feat: dependency-check-plugin-revision#1529

Open
RichardUri wants to merge 2 commits intofinos:mainfrom
RichardUri:main

Conversation

@RichardUri

Description

Revises and addresses review feedback on #799, adding a dependency vulnerability scanner plugin.

The plugin is intended to intercept pushes and scan changed dependency files against the OWASP Vuln database. If a vulnerability is found at or above a severity threshold, the push will be held for review.

Made changes according to reviewer comments on original PR.
General changes:

  • Severity threshold configured via DEPENDENCY_VULN_THRESHOLD environment variable (default: HIGH) rather than a top-level config schema entry
  • Fixed git diff argument order (previously showed removals instead of additions)
  • Fixed git show using HEAD instead of the pushed commit SHA
  • Fixed missing parent directory creation for nested file paths (e.g. src/lib/foo.json)
  • deleteTempRepo now deletes the entire .tempRepo/ directory instead of only the current push's subdirectory
  • Added exit code check for dependency-check to prevent silent false negatives on failure
  • Replaced spawnSync for the clone operation with async spawn to avoid blocking the Node.js event loop
  • Removed dead variables and unneeded aliases.
  • Added Basic auth credential forwarding on the clone URL, similar to the one used in the pullRemote processor
  • Blocked message now includes CVE ID, severity, and description
  • 'temporaryRepo.js' removed and is now directly included into the main file.
  • Added exports entry and README documentation for the new plugin

Related Issue

Revises #799

Checklist

General

Documentation

  • Documentation has been added/updated for any new features

Configuration

  • If configuration schema (config.schema.json) was modified:
    • TypeScript types regenerated (npm run generate-config-types)
    • Schema reference docs regenerated (npm run gen-schema-doc)

Tests

  • Tests have been added/updated for new functionality
  • Unit tests pass (npm test)
  • Linting and formatting pass (npm run lint and npm run format:check)
  • Type checks pass (npm run check-types)

@RichardUri RichardUri requested a review from a team as a code owner May 10, 2026 20:05
@netlify

netlify Bot commented May 10, 2026

Deploy Preview for endearing-brigadeiros-63f9d0 canceled.

Name Link
🔨 Latest commit 7405dd1
🔍 Latest deploy log https://app.netlify.com/projects/endearing-brigadeiros-63f9d0/deploys/6a00e521255cd40008d8f1aa

@kriswest kriswest (Contributor) left a comment

It seems odd to have a plug-in do a complete extra clone of the repository and compute its own diff in order to run scanning tools on it, when the built-in scanners already do both of these things... Can this not be written to use the data from the existing clone and diff operations?
