diff --git a/lib/modules/platform/github/index.spec.ts b/lib/modules/platform/github/index.spec.ts
index 47127a5504c371593d856aad2e872a56f8970b5f..d22dce1ead7db28602ad3926894603b626c9d987 100644
--- a/lib/modules/platform/github/index.spec.ts
+++ b/lib/modules/platform/github/index.spec.ts
@@ -3808,10 +3808,28 @@ describe('modules/platform/github/index', () => {
               manifest_path: 'bar/foo',
             },
           },
+          {
+            security_advisory: {
+              description: 'description',
+              identifiers: [{ type: 'type', value: 'value' }],
+              references: [],
+            },
+            security_vulnerability: {
+              package: {
+                ecosystem: 'npm',
+                name: 'foo',
+              },
+              vulnerable_version_range: '0.0.2',
+              first_patched_version: null,
+            },
+            dependency: {
+              manifest_path: 'bar/foo',
+            },
+          },
         ]);
       await github.initRepo({ repository: 'some/repo' });
       const res = await github.getVulnerabilityAlerts();
-      expect(res).toHaveLength(1);
+      expect(res).toHaveLength(2);
     });
 
     it('returns empty if disabled', async () => {
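Review bot: The updated expectation `expect(res).toHaveLength(2)` only counts the returned alerts, so it would still pass if parsing accepted the new fixture but altered or stripped its `first_patched_version`. Pinning the parsed value as well, for example `expect(res[1]).toMatchObject({ security_vulnerability: { first_patched_version: null } });`, would make the test fail if the schema is later tightened or starts transforming null. The enclosing `it` block starts outside the hunk, so the mocked request and the first fixture are not visible here.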
diff --git a/lib/modules/platform/github/schema.ts b/lib/modules/platform/github/schema.ts
index 7e70f8905e2e2c420f06cf4d0f797754867faa14..0aab89a1e407d48f90a5c2f5a11c630623dd610f 100644
--- a/lib/modules/platform/github/schema.ts
+++ b/lib/modules/platform/github/schema.ts
@@ -18,7 +18,7 @@ const PackageSchema = z.object({
 
 const SecurityVulnerabilitySchema = z
   .object({
-    first_patched_version: z.object({ identifier: z.string() }).optional(),
+    first_patched_version: z.object({ identifier: z.string() }).nullish(),
     package: PackageSchema,
     vulnerable_version_range: z.string(),
   })
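Review bot: The change to `.nullish()` on `first_patched_version` carries no comment saying why null is accepted, so a later cleanup could tighten it back to `.optional()` and make these alerts fail validation again. A one-line comment above the field, such as `// null when the advisory has no patched release`, would record the reason; that meaning is inferred from the new test in vulnerability.spec.ts, not stated in this file. The same comment belongs on the `| null` added to `SecurityVulnerability.first_patched_version` in lib/types/vulnerability-alert.ts. Consumers of this field are not shown in the diff, so check them for strict `=== undefined` comparisons, which null will not satisfy. The schema's method chain continues past the end of the hunk.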
diff --git a/lib/types/vulnerability-alert.ts b/lib/types/vulnerability-alert.ts
index 5dcd261e8eecf810c6c4ae206396fcaca2c01d3b..3640a3a13fa1a80261d3c7a097141cfa9876fac3 100644
--- a/lib/types/vulnerability-alert.ts
+++ b/lib/types/vulnerability-alert.ts
@@ -11,7 +11,7 @@ export interface VulnerabilityPackage {
   name: string;
 }
 export interface SecurityVulnerability {
-  first_patched_version?: { identifier: string };
+  first_patched_version?: { identifier: string } | null;
   package: VulnerabilityPackage;
   vulnerable_version_range: string;
 }
diff --git a/lib/workers/repository/init/vulnerability.spec.ts b/lib/workers/repository/init/vulnerability.spec.ts
index cd69bc4b72d977ea36aeced224cd8c6f389c2943..2460aa22de084b2415f14f8c13b96eacfa28e435 100644
--- a/lib/workers/repository/init/vulnerability.spec.ts
+++ b/lib/workers/repository/init/vulnerability.spec.ts
@@ -116,6 +116,37 @@ describe('workers/repository/init/vulnerability', () => {
       expect(res.packageRules).toHaveLength(0);
     });
 
+    it('ignores alert if firstPatchVersion is null', async () => {
+      delete config.vulnerabilityAlerts!.enabled;
+      platform.getVulnerabilityAlerts.mockResolvedValue([
+        {
+          // will be ignored - firstPatchVersion is null
+          dismissed_reason: null,
+          dependency: {
+            manifest_path: 'requirements.txt',
+          },
+          security_advisory: {
+            description:
+              'The create_script function in the lxc_container module in Ansible before 1.9.6-1 and 2.x before 2.0.2.0 allows local users to write to arbitrary files or gain privileges via a symlink attack on (1) /opt/.lxc-attach-script, (2) the archived container in the archive_path directory, or the (3) lxc-attach-script.log or (4) lxc-attach-script.err files in the temporary directory.',
+            identifiers: [
+              { type: 'GHSA', value: 'GHSA-rh6x-qvg7-rrmj' },
+              { type: 'CVE', value: 'CVE-2016-3096' },
+            ],
+            references: [
+              { url: 'https://nvd.nist.gov/vuln/detail/CVE-2016-3096' },
+            ],
+          },
+          security_vulnerability: {
+            package: { name: 'ansible', ecosystem: 'pip' },
+            vulnerable_version_range: '< 1.9.6.1',
+            first_patched_version: null,
+          },
+        },
+      ]);
+      const res = await detectVulnerabilityAlerts(config);
+      expect(res.packageRules).toHaveLength(0);
+    });
+
     it('returns go alerts', async () => {
       // TODO #22198
       delete config.vulnerabilityAlerts!.enabled;
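Review bot: The new test asserts only `expect(res.packageRules).toHaveLength(0)`, so it pins that an alert with no patched version produces no rule but checks nothing about how the skip is reported. An alert that cannot be remediated by an upgrade is still a live exposure, so dropping it should leave a trace. If `detectVulnerabilityAlerts` logs the skipped alert, assert on that here; if it does not, a log line in the implementation (not shown in this diff) is worth adding. The title also says `firstPatchVersion` while the field under test is `first_patched_version`; `'ignores alert if first_patched_version is null'` would match the fixture and the inline comment could be updated the same way.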