Metadata fields `alert-state`, `ghsa-id` & `cvss` are never populated when the manifest file is at the root about fetch-metadata HOT 9 CLOSED

I am experiencing the same issue.

from fetch-metadata.

@SalimBensiali your repository is not configured to use Dependabot security updates and alerts:

I updated the README (see #187) to make it explicit that this feature relies upon those being enabled. My apologies for the confusion.

from fetch-metadata.

@mwaddell my repo does have dependabot security updates and alerts enabled. Look at any previously closed dependabot alerts via the auto merge workflow https://github.com/SalimBensiali/le-blanc-jewellery/pulls?q=is%3Apr+is%3Aclosed

The issue I am reporting relates the v1.3.0 new feature alert-lookup

from fetch-metadata.

I think you simply don't have the permissions to view them

from fetch-metadata.

@mwaddell I managed to run the dry-run command which successfully returned the missing metadata for me.

Could it be because your LOCAL_GITHUB_ACCESS_TOKEN does not give you permission to access the data? Which would be consistent with not seeing that dependabot security alerts and updates are enabled on https://github.com/SalimBensiali/le-blanc-jewellery/security.

from fetch-metadata.

The docs you are linking to in #187 (https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts#access-to--dependabot-alerts) do explain why you could not see any dependabot alerts on my repo.

By default, we notify people with admin permissions in the affected repositories about new Dependabot alerts. GitHub never publicly discloses identified vulnerabilities for any repository. You can also make Dependabot alerts visible to additional people or teams working repositories that you own or have admin permissions for. For more information, see "Managing security and analysis settings for your repository."

This is further confirmed here.

from fetch-metadata.

@mwaddell you could run the dry-run command off main and my branch and target a test repo you own to verify the bug and the fix. All you need is a repo with a manifest file in the root directory and any dependabot PR.

from fetch-metadata.

Thank you for the additional clarification - I understand now. Thank you for the PR and for updating all the unit tests, I've reviewed and approved the changes for @brrygrdn to merge.

from fetch-metadata.

👍

from fetch-metadata.