From 6d86bbd3534e997ca20a832c39eb83076d603129 Mon Sep 17 00:00:00 2001
From: Rhys Arkins <rhys@arkins.net>
Date: Sun, 19 May 2019 07:06:16 +0200
Subject: [PATCH] fix(vulnerability-alerts): use datasources, not managers
---
 lib/workers/repository/init/vulnerability.js | 42 ++++++++++---------
 .../__snapshots__/vulnerability.spec.js.snap | 24 +++++------
 2 files changed, 34 insertions(+), 32 deletions(-)
diff --git a/lib/workers/repository/init/vulnerability.js b/lib/workers/repository/init/vulnerability.js
index 65075fcc33..6163ae5d61 100644
--- a/lib/workers/repository/init/vulnerability.js
+++ b/lib/workers/repository/init/vulnerability.js
@@ -34,29 +34,31 @@ async function detectVulnerabilityAlerts(input) {
 );
 continue; // eslint-disable-line no-continue
 }
- const managerMapping = {
+ const datasourceMapping = {
 MAVEN: 'maven',
 NPM: 'npm',
 NUGET: 'nuget',
- PIP: 'pip_requirements',
+ PIP: 'pypi',
 RUBYGEMS: 'bundler',
 };
- const manager =
- managerMapping[alert.securityVulnerability.package.ecosystem];
- if (!combinedAlerts[manager]) {
- combinedAlerts[manager] = {};
+ const datasource =
+ datasourceMapping[alert.securityVulnerability.package.ecosystem];
+ if (!combinedAlerts[datasource]) {
+ combinedAlerts[datasource] = {};
 }
 const depName = alert.securityVulnerability.package.name;
- if (!combinedAlerts[manager][depName]) {
- combinedAlerts[manager][depName] = {
+ if (!combinedAlerts[datasource][depName]) {
+ combinedAlerts[datasource][depName] = {
 advisories: [],
 fileNames: [],
 };
 }
- combinedAlerts[manager][depName].advisories.push(alert.securityAdvisory);
+ combinedAlerts[datasource][depName].advisories.push(
+ alert.securityAdvisory
+ );
 const fileName = alert.vulnerableManifestFilename;
- if (!combinedAlerts[manager][depName].fileNames.includes(fileName)) {
- combinedAlerts[manager][depName].fileNames.push(fileName);
+ if (!combinedAlerts[datasource][depName].fileNames.includes(fileName)) {
+ combinedAlerts[datasource][depName].fileNames.push(fileName);
 }
 const firstPatchedVersion =
 alert.securityVulnerability.firstPatchedVersion.identifier;
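Review bot: `RUBYGEMS: 'bundler'` is the one entry of `datasourceMapping` still carrying a manager name after the others were converted to datasource ids, and the object closed just before the `versionSchemes[datasource]` lookup in the next hunk is keyed `rubygems`, so that is presumably the value meant here: `RUBYGEMS: 'rubygems',`. Unless the guard cut off just above this hunk already rejects ecosystems outside this table, an ecosystem not listed yields `datasource === undefined`, which silently creates a `combinedAlerts.undefined` bucket and later a packageRule with `datasources: [undefined]`; I would add `if (!datasource) { logger.warn({ ecosystem: alert.securityVulnerability.package.ecosystem }, 'Unknown vulnerability alert ecosystem'); continue; // eslint-disable-line no-continue }` directly after the lookup, since a security alert that is dropped without a log line is the worst failure mode for this code. detectVulnerabilityAlerts begins before this hunk and continues after it.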
@@ -67,21 +69,21 @@ async function detectVulnerabilityAlerts(input) {
 pip_requirements: 'pep440',
 rubygems: 'ruby',
 };
- const versionScheme = versioning.get(versionSchemes[manager]);
+ const versionScheme = versioning.get(versionSchemes[datasource]);
 if (versionScheme.isVersion(firstPatchedVersion)) {
- if (combinedAlerts[manager][depName].firstPatchedVersion) {
+ if (combinedAlerts[datasource][depName].firstPatchedVersion) {
 if (
 versionScheme.isGreaterThan(
 firstPatchedVersion,
- combinedAlerts[manager][depName].firstPatchedVersion
+ combinedAlerts[datasource][depName].firstPatchedVersion
 )
 ) {
- combinedAlerts[manager][
+ combinedAlerts[datasource][
 depName
 ].firstPatchedVersion = firstPatchedVersion;
 }
 } else {
- combinedAlerts[manager][
+ combinedAlerts[datasource][
 depName
 ].firstPatchedVersion = firstPatchedVersion;
 }
@@ -93,7 +95,7 @@ async function detectVulnerabilityAlerts(input) {
 }
 }
 const alertPackageRules = [];
- for (const [manager, dependencies] of Object.entries(combinedAlerts)) {
+ for (const [datasource, dependencies] of Object.entries(combinedAlerts)) {
 for (const [depName, val] of Object.entries(dependencies)) {
 let prBodyNotes = [];
 try {
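Review bot: `versionSchemes[datasource]` now misses for the renamed ecosystems: the table still has the `pip_requirements` and `rubygems` keys visible at the top of this hunk, while the mapping in the previous hunk produces `pypi` and `bundler`, so for Python and Ruby alerts `versioning.get(undefined)` now decides which `firstPatchedVersion` identifiers are accepted and which one wins the `isGreaterThan` comparison. The snapshot in this same patch appears to show the effect: ansible's computed fix version drops from `2.2.1.0` to `2.2.0`, below the `2.2.1` that the advisory text in the snapshot's last hunk header names as the fixed release, so the generated `allowedVersions` would admit a version the advisory still calls vulnerable. The keys should be spelled the way `datasourceMapping` spells its values, `pypi: 'pep440',` and a ruby key matching whatever the RUBYGEMS entry is settled on, and a `logger.warn` plus skip when `versionSchemes[datasource]` is undefined would keep a future rename from silently switching schemes again. detectVulnerabilityAlerts starts before this hunk and continues after it.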
@@ -122,21 +124,21 @@ async function detectVulnerabilityAlerts(input) {
 logger.warn({ err }, 'Error generating vulnerability PR notes');
 }
 const matchRule = {
- managers: [manager],
+ datasources: [datasource],
 packageNames: [depName],
 matchCurrentVersion: `< ${val.firstPatchedVersion}`,
 prBodyNotes,
 force: {
 ...config.vulnerabilityAlerts,
 vulnerabilityAlert: true,
- branchTopic: `${manager}-${depName}-vulnerability`,
+ branchTopic: `${datasource}-${depName}-vulnerability`,
 },
 };
 alertPackageRules.push(matchRule);
 const allowedRule = JSON.parse(JSON.stringify(matchRule));
 delete allowedRule.matchCurrentVersion;
 delete allowedRule.force;
- if (manager === 'npm') {
+ if (datasource === 'npm') {
 allowedRule.allowedVersions = `^${val.firstPatchedVersion}`;
 } else {
 allowedRule.allowedVersions = `>= ${val.firstPatchedVersion}`;
diff --git a/test/workers/repository/init/__snapshots__/vulnerability.spec.js.snap b/test/workers/repository/init/__snapshots__/vulnerability.spec.js.snap
index 88cf06aab3..40b80a4b97 100644
--- a/test/workers/repository/init/__snapshots__/vulnerability.spec.js.snap
+++ b/test/workers/repository/init/__snapshots__/vulnerability.spec.js.snap
@@ -3,6 +3,9 @@
 exports[`workers/repository/init/vulnerability detectVulnerabilityAlerts() returns alerts 1`] = `
 Array [
 Object {
+ "datasources": Array [
+ "npm",
+ ],
 "force": Object {
 "branchTopic": "npm-electron-vulnerability",
 "commitMessageSuffix": "[SECURITY]",
@@ -12,9 +15,6 @@ Array [
 "schedule": Array [],
 "vulnerabilityAlert": true,
 },
- "managers": Array [
- "npm",
- ],
 "matchCurrentVersion": "< 1.8.3",
 "packageNames": Array [
 "electron",
@@ -28,7 +28,7 @@ Electron version 1.7 up to 1.7.12; 1.8 up to 1.8.3 and 2.0.0 up to 2.0.0-beta.3
 },
 Object {
 "allowedVersions": "^1.8.3",
- "managers": Array [
+ "datasources": Array [
 "npm",
 ],
 "packageNames": Array [
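Review bot: `matchCurrentVersion: \`< ${val.firstPatchedVersion}\`` and both `allowedVersions` templates are built even when `val.firstPatchedVersion` was never assigned, which the previous hunk permits whenever none of a dependency's advisory identifiers passed `versionScheme.isVersion`, yielding rules such as `< undefined` and `>= undefined`; with the scheme lookup now missing for the pypi and bundler datasources this case becomes more likely, not less. Unless the lines between the hunks already skip such dependencies, I would guard before `const matchRule = {` with `if (!val.firstPatchedVersion) { logger.warn({ datasource, depName }, 'No parsable firstPatchedVersion for vulnerability alert'); continue; // eslint-disable-line no-continue }` so a security alert that cannot be turned into a valid constraint is visible in the logs rather than emitted as a rule that does nothing. The enclosing for-of loops and detectVulnerabilityAlerts continue past the end of this hunk.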
@@ -42,8 +42,11 @@ Electron version 1.7 up to 1.7.12; 1.8 up to 1.8.3 and 2.0.0 up to 2.0.0-beta.3
 ],
 },
 Object {
+ "datasources": Array [
+ "pypi",
+ ],
 "force": Object {
- "branchTopic": "pip_requirements-ansible-vulnerability",
+ "branchTopic": "pypi-ansible-vulnerability",
 "commitMessageSuffix": "[SECURITY]",
 "groupName": null,
 "masterIssueApproval": false,
@@ -51,10 +54,7 @@ Electron version 1.7 up to 1.7.12; 1.8 up to 1.8.3 and 2.0.0 up to 2.0.0-beta.3
 "schedule": Array [],
 "vulnerabilityAlert": true,
 },
- "managers": Array [
- "pip_requirements",
- ],
- "matchCurrentVersion": "< 2.2.1.0",
+ "matchCurrentVersion": "< 2.2.0",
 "packageNames": Array [
 "ansible",
 ],
@@ -81,9 +81,9 @@ Ansible before versions 2.1.4, 2.2.1 is vulnerable to an improper input validati
 ],
 },
 Object {
- "allowedVersions": ">= 2.2.1.0",
- "managers": Array [
- "pip_requirements",
+ "allowedVersions": ">= 2.2.0",
+ "datasources": Array [
+ "pypi",
 ],
 "packageNames": Array [
 "ansible",
-- 
GitLab