fix: validate RepositoryVulnerabilityAlert to getVulnerability #13788
Conversation
Can you open an issue to discuss this issue? Using
@JamieMagee Thank you for your reply.
No,
My mistake! Okay, then this may well be the fix. Can you still give me a bit more information about your setup? The original issue you linked was running on GHES and for the npm package
@JamieMagee Thank you! I'm using Renovate bot with self-hosting. The global config is the following:

```js
module.exports = {
  endpoint: 'https://<my-company-ghe-domain>/api/v3/',
  token: process.env.GHE_TOKEN,
  platform: 'github',
  logLevel: 'debug',
  onboardingConfig: {
    extends: ['config:base'],
  },
  cacheDir: __dirname + '/.renovate_cache',
  dryRun: !!process.env.RENOVATE_DRYRUN,
  autodiscover: false,
  packageRules: [
    {
      matchDatasources: ['docker'],
      registryUrls: ['<masked>'],
    },
  ],
  repositories: [
    // repositories
  ],
};
```

The config of the repository where this problem occurs is the following:

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:base"
  ],
  "ignorePaths": [
    "**/node_modules/**"
  ],
  "packageRules": [
    {
      "matchDepTypes": ["major"],
      "enabled": false
    },
    {
      "matchDepTypes": ["devDependencies"],
      "addLabels": ["devDependencies"]
    }
  ],
  "labels": ["renovate"]
}
```

The screenshot of the error log:
And, I executed with

```json
{
  "name": "renovate",
  "hostname": "<masked>",
  "pid": 709,
  "level": 10,
  "logContext": "MjvOWnPA6xLTJre-KECJU",
  "repository": "<masked>",
  "alerts": [
    {
      "dismissReason": null,
      "vulnerableManifestFilename": "package-lock.json",
      "vulnerableManifestPath": "package-lock.json",
      "vulnerableRequirements": "= 2.2.1",
      "securityAdvisory": null,
      "securityVulnerability": null
    },
    ...
  ],
  "msg": "GitHub vulnerability details",
  "time": "2022-01-24T08:10:32.377Z",
  "v": 0
}
```

As you can see, the
Seems like a faulty alert? I'd prefer to fix the validation (e.g. so that we can still process the non-faulty ones) rather than simply lower the log severity.
@rarkins Thank you for your comment.
Ok, I agree with you. I will fix it later.
@sugarshin Can you give me the package name for the malformed vulnerability alert? Maybe I can follow up internally about it.
@JamieMagee Thank you. I couldn't determine which package, but I have several candidates:
Could you check it?
@rarkins I fixed it, so could you check it?
Otherwise LGTM
Co-authored-by: Michael Kriese <michael.kriese@visualon.de>
I think this will also fix #13796
🎉 This PR is included in version 31.53.2 🎉 The release is available on:
Your semantic-release bot 📦🚀
Hi there. This pull request is related to #11911 and solves it.

Now I am facing this problem too. The problem in #11911 is caused by Renovate not null-checking it. According to the GitHub documentation, securityVulnerability is nullable. But I think fixing that properly would have a large impact, such as proper TypeScript type definitions. And I think the line that logs at error level and exits with a non-zero status code for the above problem is not appropriate, because the try-catch here is a process that parses the vulnerability alerts just for logging. It means it does not affect the return values of getVulnerabilityAlerts() and is not related to the original execution behavior of Renovate. So I think logger.warn is better.

Changes:
Validate securityVulnerability to skip parsing the RepositoryVulnerabilityAlert entity for the logger.

Context: