From 31bd24869df2e08fb0742003d0adf20c0c6405fb Mon Sep 17 00:00:00 2001
From: Rhys Arkins <rhys@arkins.net>
Date: Sun, 19 May 2019 07:10:37 +0200
Subject: [PATCH] fix(vulnerability-alerts): maven matchCurrentVersion syntax

---
 lib/workers/repository/init/vulnerability.js | 8 +++-
 .../__snapshots__/vulnerability.spec.js.snap | 39 +++++++++++++++++++
 .../repository/init/vulnerability.spec.js | 28 ++++++++++++-
 3 files changed, 73 insertions(+), 2 deletions(-)

diff --git a/lib/workers/repository/init/vulnerability.js b/lib/workers/repository/init/vulnerability.js
index 6163ae5d61..fbb891835a 100644
--- a/lib/workers/repository/init/vulnerability.js
+++ b/lib/workers/repository/init/vulnerability.js
@@ -123,10 +123,16 @@ async function detectVulnerabilityAlerts(input) {
       } catch (err) /* istanbul ignore next */ {
         logger.warn({ err }, 'Error generating vulnerability PR notes');
       }
+      let matchCurrentVersion;
+      if (datasource === 'maven') {
+        matchCurrentVersion = `(,${val.firstPatchedVersion})`;
+      } else {
+        matchCurrentVersion = `< ${val.firstPatchedVersion}`;
+      }
       const matchRule = {
         datasources: [datasource],
         packageNames: [depName],
-        matchCurrentVersion: `< ${val.firstPatchedVersion}`,
+        matchCurrentVersion,
         prBodyNotes,
         force: {
           ...config.vulnerabilityAlerts,
diff --git a/test/workers/repository/init/__snapshots__/vulnerability.spec.js.snap b/test/workers/repository/init/__snapshots__/vulnerability.spec.js.snap
index 40b80a4b97..25496d3e62 100644
--- a/test/workers/repository/init/__snapshots__/vulnerability.spec.js.snap
+++ b/test/workers/repository/init/__snapshots__/vulnerability.spec.js.snap
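Review bot: The new maven branch interpolates `val.firstPatchedVersion` without checking that it is set, so an alert carrying no patched version would yield the rule string `(,undefined)` (and `< undefined` on the other branch), which is unlikely to parse as a range; unless such alerts are already skipped earlier in detectVulnerabilityAlerts (the function's start and end lie outside this hunk), the matchRule should only be built when a patched version exists. The let/if/else pair could also collapse to a single `const matchCurrentVersion` assigned with a ternary between the two template literals, ideally carrying a comment such as `// maven range syntax: exclusive upper bound, the equivalent of "< firstPatchedVersion"`. The snapshot in this same commit shows the companion rule `"allowedVersions": ">= 2.7.9.4"` still emitted with semver operator syntax for the maven datasource; that rule is built outside this hunk, but if the maven versioning does not accept a `>=` range it appears to need the matching fix (the maven form would be `[2.7.9.4,)`).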
@@ -110,5 +110,44 @@ Ansible before version 2.2.0 fails to properly sanitize fact variables sent from
 Ansible before versions 2.1.4, 2.2.1 is vulnerable to an improper input validation in Ansible's handling of data sent from client systems. An attacker with control over a client system being managed by Ansible and the ability to send facts back to the Ansible server could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges.",
     ],
   },
+  Object {
+    "datasources": Array [
+      "maven",
+    ],
+    "force": Object {
+      "branchTopic": "maven-com.fasterxml.jackson.core:jackson-databind-vulnerability",
+      "commitMessageSuffix": "[SECURITY]",
+      "groupName": null,
+      "masterIssueApproval": false,
+      "rangeStrategy": "update-lockfile",
+      "schedule": Array [],
+      "vulnerabilityAlert": true,
+    },
+    "matchCurrentVersion": "(,2.7.9.4)",
+    "packageNames": Array [
+      "com.fasterxml.jackson.core:jackson-databind",
+    ],
+    "prBodyNotes": Array [
+      "### GitHub Vulnerability Alerts",
+      "#### [CVE-2018-12022](https://nvd.nist.gov/vuln/detail/CVE-2018-12022)
+
+An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.",
+    ],
+  },
+  Object {
+    "allowedVersions": ">= 2.7.9.4",
+    "datasources": Array [
+      "maven",
+    ],
+    "packageNames": Array [
+      "com.fasterxml.jackson.core:jackson-databind",
+    ],
+    "prBodyNotes": Array [
+      "### GitHub Vulnerability Alerts",
+      "#### [CVE-2018-12022](https://nvd.nist.gov/vuln/detail/CVE-2018-12022)
+
+An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.",
+    ],
+  },
 ]
 `;
diff --git a/test/workers/repository/init/vulnerability.spec.js b/test/workers/repository/init/vulnerability.spec.js
index 8dc35731fd..3ce3e33f75 100644
--- a/test/workers/repository/init/vulnerability.spec.js
+++ b/test/workers/repository/init/vulnerability.spec.js
@@ -239,10 +239,36 @@ describe('workers/repository/init/vulnerability', () => {
             vulnerableVersionRange: '< 2.1.4',
           },
         },
+        {
+          dismissReason: null,
+          vulnerableManifestFilename: 'pom.xml',
+          vulnerableManifestPath: 'pom.xml',
+          vulnerableRequirements: '= 2.4.2',
+          securityAdvisory: {
+            description:
+              'An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.',
+            identifiers: [
+              { type: 'GHSA', value: 'GHSA-cjjf-94ff-43w7' },
+              { type: 'CVE', value: 'CVE-2018-12022' },
+            ],
+            references: [
+              { url: 'https://nvd.nist.gov/vuln/detail/CVE-2018-12022' },
+            ],
+            severity: 'HIGH',
+          },
+          securityVulnerability: {
+            package: {
+              name: 'com.fasterxml.jackson.core:jackson-databind',
+              ecosystem: 'MAVEN',
+            },
+            firstPatchedVersion: { identifier: '2.7.9.4' },
+            vulnerableVersionRange: '< 2.7.9.4',
+          },
+        },
       ]);
       const res = await detectVulnerabilityAlerts(config);
       expect(res.packageRules).toMatchSnapshot();
-      expect(res.packageRules).toHaveLength(4);
+      expect(res.packageRules).toHaveLength(6);
     });
   });
 });
-- 
GitLab
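Review bot: The maven fixture added here is verified only through the snapshot and the length assertion on the last changed line, so the value this commit exists to fix, `(,2.7.9.4)`, is never asserted directly and a routine snapshot update could regress it unnoticed; an explicit `expect(res.packageRules[4].matchCurrentVersion).toBe('(,2.7.9.4)');` would pin it (the snapshot appears to place the maven matchCurrentVersion rule as the fifth entry). The fixture also covers only an alert with a firstPatchedVersion; a maven alert lacking one is not exercised, so whatever the production code emits for that case remains untested.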