renovatebot · secustor · May 17, 2023 · Apr 23, 2023 · Apr 23, 2023 · Apr 23, 2023
diff --git a/docs/usage/configuration-options.md b/docs/usage/configuration-options.md
@@ -702,6 +702,16 @@ It is pointless to edit the labels, as Renovate bot restores the labels on each
 
 Configure this option if you prefer a different title for the Dependency Dashboard.
 
+## dependencyDashboardVulnerabilitySummary
+
+Set this function to control if a summary of the CVEs affected should be added to the dependency dashboard.
+
+Available options are:
+
+- `none` ( default ) no section will be added.
+- `unresolved` only vulnerabilities will be added if there are no fixes available.
+- `all` list all vulnerabilities which affect this repository.
+
 ## description
 
 The description field can be used inside any configuration object to add a human-readable description of the object's config purpose.

diff --git a/lib/config/options/index.ts b/lib/config/options/index.ts
@@ -520,6 +520,15 @@ const options: RenovateOptions[] = [
     subType: 'string',
     default: null,
   },
+  {
+    name: 'dependencyDashboardVulnerabilitySummary',
+    description:
+      'These labels will always be applied on the Dependency Dashboard issue, even when they have been removed manually.',
+    type: 'string',
+    allowedValues: ['none', 'all', 'unresolved'],
+    default: 'none',
+    experimental: true,
+  },
   {
     name: 'configWarningReuseIssue',
     description:

diff --git a/lib/config/types.ts b/lib/config/types.ts
@@ -231,6 +231,7 @@ export interface RenovateConfig
   dependencyDashboardHeader?: string;
   dependencyDashboardFooter?: string;
   dependencyDashboardLabels?: string[];
+  dependencyDashboardVulnerabilitySummary?: 'none' | 'all' | 'unresolved';
   packageFile?: string;
   packageRules?: PackageRule[];
   postUpdateOptions?: string[];

diff --git a/lib/workers/repository/dependency-dashboard.spec.ts b/lib/workers/repository/dependency-dashboard.spec.ts
@@ -21,7 +21,18 @@ import {
 import { regEx } from '../../util/regex';
 import type { BranchConfig, BranchUpgradeConfig } from '../types';
 import * as dependencyDashboard from './dependency-dashboard';
+import { getDashboardMarkdownVulnerabilities } from './dependency-dashboard';
 import { PackageFiles } from './package-files';
+// import { Vulnerabilities } from './process/vulnerabilities';
+//
+// jest.mock('./process/vulnerabilities', () => {
+//   return {
+//     Vulnerabilities: {
+//       create: jest.fn(),
+//       fetchVulnerabilities: jest.fn(),
+//     },
+//   };
+// });
 
 type PrUpgrade = BranchUpgradeConfig;
 
@@ -994,4 +1005,62 @@ describe('workers/repository/dependency-dashboard', () => {
       });
     });
   });
+
+  describe('getDashboardMarkdownVulnerabilities()', () => {
+    const packageFiles = Fixtures.getJson<Record<string, PackageFile[]>>(
+      './package-files.json'
+    );
+
+    it('return empty string if summary is empty', async () => {
+      const result = await getDashboardMarkdownVulnerabilities(
+        config,
+        packageFiles
+      );
+      expect(result).toBeEmpty();
+    });
+
+    it('return empty string if summary is set to none', async () => {
+      const result = await getDashboardMarkdownVulnerabilities(
+        {
+          ...config,
+          dependencyDashboardVulnerabilitySummary: 'none',
+        },
+        packageFiles
+      );
+      expect(result).toBeEmpty();
+    });
+
+    it('return no data section if summary is set to all and no vulnerabilities', async () => {
+      const result = await getDashboardMarkdownVulnerabilities(
+        {
+          ...config,
+          dependencyDashboardVulnerabilitySummary: 'all',
+        },
+        {}
+      );
+      expect(result).toBe(`## Vulnerabilities\n\nNone detected.\n\n`);
+    });
+
+    it('return all vulnerabilities if set to all', async () => {
+      const result = await getDashboardMarkdownVulnerabilities(
+        {
+          ...config,
+          dependencyDashboardVulnerabilitySummary: 'all',
+        },
+        packageFiles
+      );
+      expect(result).toBe(`## Vulnerabilities\n\n TODO add list`);
+    });
+
+    it('return unresolved vulnerabilities if set to "unresolved"', async () => {
+      const result = await getDashboardMarkdownVulnerabilities(
+        {
+          ...config,
+          dependencyDashboardVulnerabilitySummary: 'unresolved',
+        },
+        packageFiles
+      );
+      expect(result).toBe(`## Vulnerabilities\n\n TODO add list`);
+    });
+  });
 });
diff --git a/lib/workers/repository/dependency-dashboard.ts b/lib/workers/repository/dependency-dashboard.ts
@@ -11,6 +11,8 @@
 import type { BranchConfig, SelectAllConfig } from '../types';
 import { getDepWarningsDashboard } from './errors-warnings';
 import { PackageFiles } from './package-files';
+import type { Vulnerability } from './process/types';
+import { Vulnerabilities } from './process/vulnerabilities';
 
