Generate a GitHub Pull Request

Clone GitHub repository

Software development happens locally on a developer's laptop. Using the git CLI, clone the Goof application to your laptop.

git clone https://github.com/omearaj/goof.git
Cloning into 'goof'...
remote: Enumerating objects: 326, done.
remote: Counting objects: 100% (326/326), done.
remote: Compressing objects: 100% (177/177), done.
remote: Total 326 (delta 156), reused 291 (delta 132), pack-reused 0
Receiving objects: 100% (326/326), 248.40 KiB | 1.67 MiB/s, done.
Resolving deltas: 100% (156/156), done.

The command above clones the omearaj fork; substitute the URL of your own fork so that the branch and pull request you create later land in a repository you control.

Create a new branch

We are going to create a new branch, make our changes on that branch, and then merge the changes back on GitHub through a pull request. Using the git CLI, run the following commands to create the branch and check it out (git checkout -b add_vulns does both in one step).

git branch add_vulns
git checkout add_vulns
Switched to branch 'add_vulns'

Adding a new open source dependency

Applications are built on open source frameworks and libraries. For our sample Node application, Goof, the developer has selected the dependencies listed below. You will notice 27 entries in the dependencies section, but each of these libraries in turn depends on further libraries. These are called transitive dependencies, and it is common for the total number of installed packages to grow considerably beyond the number the developer chose as open source is pulled into a project. Note also that several entries use floating version specifiers: "latest" for method-override and morgan, and caret ranges such as "^1.0.4". Which concrete version such an entry resolves to is decided at install time, which is the gap the package lock file created in a later step closes. In fact, the majority of code in a given application built in the last 25 years comes from open source communities, with developers focusing on writing business logic.

{
  "name": "goof",
  "version": "1.0.1",
  "description": "A vulnerable todo demo application",
  "homepage": "https://snyk.io/",
  "repository": {
    "type": "git",
    "url": "https://github.com/Snyk/snyk-todo-list-demo-app/"
  },
  "scripts": {
    "start": "node app.js",
    "build": "browserify -r jquery > public/js/bundle.js",
    "cleanup": "mongo express-todo --eval 'db.todos.remove({});'",
    "test": "snyk test"
  },
  "engines": {
    "node": "6.14.1"
  },
  "dependencies": {
    "adm-zip": "0.4.7",
    "body-parser": "1.9.0",
    "cfenv": "^1.0.4",
    "consolidate": "0.14.5",
    "cookie-parser": "1.3.3",
    "dustjs-helpers": "1.5.0",
    "dustjs-linkedin": "2.5.0",
    "ejs": "1.0.0",
    "ejs-locals": "1.0.2",
    "errorhandler": "1.2.0",
    "express": "4.12.4",
    "express-fileupload": "0.0.5",
    "file-type": "^8.1.0",
    "humanize-ms": "1.0.1",
    "jquery": "^2.2.4",
    "lodash": "4.17.4",
    "marked": "0.3.5",
    "method-override": "latest",
    "moment": "2.15.1",
    "mongoose": "4.2.4",
    "morgan": "latest",
    "ms": "^0.7.1",
    "npmconf": "0.0.24",
    "optional": "^0.1.3",
    "st": "0.2.4",
    "stream-buffers": "^3.0.1",
    "tap": "^11.1.3"
  },
  "devDependencies": {
    "browserify": "^13.1.1",
    "snyk": "^1.244.0"
  },
  "license": "Apache-2.0"
}

For our sample application Goof, we have decided to add another library to the dependency list to support a new feature. The library is tinymce, pinned to the exact version 4.1.0, and we add it as the last entry of the dependencies section of package.json.

{
  "name": "goof",
  "version": "1.0.1",
  "description": "A vulnerable todo demo application",
  "homepage": "https://snyk.io/",
  "repository": {
    "type": "git",
    "url": "https://github.com/Snyk/snyk-todo-list-demo-app/"
  },
  "scripts": {
    "start": "node app.js",
    "build": "browserify -r jquery > public/js/bundle.js",
    "cleanup": "mongo express-todo --eval 'db.todos.remove({});'",
    "test": "snyk test"
  },
  "engines": {
    "node": "6.14.1"
  },
  "dependencies": {
    "adm-zip": "0.4.7",
    "body-parser": "1.9.0",
    "cfenv": "^1.0.4",
    "consolidate": "0.14.5",
    "cookie-parser": "1.3.3",
    "dustjs-helpers": "1.5.0",
    "dustjs-linkedin": "2.5.0",
    "ejs": "1.0.0",
    "ejs-locals": "1.0.2",
    "errorhandler": "1.2.0",
    "express": "4.12.4",
    "express-fileupload": "0.0.5",
    "file-type": "^8.1.0",
    "humanize-ms": "1.0.1",
    "jquery": "^2.2.4",
    "lodash": "4.17.4",
    "marked": "0.3.5",
    "method-override": "latest",
    "moment": "2.15.1",
    "mongoose": "4.2.4",
    "morgan": "latest",
    "ms": "^0.7.1",
    "npmconf": "0.0.24",
    "optional": "^0.1.3",
    "st": "0.2.4",
    "stream-buffers": "^3.0.1",
    "tap": "^11.1.3",
    "tinymce": "4.1.0"
  },
  "devDependencies": {
    "browserify": "^13.1.1",
    "snyk": "^1.244.0"
  },
  "license": "Apache-2.0"
}

Don't forget to place a comma after "tap": "^11.1.3" when adding the "tinymce" line: JSON allows no trailing comma, and npm will refuse to parse a package.json with a missing or extra one.
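As an added example that is not part of the Goof project or of the original page, the following Node script performs the same edit programmatically and, in the same pass, reports which dependencies in the file are not pinned to an exact version (the "latest" and "^" specifiers discussed above). The package.json embedded in it is a constructed, trimmed copy of the one shown above, and the function names are the example's own.

```javascript
// Added example (not part of the Goof project): add a dependency to a
// package.json document and report which dependencies are not pinned
// to an exact version. Going through JSON.parse/JSON.stringify rather
// than a text edit makes the missing-comma mistake impossible, and a
// malformed input file is rejected before anything is written.

// Constructed sample: a trimmed copy of the Goof package.json shown above.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'goof',
  version: '1.0.1',
  dependencies: {
    'adm-zip': '0.4.7',
    cfenv: '^1.0.4',
    express: '4.12.4',
    'method-override': 'latest',
    morgan: 'latest',
    ms: '^0.7.1',
    tap: '^11.1.3',
  },
  devDependencies: { browserify: '^13.1.1' },
}, null, 2);

// Classify a version specifier. Only 'exact' names one known version
// without consulting the registry at install time.
function classifySpecifier(spec) {
  const s = String(spec).trim();
  if (/^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/.test(s)) return 'exact';          // 4.1.0
  if (/^(?:git\+|git:|github:|https?:|file:|npm:|ssh:)|\//.test(s)) return 'url'; // git, URL, path
  if (/^[\^~<>=*x]|\|\||\s-\s|\.x$|^\d+(?:\.\d+)?$/.test(s)) return 'range';    // ^1.0.4, ~1.2, >=1, 1.x, *
  return 'tag';                                                                 // latest, next, beta
}

// Add (or re-pin) a dependency. Floating specifiers are refused unless
// the caller explicitly allows them.
function addDependency(packageJsonText, name, spec, opts = {}) {
  const kind = classifySpecifier(spec);
  if (kind !== 'exact' && !opts.allowFloating) {
    throw new Error(`refusing to add ${name}@${spec}: '${kind}' specifier is not an exact version`);
  }
  const pkg = JSON.parse(packageJsonText); // throws SyntaxError on a malformed file
  const field = opts.dev ? 'devDependencies' : 'dependencies';
  pkg[field] = pkg[field] || {};
  pkg[field][name] = spec;                 // a new key is appended after the existing ones
  return JSON.stringify(pkg, null, 2) + '\n';
}

// List every dependency whose installed version is decided at install time.
function auditSpecifiers(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const findings = [];
  for (const field of ['dependencies', 'devDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const kind = classifySpecifier(spec);
      if (kind !== 'exact') findings.push({ field, name, spec, kind });
    }
  }
  return findings;
}

// Apply the page's change to the constructed sample and audit the result.
function demo() {
  const updated = addDependency(SAMPLE_PACKAGE_JSON, 'tinymce', '4.1.0');
  return { updated, floating: auditSpecifiers(updated) };
}

for (const f of demo().floating) {
  console.log(`${f.field}: ${f.name} ${f.spec} (${f.kind})`);
}
```

To run it against a real checkout, pass the contents of package.json (for example from fs.readFileSync) to addDependency and write the returned text back; the audit of the real Goof file lists method-override and morgan as tags and every caret entry as a range.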

Create a package lock file

Let's create a package lock file for our Node application. A package-lock.json records the exact version, resolved URL and integrity hash of every package in the installed tree, transitive dependencies included, so that every install reproduces the same tree regardless of how loosely package.json specifies versions. For more details on its purpose see the npm documentation on package-lock.json.

npm install --package-lock

If a package-lock.json already exists, run rm package-lock.json first so that npm regenerates it from the updated package.json. Be aware that regenerating rather than updating the lock re-resolves every floating specifier ("latest", "^..."), so the new lock can differ from the old one in far more than the tinymce entry. If you only need the lock file and not a node_modules directory, npm install --package-lock-only writes the lock without installing anything.

Commit your changes to the local git repository

Git is a distributed version control system: commits are made to the local repository first and then pushed to a remote such as GitHub. First check what has changed in your working tree with git status, then stage the changed files and commit them.

git status
On branch add_vulns
Changes not staged for commit:
  (use "git add <file>..." to update what will be committed)
  (use "git restore <file>..." to discard changes in working directory)
        modified:   package-lock.json
        modified:   package.json

git add package*
git commit -m "adding tinymce v4.1.0"
 2 files changed, 680 insertions(+), 781 deletions(-)
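The commit above touched 680 inserted and 781 deleted lines for a single added dependency, because deleting and regenerating the lock file re-resolved every floating specifier. As an added example, not code from the Goof project or the original page, the following Node script shows what a reviewer of that commit would want: it flattens a package-lock.json (either the nested lockfileVersion 1 tree or the lockfileVersion 2/3 packages map), counts direct versus transitive dependencies against package.json, and diffs two lock files into added, removed and changed packages, flagging any package whose integrity hash changed while its version did not. The two lock files embedded in it are small constructed samples, not the real Goof lock, and the function names are the example's own.

```javascript
// Added example (not part of the Goof project): flatten, count and diff
// package-lock.json files so that a reviewer can tell the intended change
// (tinymce added) apart from churn caused by re-resolving floating ranges.

// Constructed sample: the lock before the change, in lockfileVersion 1
// form (a nested tree under "dependencies"). Integrity values are fake.
const OLD_LOCK = {
  name: 'goof', version: '1.0.1', lockfileVersion: 1, requires: true,
  dependencies: {
    express: { version: '4.12.4', integrity: 'sha1-express-old', requires: { ms: '0.7.1' } },
    lodash:  { version: '4.17.4', integrity: 'sha1-lodash-old' },
    morgan:  { version: '1.9.0',  integrity: 'sha1-morgan-old' },
    ms:      { version: '0.7.1',  integrity: 'sha1-ms-0.7.1' },
  },
};

// Constructed sample: the regenerated lock after adding tinymce, written by
// a newer npm in lockfileVersion 3 form (a flat "packages" map keyed by path).
const NEW_LOCK = {
  name: 'goof', version: '1.0.1', lockfileVersion: 3, requires: true,
  packages: {
    '': { name: 'goof', dependencies: { express: '4.12.4', lodash: '4.17.4', morgan: 'latest', ms: '^0.7.1', tinymce: '4.1.0' } },
    'node_modules/express': { version: '4.12.4', integrity: 'sha1-express-old', dependencies: { ms: '0.7.1' } },
    'node_modules/express/node_modules/ms': { version: '0.7.1', integrity: 'sha1-ms-0.7.1' }, // nested copy: top-level ms moved on
    'node_modules/lodash':  { version: '4.17.4', integrity: 'sha1-lodash-NEW' },  // same version, different tarball hash
    'node_modules/morgan':  { version: '1.10.0', integrity: 'sha1-morgan-new' }, // "latest" re-resolved
    'node_modules/ms':      { version: '0.7.3',  integrity: 'sha1-ms-0.7.3' },   // "^0.7.1" re-resolved
    'node_modules/tinymce': { version: '4.1.0',  integrity: 'sha1-tinymce' },    // the intended change
  },
};

// The package.json that goes with NEW_LOCK (constructed).
const NEW_PACKAGE_JSON = { dependencies: NEW_LOCK.packages[''].dependencies };

// Package name from an install path; handles nesting and @scoped names.
function nameFromPath(path) {
  return path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
}

// Flatten either lock format into Map(installPath -> {name, version, integrity}).
function flattenLockfile(lock) {
  const out = new Map();
  if (lock.packages) {                                   // lockfileVersion 2/3
    for (const [path, e] of Object.entries(lock.packages)) {
      if (!path.includes('node_modules/')) continue;     // skip root project / workspace entries
      out.set(path, { name: nameFromPath(path), version: e.version, integrity: e.integrity });
    }
    return out;
  }
  const walk = (deps, prefix) => {                       // lockfileVersion 1
    for (const [name, e] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      out.set(path, { name, version: e.version, integrity: e.integrity });
      walk(e.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return out;
}

// Direct = declared in package.json and installed at top level; the rest is transitive.
function countDependencies(lock, pkg) {
  const flat = flattenLockfile(lock);
  const declared = new Set([...Object.keys(pkg.dependencies || {}), ...Object.keys(pkg.devDependencies || {})]);
  let direct = 0;
  for (const [path, e] of flat) if (path === `node_modules/${e.name}` && declared.has(e.name)) direct++;
  return { direct, total: flat.size, transitive: flat.size - direct };
}

// Diff two locks by install path. A changed integrity on an unchanged
// version means the registry served a different tarball and deserves a look.
function diffLockfiles(oldLock, newLock) {
  const before = flattenLockfile(oldLock), after = flattenLockfile(newLock);
  const added = [], removed = [], changed = [];
  for (const [path, e] of after) {
    const o = before.get(path);
    if (!o) added.push({ path, version: e.version });
    else if (o.version !== e.version || o.integrity !== e.integrity) {
      changed.push({ path, from: o.version, to: e.version,
                     sameVersionNewIntegrity: o.version === e.version && o.integrity !== e.integrity });
    }
  }
  for (const [path, e] of before) if (!after.has(path)) removed.push({ path, version: e.version });
  return { added, removed, changed };
}

const report = diffLockfiles(OLD_LOCK, NEW_LOCK);
console.log(countDependencies(NEW_LOCK, NEW_PACKAGE_JSON));
for (const a of report.added)   console.log(`+ ${a.path}@${a.version}`);
for (const r of report.removed) console.log(`- ${r.path}@${r.version}`);
for (const c of report.changed) console.log(`~ ${c.path} ${c.from} -> ${c.to}${c.sameVersionNewIntegrity ? '  !! integrity changed' : ''}`);
```

On a real branch, feed the script the old lock from git (git show master:package-lock.json) and the new one from the working tree, both through JSON.parse; anything in the changed list other than the package you meant to add is re-resolution churn that the pull request description should account for.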

Push your changes to GitHub

This is the final step in publishing your local changes to GitHub: a git push transfers the new commit and branch to your fork (the origin remote). GitHub then holds the source, branches and history centrally, which is where collaborators and the pull request workflow pick up from.

git push --set-upstream origin add_vulns
Enumerating objects: 7, done.
Counting objects: 100% (7/7), done.
Delta compression using up to 12 threads
Compressing objects: 100% (4/4), done.
Writing objects: 100% (4/4), 10.31 KiB | 2.58 MiB/s, done.
Total 4 (delta 3), reused 0 (delta 0)
remote: Resolving deltas: 100% (3/3), completed with 3 local objects.
remote:
remote: Create a pull request for 'add_vulns' on GitHub by visiting:
remote: https://github.com/omearaj/goof/pull/new/add_vulns
remote:
remote:
remote:
remote: GitHub found 29 vulnerabilities on omearaj/goof's default branch (1 critical, 10 high, 16 moderate, 2 low). To find out more, visit:
remote: https://github.com/omearaj/goof/network/alerts
remote:
To https://github.com/omearaj/goof.git
* [new branch] add_vulns -> add_vulns
Branch 'add_vulns' set up to track remote branch 'add_vulns' from 'origin'.

Review your changes on GitHub

GitHub has received your add_vulns branch, and you can now compare it with the master branch to generate a pull request. master is the default branch of this repository (newer repositories commonly use main). Note that the vulnerability count GitHub printed during the push refers to the default branch, not to the add_vulns branch you just pushed.

At the top of the repository page GitHub offers a button to compare the add_vulns branch with master and open a pull request. Select it to start the pull request workflow.

This takes you to the screen below, which shows drop-down boxes to select the branches to compare, a title for your change, a larger text box for a longer description, and a colour-coded list of the changes to each file (not shown). Select Create pull request to finish creating the pull request (PR).

If you have write access to the original repository (Snyk/Goof in this case), make sure the base of the comparison is the master branch of your fork and not of the upstream repository; the base repository and branch can be changed in the drop-down boxes. If you compare against the upstream, the pull request will be opened on that repository instead of on your fork.

For a detailed explanation of branches, please refer to the Git documentation on branching.