fix(vulnerabilities): do not force exact patch version in GitHub aler…

…ts (#29700)
renovatebot · Jun 16, 2024 · 99cc62f · 99cc62f
1 parent c3bd354
commit 99cc62f
Show file tree

Hide file tree

Showing 3 changed files with 43 additions and 11 deletions.
diff --git a/lib/workers/repository/init/__snapshots__/vulnerability.spec.ts.snap b/lib/workers/repository/init/__snapshots__/vulnerability.spec.ts.snap
@@ -3,7 +3,7 @@
 exports[`workers/repository/init/vulnerability detectVulnerabilityAlerts() returns github actions alerts 1`] = `
 [
   {
-    "allowedVersions": "1.8.3",
+    "allowedVersions": ">= 1.8.3",
     "force": {
       "branchTopic": "{{{datasource}}}-{{{depName}}}-vulnerability",
       "commitMessageSuffix": "[SECURITY]",
@@ -38,7 +38,7 @@ actions",
 exports[`workers/repository/init/vulnerability detectVulnerabilityAlerts() returns go alerts 1`] = `
 [
   {
-    "allowedVersions": "1.8.3",
+    "allowedVersions": ">= 1.8.3",
     "force": {
       "branchTopic": "{{{datasource}}}-{{{depName}}}-vulnerability",
       "commitMessageSuffix": "[SECURITY]",
@@ -73,7 +73,7 @@ go",
 exports[`workers/repository/init/vulnerability detectVulnerabilityAlerts() returns maven alerts 1`] = `
 [
   {
-    "allowedVersions": "2.7.9.4",
+    "allowedVersions": "[2.7.9.4,)",
     "force": {
       "branchTopic": "{{{datasource}}}-{{{depName}}}-vulnerability",
       "commitMessageSuffix": "[SECURITY]",
@@ -108,7 +108,7 @@ An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2
 exports[`workers/repository/init/vulnerability detectVulnerabilityAlerts() returns pip alerts 1`] = `
 [
   {
-    "allowedVersions": ">=2.2.1.0",
+    "allowedVersions": ">= 2.2.1.0",
     "force": {
       "branchTopic": "{{{datasource}}}-{{{depName}}}-vulnerability",
       "commitMessageSuffix": "[SECURITY]",
@@ -162,7 +162,7 @@ exports[`workers/repository/init/vulnerability detectVulnerabilityAlerts() retur
       "currentVersion": "1.8.2",
       "datasource": "npm",
       "depName": "electron",
-      "newVersion": "1.8.3",
+      "newVersion": ">= 1.8.3",
       "prBodyNotes": [
         "### GitHub Vulnerability Alerts",
         "#### [GHSA-8xwg-wv7v-4vqp](https://nvd.nist.gov/vuln/detail/CVE-2018-1000136)

diff --git a/lib/workers/repository/init/vulnerability.spec.ts b/lib/workers/repository/init/vulnerability.spec.ts
@@ -1,8 +1,14 @@
 import { RenovateConfig, partial, platform } from '../../../../test/util';
 import { getConfig } from '../../../config/defaults';
 import { NO_VULNERABILITY_ALERTS } from '../../../constants/error-messages';
+import { MavenDatasource } from '../../../modules/datasource/maven';
+import { NpmDatasource } from '../../../modules/datasource/npm';
+import { NugetDatasource } from '../../../modules/datasource/nuget';
 import type { VulnerabilityAlert } from '../../../types';
-import { detectVulnerabilityAlerts } from './vulnerability';
+import {
+  detectVulnerabilityAlerts,
+  getFixedVersionByDatasource,
+} from './vulnerability';
 
 let config: RenovateConfig;
 
@@ -495,7 +501,7 @@ describe('workers/repository/init/vulnerability', () => {
             currentVersion: '1.8.2',
             datasource: 'npm',
             depName: 'electron',
-            newVersion: '1.8.3',
+            newVersion: '>= 1.8.3',
           },
         ],
       });
@@ -533,4 +539,16 @@ describe('workers/repository/init/vulnerability', () => {
       expect(res.remediations).toBeEmptyObject();
     });
   });
+
+  describe('getFixedVersionByDatasource', () => {
+    it.each`
+      version    | datasource            | result
+      ${'1.2.3'} | ${MavenDatasource.id} | ${'[1.2.3,)'}
+      ${'1.2.3'} | ${NugetDatasource.id} | ${'1.2.3'}
+      ${'1.2.3'} | ${NpmDatasource.id}   | ${'>= 1.2.3'}
+    `('$version | $datasource', ({ version, datasource, result }) => {
+      const res = getFixedVersionByDatasource(version, datasource);
+      expect(res).toStrictEqual(result);
+    });
+  });
 });
diff --git a/lib/workers/repository/init/vulnerability.ts b/lib/workers/repository/init/vulnerability.ts
@@ -46,6 +46,21 @@ type CombinedAlert = Record<
   >
 >;
 
+export function getFixedVersionByDatasource(
+  fixedVersion: string,
+  datasource: string,
+): string {
+  if (datasource === MavenDatasource.id) {
+    return `[${fixedVersion},)`;
+  } else if (datasource === NugetDatasource.id) {
+    // TODO: add support for nuget version ranges when #26150 is merged
+    return fixedVersion;
+  }
+
+  // crates.io, Go, Hex, npm, RubyGems, PyPI
+  return `>= ${fixedVersion}`;
+}
+
 // TODO can return `null` and `undefined` (#22198)
 export async function detectVulnerabilityAlerts(
   input: RenovateConfig,
@@ -206,10 +221,9 @@ export async function detectVulnerabilityAlerts(
             logger.warn({ err }, 'Error generating vulnerability PR notes');
           }
           // TODO: types (#22198)
-          const allowedVersions =
-            datasource === PypiDatasource.id
-              ? `>=${val.firstPatchedVersion!}`
-              : val.firstPatchedVersion;
+          const allowedVersions = val.firstPatchedVersion
+            ? getFixedVersionByDatasource(val.firstPatchedVersion, datasource)
+            : /* istanbul ignore next: cannot happen */ undefined;
           const matchFileNames =
             datasource === GoDatasource.id
               ? [fileName.replace('go.sum', 'go.mod')]