
Error processing vulnerable alerts #13796

Closed
pofengliu opened this issue Jan 25, 2022 · 3 comments
Labels
priority-2-high Bugs impacting wide number of users or very important features type:bug Bug fix of existing functionality

Comments

@pofengliu

pofengliu commented Jan 25, 2022

How are you running Renovate?

Self-hosted

If you're self-hosting Renovate, tell us what version of Renovate you run.

31.0.0

Please select which platform you are using if self-hosting.

GitHub Enterprise Server

If you're self-hosting Renovate, tell us what version of the platform you run.

GitHub Enterprise Server 3.1.14

Describe the bug

Similar to issue 11911, but I found a different root cause.

Many projects have started to adopt Renovate here, and at least 3 repos have this issue. The problem is critical because it fails the Jenkins pipeline which runs the Renovate bot.

After turning on the TRACE debug level, I found a few incomplete alert objects returned from the GitHub platform:
{
"dismissReason": null,
"vulnerableManifestFilename": "package-lock.json",
"vulnerableManifestPath": "package-lock.json",
"vulnerableRequirements": "= 3.12.0",
"securityAdvisory": null,
"securityVulnerability": null
}
Full trace file will be attached later.
And it's easy to reproduce the problem: copy the "alerts" array from the trace log and store it in a fixture file. Then the test below fails with exactly the same error log. After removing the two incomplete alert objects from the array, the test passes as expected. The test code is copied from source.

// loadFixture is Renovate's test helper for reading a fixture file relative to the test.
describe('getVulnerabilityAlerts()', () => {
  it('test incomplete alert handling', () => {
    const failedAlerts = JSON.parse(loadFixture('fixtures/ghe-failed-alerts.json')).alerts;
    const shortAlerts = {};
    for (const alert of failedAlerts) {
      console.log(JSON.stringify(alert));
      // Throws "Cannot read property 'package' of null" when
      // alert.securityVulnerability is null (the incomplete alerts above).
      const {
        package: { name, ecosystem },
        vulnerableVersionRange,
        firstPatchedVersion,
      } = alert.securityVulnerability;
      const patch = firstPatchedVersion?.identifier;

      const key = `${ecosystem.toLowerCase()}/${name}`;
      const range = vulnerableVersionRange;
      const elem = shortAlerts[key] || {};
      elem[range] = patch || null;
      shortAlerts[key] = elem;
    }
    expect(Object.keys(shortAlerts).length).toEqual(30);
  });
});

Relevant debug logs

Logs
{"name":"renovate","hostname":"ed11bdad40e5","pid":9,"level":30,"logContext":"a7cptpuufl-EejVSyNCbG","loggerErrors":[{"name":"renovate","level":50,"logContext":"a7cptpuufl-EejVSyNCbG","repository":"devops/va_test2","err":{"message":"Cannot read property 'package' of null","stack":"TypeError: Cannot read property 'package' of null\n    at Proxy.getVulnerabilityAlerts (/usr/src/app/node_modules/renovate/lib/platform/github/index.ts:1711:15)\n    at processTicksAndRejections (internal/process/task_queues.js:95:5)\n    at detectVulnerabilityAlerts (/usr/src/app/node_modules/renovate/lib/workers/repository/init/vulnerability.ts:53:18)\n    at initRepo (/usr/src/app/node_modules/renovate/lib/workers/repository/init/index.ts:36:12)\n    at Object.renovateRepository (/usr/src/app/node_modules/renovate/lib/workers/repository/index.ts:44:14)\n    at Object.start (/usr/src/app/node_modules/renovate/lib/workers/global/index.ts:122:7)\n    at /usr/src/app/node_modules/renovate/lib/renovate.ts:16:22"},"msg":"Error processing vulnerabity alerts"}],"msg":"Renovate is exiting with a non-zero code due to the following logged errors","time":"2022-01-25T09:42:29.164Z","v":0}

Have you created a minimal reproduction repository?

No reproduction repository
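The crash in the report comes from destructuring `alert.securityVulnerability` when GHES returns it as null. The following is an added example, not Renovate's own code or the fix in PR #13788, showing the same map-building loop with a guard that skips and counts incomplete alerts; the sample alerts, package name and GHSA ids are constructed placeholders.

```typescript
// Added example (not Renovate's own code): process GitHub
// RepositoryVulnerabilityAlert objects defensively. The destructuring in the
// report throws "Cannot read property 'package' of null" when
// securityVulnerability is null; here such alerts are counted and skipped.

interface SecurityVulnerability {
  package: { name: string; ecosystem: string };
  vulnerableVersionRange: string;
  firstPatchedVersion: { identifier: string } | null;
}

// Only the fields this example reads; the real alert object has more.
interface VulnerabilityAlert {
  vulnerableRequirements: string;
  securityAdvisory: { ghsaId: string } | null;
  securityVulnerability: SecurityVulnerability | null;
}
type ShortAlerts = Record<string, Record<string, string | null>>;

// Builds the same "ecosystem/name -> { range: patchedVersion }" map as the
// test in the report, but skips incomplete alerts instead of crashing.
function buildShortAlerts(alerts: VulnerabilityAlert[]): { shortAlerts: ShortAlerts; skipped: number } {
  const shortAlerts: ShortAlerts = {};
  let skipped = 0;
  for (const alert of alerts) {
    const vuln = alert.securityVulnerability;
    if (vuln === null || alert.securityAdvisory === null) {
      skipped += 1; // a real implementation would log this at debug level
      continue;
    }
    const { package: { name, ecosystem }, vulnerableVersionRange, firstPatchedVersion } = vuln;
    const key = `${ecosystem.toLowerCase()}/${name}`;
    const elem = shortAlerts[key] ?? {};
    elem[vulnerableVersionRange] = firstPatchedVersion?.identifier ?? null;
    shortAlerts[key] = elem;
  }
  return { shortAlerts, skipped };
}

// Constructed sample: the incomplete object from the trace log, plus two
// complete alerts for a hypothetical package (GHSA ids are placeholders).
const SAMPLE_ALERTS: VulnerabilityAlert[] = [
  { vulnerableRequirements: '= 3.12.0', securityAdvisory: null, securityVulnerability: null },
  { vulnerableRequirements: '= 1.0.0', securityAdvisory: { ghsaId: 'GHSA-placeholder-1' },
    securityVulnerability: { package: { name: 'example-pkg', ecosystem: 'NPM' },
      vulnerableVersionRange: '< 1.2.3', firstPatchedVersion: { identifier: '1.2.3' } } },
  { vulnerableRequirements: '= 2.0.0', securityAdvisory: { ghsaId: 'GHSA-placeholder-2' },
    securityVulnerability: { package: { name: 'example-pkg', ecosystem: 'NPM' },
      vulnerableVersionRange: '>= 2.0.0, < 2.1.0', firstPatchedVersion: null } },
];
```

Running `buildShortAlerts(SAMPLE_ALERTS)` yields one skipped alert and a single `npm/example-pkg` entry with two ranges, one patched and one unpatched.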

@pofengliu pofengliu added priority-5-triage status:requirements Full requirements are not yet known, so implementation should not be started type:bug Bug fix of existing functionality labels Jan 25, 2022
@pofengliu
Author

Full trace with alerts object array:
trace.json.zip

@HonkingGoose HonkingGoose added reproduction:provided priority-2-high Bugs impacting wide number of users or very important features and removed priority-5-triage status:requirements Full requirements are not yet known, so implementation should not be started labels Jan 25, 2022
@HonkingGoose
Collaborator

This problem might be fixed with PR #13788, which is released as version 31.53.2.[1]

Can you try updating your version of Renovate and tell us if the update fixes the problem?

Footnotes

  1. https://github.com/renovatebot/renovate/pull/13788#issuecomment-1021118094

@pofengliu
Author

Yes, confirmed that the problem is fixed with release 31.53.2. 👍

@rarkins rarkins closed this as completed Jan 25, 2022
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 25, 2022