fix(vulnerabilities): do not force exact patch version in OSV alerts (#…
Churro authored Jun 15, 2024
1 parent c60880b commit 26337ac
Showing 3 changed files with 155 additions and 15 deletions.
2 changes: 1 addition & 1 deletion lib/workers/repository/process/lookup/index.ts
Expand Up @@ -361,7 +361,7 @@ export async function lookupUpdates(
unconstrainedValue ||
versioning.isCompatible(v.version, compareValue),
);
if (config.isVulnerabilityAlert && !config.osvVulnerabilityAlerts) {
if (config.isVulnerabilityAlert) {
filteredReleases = filteredReleases.slice(0, 1);
}
const buckets: Record<string, [Release]> = {};
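Review bot: With `!config.osvVulnerabilityAlerts` removed, `filteredReleases.slice(0, 1)` now runs for every vulnerability alert, and the hunk does not show how `filteredReleases` is ordered; whether the retained element is the lowest release satisfying the new `>= fixed` constraints depends on sorting done outside this hunk, which is worth confirming, because a different first element would make the alert propose a higher release than the minimal fix. A short comment would record the intent, e.g. `// Vulnerability alerts propose a single release: keep only the first compatible one`. `lookupUpdates` begins and ends outside this hunk.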
151 changes: 138 additions & 13 deletions lib/workers/repository/process/vulnerabilities.spec.ts
Expand Up @@ -104,13 +104,13 @@ describe('workers/repository/process/vulnerabilities', () => {
{
packageName: 'django',
depVersion: '3.2',
fixedVersion: '==3.3.8',
fixedVersion: '>= 3.3.8',
datasource: 'pypi',
},
{
packageName: 'django',
depVersion: '3.2',
fixedVersion: '==3.2.16',
fixedVersion: '>= 3.2.16',
datasource: 'pypi',
},
]);
Expand Down Expand Up @@ -501,15 +501,15 @@ describe('workers/repository/process/vulnerabilities', () => {
'Vulnerability GO-2022-0187 affects stdlib 1.7.5',
);
expect(logger.logger.debug).toHaveBeenCalledWith(
'Setting allowed version 1.7.6 to fix vulnerability GO-2022-0187 in stdlib 1.7.5',
'Setting allowed version >= 1.7.6 to fix vulnerability GO-2022-0187 in stdlib 1.7.5',
);
expect(config.packageRules).toHaveLength(1);
expect(config.packageRules).toMatchObject([
{
matchDatasources: ['go'],
matchPackageNames: ['stdlib'],
matchCurrentVersion: '1.7.5',
allowedVersions: '1.7.6',
allowedVersions: '>= 1.7.6',
isVulnerabilityAlert: true,
},
]);
Expand Down Expand Up @@ -581,7 +581,7 @@ describe('workers/repository/process/vulnerabilities', () => {
matchDatasources: ['pypi'],
matchPackageNames: ['django'],
matchCurrentVersion: '3.2',
allowedVersions: '==3.2.16',
allowedVersions: '>= 3.2.16',
isVulnerabilityAlert: true,
},
]);
Expand Down Expand Up @@ -643,14 +643,14 @@ describe('workers/repository/process/vulnerabilities', () => {
matchDatasources: ['pypi'],
matchPackageNames: ['django'],
matchCurrentVersion: '3.2',
allowedVersions: '==3.2.16',
allowedVersions: '>= 3.2.16',
isVulnerabilityAlert: true,
},
{
matchDatasources: ['pypi'],
matchPackageNames: ['django'],
matchCurrentVersion: '3.2',
allowedVersions: '==3.3.8',
allowedVersions: '>= 3.3.8',
isVulnerabilityAlert: true,
},
]);
Expand Down Expand Up @@ -744,7 +744,7 @@ describe('workers/repository/process/vulnerabilities', () => {
matchDatasources: ['crate'],
matchPackageNames: ['tiny_http'],
matchCurrentVersion: '0.1.2',
allowedVersions: '0.6.3',
allowedVersions: '>= 0.6.3',
isVulnerabilityAlert: true,
prBodyNotes: [
'\n\n' +
Expand Down Expand Up @@ -826,14 +826,14 @@ describe('workers/repository/process/vulnerabilities', () => {
matchDatasources: ['npm'],
matchPackageNames: ['lodash'],
matchCurrentVersion: '4.17.10',
allowedVersions: '4.17.11',
allowedVersions: '>= 4.17.11',
isVulnerabilityAlert: true,
},
{
matchDatasources: ['npm'],
matchPackageNames: ['lodash'],
matchCurrentVersion: '4.17.10',
allowedVersions: '4.17.20',
allowedVersions: '>= 4.17.20',
isVulnerabilityAlert: true,
},
]);
Expand Down Expand Up @@ -882,6 +882,131 @@ describe('workers/repository/process/vulnerabilities', () => {
expect(config.packageRules).toHaveLength(0);
});

it('describe fixed version as ecosystem-specific version constraint', async () => {
const packageFiles: Record<string, PackageFile[]> = {
maven: [
{
deps: [
{
depName: 'com.guicedee.services:log4j-core',
currentValue: '1.0.10.1',
datasource: 'maven',
},
],
packageFile: 'some-file1',
},
],
nuget: [
{
deps: [
{
depName: 'SharpZipLib',
currentValue: '1.3.0',
datasource: 'nuget',
},
],
packageFile: 'some-file2',
},
],
npm: [
{
deps: [
{
depName: 'lodash',
currentValue: '4.17.15',
datasource: 'npm',
},
],
packageFile: 'some-file3',
},
],
};
getVulnerabilitiesMock.mockResolvedValue([
{
id: 'GHSA-jfh8-c2jp-5v3q',
modified: '',
affected: [
{
package: {
name: 'com.guicedee.services:log4j-core',
ecosystem: 'Maven',
purl: 'pkg:maven/com.guicedee.services/log4j-core',
},
ranges: [
{
type: 'ECOSYSTEM',
events: [{ introduced: '0' }, { fixed: '1.2.1.2-jre17' }],
},
],
},
],
},
{
id: ' GHSA-mm6g-mmq6-53ff',
modified: '',
affected: [
{
package: {
name: 'SharpZipLib',
ecosystem: 'NuGet',
purl: 'pkg:nuget/SharpZipLib',
},
ranges: [
{
type: 'ECOSYSTEM',
events: [{ introduced: '0' }, { fixed: '1.3.3' }],
},
],
},
],
},
{
id: 'GHSA-29mw-wpgm-hmr9',
modified: '',
affected: [
{
package: {
name: 'lodash',
ecosystem: 'npm',
purl: 'pkg:npm/lodash',
},
ranges: [
{
type: 'SEMVER',
events: [{ introduced: '0' }, { fixed: '4.17.21' }],
},
],
},
],
},
]);

await vulnerabilities.appendVulnerabilityPackageRules(
config,
packageFiles,
);
expect(config.packageRules).toMatchObject([
{
matchDatasources: ['maven'],
matchPackageNames: ['com.guicedee.services:log4j-core'],
matchCurrentVersion: '1.0.10.1',
allowedVersions: '[1.2.1.2-jre17,)',
},
{
matchDatasources: ['nuget'],
matchPackageNames: ['SharpZipLib'],
matchCurrentVersion: '1.3.0',
allowedVersions: '1.3.3',
},
{
matchDatasources: ['npm'],
matchPackageNames: ['lodash'],
matchCurrentVersion: '4.17.15',
allowedVersions: '>= 4.17.21',
},
]);
});

it('describe last_affected version as ecosystem-specific version constraint', async () => {
const packageFiles: Record<string, PackageFile[]> = {
maven: [
Expand Down Expand Up @@ -1065,7 +1190,7 @@ describe('workers/repository/process/vulnerabilities', () => {
matchDatasources: ['pypi'],
matchPackageNames: ['django-mfa2'],
matchCurrentVersion: '2.5.0',
allowedVersions: '==2.5.1',
allowedVersions: '>= 2.5.1',
isVulnerabilityAlert: true,
prBodyNotes: [
'\n\n' +
Expand Down Expand Up @@ -1127,7 +1252,7 @@ describe('workers/repository/process/vulnerabilities', () => {
matchDatasources: ['npm'],
matchPackageNames: ['lodash'],
matchCurrentVersion: '4.17.10',
allowedVersions: '4.17.11',
allowedVersions: '>= 4.17.11',
isVulnerabilityAlert: true,
prBodyNotes: [
'\n\n' +
Expand Down Expand Up @@ -1212,7 +1337,7 @@ describe('workers/repository/process/vulnerabilities', () => {
matchDatasources: ['crate'],
matchPackageNames: ['sys-info'],
matchCurrentVersion: '0.6.0',
allowedVersions: '0.8.0',
allowedVersions: '>= 0.8.0',
isVulnerabilityAlert: true,
prBodyNotes: [
'\n\n' +
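Review bot: The second mocked advisory in the new test (SharpZipLib) has `id: ' GHSA-mm6g-mmq6-53ff'` with a leading space inside the string, which looks like a typo rather than an intended input; change it to `id: 'GHSA-mm6g-mmq6-53ff'` so the test does not quietly depend on the code tolerating whitespace in advisory ids. The new `toMatchObject` expectation for this test omits `isVulnerabilityAlert: true`, which every neighbouring expectation includes; adding it keeps the assertion as strict as the others. The NuGet expectation `allowedVersions: '1.3.3'` asserts an exact pin inside a test named for ecosystem-specific constraints; that matches the TODO in vulnerabilities.ts, but a one-line comment in the test (e.g. `// NuGet: exact version until range support is added`) would stop it being read as the intended final behaviour.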
17 changes: 16 additions & 1 deletion lib/workers/repository/process/vulnerabilities.ts
Expand Up @@ -409,7 +409,7 @@ export class Vulnerabilities {
this.isVersionGt(version, depVersion, versioningApi),
);
if (fixedVersion) {
return ecosystem === 'PyPI' ? `==${fixedVersion}` : fixedVersion;
return this.getFixedVersionByEcosystem(fixedVersion, ecosystem);
}

lastAffectedVersions.sort((a, b) => versioningApi.sortVersions(a, b));
Expand All @@ -423,6 +423,21 @@ export class Vulnerabilities {
return null;
}

private getFixedVersionByEcosystem(
fixedVersion: string,
ecosystem: Ecosystem,
): string {
if (ecosystem === 'Maven') {
return `[${fixedVersion},)`;
} else if (ecosystem === 'NuGet') {
// TODO: add support for nuget version ranges when #26150 is merged
return fixedVersion;
}

// crates.io, Go, Hex, npm, RubyGems, PyPI
return `>= ${fixedVersion}`;
}

private getLastAffectedByEcosystem(
lastAffected: string,
ecosystem: Ecosystem,
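Review bot: `getFixedVersionByEcosystem` has no doc comment, and its final `return \`>= ${fixedVersion}\`` applies to every `Ecosystem` value not matched above, not only the six named in the comment, so if the union has further members a new ecosystem would silently receive a constraint in syntax its package manager may not parse and the remediation rule could then select nothing. If `Ecosystem` is a closed union, a `switch (ecosystem)` with the listed cases explicit and a `default` holding `const _exhaustive: never = ecosystem;` would turn that into a compile error rather than a guess. A TSDoc block above the method should state that the result is a lower-bound constraint in the ecosystem's own range syntax (`[x,)` for Maven, `>= x` elsewhere), that NuGet still returns the bare fixed version until range support lands, and that the caller, whose body starts outside this hunk, uses it as the rule's `allowedVersions`. The method does not read `this`, so it could be `static`, provided that matches how `getLastAffectedByEcosystem` is declared, which this hunk does not show.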
