From 32c96360d1e5309ef22f178edb85b21daa838809 Mon Sep 17 00:00:00 2001
From: Johannes Feichtner <343448+Churro@users.noreply.github.com>
Date: Sun, 16 Jun 2024 07:14:31 +0200
Subject: [PATCH] fix(vulnerabilities): strip equals for nuget in Github alerts
(#29693)
---
.../repository/init/vulnerability.spec.ts | 57 +++++++++++++++++++
lib/workers/repository/init/vulnerability.ts | 3 +-
2 files changed, 59 insertions(+), 1 deletion(-)
diff --git a/lib/workers/repository/init/vulnerability.spec.ts b/lib/workers/repository/init/vulnerability.spec.ts
index db6ca1ca50..ddf2496b2e 100644
--- a/lib/workers/repository/init/vulnerability.spec.ts
+++ b/lib/workers/repository/init/vulnerability.spec.ts
@@ -220,6 +220,63 @@ describe('workers/repository/init/vulnerability', () => {
expect(res.packageRules).toHaveLength(1);
});
+ it('returns nuget alerts', async () => {
+ // TODO #22198
+ delete config.vulnerabilityAlerts!.enabled;
+ platform.getVulnerabilityAlerts.mockResolvedValue([
+ {
+ dismissReason: null,
+ vulnerableManifestFilename: 'test.csproj',
+ vulnerableManifestPath: 'test.csproj',
+ vulnerableRequirements: '= 2.0.0',
+ securityAdvisory: {
+ description:
+ '.NET Core 1.0, 1.1, and 2.0 allow an unauthenticated attacker to remotely cause a denial of service attack.',
+ identifiers: [
+ { type: 'GHSA', value: 'GHSA-7mfr-774f-w5r9' },
+ { type: 'CVE', value: 'CVE-2017-11770' },
+ ],
+ references: [],
+ severity: 'HIGH',
+ },
+ securityVulnerability: {
+ package: {
+ name: 'Microsoft.NETCore.App',
+ ecosystem: 'NUGET',
+ },
+ firstPatchedVersion: { identifier: '2.0.3' },
+ vulnerableVersionRange: '>= 1.0.0, < 2.0.3',
+ },
+ },
+ ]);
+
+ const res = await detectVulnerabilityAlerts(config);
+ expect(res.packageRules).toStrictEqual([
+ {
+ matchDatasources: ['nuget'],
+ matchPackageNames: ['Microsoft.NETCore.App'],
+ matchCurrentVersion: '2.0.0',
+ matchFileNames: ['test.csproj'],
+ allowedVersions: '2.0.3',
+ prBodyNotes: [
+ '### GitHub Vulnerability Alerts',
+ '#### CVE-2017-11770\n\n.NET Core 1.0, 1.1, and 2.0 allow an unauthenticated attacker to remotely cause a denial of service attack.',
+ ],
+ isVulnerabilityAlert: true,
+ force: {
+ groupName: null,
+ schedule: [],
+ dependencyDashboardApproval: false,
+ minimumReleaseAge: null,
+ rangeStrategy: 'update-lockfile',
+ commitMessageSuffix: '[SECURITY]',
+ branchTopic: '{{{datasource}}}-{{{depName}}}-vulnerability',
+ prCreation: 'immediate',
+ },
+ },
+ ]);
+ });
+
it('returns pip alerts', async () => {
// TODO #22198
delete config.vulnerabilityAlerts!.enabled;
diff --git a/lib/workers/repository/init/vulnerability.ts b/lib/workers/repository/init/vulnerability.ts
index f009c48f00..20bf8914ae 100644
--- a/lib/workers/repository/init/vulnerability.ts
+++ b/lib/workers/repository/init/vulnerability.ts
@@ -133,7 +133,8 @@ export async function detectVulnerabilityAlerts(
}
if (
datasource === GithubTagsDatasource.id ||
- datasource === MavenDatasource.id
+ datasource === MavenDatasource.id ||
+ datasource === NugetDatasource.id
) {
// GitHub Actions uses docker versioning, which doesn't support `= 1.2.3` matching, so we strip the equals
vulnerableRequirements = vulnerableRequirements.replace(/^=\s*/, '');
--
GitLab