
Duplicate comments on PR when Trusty rule is enabled #4943

Closed
eleftherias opened this issue Nov 12, 2024 · 1 comment
Labels
bug Something isn't working

Comments

@eleftherias
Contributor

Describe the issue

Note: I have only been able to reproduce this in production. It's possible that staging already has the fix.

When I have a profile that includes the Trusty ruletype,
And I create a PR that adds a dependency with a low Trusty score
Then I see Minder comment on the PR twice with the dependency information

This can be seen in the PR eleftherias/demo-repo-python#25
[Screenshot 2024-11-12 at 11:25:20: the PR showing two identical Minder comments]

Additional Information

I only have one instance of the Trusty ruletype in one of my profiles.

This is the YAML output when I run minder profile get:

profile:
    alert: "off"
    context:
        project: b73403a2-d409-43ea-b8f6-2b567a558a6d
    displayName: Dependencies Security
    id: 30726deb-e96c-4c4c-b92f-454660072611
    name: dependencies-github-profile
    pullRequest:
        - def:
            action: review
            ecosystem_config:
                - name: npm
                  package_repository:
                    url: https://registry.npmjs.org
                  vulnerability_database_endpoint: https://api.osv.dev/v1/query
                  vulnerability_database_type: osv
                - name: go
                  package_repository:
                    url: https://proxy.golang.org
                  sum_repository:
                    url: https://sum.golang.org
                  vulnerability_database_endpoint: https://api.osv.dev/v1/query
                  vulnerability_database_type: osv
                - name: pypi
                  package_repository:
                    url: https://pypi.org/pypi
                  vulnerability_database_endpoint: https://api.osv.dev/v1/query
                  vulnerability_database_type: osv
          name: Check pull requests for vulnerable dependencies
          type: stacklok/pr_vulnerability_check
        - def:
            action: summary
            ecosystem_config:
                - name: npm
                  score: 5
                - name: pypi
                  score: 5
          name: Check pull requests for dependencies with low Trusty Score
          type: stacklok/pr_trusty_check
    remediate: "off"
    repository:
        - def:
            apply_if_file: go.mod
            package_ecosystem: gomod
            schedule_interval: daily
          name: Dependabot configured for Go projects
          type: stacklok/dependabot_configured
        - def:
            apply_if_file: package.json
            package_ecosystem: npm
            schedule_interval: daily
          name: Dependabot configured for JavaScript projects
          type: stacklok/dependabot_configured
        - def:
            apply_if_file: requirements.txt
            package_ecosystem: pip
            schedule_interval: daily
          name: Dependabot configured for Python projects
          type: stacklok/dependabot_configured

To Reproduce

No response

What version are you using?

No response
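The author states that the profile above contains only one instance of the Trusty rule type, which rules out a doubled profile entry as the cause of the repeated comment. The following is an added example, not Minder's own code, that audits a profile parsed from `minder profile get` for the two configuration-side explanations a practitioner would check first: the same rule type registered twice under one entity section with the same name, and the same ecosystem listed twice inside one rule's `ecosystem_config`. The profile from the issue is embedded as a constructed dict (already parsed, as `yaml.safe_load` would produce), alongside a hypothetical doubled profile that is not from the issue.

```python
"""Audit a Minder profile for rule instances that could explain duplicate PR
comments: a rule type registered more than once under one entity section, or
an ecosystem listed more than once inside a rule. Added example, not Minder code."""
from collections import Counter

# Constructed sample: the `minder profile get` output quoted in this issue,
# reduced to the fields the audit needs and already parsed into a dict
# (in practice: yaml.safe_load(output)["profile"]).
ISSUE_PROFILE = {
    "name": "dependencies-github-profile",
    "pullRequest": [
        {"type": "stacklok/pr_vulnerability_check",
         "name": "Check pull requests for vulnerable dependencies",
         "def": {"action": "review",
                 "ecosystem_config": [{"name": "npm"}, {"name": "go"}, {"name": "pypi"}]}},
        {"type": "stacklok/pr_trusty_check",
         "name": "Check pull requests for dependencies with low Trusty Score",
         "def": {"action": "summary",
                 "ecosystem_config": [{"name": "npm", "score": 5},
                                      {"name": "pypi", "score": 5}]}},
    ],
    "repository": [
        {"type": "stacklok/dependabot_configured",
         "name": "Dependabot configured for Go projects",
         "def": {"apply_if_file": "go.mod", "package_ecosystem": "gomod"}},
        {"type": "stacklok/dependabot_configured",
         "name": "Dependabot configured for JavaScript projects",
         "def": {"apply_if_file": "package.json", "package_ecosystem": "npm"}},
        {"type": "stacklok/dependabot_configured",
         "name": "Dependabot configured for Python projects",
         "def": {"apply_if_file": "requirements.txt", "package_ecosystem": "pip"}},
    ],
}

# Hypothetical counter-example (constructed, not from the issue): the Trusty
# rule pasted twice, and npm listed twice in the second copy's ecosystem_config.
DOUBLED_PROFILE = {
    "name": "doubled-profile",
    "pullRequest": [
        ISSUE_PROFILE["pullRequest"][1],
        {"type": "stacklok/pr_trusty_check",
         "name": "Check pull requests for dependencies with low Trusty Score",
         "def": {"action": "summary",
                 "ecosystem_config": [{"name": "npm", "score": 5},
                                      {"name": "npm", "score": 7}]}},
    ],
}


def rule_instances(profile):
    """Yield (section, rule_type, rule_name) for every rule in the profile.
    Entity sections are the top-level keys whose value is a list of rules."""
    for section, rules in profile.items():
        if not isinstance(rules, list):
            continue
        for rule in rules:
            if isinstance(rule, dict) and "type" in rule:
                yield section, rule["type"], rule.get("name", rule["type"])


def count_rule_types(profile):
    """Number of instances of each rule type per entity section."""
    return Counter((section, rtype) for section, rtype, _ in rule_instances(profile))


def duplicate_rules(profile):
    """(section, type, name) triples registered more than once. Several
    instances of one type under different names (the three Dependabot rules
    above) are legitimate and are not reported."""
    counts = Counter(rule_instances(profile))
    return sorted(key for key, n in counts.items() if n > 1)


def duplicate_ecosystems(profile):
    """(rule_name, ecosystem, count) for ecosystems listed more than once
    inside a single rule's ecosystem_config."""
    found = []
    for _section, rtype, name in rule_instances(profile):
        pass  # names only; the def is read below to keep one traversal style
    for section, rules in profile.items():
        if not isinstance(rules, list):
            continue
        for rule in rules:
            if not isinstance(rule, dict):
                continue
            ecosystems = [e.get("name") for e in rule.get("def", {}).get("ecosystem_config", [])]
            for eco, n in Counter(ecosystems).items():
                if n > 1:
                    found.append((rule.get("name"), eco, n))
    return found


def audit(profile):
    """Empty duplicate lists mean the profile itself is not what triggers
    repeated evaluations; look at the evaluation engine instead."""
    return {"rule_counts": dict(count_rule_types(profile)),
            "duplicate_rules": duplicate_rules(profile),
            "duplicate_ecosystems": duplicate_ecosystems(profile)}


if __name__ == "__main__":
    for prof in (ISSUE_PROFILE, DOUBLED_PROFILE):
        print(prof["name"], audit(prof))
```

Run against the issue's profile, `audit` reports one `pr_trusty_check` instance and no duplicates of either kind, which matches the author's statement and leaves the duplicated comment to be explained on the evaluation side rather than by the configuration.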

@eleftherias eleftherias added the bug Something isn't working label Nov 12, 2024
@eleftherias
Contributor Author

This is now fixed; I can no longer reproduce it on the latest main branch.