 interface DependencyDashboard {
   dependencyDashboardChecks: Record<string, string>;
@@ -396,6 +398,9 @@
       'This repository currently has no open or pending branches.\n\n';
   }
 
+  // add CVE section
+  issueBody += await getDashboardMarkdownVulnerabilities(config, packageFiles);
+
   // fit the detected dependencies section
   const footer = getFooter(config);
   issueBody += PackageFiles.getDashboardMarkdown(
@@ -453,3 +458,94 @@
 
   return footer;
 }
+
+export async function getDashboardMarkdownVulnerabilities(
+  config: RenovateConfig,
+  packageFiles: Record<string, PackageFile[]>
+): Promise<string> {
+  let result = '';
+
+  if (
+    is.nullOrUndefined(config.dependencyDashboardVulnerabilitySummary) ||
+    config.dependencyDashboardVulnerabilitySummary === 'none'
+  ) {
+    return result;
+  }
+
+  result += '## Vulnerabilities\n\n';
+
+  const vulnerabilityFetcher = await Vulnerabilities.create();
+  const vulnerabilities = await vulnerabilityFetcher.fetchVulnerabilities(
+    config,
+    packageFiles
+  );
+
+  if (vulnerabilities.length === 0) {
+    result += 'None detected.\n\n';
+    return result;
+  }
+
+  const unresolvedVulnerabilities = vulnerabilities.filter((value) =>
+    is.nullOrUndefined(value.fixedVersion)
+  );
+
+  result += `${unresolvedVulnerabilities.length} of a total of ${vulnerabilities.length} CVEs have no fixes in this repository.\n`;
+
+  let renderedVulnerabilities: Vulnerability[];
+  switch (config.dependencyDashboardVulnerabilitySummary) {
+    // filter vulnerabilities to display based on configuration
+    case 'unresolved':
+      renderedVulnerabilities = unresolvedVulnerabilities;
+      break;
+    default:
+      renderedVulnerabilities = vulnerabilities;
+  }
+
+  const managerRecords: Record<
+    string,
+    Record<string, Record<string, Vulnerability[]>>
+  > = {};
+  for (const vulnerability of renderedVulnerabilities) {
+    const { manager, packageFile } = vulnerability.packageFileConfig;
+    if (is.nullOrUndefined(managerRecords[manager!])) {
+      managerRecords[manager!] = {};
+    }
+    if (is.nullOrUndefined(managerRecords[manager!][packageFile])) {
+      managerRecords[manager!][packageFile] = {};
+    }
+    if (
+      is.nullOrUndefined(
+        managerRecords[manager!][packageFile][vulnerability.packageName]
+      )
+    ) {
+      managerRecords[manager!][packageFile][vulnerability.packageName] = [];
+    }
+    managerRecords[manager!][packageFile][vulnerability.packageName].push(
+      vulnerability
+    );
+  }
+
+  for (const [manager, packageFileRecords] of Object.entries(managerRecords)) {
+    result += `<details><summary>${manager}</summary>\n<blockquote>\n\n`;
+    for (const [packageFile, packageNameRecords] of Object.entries(
+      packageFileRecords
+    )) {
+      result += `<details><summary>${packageFile}</summary>\n<blockquote>\n\n`;
+      for (const [packageName, cves] of Object.entries(packageNameRecords)) {
+        result += `<details><summary>${packageName}</summary>\n<blockquote>\n\n`;
+        for (const vul of cves) {
+          const id = vul.vulnerability.id;
+          const suffix = is.nonEmptyString(vul.fixedVersion)
+            ? `(fixed in ${vul.fixedVersion})`
+            : '';
+          result += `- [${id}](https://osv.dev/vulnerability/${id}) ${suffix}\n`;
+        }
+        result += `</blockquote>\n</details>\n\n`;
+      }
+      result += `</blockquote>\n</details>\n\n`;
+    }
+    result += `</blockquote>\n</details>\n\n`;
+  }
+
+  return result;
+}