renovatebot · JamieMagee · May 16, 2023 · May 15, 2023 · May 16, 2023 · May 16, 2023
diff --git a/lib/util/template/index.ts b/lib/util/template/index.ts
@@ -145,7 +145,7 @@ export const allowedFields = {
   versioning: 'The versioning scheme in use',
   versions: 'An array of ChangeLogRelease objects in the upgrade',
   vulnerabilitySeverity:
-    'The severity for a vulnerability alert upgrade (eg: LOW, MODERATE, HIGH, CRITICAL)',
+    'The severity for a vulnerability alert upgrade (LOW, MEDIUM, MODERATE, HIGH, CRITICAL, UNKNOWN)',
 };
 
 const prBodyFields = [

diff --git a/lib/util/vulnerability/utils.spec.ts b/lib/util/vulnerability/utils.spec.ts
@@ -85,6 +85,20 @@ describe('util/vulnerability/utils', () => {
     expect(severity).toBe('MODERATE');
   });
 
+  it('child MEDIUM vulnerability severity rating is maintained', () => {
+    const parentConfig = {
+      vulnerabilitySeverity: 'LOW',
+    };
+
+    const childConfig = {
+      vulnerabilitySeverity: 'MEDIUM',
+    };
+
+    const severity = getHighestVulnerabilitySeverity(parentConfig, childConfig);
+
+    expect(severity).toBe('MEDIUM');
+  });
+
   it('parent LOW vulnerability severity rating is maintained', () => {
     const parentConfig = {
       vulnerabilitySeverity: 'LOW',
@@ -113,6 +127,20 @@ describe('util/vulnerability/utils', () => {
     expect(severity).toBe('LOW');
   });
 
+  it('child UNKNOWN vulnerability severity rating is maintained', () => {
+    const parentConfig = {
+      vulnerabilitySeverity: 'CRITICAL',
+    };
+
+    const childConfig = {
+      vulnerabilitySeverity: 'UNKNOWN',
+    };
+
+    const severity = getHighestVulnerabilitySeverity(parentConfig, childConfig);
+
+    expect(severity).toBe('UNKNOWN');
+  });
+
   it('handled undefined parent and child vulnerability severity', () => {
     const parentConfig = {
       vulnerabilitySeverity: undefined,

diff --git a/lib/util/vulnerability/utils.ts b/lib/util/vulnerability/utils.ts
@@ -1,8 +1,10 @@
 const severityOrder: Record<string, number> = {
   LOW: 1,
+  MEDIUM: 2,
   MODERATE: 2,
   HIGH: 3,
   CRITICAL: 4,
+  UNKNOWN: 5,
 };
 
 export function getHighestVulnerabilitySeverity<

diff --git a/lib/workers/repository/process/types.ts b/lib/workers/repository/process/types.ts
@@ -21,5 +21,5 @@ export interface DependencyVulnerabilities {
 export interface SeverityDetails {
   cvssVector: string;
   score: string;
-  severityLevel?: string;
+  severityLevel: string;
 }
diff --git a/lib/workers/repository/process/vulnerabilities.ts b/lib/workers/repository/process/vulnerabilities.ts
@@ -532,10 +532,8 @@ export class Vulnerabilities {
     if (severityDetails.cvssVector) {
       content += `- CVSS Score: ${severityDetails.score}\n`;
       content += `- Vector String: \`${severityDetails.cvssVector}\`\n`;
-    } else if (severityDetails.severityLevel) {
-      content += `${severityDetails.severityLevel}\n`;
     } else {
-      content += 'Unknown severity.\n';
+      content += `${severityDetails.severityLevel}\n`;
     }
 
     content += `\n#### References\n${
@@ -566,8 +564,8 @@ export class Vulnerabilities {
     vulnerability: Osv.Vulnerability,
     affected: Osv.Affected
   ): SeverityDetails {
-    let severityLevel: string | undefined;
-    let score = 'Unknown';
+    let severityLevel = 'UNKNOWN';
+    let score = 'Unknown severity';
 
     const cvssVector =
       vulnerability.severity?.find((e) => e.type === 'CVSS_V3')?.score ??
@@ -585,6 +583,7 @@ export class Vulnerabilities {
       const severity = vulnerability.database_specific.severity as string;
       severityLevel =
         severity.charAt(0).toUpperCase() + severity.slice(1).toLowerCase();
+      score = severityLevel;
     }
 
     return {