renovate/renovate
1
0
Fork 0
mirror of https://github.com/renovatebot/renovate.git synced 2025-01-12 06:56:24 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 7

fix(vulnerabilities): prevent exception due to invalid OSV event version (#20512)

Browse source
This commit is contained in:
Johannes Feichtner 2023-02-20 10:43:40 +01:00 committed by GitHub
parent 59432b4129
commit 199124225b
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 43 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

34
lib/workers/repository/process/vulnerabilities.spec.ts
View file

@ -136,8 +136,32 @@ describe('workers/repository/process/vulnerabilities', () => {
); );
}); });
it('exception due to invalid version upon comparison', async () => { it('exception while fetching vulnerabilities', async () => {
const err = new TypeError('Invalid Version: ^1.1.0'); const err = new Error('unknown');
const packageFiles: Record<string, PackageFileContent[]> = {
npm: [
{
deps: [
{
depName: 'lodash',
currentValue: '4.17.11',
datasource: 'npm',
},
],
},
],
};
getVulnerabilitiesMock.mockRejectedValueOnce(err);
await vulnerabilities.fetchVulnerabilities(config, packageFiles);
expect(logger.logger.warn).toHaveBeenCalledWith(
{ err },
'Error fetching vulnerability information for lodash'
);
});
it('log event with invalid version', async () => {
const event = { fixed: '^6.0' };
const packageFiles: Record<string, PackageFileContent[]> = { const packageFiles: Record<string, PackageFileContent[]> = {
npm: [ npm: [
{ {
@ -165,7 +189,7 @@ describe('workers/repository/process/vulnerabilities', () => {
ranges: [ ranges: [
{ {
type: 'SEMVER', type: 'SEMVER',
events: [{ introduced: '^0' }, { fixed: '^1.1.0' }], events: [{ introduced: '0' }, event],
}, },
], ],
}, },
@ -175,8 +199,8 @@ describe('workers/repository/process/vulnerabilities', () => {
await vulnerabilities.fetchVulnerabilities(config, packageFiles); await vulnerabilities.fetchVulnerabilities(config, packageFiles);
expect(logger.logger.debug).toHaveBeenCalledWith( expect(logger.logger.debug).toHaveBeenCalledWith(
{ err }, { event },
'Error fetching vulnerability information for lodash' 'Skipping OSV event with invalid version'
); );
}); });

19
lib/workers/repository/process/vulnerabilities.ts
View file

@ -199,10 +199,11 @@ export class Vulnerabilities {
this.sortByFixedVersion(packageRules, versioningApi); this.sortByFixedVersion(packageRules, versioningApi);
} catch (err) { } catch (err) {
logger.debug( logger.warn(
{ err }, { err },
`Error fetching vulnerability information for ${packageName}` `Error fetching vulnerability information for ${packageName}`
); );
return [];
} }
return packageRules; return packageRules;
@ -237,9 +238,11 @@ export class Vulnerabilities {
for (const event of events) { for (const event of events) {
if (event.introduced === '0') { if (event.introduced === '0') {
zeroEvent = event; zeroEvent = event;
continue; } else if (versioningApi.isVersion(Object.values(event)[0])) {
sortedCopy.push(event);
} else {
logger.debug({ event }, 'Skipping OSV event with invalid version');
} }
sortedCopy.push(event);
} }
sortedCopy.sort((a, b) => sortedCopy.sort((a, b) =>
@ -341,9 +344,15 @@ export class Vulnerabilities {
} }
for (const event of range.events) { for (const event of range.events) {
if (is.nonEmptyString(event.fixed)) { if (
is.nonEmptyString(event.fixed) &&
versioningApi.isVersion(event.fixed)
) {
fixedVersions.push(event.fixed); fixedVersions.push(event.fixed);
} else if (is.nonEmptyString(event.last_affected)) { } else if (
is.nonEmptyString(event.last_affected) &&
versioningApi.isVersion(event.last_affected)
) {
lastAffectedVersions.push(event.last_affected); lastAffectedVersions.push(event.last_affected);
} }
} }