
Verify OSV alert logic (and maybe make code changes as needed) #29342

Closed
HonkingGoose opened this issue May 30, 2024 · 1 comment · Fixed by #29666
Labels: priority-3-medium (Default priority, "should be done" but isn't prioritised ahead of others), type:refactor (Refactoring or improving of existing code)

Comments


HonkingGoose commented May 30, 2024

Describe the proposed change(s).

Check if the OSV alert logic is correct, and behaving like we want. @churro wanted to check this for us, so here's the issue to track that work.

Relevant discussion

Quotes come from:

@rarkins said:

Renovate's other vulnerability handling (GitHub alerts, or Mend's SCA products) use >= for this reason plus this logic:

```ts
if (config.isVulnerabilityAlert && !config.osvVulnerabilityAlerts) {
  filteredReleases = filteredReleases.slice(0, 1);
}
```

In other words it becomes "take the first release which exists greater than or equal to x.y.z". Usually it's x.y.z but sometimes it can be higher due to reasons like this.

I wasn't involved in the OSV implementation although you can see from the code I linked to that @Churro was aware of it when implementing

Response from @Churro

I don't remember why back then I thought it's necessary to treat OSV alerts differently but I can verify this over the next few days.

Tip

You may want to check out our fork of @astellingwerf's reproduction for Discussion 29280 and Issue 29342 to confirm if the OSV logic is working as intended.
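
The quoted snippet and the ">=" rule it sits behind are easier to reason about with a runnable model. The block below is an added illustration written for this page; it is not Renovate's code, and the `Release`, `AlertConfig`, `candidateReleases` names and the registry contents are assumptions (the two config flag names simply mirror the quoted snippet). It shows the case @rarkins describes: the advisory's fixed version x.y.z is not itself present in the registry, so "first release >= x.y.z" lands on a higher version, and it shows that with the OSV flag set the slice is skipped and every release >= x.y.z stays a candidate, which is the behaviour this issue asks to verify.

```typescript
// Added illustration (not Renovate's code): a "first release >= fixed version"
// rule for vulnerability alerts, and why it can land above the advisory's fix.

interface Release {
  version: string;
}

interface AlertConfig {
  isVulnerabilityAlert: boolean;
  osvVulnerabilityAlerts: boolean; // hypothetical flag names, mirroring the quoted snippet
}

// Parse a plain "x.y.z" version; anything else is rejected to keep the example strict.
function parse(v: string): [number, number, number] {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`not a plain x.y.z version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric component-wise compare, so "1.10.0" sorts above "1.9.0".
function compare(a: string, b: string): number {
  const pa = parse(a);
  const pb = parse(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Releases >= fixedVersion, ascending. For non-OSV vulnerability alerts only the
// lowest candidate is kept, as in the quoted slice(0, 1); with OSV alerts enabled
// every candidate remains.
function candidateReleases(
  releases: Release[],
  fixedVersion: string,
  config: AlertConfig,
): Release[] {
  let filtered = releases
    .filter((r) => compare(r.version, fixedVersion) >= 0)
    .sort((a, b) => compare(a.version, b.version));
  if (config.isVulnerabilityAlert && !config.osvVulnerabilityAlerts) {
    filtered = filtered.slice(0, 1);
  }
  return filtered;
}

// Constructed sample registry: the advisory names 1.2.3 as the fix, but 1.2.3 was
// never published (or was unpublished), so only 1.2.0, 1.2.4 and 1.3.0 exist.
const REGISTRY: Release[] = [
  { version: '1.3.0' },
  { version: '1.2.0' },
  { version: '1.2.4' },
];

// Non-OSV path: a single candidate, the first existing release >= 1.2.3.
function firstFixedRelease(): string | undefined {
  const cfg: AlertConfig = { isVulnerabilityAlert: true, osvVulnerabilityAlerts: false };
  return candidateReleases(REGISTRY, '1.2.3', cfg)[0]?.version;
}

// OSV path: the slice is skipped, so all releases >= 1.2.3 are returned.
function osvCandidates(): string[] {
  const cfg: AlertConfig = { isVulnerabilityAlert: true, osvVulnerabilityAlerts: true };
  return candidateReleases(REGISTRY, '1.2.3', cfg).map((r) => r.version);
}

// When the fixed version does exist, the non-OSV path returns exactly that version.
function exactFixRelease(): string | undefined {
  const cfg: AlertConfig = { isVulnerabilityAlert: true, osvVulnerabilityAlerts: false };
  return candidateReleases(REGISTRY, '1.2.0', cfg)[0]?.version;
}
```

Running `firstFixedRelease()` gives `1.2.4` rather than `1.2.3`, which is the "sometimes it can be higher" case in the quote; `exactFixRelease()` gives `1.2.0`, the usual case; and `osvCandidates()` returns both `1.2.4` and `1.3.0`, leaving the choice among them to whatever the OSV-specific logic decides.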

@HonkingGoose HonkingGoose added priority-3-medium Default priority, "should be done" but isn't prioritised ahead of others type:refactor Refactoring or improving of existing code labels May 30, 2024
@HonkingGoose HonkingGoose changed the title Verify OSV alert logic Verify OSV alert logic (and maybe make code changes as needed) Jun 6, 2024
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 16, 2024