feat(vulnerabilities): set, maintain and expose vulnerabilitySeverity for templated fields #21939

merged 22 commits into from May 11, 2023
2 changes: 2 additions & 0 deletions docs/usage/configuration-options.md
Expand Up @@ -1563,6 +1563,8 @@ If you wish for Renovate to process only select paths in the repository, use `in
Alternatively, if you need to just _exclude_ certain paths in the repository then consider `ignorePaths` instead.
If you are more interested in including only certain package managers (e.g. `npm`), then consider `enabledManagers` instead.

## includeVulnerabilitySeverity

## internalChecksAsSuccess

By default, internal Renovate checks such as `renovate/stability-days` are not counted towards a branch being "green" or not.
12 changes: 11 additions & 1 deletion lib/config/options/index.ts
Expand Up @@ -1728,7 +1728,8 @@ const options: RenovateOptions[] = [
dependencyDashboardApproval: false,
minimumReleaseAge: null,
rangeStrategy: 'update-lockfile',
commitMessageSuffix: '[SECURITY]',
commitMessageSuffix:
'[SECURITY{{#if includeVulnerabilitySeverity}}-{{{vulnerabilitySeverity}}}{{/if}}]',
branchTopic: `{{{datasource}}}-{{{depName}}}-vulnerability`,
prCreation: 'immediate',
},
Expand Down Expand Up @@ -1838,6 +1839,14 @@ const options: RenovateOptions[] = [
cli: false,
advancedUse: true,
},
{
name: 'includeVulnerabilitySeverity',
description:
'Whether to include the vulnerability severity in the PR title.',
type: 'boolean',
default: false,
cli: false,
},
{
name: 'prBodyTemplate',
description:
Expand All @@ -1864,6 +1873,7 @@ const options: RenovateOptions[] = [
default: false,
cli: false,
},

{
name: 'prHeader',
description: 'Text added here will be placed first in the PR body.',
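Review bot: The new `commitMessageSuffix` template in the first hunk, `'[SECURITY{{#if includeVulnerabilitySeverity}}-{{{vulnerabilitySeverity}}}{{/if}}]'`, only tests the option flag and not whether a severity value is actually present, so an advisory whose `database_specific` carries no `severity` would render the suffix as `[SECURITY-]`. Guarding on both keeps the output clean: `'[SECURITY{{#if includeVulnerabilitySeverity}}{{#if vulnerabilitySeverity}}-{{{vulnerabilitySeverity}}}{{/if}}{{/if}}]'`. Since the severity text is interpolated verbatim from the advisory source, the option description in the second hunk ("in the PR title") could also say that the flag works through `commitMessageSuffix` and therefore presumably affects commit messages as well as the PR title. The `options` array starts and ends outside these hunks.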
2 changes: 2 additions & 0 deletions lib/config/types.ts
Expand Up @@ -309,6 +309,7 @@ export interface PackageRule
UpdateConfig,
Record<string, unknown> {
description?: string | string[];
isVulnerabilityAlert?: boolean;
matchFiles?: string[];
matchPaths?: string[];
matchLanguages?: string[];
Expand All @@ -333,6 +334,7 @@ export interface PackageRule
matchUpdateTypes?: UpdateType[];
matchConfidence?: MergeConfidence[];
registryUrls?: string[] | null;
vulnerabilitySeverity?: string;
}

export interface ValidationMessage {
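Review bot: `vulnerabilitySeverity?: string;` in the second hunk is a free-form string with no comment on where it comes from, even though its value is interpolated unescaped (`{{{vulnerabilitySeverity}}}`) into the commit message suffix elsewhere in this PR. A short doc comment would help the next maintainer: `/** Severity as reported by the advisory database (OSV database_specific.severity); interpolated into commitMessageSuffix. */`. If the set of severities Renovate expects is known, a string-literal union would additionally let the compiler flag unexpected values. The `PackageRule` interface starts outside the first hunk.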
1 change: 1 addition & 0 deletions lib/modules/manager/types.ts
Expand Up @@ -174,6 +174,7 @@ export interface Upgrade<T = Record<string, any>> extends PackageDependency<T> {
isLockFileMaintenance?: boolean;
isRemediation?: boolean;
isVulnerabilityAlert?: boolean;
vulnerabilitySeverity?: string;
registryUrls?: string[] | null;
currentVersion?: string;
replaceString?: string;
4 changes: 4 additions & 0 deletions lib/util/template/index.ts
Expand Up @@ -90,6 +90,8 @@ export const allowedFields = {
displayTo: 'The to value, formatted for display',
hasReleaseNotes: 'true if the upgrade has release notes',
indentation: 'The indentation of the dependency being updated',
includeVulnerabilitySeverity:
'true if the upgrade should include the severity',
isLockfileUpdate: 'true if the branch is a lock file update',
isMajor: 'true if the upgrade is major',
isPatch: 'true if the upgrade is a patch upgrade',
Expand All @@ -100,6 +102,7 @@ export const allowedFields = {
isRange: 'true if the new value is a range',
isSingleVersion:
'true if the upgrade is to a single version rather than a range',
isVulnerabilityAlert: 'true if the upgrade is a vulnerability alert',
logJSON: 'ChangeLogResult object for the upgrade',
manager: 'The (package) manager which detected the dependency',
newDigest: 'The new digest value',
Expand Down Expand Up @@ -143,6 +146,7 @@ export const allowedFields = {
version: 'The version number of the changelog',
versioning: 'The versioning scheme in use',
versions: 'An array of ChangeLogRelease objects in the upgrade',
vulnerabilitySeverity: 'The vulnerability severity is present',
};

const prBodyFields = [
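Review bot: The description added for `vulnerabilitySeverity` in the last hunk, `'The vulnerability severity is present'`, reads like a boolean and does not say what the field holds, whereas the neighbouring entries describe the value itself. Suggest `vulnerabilitySeverity: 'The severity of the vulnerability as reported by the advisory database, if present',`. The `allowedFields` object starts outside the first hunk.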
Expand Up @@ -18,7 +18,7 @@ exports[`workers/repository/init/vulnerability detectVulnerabilityAlerts() retur
"allowedVersions": "1.8.3",
"force": {
"branchTopic": "{{{datasource}}}-{{{depName}}}-vulnerability",
"commitMessageSuffix": "[SECURITY]",
"commitMessageSuffix": "[SECURITY{{#if includeVulnerabilitySeverity}}-{{{vulnerabilitySeverity}}}{{/if}}]",
"dependencyDashboardApproval": false,
"groupName": null,
"minimumReleaseAge": null,
Expand Down Expand Up @@ -48,7 +48,7 @@ go",
"allowedVersions": "1.8.3",
"force": {
"branchTopic": "{{{datasource}}}-{{{depName}}}-vulnerability",
"commitMessageSuffix": "[SECURITY]",
"commitMessageSuffix": "[SECURITY{{#if includeVulnerabilitySeverity}}-{{{vulnerabilitySeverity}}}{{/if}}]",
"dependencyDashboardApproval": false,
"groupName": null,
"minimumReleaseAge": null,
Expand Down Expand Up @@ -78,7 +78,7 @@ actions",
"allowedVersions": "==2.2.1.0",
"force": {
"branchTopic": "{{{datasource}}}-{{{depName}}}-vulnerability",
"commitMessageSuffix": "[SECURITY]",
"commitMessageSuffix": "[SECURITY{{#if includeVulnerabilitySeverity}}-{{{vulnerabilitySeverity}}}{{/if}}]",
"dependencyDashboardApproval": false,
"groupName": null,
"minimumReleaseAge": null,
Expand Down Expand Up @@ -123,7 +123,7 @@ Ansible before versions 2.1.4, 2.2.1 is vulnerable to an improper input validati
"allowedVersions": "2.7.9.4",
"force": {
"branchTopic": "{{{datasource}}}-{{{depName}}}-vulnerability",
"commitMessageSuffix": "[SECURITY]",
"commitMessageSuffix": "[SECURITY{{#if includeVulnerabilitySeverity}}-{{{vulnerabilitySeverity}}}{{/if}}]",
"dependencyDashboardApproval": false,
"groupName": null,
"minimumReleaseAge": null,
4 changes: 4 additions & 0 deletions lib/workers/repository/process/vulnerabilities.ts
Expand Up @@ -454,12 +454,16 @@ export class Vulnerabilities {
logger.debug(
`Setting allowed version ${fixedVersion} to fix vulnerability ${vulnerability.id} in ${packageName} ${depVersion}`
);

const severityLevel = vulnerability.database_specific?.severity as string;

return {
matchDatasources: [datasource],
matchPackageNames: [packageName],
matchCurrentVersion: depVersion,
allowedVersions: fixedVersion,
isVulnerabilityAlert: true,
vulnerabilitySeverity: severityLevel,
prBodyNotes: this.generatePrBodyNotes(vulnerability, affected),
force: {
...packageFileConfig.vulnerabilityAlerts,
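Review bot: `const severityLevel = vulnerability.database_specific?.severity as string;` asserts a `string` type onto an optional, externally supplied advisory field, so an advisory without `database_specific.severity` yields `undefined` while the type claims otherwise, and the value then flows unchecked into `vulnerabilitySeverity` and from there into the commit message template. A runtime narrowing avoids misleading the compiler: `const rawSeverity = vulnerability.database_specific?.severity;` / `const severityLevel = typeof rawSeverity === 'string' ? rawSeverity : undefined;`. Whether to normalise case or restrict the value to a known set of levels is a product decision, but doing it at this point would keep PR titles consistent across advisory sources. The enclosing method starts outside the hunk.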