From 486f5747f60d05cad90989039443d94f43aaf8ef Mon Sep 17 00:00:00 2001
From: Rhys Arkins <rhys@arkins.net>
Date: Mon, 5 Apr 2021 13:49:33 +0200
Subject: [PATCH] refactor(github): vulnerability alerts warning (#9398)

---
 docs/usage/configuration-options.md | 12 ++++++++++--
 lib/platform/github/index.ts        | 24 +++++++++++++++++++-----
 2 files changed, 29 insertions(+), 7 deletions(-)

diff --git a/docs/usage/configuration-options.md b/docs/usage/configuration-options.md
index a8f43c2a7c..21c10e0cd9 100644
--- a/docs/usage/configuration-options.md
+++ b/docs/usage/configuration-options.md
@@ -2229,7 +2229,15 @@ In most cases it would not be recommended, but there are some cases such as Dock
 
 ## vulnerabilityAlerts
 
-Use this object to customise PRs that are raised when vulnerability alerts are detected (GitHub-only).
+Renovate can read from GitHub's Vulnerability Alerts and customize Pull Requests accordingly.
+For this to work, you must first ensure you have enabled "[Dependency graph](https://docs.github.com/en/code-security/supply-chain-security/about-the-dependency-graph#enabling-the-dependency-graph)" and "[Dependabot alerts](https://docs.github.com/en/github/administering-a-repository/managing-security-and-analysis-settings-for-your-repository)" under the "Security & analysis" section of the repository's "Settings" tab.
+
+Additionally, if you are running Renovate in app mode then you must make sure that the app has been granted the permissions to read "Vulnerability alerts".
+If you are the account admin, browse to the app (e.g. [https://github.com/apps/renovate](https://github.com/apps/renovate)), select "Configure", and then scroll down to the "Permissions" section and verify that read access to "vulnerability alerts" is mentioned.
+
+Once the above conditions are met, and you have received one or more vulnerability alerts from GitHub for this repository, then Renovate will attempt to raise fix PRs accordingly.
+
+Use the `vulnerabilityAlerts` configuration object if you want to customise vulnerability-fix PRs specifically.
 For example, to configure custom labels and assignees:
 
 ```json
@@ -2241,7 +2249,7 @@ For example, to configure custom labels and assignees:
 }
 ```
 
-To disable vulnerability alerts completely, configure like this:
+To disable the vulnerability alerts functionality completely, configure like this:
 
 ```json
 {
diff --git a/lib/platform/github/index.ts b/lib/platform/github/index.ts
index bb5f4256df..d3a10b78b2 100644
--- a/lib/platform/github/index.ts
+++ b/lib/platform/github/index.ts
@@ -1682,14 +1682,28 @@ export async function getVulnerabilityAlerts(): Promise<VulnerabilityAlert[]> {
       }
     }
   }`;
-  let alerts: VulnerabilityAlert[] = [];
+  let vulnerabilityAlerts: {
+    node: VulnerabilityAlert;
+  }[];
   try {
-    const vulnerabilityAlerts = await githubApi.queryRepoField<{
+    vulnerabilityAlerts = await githubApi.queryRepoField<{
       node: VulnerabilityAlert;
     }>(query, 'vulnerabilityAlerts', {
       paginate: false,
       acceptHeader: 'application/vnd.github.vixen-preview+json',
     });
+  } catch (err) {
+    logger.debug({ err }, 'Error retrieving vulnerability alerts');
+    logger.warn(
+      {
+        url:
+          'https://docs.renovatebot.com/configuration-options/#vulnerabilityalerts',
+      },
+      'Cannot access vulnerability alerts. Please ensure permissions have been granted.'
+    );
+  }
+  let alerts: VulnerabilityAlert[] = [];
+  try {
     if (vulnerabilityAlerts?.length) {
       alerts = vulnerabilityAlerts.map((edge) => edge.node);
       const shortAlerts: AggregatedVulnerabilities = {};
@@ -1712,10 +1726,10 @@ export async function getVulnerabilityAlerts(): Promise<VulnerabilityAlert[]> {
         logger.debug({ alerts: shortAlerts }, 'GitHub vulnerability details');
       }
     } else {
-      logger.debug('Cannot read vulnerability alerts');
+      logger.debug('No vulnerability alerts found');
     }
-  } catch (err) {
-    logger.debug({ err }, 'Error retrieving vulnerability alerts');
+  } catch (err) /* istanbul ignore next */ {
+    logger.error({ err }, 'Error processing vulnerabity alerts');
   }
   return alerts;
 }
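Review bot: The `else` branch that now logs `'No vulnerability alerts found'` is also reached when the fetch itself failed and `vulnerabilityAlerts` was never assigned, so the debug log will report "no alerts" directly after the warning that alerts could not be accessed, which is the one case where a reader triaging missing vulnerability-fix PRs needs the logs to disagree with that. Guard it on the fetch having succeeded, `} else if (vulnerabilityAlerts) {`, so the failed-access case leaves only the warning and the debug entry carrying `err`. The new error message also misspells the word in `'Error processing vulnerabity alerts'`; correct it to `'Error processing vulnerability alerts'` before it is grepped for in production logs. The function's signature lies before this hunk's first line.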
-- 
GitLab