fix(vulnerabilities): set matchCurrentVersion for github alerts (#31612)

b2e2b0d4 · Rhys Arkins · GitHub · f96ecc18 · b2e2b0d4 · b2e2b0d4
Unverified Commit b2e2b0d4 authored 7 months ago by Rhys Arkins Committed by GitHub 7 months ago
--- a/lib/workers/repository/init/__snapshots__/vulnerability.spec.ts.snap
+++ b/lib/workers/repository/init/__snapshots__/vulnerability.spec.ts.snap
@@ -15,6 +15,7 @@ exports[`workers/repository/init/vulnerability detectVulnerabilityAlerts() retur
      "vulnerabilityFixStrategy": "lowest",
    },
    "isVulnerabilityAlert": true,
+    "matchCurrentVersion": "< 1.8.3",
    "matchDatasources": [
      "go",
    ],
@@ -50,6 +51,7 @@ exports[`workers/repository/init/vulnerability detectVulnerabilityAlerts() retur
      "vulnerabilityFixStrategy": "lowest",
    },
    "isVulnerabilityAlert": true,
+    "matchCurrentVersion": "(,2.7.9.4)",
    "matchDatasources": [
      "maven",
    ],
@@ -85,6 +87,7 @@ exports[`workers/repository/init/vulnerability detectVulnerabilityAlerts() retur
      "vulnerabilityFixStrategy": "lowest",
    },
    "isVulnerabilityAlert": true,
+    "matchCurrentVersion": "< 2.2.1.0",
    "matchDatasources": [
      "pypi",
    ],

--- a/lib/workers/repository/init/vulnerability.ts
+++ b/lib/workers/repository/init/vulnerability.ts
@@ -184,9 +184,15 @@ export async function detectVulnerabilityAlerts(
          matchFileNames,
        };

+        let matchCurrentVersion = `< ${val.firstPatchedVersion}`;
+        if (datasource === MavenDatasource.id) {
+          matchCurrentVersion = `(,${val.firstPatchedVersion})`;
+        }
+
        // Remediate only direct dependencies
        matchRule = {
          ...matchRule,
+          matchCurrentVersion,
          vulnerabilityFixVersion: val.firstPatchedVersion,
          prBodyNotes,
          isVulnerabilityAlert: true,