fix: not handling vulnerabilities with empty advsories

FuelLabs · Jan 28, 2025 · 7cf18a3 · 7cf18a3
1 parent 4e64a61
commit 7cf18a3
Showing 1 changed file with 28 additions and 6 deletions.
diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
@@ -63,15 +63,37 @@ jobs:
           node-version: 20.11.0
           pnpm-version: 9.5.0
       - name: Install jq
-        run: sudo apt-get install jq
+        run: sudo apt-get install -y jq
       - run: |
-          pnpm audit --prod --json | jq '
+          # Run pnpm audit and save the output to audit.json
+          pnpm audit --prod --json > audit.json
+
+          # Check if the 'advisories' field exists and has entries
+          advisories_count=$(jq '.advisories | length // 0' audit.json)
+          if [ "$advisories_count" -eq "0" ]; then
+            echo "No actionable vulnerabilities"
+            exit 0
+          fi
+
+          # Extract critical vulnerabilities with patched versions
+          jq '
             .advisories | to_entries | 
-            map(select(.value.patched_versions != "<0.0.0" and .value.severity == "critical") | {package: .value.module_name, vulnerable: .value.vulnerable_versions, fixed_in: .value.patched_versions}) 
-          ' > audit_fix_packages.json
-          if [ "$(jq 'length' audit_fix_packages.json)" -gt "0" ]; then
+            map(
+              select(
+                (.value.patched_versions != "<0.0.0") and 
+                (.value.severity == "critical")
+              ) | 
+              {package: .value.module_name, vulnerable: .value.vulnerable_versions, fixed_in: .value.patched_versions}
+            )
+          ' audit.json > audit_fix_packages.json
+
+          # Check if any critical vulnerabilities were found
+          fix_count=$(jq 'length' audit_fix_packages.json)
+          if [ "$fix_count" -gt "0" ]; then
             echo "Actionable vulnerabilities found in the following packages:"
-            jq -r '.[] | "\u001b[1m\(.package)\u001b[0m vulnerable in \u001b[31m\(.vulnerable)\u001b[0m fixed in \u001b[32m\(.fixed_in)\u001b[0m"' audit_fix_packages.json | while read -r line; do echo -e "$line"; done
+            jq -r '.[] | "\u001b[1m\(.package)\u001b[0m vulnerable in \u001b[31m\(.vulnerable)\u001b[0m fixed in \u001b[32m\(.fixed_in)\u001b[0m"' audit_fix_packages.json | while read -r line; do
+              echo -e "$line"
+            done
             echo "Please run \`pnpm --prod --fix\`"
             exit 1
           else