
Metadata fields alert-state, ghsa-id & cvss are never populated when the manifest file is at the root #185

Closed
SalimBensiali opened this issue Mar 24, 2022 · 9 comments · Fixed by #186
Labels
bug Something isn't working

Comments

@SalimBensiali
Contributor

If you look at https://github.com/SalimBensiali/le-blanc-jewellery/runs/5561937034?check_suite_focus=true, you would expect to see the relevant vulnerability alert metadata, but I am always getting the default data instead, i.e.:

outputs.alert-state: ''
outputs.ghsa-id: ''
outputs.cvss: 0


@lindan-betterment

I am experiencing the same issue.

@mwaddell
Contributor

@SalimBensiali your repository is not configured to use Dependabot security updates and alerts:


I updated the README (see #187) to make it explicit that this feature relies upon those being enabled. My apologies for the confusion.

@SalimBensiali
Contributor Author

SalimBensiali commented Mar 27, 2022

@mwaddell my repo does have Dependabot security updates and alerts enabled. Look at any previously closed Dependabot alerts via the auto-merge workflow: https://github.com/SalimBensiali/le-blanc-jewellery/pulls?q=is%3Apr+is%3Aclosed

The issue I am reporting relates to the new v1.3.0 feature, alert-lookup.

@SalimBensiali
Contributor Author

I think you simply don't have the permissions to view them.

@SalimBensiali
Contributor Author

SalimBensiali commented Mar 27, 2022

@mwaddell I managed to run the dry-run command which successfully returned the missing metadata for me.

Could it be because your LOCAL_GITHUB_ACCESS_TOKEN does not give you permission to access the data? That would be consistent with not seeing that Dependabot security alerts and updates are enabled on https://github.com/SalimBensiali/le-blanc-jewellery/security.

@SalimBensiali
Contributor Author

SalimBensiali commented Mar 27, 2022

The docs you are linking to in #187 (https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts#access-to--dependabot-alerts) do explain why you could not see any Dependabot alerts on my repo:

"By default, we notify people with admin permissions in the affected repositories about new Dependabot alerts. GitHub never publicly discloses identified vulnerabilities for any repository. You can also make Dependabot alerts visible to additional people or teams working on repositories that you own or have admin permissions for. For more information, see 'Managing security and analysis settings for your repository.'"

This is further confirmed here.

@SalimBensiali
Contributor Author

@mwaddell you could run the dry-run command off main and off my branch, targeting a test repo you own, to verify the bug and the fix. All you need is a repo with a manifest file in the root directory and any Dependabot PR.

@mwaddell
Contributor

Thank you for the additional clarification, I understand now. Thank you for the PR and for updating all the unit tests; I've reviewed and approved the changes for @brrygrdn to merge.

@SalimBensiali
Contributor Author

👍
