fix(vulnerabilities): set matchCurrentVersion for github alerts (#31612)

renovatebot · Sep 25, 2024 · b2e2b0d · b2e2b0d
1 parent f96ecc1
commit b2e2b0d
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 0 deletions.
diff --git a/lib/workers/repository/init/__snapshots__/vulnerability.spec.ts.snap b/lib/workers/repository/init/__snapshots__/vulnerability.spec.ts.snap
@@ -15,6 +15,7 @@ exports[`workers/repository/init/vulnerability detectVulnerabilityAlerts() retur
       "vulnerabilityFixStrategy": "lowest",
     },
     "isVulnerabilityAlert": true,
+    "matchCurrentVersion": "< 1.8.3",
     "matchDatasources": [
       "go",
     ],
@@ -50,6 +51,7 @@ exports[`workers/repository/init/vulnerability detectVulnerabilityAlerts() retur
       "vulnerabilityFixStrategy": "lowest",
     },
     "isVulnerabilityAlert": true,
+    "matchCurrentVersion": "(,2.7.9.4)",
     "matchDatasources": [
       "maven",
     ],
@@ -85,6 +87,7 @@ exports[`workers/repository/init/vulnerability detectVulnerabilityAlerts() retur
       "vulnerabilityFixStrategy": "lowest",
     },
     "isVulnerabilityAlert": true,
+    "matchCurrentVersion": "< 2.2.1.0",
     "matchDatasources": [
       "pypi",
     ],

diff --git a/lib/workers/repository/init/vulnerability.ts b/lib/workers/repository/init/vulnerability.ts
@@ -184,9 +184,15 @@ export async function detectVulnerabilityAlerts(
           matchFileNames,
         };
 
+        let matchCurrentVersion = `< ${val.firstPatchedVersion}`;
+        if (datasource === MavenDatasource.id) {
+          matchCurrentVersion = `(,${val.firstPatchedVersion})`;
+        }
+
         // Remediate only direct dependencies
         matchRule = {
           ...matchRule,
+          matchCurrentVersion,
           vulnerabilityFixVersion: val.firstPatchedVersion,
           prBodyNotes,
           isVulnerabilityAlert: true,