fix: validate RepositoryVulnerabilityAlert to getVulnerability

lib/platform/github/index.spec.ts

@@ -5,6 +5,7 @@ import {
   REPOSITORY_NOT_FOUND,
   REPOSITORY_RENAMED,
 } from '../../constants/error-messages';
+import * as _logger from '../../logger';
 import { BranchStatus, PrState, VulnerabilityAlert } from '../../types';
 import * as _git from '../../util/git';
 import type { CreatePRConfig, Platform } from '../types';
@@ -15,6 +16,7 @@ describe('platform/github/index', () => {
   let github: Platform;
   let hostRules: jest.Mocked<typeof import('../../util/host-rules')>;
   let git: jest.Mocked<typeof _git>;
+  let logger: jest.Mocked<typeof _logger>;
   beforeEach(async () => {
     // reset module
     jest.resetModules();
@@ -25,6 +27,7 @@ describe('platform/github/index', () => {
     hostRules = mocked(await import('../../util/host-rules'));
     jest.mock('../../util/git');
     git = mocked(await import('../../util/git'));
+    logger = mocked(await import('../../logger'));
     git.branchExists.mockReturnValue(true);
     git.isBranchStale.mockResolvedValue(true);
     git.getBranchCommit.mockReturnValue(
@@ -2444,6 +2447,50 @@ describe('platform/github/index', () => {
       expect(res).toHaveLength(0);
       expect(httpMock.getTrace()).toMatchSnapshot();
     });
+    it('calls logger.debug with only items that include securityVulnerability', async () => {
+      httpMock
+        .scope(githubApiHost)
+        .post('/graphql')
+        .reply(200, {
+          data: {
+            repository: {
+              vulnerabilityAlerts: {
+                edges: [
+                  {
+                    node: {
+                      securityAdvisory: { severity: 'HIGH', references: [] },
+                      securityVulnerability: {
+                        package: {
+                          ecosystem: 'NPM',
+                          name: 'left-pad',
+                        },
+                        vulnerableVersionRange: '0.0.2',
+                        firstPatchedVersion: { identifier: '0.0.3' },
+                      },
+                      vulnerableManifestFilename: 'foo',
+                      vulnerableManifestPath: 'bar',
+                    },
+                  },
+                  {
+                    node: {
+                      securityAdvisory: { severity: 'HIGH', references: [] },
+                      securityVulnerability: null,
+                      vulnerableManifestFilename: 'foo',
+                      vulnerableManifestPath: 'bar',
+                    },
+                  },
+                ],
+              },
+            },
+          },
+        });
+      await github.getVulnerabilityAlerts();
+      expect(logger.logger.debug).toHaveBeenCalledWith(
+        { alerts: { 'npm/left-pad': { '0.0.2': '0.0.3' } } },
+        'GitHub vulnerability details'
+      );
+      expect(logger.logger.error).not.toHaveBeenCalled();
+    });
   });
 
   describe('getJsonFile()', () => {

lib/platform/github/index.ts

@@ -1706,6 +1706,12 @@ export async function getVulnerabilityAlerts(): Promise<VulnerabilityAlert[]> {
       if (alerts.length) {
         logger.trace({ alerts }, 'GitHub vulnerability details');
         for (const alert of alerts) {
+          if (alert.securityVulnerability === null) {
+            // As described in the documentation, there are cases in which
+            // GitHub API responds with `"securityVulnerability": null`.
+            // But it's may be faulty, so skip processing it here.
+            continue;
+          }
           const {
             package: { name, ecosystem },
             vulnerableVersionRange,