From 18b884d4a7a5cbe3e2ed59a6c8654922748e5119 Mon Sep 17 00:00:00 2001
From: nyg
Date: Mon, 28 Mar 2022 14:16:25 +0200
Subject: [PATCH] fix(github): Ignore vulnerability alerts in FIXED or DISMISSED states (#14431)
---
 .../github/__snapshots__/index.spec.ts.snap | 20 ++++++--
 lib/modules/platform/github/graphql.ts | 4 +-
 lib/modules/platform/github/index.spec.ts | 50 +++++++++++++++++++
 lib/modules/platform/github/index.ts | 10 +++-
 4 files changed, 77 insertions(+), 7 deletions(-)
diff --git a/lib/modules/platform/github/__snapshots__/index.spec.ts.snap b/lib/modules/platform/github/__snapshots__/index.spec.ts.snap
index 2b4ce9a03e..31f05cd7da 100644
--- a/lib/modules/platform/github/__snapshots__/index.spec.ts.snap
+++ b/lib/modules/platform/github/__snapshots__/index.spec.ts.snap
@@ -6493,6 +6493,9 @@ Array [
 "vulnerabilityAlerts": Object {
 "__args": Object {
 "last": "100",
+"states": Array [
+"OPEN",
+],
 },
 "edges": Object {
 "node": Object {
@@ -6532,7 +6535,7 @@ Array [
 "accept": "application/vnd.github.vixen-preview+json, application/vnd.github.v3+json",
 "accept-encoding": "gzip, deflate, br",
 "authorization": "token 123test",
-"content-length": "684",
+"content-length": "700",
 "content-type": "application/json",
 "host": "api.github.com",
 "user-agent": "RenovateBot/0.0.0-semantic-release (https://github.com/renovatebot/renovate)",
@@ -6560,6 +6563,9 @@ Array [
 "vulnerabilityAlerts": Object {
 "__args": Object {
 "last": "100",
+"states": Array [
+"OPEN",
+],
 },
 "edges": Object {
 "node": Object {
@@ -6599,7 +6605,7 @@ Array [
 "accept": "application/vnd.github.vixen-preview+json, application/vnd.github.v3+json",
 "accept-encoding": "gzip, deflate, br",
 "authorization": "token 123test",
-"content-length": "684",
+"content-length": "700",
 "content-type": "application/json",
 "host": "api.github.com",
 "user-agent": "RenovateBot/0.0.0-semantic-release (https://github.com/renovatebot/renovate)",
@@ -6627,6 +6633,9 @@ Array [
 "vulnerabilityAlerts": Object {
 "__args": Object {
 "last": "100",
+"states": Array [
+"OPEN",
+],
 },
 "edges": Object {
 "node": Object {
@@ -6666,7 +6675,7 @@ Array [
 "accept": "application/vnd.github.vixen-preview+json, application/vnd.github.v3+json",
 "accept-encoding": "gzip, deflate, br",
 "authorization": "token 123test",
-"content-length": "684",
+"content-length": "700",
 "content-type": "application/json",
 "host": "api.github.com",
 "user-agent": "RenovateBot/0.0.0-semantic-release (https://github.com/renovatebot/renovate)",
@@ -6694,6 +6703,9 @@ Array [
 "vulnerabilityAlerts": Object {
 "__args": Object {
 "last": "100",
+"states": Array [
+"OPEN",
+],
 },
 "edges": Object {
 "node": Object {
@@ -6733,7 +6745,7 @@ Array [
 "accept": "application/vnd.github.vixen-preview+json, application/vnd.github.v3+json",
 "accept-encoding": "gzip, deflate, br",
 "authorization": "token 123test",
-"content-length": "684",
+"content-length": "700",
 "content-type": "application/json",
 "host": "api.github.com",
 "user-agent": "RenovateBot/0.0.0-semantic-release (https://github.com/renovatebot/renovate)",
diff --git a/lib/modules/platform/github/graphql.ts b/lib/modules/platform/github/graphql.ts
index c32e6137f1..df5d807cbc 100644
--- a/lib/modules/platform/github/graphql.ts
+++ b/lib/modules/platform/github/graphql.ts
@@ -121,10 +121,10 @@ query(
 }
 `;
 
-export const vulnerabilityAlertsQuery = `
+export const vulnerabilityAlertsQuery = (filterByState: boolean): string => `
 query($owner: String!, $name: String!) {
 repository(owner: $owner, name: $name) {
-vulnerabilityAlerts(last: 100) {
+vulnerabilityAlerts(last: 100, ${filterByState ? 'states: [OPEN]' : ''}) {
 edges {
 node {
 dismissReason
diff --git a/lib/modules/platform/github/index.spec.ts b/lib/modules/platform/github/index.spec.ts
index 6b57871440..008ccbc3e6 100644
--- a/lib/modules/platform/github/index.spec.ts
+++ b/lib/modules/platform/github/index.spec.ts
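Review bot: When `filterByState` is false the interpolation in the `vulnerabilityAlerts(...)` line yields `vulnerabilityAlerts(last: 100, )` with a dangling comma; GraphQL treats commas as insignificant so the document still parses, but it reads like a typo, so either say so in a comment or move the comma into the conditional, `vulnerabilityAlerts(last: 100${filterByState ? ', states: [OPEN]' : ''}) {`. The new function also lacks a TSDoc line explaining why the filter is optional — presumably older GHE releases reject the `states` argument, and the caller picks the value from the server version (that decision is in the index.ts hunk, which is cut off at the end of this patch). That comment should state the consequence as well: on servers where the filter is skipped the response presumably still carries FIXED and DISMISSED alerts, so unless the caller drops them client-side those alerts keep being treated as actionable there.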
@@ -2462,6 +2462,56 @@ describe('modules/platform/github/index', () => {
 expect(res).toHaveLength(1);
 expect(httpMock.getTrace()).toMatchSnapshot();
 });
+it('returns array if found on GHE', async () => {
+const gheApiHost = 'https://ghe.renovatebot.com';
+
+httpMock
+.scope(gheApiHost)
+.head('/')
+.reply(200, '', { 'x-github-enterprise-version': '3.0.15' })
+.get('/user')
+.reply(200, { login: 'renovate-bot' })
+.get('/user/emails')
+.reply(200, {});
+
+httpMock
+.scope(gheApiHost)
+.post('/graphql')
+.reply(200, {
+data: {
+repository: {
+vulnerabilityAlerts: {
+edges: [
+{
+node: {
+securityAdvisory: { severity: 'HIGH', references: [] },
+securityVulnerability: {
+package: {
+ecosystem: 'NPM',
+name: 'left-pad',
+range: '0.0.2',
+},
+vulnerableVersionRange: '0.0.2',
+firstPatchedVersion: { identifier: '0.0.3' },
+},
+vulnerableManifestFilename: 'foo',
+vulnerableManifestPath: 'bar',
+} as VulnerabilityAlert,
+},
+],
+},
+},
+},
+});
+
+await github.initPlatform({
+endpoint: gheApiHost,
+token: '123test',
+});
+
+const res = await github.getVulnerabilityAlerts();
+expect(res).toHaveLength(1);
+});
 it('returns empty if disabled', async () => {
 // prettier-ignore
 httpMock.scope(githubApiHost).post('/graphql').reply(200, {data: {repository: {}}});
diff --git a/lib/modules/platform/github/index.ts b/lib/modules/platform/github/index.ts
index 8a8f8f697f..ae0fd2ecfb 100644
--- a/lib/modules/platform/github/index.ts
+++ b/lib/modules/platform/github/index.ts
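Review bot: The new GHE test ends with only `expect(res).toHaveLength(1);`, so it never checks the thing the version gate exists for — that the query posted to `/graphql` omits `states: [OPEN]` for GHE 3.0.15; the sibling test just above pins the request with `expect(httpMock.getTrace()).toMatchSnapshot();`, and the same line here would record the query body. The mocked `.post('/graphql').reply(...)` appears to match any body, so a regression that always sends the filter would still pass this test. A second case with a version inside the supported range (e.g. '3.0.25', constructed from the range in index.ts) asserting that the filter is present would cover both branches. The choice of '3.0.15' also deserves a comment such as `// below the ~3.0.25 cutoff: server does not accept the states argument` so the intent of the value survives.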
@@ -1677,10 +1677,18 @@ export function massageMarkdown(input: string): string {
 export async function getVulnerabilityAlerts(): Promise {
 let vulnerabilityAlerts: { node: VulnerabilityAlert }[];
+
+const gheSupportsStateFilter = semver.satisfies(
+platformConfig.gheVersion,
+'~3.0.25 || ~3.1.17 || ~3.2.9 || >=3.3.4'
+);
+const filterByState = !platformConfig.isGhe || gheSupportsStateFilter;
+const query = vulnerabilityAlertsQuery(filterByState);
+
 try {
 vulnerabilityAlerts = await githubApi.queryRepoField<{
 node: VulnerabilityAlert;
-}>(vulnerabilityAlertsQuery, 'vulnerabilityAlerts', {
+}>(query, 'vulnerabilityAlerts', {
 variables: { owner: config.repositoryOwner, name: config.repositoryName },
 paginate: false,
 acceptHeader: 'application/vnd.github.vixen-preview+json',