From 32c96360d1e5309ef22f178edb85b21daa838809 Mon Sep 17 00:00:00 2001
From: Johannes Feichtner <343448+Churro@users.noreply.github.com>
Date: Sun, 16 Jun 2024 07:14:31 +0200
Subject: [PATCH] fix(vulnerabilities): strip equals for nuget in Github alerts (#29693)
---
 .../repository/init/vulnerability.spec.ts | 57 +++++++++++++++++++
 lib/workers/repository/init/vulnerability.ts | 3 +-
 2 files changed, 59 insertions(+), 1 deletion(-)
diff --git a/lib/workers/repository/init/vulnerability.spec.ts b/lib/workers/repository/init/vulnerability.spec.ts
index db6ca1ca50bf87..ddf2496b2ed590 100644
--- a/lib/workers/repository/init/vulnerability.spec.ts
+++ b/lib/workers/repository/init/vulnerability.spec.ts
@@ -220,6 +220,63 @@ describe('workers/repository/init/vulnerability', () => {
     expect(res.packageRules).toHaveLength(1);
   });
 
+  it('returns nuget alerts', async () => {
+    // TODO #22198
+    delete config.vulnerabilityAlerts!.enabled;
+    platform.getVulnerabilityAlerts.mockResolvedValue([
+      {
+        dismissReason: null,
+        vulnerableManifestFilename: 'test.csproj',
+        vulnerableManifestPath: 'test.csproj',
+        vulnerableRequirements: '= 2.0.0',
+        securityAdvisory: {
+          description:
+            '.NET Core 1.0, 1.1, and 2.0 allow an unauthenticated attacker to remotely cause a denial of service attack.',
+          identifiers: [
+            { type: 'GHSA', value: 'GHSA-7mfr-774f-w5r9' },
+            { type: 'CVE', value: 'CVE-2017-11770' },
+          ],
+          references: [],
+          severity: 'HIGH',
+        },
+        securityVulnerability: {
+          package: {
+            name: 'Microsoft.NETCore.App',
+            ecosystem: 'NUGET',
+          },
+          firstPatchedVersion: { identifier: '2.0.3' },
+          vulnerableVersionRange: '>= 1.0.0, < 2.0.3',
+        },
+      },
+    ]);
+
+    const res = await detectVulnerabilityAlerts(config);
+    expect(res.packageRules).toStrictEqual([
+      {
+        matchDatasources: ['nuget'],
+        matchPackageNames: ['Microsoft.NETCore.App'],
+        matchCurrentVersion: '2.0.0',
+        matchFileNames: ['test.csproj'],
+        allowedVersions: '2.0.3',
+        prBodyNotes: [
+          '### GitHub Vulnerability Alerts',
+          '#### CVE-2017-11770\n\n.NET Core 1.0, 1.1, and 2.0 allow an unauthenticated attacker to remotely cause a denial of service attack.',
+        ],
+        isVulnerabilityAlert: true,
+        force: {
+          groupName: null,
+          schedule: [],
+          dependencyDashboardApproval: false,
+          minimumReleaseAge: null,
+          rangeStrategy: 'update-lockfile',
+          commitMessageSuffix: '[SECURITY]',
+          branchTopic: '{{{datasource}}}-{{{depName}}}-vulnerability',
+          prCreation: 'immediate',
+        },
+      },
+    ]);
+  });
+
   it('returns pip alerts', async () => {
     // TODO #22198
     delete config.vulnerabilityAlerts!.enabled;
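Review bot: The new nuget case pins only the `'= 2.0.0'` form of vulnerableRequirements, so the `\s*` part of the strip regex in vulnerability.ts (and the no-op path for a requirement with no leading equals) stays unexercised for this datasource. A second input such as `vulnerableRequirements: '=2.0.0'`, expecting the same `matchCurrentVersion: '2.0.0'`, would cover it; an `it.each` over the two inputs would avoid duplicating the long fixture. The enclosing describe block starts and ends outside the hunk.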
diff --git a/lib/workers/repository/init/vulnerability.ts b/lib/workers/repository/init/vulnerability.ts
index f009c48f0079ff..20bf8914ae8b19 100644
--- a/lib/workers/repository/init/vulnerability.ts
+++ b/lib/workers/repository/init/vulnerability.ts
@@ -133,7 +133,8 @@ export async function detectVulnerabilityAlerts(
     }
     if (
       datasource === GithubTagsDatasource.id ||
-      datasource === MavenDatasource.id
+      datasource === MavenDatasource.id ||
+      datasource === NugetDatasource.id
     ) {
       // GitHub Actions uses docker versioning, which doesn't support `= 1.2.3` matching, so we strip the equals
       vulnerableRequirements = vulnerableRequirements.replace(/^=\s*/, '');
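Review bot: The comment above the replace still attributes the equals-stripping solely to GitHub Actions and docker versioning, while the condition now routes Maven and NuGet alerts through the same branch, so a reader of the new code gets no explanation for the two added datasources. Suggest rewording it to name every case the branch covers, e.g. `// GitHub alerts may carry \`= 1.2.3\` requirements; docker (GitHub Actions), Maven and NuGet versioning don't match that form, so we strip the equals`, with the Maven/NuGet part verified against the versioning modules since the hunk does not show them. The diffstat reports only this hunk for vulnerability.ts, so NugetDatasource is presumably already imported in this file; worth confirming. detectVulnerabilityAlerts begins and ends outside the hunk.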