diff --git a/lib/workers/repository/init/__snapshots__/vulnerability.spec.ts.snap b/lib/workers/repository/init/__snapshots__/vulnerability.spec.ts.snap
index 1d7868498bb0b041ced226b515803fcca0603d41..755f67ba3dbcbb0088a8930d0d204a0b4950802c 100644
--- a/lib/workers/repository/init/__snapshots__/vulnerability.spec.ts.snap
+++ b/lib/workers/repository/init/__snapshots__/vulnerability.spec.ts.snap
@@ -15,6 +15,7 @@ exports[`workers/repository/init/vulnerability detectVulnerabilityAlerts() retur
 "vulnerabilityFixStrategy": "lowest",
 },
 "isVulnerabilityAlert": true,
+ "matchCurrentVersion": "< 1.8.3",
 "matchDatasources": [
 "go",
 ],
@@ -50,6 +51,7 @@ exports[`workers/repository/init/vulnerability detectVulnerabilityAlerts() retur
 "vulnerabilityFixStrategy": "lowest",
 },
 "isVulnerabilityAlert": true,
+ "matchCurrentVersion": "(,2.7.9.4)",
 "matchDatasources": [
 "maven",
 ],
@@ -85,6 +87,7 @@ exports[`workers/repository/init/vulnerability detectVulnerabilityAlerts() retur
 "vulnerabilityFixStrategy": "lowest",
 },
 "isVulnerabilityAlert": true,
+ "matchCurrentVersion": "< 2.2.1.0",
 "matchDatasources": [
 "pypi",
 ],
diff --git a/lib/workers/repository/init/vulnerability.ts b/lib/workers/repository/init/vulnerability.ts
index 13f796020c9fe6dfff6bac4b07eb0c7091f41399..7f7dab37d7908d750b9c462b2ce8c9c53decda4e 100644
--- a/lib/workers/repository/init/vulnerability.ts
+++ b/lib/workers/repository/init/vulnerability.ts
@@ -184,9 +184,15 @@ export async function detectVulnerabilityAlerts(
 matchFileNames,
 };
 
+ let matchCurrentVersion = `< ${val.firstPatchedVersion}`;
+ if (datasource === MavenDatasource.id) {
+ matchCurrentVersion = `(,${val.firstPatchedVersion})`;
+ }
+
 // Remediate only direct dependencies
 matchRule = {
 ...matchRule,
+ matchCurrentVersion,
 vulnerabilityFixVersion: val.firstPatchedVersion,
 prBodyNotes,
 isVulnerabilityAlert: true,
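Review bot: The new `matchCurrentVersion` in vulnerability.ts is composed by string interpolation from `val.firstPatchedVersion` with no check that the value is a parseable version for the alert's datasource, so an empty or non-standard identifier from the alert feed produces a range such as `< undefined` that silently never matches and the vulnerable dependency is left unremediated. If an earlier guard already drops alerts without a first patched version, this hunk does not show it; otherwise validate with the datasource's versioning before composing the range and emit a debug log when the rule is skipped, so a missed remediation is visible rather than silent. The `< X` form is also assumed valid for every datasource other than Maven, which may not hold for datasources whose range syntax is interval-based; a short comment stating that assumption, e.g. `// Assumes npm-style "< x" ranges for every non-Maven datasource`, would help the next reader. detectVulnerabilityAlerts starts and ends outside the hunk.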