feat: add feature-flagged support for osv

lib/config/options/index.ts

@@ -1499,6 +1499,38 @@ const options: RenovateOptions[] = [
     env: false,
     supportedPlatforms: ['github'],
   },
+  {
+    name: 'osvVulnerabilityAlerts',
+    description: 'Use vulnerability alerts from osv.dev',
+    type: 'boolean',
+    default: false,
+    releaseStatus: 'unpublished',
+    // GitHub is not supported as it already provides vulnerability alerts
+    supportedPlatforms: [
+      'azure',
+      'bitbucket',
+      'bitbucket-server',
+      'gitea',
+      'gitlab',
+    ],
+    supportedManagers: [
+      'bundler',
+      'cargo',
+      'gomod',
+      'gradle',
+      'maven',
+      'meteor',
+      'npm',
+      'nuget',
+      'pip-compile',
+      'pip_requirements',
+      'pip_setup',
+      'pipenv',
+      'poetry',
+      'setup-cfg',
+      'sbt',
+    ],
+  },
   // Default templates
   {
     name: 'branchName',

lib/config/types.ts

@@ -217,6 +217,7 @@ export interface RenovateConfig
 
   warnings?: ValidationMessage[];
   vulnerabilityAlerts?: RenovateSharedConfig;
+  osvVulnerabilityAlerts?: boolean;
   regexManagers?: CustomManager[];
 
   fetchReleaseNotes?: boolean;

lib/workers/repository/process/extract-update.ts

@@ -11,6 +11,7 @@ import { branchifyUpgrades } from '../updates/branchify';
 import { raiseDeprecationWarnings } from './deprecated';
 import { fetchUpdates } from './fetch';
 import { sortBranches } from './sort';
+import { Vulnerabilities } from './vulnerabilities';
 import { WriteUpdateResult, writeUpdates } from './write';
 
 export type ExtractResult = {
@@ -104,11 +105,26 @@ export async function extract(
   return packageFiles;
 }
 
+async function fetchVulnerabilities(
+  config: RenovateConfig,
+  packageFiles: Record<string, PackageFile[]>
+): Promise<void> {
+  if (config.osvVulnerabilityAlerts) {
+    try {
+      const vulnerabilities = await Vulnerabilities.create();
+      await vulnerabilities.fetchVulnerabilities(config, packageFiles);
+    } catch (err) {
+      logger.warn({ err }, 'Unable to read vulnerability information');
+    }
+  }
+}
+
 export async function lookup(
   config: RenovateConfig,
   packageFiles: Record<string, PackageFile[]>
 ): Promise<ExtractResult> {
   await fetchUpdates(config, packageFiles);
+  await fetchVulnerabilities(config, packageFiles);
   await raiseDeprecationWarnings(config, packageFiles);
   const { branches, branchList } = await branchifyUpgrades(
     config,

lib/workers/repository/process/vulnerabilities.ts

@@ -111,13 +111,15 @@ export class Vulnerabilities {
       packageDependency.depName
     );
     return this.convertToPackageRule(
+      packageFileConfig,
       vulnerabilities ?? [],
       packageDependency.depName,
       ecosystem
     );
   }
 
   private convertToPackageRule(
+    packageFileConfig: RenovateConfig & PackageFile,
     vulnerabilities: Osv.Vulnerability[],
     dependencyName: string,
     ecosystem: Ecosystem
@@ -136,6 +138,9 @@ export class Vulnerabilities {
             (event) => event.fixed !== undefined
           ).fixed,
           isVulnerabilityAlert: true,
+          force: {
+            ...packageFileConfig.vulnerabilityAlerts,
+          },
         })
       );
   }