diff --git a/lib/workers/repository/init/__snapshots__/vulnerability.spec.ts.snap b/lib/workers/repository/init/__snapshots__/vulnerability.spec.ts.snap
index 1c6a552c0026b5e1d384ba046d72d610dac6dd12..3722c216ecee88cac2ce8d970542c850cc265cb8 100644
--- a/lib/workers/repository/init/__snapshots__/vulnerability.spec.ts.snap
+++ b/lib/workers/repository/init/__snapshots__/vulnerability.spec.ts.snap
@@ -1,19 +1,42 @@
// Jest Snapshot v1, https://goo.gl/fbAQLP
-exports[`workers/repository/init/vulnerability detectVulnerabilityAlerts() returns alerts and remediations 1`] = `
+exports[`workers/repository/init/vulnerability detectVulnerabilityAlerts() returns github actions alerts 1`] = `
[
{
- "matchCurrentVersion": "= 1.8.2",
+ "allowedVersions": "1.8.3",
+ "force": {
+ "branchTopic": "{{{datasource}}}-{{{depName}}}-vulnerability",
+ "commitMessageSuffix": "[SECURITY]",
+ "dependencyDashboardApproval": false,
+ "groupName": null,
+ "minimumReleaseAge": null,
+ "prCreation": "immediate",
+ "rangeStrategy": "update-lockfile",
+ "schedule": [],
+ },
+ "isVulnerabilityAlert": true,
+ "matchCurrentVersion": "1.8.2",
"matchDatasources": [
- "npm",
+ "github-tags",
],
"matchFileNames": [
- "backend/package-lock.json",
+ ".github/workflows/build.yaml",
],
"matchPackageNames": [
- "electron",
+ "bar",
+ ],
+ "prBodyNotes": [
+ "### GitHub Vulnerability Alerts",
+ "#### [def]()
+
+actions",
],
},
+]
+`;
+
+exports[`workers/repository/init/vulnerability detectVulnerabilityAlerts() returns go alerts 1`] = `
+[
{
"allowedVersions": "1.8.3",
"force": {
@@ -44,8 +67,13 @@ exports[`workers/repository/init/vulnerability detectVulnerabilityAlerts() retur
go",
],
},
+]
+`;
+
+exports[`workers/repository/init/vulnerability detectVulnerabilityAlerts() returns maven alerts 1`] = `
+[
{
- "allowedVersions": "1.8.3",
+ "allowedVersions": "2.7.9.4",
"force": {
"branchTopic": "{{{datasource}}}-{{{depName}}}-vulnerability",
"commitMessageSuffix": "[SECURITY]",
@@ -57,23 +85,28 @@ go",
"schedule": [],
},
"isVulnerabilityAlert": true,
- "matchCurrentVersion": "1.8.2",
+ "matchCurrentVersion": "2.4.2",
"matchDatasources": [
- "github-tags",
+ "maven",
],
"matchFileNames": [
- ".github/workflows/build.yaml",
+ "pom.xml",
],
"matchPackageNames": [
- "bar",
+ "com.fasterxml.jackson.core:jackson-databind",
],
"prBodyNotes": [
"### GitHub Vulnerability Alerts",
- "#### [def]()
+ "#### [CVE-2018-12022](https://nvd.nist.gov/vuln/detail/CVE-2018-12022)
-actions",
+An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.",
],
},
+]
+`;
+
+exports[`workers/repository/init/vulnerability detectVulnerabilityAlerts() returns pip alerts 1`] = `
+[
{
"allowedVersions": "==2.2.1.0",
"force": {
@@ -119,40 +152,10 @@ Ansible before version 2.2.0 fails to properly sanitize fact variables sent from
Ansible before versions 2.1.4, 2.2.1 is vulnerable to an improper input validation in Ansible's handling of data sent from client systems. An attacker with control over a client system being managed by Ansible and the ability to send facts back to the Ansible server could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges.",
],
},
- {
- "allowedVersions": "2.7.9.4",
- "force": {
- "branchTopic": "{{{datasource}}}-{{{depName}}}-vulnerability",
- "commitMessageSuffix": "[SECURITY]",
- "dependencyDashboardApproval": false,
- "groupName": null,
- "minimumReleaseAge": null,
- "prCreation": "immediate",
- "rangeStrategy": "update-lockfile",
- "schedule": [],
- },
- "isVulnerabilityAlert": true,
