fix(vulnerabilities): do not force exact patch version in GitHub alerts (#29700)

99cc62fa · Johannes Feichtner · GitHub · c3bd3547 · 99cc62fa · 99cc62fa
Unverified Commit 99cc62fa authored Jun 16, 2024 by Johannes Feichtner Committed by GitHub Jun 16, 2024
--- a/lib/workers/repository/init/__snapshots__/vulnerability.spec.ts.snap
+++ b/lib/workers/repository/init/__snapshots__/vulnerability.spec.ts.snap
@@ -3,7 +3,7 @@
 exports[`workers/repository/init/vulnerability detectVulnerabilityAlerts() returns github actions alerts 1`] = `
 [
  {
-    "allowedVersions": "1.8.3",
+    "allowedVersions": ">= 1.8.3",
    "force": {
      "branchTopic": "{{{datasource}}}-{{{depName}}}-vulnerability",
      "commitMessageSuffix": "[SECURITY]",
@@ -38,7 +38,7 @@ actions",
 exports[`workers/repository/init/vulnerability detectVulnerabilityAlerts() returns go alerts 1`] = `
 [
  {
-    "allowedVersions": "1.8.3",
+    "allowedVersions": ">= 1.8.3",
    "force": {
      "branchTopic": "{{{datasource}}}-{{{depName}}}-vulnerability",
      "commitMessageSuffix": "[SECURITY]",
@@ -73,7 +73,7 @@ go",
 exports[`workers/repository/init/vulnerability detectVulnerabilityAlerts() returns maven alerts 1`] = `
 [
  {
-    "allowedVersions": "2.7.9.4",
+    "allowedVersions": "[2.7.9.4,)",
    "force": {
      "branchTopic": "{{{datasource}}}-{{{depName}}}-vulnerability",
      "commitMessageSuffix": "[SECURITY]",
@@ -162,7 +162,7 @@ exports[`workers/repository/init/vulnerability detectVulnerabilityAlerts() retur
      "currentVersion": "1.8.2",
      "datasource": "npm",
      "depName": "electron",
-      "newVersion": "1.8.3",
+      "newVersion": ">= 1.8.3",
      "prBodyNotes": [
        "### GitHub Vulnerability Alerts",
        "#### [GHSA-8xwg-wv7v-4vqp](https://nvd.nist.gov/vuln/detail/CVE-2018-1000136)

--- a/lib/workers/repository/init/vulnerability.spec.ts
+++ b/lib/workers/repository/init/vulnerability.spec.ts
 import { RenovateConfig, partial, platform } from '../../../../test/util';
 import { getConfig } from '../../../config/defaults';
 import { NO_VULNERABILITY_ALERTS } from '../../../constants/error-messages';
+import { MavenDatasource } from '../../../modules/datasource/maven';
+import { NpmDatasource } from '../../../modules/datasource/npm';
+import { NugetDatasource } from '../../../modules/datasource/nuget';
 import type { VulnerabilityAlert } from '../../../types';
-import { detectVulnerabilityAlerts } from './vulnerability';
+import {
+  detectVulnerabilityAlerts,
+  getFixedVersionByDatasource,
+} from './vulnerability';
 let config: RenovateConfig;
@@ -495,7 +501,7 @@ describe('workers/repository/init/vulnerability', () => {
            currentVersion: '1.8.2',
            datasource: 'npm',
            depName: 'electron',
-            newVersion: '1.8.3',
+            newVersion: '>= 1.8.3',
          },
        ],
      });
@@ -533,4 +539,16 @@ describe('workers/repository/init/vulnerability', () => {
      expect(res.remediations).toBeEmptyObject();
    });
  });
+  describe('getFixedVersionByDatasource', () => {
+    it.each`
+      version    | datasource            | result
+      ${'1.2.3'} | ${MavenDatasource.id} | ${'[1.2.3,)'}
+      ${'1.2.3'} | ${NugetDatasource.id} | ${'1.2.3'}
+      ${'1.2.3'} | ${NpmDatasource.id}   | ${'>= 1.2.3'}
+    `('$version | $datasource', ({ version, datasource, result }) => {
+      const res = getFixedVersionByDatasource(version, datasource);
+      expect(res).toStrictEqual(result);
+    });
+  });
 });
--- a/lib/workers/repository/init/vulnerability.ts
+++ b/lib/workers/repository/init/vulnerability.ts
@@ -46,6 +46,21 @@ type CombinedAlert = Record<
  >
 >;
+export function getFixedVersionByDatasource(
+  fixedVersion: string,
+  datasource: string,
+): string {
+  if (datasource === MavenDatasource.id) {
+    return `[${fixedVersion},)`;
+  } else if (datasource === NugetDatasource.id) {
+    // TODO: add support for nuget version ranges when #26150 is merged
+    return fixedVersion;
+  }
+  // crates.io, Go, Hex, npm, RubyGems, PyPI
+  return `>= ${fixedVersion}`;
+}
 // TODO can return `null` and `undefined` (#22198)
 export async function detectVulnerabilityAlerts(
  input: RenovateConfig,
@@ -206,10 +221,9 @@ export async function detectVulnerabilityAlerts(
            logger.warn({ err }, 'Error generating vulnerability PR notes');
          }
          // TODO: types (#22198)
-          const allowedVersions =
+          const allowedVersions = val.firstPatchedVersion
-            datasource === PypiDatasource.id
+            ? getFixedVersionByDatasource(val.firstPatchedVersion, datasource)
-              ? `>=${val.firstPatchedVersion!}`
+            : /* istanbul ignore next: cannot happen */ undefined;
-              : val.firstPatchedVersion;
          const matchFileNames =
            datasource === GoDatasource.id
              ? [fileName.replace('go.sum', 'go.mod')]