fix(vulnerability-alerts): use datasources, not managers
This commit is contained in:
parent
546a21d10b
commit
6d86bbd353
2 changed files with 34 additions and 32 deletions
|
@ -34,29 +34,31 @@ async function detectVulnerabilityAlerts(input) {
|
||||||
);
|
);
|
||||||
continue; // eslint-disable-line no-continue
|
continue; // eslint-disable-line no-continue
|
||||||
}
|
}
|
||||||
const managerMapping = {
|
const datasourceMapping = {
|
||||||
MAVEN: 'maven',
|
MAVEN: 'maven',
|
||||||
NPM: 'npm',
|
NPM: 'npm',
|
||||||
NUGET: 'nuget',
|
NUGET: 'nuget',
|
||||||
PIP: 'pip_requirements',
|
PIP: 'pypi',
|
||||||
RUBYGEMS: 'bundler',
|
RUBYGEMS: 'bundler',
|
||||||
};
|
};
|
||||||
const manager =
|
const datasource =
|
||||||
managerMapping[alert.securityVulnerability.package.ecosystem];
|
datasourceMapping[alert.securityVulnerability.package.ecosystem];
|
||||||
if (!combinedAlerts[manager]) {
|
if (!combinedAlerts[datasource]) {
|
||||||
combinedAlerts[manager] = {};
|
combinedAlerts[datasource] = {};
|
||||||
}
|
}
|
||||||
const depName = alert.securityVulnerability.package.name;
|
const depName = alert.securityVulnerability.package.name;
|
||||||
if (!combinedAlerts[manager][depName]) {
|
if (!combinedAlerts[datasource][depName]) {
|
||||||
combinedAlerts[manager][depName] = {
|
combinedAlerts[datasource][depName] = {
|
||||||
advisories: [],
|
advisories: [],
|
||||||
fileNames: [],
|
fileNames: [],
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
combinedAlerts[manager][depName].advisories.push(alert.securityAdvisory);
|
combinedAlerts[datasource][depName].advisories.push(
|
||||||
|
alert.securityAdvisory
|
||||||
|
);
|
||||||
const fileName = alert.vulnerableManifestFilename;
|
const fileName = alert.vulnerableManifestFilename;
|
||||||
if (!combinedAlerts[manager][depName].fileNames.includes(fileName)) {
|
if (!combinedAlerts[datasource][depName].fileNames.includes(fileName)) {
|
||||||
combinedAlerts[manager][depName].fileNames.push(fileName);
|
combinedAlerts[datasource][depName].fileNames.push(fileName);
|
||||||
}
|
}
|
||||||
const firstPatchedVersion =
|
const firstPatchedVersion =
|
||||||
alert.securityVulnerability.firstPatchedVersion.identifier;
|
alert.securityVulnerability.firstPatchedVersion.identifier;
|
||||||
|
@ -67,21 +69,21 @@ async function detectVulnerabilityAlerts(input) {
|
||||||
pip_requirements: 'pep440',
|
pip_requirements: 'pep440',
|
||||||
rubygems: 'ruby',
|
rubygems: 'ruby',
|
||||||
};
|
};
|
||||||
const versionScheme = versioning.get(versionSchemes[manager]);
|
const versionScheme = versioning.get(versionSchemes[datasource]);
|
||||||
if (versionScheme.isVersion(firstPatchedVersion)) {
|
if (versionScheme.isVersion(firstPatchedVersion)) {
|
||||||
if (combinedAlerts[manager][depName].firstPatchedVersion) {
|
if (combinedAlerts[datasource][depName].firstPatchedVersion) {
|
||||||
if (
|
if (
|
||||||
versionScheme.isGreaterThan(
|
versionScheme.isGreaterThan(
|
||||||
firstPatchedVersion,
|
firstPatchedVersion,
|
||||||
combinedAlerts[manager][depName].firstPatchedVersion
|
combinedAlerts[datasource][depName].firstPatchedVersion
|
||||||
)
|
)
|
||||||
) {
|
) {
|
||||||
combinedAlerts[manager][
|
combinedAlerts[datasource][
|
||||||
depName
|
depName
|
||||||
].firstPatchedVersion = firstPatchedVersion;
|
].firstPatchedVersion = firstPatchedVersion;
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
combinedAlerts[manager][
|
combinedAlerts[datasource][
|
||||||
depName
|
depName
|
||||||
].firstPatchedVersion = firstPatchedVersion;
|
].firstPatchedVersion = firstPatchedVersion;
|
||||||
}
|
}
|
||||||
|
@ -93,7 +95,7 @@ async function detectVulnerabilityAlerts(input) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
const alertPackageRules = [];
|
const alertPackageRules = [];
|
||||||
for (const [manager, dependencies] of Object.entries(combinedAlerts)) {
|
for (const [datasource, dependencies] of Object.entries(combinedAlerts)) {
|
||||||
for (const [depName, val] of Object.entries(dependencies)) {
|
for (const [depName, val] of Object.entries(dependencies)) {
|
||||||
let prBodyNotes = [];
|
let prBodyNotes = [];
|
||||||
try {
|
try {
|
||||||
|
@ -122,21 +124,21 @@ async function detectVulnerabilityAlerts(input) {
|
||||||
logger.warn({ err }, 'Error generating vulnerability PR notes');
|
logger.warn({ err }, 'Error generating vulnerability PR notes');
|
||||||
}
|
}
|
||||||
const matchRule = {
|
const matchRule = {
|
||||||
managers: [manager],
|
datasources: [datasource],
|
||||||
packageNames: [depName],
|
packageNames: [depName],
|
||||||
matchCurrentVersion: `< ${val.firstPatchedVersion}`,
|
matchCurrentVersion: `< ${val.firstPatchedVersion}`,
|
||||||
prBodyNotes,
|
prBodyNotes,
|
||||||
force: {
|
force: {
|
||||||
...config.vulnerabilityAlerts,
|
...config.vulnerabilityAlerts,
|
||||||
vulnerabilityAlert: true,
|
vulnerabilityAlert: true,
|
||||||
branchTopic: `${manager}-${depName}-vulnerability`,
|
branchTopic: `${datasource}-${depName}-vulnerability`,
|
||||||
},
|
},
|
||||||
};
|
};
|
||||||
alertPackageRules.push(matchRule);
|
alertPackageRules.push(matchRule);
|
||||||
const allowedRule = JSON.parse(JSON.stringify(matchRule));
|
const allowedRule = JSON.parse(JSON.stringify(matchRule));
|
||||||
delete allowedRule.matchCurrentVersion;
|
delete allowedRule.matchCurrentVersion;
|
||||||
delete allowedRule.force;
|
delete allowedRule.force;
|
||||||
if (manager === 'npm') {
|
if (datasource === 'npm') {
|
||||||
allowedRule.allowedVersions = `^${val.firstPatchedVersion}`;
|
allowedRule.allowedVersions = `^${val.firstPatchedVersion}`;
|
||||||
} else {
|
} else {
|
||||||
allowedRule.allowedVersions = `>= ${val.firstPatchedVersion}`;
|
allowedRule.allowedVersions = `>= ${val.firstPatchedVersion}`;
|
||||||
|
|
|
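Review bot: `versionSchemes[datasource]` in the second hunk (`@ -67,21 +69,21`) no longer resolves for Python alerts, because the map visible just above it still keys on the old manager name (`pip_requirements: 'pep440'`) while the new `datasourceMapping` yields `'pypi'`, so `versioning.get(undefined)` now decides which `firstPatchedVersion` wins (the same pre-existing gap exists between `RUBYGEMS: 'bundler'` and the `rubygems: 'ruby'` key). The snapshot hunks in the test file are consistent with that regression: the ansible rule moves from `< 2.2.1.0` / `>= 2.2.1.0` to `< 2.2.0` / `>= 2.2.0`, although the advisory text in the same snapshot says versions before 2.2.1 are vulnerable, so the generated rule would leave 2.2.0 untreated. The key should follow the datasource, `pypi: 'pep440',`, and a lookup miss is worth a `logger.warn` rather than silently falling through to whatever `versioning.get` returns for `undefined`. The body of detectVulnerabilityAlerts starts before and ends after the hunks shown.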
@ -3,6 +3,9 @@
|
||||||
exports[`workers/repository/init/vulnerability detectVulnerabilityAlerts() returns alerts 1`] = `
|
exports[`workers/repository/init/vulnerability detectVulnerabilityAlerts() returns alerts 1`] = `
|
||||||
Array [
|
Array [
|
||||||
Object {
|
Object {
|
||||||
|
"datasources": Array [
|
||||||
|
"npm",
|
||||||
|
],
|
||||||
"force": Object {
|
"force": Object {
|
||||||
"branchTopic": "npm-electron-vulnerability",
|
"branchTopic": "npm-electron-vulnerability",
|
||||||
"commitMessageSuffix": "[SECURITY]",
|
"commitMessageSuffix": "[SECURITY]",
|
||||||
|
@ -12,9 +15,6 @@ Array [
|
||||||
"schedule": Array [],
|
"schedule": Array [],
|
||||||
"vulnerabilityAlert": true,
|
"vulnerabilityAlert": true,
|
||||||
},
|
},
|
||||||
"managers": Array [
|
|
||||||
"npm",
|
|
||||||
],
|
|
||||||
"matchCurrentVersion": "< 1.8.3",
|
"matchCurrentVersion": "< 1.8.3",
|
||||||
"packageNames": Array [
|
"packageNames": Array [
|
||||||
"electron",
|
"electron",
|
||||||
|
@ -28,7 +28,7 @@ Electron version 1.7 up to 1.7.12; 1.8 up to 1.8.3 and 2.0.0 up to 2.0.0-beta.3
|
||||||
},
|
},
|
||||||
Object {
|
Object {
|
||||||
"allowedVersions": "^1.8.3",
|
"allowedVersions": "^1.8.3",
|
||||||
"managers": Array [
|
"datasources": Array [
|
||||||
"npm",
|
"npm",
|
||||||
],
|
],
|
||||||
"packageNames": Array [
|
"packageNames": Array [
|
||||||
|
@ -42,8 +42,11 @@ Electron version 1.7 up to 1.7.12; 1.8 up to 1.8.3 and 2.0.0 up to 2.0.0-beta.3
|
||||||
],
|
],
|
||||||
},
|
},
|
||||||
Object {
|
Object {
|
||||||
|
"datasources": Array [
|
||||||
|
"pypi",
|
||||||
|
],
|
||||||
"force": Object {
|
"force": Object {
|
||||||
"branchTopic": "pip_requirements-ansible-vulnerability",
|
"branchTopic": "pypi-ansible-vulnerability",
|
||||||
"commitMessageSuffix": "[SECURITY]",
|
"commitMessageSuffix": "[SECURITY]",
|
||||||
"groupName": null,
|
"groupName": null,
|
||||||
"masterIssueApproval": false,
|
"masterIssueApproval": false,
|
||||||
|
@ -51,10 +54,7 @@ Electron version 1.7 up to 1.7.12; 1.8 up to 1.8.3 and 2.0.0 up to 2.0.0-beta.3
|
||||||
"schedule": Array [],
|
"schedule": Array [],
|
||||||
"vulnerabilityAlert": true,
|
"vulnerabilityAlert": true,
|
||||||
},
|
},
|
||||||
"managers": Array [
|
"matchCurrentVersion": "< 2.2.0",
|
||||||
"pip_requirements",
|
|
||||||
],
|
|
||||||
"matchCurrentVersion": "< 2.2.1.0",
|
|
||||||
"packageNames": Array [
|
"packageNames": Array [
|
||||||
"ansible",
|
"ansible",
|
||||||
],
|
],
|
||||||
|
@ -81,9 +81,9 @@ Ansible before versions 2.1.4, 2.2.1 is vulnerable to an improper input validati
|
||||||
],
|
],
|
||||||
},
|
},
|
||||||
Object {
|
Object {
|
||||||
"allowedVersions": ">= 2.2.1.0",
|
"allowedVersions": ">= 2.2.0",
|
||||||
"managers": Array [
|
"datasources": Array [
|
||||||
"pip_requirements",
|
"pypi",
|
||||||
],
|
],
|
||||||
"packageNames": Array [
|
"packageNames": Array [
|
||||||
"ansible",
|
"ansible",
|
||||||
|
|