mirror of
https://github.com/renovatebot/renovate.git
synced 2025-01-12 06:56:24 +00:00
fix(vulnerabilities): prevent exception due to invalid OSV event version (#20512)
This commit is contained in:
Johannes Feichtner
GitHub
parent
59432b4129
commit
199124225b
2 changed files with 43 additions and 10 deletions
|
|
@ -136,8 +136,32 @@ describe('workers/repository/process/vulnerabilities', () => {
|
|||
);
|
||||
});
|
||||
|
||||
it('exception due to invalid version upon comparison', async () => {
|
||||
const err = new TypeError('Invalid Version: ^1.1.0');
|
||||
it('exception while fetching vulnerabilities', async () => {
|
||||
const err = new Error('unknown');
|
||||
const packageFiles: Record<string, PackageFileContent[]> = {
|
||||
npm: [
|
||||
{
|
||||
deps: [
|
||||
{
|
||||
depName: 'lodash',
|
||||
currentValue: '4.17.11',
|
||||
datasource: 'npm',
|
||||
},
|
||||
],
|
||||
},
|
||||
],
|
||||
};
|
||||
getVulnerabilitiesMock.mockRejectedValueOnce(err);
|
||||
|
||||
await vulnerabilities.fetchVulnerabilities(config, packageFiles);
|
||||
expect(logger.logger.warn).toHaveBeenCalledWith(
|
||||
{ err },
|
||||
'Error fetching vulnerability information for lodash'
|
||||
);
|
||||
});
|
||||
|
||||
it('log event with invalid version', async () => {
|
||||
const event = { fixed: '^6.0' };
|
||||
const packageFiles: Record<string, PackageFileContent[]> = {
|
||||
npm: [
|
||||
{
|
||||
|
|
@ -165,7 +189,7 @@ describe('workers/repository/process/vulnerabilities', () => {
|
|||
ranges: [
|
||||
{
|
||||
type: 'SEMVER',
|
||||
events: [{ introduced: '^0' }, { fixed: '^1.1.0' }],
|
||||
events: [{ introduced: '0' }, event],
|
||||
},
|
||||
],
|
||||
},
|
||||
|
|
@ -175,8 +199,8 @@ describe('workers/repository/process/vulnerabilities', () => {
|
|||
|
||||
await vulnerabilities.fetchVulnerabilities(config, packageFiles);
|
||||
expect(logger.logger.debug).toHaveBeenCalledWith(
|
||||
{ err },
|
||||
'Error fetching vulnerability information for lodash'
|
||||
{ event },
|
||||
'Skipping OSV event with invalid version'
|
||||
);
|
||||
});
|
||||
|
||||
|
|
|
|||
|
|
@ -199,10 +199,11 @@ export class Vulnerabilities {
|
|||
|
||||
this.sortByFixedVersion(packageRules, versioningApi);
|
||||
} catch (err) {
|
||||
logger.debug(
|
||||
logger.warn(
|
||||
{ err },
|
||||
`Error fetching vulnerability information for ${packageName}`
|
||||
);
|
||||
return [];
|
||||
}
|
||||
|
||||
return packageRules;
|
||||
|
|
@ -237,9 +238,11 @@ export class Vulnerabilities {
|
|||
for (const event of events) {
|
||||
if (event.introduced === '0') {
|
||||
zeroEvent = event;
|
||||
continue;
|
||||
}
|
||||
} else if (versioningApi.isVersion(Object.values(event)[0])) {
|
||||
sortedCopy.push(event);
|
||||
} else {
|
||||
logger.debug({ event }, 'Skipping OSV event with invalid version');
|
||||
}
|
||||
}
|
||||
|
||||
sortedCopy.sort((a, b) =>
|
||||
|
|
@ -341,9 +344,15 @@ export class Vulnerabilities {
|
|||
}
|
||||
|
||||
for (const event of range.events) {
|
||||
if (is.nonEmptyString(event.fixed)) {
|
||||
if (
|
||||
is.nonEmptyString(event.fixed) &&
|
||||
versioningApi.isVersion(event.fixed)
|
||||
) {
|
||||
fixedVersions.push(event.fixed);
|
||||
} else if (is.nonEmptyString(event.last_affected)) {
|
||||
} else if (
|
||||
is.nonEmptyString(event.last_affected) &&
|
||||
versioningApi.isVersion(event.last_affected)
|
||||
) {
|
||||
lastAffectedVersions.push(event.last_affected);
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in a new issue