From 32c96360d1e5309ef22f178edb85b21daa838809 Mon Sep 17 00:00:00 2001
From: Johannes Feichtner <343448+Churro@users.noreply.github.com>
Date: Sun, 16 Jun 2024 07:14:31 +0200
Subject: [PATCH] fix(vulnerabilities): strip equals for nuget in Github alerts
 (#29693)

---
 .../repository/init/vulnerability.spec.ts     | 57 +++++++++++++++++++
 lib/workers/repository/init/vulnerability.ts  |  3 +-
 2 files changed, 59 insertions(+), 1 deletion(-)

diff --git a/lib/workers/repository/init/vulnerability.spec.ts b/lib/workers/repository/init/vulnerability.spec.ts
index db6ca1ca50..ddf2496b2e 100644
--- a/lib/workers/repository/init/vulnerability.spec.ts
+++ b/lib/workers/repository/init/vulnerability.spec.ts
@@ -220,6 +220,63 @@ describe('workers/repository/init/vulnerability', () => {
       expect(res.packageRules).toHaveLength(1);
     });
 
+    it('returns nuget alerts', async () => {
+      // TODO #22198
+      delete config.vulnerabilityAlerts!.enabled;
+      platform.getVulnerabilityAlerts.mockResolvedValue([
+        {
+          dismissReason: null,
+          vulnerableManifestFilename: 'test.csproj',
+          vulnerableManifestPath: 'test.csproj',
+          vulnerableRequirements: '= 2.0.0',
+          securityAdvisory: {
+            description:
+              '.NET Core 1.0, 1.1, and 2.0 allow an unauthenticated attacker to remotely cause a denial of service attack.',
+            identifiers: [
+              { type: 'GHSA', value: 'GHSA-7mfr-774f-w5r9' },
+              { type: 'CVE', value: 'CVE-2017-11770' },
+            ],
+            references: [],
+            severity: 'HIGH',
+          },
+          securityVulnerability: {
+            package: {
+              name: 'Microsoft.NETCore.App',
+              ecosystem: 'NUGET',
+            },
+            firstPatchedVersion: { identifier: '2.0.3' },
+            vulnerableVersionRange: '>= 1.0.0, < 2.0.3',
+          },
+        },
+      ]);
+
+      const res = await detectVulnerabilityAlerts(config);
+      expect(res.packageRules).toStrictEqual([
+        {
+          matchDatasources: ['nuget'],
+          matchPackageNames: ['Microsoft.NETCore.App'],
+          matchCurrentVersion: '2.0.0',
+          matchFileNames: ['test.csproj'],
+          allowedVersions: '2.0.3',
+          prBodyNotes: [
+            '### GitHub Vulnerability Alerts',
+            '#### CVE-2017-11770\n\n.NET Core 1.0, 1.1, and 2.0 allow an unauthenticated attacker to remotely cause a denial of service attack.',
+          ],
+          isVulnerabilityAlert: true,
+          force: {
+            groupName: null,
+            schedule: [],
+            dependencyDashboardApproval: false,
+            minimumReleaseAge: null,
+            rangeStrategy: 'update-lockfile',
+            commitMessageSuffix: '[SECURITY]',
+            branchTopic: '{{{datasource}}}-{{{depName}}}-vulnerability',
+            prCreation: 'immediate',
+          },
+        },
+      ]);
+    });
+
     it('returns pip alerts', async () => {
       // TODO #22198
       delete config.vulnerabilityAlerts!.enabled;
diff --git a/lib/workers/repository/init/vulnerability.ts b/lib/workers/repository/init/vulnerability.ts
index f009c48f00..20bf8914ae 100644
--- a/lib/workers/repository/init/vulnerability.ts
+++ b/lib/workers/repository/init/vulnerability.ts
@@ -133,7 +133,8 @@ export async function detectVulnerabilityAlerts(
       }
       if (
         datasource === GithubTagsDatasource.id ||
-        datasource === MavenDatasource.id
+        datasource === MavenDatasource.id ||
+        datasource === NugetDatasource.id
       ) {
         // GitHub Actions uses docker versioning, which doesn't support `= 1.2.3` matching, so we strip the equals
         vulnerableRequirements = vulnerableRequirements.replace(/^=\s*/, '');
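Review bot: The comment on the line before the `replace` call still attributes the equals-stripping solely to GitHub Actions / docker versioning, but the condition it explains now also covers Maven and, with this change, NuGet, so the rationale no longer matches the code. I would update it to something like `// GitHub Actions (docker versioning), Maven and NuGet alerts report exact versions as "= 1.2.3", which these versioning schemes do not accept as a range, so strip the leading equals` so the next person adding a datasource understands why the list exists. The hunk does not show whether `NugetDatasource` is already imported in this file; if it is not, the added branch will not compile. Note also that the regex `/^=\s*/` only strips a single leading equals, which matches the `= 2.0.0` shape in the new spec but would leave any other operator untouched, so the behaviour for other NuGet requirement strings is unchanged by this patch. The enclosing `detectVulnerabilityAlerts` function begins and ends outside the hunk.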
-- 
GitLab