feat(vulnerabilities): add option to add summary to dashboard

[secustor]

Changes

This PR adds a configuration option dependencyDashboardVulnerabilitySummary to allow to add a summary to the dependency dashboard.

Avaiable options are:

• none no section is added
• unresolved only vulnerabilities without fixes are displayed
• all all vulnerabilities affecting the repository are listed

Context

Fixes #20242

Documentation (please check one with an [x])

• I have updated the documentation, or
• No documentation update is required

How I've tested my work (please select one)

I have verified these changes via:

• Code inspection only, or
• Newly added/modified unit tests, or
• No unit tests but ran on a real repository, or
• Both unit tests + ran on a real repository

secustor/renovate-security-dashboard#8

[rarkins]

We already hit character limits sometimes, how much will this add?

[secustor]

With the default configuration ( none ) there are no additional chars added.

If we are talking about extreme edge cases e.g. big monorepos with a lot of CVEs, then the section can become big.

As this is also marked as experimental, I think this fine as first iteration.

[secustor]

@rarkins @viceice Any chance you will able to take a look at this PR next week?

[HonkingGoose]

How about something like:

There are 7 CVEs.
All of your CVEs have Renovate fixes.

And if there's a mix of CVEs, so with and without fixes:

You are 7 CVEs.
Of those 1 needs to be fixed by you, because ....

[secustor]

How about:

• osvVulnerabilityAlerts === true
• unresolvedVulnterabilities.length === 0

There are 7 CVEs.
All of your CVEs have Renovate fixes.

• osvVulnerabilityAlerts === true
• unresolvedVulnterabilities.length !== 0

There are 7 CVEs.
2 of your CVEs have no Renovate fixes.

• osvVulnerabilityAlerts === false
• unresolvedVulnterabilities.length === 0

There are 7 CVEs.
No Renovate fixes have been opened. See osvVulnerabilityAlerts to allow Renovate to supply fixes.

• osvVulnerabilityAlerts === false
• unresolvedVulnterabilities.length !== 0

There are 7 CVEs.
None of 5 Renovate fixes have been opened. See osvVulnerabilityAlerts to allow Renovate to supply fixes.

[rarkins]

Can we state how many have fixes rather than how many don't have fixes?

[secustor]

Sure, that is possible. If we do that, the users have to compare the values in their head to find out if action from their side is necessary tough.

With my proposal they would only need to glance at the section to see two highlighted numbers and they would know manual actions are necessary.

[rarkins]

Can it be like "7 of 7" then, so that you can still tell from a glance if action is required?

[secustor]

Not sure, what the difference then to my initial proposal is tbh.

Maybe we can fix that up then?
Do you have a suggestion?

[secustor]

To keep this moving ,here an adaption based on your feedback @rarkins .

• osvVulnerabilityAlerts === true
• unresolvedVulnterabilities.length === 0

There are 7 CVEs.
All of your CVEs have Renovate fixes.

• osvVulnerabilityAlerts === true
• unresolvedVulnterabilities.length !== 0

There are 2/7 CVEs without Renovate fixes.

• osvVulnerabilityAlerts === false
• unresolvedVulnterabilities.length === 0

There are 7 CVEs.
No Renovate fixes have been opened. See osvVulnerabilityAlerts to allow Renovate to supply fixes.

• osvVulnerabilityAlerts === false
• unresolvedVulnterabilities.length !== 0

There are 5/7 CVEs with possible Renovate fixes.
See osvVulnerabilityAlerts to allow Renovate to supply fixes.

[rarkins]

Is there really a need to support osvVulnerabilityAlerts=false in combination with this feature? What's the use case for that?

[secustor]

One use case would be that only a summary and no PRs are expected.

TBH 90% cases users will activate this with osvVulnerabilityAlerts enabled.

[rarkins]

I think users can still turn off PRs other ways (and if not we could make that happen). I'd like to simplify this so that it always prints a summary in the dashboard if that feature is enabled.

[secustor]

Following up on your valid concerns in #20242 (comment), I think we shouldn't tightly couple these two config.

Rather I can image that we provide presets for the different use cases.

Or do you mean that dependencyDashboardVulnerabilitySummary !== 'none' forces creation of vulnerability PRs?
That would be IMO unintuitive.

[setchy]

I kinda like the simplicity of something along these lines:

• x / y CVEs have possible Renovate fixes.
  See osvVulnerabilityAlerts to allow Renovate to supply fixes.
• x / y CVEs have Renovate fixes.

[secustor]

@rarkins Does the concerns regarding publishing the CVEs for public projects have changed your mind?

I'm in favor of keeping this a separated option to osvVulnerabilityAlerts and use the formulation of @setchy.
WDYT?

I would like to get this out and gather feedback.

[rarkins]

Good point, let's keep it opt in with a second option

[secustor]

@rarkins I have implemented the suggestion of setchy.
From my perspective this contains everything we have discussed:

• positive formulation ( mentioning the fixes rather than what we can not do )
• easy readablility
• and referencing osvVulnerabilityAlerts if the feature is turned off.

[renovate-release]

🎉 This PR is included in version 35.90.0 🎉

The release is available on:

• GitHub release
• 35.90.0

Your semantic-release bot 📦🚀