fix: allow vulnerabilityAlerts to override branchTopic, prCreation
rarkins committed Feb 22, 2021
1 parent cdffaca commit 5c5e00c
Showing 3 changed files with 11 additions and 11 deletions.
2 changes: 2 additions & 0 deletions lib/config/definitions.ts
Expand Up @@ -1266,6 +1266,8 @@ const options: RenovateOptions[] = [
dependencyDashboardApproval: false,
rangeStrategy: 'update-lockfile',
commitMessageSuffix: '[SECURITY]',
branchTopic: `{{{datasource}}}-{{{depName}}}-vulnerability`,
prCreation: 'immediate',
},
mergeable: true,
cli: false,
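Review bot: The new default `branchTopic` at L20 interpolates `{{{depName}}}` unescaped into what later becomes a git branch name, and for security updates depName originates from the vulnerability-alert data rather than from user config; the old snapshot in this same commit shows a maven coordinate containing `:` (`maven-com.fasterxml.jackson.core:jackson-databind-vulnerability`), which is not a legal ref character, so this presumably relies on the existing branch-name cleaning still running on the rendered template — worth confirming rather than assuming. Because `vulnerabilityAlerts` is `mergeable: true`, a user-supplied `branchTopic` now goes through the same template rendering as this default. A short why-comment on the new lines would help the next reader: `// Templates, not literals, so a user's vulnerabilityAlerts block can override them`. The `options` array this belongs to starts and ends outside the hunk.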
Expand Up @@ -5,14 +5,13 @@ Array [
Object {
"allowedVersions": "1.8.3",
"force": Object {
"branchTopic": "npm-electron-vulnerability",
"branchTopic": "{{{datasource}}}-{{{depName}}}-vulnerability",
"commitMessageSuffix": "[SECURITY]",
"dependencyDashboardApproval": false,
"groupName": null,
"prCreation": "immediate",
"rangeStrategy": "update-lockfile",
"schedule": Array [],
"vulnerabilityAlert": true,
},
"matchCurrentVersion": "= 1.8.2",
"matchDatasources": Array [
Expand All @@ -30,18 +29,18 @@ Array [
Electron version 1.7 up to 1.7.12; 1.8 up to 1.8.3 and 2.0.0 up to 2.0.0-beta.3 contains an improper handling of values vulnerability in Webviews that can result in remote code execution. This attack appear to be exploitable via an app which allows execution of 3rd party code AND disallows node integration AND has not specified if webview is enabled/disabled. This vulnerability appears to have been fixed in 1.7.13, 1.8.4, 2.0.0-beta.4.",
],
"vulnerabilityAlert": true,
},
Object {
"allowedVersions": "==2.2.0",
"force": Object {
"branchTopic": "pypi-ansible-vulnerability",
"branchTopic": "{{{datasource}}}-{{{depName}}}-vulnerability",
"commitMessageSuffix": "[SECURITY]",
"dependencyDashboardApproval": false,
"groupName": null,
"prCreation": "immediate",
"rangeStrategy": "update-lockfile",
"schedule": Array [],
"vulnerabilityAlert": true,
},
"matchCurrentVersion": "= 1.6.7",
"matchDatasources": Array [
Expand Down Expand Up @@ -74,18 +73,18 @@ Ansible before version 2.2.0 fails to properly sanitize fact variables sent from
Ansible before versions 2.1.4, 2.2.1 is vulnerable to an improper input validation in Ansible's handling of data sent from client systems. An attacker with control over a client system being managed by Ansible and the ability to send facts back to the Ansible server could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges.",
],
"vulnerabilityAlert": true,
},
Object {
"allowedVersions": "2.7.9.4",
"force": Object {
"branchTopic": "maven-com.fasterxml.jackson.core:jackson-databind-vulnerability",
"branchTopic": "{{{datasource}}}-{{{depName}}}-vulnerability",
"commitMessageSuffix": "[SECURITY]",
"dependencyDashboardApproval": false,
"groupName": null,
"prCreation": "immediate",
"rangeStrategy": "update-lockfile",
"schedule": Array [],
"vulnerabilityAlert": true,
},
"matchCurrentVersion": "= 2.4.2",
"matchDatasources": Array [
Expand All @@ -103,6 +102,7 @@ Ansible before versions 2.1.4, 2.2.1 is vulnerable to an improper input validati
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.",
],
"vulnerabilityAlert": true,
},
]
`;
8 changes: 3 additions & 5 deletions lib/workers/repository/init/vulnerability.ts
Expand Up @@ -133,7 +133,7 @@ export async function detectVulnerabilityAlerts(
for (const [fileName, files] of Object.entries(combinedAlerts)) {
for (const [datasource, dependencies] of Object.entries(files)) {
for (const [depName, currentValues] of Object.entries(dependencies)) {
for (const [vulnerableRequirements, val] of Object.entries(
for (const [matchCurrentVersion, val] of Object.entries(
currentValues
)) {
let prBodyNotes: string[] = [];
Expand Down Expand Up @@ -172,14 +172,12 @@ export async function detectVulnerabilityAlerts(
const matchRule: PackageRule = {
matchDatasources: [datasource],
matchPackageNames: [depName],
matchCurrentVersion: vulnerableRequirements,
matchCurrentVersion,
allowedVersions,
prBodyNotes,
vulnerabilityAlert: true,
force: {
...config.vulnerabilityAlerts,
vulnerabilityAlert: true,
branchTopic: `${datasource}-${depName}-vulnerability`,
prCreation: 'immediate',
},
};
matchRule.matchFiles = [fileName];
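Review bot: With the hard-coded `branchTopic` and `prCreation` gone, `force: { ...config.vulnerabilityAlerts }` is now the only content of the force block, so every key a user places in `vulnerabilityAlerts` — not just the two named in the commit title — is force-applied to the matched update; if that breadth is intended, say so above the block: `// Defaults for branchTopic/prCreation live in definitions.ts; everything in vulnerabilityAlerts (user overrides included) is forced onto the update`. The rendered branch name is no longer pinned anywhere in this commit: the snapshot now records the template string where it previously recorded the concrete `maven-com.fasterxml.jackson.core:jackson-databind-vulnerability`, so a small test that renders the template for a maven coordinate and a scoped npm name would keep that behaviour covered. The `matchCurrentVersion` shorthand at L106 also assumes the loop variable renamed at L97 is in scope; it appears to be, but `detectVulnerabilityAlerts` begins and ends outside these hunks.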
