fix(vulnerabilities): strip equals for nuget in Github alerts (#29693)

renovatebot · Jun 16, 2024 · 32c9636 · 32c9636
1 parent f91b9cf
commit 32c9636
Show file tree

Hide file tree

Showing 2 changed files with 59 additions and 1 deletion.
diff --git a/lib/workers/repository/init/vulnerability.spec.ts b/lib/workers/repository/init/vulnerability.spec.ts
@@ -220,6 +220,63 @@ describe('workers/repository/init/vulnerability', () => {
       expect(res.packageRules).toHaveLength(1);
     });
 
+    it('returns nuget alerts', async () => {
+      // TODO #22198
+      delete config.vulnerabilityAlerts!.enabled;
+      platform.getVulnerabilityAlerts.mockResolvedValue([
+        {
+          dismissReason: null,
+          vulnerableManifestFilename: 'test.csproj',
+          vulnerableManifestPath: 'test.csproj',
+          vulnerableRequirements: '= 2.0.0',
+          securityAdvisory: {
+            description:
+              '.NET Core 1.0, 1.1, and 2.0 allow an unauthenticated attacker to remotely cause a denial of service attack.',
+            identifiers: [
+              { type: 'GHSA', value: 'GHSA-7mfr-774f-w5r9' },
+              { type: 'CVE', value: 'CVE-2017-11770' },
+            ],
+            references: [],
+            severity: 'HIGH',
+          },
+          securityVulnerability: {
+            package: {
+              name: 'Microsoft.NETCore.App',
+              ecosystem: 'NUGET',
+            },
+            firstPatchedVersion: { identifier: '2.0.3' },
+            vulnerableVersionRange: '>= 1.0.0, < 2.0.3',
+          },
+        },
+      ]);
+
+      const res = await detectVulnerabilityAlerts(config);
+      expect(res.packageRules).toStrictEqual([
+        {
+          matchDatasources: ['nuget'],
+          matchPackageNames: ['Microsoft.NETCore.App'],
+          matchCurrentVersion: '2.0.0',
+          matchFileNames: ['test.csproj'],
+          allowedVersions: '2.0.3',
+          prBodyNotes: [
+            '### GitHub Vulnerability Alerts',
+            '#### CVE-2017-11770\n\n.NET Core 1.0, 1.1, and 2.0 allow an unauthenticated attacker to remotely cause a denial of service attack.',
+          ],
+          isVulnerabilityAlert: true,
+          force: {
+            groupName: null,
+            schedule: [],
+            dependencyDashboardApproval: false,
+            minimumReleaseAge: null,
+            rangeStrategy: 'update-lockfile',
+            commitMessageSuffix: '[SECURITY]',
+            branchTopic: '{{{datasource}}}-{{{depName}}}-vulnerability',
+            prCreation: 'immediate',
+          },
+        },
+      ]);
+    });
+
     it('returns pip alerts', async () => {
       // TODO #22198
       delete config.vulnerabilityAlerts!.enabled;

diff --git a/lib/workers/repository/init/vulnerability.ts b/lib/workers/repository/init/vulnerability.ts
@@ -133,7 +133,8 @@ export async function detectVulnerabilityAlerts(
       }
       if (
         datasource === GithubTagsDatasource.id ||
-        datasource === MavenDatasource.id
+        datasource === MavenDatasource.id ||
+        datasource === NugetDatasource.id
       ) {
         // GitHub Actions uses docker versioning, which doesn't support `= 1.2.3` matching, so we strip the equals
         vulnerableRequirements = vulnerableRequirements.replace(/^=\s*/, '');