diff --git a/docs/usage/configuration-options.md b/docs/usage/configuration-options.md
index a55d0fa601e80e2d0abd90f3507be64dfb74297b..fa7e36e0107e0daa51939a387ca3957462b6b495 100644
--- a/docs/usage/configuration-options.md
+++ b/docs/usage/configuration-options.md
@@ -2426,6 +2426,7 @@ Renovate only queries the OSV database for dependencies that use one of these da
- [`crate`](./modules/datasource/crate/index.md)
- [`go`](./modules/datasource/go/index.md)
+- [`hackage`](./modules/datasource/hackage/index.md)
- [`hex`](./modules/datasource/hex/index.md)
- [`maven`](./modules/datasource/maven/index.md)
- [`npm`](./modules/datasource/npm/index.md)
diff --git a/lib/workers/repository/init/vulnerability.ts b/lib/workers/repository/init/vulnerability.ts
index 1d90436a9e42b44ce5c08416ed32bedf7bb07951..dd93c1bee860f92ad29a781778db9ef095ab0694 100644
--- a/lib/workers/repository/init/vulnerability.ts
+++ b/lib/workers/repository/init/vulnerability.ts
@@ -47,7 +47,7 @@ export function getFixedVersionByDatasource(
return `[${fixedVersion},)`;
}
- // crates.io, Go, Hex, npm, RubyGems, PyPI
+ // crates.io, Go, Hackage, Hex, npm, RubyGems, PyPI
return `>= ${fixedVersion}`;
}
diff --git a/lib/workers/repository/process/vulnerabilities.spec.ts b/lib/workers/repository/process/vulnerabilities.spec.ts
index e5599201820eaa03754a73ca51f7b6311e5837ab..db30414b2edfa90d78fd87a88285d691e263e0ed 100644
--- a/lib/workers/repository/process/vulnerabilities.spec.ts
+++ b/lib/workers/repository/process/vulnerabilities.spec.ts
@@ -840,6 +840,63 @@ describe('workers/repository/process/vulnerabilities', () => {
]);
});
+ it('returns packageRules for Hackage', async () => {
+ const packageFiles: Record<string, PackageFile[]> = {
+ hackage: [
+ {
+ deps: [
+ {
+ depName: 'aeson',
+ currentValue: '0.4.0.0',
+ datasource: 'hackage',
+ },
+ ],
+ packageFile: 'some-file',
+ },
+ ],
+ };
+ getVulnerabilitiesMock.mockResolvedValueOnce([
+ {
+ id: 'HSEC-2023-0001',
+ summary: 'Hash flooding vulnerability in aeson',
+ details:
+ '# Hash flooding vulnerability in aeson\n\n*aeson* was vulnerable to hash flooding (a.k.a. hash DoS). The\nissue is a consequence of the HashMap implementation from\n*unordered-containers*. It results in a denial of service through\nCPU consumption. This technique has been used in real-world attacks\nagainst a variety of languages, libraries and frameworks over the\nyears.\n',
+ aliases: ['CVE-2022-3433'],
+ modified: '2023-06-13T09:03:52Z',
+ affected: [
+ {
+ package: {
+ ecosystem: 'Hackage',
+ name: 'aeson',
+ },
+ ranges: [
+ {
+ type: 'ECOSYSTEM',
+ events: [{ introduced: '0.4.0.0' }, { fixed: '2.0.1.0' }],
+ },
+ ],
+ },
+ ],
+ },
+ ]);
+
+ await vulnerabilities.appendVulnerabilityPackageRules(
+ config,
+ packageFiles,
+ );
+
+ expect(config.packageRules).toHaveLength(1);
+ expect(config.packageRules).toMatchObject([
+ {
+ matchDatasources: ['hackage'],
+ matchPackageNames: ['aeson'],
+ matchCurrentVersion: '0.4.0.0',
+ allowedVersions: '>= 2.0.1.0',
+ isVulnerabilityAlert: true,
+ },
+ ]);
+ });
+
it('filters not applicable vulnerability based on last_affected version', async () => {
const packageFiles: Record<string, PackageFile[]> = {
poetry: [
diff --git a/lib/workers/repository/process/vulnerabilities.ts b/lib/workers/repository/process/vulnerabilities.ts
index b3ed9b565632c1dd041e6ec4d10b84946506bc72..48991ea669bbcfc600f4c64cfba8edccc0c41d6f 100644
--- a/lib/workers/repository/process/vulnerabilities.ts
+++ b/lib/workers/repository/process/vulnerabilities.ts
@@ -35,6 +35,7 @@ export class Vulnerabilities {
> = {
crate: 'crates.io',
go: 'Go',
+ hackage: 'Hackage',
hex: 'Hex',
maven: 'Maven',
npm: 'npm',