqrETMDZBBUHH2RFkGA9qMpEtNrtJ9G%2BPedz%2FpPY1hh9OCp9Pg1BrX97l3SfVzlAMRfNibhywq6qnE35rVnZi%2BEQ1UgBjs9jD%2FQrW49%2FaD0oUDojVeuFFryzRnQxDbKtYgonRcItTvLT5Y0xaK9P0u6H1197%2FMk3XxmjD9%2Fb%2BvBjqxAQWWkKiIxpC1oHEWK9Jt8UdJ39xszDBGpBqjB6Tvt5ePAXSyX8np%2FrBi%2BAPx06O0%2Ba7pU4NmH800EVXxxhgfj9nMw3CeoUIdxorVKtU2Mxw%2FLaAiPgxPS4rqkt65NF7eQYfegcSYDTm2Z%2BHPbz9HfCaVZ28Zqeko6sR%2F29ML4bguqVvHAM4mWPLNDXH33mjG%2BuzLi8e1BF7tNveg2X9G%2FRdcMkojwKYbu6xN3M6aX2alQg%3D%3D\u0026X-Amz-SignedHeaders=host\u0026X-Amz-Signature=bad9fe731f05a63a950f99828125653a8c1254750fe0ca7be882e89ecdd449ae)\n[archeive.tar.gz](https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/ymkuh4xnfdcf1soeyi7jc2x4yt2i?response-content-disposition=attachment%3B%20filename%3D%22archive.tar.gz%22%3B%20filename%2A%3DUTF-8%27%27archive.tar.gz\u0026response-content-type=application%2Fx-tar\u0026X-Amz-Algorithm=AWS4-HMAC-SHA256\u0026X-Amz-Date=20240312T080103Z\u0026X-Amz-Expires=3600\u0026X-Amz-Security-Token=IQoJb3JpZ2luX2VjEDcaCXVzLXdlc3QtMiJHMEUCID3xYDc6emXVPOg8iVR5dVk0u3gguTPIDJ0OIE%2BKxj17AiEAi%2BGiay1gGMWhH%2F031fvMYnSsa8U7CnpZpxvFAYqNRwgqsQUIQBADGgwwMTM2MTkyNzQ4NDkiDAaj6OgUL3gg4hhLLCqOBUUrOgWSqaK%2FmxN6nKRvB4Who3LIyzswFKm9LV94GiSVFP3zXYA480voCmAHTg7eBL7%2BrYgV2RtXbhF4aCFMCN3qu7GeXkIdH7xwVMi9zXHkekviSKZ%2FsZtVVjn7RFqOCKhJl%2FCoiLQJuDuju%2FtfdTGZbEbGsPgKHoILYbRp81K51zeRL21okjsOehmypkZzq%2BoGrXIX0ynPOKujxw27uqdF4T%2BF9ynodq01vGgwgVBEjHojc4OKOfr1oW5b%2FtGVV59%2BOBVI1hqIKHRG0Ed4SWmp%2BLd1hazGuZPvp52szmegnOj5qr3ubppnKL242bX%2FuAnQKzKK0HpwolqXjsuEeFeM85lxhqHV%2B1BJqaqSHHDa0HUMLZistMRshRlntuchcFQCR6HBa2c8PSnhpVC31zMzvYMfKsI12h4HB6l%2FudrmNrvmH4LmNpi4dZFcio21DzKj%2FRjWmxjH7l8egDyG%2FIgPMY6Ls4IiN7aR1jijYTrBCgPUUHets3BFvqLzHtPFnG3B7%2FYRPnhCLu%2FgzvKN3F8l38KqeTNMHJaxkuhCvEjpFB2SJbi2QZqZZbLj3xASqXoogzbsyPp0Tzp0tH7EKDhPA7H6wwiZukXfFhhlYzP8on9fO2Ajz%2F%2BTDkDjbfWw4KNJ0cFeDsGrUspqQZb5TAKlUge7iOZEc2TZ5uagatSy9Mg08E4nImBSE5QUHDc7Daya1gyqrETMDZBBUHH2RFkGA9qMpEtNrtJ9G%2BPedz%2FpPY1hh9OCp9Pg1BrX97l3SfVzlAMRfNibhywq6qnE35rVnZi%2BEQ1UgBjs9jD%2FQrW49%2FaD0oUDojVeuFFryzRnQxDbKtYgonRcItTvLT5Y0xaK9P0u6H1197%2FMk3XxmjD9%2Fb%2BvBjqxAQWWkKiIxpC1oHEWK9Jt8UdJ39xszDBGpBqjB6Tvt5ePAXSyX8np%2FrBi%2BAPx06O0%2Ba7pU4NmH800EVXxxhgfj9nMw3CeoUIdxorVKtU2Mxw%2FLaAiPgxPS4rqkt65NF7eQYfegcSYDTm2Z%2BHPbz9HfCaVZ28Zqeko6sR%2F29ML4bguqVvHAM4mWPLNDXH33mjG%2BuzLi8e1BF7tNveg2X9G%2FRdcMkojwKYbu6xN3M6aX2alQg%3D%3D\u0026X-Amz-SignedHeaders=host\u0026X-Amz-Signature=5e2c0d4b4de40373ac0fe91908c2659141a6dd4ab850271cc26042a3885c82ea)\n\n## Note\nThis report was originally reported to GitHub bug bounty program, they asked me to report it to you a month ago"
|
|
4183
4183
|
},
|
|
4184
4184
|
"help": {
|
|
4185
|
-