- "matchCurrentVersion": "2.4.2",
- "matchDatasources": [
- "maven",
- ],
- "matchFileNames": [
- "pom.xml",
- ],
- "matchPackageNames": [
- "com.fasterxml.jackson.core:jackson-databind",
- ],
- "prBodyNotes": [
- "### GitHub Vulnerability Alerts",
- "#### [CVE-2018-12022](https://nvd.nist.gov/vuln/detail/CVE-2018-12022)
-
-An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.",
- ],
- },
]
`;
-exports[`workers/repository/init/vulnerability detectVulnerabilityAlerts() returns alerts and remediations 2`] = `
+exports[`workers/repository/init/vulnerability detectVulnerabilityAlerts() returns remediations 1`] = `
{
"backend/package-lock.json": [
{
diff --git a/lib/workers/repository/init/vulnerability.spec.ts b/lib/workers/repository/init/vulnerability.spec.ts
index e6562c86d16e96f4f12436b2b00f7c005e0c36be..c5e375bfceec333dd7357a1c0718e28ed87788fc 100644
--- a/lib/workers/repository/init/vulnerability.spec.ts
+++ b/lib/workers/repository/init/vulnerability.spec.ts
@@ -38,50 +38,101 @@ describe('workers/repository/init/vulnerability', () => {
);
});
- it('returns alerts and remediations', async () => {
- config.transitiveRemediation = true;
+ it('ignores yargs-parser special case', async () => {
// TODO #22198
delete config.vulnerabilityAlerts!.enabled;
delete config.packageRules; // test coverage
platform.getVulnerabilityAlerts.mockResolvedValue([
partial<VulnerabilityAlert>(),
{
+ // this will be ignored
dismissReason: null,
vulnerableManifestFilename: 'package-lock.json',
vulnerableManifestPath: 'backend/package-lock.json',
+ securityAdvisory: {
+ references: [],
+ severity: '',
+ },
+ securityVulnerability: {
+ package: { ecosystem: 'NPM', name: 'yargs-parser' },
+ vulnerableVersionRange: '>5.0.0-security.0',
+ },
+ vulnerableRequirements: '= 5.0.1',
+ },
+ ]);
+ const res = await detectVulnerabilityAlerts(config);
+ expect(res.packageRules).toHaveLength(0);
+ });
+
+ it('ignores alert if dismissReason is not null', async () => {
+ // TODO #22198
+ delete config.vulnerabilityAlerts!.enabled;
+ platform.getVulnerabilityAlerts.mockResolvedValue([
+ {
+ dismissReason: 'some reason',
+ vulnerableManifestFilename: 'package-lock.json',
+ vulnerableManifestPath: 'package-lock.json',
vulnerableRequirements: '= 1.8.2',
securityAdvisory: {
description:
- 'Electron version 1.7 up to 1.7.12; 1.8 up to 1.8.3 and 2.0.0 up to 2.0.0-beta.3 contains an improper handling of values vulnerability in Webviews that can result in remote code execution. This attack appear to be exploitable via an app which allows execution of 3rd party code AND disallows node integration AND has not specified if webview is enabled/disabled. This vulnerability appears to have been fixed in 1.7.13, 1.8.4, 2.0.0-beta.4.',
- identifiers: [{ type: 'GHSA', value: 'GHSA-8xwg-wv7v-4vqp' }],
+ 'GitHub Electron 1.7.15, 1.8.7, 2.0.7, and 3.0.0-beta.6, in certain scenarios involving IFRAME elements and "nativeWindowOpen: true" or "sandbox: true" options, is affected by a WebPreferences vulnerability that can be leveraged to perform remote code execution.',
+ identifiers: [
+ { type: 'GHSA', value: 'GHSA-hv9c-qwqg-qj3v' },
+ { type: 'CVE', value: 'CVE-2018-15685' },
+ ],
references: [
- { url: 'https://nvd.nist.gov/vuln/detail/CVE-2018-1000136' },
+ { url: 'https://nvd.nist.gov/vuln/detail/CVE-2018-15685' },
],
severity: 'HIGH',
},
securityVulnerability: {
package: { name: 'electron', ecosystem: 'NPM' },
- firstPatchedVersion: { identifier: '1.8.3' },
- vulnerableVersionRange: '>= 1.8, < 1.8.3',
