From 1caffcc310dae897b363ad59755c4a771ed51571 Mon Sep 17 00:00:00 2001
From: Janus Troelsen <ysangkok@gmail.com>
Date: Wed, 1 Jan 2025 15:17:44 -0600
Subject: [PATCH] feat(vulnerabilities): Add Hackage support (#33328)

Co-authored-by: Michael Kriese <michael.kriese@visualon.de>
---
 docs/usage/configuration-options.md           |  1 +
 lib/workers/repository/init/vulnerability.ts  |  2 +-
 .../process/vulnerabilities.spec.ts           | 57 +++++++++++++++++++
 .../repository/process/vulnerabilities.ts     |  1 +
 4 files changed, 60 insertions(+), 1 deletion(-)

diff --git a/docs/usage/configuration-options.md b/docs/usage/configuration-options.md
index a55d0fa601..fa7e36e010 100644
--- a/docs/usage/configuration-options.md
+++ b/docs/usage/configuration-options.md
@@ -2426,6 +2426,7 @@ Renovate only queries the OSV database for dependencies that use one of these da
 
 - [`crate`](./modules/datasource/crate/index.md)
 - [`go`](./modules/datasource/go/index.md)
+- [`hackage`](./modules/datasource/hackage/index.md)
 - [`hex`](./modules/datasource/hex/index.md)
 - [`maven`](./modules/datasource/maven/index.md)
 - [`npm`](./modules/datasource/npm/index.md)
diff --git a/lib/workers/repository/init/vulnerability.ts b/lib/workers/repository/init/vulnerability.ts
index 1d90436a9e..dd93c1bee8 100644
--- a/lib/workers/repository/init/vulnerability.ts
+++ b/lib/workers/repository/init/vulnerability.ts
@@ -47,7 +47,7 @@ export function getFixedVersionByDatasource(
     return `[${fixedVersion},)`;
   }
 
-  // crates.io, Go, Hex, npm, RubyGems, PyPI
+  // crates.io, Go, Hackage, Hex, npm, RubyGems, PyPI
   return `>= ${fixedVersion}`;
 }
 
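Review bot: Nothing in this hunk shows that the versioning scheme used for the `hackage` datasource can evaluate the `>= ${fixedVersion}` string produced by the fallback return, which Hackage now relies on according to the updated comment. If that scheme only accepts bounded ranges or a different spelling of the lower bound, the generated `allowedVersions` would not restrict the remediation to fixed releases, and the alert could be dropped or could propose a version that is still affected. Please confirm this against the scheme's range parser and, if needed, add a Hackage branch ahead of the fallback in the style of the `[${fixedVersion},)` case above. The body of `getFixedVersionByDatasource` starts outside the hunk.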
diff --git a/lib/workers/repository/process/vulnerabilities.spec.ts b/lib/workers/repository/process/vulnerabilities.spec.ts
index e559920182..db30414b2e 100644
--- a/lib/workers/repository/process/vulnerabilities.spec.ts
+++ b/lib/workers/repository/process/vulnerabilities.spec.ts
@@ -840,6 +840,63 @@ describe('workers/repository/process/vulnerabilities', () => {
       ]);
     });
 
+    it('returns packageRules for Hackage', async () => {
+      const packageFiles: Record<string, PackageFile[]> = {
+        hackage: [
+          {
+            deps: [
+              {
+                depName: 'aeson',
+                currentValue: '0.4.0.0',
+                datasource: 'hackage',
+              },
+            ],
+            packageFile: 'some-file',
+          },
+        ],
+      };
+      getVulnerabilitiesMock.mockResolvedValueOnce([
+        {
+          id: 'HSEC-2023-0001',
+          summary: 'Hash flooding vulnerability in aeson',
+          details:
+            '# Hash flooding vulnerability in aeson\n\n*aeson* was vulnerable to hash flooding (a.k.a. hash DoS).  The\nissue is a consequence of the HashMap implementation from\n*unordered-containers*.  It results in a denial of service through\nCPU consumption.  This technique has been used in real-world attacks\nagainst a variety of languages, libraries and frameworks over the\nyears.\n',
+          aliases: ['CVE-2022-3433'],
+          modified: '2023-06-13T09:03:52Z',
+          affected: [
+            {
+              package: {
+                ecosystem: 'Hackage',
+                name: 'aeson',
+              },
+              ranges: [
+                {
+                  type: 'ECOSYSTEM',
+                  events: [{ introduced: '0.4.0.0' }, { fixed: '2.0.1.0' }],
+                },
+              ],
+            },
+          ],
+        },
+      ]);
+
+      await vulnerabilities.appendVulnerabilityPackageRules(
+        config,
+        packageFiles,
+      );
+
+      expect(config.packageRules).toHaveLength(1);
+      expect(config.packageRules).toMatchObject([
+        {
+          matchDatasources: ['hackage'],
+          matchPackageNames: ['aeson'],
+          matchCurrentVersion: '0.4.0.0',
+          allowedVersions: '>= 2.0.1.0',
+          isVulnerabilityAlert: true,
+        },
+      ]);
+    });
+
     it('filters not applicable vulnerability based on last_affected version', async () => {
       const packageFiles: Record<string, PackageFile[]> = {
         poetry: [
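Review bot: The new Hackage test covers only the affected case and asserts the `allowedVersions` string, so it does not pin that four-component versions are compared correctly at the `fixed` boundary. A companion case using the same advisory with `currentValue: '2.0.1.0'` would cover this; it should presumably end in `expect(config.packageRules).toHaveLength(0);`, so a comparison bug that flags patched installs (or misses affected ones) would be caught. The fixture also uses an exact version as `currentValue`; if Hackage dependencies normally reach this code as ranges, one range-valued case would be worth adding too. The enclosing `describe` block starts and ends outside the hunk.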
diff --git a/lib/workers/repository/process/vulnerabilities.ts b/lib/workers/repository/process/vulnerabilities.ts
index b3ed9b5656..48991ea669 100644
--- a/lib/workers/repository/process/vulnerabilities.ts
+++ b/lib/workers/repository/process/vulnerabilities.ts
@@ -35,6 +35,7 @@ export class Vulnerabilities {
   > = {
     crate: 'crates.io',
     go: 'Go',
+    hackage: 'Hackage',
     hex: 'Hex',
     maven: 'Maven',
     npm: 'npm',
-- 
GitLab