From 199124225bbce243733d7d9aa1cf893478e3af60 Mon Sep 17 00:00:00 2001
From: Johannes Feichtner <343448+Churro@users.noreply.github.com>
Date: Mon, 20 Feb 2023 10:43:40 +0100
Subject: [PATCH] fix(vulnerabilities): prevent exception due to invalid OSV event version (#20512)

---
 .../process/vulnerabilities.spec.ts | 34 ++++++++++++++++---
 .../repository/process/vulnerabilities.ts | 19 ++++++++---
 2 files changed, 43 insertions(+), 10 deletions(-)

diff --git a/lib/workers/repository/process/vulnerabilities.spec.ts b/lib/workers/repository/process/vulnerabilities.spec.ts
index f182547149dc72..c5e1da3c67271f 100644
--- a/lib/workers/repository/process/vulnerabilities.spec.ts
+++ b/lib/workers/repository/process/vulnerabilities.spec.ts
@@ -136,8 +136,32 @@ describe('workers/repository/process/vulnerabilities', () => {
 );
 });
 
- it('exception due to invalid version upon comparison', async () => {
- const err = new TypeError('Invalid Version: ^1.1.0');
+ it('exception while fetching vulnerabilities', async () => {
+ const err = new Error('unknown');
+ const packageFiles: Record = {
+ npm: [
+ {
+ deps: [
+ {
+ depName: 'lodash',
+ currentValue: '4.17.11',
+ datasource: 'npm',
+ },
+ ],
+ },
+ ],
+ };
+ getVulnerabilitiesMock.mockRejectedValueOnce(err);
+
+ await vulnerabilities.fetchVulnerabilities(config, packageFiles);
+ expect(logger.logger.warn).toHaveBeenCalledWith(
+ { err },
+ 'Error fetching vulnerability information for lodash'
+ );
+ });
+
+ it('log event with invalid version', async () => {
+ const event = { fixed: '^6.0' };
 const packageFiles: Record = {
 npm: [
 {
@@ -165,7 +189,7 @@ describe('workers/repository/process/vulnerabilities', () => {
 ranges: [
 {
 type: 'SEMVER',
- events: [{ introduced: '^0' }, { fixed: '^1.1.0' }],
+ events: [{ introduced: '0' }, event],
 },
 ],
 },
@@ -175,8 +199,8 @@ describe('workers/repository/process/vulnerabilities', () => {
 
 await vulnerabilities.fetchVulnerabilities(config, packageFiles);
 expect(logger.logger.debug).toHaveBeenCalledWith(
- { err },
- 'Error fetching vulnerability information for lodash'
+ { event },
+ 'Skipping OSV event with invalid version'
 );
 });
 
diff --git a/lib/workers/repository/process/vulnerabilities.ts b/lib/workers/repository/process/vulnerabilities.ts
index c359f234435872..8c0375e7a2bb8b 100644
--- a/lib/workers/repository/process/vulnerabilities.ts
+++ b/lib/workers/repository/process/vulnerabilities.ts
@@ -199,10 +199,11 @@ export class Vulnerabilities {
 
 this.sortByFixedVersion(packageRules, versioningApi);
 } catch (err) {
- logger.debug(
+ logger.warn(
 { err },
 `Error fetching vulnerability information for ${packageName}`
 );
+ return [];
 }
 
 return packageRules;
@@ -237,9 +238,11 @@ export class Vulnerabilities {
 for (const event of events) {
 if (event.introduced === '0') {
 zeroEvent = event;
- continue;
+ } else if (versioningApi.isVersion(Object.values(event)[0])) {
+ sortedCopy.push(event);
+ } else {
+ logger.debug({ event }, 'Skipping OSV event with invalid version');
 }
- sortedCopy.push(event);
 }
 
 sortedCopy.sort((a, b) =>
@@ -341,9 +344,15 @@ export class Vulnerabilities {
 }
 
 for (const event of range.events) {
- if (is.nonEmptyString(event.fixed)) {
+ if (
+ is.nonEmptyString(event.fixed) &&
+ versioningApi.isVersion(event.fixed)
+ ) {
 fixedVersions.push(event.fixed);
- } else if (is.nonEmptyString(event.last_affected)) {
+ } else if (
+ is.nonEmptyString(event.last_affected) &&
+ versioningApi.isVersion(event.last_affected)
+ ) {
 lastAffectedVersions.push(event.last_affected);
 }
 }
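Review bot: In the hunk at line 238, `versioningApi.isVersion(Object.values(event)[0])` validates whichever property happens to be enumerated first rather than the version field itself, so an event object that is empty, carries an extra key, or uses another OSV event key (the schema also defines `limit`) would be checked against the wrong value or against `undefined`, depending on what `isVersion` accepts. Naming the field keeps the check honest and matches the per-field guards this commit adds at line 344: `const version = event.introduced ?? event.fixed ?? event.last_affected;` followed by `} else if (is.nonEmptyString(version) && versioningApi.isVersion(version)) {`. The events come from an external advisory feed, so it is also worth noting that a skipped event is recorded only at debug level while the fetch failure in the hunk above was promoted to warn; a malformed advisory record may be hard to notice at that level. The enclosing method starts and ends outside the hunk.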
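Review bot: The two new `versioningApi.isVersion(...)` guards in the hunk at line 344 drop a `fixed` or `last_affected` value that fails to parse without any trace, whereas the equivalent skip in the hunk at line 238 emits `logger.debug({ event }, 'Skipping OSV event with invalid version')`. Because the range data is externally sourced, a version string the versioning scheme cannot parse is exactly the case a maintainer will want to be able to diagnose; adding an `else { logger.debug({ event }, 'Skipping OSV event with invalid version'); }` after the `last_affected` branch keeps the two code paths consistent and makes a range that ends up with no usable fixed version visible in the logs rather than silently narrowed. The enclosing method starts and ends outside the hunk.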