
cla-bot's Issues

cla-bot adds multiple tags to repo after rebases

The bot adds the same tag multiple times if the pull request has been rebased (possibly pushed to as well). This could clutter up the pull request page if there were multiple rebases, although it's not a big issue.

If a whitelisted user deletes their account - an 'imposter' can adopt it

via email from @maoo

What if a GitHub user, that is "whitelisted" by the bot (since covered by a CLA) and therefore part of the "contributorListGithubUrl", deletes the GitHub account and another person creates a GitHub account with the same GitHub ID later on?

This is a very good point, and a bit of a design flaw! Usernames (called login in the GitHub API response) are unique, but can be relinquished when accounts are deleted.

However, users also have a unique ID which is returned by the API, and is visible in your avatar URL for example, https://avatars0.githubusercontent.com/u/1098110?s=460&v=4.

We could list user IDs in the whitelist file, but that would make it much harder to configure. We'd still experience the issues relating to #74, where git commits can be from authors that do not have GitHub accounts.

I can't see a good fix for this one!

Similar to #99

How to get user name in comment

I would like to get the user name of whoever has not signed the CLA in the comment. It becomes important when there are multiple committers in the same pull request. Mentioning the user who has not signed would be really good.
Is there any way to do that?

Sorry for raising an issue for a question but didn't find any chat medium.

Allow to define .clabot at organisation level

I am evaluating the cla-bot to validate Pull Requests across different projects that are hosted in our github org; for this reason, I need to be able to define a .clabot configuration at organisation level and prevent the project from overruling it.

The solution can be composed of 2 blocks:

  • If cla-bot fails resolving the project's .clabot file, it will fallback into https://github.com/<user/org_name>/clabot-config/.clabot
  • A configuration flag (i.e. forceOrgConfig) that forces .clabot to be resolved at organisation level

I am submitting a PR that I've tested against a test repo; configuration is stored in ssf-admin/clabot-config.

Please note: the PR is not ready for merge; documentation and testing are missing; feedback is welcome, especially considering my entry-level node skills.

CVE-2012-6708 (Medium) detected in jquery-1.7.2.min.js

CVE-2012-6708 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.7.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js

Path to dependency file: /tmp/ws-scm/cla-bot/node_modules/jmespath/index.html

Path to vulnerable library: /cla-bot/node_modules/jmespath/index.html

Dependency Hierarchy:

  • ❌ jquery-1.7.2.min.js (Vulnerable Library)

Found in HEAD commit: ac92065be8dcbcf0a25d76cc219ab554b541ef87

Vulnerability Details

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

Publish Date: 2018-01-18

URL: CVE-2012-6708

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708

Release Date: 2018-01-18

Fix Resolution: jQuery - v1.9.0

WS-2019-0291 (High) detected in handlebars-4.2.0.tgz

WS-2019-0291 - High Severity Vulnerability

Vulnerable Library - handlebars-4.2.0.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.2.0.tgz

Path to dependency file: /tmp/ws-scm/cla-bot/package.json

Path to vulnerable library: /cla-bot/node_modules/handlebars/package.json

Dependency Hierarchy:

  • ❌ handlebars-4.2.0.tgz (Vulnerable Library)

Vulnerability Details

handlebars before 4.3.0 is vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.

Publish Date: 2019-10-06

URL: WS-2019-0291

CVSS 2 Score Details (7.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1164

Release Date: 2019-10-06

Fix Resolution: 4.3.0

Migrate this repo to FINOS

This bot is being contributed to FINOS, which is a good home for this project. However, despite the code changing location, it will continue to be made available to current and new users through the same cla-bot app.

This issue tracks the various tasks around this move.

Steps required for the move to FINOS:

  • Change from MIT to Apache 2 licence
  • Add required notices to project, and update contributors etc ...
  • Move this repo to the FINOS organisation
  • Check the website still works and add redirects if required

Following this, FINOS can remove their own fork of cla-bot, by updating the configuration of this repository with their required build settings.

  • Branch out develop branch to finos-deployment-prod and finos-deployment-staging
  • Send PR from finos fork to new branches branch
  • Merge PR
  • Enable bot staging app CD from finos-deployment-staging branch and test
  • Enable bot production app CD from finos-deployment-prod branch and test
  • Test moving app from a user to an org (as preparation for next steps)

Once the repo is successfully deploying to both FINOS and my AWS accounts, we can discuss whether the current public cla-bot should run on FINOS AWS infrastructure:

  • update the cla-bot app to use the FINOS hosted API
  • create a new branch, with the settings required to deploy to the FINOS AWS account - the existing master and develop branches should remain unchanged
  • Change User authorization callback URL to https://finos-fdx.github.io/cla-bot/ on GitHub App configuration
  • (optional) purchase a suitable domain for both the website and the API.

Improved error handling

There are a number of places where more user-friendly errors could be provided.

Currently if .clabot lacks the token the webhook fails with Error during decryption (probably incorrect key). There are a whole class of errors around configuration that could be improved.

Question: is it possible for cla-bot to block merging of a PR?

Question: is it possible for cla-bot to block merging of a PR when a CLA isn't found for the submitter?

Currently cla-bot is advisory in nature - a project team member is able to overrule a cla-bot violation and merge a PR from a submitter who doesn't have a CLA, and there are cases where this should be prevented.

path must be a string or Buffer

When running npm run execute I get the following:

> [email protected] execute /Users/m/w/projects/cla-bot
> node-lambda run --configFile deploy.env

fs.js:640
  return binding.open(pathModule._makeLong(path), stringToFlags(flags), mode);
                 ^

TypeError: path must be a string or Buffer
    at TypeError (native)
    at Object.fs.openSync (fs.js:640:18)
    at Object.fs.readFileSync (fs.js:508:33)
    at Object.<anonymous> (/Users/m/w/projects/cla-bot/installationToken.js:7:17)
    at Module._compile (module.js:570:32)
    at Object.Module._extensions..js (module.js:579:10)
    at Module.load (module.js:487:32)
    at tryModuleLoad (module.js:446:12)
    at Function.Module._load (module.js:438:3)
    at Module.require (module.js:497:17)

My deploy.env includes:

GITHUB_ACCESS_TOKEN=--token--
INTEGRATION_ENABLED=false

Submitting PR to avoid const init, if process.env.INTEGRATION_KEY is not set.

cla-bot should support renaming GitHub usernames

GitHub usernames can change; cla-bot should store and deal with GitHub user IDs as an immutable token that relates to a GitHub account, rather than using the username.

Consider the following situation:

  • @bpscott signs a CLA and gets their name added to a cla list
  • @bpscott makes some contributions and they get signed off
  • User @bpscott (Id 227292) changes his user name to @bpscott-zzz.
  • The same user now fails CLA checks
  • A new account can sign up as @bpscott, make contributions and have them signed off despite this user having never signed a CLA

The configuration instructions for clabot-config on the website is wrong

The instructions at https://colineberhardt.github.io/cla-bot/#configuration-options
says

If you have multiple repositories within the same organization, or user account, that have the same contributors, you can create a single configuration by adding a project called clabot-config. For example, for my personal projects I could configure the bot via https://github.com/ColinEberhardt/cla-config/.clabot.

Should be

If you have multiple repositories within the same organization, or user account, that have the same contributors, you can create a single configuration by adding a project called clabot-config. For example, for my personal projects I could configure the bot via https://github.com/ColinEberhardt/clabot-config/.clabot.

Same here

Note, if you do not want the list of contributors to be public, the cla-config project can be private.

should be

Note, if you do not want the list of contributors to be public, the clabot-config project can be private.

remove node-lambda

I'm no longer using it for deployment, just for execution. This should be really easy to do via a very simple 'bootstrap' script, so I could probably remove node-lambda altogether

Add status page for service

It would be helpful to have a status page (like https://www.githubstatus.com/) that shows the current state of the service. We had an issue where our contributors file had a typo, and knowing the service was still running would have narrowed down the troubleshooting process.

license

This is very cool project. But oops, I don't see a LICENSE file on it. Kind of ironic, considering the purpose(!)

Anyhoo. Please put an MIT or public domain statement in the repo to confirm what the blog seems to suggest, that you intend to make this freely available to the public.

JSON double parse issue when GitHub contributors list is used

Hi, I think #90 might have introduced a bug. We use a GitHub-based contributors URL with cla-bot and are seeing these logs lately:

...
INFO: A total of 1 were found, checking CLA status for committers
INFO: Checking contributors against the github URL supplied in the .clabot file
ERROR: SyntaxError: Unexpected token e in JSON at position 0

This same error results if you try a simple double-parse in the console:

> JSON.parse(JSON.parse('["e"]'))
VM339:1 Uncaught SyntaxError: Unexpected token e in JSON at position 0
    at JSON.parse (<anonymous>)
    at <anonymous>:1:6

I think the change causing this was ColinEberhardt@7c13355. I've not verified it, but tracing the code we see that githubRequest() passes json: true to requestp unless it's overridden in opts. Maybe the fix is to change getFile to return json: false?

cla-bot not reacting on pull request

I've enabled cla-bot on https://github.com/symphonyoss account (only for 1 project, https://github.com/symphonyoss/clabot-test) and defined https://github.com/symphonyoss/clabot-config (private) project.

For testing purposes, I've created https://github.com/symphonyoss/clabot-test/pull/1.

Since the list of contributors is currently empty, I'd have expected the cla-bot to post a comment in the issue, but nothing happened.

Below is reported the .clabot contained in https://github.com/symphonyoss/clabot-config:

{
  "contributorListGithubUrl": "https://api.github.com/repos/symphonyoss/clabot-config/contents/contributors.json",
  "label": "cla-signed",
  "message": "Thank you for your pull request and welcome to our community! ...."
}

The content of contributors.json is [].

TypeError: Cannot read property 'login' of null

The error occurs on line 134, which was introduced by issue #70.

Basically, there are some PRs that come with no author or committer values, therefore it fails with the error mentioned on the title; an example of such PR is finos/SymphonyElectron#195 (JSON reported below, emails hidden)

Any idea why this happens?

{
    "time": "2017-09-28T13:30:44.627Z",
    "correlationKey": "39f34540-a451-11e7-ba7e-71a0befdf45c",
    "level": "DEBUG",
    "message": "API Response https://api.github.com/repos/symphonyoss/SymphonyElectron/pulls/195/commits",
    "detail": [
        {
            "sha": "1ff558af8121487cdbc0302b4b8efb8e930b33af",
            "commit": {
                "author": {
                    "name": "Vishwas Shashidhar",
                    "email": "[hidden]",
                    "date": "2017-09-28T13:12:47Z"
                },
                "committer": {
                    "name": "Vishwas Shashidhar",
                    "email": "[hidden]",
                    "date": "2017-09-28T13:12:47Z"
                },
                "message": "electron-145: fixes the issue with invalid json config upon repair",
                "tree": {
                    "sha": "a6019abb4fdac84dfcdc56572b128429e8d91b37",
                    "url": "https://api.github.com/repos/symphonyoss/SymphonyElectron/git/trees/a6019abb4fdac84dfcdc56572b128429e8d91b37"
                },
                "url": "https://api.github.com/repos/symphonyoss/SymphonyElectron/git/commits/1ff558af8121487cdbc0302b4b8efb8e930b33af",
                "comment_count": 0
            },
            "url": "https://api.github.com/repos/symphonyoss/SymphonyElectron/commits/1ff558af8121487cdbc0302b4b8efb8e930b33af",
            "html_url": "https://github.com/symphonyoss/SymphonyElectron/commit/1ff558af8121487cdbc0302b4b8efb8e930b33af",
            "comments_url": "https://api.github.com/repos/symphonyoss/SymphonyElectron/commits/1ff558af8121487cdbc0302b4b8efb8e930b33af/comments",
            "author": null,
            "committer": null,
            "parents": [
                {
                    "sha": "1a312544d7223b7aa041219cd91958f83bfa235c",
                    "url": "https://api.github.com/repos/symphonyoss/SymphonyElectron/commits/1a312544d7223b7aa041219cd91958f83bfa235c",
                    "html_url": "https://github.com/symphonyoss/SymphonyElectron/commit/1a312544d7223b7aa041219cd91958f83bfa235c"
                }
            ]
        }
    ]
}

Hitting "back" on browser bypasses checks

Issue:
PR -> click random link -> click "back" from browser -> no checks are run.

How to reproduce

  1. Create a PR with CLA enforced.
  2. Check out the PR, looks fine:
    https://snag.gy/WqklbT.jpg
  3. Click on any link to go to another page in the same tab you were just viewing the PR.
  4. Click "back" on the browser to go back to the PR page you were just on.
  5. You should now see this:
    https://snag.gy/CFprcu.jpg
  6. All ready to merge.

What should happen
Checks should be run and merging should be prevented.

Support file/path exclusions

It would be great if cla-bot supported configuring what type and/or locations of files to monitor for changes.

E.g. being able to specify *.md or /docs/**/* to exclude particular files or folders from CLA checks.

Sometimes the logs contain messages from other repos

see: https://s3.amazonaws.com/cla-bot/ColinEberhardt-78527442-a6ac-47ec-ac4b-e24b8fb86729

It contains log messages from two different repos:

2019-02-02T14:10:08.483Z INFO Checking CLAs for pull request https://api.github.com/repos/evolvedbinary/pebble-extension/pulls/39
2019-02-02T14:10:08.484Z INFO Bot installed as an integration, obtaining installation token
2019-02-02T14:10:08.519Z INFO API Request https://api.github.com/installations/426748/access_tokens
2019-02-02T14:10:08.633Z INFO Attempting to obtain organisation level .clabot file URL
2019-02-02T14:10:08.634Z INFO API Request https://api.github.com/repos/evolvedbinary/clabot-config/contents/.clabot
2019-02-02T14:10:08.698Z INFO Organisation configuration not found, resolving .clabot URL at project level
2019-02-02T14:10:08.698Z INFO API Request https://api.github.com/repos/evolvedbinary/pebble-extension/contents/.clabot
2019-02-02T14:10:08.778Z INFO Obtaining .clabot configuration file from https://raw.githubusercontent.com/evolvedbinary/pebble-extension/master/.clabot
2019-02-02T14:10:08.778Z INFO API Request https://raw.githubusercontent.com/evolvedbinary/pebble-extension/master/.clabot
2019-02-02T14:10:08.952Z INFO Obtaining the list of commits for the pull request
2019-02-02T14:10:08.952Z INFO API Request https://api.github.com/repos/evolvedbinary/pebble-extension/pulls/39/commits
2019-02-02T14:10:09.068Z INFO Total Commits: 1, checking CLA status for committers
2019-02-02T14:10:09.068Z INFO All contributors have a signed CLA, adding success status to the pull request and a label
2019-02-02T14:10:09.069Z INFO API Request https://api.github.com/repos/evolvedbinary/pebble-extension/issues/39/labels
2019-02-02T14:10:09.217Z INFO API Request https://api.github.com/repos/evolvedbinary/pebble-extension/issues/39/labels
2019-02-02T14:10:09.218Z INFO API Request https://api.github.com/repos/evolvedbinary/pebble-extension/statuses/1074c8402c52811f19e80fb23c25081199e3932b

2019-02-02T14:49:38.054Z INFO Checking CLAs for pull request https://api.github.com/repos/ColinEberhardt/clabot-prod-test/pulls/10
2019-02-02T14:49:38.054Z INFO Bot installed as an integration, obtaining installation token
2019-02-02T14:49:38.059Z INFO API Request https://api.github.com/installations/39490/access_tokens
2019-02-02T14:49:38.110Z INFO Attempting to obtain organisation level .clabot file URL
2019-02-02T14:49:38.110Z INFO API Request https://api.github.com/repos/ColinEberhardt/clabot-config/contents/.clabot
2019-02-02T14:49:38.172Z INFO Organisation configuration found!
2019-02-02T14:49:38.172Z INFO Obtaining .clabot configuration file from https://raw.githubusercontent.com/ColinEberhardt/clabot-config/master/.clabot
2019-02-02T14:49:38.172Z INFO API Request https://raw.githubusercontent.com/ColinEberhardt/clabot-config/master/.clabot
2019-02-02T14:49:38.676Z INFO Obtaining the list of commits for the pull request
2019-02-02T14:49:38.676Z INFO API Request https://api.github.com/repos/ColinEberhardt/clabot-prod-test/pulls/10/commits
2019-02-02T14:49:38.849Z INFO Total Commits: 1, checking CLA status for committers
2019-02-02T14:49:38.866Z INFO API Request https://gist.githubusercontent.com/ColinEberhardt/293439a97af26a64f8d588ca9e242fad/raw/eab0ce188744e6aa757eaa1b559e2561e1d12e1a/contributors?colineberhardt
2019-02-02T14:49:38.891Z INFO All contributors have a signed CLA, adding success status to the pull request and a label
2019-02-02T14:49:38.891Z INFO API Request https://api.github.com/repos/ColinEberhardt/clabot-prod-test/issues/10/labels
2019-02-02T14:49:39.021Z INFO API Request https://api.github.com/repos/ColinEberhardt/clabot-prod-test/issues/10/labels
2019-02-02T14:49:39.022Z INFO API Request https://api.github.com/repos/ColinEberhardt/clabot-prod-test/statuses/928c73218299bdb16d8df77a07852fd8943d5766

CVE-2019-8331 (Medium) detected in bootstrap-4.3.0.tgz

CVE-2019-8331 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-4.3.0.tgz

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://registry.npmjs.org/bootstrap/-/bootstrap-4.3.0.tgz

Path to dependency file: /cla-bot/package.json

Path to vulnerable library: /cla-bot/node_modules/bootstrap/package.json

Dependency Hierarchy:

  • ❌ bootstrap-4.3.0.tgz (Vulnerable Library)

Found in HEAD commit: 028d5fbb020bd766723483bfc18189e3f59f46b7

Vulnerability Details

In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.

Publish Date: 2019-02-20

URL: CVE-2019-8331

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: twbs/bootstrap#28236

Release Date: 2019-02-20

Fix Resolution: 3.4.1, 4.3.1

cla-bot-logs deployment - Cannot read property 'Items' of null

Hi,

I'm trying to deploy the cla-bot-logs module, but it fails trying to resolve the correlationKey against the DynamoDB:

2018-03-19T17:53:58.607Z	7f23cdb2-2b9e-11e8-a4fb-3998bce88dc7	TypeError: Cannot read property 'Items' of null
at Response.dynamodb.query (/var/task/index.js:23:22)
at Request.<anonymous> (/var/task/node_modules/aws-sdk/lib/request.js:364:18)
at Request.callListeners (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:105:20)
at Request.emit (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:77:10)
at Request.emit (/var/task/node_modules/aws-sdk/lib/request.js:683:14)
at Request.transition (/var/task/node_modules/aws-sdk/lib/request.js:22:10)
at AcceptorStateMachine.runTo (/var/task/node_modules/aws-sdk/lib/state_machine.js:14:12)
at /var/task/node_modules/aws-sdk/lib/state_machine.js:26:10
at Request.<anonymous> (/var/task/node_modules/aws-sdk/lib/request.js:38:9)
at Request.<anonymous> (/var/task/node_modules/aws-sdk/lib/request.js:685:12)

The issue refers to this code block:

  dynamodb.query(params, (err, data) => {
    data.Items = data.Items.filter(d => d.level !== 'DEBUG');
    if (err) {
      console.log(err, err.stack);
    } else {
      loggingCallback(null, data.Items);
    }
  });

I know, by adding console.info statements, that correlationKey and process.env.LOGGING_TABLE are correctly resolved (which means the lambda mapping template should be correctly defined); I've also added full access on DynamoDB tables to the AWS IAM role used to connect the AWS Lambda function with the API Gateway, to exclude permission issues.

Any idea what may be wrong with my setup?
Thanks!

cla-bot is case-sensitive, but GitHub is not

Just realised that cla-bot is case-sensitive when comparing whitelisted GitHub IDs with PR contributors; code is on https://github.com/ColinEberhardt/cla-bot/blob/develop/cla-bot/contributionVerifier.js#L7

Wondering if we could/should change to:

const contributorArrayVerifier = contributors =>
  committers =>
    Promise.resolve(committers.filter(c => contributors.indexOf(c.toLowerCase()) === -1));

Another change must be applied when populating the list of committers, to force lowercase there too - https://github.com/ColinEberhardt/cla-bot/blob/develop/cla-bot/index.js#L127

const committers = sortUnique(commits.map(c => c.author.login.toLowerCase()));

I can easily send a PR, but wanted to gather some thoughts first.
Thanks! /cc @ColinEberhardt
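An added example (not cla-bot's own code) of the matching discussed here and in the account-deletion and username-rename issues above: contributors are keyed by immutable GitHub user id where an id is known, with a case-insensitive login fallback for legacy bare-login entries. The contributor entries, logins and ids (other than 227292, quoted in the rename issue) are constructed.

```javascript
// Added example, not cla-bot's code. Contributor entries may be either the
// legacy bare-login form or an id-aware { login, id } object. Ids are matched
// exactly; bare logins are matched case-insensitively (GitHub logins are not
// case-sensitive). An id-aware entry is never matched by login alone, so a
// later account that reuses a relinquished login does not inherit the CLA,
// and a user who renames their account keeps it.
// All logins and ids below are constructed sample values.
const CONTRIBUTORS = [
  'Alice',                           // legacy entry: login only
  { login: 'bpscott', id: 227292 },  // id-aware entry: the id is the identity
];

// Build the lookup sets once per verification run.
function buildIndex(contributors) {
  const ids = new Set();
  const logins = new Set();
  for (const entry of contributors) {
    if (typeof entry === 'string') {
      logins.add(entry.toLowerCase());
    } else if (entry && Number.isInteger(entry.id)) {
      ids.add(entry.id);
    }
  }
  return { ids, logins };
}

// committers: [{ login, id }] as taken from the commits API `author` field.
// Returns the committers (one per user id) that are not covered by the list.
function findUnsignedCommitters(contributors, committers) {
  const { ids, logins } = buildIndex(contributors);
  const seen = new Set();
  const unsigned = [];
  for (const c of committers) {
    if (seen.has(c.id)) continue;    // same user with several commits
    seen.add(c.id);
    const byId = ids.has(c.id);
    const byLogin = logins.has(String(c.login).toLowerCase());
    if (!byId && !byLogin) unsigned.push(c);
  }
  return unsigned;
}

// Shape a bot could use for its status and comment.
function verify(contributors, committers) {
  const unsigned = findUnsignedCommitters(contributors, committers);
  return {
    signed: unsigned.length === 0,
    unsigned: unsigned.map(c => `@${c.login} (id ${c.id})`),
  };
}

// Demonstration: legacy login match, renamed user, reused login.
console.log(verify(CONTRIBUTORS, [{ login: 'ALICE', id: 1 }]));              // signed
console.log(verify(CONTRIBUTORS, [{ login: 'bpscott-zzz', id: 227292 }]));  // signed after rename
console.log(verify(CONTRIBUTORS, [{ login: 'bpscott', id: 999999 }]));      // different account: unsigned
```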

foo

[gifbot:chickens]

Transfer cla-bot GitHub App to github.com/finos-fdx org

As a follow up of issue #113, the CLA bot application should be migrated to the github.com/finos-fdx Organization.

I've tested the process and documented it below, step by step; for each step, a screenshot is attached.

  1. Created a FINOS test github app from my GitHub user account (maoo)
  2/3. Configured the FINOS test github app in my GitHub user account and enabled on one repository
  4/5. Transferred the FINOS test github app to finos-fdx org
  6. Received and confirmed transfer approval as finos-fdx org owner
  7. Update Homepage URL and Webhook URL (User authorization callback URL should not be needed, @ColinEberhardt , can you please confirm?)

I didn't receive any notification of the transfer as GitHub App user, which means that current cla-bot users should not be notified of this change either.

I would suggest the following ordered actions:

  1. Update Homepage URL and Webhook URL on the cla-bot GitHub App and test that everything is still working as expected, using a test repository with cla-bot app installed (step 7 of the test)
  2. Transfer the cla-bot app (steps 4, 5 and 6) and monitor test repo
  3. Uninstall finos-cla-bot and install cla-bot GitHub App on github.com/finos Organization
  4. Apply same changes to all other FINOS GitHub Organizations (starting from finos-fdx)

Am I missing anything?


Screenshots attached to the issue: 1 finos test github app; 2 configure github app; 3 configure github app repos; 4 transfer github app; 5 transfer github app; 6 email approval to org owner; 7 update bot urls

Migrate to async / await

For better codez ...

Looks like this is supported in Node 7.6, so no icky transpilers 🤖 are required.

fragile tests

There are a few things that are making the tests fragile:

  • The mock request provides a response for each request. However, there is nothing checking that each of these mocked requests is actually invoked. The tests should check that after each spec, each and every expected HTTP request was issued.
  • If a request is made for a URL that is not mocked, the test failures are a little hard to follow, and often fail after the jasmine timeout.

Cannot verify commits from authors that do not have GitHub accounts

The code looks for commit.author.login, however this is the payload we see for these authors:

 "commit": {
                "author": {
                    "name": "---,
                    "email": "---",
                    "date": "2018-04-26T00:19:43Z"
                },
                "committer": {
                    "name": "---",
                    "email": "---",
                    "date": "2018-04-26T00:19:43Z"
                },
                "message": "Demoved duplicate quote",
                "tree": {
                    ...
                },
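An added example (not cla-bot's own code) for this issue and for the "Cannot read property 'login' of null" issue above: derive the list of GitHub users to verify from the pull-request commits response without dereferencing a null top-level `author`, and report the commits that cannot be attributed to a GitHub account. The sample commits are constructed and modelled on the payloads quoted in both issues; the shas, names, e-mails and the id 4242 are made up, and the policy of failing the check on unattributable commits is this example's choice, not necessarily the project's.

```javascript
// Added example, not cla-bot's code. When a commit's e-mail is not linked to a
// GitHub account the commits API returns top-level author/committer === null and
// only the git-level commit.author { name, email }. Reading `c.author.login`
// directly therefore throws; this splits such commits out instead.
// Constructed sample: shas, names, e-mails and the id 4242 are made up.
const SAMPLE_COMMITS = [
  {
    sha: 'aaa1111',
    commit: { author: { name: 'B. Scott', email: 'bscott@example.test' } },
    author: { login: 'bpscott', id: 227292 },
    committer: { login: 'bpscott', id: 227292 },
  },
  {
    sha: 'bbb2222',
    commit: { author: { name: 'Unlinked Person', email: 'unlinked@example.test' } },
    author: null,       // e-mail not associated with any GitHub account
    committer: null,
  },
  {
    sha: 'ccc3333',
    commit: { author: { name: 'B. Scott', email: 'bscott@example.test' } },
    author: { login: 'BPScott', id: 227292 },      // same user, different login case
    committer: { login: 'ci-merge-user', id: 4242 }, // committer is not verified, only author
  },
];

// Split commits into verifiable GitHub users (deduplicated by user id) and
// commits that cannot be attributed to a GitHub account.
function partitionCommits(commits) {
  const byId = new Map();
  const unlinked = [];
  for (const c of commits) {
    const author = c.author;
    if (author && typeof author.login === 'string' && Number.isInteger(author.id)) {
      if (!byId.has(author.id)) byId.set(author.id, { login: author.login, id: author.id });
    } else {
      const git = (c.commit && c.commit.author) || {};
      unlinked.push({ sha: c.sha, name: git.name || '?', email: git.email || '?' });
    }
  }
  return { committers: [...byId.values()], unlinked };
}

// Policy used by this example: a PR containing commits that cannot be
// attributed to a GitHub account cannot pass a CLA check, and the message
// names the offending commits so the author can link the e-mail address.
function describeCommits(commits) {
  const { committers, unlinked } = partitionCommits(commits);
  if (unlinked.length === 0) {
    return { verifiable: true, committers, message: `${committers.length} GitHub user(s) to verify` };
  }
  const list = unlinked.map(u => `${u.sha.slice(0, 7)} (${u.name} <${u.email}>)`).join(', ');
  return {
    verifiable: false,
    committers,
    message: `Cannot verify CLA status; commit(s) not linked to a GitHub account: ${list}`,
  };
}

console.log(describeCommits(SAMPLE_COMMITS).message);
```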

cla-bot can summon itself, causing an infinite loop

Thanks for your work! Just wanted to share a minor bug:

I added cla-bot to my org's repo and part of my message was:

... say '@cla-bot check' to have the contributors list checked again ...

It seems like it would suffice to add a check at the same place we call commentSummonsBot() to ensure the comment author isn't the bot itself.
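An added example (not cla-bot's own code) of the guard proposed here, written as the event-routing step of a webhook handler. It also covers the "Issue creation webhook causes an error" report further down: an issue_comment on a plain issue carries no `issue.pull_request` object, so it is ignored rather than dereferenced. BOT_LOGIN, the action strings treated as relevant and the sample payloads are assumptions for this example.

```javascript
// Added example, not cla-bot's code. Two guards: a comment is only a summons
// when the issue it belongs to is a pull request (issue_comment payloads on
// plain issues have no `issue.pull_request`), and a comment written by the
// bot itself is never a summons, so a bot message that quotes the phrase
// cannot re-trigger the check in a loop. BOT_LOGIN is an assumed value.
const BOT_LOGIN = 'cla-bot';
const SUMMONS = /@cla-bot\s+check/i;   // phrase quoted in the issue above

function isBotAuthor(user) {
  if (!user) return true;                 // cannot attribute the comment: do not act on it
  if (user.type === 'Bot') return true;   // GitHub Apps comment with user.type === 'Bot'
  const login = String(user.login).replace(/\[bot\]$/i, '').toLowerCase();
  return login === BOT_LOGIN;
}

// Returns { action: 'check', prUrl } or { action: 'ignore', reason }.
function classifyEvent(eventName, payload) {
  const ignore = reason => ({ action: 'ignore', reason });
  if (eventName === 'pull_request') {
    const relevant = ['opened', 'synchronize', 'reopened'];
    if (!relevant.includes(payload.action)) return ignore(`pull_request ${payload.action} is not relevant`);
    return { action: 'check', prUrl: payload.pull_request.url };
  }
  if (eventName === 'issue_comment') {
    if (payload.action !== 'created') return ignore('only newly created comments are considered');
    const issue = payload.issue || {};
    if (!issue.pull_request || !issue.pull_request.url) return ignore('comment is on a plain issue, not a pull request');
    const comment = payload.comment || {};
    if (isBotAuthor(comment.user)) return ignore('comment was written by the bot itself');
    if (!SUMMONS.test(comment.body || '')) return ignore('comment does not summon the bot');
    return { action: 'check', prUrl: issue.pull_request.url };
  }
  return ignore(`event ${eventName} is not handled`);
}

// Constructed sample payloads, trimmed to the fields the handler reads.
const PR_URL = 'https://api.github.com/repos/example-org/example-repo/pulls/7';
const SAMPLES = {
  humanSummons: ['issue_comment', { action: 'created', issue: { pull_request: { url: PR_URL } },
    comment: { body: '@cla-bot check', user: { login: 'alice', type: 'User' } } }],
  botEcho: ['issue_comment', { action: 'created', issue: { pull_request: { url: PR_URL } },
    comment: { body: "... say '@cla-bot check' to have the contributors list checked again ...",
      user: { login: 'cla-bot[bot]', type: 'Bot' } } }],
  plainIssue: ['issue_comment', { action: 'created',
    issue: { url: 'https://api.github.com/repos/example-org/example-repo/issues/9' },
    comment: { body: '@cla-bot check', user: { login: 'alice', type: 'User' } } }],
  prOpened: ['pull_request', { action: 'opened', pull_request: { url: PR_URL } }],
};

for (const [name, [event, payload]] of Object.entries(SAMPLES)) {
  console.log(name, classifyEvent(event, payload));
}
```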

CVE-2019-15657 (Medium) detected in eslint-utils-1.4.0.tgz

CVE-2019-15657 - Medium Severity Vulnerability

Vulnerable Library - eslint-utils-1.4.0.tgz

Utilities for ESLint plugins.

Library home page: https://registry.npmjs.org/eslint-utils/-/eslint-utils-1.4.0.tgz

Path to dependency file: /cla-bot/package.json

Path to vulnerable library: /tmp/git/cla-bot/node_modules/eslint-utils/package.json

Dependency Hierarchy:

  • eslint-5.16.0.tgz (Root Library)
    • ❌ eslint-utils-1.4.0.tgz (Vulnerable Library)

Vulnerability Details

In eslint-utils before 1.4.1, the getStaticValue function can execute arbitrary code.

Publish Date: 2019-08-26

URL: CVE-2019-15657

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15657

Release Date: 2019-08-26

Fix Resolution: 1.4.1

Cannot deploy using serverless, getting AccessDenied on S3

I'm trying to deploy cla-bot using serverless, following docs on DEPLOY.md

Deployment runs smooth:

$ serverless deploy --stage staging

Serverless: Packaging service...
Serverless: Excluding development dependencies...
Serverless: Uploading CloudFormation file to S3...
Serverless: Uploading artifacts...
Serverless: Uploading service .zip file to S3 (11.5 MB)...
Serverless: Validating template...
Serverless: Updating Stack...
Serverless: Checking Stack update progress...
................
Serverless: Stack update finished...
Service Information
service: cla-bot
stage: staging
region: us-east-1
stack: cla-bot-staging
api keys:
  None
endpoints:
  POST - https://********.execute-api.us-east-1.amazonaws.com/staging/cla-check
functions:
  cla-bot: cla-bot-staging-cla-bot

However, when I take the POST endpoint, copy into the GitHub App Endpoint URL and comment an issue, I get an AccessDenied error on CloudWatch:

2018-10-12T14:17:10.542Z	81f88a00-ce29-11e8-9c4d-a9fcf2832d13	(node:1) UnhandledPromiseRejectionWarning: AccessDenied: Access Denied
at Request.extractError (/var/task/cla-bot/node_modules/aws-sdk/lib/services/s3.js:580:35)
at Request.callListeners (/var/task/cla-bot/node_modules/aws-sdk/lib/sequential_executor.js:109:20)
at Request.emit (/var/task/cla-bot/node_modules/aws-sdk/lib/sequential_executor.js:81:10)
at Request.emit (/var/task/cla-bot/node_modules/aws-sdk/lib/request.js:683:14)
at Request.transition (/var/task/cla-bot/node_modules/aws-sdk/lib/request.js:22:10)
at AcceptorStateMachine.runTo (/var/task/cla-bot/node_modules/aws-sdk/lib/state_machine.js:14:12)
at /var/task/cla-bot/node_modules/aws-sdk/lib/state_machine.js:26:10
at Request.<anonymous> (/var/task/cla-bot/node_modules/aws-sdk/lib/request.js:38:9)
at Request.<anonymous> (/var/task/cla-bot/node_modules/aws-sdk/lib/request.js:685:12)
at Request.callListeners (/var/task/cla-bot/node_modules/aws-sdk/lib/sequential_executor.js:119:18)

I checked AWS resources and everything seems to be in place; the only strange thing seems to be the API Gateway configuration, which doesn't seem to have an Execution Role set; I tried to copy the ARN from the role created by the serverless deployment, but it doesn't allow me to paste and save.

Any idea what is going on? Any help is appreciated, thanks.

Issue creation webhook causes an error

Here is the error:

2017-11-14T06:06:08.779Z	e7cafe78-c901-11e7-b660-1db3f47536fa	TypeError: Cannot read property 'url' of undefined
at gitHubUrls (/var/task/index.js:29:46)
at exports.handler (/var/task/index.js:60:17)

And the offending webhook:

{
    "time": "2017-11-14T06:06:08.022Z",
    "uuid": "62e4bd02-6b9e-454e-95df-6a4d44a514e9",
    "correlationKey": "23a37f06-51b6-4d1a-944f-c1d3e8740351",
    "level": "DEBUG",
    "message": "clabot lambda invoked by webhook",
    "detail": {
        "action": "created",
        "issue": {
            "url": "https://api.github.com/repos/getgauge/gauge/issues/823",
            "repository_url": "https://api.github.com/repos/getgauge/gauge",
            "labels_url": "https://api.github.com/repos/getgauge/gauge/issues/823/labels{/name}",
            "comments_url": "https://api.github.com/repos/getgauge/gauge/issues/823/comments",
            "events_url": "https://api.github.com/repos/getgauge/gauge/issues/823/events",
            "html_url": "https://github.com/getgauge/gauge/issues/823",
            "id": 260930510,
            "number": 823,
            "title": "Show Diagnostics LSP",
            "user": {
                "login": "BugDiver",
                "id": 15309877,
                "avatar_url": "https://avatars2.githubusercontent.com/u/15309877?v=4",
                "gravatar_id": "",
                "url": "https://api.github.com/users/BugDiver",
                "html_url": "https://github.com/BugDiver",
                "followers_url": "https://api.github.com/users/BugDiver/followers",
                "following_url": "https://api.github.com/users/BugDiver/following{/other_user}",
                "gists_url": "https://api.github.com/users/BugDiver/gists{/gist_id}",
                "starred_url": "https://api.github.com/users/BugDiver/starred{/owner}{/repo}",
                "subscriptions_url": "https://api.github.com/users/BugDiver/subscriptions",
                "organizations_url": "https://api.github.com/users/BugDiver/orgs",
                "repos_url": "https://api.github.com/users/BugDiver/repos",
                "events_url": "https://api.github.com/users/BugDiver/events{/privacy}",
                "received_events_url": "https://api.github.com/users/BugDiver/received_events",
                "type": "User",
                "site_admin": false
            },
            "labels": [
                {
                    "id": 705114299,
                    "url": "https://api.github.com/repos/getgauge/gauge/labels/lsp",
                    "name": "lsp",
                    "color": "d4c5f9",
                    "default": false
                },
                {
                    "id": 363702930,
                    "url": "https://api.github.com/repos/getgauge/gauge/labels/ready%20for%20QA",
                    "name": "ready for QA",
                    "color": "005b00",
                    "default": false
                }
            ],
            "state": "open",
            "locked": false,
            "assignee": {
                "login": "BugDiver",
                "id": 15309877,
                "avatar_url": "https://avatars2.githubusercontent.com/u/15309877?v=4",
                "gravatar_id": "",
                "url": "https://api.github.com/users/BugDiver",
                "html_url": "https://github.com/BugDiver",
                "followers_url": "https://api.github.com/users/BugDiver/followers",
                "following_url": "https://api.github.com/users/BugDiver/following{/other_user}",
                "gists_url": "https://api.github.com/users/BugDiver/gists{/gist_id}",
                "starred_url": "https://api.github.com/users/BugDiver/starred{/owner}{/repo}",
                "subscriptions_url": "https://api.github.com/users/BugDiver/subscriptions",
                "organizations_url": "https://api.github.com/users/BugDiver/orgs",
                "repos_url": "https://api.github.com/users/BugDiver/repos",
                "events_url": "https://api.github.com/users/BugDiver/events{/privacy}",
                "received_events_url": "https://api.github.com/users/BugDiver/received_events",
                "type": "User",
                "site_admin": false
            },
            "assignees": [
                {
                    "login": "BugDiver",
                    "id": 15309877,
                    "avatar_url": "https://avatars2.githubusercontent.com/u/15309877?v=4",
                    "gravatar_id": "",
                    "url": "https://api.github.com/users/BugDiver",
                    "html_url": "https://github.com/BugDiver",
                    "followers_url": "https://api.github.com/users/BugDiver/followers",
                    "following_url": "https://api.github.com/users/BugDiver/following{/other_user}",
                    "gists_url": "https://api.github.com/users/BugDiver/gists{/gist_id}",
                    "starred_url": "https://api.github.com/users/BugDiver/starred{/owner}{/repo}",
                    "subscriptions_url": "https://api.github.com/users/BugDiver/subscriptions",
                    "organizations_url": "https://api.github.com/users/BugDiver/orgs",
                    "repos_url": "https://api.github.com/users/BugDiver/repos",
                    "events_url": "https://api.github.com/users/BugDiver/events{/privacy}",
                    "received_events_url": "https://api.github.com/users/BugDiver/received_events",
                    "type": "User",
                    "site_admin": false
                }
            ],
            "milestone": null,
            "comments": 1,
            "created_at": "2017-09-27T10:51:49Z",
            "updated_at": "2017-11-14T06:06:07Z",
            "closed_at": null,
            "author_association": "OWNER",
            "body": "Gauge LSP server should support publish diagnostics for spec and concept files.\r\nThe server should publish diagnostics when the document changes.\r\nThis story is part of [LSP support](https://github.com/getgauge/gauge/issues/717) for gauge.\r\n\r\n## Test cases\r\n\r\n- [x] Should show critical errors\r\n- [x] Should show spec parse errors\r\n- [x] Should show concept parse errors\r\n- [ ] Should show unimplemented steps\r\n- [ ] duplicate step definition"
        },
        "comment": {
            "url": "https://api.github.com/repos/getgauge/gauge/issues/comments/344155838",
            "html_url": "https://github.com/getgauge/gauge/issues/823#issuecomment-344155838",
            "issue_url": "https://api.github.com/repos/getgauge/gauge/issues/823",
            "id": 344155838,
            "user": {
                "login": "sguptatw",
                "id": 6310197,
                "avatar_url": "https://avatars0.githubusercontent.com/u/6310197?v=4",
                "gravatar_id": "",
                "url": "https://api.github.com/users/sguptatw",
                "html_url": "https://github.com/sguptatw",
                "followers_url": "https://api.github.com/users/sguptatw/followers",
                "following_url": "https://api.github.com/users/sguptatw/following{/other_user}",
                "gists_url": "https://api.github.com/users/sguptatw/gists{/gist_id}",
                "starred_url": "https://api.github.com/users/sguptatw/starred{/owner}{/repo}",
                "subscriptions_url": "https://api.github.com/users/sguptatw/subscriptions",
                "organizations_url": "https://api.github.com/users/sguptatw/orgs",
                "repos_url": "https://api.github.com/users/sguptatw/repos",
                "events_url": "https://api.github.com/users/sguptatw/events{/privacy}",
                "received_events_url": "https://api.github.com/users/sguptatw/received_events",
                "type": "User",
                "site_admin": false
            },
            "created_at": "2017-11-14T06:06:07Z",
            "updated_at": "2017-11-14T06:06:07Z",
            "author_association": "CONTRIBUTOR",
            "body": "Issues\r\n- [ ] Unimplemented step is not getting highlighted\r\n- [ ] Duplicate step implementation is not being shown\r\n- [ ] Number of usages are also not displayed\r\n\r\n[test1.zip](https://github.com/getgauge/gauge/files/1469724/test1.zip)\r\n"
        },
        "repository": {
            "id": 18055618,
            "name": "gauge",
            "full_name": "getgauge/gauge",
            "owner": {
                "login": "getgauge",
                "id": 7044589,
                "avatar_url": "https://avatars1.githubusercontent.com/u/7044589?v=4",
                "gravatar_id": "",
                "url": "https://api.github.com/users/getgauge",
                "html_url": "https://github.com/getgauge",
                "followers_url": "https://api.github.com/users/getgauge/followers",
                "following_url": "https://api.github.com/users/getgauge/following{/other_user}",
                "gists_url": "https://api.github.com/users/getgauge/gists{/gist_id}",
                "starred_url": "https://api.github.com/users/getgauge/starred{/owner}{/repo}",
                "subscriptions_url": "https://api.github.com/users/getgauge/subscriptions",
                "organizations_url": "https://api.github.com/users/getgauge/orgs",
                "repos_url": "https://api.github.com/users/getgauge/repos",
                "events_url": "https://api.github.com/users/getgauge/events{/privacy}",
                "received_events_url": "https://api.github.com/users/getgauge/received_events",
                "type": "Organization",
                "site_admin": false
            },
            "private": false,
            "html_url": "https://github.com/getgauge/gauge",
            "description": "Light weight cross-platform test automation",
            "fork": false,
            "url": "https://api.github.com/repos/getgauge/gauge",
            "forks_url": "https://api.github.com/repos/getgauge/gauge/forks",
            "keys_url": "https://api.github.com/repos/getgauge/gauge/keys{/key_id}",
            "collaborators_url": "https://api.github.com/repos/getgauge/gauge/collaborators{/collaborator}",
            "teams_url": "https://api.github.com/repos/getgauge/gauge/teams",
            "hooks_url": "https://api.github.com/repos/getgauge/gauge/hooks",
            "issue_events_url": "https://api.github.com/repos/getgauge/gauge/issues/events{/number}",
            "events_url": "https://api.github.com/repos/getgauge/gauge/events",
            "assignees_url": "https://api.github.com/repos/getgauge/gauge/assignees{/user}",
            "branches_url": "https://api.github.com/repos/getgauge/gauge/branches{/branch}",
            "tags_url": "https://api.github.com/repos/getgauge/gauge/tags",
            "blobs_url": "https://api.github.com/repos/getgauge/gauge/git/blobs{/sha}",
            "git_tags_url": "https://api.github.com/repos/getgauge/gauge/git/tags{/sha}",
            "git_refs_url": "https://api.github.com/repos/getgauge/gauge/git/refs{/sha}",
            "trees_url": "https://api.github.com/repos/getgauge/gauge/git/trees{/sha}",
            "statuses_url": "https://api.github.com/repos/getgauge/gauge/statuses/{sha}",
            "languages_url": "https://api.github.com/repos/getgauge/gauge/languages",
            "stargazers_url": "https://api.github.com/repos/getgauge/gauge/stargazers",
            "contributors_url": "https://api.github.com/repos/getgauge/gauge/contributors",
            "subscribers_url": "https://api.github.com/repos/getgauge/gauge/subscribers",
            "subscription_url": "https://api.github.com/repos/getgauge/gauge/subscription",
            "commits_url": "https://api.github.com/repos/getgauge/gauge/commits{/sha}",
            "git_commits_url": "https://api.github.com/repos/getgauge/gauge/git/commits{/sha}",
            "comments_url": "https://api.github.com/repos/getgauge/gauge/comments{/number}",
            "issue_comment_url": "https://api.github.com/repos/getgauge/gauge/issues/comments{/number}",
            "contents_url": "https://api.github.com/repos/getgauge/gauge/contents/{+path}",
            "compare_url": "https://api.github.com/repos/getgauge/gauge/compare/{base}...{head}",
            "merges_url": "https://api.github.com/repos/getgauge/gauge/merges",
            "archive_url": "https://api.github.com/repos/getgauge/gauge/{archive_format}{/ref}",
            "downloads_url": "https://api.github.com/repos/getgauge/gauge/downloads",
            "issues_url": "https://api.github.com/repos/getgauge/gauge/issues{/number}",
            "pulls_url": "https://api.github.com/repos/getgauge/gauge/pulls{/number}",
            "milestones_url": "https://api.github.com/repos/getgauge/gauge/milestones{/number}",
            "notifications_url": "https://api.github.com/repos/getgauge/gauge/notifications{?since,all,participating}",
            "labels_url": "https://api.github.com/repos/getgauge/gauge/labels{/name}",
            "releases_url": "https://api.github.com/repos/getgauge/gauge/releases{/id}",
            "deployments_url": "https://api.github.com/repos/getgauge/gauge/deployments",
            "created_at": "2014-03-24T08:06:58Z",
            "updated_at": "2017-11-13T14:29:48Z",
            "pushed_at": "2017-11-13T14:58:45Z",
            "git_url": "git://github.com/getgauge/gauge.git",
            "ssh_url": "[email protected]:getgauge/gauge.git",
            "clone_url": "https://github.com/getgauge/gauge.git",
            "svn_url": "https://github.com/getgauge/gauge",
            "homepage": "https://getgauge.io",
            "size": 9569,
            "stargazers_count": 932,
            "watchers_count": 932,
            "language": "Go",
            "has_issues": true,
            "has_projects": false,
            "has_downloads": true,
            "has_wiki": true,
            "has_pages": false,
            "forks_count": 147,
            "mirror_url": null,
            "archived": false,
            "open_issues_count": 146,
            "forks": 147,
            "open_issues": 146,
            "watchers": 932,
            "default_branch": "master"
        },
        "organization": {
            "login": "getgauge",
            "id": 7044589,
            "url": "https://api.github.com/orgs/getgauge",
            "repos_url": "https://api.github.com/orgs/getgauge/repos",
            "events_url": "https://api.github.com/orgs/getgauge/events",
            "hooks_url": "https://api.github.com/orgs/getgauge/hooks",
            "issues_url": "https://api.github.com/orgs/getgauge/issues",
            "members_url": "https://api.github.com/orgs/getgauge/members{/member}",
            "public_members_url": "https://api.github.com/orgs/getgauge/public_members{/member}",
            "avatar_url": "https://avatars1.githubusercontent.com/u/7044589?v=4",
            "description": "A lightweight cross platform test automation tool"
        },
        "sender": {
            "login": "sguptatw",
            "id": 6310197,
            "avatar_url": "https://avatars0.githubusercontent.com/u/6310197?v=4",
            "gravatar_id": "",
            "url": "https://api.github.com/users/sguptatw",
            "html_url": "https://github.com/sguptatw",
            "followers_url": "https://api.github.com/users/sguptatw/followers",
            "following_url": "https://api.github.com/users/sguptatw/following{/other_user}",
            "gists_url": "https://api.github.com/users/sguptatw/gists{/gist_id}",
            "starred_url": "https://api.github.com/users/sguptatw/starred{/owner}{/repo}",
            "subscriptions_url": "https://api.github.com/users/sguptatw/subscriptions",
            "organizations_url": "https://api.github.com/users/sguptatw/orgs",
            "repos_url": "https://api.github.com/users/sguptatw/repos",
            "events_url": "https://api.github.com/users/sguptatw/events{/privacy}",
            "received_events_url": "https://api.github.com/users/sguptatw/received_events",
            "type": "User",
            "site_admin": false
        },
        "installation": {
            "id": 49371
        }
    }
}
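The crash above comes from reading `pull_request.url` on an `issue_comment` payload that has no `pull_request` key. As an added example (not cla-bot's own code), this handler checks the event name and the payload shape before touching those fields, and ignores events that carry no pull request; the function names, the handled-action set and the two trimmed sample payloads are constructed for this example.

```javascript
'use strict';

// Returns the URLs the bot needs from a GitHub webhook payload, or null when
// the payload carries no pull request (e.g. an issue_comment event like the
// one above). Reading `webhook.pull_request.url` unconditionally is what
// raised "Cannot read property 'url' of undefined".
function extractPullRequestUrls(webhook) {
  if (!webhook || typeof webhook !== 'object') {
    return null;
  }
  const pr = webhook.pull_request;
  if (!pr || typeof pr.url !== 'string') {
    return null;
  }
  return {
    pullRequest: pr.url,
    issue: typeof pr.issue_url === 'string' ? pr.issue_url : null,
    commits: typeof pr.commits_url === 'string' ? pr.commits_url : null,
  };
}

// Decides what the handler should do with an incoming event. The event name
// is the value of the X-GitHub-Event header; only pull_request events whose
// action can change the set of commits (constructed list) are handled.
const HANDLED_ACTIONS = new Set(['opened', 'synchronize', 'reopened']);

function classifyEvent(eventName, webhook) {
  if (eventName !== 'pull_request') {
    return { handle: false, reason: `ignoring ${eventName} event` };
  }
  if (!webhook || !HANDLED_ACTIONS.has(webhook.action)) {
    return { handle: false, reason: 'ignoring pull_request action' };
  }
  const urls = extractPullRequestUrls(webhook);
  if (urls === null) {
    return { handle: false, reason: 'pull_request payload missing url' };
  }
  return { handle: true, urls };
}

// Constructed sample payloads (shape only, trimmed from the webhook above
// and from a hypothetical pull_request event on a placeholder repo).
const issueCommentPayload = {
  action: 'created',
  issue: { url: 'https://api.github.com/repos/getgauge/gauge/issues/823' },
  comment: { url: 'https://api.github.com/repos/getgauge/gauge/issues/comments/344155838' },
};
const pullRequestPayload = {
  action: 'opened',
  pull_request: {
    url: 'https://api.github.com/repos/example-org/example-repo/pulls/42',
    issue_url: 'https://api.github.com/repos/example-org/example-repo/issues/42',
    commits_url: 'https://api.github.com/repos/example-org/example-repo/pulls/42/commits',
  },
};
```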
