From b2e2b0d47bb47f30a6820bf39e53426920b6b935 Mon Sep 17 00:00:00 2001
From: Rhys Arkins <rhys@arkins.net>
Date: Wed, 25 Sep 2024 18:39:56 +0200
Subject: [PATCH] fix(vulnerabilities): set matchCurrentVersion for github
 alerts (#31612)

---
 .../init/__snapshots__/vulnerability.spec.ts.snap           | 3 +++
 lib/workers/repository/init/vulnerability.ts                | 6 ++++++
 2 files changed, 9 insertions(+)

diff --git a/lib/workers/repository/init/__snapshots__/vulnerability.spec.ts.snap b/lib/workers/repository/init/__snapshots__/vulnerability.spec.ts.snap
index 1d7868498b..755f67ba3d 100644
--- a/lib/workers/repository/init/__snapshots__/vulnerability.spec.ts.snap
+++ b/lib/workers/repository/init/__snapshots__/vulnerability.spec.ts.snap
@@ -15,6 +15,7 @@ exports[`workers/repository/init/vulnerability detectVulnerabilityAlerts() retur
       "vulnerabilityFixStrategy": "lowest",
     },
     "isVulnerabilityAlert": true,
+    "matchCurrentVersion": "< 1.8.3",
     "matchDatasources": [
       "go",
     ],
@@ -50,6 +51,7 @@ exports[`workers/repository/init/vulnerability detectVulnerabilityAlerts() retur
       "vulnerabilityFixStrategy": "lowest",
     },
     "isVulnerabilityAlert": true,
+    "matchCurrentVersion": "(,2.7.9.4)",
     "matchDatasources": [
       "maven",
     ],
@@ -85,6 +87,7 @@ exports[`workers/repository/init/vulnerability detectVulnerabilityAlerts() retur
       "vulnerabilityFixStrategy": "lowest",
     },
     "isVulnerabilityAlert": true,
+    "matchCurrentVersion": "< 2.2.1.0",
     "matchDatasources": [
       "pypi",
     ],
diff --git a/lib/workers/repository/init/vulnerability.ts b/lib/workers/repository/init/vulnerability.ts
index 13f796020c..7f7dab37d7 100644
--- a/lib/workers/repository/init/vulnerability.ts
+++ b/lib/workers/repository/init/vulnerability.ts
@@ -184,9 +184,15 @@ export async function detectVulnerabilityAlerts(
           matchFileNames,
         };
 
+        let matchCurrentVersion = `< ${val.firstPatchedVersion}`;
+        if (datasource === MavenDatasource.id) {
+          matchCurrentVersion = `(,${val.firstPatchedVersion})`;
+        }
+
         // Remediate only direct dependencies
         matchRule = {
           ...matchRule,
+          matchCurrentVersion,
           vulnerabilityFixVersion: val.firstPatchedVersion,
           prBodyNotes,
           isVulnerabilityAlert: true,
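Review bot: `val.firstPatchedVersion` is interpolated into `matchCurrentVersion` on the new `let` line without any validity check, so if it is ever empty or undefined here (the guard, if any, is above the hunk) the rule gets `< undefined`, which the versioning cannot parse and the alert-fix rule then silently never matches — a lost remediation rather than a loud failure. I would guard the assignment, e.g. only set `matchCurrentVersion` when `val.firstPatchedVersion` is present and the datasource's versioning reports it valid, and log a debug line otherwise. The special case also assumes `<` is valid range syntax for every non-maven datasource GitHub reports alerts for; if any other versioning uses interval notation like maven's (nuget comes to mind), it needs the same branch, so a short why-comment would help the next maintainer: `// maven versioning uses interval notation; "<" is not a valid range there`. Stylistically the `let`/`if` pair reads more clearly as one `const` with a ternary: `const matchCurrentVersion = datasource === MavenDatasource.id ? \`(,${val.firstPatchedVersion})\` : \`< ${val.firstPatchedVersion}\`;`. Note that `detectVulnerabilityAlerts` starts and ends outside this hunk.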
-- 
GitLab