From a4fa9d04267ad1b1cb2544d0f3d2e9b67026b7fd Mon Sep 17 00:00:00 2001
From: Janus Troelsen
Date: Sun, 29 Dec 2024 09:15:30 -0600
Subject: [PATCH] feat(vulnerabilities): Add Hackage support
---
 docs/usage/configuration-options.md | 1 +
 lib/workers/repository/init/vulnerability.ts | 2 +-
 .../process/vulnerabilities.spec.ts | 57 +++++++++++++++++++
 .../repository/process/vulnerabilities.ts | 1 +
 4 files changed, 60 insertions(+), 1 deletion(-)
diff --git a/docs/usage/configuration-options.md b/docs/usage/configuration-options.md
index a55d0fa601e80e..fa7e36e0107e0d 100644
--- a/docs/usage/configuration-options.md
+++ b/docs/usage/configuration-options.md
@@ -2426,6 +2426,7 @@ Renovate only queries the OSV database for dependencies that use one of these da
 - [`crate`](./modules/datasource/crate/index.md)
 - [`go`](./modules/datasource/go/index.md)
+- [`hackage`](./modules/datasource/hackage/index.md)
 - [`hex`](./modules/datasource/hex/index.md)
 - [`maven`](./modules/datasource/maven/index.md)
 - [`npm`](./modules/datasource/npm/index.md)
diff --git a/lib/workers/repository/init/vulnerability.ts b/lib/workers/repository/init/vulnerability.ts
index 1d90436a9e42b4..dd93c1bee860f9 100644
--- a/lib/workers/repository/init/vulnerability.ts
+++ b/lib/workers/repository/init/vulnerability.ts
@@ -47,7 +47,7 @@ export function getFixedVersionByDatasource(
 return `[${fixedVersion},)`;
 }
- // crates.io, Go, Hex, npm, RubyGems, PyPI
+ // crates.io, Go, Hackage, Hex, npm, RubyGems, PyPI
 return `>= ${fixedVersion}`;
 }
diff --git a/lib/workers/repository/process/vulnerabilities.spec.ts b/lib/workers/repository/process/vulnerabilities.spec.ts
index e5599201820eaa..db30414b2edfa9 100644
--- a/lib/workers/repository/process/vulnerabilities.spec.ts
+++ b/lib/workers/repository/process/vulnerabilities.spec.ts
@@ -840,6 +840,63 @@ describe('workers/repository/process/vulnerabilities', () => {
 ]);
 });
+ it('returns packageRules for Hackage', async () => {
+ const packageFiles: Record = {
+ hackage: [
+ {
+ deps: [
+ {
+ depName: 'aeson',
+ currentValue: '0.4.0.0',
+ datasource: 'hackage',
+ },
+ ],
+ packageFile: 'some-file',
+ },
+ ],
+ };
+ getVulnerabilitiesMock.mockResolvedValueOnce([
+ {
+ id: 'HSEC-2023-0001',
+ summary: 'Hash flooding vulnerability in aeson',
+ details:
+ '# Hash flooding vulnerability in aeson\n\n*aeson* was vulnerable to hash flooding (a.k.a. hash DoS). The\nissue is a consequence of the HashMap implementation from\n*unordered-containers*. It results in a denial of service through\nCPU consumption. This technique has been used in real-world attacks\nagainst a variety of languages, libraries and frameworks over the\nyears.\n',
+ aliases: ['CVE-2022-3433'],
+ modified: '2023-06-13T09:03:52Z',
+ affected: [
+ {
+ package: {
+ ecosystem: 'Hackage',
+ name: 'aeson',
+ },
+ ranges: [
+ {
+ type: 'ECOSYSTEM',
+ events: [{ introduced: '0.4.0.0' }, { fixed: '2.0.1.0' }],
+ },
+ ],
+ },
+ ],
+ },
+ ]);
+
+ await vulnerabilities.appendVulnerabilityPackageRules(
+ config,
+ packageFiles,
+ );
+
+ expect(config.packageRules).toHaveLength(1);
+ expect(config.packageRules).toMatchObject([
+ {
+ matchDatasources: ['hackage'],
+ matchPackageNames: ['aeson'],
+ matchCurrentVersion: '0.4.0.0',
+ allowedVersions: '>= 2.0.1.0',
+ isVulnerabilityAlert: true,
+ },
+ ]);
+ });
+
 it('filters not applicable vulnerability based on last_affected version', async () => {
 const packageFiles: Record = {
 poetry: [
diff --git a/lib/workers/repository/process/vulnerabilities.ts b/lib/workers/repository/process/vulnerabilities.ts
index b3ed9b565632c1..48991ea669bbcf 100644
--- a/lib/workers/repository/process/vulnerabilities.ts
+++ b/lib/workers/repository/process/vulnerabilities.ts
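Review bot: The new Hackage test pins `allowedVersions: '>= 2.0.1.0'` but exercises only an ECOSYSTEM range with an `introduced`/`fixed` pair, so nothing in this hunk shows that the versioning the hackage datasource uses will accept a bare `>= x` range when the rule is later applied, nor that the `last_affected` path works for this ecosystem. Consider adding a second Hackage case modelled on the following `filters not applicable vulnerability based on last_affected version` test, and confirm the range syntax against the datasource's default versioning rather than relying on the string match alone. The `Record` annotation on `packageFiles` appears to have lost its type arguments in this rendering; presumably that is an extraction artefact and not the committed code.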
@@ -35,6 +35,7 @@ export class Vulnerabilities {
 > = {
 crate: 'crates.io',
 go: 'Go',
+ hackage: 'Hackage',
 hex: 'Hex',
 maven: 'Maven',
 npm: 'npm',
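Review bot: The new `hackage: 'Hackage'` entry is one of three places this commit has to touch to register an ecosystem (this map, the datasource list in docs/usage/configuration-options.md and the comment in getFixedVersionByDatasource in init/vulnerability.ts), and nothing in the code ties them together. A comment on the map such as `// Keep in sync with the OSV datasource list in docs/usage/configuration-options.md and getFixedVersionByDatasource in ../init/vulnerability.ts` would make the next addition less likely to miss one. The value presumably has to match OSV's ecosystem string exactly, which the spec fixture's `ecosystem: 'Hackage'` is consistent with; the map's declaration starts outside the hunk.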