Merge pull request #107 from github/xavier-patch

Check for duplicates

Author: xcorail

.github/actions/replicate/__tests__/replicate.test.js

@@ -1,5 +1,6 @@
 import * as core from '@actions/core'
 import * as replicate from '../replicate'
+import * as issues from '../issues'
 import { WebhookPayload, PayloadRepository } from '@actions/github/lib/interfaces'
 
 const TEST_ISSUE_1 = 1
@@ -71,8 +72,9 @@ This is the issue body second line
 }
 
 const TEST_GENERATED_ISSUE: replicate.Issue = {
-  title: '[BOUNTY - All For One] Issue Title',
+  title: '[All For One] Issue Title',
   labels: ['All For One','not-a-bounty-label'],
+  bountyType: 'All For One',
   body: `Original external [issue](https://github.com/test_owner/test_repo/issues/1)
 
 Sumitted by [ghsecuritylab](https://github.com/ghsecuritylab)
@@ -118,3 +120,20 @@ describe('generates proper content', () => {
   })
 })
 
+describe('check for duplicates', () => {
+  it('can find duplicates', async () => {
+    const TEST_REF: number = 31
+    const TEST_BODY1 = `Original external [issue](https://github.com/owner/repo/issues/1)\n\nThen there is some text`
+    const TEST_BODY2 = `Original external [issue](https://github.com/owner/repo/issues/2)\n\nThen there is some text`
+    const TEST_INTERNAL_ISSUES: issues.Issue_info[] = [
+      {title: 'issue 1', author: 'author1', body: TEST_BODY1, number: 31},
+      {title: 'issue 2', author: 'author2', body: TEST_BODY2, number: 33}
+    ]
+    let foundRef: number | undefined = issues.internalIssueAlreadyCreated('https://github.com/owner/repo/issues/1', TEST_INTERNAL_ISSUES)
+    expect(foundRef).toEqual(TEST_REF)
+    foundRef = issues.internalIssueAlreadyCreated('https://github.com/owner/repo/issues/3', TEST_INTERNAL_ISSUES)
+    expect(foundRef).toBeUndefined()
+  })
+})
+
+

.github/actions/replicate/__tests__/replicate.test.ts

@@ -5,7 +5,7 @@ import * as replicate from './replicate'
 export type Issue_info = {title: string, author: string, body: string, number: number}
 type Issue_state = 'open' | 'all' | 'closed' | undefined
 
-export const getIssueList = async (owner: string, repo: string, token: string | undefined, open: boolean) : Promise<Issue_info[] | undefined> => {
+export const getIssueList = async (owner: string, repo: string, token: string | undefined, open: boolean, checkBountyLabels: boolean, per_page?: number) : Promise<Issue_info[] | undefined> => {
     if(!token) {
         core.debug("No valid token for creating issues on the internal repo")
         return
@@ -19,14 +19,15 @@ export const getIssueList = async (owner: string, repo: string, token: string |
             owner, 
             repo,
             state: issueState,
+            per_page: per_page? per_page : 100 // TODO: implement proper pagination
             // labels: labelFilter -- Does not work properly
         })
 
         issues.data.forEach(issue => {
-            const bountyLabel = issue.labels.some(label => {
-                return replicate.BOUNTY_LABELS.includes(label.name)
-            })
-            if(bountyLabel){
+            const bountyLabel = checkBountyLabels? issue.labels.some(label => {
+                return replicate.BOUNTY_LABELS.includes(label.name as replicate.BountyType)
+            }) : undefined
+            if(!checkBountyLabels || bountyLabel){
                 let item: Issue_info = {
                     title: issue.title,
                     author: issue.user?.login,
@@ -52,8 +53,12 @@ export const isUserAlreadyParticipant = (user: string, externalSubmissions: Issu
     return check
 }
 
+function escapeRegExp(text: string) {
+    return text.replace(/[-\/\\^$*+?.()|[\]{}]/g, '\\$&')
+}
+
 export const internalIssueAlreadyCreated = (externalSubmissionUrl: string | undefined, internalIssues: Issue_info[]) : number | undefined => {
-    const searchString = `/Original external [issue](${externalSubmissionUrl})/`
+    const searchString = new RegExp(escapeRegExp(`Original external [issue](${externalSubmissionUrl})`))
     let ref: number | undefined = undefined
     internalIssues.some( element => {
         if(element.body.search(searchString) != -1) {

