diff --git a/lib/platform/github/index.js b/lib/platform/github/index.js
index af1d74cf446dfc1d0a40ae0879612dc41678b2ae..7612bc202dcb3aa6cfb18dd68174090b43c25e77 100644
--- a/lib/platform/github/index.js
+++ b/lib/platform/github/index.js
@@ -1481,17 +1481,21 @@ async function getVulnerabilityAlerts() {
 const query = `
 query {
 repository(owner:"${config.repositoryOwner}", name:"${config.repositoryName}") {
- vulnerabilityAlerts(last: 100) {
- edges {
- node {
- externalIdentifier
- externalReference
- packageName
- affectedRange
- fixedIn
- }
- }
+ vulnerabilityAlerts(last: 100) {
+ edges {
+ node {
+ dismissReason
+ vulnerableManifestFilename
+ vulnerableManifestPath
+ vulnerableRequirements
+ securityVulnerability {
+ package { name ecosystem }
+ firstPatchedVersion { identifier }
+ vulnerableVersionRange
+ }
+ }
 }
+ }
 }
 }`;
 const options = {
diff --git a/lib/workers/repository/init/vulnerability.js b/lib/workers/repository/init/vulnerability.js
index ed7746752e746542683855382bf8eaf6b6c733e7..6d5956a1ce87fcec412428e42640126a5bd0ead6 100644
--- a/lib/workers/repository/init/vulnerability.js
+++ b/lib/workers/repository/init/vulnerability.js
@@ -20,17 +20,36 @@ async function detectVulnerabilityAlerts(input) {
 }
 const config = { ...input };
 const alertPackageRules = alerts
+ .filter(alert => !alert.dismissReason)
+ .filter(
+ alert =>
+ alert.securityVulnerability &&
+ alert.securityVulnerability.firstPatchedVersion &&
+ alert.securityVulnerability.package
+ )
 .map(alert => {
- if (!alert.fixedIn) {
- logger.info({ alert }, 'Vulnerability alert has no fixedIn version');
- return null;
- }
 const rule = {};
- rule.packageNames = [alert.packageName];
+ const languageMapping = {
+ MAVEN: ['java'],
+ NPM: ['js'],
+ NUGET: ['dotnet'],
+ PIP: ['python'],
+ RUBYGEMS: ['ruby'],
+ };
+ const languages =
+ languageMapping[alert.securityVulnerability.package.ecosystem];
+ if (languages) {
+ rule.languages = languages;
+ }
+ rule.packageNames = [alert.securityVulnerability.package.name];
 // Raise only for where the currentVersion is vulnerable
- rule.matchCurrentVersion = `< ${alert.fixedIn}`;
+ rule.matchCurrentVersion = `< ${
+ alert.securityVulnerability.firstPatchedVersion.identifier
+ }`;
 // Don't propose upgrades to any versions that are still vulnerable
- rule.allowedVersions = `>= ${alert.fixedIn}`;
+ rule.allowedVersions = `>= ${
+ alert.securityVulnerability.firstPatchedVersion.identifier
+ }`;
 rule.force = {
 ...config.vulnerabilityAlerts,
 vulnerabilityAlert: true,
diff --git a/test/workers/repository/init/__snapshots__/vulnerability.spec.js.snap b/test/workers/repository/init/__snapshots__/vulnerability.spec.js.snap
index 81370c89869fc0339120c90cac172547856287d1..c4793b921db03d4feb41c9148a8a86c8d60d0395 100644
--- a/test/workers/repository/init/__snapshots__/vulnerability.spec.js.snap
+++ b/test/workers/repository/init/__snapshots__/vulnerability.spec.js.snap
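Review bot: The second `.filter` in the new chain silently drops alerts whose `securityVulnerability` has no `firstPatchedVersion` or `package`, while the removed `logger.info` call used to record that an alert had no fixed version; a real but currently unfixable alert now leaves no trace in the log. Keep that visibility by moving the check into a filter callback that logs before returning false (fence below; `logger` is already in scope per the removed line). Separately, `languageMapping` is rebuilt inside the `.map` callback for every alert and could be a frozen module-level constant, and an `ecosystem` missing from it yields a rule with `packageNames` but no `languages`, so the rule would match a same-named package under any manager — worth a line such as `logger.info({ ecosystem }, 'No language mapping for vulnerability alert ecosystem')` in the `else` branch. detectVulnerabilityAlerts starts before and continues after this hunk.
```javascript
  const alertPackageRules = alerts
    .filter(alert => !alert.dismissReason)
    .filter(alert => {
      const vuln = alert.securityVulnerability;
      if (!vuln || !vuln.package || !vuln.firstPatchedVersion) {
        logger.info({ alert }, 'Vulnerability alert has no patched version');
        return false;
      }
      return true;
    })
    .map(alert => {
      // … unchanged: rule construction …
```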
@@ -3,7 +3,7 @@
 exports[`workers/repository/init/vulnerability detectVulnerabilityAlerts() returns alerts 1`] = `
 Array [
 Object {
- "allowedVersions": ">= 1.1.0",
+ "allowedVersions": ">= 1.8.3",
 "force": Object {
 "commitMessageSuffix": "[SECURITY]",
 "groupName": null,
@@ -12,9 +12,12 @@ Array [
 "schedule": Array [],
 "vulnerabilityAlert": true,
 },
- "matchCurrentVersion": "< 1.1.0",
+ "languages": Array [
+ "js",
+ ],
+ "matchCurrentVersion": "< 1.8.3",
 "packageNames": Array [
- "some-package",
+ "electron",
 ],
 },
 ]
diff --git a/test/workers/repository/init/vulnerability.spec.js b/test/workers/repository/init/vulnerability.spec.js
index b6ca18b0bbea3238c1dc411132f3519f5fca0246..bc0dde2981174227a5ca83acc63d490f037dfce5 100644
--- a/test/workers/repository/init/vulnerability.spec.js
+++ b/test/workers/repository/init/vulnerability.spec.js
@@ -31,8 +31,20 @@ describe('workers/repository/init/vulnerability', () => {
 platform.getVulnerabilityAlerts.mockReturnValue([
 {},
 {
- packageName: 'some-package',
- fixedIn: '1.1.0',
+ dismissReason: null,
+ vulnerableManifestFilename: 'package-lock.json',
+ vulnerableManifestPath: 'package-lock.json',
+ vulnerableRequirements: '= 1.8.2',
+ securityVulnerability: {
+ package: {
+ name: 'electron',
+ ecosystem: 'NPM',
+ },
+ firstPatchedVersion: {
+ identifier: '1.8.3',
+ },
+ vulnerableVersionRange: '>= 1.8, < 1.8.3',
+ },
 },
 {},
 ]);
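Review bot: The updated fixture in `vulnerability.spec.js` exercises only a fully populated NPM alert, so neither new filter branch in `detectVulnerabilityAlerts` — an alert with `dismissReason` set, or one whose `securityVulnerability` lacks `firstPatchedVersion` or `package` — is covered, and nor is an `ecosystem` outside the language mapping, which should produce a rule without `languages`. Adding two or three such entries to the mocked return value would pin that they are skipped or mapped as intended rather than throwing or producing a `< undefined` range. The describe block starts before and ends after this hunk.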