+ firstPatchedVersion: { identifier: '1.8.8' },
+ vulnerableVersionRange: '>= 1.8.0, < 1.8.8',
},
},
+ ]);
+ const res = await detectVulnerabilityAlerts(config);
+ expect(res.packageRules).toHaveLength(0);
+ });
+
+ it('ignores alert if firstPatchVersion not found', async () => {
+ // TODO #22198
+ delete config.vulnerabilityAlerts!.enabled;
+ platform.getVulnerabilityAlerts.mockResolvedValue([
{
+ // will be ignored - no firstPatchVersion
dismissReason: null,
- vulnerableManifestFilename: 'go.sum',
- vulnerableManifestPath: 'go.sum',
- vulnerableRequirements: '= 1.8.2',
+ vulnerableManifestFilename: 'requirements.txt',
+ vulnerableManifestPath: 'requirements.txt',
+ vulnerableRequirements: '= 1.6.7',
securityAdvisory: {
- description: 'go',
- identifiers: [{ type: 'GHSA', value: 'abc' }],
- references: [{ url: '' }],
+ description:
+ 'The create_script function in the lxc_container module in Ansible before 1.9.6-1 and 2.x before 2.0.2.0 allows local users to write to arbitrary files or gain privileges via a symlink attack on (1) /opt/.lxc-attach-script, (2) the archived container in the archive_path directory, or the (3) lxc-attach-script.log or (4) lxc-attach-script.err files in the temporary directory.',
+ identifiers: [
+ { type: 'GHSA', value: 'GHSA-rh6x-qvg7-rrmj' },
+ { type: 'CVE', value: 'CVE-2016-3096' },
+ ],
+ references: [
+ { url: 'https://nvd.nist.gov/vuln/detail/CVE-2016-3096' },
+ ],
severity: 'HIGH',
},
securityVulnerability: {
- package: { name: 'foo', ecosystem: 'GO' },
- firstPatchedVersion: { identifier: '1.8.3' },
- vulnerableVersionRange: '>= 1.8, < 1.8.3',
+ package: { name: 'ansible', ecosystem: 'PIP' },
+ vulnerableVersionRange: '< 1.9.6.1',
},
},
+ ]);
+ const res = await detectVulnerabilityAlerts(config);
+ expect(res.packageRules).toHaveLength(0);
+ });
+
+ it('returns github actions alerts', async () => {
+ delete config.vulnerabilityAlerts!.enabled;
+ platform.getVulnerabilityAlerts.mockResolvedValue([
+ partial<VulnerabilityAlert>(),
+
{
dismissReason: null,
vulnerableManifestFilename: '.github/workflows/build.yaml',
@@ -99,44 +150,80 @@ describe('workers/repository/init/vulnerability', () => {
vulnerableVersionRange: '>= 1.8, < 1.8.3',
},
},
+ ]);
+ const res = await detectVulnerabilityAlerts(config);
+ expect(res.packageRules).toMatchSnapshot();
+ expect(res.packageRules).toHaveLength(1);
+ });
+
+ it('returns go alerts', async () => {
+ // TODO #22198
+ delete config.vulnerabilityAlerts!.enabled;
+ platform.getVulnerabilityAlerts.mockResolvedValue([
+ partial<VulnerabilityAlert>(),
{
- // this will be ignored
dismissReason: null,
- vulnerableManifestFilename: 'package-lock.json',
- vulnerableManifestPath: 'backend/package-lock.json',
+ vulnerableManifestFilename: 'go.sum',
+ vulnerableManifestPath: 'go.sum',
+ vulnerableRequirements: '= 1.8.2',
securityAdvisory: {
- references: [],
- severity: '',
+ description: 'go',
+ identifiers: [{ type: 'GHSA', value: 'abc' }],
+ references: [{ url: '' }],
+ severity: 'HIGH',
},
securityVulnerability: {
- package: { ecosystem: 'NPM', name: 'yargs-parser' },
- vulnerableVersionRange: '>5.0.0-security.0',
+ package: { name: 'foo', ecosystem: 'GO' },
+ firstPatchedVersion: { identifier: '1.8.3' },
+ vulnerableVersionRange: '>= 1.8, < 1.8.3',
},
- vulnerableRequirements: '= 5.0.1',
},
+ ]);
+ const res = await detectVulnerabilityAlerts(config);
+ expect(res.packageRules).toMatchSnapshot();
+ expect(res.packageRules).toHaveLength(1);
+ });
+
