Skip to content

Commit

Permalink
fix(vulnerabilities): strip equals for nuget in Github alerts (#29693)
Browse files Browse the repository at this point in the history
  • Loading branch information
Churro authored Jun 16, 2024
1 parent f91b9cf commit 32c9636
Show file tree
Hide file tree
Showing 2 changed files with 59 additions and 1 deletion.
57 changes: 57 additions & 0 deletions lib/workers/repository/init/vulnerability.spec.ts
Original file line number Diff line number Diff line change
Expand Up @@ -220,6 +220,63 @@ describe('workers/repository/init/vulnerability', () => {
expect(res.packageRules).toHaveLength(1);
});

it('returns nuget alerts', async () => {
// TODO #22198
delete config.vulnerabilityAlerts!.enabled;
platform.getVulnerabilityAlerts.mockResolvedValue([
{
dismissReason: null,
vulnerableManifestFilename: 'test.csproj',
vulnerableManifestPath: 'test.csproj',
vulnerableRequirements: '= 2.0.0',
securityAdvisory: {
description:
'.NET Core 1.0, 1.1, and 2.0 allow an unauthenticated attacker to remotely cause a denial of service attack.',
identifiers: [
{ type: 'GHSA', value: 'GHSA-7mfr-774f-w5r9' },
{ type: 'CVE', value: 'CVE-2017-11770' },
],
references: [],
severity: 'HIGH',
},
securityVulnerability: {
package: {
name: 'Microsoft.NETCore.App',
ecosystem: 'NUGET',
},
firstPatchedVersion: { identifier: '2.0.3' },
vulnerableVersionRange: '>= 1.0.0, < 2.0.3',
},
},
]);

const res = await detectVulnerabilityAlerts(config);
expect(res.packageRules).toStrictEqual([
{
matchDatasources: ['nuget'],
matchPackageNames: ['Microsoft.NETCore.App'],
matchCurrentVersion: '2.0.0',
matchFileNames: ['test.csproj'],
allowedVersions: '2.0.3',
prBodyNotes: [
'### GitHub Vulnerability Alerts',
'#### CVE-2017-11770\n\n.NET Core 1.0, 1.1, and 2.0 allow an unauthenticated attacker to remotely cause a denial of service attack.',
],
isVulnerabilityAlert: true,
force: {
groupName: null,
schedule: [],
dependencyDashboardApproval: false,
minimumReleaseAge: null,
rangeStrategy: 'update-lockfile',
commitMessageSuffix: '[SECURITY]',
branchTopic: '{{{datasource}}}-{{{depName}}}-vulnerability',
prCreation: 'immediate',
},
},
]);
});

it('returns pip alerts', async () => {
// TODO #22198
delete config.vulnerabilityAlerts!.enabled;
Expand Down
3 changes: 2 additions & 1 deletion lib/workers/repository/init/vulnerability.ts
Original file line number Diff line number Diff line change
Expand Up @@ -133,7 +133,8 @@ export async function detectVulnerabilityAlerts(
}
if (
datasource === GithubTagsDatasource.id ||
datasource === MavenDatasource.id
datasource === MavenDatasource.id ||
datasource === NugetDatasource.id
) {
// GitHub Actions uses docker versioning, which doesn't support `= 1.2.3` matching, so we strip the equals
vulnerableRequirements = vulnerableRequirements.replace(/^=\s*/, '');
Expand Down

0 comments on commit 32c9636

Please sign in to comment.