fix(vulnerability-alerts): fix handling of first_patched_version: null (
paymand authored Sep 17, 2024
1 parent 5ca09ed commit b775d83
Showing 4 changed files with 52 additions and 3 deletions.
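--- a/lib/modules/platform/github/index.spec.ts
+++ b/lib/modules/platform/github/index.spec.ts
@@ -3808,10 +3808,28 @@ describe('modules/platform/github/index', () => {
 manifest_path: 'bar/foo',
 },
 },
+{
+security_advisory: {
+description: 'description',
+identifiers: [{ type: 'type', value: 'value' }],
+references: [],
+},
+security_vulnerability: {
+package: {
+ecosystem: 'npm',
+name: 'foo',
+},
+vulnerable_version_range: '0.0.2',
+first_patched_version: null,
+},
+dependency: {
+manifest_path: 'bar/foo',
+},
+},
 ]);
 await github.initRepo({ repository: 'some/repo' });
 const res = await github.getVulnerabilityAlerts();
-expect(res).toHaveLength(1);
+expect(res).toHaveLength(2);
 });
 
 it('returns empty if disabled', async () => {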
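Review bot: The only assertion added for the new alert is the count change to `toHaveLength(2)`, which would still pass if the schema coerced the `null` `first_patched_version` to `undefined` or dropped the field entirely, so the regression this commit fixes is not actually pinned. Assuming `getVulnerabilityAlerts()` preserves input order, add `expect(res[1].security_vulnerability.first_patched_version).toBeNull();` after the length check so a future schema tweak that silently strips the null is caught. The enclosing `it(...)` starts above the hunk, so the full fixture is not visible here.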
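--- a/lib/modules/platform/github/schema.ts
+++ b/lib/modules/platform/github/schema.ts
@@ -18,7 +18,7 @@ const PackageSchema = z.object({
 
 const SecurityVulnerabilitySchema = z
 .object({
-first_patched_version: z.object({ identifier: z.string() }).optional(),
+first_patched_version: z.object({ identifier: z.string() }).nullish(),
 package: PackageSchema,
 vulnerable_version_range: z.string(),
 })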
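Review bot: The switch to `.nullish()` on `first_patched_version` is undocumented, and nothing in the schema says why an explicit `null` is now a valid shape rather than a malformed alert to reject. A one-line comment above the field would stop the next reader from "tightening" it back to `.optional()`: `// GitHub sends null (not absence) when no fixed version is known yet; keep nullish so such alerts parse instead of being dropped with the whole response.` Every consumer of the parsed value now has to treat `null` and `undefined` alike; the interface change elsewhere in this commit covers the type side, but any `.transform()` or post-processing on this schema is outside the hunk and should be checked for a `=== undefined` test that misses `null`. The `z.object({...})` chain continues past the hunk.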
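--- a/lib/types/vulnerability-alert.ts
+++ b/lib/types/vulnerability-alert.ts
@@ -11,7 +11,7 @@ export interface VulnerabilityPackage {
 name: string;
 }
 export interface SecurityVulnerability {
-first_patched_version?: { identifier: string };
+first_patched_version?: { identifier: string } | null;
 package: VulnerabilityPackage;
 vulnerable_version_range: string;
 }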
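Review bot: `first_patched_version` is now both optional and nullable with no TSDoc explaining the difference, which is exactly the kind of field that later gets checked with `!== undefined` and silently lets `null` through. Add a doc comment on the field: `/** Absent or null when the advisory has no known fixed version; callers must treat both as "nothing to upgrade to" (the worker test in this commit skips such alerts). */`. If there is no semantic difference between the two, a follow-up that normalizes to one representation at the schema boundary would make downstream checks simpler.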
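--- a/lib/workers/repository/init/vulnerability.spec.ts
+++ b/lib/workers/repository/init/vulnerability.spec.ts
@@ -116,6 +116,37 @@ describe('workers/repository/init/vulnerability', () => {
 expect(res.packageRules).toHaveLength(0);
 });
 
+it('ignores alert if firstPatchVersion is null', async () => {
+delete config.vulnerabilityAlerts!.enabled;
+platform.getVulnerabilityAlerts.mockResolvedValue([
+{
+// will be ignored - firstPatchVersion is null
+dismissed_reason: null,
+dependency: {
+manifest_path: 'requirements.txt',
+},
+security_advisory: {
+description:
+'The create_script function in the lxc_container module in Ansible before 1.9.6-1 and 2.x before 2.0.2.0 allows local users to write to arbitrary files or gain privileges via a symlink attack on (1) /opt/.lxc-attach-script, (2) the archived container in the archive_path directory, or the (3) lxc-attach-script.log or (4) lxc-attach-script.err files in the temporary directory.',
+identifiers: [
+{ type: 'GHSA', value: 'GHSA-rh6x-qvg7-rrmj' },
+{ type: 'CVE', value: 'CVE-2016-3096' },
+],
+references: [
+{ url: 'https://nvd.nist.gov/vuln/detail/CVE-2016-3096' },
+],
+},
+security_vulnerability: {
+package: { name: 'ansible', ecosystem: 'pip' },
+vulnerable_version_range: '< 1.9.6.1',
+first_patched_version: null,
+},
+},
+]);
+const res = await detectVulnerabilityAlerts(config);
+expect(res.packageRules).toHaveLength(0);
+});
+
 it('returns go alerts', async () => {
 // TODO #22198
 delete config.vulnerabilityAlerts!.enabled;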
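Review bot: The new test asserts `packageRules` is empty but the code in `detectVulnerabilityAlerts` that performs the skip is not part of this commit, so the test cannot distinguish "dropped because `first_patched_version` is null" from "dropped by some other filter" (ecosystem, range parsing, or a throw caught upstream); a test named for one cause should pin that cause. If the worker logs when it skips an unfixable alert, assert on that log call here (e.g. a `logger.debug` mock expectation); if it does not, silently discarding a CVE with no fix is worth surfacing to users, since the alert disappears from Renovate's output with no trace. The fixture comment could also state the reason more precisely: `// will be ignored - first_patched_version is null, so there is no version to upgrade to`.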
