Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(vulnerabilities): do not force exact patch version in OSV alerts #29666

Merged
merged 2 commits into from
Jun 15, 2024
Merged

fix(vulnerabilities): do not force exact patch version in OSV alerts #29666

merged 2 commits into from
Jun 15, 2024

Conversation

Churro
Copy link
Collaborator

@Churro Churro commented Jun 13, 2024
edited

Changes

OSV vulnerability alerts may suggest a particular patch version that could be retracted, currently resulting in no PR being created at all. This change relaxes == to >=, so that the first available version is picked.

This PR also removes an extra condition for OSV that caused advisories with last_affected field set to suggest the newest version, rather than the minimal patched version. Advisories usually populate the fixed version, not the last_affected field, so this was infrequently used. Now this the change to >= e.g., for pypi, the security fix PR would suggest version 2.32.3 to address CVE-2024-35195 in requests <= 2.32.0, whereas the minimal patched version is 2.32.2 (see test repo).

Context

Documentation (please check one with an [x])

  • I have updated the documentation, or
  • No documentation update is required

How I've tested my work (please select one)

I have verified these changes via:

  • Code inspection only, or
  • Newly added/modified unit tests, or
  • No unit tests but ran on a real repository, or
  • Both unit tests + ran on a real repository

@Churro Churro changed the title fix(vulnerabilities): do not force exact patch version for PyPI datas… fix(vulnerabilities): do not force exact patch version for PyPI datasource in OSV alerts Jun 13, 2024
viceice
viceice previously approved these changes Jun 14, 2024
View reviewed changes
@Churro Churro changed the title fix(vulnerabilities): do not force exact patch version for PyPI datasource in OSV alerts fix(vulnerabilities): do not force exact patch version in OSV alerts Jun 14, 2024
@Churro
Copy link
Collaborator Author

Churro commented Jun 14, 2024

Update: As requested, I've now extended the change to cover not only pypi but all managers.

New test repo: https://github.com/renovate-demo/29666-osv/pulls

@viceice viceice added this pull request to the merge queue Jun 15, 2024
Merged via the queue into renovatebot:main with commit 26337ac Jun 15, 2024
37 checks passed
@renovate-release
Copy link
Collaborator

🎉 This PR is included in version 37.408.2 🎉

The release is available on:

Your semantic-release bot 📦🚀

@Churro Churro mentioned this pull request Jun 16, 2024
Merged
6 tasks
@rarkins rarkins mentioned this pull request Jun 29, 2024
Open
@github-actions github-actions bot mentioned this pull request Jul 4, 2024
Merged
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 16, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@viceice viceice viceice approved these changes

@rarkins rarkins rarkins approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Verify OSV alert logic (and maybe make code changes as needed)
4 participants
@Churro @renovate-release @viceice @rarkins