From ca66b34aaaa893fde5e2eb2567a1f4a3a46063d6 Mon Sep 17 00:00:00 2001
From: Rhys Arkins <rhys@arkins.net>
Date: Mon, 11 Mar 2019 11:45:41 +0100
Subject: [PATCH] fix(github): handle no firstPatchedVersion
---
 lib/workers/repository/init/vulnerability.js | 7 +++++++
 .../init/__snapshots__/vulnerability.spec.js.snap | 6 ------
 test/workers/repository/init/vulnerability.spec.js | 1 -
 3 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/lib/workers/repository/init/vulnerability.js b/lib/workers/repository/init/vulnerability.js
index 5c38bcbb4b..65075fcc33 100644
--- a/lib/workers/repository/init/vulnerability.js
+++ b/lib/workers/repository/init/vulnerability.js
@@ -27,6 +27,13 @@ async function detectVulnerabilityAlerts(input) {
 if (alert.dismissReason) {
 continue; // eslint-disable-line no-continue
 }
+ if (!alert.securityVulnerability.firstPatchedVersion) {
+ logger.info(
+ { alert },
+ 'Vulnerability alert has no firstPatchedVersion - skipping'
+ );
+ continue; // eslint-disable-line no-continue
+ }
 const managerMapping = {
 MAVEN: 'maven',
 NPM: 'npm',
diff --git a/test/workers/repository/init/__snapshots__/vulnerability.spec.js.snap b/test/workers/repository/init/__snapshots__/vulnerability.spec.js.snap
index df5ba3d489..88cf06aab3 100644
--- a/test/workers/repository/init/__snapshots__/vulnerability.spec.js.snap
+++ b/test/workers/repository/init/__snapshots__/vulnerability.spec.js.snap
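Review bot: The new guard dereferences `alert.securityVulnerability` unconditionally, so an alert whose `securityVulnerability` is absent or null would throw a TypeError at this line instead of being skipped the way the missing-firstPatchedVersion case now is. I cannot confirm from the hunk whether the GitHub payload can omit that object, but if it can, widen the check to `const { securityVulnerability } = alert;` followed by `if (!securityVulnerability || !securityVulnerability.firstPatchedVersion) {` so both shapes take the same skip path. The skip would also read better with a why-comment above it, e.g. `// No patched release is published yet, so there is no version to propose - skip this alert`. detectVulnerabilityAlerts starts and continues outside the hunk, so the loop the `continue` belongs to is not visible here.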
@@ -63,9 +63,6 @@ Electron version 1.7 up to 1.7.12; 1.8 up to 1.8.3 and 2.0.0 up to 2.0.0-beta.3 "#### [CVE-2017-7481](https://nvd.nist.gov/vuln/detail/CVE-2017-7481) Ansible before versions 2.3.1.0 and 2.4.0.0 fails to properly mark lookup-plugin results as unsafe. If an attacker could control the results of lookup() calls, they could inject Unicode strings to be parsed by the jinja2 templating system, resulting in code execution. By default, the jinja2 templating language is now marked as 'unsafe' and is not evaluated.", - "#### [CVE-2016-3096](https://nvd.nist.gov/vuln/detail/CVE-2016-3096) - -The create_script function in the lxc_container module in Ansible before 1.9.6-1 and 2.x before 2.0.2.0 allows local users to write to arbitrary files or gain privileges via a symlink attack on (1) /opt/.lxc-attach-script, (2) the archived container in the archive_path directory, or the (3) lxc-attach-script.log or (4) lxc-attach-script.err files in the temporary directory.", "#### [CVE-2015-3908](https://nvd.nist.gov/vuln/detail/CVE-2015-3908) Ansible before 1.9.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.", 
@@ -96,9 +93,6 @@ Ansible before versions 2.1.4, 2.2.1 is vulnerable to an improper input validati "#### [CVE-2017-7481](https://nvd.nist.gov/vuln/detail/CVE-2017-7481) Ansible before versions 2.3.1.0 and 2.4.0.0 fails to properly mark lookup-plugin results as unsafe. If an attacker could control the results of lookup() calls, they could inject Unicode strings to be parsed by the jinja2 templating system, resulting in code execution. By default, the jinja2 templating language is now marked as 'unsafe' and is not evaluated.", - "#### [CVE-2016-3096](https://nvd.nist.gov/vuln/detail/CVE-2016-3096) - -The create_script function in the lxc_container module in Ansible before 1.9.6-1 and 2.x before 2.0.2.0 allows local users to write to arbitrary files or gain privileges via a symlink attack on (1) /opt/.lxc-attach-script, (2) the archived container in the archive_path directory, or the (3) lxc-attach-script.log or (4) lxc-attach-script.err files in the temporary directory.", "#### [CVE-2015-3908](https://nvd.nist.gov/vuln/detail/CVE-2015-3908) Ansible before 1.9.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.", diff --git a/test/workers/repository/init/vulnerability.spec.js b/test/workers/repository/init/vulnerability.spec.js index e2321af3ab..a251da79f0 100644 --- a/test/workers/repository/init/vulnerability.spec.js +++ b/test/workers/repository/init/vulnerability.spec.js @@ -119,7 +119,6 @@ describe('workers/repository/init/vulnerability', () => { }, securityVulnerability: { package: { name: 'ansible', ecosystem: 'PIP' }, - firstPatchedVersion: { identifier: '1.9.6.1' }, vulnerableVersionRange: '< 1.9.6.1', }, }, -- GitLab