fix(vulnerability-alerts): fix handling of first_patched_version: null (#31447)
This commit is contained in:
parent
5ca09edcbf
commit
b775d83830
4 changed files with 52 additions and 3 deletions
lib
modules/platform/github
types
workers/repository/init
|
@ -3808,10 +3808,28 @@ describe('modules/platform/github/index', () => {
|
|||
manifest_path: 'bar/foo',
|
||||
},
|
||||
},
|
||||
{
|
||||
security_advisory: {
|
||||
description: 'description',
|
||||
identifiers: [{ type: 'type', value: 'value' }],
|
||||
references: [],
|
||||
},
|
||||
security_vulnerability: {
|
||||
package: {
|
||||
ecosystem: 'npm',
|
||||
name: 'foo',
|
||||
},
|
||||
vulnerable_version_range: '0.0.2',
|
||||
first_patched_version: null,
|
||||
},
|
||||
dependency: {
|
||||
manifest_path: 'bar/foo',
|
||||
},
|
||||
},
|
||||
]);
|
||||
await github.initRepo({ repository: 'some/repo' });
|
||||
const res = await github.getVulnerabilityAlerts();
|
||||
expect(res).toHaveLength(1);
|
||||
expect(res).toHaveLength(2);
|
||||
});
|
||||
|
||||
it('returns empty if disabled', async () => {
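Review bot: The new assertion `expect(res).toHaveLength(2)` only proves that the alert with `first_patched_version: null` is no longer rejected by the schema; it does not pin that the null value itself survives parsing, so a later schema change that coerces or strips it would still pass here. Add `expect(res[1].security_vulnerability.first_patched_version).toBeNull();` after the length check (assuming alerts come back in input order). The fixture also omits the `dismissed_reason` field that the init-worker fixture in the same commit sets to `null`, so it is worth confirming the two tests exercise the same alert shape. The enclosing `it(...)` starts before the hunk.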
|
||||
|
|
|
@ -18,7 +18,7 @@ const PackageSchema = z.object({
|
|||
|
||||
const SecurityVulnerabilitySchema = z
|
||||
.object({
|
||||
first_patched_version: z.object({ identifier: z.string() }).optional(),
|
||||
first_patched_version: z.object({ identifier: z.string() }).nullish(),
|
||||
package: PackageSchema,
|
||||
vulnerable_version_range: z.string(),
|
||||
})
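Review bot: The switch to `.nullish()` carries no comment explaining why `null` must be admitted, so a future reader has to dig through history to learn that GitHub presumably sends `first_patched_version: null` rather than omitting the field when no fixed release exists. Add `// GitHub sends null, not an absent field, when no patched version has been published` above that line. Since both `null` and `undefined` now reach consumers, any downstream check written as `=== undefined` would miss the new case; either compare with `== null` or normalize once here with `.nullish().transform((v) => v ?? undefined)` so only one "absent" shape escapes the schema. The schema builder continues past the hunk.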
|
||||
|
|
|
@ -11,7 +11,7 @@ export interface VulnerabilityPackage {
|
|||
name: string;
|
||||
}
|
||||
export interface SecurityVulnerability {
|
||||
first_patched_version?: { identifier: string };
|
||||
first_patched_version?: { identifier: string } | null;
|
||||
package: VulnerabilityPackage;
|
||||
vulnerable_version_range: string;
|
||||
}
|
||||
|
|
|
@ -116,6 +116,37 @@ describe('workers/repository/init/vulnerability', () => {
|
|||
expect(res.packageRules).toHaveLength(0);
|
||||
});
|
||||
|
||||
it('ignores alert if firstPatchVersion is null', async () => {
|
||||
delete config.vulnerabilityAlerts!.enabled;
|
||||
platform.getVulnerabilityAlerts.mockResolvedValue([
|
||||
{
|
||||
// will be ignored - firstPatchVersion is null
|
||||
dismissed_reason: null,
|
||||
dependency: {
|
||||
manifest_path: 'requirements.txt',
|
||||
},
|
||||
security_advisory: {
|
||||
description:
|
||||
'The create_script function in the lxc_container module in Ansible before 1.9.6-1 and 2.x before 2.0.2.0 allows local users to write to arbitrary files or gain privileges via a symlink attack on (1) /opt/.lxc-attach-script, (2) the archived container in the archive_path directory, or the (3) lxc-attach-script.log or (4) lxc-attach-script.err files in the temporary directory.',
|
||||
identifiers: [
|
||||
{ type: 'GHSA', value: 'GHSA-rh6x-qvg7-rrmj' },
|
||||
{ type: 'CVE', value: 'CVE-2016-3096' },
|
||||
],
|
||||
references: [
|
||||
{ url: 'https://nvd.nist.gov/vuln/detail/CVE-2016-3096' },
|
||||
],
|
||||
},
|
||||
security_vulnerability: {
|
||||
package: { name: 'ansible', ecosystem: 'pip' },
|
||||
vulnerable_version_range: '< 1.9.6.1',
|
||||
first_patched_version: null,
|
||||
},
|
||||
},
|
||||
]);
|
||||
const res = await detectVulnerabilityAlerts(config);
|
||||
expect(res.packageRules).toHaveLength(0);
|
||||
});
|
||||
|
||||
it('returns go alerts', async () => {
|
||||
// TODO #22198
|
||||
delete config.vulnerabilityAlerts!.enabled;
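Review bot: The test pins only `expect(res.packageRules).toHaveLength(0)`, which proves the null-`first_patched_version` alert is dropped but not that the drop is observable — an unpatched vulnerability silently vanishing from the run is exactly the case an operator wants a log line for. If `detectVulnerabilityAlerts` logs skipped alerts (its implementation is not part of this diff, which touches only tests, the zod schema and the type), assert that here too via whatever logger mock the file already uses. Because no worker code changed, it is worth confirming that the existing undefined-handling path is what catches `null` rather than a `=== undefined` comparison that happens to fall through to the same result. The title `'ignores alert if firstPatchVersion is null'` names a field that does not exist; use `'ignores alert if first_patched_version is null'` so the test is findable by grep.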
|
||||
|
|