diff --git a/lib/platform/github/index.js b/lib/platform/github/index.js
index 7612bc202dcb3aa6cfb18dd68174090b43c25e77..b1865a6a2d5cbd912360f671590750526cb07e9d 100644
--- a/lib/platform/github/index.js
+++ b/lib/platform/github/index.js
@@ -1488,6 +1488,12 @@ async function getVulnerabilityAlerts() {
 vulnerableManifestFilename
 vulnerableManifestPath
 vulnerableRequirements
+securityAdvisory {
+description
+identifiers { type value }
+references { url }
+severity
+}
 securityVulnerability {
 package { name ecosystem }
 firstPatchedVersion { identifier }
diff --git a/lib/workers/repository/init/vulnerability.js b/lib/workers/repository/init/vulnerability.js
index fbfd6989fb8b0763df68e889d97baee2f8d00540..d9f87c054d444414019a88d20e9890b6f612c0b1 100644
--- a/lib/workers/repository/init/vulnerability.js
+++ b/lib/workers/repository/init/vulnerability.js
@@ -42,9 +42,11 @@ async function detectVulnerabilityAlerts(input) {
 const depName = alert.securityVulnerability.package.name;
 if (!combinedAlerts[manager][depName]) {
 combinedAlerts[manager][depName] = {
+advisories: [],
 fileNames: [],
 };
 }
+combinedAlerts[manager][depName].advisories.push(alert.securityAdvisory);
 const fileName = alert.vulnerableManifestFilename;
 if (!combinedAlerts[manager][depName].fileNames.includes(fileName)) {
 combinedAlerts[manager][depName].fileNames.push(fileName);
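Review bot: The new `combinedAlerts[manager][depName].advisories.push(alert.securityAdvisory)` runs unconditionally, while `fileNames` directly below it is deduplicated with `includes`, so a dependency that is vulnerable in several manifest files gets the same advisory pushed once per file and later rendered several times in the PR body. It also pushes `securityAdvisory` even when the GraphQL response leaves it null or absent (hedged: the field may be nullable for older alerts), which the rendering code in the next hunk will trip over. A guard along the lines of `const { securityAdvisory } = alert; const seen = combinedAlerts[manager][depName].advisories;` followed by `if (securityAdvisory && !seen.some(a => a.description === securityAdvisory.description)) seen.push(securityAdvisory);` would cover both, ideally keyed on a stable identifier value rather than the description. The enclosing `detectVulnerabilityAlerts` starts before this hunk.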
@@ -86,10 +88,37 @@ async function detectVulnerabilityAlerts(input) {
 const alertPackageRules = [];
 for (const [manager, dependencies] of Object.entries(combinedAlerts)) {
 for (const [depName, val] of Object.entries(dependencies)) {
+let prBodyNotes = [];
+try {
+prBodyNotes = ['### GitHub Vulnerability Alerts'].concat(
+val.advisories.map(advisory => {
+let content = '#### ';
+let heading;
+if (advisory.identifiers.some(id => id.type === 'CVE')) {
+heading = advisory.identifiers
+.filter(id => id.type === 'CVE')
+.map(id => id.value)
+.join(' / ');
+} else {
+heading = advisory.identifiers.map(id => id.value).join(' / ');
+}
+if (advisory.references.length) {
+heading = `[${heading}](${advisory.references[0].url})`;
+}
+content += heading;
+content += '\n\n';
+content += advisory.description;
+return content;
+})
+);
+} catch (err) /* istanbul ignore next */ {
+logger.warn({ err }, 'Error generating vulnerability PR notes');
+}
 const matchRule = {
 managers: [manager],
 packageNames: [depName],
 matchCurrentVersion: `< ${val.firstPatchedVersion}`,
+prBodyNotes,
 force: {
 ...config.vulnerabilityAlerts,
 vulnerabilityAlert: true,
diff --git a/test/workers/repository/init/__snapshots__/vulnerability.spec.js.snap b/test/workers/repository/init/__snapshots__/vulnerability.spec.js.snap
index b96521c9ac4b74464b725d01416b098d18d918e0..a93d143219c472ce1e2dec0d07949aa8709834ac 100644
--- a/test/workers/repository/init/__snapshots__/vulnerability.spec.js.snap
+++ b/test/workers/repository/init/__snapshots__/vulnerability.spec.js.snap
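Review bot: The `try` wraps the whole `val.advisories.map(...)`, so one advisory with a null `identifiers` or `references` (or a null `securityAdvisory` pushed upstream) throws, the `catch` only logs, and `prBodyNotes` stays `[]` — every advisory for that dependency silently vanishes from the PR, and the `/* istanbul ignore next */` keeps that path out of coverage. The description and `references[0].url` are also written into the PR body as raw markdown: the text is authored outside this repository, and the URL is placed in a link without any scheme check, so a non-`http(s)` reference would be rendered as a clickable link. I would make the rendering per-advisory tolerant, pick the first `https?://` reference, and fall back to an empty description rather than dropping the list; `severity` is fetched by the query in the first hunk but never surfaced here, which may be worth a follow-up. The enclosing loop and function continue past the hunk.

```javascript
prBodyNotes = ['### GitHub Vulnerability Alerts'].concat(
  val.advisories
    .filter(advisory => advisory && Array.isArray(advisory.identifiers))
    .map(advisory => {
      const cveIds = advisory.identifiers.filter(id => id.type === 'CVE');
      const ids = cveIds.length ? cveIds : advisory.identifiers;
      let heading = ids.map(id => id.value).join(' / ');
      // Only link references that are plain web URLs.
      const ref = (advisory.references || []).find(r =>
        /^https?:\/\//.test(r.url)
      );
      if (ref) {
        heading = `[${heading}](${ref.url})`;
      }
      return `#### ${heading}\n\n${advisory.description || ''}`;
    })
);
// … unchanged: catch / logger.warn and the matchRule construction …
```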
@@ -14,19 +14,31 @@ Array [ "managers": Array [ "npm", ], - "matchCurrentVersion": "< 1.8.8", + "matchCurrentVersion": "< 1.8.3", "packageNames": Array [ "electron", ], + "prBodyNotes": Array [ + "### GitHub Vulnerability Alerts", + "#### [GHSA-8xwg-wv7v-4vqp](https://nvd.nist.gov/vuln/detail/CVE-2018-1000136) + +Electron version 1.7 up to 1.7.12; 1.8 up to 1.8.3 and 2.0.0 up to 2.0.0-beta.3 contains an improper handling of values vulnerability in Webviews that can result in remote code execution. This attack appear to be exploitable via an app which allows execution of 3rd party code AND disallows node integration AND has not specified if webview is enabled/disabled. This vulnerability appears to have been fixed in 1.7.13, 1.8.4, 2.0.0-beta.4.", + ], }, Object { - "allowedVersions": "^1.8.8", + "allowedVersions": "^1.8.3", "managers": Array [ "npm", ], "packageNames": Array [ "electron", ], + "prBodyNotes": Array [ + "### GitHub Vulnerability Alerts", + "#### [GHSA-8xwg-wv7v-4vqp](https://nvd.nist.gov/vuln/detail/CVE-2018-1000136) + +Electron version 1.7 up to 1.7.12; 1.8 up to 1.8.3 and 2.0.0 up to 2.0.0-beta.3 contains an improper handling of values vulnerability in Webviews that can result in remote code execution. This attack appear to be exploitable via an app which allows execution of 3rd party code AND disallows node integration AND has not specified if webview is enabled/disabled. This vulnerability appears to have been fixed in 1.7.13, 1.8.4, 2.0.0-beta.4.", + ], }, Object { "force": Object { 
@@ -40,19 +52,67 @@ Array [ "managers": Array [ "pip_requirements", ], - "matchCurrentVersion": "< 1.8.8", + "matchCurrentVersion": "< 2.2.1.0", "packageNames": Array [ "ansible", ], + "prBodyNotes": Array [ + "### GitHub Vulnerability Alerts", + "#### [CVE-2017-7481](https://nvd.nist.gov/vuln/detail/CVE-2017-7481) + +Ansible before versions 2.3.1.0 and 2.4.0.0 fails to properly mark lookup-plugin results as unsafe. If an attacker could control the results of lookup() calls, they could inject Unicode strings to be parsed by the jinja2 templating system, resulting in code execution. By default, the jinja2 templating language is now marked as 'unsafe' and is not evaluated.", + "#### [CVE-2016-3096](https://nvd.nist.gov/vuln/detail/CVE-2016-3096) + +The create_script function in the lxc_container module in Ansible before 1.9.6-1 and 2.x before 2.0.2.0 allows local users to write to arbitrary files or gain privileges via a symlink attack on (1) /opt/.lxc-attach-script, (2) the archived container in the archive_path directory, or the (3) lxc-attach-script.log or (4) lxc-attach-script.err files in the temporary directory.", + "#### [CVE-2015-3908](https://nvd.nist.gov/vuln/detail/CVE-2015-3908) + +Ansible before 1.9.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.", + "#### [CVE-2016-8647](https://nvd.nist.gov/vuln/detail/CVE-2016-8647) + +An input validation vulnerability was found in Ansible's mysql_user module before 2.2.1.0, which may fail to correctly change a password in certain circumstances. Thus the previous password would still be active when it should have been changed.", + "#### [CVE-2016-8614](https://nvd.nist.gov/vuln/detail/CVE-2016-8614) + +A flaw was found in Ansible before version 2.2.0. 
The apt_key module does not properly verify key fingerprints, allowing remote adversary to create an OpenPGP key which matches the short key ID and inject this key instead of the correct key.", + "#### [CVE-2016-8628](https://nvd.nist.gov/vuln/detail/CVE-2016-8628) + +Ansible before version 2.2.0 fails to properly sanitize fact variables sent from the Ansible controller. An attacker with the ability to create special variables on the controller could execute arbitrary commands on Ansible clients as the user Ansible runs as.", + "#### [CVE-2016-9587](https://nvd.nist.gov/vuln/detail/CVE-2016-9587) + +Ansible before versions 2.1.4, 2.2.1 is vulnerable to an improper input validation in Ansible's handling of data sent from client systems. An attacker with control over a client system being managed by Ansible and the ability to send facts back to the Ansible server could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges.", + ], }, Object { - "allowedVersions": ">= 1.8.8", + "allowedVersions": ">= 2.2.1.0", "managers": Array [ "pip_requirements", ], "packageNames": Array [ "ansible", ], + "prBodyNotes": Array [ + "### GitHub Vulnerability Alerts", + "#### [CVE-2017-7481](https://nvd.nist.gov/vuln/detail/CVE-2017-7481) + +Ansible before versions 2.3.1.0 and 2.4.0.0 fails to properly mark lookup-plugin results as unsafe. If an attacker could control the results of lookup() calls, they could inject Unicode strings to be parsed by the jinja2 templating system, resulting in code execution. 
By default, the jinja2 templating language is now marked as 'unsafe' and is not evaluated.", + "#### [CVE-2016-3096](https://nvd.nist.gov/vuln/detail/CVE-2016-3096) + +The create_script function in the lxc_container module in Ansible before 1.9.6-1 and 2.x before 2.0.2.0 allows local users to write to arbitrary files or gain privileges via a symlink attack on (1) /opt/.lxc-attach-script, (2) the archived container in the archive_path directory, or the (3) lxc-attach-script.log or (4) lxc-attach-script.err files in the temporary directory.", + "#### [CVE-2015-3908](https://nvd.nist.gov/vuln/detail/CVE-2015-3908) + +Ansible before 1.9.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.", + "#### [CVE-2016-8647](https://nvd.nist.gov/vuln/detail/CVE-2016-8647) + +An input validation vulnerability was found in Ansible's mysql_user module before 2.2.1.0, which may fail to correctly change a password in certain circumstances. Thus the previous password would still be active when it should have been changed.", + "#### [CVE-2016-8614](https://nvd.nist.gov/vuln/detail/CVE-2016-8614) + +A flaw was found in Ansible before version 2.2.0. The apt_key module does not properly verify key fingerprints, allowing remote adversary to create an OpenPGP key which matches the short key ID and inject this key instead of the correct key.", + "#### [CVE-2016-8628](https://nvd.nist.gov/vuln/detail/CVE-2016-8628) + +Ansible before version 2.2.0 fails to properly sanitize fact variables sent from the Ansible controller. 
An attacker with the ability to create special variables on the controller could execute arbitrary commands on Ansible clients as the user Ansible runs as.", + "#### [CVE-2016-9587](https://nvd.nist.gov/vuln/detail/CVE-2016-9587) + +Ansible before versions 2.1.4, 2.2.1 is vulnerable to an improper input validation in Ansible's handling of data sent from client systems. An attacker with control over a client system being managed by Ansible and the ability to send facts back to the Ansible server could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges.", + ], }, ] `; diff --git a/test/workers/repository/init/vulnerability.spec.js b/test/workers/repository/init/vulnerability.spec.js index 5d15ca311afbc0860146e40b7242c051a24b7bc6..e2321af3abe9a50a56baab1e8e2582ad9dc6ba53 100644 --- a/test/workers/repository/init/vulnerability.spec.js +++ b/test/workers/repository/init/vulnerability.spec.js 
@@ -34,74 +34,210 @@ describe('workers/repository/init/vulnerability', () => { delete config.vulnerabilityAlerts.enabled; platform.getVulnerabilityAlerts.mockReturnValue([ {}, - { - dismissReason: 'some reason', - }, { dismissReason: null, vulnerableManifestFilename: 'package-lock.json', vulnerableManifestPath: 'package-lock.json', vulnerableRequirements: '= 1.8.2', + securityAdvisory: { + description: + 'Electron version 1.7 up to 1.7.12; 1.8 up to 1.8.3 and 2.0.0 up to 2.0.0-beta.3 contains an improper handling of values vulnerability in Webviews that can result in remote code execution. This attack appear to be exploitable via an app which allows execution of 3rd party code AND disallows node integration AND has not specified if webview is enabled/disabled. This vulnerability appears to have been fixed in 1.7.13, 1.8.4, 2.0.0-beta.4.', + identifiers: [{ type: 'GHSA', value: 'GHSA-8xwg-wv7v-4vqp' }], + references: [ + { url: 'https://nvd.nist.gov/vuln/detail/CVE-2018-1000136' }, + ], + severity: 'HIGH', + }, securityVulnerability: { - package: { - name: 'electron', - ecosystem: 'NPM', - }, - firstPatchedVersion: { - identifier: '1.8.3', - }, + package: { name: 'electron', ecosystem: 'NPM' }, + firstPatchedVersion: { identifier: '1.8.3' }, vulnerableVersionRange: '>= 1.8, < 1.8.3', }, }, { - dismissReason: null, + dismissReason: 'some reason', vulnerableManifestFilename: 'package-lock.json', vulnerableManifestPath: 'package-lock.json', vulnerableRequirements: '= 1.8.2', + securityAdvisory: { + description: + 'GitHub Electron 1.7.15, 1.8.7, 2.0.7, and 3.0.0-beta.6, in certain scenarios involving IFRAME elements and "nativeWindowOpen: true" or "sandbox: true" options, is affected by a WebPreferences vulnerability that can be leveraged to perform remote code execution.', + identifiers: [ + { type: 'GHSA', value: 'GHSA-hv9c-qwqg-qj3v' }, + { type: 'CVE', value: 'CVE-2018-15685' }, + ], + references: [ + { url: 'https://nvd.nist.gov/vuln/detail/CVE-2018-15685' }, + ], 
+ severity: 'HIGH', + }, securityVulnerability: { - package: { - name: 'electron', - ecosystem: 'NPM', - }, - firstPatchedVersion: { - identifier: 'abc-1.8.8', - }, - vulnerableVersionRange: '>= 1.8, < 1.8.8', + package: { name: 'electron', ecosystem: 'NPM' }, + firstPatchedVersion: { identifier: '1.8.8' }, + vulnerableVersionRange: '>= 1.8.0, < 1.8.8', }, }, { dismissReason: null, - vulnerableManifestFilename: 'package-lock.json', - vulnerableManifestPath: 'package-lock.json', - vulnerableRequirements: '= 1.8.2', + vulnerableManifestFilename: 'requirements.txt', + vulnerableManifestPath: 'requirements.txt', + vulnerableRequirements: '= 1.6.7', + securityAdvisory: { + description: + "Ansible before versions 2.3.1.0 and 2.4.0.0 fails to properly mark lookup-plugin results as unsafe. If an attacker could control the results of lookup() calls, they could inject Unicode strings to be parsed by the jinja2 templating system, resulting in code execution. By default, the jinja2 templating language is now marked as 'unsafe' and is not evaluated.", + identifiers: [ + { type: 'GHSA', value: 'GHSA-w578-j992-554x' }, + { type: 'CVE', value: 'CVE-2017-7481' }, + ], + references: [ + { url: 'https://nvd.nist.gov/vuln/detail/CVE-2017-7481' }, + ], + severity: 'MODERATE', + }, + securityVulnerability: { + package: { name: 'ansible', ecosystem: 'PIP' }, + firstPatchedVersion: { identifier: 'abc-2.3.1.0' }, + vulnerableVersionRange: '< 2.3.1.0', + }, + }, + { + dismissReason: null, + vulnerableManifestFilename: 'requirements.txt', + vulnerableManifestPath: 'requirements.txt', + vulnerableRequirements: '= 1.6.7', + securityAdvisory: { + description: + 'The create_script function in the lxc_container module in Ansible before 1.9.6-1 and 2.x before 2.0.2.0 allows local users to write to arbitrary files or gain privileges via a symlink attack on (1) /opt/.lxc-attach-script, (2) the archived container in the archive_path directory, or the (3) lxc-attach-script.log or (4) 
lxc-attach-script.err files in the temporary directory.', + identifiers: [ + { type: 'GHSA', value: 'GHSA-rh6x-qvg7-rrmj' }, + { type: 'CVE', value: 'CVE-2016-3096' }, + ], + references: [ + { url: 'https://nvd.nist.gov/vuln/detail/CVE-2016-3096' }, + ], + severity: 'HIGH', + }, securityVulnerability: { - package: { - name: 'electron', - ecosystem: 'NPM', - }, - firstPatchedVersion: { - identifier: '1.8.8', - }, - vulnerableVersionRange: '>= 1.8, < 1.8.8', + package: { name: 'ansible', ecosystem: 'PIP' }, + firstPatchedVersion: { identifier: '1.9.6.1' }, + vulnerableVersionRange: '< 1.9.6.1', }, }, { dismissReason: null, vulnerableManifestFilename: 'requirements.txt', vulnerableManifestPath: 'requirements.txt', - vulnerableRequirements: '== 1.8.2', + vulnerableRequirements: '= 1.6.7', + securityAdvisory: { + description: + "Ansible before 1.9.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.", + identifiers: [ + { type: 'GHSA', value: 'GHSA-w64c-pxjj-h866' }, + { type: 'CVE', value: 'CVE-2015-3908' }, + ], + references: [ + { url: 'https://nvd.nist.gov/vuln/detail/CVE-2015-3908' }, + ], + severity: 'MODERATE', + }, securityVulnerability: { - package: { - name: 'ansible', - ecosystem: 'PIP', - }, - firstPatchedVersion: { - identifier: '1.8.8', - }, - vulnerableVersionRange: '>= 1.8, < 1.8.8', + package: { name: 'ansible', ecosystem: 'PIP' }, + firstPatchedVersion: { identifier: '1.9.2' }, + vulnerableVersionRange: '< 1.9.2', + }, + }, + { + dismissReason: null, + vulnerableManifestFilename: 'requirements.txt', + vulnerableManifestPath: 'requirements.txt', + vulnerableRequirements: '= 1.6.7', + securityAdvisory: { + description: + "An input validation vulnerability was found in Ansible's mysql_user module before 2.2.1.0, which may fail to correctly change a password in 
certain circumstances. Thus the previous password would still be active when it should have been changed.", + identifiers: [ + { type: 'GHSA', value: 'GHSA-x4cm-m36h-c6qj' }, + { type: 'CVE', value: 'CVE-2016-8647' }, + ], + references: [ + { url: 'https://nvd.nist.gov/vuln/detail/CVE-2016-8647' }, + ], + severity: 'MODERATE', + }, + securityVulnerability: { + package: { name: 'ansible', ecosystem: 'PIP' }, + firstPatchedVersion: { identifier: '2.2.1.0' }, + vulnerableVersionRange: '< 2.2.1.0', + }, + }, + { + dismissReason: null, + vulnerableManifestFilename: 'requirements.txt', + vulnerableManifestPath: 'requirements.txt', + vulnerableRequirements: '= 1.6.7', + securityAdvisory: { + description: + 'A flaw was found in Ansible before version 2.2.0. The apt_key module does not properly verify key fingerprints, allowing remote adversary to create an OpenPGP key which matches the short key ID and inject this key instead of the correct key.', + identifiers: [ + { type: 'GHSA', value: 'GHSA-cmwx-9m2h-x7v4' }, + { type: 'CVE', value: 'CVE-2016-8614' }, + ], + references: [ + { url: 'https://nvd.nist.gov/vuln/detail/CVE-2016-8614' }, + ], + severity: 'MODERATE', + }, + securityVulnerability: { + package: { name: 'ansible', ecosystem: 'PIP' }, + firstPatchedVersion: { identifier: '2.2.0' }, + vulnerableVersionRange: '< 2.2.0', + }, + }, + { + dismissReason: null, + vulnerableManifestFilename: 'requirements.txt', + vulnerableManifestPath: 'requirements.txt', + vulnerableRequirements: '= 1.6.7', + securityAdvisory: { + description: + 'Ansible before version 2.2.0 fails to properly sanitize fact variables sent from the Ansible controller. 
An attacker with the ability to create special variables on the controller could execute arbitrary commands on Ansible clients as the user Ansible runs as.', + identifiers: [ + { type: 'GHSA', value: 'GHSA-jg4f-jqm5-4mgq' }, + { type: 'CVE', value: 'CVE-2016-8628' }, + ], + references: [ + { url: 'https://nvd.nist.gov/vuln/detail/CVE-2016-8628' }, + ], + severity: 'MODERATE', + }, + securityVulnerability: { + package: { name: 'ansible', ecosystem: 'PIP' }, + firstPatchedVersion: { identifier: '2.2.0' }, + vulnerableVersionRange: '< 2.2.0', + }, + }, + { + dismissReason: null, + vulnerableManifestFilename: 'requirements.txt', + vulnerableManifestPath: 'requirements.txt', + vulnerableRequirements: '= 1.6.7', + securityAdvisory: { + description: + "Ansible before versions 2.1.4, 2.2.1 is vulnerable to an improper input validation in Ansible's handling of data sent from client systems. An attacker with control over a client system being managed by Ansible and the ability to send facts back to the Ansible server could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges.", + identifiers: [ + { type: 'GHSA', value: 'GHSA-m956-frf4-m2wr' }, + { type: 'CVE', value: 'CVE-2016-9587' }, + ], + references: [ + { url: 'https://nvd.nist.gov/vuln/detail/CVE-2016-9587' }, + ], + severity: 'MODERATE', + }, + securityVulnerability: { + package: { name: 'ansible', ecosystem: 'PIP' }, + firstPatchedVersion: { identifier: '2.1.4' }, + vulnerableVersionRange: '< 2.1.4', }, }, - {}, ]); const res = await detectVulnerabilityAlerts(config); expect(res.packageRules).toMatchSnapshot();