"markdown": "**Your dependency is vulnerable to [CVE-2024-28863](https://osv.dev/CVE-2024-28863)**.\n\n## [GHSA-f5x3-32g6-xq36](https://osv.dev/GHSA-f5x3-32g6-xq36)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e ## Description: \n\u003e During some analysis today on npm's `node-tar` package I came across the folder creation process, Basicly if you provide node-tar with a path like this `./a/b/c/foo.txt` it would create every folder and sub-folder here a, b and c until it reaches the last folder to create `foo.txt`, In-this case I noticed that there's no validation at all on the amount of folders being created, that said we're actually able to CPU and memory consume the system running node-tar and even crash the nodejs client within few seconds of running it using a path with too many sub-folders inside\n\u003e \n\u003e ## Steps To Reproduce:\n\u003e You can reproduce this issue by downloading the tar file I provided in the resources and using node-tar to extract it, you should get the same behavior as the video\n\u003e \n\u003e ## Proof Of Concept:\n\u003e Here's a [video](https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/3i7uojw8s52psar6pg8zkdo4h9io?response-content-disposition=attachment%3B%20filename%3D%22tar-dos-poc.webm%22%3B%20filename%2A%3DUTF-8%27%27tar-dos-poc.webm\u0026response-content-type=video%2Fwebm\u0026X-Amz-Algorithm=AWS4-HMAC-SHA256\u0026X-Amz-
|
|
4186
|
-
"text": "**Your dependency is vulnerable to [CVE-2024-28863](https://osv.dev/CVE-2024-28863)**.\n\n## [GHSA-f5x3-32g6-xq36](https://osv.dev/GHSA-f5x3-32g6-xq36)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e ## Description: \n\u003e During some analysis today on npm's `node-tar` package I came across the folder creation process, Basicly if you provide node-tar with a path like this `./a/b/c/foo.txt` it would create every folder and sub-folder here a, b and c until it reaches the last folder to create `foo.txt`, In-this case I noticed that there's no validation at all on the amount of folders being created, that said we're actually able to CPU and memory consume the system running node-tar and even crash the nodejs client within few seconds of running it using a path with too many sub-folders inside\n\u003e \n\u003e ## Steps To Reproduce:\n\u003e You can reproduce this issue by downloading the tar file I provided in the resources and using node-tar to extract it, you should get the same behavior as the video\n\u003e \n\u003e ## Proof Of Concept:\n\u003e Here's a [video](https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/3i7uojw8s52psar6pg8zkdo4h9io?response-content-disposition=attachment%3B%20filename%3D%22tar-dos-poc.webm%22%3B%20filename%2A%3DUTF-8%27%27tar-dos-poc.webm\u0026response-content-type=video%2Fwebm\u0026X-Amz-Algorithm=AWS4-HMAC-SHA256\u0026X-Amz-
|
|
4185
|
+
