From dfbb054aeb5743b1a04f521956116ca7be31af82 Mon Sep 17 00:00:00 2001
From: Norbert Szulc
Date: Thu, 18 Apr 2024 18:26:04 +0200
Subject: [PATCH] fix(worker/repository): add normalized match for pip alertPackageRules (#28214)

---
 .../repository/init/vulnerability.spec.ts | 35 +++++++++++++++++++
 lib/workers/repository/init/vulnerability.ts | 7 ++++
 2 files changed, 42 insertions(+)

diff --git a/lib/workers/repository/init/vulnerability.spec.ts b/lib/workers/repository/init/vulnerability.spec.ts
index c5e375bfceec33..db6ca1ca50bf87 100644
--- a/lib/workers/repository/init/vulnerability.spec.ts
+++ b/lib/workers/repository/init/vulnerability.spec.ts
@@ -368,6 +368,41 @@ describe('workers/repository/init/vulnerability', () => {
 expect(res.packageRules).toHaveLength(1);
 });
 
+ it('returns pip alerts with normalized name', async () => {
+ // TODO #22198
+ delete config.vulnerabilityAlerts!.enabled;
+ platform.getVulnerabilityAlerts.mockResolvedValue([
+ {
+ dismissReason: null,
+ vulnerableManifestFilename: 'requirements.txt',
+ vulnerableManifestPath: 'requirements.txt',
+ vulnerableRequirements: '= 1.6.7',
+ securityAdvisory: {
+ description: 'Description',
+ identifiers: [
+ { type: 'GHSA', value: 'GHSA-m956-frf4-m2wr' },
+ { type: 'CVE', value: 'CVE-2016-2137' },
+ ],
+ references: [
+ { url: 'https://nvd.nist.gov/vuln/detail/CVE-2016-9587' },
+ ],
+ severity: 'MODERATE',
+ },
+ securityVulnerability: {
+ package: { name: 'Pillow', ecosystem: 'PIP' },
+ firstPatchedVersion: { identifier: '2.1.4' },
+ vulnerableVersionRange: '< 2.1.4',
+ },
+ },
+ ]);
+ const res = await detectVulnerabilityAlerts(config);
+ expect(res.packageRules).toHaveLength(1);
+ expect(res.packageRules![0].matchPackageNames).toEqual([
+ 'Pillow',
+ 'pillow',
+ ]);
+ });
+
 it('returns remediations', async () => {
 config.transitiveRemediation = true;
 // TODO #22198
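Review bot: The new test only pins the branch where normalization changes the name (`Pillow` to `pillow`); nothing exercises the `normalizeDepName(depName) !== depName` guard from the other side, so a regression that unconditionally pushes the normalized name would still pass. A second case with `package: { name: 'pillow', ecosystem: 'PIP' }` asserting `expect(res.packageRules![0].matchPackageNames).toEqual(['pillow']);` would pin that no duplicate entry is emitted. The fixture's `references` URL names CVE-2016-9587 while `identifiers` lists CVE-2016-2137; that looks carried over from a neighbouring test and is harmless for this assertion, but aligning them avoids confusion if the fixture is reused. The enclosing `describe` block starts and ends outside the hunk.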
diff --git a/lib/workers/repository/init/vulnerability.ts b/lib/workers/repository/init/vulnerability.ts
index 4f1c0242dc37f7..4297a97c37b6d2 100644
--- a/lib/workers/repository/init/vulnerability.ts
+++ b/lib/workers/repository/init/vulnerability.ts
@@ -9,6 +9,7 @@ import { NpmDatasource } from '../../../modules/datasource/npm';
 import { NugetDatasource } from '../../../modules/datasource/nuget';
 import { PackagistDatasource } from '../../../modules/datasource/packagist';
 import { PypiDatasource } from '../../../modules/datasource/pypi';
+import { normalizeDepName } from '../../../modules/datasource/pypi/common';
 import { RubyGemsDatasource } from '../../../modules/datasource/rubygems';
 import { platform } from '../../../modules/platform';
 import * as allVersioning from '../../../modules/versioning';
@@ -218,6 +219,12 @@ export async function detectVulnerabilityAlerts(
 matchCurrentVersion,
 matchFileNames,
 };
+ if (
+ datasource === PypiDatasource.id &&
+ normalizeDepName(depName) !== depName
+ ) {
+ matchRule.matchPackageNames?.push(normalizeDepName(depName));
+ }
 const supportedRemediationFileTypes = ['package-lock.json'];
 if (
 config.transitiveRemediation &&
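Review bot: In the second hunk `normalizeDepName(depName)` is evaluated twice, and the `?.` on `matchRule.matchPackageNames?.push(...)` silently drops the normalized alias whenever `matchPackageNames` is absent, which would leave a rule that never matches the manifest's spelling of the package. Binding the value once and making the fallback explicit reads clearer: `const normalizedDepName = normalizeDepName(depName);` then `if (datasource === PypiDatasource.id && normalizedDepName !== depName) { matchRule.matchPackageNames = [...(matchRule.matchPackageNames ?? []), normalizedDepName]; }`. Whether `matchPackageNames` can actually be undefined at this point is not visible in the hunk (the rule object is assembled above it), so this may be a simplification rather than a fix. A why-comment above the guard would help the next reader: `// The alert may carry the package name as published (e.g. Pillow); also match the normalized form so the rule applies however the manifest spells it.` The enclosing `detectVulnerabilityAlerts` starts and ends outside the hunk.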