fix(worker/repository): add normalized match for pip alertPackageRules (

#28214)
renovatebot · Apr 18, 2024 · dfbb054 · dfbb054
1 parent 6e389d7
commit dfbb054
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 0 deletions.
diff --git a/lib/workers/repository/init/vulnerability.spec.ts b/lib/workers/repository/init/vulnerability.spec.ts
@@ -368,6 +368,41 @@ describe('workers/repository/init/vulnerability', () => {
       expect(res.packageRules).toHaveLength(1);
     });
 
+    it('returns pip alerts with normalized name', async () => {
+      // TODO #22198
+      delete config.vulnerabilityAlerts!.enabled;
+      platform.getVulnerabilityAlerts.mockResolvedValue([
+        {
+          dismissReason: null,
+          vulnerableManifestFilename: 'requirements.txt',
+          vulnerableManifestPath: 'requirements.txt',
+          vulnerableRequirements: '= 1.6.7',
+          securityAdvisory: {
+            description: 'Description',
+            identifiers: [
+              { type: 'GHSA', value: 'GHSA-m956-frf4-m2wr' },
+              { type: 'CVE', value: 'CVE-2016-2137' },
+            ],
+            references: [
+              { url: 'https://nvd.nist.gov/vuln/detail/CVE-2016-9587' },
+            ],
+            severity: 'MODERATE',
+          },
+          securityVulnerability: {
+            package: { name: 'Pillow', ecosystem: 'PIP' },
+            firstPatchedVersion: { identifier: '2.1.4' },
+            vulnerableVersionRange: '< 2.1.4',
+          },
+        },
+      ]);
+      const res = await detectVulnerabilityAlerts(config);
+      expect(res.packageRules).toHaveLength(1);
+      expect(res.packageRules![0].matchPackageNames).toEqual([
+        'Pillow',
+        'pillow',
+      ]);
+    });
+
     it('returns remediations', async () => {
       config.transitiveRemediation = true;
       // TODO #22198

diff --git a/lib/workers/repository/init/vulnerability.ts b/lib/workers/repository/init/vulnerability.ts
@@ -9,6 +9,7 @@ import { NpmDatasource } from '../../../modules/datasource/npm';
 import { NugetDatasource } from '../../../modules/datasource/nuget';
 import { PackagistDatasource } from '../../../modules/datasource/packagist';
 import { PypiDatasource } from '../../../modules/datasource/pypi';
+import { normalizeDepName } from '../../../modules/datasource/pypi/common';
 import { RubyGemsDatasource } from '../../../modules/datasource/rubygems';
 import { platform } from '../../../modules/platform';
 import * as allVersioning from '../../../modules/versioning';
@@ -218,6 +219,12 @@ export async function detectVulnerabilityAlerts(
             matchCurrentVersion,
             matchFileNames,
           };
+          if (
+            datasource === PypiDatasource.id &&
+            normalizeDepName(depName) !== depName
+          ) {
+            matchRule.matchPackageNames?.push(normalizeDepName(depName));
+          }
           const supportedRemediationFileTypes = ['package-lock.json'];
           if (
             config.transitiveRemediation &&