Skeleton for license validation.

__tests__/config.test.ts

@@ -16,3 +16,16 @@ test('returns a default config when the config file was not found', async () =>
   expect(options.fail_on_severity).toEqual('low')
   expect(options.allow_licenses).toEqual([])
 })
+
+test('it reads config files with empty options', async () => {
+  let options = readConfigFile('./__tests__/fixtures/no-licenses-config.yml')
+  expect(options.fail_on_severity).toEqual('critical')
+  expect(options.allow_licenses).toEqual(undefined)
+  expect(options.deny_licenses).toEqual(undefined)
+})
+
+test('it raises an error if both an allow and denylist are specified', async () => {
+  expect(() =>
+    readConfigFile('./__tests__/fixtures/conflictive-config.yml')
+  ).toThrow()
+})

__tests__/fixtures/conflictive-config.yml

@@ -0,0 +1,2 @@
+allow_licenses: []
+deny_licenses: []

__tests__/fixtures/no-licenses-config.yml

@@ -0,0 +1 @@
+fail_on_severity: critical

__tests__/licenses.test.ts

@@ -0,0 +1,53 @@
+import {expect, test} from '@jest/globals'
+import {Change, Changes} from '../src/schemas'
+import {hasInvalidLicenses} from '../src/licenses'
+
+let npmChange: Change = {
+  manifest: 'package.json',
+  change_type: 'added',
+  ecosystem: 'npm',
+  name: 'Reeuhq',
+  version: '1.0.2',
+  package_url: 'somepurl',
+  license: 'MIT',
+  source_repository_url: 'github.com/some-repo',
+  vulnerabilities: [
+    {
+      severity: 'critical',
+      advisory_ghsa_id: 'first-random_string',
+      advisory_summary: 'very dangerouns',
+      advisory_url: 'github.com/future-funk'
+    }
+  ]
+}
+
+let rubyChange: Change = {
+  change_type: 'added',
+  manifest: 'Gemfile.lock',
+  ecosystem: 'rubygems',
+  name: 'actionsomething',
+  version: '3.2.0',
+  package_url: 'somerubypurl',
+  license: 'BSD',
+  source_repository_url: 'github.com/some-repo',
+  vulnerabilities: [
+    {
+      severity: 'moderate',
+      advisory_ghsa_id: 'second-random_string',
+      advisory_summary: 'not so dangerouns',
+      advisory_url: 'github.com/future-funk'
+    },
+    {
+      severity: 'low',
+      advisory_ghsa_id: 'third-random_string',
+      advisory_summary: 'dont page me',
+      advisory_url: 'github.com/future-funk'
+    }
+  ]
+}
+
+test('hasInvalidLicenses fails if an unallowed license is found', async () => {
+  const changes: Changes = [npmChange, rubyChange]
+  const result = hasInvalidLicenses(changes, ['BSD'], [])
+  expect(result.length).toBe(1)
+})

src/licenses.ts

@@ -0,0 +1,34 @@
+import {Change, ChangeSchema} from './schemas'
+
+export function hasInvalidLicenses(
+  changes: Array<Change>,
+  allowLicenses: Array<string> | undefined,
+  failLicenses: Array<string> | undefined
+): Array<Change> {
+  let disallowed: Change[] = []
+
+  if (allowLicenses === undefined) {
+    allowLicenses = []
+  }
+  if (failLicenses === undefined) {
+    failLicenses = []
+  }
+
+  for (const change of changes) {
+    let license = change.license
+    // TODO: be loud about unknown licenses
+    if (license === null) {
+      continue
+    }
+
+    if (allowLicenses.includes(license)) {
+      disallowed.push(change)
+    }
+  }
+
+  return disallowed
+}
+
+export function printLicensesError(changes: Array<Change>): void {
+  return
+}

src/main.ts

@@ -6,6 +6,7 @@ import {RequestError} from '@octokit/request-error'
 import {Change, PullRequestSchema, Severity} from './schemas'
 import {readConfigFile} from '../src/config'
 import {filterChangesBySeverity} from '../src/filter'
+import {hasInvalidLicenses, printLicensesError} from './licenses'
 
 async function run(): Promise<void> {
   try {
@@ -35,6 +36,17 @@ async function run(): Promise<void> {
       changes
     )
 
+    let licenseErrors = hasInvalidLicenses(
+      changes,
+      config.allow_licenses,
+      config.deny_licenses
+    )
+
+    if (licenseErrors.length > 0) {
+      printLicensesError(licenseErrors)
+      throw new Error('Dependency review detected incompatible licenses.')
+    }
+
     for (const change of filteredChanges) {
       if (
         change.change_type === 'added' &&