.github/actions/replicate/issues.js

@@ -3,9 +3,12 @@ import * as github from '@actions/github'
 import { WebhookPayload } from '@actions/github/lib/interfaces'
 import { getIssueList, internalIssueAlreadyCreated, isUserAlreadyParticipant } from './issues'
 
-export type Issue = {title: string, body: string, labels: string[]}
-export const BOUNTY_LABELS: string[] = ['All For One', 'The Bug Slayer']
-const COMMENT_TASK_LIST = `## Task List
+export const BOUNTY_LABELS = ['All For One', 'The Bug Slayer'] as const
+export type BountyType = typeof BOUNTY_LABELS[number]
+type CommentMap = {[K in BountyType]: string}
+export type Issue = {title: string, body: string, labels: string[], bountyType: BountyType}
+
+const COMMENT_TASK_LIST_AFO = `## Task List
 - [ ] Initial assessment - Please record your decision in the comment below
   - [ ] CodeQL
   - [ ] Security Lab
@@ -21,6 +24,20 @@ const COMMENT_TASK_LIST = `## Task List
 - [ ] Bounty Payment
 `
 
+const COMMENT_TASK_LIST_BS = `## Task List
+- [ ] Initial assessment from Security Lab
+- [ ] Security Lab assessment:
+  - [ ] Confirm the CVE 
+  - [ ] Assess the Vulnerability Impact, the Vulnerability Scope
+  - [ ] Get the CodeQL scores (False Positive ratio, Code Maturity and the Documentation) from the previous query rating
+  - [ ] PR is merged? Finalize the score
+- [ ] Bounty Payment`
+
+const COMMENT_TASK_LIST: CommentMap = {
+    'All For One': COMMENT_TASK_LIST_AFO,
+    'The Bug Slayer': COMMENT_TASK_LIST_BS
+}
+
 const COMMENT_SCORING = `## Scoring
 | Criterion | Score|
 |--- | --- |
@@ -40,7 +57,7 @@ const COMMENT_FIRST_SUBMISSION = `## :tada: First submission for this user :tada
 
 export const generateInternalIssueContentFromPayload = async (payload: WebhookPayload): Promise<Issue | undefined> => {
     const issue = payload.issue
-    let result: Issue = {title: "none", body: "none", labels: []}
+    let result: Issue = {title: 'none', body: 'none', labels: [], bountyType: 'All For One'}
     let bountyIssue: boolean = false
     let bountyType = ''
 
@@ -103,7 +120,7 @@ export const createInternalIssue = async (payload: WebhookPayload, issue: Issue)
             owner,
             repo,
             issue_number: internal_ref,
-            body: COMMENT_TASK_LIST,
+            body: COMMENT_TASK_LIST[issue.bountyType],
         })
         core.debug(`comment created ${issueCommentResponse1.data.url}`)
 
@@ -162,7 +179,7 @@ const checkDuplicates = async (payload: WebhookPayload): Promise<boolean> => {
     const internalRepoAccessToken: string | undefined = process.env['INT_REPO_TOKEN']
     const internalRepo = core.getInput('internal_repo') || '/'
     const [owner, repo] = internalRepo.split('/')
-    const internalIssues = await getIssueList(owner, repo, internalRepoAccessToken, false)
+    const internalIssues = await getIssueList(owner, repo, internalRepoAccessToken, false, false)
     if(!internalIssues) {
         core.debug('Internal error. Cannot check for duplicates. Aborting')
             return true
@@ -180,7 +197,7 @@ export const isFirstSubmission = async (payload: WebhookPayload, token : string
     const repository = payload.repository
     if(!repository)
         return false
-    const allSubmissions = await getIssueList(repository.owner.login, repository.name, token, false)
+    const allSubmissions = await getIssueList(repository.owner.login, repository.name, token, false, true)
     return !isUserAlreadyParticipant(payload.issue?.user.login, allSubmissions)
 }