fix(vulnerability-alerts): maven matchCurrentVersion syntax

renovatebot · May 19, 2019 · 31bd248 · 31bd248
1 parent 6d86bbd
commit 31bd248
Show file tree

Hide file tree

Showing 3 changed files with 73 additions and 2 deletions.
diff --git a/lib/workers/repository/init/vulnerability.js b/lib/workers/repository/init/vulnerability.js
@@ -123,10 +123,16 @@ async function detectVulnerabilityAlerts(input) {
       } catch (err) /* istanbul ignore next */ {
         logger.warn({ err }, 'Error generating vulnerability PR notes');
       }
+      let matchCurrentVersion;
+      if (datasource === 'maven') {
+        matchCurrentVersion = `(,${val.firstPatchedVersion})`;
+      } else {
+        matchCurrentVersion = `< ${val.firstPatchedVersion}`;
+      }
       const matchRule = {
         datasources: [datasource],
         packageNames: [depName],
-        matchCurrentVersion: `< ${val.firstPatchedVersion}`,
+        matchCurrentVersion,
         prBodyNotes,
         force: {
           ...config.vulnerabilityAlerts,

diff --git a/test/workers/repository/init/__snapshots__/vulnerability.spec.js.snap b/test/workers/repository/init/__snapshots__/vulnerability.spec.js.snap
@@ -110,5 +110,44 @@ Ansible before version 2.2.0 fails to properly sanitize fact variables sent from
 Ansible before versions 2.1.4, 2.2.1 is vulnerable to an improper input validation in Ansible's handling of data sent from client systems. An attacker with control over a client system being managed by Ansible and the ability to send facts back to the Ansible server could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges.",
     ],
   },
+  Object {
+    "datasources": Array [
+      "maven",
+    ],
+    "force": Object {
+      "branchTopic": "maven-com.fasterxml.jackson.core:jackson-databind-vulnerability",
+      "commitMessageSuffix": "[SECURITY]",
+      "groupName": null,
+      "masterIssueApproval": false,
+      "rangeStrategy": "update-lockfile",
+      "schedule": Array [],
+      "vulnerabilityAlert": true,
+    },
+    "matchCurrentVersion": "(,2.7.9.4)",
+    "packageNames": Array [
+      "com.fasterxml.jackson.core:jackson-databind",
+    ],
+    "prBodyNotes": Array [
+      "### GitHub Vulnerability Alerts",
+      "#### [CVE-2018-12022](https://nvd.nist.gov/vuln/detail/CVE-2018-12022)
+
+An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.",
+    ],
+  },
+  Object {
+    "allowedVersions": ">= 2.7.9.4",
+    "datasources": Array [
+      "maven",
+    ],
+    "packageNames": Array [
+      "com.fasterxml.jackson.core:jackson-databind",
+    ],
+    "prBodyNotes": Array [
+      "### GitHub Vulnerability Alerts",
+      "#### [CVE-2018-12022](https://nvd.nist.gov/vuln/detail/CVE-2018-12022)
+
+An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.",
+    ],
+  },
 ]
 `;
diff --git a/test/workers/repository/init/vulnerability.spec.js b/test/workers/repository/init/vulnerability.spec.js
@@ -239,10 +239,36 @@ describe('workers/repository/init/vulnerability', () => {
             vulnerableVersionRange: '< 2.1.4',
           },
         },
+        {
+          dismissReason: null,
+          vulnerableManifestFilename: 'pom.xml',
+          vulnerableManifestPath: 'pom.xml',
+          vulnerableRequirements: '= 2.4.2',
+          securityAdvisory: {
+            description:
+              'An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.',
+            identifiers: [
+              { type: 'GHSA', value: 'GHSA-cjjf-94ff-43w7' },
+              { type: 'CVE', value: 'CVE-2018-12022' },
+            ],
+            references: [
+              { url: 'https://nvd.nist.gov/vuln/detail/CVE-2018-12022' },
+            ],
+            severity: 'HIGH',
+          },
+          securityVulnerability: {
+            package: {
+              name: 'com.fasterxml.jackson.core:jackson-databind',
+              ecosystem: 'MAVEN',
+            },
+            firstPatchedVersion: { identifier: '2.7.9.4' },
+            vulnerableVersionRange: '< 2.7.9.4',
+          },
+        },
       ]);
       const res = await detectVulnerabilityAlerts(config);
       expect(res.packageRules).toMatchSnapshot();
-      expect(res.packageRules).toHaveLength(4);
+      expect(res.packageRules).toHaveLength(6);
     });
   });
 });