fix(github): Ignore vulnerability alerts in FIXED or DISMISSED states (#14431)

This commit is contained in:
nyg 2022-03-28 14:16:25 +02:00 committed by GitHub
parent 39471b57ad
commit 18b884d4a7
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 77 additions and 7 deletions


@ -6493,6 +6493,9 @@ Array [
"vulnerabilityAlerts": Object {
"__args": Object {
"last": "100",
"states": Array [
"OPEN",
],
},
"edges": Object {
"node": Object {
@ -6532,7 +6535,7 @@ Array [
"accept": "application/vnd.github.vixen-preview+json, application/vnd.github.v3+json",
"accept-encoding": "gzip, deflate, br",
"authorization": "token 123test",
"content-length": "684",
"content-length": "700",
"content-type": "application/json",
"host": "api.github.com",
"user-agent": "RenovateBot/0.0.0-semantic-release (https://github.com/renovatebot/renovate)",
@ -6560,6 +6563,9 @@ Array [
"vulnerabilityAlerts": Object {
"__args": Object {
"last": "100",
"states": Array [
"OPEN",
],
},
"edges": Object {
"node": Object {
@ -6599,7 +6605,7 @@ Array [
"accept": "application/vnd.github.vixen-preview+json, application/vnd.github.v3+json",
"accept-encoding": "gzip, deflate, br",
"authorization": "token 123test",
"content-length": "684",
"content-length": "700",
"content-type": "application/json",
"host": "api.github.com",
"user-agent": "RenovateBot/0.0.0-semantic-release (https://github.com/renovatebot/renovate)",
@ -6627,6 +6633,9 @@ Array [
"vulnerabilityAlerts": Object {
"__args": Object {
"last": "100",
"states": Array [
"OPEN",
],
},
"edges": Object {
"node": Object {
@ -6666,7 +6675,7 @@ Array [
"accept": "application/vnd.github.vixen-preview+json, application/vnd.github.v3+json",
"accept-encoding": "gzip, deflate, br",
"authorization": "token 123test",
"content-length": "684",
"content-length": "700",
"content-type": "application/json",
"host": "api.github.com",
"user-agent": "RenovateBot/0.0.0-semantic-release (https://github.com/renovatebot/renovate)",
@ -6694,6 +6703,9 @@ Array [
"vulnerabilityAlerts": Object {
"__args": Object {
"last": "100",
"states": Array [
"OPEN",
],
},
"edges": Object {
"node": Object {
@ -6733,7 +6745,7 @@ Array [
"accept": "application/vnd.github.vixen-preview+json, application/vnd.github.v3+json",
"accept-encoding": "gzip, deflate, br",
"authorization": "token 123test",
"content-length": "684",
"content-length": "700",
"content-type": "application/json",
"host": "api.github.com",
"user-agent": "RenovateBot/0.0.0-semantic-release (https://github.com/renovatebot/renovate)",


@ -121,10 +121,10 @@ query(
}
`;
export const vulnerabilityAlertsQuery = `
export const vulnerabilityAlertsQuery = (filterByState: boolean): string => `
query($owner: String!, $name: String!) {
repository(owner: $owner, name: $name) {
vulnerabilityAlerts(last: 100) {
vulnerabilityAlerts(last: 100, ${filterByState ? 'states: [OPEN]' : ''}) {
edges {
node {
dismissReason
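Review bot: The line `vulnerabilityAlerts(last: 100, ${filterByState ? 'states: [OPEN]' : ''})` produces `vulnerabilityAlerts(last: 100, )` when filterByState is false, which only parses because GraphQL treats commas as insignificant tokens; moving the comma into the conditional, `vulnerabilityAlerts(last: 100${filterByState ? ', states: [OPEN]' : ''})`, yields a clean document on both paths. The interpolated text is a fixed literal gated by a boolean, so there is no injection concern, but the exported function lost its self-explanatory constant form and gained an undocumented parameter; a TSDoc line such as `/** Builds the vulnerabilityAlerts query; pass filterByState=false for servers that do not accept the 'states' argument (presumably older GHE, judging by the version gate in index.ts). */` would record why it exists. The template literal continues past the end of this hunk.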


@ -2462,6 +2462,56 @@ describe('modules/platform/github/index', () => {
expect(res).toHaveLength(1);
expect(httpMock.getTrace()).toMatchSnapshot();
});
it('returns array if found on GHE', async () => {
const gheApiHost = 'https://ghe.renovatebot.com';
httpMock
.scope(gheApiHost)
.head('/')
.reply(200, '', { 'x-github-enterprise-version': '3.0.15' })
.get('/user')
.reply(200, { login: 'renovate-bot' })
.get('/user/emails')
.reply(200, {});
httpMock
.scope(gheApiHost)
.post('/graphql')
.reply(200, {
data: {
repository: {
vulnerabilityAlerts: {
edges: [
{
node: {
securityAdvisory: { severity: 'HIGH', references: [] },
securityVulnerability: {
package: {
ecosystem: 'NPM',
name: 'left-pad',
range: '0.0.2',
},
vulnerableVersionRange: '0.0.2',
firstPatchedVersion: { identifier: '0.0.3' },
},
vulnerableManifestFilename: 'foo',
vulnerableManifestPath: 'bar',
} as VulnerabilityAlert,
},
],
},
},
},
});
await github.initPlatform({
endpoint: gheApiHost,
token: '123test',
});
const res = await github.getVulnerabilityAlerts();
expect(res).toHaveLength(1);
});
it('returns empty if disabled', async () => {
// prettier-ignore
httpMock.scope(githubApiHost).post('/graphql').reply(200, {data: {repository: {}}});


@ -1677,10 +1677,18 @@ export function massageMarkdown(input: string): string {
export async function getVulnerabilityAlerts(): Promise<VulnerabilityAlert[]> {
let vulnerabilityAlerts: { node: VulnerabilityAlert }[];
const gheSupportsStateFilter = semver.satisfies(
platformConfig.gheVersion,
'~3.0.25 || ~3.1.17 || ~3.2.9 || >=3.3.4'
);
const filterByState = !platformConfig.isGhe || gheSupportsStateFilter;
const query = vulnerabilityAlertsQuery(filterByState);
try {
vulnerabilityAlerts = await githubApi.queryRepoField<{
node: VulnerabilityAlert;
}>(vulnerabilityAlertsQuery, 'vulnerabilityAlerts', {
}>(query, 'vulnerabilityAlerts', {
variables: { owner: config.repositoryOwner, name: config.repositoryName },
paginate: false,
acceptHeader: 'application/vnd.github.vixen-preview+json',
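Review bot: On a GHE server whose version falls outside `'~3.0.25 || ~3.1.17 || ~3.2.9 || >=3.3.4'`, filterByState becomes false and the query silently reverts to returning every alert state, so the FIXED/DISMISSED suppression in the commit title does not apply there and nothing in the hunk records that. A debug log in that branch, e.g. `if (platformConfig.isGhe && !gheSupportsStateFilter) logger.debug({ gheVersion: platformConfig.gheVersion }, 'GHE version does not support vulnerabilityAlerts state filter');` (assuming the module's logger is in scope), or a client-side fallback using the `dismissReason` field the query already requests, would make the degraded path visible to operators. The range literal also deserves a comment naming what those patch levels are, presumably the GHE releases that added the `states` argument. `semver.satisfies` is evaluated even when isGhe is false; it returns false for an undefined version rather than throwing, so this is harmless, but checking isGhe first would avoid the needless parse. getVulnerabilityAlerts continues past the end of this hunk, inside the open try block.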