renovate 41.106.0 → 41.107.1

@@ -25,7 +25,7 @@ export declare class Vulnerabilities {
25
25
  private isVersionGt;
26
26
  private isVersionGtOrEq;
27
27
  private vulnerabilityToPackageRules;
28
- private evaluateCvssVector;
28
+ static evaluateCvssVector(vector: string): [string, string];
29
29
  private generatePrBodyNotes;
30
30
  private extractSeverityDetails;
31
31
  }
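Review bot: `evaluateCvssVector` becomes a public static member here, but the declaration carries no doc comment, so callers outside the class cannot tell what the two tuple elements are or what comes back for a vector the calculator rejects. I would add a TSDoc block in the source along the lines of `/** Parses a CVSS vector and returns [baseScore formatted to one decimal, baseSeverity upper-cased]; on a parse failure the error is logged at debug level and the failure value documented here is returned */`, filling in the failure value from the implementation, which this hunk does not show. The `[string, string]` return type also gives no hint that the second element is a severity label; if the calculator's output is bounded, a string-literal union for that element would make the contract explicit.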
@@ -4,7 +4,8 @@ exports.Vulnerabilities = void 0;
4
4
  const tslib_1 = require("tslib");
5
5
  const osv_offline_1 = require("@renovatebot/osv-offline");
6
6
  const is_1 = tslib_1.__importDefault(require("@sindresorhus/is"));
7
- const vuln_vects_1 = require("vuln-vects");
7
+ const ae_cvss_calculator_1 = require("ae-cvss-calculator");
8
+ const zod_1 = require("zod");
8
9
  const config_1 = require("../../../config");
9
10
  const logger_1 = require("../../../logger");
10
11
  const common_1 = require("../../../modules/datasource/common");
@@ -284,11 +285,15 @@ class Vulnerabilities {
284
285
  },
285
286
  };
286
287
  }
287
- evaluateCvssVector(vector) {
288
+ static evaluateCvssVector(vector) {
289
+ const CvssJsonSchema = zod_1.z.object({
290
+ baseScore: zod_1.z.number().default(0.0),
291
+ baseSeverity: zod_1.z.string().toUpperCase().default('UNKNOWN'),
292
+ });
288
293
  try {
289
- const parsedCvss = (0, vuln_vects_1.parseCvssVector)(vector);
290
- const severityLevel = parsedCvss.cvss3OverallSeverityText;
291
- return [parsedCvss.baseScore.toFixed(1), severityLevel];
294
+ const parsedCvssScore = (0, ae_cvss_calculator_1.fromVector)(vector);
295
+ const res = CvssJsonSchema.parse(parsedCvssScore?.createJsonSchema());
296
+ return [res.baseScore.toFixed(1), res.baseSeverity];
292
297
  }
293
298
  catch {
294
299
  logger_1.logger.debug(`Error processing CVSS vector ${vector}`);
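Review bot: The `.default(0.0)` on `baseScore` and `.default('UNKNOWN')` on `baseSeverity` turn a calculator result that lacks a score into a successful return of `['0.0', 'UNKNOWN']` instead of a parse failure, and because the string `'0.0'` is truthy the caller in extractSeverityDetails would then render the advisory as `0.0 / 10 (Unknown)`, the lowest possible score, rather than leaving it unscored. Whether `createJsonSchema()` can omit `baseScore` for a vector the library accepts is not visible here, but the defaults make that case silent, whereas the old vuln-vects path fell into the catch. I would drop the defaults so zod rejects such an object and the existing catch handles it: `baseScore: zod_1.z.number(),` and `baseSeverity: zod_1.z.string().toUpperCase(),`. The schema is also rebuilt on every call; hoisting `CvssJsonSchema` to module scope would avoid that. The catch branch and the method's final return continue past the end of this hunk.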
@@ -352,11 +357,11 @@ class Vulnerabilities {
352
357
  extractSeverityDetails(vulnerability, affected) {
353
358
  let severityLevel = 'UNKNOWN';
354
359
  let score = 'Unknown';
355
- const cvssVector = vulnerability.severity?.find((e) => e.type === 'CVSS_V3')?.score ??
356
- vulnerability.severity?.[0]?.score ??
360
+ const cvssVector = vulnerability.severity?.find((e) => e.type === 'CVSS_V4')?.score ??
361
+ vulnerability.severity?.find((e) => e.type === 'CVSS_V3')?.score ??
357
362
  affected.database_specific?.cvss; // RUSTSEC
358
363
  if (cvssVector) {
359
- const [baseScore, severity] = this.evaluateCvssVector(cvssVector);
364
+ const [baseScore, severity] = Vulnerabilities.evaluateCvssVector(cvssVector);
360
365
  severityLevel = severity ? severity.toUpperCase() : 'UNKNOWN';
361
366
  score = baseScore
362
367
  ? `${baseScore} / 10 (${(0, string_1.titleCase)(severityLevel)})`
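Review bot: Dropping the `vulnerability.severity?.[0]?.score` fallback means an advisory whose only severity entry has a type other than `CVSS_V4` or `CVSS_V3` (the OSV schema also defines `CVSS_V2`, for example) now reports `Unknown`, where before its vector was at least attempted. If the new calculator cannot evaluate those vectors that is defensible, but it is a behaviour change worth stating on the lookup, e.g. `// only CVSS v4/v3 vectors are evaluated; other OSV severity types fall through to 'Unknown'`. The enclosing function continues past the end of this hunk.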
@@ -1 +1 @@
1
- {"version":3,"file":"vulnerabilities.js","sourceRoot":"","sources":["../../../../lib/workers/repository/process/vulnerabilities.ts"],"names":[],"mappings":";;;;AAEA,0DAAsD;AACtD,kEAAkC;AAElC,2CAA6C;AAC7C,4CAAqE;AAErE,4CAAyC;AACzC,+DAA0E;AAM1E,4DAAmE;AACnE,qDAA0D;AAC1D,kEAA4C;AAC5C,+CAA4C;AAC5C,iDAAiD;AAOjD,MAAa,eAAe;IAClB,UAAU,CAAyB;IAEnC,MAAM,CAAU,sBAAsB,GAG1C;QACF,KAAK,EAAE,WAAW;QAClB,EAAE,EAAE,IAAI;QACR,OAAO,EAAE,SAAS;QAClB,GAAG,EAAE,KAAK;QACV,KAAK,EAAE,OAAO;QACd,GAAG,EAAE,KAAK;QACV,KAAK,EAAE,OAAO;QACd,SAAS,EAAE,WAAW;QACtB,IAAI,EAAE,MAAM;QACZ,QAAQ,EAAE,UAAU;KACrB,CAAC;IAEF;QACE,sBAAsB;IACxB,CAAC;IAEO,KAAK,CAAC,UAAU;QACtB,IAAI,CAAC,UAAU,GAAG,MAAM,wBAAU,CAAC,MAAM,EAAE,CAAC;IAC9C,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,MAAM;QACjB,MAAM,QAAQ,GAAG,IAAI,eAAe,EAAE,CAAC;QACvC,MAAM,QAAQ,CAAC,UAAU,EAAE,CAAC;QAC5B,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,KAAK,CAAC,+BAA+B,CACnC,MAAsB,EACtB,YAA2C;QAE3C,MAAM,yBAAyB,GAAG,MAAM,IAAI,CAAC,8BAA8B,CACzE,MAAM,EACN,YAAY,CACb,CAAC;QAEF,MAAM,CAAC,YAAY,KAAK,EAAE,CAAC;QAC3B,KAAK,MAAM,EACT,eAAe,EACf,aAAa,GACd,IAAI,yBAAyB,EAAE,CAAC;YAC/B,MAAM,iBAAiB,GAAkB,EAAE,CAAC;YAC5C,KAAK,MAAM,aAAa,IAAI,eAAe,EAAE,CAAC;gBAC5C,MAAM,IAAI,GAAG,IAAI,CAAC,2BAA2B,CAAC,aAAa,CAAC,CAAC;gBAC7D,IAAI,YAAE,CAAC,eAAe,CAAC,IAAI,CAAC,EAAE,CAAC;oBAC7B,SAAS;gBACX,CAAC;gBACD,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC/B,CAAC;YACD,IAAI,CAAC,kBAAkB,CAAC,iBAAiB,EAAE,aAAa,CAAC,CAAC;YAE1D,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,CAAC;QACjD,CAAC;IACH,CAAC;IAED,KAAK,CAAC,oBAAoB,CACxB,MAAsB,EACtB,YAA2C;QAE3C,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,8BAA8B,CACtD,MAAM,EACN,YAAY,CACb,CAAC;QACF,OAAO,MAAM,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC;IAC1D,CAAC;IAEO,KAAK,CAAC,8BAA8B,CAC1C,MAAsB,EACtB,YAA2C;QAE3C,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAC3C,MAAM,cAAc,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE,CAC9C,IAAI,CAAC,2BAA2B,CAAC,MAAM,EAAE,YAAY,EAAE,OAAO,CAAC,CAChE,CAAC;QACF,OAAO,CAAC,MAAM,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IACpD,CAAC;IAEO,KAAK,CAAC,2BAA2
B,CACvC,MAAsB,EACtB,YAA2C,EAC3C,OAAe;QAEf,MAAM,aAAa,GAAG,IAAA,yBAAgB,EAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QACxD,MAAM,KAAK,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC,GAAG,CACrC,CAAC,KAAK,EAAE,EAAE,CAAC,GAAyC,EAAE,CACpD,IAAI,CAAC,sCAAsC,CAAC,aAAa,EAAE,KAAK,CAAC,CACpE,CAAC;QACF,eAAM,CAAC,KAAK,CACV,EAAE,OAAO,EAAE,WAAW,EAAE,KAAK,CAAC,MAAM,EAAE,EACtC,sCAAsC,CACvC,CAAC;QACF,MAAM,MAAM,GAAG,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAC3C,eAAM,CAAC,KAAK,CAAC,EAAE,OAAO,EAAE,EAAE,sCAAsC,CAAC,CAAC;QAClE,OAAO,MAAM,CAAC;IAChB,CAAC;IAEO,KAAK,CAAC,sCAAsC,CAClD,aAA6B,EAC7B,KAAkB;QAElB,MAAM,EAAE,WAAW,EAAE,GAAG,KAAK,CAAC;QAC9B,MAAM,iBAAiB,GAAG,IAAA,yBAAgB,EAAC,aAAa,EAAE,KAAK,CAAC,CAAC;QACjE,MAAM,EAAE,OAAO,EAAE,GAAG,iBAAiB,CAAC;QACtC,MAAM,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,GAAG,CAC1B,CAAC,GAAG,EAAE,EAAE,CAAC,GAA8C,EAAE,CACvD,IAAI,CAAC,4BAA4B,CAAC,iBAAiB,EAAE,GAAG,CAAC,CAC5D,CAAC;QACF,eAAM,CAAC,KAAK,CACV,EAAE,OAAO,EAAE,WAAW,EAAE,WAAW,EAAE,KAAK,CAAC,MAAM,EAAE,EACnD,kEAAkE,CACnE,CAAC;QAEF,MAAM,MAAM,GAAG,MAAM,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QAClC,eAAM,CAAC,KAAK,CACV,EAAE,WAAW,EAAE,EACf,iDAAiD,CAClD,CAAC;QAEF,OAAO,MAAM,CAAC,MAAM,CAAC,YAAE,CAAC,MAAM,CAAC,CAAC;IAClC,CAAC;IAEO,KAAK,CAAC,4BAA4B,CACxC,iBAA+C,EAC/C,GAAsB;QAEtB,MAAM,SAAS,GAAG,eAAe,CAAC,sBAAsB,CAAC,GAAG,CAAC,UAAW,CAAC,CAAC;QAC1E,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,eAAM,CAAC,KAAK,CAAC,yBAAyB,GAAG,CAAC,UAAW,mBAAmB,CAAC,CAAC;YAC1E,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,WAAW,GAAG,GAAG,CAAC,WAAW,IAAI,GAAG,CAAC,OAAQ,CAAC;QAClD,IAAI,SAAS,KAAK,MAAM,EAAE,CAAC;YACzB,qDAAqD;YACrD,WAAW,GAAG,WAAW,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,IAAA,aAAK,EAAC,SAAS,CAAC,EAAE,GAAG,CAAC,CAAC;QACzE,CAAC;QAED,IAAI,CAAC;YACH,MAAM,kBAAkB,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,kBAAkB,CAClE,SAAS,EACT,WAAW,CACZ,CAAC;YACF,IACE,YAAE,CAAC,eAAe,CAAC,kBAAkB,CAAC;gBACtC,YAAE,CAAC,UAAU,CAAC,kBAAkB,CAAC,EACjC,CAAC;gBACD,eAAM,CAAC,KAAK,CACV,gDAAgD,WAAW,EAAE,CAC9D,CAAC;gBACF,OAAO,IAAI,CAAC;YACd,CAAC;YAED,MAAM,UAAU,GACd,GAAG,CAAC,aAAa,IAAI,GAAG,CAAC,cAAc,IAAI,GAAG,CAAC,YAAa,CAAC;YAE/D,MAAM,UAAU,GAAG,GA
AG,CAAC,UAAU,IAAI,IAAA,6BAAoB,EAAC,GAAG,CAAC,UAAU,CAAC,CAAC;YAC1E,MAAM,aAAa,GAAG,IAAA,gBAAa,EAAC,UAAU,CAAC,CAAC;YAEhD,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,UAAU,CAAC,EAAE,CAAC;gBACzC,eAAM,CAAC,KAAK,CACV,6CAA6C,WAAW,+BAA+B,UAAU,EAAE,CACpG,CAAC;gBACF,OAAO,IAAI,CAAC;YACd,CAAC;YAED,MAAM,eAAe,GAAoB,EAAE,CAAC;YAC5C,KAAK,MAAM,gBAAgB,IAAI,kBAAkB,EAAE,CAAC;gBAClD,IAAI,gBAAgB,CAAC,SAAS,EAAE,CAAC;oBAC/B,eAAM,CAAC,KAAK,CACV,oCAAoC,gBAAgB,CAAC,EAAE,EAAE,CAC1D,CAAC;oBACF,SAAS;gBACX,CAAC;gBAED,KAAK,MAAM,QAAQ,IAAI,gBAAgB,CAAC,QAAQ,IAAI,EAAE,EAAE,CAAC;oBACvD,MAAM,YAAY,GAAG,IAAI,CAAC,mBAAmB,CAC3C,SAAS,EACT,WAAW,EACX,UAAU,EACV,QAAQ,EACR,aAAa,CACd,CAAC;oBACF,IAAI,CAAC,YAAY,EAAE,CAAC;wBAClB,SAAS;oBACX,CAAC;oBAED,eAAM,CAAC,KAAK,CACV,iBAAiB,gBAAgB,CAAC,EAAE,YAAY,WAAW,IAAI,UAAU,EAAE,CAC5E,CAAC;oBACF,MAAM,YAAY,GAAG,IAAI,CAAC,eAAe,CACvC,SAAS,EACT,UAAU,EACV,QAAQ,EACR,aAAa,CACd,CAAC;oBAEF,eAAe,CAAC,IAAI,CAAC;wBACnB,WAAW;wBACX,aAAa,EAAE,gBAAgB;wBAC/B,QAAQ;wBACR,UAAU;wBACV,YAAY;wBACZ,UAAU,EAAE,GAAG,CAAC,UAAW;wBAC3B,iBAAiB;qBAClB,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAED,OAAO,EAAE,eAAe,EAAE,aAAa,EAAE,CAAC;QAC5C,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,eAAM,CAAC,IAAI,CACT,EAAE,GAAG,EAAE,WAAW,EAAE,EACpB,sDAAsD,CACvD,CAAC;YACF,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAEO,kBAAkB,CACxB,YAA2B,EAC3B,aAA4B;QAE5B,MAAM,eAAe,GAA2B,EAAE,CAAC;QACnD,KAAK,MAAM,IAAI,IAAI,YAAY,EAAE,CAAC;YAChC,MAAM,OAAO,GAAG,IAAI,CAAC,eAAyB,CAAC;YAC/C,eAAe,CAAC,OAAO,CAAC,GAAG,OAAO,CAAC,OAAO,CAAC,IAAA,aAAK,EAAC,YAAY,CAAC,EAAE,EAAE,CAAC,CAAC;QACtE,CAAC;QACD,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CACzB,aAAa,CAAC,YAAY,CACxB,eAAe,CAAC,CAAC,CAAC,eAAyB,CAAC,EAC5C,eAAe,CAAC,CAAC,CAAC,eAAyB,CAAC,CAC7C,CACF,CAAC;IACJ,CAAC;IAED,iEAAiE;IACzD,UAAU,CAChB,MAAmB,EACnB,aAA4B;QAE5B,MAAM,UAAU,GAAgB,EAAE,CAAC;QACnC,IAAI,SAAS,GAAqB,IAAI,CAAC;QAEvC,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;YAC3B,IAAI,KAAK,CAAC,UAAU,KAAK,GAAG,EAAE,CAAC;gBAC7B,SAAS,GAAG,KAAK,CAAC;YACpB,CAAC;iBAAM,IAAI,aAAa,CAAC,SAAS,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC5D,UAAU
,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACzB,CAAC;iBAAM,CAAC;gBACN,eAAM,CAAC,KAAK,CAAC,EAAE,KAAK,EAAE,EAAE,yCAAyC,CAAC,CAAC;YACrE,CAAC;QACH,CAAC;QAED,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QACvB,+DAA+D;QAC/D,aAAa,CAAC,YAAY,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CACrE,CAAC;QAEF,IAAI,SAAS,EAAE,CAAC;YACd,UAAU,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QAChC,CAAC;QAED,OAAO,UAAU,CAAC;IACpB,CAAC;IAEO,iBAAiB,CACvB,SAAoB,EACpB,WAAmB,EACnB,QAAsB;QAEtB,OAAO,CACL,QAAQ,CAAC,OAAO,EAAE,IAAI,KAAK,WAAW;YACtC,QAAQ,CAAC,OAAO,EAAE,SAAS,KAAK,SAAS,CAC1C,CAAC;IACJ,CAAC;IAEO,kBAAkB,CACxB,UAAkB,EAClB,QAAsB;QAEtB,OAAO,CAAC,CAAC,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAC,UAAU,CAAC,CAAC;IACnD,CAAC;IAEO,gBAAgB,CACtB,UAAkB,EAClB,QAAsB,EACtB,aAA4B;QAE5B,KAAK,MAAM,KAAK,IAAI,QAAQ,CAAC,MAAM,IAAI,EAAE,EAAE,CAAC;YAC1C,IAAI,KAAK,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;gBACzB,SAAS;YACX,CAAC;YAED,IAAI,UAAU,GAAG,KAAK,CAAC;YACvB,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,MAAM,EAAE,aAAa,CAAC,EAAE,CAAC;gBACjE,IACE,YAAE,CAAC,cAAc,CAAC,KAAK,CAAC,UAAU,CAAC;oBACnC,CAAC,KAAK,CAAC,UAAU,KAAK,GAAG;wBACvB,IAAI,CAAC,eAAe,CAAC,UAAU,EAAE,KAAK,CAAC,UAAU,EAAE,aAAa,CAAC,CAAC,EACpE,CAAC;oBACD,UAAU,GAAG,IAAI,CAAC;gBACpB,CAAC;qBAAM,IACL,YAAE,CAAC,cAAc,CAAC,KAAK,CAAC,KAAK,CAAC;oBAC9B,IAAI,CAAC,eAAe,CAAC,UAAU,EAAE,KAAK,CAAC,KAAK,EAAE,aAAa,CAAC,EAC5D,CAAC;oBACD,UAAU,GAAG,KAAK,CAAC;gBACrB,CAAC;qBAAM,IACL,YAAE,CAAC,cAAc,CAAC,KAAK,CAAC,aAAa,CAAC;oBACtC,IAAI,CAAC,WAAW,CAAC,UAAU,EAAE,KAAK,CAAC,aAAa,EAAE,aAAa,CAAC,EAChE,CAAC;oBACD,UAAU,GAAG,KAAK,CAAC;gBACrB,CAAC;YACH,CAAC;YAED,IAAI,UAAU,EAAE,CAAC;gBACf,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;IAED,gDAAgD;IACxC,mBAAmB,CACzB,SAAoB,EACpB,WAAmB,EACnB,UAAkB,EAClB,QAAsB,EACtB,aAA4B;QAE5B,OAAO,CACL,IAAI,CAAC,iBAAiB,CAAC,SAAS,EAAE,WAAW,EAAE,QAAQ,CAAC;YACxD,CAAC,IAAI,CAAC,kBAAkB,CAAC,UAAU,EAAE,QAAQ,CAAC;gBAC5C,IAAI,CAAC,gBAAgB,CAAC,UAAU,EAAE,QAAQ,EAAE,aAAa,CAAC,CAAC,CAC9D,CAAC;IACJ,CAAC;IAEO,eAAe,CACrB,SAAoB,EACpB,UAAkB,EAClB,QAA
sB,EACtB,aAA4B;QAE5B,MAAM,aAAa,GAAa,EAAE,CAAC;QACnC,MAAM,oBAAoB,GAAa,EAAE,CAAC;QAE1C,KAAK,MAAM,KAAK,IAAI,QAAQ,CAAC,MAAM,IAAI,EAAE,EAAE,CAAC;YAC1C,IAAI,KAAK,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;gBACzB,SAAS;YACX,CAAC;YAED,KAAK,MAAM,KAAK,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;gBACjC,IACE,YAAE,CAAC,cAAc,CAAC,KAAK,CAAC,KAAK,CAAC;oBAC9B,aAAa,CAAC,SAAS,CAAC,KAAK,CAAC,KAAK,CAAC,EACpC,CAAC;oBACD,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;gBAClC,CAAC;qBAAM,IACL,YAAE,CAAC,cAAc,CAAC,KAAK,CAAC,aAAa,CAAC;oBACtC,aAAa,CAAC,SAAS,CAAC,KAAK,CAAC,aAAa,CAAC,EAC5C,CAAC;oBACD,oBAAoB,CAAC,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC;gBACjD,CAAC;YACH,CAAC;QACH,CAAC;QAED,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,aAAa,CAAC,YAAY,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QAC/D,MAAM,YAAY,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAClD,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,UAAU,EAAE,aAAa,CAAC,CACrD,CAAC;QACF,IAAI,YAAY,EAAE,CAAC;YACjB,OAAO,IAAI,CAAC,0BAA0B,CAAC,YAAY,EAAE,SAAS,CAAC,CAAC;QAClE,CAAC;QAED,oBAAoB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,aAAa,CAAC,YAAY,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QACtE,MAAM,YAAY,GAAG,oBAAoB,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CACzD,IAAI,CAAC,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,aAAa,CAAC,CACzD,CAAC;QACF,IAAI,YAAY,EAAE,CAAC;YACjB,OAAO,IAAI,CAAC,0BAA0B,CAAC,YAAY,EAAE,SAAS,CAAC,CAAC;QAClE,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAEO,0BAA0B,CAChC,YAAoB,EACpB,SAAoB;QAEpB,IAAI,SAAS,KAAK,OAAO,IAAI,SAAS,KAAK,OAAO,EAAE,CAAC;YACnD,OAAO,IAAI,YAAY,IAAI,CAAC;QAC9B,CAAC;QAED,0CAA0C;QAC1C,OAAO,MAAM,YAAY,EAAE,CAAC;IAC9B,CAAC;IAEO,0BAA0B,CAChC,YAAoB,EACpB,SAAoB;QAEpB,IAAI,SAAS,KAAK,OAAO,EAAE,CAAC;YAC1B,OAAO,IAAI,YAAY,IAAI,CAAC;QAC9B,CAAC;QAED,0CAA0C;QAC1C,OAAO,KAAK,YAAY,EAAE,CAAC;IAC7B,CAAC;IAEO,WAAW,CACjB,OAAe,EACf,KAAa,EACb,aAA4B;QAE5B,OAAO,CACL,aAAa,CAAC,SAAS,CAAC,OAAO,CAAC;YAChC,aAAa,CAAC,SAAS,CAAC,KAAK,CAAC;YAC9B,aAAa,CAAC,aAAa,CAAC,OAAO,EAAE,KAAK,CAAC,CAC5C,CAAC;IACJ,CAAC;IAEO,eAAe,CACrB,OAAe,EACf,KAAa,EACb,aAA4B;QAE5B,OAAO,CACL,aAAa,CAAC,SAAS,CAAC,OAAO,CAAC;YAChC,aAAa,CAAC,SAAS,CAAC,KAAK,CAAC;YAC9B,
CAAC,aAAa,CAAC,MAAM,CAAC,OAAO,EAAE,KAAK,CAAC;gBACnC,aAAa,CAAC,aAAa,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC,CAC/C,CAAC;IACJ,CAAC;IAEO,2BAA2B,CAAC,GAAkB;QACpD,MAAM,EACJ,aAAa,EACb,QAAQ,EACR,WAAW,EACX,UAAU,EACV,YAAY,EACZ,UAAU,EACV,iBAAiB,GAClB,GAAG,GAAG,CAAC;QACR,IAAI,YAAE,CAAC,eAAe,CAAC,YAAY,CAAC,EAAE,CAAC;YACrC,eAAM,CAAC,KAAK,CACV,gDAAgD,aAAa,CAAC,EAAE,OAAO,WAAW,IAAI,UAAU,EAAE,CACnG,CAAC;YACF,OAAO,IAAI,CAAC;QACd,CAAC;QAED,eAAM,CAAC,KAAK,CACV,2BAA2B,YAAY,yBAAyB,aAAa,CAAC,EAAE,OAAO,WAAW,IAAI,UAAU,EAAE,CACnH,CAAC;QAEF,MAAM,eAAe,GAAG,IAAI,CAAC,sBAAsB,CACjD,aAAa,EACb,QAAQ,CACT,CAAC;QAEF,OAAO;YACL,gBAAgB,EAAE,CAAC,UAAU,CAAC;YAC9B,iBAAiB,EAAE,CAAC,WAAW,CAAC;YAChC,mBAAmB,EAAE,UAAU;YAC/B,eAAe,EAAE,YAAY;YAC7B,oBAAoB,EAAE,IAAI;YAC1B,qBAAqB,EAAE,eAAe,CAAC,aAAa;YACpD,WAAW,EAAE,IAAI,CAAC,mBAAmB,CAAC,aAAa,EAAE,QAAQ,CAAC;YAC9D,KAAK,EAAE;gBACL,GAAG,iBAAiB,CAAC,mBAAmB;aACzC;SACF,CAAC;IACJ,CAAC;IAEO,kBAAkB,CAAC,MAAc;QACvC,IAAI,CAAC;YACH,MAAM,UAAU,GAAc,IAAA,4BAAe,EAAC,MAAM,CAAC,CAAC;YACtD,MAAM,aAAa,GAAG,UAAU,CAAC,wBAAwB,CAAC;YAE1D,OAAO,CAAC,UAAU,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,aAAa,CAAC,CAAC;QAC1D,CAAC;QAAC,MAAM,CAAC;YACP,eAAM,CAAC,KAAK,CAAC,gCAAgC,MAAM,EAAE,CAAC,CAAC;QACzD,CAAC;QAED,OAAO,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;IAClB,CAAC;IAEO,mBAAmB,CACzB,aAAgC,EAChC,QAAsB;QAEtB,IAAI,OAAO,GAAG,CAAC,aAAa,CAAC,EAAE,CAAC,CAAC,MAAM,CAAC,aAAa,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;QAC5E,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE;YAC3B,IAAI,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;gBAC1B,OAAO,IAAI,EAAE,sCAAsC,EAAE,GAAG,CAAC;YAC3D,CAAC;iBAAM,IAAI,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;gBAClC,OAAO,IAAI,EAAE,mCAAmC,EAAE,GAAG,CAAC;YACxD,CAAC;iBAAM,IAAI,EAAE,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;gBAChC,OAAO,IAAI,EAAE,6BAA6B,EAAE,GAAG,CAAC;YAClD,CAAC;iBAAM,IAAI,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;gBACrC,OAAO,IAAI,EAAE,oCAAoC,EAAE,QAAQ,CAAC;YAC9D,CAAC;YAED,OAAO,EAAE,CAAC;QACZ,CAAC,CAAC,CAAC;QAEH,IAAI,OAAO,GAAG,iBAAiB,CAAC;QAChC,OAAO,IAAI,aAAa,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,aAAa,CAAC,OAAO,IAAI,CAAC,
CAAC,CAAC,EAAE,CAAC;QACrE,OAAO,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC;QACtC,OAAO,IAAI,oDAAoD,CAAC;QAEhE,MAAM,OAAO,GAAG,aAAa,CAAC,OAAO,EAAE,OAAO,CAC5C,IAAA,aAAK,EAAC,YAAY,CAAC,EACnB,QAAQ,CACT,CAAC;QACF,OAAO,IAAI,iBAAiB,OAAO,IAAI,aAAa,IAAI,CAAC;QAEzD,OAAO,IAAI,iBAAiB,CAAC;QAC7B,MAAM,eAAe,GAAG,IAAI,CAAC,sBAAsB,CACjD,aAAa,EACb,QAAQ,CACT,CAAC;QAEF,IAAI,eAAe,CAAC,UAAU,EAAE,CAAC;YAC/B,OAAO,IAAI,iBAAiB,eAAe,CAAC,KAAK,IAAI,CAAC;YACtD,OAAO,IAAI,sBAAsB,eAAe,CAAC,UAAU,MAAM,CAAC;QACpE,CAAC;aAAM,CAAC;YACN,OAAO,IAAI,GAAG,IAAA,kBAAS,EAAC,eAAe,CAAC,aAAa,CAAC,IAAI,CAAC;QAC7D,CAAC;QAED,OAAO,IAAI,sBACT,aAAa,CAAC,UAAU;YACtB,EAAE,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;YACZ,OAAO,MAAM,GAAG,CAAC,GAAG,KAAK,GAAG,CAAC,GAAG,GAAG,CAAC;QACtC,CAAC,CAAC;aACD,IAAI,CAAC,IAAI,CAAC,IAAI,gBACnB,EAAE,CAAC;QAEH,IAAI,WAAW,GAAG,EAAE,CAAC;QACrB,IAAI,aAAa,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;YACzC,WAAW,GAAG,kKAAkK,CAAC;QACnL,CAAC;aAAM,IAAI,aAAa,CAAC,EAAE,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;YAC9C,WAAW,GAAG,gIAAgI,CAAC;QACjJ,CAAC;aAAM,IAAI,aAAa,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YACjD,WAAW,GAAG,yJAAyJ,CAAC;QAC1K,CAAC;aAAM,IAAI,aAAa,CAAC,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YACnD,WAAW,GAAG,qJAAqJ,CAAC;QACtK,CAAC;QACD,OAAO,IAAI,oEAAoE,aAAa,CAAC,EAAE,IAAI,WAAW,KAAK,CAAC;QACpH,OAAO,IAAI,YAAY,CAAC;QAExB,OAAO,CAAC,IAAA,2BAAgB,EAAC,OAAO,CAAC,CAAC,CAAC;IACrC,CAAC;IAEO,sBAAsB,CAC5B,aAAgC,EAChC,QAAsB;QAEtB,IAAI,aAAa,GAAG,SAAS,CAAC;QAC9B,IAAI,KAAK,GAAG,SAAS,CAAC;QAEtB,MAAM,UAAU,GACd,aAAa,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,SAAS,CAAC,EAAE,KAAK;YAChE,aAAa,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK;YACjC,QAAQ,CAAC,iBAAiB,EAAE,IAAe,CAAC,CAAC,UAAU;QAE1D,IAAI,UAAU,EAAE,CAAC;YACf,MAAM,CAAC,SAAS,EAAE,QAAQ,CAAC,GAAG,IAAI,CAAC,kBAAkB,CAAC,UAAU,CAAC,CAAC;YAClE,aAAa,GAAG,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;YAC9D,KAAK,GAAG,SAAS;gBACf,CAAC,CAAC,GAAG,SAAS,UAAU,IAAA,kBAAS,EAAC,aAAa,CAAC,GAAG;gBACnD,CAAC,CAAC,SAAS,CAAC;QAChB,CAAC;aAAM,IACL,aAAa,CAAC,EAAE,CAA
C,UAAU,CAAC,OAAO,CAAC;YACpC,aAAa,CAAC,iBAAiB,EAAE,QAAQ,EACzC,CAAC;YACD,MAAM,QAAQ,GAAG,aAAa,CAAC,iBAAiB,CAAC,QAAkB,CAAC;YACpE,aAAa,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC;QACzC,CAAC;QAED,OAAO;YACL,UAAU;YACV,KAAK;YACL,aAAa;SACd,CAAC;IACJ,CAAC;;AA/kBH,0CAglBC","sourcesContent":["// TODO #22198\nimport type { Ecosystem, Osv } from '@renovatebot/osv-offline';\nimport { OsvOffline } from '@renovatebot/osv-offline';\nimport is from '@sindresorhus/is';\nimport type { CvssScore } from 'vuln-vects';\nimport { parseCvssVector } from 'vuln-vects';\nimport { getManagerConfig, mergeChildConfig } from '../../../config';\nimport type { PackageRule, RenovateConfig } from '../../../config/types';\nimport { logger } from '../../../logger';\nimport { getDefaultVersioning } from '../../../modules/datasource/common';\nimport type {\n PackageDependency,\n PackageFile,\n} from '../../../modules/manager/types';\nimport type { VersioningApi } from '../../../modules/versioning';\nimport { get as getVersioning } from '../../../modules/versioning';\nimport { sanitizeMarkdown } from '../../../util/markdown';\nimport * as p from '../../../util/promises';\nimport { regEx } from '../../../util/regex';\nimport { titleCase } from '../../../util/string';\nimport type {\n DependencyVulnerabilities,\n SeverityDetails,\n Vulnerability,\n} from './types';\n\nexport class Vulnerabilities {\n private osvOffline: OsvOffline | undefined;\n\n private static readonly datasourceEcosystemMap: Record<\n string,\n Ecosystem | undefined\n > = {\n crate: 'crates.io',\n go: 'Go',\n hackage: 'Hackage',\n hex: 'Hex',\n maven: 'Maven',\n npm: 'npm',\n nuget: 'NuGet',\n packagist: 'Packagist',\n pypi: 'PyPI',\n rubygems: 'RubyGems',\n };\n\n private constructor() {\n // private constructor\n }\n\n private async initialize(): Promise<void> {\n this.osvOffline = await OsvOffline.create();\n }\n\n static async create(): Promise<Vulnerabilities> {\n const instance = new Vulnerabilities();\n await instance.initialize();\n return 
instance;\n }\n\n async appendVulnerabilityPackageRules(\n config: RenovateConfig,\n packageFiles: Record<string, PackageFile[]>,\n ): Promise<void> {\n const dependencyVulnerabilities = await this.fetchDependencyVulnerabilities(\n config,\n packageFiles,\n );\n\n config.packageRules ??= [];\n for (const {\n vulnerabilities,\n versioningApi,\n } of dependencyVulnerabilities) {\n const groupPackageRules: PackageRule[] = [];\n for (const vulnerability of vulnerabilities) {\n const rule = this.vulnerabilityToPackageRules(vulnerability);\n if (is.nullOrUndefined(rule)) {\n continue;\n }\n groupPackageRules.push(rule);\n }\n this.sortByFixedVersion(groupPackageRules, versioningApi);\n\n config.packageRules.push(...groupPackageRules);\n }\n }\n\n async fetchVulnerabilities(\n config: RenovateConfig,\n packageFiles: Record<string, PackageFile[]>,\n ): Promise<Vulnerability[]> {\n const groups = await this.fetchDependencyVulnerabilities(\n config,\n packageFiles,\n );\n return groups.flatMap((group) => group.vulnerabilities);\n }\n\n private async fetchDependencyVulnerabilities(\n config: RenovateConfig,\n packageFiles: Record<string, PackageFile[]>,\n ): Promise<DependencyVulnerabilities[]> {\n const managers = Object.keys(packageFiles);\n const allManagerJobs = managers.map((manager) =>\n this.fetchManagerVulnerabilities(config, packageFiles, manager),\n );\n return (await Promise.all(allManagerJobs)).flat();\n }\n\n private async fetchManagerVulnerabilities(\n config: RenovateConfig,\n packageFiles: Record<string, PackageFile[]>,\n manager: string,\n ): Promise<DependencyVulnerabilities[]> {\n const managerConfig = getManagerConfig(config, manager);\n const queue = packageFiles[manager].map(\n (pFile) => (): Promise<DependencyVulnerabilities[]> =>\n this.fetchManagerPackageFileVulnerabilities(managerConfig, pFile),\n );\n logger.trace(\n { manager, queueLength: queue.length },\n 'fetchManagerVulnerabilities starting',\n );\n const result = (await p.all(queue)).flat();\n 
logger.trace({ manager }, 'fetchManagerVulnerabilities finished');\n return result;\n }\n\n private async fetchManagerPackageFileVulnerabilities(\n managerConfig: RenovateConfig,\n pFile: PackageFile,\n ): Promise<DependencyVulnerabilities[]> {\n const { packageFile } = pFile;\n const packageFileConfig = mergeChildConfig(managerConfig, pFile);\n const { manager } = packageFileConfig;\n const queue = pFile.deps.map(\n (dep) => (): Promise<DependencyVulnerabilities | null> =>\n this.fetchDependencyVulnerability(packageFileConfig, dep),\n );\n logger.trace(\n { manager, packageFile, queueLength: queue.length },\n 'fetchManagerPackageFileVulnerabilities starting with concurrency',\n );\n\n const result = await p.all(queue);\n logger.trace(\n { packageFile },\n 'fetchManagerPackageFileVulnerabilities finished',\n );\n\n return result.filter(is.truthy);\n }\n\n private async fetchDependencyVulnerability(\n packageFileConfig: RenovateConfig & PackageFile,\n dep: PackageDependency,\n ): Promise<DependencyVulnerabilities | null> {\n const ecosystem = Vulnerabilities.datasourceEcosystemMap[dep.datasource!];\n if (!ecosystem) {\n logger.trace(`Cannot map datasource ${dep.datasource!} to OSV ecosystem`);\n return null;\n }\n\n let packageName = dep.packageName ?? dep.depName!;\n if (ecosystem === 'PyPI') {\n // https://peps.python.org/pep-0503/#normalized-names\n packageName = packageName.toLowerCase().replace(regEx(/[_.-]+/g), '-');\n }\n\n try {\n const osvVulnerabilities = await this.osvOffline?.getVulnerabilities(\n ecosystem,\n packageName,\n );\n if (\n is.nullOrUndefined(osvVulnerabilities) ||\n is.emptyArray(osvVulnerabilities)\n ) {\n logger.trace(\n `No vulnerabilities found in OSV database for ${packageName}`,\n );\n return null;\n }\n\n const depVersion =\n dep.lockedVersion ?? dep.currentVersion ?? dep.currentValue!;\n\n const versioning = dep.versioning ?? 
getDefaultVersioning(dep.datasource);\n const versioningApi = getVersioning(versioning);\n\n if (!versioningApi.isVersion(depVersion)) {\n logger.debug(\n `Skipping vulnerability lookup for package ${packageName} due to unsupported version ${depVersion}`,\n );\n return null;\n }\n\n const vulnerabilities: Vulnerability[] = [];\n for (const osvVulnerability of osvVulnerabilities) {\n if (osvVulnerability.withdrawn) {\n logger.trace(\n `Skipping withdrawn vulnerability ${osvVulnerability.id}`,\n );\n continue;\n }\n\n for (const affected of osvVulnerability.affected ?? []) {\n const isVulnerable = this.isPackageVulnerable(\n ecosystem,\n packageName,\n depVersion,\n affected,\n versioningApi,\n );\n if (!isVulnerable) {\n continue;\n }\n\n logger.debug(\n `Vulnerability ${osvVulnerability.id} affects ${packageName} ${depVersion}`,\n );\n const fixedVersion = this.getFixedVersion(\n ecosystem,\n depVersion,\n affected,\n versioningApi,\n );\n\n vulnerabilities.push({\n packageName,\n vulnerability: osvVulnerability,\n affected,\n depVersion,\n fixedVersion,\n datasource: dep.datasource!,\n packageFileConfig,\n });\n }\n }\n\n return { vulnerabilities, versioningApi };\n } catch (err) {\n logger.warn(\n { err, packageName },\n 'Error fetching vulnerability information for package',\n );\n return null;\n }\n }\n\n private sortByFixedVersion(\n packageRules: PackageRule[],\n versioningApi: VersioningApi,\n ): void {\n const versionsCleaned: Record<string, string> = {};\n for (const rule of packageRules) {\n const version = rule.allowedVersions as string;\n versionsCleaned[version] = version.replace(regEx(/[(),=> ]+/g), '');\n }\n packageRules.sort((a, b) =>\n versioningApi.sortVersions(\n versionsCleaned[a.allowedVersions as string],\n versionsCleaned[b.allowedVersions as string],\n ),\n );\n }\n\n // https://ossf.github.io/osv-schema/#affectedrangesevents-fields\n private sortEvents(\n events: Osv.Event[],\n versioningApi: VersioningApi,\n ): Osv.Event[] {\n const 
sortedCopy: Osv.Event[] = [];\n let zeroEvent: Osv.Event | null = null;\n\n for (const event of events) {\n if (event.introduced === '0') {\n zeroEvent = event;\n } else if (versioningApi.isVersion(Object.values(event)[0])) {\n sortedCopy.push(event);\n } else {\n logger.debug({ event }, 'Skipping OSV event with invalid version');\n }\n }\n\n sortedCopy.sort((a, b) =>\n // no pre-processing, as there are only very few values to sort\n versioningApi.sortVersions(Object.values(a)[0], Object.values(b)[0]),\n );\n\n if (zeroEvent) {\n sortedCopy.unshift(zeroEvent);\n }\n\n return sortedCopy;\n }\n\n private isPackageAffected(\n ecosystem: Ecosystem,\n packageName: string,\n affected: Osv.Affected,\n ): boolean {\n return (\n affected.package?.name === packageName &&\n affected.package?.ecosystem === ecosystem\n );\n }\n\n private includedInVersions(\n depVersion: string,\n affected: Osv.Affected,\n ): boolean {\n return !!affected.versions?.includes(depVersion);\n }\n\n private includedInRanges(\n depVersion: string,\n affected: Osv.Affected,\n versioningApi: VersioningApi,\n ): boolean {\n for (const range of affected.ranges ?? 
[]) {\n if (range.type === 'GIT') {\n continue;\n }\n\n let vulnerable = false;\n for (const event of this.sortEvents(range.events, versioningApi)) {\n if (\n is.nonEmptyString(event.introduced) &&\n (event.introduced === '0' ||\n this.isVersionGtOrEq(depVersion, event.introduced, versioningApi))\n ) {\n vulnerable = true;\n } else if (\n is.nonEmptyString(event.fixed) &&\n this.isVersionGtOrEq(depVersion, event.fixed, versioningApi)\n ) {\n vulnerable = false;\n } else if (\n is.nonEmptyString(event.last_affected) &&\n this.isVersionGt(depVersion, event.last_affected, versioningApi)\n ) {\n vulnerable = false;\n }\n }\n\n if (vulnerable) {\n return true;\n }\n }\n\n return false;\n }\n\n // https://ossf.github.io/osv-schema/#evaluation\n private isPackageVulnerable(\n ecosystem: Ecosystem,\n packageName: string,\n depVersion: string,\n affected: Osv.Affected,\n versioningApi: VersioningApi,\n ): boolean {\n return (\n this.isPackageAffected(ecosystem, packageName, affected) &&\n (this.includedInVersions(depVersion, affected) ||\n this.includedInRanges(depVersion, affected, versioningApi))\n );\n }\n\n private getFixedVersion(\n ecosystem: Ecosystem,\n depVersion: string,\n affected: Osv.Affected,\n versioningApi: VersioningApi,\n ): string | null {\n const fixedVersions: string[] = [];\n const lastAffectedVersions: string[] = [];\n\n for (const range of affected.ranges ?? 
[]) {\n if (range.type === 'GIT') {\n continue;\n }\n\n for (const event of range.events) {\n if (\n is.nonEmptyString(event.fixed) &&\n versioningApi.isVersion(event.fixed)\n ) {\n fixedVersions.push(event.fixed);\n } else if (\n is.nonEmptyString(event.last_affected) &&\n versioningApi.isVersion(event.last_affected)\n ) {\n lastAffectedVersions.push(event.last_affected);\n }\n }\n }\n\n fixedVersions.sort((a, b) => versioningApi.sortVersions(a, b));\n const fixedVersion = fixedVersions.find((version) =>\n this.isVersionGt(version, depVersion, versioningApi),\n );\n if (fixedVersion) {\n return this.getFixedVersionByEcosystem(fixedVersion, ecosystem);\n }\n\n lastAffectedVersions.sort((a, b) => versioningApi.sortVersions(a, b));\n const lastAffected = lastAffectedVersions.find((version) =>\n this.isVersionGtOrEq(version, depVersion, versioningApi),\n );\n if (lastAffected) {\n return this.getLastAffectedByEcosystem(lastAffected, ecosystem);\n }\n\n return null;\n }\n\n private getFixedVersionByEcosystem(\n fixedVersion: string,\n ecosystem: Ecosystem,\n ): string {\n if (ecosystem === 'Maven' || ecosystem === 'NuGet') {\n return `[${fixedVersion},)`;\n }\n\n // crates.io, Go, Hex, npm, RubyGems, PyPI\n return `>= ${fixedVersion}`;\n }\n\n private getLastAffectedByEcosystem(\n lastAffected: string,\n ecosystem: Ecosystem,\n ): string {\n if (ecosystem === 'Maven') {\n return `(${lastAffected},)`;\n }\n\n // crates.io, Go, Hex, npm, RubyGems, PyPI\n return `> ${lastAffected}`;\n }\n\n private isVersionGt(\n version: string,\n other: string,\n versioningApi: VersioningApi,\n ): boolean {\n return (\n versioningApi.isVersion(version) &&\n versioningApi.isVersion(other) &&\n versioningApi.isGreaterThan(version, other)\n );\n }\n\n private isVersionGtOrEq(\n version: string,\n other: string,\n versioningApi: VersioningApi,\n ): boolean {\n return (\n versioningApi.isVersion(version) &&\n versioningApi.isVersion(other) &&\n (versioningApi.equals(version, other) ||\n 
versioningApi.isGreaterThan(version, other))\n );\n }\n\n private vulnerabilityToPackageRules(vul: Vulnerability): PackageRule | null {\n const {\n vulnerability,\n affected,\n packageName,\n depVersion,\n fixedVersion,\n datasource,\n packageFileConfig,\n } = vul;\n if (is.nullOrUndefined(fixedVersion)) {\n logger.debug(\n `No fixed version available for vulnerability ${vulnerability.id} in ${packageName} ${depVersion}`,\n );\n return null;\n }\n\n logger.debug(\n `Setting allowed version ${fixedVersion} to fix vulnerability ${vulnerability.id} in ${packageName} ${depVersion}`,\n );\n\n const severityDetails = this.extractSeverityDetails(\n vulnerability,\n affected,\n );\n\n return {\n matchDatasources: [datasource],\n matchPackageNames: [packageName],\n matchCurrentVersion: depVersion,\n allowedVersions: fixedVersion,\n isVulnerabilityAlert: true,\n vulnerabilitySeverity: severityDetails.severityLevel,\n prBodyNotes: this.generatePrBodyNotes(vulnerability, affected),\n force: {\n ...packageFileConfig.vulnerabilityAlerts,\n },\n };\n }\n\n private evaluateCvssVector(vector: string): [string, string] {\n try {\n const parsedCvss: CvssScore = parseCvssVector(vector);\n const severityLevel = parsedCvss.cvss3OverallSeverityText;\n\n return [parsedCvss.baseScore.toFixed(1), severityLevel];\n } catch {\n logger.debug(`Error processing CVSS vector ${vector}`);\n }\n\n return ['', ''];\n }\n\n private generatePrBodyNotes(\n vulnerability: Osv.Vulnerability,\n affected: Osv.Affected,\n ): string[] {\n let aliases = [vulnerability.id].concat(vulnerability.aliases ?? 
[]).sort();\n aliases = aliases.map((id) => {\n if (id.startsWith('CVE-')) {\n return `[${id}](https://nvd.nist.gov/vuln/detail/${id})`;\n } else if (id.startsWith('GHSA-')) {\n return `[${id}](https://github.com/advisories/${id})`;\n } else if (id.startsWith('GO-')) {\n return `[${id}](https://pkg.go.dev/vuln/${id})`;\n } else if (id.startsWith('RUSTSEC-')) {\n return `[${id}](https://rustsec.org/advisories/${id}.html)`;\n }\n\n return id;\n });\n\n let content = '\\n\\n---\\n\\n### ';\n content += vulnerability.summary ? `${vulnerability.summary}\\n` : '';\n content += `${aliases.join(' / ')}\\n`;\n content += `\\n<details>\\n<summary>More information</summary>\\n`;\n\n const details = vulnerability.details?.replace(\n regEx(/^#{1,4} /gm),\n '##### ',\n );\n content += `#### Details\\n${details ?? 'No details.'}\\n`;\n\n content += '#### Severity\\n';\n const severityDetails = this.extractSeverityDetails(\n vulnerability,\n affected,\n );\n\n if (severityDetails.cvssVector) {\n content += `- CVSS Score: ${severityDetails.score}\\n`;\n content += `- Vector String: \\`${severityDetails.cvssVector}\\`\\n`;\n } else {\n content += `${titleCase(severityDetails.severityLevel)}\\n`;\n }\n\n content += `\\n#### References\\n${\n vulnerability.references\n ?.map((ref) => {\n return `- [${ref.url}](${ref.url})`;\n })\n .join('\\n') ?? 
'No references.'\n }`;\n\n let attribution = '';\n if (vulnerability.id.startsWith('GHSA-')) {\n attribution = ` and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md))`;\n } else if (vulnerability.id.startsWith('GO-')) {\n attribution = ` and the [Go Vulnerability Database](https://github.com/golang/vulndb) ([CC-BY 4.0](https://github.com/golang/vulndb#license))`;\n } else if (vulnerability.id.startsWith('PYSEC-')) {\n attribution = ` and the [PyPI Advisory Database](https://github.com/pypa/advisory-database) ([CC-BY 4.0](https://github.com/pypa/advisory-database/blob/main/LICENSE))`;\n } else if (vulnerability.id.startsWith('RUSTSEC-')) {\n attribution = ` and the [Rust Advisory Database](https://github.com/RustSec/advisory-db) ([CC0 1.0](https://github.com/rustsec/advisory-db/blob/main/LICENSE.txt))`;\n }\n content += `\\n\\nThis data is provided by [OSV](https://osv.dev/vulnerability/${vulnerability.id})${attribution}.\\n`;\n content += `</details>`;\n\n return [sanitizeMarkdown(content)];\n }\n\n private extractSeverityDetails(\n vulnerability: Osv.Vulnerability,\n affected: Osv.Affected,\n ): SeverityDetails {\n let severityLevel = 'UNKNOWN';\n let score = 'Unknown';\n\n const cvssVector =\n vulnerability.severity?.find((e) => e.type === 'CVSS_V3')?.score ??\n vulnerability.severity?.[0]?.score ??\n (affected.database_specific?.cvss as string); // RUSTSEC\n\n if (cvssVector) {\n const [baseScore, severity] = this.evaluateCvssVector(cvssVector);\n severityLevel = severity ? severity.toUpperCase() : 'UNKNOWN';\n score = baseScore\n ? 
`${baseScore} / 10 (${titleCase(severityLevel)})`\n : 'Unknown';\n } else if (\n vulnerability.id.startsWith('GHSA-') &&\n vulnerability.database_specific?.severity\n ) {\n const severity = vulnerability.database_specific.severity as string;\n severityLevel = severity.toUpperCase();\n }\n\n return {\n cvssVector,\n score,\n severityLevel,\n };\n }\n}\n"]}
1
+ {"version":3,"file":"vulnerabilities.js","sourceRoot":"","sources":["../../../../lib/workers/repository/process/vulnerabilities.ts"],"names":[],"mappings":";;;;AAEA,0DAAsD;AACtD,kEAAkC;AAElC,2DAAgD;AAChD,6BAAwB;AACxB,4CAAqE;AAErE,4CAAyC;AACzC,+DAA0E;AAM1E,4DAAmE;AACnE,qDAA0D;AAC1D,kEAA4C;AAC5C,+CAA4C;AAC5C,iDAAiD;AAOjD,MAAa,eAAe;IAClB,UAAU,CAAyB;IAEnC,MAAM,CAAU,sBAAsB,GAG1C;QACF,KAAK,EAAE,WAAW;QAClB,EAAE,EAAE,IAAI;QACR,OAAO,EAAE,SAAS;QAClB,GAAG,EAAE,KAAK;QACV,KAAK,EAAE,OAAO;QACd,GAAG,EAAE,KAAK;QACV,KAAK,EAAE,OAAO;QACd,SAAS,EAAE,WAAW;QACtB,IAAI,EAAE,MAAM;QACZ,QAAQ,EAAE,UAAU;KACrB,CAAC;IAEF;QACE,sBAAsB;IACxB,CAAC;IAEO,KAAK,CAAC,UAAU;QACtB,IAAI,CAAC,UAAU,GAAG,MAAM,wBAAU,CAAC,MAAM,EAAE,CAAC;IAC9C,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,MAAM;QACjB,MAAM,QAAQ,GAAG,IAAI,eAAe,EAAE,CAAC;QACvC,MAAM,QAAQ,CAAC,UAAU,EAAE,CAAC;QAC5B,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,KAAK,CAAC,+BAA+B,CACnC,MAAsB,EACtB,YAA2C;QAE3C,MAAM,yBAAyB,GAAG,MAAM,IAAI,CAAC,8BAA8B,CACzE,MAAM,EACN,YAAY,CACb,CAAC;QAEF,MAAM,CAAC,YAAY,KAAK,EAAE,CAAC;QAC3B,KAAK,MAAM,EACT,eAAe,EACf,aAAa,GACd,IAAI,yBAAyB,EAAE,CAAC;YAC/B,MAAM,iBAAiB,GAAkB,EAAE,CAAC;YAC5C,KAAK,MAAM,aAAa,IAAI,eAAe,EAAE,CAAC;gBAC5C,MAAM,IAAI,GAAG,IAAI,CAAC,2BAA2B,CAAC,aAAa,CAAC,CAAC;gBAC7D,IAAI,YAAE,CAAC,eAAe,CAAC,IAAI,CAAC,EAAE,CAAC;oBAC7B,SAAS;gBACX,CAAC;gBACD,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC/B,CAAC;YACD,IAAI,CAAC,kBAAkB,CAAC,iBAAiB,EAAE,aAAa,CAAC,CAAC;YAE1D,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,CAAC;QACjD,CAAC;IACH,CAAC;IAED,KAAK,CAAC,oBAAoB,CACxB,MAAsB,EACtB,YAA2C;QAE3C,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,8BAA8B,CACtD,MAAM,EACN,YAAY,CACb,CAAC;QACF,OAAO,MAAM,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC;IAC1D,CAAC;IAEO,KAAK,CAAC,8BAA8B,CAC1C,MAAsB,EACtB,YAA2C;QAE3C,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAC3C,MAAM,cAAc,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE,CAC9C,IAAI,CAAC,2BAA2B,CAAC,MAAM,EAAE,YAAY,EAAE,OAAO,CAAC,CAChE,CAAC;QACF,OAAO,CAAC,MAAM,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IACpD,CAAC;IAEO,KA
AK,CAAC,2BAA2B,CACvC,MAAsB,EACtB,YAA2C,EAC3C,OAAe;QAEf,MAAM,aAAa,GAAG,IAAA,yBAAgB,EAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QACxD,MAAM,KAAK,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC,GAAG,CACrC,CAAC,KAAK,EAAE,EAAE,CAAC,GAAyC,EAAE,CACpD,IAAI,CAAC,sCAAsC,CAAC,aAAa,EAAE,KAAK,CAAC,CACpE,CAAC;QACF,eAAM,CAAC,KAAK,CACV,EAAE,OAAO,EAAE,WAAW,EAAE,KAAK,CAAC,MAAM,EAAE,EACtC,sCAAsC,CACvC,CAAC;QACF,MAAM,MAAM,GAAG,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAC3C,eAAM,CAAC,KAAK,CAAC,EAAE,OAAO,EAAE,EAAE,sCAAsC,CAAC,CAAC;QAClE,OAAO,MAAM,CAAC;IAChB,CAAC;IAEO,KAAK,CAAC,sCAAsC,CAClD,aAA6B,EAC7B,KAAkB;QAElB,MAAM,EAAE,WAAW,EAAE,GAAG,KAAK,CAAC;QAC9B,MAAM,iBAAiB,GAAG,IAAA,yBAAgB,EAAC,aAAa,EAAE,KAAK,CAAC,CAAC;QACjE,MAAM,EAAE,OAAO,EAAE,GAAG,iBAAiB,CAAC;QACtC,MAAM,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,GAAG,CAC1B,CAAC,GAAG,EAAE,EAAE,CAAC,GAA8C,EAAE,CACvD,IAAI,CAAC,4BAA4B,CAAC,iBAAiB,EAAE,GAAG,CAAC,CAC5D,CAAC;QACF,eAAM,CAAC,KAAK,CACV,EAAE,OAAO,EAAE,WAAW,EAAE,WAAW,EAAE,KAAK,CAAC,MAAM,EAAE,EACnD,kEAAkE,CACnE,CAAC;QAEF,MAAM,MAAM,GAAG,MAAM,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QAClC,eAAM,CAAC,KAAK,CACV,EAAE,WAAW,EAAE,EACf,iDAAiD,CAClD,CAAC;QAEF,OAAO,MAAM,CAAC,MAAM,CAAC,YAAE,CAAC,MAAM,CAAC,CAAC;IAClC,CAAC;IAEO,KAAK,CAAC,4BAA4B,CACxC,iBAA+C,EAC/C,GAAsB;QAEtB,MAAM,SAAS,GAAG,eAAe,CAAC,sBAAsB,CAAC,GAAG,CAAC,UAAW,CAAC,CAAC;QAC1E,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,eAAM,CAAC,KAAK,CAAC,yBAAyB,GAAG,CAAC,UAAW,mBAAmB,CAAC,CAAC;YAC1E,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,WAAW,GAAG,GAAG,CAAC,WAAW,IAAI,GAAG,CAAC,OAAQ,CAAC;QAClD,IAAI,SAAS,KAAK,MAAM,EAAE,CAAC;YACzB,qDAAqD;YACrD,WAAW,GAAG,WAAW,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,IAAA,aAAK,EAAC,SAAS,CAAC,EAAE,GAAG,CAAC,CAAC;QACzE,CAAC;QAED,IAAI,CAAC;YACH,MAAM,kBAAkB,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,kBAAkB,CAClE,SAAS,EACT,WAAW,CACZ,CAAC;YACF,IACE,YAAE,CAAC,eAAe,CAAC,kBAAkB,CAAC;gBACtC,YAAE,CAAC,UAAU,CAAC,kBAAkB,CAAC,EACjC,CAAC;gBACD,eAAM,CAAC,KAAK,CACV,gDAAgD,WAAW,EAAE,CAC9D,CAAC;gBACF,OAAO,IAAI,CAAC;YACd,CAAC;YAED,MAAM,UAAU,GACd,GAAG,CAAC,aAAa,IAAI,GAAG,CAAC,cAAc,IAAI,GAAG,CAAC,YAAa,CAAC;YAE/D,MAAM
,UAAU,GAAG,GAAG,CAAC,UAAU,IAAI,IAAA,6BAAoB,EAAC,GAAG,CAAC,UAAU,CAAC,CAAC;YAC1E,MAAM,aAAa,GAAG,IAAA,gBAAa,EAAC,UAAU,CAAC,CAAC;YAEhD,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,UAAU,CAAC,EAAE,CAAC;gBACzC,eAAM,CAAC,KAAK,CACV,6CAA6C,WAAW,+BAA+B,UAAU,EAAE,CACpG,CAAC;gBACF,OAAO,IAAI,CAAC;YACd,CAAC;YAED,MAAM,eAAe,GAAoB,EAAE,CAAC;YAC5C,KAAK,MAAM,gBAAgB,IAAI,kBAAkB,EAAE,CAAC;gBAClD,IAAI,gBAAgB,CAAC,SAAS,EAAE,CAAC;oBAC/B,eAAM,CAAC,KAAK,CACV,oCAAoC,gBAAgB,CAAC,EAAE,EAAE,CAC1D,CAAC;oBACF,SAAS;gBACX,CAAC;gBAED,KAAK,MAAM,QAAQ,IAAI,gBAAgB,CAAC,QAAQ,IAAI,EAAE,EAAE,CAAC;oBACvD,MAAM,YAAY,GAAG,IAAI,CAAC,mBAAmB,CAC3C,SAAS,EACT,WAAW,EACX,UAAU,EACV,QAAQ,EACR,aAAa,CACd,CAAC;oBACF,IAAI,CAAC,YAAY,EAAE,CAAC;wBAClB,SAAS;oBACX,CAAC;oBAED,eAAM,CAAC,KAAK,CACV,iBAAiB,gBAAgB,CAAC,EAAE,YAAY,WAAW,IAAI,UAAU,EAAE,CAC5E,CAAC;oBACF,MAAM,YAAY,GAAG,IAAI,CAAC,eAAe,CACvC,SAAS,EACT,UAAU,EACV,QAAQ,EACR,aAAa,CACd,CAAC;oBAEF,eAAe,CAAC,IAAI,CAAC;wBACnB,WAAW;wBACX,aAAa,EAAE,gBAAgB;wBAC/B,QAAQ;wBACR,UAAU;wBACV,YAAY;wBACZ,UAAU,EAAE,GAAG,CAAC,UAAW;wBAC3B,iBAAiB;qBAClB,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAED,OAAO,EAAE,eAAe,EAAE,aAAa,EAAE,CAAC;QAC5C,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,eAAM,CAAC,IAAI,CACT,EAAE,GAAG,EAAE,WAAW,EAAE,EACpB,sDAAsD,CACvD,CAAC;YACF,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAEO,kBAAkB,CACxB,YAA2B,EAC3B,aAA4B;QAE5B,MAAM,eAAe,GAA2B,EAAE,CAAC;QACnD,KAAK,MAAM,IAAI,IAAI,YAAY,EAAE,CAAC;YAChC,MAAM,OAAO,GAAG,IAAI,CAAC,eAAyB,CAAC;YAC/C,eAAe,CAAC,OAAO,CAAC,GAAG,OAAO,CAAC,OAAO,CAAC,IAAA,aAAK,EAAC,YAAY,CAAC,EAAE,EAAE,CAAC,CAAC;QACtE,CAAC;QACD,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CACzB,aAAa,CAAC,YAAY,CACxB,eAAe,CAAC,CAAC,CAAC,eAAyB,CAAC,EAC5C,eAAe,CAAC,CAAC,CAAC,eAAyB,CAAC,CAC7C,CACF,CAAC;IACJ,CAAC;IAED,iEAAiE;IACzD,UAAU,CAChB,MAAmB,EACnB,aAA4B;QAE5B,MAAM,UAAU,GAAgB,EAAE,CAAC;QACnC,IAAI,SAAS,GAAqB,IAAI,CAAC;QAEvC,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;YAC3B,IAAI,KAAK,CAAC,UAAU,KAAK,GAAG,EAAE,CAAC;gBAC7B,SAAS,GAAG,KAAK,CAAC;YACpB,CAAC;iBAAM,IAAI,aAAa,CAAC,SAAS,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAA
C;gBAC5D,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACzB,CAAC;iBAAM,CAAC;gBACN,eAAM,CAAC,KAAK,CAAC,EAAE,KAAK,EAAE,EAAE,yCAAyC,CAAC,CAAC;YACrE,CAAC;QACH,CAAC;QAED,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QACvB,+DAA+D;QAC/D,aAAa,CAAC,YAAY,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CACrE,CAAC;QAEF,IAAI,SAAS,EAAE,CAAC;YACd,UAAU,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QAChC,CAAC;QAED,OAAO,UAAU,CAAC;IACpB,CAAC;IAEO,iBAAiB,CACvB,SAAoB,EACpB,WAAmB,EACnB,QAAsB;QAEtB,OAAO,CACL,QAAQ,CAAC,OAAO,EAAE,IAAI,KAAK,WAAW;YACtC,QAAQ,CAAC,OAAO,EAAE,SAAS,KAAK,SAAS,CAC1C,CAAC;IACJ,CAAC;IAEO,kBAAkB,CACxB,UAAkB,EAClB,QAAsB;QAEtB,OAAO,CAAC,CAAC,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAC,UAAU,CAAC,CAAC;IACnD,CAAC;IAEO,gBAAgB,CACtB,UAAkB,EAClB,QAAsB,EACtB,aAA4B;QAE5B,KAAK,MAAM,KAAK,IAAI,QAAQ,CAAC,MAAM,IAAI,EAAE,EAAE,CAAC;YAC1C,IAAI,KAAK,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;gBACzB,SAAS;YACX,CAAC;YAED,IAAI,UAAU,GAAG,KAAK,CAAC;YACvB,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,MAAM,EAAE,aAAa,CAAC,EAAE,CAAC;gBACjE,IACE,YAAE,CAAC,cAAc,CAAC,KAAK,CAAC,UAAU,CAAC;oBACnC,CAAC,KAAK,CAAC,UAAU,KAAK,GAAG;wBACvB,IAAI,CAAC,eAAe,CAAC,UAAU,EAAE,KAAK,CAAC,UAAU,EAAE,aAAa,CAAC,CAAC,EACpE,CAAC;oBACD,UAAU,GAAG,IAAI,CAAC;gBACpB,CAAC;qBAAM,IACL,YAAE,CAAC,cAAc,CAAC,KAAK,CAAC,KAAK,CAAC;oBAC9B,IAAI,CAAC,eAAe,CAAC,UAAU,EAAE,KAAK,CAAC,KAAK,EAAE,aAAa,CAAC,EAC5D,CAAC;oBACD,UAAU,GAAG,KAAK,CAAC;gBACrB,CAAC;qBAAM,IACL,YAAE,CAAC,cAAc,CAAC,KAAK,CAAC,aAAa,CAAC;oBACtC,IAAI,CAAC,WAAW,CAAC,UAAU,EAAE,KAAK,CAAC,aAAa,EAAE,aAAa,CAAC,EAChE,CAAC;oBACD,UAAU,GAAG,KAAK,CAAC;gBACrB,CAAC;YACH,CAAC;YAED,IAAI,UAAU,EAAE,CAAC;gBACf,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;IAED,gDAAgD;IACxC,mBAAmB,CACzB,SAAoB,EACpB,WAAmB,EACnB,UAAkB,EAClB,QAAsB,EACtB,aAA4B;QAE5B,OAAO,CACL,IAAI,CAAC,iBAAiB,CAAC,SAAS,EAAE,WAAW,EAAE,QAAQ,CAAC;YACxD,CAAC,IAAI,CAAC,kBAAkB,CAAC,UAAU,EAAE,QAAQ,CAAC;gBAC5C,IAAI,CAAC,gBAAgB,CAAC,UAAU,EAAE,QAAQ,EAAE,aAAa,CAAC,CAAC,CAC9D,CAAC;IACJ,CAAC;IAEO,eAAe,CACrB,SAAoB,EACpB,UA
AkB,EAClB,QAAsB,EACtB,aAA4B;QAE5B,MAAM,aAAa,GAAa,EAAE,CAAC;QACnC,MAAM,oBAAoB,GAAa,EAAE,CAAC;QAE1C,KAAK,MAAM,KAAK,IAAI,QAAQ,CAAC,MAAM,IAAI,EAAE,EAAE,CAAC;YAC1C,IAAI,KAAK,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;gBACzB,SAAS;YACX,CAAC;YAED,KAAK,MAAM,KAAK,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;gBACjC,IACE,YAAE,CAAC,cAAc,CAAC,KAAK,CAAC,KAAK,CAAC;oBAC9B,aAAa,CAAC,SAAS,CAAC,KAAK,CAAC,KAAK,CAAC,EACpC,CAAC;oBACD,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;gBAClC,CAAC;qBAAM,IACL,YAAE,CAAC,cAAc,CAAC,KAAK,CAAC,aAAa,CAAC;oBACtC,aAAa,CAAC,SAAS,CAAC,KAAK,CAAC,aAAa,CAAC,EAC5C,CAAC;oBACD,oBAAoB,CAAC,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC;gBACjD,CAAC;YACH,CAAC;QACH,CAAC;QAED,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,aAAa,CAAC,YAAY,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QAC/D,MAAM,YAAY,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAClD,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,UAAU,EAAE,aAAa,CAAC,CACrD,CAAC;QACF,IAAI,YAAY,EAAE,CAAC;YACjB,OAAO,IAAI,CAAC,0BAA0B,CAAC,YAAY,EAAE,SAAS,CAAC,CAAC;QAClE,CAAC;QAED,oBAAoB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,aAAa,CAAC,YAAY,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QACtE,MAAM,YAAY,GAAG,oBAAoB,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CACzD,IAAI,CAAC,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,aAAa,CAAC,CACzD,CAAC;QACF,IAAI,YAAY,EAAE,CAAC;YACjB,OAAO,IAAI,CAAC,0BAA0B,CAAC,YAAY,EAAE,SAAS,CAAC,CAAC;QAClE,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAEO,0BAA0B,CAChC,YAAoB,EACpB,SAAoB;QAEpB,IAAI,SAAS,KAAK,OAAO,IAAI,SAAS,KAAK,OAAO,EAAE,CAAC;YACnD,OAAO,IAAI,YAAY,IAAI,CAAC;QAC9B,CAAC;QAED,0CAA0C;QAC1C,OAAO,MAAM,YAAY,EAAE,CAAC;IAC9B,CAAC;IAEO,0BAA0B,CAChC,YAAoB,EACpB,SAAoB;QAEpB,IAAI,SAAS,KAAK,OAAO,EAAE,CAAC;YAC1B,OAAO,IAAI,YAAY,IAAI,CAAC;QAC9B,CAAC;QAED,0CAA0C;QAC1C,OAAO,KAAK,YAAY,EAAE,CAAC;IAC7B,CAAC;IAEO,WAAW,CACjB,OAAe,EACf,KAAa,EACb,aAA4B;QAE5B,OAAO,CACL,aAAa,CAAC,SAAS,CAAC,OAAO,CAAC;YAChC,aAAa,CAAC,SAAS,CAAC,KAAK,CAAC;YAC9B,aAAa,CAAC,aAAa,CAAC,OAAO,EAAE,KAAK,CAAC,CAC5C,CAAC;IACJ,CAAC;IAEO,eAAe,CACrB,OAAe,EACf,KAAa,EACb,aAA4B;QAE5B,OAAO,CACL,aAAa,CAAC,SAAS,CAAC,OAAO,CAAC;YAChC,aAAa,CAAC,SAAS,CAAC,KAA
K,CAAC;YAC9B,CAAC,aAAa,CAAC,MAAM,CAAC,OAAO,EAAE,KAAK,CAAC;gBACnC,aAAa,CAAC,aAAa,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC,CAC/C,CAAC;IACJ,CAAC;IAEO,2BAA2B,CAAC,GAAkB;QACpD,MAAM,EACJ,aAAa,EACb,QAAQ,EACR,WAAW,EACX,UAAU,EACV,YAAY,EACZ,UAAU,EACV,iBAAiB,GAClB,GAAG,GAAG,CAAC;QACR,IAAI,YAAE,CAAC,eAAe,CAAC,YAAY,CAAC,EAAE,CAAC;YACrC,eAAM,CAAC,KAAK,CACV,gDAAgD,aAAa,CAAC,EAAE,OAAO,WAAW,IAAI,UAAU,EAAE,CACnG,CAAC;YACF,OAAO,IAAI,CAAC;QACd,CAAC;QAED,eAAM,CAAC,KAAK,CACV,2BAA2B,YAAY,yBAAyB,aAAa,CAAC,EAAE,OAAO,WAAW,IAAI,UAAU,EAAE,CACnH,CAAC;QAEF,MAAM,eAAe,GAAG,IAAI,CAAC,sBAAsB,CACjD,aAAa,EACb,QAAQ,CACT,CAAC;QAEF,OAAO;YACL,gBAAgB,EAAE,CAAC,UAAU,CAAC;YAC9B,iBAAiB,EAAE,CAAC,WAAW,CAAC;YAChC,mBAAmB,EAAE,UAAU;YAC/B,eAAe,EAAE,YAAY;YAC7B,oBAAoB,EAAE,IAAI;YAC1B,qBAAqB,EAAE,eAAe,CAAC,aAAa;YACpD,WAAW,EAAE,IAAI,CAAC,mBAAmB,CAAC,aAAa,EAAE,QAAQ,CAAC;YAC9D,KAAK,EAAE;gBACL,GAAG,iBAAiB,CAAC,mBAAmB;aACzC;SACF,CAAC;IACJ,CAAC;IAED,MAAM,CAAC,kBAAkB,CAAC,MAAc;QACtC,MAAM,cAAc,GAAG,OAAC,CAAC,MAAM,CAAC;YAC9B,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC;YAClC,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,SAAS,CAAC;SAC1D,CAAC,CAAC;QAEH,IAAI,CAAC;YACH,MAAM,eAAe,GAA2B,IAAA,+BAAU,EAAC,MAAM,CAAC,CAAC;YACnE,MAAM,GAAG,GAAG,cAAc,CAAC,KAAK,CAAC,eAAe,EAAE,gBAAgB,EAAE,CAAC,CAAC;YAEtE,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC,YAAY,CAAC,CAAC;QACtD,CAAC;QAAC,MAAM,CAAC;YACP,eAAM,CAAC,KAAK,CAAC,gCAAgC,MAAM,EAAE,CAAC,CAAC;QACzD,CAAC;QAED,OAAO,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;IAClB,CAAC;IAEO,mBAAmB,CACzB,aAAgC,EAChC,QAAsB;QAEtB,IAAI,OAAO,GAAG,CAAC,aAAa,CAAC,EAAE,CAAC,CAAC,MAAM,CAAC,aAAa,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;QAC5E,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE;YAC3B,IAAI,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;gBAC1B,OAAO,IAAI,EAAE,sCAAsC,EAAE,GAAG,CAAC;YAC3D,CAAC;iBAAM,IAAI,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;gBAClC,OAAO,IAAI,EAAE,mCAAmC,EAAE,GAAG,CAAC;YACxD,CAAC;iBAAM,IAAI,EAAE,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;gBAChC,OAAO,IAAI,EAAE,6BAA6B,EAAE,GAAG,CAAC;YAClD,CA
AC;iBAAM,IAAI,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;gBACrC,OAAO,IAAI,EAAE,oCAAoC,EAAE,QAAQ,CAAC;YAC9D,CAAC;YAED,OAAO,EAAE,CAAC;QACZ,CAAC,CAAC,CAAC;QAEH,IAAI,OAAO,GAAG,iBAAiB,CAAC;QAChC,OAAO,IAAI,aAAa,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,aAAa,CAAC,OAAO,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;QACrE,OAAO,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC;QACtC,OAAO,IAAI,oDAAoD,CAAC;QAEhE,MAAM,OAAO,GAAG,aAAa,CAAC,OAAO,EAAE,OAAO,CAC5C,IAAA,aAAK,EAAC,YAAY,CAAC,EACnB,QAAQ,CACT,CAAC;QACF,OAAO,IAAI,iBAAiB,OAAO,IAAI,aAAa,IAAI,CAAC;QAEzD,OAAO,IAAI,iBAAiB,CAAC;QAC7B,MAAM,eAAe,GAAG,IAAI,CAAC,sBAAsB,CACjD,aAAa,EACb,QAAQ,CACT,CAAC;QAEF,IAAI,eAAe,CAAC,UAAU,EAAE,CAAC;YAC/B,OAAO,IAAI,iBAAiB,eAAe,CAAC,KAAK,IAAI,CAAC;YACtD,OAAO,IAAI,sBAAsB,eAAe,CAAC,UAAU,MAAM,CAAC;QACpE,CAAC;aAAM,CAAC;YACN,OAAO,IAAI,GAAG,IAAA,kBAAS,EAAC,eAAe,CAAC,aAAa,CAAC,IAAI,CAAC;QAC7D,CAAC;QAED,OAAO,IAAI,sBACT,aAAa,CAAC,UAAU;YACtB,EAAE,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;YACZ,OAAO,MAAM,GAAG,CAAC,GAAG,KAAK,GAAG,CAAC,GAAG,GAAG,CAAC;QACtC,CAAC,CAAC;aACD,IAAI,CAAC,IAAI,CAAC,IAAI,gBACnB,EAAE,CAAC;QAEH,IAAI,WAAW,GAAG,EAAE,CAAC;QACrB,IAAI,aAAa,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;YACzC,WAAW,GAAG,kKAAkK,CAAC;QACnL,CAAC;aAAM,IAAI,aAAa,CAAC,EAAE,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;YAC9C,WAAW,GAAG,gIAAgI,CAAC;QACjJ,CAAC;aAAM,IAAI,aAAa,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YACjD,WAAW,GAAG,yJAAyJ,CAAC;QAC1K,CAAC;aAAM,IAAI,aAAa,CAAC,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YACnD,WAAW,GAAG,qJAAqJ,CAAC;QACtK,CAAC;QACD,OAAO,IAAI,oEAAoE,aAAa,CAAC,EAAE,IAAI,WAAW,KAAK,CAAC;QACpH,OAAO,IAAI,YAAY,CAAC;QAExB,OAAO,CAAC,IAAA,2BAAgB,EAAC,OAAO,CAAC,CAAC,CAAC;IACrC,CAAC;IAEO,sBAAsB,CAC5B,aAAgC,EAChC,QAAsB;QAEtB,IAAI,aAAa,GAAG,SAAS,CAAC;QAC9B,IAAI,KAAK,GAAG,SAAS,CAAC;QAEtB,MAAM,UAAU,GACd,aAAa,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,SAAS,CAAC,EAAE,KAAK;YAChE,aAAa,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,SAAS,CAAC,EAAE,KAAK;YAC/D,QAAQ,CAAC,iBAAiB,EAAE,IAAe,CAAC,CAAC,UAAU;QAE1D,IAAI,UAAU,EAAE,CAAC;
YACf,MAAM,CAAC,SAAS,EAAE,QAAQ,CAAC,GACzB,eAAe,CAAC,kBAAkB,CAAC,UAAU,CAAC,CAAC;YACjD,aAAa,GAAG,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;YAC9D,KAAK,GAAG,SAAS;gBACf,CAAC,CAAC,GAAG,SAAS,UAAU,IAAA,kBAAS,EAAC,aAAa,CAAC,GAAG;gBACnD,CAAC,CAAC,SAAS,CAAC;QAChB,CAAC;aAAM,IACL,aAAa,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC;YACpC,aAAa,CAAC,iBAAiB,EAAE,QAAQ,EACzC,CAAC;YACD,MAAM,QAAQ,GAAG,aAAa,CAAC,iBAAiB,CAAC,QAAkB,CAAC;YACpE,aAAa,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC;QACzC,CAAC;QAED,OAAO;YACL,UAAU;YACV,KAAK;YACL,aAAa;SACd,CAAC;IACJ,CAAC;;AArlBH,0CAslBC","sourcesContent":["// TODO #22198\nimport type { Ecosystem, Osv } from '@renovatebot/osv-offline';\nimport { OsvOffline } from '@renovatebot/osv-offline';\nimport is from '@sindresorhus/is';\nimport type { CvssVector } from 'ae-cvss-calculator';\nimport { fromVector } from 'ae-cvss-calculator';\nimport { z } from 'zod';\nimport { getManagerConfig, mergeChildConfig } from '../../../config';\nimport type { PackageRule, RenovateConfig } from '../../../config/types';\nimport { logger } from '../../../logger';\nimport { getDefaultVersioning } from '../../../modules/datasource/common';\nimport type {\n PackageDependency,\n PackageFile,\n} from '../../../modules/manager/types';\nimport type { VersioningApi } from '../../../modules/versioning';\nimport { get as getVersioning } from '../../../modules/versioning';\nimport { sanitizeMarkdown } from '../../../util/markdown';\nimport * as p from '../../../util/promises';\nimport { regEx } from '../../../util/regex';\nimport { titleCase } from '../../../util/string';\nimport type {\n DependencyVulnerabilities,\n SeverityDetails,\n Vulnerability,\n} from './types';\n\nexport class Vulnerabilities {\n private osvOffline: OsvOffline | undefined;\n\n private static readonly datasourceEcosystemMap: Record<\n string,\n Ecosystem | undefined\n > = {\n crate: 'crates.io',\n go: 'Go',\n hackage: 'Hackage',\n hex: 'Hex',\n maven: 'Maven',\n npm: 'npm',\n nuget: 'NuGet',\n packagist: 
'Packagist',\n pypi: 'PyPI',\n rubygems: 'RubyGems',\n };\n\n private constructor() {\n // private constructor\n }\n\n private async initialize(): Promise<void> {\n this.osvOffline = await OsvOffline.create();\n }\n\n static async create(): Promise<Vulnerabilities> {\n const instance = new Vulnerabilities();\n await instance.initialize();\n return instance;\n }\n\n async appendVulnerabilityPackageRules(\n config: RenovateConfig,\n packageFiles: Record<string, PackageFile[]>,\n ): Promise<void> {\n const dependencyVulnerabilities = await this.fetchDependencyVulnerabilities(\n config,\n packageFiles,\n );\n\n config.packageRules ??= [];\n for (const {\n vulnerabilities,\n versioningApi,\n } of dependencyVulnerabilities) {\n const groupPackageRules: PackageRule[] = [];\n for (const vulnerability of vulnerabilities) {\n const rule = this.vulnerabilityToPackageRules(vulnerability);\n if (is.nullOrUndefined(rule)) {\n continue;\n }\n groupPackageRules.push(rule);\n }\n this.sortByFixedVersion(groupPackageRules, versioningApi);\n\n config.packageRules.push(...groupPackageRules);\n }\n }\n\n async fetchVulnerabilities(\n config: RenovateConfig,\n packageFiles: Record<string, PackageFile[]>,\n ): Promise<Vulnerability[]> {\n const groups = await this.fetchDependencyVulnerabilities(\n config,\n packageFiles,\n );\n return groups.flatMap((group) => group.vulnerabilities);\n }\n\n private async fetchDependencyVulnerabilities(\n config: RenovateConfig,\n packageFiles: Record<string, PackageFile[]>,\n ): Promise<DependencyVulnerabilities[]> {\n const managers = Object.keys(packageFiles);\n const allManagerJobs = managers.map((manager) =>\n this.fetchManagerVulnerabilities(config, packageFiles, manager),\n );\n return (await Promise.all(allManagerJobs)).flat();\n }\n\n private async fetchManagerVulnerabilities(\n config: RenovateConfig,\n packageFiles: Record<string, PackageFile[]>,\n manager: string,\n ): Promise<DependencyVulnerabilities[]> {\n const managerConfig = 
getManagerConfig(config, manager);\n const queue = packageFiles[manager].map(\n (pFile) => (): Promise<DependencyVulnerabilities[]> =>\n this.fetchManagerPackageFileVulnerabilities(managerConfig, pFile),\n );\n logger.trace(\n { manager, queueLength: queue.length },\n 'fetchManagerVulnerabilities starting',\n );\n const result = (await p.all(queue)).flat();\n logger.trace({ manager }, 'fetchManagerVulnerabilities finished');\n return result;\n }\n\n private async fetchManagerPackageFileVulnerabilities(\n managerConfig: RenovateConfig,\n pFile: PackageFile,\n ): Promise<DependencyVulnerabilities[]> {\n const { packageFile } = pFile;\n const packageFileConfig = mergeChildConfig(managerConfig, pFile);\n const { manager } = packageFileConfig;\n const queue = pFile.deps.map(\n (dep) => (): Promise<DependencyVulnerabilities | null> =>\n this.fetchDependencyVulnerability(packageFileConfig, dep),\n );\n logger.trace(\n { manager, packageFile, queueLength: queue.length },\n 'fetchManagerPackageFileVulnerabilities starting with concurrency',\n );\n\n const result = await p.all(queue);\n logger.trace(\n { packageFile },\n 'fetchManagerPackageFileVulnerabilities finished',\n );\n\n return result.filter(is.truthy);\n }\n\n private async fetchDependencyVulnerability(\n packageFileConfig: RenovateConfig & PackageFile,\n dep: PackageDependency,\n ): Promise<DependencyVulnerabilities | null> {\n const ecosystem = Vulnerabilities.datasourceEcosystemMap[dep.datasource!];\n if (!ecosystem) {\n logger.trace(`Cannot map datasource ${dep.datasource!} to OSV ecosystem`);\n return null;\n }\n\n let packageName = dep.packageName ?? 
dep.depName!;\n if (ecosystem === 'PyPI') {\n // https://peps.python.org/pep-0503/#normalized-names\n packageName = packageName.toLowerCase().replace(regEx(/[_.-]+/g), '-');\n }\n\n try {\n const osvVulnerabilities = await this.osvOffline?.getVulnerabilities(\n ecosystem,\n packageName,\n );\n if (\n is.nullOrUndefined(osvVulnerabilities) ||\n is.emptyArray(osvVulnerabilities)\n ) {\n logger.trace(\n `No vulnerabilities found in OSV database for ${packageName}`,\n );\n return null;\n }\n\n const depVersion =\n dep.lockedVersion ?? dep.currentVersion ?? dep.currentValue!;\n\n const versioning = dep.versioning ?? getDefaultVersioning(dep.datasource);\n const versioningApi = getVersioning(versioning);\n\n if (!versioningApi.isVersion(depVersion)) {\n logger.debug(\n `Skipping vulnerability lookup for package ${packageName} due to unsupported version ${depVersion}`,\n );\n return null;\n }\n\n const vulnerabilities: Vulnerability[] = [];\n for (const osvVulnerability of osvVulnerabilities) {\n if (osvVulnerability.withdrawn) {\n logger.trace(\n `Skipping withdrawn vulnerability ${osvVulnerability.id}`,\n );\n continue;\n }\n\n for (const affected of osvVulnerability.affected ?? 
[]) {\n const isVulnerable = this.isPackageVulnerable(\n ecosystem,\n packageName,\n depVersion,\n affected,\n versioningApi,\n );\n if (!isVulnerable) {\n continue;\n }\n\n logger.debug(\n `Vulnerability ${osvVulnerability.id} affects ${packageName} ${depVersion}`,\n );\n const fixedVersion = this.getFixedVersion(\n ecosystem,\n depVersion,\n affected,\n versioningApi,\n );\n\n vulnerabilities.push({\n packageName,\n vulnerability: osvVulnerability,\n affected,\n depVersion,\n fixedVersion,\n datasource: dep.datasource!,\n packageFileConfig,\n });\n }\n }\n\n return { vulnerabilities, versioningApi };\n } catch (err) {\n logger.warn(\n { err, packageName },\n 'Error fetching vulnerability information for package',\n );\n return null;\n }\n }\n\n private sortByFixedVersion(\n packageRules: PackageRule[],\n versioningApi: VersioningApi,\n ): void {\n const versionsCleaned: Record<string, string> = {};\n for (const rule of packageRules) {\n const version = rule.allowedVersions as string;\n versionsCleaned[version] = version.replace(regEx(/[(),=> ]+/g), '');\n }\n packageRules.sort((a, b) =>\n versioningApi.sortVersions(\n versionsCleaned[a.allowedVersions as string],\n versionsCleaned[b.allowedVersions as string],\n ),\n );\n }\n\n // https://ossf.github.io/osv-schema/#affectedrangesevents-fields\n private sortEvents(\n events: Osv.Event[],\n versioningApi: VersioningApi,\n ): Osv.Event[] {\n const sortedCopy: Osv.Event[] = [];\n let zeroEvent: Osv.Event | null = null;\n\n for (const event of events) {\n if (event.introduced === '0') {\n zeroEvent = event;\n } else if (versioningApi.isVersion(Object.values(event)[0])) {\n sortedCopy.push(event);\n } else {\n logger.debug({ event }, 'Skipping OSV event with invalid version');\n }\n }\n\n sortedCopy.sort((a, b) =>\n // no pre-processing, as there are only very few values to sort\n versioningApi.sortVersions(Object.values(a)[0], Object.values(b)[0]),\n );\n\n if (zeroEvent) {\n sortedCopy.unshift(zeroEvent);\n }\n\n 
return sortedCopy;\n }\n\n private isPackageAffected(\n ecosystem: Ecosystem,\n packageName: string,\n affected: Osv.Affected,\n ): boolean {\n return (\n affected.package?.name === packageName &&\n affected.package?.ecosystem === ecosystem\n );\n }\n\n private includedInVersions(\n depVersion: string,\n affected: Osv.Affected,\n ): boolean {\n return !!affected.versions?.includes(depVersion);\n }\n\n private includedInRanges(\n depVersion: string,\n affected: Osv.Affected,\n versioningApi: VersioningApi,\n ): boolean {\n for (const range of affected.ranges ?? []) {\n if (range.type === 'GIT') {\n continue;\n }\n\n let vulnerable = false;\n for (const event of this.sortEvents(range.events, versioningApi)) {\n if (\n is.nonEmptyString(event.introduced) &&\n (event.introduced === '0' ||\n this.isVersionGtOrEq(depVersion, event.introduced, versioningApi))\n ) {\n vulnerable = true;\n } else if (\n is.nonEmptyString(event.fixed) &&\n this.isVersionGtOrEq(depVersion, event.fixed, versioningApi)\n ) {\n vulnerable = false;\n } else if (\n is.nonEmptyString(event.last_affected) &&\n this.isVersionGt(depVersion, event.last_affected, versioningApi)\n ) {\n vulnerable = false;\n }\n }\n\n if (vulnerable) {\n return true;\n }\n }\n\n return false;\n }\n\n // https://ossf.github.io/osv-schema/#evaluation\n private isPackageVulnerable(\n ecosystem: Ecosystem,\n packageName: string,\n depVersion: string,\n affected: Osv.Affected,\n versioningApi: VersioningApi,\n ): boolean {\n return (\n this.isPackageAffected(ecosystem, packageName, affected) &&\n (this.includedInVersions(depVersion, affected) ||\n this.includedInRanges(depVersion, affected, versioningApi))\n );\n }\n\n private getFixedVersion(\n ecosystem: Ecosystem,\n depVersion: string,\n affected: Osv.Affected,\n versioningApi: VersioningApi,\n ): string | null {\n const fixedVersions: string[] = [];\n const lastAffectedVersions: string[] = [];\n\n for (const range of affected.ranges ?? 
[]) {\n if (range.type === 'GIT') {\n continue;\n }\n\n for (const event of range.events) {\n if (\n is.nonEmptyString(event.fixed) &&\n versioningApi.isVersion(event.fixed)\n ) {\n fixedVersions.push(event.fixed);\n } else if (\n is.nonEmptyString(event.last_affected) &&\n versioningApi.isVersion(event.last_affected)\n ) {\n lastAffectedVersions.push(event.last_affected);\n }\n }\n }\n\n fixedVersions.sort((a, b) => versioningApi.sortVersions(a, b));\n const fixedVersion = fixedVersions.find((version) =>\n this.isVersionGt(version, depVersion, versioningApi),\n );\n if (fixedVersion) {\n return this.getFixedVersionByEcosystem(fixedVersion, ecosystem);\n }\n\n lastAffectedVersions.sort((a, b) => versioningApi.sortVersions(a, b));\n const lastAffected = lastAffectedVersions.find((version) =>\n this.isVersionGtOrEq(version, depVersion, versioningApi),\n );\n if (lastAffected) {\n return this.getLastAffectedByEcosystem(lastAffected, ecosystem);\n }\n\n return null;\n }\n\n private getFixedVersionByEcosystem(\n fixedVersion: string,\n ecosystem: Ecosystem,\n ): string {\n if (ecosystem === 'Maven' || ecosystem === 'NuGet') {\n return `[${fixedVersion},)`;\n }\n\n // crates.io, Go, Hex, npm, RubyGems, PyPI\n return `>= ${fixedVersion}`;\n }\n\n private getLastAffectedByEcosystem(\n lastAffected: string,\n ecosystem: Ecosystem,\n ): string {\n if (ecosystem === 'Maven') {\n return `(${lastAffected},)`;\n }\n\n // crates.io, Go, Hex, npm, RubyGems, PyPI\n return `> ${lastAffected}`;\n }\n\n private isVersionGt(\n version: string,\n other: string,\n versioningApi: VersioningApi,\n ): boolean {\n return (\n versioningApi.isVersion(version) &&\n versioningApi.isVersion(other) &&\n versioningApi.isGreaterThan(version, other)\n );\n }\n\n private isVersionGtOrEq(\n version: string,\n other: string,\n versioningApi: VersioningApi,\n ): boolean {\n return (\n versioningApi.isVersion(version) &&\n versioningApi.isVersion(other) &&\n (versioningApi.equals(version, other) ||\n 
versioningApi.isGreaterThan(version, other))\n );\n }\n\n private vulnerabilityToPackageRules(vul: Vulnerability): PackageRule | null {\n const {\n vulnerability,\n affected,\n packageName,\n depVersion,\n fixedVersion,\n datasource,\n packageFileConfig,\n } = vul;\n if (is.nullOrUndefined(fixedVersion)) {\n logger.debug(\n `No fixed version available for vulnerability ${vulnerability.id} in ${packageName} ${depVersion}`,\n );\n return null;\n }\n\n logger.debug(\n `Setting allowed version ${fixedVersion} to fix vulnerability ${vulnerability.id} in ${packageName} ${depVersion}`,\n );\n\n const severityDetails = this.extractSeverityDetails(\n vulnerability,\n affected,\n );\n\n return {\n matchDatasources: [datasource],\n matchPackageNames: [packageName],\n matchCurrentVersion: depVersion,\n allowedVersions: fixedVersion,\n isVulnerabilityAlert: true,\n vulnerabilitySeverity: severityDetails.severityLevel,\n prBodyNotes: this.generatePrBodyNotes(vulnerability, affected),\n force: {\n ...packageFileConfig.vulnerabilityAlerts,\n },\n };\n }\n\n static evaluateCvssVector(vector: string): [string, string] {\n const CvssJsonSchema = z.object({\n baseScore: z.number().default(0.0),\n baseSeverity: z.string().toUpperCase().default('UNKNOWN'),\n });\n\n try {\n const parsedCvssScore: CvssVector<any> | null = fromVector(vector);\n const res = CvssJsonSchema.parse(parsedCvssScore?.createJsonSchema());\n\n return [res.baseScore.toFixed(1), res.baseSeverity];\n } catch {\n logger.debug(`Error processing CVSS vector ${vector}`);\n }\n\n return ['', ''];\n }\n\n private generatePrBodyNotes(\n vulnerability: Osv.Vulnerability,\n affected: Osv.Affected,\n ): string[] {\n let aliases = [vulnerability.id].concat(vulnerability.aliases ?? 
[]).sort();\n aliases = aliases.map((id) => {\n if (id.startsWith('CVE-')) {\n return `[${id}](https://nvd.nist.gov/vuln/detail/${id})`;\n } else if (id.startsWith('GHSA-')) {\n return `[${id}](https://github.com/advisories/${id})`;\n } else if (id.startsWith('GO-')) {\n return `[${id}](https://pkg.go.dev/vuln/${id})`;\n } else if (id.startsWith('RUSTSEC-')) {\n return `[${id}](https://rustsec.org/advisories/${id}.html)`;\n }\n\n return id;\n });\n\n let content = '\\n\\n---\\n\\n### ';\n content += vulnerability.summary ? `${vulnerability.summary}\\n` : '';\n content += `${aliases.join(' / ')}\\n`;\n content += `\\n<details>\\n<summary>More information</summary>\\n`;\n\n const details = vulnerability.details?.replace(\n regEx(/^#{1,4} /gm),\n '##### ',\n );\n content += `#### Details\\n${details ?? 'No details.'}\\n`;\n\n content += '#### Severity\\n';\n const severityDetails = this.extractSeverityDetails(\n vulnerability,\n affected,\n );\n\n if (severityDetails.cvssVector) {\n content += `- CVSS Score: ${severityDetails.score}\\n`;\n content += `- Vector String: \\`${severityDetails.cvssVector}\\`\\n`;\n } else {\n content += `${titleCase(severityDetails.severityLevel)}\\n`;\n }\n\n content += `\\n#### References\\n${\n vulnerability.references\n ?.map((ref) => {\n return `- [${ref.url}](${ref.url})`;\n })\n .join('\\n') ?? 
'No references.'\n }`;\n\n let attribution = '';\n if (vulnerability.id.startsWith('GHSA-')) {\n attribution = ` and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md))`;\n } else if (vulnerability.id.startsWith('GO-')) {\n attribution = ` and the [Go Vulnerability Database](https://github.com/golang/vulndb) ([CC-BY 4.0](https://github.com/golang/vulndb#license))`;\n } else if (vulnerability.id.startsWith('PYSEC-')) {\n attribution = ` and the [PyPI Advisory Database](https://github.com/pypa/advisory-database) ([CC-BY 4.0](https://github.com/pypa/advisory-database/blob/main/LICENSE))`;\n } else if (vulnerability.id.startsWith('RUSTSEC-')) {\n attribution = ` and the [Rust Advisory Database](https://github.com/RustSec/advisory-db) ([CC0 1.0](https://github.com/rustsec/advisory-db/blob/main/LICENSE.txt))`;\n }\n content += `\\n\\nThis data is provided by [OSV](https://osv.dev/vulnerability/${vulnerability.id})${attribution}.\\n`;\n content += `</details>`;\n\n return [sanitizeMarkdown(content)];\n }\n\n private extractSeverityDetails(\n vulnerability: Osv.Vulnerability,\n affected: Osv.Affected,\n ): SeverityDetails {\n let severityLevel = 'UNKNOWN';\n let score = 'Unknown';\n\n const cvssVector =\n vulnerability.severity?.find((e) => e.type === 'CVSS_V4')?.score ??\n vulnerability.severity?.find((e) => e.type === 'CVSS_V3')?.score ??\n (affected.database_specific?.cvss as string); // RUSTSEC\n\n if (cvssVector) {\n const [baseScore, severity] =\n Vulnerabilities.evaluateCvssVector(cvssVector);\n severityLevel = severity ? severity.toUpperCase() : 'UNKNOWN';\n score = baseScore\n ? 
`${baseScore} / 10 (${titleCase(severityLevel)})`\n : 'Unknown';\n } else if (\n vulnerability.id.startsWith('GHSA-') &&\n vulnerability.database_specific?.severity\n ) {\n const severity = vulnerability.database_specific.severity as string;\n severityLevel = severity.toUpperCase();\n }\n\n return {\n cvssVector,\n score,\n severityLevel,\n };\n }\n}\n"]}
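--- a/package/package.json
+++ b/package/package.json
@@ -1,7 +1,7 @@
  {
  "name": "renovate",
  "description": "Automated dependency updates. Flexible so you don't need to be.",
- "version": "41.106.0",
+ "version": "41.107.1",
  "type": "commonjs",
  "bin": {
  "renovate": "dist/renovate.js",
@@ -180,6 +180,7 @@
  "@sindresorhus/is": "7.0.2",
  "@yarnpkg/core": "4.4.3",
  "@yarnpkg/parsers": "3.0.3",
+ "ae-cvss-calculator": "1.0.8",
  "agentkeepalive": "4.6.0",
  "async-mutex": "0.5.0",
  "auth-header": "1.0.0",
@@ -224,7 +225,7 @@
  "jsonata": "2.1.0",
  "jsonc-parser": "3.3.1",
  "klona": "2.0.6",
- "luxon": "3.7.1",
+ "luxon": "3.7.2",
  "markdown-it": "14.1.0",
  "markdown-table": "3.0.4",
  "minimatch": "10.0.3",
@@ -260,7 +261,6 @@
  "upath": "2.0.1",
  "url-join": "5.0.0",
  "validate-npm-package-name": "6.0.2",
- "vuln-vects": "1.1.0",
  "xmldoc": "2.0.2",
  "yaml": "2.8.1",
  "zod": "3.25.76"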