fix(vulnerability-alerts): use datasources, not managers

This commit is contained in:
Rhys Arkins 2019-05-19 07:06:16 +02:00
parent 546a21d10b
commit 6d86bbd353
2 changed files with 34 additions and 32 deletions


@ -34,29 +34,31 @@ async function detectVulnerabilityAlerts(input) {
); );
continue; // eslint-disable-line no-continue continue; // eslint-disable-line no-continue
} }
const managerMapping = { const datasourceMapping = {
MAVEN: 'maven', MAVEN: 'maven',
NPM: 'npm', NPM: 'npm',
NUGET: 'nuget', NUGET: 'nuget',
PIP: 'pip_requirements', PIP: 'pypi',
RUBYGEMS: 'bundler', RUBYGEMS: 'bundler',
}; };
const manager = const datasource =
managerMapping[alert.securityVulnerability.package.ecosystem]; datasourceMapping[alert.securityVulnerability.package.ecosystem];
if (!combinedAlerts[manager]) { if (!combinedAlerts[datasource]) {
combinedAlerts[manager] = {}; combinedAlerts[datasource] = {};
} }
const depName = alert.securityVulnerability.package.name; const depName = alert.securityVulnerability.package.name;
if (!combinedAlerts[manager][depName]) { if (!combinedAlerts[datasource][depName]) {
combinedAlerts[manager][depName] = { combinedAlerts[datasource][depName] = {
advisories: [], advisories: [],
fileNames: [], fileNames: [],
}; };
} }
combinedAlerts[manager][depName].advisories.push(alert.securityAdvisory); combinedAlerts[datasource][depName].advisories.push(
alert.securityAdvisory
);
const fileName = alert.vulnerableManifestFilename; const fileName = alert.vulnerableManifestFilename;
if (!combinedAlerts[manager][depName].fileNames.includes(fileName)) { if (!combinedAlerts[datasource][depName].fileNames.includes(fileName)) {
combinedAlerts[manager][depName].fileNames.push(fileName); combinedAlerts[datasource][depName].fileNames.push(fileName);
} }
const firstPatchedVersion = const firstPatchedVersion =
alert.securityVulnerability.firstPatchedVersion.identifier; alert.securityVulnerability.firstPatchedVersion.identifier;
@ -67,21 +69,21 @@ async function detectVulnerabilityAlerts(input) {
pip_requirements: 'pep440', pip_requirements: 'pep440',
rubygems: 'ruby', rubygems: 'ruby',
}; };
const versionScheme = versioning.get(versionSchemes[manager]); const versionScheme = versioning.get(versionSchemes[datasource]);
if (versionScheme.isVersion(firstPatchedVersion)) { if (versionScheme.isVersion(firstPatchedVersion)) {
if (combinedAlerts[manager][depName].firstPatchedVersion) { if (combinedAlerts[datasource][depName].firstPatchedVersion) {
if ( if (
versionScheme.isGreaterThan( versionScheme.isGreaterThan(
firstPatchedVersion, firstPatchedVersion,
combinedAlerts[manager][depName].firstPatchedVersion combinedAlerts[datasource][depName].firstPatchedVersion
) )
) { ) {
combinedAlerts[manager][ combinedAlerts[datasource][
depName depName
].firstPatchedVersion = firstPatchedVersion; ].firstPatchedVersion = firstPatchedVersion;
} }
} else { } else {
combinedAlerts[manager][ combinedAlerts[datasource][
depName depName
].firstPatchedVersion = firstPatchedVersion; ].firstPatchedVersion = firstPatchedVersion;
} }
@ -93,7 +95,7 @@ async function detectVulnerabilityAlerts(input) {
} }
} }
const alertPackageRules = []; const alertPackageRules = [];
for (const [manager, dependencies] of Object.entries(combinedAlerts)) { for (const [datasource, dependencies] of Object.entries(combinedAlerts)) {
for (const [depName, val] of Object.entries(dependencies)) { for (const [depName, val] of Object.entries(dependencies)) {
let prBodyNotes = []; let prBodyNotes = [];
try { try {
@ -122,21 +124,21 @@ async function detectVulnerabilityAlerts(input) {
logger.warn({ err }, 'Error generating vulnerability PR notes'); logger.warn({ err }, 'Error generating vulnerability PR notes');
} }
const matchRule = { const matchRule = {
managers: [manager], datasources: [datasource],
packageNames: [depName], packageNames: [depName],
matchCurrentVersion: `< ${val.firstPatchedVersion}`, matchCurrentVersion: `< ${val.firstPatchedVersion}`,
prBodyNotes, prBodyNotes,
force: { force: {
...config.vulnerabilityAlerts, ...config.vulnerabilityAlerts,
vulnerabilityAlert: true, vulnerabilityAlert: true,
branchTopic: `${manager}-${depName}-vulnerability`, branchTopic: `${datasource}-${depName}-vulnerability`,
}, },
}; };
alertPackageRules.push(matchRule); alertPackageRules.push(matchRule);
const allowedRule = JSON.parse(JSON.stringify(matchRule)); const allowedRule = JSON.parse(JSON.stringify(matchRule));
delete allowedRule.matchCurrentVersion; delete allowedRule.matchCurrentVersion;
delete allowedRule.force; delete allowedRule.force;
if (manager === 'npm') { if (datasource === 'npm') {
allowedRule.allowedVersions = `^${val.firstPatchedVersion}`; allowedRule.allowedVersions = `^${val.firstPatchedVersion}`;
} else { } else {
allowedRule.allowedVersions = `>= ${val.firstPatchedVersion}`; allowedRule.allowedVersions = `>= ${val.firstPatchedVersion}`;
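Review bot: The `versionSchemes` table consulted by `versioning.get(versionSchemes[datasource])` is still keyed by manager names (`pip_requirements: 'pep440'`, `rubygems: 'ruby'`) while the renamed mapping now yields datasource names, so a Python alert looks up `versionSchemes['pypi']`, which is not present, and no longer gets the pep440 scheme; the `rubygems` entry is equally unreachable because the mapping produces `bundler`. The snapshot change from `< 2.2.1.0` to `< 2.2.0` in the second file looks like the consequence: the four-component PEP 440 identifier is rejected by whatever scheme a missing key falls through to, a lower firstPatchedVersion wins, and installs between 2.2.0 and 2.2.1.0 fall outside the generated remediation rule. The table key should follow the rename, `pypi: 'pep440',`, and the Ruby pair (`bundler` in the mapping versus `rubygems` in the table) should be reconciled the same way. The start of the `versionSchemes` literal and the remainder of `detectVulnerabilityAlerts` lie outside the hunk.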


@ -3,6 +3,9 @@
exports[`workers/repository/init/vulnerability detectVulnerabilityAlerts() returns alerts 1`] = ` exports[`workers/repository/init/vulnerability detectVulnerabilityAlerts() returns alerts 1`] = `
Array [ Array [
Object { Object {
"datasources": Array [
"npm",
],
"force": Object { "force": Object {
"branchTopic": "npm-electron-vulnerability", "branchTopic": "npm-electron-vulnerability",
"commitMessageSuffix": "[SECURITY]", "commitMessageSuffix": "[SECURITY]",
@ -12,9 +15,6 @@ Array [
"schedule": Array [], "schedule": Array [],
"vulnerabilityAlert": true, "vulnerabilityAlert": true,
}, },
"managers": Array [
"npm",
],
"matchCurrentVersion": "< 1.8.3", "matchCurrentVersion": "< 1.8.3",
"packageNames": Array [ "packageNames": Array [
"electron", "electron",
@ -28,7 +28,7 @@ Electron version 1.7 up to 1.7.12; 1.8 up to 1.8.3 and 2.0.0 up to 2.0.0-beta.3
}, },
Object { Object {
"allowedVersions": "^1.8.3", "allowedVersions": "^1.8.3",
"managers": Array [ "datasources": Array [
"npm", "npm",
], ],
"packageNames": Array [ "packageNames": Array [
@ -42,8 +42,11 @@ Electron version 1.7 up to 1.7.12; 1.8 up to 1.8.3 and 2.0.0 up to 2.0.0-beta.3
], ],
}, },
Object { Object {
"datasources": Array [
"pypi",
],
"force": Object { "force": Object {
"branchTopic": "pip_requirements-ansible-vulnerability", "branchTopic": "pypi-ansible-vulnerability",
"commitMessageSuffix": "[SECURITY]", "commitMessageSuffix": "[SECURITY]",
"groupName": null, "groupName": null,
"masterIssueApproval": false, "masterIssueApproval": false,
@ -51,10 +54,7 @@ Electron version 1.7 up to 1.7.12; 1.8 up to 1.8.3 and 2.0.0 up to 2.0.0-beta.3
"schedule": Array [], "schedule": Array [],
"vulnerabilityAlert": true, "vulnerabilityAlert": true,
}, },
"managers": Array [ "matchCurrentVersion": "< 2.2.0",
"pip_requirements",
],
"matchCurrentVersion": "< 2.2.1.0",
"packageNames": Array [ "packageNames": Array [
"ansible", "ansible",
], ],
@ -81,9 +81,9 @@ Ansible before versions 2.1.4, 2.2.1 is vulnerable to an improper input validati
], ],
}, },
Object { Object {
"allowedVersions": ">= 2.2.1.0", "allowedVersions": ">= 2.2.0",
"managers": Array [ "datasources": Array [
"pip_requirements", "pypi",
], ],
"packageNames": Array [ "packageNames": Array [
"ansible", "ansible",