import {
RenovateConfig,
defaultConfig,
partial,
platform,
} from '../../../../test/util';
import { NO_VULNERABILITY_ALERTS } from '../../../constants/error-messages';
import type { VulnerabilityAlert } from '../../../types';
import { detectVulnerabilityAlerts } from './vulnerability';
// Per-test repository config. It is rebuilt from `defaultConfig` before
// every case so that mutations made by one test cannot leak into the next.
let config: RenovateConfig;

beforeEach(() => {
  // Deep-copy via a JSON round trip: the defaults are plain data, and the
  // copy guarantees each test starts from an untouched object.
  const snapshot = JSON.stringify(defaultConfig);
  config = JSON.parse(snapshot);
  // Clear call history and mocked return values left by the previous test.
  jest.resetAllMocks();
});
describe('workers/repository/init/vulnerability', () => {
  describe('detectVulnerabilityAlerts()', () => {
    // Runs the unit under test against the per-test `config`, which is
    // re-created in the module-level beforeEach.
    const detect = () => detectVulnerabilityAlerts(config);

    it('returns if alerts are missing', async () => {
      // No `vulnerabilityAlerts` section at all: the config should pass through.
      delete config.vulnerabilityAlerts;
      const result = await detect();
      expect(result).toEqual(config);
    });

    it('returns if alerts are disabled', async () => {
      // An explicit opt-out should likewise leave the config as it was.
      config.vulnerabilityAlerts.enabled = false;
      const result = await detect();
      expect(result).toEqual(config);
    });

    it('returns if no alerts', async () => {
      // Platform reports nothing to act on.
      platform.getVulnerabilityAlerts.mockResolvedValue([]);
      delete config.vulnerabilityAlerts.enabled;
      const result = await detect();
      expect(result).toEqual(config);
    });

    it('throws if no alerts and vulnerabilityAlertsOnly', async () => {
      // With vulnerabilityAlertsOnly the absence of alerts is an error rather
      // than a no-op, signalled via the NO_VULNERABILITY_ALERTS message.
      platform.getVulnerabilityAlerts.mockResolvedValue([]);
      config.vulnerabilityAlertsOnly = true;
      await expect(detect()).rejects.toThrow(NO_VULNERABILITY_ALERTS);
    });

