Unverified Commit 99cc62fa authored by Johannes Feichtner's avatar Johannes Feichtner Committed by GitHub

fix(vulnerabilities): do not force exact patch version in GitHub alerts (#29700)

parent c3bd3547
......@@ -3,7 +3,7 @@
exports[`workers/repository/init/vulnerability detectVulnerabilityAlerts() returns github actions alerts 1`] = `
[
{
"allowedVersions": "1.8.3",
"allowedVersions": ">= 1.8.3",
"force": {
"branchTopic": "{{{datasource}}}-{{{depName}}}-vulnerability",
"commitMessageSuffix": "[SECURITY]",
......@@ -38,7 +38,7 @@ actions",
exports[`workers/repository/init/vulnerability detectVulnerabilityAlerts() returns go alerts 1`] = `
[
{
"allowedVersions": "1.8.3",
"allowedVersions": ">= 1.8.3",
"force": {
"branchTopic": "{{{datasource}}}-{{{depName}}}-vulnerability",
"commitMessageSuffix": "[SECURITY]",
......@@ -73,7 +73,7 @@ go",
exports[`workers/repository/init/vulnerability detectVulnerabilityAlerts() returns maven alerts 1`] = `
[
{
"allowedVersions": "2.7.9.4",
"allowedVersions": "[2.7.9.4,)",
"force": {
"branchTopic": "{{{datasource}}}-{{{depName}}}-vulnerability",
"commitMessageSuffix": "[SECURITY]",
......@@ -162,7 +162,7 @@ exports[`workers/repository/init/vulnerability detectVulnerabilityAlerts() retur
"currentVersion": "1.8.2",
"datasource": "npm",
"depName": "electron",
"newVersion": "1.8.3",
"newVersion": ">= 1.8.3",
"prBodyNotes": [
"### GitHub Vulnerability Alerts",
"#### [GHSA-8xwg-wv7v-4vqp](https://nvd.nist.gov/vuln/detail/CVE-2018-1000136)
......
import { RenovateConfig, partial, platform } from '../../../../test/util';
import { getConfig } from '../../../config/defaults';
import { NO_VULNERABILITY_ALERTS } from '../../../constants/error-messages';
import { MavenDatasource } from '../../../modules/datasource/maven';
import { NpmDatasource } from '../../../modules/datasource/npm';
import { NugetDatasource } from '../../../modules/datasource/nuget';
import type { VulnerabilityAlert } from '../../../types';
import { detectVulnerabilityAlerts } from './vulnerability';
import {
detectVulnerabilityAlerts,
getFixedVersionByDatasource,
} from './vulnerability';
let config: RenovateConfig;
......@@ -495,7 +501,7 @@ describe('workers/repository/init/vulnerability', () => {
currentVersion: '1.8.2',
datasource: 'npm',
depName: 'electron',
newVersion: '1.8.3',
newVersion: '>= 1.8.3',
},
],
});
......@@ -533,4 +539,16 @@ describe('workers/repository/init/vulnerability', () => {
expect(res.remediations).toBeEmptyObject();
});
});
describe('getFixedVersionByDatasource', () => {
it.each`
version | datasource | result
${'1.2.3'} | ${MavenDatasource.id} | ${'[1.2.3,)'}
${'1.2.3'} | ${NugetDatasource.id} | ${'1.2.3'}
${'1.2.3'} | ${NpmDatasource.id} | ${'>= 1.2.3'}
`('$version | $datasource', ({ version, datasource, result }) => {
const res = getFixedVersionByDatasource(version, datasource);
expect(res).toStrictEqual(result);
});
});
});
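Review bot: The new `getFixedVersionByDatasource` table only pins Maven, NuGet and npm, so the `>= ` (with a space) output that the production change now applies to PyPI — previously built as `>=${val.firstPatchedVersion!}` without a space — has no test, and neither does the Go/Hex/crates/RubyGems fallthrough. Add at least a row `${'1.2.3'} | ${PypiDatasource.id} | ${'>= 1.2.3'}` (importing `PypiDatasource` next to the other datasource imports) and one row for a datasource the helper does not name, so an unintended change to the default branch is caught rather than surfacing only in a snapshot. The `describe('getFixedVersionByDatasource', …)` block sits inside an outer `describe` whose start is outside this hunk.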
......@@ -46,6 +46,21 @@ type CombinedAlert = Record<
>
>;
export function getFixedVersionByDatasource(
fixedVersion: string,
datasource: string,
): string {
if (datasource === MavenDatasource.id) {
return `[${fixedVersion},)`;
} else if (datasource === NugetDatasource.id) {
// TODO: add support for nuget version ranges when #26150 is merged
return fixedVersion;
}
// crates.io, Go, Hex, npm, RubyGems, PyPI
return `>= ${fixedVersion}`;
}
// TODO can return `null` and `undefined` (#22198)
export async function detectVulnerabilityAlerts(
input: RenovateConfig,
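Review bot: `getFixedVersionByDatasource` falls through to `>= ${fixedVersion}` for every datasource other than Maven and NuGet, so a datasource not listed in the comment above the final return (GitHub alerts also cover ecosystems such as Composer, and any datasource added later) silently receives the npm-style range, and nothing here checks that the string is valid under that datasource's versioning. Consider making the fallthrough explicit, e.g. `logger.debug({ datasource }, 'using default ">= x" fixed-version range')` before the return, so a mis-shaped `allowedVersions` is traceable when the resulting vulnerability PR fails to resolve. The exported function also has no TSDoc; add a comment along the lines of `/** Converts a GitHub alert's firstPatchedVersion into an allowedVersions range in the datasource's own syntax: Maven interval, exact version for NuGet, ">= x" otherwise. */`. The second hunk, where `detectVulnerabilityAlerts` now calls this helper, changes the PyPI output from `>=x` to `>= x`; PEP 440 tolerates the whitespace, but it is worth stating in that TSDoc since the snapshots only exercise npm, Go and Maven.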
......@@ -206,10 +221,9 @@ export async function detectVulnerabilityAlerts(
logger.warn({ err }, 'Error generating vulnerability PR notes');
}
// TODO: types (#22198)
const allowedVersions =
datasource === PypiDatasource.id
? `>=${val.firstPatchedVersion!}`
: val.firstPatchedVersion;
const allowedVersions = val.firstPatchedVersion
? getFixedVersionByDatasource(val.firstPatchedVersion, datasource)
: /* istanbul ignore next: cannot happen */ undefined;
const matchFileNames =
datasource === GoDatasource.id
? [fileName.replace('go.sum', 'go.mod')]
......