fix(vulnerability-alerts): pypi allowedVersions syntax

renovatebot · May 19, 2019 · eac3c92 · eac3c92
1 parent 31bd248
commit eac3c92
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 70 deletions.
diff --git a/lib/workers/repository/init/vulnerability.js b/lib/workers/repository/init/vulnerability.js
@@ -129,10 +129,15 @@ async function detectVulnerabilityAlerts(input) {
       } else {
         matchCurrentVersion = `< ${val.firstPatchedVersion}`;
       }
+      const allowedVersions =
+        datasource === 'pypi'
+          ? `==${val.firstPatchedVersion}`
+          : val.firstPatchedVersion;
       const matchRule = {
         datasources: [datasource],
         packageNames: [depName],
         matchCurrentVersion,
+        allowedVersions,
         prBodyNotes,
         force: {
           ...config.vulnerabilityAlerts,
@@ -141,17 +146,9 @@ async function detectVulnerabilityAlerts(input) {
         },
       };
       alertPackageRules.push(matchRule);
-      const allowedRule = JSON.parse(JSON.stringify(matchRule));
-      delete allowedRule.matchCurrentVersion;
-      delete allowedRule.force;
-      if (datasource === 'npm') {
-        allowedRule.allowedVersions = `^${val.firstPatchedVersion}`;
-      } else {
-        allowedRule.allowedVersions = `>= ${val.firstPatchedVersion}`;
-      }
-      alertPackageRules.push(allowedRule);
     }
   }
+  logger.debug({ alertPackageRules }, 'alert package rules');
   config.packageRules = (config.packageRules || []).concat(alertPackageRules);
   return config;
 }
diff --git a/test/workers/repository/init/__snapshots__/vulnerability.spec.js.snap b/test/workers/repository/init/__snapshots__/vulnerability.spec.js.snap
@@ -3,6 +3,7 @@
 exports[`workers/repository/init/vulnerability detectVulnerabilityAlerts() returns alerts 1`] = `
 Array [
   Object {
+    "allowedVersions": "1.8.3",
     "datasources": Array [
       "npm",
     ],
@@ -27,21 +28,7 @@ Electron version 1.7 up to 1.7.12; 1.8 up to 1.8.3 and 2.0.0 up to 2.0.0-beta.3
     ],
   },
   Object {
-    "allowedVersions": "^1.8.3",
-    "datasources": Array [
-      "npm",
-    ],
-    "packageNames": Array [
-      "electron",
-    ],
-    "prBodyNotes": Array [
-      "### GitHub Vulnerability Alerts",
-      "#### [GHSA-8xwg-wv7v-4vqp](https://nvd.nist.gov/vuln/detail/CVE-2018-1000136)
-
-Electron version 1.7 up to 1.7.12; 1.8 up to 1.8.3 and 2.0.0 up to 2.0.0-beta.3 contains an improper handling of values vulnerability in Webviews that can result in remote code execution. This attack appear to be exploitable via an app which allows execution of 3rd party code AND disallows node integration AND has not specified if webview is enabled/disabled. This vulnerability appears to have been fixed in 1.7.13, 1.8.4, 2.0.0-beta.4.",
-    ],
-  },
-  Object {
+    "allowedVersions": "==2.2.0",
     "datasources": Array [
       "pypi",
     ],
@@ -81,36 +68,7 @@ Ansible before versions 2.1.4, 2.2.1 is vulnerable to an improper input validati
     ],
   },
   Object {
-    "allowedVersions": ">= 2.2.0",
-    "datasources": Array [
-      "pypi",
-    ],
-    "packageNames": Array [
-      "ansible",
-    ],
-    "prBodyNotes": Array [
-      "### GitHub Vulnerability Alerts",
-      "#### [CVE-2017-7481](https://nvd.nist.gov/vuln/detail/CVE-2017-7481)
-
-Ansible before versions 2.3.1.0 and 2.4.0.0 fails to properly mark lookup-plugin results as unsafe. If an attacker could control the results of lookup() calls, they could inject Unicode strings to be parsed by the jinja2 templating system, resulting in code execution. By default, the jinja2 templating language is now marked as 'unsafe' and is not evaluated.",
-      "#### [CVE-2015-3908](https://nvd.nist.gov/vuln/detail/CVE-2015-3908)
-
-Ansible before 1.9.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.",
-      "#### [CVE-2016-8647](https://nvd.nist.gov/vuln/detail/CVE-2016-8647)
-
-An input validation vulnerability was found in Ansible's mysql_user module before 2.2.1.0, which may fail to correctly change a password in certain circumstances. Thus the previous password would still be active when it should have been changed.",
-      "#### [CVE-2016-8614](https://nvd.nist.gov/vuln/detail/CVE-2016-8614)
-
-A flaw was found in Ansible before version 2.2.0. The apt_key module does not properly verify key fingerprints, allowing remote adversary to create an OpenPGP key which matches the short key ID and inject this key instead of the correct key.",
-      "#### [CVE-2016-8628](https://nvd.nist.gov/vuln/detail/CVE-2016-8628)
-
-Ansible before version 2.2.0 fails to properly sanitize fact variables sent from the Ansible controller. An attacker with the ability to create special variables on the controller could execute arbitrary commands on Ansible clients as the user Ansible runs as.",
-      "#### [CVE-2016-9587](https://nvd.nist.gov/vuln/detail/CVE-2016-9587)
-
-Ansible before versions 2.1.4, 2.2.1 is vulnerable to an improper input validation in Ansible's handling of data sent from client systems. An attacker with control over a client system being managed by Ansible and the ability to send facts back to the Ansible server could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges.",
-    ],
-  },
-  Object {
+    "allowedVersions": "2.7.9.4",
     "datasources": Array [
       "maven",
     ],
@@ -131,21 +89,6 @@ Ansible before versions 2.1.4, 2.2.1 is vulnerable to an improper input validati
       "### GitHub Vulnerability Alerts",
       "#### [CVE-2018-12022](https://nvd.nist.gov/vuln/detail/CVE-2018-12022)
 
-An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.",
-    ],
-  },
-  Object {
-    "allowedVersions": ">= 2.7.9.4",
-    "datasources": Array [
-      "maven",
-    ],
-    "packageNames": Array [
-      "com.fasterxml.jackson.core:jackson-databind",
-    ],
-    "prBodyNotes": Array [
-      "### GitHub Vulnerability Alerts",
-      "#### [CVE-2018-12022](https://nvd.nist.gov/vuln/detail/CVE-2018-12022)
-
 An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.",
     ],
   },

diff --git a/test/workers/repository/init/vulnerability.spec.js b/test/workers/repository/init/vulnerability.spec.js
@@ -268,7 +268,7 @@ describe('workers/repository/init/vulnerability', () => {
       ]);
       const res = await detectVulnerabilityAlerts(config);
       expect(res.packageRules).toMatchSnapshot();
-      expect(res.packageRules).toHaveLength(6);
+      expect(res.packageRules).toHaveLength(3);
     });
   });
 });