"markdown": "**Your dependency is vulnerable to [CVE-2024-28863](https://osv.dev/CVE-2024-28863)**.\n\n## [GHSA-f5x3-32g6-xq36](https://osv.dev/GHSA-f5x3-32g6-xq36)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e ## Description: \n\u003e During some analysis today on npm's `node-tar` package I came across the folder creation process, Basicly if you provide node-tar with a path like this `./a/b/c/foo.txt` it would create every folder and sub-folder here a, b and c until it reaches the last folder to create `foo.txt`, In-this case I noticed that there's no validation at all on the amount of folders being created, that said we're actually able to CPU and memory consume the system running node-tar and even crash the nodejs client within few seconds of running it using a path with too many sub-folders inside\n\u003e \n\u003e ## Steps To Reproduce:\n\u003e You can reproduce this issue by downloading the tar file I provided in the resources and using node-tar to extract it, you should get the same behavior as the video\n\u003e \n\u003e ## Proof Of Concept:\n\u003e Here's a [video](https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/3i7uojw8s52psar6pg8zkdo4h9io?response-content-disposition=attachment%3B%20filename%3D%22tar-dos-poc.webm%22%3B%20filename%2A%3DUTF-8%27%27tar-dos-poc.webm\u0026response-content-type=video%2Fwebm\u0026X-Amz-Algorithm=AWS4-HMAC-SHA256\u0026X-Amz-Date=20240312T080103Z\u0026X-Amz-Expires=3600\u0026X-Amz-Security-Token=IQoJb3JpZ2luX2VjEDcaCXVzLXdlc3QtMiJHMEUCID3xYDc6emXVPOg8iVR5dVk0u3gguTPIDJ0OIE%2BKxj17AiEAi%2BGiay1gGMWhH%2F031fvMYnSsa8U7CnpZpxvFAYqNRwgqsQUIQBADGgwwMTM2MTkyNzQ4NDkiDAaj6OgUL3gg4hhLLCqOBUUrOgWSqaK%2FmxN6nKRvB4Who3LIyzswFKm9LV94GiSVFP3zXYA480voCmAHTg7eBL7%2BrYgV2RtXbhF4aCFMCN3qu7GeXkIdH7xwVMi9zXHkekviSKZ%2FsZtVVjn7RFqOCKhJl%2FCoiLQJuDuju%2FtfdTGZbEbGsPgKHoILYbRp81K51zeRL21okjsOehmypkZzq%2BoGrXIX0ynPOKujxw27uqdF4T%2BF9ynodq01vGgwgVBEjHojc4OKOfr1oW5b%2FtGVV59%2BOBVI1hqIKHRG0Ed4SWmp%2BLd1hazGuZPvp52szmegnOj5qr3ubppnKL242bX%2FuAnQKzKK0HpwolqXjsuEeFeM85lxhqHV%2B1BJqaqSHHDa0HUMLZistMRshRlntuchcFQCR6HBa2c8PSnhpVC31zMzvYMfKsI12h4HB6l%2FudrmNrvmH4LmNpi4dZFcio21DzKj%2FRjWmxjH7l8egDyG%2FIgPMY6Ls4IiN7aR1jijYTrBCgPUUHets3BFvqLzHtPFnG3B7%2FYRPnhCLu%2FgzvKN3F8l38KqeTNMHJaxkuhCvEjpFB2SJbi2QZqZZbLj3xASqXoogzbsyPp0Tzp0tH7EKDhPA7H6wwiZukXfFhhlYzP8on9fO2Ajz%2F%2BTDkDjbfWw4KNJ0cFeDsGrUspqQZb5TAKlUge7iOZEc2TZ5uagatSy9Mg08E4nImBSE5QUHDc7Daya1gyqrETMDZBBUHH2RFkGA9qMpEtNrtJ9G%2BPedz%2FpPY1hh9OCp9Pg1BrX97l3SfVzlAMRfNibhywq6qnE35rVnZi%2BEQ1UgBjs9jD%2FQrW49%2FaD0oUDojVeuFFryzRnQxDbKtYgonRcItTvLT5Y0xaK9P0u6H1197%2FMk3XxmjD9%2Fb%2BvBjqxAQWWkKiIxpC1oHEWK9Jt8UdJ39xszDBGpBqjB6Tvt5ePAXSyX8np%2FrBi%2BAPx06O0%2Ba7pU4NmH800EVXxxhgfj9nMw3CeoUIdxorVKtU2Mxw%2FLaAiPgxPS4rqkt65NF7eQYfegcSYDTm2Z%2BHPbz9HfCaVZ28Zqeko6sR%2F29ML4bguqVvHAM4mWPLNDXH33mjG%2BuzLi8e1BF7tNveg2X9G%2FRdcMkojwKYbu6xN3M6aX2alQg%3D%3D\u0026X-Amz-SignedHeaders=host\u0026X-Amz-Signature=1e8235d885f1d61529b7d6b23ea3a0780c300c91d86e925dd8310d5b661ddbe2) show-casing the exploit: \n\u003e \n\u003e ## Impact\n\u003e \n\u003e Denial of service by crashing the nodejs client when attempting to parse a tar archive, make it run out of heap memory and consuming server CPU and memory resources\n\u003e \n\u003e ## Report resources\n\u003e [payload.txt](https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/1e83ayb5dd3350fvj3gst0mqixwk?response-content-disposition=attachment%3B%20filename%3D%22payload.txt%22%3B%20filename%2A%3DUTF-8%27%27payload.txt\u0026response-content-type=text%2Fplain\u0026X-Amz-Algorithm=AWS4-HMAC-SHA256\u0026X-Amz-Date=20240312T080103Z\u0026X-Amz-Expires=3600\u0026X-Amz-Security-Token=IQoJb3JpZ2luX2VjEDcaCXVzLXdlc3QtMiJHMEUCID3xYDc6emXVPOg8iVR5dVk0u3gguTPIDJ0OIE%2BKxj17AiEAi%2BGiay1gGMWhH%2F031fvMYnSsa8U7CnpZpxvFAYqNRwgqsQUIQBADGgwwMTM2MTkyNzQ4NDkiDAaj6OgUL3gg4hhLLCqOBUUrOgWSqaK%2FmxN6nKRvB4Who3LIyzswFKm9LV94GiSVFP3zXYA480voCmAHTg7eBL7%2BrYgV2RtXbhF4aCFMCN3qu7GeXkIdH7xwVMi9zXHkekviSKZ%2FsZtVVjn7RFqOCKhJl%2FCoiLQJuDuju%2FtfdTGZbEbGsPgKHoILYbRp81K51zeRL21okjsOehmypkZzq%2BoGrXIX0ynPOKujxw27uqdF4T%2BF9ynodq01vGgwgVBEjHojc4OKOfr1oW5b%2FtGVV59%2BOBVI1hqIKHRG0Ed4SWmp%2BLd1hazGuZPvp52szmegnOj5qr3ubppnKL242bX%2FuAnQKzKK0HpwolqXjsuEeFeM85lxhqHV%2B1BJqaqSHHDa0HUMLZistMRshRlntuchcFQCR6HBa2c8PSnhpVC31zMzvYMfKsI12h4HB6l%2FudrmNrvmH4LmNpi4dZFcio21DzKj%2FRjWmxjH7l8egDyG%2FIgPMY6Ls4IiN7aR1jijYTrBCgPUUHets3BFvqLzHtPFnG3B7%2FYRPnhCLu%2FgzvKN3F8l38KqeTNMHJaxkuhCvEjpFB2SJbi2QZqZZbLj3xASqXoogzbsyPp0Tzp0tH7EKDhPA7H6wwiZukXfFhhlYzP8on9fO2Ajz%2F%2BTDkDjbfWw4KNJ0cFeDsGrUspqQZb5TAKlUge7iOZEc2TZ5uagatSy9Mg08E4nImBSE5QUHDc7Daya1gyqrETMDZBBUHH2RFkGA9qMpEtNrtJ9G%2BPedz%2FpPY1hh9OCp9Pg1BrX97l3SfVzlAMRfNibhywq6qnE35rVnZi%2BEQ1UgBjs9jD%2FQrW49%2FaD0oUDojVeuFFryzRnQxDbKtYgonRcItTvLT5Y0xaK9P0u6H1197%2FMk3XxmjD9%2Fb%2BvBjqxAQWWkKiIxpC1oHEWK9Jt8UdJ39xszDBGpBqjB6Tvt5ePAXSyX8np%2FrBi%2BAPx06O0%2Ba7pU4NmH800EVXxxhgfj9nMw3CeoUIdxorVKtU2Mxw%2FLaAiPgxPS4rqkt65NF7eQYfegcSYDTm2Z%2BHPbz9HfCaVZ28Zqeko6sR%2F29ML4bguqVvHAM4mWPLNDXH33mjG%2BuzLi8e1BF7tNveg2X9G%2FRdcMkojwKYbu6xN3M6aX2alQg%3D%3D\u0026X-Amz-SignedHeaders=host\u0026X-Amz-Signature=bad9fe731f05a63a950f99828125653a8c1254750fe0ca7be882e89ecdd449ae)\n\u003e [archeive.tar.gz](https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/ymkuh4xnfdcf1soeyi7jc2x4yt2i?response-content-disposition=attachment%3B%20filename%3D%22archive.tar.gz%22%3B%20filename%2A%3DUTF-8%27%27archive.tar.gz\u0026response-content-type=application%2Fx-tar\u0026X-Amz-Algorithm=AWS4-HMAC-SHA256\u0026X-Amz-Date=20240312T080103Z\u0026X-Amz-Expires=3600\u0026X-Amz-Security-Token=IQoJb3JpZ2luX2VjEDcaCXVzLXdlc3QtMiJHMEUCID3xYDc6emXVPOg8iVR5dVk0u3gguTPIDJ0OIE%2BKxj17AiEAi%2BGiay1gGMWhH%2F031fvMYnSsa8U7CnpZpxvFAYqNRwgqsQUIQBADGgwwMTM2MTkyNzQ4NDkiDAaj6OgUL3gg4hhLLCqOBUUrOgWSqaK%2FmxN6nKRvB4Who3LIyzswFKm9LV94GiSVFP3zXYA480voCmAHTg7eBL7%2BrYgV2RtXbhF4aCFMCN3qu7GeXkIdH7xwVMi9zXHkekviSKZ%2FsZtVVjn7RFqOCKhJl%2FCoiLQJuDuju%2FtfdTGZbEbGsPgKHoILYbRp81K51zeRL21okjsOehmypkZzq%2BoGrXIX0ynPOKujxw27uqdF4T%2BF9ynodq01vGgwgVBEjHojc4OKOfr1oW5b%2FtGVV59%2BOBVI1hqIKHRG0Ed4SWmp%2BLd1hazGuZPvp52szmegnOj5qr3ubppnKL242bX%2FuAnQKzKK0HpwolqXjsuEeFeM85lxhqHV%2B1BJqaqSHHDa0HUMLZistMRshRlntuchcFQCR6HBa2c8PSnhpVC31zMzvYMfKsI12h4HB6l%2FudrmNrvmH4LmNpi4dZFcio21DzKj%2FRjWmxjH7l8egDyG%2FIgPMY6Ls4IiN7aR1jijYTrBCgPUUHets3BFvqLzHtPFnG3B7%2FYRPnhCLu%2FgzvKN3F8l38KqeTNMHJaxkuhCvEjpFB2SJbi2QZqZZbLj3xASqXoogzbsyPp0Tzp0tH7EKDhPA7H6wwiZukXfFhhlYzP8on9fO2Ajz%2F%2BTDkDjbfWw4KNJ0cFeDsGrUspqQZb5TAKlUge7iOZEc2TZ5uagatSy9Mg08E4nImBSE5QUHDc7Daya1gyqrETMDZBBUHH2RFkGA9qMpEtNrtJ9G%2BPedz%2FpPY1hh9OCp9Pg1BrX97l3SfVzlAMRfNibhywq6qnE35rVnZi%2BEQ1UgBjs9jD%2FQrW49%2FaD0oUDojVeuFFryzRnQxDbKtYgonRcItTvLT5Y0xaK9P0u6H1197%2FMk3XxmjD9%2Fb%2BvBjqxAQWWkKiIxpC1oHEWK9Jt8UdJ39xszDBGpBqjB6Tvt5ePAXSyX8np%2FrBi%2BAPx06O0%2Ba7pU4NmH800EVXxxhgfj9nMw3CeoUIdxorVKtU2Mxw%2FLaAiPgxPS4rqkt65NF7eQYfegcSYDTm2Z%2BHPbz9HfCaVZ28Zqeko6sR%2F29ML4bguqVvHAM4mWPLNDXH33mjG%2BuzLi8e1BF7tNveg2X9G%2FRdcMkojwKYbu6xN3M6aX2alQg%3D%3D\u0026X-Amz-SignedHeaders=host\u0026X-Amz-Signature=5e2c0d4b4de40373ac0fe91908c2659141a6dd4ab850271cc26042a3885c82ea)\n\u003e \n\u003e ## Note\n\u003e This report was originally reported to GitHub bug bounty program, they asked me to report it to you a month ago\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/javascript/yarn/yarn.lock | tar | 4.4.10 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-f5x3-32g6-xq36 | node-tar | 6.2.1 |\n| GHSA-f5x3-32g6-xq36 | tar | 6.2.1 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/javascript/yarn/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2024-28863\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n",
|
|
4186
|
+
"text": "**Your dependency is vulnerable to [CVE-2024-28863](https://osv.dev/CVE-2024-28863)**.\n\n## [GHSA-f5x3-32g6-xq36](https://osv.dev/GHSA-f5x3-32g6-xq36)\n\n\u003cdetails\u003e\n\u003csummary\u003eDetails\u003c/summary\u003e\n\n\u003e ## Description: \n\u003e During some analysis today on npm's `node-tar` package I came across the folder creation process, Basicly if you provide node-tar with a path like this `./a/b/c/foo.txt` it would create every folder and sub-folder here a, b and c until it reaches the last folder to create `foo.txt`, In-this case I noticed that there's no validation at all on the amount of folders being created, that said we're actually able to CPU and memory consume the system running node-tar and even crash the nodejs client within few seconds of running it using a path with too many sub-folders inside\n\u003e \n\u003e ## Steps To Reproduce:\n\u003e You can reproduce this issue by downloading the tar file I provided in the resources and using node-tar to extract it, you should get the same behavior as the video\n\u003e \n\u003e ## Proof Of Concept:\n\u003e Here's a [video](https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/3i7uojw8s52psar6pg8zkdo4h9io?response-content-disposition=attachment%3B%20filename%3D%22tar-dos-poc.webm%22%3B%20filename%2A%3DUTF-8%27%27tar-dos-poc.webm\u0026response-content-type=video%2Fwebm\u0026X-Amz-Algorithm=AWS4-HMAC-SHA256\u0026X-Amz-Date=20240312T080103Z\u0026X-Amz-Expires=3600\u0026X-Amz-Security-Token=IQoJb3JpZ2luX2VjEDcaCXVzLXdlc3QtMiJHMEUCID3xYDc6emXVPOg8iVR5dVk0u3gguTPIDJ0OIE%2BKxj17AiEAi%2BGiay1gGMWhH%2F031fvMYnSsa8U7CnpZpxvFAYqNRwgqsQUIQBADGgwwMTM2MTkyNzQ4NDkiDAaj6OgUL3gg4hhLLCqOBUUrOgWSqaK%2FmxN6nKRvB4Who3LIyzswFKm9LV94GiSVFP3zXYA480voCmAHTg7eBL7%2BrYgV2RtXbhF4aCFMCN3qu7GeXkIdH7xwVMi9zXHkekviSKZ%2FsZtVVjn7RFqOCKhJl%2FCoiLQJuDuju%2FtfdTGZbEbGsPgKHoILYbRp81K51zeRL21okjsOehmypkZzq%2BoGrXIX0ynPOKujxw27uqdF4T%2BF9ynodq01vGgwgVBEjHojc4OKOfr1oW5b%2FtGVV59%2BOBVI1hqIKHRG0Ed4SWmp%2BLd1hazGuZPvp52szmegnOj5qr3ubppnKL242bX%2FuAnQKzKK0HpwolqXjsuEeFeM85lxhqHV%2B1BJqaqSHHDa0HUMLZistMRshRlntuchcFQCR6HBa2c8PSnhpVC31zMzvYMfKsI12h4HB6l%2FudrmNrvmH4LmNpi4dZFcio21DzKj%2FRjWmxjH7l8egDyG%2FIgPMY6Ls4IiN7aR1jijYTrBCgPUUHets3BFvqLzHtPFnG3B7%2FYRPnhCLu%2FgzvKN3F8l38KqeTNMHJaxkuhCvEjpFB2SJbi2QZqZZbLj3xASqXoogzbsyPp0Tzp0tH7EKDhPA7H6wwiZukXfFhhlYzP8on9fO2Ajz%2F%2BTDkDjbfWw4KNJ0cFeDsGrUspqQZb5TAKlUge7iOZEc2TZ5uagatSy9Mg08E4nImBSE5QUHDc7Daya1gyqrETMDZBBUHH2RFkGA9qMpEtNrtJ9G%2BPedz%2FpPY1hh9OCp9Pg1BrX97l3SfVzlAMRfNibhywq6qnE35rVnZi%2BEQ1UgBjs9jD%2FQrW49%2FaD0oUDojVeuFFryzRnQxDbKtYgonRcItTvLT5Y0xaK9P0u6H1197%2FMk3XxmjD9%2Fb%2BvBjqxAQWWkKiIxpC1oHEWK9Jt8UdJ39xszDBGpBqjB6Tvt5ePAXSyX8np%2FrBi%2BAPx06O0%2Ba7pU4NmH800EVXxxhgfj9nMw3CeoUIdxorVKtU2Mxw%2FLaAiPgxPS4rqkt65NF7eQYfegcSYDTm2Z%2BHPbz9HfCaVZ28Zqeko6sR%2F29ML4bguqVvHAM4mWPLNDXH33mjG%2BuzLi8e1BF7tNveg2X9G%2FRdcMkojwKYbu6xN3M6aX2alQg%3D%3D\u0026X-Amz-SignedHeaders=host\u0026X-Amz-Signature=1e8235d885f1d61529b7d6b23ea3a0780c300c91d86e925dd8310d5b661ddbe2) show-casing the exploit: \n\u003e \n\u003e ## Impact\n\u003e \n\u003e Denial of service by crashing the nodejs client when attempting to parse a tar archive, make it run out of heap memory and consuming server CPU and memory resources\n\u003e \n\u003e ## Report resources\n\u003e [payload.txt](https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/1e83ayb5dd3350fvj3gst0mqixwk?response-content-disposition=attachment%3B%20filename%3D%22payload.txt%22%3B%20filename%2A%3DUTF-8%27%27payload.txt\u0026response-content-type=text%2Fplain\u0026X-Amz-Algorithm=AWS4-HMAC-SHA256\u0026X-Amz-Date=20240312T080103Z\u0026X-Amz-Expires=3600\u0026X-Amz-Security-Token=IQoJb3JpZ2luX2VjEDcaCXVzLXdlc3QtMiJHMEUCID3xYDc6emXVPOg8iVR5dVk0u3gguTPIDJ0OIE%2BKxj17AiEAi%2BGiay1gGMWhH%2F031fvMYnSsa8U7CnpZpxvFAYqNRwgqsQUIQBADGgwwMTM2MTkyNzQ4NDkiDAaj6OgUL3gg4hhLLCqOBUUrOgWSqaK%2FmxN6nKRvB4Who3LIyzswFKm9LV94GiSVFP3zXYA480voCmAHTg7eBL7%2BrYgV2RtXbhF4aCFMCN3qu7GeXkIdH7xwVMi9zXHkekviSKZ%2FsZtVVjn7RFqOCKhJl%2FCoiLQJuDuju%2FtfdTGZbEbGsPgKHoILYbRp81K51zeRL21okjsOehmypkZzq%2BoGrXIX0ynPOKujxw27uqdF4T%2BF9ynodq01vGgwgVBEjHojc4OKOfr1oW5b%2FtGVV59%2BOBVI1hqIKHRG0Ed4SWmp%2BLd1hazGuZPvp52szmegnOj5qr3ubppnKL242bX%2FuAnQKzKK0HpwolqXjsuEeFeM85lxhqHV%2B1BJqaqSHHDa0HUMLZistMRshRlntuchcFQCR6HBa2c8PSnhpVC31zMzvYMfKsI12h4HB6l%2FudrmNrvmH4LmNpi4dZFcio21DzKj%2FRjWmxjH7l8egDyG%2FIgPMY6Ls4IiN7aR1jijYTrBCgPUUHets3BFvqLzHtPFnG3B7%2FYRPnhCLu%2FgzvKN3F8l38KqeTNMHJaxkuhCvEjpFB2SJbi2QZqZZbLj3xASqXoogzbsyPp0Tzp0tH7EKDhPA7H6wwiZukXfFhhlYzP8on9fO2Ajz%2F%2BTDkDjbfWw4KNJ0cFeDsGrUspqQZb5TAKlUge7iOZEc2TZ5uagatSy9Mg08E4nImBSE5QUHDc7Daya1gyqrETMDZBBUHH2RFkGA9qMpEtNrtJ9G%2BPedz%2FpPY1hh9OCp9Pg1BrX97l3SfVzlAMRfNibhywq6qnE35rVnZi%2BEQ1UgBjs9jD%2FQrW49%2FaD0oUDojVeuFFryzRnQxDbKtYgonRcItTvLT5Y0xaK9P0u6H1197%2FMk3XxmjD9%2Fb%2BvBjqxAQWWkKiIxpC1oHEWK9Jt8UdJ39xszDBGpBqjB6Tvt5ePAXSyX8np%2FrBi%2BAPx06O0%2Ba7pU4NmH800EVXxxhgfj9nMw3CeoUIdxorVKtU2Mxw%2FLaAiPgxPS4rqkt65NF7eQYfegcSYDTm2Z%2BHPbz9HfCaVZ28Zqeko6sR%2F29ML4bguqVvHAM4mWPLNDXH33mjG%2BuzLi8e1BF7tNveg2X9G%2FRdcMkojwKYbu6xN3M6aX2alQg%3D%3D\u0026X-Amz-SignedHeaders=host\u0026X-Amz-Signature=bad9fe731f05a63a950f99828125653a8c1254750fe0ca7be882e89ecdd449ae)\n\u003e [archeive.tar.gz](https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/ymkuh4xnfdcf1soeyi7jc2x4yt2i?response-content-disposition=attachment%3B%20filename%3D%22archive.tar.gz%22%3B%20filename%2A%3DUTF-8%27%27archive.tar.gz\u0026response-content-type=application%2Fx-tar\u0026X-Amz-Algorithm=AWS4-HMAC-SHA256\u0026X-Amz-Date=20240312T080103Z\u0026X-Amz-Expires=3600\u0026X-Amz-Security-Token=IQoJb3JpZ2luX2VjEDcaCXVzLXdlc3QtMiJHMEUCID3xYDc6emXVPOg8iVR5dVk0u3gguTPIDJ0OIE%2BKxj17AiEAi%2BGiay1gGMWhH%2F031fvMYnSsa8U7CnpZpxvFAYqNRwgqsQUIQBADGgwwMTM2MTkyNzQ4NDkiDAaj6OgUL3gg4hhLLCqOBUUrOgWSqaK%2FmxN6nKRvB4Who3LIyzswFKm9LV94GiSVFP3zXYA480voCmAHTg7eBL7%2BrYgV2RtXbhF4aCFMCN3qu7GeXkIdH7xwVMi9zXHkekviSKZ%2FsZtVVjn7RFqOCKhJl%2FCoiLQJuDuju%2FtfdTGZbEbGsPgKHoILYbRp81K51zeRL21okjsOehmypkZzq%2BoGrXIX0ynPOKujxw27uqdF4T%2BF9ynodq01vGgwgVBEjHojc4OKOfr1oW5b%2FtGVV59%2BOBVI1hqIKHRG0Ed4SWmp%2BLd1hazGuZPvp52szmegnOj5qr3ubppnKL242bX%2FuAnQKzKK0HpwolqXjsuEeFeM85lxhqHV%2B1BJqaqSHHDa0HUMLZistMRshRlntuchcFQCR6HBa2c8PSnhpVC31zMzvYMfKsI12h4HB6l%2FudrmNrvmH4LmNpi4dZFcio21DzKj%2FRjWmxjH7l8egDyG%2FIgPMY6Ls4IiN7aR1jijYTrBCgPUUHets3BFvqLzHtPFnG3B7%2FYRPnhCLu%2FgzvKN3F8l38KqeTNMHJaxkuhCvEjpFB2SJbi2QZqZZbLj3xASqXoogzbsyPp0Tzp0tH7EKDhPA7H6wwiZukXfFhhlYzP8on9fO2Ajz%2F%2BTDkDjbfWw4KNJ0cFeDsGrUspqQZb5TAKlUge7iOZEc2TZ5uagatSy9Mg08E4nImBSE5QUHDc7Daya1gyqrETMDZBBUHH2RFkGA9qMpEtNrtJ9G%2BPedz%2FpPY1hh9OCp9Pg1BrX97l3SfVzlAMRfNibhywq6qnE35rVnZi%2BEQ1UgBjs9jD%2FQrW49%2FaD0oUDojVeuFFryzRnQxDbKtYgonRcItTvLT5Y0xaK9P0u6H1197%2FMk3XxmjD9%2Fb%2BvBjqxAQWWkKiIxpC1oHEWK9Jt8UdJ39xszDBGpBqjB6Tvt5ePAXSyX8np%2FrBi%2BAPx06O0%2Ba7pU4NmH800EVXxxhgfj9nMw3CeoUIdxorVKtU2Mxw%2FLaAiPgxPS4rqkt65NF7eQYfegcSYDTm2Z%2BHPbz9HfCaVZ28Zqeko6sR%2F29ML4bguqVvHAM4mWPLNDXH33mjG%2BuzLi8e1BF7tNveg2X9G%2FRdcMkojwKYbu6xN3M6aX2alQg%3D%3D\u0026X-Amz-SignedHeaders=host\u0026X-Amz-Signature=5e2c0d4b4de40373ac0fe91908c2659141a6dd4ab850271cc26042a3885c82ea)\n\u003e \n\u003e ## Note\n\u003e This report was originally reported to GitHub bug bounty program, they asked me to report it to you a month ago\n\n\u003c/details\u003e\n\n---\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Users/john.doe/projects/javascript/yarn/yarn.lock | tar | 4.4.10 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-f5x3-32g6-xq36 | node-tar | 6.2.1 |\n| GHSA-f5x3-32g6-xq36 | tar | 6.2.1 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Users/john.doe/projects/javascript/yarn/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2024-28863\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n"
