diff --git a/lib/workers/repository/process/vulnerabilities.spec.ts b/lib/workers/repository/process/vulnerabilities.spec.ts
index f182547149dc72e430418a768ee08ab5c99a8486..c5e1da3c67271f69c1a328babc7f071c4682741b 100644
--- a/lib/workers/repository/process/vulnerabilities.spec.ts
+++ b/lib/workers/repository/process/vulnerabilities.spec.ts
@@ -136,8 +136,32 @@ describe('workers/repository/process/vulnerabilities', () => {
);
});
- it('exception due to invalid version upon comparison', async () => {
- const err = new TypeError('Invalid Version: ^1.1.0');
+ it('exception while fetching vulnerabilities', async () => {
+ const err = new Error('unknown');
+ const packageFiles: Record<string, PackageFileContent[]> = {
+ npm: [
+ {
+ deps: [
+ {
+ depName: 'lodash',
+ currentValue: '4.17.11',
+ datasource: 'npm',
+ },
+ ],
+ },
+ ],
+ };
+ getVulnerabilitiesMock.mockRejectedValueOnce(err);
+
+ await vulnerabilities.fetchVulnerabilities(config, packageFiles);
+ expect(logger.logger.warn).toHaveBeenCalledWith(
+ { err },
+ 'Error fetching vulnerability information for lodash'
+ );
+ });
+
+ it('log event with invalid version', async () => {
+ const event = { fixed: '^6.0' };
const packageFiles: Record<string, PackageFileContent[]> = {
npm: [
{
@@ -165,7 +189,7 @@ describe('workers/repository/process/vulnerabilities', () => {
ranges: [
{
type: 'SEMVER',
- events: [{ introduced: '^0' }, { fixed: '^1.1.0' }],
+ events: [{ introduced: '0' }, event],
},
],
},
@@ -175,8 +199,8 @@ describe('workers/repository/process/vulnerabilities', () => {
await vulnerabilities.fetchVulnerabilities(config, packageFiles);
expect(logger.logger.debug).toHaveBeenCalledWith(
- { err },
- 'Error fetching vulnerability information for lodash'
+ { event },
+ 'Skipping OSV event with invalid version'
);
});
diff --git a/lib/workers/repository/process/vulnerabilities.ts b/lib/workers/repository/process/vulnerabilities.ts
index c359f2344358720fa9c6ef08114430dc16ac0e7f..8c0375e7a2bb8b91c00cffdc4392974f25e8b5ef 100644
--- a/lib/workers/repository/process/vulnerabilities.ts
+++ b/lib/workers/repository/process/vulnerabilities.ts
@@ -199,10 +199,11 @@ export class Vulnerabilities {
this.sortByFixedVersion(packageRules, versioningApi);
} catch (err) {
- logger.debug(
+ logger.warn(
{ err },
`Error fetching vulnerability information for ${packageName}`
);
+ return [];
}
return packageRules;
@@ -237,9 +238,11 @@ export class Vulnerabilities {
for (const event of events) {
if (event.introduced === '0') {
zeroEvent = event;
- continue;
+ } else if (versioningApi.isVersion(Object.values(event)[0])) {
+ sortedCopy.push(event);
+ } else {
+ logger.debug({ event }, 'Skipping OSV event with invalid version');
}
- sortedCopy.push(event);
}
sortedCopy.sort((a, b) =>
@@ -341,9 +344,15 @@ export class Vulnerabilities {
}
for (const event of range.events) {
- if (is.nonEmptyString(event.fixed)) {
+ if (
+ is.nonEmptyString(event.fixed) &&
+ versioningApi.isVersion(event.fixed)
+ ) {
fixedVersions.push(event.fixed);
- } else if (is.nonEmptyString(event.last_affected)) {
+ } else if (
+ is.nonEmptyString(event.last_affected) &&
+ versioningApi.isVersion(event.last_affected)
+ ) {
lastAffectedVersions.push(event.last_affected);
}
}