[pull] main from renovatebot:main

lib/modules/platform/github/schema.ts

@@ -2,25 +2,27 @@ import { z } from 'zod/v3';
 import { logger } from '../../../logger/index.ts';
 import { LooseArray } from '../../../util/schema-utils/index.ts';
 
+const Ecosystem = z.enum([
+  'actions',
+  'composer',
+  'go',
+  'maven',
+  'npm',
+  'nuget',
+  'pip',
+  'rubygems',
+  'rust',
+]);
+export type Ecosystem = z.infer<typeof Ecosystem>;
+
 const Package = z.object({
-  ecosystem: z
-    .union([
-      z.literal('maven'),
-      z.literal('npm'),
-      z.literal('nuget'),
-      z.literal('pip'),
-      z.literal('rubygems'),
-      z.literal('rust'),
-      z.literal('composer'),
-      z.literal('go'),
-    ])
-    .catch((ctx) => {
-      logger.debug(
-        { ecosystem: ctx.input },
-        'Skipping vulnerability alert with unsupported ecosystem',
-      );
-      return undefined as any;
-    }),
+  ecosystem: Ecosystem.catch((ctx) => {
+    logger.debug(
+      { ecosystem: ctx.input },
+      'Skipping vulnerability alert with unsupported ecosystem',
+    );
+    return undefined as any;
+  }),
   name: z.string(),
 });
 

lib/types/vulnerability-alert.ts

@@ -1,13 +1,7 @@
+import type { Ecosystem } from '../modules/platform/github/schema.ts';
+
 export interface VulnerabilityPackage {
-  ecosystem:
-    | 'maven'
-    | 'npm'
-    | 'nuget'
-    | 'pip'
-    | 'rubygems'
-    | 'rust'
-    | 'composer'
-    | 'go';
+  ecosystem: Ecosystem;
   name: string;
 }
 export interface SecurityVulnerability {

lib/workers/repository/init/vulnerability.spec.ts

@@ -382,6 +382,58 @@ describe('workers/repository/init/vulnerability', () => {
       expect(res.packageRules).toHaveLength(1);
     });
 
+    it('returns GitHub Actions alerts', async () => {
+      // TODO #22198
+      delete config.vulnerabilityAlerts!.enabled;
+      platform.getVulnerabilityAlerts.mockResolvedValue([
+        {
+          dependency: {
+            manifest_path: '.github/workflows/j178.yml',
+          },
+          security_advisory: {
+            description:
+              '### Summary\\nThere are three potential attacks of arbitrary code injection vulnerability in the composite action at _action.yml_.\\n\\n### Details\\nThe GitHub Action variables `inputs.prek-version`, `inputs.extra_args`, and `inputs.extra-args` can be used to execute arbitrary code in the context of the action.',
+            identifiers: [{ type: 'GHSA', value: 'GHSA-pwf7-47c3-mfhx' }],
+            references: [
+              {
+                url: 'https://github.com/j178/prek-action/security/advisories/GHSA-pwf7-47c3-mfhx',
+              },
+              {
+                url: 'https://github.com/j178/prek-action/commit/6b7c6ef5c3875c766893b881b40773cd5605bde3',
+              },
+              { url: 'https://github.com/advisories/GHSA-pwf7-47c3-mfhx' },
+            ],
+          },
+          security_vulnerability: {
+            package: {
+              ecosystem: 'actions',
+              name: 'j178/prek-action',
+            },
+            vulnerable_version_range: '<= 1.0.5',
+            first_patched_version: { identifier: '1.0.6' },
+          },
+        },
+      ]);
+
+      const res = await detectVulnerabilityAlerts(config);
+      expect(res).toMatchObject({
+        packageRules: [
+          {
+            matchDatasources: ['github-tags'],
+            matchPackageNames: ['j178/prek-action'],
+            matchFileNames: ['.github/workflows/j178.yml'],
+            matchCurrentVersion: '!/^1\\.0\\.6$/',
+            vulnerabilityFixVersion: '1.0.6',
+            prBodyNotes: [
+              '### GitHub Vulnerability Alerts',
+              '#### [GHSA-pwf7-47c3-mfhx](https://github.com/j178/prek-action/security/advisories/GHSA-pwf7-47c3-mfhx)\n\n### Summary\\nThere are three potential attacks of arbitrary code injection vulnerability in the composite action at _action.yml_.\\n\\n### Details\\nThe GitHub Action variables `inputs.prek-version`, `inputs.extra_args`, and `inputs.extra-args` can be used to execute arbitrary code in the context of the action.',
+            ],
+            isVulnerabilityAlert: true,
+          },
+        ],
+      });
+    });
+
     it('skips package rule if no valid firstPatchedVersion found across multiple alerts', async () => {
       platform.getVulnerabilityAlerts.mockResolvedValue([
         {