+ it('returns maven alerts', async () => {
+ // TODO #22198
+ delete config.vulnerabilityAlerts!.enabled;
+ platform.getVulnerabilityAlerts.mockResolvedValue([
{
- dismissReason: 'some reason',
- vulnerableManifestFilename: 'package-lock.json',
- vulnerableManifestPath: 'package-lock.json',
- vulnerableRequirements: '= 1.8.2',
+ dismissReason: null,
+ vulnerableManifestFilename: 'pom.xml',
+ vulnerableManifestPath: 'pom.xml',
+ vulnerableRequirements: '= 2.4.2',
securityAdvisory: {
description:
- 'GitHub Electron 1.7.15, 1.8.7, 2.0.7, and 3.0.0-beta.6, in certain scenarios involving IFRAME elements and "nativeWindowOpen: true" or "sandbox: true" options, is affected by a WebPreferences vulnerability that can be leveraged to perform remote code execution.',
+ 'An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.',
identifiers: [
- { type: 'GHSA', value: 'GHSA-hv9c-qwqg-qj3v' },
- { type: 'CVE', value: 'CVE-2018-15685' },
+ { type: 'GHSA', value: 'GHSA-cjjf-94ff-43w7' },
+ { type: 'CVE', value: 'CVE-2018-12022' },
],
references: [
- { url: 'https://nvd.nist.gov/vuln/detail/CVE-2018-15685' },
+ { url: 'https://nvd.nist.gov/vuln/detail/CVE-2018-12022' },
],
severity: 'HIGH',
},
securityVulnerability: {
- package: { name: 'electron', ecosystem: 'NPM' },
- firstPatchedVersion: { identifier: '1.8.8' },
- vulnerableVersionRange: '>= 1.8.0, < 1.8.8',
+ package: {
+ name: 'com.fasterxml.jackson.core:jackson-databind',
+ ecosystem: 'MAVEN',
+ },
+ firstPatchedVersion: { identifier: '2.7.9.4' },
+ vulnerableVersionRange: '< 2.7.9.4',
},
},
+ ]);
+ const res = await detectVulnerabilityAlerts(config);
+ expect(res.packageRules).toMatchSnapshot();
+ expect(res.packageRules).toHaveLength(1);
+ });
+
+ it('returns pip alerts', async () => {
+ // TODO #22198
+ delete config.vulnerabilityAlerts!.enabled;
+ platform.getVulnerabilityAlerts.mockResolvedValue([
{
dismissReason: null,
vulnerableManifestFilename: 'requirements.txt',
@@ -160,28 +247,6 @@ describe('workers/repository/init/vulnerability', () => {
vulnerableVersionRange: '< 2.3.1.0',
},
},
- {
- dismissReason: null,
- vulnerableManifestFilename: 'requirements.txt',
- vulnerableManifestPath: 'requirements.txt',
- vulnerableRequirements: '= 1.6.7',
- securityAdvisory: {
- description:
- 'The create_script function in the lxc_container module in Ansible before 1.9.6-1 and 2.x before 2.0.2.0 allows local users to write to arbitrary files or gain privileges via a symlink attack on (1) /opt/.lxc-attach-script, (2) the archived container in the archive_path directory, or the (3) lxc-attach-script.log or (4) lxc-attach-script.err files in the temporary directory.',
- identifiers: [
- { type: 'GHSA', value: 'GHSA-rh6x-qvg7-rrmj' },
- { type: 'CVE', value: 'CVE-2016-3096' },
- ],
- references: [
- { url: 'https://nvd.nist.gov/vuln/detail/CVE-2016-3096' },
- ],
- severity: 'HIGH',
- },
- securityVulnerability: {
- package: { name: 'ansible', ecosystem: 'PIP' },
- vulnerableVersionRange: '< 1.9.6.1',
- },
- },
{
dismissReason: null,
vulnerableManifestFilename: 'requirements.txt',
@@ -297,38 +362,41 @@ describe('workers/repository/init/vulnerability', () => {
vulnerableVersionRange: '< 2.1.4',
},
},
+ ]);
+ const res = await detectVulnerabilityAlerts(config);
+ expect(res.packageRules).toMatchSnapshot();
+ expect(res.packageRules).toHaveLength(1);
+ });
+
+ it('returns remediations', async () => {
+ config.transitiveRemediation = true;
+ // TODO #22198
+ delete config.vulnerabilityAlerts!.enabled;
