renovate 42.26.11 → 42.27.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
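--- a/limits.js
+++ b/limits.js
@@ -95,7 +95,7 @@ function calcLimit(upgrades, limitName) {
 }
 // no limit
 if (limit === 0 || limit === null) {
-logger_1.logger.debug(`${limitName} of this branch is unlimited, because
+logger_1.logger.debug(`${limitName} of this branch is unlimited, because at least one of the upgrade has it's ${limitName} set to "No limit" ie. 0 or null`);
 return 0;
 }
 // limit is set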
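Review bot: The rewritten debug message on new line 98 still carries two wording slips that the `atleast` fix leaves in place: `it's` is the contraction where the possessive `its` is meant, and `one of the upgrade` should be plural. I would make the message read `${limitName} of this branch is unlimited, because at least one of the upgrades has its ${limitName} set to "No limit", i.e. 0 or null`. Since this hunk is compiled output, the edit belongs in the TypeScript source the accompanying source map names, lib/workers/global/limits.ts, so the next build does not reintroduce it. calcLimit's body starts and ends outside the hunk.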
@@ -1 +1 @@
1
-
{"version":3,"file":"limits.js","sourceRoot":"","sources":["../../../lib/workers/global/limits.ts"],"names":[],"mappings":";;;AAYA,wCAEC;AAED,kCAIC;AAED,0CAMC;AAsBD,4BAQC;AAED,4BAGC;AAED,sCAGC;AA4BD,8BAkDC;AAED,8CA4BC;AAOD,wCAgBC;AAvMD,yCAAoE;AACpE,yCAAsC;AAStC,MAAM,MAAM,GAAG,IAAI,GAAG,EAAqB,CAAC;AAE5C,SAAgB,cAAc;IAC5B,MAAM,CAAC,KAAK,EAAE,CAAC;AACjB,CAAC;AAED,SAAgB,WAAW,CAAC,GAAU,EAAE,GAAY;IAClD,MAAM,GAAG,GAAG,OAAO,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAC9D,MAAM,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,OAAO,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC;IACrC,eAAM,CAAC,KAAK,CAAC,GAAG,GAAG,YAAY,GAAI,EAAE,CAAC,CAAC;AACzC,CAAC;AAED,SAAgB,eAAe,CAAC,GAAU,EAAE,KAAK,GAAG,CAAC;IACnD,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,GAAG,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC;IAC3D,MAAM,CAAC,GAAG,CAAC,GAAG,EAAE;QACd,GAAG,KAAK;QACR,OAAO,EAAE,KAAK,CAAC,OAAO,GAAG,KAAK;KAC/B,CAAC,CAAC;AACL,CAAC;AAED,SAAS,kBAAkB;IACzB,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACpC,gBAAgB;IAChB,oEAAoE;IACpE,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,GAAG,KAAK,IAAI,EAAE,CAAC;QACjC,OAAO,KAAK,CAAC;IACf,CAAC;IACD,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,KAAK,CAAC;IAC/B,OAAO,GAAG,GAAG,OAAO,IAAI,CAAC,CAAC;AAC5B,CAAC;AASY,QAAA,MAAM,GAAG,IAAI,GAAG,EAAqB,CAAC;AAEnD,SAAgB,QAAQ,CAAC,GAAc;IACrC,MAAM,KAAK,GAAG,cAAM,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAC9B,wCAAwC;IACxC,IAAI,CAAC,IAAA,cAAS,EAAC,KAAK,CAAC,EAAE,CAAC;QACtB,eAAM,CAAC,KAAK,CAAC,kCAAkC,GAAG,mBAAmB,CAAC,CAAC;QACvE,OAAO,CAAC,CAAC;IACX,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAgB,QAAQ,CAAC,GAAc,EAAE,GAAW;IAClD,cAAM,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IACrB,eAAM,CAAC,KAAK,CAAC,GAAG,GAAG,YAAY,GAAG,EAAE,CAAC,CAAC;AACxC,CAAC;AAED,SAAgB,aAAa,CAAC,GAAc,EAAE,KAAK,GAAG,CAAC;IACrD,MAAM,KAAK,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC;IAC5B,cAAM,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,GAAG,KAAK,CAAC,CAAC;AACjC,CAAC;AAED,SAAS,sBAAsB,CAC7B,GAAoC,EACpC,MAAoB;IAEpB,MAAM,QAAQ,GACZ,GAAG,KAAK,UAAU,CAAC,CAAC,CAAC,uBAAuB,CAAC,CAAC,CAAC,mBAAmB,CAAC;IAErE,uCAAuC;IACvC
,MAAM,WAAW,GAAG,SAAS,CAAC,MAAM,CAAC,QAAQ,EAAE,eAAe,CAAC,CAAC;IAChE,MAAM,aAAa,GAAG,QAAQ,CAAC,WAAW,CAAC,CAAC;IAE5C,wFAAwF;IACxF,IAAI,WAAW,IAAI,aAAa,IAAI,WAAW,EAAE,CAAC;QAChD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,UAAU,GAAG,SAAS,CAAC,MAAM,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IACxD,MAAM,YAAY,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC;IAEnC,IAAI,UAAU,IAAI,YAAY,IAAI,UAAU,EAAE,CAAC;QAC7C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAgB,SAAS,CACvB,QAA+B,EAC/B,SAA0B;IAE1B,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;IACpE,eAAM,CAAC,KAAK,CACV;QACE,MAAM,EAAE,KAAK,CAAC,IAAI,CAAC,cAAc,CAAC,MAAM,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;YACtD,OAAO,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE,CAAC,SAAS,CAAC,EAAE,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC;QAC/D,CAAC,CAAC;KACH,EACD,GAAG,SAAS,yCAAyC,CACtD,CAAC;IAEF,IAAI,iBAAiB,CAAC,QAAQ,EAAE,SAAS,CAAC,EAAE,CAAC;QAC3C,eAAM,CAAC,IAAI,CAAC,KAAK,CACf,uBAAuB,SAAS,mDAAmD,CACpF,CAAC;IACJ,CAAC;IAED,IAAI,WAAW,GAAG,MAAM,CAAC,gBAAgB,CAAC;IAC1C,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,IAAI,KAAK,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC;QAE/B,uEAAuE;QACvE,IAAI,CAAC,IAAA,aAAQ,EAAC,KAAK,CAAC,IAAI,SAAS,KAAK,uBAAuB,EAAE,CAAC;YAC9D,KAAK,GAAG,OAAO,CAAC,iBAAiB,CAAC;QACpC,CAAC;QAED,4EAA4E;QAC5E,IAAI,IAAA,gBAAW,EAAC,KAAK,CAAC,EAAE,CAAC;YACvB,KAAK,GAAG,MAAM,CAAC,gBAAgB,CAAC;QAClC,CAAC;QAED,WAAW;QACX,IAAI,KAAK,KAAK,CAAC,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;YAClC,eAAM,CAAC,KAAK,CACV,GAAG,SAAS,6EAA6E,SAAS,kCAAkC,CACrI,CAAC;YACF,OAAO,CAAC,CAAC;QACX,CAAC;QAED,eAAe;QACf,WAAW,GAAG,KAAK,GAAG,WAAW,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,WAAW,CAAC;IAC1D,CAAC;IAED,eAAM,CAAC,KAAK,CACV,qBAAqB,SAAS,iDAAiD,WAAW,GAAG,CAC9F,CAAC;IACF,OAAO,WAAW,CAAC;AACrB,CAAC;AAED,SAAgB,iBAAiB,CAC/B,QAA+B,EAC/B,SAA0B;IAE1B,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1B,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,cAAc,GAAG,IAAI,GAAG,EAAU,CAAC;IACzC,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,IAAI,UAAU,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC;QAEpC,uEAAuE;QACvE,IAAI,SAAS,KAAK,uBAAuB,IAA
I,CAAC,IAAA,aAAQ,EAAC,UAAU,CAAC,EAAE,CAAC;YACnE,UAAU,GAAG,OAAO,CAAC,iBAAiB,CAAC;QACzC,CAAC;QAED,yEAAyE;QACzE,IAAI,UAAU,KAAK,IAAI,EAAE,CAAC;YACxB,UAAU,GAAG,CAAC,CAAC;QACjB,CAAC;QAED,IAAI,CAAC,IAAA,gBAAW,EAAC,UAAU,CAAC,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,CAAC;YAChE,cAAc,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QACjC,CAAC;IACH,CAAC;IAED,OAAO,cAAc,CAAC,IAAI,GAAG,CAAC,CAAC;AACjC,CAAC;AAOD,SAAgB,cAAc,CAC5B,KAA+C,EAC/C,MAAqB;IAErB,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;QACxB,OAAO,kBAAkB,EAAE,CAAC;IAC9B,CAAC;IAED,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,sBAAsB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IAC/C,CAAC;IAED,0CAA0C;IAC1C,MAAM,IAAI,KAAK,CACb,uEAAuE,CACxE,CAAC;AACJ,CAAC","sourcesContent":["import { isInteger, isNumber, isUndefined } from '@sindresorhus/is';\nimport { logger } from '../../logger';\nimport type { BranchConfig, BranchUpgradeConfig } from '../types';\n\nexport type Limit = 'Commits';\ninterface LimitValue {\n max: number | null;\n current: number;\n}\n\nconst limits = new Map<Limit, LimitValue>();\n\nexport function resetAllLimits(): void {\n limits.clear();\n}\n\nexport function setMaxLimit(key: Limit, val: unknown): void {\n const max = typeof val === 'number' ? Math.max(0, val) : null;\n limits.set(key, { current: 0, max });\n logger.debug(`${key} limit = ${max!}`);\n}\n\nexport function incLimitedValue(key: Limit, incBy = 1): void {\n const limit = limits.get(key) ?? 
{ max: null, current: 0 };\n limits.set(key, {\n ...limit,\n current: limit.current + incBy,\n });\n}\n\nfunction handleCommitsLimit(): boolean {\n const limit = limits.get('Commits');\n // TODO: fix me?\n // eslint-disable-next-line @typescript-eslint/prefer-optional-chain\n if (!limit || limit.max === null) {\n return false;\n }\n const { max, current } = limit;\n return max - current <= 0;\n}\n\nexport type CountName = 'ConcurrentPRs' | 'HourlyPRs' | 'Branches';\n\ntype BranchLimitName =\n | 'branchConcurrentLimit'\n | 'prConcurrentLimit'\n | 'prHourlyLimit';\n\nexport const counts = new Map<CountName, number>();\n\nexport function getCount(key: CountName): number {\n const count = counts.get(key);\n // istanbul ignore if: should not happen\n if (!isInteger(count)) {\n logger.debug(`Could not compute the count of ${key}, returning zero.`);\n return 0;\n }\n return count;\n}\n\nexport function setCount(key: CountName, val: number): void {\n counts.set(key, val);\n logger.debug(`${key} count = ${val}`);\n}\n\nexport function incCountValue(key: CountName, incBy = 1): void {\n const count = getCount(key);\n counts.set(key, count + incBy);\n}\n\nfunction handleConcurrentLimits(\n key: Exclude<CountName, 'HourlyPRs'>,\n config: BranchConfig,\n): boolean {\n const limitKey =\n key === 'Branches' ? 'branchConcurrentLimit' : 'prConcurrentLimit';\n\n // calculate the limits for this branch\n const hourlyLimit = calcLimit(config.upgrades, 'prHourlyLimit');\n const hourlyPrCount = getCount('HourlyPRs');\n\n // if a limit is defined ( >0 ) and limit reached return true ie. 
limit has been reached\n if (hourlyLimit && hourlyPrCount >= hourlyLimit) {\n return true;\n }\n\n const limitValue = calcLimit(config.upgrades, limitKey);\n const currentCount = getCount(key);\n\n if (limitValue && currentCount >= limitValue) {\n return true;\n }\n\n return false;\n}\n\nexport function calcLimit(\n upgrades: BranchUpgradeConfig[],\n limitName: BranchLimitName,\n): number {\n const uniqueUpgrades = new Map(upgrades.map((u) => [u.depName, u]));\n logger.debug(\n {\n limits: Array.from(uniqueUpgrades.values()).map((upg) => {\n return { depName: upg.depName, [limitName]: upg[limitName] };\n }),\n },\n `${limitName} of the upgrades present in this branch`,\n );\n\n if (hasMultipleLimits(upgrades, limitName)) {\n logger.once.debug(\n `Branch has multiple ${limitName} limits. The lowest among these will be selected.`,\n );\n }\n\n let lowestLimit = Number.MAX_SAFE_INTEGER;\n for (const upgrade of upgrades) {\n let limit = upgrade[limitName];\n\n // inherit prConcurrentLimit value incase branchConcurrentLimit is null\n if (!isNumber(limit) && limitName === 'branchConcurrentLimit') {\n limit = upgrade.prConcurrentLimit;\n }\n\n // istanbul ignore if: should never happen as all limits get a default value\n if (isUndefined(limit)) {\n limit = Number.MAX_SAFE_INTEGER;\n }\n\n // no limit\n if (limit === 0 || limit === null) {\n logger.debug(\n `${limitName} of this branch is unlimited, because atleast one of the upgrade has it's ${limitName} set to \"No limit\" ie. 0 or null`,\n );\n return 0;\n }\n\n // limit is set\n lowestLimit = limit < lowestLimit ? 
limit : lowestLimit;\n }\n\n logger.debug(\n `Calculated lowest ${limitName} among the upgrades present in this branch is ${lowestLimit}.`,\n );\n return lowestLimit;\n}\n\nexport function hasMultipleLimits(\n upgrades: BranchUpgradeConfig[],\n limitName: BranchLimitName,\n): boolean {\n if (upgrades.length === 1) {\n return false;\n }\n\n const distinctLimits = new Set<number>();\n for (const upgrade of upgrades) {\n let limitValue = upgrade[limitName];\n\n // inherit prConcurrentLimit value incase branchConcurrentLimit is null\n if (limitName === 'branchConcurrentLimit' && !isNumber(limitValue)) {\n limitValue = upgrade.prConcurrentLimit;\n }\n\n // istanbul ignore if: should not happen as the limits are of type number\n if (limitValue === null) {\n limitValue = 0;\n }\n\n if (!isUndefined(limitValue) && !distinctLimits.has(limitValue)) {\n distinctLimits.add(limitValue);\n }\n }\n\n return distinctLimits.size > 1;\n}\n\nexport function isLimitReached(limit: 'Commits'): boolean;\nexport function isLimitReached(\n limit: 'Branches' | 'ConcurrentPRs',\n config: BranchConfig,\n): boolean;\nexport function isLimitReached(\n limit: 'Commits' | 'Branches' | 'ConcurrentPRs',\n config?: BranchConfig,\n): boolean {\n if (limit === 'Commits') {\n return handleCommitsLimit();\n }\n\n if (config) {\n return handleConcurrentLimits(limit, config);\n }\n\n // istanbul ignore next: should not happen\n throw new Error(\n 'Config is required for computing limits for Branches and PullRequests',\n );\n}\n"]}
1
+
{"version":3,"file":"limits.js","sourceRoot":"","sources":["../../../lib/workers/global/limits.ts"],"names":[],"mappings":";;;AAYA,wCAEC;AAED,kCAIC;AAED,0CAMC;AAsBD,4BAQC;AAED,4BAGC;AAED,sCAGC;AA4BD,8BAkDC;AAED,8CA4BC;AAOD,wCAgBC;AAvMD,yCAAoE;AACpE,yCAAsC;AAStC,MAAM,MAAM,GAAG,IAAI,GAAG,EAAqB,CAAC;AAE5C,SAAgB,cAAc;IAC5B,MAAM,CAAC,KAAK,EAAE,CAAC;AACjB,CAAC;AAED,SAAgB,WAAW,CAAC,GAAU,EAAE,GAAY;IAClD,MAAM,GAAG,GAAG,OAAO,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAC9D,MAAM,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,OAAO,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC;IACrC,eAAM,CAAC,KAAK,CAAC,GAAG,GAAG,YAAY,GAAI,EAAE,CAAC,CAAC;AACzC,CAAC;AAED,SAAgB,eAAe,CAAC,GAAU,EAAE,KAAK,GAAG,CAAC;IACnD,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,GAAG,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC;IAC3D,MAAM,CAAC,GAAG,CAAC,GAAG,EAAE;QACd,GAAG,KAAK;QACR,OAAO,EAAE,KAAK,CAAC,OAAO,GAAG,KAAK;KAC/B,CAAC,CAAC;AACL,CAAC;AAED,SAAS,kBAAkB;IACzB,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACpC,gBAAgB;IAChB,oEAAoE;IACpE,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,GAAG,KAAK,IAAI,EAAE,CAAC;QACjC,OAAO,KAAK,CAAC;IACf,CAAC;IACD,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,KAAK,CAAC;IAC/B,OAAO,GAAG,GAAG,OAAO,IAAI,CAAC,CAAC;AAC5B,CAAC;AASY,QAAA,MAAM,GAAG,IAAI,GAAG,EAAqB,CAAC;AAEnD,SAAgB,QAAQ,CAAC,GAAc;IACrC,MAAM,KAAK,GAAG,cAAM,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAC9B,wCAAwC;IACxC,IAAI,CAAC,IAAA,cAAS,EAAC,KAAK,CAAC,EAAE,CAAC;QACtB,eAAM,CAAC,KAAK,CAAC,kCAAkC,GAAG,mBAAmB,CAAC,CAAC;QACvE,OAAO,CAAC,CAAC;IACX,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAgB,QAAQ,CAAC,GAAc,EAAE,GAAW;IAClD,cAAM,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IACrB,eAAM,CAAC,KAAK,CAAC,GAAG,GAAG,YAAY,GAAG,EAAE,CAAC,CAAC;AACxC,CAAC;AAED,SAAgB,aAAa,CAAC,GAAc,EAAE,KAAK,GAAG,CAAC;IACrD,MAAM,KAAK,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC;IAC5B,cAAM,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,GAAG,KAAK,CAAC,CAAC;AACjC,CAAC;AAED,SAAS,sBAAsB,CAC7B,GAAoC,EACpC,MAAoB;IAEpB,MAAM,QAAQ,GACZ,GAAG,KAAK,UAAU,CAAC,CAAC,CAAC,uBAAuB,CAAC,CAAC,CAAC,mBAAmB,CAAC;IAErE,uCAAuC;IACvC
,MAAM,WAAW,GAAG,SAAS,CAAC,MAAM,CAAC,QAAQ,EAAE,eAAe,CAAC,CAAC;IAChE,MAAM,aAAa,GAAG,QAAQ,CAAC,WAAW,CAAC,CAAC;IAE5C,wFAAwF;IACxF,IAAI,WAAW,IAAI,aAAa,IAAI,WAAW,EAAE,CAAC;QAChD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,UAAU,GAAG,SAAS,CAAC,MAAM,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IACxD,MAAM,YAAY,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC;IAEnC,IAAI,UAAU,IAAI,YAAY,IAAI,UAAU,EAAE,CAAC;QAC7C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAgB,SAAS,CACvB,QAA+B,EAC/B,SAA0B;IAE1B,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;IACpE,eAAM,CAAC,KAAK,CACV;QACE,MAAM,EAAE,KAAK,CAAC,IAAI,CAAC,cAAc,CAAC,MAAM,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;YACtD,OAAO,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE,CAAC,SAAS,CAAC,EAAE,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC;QAC/D,CAAC,CAAC;KACH,EACD,GAAG,SAAS,yCAAyC,CACtD,CAAC;IAEF,IAAI,iBAAiB,CAAC,QAAQ,EAAE,SAAS,CAAC,EAAE,CAAC;QAC3C,eAAM,CAAC,IAAI,CAAC,KAAK,CACf,uBAAuB,SAAS,mDAAmD,CACpF,CAAC;IACJ,CAAC;IAED,IAAI,WAAW,GAAG,MAAM,CAAC,gBAAgB,CAAC;IAC1C,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,IAAI,KAAK,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC;QAE/B,uEAAuE;QACvE,IAAI,CAAC,IAAA,aAAQ,EAAC,KAAK,CAAC,IAAI,SAAS,KAAK,uBAAuB,EAAE,CAAC;YAC9D,KAAK,GAAG,OAAO,CAAC,iBAAiB,CAAC;QACpC,CAAC;QAED,4EAA4E;QAC5E,IAAI,IAAA,gBAAW,EAAC,KAAK,CAAC,EAAE,CAAC;YACvB,KAAK,GAAG,MAAM,CAAC,gBAAgB,CAAC;QAClC,CAAC;QAED,WAAW;QACX,IAAI,KAAK,KAAK,CAAC,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;YAClC,eAAM,CAAC,KAAK,CACV,GAAG,SAAS,8EAA8E,SAAS,kCAAkC,CACtI,CAAC;YACF,OAAO,CAAC,CAAC;QACX,CAAC;QAED,eAAe;QACf,WAAW,GAAG,KAAK,GAAG,WAAW,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,WAAW,CAAC;IAC1D,CAAC;IAED,eAAM,CAAC,KAAK,CACV,qBAAqB,SAAS,iDAAiD,WAAW,GAAG,CAC9F,CAAC;IACF,OAAO,WAAW,CAAC;AACrB,CAAC;AAED,SAAgB,iBAAiB,CAC/B,QAA+B,EAC/B,SAA0B;IAE1B,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1B,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,cAAc,GAAG,IAAI,GAAG,EAAU,CAAC;IACzC,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,IAAI,UAAU,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC;QAEpC,uEAAuE;QACvE,IAAI,SAAS,KAAK,uBAAuB,IAA
I,CAAC,IAAA,aAAQ,EAAC,UAAU,CAAC,EAAE,CAAC;YACnE,UAAU,GAAG,OAAO,CAAC,iBAAiB,CAAC;QACzC,CAAC;QAED,yEAAyE;QACzE,IAAI,UAAU,KAAK,IAAI,EAAE,CAAC;YACxB,UAAU,GAAG,CAAC,CAAC;QACjB,CAAC;QAED,IAAI,CAAC,IAAA,gBAAW,EAAC,UAAU,CAAC,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,CAAC;YAChE,cAAc,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;QACjC,CAAC;IACH,CAAC;IAED,OAAO,cAAc,CAAC,IAAI,GAAG,CAAC,CAAC;AACjC,CAAC;AAOD,SAAgB,cAAc,CAC5B,KAA+C,EAC/C,MAAqB;IAErB,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;QACxB,OAAO,kBAAkB,EAAE,CAAC;IAC9B,CAAC;IAED,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,sBAAsB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IAC/C,CAAC;IAED,0CAA0C;IAC1C,MAAM,IAAI,KAAK,CACb,uEAAuE,CACxE,CAAC;AACJ,CAAC","sourcesContent":["import { isInteger, isNumber, isUndefined } from '@sindresorhus/is';\nimport { logger } from '../../logger';\nimport type { BranchConfig, BranchUpgradeConfig } from '../types';\n\nexport type Limit = 'Commits';\ninterface LimitValue {\n max: number | null;\n current: number;\n}\n\nconst limits = new Map<Limit, LimitValue>();\n\nexport function resetAllLimits(): void {\n limits.clear();\n}\n\nexport function setMaxLimit(key: Limit, val: unknown): void {\n const max = typeof val === 'number' ? Math.max(0, val) : null;\n limits.set(key, { current: 0, max });\n logger.debug(`${key} limit = ${max!}`);\n}\n\nexport function incLimitedValue(key: Limit, incBy = 1): void {\n const limit = limits.get(key) ?? 
{ max: null, current: 0 };\n limits.set(key, {\n ...limit,\n current: limit.current + incBy,\n });\n}\n\nfunction handleCommitsLimit(): boolean {\n const limit = limits.get('Commits');\n // TODO: fix me?\n // eslint-disable-next-line @typescript-eslint/prefer-optional-chain\n if (!limit || limit.max === null) {\n return false;\n }\n const { max, current } = limit;\n return max - current <= 0;\n}\n\nexport type CountName = 'ConcurrentPRs' | 'HourlyPRs' | 'Branches';\n\ntype BranchLimitName =\n | 'branchConcurrentLimit'\n | 'prConcurrentLimit'\n | 'prHourlyLimit';\n\nexport const counts = new Map<CountName, number>();\n\nexport function getCount(key: CountName): number {\n const count = counts.get(key);\n // istanbul ignore if: should not happen\n if (!isInteger(count)) {\n logger.debug(`Could not compute the count of ${key}, returning zero.`);\n return 0;\n }\n return count;\n}\n\nexport function setCount(key: CountName, val: number): void {\n counts.set(key, val);\n logger.debug(`${key} count = ${val}`);\n}\n\nexport function incCountValue(key: CountName, incBy = 1): void {\n const count = getCount(key);\n counts.set(key, count + incBy);\n}\n\nfunction handleConcurrentLimits(\n key: Exclude<CountName, 'HourlyPRs'>,\n config: BranchConfig,\n): boolean {\n const limitKey =\n key === 'Branches' ? 'branchConcurrentLimit' : 'prConcurrentLimit';\n\n // calculate the limits for this branch\n const hourlyLimit = calcLimit(config.upgrades, 'prHourlyLimit');\n const hourlyPrCount = getCount('HourlyPRs');\n\n // if a limit is defined ( >0 ) and limit reached return true ie. 
limit has been reached\n if (hourlyLimit && hourlyPrCount >= hourlyLimit) {\n return true;\n }\n\n const limitValue = calcLimit(config.upgrades, limitKey);\n const currentCount = getCount(key);\n\n if (limitValue && currentCount >= limitValue) {\n return true;\n }\n\n return false;\n}\n\nexport function calcLimit(\n upgrades: BranchUpgradeConfig[],\n limitName: BranchLimitName,\n): number {\n const uniqueUpgrades = new Map(upgrades.map((u) => [u.depName, u]));\n logger.debug(\n {\n limits: Array.from(uniqueUpgrades.values()).map((upg) => {\n return { depName: upg.depName, [limitName]: upg[limitName] };\n }),\n },\n `${limitName} of the upgrades present in this branch`,\n );\n\n if (hasMultipleLimits(upgrades, limitName)) {\n logger.once.debug(\n `Branch has multiple ${limitName} limits. The lowest among these will be selected.`,\n );\n }\n\n let lowestLimit = Number.MAX_SAFE_INTEGER;\n for (const upgrade of upgrades) {\n let limit = upgrade[limitName];\n\n // inherit prConcurrentLimit value incase branchConcurrentLimit is null\n if (!isNumber(limit) && limitName === 'branchConcurrentLimit') {\n limit = upgrade.prConcurrentLimit;\n }\n\n // istanbul ignore if: should never happen as all limits get a default value\n if (isUndefined(limit)) {\n limit = Number.MAX_SAFE_INTEGER;\n }\n\n // no limit\n if (limit === 0 || limit === null) {\n logger.debug(\n `${limitName} of this branch is unlimited, because at least one of the upgrade has it's ${limitName} set to \"No limit\" ie. 0 or null`,\n );\n return 0;\n }\n\n // limit is set\n lowestLimit = limit < lowestLimit ? 
limit : lowestLimit;\n }\n\n logger.debug(\n `Calculated lowest ${limitName} among the upgrades present in this branch is ${lowestLimit}.`,\n );\n return lowestLimit;\n}\n\nexport function hasMultipleLimits(\n upgrades: BranchUpgradeConfig[],\n limitName: BranchLimitName,\n): boolean {\n if (upgrades.length === 1) {\n return false;\n }\n\n const distinctLimits = new Set<number>();\n for (const upgrade of upgrades) {\n let limitValue = upgrade[limitName];\n\n // inherit prConcurrentLimit value incase branchConcurrentLimit is null\n if (limitName === 'branchConcurrentLimit' && !isNumber(limitValue)) {\n limitValue = upgrade.prConcurrentLimit;\n }\n\n // istanbul ignore if: should not happen as the limits are of type number\n if (limitValue === null) {\n limitValue = 0;\n }\n\n if (!isUndefined(limitValue) && !distinctLimits.has(limitValue)) {\n distinctLimits.add(limitValue);\n }\n }\n\n return distinctLimits.size > 1;\n}\n\nexport function isLimitReached(limit: 'Commits'): boolean;\nexport function isLimitReached(\n limit: 'Branches' | 'ConcurrentPRs',\n config: BranchConfig,\n): boolean;\nexport function isLimitReached(\n limit: 'Commits' | 'Branches' | 'ConcurrentPRs',\n config?: BranchConfig,\n): boolean {\n if (limit === 'Commits') {\n return handleCommitsLimit();\n }\n\n if (config) {\n return handleConcurrentLimits(limit, config);\n }\n\n // istanbul ignore next: should not happen\n throw new Error(\n 'Config is required for computing limits for Branches and PullRequests',\n );\n}\n"]}
@@ -1 +1 @@
1
-
{"version":3,"file":"vulnerabilities.js","sourceRoot":"","sources":["../../../../lib/workers/repository/process/vulnerabilities.ts"],"names":[],"mappings":";;;;AAEA,0DAAsD;AACtD,yCAK0B;AAE1B,2DAAgD;AAChD,6BAAwB;AACxB,4CAAqE;AAErE,4CAAyC;AACzC,+DAA0E;AAM1E,4DAAmE;AACnE,qDAA0D;AAC1D,kEAA4C;AAC5C,+CAA4C;AAC5C,iDAAiD;AAOjD,MAAa,eAAe;IAClB,UAAU,CAAyB;IAEnC,MAAM,CAAU,sBAAsB,GAG1C;QACF,KAAK,EAAE,WAAW;QAClB,EAAE,EAAE,IAAI;QACR,OAAO,EAAE,SAAS;QAClB,GAAG,EAAE,KAAK;QACV,KAAK,EAAE,OAAO;QACd,GAAG,EAAE,KAAK;QACV,KAAK,EAAE,OAAO;QACd,SAAS,EAAE,WAAW;QACtB,IAAI,EAAE,MAAM;QACZ,QAAQ,EAAE,UAAU;KACrB,CAAC;IAEF;QACE,sBAAsB;IACxB,CAAC;IAEO,KAAK,CAAC,UAAU;QACtB,IAAI,CAAC,UAAU,GAAG,MAAM,wBAAU,CAAC,MAAM,EAAE,CAAC;IAC9C,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,MAAM;QACjB,MAAM,QAAQ,GAAG,IAAI,eAAe,EAAE,CAAC;QACvC,MAAM,QAAQ,CAAC,UAAU,EAAE,CAAC;QAC5B,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,KAAK,CAAC,+BAA+B,CACnC,MAAsB,EACtB,YAA2C;QAE3C,MAAM,yBAAyB,GAAG,MAAM,IAAI,CAAC,8BAA8B,CACzE,MAAM,EACN,YAAY,CACb,CAAC;QAEF,MAAM,CAAC,YAAY,KAAK,EAAE,CAAC;QAC3B,KAAK,MAAM,EACT,eAAe,EACf,aAAa,GACd,IAAI,yBAAyB,EAAE,CAAC;YAC/B,MAAM,iBAAiB,GAAkB,EAAE,CAAC;YAC5C,KAAK,MAAM,aAAa,IAAI,eAAe,EAAE,CAAC;gBAC5C,MAAM,IAAI,GAAG,IAAI,CAAC,2BAA2B,CAAC,aAAa,CAAC,CAAC;gBAC7D,IAAI,IAAA,sBAAiB,EAAC,IAAI,CAAC,EAAE,CAAC;oBAC5B,SAAS;gBACX,CAAC;gBACD,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC/B,CAAC;YACD,IAAI,CAAC,kBAAkB,CAAC,iBAAiB,EAAE,aAAa,CAAC,CAAC;YAE1D,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,CAAC;QACjD,CAAC;IACH,CAAC;IAED,KAAK,CAAC,oBAAoB,CACxB,MAAsB,EACtB,YAA2C;QAE3C,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,8BAA8B,CACtD,MAAM,EACN,YAAY,CACb,CAAC;QACF,OAAO,MAAM,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC;IAC1D,CAAC;IAEO,KAAK,CAAC,8BAA8B,CAC1C,MAAsB,EACtB,YAA2C;QAE3C,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAC3C,MAAM,cAAc,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE,CAC9C,IAAI,CAAC,2BAA2B,CAAC,MAAM,EAAE,YAAY,EAAE,OAAO,CAAC,CAChE,CAAC;QACF,OAAO,CAAC,MAAM,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IACpD,CAAC;IAEO,KAAK,CA
AC,2BAA2B,CACvC,MAAsB,EACtB,YAA2C,EAC3C,OAAe;QAEf,MAAM,aAAa,GAAG,IAAA,yBAAgB,EAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QACxD,MAAM,KAAK,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC,GAAG,CACrC,CAAC,KAAK,EAAE,EAAE,CAAC,GAAyC,EAAE,CACpD,IAAI,CAAC,sCAAsC,CAAC,aAAa,EAAE,KAAK,CAAC,CACpE,CAAC;QACF,eAAM,CAAC,KAAK,CACV,EAAE,OAAO,EAAE,WAAW,EAAE,KAAK,CAAC,MAAM,EAAE,EACtC,sCAAsC,CACvC,CAAC;QACF,MAAM,MAAM,GAAG,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAC3C,eAAM,CAAC,KAAK,CAAC,EAAE,OAAO,EAAE,EAAE,sCAAsC,CAAC,CAAC;QAClE,OAAO,MAAM,CAAC;IAChB,CAAC;IAEO,KAAK,CAAC,sCAAsC,CAClD,aAA6B,EAC7B,KAAkB;QAElB,MAAM,EAAE,WAAW,EAAE,GAAG,KAAK,CAAC;QAC9B,MAAM,iBAAiB,GAAG,IAAA,yBAAgB,EAAC,aAAa,EAAE,KAAK,CAAC,CAAC;QACjE,MAAM,EAAE,OAAO,EAAE,GAAG,iBAAiB,CAAC;QACtC,MAAM,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,GAAG,CAC1B,CAAC,GAAG,EAAE,EAAE,CAAC,GAA8C,EAAE,CACvD,IAAI,CAAC,4BAA4B,CAAC,iBAAiB,EAAE,GAAG,CAAC,CAC5D,CAAC;QACF,eAAM,CAAC,KAAK,CACV,EAAE,OAAO,EAAE,WAAW,EAAE,WAAW,EAAE,KAAK,CAAC,MAAM,EAAE,EACnD,kEAAkE,CACnE,CAAC;QAEF,MAAM,MAAM,GAAG,MAAM,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QAClC,eAAM,CAAC,KAAK,CACV,EAAE,WAAW,EAAE,EACf,iDAAiD,CAClD,CAAC;QAEF,OAAO,MAAM,CAAC,MAAM,CAAC,aAAQ,CAAC,CAAC;IACjC,CAAC;IAEO,KAAK,CAAC,4BAA4B,CACxC,iBAA+C,EAC/C,GAAsB;QAEtB,MAAM,SAAS,GAAG,eAAe,CAAC,sBAAsB,CAAC,GAAG,CAAC,UAAW,CAAC,CAAC;QAC1E,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,eAAM,CAAC,KAAK,CAAC,yBAAyB,GAAG,CAAC,UAAW,mBAAmB,CAAC,CAAC;YAC1E,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,WAAW,GAAG,GAAG,CAAC,WAAW,IAAI,GAAG,CAAC,OAAQ,CAAC;QAClD,IAAI,SAAS,KAAK,MAAM,EAAE,CAAC;YACzB,qDAAqD;YACrD,WAAW,GAAG,WAAW,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,IAAA,aAAK,EAAC,SAAS,CAAC,EAAE,GAAG,CAAC,CAAC;QACzE,CAAC;QAED,IAAI,CAAC;YACH,MAAM,kBAAkB,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,kBAAkB,CAClE,SAAS,EACT,WAAW,CACZ,CAAC;YACF,IACE,IAAA,sBAAiB,EAAC,kBAAkB,CAAC;gBACrC,IAAA,iBAAY,EAAC,kBAAkB,CAAC,EAChC,CAAC;gBACD,eAAM,CAAC,KAAK,CACV,gDAAgD,WAAW,EAAE,CAC9D,CAAC;gBACF,OAAO,IAAI,CAAC;YACd,CAAC;YAED,MAAM,UAAU,GACd,GAAG,CAAC,aAAa,IAAI,GAAG,CAAC,cAAc,IAAI,GAAG,CAAC,YAAa,CAAC;YAE/D,MAAM,UAAU,GAAG,GAAG,CAAC,U
AAU,IAAI,IAAA,6BAAoB,EAAC,GAAG,CAAC,UAAU,CAAC,CAAC;YAC1E,MAAM,aAAa,GAAG,IAAA,gBAAa,EAAC,UAAU,CAAC,CAAC;YAEhD,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,UAAU,CAAC,EAAE,CAAC;gBACzC,eAAM,CAAC,KAAK,CACV,6CAA6C,WAAW,+BAA+B,UAAU,EAAE,CACpG,CAAC;gBACF,OAAO,IAAI,CAAC;YACd,CAAC;YAED,MAAM,eAAe,GAAoB,EAAE,CAAC;YAC5C,KAAK,MAAM,gBAAgB,IAAI,kBAAkB,EAAE,CAAC;gBAClD,IAAI,gBAAgB,CAAC,SAAS,EAAE,CAAC;oBAC/B,eAAM,CAAC,KAAK,CACV,oCAAoC,gBAAgB,CAAC,EAAE,EAAE,CAC1D,CAAC;oBACF,SAAS;gBACX,CAAC;gBAED,KAAK,MAAM,QAAQ,IAAI,gBAAgB,CAAC,QAAQ,IAAI,EAAE,EAAE,CAAC;oBACvD,MAAM,YAAY,GAAG,IAAI,CAAC,mBAAmB,CAC3C,SAAS,EACT,WAAW,EACX,UAAU,EACV,QAAQ,EACR,aAAa,CACd,CAAC;oBACF,IAAI,CAAC,YAAY,EAAE,CAAC;wBAClB,SAAS;oBACX,CAAC;oBAED,eAAM,CAAC,KAAK,CACV,iBAAiB,gBAAgB,CAAC,EAAE,YAAY,WAAW,IAAI,UAAU,EAAE,CAC5E,CAAC;oBACF,MAAM,YAAY,GAAG,IAAI,CAAC,eAAe,CACvC,SAAS,EACT,UAAU,EACV,QAAQ,EACR,aAAa,CACd,CAAC;oBAEF,eAAe,CAAC,IAAI,CAAC;wBACnB,WAAW;wBACX,aAAa,EAAE,gBAAgB;wBAC/B,QAAQ;wBACR,UAAU;wBACV,YAAY;wBACZ,UAAU,EAAE,GAAG,CAAC,UAAW;wBAC3B,iBAAiB;qBAClB,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAED,OAAO,EAAE,eAAe,EAAE,aAAa,EAAE,CAAC;QAC5C,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,eAAM,CAAC,IAAI,CACT,EAAE,GAAG,EAAE,WAAW,EAAE,EACpB,sDAAsD,CACvD,CAAC;YACF,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAEO,kBAAkB,CACxB,YAA2B,EAC3B,aAA4B;QAE5B,MAAM,eAAe,GAA2B,EAAE,CAAC;QACnD,KAAK,MAAM,IAAI,IAAI,YAAY,EAAE,CAAC;YAChC,MAAM,OAAO,GAAG,IAAI,CAAC,eAAyB,CAAC;YAC/C,eAAe,CAAC,OAAO,CAAC,GAAG,OAAO,CAAC,OAAO,CAAC,IAAA,aAAK,EAAC,YAAY,CAAC,EAAE,EAAE,CAAC,CAAC;QACtE,CAAC;QACD,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CACzB,aAAa,CAAC,YAAY,CACxB,eAAe,CAAC,CAAC,CAAC,eAAyB,CAAC,EAC5C,eAAe,CAAC,CAAC,CAAC,eAAyB,CAAC,CAC7C,CACF,CAAC;IACJ,CAAC;IAED,iEAAiE;IACzD,UAAU,CAChB,MAAmB,EACnB,aAA4B;QAE5B,MAAM,UAAU,GAAgB,EAAE,CAAC;QACnC,IAAI,SAAS,GAAqB,IAAI,CAAC;QAEvC,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;YAC3B,IAAI,KAAK,CAAC,UAAU,KAAK,GAAG,EAAE,CAAC;gBAC7B,SAAS,GAAG,KAAK,CAAC;YACpB,CAAC;iBAAM,IAAI,aAAa,CAAC,SAAS,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC5D,UAAU,CAAC,IAA
I,CAAC,KAAK,CAAC,CAAC;YACzB,CAAC;iBAAM,CAAC;gBACN,eAAM,CAAC,KAAK,CAAC,EAAE,KAAK,EAAE,EAAE,yCAAyC,CAAC,CAAC;YACrE,CAAC;QACH,CAAC;QAED,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QACvB,+DAA+D;QAC/D,aAAa,CAAC,YAAY,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CACrE,CAAC;QAEF,IAAI,SAAS,EAAE,CAAC;YACd,UAAU,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QAChC,CAAC;QAED,OAAO,UAAU,CAAC;IACpB,CAAC;IAEO,iBAAiB,CACvB,SAAoB,EACpB,WAAmB,EACnB,QAAsB;QAEtB,OAAO,CACL,QAAQ,CAAC,OAAO,EAAE,IAAI,KAAK,WAAW;YACtC,QAAQ,CAAC,OAAO,EAAE,SAAS,KAAK,SAAS,CAC1C,CAAC;IACJ,CAAC;IAEO,kBAAkB,CACxB,UAAkB,EAClB,QAAsB;QAEtB,OAAO,CAAC,CAAC,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAC,UAAU,CAAC,CAAC;IACnD,CAAC;IAEO,gBAAgB,CACtB,UAAkB,EAClB,QAAsB,EACtB,aAA4B;QAE5B,KAAK,MAAM,KAAK,IAAI,QAAQ,CAAC,MAAM,IAAI,EAAE,EAAE,CAAC;YAC1C,IAAI,KAAK,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;gBACzB,SAAS;YACX,CAAC;YAED,IAAI,UAAU,GAAG,KAAK,CAAC;YACvB,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,MAAM,EAAE,aAAa,CAAC,EAAE,CAAC;gBACjE,IACE,IAAA,qBAAgB,EAAC,KAAK,CAAC,UAAU,CAAC;oBAClC,CAAC,KAAK,CAAC,UAAU,KAAK,GAAG;wBACvB,IAAI,CAAC,eAAe,CAAC,UAAU,EAAE,KAAK,CAAC,UAAU,EAAE,aAAa,CAAC,CAAC,EACpE,CAAC;oBACD,UAAU,GAAG,IAAI,CAAC;gBACpB,CAAC;qBAAM,IACL,IAAA,qBAAgB,EAAC,KAAK,CAAC,KAAK,CAAC;oBAC7B,IAAI,CAAC,eAAe,CAAC,UAAU,EAAE,KAAK,CAAC,KAAK,EAAE,aAAa,CAAC,EAC5D,CAAC;oBACD,UAAU,GAAG,KAAK,CAAC;gBACrB,CAAC;qBAAM,IACL,IAAA,qBAAgB,EAAC,KAAK,CAAC,aAAa,CAAC;oBACrC,IAAI,CAAC,WAAW,CAAC,UAAU,EAAE,KAAK,CAAC,aAAa,EAAE,aAAa,CAAC,EAChE,CAAC;oBACD,UAAU,GAAG,KAAK,CAAC;gBACrB,CAAC;YACH,CAAC;YAED,IAAI,UAAU,EAAE,CAAC;gBACf,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;IAED,gDAAgD;IACxC,mBAAmB,CACzB,SAAoB,EACpB,WAAmB,EACnB,UAAkB,EAClB,QAAsB,EACtB,aAA4B;QAE5B,OAAO,CACL,IAAI,CAAC,iBAAiB,CAAC,SAAS,EAAE,WAAW,EAAE,QAAQ,CAAC;YACxD,CAAC,IAAI,CAAC,kBAAkB,CAAC,UAAU,EAAE,QAAQ,CAAC;gBAC5C,IAAI,CAAC,gBAAgB,CAAC,UAAU,EAAE,QAAQ,EAAE,aAAa,CAAC,CAAC,CAC9D,CAAC;IACJ,CAAC;IAEO,eAAe,CACrB,SAAoB,EACpB,UAAkB,EAClB,QAAsB,EACtB,aAA4B;QAE
5B,MAAM,aAAa,GAAa,EAAE,CAAC;QACnC,MAAM,oBAAoB,GAAa,EAAE,CAAC;QAE1C,KAAK,MAAM,KAAK,IAAI,QAAQ,CAAC,MAAM,IAAI,EAAE,EAAE,CAAC;YAC1C,IAAI,KAAK,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;gBACzB,SAAS;YACX,CAAC;YAED,KAAK,MAAM,KAAK,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;gBACjC,IACE,IAAA,qBAAgB,EAAC,KAAK,CAAC,KAAK,CAAC;oBAC7B,aAAa,CAAC,SAAS,CAAC,KAAK,CAAC,KAAK,CAAC,EACpC,CAAC;oBACD,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;gBAClC,CAAC;qBAAM,IACL,IAAA,qBAAgB,EAAC,KAAK,CAAC,aAAa,CAAC;oBACrC,aAAa,CAAC,SAAS,CAAC,KAAK,CAAC,aAAa,CAAC,EAC5C,CAAC;oBACD,oBAAoB,CAAC,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC;gBACjD,CAAC;YACH,CAAC;QACH,CAAC;QAED,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,aAAa,CAAC,YAAY,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QAC/D,MAAM,YAAY,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAClD,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,UAAU,EAAE,aAAa,CAAC,CACrD,CAAC;QACF,IAAI,YAAY,EAAE,CAAC;YACjB,OAAO,IAAI,CAAC,0BAA0B,CAAC,YAAY,EAAE,SAAS,CAAC,CAAC;QAClE,CAAC;QAED,oBAAoB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,aAAa,CAAC,YAAY,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QACtE,MAAM,YAAY,GAAG,oBAAoB,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CACzD,IAAI,CAAC,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,aAAa,CAAC,CACzD,CAAC;QACF,IAAI,YAAY,EAAE,CAAC;YACjB,OAAO,IAAI,CAAC,0BAA0B,CAAC,YAAY,EAAE,SAAS,CAAC,CAAC;QAClE,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAEO,0BAA0B,CAChC,YAAoB,EACpB,SAAoB;QAEpB,IAAI,SAAS,KAAK,OAAO,IAAI,SAAS,KAAK,OAAO,EAAE,CAAC;YACnD,OAAO,IAAI,YAAY,IAAI,CAAC;QAC9B,CAAC;QAED,0CAA0C;QAC1C,OAAO,MAAM,YAAY,EAAE,CAAC;IAC9B,CAAC;IAEO,0BAA0B,CAChC,YAAoB,EACpB,SAAoB;QAEpB,IAAI,SAAS,KAAK,OAAO,EAAE,CAAC;YAC1B,OAAO,IAAI,YAAY,IAAI,CAAC;QAC9B,CAAC;QAED,0CAA0C;QAC1C,OAAO,KAAK,YAAY,EAAE,CAAC;IAC7B,CAAC;IAEO,WAAW,CACjB,OAAe,EACf,KAAa,EACb,aAA4B;QAE5B,OAAO,CACL,aAAa,CAAC,SAAS,CAAC,OAAO,CAAC;YAChC,aAAa,CAAC,SAAS,CAAC,KAAK,CAAC;YAC9B,aAAa,CAAC,aAAa,CAAC,OAAO,EAAE,KAAK,CAAC,CAC5C,CAAC;IACJ,CAAC;IAEO,eAAe,CACrB,OAAe,EACf,KAAa,EACb,aAA4B;QAE5B,OAAO,CACL,aAAa,CAAC,SAAS,CAAC,OAAO,CAAC;YAChC,aAAa,CAAC,SAAS,CAAC,KAAK,CAAC;YAC9B,CAAC,aAAa,CAAC,MAAM,CAAC
,OAAO,EAAE,KAAK,CAAC;gBACnC,aAAa,CAAC,aAAa,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC,CAC/C,CAAC;IACJ,CAAC;IAEO,2BAA2B,CAAC,GAAkB;QACpD,MAAM,EACJ,aAAa,EACb,QAAQ,EACR,WAAW,EACX,UAAU,EACV,YAAY,EACZ,UAAU,EACV,iBAAiB,GAClB,GAAG,GAAG,CAAC;QACR,IAAI,IAAA,sBAAiB,EAAC,YAAY,CAAC,EAAE,CAAC;YACpC,eAAM,CAAC,KAAK,CACV,gDAAgD,aAAa,CAAC,EAAE,OAAO,WAAW,IAAI,UAAU,EAAE,CACnG,CAAC;YACF,OAAO,IAAI,CAAC;QACd,CAAC;QAED,eAAM,CAAC,KAAK,CACV,2BAA2B,YAAY,yBAAyB,aAAa,CAAC,EAAE,OAAO,WAAW,IAAI,UAAU,EAAE,CACnH,CAAC;QAEF,MAAM,eAAe,GAAG,IAAI,CAAC,sBAAsB,CACjD,aAAa,EACb,QAAQ,CACT,CAAC;QAEF,OAAO;YACL,gBAAgB,EAAE,CAAC,UAAU,CAAC;YAC9B,iBAAiB,EAAE,CAAC,WAAW,CAAC;YAChC,mBAAmB,EAAE,UAAU;YAC/B,eAAe,EAAE,YAAY;YAC7B,oBAAoB,EAAE,IAAI;YAC1B,qBAAqB,EAAE,eAAe,CAAC,aAAa;YACpD,WAAW,EAAE,IAAI,CAAC,mBAAmB,CAAC,aAAa,EAAE,QAAQ,CAAC;YAC9D,KAAK,EAAE;gBACL,GAAG,iBAAiB,CAAC,mBAAmB;aACzC;SACF,CAAC;IACJ,CAAC;IAED,MAAM,CAAC,kBAAkB,CAAC,MAAc;QACtC,MAAM,cAAc,GAAG,OAAC,CAAC,MAAM,CAAC;YAC9B,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC;YAClC,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,SAAS,CAAC;SAC1D,CAAC,CAAC;QAEH,IAAI,CAAC;YACH,MAAM,eAAe,GAA2B,IAAA,+BAAU,EAAC,MAAM,CAAC,CAAC;YACnE,MAAM,GAAG,GAAG,cAAc,CAAC,KAAK,CAAC,eAAe,EAAE,gBAAgB,EAAE,CAAC,CAAC;YAEtE,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC,YAAY,CAAC,CAAC;QACtD,CAAC;QAAC,MAAM,CAAC;YACP,eAAM,CAAC,KAAK,CAAC,gCAAgC,MAAM,EAAE,CAAC,CAAC;QACzD,CAAC;QAED,OAAO,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;IAClB,CAAC;IAEO,mBAAmB,CACzB,aAAgC,EAChC,QAAsB;QAEtB,IAAI,OAAO,GAAG,CAAC,aAAa,CAAC,EAAE,CAAC,CAAC,MAAM,CAAC,aAAa,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;QAC5E,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE;YAC3B,IAAI,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;gBAC1B,OAAO,IAAI,EAAE,sCAAsC,EAAE,GAAG,CAAC;YAC3D,CAAC;iBAAM,IAAI,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;gBAClC,OAAO,IAAI,EAAE,mCAAmC,EAAE,GAAG,CAAC;YACxD,CAAC;iBAAM,IAAI,EAAE,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;gBAChC,OAAO,IAAI,EAAE,6BAA6B,EAAE,GAAG,CAAC;YAClD,CAAC;iBAAM,IAAI,EAAE,CAAC,UAAU,CAAC,UAAU,C
AAC,EAAE,CAAC;gBACrC,OAAO,IAAI,EAAE,oCAAoC,EAAE,QAAQ,CAAC;YAC9D,CAAC;YAED,OAAO,EAAE,CAAC;QACZ,CAAC,CAAC,CAAC;QAEH,IAAI,OAAO,GAAG,iBAAiB,CAAC;QAChC,OAAO,IAAI,aAAa,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,aAAa,CAAC,OAAO,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;QACrE,OAAO,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC;QACtC,OAAO,IAAI,oDAAoD,CAAC;QAEhE,MAAM,OAAO,GAAG,aAAa,CAAC,OAAO,EAAE,OAAO,CAC5C,IAAA,aAAK,EAAC,YAAY,CAAC,EACnB,QAAQ,CACT,CAAC;QACF,OAAO,IAAI,iBAAiB,OAAO,IAAI,aAAa,IAAI,CAAC;QAEzD,OAAO,IAAI,iBAAiB,CAAC;QAC7B,MAAM,eAAe,GAAG,IAAI,CAAC,sBAAsB,CACjD,aAAa,EACb,QAAQ,CACT,CAAC;QAEF,IAAI,eAAe,CAAC,UAAU,EAAE,CAAC;YAC/B,OAAO,IAAI,iBAAiB,eAAe,CAAC,KAAK,IAAI,CAAC;YACtD,OAAO,IAAI,sBAAsB,eAAe,CAAC,UAAU,MAAM,CAAC;QACpE,CAAC;aAAM,CAAC;YACN,OAAO,IAAI,GAAG,IAAA,kBAAS,EAAC,eAAe,CAAC,aAAa,CAAC,IAAI,CAAC;QAC7D,CAAC;QAED,OAAO,IAAI,sBACT,aAAa,CAAC,UAAU;YACtB,EAAE,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;YACZ,OAAO,MAAM,GAAG,CAAC,GAAG,KAAK,GAAG,CAAC,GAAG,GAAG,CAAC;QACtC,CAAC,CAAC;aACD,IAAI,CAAC,IAAI,CAAC,IAAI,gBACnB,EAAE,CAAC;QAEH,IAAI,WAAW,GAAG,EAAE,CAAC;QACrB,IAAI,aAAa,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;YACzC,WAAW,GAAG,kKAAkK,CAAC;QACnL,CAAC;aAAM,IAAI,aAAa,CAAC,EAAE,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;YAC9C,WAAW,GAAG,gIAAgI,CAAC;QACjJ,CAAC;aAAM,IAAI,aAAa,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YACjD,WAAW,GAAG,yJAAyJ,CAAC;QAC1K,CAAC;aAAM,IAAI,aAAa,CAAC,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YACnD,WAAW,GAAG,qJAAqJ,CAAC;QACtK,CAAC;QACD,OAAO,IAAI,oEAAoE,aAAa,CAAC,EAAE,IAAI,WAAW,KAAK,CAAC;QACpH,OAAO,IAAI,YAAY,CAAC;QAExB,OAAO,CAAC,IAAA,2BAAgB,EAAC,OAAO,CAAC,CAAC,CAAC;IACrC,CAAC;IAEO,sBAAsB,CAC5B,aAAgC,EAChC,QAAsB;QAEtB,IAAI,aAAa,GAAG,SAAS,CAAC;QAC9B,IAAI,KAAK,GAAG,SAAS,CAAC;QAEtB,MAAM,UAAU,GACd,aAAa,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,SAAS,CAAC,EAAE,KAAK;YAChE,aAAa,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,SAAS,CAAC,EAAE,KAAK;YAC/D,QAAQ,CAAC,iBAAiB,EAAE,IAAe,CAAC,CAAC,UAAU;QAE1D,IAAI,UAAU,EAAE,CAAC;YACf,MAAM,CAAC,SAAS,EAAE,QAAQ,CAAC,GACzB
,eAAe,CAAC,kBAAkB,CAAC,UAAU,CAAC,CAAC;YACjD,aAAa,GAAG,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;YAC9D,KAAK,GAAG,SAAS;gBACf,CAAC,CAAC,GAAG,SAAS,UAAU,IAAA,kBAAS,EAAC,aAAa,CAAC,GAAG;gBACnD,CAAC,CAAC,SAAS,CAAC;QAChB,CAAC;aAAM,IACL,aAAa,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC;YACpC,aAAa,CAAC,iBAAiB,EAAE,QAAQ,EACzC,CAAC;YACD,MAAM,QAAQ,GAAG,aAAa,CAAC,iBAAiB,CAAC,QAAkB,CAAC;YACpE,aAAa,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC;QACzC,CAAC;QAED,OAAO;YACL,UAAU;YACV,KAAK;YACL,aAAa;SACd,CAAC;IACJ,CAAC;;AArlBH,0CAslBC","sourcesContent":["// TODO #22198\nimport type { Ecosystem, Osv } from '@renovatebot/osv-offline';\nimport { OsvOffline } from '@renovatebot/osv-offline';\nimport {\n isEmptyArray,\n isNonEmptyString,\n isNullOrUndefined,\n isTruthy,\n} from '@sindresorhus/is';\nimport type { CvssVector } from 'ae-cvss-calculator';\nimport { fromVector } from 'ae-cvss-calculator';\nimport { z } from 'zod';\nimport { getManagerConfig, mergeChildConfig } from '../../../config';\nimport type { PackageRule, RenovateConfig } from '../../../config/types';\nimport { logger } from '../../../logger';\nimport { getDefaultVersioning } from '../../../modules/datasource/common';\nimport type {\n PackageDependency,\n PackageFile,\n} from '../../../modules/manager/types';\nimport type { VersioningApi } from '../../../modules/versioning';\nimport { get as getVersioning } from '../../../modules/versioning';\nimport { sanitizeMarkdown } from '../../../util/markdown';\nimport * as p from '../../../util/promises';\nimport { regEx } from '../../../util/regex';\nimport { titleCase } from '../../../util/string';\nimport type {\n DependencyVulnerabilities,\n SeverityDetails,\n Vulnerability,\n} from './types';\n\nexport class Vulnerabilities {\n private osvOffline: OsvOffline | undefined;\n\n private static readonly datasourceEcosystemMap: Record<\n string,\n Ecosystem | undefined\n > = {\n crate: 'crates.io',\n go: 'Go',\n hackage: 'Hackage',\n hex: 'Hex',\n maven: 'Maven',\n npm: 'npm',\n nuget: 
'NuGet',\n packagist: 'Packagist',\n pypi: 'PyPI',\n rubygems: 'RubyGems',\n };\n\n private constructor() {\n // private constructor\n }\n\n private async initialize(): Promise<void> {\n this.osvOffline = await OsvOffline.create();\n }\n\n static async create(): Promise<Vulnerabilities> {\n const instance = new Vulnerabilities();\n await instance.initialize();\n return instance;\n }\n\n async appendVulnerabilityPackageRules(\n config: RenovateConfig,\n packageFiles: Record<string, PackageFile[]>,\n ): Promise<void> {\n const dependencyVulnerabilities = await this.fetchDependencyVulnerabilities(\n config,\n packageFiles,\n );\n\n config.packageRules ??= [];\n for (const {\n vulnerabilities,\n versioningApi,\n } of dependencyVulnerabilities) {\n const groupPackageRules: PackageRule[] = [];\n for (const vulnerability of vulnerabilities) {\n const rule = this.vulnerabilityToPackageRules(vulnerability);\n if (isNullOrUndefined(rule)) {\n continue;\n }\n groupPackageRules.push(rule);\n }\n this.sortByFixedVersion(groupPackageRules, versioningApi);\n\n config.packageRules.push(...groupPackageRules);\n }\n }\n\n async fetchVulnerabilities(\n config: RenovateConfig,\n packageFiles: Record<string, PackageFile[]>,\n ): Promise<Vulnerability[]> {\n const groups = await this.fetchDependencyVulnerabilities(\n config,\n packageFiles,\n );\n return groups.flatMap((group) => group.vulnerabilities);\n }\n\n private async fetchDependencyVulnerabilities(\n config: RenovateConfig,\n packageFiles: Record<string, PackageFile[]>,\n ): Promise<DependencyVulnerabilities[]> {\n const managers = Object.keys(packageFiles);\n const allManagerJobs = managers.map((manager) =>\n this.fetchManagerVulnerabilities(config, packageFiles, manager),\n );\n return (await Promise.all(allManagerJobs)).flat();\n }\n\n private async fetchManagerVulnerabilities(\n config: RenovateConfig,\n packageFiles: Record<string, PackageFile[]>,\n manager: string,\n ): Promise<DependencyVulnerabilities[]> {\n const 
managerConfig = getManagerConfig(config, manager);\n const queue = packageFiles[manager].map(\n (pFile) => (): Promise<DependencyVulnerabilities[]> =>\n this.fetchManagerPackageFileVulnerabilities(managerConfig, pFile),\n );\n logger.trace(\n { manager, queueLength: queue.length },\n 'fetchManagerVulnerabilities starting',\n );\n const result = (await p.all(queue)).flat();\n logger.trace({ manager }, 'fetchManagerVulnerabilities finished');\n return result;\n }\n\n private async fetchManagerPackageFileVulnerabilities(\n managerConfig: RenovateConfig,\n pFile: PackageFile,\n ): Promise<DependencyVulnerabilities[]> {\n const { packageFile } = pFile;\n const packageFileConfig = mergeChildConfig(managerConfig, pFile);\n const { manager } = packageFileConfig;\n const queue = pFile.deps.map(\n (dep) => (): Promise<DependencyVulnerabilities | null> =>\n this.fetchDependencyVulnerability(packageFileConfig, dep),\n );\n logger.trace(\n { manager, packageFile, queueLength: queue.length },\n 'fetchManagerPackageFileVulnerabilities starting with concurrency',\n );\n\n const result = await p.all(queue);\n logger.trace(\n { packageFile },\n 'fetchManagerPackageFileVulnerabilities finished',\n );\n\n return result.filter(isTruthy);\n }\n\n private async fetchDependencyVulnerability(\n packageFileConfig: RenovateConfig & PackageFile,\n dep: PackageDependency,\n ): Promise<DependencyVulnerabilities | null> {\n const ecosystem = Vulnerabilities.datasourceEcosystemMap[dep.datasource!];\n if (!ecosystem) {\n logger.trace(`Cannot map datasource ${dep.datasource!} to OSV ecosystem`);\n return null;\n }\n\n let packageName = dep.packageName ?? 
dep.depName!;\n if (ecosystem === 'PyPI') {\n // https://peps.python.org/pep-0503/#normalized-names\n packageName = packageName.toLowerCase().replace(regEx(/[_.-]+/g), '-');\n }\n\n try {\n const osvVulnerabilities = await this.osvOffline?.getVulnerabilities(\n ecosystem,\n packageName,\n );\n if (\n isNullOrUndefined(osvVulnerabilities) ||\n isEmptyArray(osvVulnerabilities)\n ) {\n logger.trace(\n `No vulnerabilities found in OSV database for ${packageName}`,\n );\n return null;\n }\n\n const depVersion =\n dep.lockedVersion ?? dep.currentVersion ?? dep.currentValue!;\n\n const versioning = dep.versioning ?? getDefaultVersioning(dep.datasource);\n const versioningApi = getVersioning(versioning);\n\n if (!versioningApi.isVersion(depVersion)) {\n logger.debug(\n `Skipping vulnerability lookup for package ${packageName} due to unsupported version ${depVersion}`,\n );\n return null;\n }\n\n const vulnerabilities: Vulnerability[] = [];\n for (const osvVulnerability of osvVulnerabilities) {\n if (osvVulnerability.withdrawn) {\n logger.trace(\n `Skipping withdrawn vulnerability ${osvVulnerability.id}`,\n );\n continue;\n }\n\n for (const affected of osvVulnerability.affected ?? 
[]) {\n const isVulnerable = this.isPackageVulnerable(\n ecosystem,\n packageName,\n depVersion,\n affected,\n versioningApi,\n );\n if (!isVulnerable) {\n continue;\n }\n\n logger.debug(\n `Vulnerability ${osvVulnerability.id} affects ${packageName} ${depVersion}`,\n );\n const fixedVersion = this.getFixedVersion(\n ecosystem,\n depVersion,\n affected,\n versioningApi,\n );\n\n vulnerabilities.push({\n packageName,\n vulnerability: osvVulnerability,\n affected,\n depVersion,\n fixedVersion,\n datasource: dep.datasource!,\n packageFileConfig,\n });\n }\n }\n\n return { vulnerabilities, versioningApi };\n } catch (err) {\n logger.warn(\n { err, packageName },\n 'Error fetching vulnerability information for package',\n );\n return null;\n }\n }\n\n private sortByFixedVersion(\n packageRules: PackageRule[],\n versioningApi: VersioningApi,\n ): void {\n const versionsCleaned: Record<string, string> = {};\n for (const rule of packageRules) {\n const version = rule.allowedVersions as string;\n versionsCleaned[version] = version.replace(regEx(/[(),=> ]+/g), '');\n }\n packageRules.sort((a, b) =>\n versioningApi.sortVersions(\n versionsCleaned[a.allowedVersions as string],\n versionsCleaned[b.allowedVersions as string],\n ),\n );\n }\n\n // https://ossf.github.io/osv-schema/#affectedrangesevents-fields\n private sortEvents(\n events: Osv.Event[],\n versioningApi: VersioningApi,\n ): Osv.Event[] {\n const sortedCopy: Osv.Event[] = [];\n let zeroEvent: Osv.Event | null = null;\n\n for (const event of events) {\n if (event.introduced === '0') {\n zeroEvent = event;\n } else if (versioningApi.isVersion(Object.values(event)[0])) {\n sortedCopy.push(event);\n } else {\n logger.debug({ event }, 'Skipping OSV event with invalid version');\n }\n }\n\n sortedCopy.sort((a, b) =>\n // no pre-processing, as there are only very few values to sort\n versioningApi.sortVersions(Object.values(a)[0], Object.values(b)[0]),\n );\n\n if (zeroEvent) {\n sortedCopy.unshift(zeroEvent);\n }\n\n 
return sortedCopy;\n }\n\n private isPackageAffected(\n ecosystem: Ecosystem,\n packageName: string,\n affected: Osv.Affected,\n ): boolean {\n return (\n affected.package?.name === packageName &&\n affected.package?.ecosystem === ecosystem\n );\n }\n\n private includedInVersions(\n depVersion: string,\n affected: Osv.Affected,\n ): boolean {\n return !!affected.versions?.includes(depVersion);\n }\n\n private includedInRanges(\n depVersion: string,\n affected: Osv.Affected,\n versioningApi: VersioningApi,\n ): boolean {\n for (const range of affected.ranges ?? []) {\n if (range.type === 'GIT') {\n continue;\n }\n\n let vulnerable = false;\n for (const event of this.sortEvents(range.events, versioningApi)) {\n if (\n isNonEmptyString(event.introduced) &&\n (event.introduced === '0' ||\n this.isVersionGtOrEq(depVersion, event.introduced, versioningApi))\n ) {\n vulnerable = true;\n } else if (\n isNonEmptyString(event.fixed) &&\n this.isVersionGtOrEq(depVersion, event.fixed, versioningApi)\n ) {\n vulnerable = false;\n } else if (\n isNonEmptyString(event.last_affected) &&\n this.isVersionGt(depVersion, event.last_affected, versioningApi)\n ) {\n vulnerable = false;\n }\n }\n\n if (vulnerable) {\n return true;\n }\n }\n\n return false;\n }\n\n // https://ossf.github.io/osv-schema/#evaluation\n private isPackageVulnerable(\n ecosystem: Ecosystem,\n packageName: string,\n depVersion: string,\n affected: Osv.Affected,\n versioningApi: VersioningApi,\n ): boolean {\n return (\n this.isPackageAffected(ecosystem, packageName, affected) &&\n (this.includedInVersions(depVersion, affected) ||\n this.includedInRanges(depVersion, affected, versioningApi))\n );\n }\n\n private getFixedVersion(\n ecosystem: Ecosystem,\n depVersion: string,\n affected: Osv.Affected,\n versioningApi: VersioningApi,\n ): string | null {\n const fixedVersions: string[] = [];\n const lastAffectedVersions: string[] = [];\n\n for (const range of affected.ranges ?? 
[]) {\n if (range.type === 'GIT') {\n continue;\n }\n\n for (const event of range.events) {\n if (\n isNonEmptyString(event.fixed) &&\n versioningApi.isVersion(event.fixed)\n ) {\n fixedVersions.push(event.fixed);\n } else if (\n isNonEmptyString(event.last_affected) &&\n versioningApi.isVersion(event.last_affected)\n ) {\n lastAffectedVersions.push(event.last_affected);\n }\n }\n }\n\n fixedVersions.sort((a, b) => versioningApi.sortVersions(a, b));\n const fixedVersion = fixedVersions.find((version) =>\n this.isVersionGt(version, depVersion, versioningApi),\n );\n if (fixedVersion) {\n return this.getFixedVersionByEcosystem(fixedVersion, ecosystem);\n }\n\n lastAffectedVersions.sort((a, b) => versioningApi.sortVersions(a, b));\n const lastAffected = lastAffectedVersions.find((version) =>\n this.isVersionGtOrEq(version, depVersion, versioningApi),\n );\n if (lastAffected) {\n return this.getLastAffectedByEcosystem(lastAffected, ecosystem);\n }\n\n return null;\n }\n\n private getFixedVersionByEcosystem(\n fixedVersion: string,\n ecosystem: Ecosystem,\n ): string {\n if (ecosystem === 'Maven' || ecosystem === 'NuGet') {\n return `[${fixedVersion},)`;\n }\n\n // crates.io, Go, Hex, npm, RubyGems, PyPI\n return `>= ${fixedVersion}`;\n }\n\n private getLastAffectedByEcosystem(\n lastAffected: string,\n ecosystem: Ecosystem,\n ): string {\n if (ecosystem === 'Maven') {\n return `(${lastAffected},)`;\n }\n\n // crates.io, Go, Hex, npm, RubyGems, PyPI\n return `> ${lastAffected}`;\n }\n\n private isVersionGt(\n version: string,\n other: string,\n versioningApi: VersioningApi,\n ): boolean {\n return (\n versioningApi.isVersion(version) &&\n versioningApi.isVersion(other) &&\n versioningApi.isGreaterThan(version, other)\n );\n }\n\n private isVersionGtOrEq(\n version: string,\n other: string,\n versioningApi: VersioningApi,\n ): boolean {\n return (\n versioningApi.isVersion(version) &&\n versioningApi.isVersion(other) &&\n (versioningApi.equals(version, other) ||\n 
versioningApi.isGreaterThan(version, other))\n );\n }\n\n private vulnerabilityToPackageRules(vul: Vulnerability): PackageRule | null {\n const {\n vulnerability,\n affected,\n packageName,\n depVersion,\n fixedVersion,\n datasource,\n packageFileConfig,\n } = vul;\n if (isNullOrUndefined(fixedVersion)) {\n logger.debug(\n `No fixed version available for vulnerability ${vulnerability.id} in ${packageName} ${depVersion}`,\n );\n return null;\n }\n\n logger.debug(\n `Setting allowed version ${fixedVersion} to fix vulnerability ${vulnerability.id} in ${packageName} ${depVersion}`,\n );\n\n const severityDetails = this.extractSeverityDetails(\n vulnerability,\n affected,\n );\n\n return {\n matchDatasources: [datasource],\n matchPackageNames: [packageName],\n matchCurrentVersion: depVersion,\n allowedVersions: fixedVersion,\n isVulnerabilityAlert: true,\n vulnerabilitySeverity: severityDetails.severityLevel,\n prBodyNotes: this.generatePrBodyNotes(vulnerability, affected),\n force: {\n ...packageFileConfig.vulnerabilityAlerts,\n },\n };\n }\n\n static evaluateCvssVector(vector: string): [string, string] {\n const CvssJsonSchema = z.object({\n baseScore: z.number().default(0.0),\n baseSeverity: z.string().toUpperCase().default('UNKNOWN'),\n });\n\n try {\n const parsedCvssScore: CvssVector<any> | null = fromVector(vector);\n const res = CvssJsonSchema.parse(parsedCvssScore?.createJsonSchema());\n\n return [res.baseScore.toFixed(1), res.baseSeverity];\n } catch {\n logger.debug(`Error processing CVSS vector ${vector}`);\n }\n\n return ['', ''];\n }\n\n private generatePrBodyNotes(\n vulnerability: Osv.Vulnerability,\n affected: Osv.Affected,\n ): string[] {\n let aliases = [vulnerability.id].concat(vulnerability.aliases ?? 
[]).sort();\n aliases = aliases.map((id) => {\n if (id.startsWith('CVE-')) {\n return `[${id}](https://nvd.nist.gov/vuln/detail/${id})`;\n } else if (id.startsWith('GHSA-')) {\n return `[${id}](https://github.com/advisories/${id})`;\n } else if (id.startsWith('GO-')) {\n return `[${id}](https://pkg.go.dev/vuln/${id})`;\n } else if (id.startsWith('RUSTSEC-')) {\n return `[${id}](https://rustsec.org/advisories/${id}.html)`;\n }\n\n return id;\n });\n\n let content = '\\n\\n---\\n\\n### ';\n content += vulnerability.summary ? `${vulnerability.summary}\\n` : '';\n content += `${aliases.join(' / ')}\\n`;\n content += `\\n<details>\\n<summary>More information</summary>\\n`;\n\n const details = vulnerability.details?.replace(\n regEx(/^#{1,4} /gm),\n '##### ',\n );\n content += `#### Details\\n${details ?? 'No details.'}\\n`;\n\n content += '#### Severity\\n';\n const severityDetails = this.extractSeverityDetails(\n vulnerability,\n affected,\n );\n\n if (severityDetails.cvssVector) {\n content += `- CVSS Score: ${severityDetails.score}\\n`;\n content += `- Vector String: \\`${severityDetails.cvssVector}\\`\\n`;\n } else {\n content += `${titleCase(severityDetails.severityLevel)}\\n`;\n }\n\n content += `\\n#### References\\n${\n vulnerability.references\n ?.map((ref) => {\n return `- [${ref.url}](${ref.url})`;\n })\n .join('\\n') ?? 
'No references.'\n }`;\n\n let attribution = '';\n if (vulnerability.id.startsWith('GHSA-')) {\n attribution = ` and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md))`;\n } else if (vulnerability.id.startsWith('GO-')) {\n attribution = ` and the [Go Vulnerability Database](https://github.com/golang/vulndb) ([CC-BY 4.0](https://github.com/golang/vulndb#license))`;\n } else if (vulnerability.id.startsWith('PYSEC-')) {\n attribution = ` and the [PyPI Advisory Database](https://github.com/pypa/advisory-database) ([CC-BY 4.0](https://github.com/pypa/advisory-database/blob/main/LICENSE))`;\n } else if (vulnerability.id.startsWith('RUSTSEC-')) {\n attribution = ` and the [Rust Advisory Database](https://github.com/RustSec/advisory-db) ([CC0 1.0](https://github.com/rustsec/advisory-db/blob/main/LICENSE.txt))`;\n }\n content += `\\n\\nThis data is provided by [OSV](https://osv.dev/vulnerability/${vulnerability.id})${attribution}.\\n`;\n content += `</details>`;\n\n return [sanitizeMarkdown(content)];\n }\n\n private extractSeverityDetails(\n vulnerability: Osv.Vulnerability,\n affected: Osv.Affected,\n ): SeverityDetails {\n let severityLevel = 'UNKNOWN';\n let score = 'Unknown';\n\n const cvssVector =\n vulnerability.severity?.find((e) => e.type === 'CVSS_V4')?.score ??\n vulnerability.severity?.find((e) => e.type === 'CVSS_V3')?.score ??\n (affected.database_specific?.cvss as string); // RUSTSEC\n\n if (cvssVector) {\n const [baseScore, severity] =\n Vulnerabilities.evaluateCvssVector(cvssVector);\n severityLevel = severity ? severity.toUpperCase() : 'UNKNOWN';\n score = baseScore\n ? 
`${baseScore} / 10 (${titleCase(severityLevel)})`\n : 'Unknown';\n } else if (\n vulnerability.id.startsWith('GHSA-') &&\n vulnerability.database_specific?.severity\n ) {\n const severity = vulnerability.database_specific.severity as string;\n severityLevel = severity.toUpperCase();\n }\n\n return {\n cvssVector,\n score,\n severityLevel,\n };\n }\n}\n"]}
1
+
{"version":3,"file":"vulnerabilities.js","sourceRoot":"","sources":["../../../../lib/workers/repository/process/vulnerabilities.ts"],"names":[],"mappings":";;;;AAEA,0DAAsD;AACtD,yCAK0B;AAE1B,2DAAgD;AAChD,6BAAwB;AACxB,4CAAqE;AAErE,4CAAyC;AACzC,+DAA0E;AAM1E,4DAAmE;AACnE,qDAA0D;AAC1D,kEAA4C;AAC5C,+CAA4C;AAC5C,iDAAiD;AAOjD,MAAa,eAAe;IAClB,UAAU,CAAyB;IAEnC,MAAM,CAAU,sBAAsB,GAG1C;QACF,KAAK,EAAE,WAAW;QAClB,EAAE,EAAE,IAAI;QACR,OAAO,EAAE,SAAS;QAClB,GAAG,EAAE,KAAK;QACV,KAAK,EAAE,OAAO;QACd,GAAG,EAAE,KAAK;QACV,KAAK,EAAE,OAAO;QACd,SAAS,EAAE,WAAW;QACtB,IAAI,EAAE,MAAM;QACZ,QAAQ,EAAE,UAAU;KACrB,CAAC;IAEF;QACE,sBAAsB;IACxB,CAAC;IAEO,KAAK,CAAC,UAAU;QACtB,IAAI,CAAC,UAAU,GAAG,MAAM,wBAAU,CAAC,MAAM,EAAE,CAAC;IAC9C,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,MAAM;QACjB,MAAM,QAAQ,GAAG,IAAI,eAAe,EAAE,CAAC;QACvC,MAAM,QAAQ,CAAC,UAAU,EAAE,CAAC;QAC5B,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,KAAK,CAAC,+BAA+B,CACnC,MAAsB,EACtB,YAA2C;QAE3C,MAAM,yBAAyB,GAAG,MAAM,IAAI,CAAC,8BAA8B,CACzE,MAAM,EACN,YAAY,CACb,CAAC;QAEF,MAAM,CAAC,YAAY,KAAK,EAAE,CAAC;QAC3B,KAAK,MAAM,EACT,eAAe,EACf,aAAa,GACd,IAAI,yBAAyB,EAAE,CAAC;YAC/B,MAAM,iBAAiB,GAAkB,EAAE,CAAC;YAC5C,KAAK,MAAM,aAAa,IAAI,eAAe,EAAE,CAAC;gBAC5C,MAAM,IAAI,GAAG,IAAI,CAAC,2BAA2B,CAAC,aAAa,CAAC,CAAC;gBAC7D,IAAI,IAAA,sBAAiB,EAAC,IAAI,CAAC,EAAE,CAAC;oBAC5B,SAAS;gBACX,CAAC;gBACD,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC/B,CAAC;YACD,IAAI,CAAC,kBAAkB,CAAC,iBAAiB,EAAE,aAAa,CAAC,CAAC;YAE1D,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,CAAC;QACjD,CAAC;IACH,CAAC;IAED,KAAK,CAAC,oBAAoB,CACxB,MAAsB,EACtB,YAA2C;QAE3C,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,8BAA8B,CACtD,MAAM,EACN,YAAY,CACb,CAAC;QACF,OAAO,MAAM,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC;IAC1D,CAAC;IAEO,KAAK,CAAC,8BAA8B,CAC1C,MAAsB,EACtB,YAA2C;QAE3C,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAC3C,MAAM,cAAc,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE,CAC9C,IAAI,CAAC,2BAA2B,CAAC,MAAM,EAAE,YAAY,EAAE,OAAO,CAAC,CAChE,CAAC;QACF,OAAO,CAAC,MAAM,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IACpD,CAAC;IAEO,KAAK,CA
AC,2BAA2B,CACvC,MAAsB,EACtB,YAA2C,EAC3C,OAAe;QAEf,MAAM,aAAa,GAAG,IAAA,yBAAgB,EAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QACxD,MAAM,KAAK,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC,GAAG,CACrC,CAAC,KAAK,EAAE,EAAE,CAAC,GAAyC,EAAE,CACpD,IAAI,CAAC,sCAAsC,CAAC,aAAa,EAAE,KAAK,CAAC,CACpE,CAAC;QACF,eAAM,CAAC,KAAK,CACV,EAAE,OAAO,EAAE,WAAW,EAAE,KAAK,CAAC,MAAM,EAAE,EACtC,sCAAsC,CACvC,CAAC;QACF,MAAM,MAAM,GAAG,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAC3C,eAAM,CAAC,KAAK,CAAC,EAAE,OAAO,EAAE,EAAE,sCAAsC,CAAC,CAAC;QAClE,OAAO,MAAM,CAAC;IAChB,CAAC;IAEO,KAAK,CAAC,sCAAsC,CAClD,aAA6B,EAC7B,KAAkB;QAElB,MAAM,EAAE,WAAW,EAAE,GAAG,KAAK,CAAC;QAC9B,MAAM,iBAAiB,GAAG,IAAA,yBAAgB,EAAC,aAAa,EAAE,KAAK,CAAC,CAAC;QACjE,MAAM,EAAE,OAAO,EAAE,GAAG,iBAAiB,CAAC;QACtC,MAAM,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,GAAG,CAC1B,CAAC,GAAG,EAAE,EAAE,CAAC,GAA8C,EAAE,CACvD,IAAI,CAAC,4BAA4B,CAAC,iBAAiB,EAAE,GAAG,CAAC,CAC5D,CAAC;QACF,eAAM,CAAC,KAAK,CACV,EAAE,OAAO,EAAE,WAAW,EAAE,WAAW,EAAE,KAAK,CAAC,MAAM,EAAE,EACnD,kEAAkE,CACnE,CAAC;QAEF,MAAM,MAAM,GAAG,MAAM,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QAClC,eAAM,CAAC,KAAK,CACV,EAAE,WAAW,EAAE,EACf,iDAAiD,CAClD,CAAC;QAEF,OAAO,MAAM,CAAC,MAAM,CAAC,aAAQ,CAAC,CAAC;IACjC,CAAC;IAEO,KAAK,CAAC,4BAA4B,CACxC,iBAA+C,EAC/C,GAAsB;QAEtB,MAAM,SAAS,GAAG,eAAe,CAAC,sBAAsB,CAAC,GAAG,CAAC,UAAW,CAAC,CAAC;QAC1E,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,eAAM,CAAC,KAAK,CAAC,yBAAyB,GAAG,CAAC,UAAW,mBAAmB,CAAC,CAAC;YAC1E,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,WAAW,GAAG,GAAG,CAAC,WAAW,IAAI,GAAG,CAAC,OAAQ,CAAC;QAClD,IAAI,SAAS,KAAK,MAAM,EAAE,CAAC;YACzB,qDAAqD;YACrD,WAAW,GAAG,WAAW,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,IAAA,aAAK,EAAC,SAAS,CAAC,EAAE,GAAG,CAAC,CAAC;QACzE,CAAC;QAED,IAAI,CAAC;YACH,MAAM,kBAAkB,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,kBAAkB,CAClE,SAAS,EACT,WAAW,CACZ,CAAC;YACF,IACE,IAAA,sBAAiB,EAAC,kBAAkB,CAAC;gBACrC,IAAA,iBAAY,EAAC,kBAAkB,CAAC,EAChC,CAAC;gBACD,eAAM,CAAC,KAAK,CACV,gDAAgD,WAAW,EAAE,CAC9D,CAAC;gBACF,OAAO,IAAI,CAAC;YACd,CAAC;YAED,MAAM,UAAU,GACd,GAAG,CAAC,aAAa,IAAI,GAAG,CAAC,cAAc,IAAI,GAAG,CAAC,YAAa,CAAC;YAE/D,MAAM,UAAU,GAAG,GAAG,CAAC,U
AAU,IAAI,IAAA,6BAAoB,EAAC,GAAG,CAAC,UAAU,CAAC,CAAC;YAC1E,MAAM,aAAa,GAAG,IAAA,gBAAa,EAAC,UAAU,CAAC,CAAC;YAEhD,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,UAAU,CAAC,EAAE,CAAC;gBACzC,eAAM,CAAC,KAAK,CACV,6CAA6C,WAAW,+BAA+B,UAAU,EAAE,CACpG,CAAC;gBACF,OAAO,IAAI,CAAC;YACd,CAAC;YAED,MAAM,eAAe,GAAoB,EAAE,CAAC;YAC5C,KAAK,MAAM,gBAAgB,IAAI,kBAAkB,EAAE,CAAC;gBAClD,IAAI,gBAAgB,CAAC,SAAS,EAAE,CAAC;oBAC/B,eAAM,CAAC,KAAK,CACV,oCAAoC,gBAAgB,CAAC,EAAE,EAAE,CAC1D,CAAC;oBACF,SAAS;gBACX,CAAC;gBAED,KAAK,MAAM,QAAQ,IAAI,gBAAgB,CAAC,QAAQ,IAAI,EAAE,EAAE,CAAC;oBACvD,MAAM,YAAY,GAAG,IAAI,CAAC,mBAAmB,CAC3C,SAAS,EACT,WAAW,EACX,UAAU,EACV,QAAQ,EACR,aAAa,CACd,CAAC;oBACF,IAAI,CAAC,YAAY,EAAE,CAAC;wBAClB,SAAS;oBACX,CAAC;oBAED,eAAM,CAAC,KAAK,CACV,iBAAiB,gBAAgB,CAAC,EAAE,YAAY,WAAW,IAAI,UAAU,EAAE,CAC5E,CAAC;oBACF,MAAM,YAAY,GAAG,IAAI,CAAC,eAAe,CACvC,SAAS,EACT,UAAU,EACV,QAAQ,EACR,aAAa,CACd,CAAC;oBAEF,eAAe,CAAC,IAAI,CAAC;wBACnB,WAAW;wBACX,aAAa,EAAE,gBAAgB;wBAC/B,QAAQ;wBACR,UAAU;wBACV,YAAY;wBACZ,UAAU,EAAE,GAAG,CAAC,UAAW;wBAC3B,iBAAiB;qBAClB,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAED,OAAO,EAAE,eAAe,EAAE,aAAa,EAAE,CAAC;QAC5C,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,eAAM,CAAC,IAAI,CACT,EAAE,GAAG,EAAE,WAAW,EAAE,EACpB,sDAAsD,CACvD,CAAC;YACF,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAEO,kBAAkB,CACxB,YAA2B,EAC3B,aAA4B;QAE5B,MAAM,eAAe,GAA2B,EAAE,CAAC;QACnD,KAAK,MAAM,IAAI,IAAI,YAAY,EAAE,CAAC;YAChC,MAAM,OAAO,GAAG,IAAI,CAAC,eAAgB,CAAC;YACtC,eAAe,CAAC,OAAO,CAAC,GAAG,OAAO,CAAC,OAAO,CAAC,IAAA,aAAK,EAAC,YAAY,CAAC,EAAE,EAAE,CAAC,CAAC;QACtE,CAAC;QACD,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CACzB,aAAa,CAAC,YAAY,CACxB,eAAe,CAAC,CAAC,CAAC,eAAgB,CAAC,EACnC,eAAe,CAAC,CAAC,CAAC,eAAgB,CAAC,CACpC,CACF,CAAC;IACJ,CAAC;IAED,iEAAiE;IACzD,UAAU,CAChB,MAAmB,EACnB,aAA4B;QAE5B,MAAM,UAAU,GAAgB,EAAE,CAAC;QACnC,IAAI,SAAS,GAAqB,IAAI,CAAC;QAEvC,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;YAC3B,IAAI,KAAK,CAAC,UAAU,KAAK,GAAG,EAAE,CAAC;gBAC7B,SAAS,GAAG,KAAK,CAAC;YACpB,CAAC;iBAAM,IAAI,aAAa,CAAC,SAAS,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC5D,UAAU,CAAC,IAA
I,CAAC,KAAK,CAAC,CAAC;YACzB,CAAC;iBAAM,CAAC;gBACN,eAAM,CAAC,KAAK,CAAC,EAAE,KAAK,EAAE,EAAE,yCAAyC,CAAC,CAAC;YACrE,CAAC;QACH,CAAC;QAED,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QACvB,+DAA+D;QAC/D,aAAa,CAAC,YAAY,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CACrE,CAAC;QAEF,IAAI,SAAS,EAAE,CAAC;YACd,UAAU,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QAChC,CAAC;QAED,OAAO,UAAU,CAAC;IACpB,CAAC;IAEO,iBAAiB,CACvB,SAAoB,EACpB,WAAmB,EACnB,QAAsB;QAEtB,OAAO,CACL,QAAQ,CAAC,OAAO,EAAE,IAAI,KAAK,WAAW;YACtC,QAAQ,CAAC,OAAO,EAAE,SAAS,KAAK,SAAS,CAC1C,CAAC;IACJ,CAAC;IAEO,kBAAkB,CACxB,UAAkB,EAClB,QAAsB;QAEtB,OAAO,CAAC,CAAC,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAC,UAAU,CAAC,CAAC;IACnD,CAAC;IAEO,gBAAgB,CACtB,UAAkB,EAClB,QAAsB,EACtB,aAA4B;QAE5B,KAAK,MAAM,KAAK,IAAI,QAAQ,CAAC,MAAM,IAAI,EAAE,EAAE,CAAC;YAC1C,IAAI,KAAK,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;gBACzB,SAAS;YACX,CAAC;YAED,IAAI,UAAU,GAAG,KAAK,CAAC;YACvB,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,MAAM,EAAE,aAAa,CAAC,EAAE,CAAC;gBACjE,IACE,IAAA,qBAAgB,EAAC,KAAK,CAAC,UAAU,CAAC;oBAClC,CAAC,KAAK,CAAC,UAAU,KAAK,GAAG;wBACvB,IAAI,CAAC,eAAe,CAAC,UAAU,EAAE,KAAK,CAAC,UAAU,EAAE,aAAa,CAAC,CAAC,EACpE,CAAC;oBACD,UAAU,GAAG,IAAI,CAAC;gBACpB,CAAC;qBAAM,IACL,IAAA,qBAAgB,EAAC,KAAK,CAAC,KAAK,CAAC;oBAC7B,IAAI,CAAC,eAAe,CAAC,UAAU,EAAE,KAAK,CAAC,KAAK,EAAE,aAAa,CAAC,EAC5D,CAAC;oBACD,UAAU,GAAG,KAAK,CAAC;gBACrB,CAAC;qBAAM,IACL,IAAA,qBAAgB,EAAC,KAAK,CAAC,aAAa,CAAC;oBACrC,IAAI,CAAC,WAAW,CAAC,UAAU,EAAE,KAAK,CAAC,aAAa,EAAE,aAAa,CAAC,EAChE,CAAC;oBACD,UAAU,GAAG,KAAK,CAAC;gBACrB,CAAC;YACH,CAAC;YAED,IAAI,UAAU,EAAE,CAAC;gBACf,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;IAED,gDAAgD;IACxC,mBAAmB,CACzB,SAAoB,EACpB,WAAmB,EACnB,UAAkB,EAClB,QAAsB,EACtB,aAA4B;QAE5B,OAAO,CACL,IAAI,CAAC,iBAAiB,CAAC,SAAS,EAAE,WAAW,EAAE,QAAQ,CAAC;YACxD,CAAC,IAAI,CAAC,kBAAkB,CAAC,UAAU,EAAE,QAAQ,CAAC;gBAC5C,IAAI,CAAC,gBAAgB,CAAC,UAAU,EAAE,QAAQ,EAAE,aAAa,CAAC,CAAC,CAC9D,CAAC;IACJ,CAAC;IAEO,eAAe,CACrB,SAAoB,EACpB,UAAkB,EAClB,QAAsB,EACtB,aAA4B;QAE
5B,MAAM,aAAa,GAAa,EAAE,CAAC;QACnC,MAAM,oBAAoB,GAAa,EAAE,CAAC;QAE1C,KAAK,MAAM,KAAK,IAAI,QAAQ,CAAC,MAAM,IAAI,EAAE,EAAE,CAAC;YAC1C,IAAI,KAAK,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;gBACzB,SAAS;YACX,CAAC;YAED,KAAK,MAAM,KAAK,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;gBACjC,IACE,IAAA,qBAAgB,EAAC,KAAK,CAAC,KAAK,CAAC;oBAC7B,aAAa,CAAC,SAAS,CAAC,KAAK,CAAC,KAAK,CAAC,EACpC,CAAC;oBACD,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;gBAClC,CAAC;qBAAM,IACL,IAAA,qBAAgB,EAAC,KAAK,CAAC,aAAa,CAAC;oBACrC,aAAa,CAAC,SAAS,CAAC,KAAK,CAAC,aAAa,CAAC,EAC5C,CAAC;oBACD,oBAAoB,CAAC,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC;gBACjD,CAAC;YACH,CAAC;QACH,CAAC;QAED,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,aAAa,CAAC,YAAY,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QAC/D,MAAM,YAAY,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAClD,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,UAAU,EAAE,aAAa,CAAC,CACrD,CAAC;QACF,IAAI,YAAY,EAAE,CAAC;YACjB,OAAO,IAAI,CAAC,0BAA0B,CAAC,YAAY,EAAE,SAAS,CAAC,CAAC;QAClE,CAAC;QAED,oBAAoB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,aAAa,CAAC,YAAY,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QACtE,MAAM,YAAY,GAAG,oBAAoB,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CACzD,IAAI,CAAC,eAAe,CAAC,OAAO,EAAE,UAAU,EAAE,aAAa,CAAC,CACzD,CAAC;QACF,IAAI,YAAY,EAAE,CAAC;YACjB,OAAO,IAAI,CAAC,0BAA0B,CAAC,YAAY,EAAE,SAAS,CAAC,CAAC;QAClE,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAEO,0BAA0B,CAChC,YAAoB,EACpB,SAAoB;QAEpB,IAAI,SAAS,KAAK,OAAO,IAAI,SAAS,KAAK,OAAO,EAAE,CAAC;YACnD,OAAO,IAAI,YAAY,IAAI,CAAC;QAC9B,CAAC;QAED,0CAA0C;QAC1C,OAAO,MAAM,YAAY,EAAE,CAAC;IAC9B,CAAC;IAEO,0BAA0B,CAChC,YAAoB,EACpB,SAAoB;QAEpB,IAAI,SAAS,KAAK,OAAO,EAAE,CAAC;YAC1B,OAAO,IAAI,YAAY,IAAI,CAAC;QAC9B,CAAC;QAED,0CAA0C;QAC1C,OAAO,KAAK,YAAY,EAAE,CAAC;IAC7B,CAAC;IAEO,WAAW,CACjB,OAAe,EACf,KAAa,EACb,aAA4B;QAE5B,OAAO,CACL,aAAa,CAAC,SAAS,CAAC,OAAO,CAAC;YAChC,aAAa,CAAC,SAAS,CAAC,KAAK,CAAC;YAC9B,aAAa,CAAC,aAAa,CAAC,OAAO,EAAE,KAAK,CAAC,CAC5C,CAAC;IACJ,CAAC;IAEO,eAAe,CACrB,OAAe,EACf,KAAa,EACb,aAA4B;QAE5B,OAAO,CACL,aAAa,CAAC,SAAS,CAAC,OAAO,CAAC;YAChC,aAAa,CAAC,SAAS,CAAC,KAAK,CAAC;YAC9B,CAAC,aAAa,CAAC,MAAM,CAAC
,OAAO,EAAE,KAAK,CAAC;gBACnC,aAAa,CAAC,aAAa,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC,CAC/C,CAAC;IACJ,CAAC;IAEO,2BAA2B,CAAC,GAAkB;QACpD,MAAM,EACJ,aAAa,EACb,QAAQ,EACR,WAAW,EACX,UAAU,EACV,YAAY,EACZ,UAAU,EACV,iBAAiB,GAClB,GAAG,GAAG,CAAC;QACR,IAAI,IAAA,sBAAiB,EAAC,YAAY,CAAC,EAAE,CAAC;YACpC,eAAM,CAAC,KAAK,CACV,gDAAgD,aAAa,CAAC,EAAE,OAAO,WAAW,IAAI,UAAU,EAAE,CACnG,CAAC;YACF,OAAO,IAAI,CAAC;QACd,CAAC;QAED,eAAM,CAAC,KAAK,CACV,2BAA2B,YAAY,yBAAyB,aAAa,CAAC,EAAE,OAAO,WAAW,IAAI,UAAU,EAAE,CACnH,CAAC;QAEF,MAAM,eAAe,GAAG,IAAI,CAAC,sBAAsB,CACjD,aAAa,EACb,QAAQ,CACT,CAAC;QAEF,OAAO;YACL,gBAAgB,EAAE,CAAC,UAAU,CAAC;YAC9B,iBAAiB,EAAE,CAAC,WAAW,CAAC;YAChC,mBAAmB,EAAE,UAAU;YAC/B,eAAe,EAAE,YAAY;YAC7B,oBAAoB,EAAE,IAAI;YAC1B,qBAAqB,EAAE,eAAe,CAAC,aAAa;YACpD,WAAW,EAAE,IAAI,CAAC,mBAAmB,CAAC,aAAa,EAAE,QAAQ,CAAC;YAC9D,KAAK,EAAE;gBACL,GAAG,iBAAiB,CAAC,mBAAmB;aACzC;SACF,CAAC;IACJ,CAAC;IAED,MAAM,CAAC,kBAAkB,CAAC,MAAc;QACtC,MAAM,cAAc,GAAG,OAAC,CAAC,MAAM,CAAC;YAC9B,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC;YAClC,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,SAAS,CAAC;SAC1D,CAAC,CAAC;QAEH,IAAI,CAAC;YACH,MAAM,eAAe,GAA2B,IAAA,+BAAU,EAAC,MAAM,CAAC,CAAC;YACnE,MAAM,GAAG,GAAG,cAAc,CAAC,KAAK,CAAC,eAAe,EAAE,gBAAgB,EAAE,CAAC,CAAC;YAEtE,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC,YAAY,CAAC,CAAC;QACtD,CAAC;QAAC,MAAM,CAAC;YACP,eAAM,CAAC,KAAK,CAAC,gCAAgC,MAAM,EAAE,CAAC,CAAC;QACzD,CAAC;QAED,OAAO,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;IAClB,CAAC;IAEO,mBAAmB,CACzB,aAAgC,EAChC,QAAsB;QAEtB,IAAI,OAAO,GAAG,CAAC,aAAa,CAAC,EAAE,CAAC,CAAC,MAAM,CAAC,aAAa,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;QAC5E,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE;YAC3B,IAAI,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;gBAC1B,OAAO,IAAI,EAAE,sCAAsC,EAAE,GAAG,CAAC;YAC3D,CAAC;iBAAM,IAAI,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;gBAClC,OAAO,IAAI,EAAE,mCAAmC,EAAE,GAAG,CAAC;YACxD,CAAC;iBAAM,IAAI,EAAE,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;gBAChC,OAAO,IAAI,EAAE,6BAA6B,EAAE,GAAG,CAAC;YAClD,CAAC;iBAAM,IAAI,EAAE,CAAC,UAAU,CAAC,UAAU,C
AAC,EAAE,CAAC;gBACrC,OAAO,IAAI,EAAE,oCAAoC,EAAE,QAAQ,CAAC;YAC9D,CAAC;YAED,OAAO,EAAE,CAAC;QACZ,CAAC,CAAC,CAAC;QAEH,IAAI,OAAO,GAAG,iBAAiB,CAAC;QAChC,OAAO,IAAI,aAAa,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,aAAa,CAAC,OAAO,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;QACrE,OAAO,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC;QACtC,OAAO,IAAI,oDAAoD,CAAC;QAEhE,MAAM,OAAO,GAAG,aAAa,CAAC,OAAO,EAAE,OAAO,CAC5C,IAAA,aAAK,EAAC,YAAY,CAAC,EACnB,QAAQ,CACT,CAAC;QACF,OAAO,IAAI,iBAAiB,OAAO,IAAI,aAAa,IAAI,CAAC;QAEzD,OAAO,IAAI,iBAAiB,CAAC;QAC7B,MAAM,eAAe,GAAG,IAAI,CAAC,sBAAsB,CACjD,aAAa,EACb,QAAQ,CACT,CAAC;QAEF,IAAI,eAAe,CAAC,UAAU,EAAE,CAAC;YAC/B,OAAO,IAAI,iBAAiB,eAAe,CAAC,KAAK,IAAI,CAAC;YACtD,OAAO,IAAI,sBAAsB,eAAe,CAAC,UAAU,MAAM,CAAC;QACpE,CAAC;aAAM,CAAC;YACN,OAAO,IAAI,GAAG,IAAA,kBAAS,EAAC,eAAe,CAAC,aAAa,CAAC,IAAI,CAAC;QAC7D,CAAC;QAED,OAAO,IAAI,sBACT,aAAa,CAAC,UAAU;YACtB,EAAE,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;YACZ,OAAO,MAAM,GAAG,CAAC,GAAG,KAAK,GAAG,CAAC,GAAG,GAAG,CAAC;QACtC,CAAC,CAAC;aACD,IAAI,CAAC,IAAI,CAAC,IAAI,gBACnB,EAAE,CAAC;QAEH,IAAI,WAAW,GAAG,EAAE,CAAC;QACrB,IAAI,aAAa,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;YACzC,WAAW,GAAG,kKAAkK,CAAC;QACnL,CAAC;aAAM,IAAI,aAAa,CAAC,EAAE,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;YAC9C,WAAW,GAAG,gIAAgI,CAAC;QACjJ,CAAC;aAAM,IAAI,aAAa,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YACjD,WAAW,GAAG,yJAAyJ,CAAC;QAC1K,CAAC;aAAM,IAAI,aAAa,CAAC,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YACnD,WAAW,GAAG,qJAAqJ,CAAC;QACtK,CAAC;QACD,OAAO,IAAI,oEAAoE,aAAa,CAAC,EAAE,IAAI,WAAW,KAAK,CAAC;QACpH,OAAO,IAAI,YAAY,CAAC;QAExB,OAAO,CAAC,IAAA,2BAAgB,EAAC,OAAO,CAAC,CAAC,CAAC;IACrC,CAAC;IAEO,sBAAsB,CAC5B,aAAgC,EAChC,QAAsB;QAEtB,IAAI,aAAa,GAAG,SAAS,CAAC;QAC9B,IAAI,KAAK,GAAG,SAAS,CAAC;QAEtB,MAAM,UAAU,GACd,aAAa,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,SAAS,CAAC,EAAE,KAAK;YAChE,aAAa,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,SAAS,CAAC,EAAE,KAAK;YAC/D,QAAQ,CAAC,iBAAiB,EAAE,IAAe,CAAC,CAAC,UAAU;QAE1D,IAAI,UAAU,EAAE,CAAC;YACf,MAAM,CAAC,SAAS,EAAE,QAAQ,CAAC,GACzB
,eAAe,CAAC,kBAAkB,CAAC,UAAU,CAAC,CAAC;YACjD,aAAa,GAAG,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;YAC9D,KAAK,GAAG,SAAS;gBACf,CAAC,CAAC,GAAG,SAAS,UAAU,IAAA,kBAAS,EAAC,aAAa,CAAC,GAAG;gBACnD,CAAC,CAAC,SAAS,CAAC;QAChB,CAAC;aAAM,IACL,aAAa,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC;YACpC,aAAa,CAAC,iBAAiB,EAAE,QAAQ,EACzC,CAAC;YACD,MAAM,QAAQ,GAAG,aAAa,CAAC,iBAAiB,CAAC,QAAkB,CAAC;YACpE,aAAa,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC;QACzC,CAAC;QAED,OAAO;YACL,UAAU;YACV,KAAK;YACL,aAAa;SACd,CAAC;IACJ,CAAC;;AArlBH,0CAslBC","sourcesContent":["// TODO #22198\nimport type { Ecosystem, Osv } from '@renovatebot/osv-offline';\nimport { OsvOffline } from '@renovatebot/osv-offline';\nimport {\n isEmptyArray,\n isNonEmptyString,\n isNullOrUndefined,\n isTruthy,\n} from '@sindresorhus/is';\nimport type { CvssVector } from 'ae-cvss-calculator';\nimport { fromVector } from 'ae-cvss-calculator';\nimport { z } from 'zod';\nimport { getManagerConfig, mergeChildConfig } from '../../../config';\nimport type { PackageRule, RenovateConfig } from '../../../config/types';\nimport { logger } from '../../../logger';\nimport { getDefaultVersioning } from '../../../modules/datasource/common';\nimport type {\n PackageDependency,\n PackageFile,\n} from '../../../modules/manager/types';\nimport type { VersioningApi } from '../../../modules/versioning';\nimport { get as getVersioning } from '../../../modules/versioning';\nimport { sanitizeMarkdown } from '../../../util/markdown';\nimport * as p from '../../../util/promises';\nimport { regEx } from '../../../util/regex';\nimport { titleCase } from '../../../util/string';\nimport type {\n DependencyVulnerabilities,\n SeverityDetails,\n Vulnerability,\n} from './types';\n\nexport class Vulnerabilities {\n private osvOffline: OsvOffline | undefined;\n\n private static readonly datasourceEcosystemMap: Record<\n string,\n Ecosystem | undefined\n > = {\n crate: 'crates.io',\n go: 'Go',\n hackage: 'Hackage',\n hex: 'Hex',\n maven: 'Maven',\n npm: 'npm',\n nuget: 
'NuGet',\n packagist: 'Packagist',\n pypi: 'PyPI',\n rubygems: 'RubyGems',\n };\n\n private constructor() {\n // private constructor\n }\n\n private async initialize(): Promise<void> {\n this.osvOffline = await OsvOffline.create();\n }\n\n static async create(): Promise<Vulnerabilities> {\n const instance = new Vulnerabilities();\n await instance.initialize();\n return instance;\n }\n\n async appendVulnerabilityPackageRules(\n config: RenovateConfig,\n packageFiles: Record<string, PackageFile[]>,\n ): Promise<void> {\n const dependencyVulnerabilities = await this.fetchDependencyVulnerabilities(\n config,\n packageFiles,\n );\n\n config.packageRules ??= [];\n for (const {\n vulnerabilities,\n versioningApi,\n } of dependencyVulnerabilities) {\n const groupPackageRules: PackageRule[] = [];\n for (const vulnerability of vulnerabilities) {\n const rule = this.vulnerabilityToPackageRules(vulnerability);\n if (isNullOrUndefined(rule)) {\n continue;\n }\n groupPackageRules.push(rule);\n }\n this.sortByFixedVersion(groupPackageRules, versioningApi);\n\n config.packageRules.push(...groupPackageRules);\n }\n }\n\n async fetchVulnerabilities(\n config: RenovateConfig,\n packageFiles: Record<string, PackageFile[]>,\n ): Promise<Vulnerability[]> {\n const groups = await this.fetchDependencyVulnerabilities(\n config,\n packageFiles,\n );\n return groups.flatMap((group) => group.vulnerabilities);\n }\n\n private async fetchDependencyVulnerabilities(\n config: RenovateConfig,\n packageFiles: Record<string, PackageFile[]>,\n ): Promise<DependencyVulnerabilities[]> {\n const managers = Object.keys(packageFiles);\n const allManagerJobs = managers.map((manager) =>\n this.fetchManagerVulnerabilities(config, packageFiles, manager),\n );\n return (await Promise.all(allManagerJobs)).flat();\n }\n\n private async fetchManagerVulnerabilities(\n config: RenovateConfig,\n packageFiles: Record<string, PackageFile[]>,\n manager: string,\n ): Promise<DependencyVulnerabilities[]> {\n const 
managerConfig = getManagerConfig(config, manager);\n const queue = packageFiles[manager].map(\n (pFile) => (): Promise<DependencyVulnerabilities[]> =>\n this.fetchManagerPackageFileVulnerabilities(managerConfig, pFile),\n );\n logger.trace(\n { manager, queueLength: queue.length },\n 'fetchManagerVulnerabilities starting',\n );\n const result = (await p.all(queue)).flat();\n logger.trace({ manager }, 'fetchManagerVulnerabilities finished');\n return result;\n }\n\n private async fetchManagerPackageFileVulnerabilities(\n managerConfig: RenovateConfig,\n pFile: PackageFile,\n ): Promise<DependencyVulnerabilities[]> {\n const { packageFile } = pFile;\n const packageFileConfig = mergeChildConfig(managerConfig, pFile);\n const { manager } = packageFileConfig;\n const queue = pFile.deps.map(\n (dep) => (): Promise<DependencyVulnerabilities | null> =>\n this.fetchDependencyVulnerability(packageFileConfig, dep),\n );\n logger.trace(\n { manager, packageFile, queueLength: queue.length },\n 'fetchManagerPackageFileVulnerabilities starting with concurrency',\n );\n\n const result = await p.all(queue);\n logger.trace(\n { packageFile },\n 'fetchManagerPackageFileVulnerabilities finished',\n );\n\n return result.filter(isTruthy);\n }\n\n private async fetchDependencyVulnerability(\n packageFileConfig: RenovateConfig & PackageFile,\n dep: PackageDependency,\n ): Promise<DependencyVulnerabilities | null> {\n const ecosystem = Vulnerabilities.datasourceEcosystemMap[dep.datasource!];\n if (!ecosystem) {\n logger.trace(`Cannot map datasource ${dep.datasource!} to OSV ecosystem`);\n return null;\n }\n\n let packageName = dep.packageName ?? 
dep.depName!;\n if (ecosystem === 'PyPI') {\n // https://peps.python.org/pep-0503/#normalized-names\n packageName = packageName.toLowerCase().replace(regEx(/[_.-]+/g), '-');\n }\n\n try {\n const osvVulnerabilities = await this.osvOffline?.getVulnerabilities(\n ecosystem,\n packageName,\n );\n if (\n isNullOrUndefined(osvVulnerabilities) ||\n isEmptyArray(osvVulnerabilities)\n ) {\n logger.trace(\n `No vulnerabilities found in OSV database for ${packageName}`,\n );\n return null;\n }\n\n const depVersion =\n dep.lockedVersion ?? dep.currentVersion ?? dep.currentValue!;\n\n const versioning = dep.versioning ?? getDefaultVersioning(dep.datasource);\n const versioningApi = getVersioning(versioning);\n\n if (!versioningApi.isVersion(depVersion)) {\n logger.debug(\n `Skipping vulnerability lookup for package ${packageName} due to unsupported version ${depVersion}`,\n );\n return null;\n }\n\n const vulnerabilities: Vulnerability[] = [];\n for (const osvVulnerability of osvVulnerabilities) {\n if (osvVulnerability.withdrawn) {\n logger.trace(\n `Skipping withdrawn vulnerability ${osvVulnerability.id}`,\n );\n continue;\n }\n\n for (const affected of osvVulnerability.affected ?? 
[]) {\n const isVulnerable = this.isPackageVulnerable(\n ecosystem,\n packageName,\n depVersion,\n affected,\n versioningApi,\n );\n if (!isVulnerable) {\n continue;\n }\n\n logger.debug(\n `Vulnerability ${osvVulnerability.id} affects ${packageName} ${depVersion}`,\n );\n const fixedVersion = this.getFixedVersion(\n ecosystem,\n depVersion,\n affected,\n versioningApi,\n );\n\n vulnerabilities.push({\n packageName,\n vulnerability: osvVulnerability,\n affected,\n depVersion,\n fixedVersion,\n datasource: dep.datasource!,\n packageFileConfig,\n });\n }\n }\n\n return { vulnerabilities, versioningApi };\n } catch (err) {\n logger.warn(\n { err, packageName },\n 'Error fetching vulnerability information for package',\n );\n return null;\n }\n }\n\n private sortByFixedVersion(\n packageRules: PackageRule[],\n versioningApi: VersioningApi,\n ): void {\n const versionsCleaned: Record<string, string> = {};\n for (const rule of packageRules) {\n const version = rule.allowedVersions!;\n versionsCleaned[version] = version.replace(regEx(/[(),=> ]+/g), '');\n }\n packageRules.sort((a, b) =>\n versioningApi.sortVersions(\n versionsCleaned[a.allowedVersions!],\n versionsCleaned[b.allowedVersions!],\n ),\n );\n }\n\n // https://ossf.github.io/osv-schema/#affectedrangesevents-fields\n private sortEvents(\n events: Osv.Event[],\n versioningApi: VersioningApi,\n ): Osv.Event[] {\n const sortedCopy: Osv.Event[] = [];\n let zeroEvent: Osv.Event | null = null;\n\n for (const event of events) {\n if (event.introduced === '0') {\n zeroEvent = event;\n } else if (versioningApi.isVersion(Object.values(event)[0])) {\n sortedCopy.push(event);\n } else {\n logger.debug({ event }, 'Skipping OSV event with invalid version');\n }\n }\n\n sortedCopy.sort((a, b) =>\n // no pre-processing, as there are only very few values to sort\n versioningApi.sortVersions(Object.values(a)[0], Object.values(b)[0]),\n );\n\n if (zeroEvent) {\n sortedCopy.unshift(zeroEvent);\n }\n\n return sortedCopy;\n }\n\n 
private isPackageAffected(\n ecosystem: Ecosystem,\n packageName: string,\n affected: Osv.Affected,\n ): boolean {\n return (\n affected.package?.name === packageName &&\n affected.package?.ecosystem === ecosystem\n );\n }\n\n private includedInVersions(\n depVersion: string,\n affected: Osv.Affected,\n ): boolean {\n return !!affected.versions?.includes(depVersion);\n }\n\n private includedInRanges(\n depVersion: string,\n affected: Osv.Affected,\n versioningApi: VersioningApi,\n ): boolean {\n for (const range of affected.ranges ?? []) {\n if (range.type === 'GIT') {\n continue;\n }\n\n let vulnerable = false;\n for (const event of this.sortEvents(range.events, versioningApi)) {\n if (\n isNonEmptyString(event.introduced) &&\n (event.introduced === '0' ||\n this.isVersionGtOrEq(depVersion, event.introduced, versioningApi))\n ) {\n vulnerable = true;\n } else if (\n isNonEmptyString(event.fixed) &&\n this.isVersionGtOrEq(depVersion, event.fixed, versioningApi)\n ) {\n vulnerable = false;\n } else if (\n isNonEmptyString(event.last_affected) &&\n this.isVersionGt(depVersion, event.last_affected, versioningApi)\n ) {\n vulnerable = false;\n }\n }\n\n if (vulnerable) {\n return true;\n }\n }\n\n return false;\n }\n\n // https://ossf.github.io/osv-schema/#evaluation\n private isPackageVulnerable(\n ecosystem: Ecosystem,\n packageName: string,\n depVersion: string,\n affected: Osv.Affected,\n versioningApi: VersioningApi,\n ): boolean {\n return (\n this.isPackageAffected(ecosystem, packageName, affected) &&\n (this.includedInVersions(depVersion, affected) ||\n this.includedInRanges(depVersion, affected, versioningApi))\n );\n }\n\n private getFixedVersion(\n ecosystem: Ecosystem,\n depVersion: string,\n affected: Osv.Affected,\n versioningApi: VersioningApi,\n ): string | null {\n const fixedVersions: string[] = [];\n const lastAffectedVersions: string[] = [];\n\n for (const range of affected.ranges ?? 
[]) {\n if (range.type === 'GIT') {\n continue;\n }\n\n for (const event of range.events) {\n if (\n isNonEmptyString(event.fixed) &&\n versioningApi.isVersion(event.fixed)\n ) {\n fixedVersions.push(event.fixed);\n } else if (\n isNonEmptyString(event.last_affected) &&\n versioningApi.isVersion(event.last_affected)\n ) {\n lastAffectedVersions.push(event.last_affected);\n }\n }\n }\n\n fixedVersions.sort((a, b) => versioningApi.sortVersions(a, b));\n const fixedVersion = fixedVersions.find((version) =>\n this.isVersionGt(version, depVersion, versioningApi),\n );\n if (fixedVersion) {\n return this.getFixedVersionByEcosystem(fixedVersion, ecosystem);\n }\n\n lastAffectedVersions.sort((a, b) => versioningApi.sortVersions(a, b));\n const lastAffected = lastAffectedVersions.find((version) =>\n this.isVersionGtOrEq(version, depVersion, versioningApi),\n );\n if (lastAffected) {\n return this.getLastAffectedByEcosystem(lastAffected, ecosystem);\n }\n\n return null;\n }\n\n private getFixedVersionByEcosystem(\n fixedVersion: string,\n ecosystem: Ecosystem,\n ): string {\n if (ecosystem === 'Maven' || ecosystem === 'NuGet') {\n return `[${fixedVersion},)`;\n }\n\n // crates.io, Go, Hex, npm, RubyGems, PyPI\n return `>= ${fixedVersion}`;\n }\n\n private getLastAffectedByEcosystem(\n lastAffected: string,\n ecosystem: Ecosystem,\n ): string {\n if (ecosystem === 'Maven') {\n return `(${lastAffected},)`;\n }\n\n // crates.io, Go, Hex, npm, RubyGems, PyPI\n return `> ${lastAffected}`;\n }\n\n private isVersionGt(\n version: string,\n other: string,\n versioningApi: VersioningApi,\n ): boolean {\n return (\n versioningApi.isVersion(version) &&\n versioningApi.isVersion(other) &&\n versioningApi.isGreaterThan(version, other)\n );\n }\n\n private isVersionGtOrEq(\n version: string,\n other: string,\n versioningApi: VersioningApi,\n ): boolean {\n return (\n versioningApi.isVersion(version) &&\n versioningApi.isVersion(other) &&\n (versioningApi.equals(version, other) ||\n 
versioningApi.isGreaterThan(version, other))\n );\n }\n\n private vulnerabilityToPackageRules(vul: Vulnerability): PackageRule | null {\n const {\n vulnerability,\n affected,\n packageName,\n depVersion,\n fixedVersion,\n datasource,\n packageFileConfig,\n } = vul;\n if (isNullOrUndefined(fixedVersion)) {\n logger.debug(\n `No fixed version available for vulnerability ${vulnerability.id} in ${packageName} ${depVersion}`,\n );\n return null;\n }\n\n logger.debug(\n `Setting allowed version ${fixedVersion} to fix vulnerability ${vulnerability.id} in ${packageName} ${depVersion}`,\n );\n\n const severityDetails = this.extractSeverityDetails(\n vulnerability,\n affected,\n );\n\n return {\n matchDatasources: [datasource],\n matchPackageNames: [packageName],\n matchCurrentVersion: depVersion,\n allowedVersions: fixedVersion,\n isVulnerabilityAlert: true,\n vulnerabilitySeverity: severityDetails.severityLevel,\n prBodyNotes: this.generatePrBodyNotes(vulnerability, affected),\n force: {\n ...packageFileConfig.vulnerabilityAlerts,\n },\n };\n }\n\n static evaluateCvssVector(vector: string): [string, string] {\n const CvssJsonSchema = z.object({\n baseScore: z.number().default(0.0),\n baseSeverity: z.string().toUpperCase().default('UNKNOWN'),\n });\n\n try {\n const parsedCvssScore: CvssVector<any> | null = fromVector(vector);\n const res = CvssJsonSchema.parse(parsedCvssScore?.createJsonSchema());\n\n return [res.baseScore.toFixed(1), res.baseSeverity];\n } catch {\n logger.debug(`Error processing CVSS vector ${vector}`);\n }\n\n return ['', ''];\n }\n\n private generatePrBodyNotes(\n vulnerability: Osv.Vulnerability,\n affected: Osv.Affected,\n ): string[] {\n let aliases = [vulnerability.id].concat(vulnerability.aliases ?? 
[]).sort();\n aliases = aliases.map((id) => {\n if (id.startsWith('CVE-')) {\n return `[${id}](https://nvd.nist.gov/vuln/detail/${id})`;\n } else if (id.startsWith('GHSA-')) {\n return `[${id}](https://github.com/advisories/${id})`;\n } else if (id.startsWith('GO-')) {\n return `[${id}](https://pkg.go.dev/vuln/${id})`;\n } else if (id.startsWith('RUSTSEC-')) {\n return `[${id}](https://rustsec.org/advisories/${id}.html)`;\n }\n\n return id;\n });\n\n let content = '\\n\\n---\\n\\n### ';\n content += vulnerability.summary ? `${vulnerability.summary}\\n` : '';\n content += `${aliases.join(' / ')}\\n`;\n content += `\\n<details>\\n<summary>More information</summary>\\n`;\n\n const details = vulnerability.details?.replace(\n regEx(/^#{1,4} /gm),\n '##### ',\n );\n content += `#### Details\\n${details ?? 'No details.'}\\n`;\n\n content += '#### Severity\\n';\n const severityDetails = this.extractSeverityDetails(\n vulnerability,\n affected,\n );\n\n if (severityDetails.cvssVector) {\n content += `- CVSS Score: ${severityDetails.score}\\n`;\n content += `- Vector String: \\`${severityDetails.cvssVector}\\`\\n`;\n } else {\n content += `${titleCase(severityDetails.severityLevel)}\\n`;\n }\n\n content += `\\n#### References\\n${\n vulnerability.references\n ?.map((ref) => {\n return `- [${ref.url}](${ref.url})`;\n })\n .join('\\n') ?? 
'No references.'\n }`;\n\n let attribution = '';\n if (vulnerability.id.startsWith('GHSA-')) {\n attribution = ` and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md))`;\n } else if (vulnerability.id.startsWith('GO-')) {\n attribution = ` and the [Go Vulnerability Database](https://github.com/golang/vulndb) ([CC-BY 4.0](https://github.com/golang/vulndb#license))`;\n } else if (vulnerability.id.startsWith('PYSEC-')) {\n attribution = ` and the [PyPI Advisory Database](https://github.com/pypa/advisory-database) ([CC-BY 4.0](https://github.com/pypa/advisory-database/blob/main/LICENSE))`;\n } else if (vulnerability.id.startsWith('RUSTSEC-')) {\n attribution = ` and the [Rust Advisory Database](https://github.com/RustSec/advisory-db) ([CC0 1.0](https://github.com/rustsec/advisory-db/blob/main/LICENSE.txt))`;\n }\n content += `\\n\\nThis data is provided by [OSV](https://osv.dev/vulnerability/${vulnerability.id})${attribution}.\\n`;\n content += `</details>`;\n\n return [sanitizeMarkdown(content)];\n }\n\n private extractSeverityDetails(\n vulnerability: Osv.Vulnerability,\n affected: Osv.Affected,\n ): SeverityDetails {\n let severityLevel = 'UNKNOWN';\n let score = 'Unknown';\n\n const cvssVector =\n vulnerability.severity?.find((e) => e.type === 'CVSS_V4')?.score ??\n vulnerability.severity?.find((e) => e.type === 'CVSS_V3')?.score ??\n (affected.database_specific?.cvss as string); // RUSTSEC\n\n if (cvssVector) {\n const [baseScore, severity] =\n Vulnerabilities.evaluateCvssVector(cvssVector);\n severityLevel = severity ? severity.toUpperCase() : 'UNKNOWN';\n score = baseScore\n ? 
`${baseScore} / 10 (${titleCase(severityLevel)})`\n : 'Unknown';\n } else if (\n vulnerability.id.startsWith('GHSA-') &&\n vulnerability.database_specific?.severity\n ) {\n const severity = vulnerability.database_specific.severity as string;\n severityLevel = severity.toUpperCase();\n }\n\n return {\n cvssVector,\n score,\n severityLevel,\n };\n }\n}\n"]}
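--- a/package/package.json
+++ b/package/package.json
@@ -1,7 +1,7 @@
 {
 "name": "renovate",
 "description": "Automated dependency updates. Flexible so you don't need to be.",
-"version": "42.
+"version": "42.27.0",
 "type": "commonjs",
 "bin": {
 "renovate": "dist/renovate.js",
@@ -245,7 +245,7 @@
 "@types/js-yaml": "4.0.9",
 "@types/json-dup-key-validator": "1.0.2",
 "@types/linkify-markdown": "1.0.3",
-"@types/lodash": "4.17.
+"@types/lodash": "4.17.21",
 "@types/luxon": "3.7.1",
 "@types/markdown-it": "14.1.2",
 "@types/marshal": "0.5.3",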
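--- a/package/renovate-schema.json
+++ b/package/renovate-schema.json
@@ -1,7 +1,7 @@
 {
-"title": "JSON schema for Renovate 42.
+"title": "JSON schema for Renovate 42.27.0 config files (https://renovatebot.com/)",
 "$schema": "http://json-schema.org/draft-07/schema#",
-"x-renovate-version": "42.
+"x-renovate-version": "42.27.0",
 "allowComments": true,
 "type": "object",
 "properties": {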