|
|
4187
4187
|
},
|
|
4188
4188
|
"id": "CVE-2024-28863",
|
|
4189
4189
|
"name": "CVE-2024-28863",
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
import {
|
|
2
2
|
Color,
|
|
3
3
|
LogLevel,
|
|
4
|
-
RepresentationType,
|
|
4
|
+
RepresentationType, SarifFileExtension,
|
|
5
5
|
SarifToSlackClient,
|
|
6
6
|
SendIf
|
|
7
7
|
} from '../../src'
|
|
@@ -31,6 +31,15 @@ describe('(integration): SendSarifToSlack', (): void => {
|
|
|
31
31
|
}
|
|
32
32
|
}
|
|
33
33
|
|
|
34
|
+
function processSarifExtension(extension: string): SarifFileExtension {
|
|
35
|
+
const allowed: string[] = ['sarif', 'json']
|
|
36
|
+
if (allowed.includes(extension)) {
|
|
37
|
+
return extension as SarifFileExtension
|
|
38
|
+
}
|
|
39
|
+
|
|
40
|
+
throw new Error(`Unknown extension: ${extension}`)
|
|
41
|
+
}
|
|
42
|
+
|
|
34
43
|
function processRepresentationType(representation?: string): RepresentationType | undefined {
|
|
35
44
|
if (representation == null) {
|
|
36
45
|
return undefined
|
|
@@ -99,6 +108,7 @@ describe('(integration): SendSarifToSlack', (): void => {
|
|
|
99
108
|
iconUrl: process.env.SARIF_TO_SLACK_ICON_URL,
|
|
100
109
|
color: {
|
|
101
110
|
default: new Color(process.env.SARIF_TO_SLACK_COLOR),
|
|
111
|
+
empty: new Color(process.env.SARIF_TO_SLACK_COLOR_EMPTY),
|
|
102
112
|
byLevel: {
|
|
103
113
|
error: new Color(process.env.SARIF_TO_SLACK_COLOR_ERROR),
|
|
104
114
|
warning: new Color(process.env.SARIF_TO_SLACK_COLOR_WARNING),
|
|
@@ -114,15 +124,22 @@ describe('(integration): SendSarifToSlack', (): void => {
|
|
|
114
124
|
none: new Color(process.env.SARIF_TO_SLACK_COLOR_NONE),
|
|
115
125
|
unknown: new Color(process.env.SARIF_TO_SLACK_COLOR_UNKNOWN),
|
|
116
126
|
},
|
|
117
|
-
empty: new Color(process.env.SARIF_TO_SLACK_COLOR_EMPTY),
|
|
118
127
|
},
|
|
119
128
|
sarif: {
|
|
120
129
|
path: process.env.SARIF_TO_SLACK_SARIF_PATH as string,
|
|
121
|
-
recursive:
|
|
122
|
-
|
|
130
|
+
recursive: process.env.SARIF_TO_SLACK_SARIF_PATH_RECURSIVE
|
|
131
|
+
? Boolean(process.env.SARIF_TO_SLACK_SARIF_PATH_RECURSIVE)
|
|
132
|
+
: false,
|
|
133
|
+
extension: process.env.SARIF_TO_SLACK_SARIF_FILE_EXTENSION
|
|
134
|
+
? processSarifExtension(process.env.SARIF_TO_SLACK_SARIF_FILE_EXTENSION)
|
|
135
|
+
: 'sarif',
|
|
123
136
|
},
|
|
124
137
|
log: {
|
|
125
138
|
level: processLogLevel(process.env.SARIF_TO_SLACK_LOG_LEVEL),
|
|
139
|
+
template: process.env.SARIF_TO_SLACK_LOG_TEMPLATE,
|
|
140
|
+
colored: process.env.SARIF_TO_SLACK_LOG_COLORED
|
|
141
|
+
? Boolean(process.env.SARIF_TO_SLACK_LOG_COLORED)
|
|
142
|
+
: true,
|
|
126
143
|
},
|
|
127
144
|
header: {
|
|
128
145
|
include: process.env.SARIF_TO_SLACK_HEADER !== 'skip',
|