+ platform.getVulnerabilityAlerts.mockResolvedValue([
+ partial<VulnerabilityAlert>(),
{
dismissReason: null,
- vulnerableManifestFilename: 'pom.xml',
- vulnerableManifestPath: 'pom.xml',
- vulnerableRequirements: '= 2.4.2',
+ vulnerableManifestFilename: 'package-lock.json',
+ vulnerableManifestPath: 'backend/package-lock.json',
+ vulnerableRequirements: '= 1.8.2',
securityAdvisory: {
description:
- 'An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.',
- identifiers: [
- { type: 'GHSA', value: 'GHSA-cjjf-94ff-43w7' },
- { type: 'CVE', value: 'CVE-2018-12022' },
- ],
+ 'Electron version 1.7 up to 1.7.12; 1.8 up to 1.8.3 and 2.0.0 up to 2.0.0-beta.3 contains an improper handling of values vulnerability in Webviews that can result in remote code execution. This attack appear to be exploitable via an app which allows execution of 3rd party code AND disallows node integration AND has not specified if webview is enabled/disabled. This vulnerability appears to have been fixed in 1.7.13, 1.8.4, 2.0.0-beta.4.',
+ identifiers: [{ type: 'GHSA', value: 'GHSA-8xwg-wv7v-4vqp' }],
references: [
- { url: 'https://nvd.nist.gov/vuln/detail/CVE-2018-12022' },
+ { url: 'https://nvd.nist.gov/vuln/detail/CVE-2018-1000136' },
],
severity: 'HIGH',
},
securityVulnerability: {
- package: {
- name: 'com.fasterxml.jackson.core:jackson-databind',
- ecosystem: 'MAVEN',
- },
- firstPatchedVersion: { identifier: '2.7.9.4' },
- vulnerableVersionRange: '< 2.7.9.4',
+ package: { name: 'electron', ecosystem: 'NPM' },
+ firstPatchedVersion: { identifier: '1.8.3' },
+ vulnerableVersionRange: '>= 1.8, < 1.8.3',
},
},
]);
const res = await detectVulnerabilityAlerts(config);
- expect(res.packageRules).toMatchSnapshot();
- expect(res.packageRules).toHaveLength(5);
- expect(res.packageRules?.[1]?.matchFileNames?.[0]).toBe('go.mod');
- expect(res.packageRules?.[2]?.matchCurrentVersion).toBe('1.8.2');
+ expect(res.packageRules).toHaveLength(1);
expect(res.remediations).toMatchSnapshot({
'backend/package-lock.json': [
{
@@ -340,5 +408,37 @@ describe('workers/repository/init/vulnerability', () => {
],
});
});
+
+ it('ignores unsupported remediation file types', async () => {
+ config.transitiveRemediation = true;
+ // TODO #22198
+ delete config.vulnerabilityAlerts!.enabled;
+ platform.getVulnerabilityAlerts.mockResolvedValue([
+ partial<VulnerabilityAlert>(),
+ {
+ dismissReason: null,
+ vulnerableManifestFilename: 'package.json',
+ vulnerableManifestPath: 'backend/package.json',
+ vulnerableRequirements: '= 1.8.2',
+ securityAdvisory: {
+ description:
+ 'Electron version 1.7 up to 1.7.12; 1.8 up to 1.8.3 and 2.0.0 up to 2.0.0-beta.3 contains an improper handling of values vulnerability in Webviews that can result in remote code execution. This attack appear to be exploitable via an app which allows execution of 3rd party code AND disallows node integration AND has not specified if webview is enabled/disabled. This vulnerability appears to have been fixed in 1.7.13, 1.8.4, 2.0.0-beta.4.',
+ identifiers: [{ type: 'GHSA', value: 'GHSA-8xwg-wv7v-4vqp' }],
+ references: [
+ { url: 'https://nvd.nist.gov/vuln/detail/CVE-2018-1000136' },
+ ],
+ severity: 'HIGH',
+ },
+ securityVulnerability: {
+ package: { name: 'electron', ecosystem: 'NPM' },
+ firstPatchedVersion: { identifier: '1.8.3' },
+ vulnerableVersionRange: '>= 1.8, < 1.8.3',
+ },
+ },
+ ]);
+ const res = await detectVulnerabilityAlerts(config);
+ expect(res.packageRules).toHaveLength(1);
+ expect(res.remediations).toBeEmptyObject();
+ });
});
});