renovate/renovate
1
0
Fork 0
mirror of https://github.com/renovatebot/renovate.git synced 2025-01-12 06:56:24 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 7

feat(github-actions): support vulnerability alerts (#18735)

Browse source
This commit is contained in:
Rhys Arkins 2022-11-03 16:42:42 +01:00 committed by GitHub
parent d281319f4d
commit e651fd34a5
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 56 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

30
lib/workers/repository/init/__snapshots__/vulnerability.spec.ts.snap
View file

@ -44,6 +44,36 @@ exports[`workers/repository/init/vulnerability detectVulnerabilityAlerts() retur
go", go",
], ],
}, },
{
"allowedVersions": "1.8.3",
"force": {
"branchTopic": "{{{datasource}}}-{{{depName}}}-vulnerability",
"commitMessageSuffix": "[SECURITY]",
"dependencyDashboardApproval": false,
"groupName": null,
"prCreation": "immediate",
"rangeStrategy": "update-lockfile",
"schedule": [],
"stabilityDays": 0,
},
"isVulnerabilityAlert": true,
"matchCurrentVersion": "1.8.2",
"matchDatasources": [
"github-tags",
],
"matchFiles": [
".github/workflows/build.yaml",
],
"matchPackageNames": [
"bar",
],
"prBodyNotes": [
"### GitHub Vulnerability Alerts",
"#### [def]()
actions",
],
},
{ {
"allowedVersions": "==2.2.1.0", "allowedVersions": "==2.2.1.0",
"force": { "force": {

20
lib/workers/repository/init/vulnerability.spec.ts
View file

@ -86,6 +86,23 @@ describe('workers/repository/init/vulnerability', () => {
vulnerableVersionRange: '>= 1.8, < 1.8.3', vulnerableVersionRange: '>= 1.8, < 1.8.3',
}, },
}, },
{
dismissReason: null,
vulnerableManifestFilename: '.github/workflows/build.yaml',
vulnerableManifestPath: '.github/workflows/build.yaml',
vulnerableRequirements: '= 1.8.2',
securityAdvisory: {
description: 'actions',
identifiers: [{ type: 'GHSA', value: 'def' }],
references: [{ url: '' }],
severity: 'HIGH',
},
securityVulnerability: {
package: { name: 'bar', ecosystem: 'ACTIONS' },
firstPatchedVersion: { identifier: '1.8.3' },
vulnerableVersionRange: '>= 1.8, < 1.8.3',
},
},
{ {
// this will be ignored // this will be ignored
dismissReason: null, dismissReason: null,
@ -313,8 +330,9 @@ describe('workers/repository/init/vulnerability', () => {
]); ]);
const res = await detectVulnerabilityAlerts(config); const res = await detectVulnerabilityAlerts(config);
expect(res.packageRules).toMatchSnapshot(); expect(res.packageRules).toMatchSnapshot();
expect(res.packageRules).toHaveLength(4); expect(res.packageRules).toHaveLength(5);
expect(res.packageRules?.[1]?.matchFiles?.[0]).toBe('go.mod'); expect(res.packageRules?.[1]?.matchFiles?.[0]).toBe('go.mod');
expect(res.packageRules?.[2]?.matchCurrentVersion).toBe('1.8.2');
expect(res.remediations).toMatchSnapshot({ expect(res.remediations).toMatchSnapshot({
'backend/package-lock.json': [ 'backend/package-lock.json': [
{ {

7
lib/workers/repository/init/vulnerability.ts
View file

@ -2,6 +2,7 @@ import type { PackageRule, RenovateConfig } from '../../../config/types';
import { NO_VULNERABILITY_ALERTS } from '../../../constants/error-messages'; import { NO_VULNERABILITY_ALERTS } from '../../../constants/error-messages';
import { logger } from '../../../logger'; import { logger } from '../../../logger';
import { CrateDatasource } from '../../../modules/datasource/crate'; import { CrateDatasource } from '../../../modules/datasource/crate';
import { GithubTagsDatasource } from '../../../modules/datasource/github-tags';
import { GoDatasource } from '../../../modules/datasource/go'; import { GoDatasource } from '../../../modules/datasource/go';
import { MavenDatasource } from '../../../modules/datasource/maven'; import { MavenDatasource } from '../../../modules/datasource/maven';
import { NpmDatasource } from '../../../modules/datasource/npm'; import { NpmDatasource } from '../../../modules/datasource/npm';
@ -65,6 +66,7 @@ export async function detectVulnerabilityAlerts(
} }
const config = { ...input }; const config = { ...input };
const versionings: Record<string, string> = { const versionings: Record<string, string> = {
'github-tags': semverVersioning.id,
go: semverVersioning.id, go: semverVersioning.id,
packagist: composerVersioning.id, packagist: composerVersioning.id,
maven: mavenVersioning.id, maven: mavenVersioning.id,
@ -94,6 +96,7 @@ export async function detectVulnerabilityAlerts(
continue; continue;
} }
const datasourceMapping: Record<string, string> = { const datasourceMapping: Record<string, string> = {
ACTIONS: GithubTagsDatasource.id,
COMPOSER: PackagistDatasource.id, COMPOSER: PackagistDatasource.id,
GO: GoDatasource.id, GO: GoDatasource.id,
MAVEN: MavenDatasource.id, MAVEN: MavenDatasource.id,
@ -127,6 +130,10 @@ export async function detectVulnerabilityAlerts(
'== ' '== '
); );
} }
if (datasource === GithubTagsDatasource.id) {
// GitHub Actions uses docker versioning, which doesn't support `= 1.2.3` matching, so we strip the equals
vulnerableRequirements = vulnerableRequirements.replace(/^=\s*/, '');
}
combinedAlerts[fileName] ||= {}; combinedAlerts[fileName] ||= {};
combinedAlerts[fileName][datasource] ||= {}; combinedAlerts[fileName][datasource] ||= {};
combinedAlerts[fileName][datasource][depName] ||= {}; combinedAlerts[fileName][datasource][depName] ||= {};