renovate 43.120.0 → 43.120.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/logger/bunyan.js +9 -4
- package/dist/logger/bunyan.js.map +1 -1
- package/dist/logger/pretty-stdout.js +37 -16
- package/dist/logger/pretty-stdout.js.map +1 -1
- package/dist/workers/repository/init/vulnerability.js +5 -12
- package/dist/workers/repository/init/vulnerability.js.map +1 -1
- package/package.json +1 -1
- package/renovate-schema.json +2 -2
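--- a/package/dist/logger/bunyan.js
+++ b/package/dist/logger/bunyan.js
@@ -17,9 +17,7 @@ function createDefaultStreams(stdoutLevel, problems, logFile) {
 };
 // v8 ignore else -- TODO: add test #40625
 if (getEnv("LOG_FORMAT") !== "json") {
-
-prettyStdOut.pipe(process.stdout);
-stdout.stream = prettyStdOut;
+stdout.stream = new RenovateStream(process.stdout);
 stdout.type = "raw";
 }
 return [
@@ -42,7 +40,14 @@ function createLogFileStream(logFile) {
 level: validateLogLevel(getEnv("LOG_FILE_LEVEL"), "debug")
 };
 const logFileFormat = getEnv("LOG_FILE_FORMAT");
-if (isNonEmptyStringAndNotWhitespace(logFileFormat) && logFileFormat === "pretty")
+if (isNonEmptyStringAndNotWhitespace(logFileFormat) && logFileFormat === "pretty") {
+file.stream = new RenovateStream(fs.createWriteStream(logFile, {
+flags: "a",
+encoding: "utf8"
+}), false);
+file.type = "raw";
+delete file.path;
+}
 return file;
 }
 function serializedSanitizedLogger(streams) {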
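Review bot: The `fs.createWriteStream(logFile, …)` handed to `RenovateStream` in the second hunk has no 'error' listener, and the RenovateStream constructor in pretty-stdout.js only stores the destination, so an open or write failure on the log file (permission denied, disk full) would surface as an unhandled 'error' event instead of a logged warning; this path is only taken for `LOG_FILE_FORMAT=pretty`, and whether bunyan attached a handler on the `path`-based stream it previously managed is not visible here. Attaching a handler before wrapping keeps a logging failure from taking the process down: `const fileStream = fs.createWriteStream(logFile, { flags: "a", encoding: "utf8" });` `fileStream.on("error", (err) => process.stderr.write("logfile error: " + err.message + "\n"));` `file.stream = new RenovateStream(fileStream, false);`. Since the file is now opened with the process default mode, consider also passing `mode: 0o600`; records go through `withSanitizer` but still describe repository configuration. createLogFileStream begins outside the hunk.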
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"bunyan.js","names":[],"sources":["../../lib/logger/bunyan.ts"],"sourcesContent":["import {\n isNonEmptyStringAndNotWhitespace,\n isString,\n isUndefined,\n} from '@sindresorhus/is';\nimport * as bunyan from 'bunyan';\nimport fs from 'fs-extra';\nimport upath from 'upath';\nimport cmdSerializer from './cmd-serializer.ts';\nimport configSerializer from './config-serializer.ts';\nimport errSerializer from './err-serializer.ts';\nimport { RenovateStream } from './pretty-stdout.ts';\nimport type { ProblemStream } from './problem-stream.ts';\nimport type { BunyanLogLevel, BunyanLogger, BunyanStream } from './types.ts';\nimport { getEnv } from './utils.ts';\nimport { withSanitizer } from './with-sanitizer.ts';\n\nexport function createDefaultStreams(\n stdoutLevel: BunyanLogLevel,\n problems: ProblemStream,\n logFile: string | undefined,\n): BunyanStream[] {\n const stdout: BunyanStream = {\n name: 'stdout',\n level: stdoutLevel,\n stream: process.stdout,\n };\n\n // v8 ignore else -- TODO: add test #40625\n if (getEnv('LOG_FORMAT') !== 'json') {\n
|
|
1
|
+
{"version":3,"file":"bunyan.js","names":[],"sources":["../../lib/logger/bunyan.ts"],"sourcesContent":["import {\n isNonEmptyStringAndNotWhitespace,\n isString,\n isUndefined,\n} from '@sindresorhus/is';\nimport * as bunyan from 'bunyan';\nimport fs from 'fs-extra';\nimport upath from 'upath';\nimport cmdSerializer from './cmd-serializer.ts';\nimport configSerializer from './config-serializer.ts';\nimport errSerializer from './err-serializer.ts';\nimport { RenovateStream } from './pretty-stdout.ts';\nimport type { ProblemStream } from './problem-stream.ts';\nimport type { BunyanLogLevel, BunyanLogger, BunyanStream } from './types.ts';\nimport { getEnv } from './utils.ts';\nimport { withSanitizer } from './with-sanitizer.ts';\n\nexport function createDefaultStreams(\n stdoutLevel: BunyanLogLevel,\n problems: ProblemStream,\n logFile: string | undefined,\n): BunyanStream[] {\n const stdout: BunyanStream = {\n name: 'stdout',\n level: stdoutLevel,\n stream: process.stdout,\n };\n\n // v8 ignore else -- TODO: add test #40625\n if (getEnv('LOG_FORMAT') !== 'json') {\n const prettyStdOut = new RenovateStream(process.stdout);\n stdout.stream = prettyStdOut;\n stdout.type = 'raw';\n }\n\n const problemsStream: BunyanStream = {\n name: 'problems',\n level: 'warn' as BunyanLogLevel,\n stream: problems as any,\n type: 'raw',\n };\n\n const logFileStream: BunyanStream | undefined = isString(logFile)\n ? 
createLogFileStream(logFile)\n : undefined;\n\n return [stdout, problemsStream, logFileStream].filter(\n Boolean,\n ) as BunyanStream[];\n}\n\nfunction createLogFileStream(logFile: string): BunyanStream {\n // Ensure log file directory exists\n const directoryName = upath.dirname(logFile);\n fs.ensureDirSync(directoryName);\n\n const file: BunyanStream = {\n name: 'logfile',\n path: logFile,\n level: validateLogLevel(getEnv('LOG_FILE_LEVEL'), 'debug'),\n };\n\n const logFileFormat = getEnv('LOG_FILE_FORMAT');\n\n if (\n isNonEmptyStringAndNotWhitespace(logFileFormat) &&\n logFileFormat === 'pretty'\n ) {\n const fileStream = fs.createWriteStream(logFile, {\n flags: 'a',\n encoding: 'utf8',\n });\n const prettyFile = new RenovateStream(fileStream, false);\n file.stream = prettyFile;\n file.type = 'raw';\n delete file.path;\n }\n\n return file;\n}\n\nfunction serializedSanitizedLogger(streams: BunyanStream[]): BunyanLogger {\n return bunyan.createLogger({\n name: 'renovate',\n serializers: {\n body: configSerializer,\n cmd: cmdSerializer,\n config: configSerializer,\n migratedConfig: configSerializer,\n originalConfig: configSerializer,\n presetConfig: configSerializer,\n oldConfig: configSerializer,\n newConfig: configSerializer,\n err: errSerializer,\n },\n streams: streams.map(withSanitizer),\n });\n}\n\nexport function createLogger(\n stdoutLevel: BunyanLogLevel,\n problems: ProblemStream,\n): BunyanLogger {\n const defaultStreams = createDefaultStreams(\n stdoutLevel,\n problems,\n getEnv('LOG_FILE'),\n );\n\n return serializedSanitizedLogger(defaultStreams);\n}\n/**\n * A function that terminates execution if the log level that was entered is\n * not a valid value for the Bunyan logger.\n * @param logLevelToCheck\n * @returns returns the logLevel when the logLevelToCheck is valid or the defaultLevel passed as argument when it is undefined. 
Else it stops execution.\n */\nexport function validateLogLevel(\n logLevelToCheck: string | undefined,\n defaultLevel: BunyanLogLevel,\n): BunyanLogLevel {\n const allowedValues: BunyanLogLevel[] = [\n 'trace',\n 'debug',\n 'info',\n 'warn',\n 'error',\n 'fatal',\n ];\n\n if (\n isUndefined(logLevelToCheck) ||\n (isString(logLevelToCheck) &&\n allowedValues.includes(logLevelToCheck as BunyanLogLevel))\n ) {\n // log level is in the allowed values or its undefined\n return (logLevelToCheck as BunyanLogLevel) ?? defaultLevel;\n }\n\n const logger = bunyan.createLogger({\n name: 'renovate',\n streams: [\n {\n level: 'fatal',\n stream: process.stdout,\n },\n ],\n });\n logger.fatal({ logLevel: logLevelToCheck }, 'Invalid log level');\n process.exit(1);\n}\n"],"mappings":";;;;;;;;;;;AAiBA,SAAgB,qBACd,aACA,UACA,SACgB;CAChB,MAAM,SAAuB;EAC3B,MAAM;EACN,OAAO;EACP,QAAQ,QAAQ;EACjB;;AAGD,KAAI,OAAO,aAAa,KAAK,QAAQ;AAEnC,SAAO,SADc,IAAI,eAAe,QAAQ,OAAO;AAEvD,SAAO,OAAO;;AAchB,QAAO;EAAC;EAX6B;GACnC,MAAM;GACN,OAAO;GACP,QAAQ;GACR,MAAM;GACP;EAE+C,SAAS,QAAQ,GAC7D,oBAAoB,QAAQ,GAC5B,KAAA;EAE0C,CAAC,OAC7C,QACD;;AAGH,SAAS,oBAAoB,SAA+B;CAE1D,MAAM,gBAAgB,MAAM,QAAQ,QAAQ;AAC5C,IAAG,cAAc,cAAc;CAE/B,MAAM,OAAqB;EACzB,MAAM;EACN,MAAM;EACN,OAAO,iBAAiB,OAAO,iBAAiB,EAAE,QAAQ;EAC3D;CAED,MAAM,gBAAgB,OAAO,kBAAkB;AAE/C,KACE,iCAAiC,cAAc,IAC/C,kBAAkB,UAClB;AAMA,OAAK,SADc,IAAI,eAJJ,GAAG,kBAAkB,SAAS;GAC/C,OAAO;GACP,UAAU;GACX,CAAC,EACgD,MAAM;AAExD,OAAK,OAAO;AACZ,SAAO,KAAK;;AAGd,QAAO;;AAGT,SAAS,0BAA0B,SAAuC;AACxE,QAAO,OAAO,aAAa;EACzB,MAAM;EACN,aAAa;GACX,MAAM;GACN,KAAK;GACL,QAAQ;GACR,gBAAgB;GAChB,gBAAgB;GAChB,cAAc;GACd,WAAW;GACX,WAAW;GACX,KAAK;GACN;EACD,SAAS,QAAQ,IAAI,cAAc;EACpC,CAAC;;AAGJ,SAAgB,aACd,aACA,UACc;AAOd,QAAO,0BANgB,qBACrB,aACA,UACA,OAAO,WAAW,CACnB,CAE+C;;;;;;;;AAQlD,SAAgB,iBACd,iBACA,cACgB;AAUhB,KACE,YAAY,gBAAgB,IAC3B,SAAS,gBAAgB,IAXY;EACtC;EACA;EACA;EACA;EACA;EACA;EACD,CAKiB,SAAS,gBAAkC,CAG3D,QAAQ,mBAAsC;AAGjC,QAAO,aAAa;EACjC,MAAM;EACN,SAAS,CACP;GACE,OAAO;GACP,QAAQ,QAAQ;GACjB,CACF;EACF,CAAC,CACK,MAAM,E
AAE,UAAU,iBAAiB,EAAE,oBAAoB;AAChE,SAAQ,KAAK,EAAE"}
|
|
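--- a/package/dist/logger/pretty-stdout.js
+++ b/package/dist/logger/pretty-stdout.js
@@ -1,5 +1,6 @@
 import { regEx } from "../util/regex.js";
-import {
+import { isNonEmptyObject, isPlainObject, isString } from "@sindresorhus/is";
+import { Writable } from "node:stream";
 import * as util$1 from "node:util";
 import stringify from "json-stringify-pretty-compact";
 //#region lib/logger/pretty-stdout.ts
@@ -23,6 +24,14 @@ const metaFields = [
 "branch"
 ];
 const levels = {
+10: "TRACE",
+20: "DEBUG",
+30: " INFO",
+40: " WARN",
+50: "ERROR",
+60: "FATAL"
+};
+const colorizedLevels = {
 10: util$1.styleText("gray", "TRACE"),
 20: util$1.styleText("blue", "DEBUG"),
 30: util$1.styleText("green", " INFO"),
@@ -33,13 +42,13 @@ const levels = {
 function indent(str, leading = false) {
 return (leading ? " " : "") + str.split(regEx(/\r?\n/)).join("\n ");
 }
-function getMeta(rec) {
+function getMeta(rec, colorize = true) {
 if (!rec) return "";
 let res = rec.module ? ` [${rec.module}]` : ``;
 const filteredMeta = metaFields.filter((elem) => rec[elem]);
 if (!filteredMeta.length) return res;
 res = ` (${filteredMeta.map((field) => `${field}=${String(rec[field])}`).join(", ")})${res}`;
-return util$1.styleText("gray", res);
+return colorize ? util$1.styleText("gray", res) : res;
 }
 function getDetails(rec) {
 if (!rec) return "";
@@ -50,26 +59,38 @@ function getDetails(rec) {
 });
 const remainingKeys = Object.keys(recFiltered);
 if (remainingKeys.length === 0) return "";
+const err = recFiltered.err;
+if (isPlainObject(err) && isString(err.stack)) {
+const { stack, ...errRest } = err;
+recFiltered.err = isNonEmptyObject(errRest) ? errRest : void 0;
+const parts = [];
+for (const key of remainingKeys) {
+if (key === "err" && recFiltered.err === void 0) continue;
+parts.push(indent(`"${key}": ${stringify(recFiltered[key])}`, true));
+}
+const jsonPart = parts.join(",\n");
+const stackPart = indent(stack, true);
+return jsonPart ? `${jsonPart}\n${stackPart}\n` : `${stackPart}\n`;
+}
 return `${remainingKeys.map((key) => `${indent(`"${key}": ${stringify(recFiltered[key])}`, true)}`).join(",\n")}\n`;
 }
-function formatRecord(rec) {
-const level = levels[rec.level];
+function formatRecord(rec, colorize = true) {
+const level = colorize ? colorizedLevels[rec.level] : levels[rec.level];
 const msg = `${indent(rec.msg)}`;
-const meta = getMeta(rec);
+const meta = getMeta(rec, colorize);
 const details = getDetails(rec);
 return util$1.format("%s: %s%s\n%s", level, msg, meta, details);
 }
-var RenovateStream = class extends
-
-
-constructor() {
-super();
-this.
-this.
+var RenovateStream = class extends Writable {
+colorize;
+destination;
+constructor(destination, colorize = true) {
+super({ objectMode: true });
+this.colorize = colorize;
+this.destination = destination;
 }
-
-this.
-return true;
+_write(data, _encoding, callback) {
+this.destination.write(formatRecord(data, this.colorize), callback);
 }
 };
 //#endregion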
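Review bot: In the fourth hunk, `getDetails` now writes `err.stack` verbatim through `indent(stack, true)` (new lines 72–73), whereas before it went through `stringify(...)`, which escapes control characters; an error message carrying terminal escape sequences or carriage returns (for example text echoed from a registry response or a package name) would now reach the terminal or the pretty log file unescaped, which allows forged log lines or terminal injection. `rec.msg` already had this exposure through `indent(rec.msg)`, so the change widens it rather than introducing it. Stripping C0 controls other than newline and tab before indenting closes it: `const stackPart = indent(stack.replace(/[\u0000-\u0008\u000b-\u001f\u007f]/g, ""), true);`. A one-line comment above the `isPlainObject(err)` check noting that `stack` is printed raw for readability while the remaining `err` fields stay JSON-encoded would also help the next reader. getDetails starts outside the hunk.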
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"pretty-stdout.js","names":["util"],"sources":["../../lib/logger/pretty-stdout.ts"],"sourcesContent":["// Code originally derived from https://github.com/hadfieldn/node-bunyan-prettystream but since heavily edited\n// Neither fork nor original repo appear to be maintained\n\nimport {
|
|
1
|
+
{"version":3,"file":"pretty-stdout.js","names":["util"],"sources":["../../lib/logger/pretty-stdout.ts"],"sourcesContent":["// Code originally derived from https://github.com/hadfieldn/node-bunyan-prettystream but since heavily edited\n// Neither fork nor original repo appear to be maintained\n\nimport { Writable } from 'node:stream';\nimport * as util from 'node:util';\nimport { isNonEmptyObject, isPlainObject, isString } from '@sindresorhus/is';\nimport stringify from 'json-stringify-pretty-compact';\nimport { regEx } from '../util/regex.ts';\nimport type { BunyanRecord } from './types.ts';\n\nconst bunyanFields = [\n 'name',\n 'hostname',\n 'pid',\n 'level',\n 'v',\n 'time',\n 'msg',\n 'start_time',\n];\nconst metaFields = [\n 'repository',\n 'baseBranch',\n 'packageFile',\n 'depType',\n 'dependency',\n 'dependencies',\n 'branch',\n];\n\nconst levels: Record<number, string> = {\n 10: 'TRACE',\n 20: 'DEBUG',\n 30: ' INFO',\n 40: ' WARN',\n 50: 'ERROR',\n 60: 'FATAL',\n};\n\nconst colorizedLevels: Record<number, string> = {\n 10: util.styleText('gray', 'TRACE'),\n 20: util.styleText('blue', 'DEBUG'),\n 30: util.styleText('green', ' INFO'),\n 40: util.styleText('magenta', ' WARN'),\n 50: util.styleText('red', 'ERROR'),\n 60: util.styleText('bgRed', 'FATAL'),\n};\n\nexport function indent(str: string, leading = false): string {\n const prefix = leading ? ' ' : '';\n return prefix + str.split(regEx(/\\r?\\n/)).join('\\n ');\n}\n\nexport function getMeta(rec: BunyanRecord, colorize = true): string {\n if (!rec) {\n return '';\n }\n let res = rec.module ? ` [${rec.module}]` : ``;\n const filteredMeta = metaFields.filter((elem) => rec[elem]);\n if (!filteredMeta.length) {\n return res;\n }\n const metaStr = filteredMeta\n .map((field) => `${field}=${String(rec[field])}`)\n .join(', ');\n res = ` (${metaStr})${res}`;\n return colorize ? 
util.styleText('gray', res) : res;\n}\n\nexport function getDetails(rec: BunyanRecord): string {\n if (!rec) {\n return '';\n }\n const recFiltered = { ...rec };\n delete recFiltered.module;\n Object.keys(recFiltered).forEach((key) => {\n if (\n key === 'logContext' ||\n bunyanFields.includes(key) ||\n metaFields.includes(key)\n ) {\n delete recFiltered[key];\n }\n });\n const remainingKeys = Object.keys(recFiltered);\n if (remainingKeys.length === 0) {\n return '';\n }\n\n // Handle err.stack specially for readable multi-line output\n const err = recFiltered.err;\n if (isPlainObject(err) && isString(err.stack)) {\n const { stack, ...errRest } = err;\n recFiltered.err = isNonEmptyObject(errRest) ? errRest : undefined;\n const parts: string[] = [];\n for (const key of remainingKeys) {\n if (key === 'err' && recFiltered.err === undefined) {\n continue;\n }\n parts.push(indent(`\"${key}\": ${stringify(recFiltered[key])}`, true));\n }\n const jsonPart = parts.join(',\\n');\n const stackPart = indent(stack, true);\n return jsonPart ? `${jsonPart}\\n${stackPart}\\n` : `${stackPart}\\n`;\n }\n\n return `${remainingKeys\n .map((key) => `${indent(`\"${key}\": ${stringify(recFiltered[key])}`, true)}`)\n .join(',\\n')}\\n`;\n}\n\nexport function formatRecord(rec: BunyanRecord, colorize = true): string {\n const level = colorize ? 
colorizedLevels[rec.level] : levels[rec.level];\n const msg = `${indent(rec.msg)}`;\n const meta = getMeta(rec, colorize);\n const details = getDetails(rec);\n return util.format('%s: %s%s\\n%s', level, msg, meta, details);\n}\n\nexport class RenovateStream extends Writable {\n private colorize: boolean;\n private destination: NodeJS.WritableStream;\n\n constructor(destination: NodeJS.WritableStream, colorize = true) {\n super({ objectMode: true });\n this.colorize = colorize;\n this.destination = destination;\n }\n\n override _write(\n data: BunyanRecord,\n _encoding: string,\n callback: (error?: Error | null) => void,\n ): void {\n this.destination.write(formatRecord(data, this.colorize), callback);\n }\n}\n"],"mappings":";;;;;;AAUA,MAAM,eAAe;CACnB;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACD;AACD,MAAM,aAAa;CACjB;CACA;CACA;CACA;CACA;CACA;CACA;CACD;AAED,MAAM,SAAiC;CACrC,IAAI;CACJ,IAAI;CACJ,IAAI;CACJ,IAAI;CACJ,IAAI;CACJ,IAAI;CACL;AAED,MAAM,kBAA0C;CAC9C,IAAIA,OAAK,UAAU,QAAQ,QAAQ;CACnC,IAAIA,OAAK,UAAU,QAAQ,QAAQ;CACnC,IAAIA,OAAK,UAAU,SAAS,QAAQ;CACpC,IAAIA,OAAK,UAAU,WAAW,QAAQ;CACtC,IAAIA,OAAK,UAAU,OAAO,QAAQ;CAClC,IAAIA,OAAK,UAAU,SAAS,QAAQ;CACrC;AAED,SAAgB,OAAO,KAAa,UAAU,OAAe;AAE3D,SADe,UAAU,YAAY,MACrB,IAAI,MAAM,MAAM,QAAQ,CAAC,CAAC,KAAK,YAAY;;AAG7D,SAAgB,QAAQ,KAAmB,WAAW,MAAc;AAClE,KAAI,CAAC,IACH,QAAO;CAET,IAAI,MAAM,IAAI,SAAS,KAAK,IAAI,OAAO,KAAK;CAC5C,MAAM,eAAe,WAAW,QAAQ,SAAS,IAAI,MAAM;AAC3D,KAAI,CAAC,aAAa,OAChB,QAAO;AAKT,OAAM,KAHU,aACb,KAAK,UAAU,GAAG,MAAM,GAAG,OAAO,IAAI,OAAO,GAAG,CAChD,KAAK,KAAK,CACM,GAAG;AACtB,QAAO,WAAWA,OAAK,UAAU,QAAQ,IAAI,GAAG;;AAGlD,SAAgB,WAAW,KAA2B;AACpD,KAAI,CAAC,IACH,QAAO;CAET,MAAM,cAAc,EAAE,GAAG,KAAK;AAC9B,QAAO,YAAY;AACnB,QAAO,KAAK,YAAY,CAAC,SAAS,QAAQ;AACxC,MACE,QAAQ,gBACR,aAAa,SAAS,IAAI,IAC1B,WAAW,SAAS,IAAI,CAExB,QAAO,YAAY;GAErB;CACF,MAAM,gBAAgB,OAAO,KAAK,YAAY;AAC9C,KAAI,cAAc,WAAW,EAC3B,QAAO;CAIT,MAAM,MAAM,YAAY;AACxB,KAAI,cAAc,IAAI,IAAI,SAAS,IAAI,MAAM,EAAE;EAC7C,MAAM,EAAE,OAAO,GAAG,YAAY;AAC9B,cAAY,MAAM,iBAAiB,QAAQ,GAAG,UAAU,KAAA;EACxD,MAAM,QAAkB,EAAE
;AAC1B,OAAK,MAAM,OAAO,eAAe;AAC/B,OAAI,QAAQ,SAAS,YAAY,QAAQ,KAAA,EACvC;AAEF,SAAM,KAAK,OAAO,IAAI,IAAI,KAAK,UAAU,YAAY,KAAK,IAAI,KAAK,CAAC;;EAEtE,MAAM,WAAW,MAAM,KAAK,MAAM;EAClC,MAAM,YAAY,OAAO,OAAO,KAAK;AACrC,SAAO,WAAW,GAAG,SAAS,IAAI,UAAU,MAAM,GAAG,UAAU;;AAGjE,QAAO,GAAG,cACP,KAAK,QAAQ,GAAG,OAAO,IAAI,IAAI,KAAK,UAAU,YAAY,KAAK,IAAI,KAAK,GAAG,CAC3E,KAAK,MAAM,CAAC;;AAGjB,SAAgB,aAAa,KAAmB,WAAW,MAAc;CACvE,MAAM,QAAQ,WAAW,gBAAgB,IAAI,SAAS,OAAO,IAAI;CACjE,MAAM,MAAM,GAAG,OAAO,IAAI,IAAI;CAC9B,MAAM,OAAO,QAAQ,KAAK,SAAS;CACnC,MAAM,UAAU,WAAW,IAAI;AAC/B,QAAOA,OAAK,OAAO,gBAAgB,OAAO,KAAK,MAAM,QAAQ;;AAG/D,IAAa,iBAAb,cAAoC,SAAS;CAC3C;CACA;CAEA,YAAY,aAAoC,WAAW,MAAM;AAC/D,QAAM,EAAE,YAAY,MAAM,CAAC;AAC3B,OAAK,WAAW;AAChB,OAAK,cAAc;;CAGrB,OACE,MACA,WACA,UACM;AACN,OAAK,YAAY,MAAM,aAAa,MAAM,KAAK,SAAS,EAAE,SAAS"}
|
|
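--- a/package/dist/workers/repository/init/vulnerability.js
+++ b/package/dist/workers/repository/init/vulnerability.js
@@ -10,7 +10,6 @@ import { NugetDatasource } from "../../../modules/datasource/nuget/index.js";
 import { id as id$2 } from "../../../modules/versioning/semver/index.js";
 import "../../../modules/versioning/npm/index.js";
 import { id as id$3 } from "../../../modules/versioning/ruby/index.js";
-import { GoDatasource } from "../../../modules/datasource/go/index.js";
 import { id as id$4 } from "../../../modules/versioning/composer/index.js";
 import { get } from "../../../modules/versioning/index.js";
 import { getHighestVulnerabilitySeverity } from "../../../util/vulnerability/utils.js";
@@ -51,27 +50,23 @@ async function detectVulnerabilityAlerts(input) {
 }
 const datasource = githubEcosystemToDatasource[alert.security_vulnerability.package.ecosystem];
 const depName = alert.security_vulnerability.package.name;
-const fileName = alert.dependency.manifest_path;
-const fileType = fileName.split("/").pop();
 const firstPatchedVersion = alert.security_vulnerability.first_patched_version.identifier;
 const advisory = alert.security_advisory;
-combinedAlerts[
-combinedAlerts[
-combinedAlerts[
-const alertDetails = combinedAlerts[fileName][datasource][depName];
+combinedAlerts[datasource] ??= {};
+combinedAlerts[datasource][depName] ??= { advisories: [] };
+const alertDetails = combinedAlerts[datasource][depName];
 alertDetails.advisories.push(advisory);
 alertDetails.severity = getHighestVulnerabilitySeverity({ vulnerabilitySeverity: alertDetails.severity }, { vulnerabilitySeverity: alert.security_vulnerability.severity });
 const versioningApi = get(versionings[datasource]);
 if (versioningApi.isVersion(firstPatchedVersion)) {
 if (!alertDetails.firstPatchedVersion || versioningApi.isGreaterThan(firstPatchedVersion, alertDetails.firstPatchedVersion)) alertDetails.firstPatchedVersion = firstPatchedVersion;
 } else logger.debug("Invalid firstPatchedVersion: " + firstPatchedVersion);
-alertDetails.fileType = fileType;
 } catch (err) {
 logger.warn({ err }, "Error parsing vulnerability alert");
 }
 const alertPackageRules = [];
 config.remediations = {};
-for (const [
+for (const [datasource, dependencies] of Object.entries(combinedAlerts)) for (const [depName, val] of Object.entries(dependencies)) {
 if (!val.firstPatchedVersion) continue;
 let prBodyNotes = [];
 try {
@@ -98,11 +93,9 @@ async function detectVulnerabilityAlerts(input) {
 } catch (err) /* istanbul ignore next */ {
 logger.warn({ err }, "Error generating vulnerability PR notes");
 }
-const matchFileNames = datasource === GoDatasource.id ? [fileName.replace("go.sum", "go.mod")] : [fileName];
 let matchRule = {
 matchDatasources: [datasource],
-matchPackageNames: [depName]
-matchFileNames
+matchPackageNames: [depName]
 };
 let matchCurrentVersion = `< ${val.firstPatchedVersion}`;
 if (datasource === MavenDatasource.id || datasource === NugetDatasource.id) matchCurrentVersion = `(,${val.firstPatchedVersion})`;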
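Review bot: The `matchRule` built in the third hunk no longer carries `matchFileNames`, so one remediation rule now applies to every package file in which `depName` occurs for that datasource, with only `matchCurrentVersion` (derived from the highest `firstPatchedVersion` merged across manifests in the second hunk) scoping it; nothing in the hunks records that this widening is intended, and the per-manifest grouping together with the `go.sum`→`go.mod` mapping was how a fix used to stay confined to the manifest GitHub reported. A comment on the `for (const [datasource, dependencies] …)` loop such as `// alerts are merged per datasource/package across all manifests; matchCurrentVersion alone scopes the remediation rule` would make the contract explicit for the next maintainer. Since an alert is no longer tied to a file name, the `"Invalid firstPatchedVersion: "` debug message could also name `depName` so a rejected version can still be traced. detectVulnerabilityAlerts starts and ends outside these hunks.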
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"vulnerability.js","names":["semverVersioning.id","composerVersioning.id","mavenVersioning.id","pep440Versioning.id","rubyVersioning.id","allVersioning.get"],"sources":["../../../../lib/workers/repository/init/vulnerability.ts"],"sourcesContent":["import is from '@sindresorhus/is';\nimport type { PackageRule, RenovateConfig } from '../../../config/types.ts';\nimport { NO_VULNERABILITY_ALERTS } from '../../../constants/error-messages.ts';\nimport { logger } from '../../../logger/index.ts';\nimport { GithubTagsDatasource } from '../../../modules/datasource/github-tags/index.ts';\nimport { GoDatasource } from '../../../modules/datasource/go/index.ts';\nimport { MavenDatasource } from '../../../modules/datasource/maven/index.ts';\nimport { NugetDatasource } from '../../../modules/datasource/nuget/index.ts';\nimport type { SecurityAdvisory } from '../../../modules/platform/github/schema.ts';\nimport { platform } from '../../../modules/platform/index.ts';\nimport * as composerVersioning from '../../../modules/versioning/composer/index.ts';\nimport * as allVersioning from '../../../modules/versioning/index.ts';\nimport * as mavenVersioning from '../../../modules/versioning/maven/index.ts';\nimport * as npmVersioning from '../../../modules/versioning/npm/index.ts';\nimport * as pep440Versioning from '../../../modules/versioning/pep440/index.ts';\nimport * as rubyVersioning from '../../../modules/versioning/ruby/index.ts';\nimport * as semverVersioning from '../../../modules/versioning/semver/index.ts';\nimport { sanitizeMarkdown } from '../../../util/markdown.ts';\nimport { escapeRegExp } from '../../../util/regex.ts';\nimport { titleCase } from '../../../util/string.ts';\nimport { githubEcosystemToDatasource } from '../../../util/vulnerability/ecosystem.ts';\nimport {\n getFixedVersionConstraint,\n getHighestVulnerabilitySeverity,\n} from '../../../util/vulnerability/utils.ts';\n\ntype Datasource = string;\ntype DependencyName = string;\ntype FileName 
= string;\n\ntype CombinedAlert = Record<\n FileName,\n Record<\n Datasource,\n Record<\n DependencyName,\n {\n advisories: SecurityAdvisory[];\n fileType?: string;\n firstPatchedVersion?: string;\n severity?: string;\n }\n >\n >\n>;\n\nexport function getFixedVersionByDatasource(\n fixedVersion: string,\n datasource: string,\n): string {\n return getFixedVersionConstraint(fixedVersion, datasource);\n}\n\n// TODO can return `null` and `undefined` (#22198)\nexport async function detectVulnerabilityAlerts(\n input: RenovateConfig,\n): Promise<RenovateConfig> {\n if (!input?.vulnerabilityAlerts) {\n return input;\n }\n if (input.vulnerabilityAlerts.enabled === false) {\n logger.debug('Vulnerability alerts are disabled');\n return input;\n }\n const alerts = await platform.getVulnerabilityAlerts?.();\n if (!alerts?.length) {\n logger.debug('No vulnerability alerts found');\n if (input.vulnerabilityAlertsOnly) {\n throw new Error(NO_VULNERABILITY_ALERTS);\n }\n return input;\n }\n const config = { ...input };\n const versionings: Record<string, string> = {\n 'github-tags': semverVersioning.id,\n go: semverVersioning.id,\n packagist: composerVersioning.id,\n maven: mavenVersioning.id,\n npm: npmVersioning.id,\n nuget: semverVersioning.id,\n pypi: pep440Versioning.id,\n rubygems: rubyVersioning.id,\n };\n const combinedAlerts: CombinedAlert = {};\n for (const alert of alerts) {\n try {\n if (alert.dismissed_reason) {\n continue;\n }\n if (!alert.security_vulnerability?.first_patched_version) {\n logger.debug(\n { alert },\n 'Vulnerability alert has no firstPatchedVersion - skipping',\n );\n continue;\n }\n const datasource =\n githubEcosystemToDatasource[\n alert.security_vulnerability.package.ecosystem\n ];\n const depName = alert.security_vulnerability.package.name;\n const fileName = alert.dependency.manifest_path;\n const fileType = fileName.split('/').pop();\n const firstPatchedVersion =\n alert.security_vulnerability.first_patched_version.identifier;\n const 
advisory = alert.security_advisory;\n\n combinedAlerts[fileName] ??= {};\n combinedAlerts[fileName][datasource] ??= {};\n combinedAlerts[fileName][datasource][depName] ??= {\n advisories: [],\n };\n const alertDetails = combinedAlerts[fileName][datasource][depName];\n alertDetails.advisories.push(advisory);\n alertDetails.severity = getHighestVulnerabilitySeverity(\n { vulnerabilitySeverity: alertDetails.severity },\n { vulnerabilitySeverity: alert.security_vulnerability.severity },\n );\n const versioningApi = allVersioning.get(versionings[datasource]);\n if (versioningApi.isVersion(firstPatchedVersion)) {\n if (\n !alertDetails.firstPatchedVersion ||\n versioningApi.isGreaterThan(\n firstPatchedVersion,\n alertDetails.firstPatchedVersion,\n )\n ) {\n alertDetails.firstPatchedVersion = firstPatchedVersion;\n }\n } else {\n logger.debug('Invalid firstPatchedVersion: ' + firstPatchedVersion);\n }\n alertDetails.fileType = fileType;\n } catch (err) {\n logger.warn({ err }, 'Error parsing vulnerability alert');\n }\n }\n const alertPackageRules: PackageRule[] = [];\n config.remediations = {} as never;\n for (const [fileName, files] of Object.entries(combinedAlerts)) {\n for (const [datasource, dependencies] of Object.entries(files)) {\n for (const [depName, val] of Object.entries(dependencies)) {\n if (!val.firstPatchedVersion) {\n continue;\n }\n\n let prBodyNotes: string[] = [];\n try {\n prBodyNotes = ['### GitHub Vulnerability Alerts'].concat(\n val.advisories.map((advisory) => {\n const identifiers = advisory.identifiers;\n const description = advisory.description;\n let content = '#### ';\n let heading: string;\n if (identifiers.some((id) => id.type === 'CVE')) {\n heading = identifiers\n .filter((id) => id.type === 'CVE')\n .map((id) => id.value)\n .join(' / ');\n } else {\n heading = identifiers.map((id) => id.value).join(' / ');\n }\n if (advisory.references?.length) {\n heading = `[${heading}](${advisory.references[0].url})`;\n }\n content += heading;\n 
content += '\\n\\n';\n\n content += sanitizeMarkdown(description);\n\n content += '\\n\\n##### Severity\\n';\n const { cvss_v4, cvss_v3 } = advisory.cvss_severities ?? {};\n const cvss = cvss_v4?.vector_string ? cvss_v4 : cvss_v3;\n if (is.number(cvss?.score) && cvss?.vector_string) {\n content += `- CVSS Score: ${cvss.score.toFixed(1)} / 10 (${titleCase(advisory.severity)})\\n`;\n content += `- Vector String: \\`${cvss.vector_string}\\``;\n } else {\n content += titleCase(advisory.severity);\n }\n\n return content;\n }),\n );\n } catch (err) /* istanbul ignore next */ {\n logger.warn({ err }, 'Error generating vulnerability PR notes');\n }\n // TODO: types (#22198)\n const matchFileNames =\n datasource === GoDatasource.id\n ? [fileName.replace('go.sum', 'go.mod')]\n : [fileName];\n let matchRule: PackageRule = {\n matchDatasources: [datasource],\n matchPackageNames: [depName],\n matchFileNames,\n };\n\n let matchCurrentVersion = `< ${val.firstPatchedVersion}`;\n if (\n datasource === MavenDatasource.id ||\n datasource === NugetDatasource.id\n ) {\n matchCurrentVersion = `(,${val.firstPatchedVersion})`;\n } else if (datasource === GithubTagsDatasource.id) {\n matchCurrentVersion = `!/^${escapeRegExp(val.firstPatchedVersion)}$/`;\n }\n\n // Remediate only direct dependencies\n matchRule = {\n ...matchRule,\n matchCurrentVersion,\n vulnerabilityFixVersion: val.firstPatchedVersion,\n vulnerabilitySeverity: val.severity,\n prBodyNotes,\n isVulnerabilityAlert: true,\n force: {\n ...config.vulnerabilityAlerts,\n },\n };\n alertPackageRules.push(matchRule);\n }\n }\n }\n logger.debug({ alertPackageRules }, 'alert package rules');\n config.packageRules = (config.packageRules ?? 
[]).concat(alertPackageRules);\n return config;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;AAsDA,eAAsB,0BACpB,OACyB;AACzB,KAAI,CAAC,OAAO,oBACV,QAAO;AAET,KAAI,MAAM,oBAAoB,YAAY,OAAO;AAC/C,SAAO,MAAM,oCAAoC;AACjD,SAAO;;CAET,MAAM,SAAS,MAAM,SAAS,0BAA0B;AACxD,KAAI,CAAC,QAAQ,QAAQ;AACnB,SAAO,MAAM,gCAAgC;AAC7C,MAAI,MAAM,wBACR,OAAM,IAAI,MAAM,wBAAwB;AAE1C,SAAO;;CAET,MAAM,SAAS,EAAE,GAAG,OAAO;CAC3B,MAAM,cAAsC;EAC1C,eAAeA;EACf,IAAIA;EACJ,WAAWC;EACX,OAAOC;EACP,KAAK;EACL,OAAOF;EACP,MAAMG;EACN,UAAUC;EACX;CACD,MAAM,iBAAgC,EAAE;AACxC,MAAK,MAAM,SAAS,OAClB,KAAI;AACF,MAAI,MAAM,iBACR;AAEF,MAAI,CAAC,MAAM,wBAAwB,uBAAuB;AACxD,UAAO,MACL,EAAE,OAAO,EACT,4DACD;AACD;;EAEF,MAAM,aACJ,4BACE,MAAM,uBAAuB,QAAQ;EAEzC,MAAM,UAAU,MAAM,uBAAuB,QAAQ;EACrD,MAAM,WAAW,MAAM,WAAW;EAClC,MAAM,WAAW,SAAS,MAAM,IAAI,CAAC,KAAK;EAC1C,MAAM,sBACJ,MAAM,uBAAuB,sBAAsB;EACrD,MAAM,WAAW,MAAM;AAEvB,iBAAe,cAAc,EAAE;AAC/B,iBAAe,UAAU,gBAAgB,EAAE;AAC3C,iBAAe,UAAU,YAAY,aAAa,EAChD,YAAY,EAAE,EACf;EACD,MAAM,eAAe,eAAe,UAAU,YAAY;AAC1D,eAAa,WAAW,KAAK,SAAS;AACtC,eAAa,WAAW,gCACtB,EAAE,uBAAuB,aAAa,UAAU,EAChD,EAAE,uBAAuB,MAAM,uBAAuB,UAAU,CACjE;EACD,MAAM,gBAAgBC,IAAkB,YAAY,YAAY;AAChE,MAAI,cAAc,UAAU,oBAAoB;OAE5C,CAAC,aAAa,uBACd,cAAc,cACZ,qBACA,aAAa,oBACd,CAED,cAAa,sBAAsB;QAGrC,QAAO,MAAM,kCAAkC,oBAAoB;AAErE,eAAa,WAAW;UACjB,KAAK;AACZ,SAAO,KAAK,EAAE,KAAK,EAAE,oCAAoC;;CAG7D,MAAM,oBAAmC,EAAE;AAC3C,QAAO,eAAe,EAAE;AACxB,MAAK,MAAM,CAAC,UAAU,UAAU,OAAO,QAAQ,eAAe,CAC5D,MAAK,MAAM,CAAC,YAAY,iBAAiB,OAAO,QAAQ,MAAM,CAC5D,MAAK,MAAM,CAAC,SAAS,QAAQ,OAAO,QAAQ,aAAa,EAAE;AACzD,MAAI,CAAC,IAAI,oBACP;EAGF,IAAI,cAAwB,EAAE;AAC9B,MAAI;AACF,iBAAc,CAAC,kCAAkC,CAAC,OAChD,IAAI,WAAW,KAAK,aAAa;IAC/B,MAAM,cAAc,SAAS;IAC7B,MAAM,cAAc,SAAS;IAC7B,IAAI,UAAU;IACd,IAAI;AACJ,QAAI,YAAY,MAAM,OAAO,GAAG,SAAS,MAAM,CAC7C,WAAU,YACP,QAAQ,OAAO,GAAG,SAAS,MAAM,CACjC,KAAK,OAAO,GAAG,MAAM,CACrB,KAAK,MAAM;QAEd,WAAU,YAAY,KAAK,OAAO,GAAG,MAAM,CAAC,KAAK,MAAM;AAEzD,QAAI,SAAS,YAAY,OACvB,WAAU,IAAI,QAAQ,IAAI,SAAS,WAAW,GAAG,IAAI;AAEvD,eAAW;AACX,eAAW;AAEX,eAAW,iBAAiB,YAAY;AAExC,eAAW;IACX,MAAM,EAAE,SAAS,YAAY,SAAS,mBAAmB
,EAAE;IAC3D,MAAM,OAAO,SAAS,gBAAgB,UAAU;AAChD,QAAI,GAAG,OAAO,MAAM,MAAM,IAAI,MAAM,eAAe;AACjD,gBAAW,iBAAiB,KAAK,MAAM,QAAQ,EAAE,CAAC,SAAS,UAAU,SAAS,SAAS,CAAC;AACxF,gBAAW,sBAAsB,KAAK,cAAc;UAEpD,YAAW,UAAU,SAAS,SAAS;AAGzC,WAAO;KACP,CACH;WACM,kCAAgC;AACvC,UAAO,KAAK,EAAE,KAAK,EAAE,0CAA0C;;EAGjE,MAAM,iBACJ,eAAe,aAAa,KACxB,CAAC,SAAS,QAAQ,UAAU,SAAS,CAAC,GACtC,CAAC,SAAS;EAChB,IAAI,YAAyB;GAC3B,kBAAkB,CAAC,WAAW;GAC9B,mBAAmB,CAAC,QAAQ;GAC5B;GACD;EAED,IAAI,sBAAsB,KAAK,IAAI;AACnC,MACE,eAAe,gBAAgB,MAC/B,eAAe,gBAAgB,GAE/B,uBAAsB,KAAK,IAAI,oBAAoB;WAC1C,eAAe,qBAAqB,GAC7C,uBAAsB,MAAM,aAAa,IAAI,oBAAoB,CAAC;AAIpE,cAAY;GACV,GAAG;GACH;GACA,yBAAyB,IAAI;GAC7B,uBAAuB,IAAI;GAC3B;GACA,sBAAsB;GACtB,OAAO,EACL,GAAG,OAAO,qBACX;GACF;AACD,oBAAkB,KAAK,UAAU;;AAIvC,QAAO,MAAM,EAAE,mBAAmB,EAAE,sBAAsB;AAC1D,QAAO,gBAAgB,OAAO,gBAAgB,EAAE,EAAE,OAAO,kBAAkB;AAC3E,QAAO"}
|
|
1
|
+
{"version":3,"file":"vulnerability.js","names":["semverVersioning.id","composerVersioning.id","mavenVersioning.id","pep440Versioning.id","rubyVersioning.id","allVersioning.get"],"sources":["../../../../lib/workers/repository/init/vulnerability.ts"],"sourcesContent":["import is from '@sindresorhus/is';\nimport type { PackageRule, RenovateConfig } from '../../../config/types.ts';\nimport { NO_VULNERABILITY_ALERTS } from '../../../constants/error-messages.ts';\nimport { logger } from '../../../logger/index.ts';\nimport { GithubTagsDatasource } from '../../../modules/datasource/github-tags/index.ts';\nimport { MavenDatasource } from '../../../modules/datasource/maven/index.ts';\nimport { NugetDatasource } from '../../../modules/datasource/nuget/index.ts';\nimport type { SecurityAdvisory } from '../../../modules/platform/github/schema.ts';\nimport { platform } from '../../../modules/platform/index.ts';\nimport * as composerVersioning from '../../../modules/versioning/composer/index.ts';\nimport * as allVersioning from '../../../modules/versioning/index.ts';\nimport * as mavenVersioning from '../../../modules/versioning/maven/index.ts';\nimport * as npmVersioning from '../../../modules/versioning/npm/index.ts';\nimport * as pep440Versioning from '../../../modules/versioning/pep440/index.ts';\nimport * as rubyVersioning from '../../../modules/versioning/ruby/index.ts';\nimport * as semverVersioning from '../../../modules/versioning/semver/index.ts';\nimport { sanitizeMarkdown } from '../../../util/markdown.ts';\nimport { escapeRegExp } from '../../../util/regex.ts';\nimport { titleCase } from '../../../util/string.ts';\nimport { githubEcosystemToDatasource } from '../../../util/vulnerability/ecosystem.ts';\nimport {\n getFixedVersionConstraint,\n getHighestVulnerabilitySeverity,\n} from '../../../util/vulnerability/utils.ts';\n\ntype Datasource = string;\ntype DependencyName = string;\n\ntype CombinedAlert = Record<\n Datasource,\n Record<\n DependencyName,\n {\n 
advisories: SecurityAdvisory[];\n firstPatchedVersion?: string;\n severity?: string;\n }\n >\n>;\n\nexport function getFixedVersionByDatasource(\n fixedVersion: string,\n datasource: string,\n): string {\n return getFixedVersionConstraint(fixedVersion, datasource);\n}\n\n// TODO can return `null` and `undefined` (#22198)\nexport async function detectVulnerabilityAlerts(\n input: RenovateConfig,\n): Promise<RenovateConfig> {\n if (!input?.vulnerabilityAlerts) {\n return input;\n }\n if (input.vulnerabilityAlerts.enabled === false) {\n logger.debug('Vulnerability alerts are disabled');\n return input;\n }\n const alerts = await platform.getVulnerabilityAlerts?.();\n if (!alerts?.length) {\n logger.debug('No vulnerability alerts found');\n if (input.vulnerabilityAlertsOnly) {\n throw new Error(NO_VULNERABILITY_ALERTS);\n }\n return input;\n }\n const config = { ...input };\n const versionings: Record<string, string> = {\n 'github-tags': semverVersioning.id,\n go: semverVersioning.id,\n packagist: composerVersioning.id,\n maven: mavenVersioning.id,\n npm: npmVersioning.id,\n nuget: semverVersioning.id,\n pypi: pep440Versioning.id,\n rubygems: rubyVersioning.id,\n };\n const combinedAlerts: CombinedAlert = {};\n for (const alert of alerts) {\n try {\n if (alert.dismissed_reason) {\n continue;\n }\n if (!alert.security_vulnerability?.first_patched_version) {\n logger.debug(\n { alert },\n 'Vulnerability alert has no firstPatchedVersion - skipping',\n );\n continue;\n }\n const datasource =\n githubEcosystemToDatasource[\n alert.security_vulnerability.package.ecosystem\n ];\n const depName = alert.security_vulnerability.package.name;\n const firstPatchedVersion =\n alert.security_vulnerability.first_patched_version.identifier;\n const advisory = alert.security_advisory;\n\n combinedAlerts[datasource] ??= {};\n combinedAlerts[datasource][depName] ??= {\n advisories: [],\n };\n const alertDetails = combinedAlerts[datasource][depName];\n 
alertDetails.advisories.push(advisory);\n alertDetails.severity = getHighestVulnerabilitySeverity(\n { vulnerabilitySeverity: alertDetails.severity },\n { vulnerabilitySeverity: alert.security_vulnerability.severity },\n );\n const versioningApi = allVersioning.get(versionings[datasource]);\n if (versioningApi.isVersion(firstPatchedVersion)) {\n if (\n !alertDetails.firstPatchedVersion ||\n versioningApi.isGreaterThan(\n firstPatchedVersion,\n alertDetails.firstPatchedVersion,\n )\n ) {\n alertDetails.firstPatchedVersion = firstPatchedVersion;\n }\n } else {\n logger.debug('Invalid firstPatchedVersion: ' + firstPatchedVersion);\n }\n } catch (err) {\n logger.warn({ err }, 'Error parsing vulnerability alert');\n }\n }\n const alertPackageRules: PackageRule[] = [];\n config.remediations = {} as never;\n for (const [datasource, dependencies] of Object.entries(combinedAlerts)) {\n for (const [depName, val] of Object.entries(dependencies)) {\n if (!val.firstPatchedVersion) {\n continue;\n }\n\n let prBodyNotes: string[] = [];\n try {\n prBodyNotes = ['### GitHub Vulnerability Alerts'].concat(\n val.advisories.map((advisory) => {\n const identifiers = advisory.identifiers;\n const description = advisory.description;\n let content = '#### ';\n let heading: string;\n if (identifiers.some((id) => id.type === 'CVE')) {\n heading = identifiers\n .filter((id) => id.type === 'CVE')\n .map((id) => id.value)\n .join(' / ');\n } else {\n heading = identifiers.map((id) => id.value).join(' / ');\n }\n if (advisory.references?.length) {\n heading = `[${heading}](${advisory.references[0].url})`;\n }\n content += heading;\n content += '\\n\\n';\n\n content += sanitizeMarkdown(description);\n\n content += '\\n\\n##### Severity\\n';\n const { cvss_v4, cvss_v3 } = advisory.cvss_severities ?? {};\n const cvss = cvss_v4?.vector_string ? 
cvss_v4 : cvss_v3;\n if (is.number(cvss?.score) && cvss?.vector_string) {\n content += `- CVSS Score: ${cvss.score.toFixed(1)} / 10 (${titleCase(advisory.severity)})\\n`;\n content += `- Vector String: \\`${cvss.vector_string}\\``;\n } else {\n content += titleCase(advisory.severity);\n }\n\n return content;\n }),\n );\n } catch (err) /* istanbul ignore next */ {\n logger.warn({ err }, 'Error generating vulnerability PR notes');\n }\n let matchRule: PackageRule = {\n matchDatasources: [datasource],\n matchPackageNames: [depName],\n };\n\n let matchCurrentVersion = `< ${val.firstPatchedVersion}`;\n if (\n datasource === MavenDatasource.id ||\n datasource === NugetDatasource.id\n ) {\n matchCurrentVersion = `(,${val.firstPatchedVersion})`;\n } else if (datasource === GithubTagsDatasource.id) {\n matchCurrentVersion = `!/^${escapeRegExp(val.firstPatchedVersion)}$/`;\n }\n\n matchRule = {\n ...matchRule,\n matchCurrentVersion,\n vulnerabilityFixVersion: val.firstPatchedVersion,\n vulnerabilitySeverity: val.severity,\n prBodyNotes,\n isVulnerabilityAlert: true,\n force: {\n ...config.vulnerabilityAlerts,\n },\n };\n alertPackageRules.push(matchRule);\n }\n }\n logger.debug({ alertPackageRules }, 'alert package rules');\n config.packageRules = (config.packageRules ?? 
[]).concat(alertPackageRules);\n return config;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAgDA,eAAsB,0BACpB,OACyB;AACzB,KAAI,CAAC,OAAO,oBACV,QAAO;AAET,KAAI,MAAM,oBAAoB,YAAY,OAAO;AAC/C,SAAO,MAAM,oCAAoC;AACjD,SAAO;;CAET,MAAM,SAAS,MAAM,SAAS,0BAA0B;AACxD,KAAI,CAAC,QAAQ,QAAQ;AACnB,SAAO,MAAM,gCAAgC;AAC7C,MAAI,MAAM,wBACR,OAAM,IAAI,MAAM,wBAAwB;AAE1C,SAAO;;CAET,MAAM,SAAS,EAAE,GAAG,OAAO;CAC3B,MAAM,cAAsC;EAC1C,eAAeA;EACf,IAAIA;EACJ,WAAWC;EACX,OAAOC;EACP,KAAK;EACL,OAAOF;EACP,MAAMG;EACN,UAAUC;EACX;CACD,MAAM,iBAAgC,EAAE;AACxC,MAAK,MAAM,SAAS,OAClB,KAAI;AACF,MAAI,MAAM,iBACR;AAEF,MAAI,CAAC,MAAM,wBAAwB,uBAAuB;AACxD,UAAO,MACL,EAAE,OAAO,EACT,4DACD;AACD;;EAEF,MAAM,aACJ,4BACE,MAAM,uBAAuB,QAAQ;EAEzC,MAAM,UAAU,MAAM,uBAAuB,QAAQ;EACrD,MAAM,sBACJ,MAAM,uBAAuB,sBAAsB;EACrD,MAAM,WAAW,MAAM;AAEvB,iBAAe,gBAAgB,EAAE;AACjC,iBAAe,YAAY,aAAa,EACtC,YAAY,EAAE,EACf;EACD,MAAM,eAAe,eAAe,YAAY;AAChD,eAAa,WAAW,KAAK,SAAS;AACtC,eAAa,WAAW,gCACtB,EAAE,uBAAuB,aAAa,UAAU,EAChD,EAAE,uBAAuB,MAAM,uBAAuB,UAAU,CACjE;EACD,MAAM,gBAAgBC,IAAkB,YAAY,YAAY;AAChE,MAAI,cAAc,UAAU,oBAAoB;OAE5C,CAAC,aAAa,uBACd,cAAc,cACZ,qBACA,aAAa,oBACd,CAED,cAAa,sBAAsB;QAGrC,QAAO,MAAM,kCAAkC,oBAAoB;UAE9D,KAAK;AACZ,SAAO,KAAK,EAAE,KAAK,EAAE,oCAAoC;;CAG7D,MAAM,oBAAmC,EAAE;AAC3C,QAAO,eAAe,EAAE;AACxB,MAAK,MAAM,CAAC,YAAY,iBAAiB,OAAO,QAAQ,eAAe,CACrE,MAAK,MAAM,CAAC,SAAS,QAAQ,OAAO,QAAQ,aAAa,EAAE;AACzD,MAAI,CAAC,IAAI,oBACP;EAGF,IAAI,cAAwB,EAAE;AAC9B,MAAI;AACF,iBAAc,CAAC,kCAAkC,CAAC,OAChD,IAAI,WAAW,KAAK,aAAa;IAC/B,MAAM,cAAc,SAAS;IAC7B,MAAM,cAAc,SAAS;IAC7B,IAAI,UAAU;IACd,IAAI;AACJ,QAAI,YAAY,MAAM,OAAO,GAAG,SAAS,MAAM,CAC7C,WAAU,YACP,QAAQ,OAAO,GAAG,SAAS,MAAM,CACjC,KAAK,OAAO,GAAG,MAAM,CACrB,KAAK,MAAM;QAEd,WAAU,YAAY,KAAK,OAAO,GAAG,MAAM,CAAC,KAAK,MAAM;AAEzD,QAAI,SAAS,YAAY,OACvB,WAAU,IAAI,QAAQ,IAAI,SAAS,WAAW,GAAG,IAAI;AAEvD,eAAW;AACX,eAAW;AAEX,eAAW,iBAAiB,YAAY;AAExC,eAAW;IACX,MAAM,EAAE,SAAS,YAAY,SAAS,mBAAmB,EAAE;IAC3D,MAAM,OAAO,SAAS,gBAAgB,UAAU;AAChD,QAAI,GAAG,OAAO,MAAM,MAAM,IAAI,MAAM,eAAe;AACjD,gBAAW,iBAAiB,KAAK,MAAM,QAAQ,EAAE,CAAC,SAAS,UAAU,SAAS,SAAS,CAAC;AACxF,gBAAW,s
BAAsB,KAAK,cAAc;UAEpD,YAAW,UAAU,SAAS,SAAS;AAGzC,WAAO;KACP,CACH;WACM,kCAAgC;AACvC,UAAO,KAAK,EAAE,KAAK,EAAE,0CAA0C;;EAEjE,IAAI,YAAyB;GAC3B,kBAAkB,CAAC,WAAW;GAC9B,mBAAmB,CAAC,QAAQ;GAC7B;EAED,IAAI,sBAAsB,KAAK,IAAI;AACnC,MACE,eAAe,gBAAgB,MAC/B,eAAe,gBAAgB,GAE/B,uBAAsB,KAAK,IAAI,oBAAoB;WAC1C,eAAe,qBAAqB,GAC7C,uBAAsB,MAAM,aAAa,IAAI,oBAAoB,CAAC;AAGpE,cAAY;GACV,GAAG;GACH;GACA,yBAAyB,IAAI;GAC7B,uBAAuB,IAAI;GAC3B;GACA,sBAAsB;GACtB,OAAO,EACL,GAAG,OAAO,qBACX;GACF;AACD,oBAAkB,KAAK,UAAU;;AAGrC,QAAO,MAAM,EAAE,mBAAmB,EAAE,sBAAsB;AAC1D,QAAO,gBAAgB,OAAO,gBAAgB,EAAE,EAAE,OAAO,kBAAkB;AAC3E,QAAO"}
|
package/package.json
CHANGED
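--- a/package/renovate-schema.json
+++ b/package/renovate-schema.json
@@ -1,8 +1,8 @@
 {
 "$id": "https://docs.renovatebot.com/renovate-schema.json",
-"title": "JSON schema for Renovate 43.120.
+"title": "JSON schema for Renovate 43.120.2 config files (https://renovatebot.com/)",
 "$schema": "http://json-schema.org/draft-07/schema#",
-"x-renovate-version": "43.120.
+"x-renovate-version": "43.120.2",
 "allowComments": true,
 "type": "object",
 "properties": {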