diff --git a/lib/modules/platform/github/index.spec.ts b/lib/modules/platform/github/index.spec.ts
index 47127a5504c371..d22dce1ead7db2 100644
--- a/lib/modules/platform/github/index.spec.ts
+++ b/lib/modules/platform/github/index.spec.ts
@@ -3808,10 +3808,28 @@ describe('modules/platform/github/index', () => {
 manifest_path: 'bar/foo',
 },
 },
+ {
+ security_advisory: {
+ description: 'description',
+ identifiers: [{ type: 'type', value: 'value' }],
+ references: [],
+ },
+ security_vulnerability: {
+ package: {
+ ecosystem: 'npm',
+ name: 'foo',
+ },
+ vulnerable_version_range: '0.0.2',
+ first_patched_version: null,
+ },
+ dependency: {
+ manifest_path: 'bar/foo',
+ },
+ },
 ]);
 await github.initRepo({ repository: 'some/repo' });
 const res = await github.getVulnerabilityAlerts();
- expect(res).toHaveLength(1);
+ expect(res).toHaveLength(2);
 });
 
 it('returns empty if disabled', async () => {
diff --git a/lib/modules/platform/github/schema.ts b/lib/modules/platform/github/schema.ts
index 7e70f8905e2e2c..0aab89a1e407d4 100644
--- a/lib/modules/platform/github/schema.ts
+++ b/lib/modules/platform/github/schema.ts
@@ -18,7 +18,7 @@ const PackageSchema = z.object({
 const SecurityVulnerabilitySchema = z
 .object({
- first_patched_version: z.object({ identifier: z.string() }).optional(),
+ first_patched_version: z.object({ identifier: z.string() }).nullish(),
 package: PackageSchema,
 vulnerable_version_range: z.string(),
 })
diff --git a/lib/types/vulnerability-alert.ts b/lib/types/vulnerability-alert.ts
index 5dcd261e8eecf8..3640a3a13fa1a8 100644
--- a/lib/types/vulnerability-alert.ts
+++ b/lib/types/vulnerability-alert.ts
@@ -11,7 +11,7 @@ export interface VulnerabilityPackage {
 name: string;
 }
 export interface SecurityVulnerability {
- first_patched_version?: { identifier: string };
+ first_patched_version?: { identifier: string } | null;
 package: VulnerabilityPackage;
 vulnerable_version_range: string;
 }
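Review bot: The only assertion on the new fixture is `expect(res).toHaveLength(2);`, so a schema that silently coerced `first_patched_version: null` to `undefined`, or dropped the field, would still pass — the test does not pin the value it was added to exercise. Adding `expect(res[1].security_vulnerability.first_patched_version).toBeNull();` after the length check would make the null-handling observable. The enclosing `it(...)` starts before this hunk, so the rest of the fixture and any earlier setup are not visible here.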
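Review bot: `.nullish()` on `first_patched_version` now admits both `null` and `undefined`, but nothing at the schema records why `null` is expected, so a later reader may well tighten it back to `.optional()` and reintroduce the parse failure. A one-line comment above the field would pin the contract, e.g. `// GitHub sends null when no patched version exists; consumers treat it like undefined (no fix available)`. Whether every consumer really treats the two alike cannot be seen from this hunk; the companion spec in vulnerability.spec.ts suggests the init worker skips such alerts, but other readers of the alert type are not shown.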
diff --git a/lib/workers/repository/init/vulnerability.spec.ts b/lib/workers/repository/init/vulnerability.spec.ts
index cd69bc4b72d977..2460aa22de084b 100644
--- a/lib/workers/repository/init/vulnerability.spec.ts
+++ b/lib/workers/repository/init/vulnerability.spec.ts
@@ -116,6 +116,37 @@ describe('workers/repository/init/vulnerability', () => {
 expect(res.packageRules).toHaveLength(0);
 });
 
+ it('ignores alert if firstPatchVersion is null', async () => {
+ delete config.vulnerabilityAlerts!.enabled;
+ platform.getVulnerabilityAlerts.mockResolvedValue([
+ {
+ // will be ignored - firstPatchVersion is null
+ dismissed_reason: null,
+ dependency: {
+ manifest_path: 'requirements.txt',
+ },
+ security_advisory: {
+ description:
+ 'The create_script function in the lxc_container module in Ansible before 1.9.6-1 and 2.x before 2.0.2.0 allows local users to write to arbitrary files or gain privileges via a symlink attack on (1) /opt/.lxc-attach-script, (2) the archived container in the archive_path directory, or the (3) lxc-attach-script.log or (4) lxc-attach-script.err files in the temporary directory.',
+ identifiers: [
+ { type: 'GHSA', value: 'GHSA-rh6x-qvg7-rrmj' },
+ { type: 'CVE', value: 'CVE-2016-3096' },
+ ],
+ references: [
+ { url: 'https://nvd.nist.gov/vuln/detail/CVE-2016-3096' },
+ ],
+ },
+ security_vulnerability: {
+ package: { name: 'ansible', ecosystem: 'pip' },
+ vulnerable_version_range: '< 1.9.6.1',
+ first_patched_version: null,
+ },
+ },
+ ]);
+ const res = await detectVulnerabilityAlerts(config);
+ expect(res.packageRules).toHaveLength(0);
+ });
+
 it('returns go alerts', async () => {
 // TODO #22198
 delete config.vulnerabilityAlerts!.enabled;
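Review bot: The new test asserts only `expect(res.packageRules).toHaveLength(0);`, which is also what an alert dropped for any other reason (an unsupported `pip` ecosystem, the `dismissed_reason` field, a parse failure) would produce, so it does not isolate the `first_patched_version: null` path it is named for. Pairing the null alert with a sibling alert for the same package that carries a real `first_patched_version` and expecting `toHaveLength(1)` would prove that only the unfixed one is skipped. Since an unfixed vulnerability is being dropped from the generated rules, it is also worth checking whether the worker reports the skip (a logger call) and asserting on that, so a silent drop cannot regress unnoticed; the worker itself is not in this diff, so that is a suggestion to confirm. The enclosing `describe` starts outside the hunk.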