From eb5ccffdcd26ff45768c6855960f22ac8ac3e96f Mon Sep 17 00:00:00 2001 From: Rhys Arkins <rhys@arkins.net> Date: Sat, 9 Mar 2019 07:16:12 +0100 Subject: [PATCH] fix: update GitHub vulnerability alerts parsing Closes #3340 --- lib/platform/github/index.js | 24 ++++++++------ lib/workers/repository/init/vulnerability.js | 33 +++++++++++++++---- .../__snapshots__/vulnerability.spec.js.snap | 9 +++-- .../repository/init/vulnerability.spec.js | 16 +++++++-- 4 files changed, 60 insertions(+), 22 deletions(-)
diff --git a/lib/platform/github/index.js b/lib/platform/github/index.js
index af1d74cf44..7612bc202d 100644
--- a/lib/platform/github/index.js
+++ b/lib/platform/github/index.js
@@ -1481,17 +1481,21 @@ async function getVulnerabilityAlerts() {
 const query = `
 query {
 repository(owner:"${config.repositoryOwner}", name:"${config.repositoryName}") {
- vulnerabilityAlerts(last: 100) {
- edges {
- node {
- externalIdentifier
- externalReference
- packageName
- affectedRange
- fixedIn
- }
- }
+ vulnerabilityAlerts(last: 100) {
+ edges {
+ node {
+ dismissReason
+ vulnerableManifestFilename
+ vulnerableManifestPath
+ vulnerableRequirements
+ securityVulnerability {
+ package { name ecosystem }
+ firstPatchedVersion { identifier }
+ vulnerableVersionRange
+ }
+ }
 }
+ }
 }
 }`;
 const options = {
diff --git a/lib/workers/repository/init/vulnerability.js b/lib/workers/repository/init/vulnerability.js
index ed7746752e..6d5956a1ce 100644
--- a/lib/workers/repository/init/vulnerability.js
+++ b/lib/workers/repository/init/vulnerability.js
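Review bot: The rewritten selection on the `+ vulnerabilityAlerts(last: 100) {` line still caps the result at 100 alerts and requests no `pageInfo`, so a repository with more open alerts silently loses the oldest ones and those vulnerabilities never become rules; request `pageInfo { hasPreviousPage }` next to `edges` and log a warning when it is true. The new `securityVulnerability { ... firstPatchedVersion { identifier } }` selection can come back null for an alert (the vulnerability.js hunk in this same commit filters on exactly that), so any other consumer of this function must null-check it too. The new query also keeps interpolating `config.repositoryOwner` and `config.repositoryName` straight into the query text rather than passing them as GraphQL variables; they are config values rather than remote input, but variables would remove the quoting concern entirely. getVulnerabilityAlerts starts before and continues after this hunk.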
@@ -20,17 +20,36 @@ async function detectVulnerabilityAlerts(input) {
 }
 const config = { ...input };
 const alertPackageRules = alerts
+ .filter(alert => !alert.dismissReason)
+ .filter(
+ alert =>
+ alert.securityVulnerability &&
+ alert.securityVulnerability.firstPatchedVersion &&
+ alert.securityVulnerability.package
+ )
 .map(alert => {
- if (!alert.fixedIn) {
- logger.info({ alert }, 'Vulnerability alert has no fixedIn version');
- return null;
- }
 const rule = {};
- rule.packageNames = [alert.packageName];
+ const languageMapping = {
+ MAVEN: ['java'],
+ NPM: ['js'],
+ NUGET: ['dotnet'],
+ PIP: ['python'],
+ RUBYGEMS: ['ruby'],
+ };
+ const languages =
+ languageMapping[alert.securityVulnerability.package.ecosystem];
+ if (languages) {
+ rule.languages = languages;
+ }
+ rule.packageNames = [alert.securityVulnerability.package.name];
 // Raise only for where the currentVersion is vulnerable
- rule.matchCurrentVersion = `< ${alert.fixedIn}`;
+ rule.matchCurrentVersion = `< ${
+ alert.securityVulnerability.firstPatchedVersion.identifier
+ }`;
 // Don't propose upgrades to any versions that are still vulnerable
- rule.allowedVersions = `>= ${alert.fixedIn}`;
+ rule.allowedVersions = `>= ${
+ alert.securityVulnerability.firstPatchedVersion.identifier
+ }`;
 rule.force = {
 ...config.vulnerabilityAlerts,
 vulnerabilityAlert: true,
diff --git a/test/workers/repository/init/__snapshots__/vulnerability.spec.js.snap b/test/workers/repository/init/__snapshots__/vulnerability.spec.js.snap
index 81370c8986..c4793b921d 100644
--- a/test/workers/repository/init/__snapshots__/vulnerability.spec.js.snap
+++ b/test/workers/repository/init/__snapshots__/vulnerability.spec.js.snap
@@ -3,7 +3,7 @@
 exports[`workers/repository/init/vulnerability detectVulnerabilityAlerts() returns alerts 1`] = `
 Array [
 Object {
- "allowedVersions": ">= 1.1.0",
+ "allowedVersions": ">= 1.8.3",
 "force": Object {
 "commitMessageSuffix": "[SECURITY]",
 "groupName": null,
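Review bot: The second `.filter(` silently discards every alert whose `securityVulnerability` has no `firstPatchedVersion`, whereas the removed `if (!alert.fixedIn)` branch at least emitted `logger.info({ alert }, ...)`; an alert with no patched release is precisely the one a maintainer needs to see, so keep a log line for the dropped alerts, e.g. `logger.info({ alert }, 'Vulnerability alert has no fixed version');` emitted from the filter callback before it returns false. The query now fetches `vulnerableVersionRange` but `matchCurrentVersion` is still built as `< ${firstPatchedVersion.identifier}`, which also matches versions below the affected range (with the fixture's `>= 1.8, < 1.8.3` a project on 1.7.x would be flagged although it is presumably not affected); deriving `matchCurrentVersion` from `vulnerableVersionRange` would be more precise, though its comma-separated form likely needs normalising to a semver range first. The `languageMapping` object is rebuilt inside the `.map` callback on every alert and can be hoisted to a module-level `const`; ecosystems outside it (anything other than the five listed) yield a rule with no `languages`, which then matches that package name across all managers. detectVulnerabilityAlerts starts before and continues after this hunk.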
@@ -12,9 +12,12 @@ Array [
 "schedule": Array [],
 "vulnerabilityAlert": true,
 },
- "matchCurrentVersion": "< 1.1.0",
+ "languages": Array [
+ "js",
+ ],
+ "matchCurrentVersion": "< 1.8.3",
 "packageNames": Array [
- "some-package",
+ "electron",
 ],
 },
 ]
diff --git a/test/workers/repository/init/vulnerability.spec.js b/test/workers/repository/init/vulnerability.spec.js
index b6ca18b0bb..bc0dde2981 100644
--- a/test/workers/repository/init/vulnerability.spec.js
+++ b/test/workers/repository/init/vulnerability.spec.js
@@ -31,8 +31,20 @@ describe('workers/repository/init/vulnerability', () => {
 platform.getVulnerabilityAlerts.mockReturnValue([
 {},
 {
- packageName: 'some-package',
- fixedIn: '1.1.0',
+ dismissReason: null,
+ vulnerableManifestFilename: 'package-lock.json',
+ vulnerableManifestPath: 'package-lock.json',
+ vulnerableRequirements: '= 1.8.2',
+ securityVulnerability: {
+ package: {
+ name: 'electron',
+ ecosystem: 'NPM',
+ },
+ firstPatchedVersion: {
+ identifier: '1.8.3',
+ },
+ vulnerableVersionRange: '>= 1.8, < 1.8.3',
+ },
 },
 {},
 ]);
-- GitLab
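Review bot: The updated fixture covers only the happy path; the `dismissReason` filter and the missing-`firstPatchedVersion` filter that vulnerability.js gains in this same commit have no negative case here, since the two `{}` entries only exercise an alert with no `securityVulnerability` at all. Add a third entry that copies the electron alert but sets `dismissReason: 'tolerable'`, and a fourth whose `securityVulnerability` has `package` but no `firstPatchedVersion`, then keep asserting that exactly one rule is produced so the snapshot pins the filtering. A fixture with an `ecosystem` outside the mapping (for example `COMPOSER`) would also document that such rules carry no `languages`. The describe block starts before and continues after this hunk.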