    it('returns alerts and remediations', async () => {
      delete config.vulnerabilityAlerts.enabled;
      config.transitiveRemediation = true;
      platform.getVulnerabilityAlerts.mockResolvedValue([
        // An alert with every field absent.
        partial<VulnerabilityAlert>({}),
        // npm alert with a patched version; this is the one pinned by the
        // remediations property matcher below.
        {
          dismissReason: null,
          vulnerableManifestFilename: 'package-lock.json',
          vulnerableManifestPath: 'backend/package-lock.json',
          vulnerableRequirements: '= 1.8.2',
          securityAdvisory: {
            description:
              'Electron version 1.7 up to 1.7.12; 1.8 up to 1.8.3 and 2.0.0 up to 2.0.0-beta.3 contains an improper handling of values vulnerability in Webviews that can result in remote code execution. This attack appear to be exploitable via an app which allows execution of 3rd party code AND disallows node integration AND has not specified if webview is enabled/disabled. This vulnerability appears to have been fixed in 1.7.13, 1.8.4, 2.0.0-beta.4.',
            identifiers: [{ type: 'GHSA', value: 'GHSA-8xwg-wv7v-4vqp' }],
            references: [
              { url: 'https://nvd.nist.gov/vuln/detail/CVE-2018-1000136' },
            ],
            severity: 'HIGH',
          },
          securityVulnerability: {
            package: { name: 'electron', ecosystem: 'NPM' },
            firstPatchedVersion: { identifier: '1.8.3' },
            vulnerableVersionRange: '>= 1.8, < 1.8.3',
          },
        },
        // this will be ignored — it carries no firstPatchedVersion and a null
        // severity (presumably the reason it is skipped; not asserted directly).
        {
          dismissReason: null,
          vulnerableManifestFilename: 'package-lock.json',
          vulnerableManifestPath: 'backend/package-lock.json',
          securityAdvisory: {
            references: [],
            severity: null,
          },
          securityVulnerability: {
            package: { ecosystem: 'NPM', name: 'yargs-parser' },
            vulnerableVersionRange: '>5.0.0-security.0',
          },
          vulnerableRequirements: '= 5.0.1',
        },
        // Alert that has been dismissed upstream (dismissReason is set).
        {
          dismissReason: 'some reason',
          vulnerableManifestFilename: 'package-lock.json',
          vulnerableManifestPath: 'package-lock.json',
          vulnerableRequirements: '= 1.8.2',
          securityAdvisory: {
            description:
              'GitHub Electron 1.7.15, 1.8.7, 2.0.7, and 3.0.0-beta.6, in certain scenarios involving IFRAME elements and "nativeWindowOpen: true" or "sandbox: true" options, is affected by a WebPreferences vulnerability that can be leveraged to perform remote code execution.',
            identifiers: [
              { type: 'GHSA', value: 'GHSA-hv9c-qwqg-qj3v' },
              { type: 'CVE', value: 'CVE-2018-15685' },
            ],
            references: [
              { url: 'https://nvd.nist.gov/vuln/detail/CVE-2018-15685' },
            ],
            severity: 'HIGH',
          },
          securityVulnerability: {
            package: { name: 'electron', ecosystem: 'NPM' },
            firstPatchedVersion: { identifier: '1.8.8' },
            vulnerableVersionRange: '>= 1.8.0, < 1.8.8',
          },
        },
        // pip alert whose firstPatchedVersion ('abc-2.3.1.0') does not look
        // like a parseable version.
        {
          dismissReason: null,
          vulnerableManifestFilename: 'requirements.txt',
          vulnerableManifestPath: 'requirements.txt',
          vulnerableRequirements: '= 1.6.7',
          securityAdvisory: {
            description:
              "Ansible before versions 2.3.1.0 and 2.4.0.0 fails to properly mark lookup-plugin results as unsafe. If an attacker could control the results of lookup() calls, they could inject Unicode strings to be parsed by the jinja2 templating system, resulting in code execution. By default, the jinja2 templating language is now marked as 'unsafe' and is not evaluated.",
            identifiers: [
              { type: 'GHSA', value: 'GHSA-w578-j992-554x' },
              { type: 'CVE', value: 'CVE-2017-7481' },
            ],
            references: [
              { url: 'https://nvd.nist.gov/vuln/detail/CVE-2017-7481' },
            ],
            severity: 'MODERATE',
          },
          securityVulnerability: {
            package: { name: 'ansible', ecosystem: 'PIP' },
            firstPatchedVersion: { identifier: 'abc-2.3.1.0' },
            vulnerableVersionRange: '< 2.3.1.0',
          },
        },
        // pip alert with no firstPatchedVersion at all.
        {
          dismissReason: null,
          vulnerableManifestFilename: 'requirements.txt',
          vulnerableManifestPath: 'requirements.txt',
          vulnerableRequirements: '= 1.6.7',
          securityAdvisory: {
            description:
              'The create_script function in the lxc_container module in Ansible before 1.9.6-1 and 2.x before 2.0.2.0 allows local users to write to arbitrary files or gain privileges via a symlink attack on (1) /opt/.lxc-attach-script, (2) the archived container in the archive_path directory, or the (3) lxc-attach-script.log or (4) lxc-attach-script.err files in the temporary directory.',
            identifiers: [
              { type: 'GHSA', value: 'GHSA-rh6x-qvg7-rrmj' },
              { type: 'CVE', value: 'CVE-2016-3096' },
            ],
            references: [
              { url: 'https://nvd.nist.gov/vuln/detail/CVE-2016-3096' },
            ],
            severity: 'HIGH',
          },
          securityVulnerability: {
            package: { name: 'ansible', ecosystem: 'PIP' },
            vulnerableVersionRange: '< 1.9.6.1',
          },
        },
        // Several pip alerts for the same package/manifest with different
        // patched versions; how they are combined is covered by the snapshot.
        {
          dismissReason: null,
          vulnerableManifestFilename: 'requirements.txt',
          vulnerableManifestPath: 'requirements.txt',
          vulnerableRequirements: '= 1.6.7',
          securityAdvisory: {
            description:
              "Ansible before 1.9.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.",
            identifiers: [
              { type: 'GHSA', value: 'GHSA-w64c-pxjj-h866' },