lib/workers/repository/init/vulnerability.ts

@@ -2,13 +2,15 @@ import type { PackageRule, RenovateConfig } from '../../../config/types.ts';
 import { NO_VULNERABILITY_ALERTS } from '../../../constants/error-messages.ts';
 import { logger } from '../../../logger/index.ts';
 import { CrateDatasource } from '../../../modules/datasource/crate/index.ts';
+import { GithubTagsDatasource } from '../../../modules/datasource/github-tags/index.ts';
 import { GoDatasource } from '../../../modules/datasource/go/index.ts';
 import { MavenDatasource } from '../../../modules/datasource/maven/index.ts';
 import { NpmDatasource } from '../../../modules/datasource/npm/index.ts';
 import { NugetDatasource } from '../../../modules/datasource/nuget/index.ts';
 import { PackagistDatasource } from '../../../modules/datasource/packagist/index.ts';
 import { PypiDatasource } from '../../../modules/datasource/pypi/index.ts';
 import { RubygemsDatasource } from '../../../modules/datasource/rubygems/index.ts';
+import type { Ecosystem } from '../../../modules/platform/github/schema.ts';
 import { platform } from '../../../modules/platform/index.ts';
 import * as composerVersioning from '../../../modules/versioning/composer/index.ts';
 import * as allVersioning from '../../../modules/versioning/index.ts';
@@ -19,6 +21,7 @@ import * as rubyVersioning from '../../../modules/versioning/ruby/index.ts';
 import * as semverVersioning from '../../../modules/versioning/semver/index.ts';
 import type { SecurityAdvisory } from '../../../types/index.ts';
 import { sanitizeMarkdown } from '../../../util/markdown.ts';
+import { escapeRegExp } from '../../../util/regex.ts';
 
 type Datasource = string;
 type DependencyName = string;
@@ -94,7 +97,8 @@ export async function detectVulnerabilityAlerts(
         );
         continue;
       }
-      const datasourceMapping: Record<string, string> = {
+      const datasourceMapping: Record<Ecosystem, string> = {
+        actions: GithubTagsDatasource.id,
         composer: PackagistDatasource.id,
         go: GoDatasource.id,
         maven: MavenDatasource.id,
@@ -194,6 +198,8 @@ export async function detectVulnerabilityAlerts(
           datasource === NugetDatasource.id
         ) {
           matchCurrentVersion = `(,${val.firstPatchedVersion})`;
+        } else if (datasource === GithubTagsDatasource.id) {
+          matchCurrentVersion = `!/^${escapeRegExp(val.firstPatchedVersion)}$/`;
         }
 
         // Remediate only direct dependencies

lib/workers/repository/process/vulnerabilities.spec.ts

@@ -24,8 +24,15 @@ vi.mock('@renovatebot/osv-offline', () => {
 
 describe('workers/repository/process/vulnerabilities', () => {
   describe('create()', () => {
-    it('works', async () => {
+    beforeEach(resetOsv);
+
+    it('works, and is a singleton', async () => {
+      createMock.mockResolvedValue({
+        getVulnerabilities: getVulnerabilitiesMock,
+      });
+      await expect(Vulnerabilities.create()).resolves.not.toThrow();
       await expect(Vulnerabilities.create()).resolves.not.toThrow();
+      expect(createMock).toHaveBeenCalledTimes(1);
     });
 
     it('throws when osv-offline error', async () => {
@@ -40,6 +47,7 @@ describe('workers/repository/process/vulnerabilities', () => {
     let vulnerabilities: Vulnerabilities;
 
     beforeAll(async () => {
+      resetOsv();
       createMock.mockResolvedValue({
         getVulnerabilities: getVulnerabilitiesMock,
       });
@@ -144,6 +152,7 @@ describe('workers/repository/process/vulnerabilities', () => {
     };
 
     beforeAll(async () => {
+      resetOsv();
       createMock.mockResolvedValue({
         getVulnerabilities: getVulnerabilitiesMock,
       });
@@ -1551,3 +1560,8 @@ describe('workers/repository/process/vulnerabilities', () => {
     });
   });
 });
+
+function resetOsv() {
+  // @ts-expect-error - reset the cached OSV client to avoid state leak between tests
+  Vulnerabilities.osvOffline = undefined;
+}

lib/workers/repository/process/vulnerabilities.ts

@@ -35,7 +35,9 @@ const { fromVector } = (_aeCvss as unknown as { default: typeof _aeCvss })
   .default;
 
 export class Vulnerabilities {
-  private osvOffline: OsvOffline | undefined;
+  private static osvOffline: Promise<OsvOffline> | undefined;
+
+  private osvOffline: OsvOffline;
 
   private static readonly datasourceEcosystemMap: Record<
     string,
@@ -53,17 +55,21 @@ export class Vulnerabilities {
     rubygems: 'RubyGems',
   };
 
-  private constructor() {
-    // private constructor
+  private constructor(osvOffline: OsvOffline) {
+    this.osvOffline = osvOffline;
   }
 
-  private async initialize(): Promise<void> {
-    this.osvOffline = await OsvOffline.create();
+  private static initialize(): Promise<OsvOffline> {
+    // no async here, so osv promise will only be created once
+    Vulnerabilities.osvOffline ??= OsvOffline.create();
+    return Vulnerabilities.osvOffline;
   }
 
   static async create(): Promise<Vulnerabilities> {
-    const instance = new Vulnerabilities();
-    await instance.initialize();
+    // intialize osv only once
+    const osvOffline = await Vulnerabilities.initialize();
+
+    const instance = new Vulnerabilities(osvOffline);
     return instance;
   }
 
@@ -180,7 +186,7 @@ export class Vulnerabilities {
     try {
       const osvVulnerabilities = await instrument(
         'get OSV vulnerabilities',
-        () => this.osvOffline?.getVulnerabilities(ecosystem, packageName),
+        () => this.osvOffline.getVulnerabilities(ecosystem, packageName),
         {
           attributes: {
             packageName,

package.json

@@ -183,7 +183,7 @@
     "@redis/client": "5.11.0",
     "@renovatebot/detect-tools": "1.2.8",
     "@renovatebot/good-enough-parser": "1.2.0",
-    "@renovatebot/osv-offline": "2.1.0",
+    "@renovatebot/osv-offline": "2.1.2",
     "@renovatebot/pep440": "4.2.2",
     "@renovatebot/pgp": "1.3.2",
     "@renovatebot/ruby-semver": "4.1.2",