Unverified Commit 32c96360 authored by Johannes Feichtner's avatar Johannes Feichtner Committed by GitHub

fix(vulnerabilities): strip equals for nuget in Github alerts (#29693)

parent f91b9cf5
...@@ -220,6 +220,63 @@ describe('workers/repository/init/vulnerability', () => { ...@@ -220,6 +220,63 @@ describe('workers/repository/init/vulnerability', () => {
expect(res.packageRules).toHaveLength(1); expect(res.packageRules).toHaveLength(1);
}); });
it('returns nuget alerts', async () => {
// TODO #22198
delete config.vulnerabilityAlerts!.enabled;
platform.getVulnerabilityAlerts.mockResolvedValue([
{
dismissReason: null,
vulnerableManifestFilename: 'test.csproj',
vulnerableManifestPath: 'test.csproj',
vulnerableRequirements: '= 2.0.0',
securityAdvisory: {
description:
'.NET Core 1.0, 1.1, and 2.0 allow an unauthenticated attacker to remotely cause a denial of service attack.',
identifiers: [
{ type: 'GHSA', value: 'GHSA-7mfr-774f-w5r9' },
{ type: 'CVE', value: 'CVE-2017-11770' },
],
references: [],
severity: 'HIGH',
},
securityVulnerability: {
package: {
name: 'Microsoft.NETCore.App',
ecosystem: 'NUGET',
},
firstPatchedVersion: { identifier: '2.0.3' },
vulnerableVersionRange: '>= 1.0.0, < 2.0.3',
},
},
]);
const res = await detectVulnerabilityAlerts(config);
expect(res.packageRules).toStrictEqual([
{
matchDatasources: ['nuget'],
matchPackageNames: ['Microsoft.NETCore.App'],
matchCurrentVersion: '2.0.0',
matchFileNames: ['test.csproj'],
allowedVersions: '2.0.3',
prBodyNotes: [
'### GitHub Vulnerability Alerts',
'#### CVE-2017-11770\n\n.NET Core 1.0, 1.1, and 2.0 allow an unauthenticated attacker to remotely cause a denial of service attack.',
],
isVulnerabilityAlert: true,
force: {
groupName: null,
schedule: [],
dependencyDashboardApproval: false,
minimumReleaseAge: null,
rangeStrategy: 'update-lockfile',
commitMessageSuffix: '[SECURITY]',
branchTopic: '{{{datasource}}}-{{{depName}}}-vulnerability',
prCreation: 'immediate',
},
},
]);
});
it('returns pip alerts', async () => { it('returns pip alerts', async () => {
// TODO #22198 // TODO #22198
delete config.vulnerabilityAlerts!.enabled; delete config.vulnerabilityAlerts!.enabled;
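--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -133,7 +133,8 @@ export async function detectVulnerabilityAlerts(
 }
 if (
 datasource === GithubTagsDatasource.id ||
-datasource === MavenDatasource.id
+datasource === MavenDatasource.id ||
+datasource === NugetDatasource.id
 ) {
 // GitHub Actions uses docker versioning, which doesn't support `= 1.2.3` matching, so we strip the equals
 vulnerableRequirements = vulnerableRequirements.replace(/^=\s*/, '');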
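Review bot: The comment just inside the branch ("GitHub Actions uses docker versioning, which doesn't support `= 1.2.3` matching, so we strip the equals") is now stale: the condition also covers Maven and, after this commit, NuGet, so a reader is given a docker-versioning justification for stripping the equals on NuGet alerts. Suggest replacing it with `// GitHub Actions (docker versioning), Maven and NuGet do not accept a leading "= " in a requirement, so strip it here` — the NuGet half of that claim is inferred from the commit itself and should be confirmed against the nuget versioning module, since an unstripped "= 2.0.0" would leave matchCurrentVersion unmatched and the security update silently not raised. As the list has grown to three datasources, a module-level `const STRIP_EQUALS_DATASOURCES = new Set([GithubTagsDatasource.id, MavenDatasource.id, NugetDatasource.id]);` checked with `STRIP_EQUALS_DATASOURCES.has(datasource)` would keep this condition from growing per ecosystem; that is a style point only. `NugetDatasource` must be imported at the top of the file, which this hunk does not show. The enclosing detectVulnerabilityAlerts function both starts and ends outside the hunk.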