              { type: 'CVE', value: 'CVE-2015-3908' },
            ],
            references: [
              { url: 'https://nvd.nist.gov/vuln/detail/CVE-2015-3908' },
            ],
            severity: 'MODERATE',
          },
          securityVulnerability: {
            package: { name: 'ansible', ecosystem: 'PIP' },
            firstPatchedVersion: { identifier: '1.9.2' },
            vulnerableVersionRange: '< 1.9.2',
          },
        },
        {
          dismissReason: null,
          vulnerableManifestFilename: 'requirements.txt',
          vulnerableManifestPath: 'requirements.txt',
          vulnerableRequirements: '= 1.6.7',
          securityAdvisory: {
            description:
              "An input validation vulnerability was found in Ansible's mysql_user module before 2.2.1.0, which may fail to correctly change a password in certain circumstances. Thus the previous password would still be active when it should have been changed.",
            identifiers: [
              { type: 'GHSA', value: 'GHSA-x4cm-m36h-c6qj' },
              { type: 'CVE', value: 'CVE-2016-8647' },
            ],
            references: [
              { url: 'https://nvd.nist.gov/vuln/detail/CVE-2016-8647' },
            ],
            severity: 'MODERATE',
          },
          securityVulnerability: {
            package: { name: 'ansible', ecosystem: 'PIP' },
            firstPatchedVersion: { identifier: '2.2.1.0' },
            vulnerableVersionRange: '< 2.2.1.0',
          },
        },
        {
          dismissReason: null,
          vulnerableManifestFilename: 'requirements.txt',
          vulnerableManifestPath: 'requirements.txt',
          vulnerableRequirements: '= 1.6.7',
          securityAdvisory: {
            description:
              'A flaw was found in Ansible before version 2.2.0. The apt_key module does not properly verify key fingerprints, allowing remote adversary to create an OpenPGP key which matches the short key ID and inject this key instead of the correct key.',
            identifiers: [
              { type: 'GHSA', value: 'GHSA-cmwx-9m2h-x7v4' },
              { type: 'CVE', value: 'CVE-2016-8614' },
            ],
            references: [
              { url: 'https://nvd.nist.gov/vuln/detail/CVE-2016-8614' },
            ],
            severity: 'MODERATE',
          },
          securityVulnerability: {
            package: { name: 'ansible', ecosystem: 'PIP' },
            firstPatchedVersion: { identifier: '2.2.0' },
            vulnerableVersionRange: '< 2.2.0',
          },
        },
        {
          dismissReason: null,
          vulnerableManifestFilename: 'requirements.txt',
          vulnerableManifestPath: 'requirements.txt',
          vulnerableRequirements: '= 1.6.7',
          securityAdvisory: {
            description:
              'Ansible before version 2.2.0 fails to properly sanitize fact variables sent from the Ansible controller. An attacker with the ability to create special variables on the controller could execute arbitrary commands on Ansible clients as the user Ansible runs as.',
            identifiers: [
              { type: 'GHSA', value: 'GHSA-jg4f-jqm5-4mgq' },
              { type: 'CVE', value: 'CVE-2016-8628' },
            ],
            references: [
              { url: 'https://nvd.nist.gov/vuln/detail/CVE-2016-8628' },
            ],
            severity: 'MODERATE',
          },
          securityVulnerability: {
            package: { name: 'ansible', ecosystem: 'PIP' },
            firstPatchedVersion: { identifier: '2.2.0' },
            vulnerableVersionRange: '< 2.2.0',
          },
        },
        {
          dismissReason: null,
          vulnerableManifestFilename: 'requirements.txt',
          vulnerableManifestPath: 'requirements.txt',
          vulnerableRequirements: '= 1.6.7',
          securityAdvisory: {
            description:
              "Ansible before versions 2.1.4, 2.2.1 is vulnerable to an improper input validation in Ansible's handling of data sent from client systems. An attacker with control over a client system being managed by Ansible and the ability to send facts back to the Ansible server could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges.",
            identifiers: [
              { type: 'GHSA', value: 'GHSA-m956-frf4-m2wr' },
              { type: 'CVE', value: 'CVE-2016-9587' },
            ],
            references: [
              { url: 'https://nvd.nist.gov/vuln/detail/CVE-2016-9587' },
            ],
            severity: 'MODERATE',
          },
          securityVulnerability: {
            package: { name: 'ansible', ecosystem: 'PIP' },
            firstPatchedVersion: { identifier: '2.1.4' },
            vulnerableVersionRange: '< 2.1.4',
          },
        },
        // Maven alert with a group:artifact package name.
        {
          dismissReason: null,
          vulnerableManifestFilename: 'pom.xml',
          vulnerableManifestPath: 'pom.xml',
          vulnerableRequirements: '= 2.4.2',
          securityAdvisory: {
            description:
              'An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.',
            identifiers: [
              { type: 'GHSA', value: 'GHSA-cjjf-94ff-43w7' },
              { type: 'CVE', value: 'CVE-2018-12022' },
            ],
            references: [
              { url: 'https://nvd.nist.gov/vuln/detail/CVE-2018-12022' },
            ],
            severity: 'HIGH',
          },
          securityVulnerability: {
            package: {
              name: 'com.fasterxml.jackson.core:jackson-databind',
              ecosystem: 'MAVEN',
            },
            firstPatchedVersion: { identifier: '2.7.9.4' },
            vulnerableVersionRange: '< 2.7.9.4',
          },
        },
      ]);

      const { packageRules, remediations } = await detect();

      // The exact rules live in the snapshot file; the count is pinned here
      // so a change in how alerts are grouped or skipped fails loudly.
      expect(packageRules).toMatchSnapshot();
      expect(packageRules).toHaveLength(3);
      // Only the electron entry is pinned inline; everything else in
      // `remediations` is checked against the stored snapshot.
      expect(remediations).toMatchSnapshot({
        'backend/package-lock.json': [
          {
            currentVersion: '1.8.2',
            datasource: 'npm',
            depName: 'electron',
            newVersion: '1.8.3',
          },
        ],
      });
    });
  });
});