From 99cc62fa3ca89bf9de83a41a46c41d1525a46548 Mon Sep 17 00:00:00 2001
From: Johannes Feichtner <343448+Churro@users.noreply.github.com>
Date: Sun, 16 Jun 2024 15:32:13 +0200
Subject: [PATCH] fix(vulnerabilities): do not force exact patch version in GitHub alerts (#29700)

---
 .../__snapshots__/vulnerability.spec.ts.snap | 10 ++++-----
 .../repository/init/vulnerability.spec.ts    | 22 +++++++++++++++++--
 lib/workers/repository/init/vulnerability.ts | 22 +++++++++++++++----
 3 files changed, 43 insertions(+), 11 deletions(-)

diff --git a/lib/workers/repository/init/__snapshots__/vulnerability.spec.ts.snap b/lib/workers/repository/init/__snapshots__/vulnerability.spec.ts.snap
index 7eedf6348e62c8..9d4d76022c9a54 100644
--- a/lib/workers/repository/init/__snapshots__/vulnerability.spec.ts.snap
+++ b/lib/workers/repository/init/__snapshots__/vulnerability.spec.ts.snap
@@ -3,7 +3,7 @@
 exports[`workers/repository/init/vulnerability detectVulnerabilityAlerts() returns github actions alerts 1`] = `
 [
   {
-    "allowedVersions": "1.8.3",
+    "allowedVersions": ">= 1.8.3",
     "force": {
       "branchTopic": "{{{datasource}}}-{{{depName}}}-vulnerability",
       "commitMessageSuffix": "[SECURITY]",
@@ -38,7 +38,7 @@ actions",
 exports[`workers/repository/init/vulnerability detectVulnerabilityAlerts() returns go alerts 1`] = `
 [
   {
-    "allowedVersions": "1.8.3",
+    "allowedVersions": ">= 1.8.3",
     "force": {
       "branchTopic": "{{{datasource}}}-{{{depName}}}-vulnerability",
       "commitMessageSuffix": "[SECURITY]",
@@ -73,7 +73,7 @@ go",
 exports[`workers/repository/init/vulnerability detectVulnerabilityAlerts() returns maven alerts 1`] = `
 [
   {
-    "allowedVersions": "2.7.9.4",
+    "allowedVersions": "[2.7.9.4,)",
     "force": {
       "branchTopic": "{{{datasource}}}-{{{depName}}}-vulnerability",
       "commitMessageSuffix": "[SECURITY]",
@@ -108,7 +108,7 @@ An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2
 exports[`workers/repository/init/vulnerability detectVulnerabilityAlerts() returns pip alerts 1`] = `
 [
   {
-    "allowedVersions": ">=2.2.1.0",
+    "allowedVersions": ">= 2.2.1.0",
     "force": {
       "branchTopic": "{{{datasource}}}-{{{depName}}}-vulnerability",
       "commitMessageSuffix": "[SECURITY]",
@@ -162,7 +162,7 @@ exports[`workers/repository/init/vulnerability detectVulnerabilityAlerts() retur
       "currentVersion": "1.8.2",
       "datasource": "npm",
       "depName": "electron",
-      "newVersion": "1.8.3",
+      "newVersion": ">= 1.8.3",
       "prBodyNotes": [
         "### GitHub Vulnerability Alerts",
         "#### [GHSA-8xwg-wv7v-4vqp](https://nvd.nist.gov/vuln/detail/CVE-2018-1000136)
diff --git a/lib/workers/repository/init/vulnerability.spec.ts b/lib/workers/repository/init/vulnerability.spec.ts
index ddf2496b2ed590..b4658f915fe8cd 100644
--- a/lib/workers/repository/init/vulnerability.spec.ts
+++ b/lib/workers/repository/init/vulnerability.spec.ts
@@ -1,8 +1,14 @@
 import { RenovateConfig, partial, platform } from '../../../../test/util';
 import { getConfig } from '../../../config/defaults';
 import { NO_VULNERABILITY_ALERTS } from '../../../constants/error-messages';
+import { MavenDatasource } from '../../../modules/datasource/maven';
+import { NpmDatasource } from '../../../modules/datasource/npm';
+import { NugetDatasource } from '../../../modules/datasource/nuget';
 import type { VulnerabilityAlert } from '../../../types';
-import { detectVulnerabilityAlerts } from './vulnerability';
+import {
+  detectVulnerabilityAlerts,
+  getFixedVersionByDatasource,
+} from './vulnerability';
 
 let config: RenovateConfig;
 
@@ -495,7 +501,7 @@ describe('workers/repository/init/vulnerability', () => {
           currentVersion: '1.8.2',
           datasource: 'npm',
           depName: 'electron',
-          newVersion: '1.8.3',
+          newVersion: '>= 1.8.3',
         },
       ],
     });
@@ -533,4 +539,16 @@ describe('workers/repository/init/vulnerability', () => {
       expect(res.remediations).toBeEmptyObject();
     });
   });
+
+  describe('getFixedVersionByDatasource', () => {
+    it.each`
+      version    | datasource            | result
+      ${'1.2.3'} | ${MavenDatasource.id} | ${'[1.2.3,)'}
+      ${'1.2.3'} | ${NugetDatasource.id} | ${'1.2.3'}
+      ${'1.2.3'} | ${NpmDatasource.id}   | ${'>= 1.2.3'}
+    `('$version | $datasource', ({ version, datasource, result }) => {
+      const res = getFixedVersionByDatasource(version, datasource);
+      expect(res).toStrictEqual(result);
+    });
+  });
 });
diff --git a/lib/workers/repository/init/vulnerability.ts b/lib/workers/repository/init/vulnerability.ts
index 20bf8914ae8b19..5316cf134b5b53 100644
--- a/lib/workers/repository/init/vulnerability.ts
+++ b/lib/workers/repository/init/vulnerability.ts
@@ -46,6 +46,21 @@ type CombinedAlert = Record<
   >
 >;
 
+export function getFixedVersionByDatasource(
+  fixedVersion: string,
+  datasource: string,
+): string {
+  if (datasource === MavenDatasource.id) {
+    return `[${fixedVersion},)`;
+  } else if (datasource === NugetDatasource.id) {
+    // TODO: add support for nuget version ranges when #26150 is merged
+    return fixedVersion;
+  }
+
+  // crates.io, Go, Hex, npm, RubyGems, PyPI
+  return `>= ${fixedVersion}`;
+}
+
 // TODO can return `null` and `undefined` (#22198)
 export async function detectVulnerabilityAlerts(
   input: RenovateConfig,
@@ -206,10 +221,9 @@ export async function detectVulnerabilityAlerts(
       logger.warn({ err }, 'Error generating vulnerability PR notes');
     }
     // TODO: types (#22198)
-    const allowedVersions =
-      datasource === PypiDatasource.id
-        ? `>=${val.firstPatchedVersion!}`
-        : val.firstPatchedVersion;
+    const allowedVersions = val.firstPatchedVersion
+      ? getFixedVersionByDatasource(val.firstPatchedVersion, datasource)
+      : /* istanbul ignore next: cannot happen */ undefined;
     const matchFileNames =
       datasource === GoDatasource.id
         ? [fileName.replace('go.sum', 'go.mod')]
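Review bot: The exported `getFixedVersionByDatasource` in the `@@ -46` hunk of vulnerability.ts has no TSDoc, and the only comment on its fallback branch lists six ecosystems even though that branch also runs for every datasource not matched above it, so a reader cannot tell whether `>= x` is a deliberate default for the rest or only verified for those six. A header such as `/** Builds the allowedVersions range for a GitHub-alert first patched version in the datasource's own syntax: Maven `[x,)`, NuGet the exact version until #26150, and `>= x` for every other datasource, so the security update is not pinned to that exact patch release. */` would make the contract explicit. It is also worth documenting that `fixedVersion` is interpolated into the range unchanged — it is the alert's `val.firstPatchedVersion` in the `@@ -206` hunk — so a malformed value from the alert payload presumably surfaces later as an invalid range in the datasource's versioning rather than here; if that later rejection is not guaranteed, a validity check before building the string is the place to add it. The removed PyPI branch emitted `>=x` without a space while the new code emits `>= x` for PyPI and the others, and the updated snapshots only pin the string, so a spec assertion that each datasource's versioning accepts the produced range would guard the spacing change better than the snapshot does. Stylistically, `else if` after an unconditional `return` can be a plain `if`, or the body a `switch` on `datasource` with a `default` branch carrying the comment.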