fix(vulnerability-alerts): fix handling of first_patched_version: null (#31447)

2025-03-16 17:13:37 +00:00 · 2024-09-17 18:34:15 +02:00 · 2024-09-17 18:34:15 +02:00 · b775d83830
commit b775d83830
parent 5ca09edcbf
4 changed files with 52 additions and 3 deletions
--- a/lib/modules/platform/github/index.spec.ts
+++ b/lib/modules/platform/github/index.spec.ts
@ -3808,10 +3808,28 @@ describe('modules/platform/github/index', () => {
              manifest_path: 'bar/foo',
            },
          },
+          {
+            security_advisory: {
+              description: 'description',
+              identifiers: [{ type: 'type', value: 'value' }],
+              references: [],
+            },
+            security_vulnerability: {
+              package: {
+                ecosystem: 'npm',
+                name: 'foo',
+              },
+              vulnerable_version_range: '0.0.2',
+              first_patched_version: null,
+            },
+            dependency: {
+              manifest_path: 'bar/foo',
+            },
+          },
        ]);
      await github.initRepo({ repository: 'some/repo' });
      const res = await github.getVulnerabilityAlerts();
-      expect(res).toHaveLength(1);
+      expect(res).toHaveLength(2);
    });

    it('returns empty if disabled', async () => {
--- a/lib/modules/platform/github/schema.ts
+++ b/lib/modules/platform/github/schema.ts
@ -18,7 +18,7 @@ const PackageSchema = z.object({

 const SecurityVulnerabilitySchema = z
  .object({
-    first_patched_version: z.object({ identifier: z.string() }).optional(),
+    first_patched_version: z.object({ identifier: z.string() }).nullish(),
    package: PackageSchema,
    vulnerable_version_range: z.string(),
  })
--- a/lib/types/vulnerability-alert.ts
+++ b/lib/types/vulnerability-alert.ts
@ -11,7 +11,7 @@ export interface VulnerabilityPackage {
  name: string;
 }
 export interface SecurityVulnerability {
-  first_patched_version?: { identifier: string };
+  first_patched_version?: { identifier: string } | null;
  package: VulnerabilityPackage;
  vulnerable_version_range: string;
 }
--- a/lib/workers/repository/init/vulnerability.spec.ts
+++ b/lib/workers/repository/init/vulnerability.spec.ts
@ -116,6 +116,37 @@ describe('workers/repository/init/vulnerability', () => {
      expect(res.packageRules).toHaveLength(0);
    });

+    it('ignores alert if firstPatchVersion is null', async () => {
+      delete config.vulnerabilityAlerts!.enabled;
+      platform.getVulnerabilityAlerts.mockResolvedValue([
+        {
+          // will be ignored - firstPatchVersion is null
+          dismissed_reason: null,
+          dependency: {
+            manifest_path: 'requirements.txt',
+          },
+          security_advisory: {
+            description:
+              'The create_script function in the lxc_container module in Ansible before 1.9.6-1 and 2.x before 2.0.2.0 allows local users to write to arbitrary files or gain privileges via a symlink attack on (1) /opt/.lxc-attach-script, (2) the archived container in the archive_path directory, or the (3) lxc-attach-script.log or (4) lxc-attach-script.err files in the temporary directory.',
+            identifiers: [
+              { type: 'GHSA', value: 'GHSA-rh6x-qvg7-rrmj' },
+              { type: 'CVE', value: 'CVE-2016-3096' },
+            ],
+            references: [
+              { url: 'https://nvd.nist.gov/vuln/detail/CVE-2016-3096' },
+            ],
+          },
+          security_vulnerability: {
+            package: { name: 'ansible', ecosystem: 'pip' },
+            vulnerable_version_range: '< 1.9.6.1',
+            first_patched_version: null,
+          },
+        },
+      ]);
+      const res = await detectVulnerabilityAlerts(config);
+      expect(res.packageRules).toHaveLength(0);
+    });
+
    it('returns go alerts', async () => {
      // TODO #22198
      delete config.vulnerabilityAlerts!.enabled;