Merge pull request #186 from SalimBensiali/fix-incorrect-vulnerable-m…

…anifest-path-check Fix incorrect vulnerable manifest path check
dependabot · Mar 30, 2022 · 7e50846 · 7e50846
2 parents e79f0f2 + aa4ffba
commit 7e50846
Show file tree

Hide file tree

Showing 3 changed files with 46 additions and 2 deletions.
diff --git a/dist/index.js b/dist/index.js
diff --git a/src/dependabot/verified_commits.test.ts b/src/dependabot/verified_commits.test.ts
@@ -134,39 +134,83 @@ const response = {
   }
 }
 
+const responseWithManifestFileAtRoot = {
+  data: {
+    repository: {
+      vulnerabilityAlerts: {
+        nodes: [
+          {
+            vulnerableManifestFilename: 'package.json',
+            vulnerableManifestPath: 'package.json',
+            vulnerableRequirements: '= 4.0.1',
+            state: 'DISMISSED',
+            securityVulnerability: { package: { name: 'coffee-script' } },
+            securityAdvisory: { cvss: { score: 4.5 }, ghsaId: 'FOO' }
+          }
+        ]
+      }
+    }
+  }
+}
+
 test('it returns the alert state if it matches all 3', async () => {
   nock('https://api.github.com').post('/graphql', query)
     .reply(200, response)
 
   expect(await getAlert('coffee-script', '4.0.1', '/wwwroot', mockGitHubClient, mockGitHubPullContext())).toEqual({ alertState: 'DISMISSED', cvss: 4.5, ghsaId: 'FOO' })
+
+  nock('https://api.github.com').post('/graphql', query)
+    .reply(200, responseWithManifestFileAtRoot)
+
+  expect(await getAlert('coffee-script', '4.0.1', '/', mockGitHubClient, mockGitHubPullContext())).toEqual({ alertState: 'DISMISSED', cvss: 4.5, ghsaId: 'FOO' })
 })
 
 test('it returns the alert state if it matches 2 and the version is blank', async () => {
   nock('https://api.github.com').post('/graphql', query)
     .reply(200, response)
 
   expect(await getAlert('coffee-script', '', '/wwwroot', mockGitHubClient, mockGitHubPullContext())).toEqual({ alertState: 'DISMISSED', cvss: 4.5, ghsaId: 'FOO' })
+
+  nock('https://api.github.com').post('/graphql', query)
+    .reply(200, responseWithManifestFileAtRoot)
+
+  expect(await getAlert('coffee-script', '', '/', mockGitHubClient, mockGitHubPullContext())).toEqual({ alertState: 'DISMISSED', cvss: 4.5, ghsaId: 'FOO' })
 })
 
 test('it returns default if it does not match the version', async () => {
   nock('https://api.github.com').post('/graphql', query)
     .reply(200, response)
 
   expect(await getAlert('coffee-script', '4.0.2', '/wwwroot', mockGitHubClient, mockGitHubPullContext())).toEqual({ alertState: '', cvss: 0, ghsaId: '' })
+
+  nock('https://api.github.com').post('/graphql', query)
+    .reply(200, responseWithManifestFileAtRoot)
+
+  expect(await getAlert('coffee-script', '4.0.2', '/', mockGitHubClient, mockGitHubPullContext())).toEqual({ alertState: '', cvss: 0, ghsaId: '' })
 })
 
 test('it returns default if it does not match the directory', async () => {
   nock('https://api.github.com').post('/graphql', query)
     .reply(200, response)
 
   expect(await getAlert('coffee-script', '4.0.1', '/', mockGitHubClient, mockGitHubPullContext())).toEqual({ alertState: '', cvss: 0, ghsaId: '' })
+
+  nock('https://api.github.com').post('/graphql', query)
+    .reply(200, responseWithManifestFileAtRoot)
+
+  expect(await getAlert('coffee-script', '4.0.1', '/wwwroot', mockGitHubClient, mockGitHubPullContext())).toEqual({ alertState: '', cvss: 0, ghsaId: '' })
 })
 
 test('it returns default if it does not match the name', async () => {
   nock('https://api.github.com').post('/graphql', query)
     .reply(200, response)
 
   expect(await getAlert('coffee', '4.0.1', '/wwwroot', mockGitHubClient, mockGitHubPullContext())).toEqual({ alertState: '', cvss: 0, ghsaId: '' })
+
+  nock('https://api.github.com').post('/graphql', query)
+    .reply(200, responseWithManifestFileAtRoot)
+
+  expect(await getAlert('coffee', '4.0.1', '/', mockGitHubClient, mockGitHubPullContext())).toEqual({ alertState: '', cvss: 0, ghsaId: '' })
 })
 
 test('trimSlashes should only trim slashes from both ends', () => {

diff --git a/src/dependabot/verified_commits.ts b/src/dependabot/verified_commits.ts
@@ -78,7 +78,7 @@ export async function getAlert (name: string, version: string, directory: string
 
   const nodes = alerts?.repository?.vulnerabilityAlerts?.nodes
   const found = nodes.find(a => (version === '' || a.vulnerableRequirements === `= ${version}`) &&
-      trimSlashes(a.vulnerableManifestPath) === `${trimSlashes(directory)}/${a.vulnerableManifestFilename}` &&
+      trimSlashes(a.vulnerableManifestPath) === trimSlashes(`${directory}/${a.vulnerableManifestFilename}`) &&
       a.securityVulnerability.package.name === name)
 
   return {