feat(github-actions): support vulnerability alerts (#18735)
This commit is contained in:
parent
d281319f4d
commit
e651fd34a5
3 changed files with 56 additions and 1 deletions
|
@ -44,6 +44,36 @@ exports[`workers/repository/init/vulnerability detectVulnerabilityAlerts() retur
|
||||||
go",
|
go",
|
||||||
],
|
],
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
"allowedVersions": "1.8.3",
|
||||||
|
"force": {
|
||||||
|
"branchTopic": "{{{datasource}}}-{{{depName}}}-vulnerability",
|
||||||
|
"commitMessageSuffix": "[SECURITY]",
|
||||||
|
"dependencyDashboardApproval": false,
|
||||||
|
"groupName": null,
|
||||||
|
"prCreation": "immediate",
|
||||||
|
"rangeStrategy": "update-lockfile",
|
||||||
|
"schedule": [],
|
||||||
|
"stabilityDays": 0,
|
||||||
|
},
|
||||||
|
"isVulnerabilityAlert": true,
|
||||||
|
"matchCurrentVersion": "1.8.2",
|
||||||
|
"matchDatasources": [
|
||||||
|
"github-tags",
|
||||||
|
],
|
||||||
|
"matchFiles": [
|
||||||
|
".github/workflows/build.yaml",
|
||||||
|
],
|
||||||
|
"matchPackageNames": [
|
||||||
|
"bar",
|
||||||
|
],
|
||||||
|
"prBodyNotes": [
|
||||||
|
"### GitHub Vulnerability Alerts",
|
||||||
|
"#### [def]()
|
||||||
|
|
||||||
|
actions",
|
||||||
|
],
|
||||||
|
},
|
||||||
{
|
{
|
||||||
"allowedVersions": "==2.2.1.0",
|
"allowedVersions": "==2.2.1.0",
|
||||||
"force": {
|
"force": {
|
||||||
|
|
|
@ -86,6 +86,23 @@ describe('workers/repository/init/vulnerability', () => {
|
||||||
vulnerableVersionRange: '>= 1.8, < 1.8.3',
|
vulnerableVersionRange: '>= 1.8, < 1.8.3',
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
dismissReason: null,
|
||||||
|
vulnerableManifestFilename: '.github/workflows/build.yaml',
|
||||||
|
vulnerableManifestPath: '.github/workflows/build.yaml',
|
||||||
|
vulnerableRequirements: '= 1.8.2',
|
||||||
|
securityAdvisory: {
|
||||||
|
description: 'actions',
|
||||||
|
identifiers: [{ type: 'GHSA', value: 'def' }],
|
||||||
|
references: [{ url: '' }],
|
||||||
|
severity: 'HIGH',
|
||||||
|
},
|
||||||
|
securityVulnerability: {
|
||||||
|
package: { name: 'bar', ecosystem: 'ACTIONS' },
|
||||||
|
firstPatchedVersion: { identifier: '1.8.3' },
|
||||||
|
vulnerableVersionRange: '>= 1.8, < 1.8.3',
|
||||||
|
},
|
||||||
|
},
|
||||||
{
|
{
|
||||||
// this will be ignored
|
// this will be ignored
|
||||||
dismissReason: null,
|
dismissReason: null,
|
||||||
|
@ -313,8 +330,9 @@ describe('workers/repository/init/vulnerability', () => {
|
||||||
]);
|
]);
|
||||||
const res = await detectVulnerabilityAlerts(config);
|
const res = await detectVulnerabilityAlerts(config);
|
||||||
expect(res.packageRules).toMatchSnapshot();
|
expect(res.packageRules).toMatchSnapshot();
|
||||||
expect(res.packageRules).toHaveLength(4);
|
expect(res.packageRules).toHaveLength(5);
|
||||||
expect(res.packageRules?.[1]?.matchFiles?.[0]).toBe('go.mod');
|
expect(res.packageRules?.[1]?.matchFiles?.[0]).toBe('go.mod');
|
||||||
|
expect(res.packageRules?.[2]?.matchCurrentVersion).toBe('1.8.2');
|
||||||
expect(res.remediations).toMatchSnapshot({
|
expect(res.remediations).toMatchSnapshot({
|
||||||
'backend/package-lock.json': [
|
'backend/package-lock.json': [
|
||||||
{
|
{
|
||||||
|
|
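Review bot: The new assertion `expect(res.packageRules?.[2]?.matchCurrentVersion).toBe('1.8.2')` pins only one field of the Actions rule by position, while the behaviour this commit actually introduces — mapping the `ACTIONS` ecosystem to `github-tags` and stripping the `= ` prefix from `vulnerableRequirements` — is checked only through the snapshot, which tends to be accepted blindly on regeneration. Add explicit expectations beside it, e.g. `expect(res.packageRules?.[2]?.matchDatasources).toEqual(['github-tags']);` and `expect(res.packageRules?.[2]?.allowedVersions).toBe('1.8.3');`. The fixture also exercises only a `= 1.8.2` requirement; a second alert with a differently formatted requirement (for instance a `v`-prefixed tag) would show whether the normalization is complete, though I cannot tell from this diff which formats the alert API actually emits. The enclosing `describe` block starts before and continues past these hunks.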
|
@ -2,6 +2,7 @@ import type { PackageRule, RenovateConfig } from '../../../config/types';
|
||||||
import { NO_VULNERABILITY_ALERTS } from '../../../constants/error-messages';
|
import { NO_VULNERABILITY_ALERTS } from '../../../constants/error-messages';
|
||||||
import { logger } from '../../../logger';
|
import { logger } from '../../../logger';
|
||||||
import { CrateDatasource } from '../../../modules/datasource/crate';
|
import { CrateDatasource } from '../../../modules/datasource/crate';
|
||||||
|
import { GithubTagsDatasource } from '../../../modules/datasource/github-tags';
|
||||||
import { GoDatasource } from '../../../modules/datasource/go';
|
import { GoDatasource } from '../../../modules/datasource/go';
|
||||||
import { MavenDatasource } from '../../../modules/datasource/maven';
|
import { MavenDatasource } from '../../../modules/datasource/maven';
|
||||||
import { NpmDatasource } from '../../../modules/datasource/npm';
|
import { NpmDatasource } from '../../../modules/datasource/npm';
|
||||||
|
@ -65,6 +66,7 @@ export async function detectVulnerabilityAlerts(
|
||||||
}
|
}
|
||||||
const config = { ...input };
|
const config = { ...input };
|
||||||
const versionings: Record<string, string> = {
|
const versionings: Record<string, string> = {
|
||||||
|
'github-tags': semverVersioning.id,
|
||||||
go: semverVersioning.id,
|
go: semverVersioning.id,
|
||||||
packagist: composerVersioning.id,
|
packagist: composerVersioning.id,
|
||||||
maven: mavenVersioning.id,
|
maven: mavenVersioning.id,
|
||||||
|
@ -94,6 +96,7 @@ export async function detectVulnerabilityAlerts(
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
const datasourceMapping: Record<string, string> = {
|
const datasourceMapping: Record<string, string> = {
|
||||||
|
ACTIONS: GithubTagsDatasource.id,
|
||||||
COMPOSER: PackagistDatasource.id,
|
COMPOSER: PackagistDatasource.id,
|
||||||
GO: GoDatasource.id,
|
GO: GoDatasource.id,
|
||||||
MAVEN: MavenDatasource.id,
|
MAVEN: MavenDatasource.id,
|
||||||
|
@ -127,6 +130,10 @@ export async function detectVulnerabilityAlerts(
|
||||||
'== '
|
'== '
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
if (datasource === GithubTagsDatasource.id) {
|
||||||
|
// GitHub Actions uses docker versioning, which doesn't support `= 1.2.3` matching, so we strip the equals
|
||||||
|
vulnerableRequirements = vulnerableRequirements.replace(/^=\s*/, '');
|
||||||
|
}
|
||||||
combinedAlerts[fileName] ||= {};
|
combinedAlerts[fileName] ||= {};
|
||||||
combinedAlerts[fileName][datasource] ||= {};
|
combinedAlerts[fileName][datasource] ||= {};
|
||||||
combinedAlerts[fileName][datasource][depName] ||= {};
|
combinedAlerts[fileName][datasource][depName] ||= {};
|
||||||
|
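Review bot: The comment on the new `if (datasource === GithubTagsDatasource.id)` branch says GitHub Actions uses docker versioning, but the `versionings` map added earlier in this same file assigns `'github-tags': semverVersioning.id`, so the comment and the code disagree and the stated reason for stripping the `=` is not the one the code implements. Reword it to what the code does, e.g. `// Actions alerts report the pinned version as '= 1.2.3'; the semver-based matcher needs a bare version, so drop the leading equals`, or change the map entry to the versioning the comment names. Note also that `replace(/^=\s*/, '')` only handles a leading `=`: if an alert's requirement carries a `v`-prefixed tag or a commit SHA pin, nothing here normalizes it and `matchCurrentVersion` may never match the workflow's value — I cannot confirm the alert payload shape from this diff, so a fixture for those cases would settle it. `detectVulnerabilityAlerts` starts before and continues past these hunks.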
|