Merge pull request #186 from SalimBensiali/fix-incorrect-vulnerable-manifest-path-check

Fix incorrect vulnerable manifest path check
2026-03-13 18:17:13 -04:00 · 2022-03-30 14:14:03 +01:00
parent e79f0f25a3 aa4ffba345
commit 7e50846bfd
3 changed files with 46 additions and 2 deletions
--- a/dist/index.js
+++ b/dist/index.js
@@ -9218,7 +9218,7 @@ function getAlert(name, version, directory, client, context) {
     }`);
        const nodes = (_b = (_a = alerts === null || alerts === void 0 ? void 0 : alerts.repository) === null || _a === void 0 ? void 0 : _a.vulnerabilityAlerts) === null || _b === void 0 ? void 0 : _b.nodes;
        const found = nodes.find(a => (version === '' || a.vulnerableRequirements === `= ${version}`) &&
-            trimSlashes(a.vulnerableManifestPath) === `${trimSlashes(directory)}/${a.vulnerableManifestFilename}` &&
+            trimSlashes(a.vulnerableManifestPath) === trimSlashes(`${directory}/${a.vulnerableManifestFilename}`) &&
            a.securityVulnerability.package.name === name);
        return {
            alertState: (_c = found === null || found === void 0 ? void 0 : found.state) !== null && _c !== void 0 ? _c : '',
--- a/src/dependabot/verified_commits.test.ts
+++ b/src/dependabot/verified_commits.test.ts
@@ -134,11 +134,35 @@ const response = {
  }
 }

+const responseWithManifestFileAtRoot = {
+  data: {
+    repository: {
+      vulnerabilityAlerts: {
+        nodes: [
+          {
+            vulnerableManifestFilename: 'package.json',
+            vulnerableManifestPath: 'package.json',
+            vulnerableRequirements: '= 4.0.1',
+            state: 'DISMISSED',
+            securityVulnerability: { package: { name: 'coffee-script' } },
+            securityAdvisory: { cvss: { score: 4.5 }, ghsaId: 'FOO' }
+          }
+        ]
+      }
+    }
+  }
+}
+
 test('it returns the alert state if it matches all 3', async () => {
  nock('https://api.github.com').post('/graphql', query)
    .reply(200, response)

  expect(await getAlert('coffee-script', '4.0.1', '/wwwroot', mockGitHubClient, mockGitHubPullContext())).toEqual({ alertState: 'DISMISSED', cvss: 4.5, ghsaId: 'FOO' })
+
+  nock('https://api.github.com').post('/graphql', query)
+    .reply(200, responseWithManifestFileAtRoot)
+
+  expect(await getAlert('coffee-script', '4.0.1', '/', mockGitHubClient, mockGitHubPullContext())).toEqual({ alertState: 'DISMISSED', cvss: 4.5, ghsaId: 'FOO' })
 })

 test('it returns the alert state if it matches 2 and the version is blank', async () => {
@@ -146,6 +170,11 @@ test('it returns the alert state if it matches 2 and the version is blank', asyn
    .reply(200, response)

  expect(await getAlert('coffee-script', '', '/wwwroot', mockGitHubClient, mockGitHubPullContext())).toEqual({ alertState: 'DISMISSED', cvss: 4.5, ghsaId: 'FOO' })
+
+  nock('https://api.github.com').post('/graphql', query)
+    .reply(200, responseWithManifestFileAtRoot)
+
+  expect(await getAlert('coffee-script', '', '/', mockGitHubClient, mockGitHubPullContext())).toEqual({ alertState: 'DISMISSED', cvss: 4.5, ghsaId: 'FOO' })
 })

 test('it returns default if it does not match the version', async () => {
@@ -153,6 +182,11 @@ test('it returns default if it does not match the version', async () => {
    .reply(200, response)

  expect(await getAlert('coffee-script', '4.0.2', '/wwwroot', mockGitHubClient, mockGitHubPullContext())).toEqual({ alertState: '', cvss: 0, ghsaId: '' })
+
+  nock('https://api.github.com').post('/graphql', query)
+    .reply(200, responseWithManifestFileAtRoot)
+
+  expect(await getAlert('coffee-script', '4.0.2', '/', mockGitHubClient, mockGitHubPullContext())).toEqual({ alertState: '', cvss: 0, ghsaId: '' })
 })

 test('it returns default if it does not match the directory', async () => {
@@ -160,6 +194,11 @@ test('it returns default if it does not match the directory', async () => {
    .reply(200, response)

  expect(await getAlert('coffee-script', '4.0.1', '/', mockGitHubClient, mockGitHubPullContext())).toEqual({ alertState: '', cvss: 0, ghsaId: '' })
+
+  nock('https://api.github.com').post('/graphql', query)
+    .reply(200, responseWithManifestFileAtRoot)
+
+  expect(await getAlert('coffee-script', '4.0.1', '/wwwroot', mockGitHubClient, mockGitHubPullContext())).toEqual({ alertState: '', cvss: 0, ghsaId: '' })
 })

 test('it returns default if it does not match the name', async () => {
@@ -167,6 +206,11 @@ test('it returns default if it does not match the name', async () => {
    .reply(200, response)

  expect(await getAlert('coffee', '4.0.1', '/wwwroot', mockGitHubClient, mockGitHubPullContext())).toEqual({ alertState: '', cvss: 0, ghsaId: '' })
+
+  nock('https://api.github.com').post('/graphql', query)
+    .reply(200, responseWithManifestFileAtRoot)
+
+  expect(await getAlert('coffee', '4.0.1', '/', mockGitHubClient, mockGitHubPullContext())).toEqual({ alertState: '', cvss: 0, ghsaId: '' })
 })

 test('trimSlashes should only trim slashes from both ends', () => {
--- a/src/dependabot/verified_commits.ts
+++ b/src/dependabot/verified_commits.ts
@@ -78,7 +78,7 @@ export async function getAlert (name: string, version: string, directory: string

  const nodes = alerts?.repository?.vulnerabilityAlerts?.nodes
  const found = nodes.find(a => (version === '' || a.vulnerableRequirements === `= ${version}`) &&
-      trimSlashes(a.vulnerableManifestPath) === `${trimSlashes(directory)}/${a.vulnerableManifestFilename}` &&
+      trimSlashes(a.vulnerableManifestPath) === trimSlashes(`${directory}/${a.vulnerableManifestFilename}`) &&
      a.securityVulnerability.package.name === name)

  return {