feat(vulnerabilities): add feature-flagged support for OSV #20226
Conversation
Really like to see this implemented.
Co-authored-by: Sebastian Poxhofer <secustor@users.noreply.github.com>
…ed on last_affected. This is only relevant if a package rule is based on last_affected, e.g. "> 29.0", for regular fixed versions the list is already condensed to just one item at this point. The version of the first entry here is compatible version-wise. It may hold a version suffix though which could be incompatible, e.g. 30.0-android, whereas 30.0-jre would be correct.
Thanks for getting this across the line 🎉 Can't wait to see this in Renovate.
Co-authored-by: HonkingGoose <34918129+HonkingGoose@users.noreply.github.com>
…deBlock tag for easier maintainability
e4ce5e4
otherwise LGTM.
🎉 This PR is included in version 34.129.0 🎉 The release is available on:
Your semantic-release bot 📦🚀
You mentioned testing it with
So, is it even getting information for composer now?
packagist is the composer datasource 😉
Haha lol. Yes ofc. I totally overlooked that one. Nevermind. Maybe my brain was not functioning well at the time 😂🙈
@rarkins and @JamieMagee The docs for
The admonition links to this issue, which we resolved. The source for the admonition: renovate/lib/config/options/index.ts Lines 1673 to 1680 in 3eb96c9
Should we drop these lines?
- experimental: true,
- experimentalIssues: [6562],
@HonkingGoose I'd still consider the feature experimental for a little while, and would like to keep the feature flag. What about opening a new issue to centralise feedback collection?
@JamieMagee If you mean "feature flag". Does it mean it has to be set to true while Because I can't figure that out from the docs.
@icanhazstring this feature only requires
The "feature flag" comment means this

    {
      name: 'osvVulnerabilityAlerts',
      description: 'Use vulnerability alerts from `osv.dev`.',
      type: 'boolean',
      default: false,
      experimental: true, // <--- This is the "feature flag"
      experimentalIssues: [6562],
    },

We look for the
Changes
Adds integration for vulnerability alerts based on data renovate finds in the osv.dev database. This PR continues the work @JamieMagee initiated in #15159 and further augments it by addressing previous TODOs, test coverage and support for a larger set of ecosystems and versioning schemes.
There are 3 building blocks realized in this PR:
limit is missing on purpose, as it is only used with "versions" that are Git hashes. In line with #15159, the feature is opt-in and needs to be enabled using the osvVulnerabilityAlerts config flag.
Context
Documentation (please check one with an [x])
How I've tested my work (please select one)
I have verified these changes via:
Test repos (split because GH enforces secondary rate limits when creating > 10 PRs):
enabledManagers: ['bundler', 'cargo', 'composer', 'gomod', 'gradle', 'maven']
enabledManagers: ['mix', 'npm', 'nuget', 'pip_requirements', 'poetry']
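As an added example (not Renovate's own code; the types, names and the simplified version comparison are hypothetical), here is how the introduced/fixed/last_affected events of an OSV range can be turned into an upgrade target, skipping the git-hash-only `limit` event mentioned in the description and checking the version suffix the last_affected commit above describes:

```typescript
// Added example, not Renovate's own code. Evaluates one OSV `affected` range
// against the version currently in use and the registry's available versions.
// Versions are assumed to be dotted numbers with an optional "-suffix" ("30.0-jre").
interface OsvEvent { introduced?: string; fixed?: string; last_affected?: string; limit?: string }
interface OsvRange { type: 'ECOSYSTEM' | 'SEMVER' | 'GIT'; events: OsvEvent[] }

function parseVersion(v: string): { nums: number[]; suffix: string } {
  const dash = v.indexOf('-');
  const core = dash === -1 ? v : v.slice(0, dash);
  return { nums: core.split('.').map(Number), suffix: dash === -1 ? '' : v.slice(dash + 1) };
}

// Compares the dotted part only; the suffix is handled separately below.
function compareVersions(a: string, b: string): number {
  const x = parseVersion(a).nums, y = parseVersion(b).nums;
  for (let i = 0; i < Math.max(x.length, y.length); i++) {
    const d = (x[i] ?? 0) - (y[i] ?? 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Returns the lowest available version outside the affected interval that
// contains `current` and that carries the same suffix, or null if `current`
// is not affected (or no suitable version exists).
function safeUpgrade(range: OsvRange, current: string, available: string[]): string | null {
  if (range.type === 'GIT') return null; // git-hash ranges are not version-comparable
  let introduced: string | undefined;
  for (const ev of range.events) {
    if (ev.limit !== undefined) continue; // `limit` only appears with git hashes; ignored
    if (ev.introduced !== undefined) { introduced = ev.introduced; continue; }
    const end = ev.fixed ?? ev.last_affected;
    if (end === undefined) continue;
    const start = introduced;
    introduced = undefined; // this event closes the current interval
    if (start === undefined || compareVersions(current, start) < 0) continue;
    const exclusive = ev.fixed !== undefined; // `fixed` is exclusive, `last_affected` inclusive
    const cmp = compareVersions(current, end);
    if (exclusive ? cmp >= 0 : cmp > 0) continue; // current is already past this interval
    const candidates = available
      .filter((v) => (exclusive ? compareVersions(v, end) >= 0 : compareVersions(v, end) > 0))
      .sort(compareVersions);
    // The first candidate is version-compatible but may carry the wrong suffix
    // (e.g. 30.0-android when current is 29.0-jre), so match the suffix explicitly.
    const suffix = parseVersion(current).suffix;
    return candidates.find((v) => parseVersion(v).suffix === suffix) ?? null;
  }
  return null;
}
```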