fix(vulnerabilities): prevent exception due to invalid OSV event vers…

…ion (renovatebot#20512)
Chumper · Feb 20, 2023 · 1991242 · 1991242
1 parent 59432b4
commit 1991242
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 10 deletions.
diff --git a/lib/workers/repository/process/vulnerabilities.spec.ts b/lib/workers/repository/process/vulnerabilities.spec.ts
@@ -136,8 +136,32 @@ describe('workers/repository/process/vulnerabilities', () => {
       );
     });
 
-    it('exception due to invalid version upon comparison', async () => {
-      const err = new TypeError('Invalid Version: ^1.1.0');
+    it('exception while fetching vulnerabilities', async () => {
+      const err = new Error('unknown');
+      const packageFiles: Record<string, PackageFileContent[]> = {
+        npm: [
+          {
+            deps: [
+              {
+                depName: 'lodash',
+                currentValue: '4.17.11',
+                datasource: 'npm',
+              },
+            ],
+          },
+        ],
+      };
+      getVulnerabilitiesMock.mockRejectedValueOnce(err);
+
+      await vulnerabilities.fetchVulnerabilities(config, packageFiles);
+      expect(logger.logger.warn).toHaveBeenCalledWith(
+        { err },
+        'Error fetching vulnerability information for lodash'
+      );
+    });
+
+    it('log event with invalid version', async () => {
+      const event = { fixed: '^6.0' };
       const packageFiles: Record<string, PackageFileContent[]> = {
         npm: [
           {
@@ -165,7 +189,7 @@ describe('workers/repository/process/vulnerabilities', () => {
               ranges: [
                 {
                   type: 'SEMVER',
-                  events: [{ introduced: '^0' }, { fixed: '^1.1.0' }],
+                  events: [{ introduced: '0' }, event],
                 },
               ],
             },
@@ -175,8 +199,8 @@ describe('workers/repository/process/vulnerabilities', () => {
 
       await vulnerabilities.fetchVulnerabilities(config, packageFiles);
       expect(logger.logger.debug).toHaveBeenCalledWith(
-        { err },
-        'Error fetching vulnerability information for lodash'
+        { event },
+        'Skipping OSV event with invalid version'
       );
     });
 

diff --git a/lib/workers/repository/process/vulnerabilities.ts b/lib/workers/repository/process/vulnerabilities.ts
@@ -199,10 +199,11 @@ export class Vulnerabilities {
 
       this.sortByFixedVersion(packageRules, versioningApi);
     } catch (err) {
-      logger.debug(
+      logger.warn(
         { err },
         `Error fetching vulnerability information for ${packageName}`
       );
+      return [];
     }
 
     return packageRules;
@@ -237,9 +238,11 @@ export class Vulnerabilities {
     for (const event of events) {
       if (event.introduced === '0') {
         zeroEvent = event;
-        continue;
+      } else if (versioningApi.isVersion(Object.values(event)[0])) {
+        sortedCopy.push(event);
+      } else {
+        logger.debug({ event }, 'Skipping OSV event with invalid version');
       }
-      sortedCopy.push(event);
     }
 
     sortedCopy.sort((a, b) =>
@@ -341,9 +344,15 @@ export class Vulnerabilities {
       }
 
       for (const event of range.events) {
-        if (is.nonEmptyString(event.fixed)) {
+        if (
+          is.nonEmptyString(event.fixed) &&
+          versioningApi.isVersion(event.fixed)
+        ) {
           fixedVersions.push(event.fixed);
-        } else if (is.nonEmptyString(event.last_affected)) {
+        } else if (
+          is.nonEmptyString(event.last_affected) &&
+          versioningApi.isVersion(event.last_affected)
+        ) {
           lastAffectedVersions.push(event.last_affected);
         }
       }