
feat(vulnerabilities): Add Hackage support #33328

Merged
merged 3 commits into from
Jan 1, 2025

Conversation

ysangkok
Contributor

Changes

This adds support for detecting vulnerabilities using Hackage/PVP. It relies on

Context

You can view the discussion on Haskell support at:

You can track the addition of the Haskell manager at:

The example vulnerability in the tests of this PR is extracted from a real vulnerability. You can see it rendered on:

You can see the OSV JSON representation of it at:

Documentation (please check one with an [x])

  • I have updated the documentation, or
  • No documentation update is required

How I've tested my work (please select one)

I have verified these changes via:

  • Code inspection only, or
  • Newly added/modified unit tests, or
  • No unit tests but ran on a real repository, or
  • Both unit tests + ran on a real repository
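Added example (not code from the PR or from Renovate itself): a self-contained illustration of the matching step the PR description refers to, namely deciding whether a Hackage package version falls inside an OSV advisory's affected range. It assumes the OSV `affected[].ranges[].events` layout with `ECOSYSTEM` ranges and PVP-style dot-separated integer versions; the package name `example-pkg` and the advisory record are constructed for the example and are not the real vulnerability used in the PR's tests.

```typescript
// Added example: PVP version ordering plus OSV ECOSYSTEM range matching.
// This is not Renovate's implementation; the advisory record below is a
// constructed sample for a hypothetical package "example-pkg".

interface OsvEvent {
  introduced?: string;
  fixed?: string;
}

interface OsvAffected {
  package: { ecosystem: string; name: string };
  ranges: { type: string; events: OsvEvent[] }[];
}

// PVP versions are dot-separated non-negative integers, e.g. "1.2.3.4".
function parsePvp(v: string): number[] {
  if (!/^\d+(\.\d+)*$/.test(v)) {
    throw new Error(`not a PVP version: ${v}`);
  }
  return v.split('.').map((part) => parseInt(part, 10));
}

// Component-wise comparison; a missing trailing component counts as 0,
// so "1.2" and "1.2.0" compare equal, as PVP intends.
function comparePvp(a: string, b: string): number {
  const pa = parsePvp(a);
  const pb = parsePvp(b);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) {
      return x < y ? -1 : 1;
    }
  }
  return 0;
}

// OSV semantics: events are ordered; each `introduced` opens an affected
// interval and the next `fixed` closes it. `introduced: "0"` means "from the
// first version ever". An open interval with no `fixed` is affected forever.
function isAffected(version: string, affected: OsvAffected[], name: string): boolean {
  for (const entry of affected) {
    if (entry.package.ecosystem !== 'Hackage' || entry.package.name !== name) {
      continue;
    }
    for (const range of entry.ranges) {
      if (range.type !== 'ECOSYSTEM') {
        continue;
      }
      let inRange = false;
      for (const ev of range.events) {
        if (ev.introduced !== undefined) {
          inRange = ev.introduced === '0' || comparePvp(version, ev.introduced) >= 0;
        } else if (ev.fixed !== undefined && inRange) {
          if (comparePvp(version, ev.fixed) < 0) {
            return true;
          }
          inRange = false;
        }
      }
      if (inRange) {
        return true;
      }
    }
  }
  return false;
}

// Constructed sample advisory: affected before 1.0, and again from 2.0 up to
// (but not including) 2.1.
const SAMPLE_AFFECTED: OsvAffected[] = [
  {
    package: { ecosystem: 'Hackage', name: 'example-pkg' },
    ranges: [
      {
        type: 'ECOSYSTEM',
        events: [
          { introduced: '0' },
          { fixed: '1.0' },
          { introduced: '2.0' },
          { fixed: '2.1' },
        ],
      },
    ],
  },
];

// Convenience wrapper used by the sample run below.
function checkSample(version: string): boolean {
  return isAffected(version, SAMPLE_AFFECTED, 'example-pkg');
}

console.log(['0.5.0', '1.0.0', '2.0.3', '2.1'].map((v) => `${v}: ${checkSample(v)}`).join('\n'));
```

The two details worth noticing are the treatment of missing trailing components (PVP versions of different length are compared as if zero-padded, so a naive string comparison would misorder `1.10` and `1.9`) and the fact that an `introduced` event without a following `fixed` leaves every later version affected.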

Member

@viceice viceice left a comment

it seems this is blocked by osv offline missing type

@ysangkok
Contributor Author

@viceice I think osv-offline isn't released automatically. So even though the linked PR was merged, I can't, from this PR, reference a released version that contains the change in osv-offline.

@rarkins
Collaborator

rarkins commented Dec 31, 2024

I forget exactly how the osv-offline works. I do see new tags being published though: https://github.com/renovatebot/osv-offline/tags

@ysangkok
Contributor Author

I tried replacing the line in package.json with this:

"@renovatebot/osv-offline": "github:renovatebot/osv-offline#1-2024123105",

But that doesn't seem to work, as it produces compilation errors:

lib/workers/repository/process/types.ts:1:26 - error TS2307: Cannot find module '@renovatebot/osv-offline' or its corresponding type declarations.

1 import type { Osv } from '@renovatebot/osv-offline';
                           ~~~~~~~~~~~~~~~~~~~~~~~~~~

@viceice
Member

viceice commented Jan 1, 2025

https://github.com/renovatebot/osv-offline/actions/runs/12537436239/job/34961520018

it seems it didn't release the changes.
from git blame I see last release is 4 months ago. 🫣
I'll try to look into it tomorrow.

@viceice
Member

viceice commented Jan 1, 2025

it's missing a proper semantic-release prefix, so no release happened. will send a new pr to force a release

@viceice
Member

viceice commented Jan 1, 2025

@viceice viceice added this pull request to the merge queue Jan 1, 2025
Merged via the queue into renovatebot:main with commit 1caffcc Jan 1, 2025
39 checks passed
@renovate-release
Collaborator

🎉 This PR is included in version 39.87.0 🎉

The release is available on:

Your semantic-release bot 📦🚀

@ysangkok ysangkok deleted the haskell-vulnerabilities branch January 2, 2025 02:52
@ysangkok
Contributor Author

ysangkok commented Jan 2, 2025

Ah sorry for missing the semantic commit message prefix! And thank you for fixing!
