Give your feedback about the osvVulnerabilityAlerts experimental feature

[HonkingGoose]

Tell us how you like the new osvVulnerabilityAlerts experimental feature. What works for you, what doesn't work for you? Do you see anything we could improve?

Let us know what you think! 😉

[jwnmulder]

It's a really cool feature! Especially when adding a label like 'security' it gives you a nice cross repository overview.

One improvement that would be welcome is the ability to have more control over major dependency updates and the 'dependencyDashboardApproval' flag. Right now, this configuration has no effect when fixedVersion reflects a major upgrade

  "major": {
    "dependencyDashboardApproval": true
  }

Example issue: GHSA-r8f7-9pfq-mjmv

Another improvement / feature request. Would it be possible to reflect the security risk in the PR title? Something like a Low/Medium/High/Critical suffix?

[setchy]

We enabled this feature yesterday and it's really really cool!

Another improvement / feature request. Would it be possible to reflect the security risk in the PR title? Something like a Low/Medium/High/Critical suffix?

+1 - this would be an great enhancement!

[viceice]

i don't like the idea to enable approval for security updates. to easy to miss those updates.

[jwnmulder]

i don't like the idea to enable approval for security updates. to easy to miss those updates.

That does make sense thinking about it.

My first reaction was to initially disable it as some developers where surprised. Seeing the dependencyDashboardApproval parameter as documented on https://docs.renovatebot.com/configuration-options/#vulnerabilityalerts gave me the impression it was supported.

Maybe related. Could it be that custom packages rules where allowedVersions is used are ignored in case of a vulnerability? As an example, a maven package named org.codehaus.jackson:jackson-mapper-asl is being updated from 1.9.9 to 1.9.14.jdk17-redhat-00001 while our package rules exclude versions that include 'redhat'.

[Churro]

Another improvement / feature request. Would it be possible to reflect the security risk in the PR title? Something like a Low/Medium/High/Critical suffix?

Not sure about this. Depending on who reports vulns, initially they are often overrated (esp. when found via Bug Bounty programs). Over time, GHSA and other sources react on community feedback, adapt the score and renovate will silently also update the PR description. Changing the PR title would cause additional noise by renovate closing and reopeing PRs.

[rarkins]

Relevant to some of the discussions:

renovate/lib/config/options/index.ts

Lines 1653 to 1672 in e87af92

	{
	name: 'vulnerabilityAlerts',
	description:
	'Config to apply when a PR is needed due to a vulnerability in the existing package version.',
	type: 'object',
	default: {
	groupName: null,
	schedule: [],
	dependencyDashboardApproval: false,
	stabilityDays: 0,
	rangeStrategy: 'update-lockfile',
	commitMessageSuffix: '[SECURITY]',
	branchTopic: `{{{datasource}}}-{{{depName}}}-vulnerability`,
	prCreation: 'immediate',
	},
	mergeable: true,
	cli: false,
	env: false,
	supportedPlatforms: ['github'],
	},

I'm not aware of anyone modifying that in the past, but it was intended to be possible.

It says github-only there, but I think that's only used for documentation.

[rarkins]

Changing the PR title would cause additional noise by renovate closing and reopeing PRs.

Only if the first PR was closed. In this case you'd get a replacement with the new severity. Otherwise, you would see the title updated in-placed without closing/opening.

[viceice]

saw a strange security PR autoclose

[Churro]

saw a strange security PR autoclose

@viceice, you've hit an edge case that occurs with only 0.58% (83 / 14311) of OSV vulnerabilities (congrats on that 😉):

• jquery 2.2.4 is also vulnerable to GHSA-gxr4-xjj5-5px2 since version 1.2, which the advisory mistakenly lists as semver.
• While sorting OSV events to check if affected, the sortVersions method in renovate's semver versioning API is fed 1.2 and expectedly throws an exception.
• The exception causes renovate to skip post-processing of package rules, eventually resulting in allowedVersions: '3.0.0' being highest, instead of version 3.4.0 (after correct package rule sorting actually 3.5.0).
• The order in which different vulns are processed is not deterministic, so depending on what gets out of the DB first, the issue occurs sooner or later, after already having composed a few package rules with findings.

PR #20512 intends to corrects this. Note that renovate still depends on semantically valid versions for comparisons. Hence, it will still not flag GHSA-gxr4-xjj5-5px2 for jquery 2.2.4, although affected. IMHO such cases should rather be corrected in the OSV advisory itself (1.2 -> 1.2.0), rather than in renovate by trying workarounds like semver-coerced versioning.

[andrewpollock]

Hi @Churro I'm with the OSV team, is there an issue with GHSA-gxr4-xjj5-5px2 that needs to be corrected? I totally agree that we should be fixing the underlying data rather than downstream consumers doing contortions to correct for it.

[Churro]

@andrewpollock, thanks for reaching out. It seems to me there is indeed an issue with GHSA-gxr4-xjj5-5px2:

• GHSA-gxr4-xjj5-5px2 in the GitHub advisory DB lists version 1.2 with versioning ECOSYSTEM. This should be correct, as 1.2 was in fact a valid JQuery release, still before they decided to adopt semantic versioning.
• GHSA-gxr4-xjj5-5px2 in the OSV DB shows up with SEMVER, although the Introduced version 1.2 itself is not semver-compliant. My understanding is that the OSV importer infers the versioning based on the package ecosystem only, so npm -> semver
• The OSV schema foresees only actual semantic versions to be used with "type": "SEMVER". Conversely, this means the affected entry of GHSA-gxr4-xjj5-5px2 violates this constraint.

I ran a check across all OSV datasources that renovate uses and extracted all entries with versions that are listed as SEMVER but are not actually semantic versions. You can find the list here.

In some cases, the GitHub advisories can be corrected. For all others, OSV could tackle this by adding a trailing .0 or by importing versions with type ECOSYSTEM unchanged. I tend to think the former would the better option, as it would allow OSV to compile a list of affected versions. Also, assuming a package belongs to ecosystem Go and versioning is specified to be ecosystem-specific, then any OSV advisory parser would reasonably interpret the version again as semver - unless a more tolerant fallback is enforced.

[andrewpollock]

Hey @Churro you're a champion! Thanks so much for doing some of the additional legwork to identify problematic records, this directly helps us maintain a high standard of quality in OSV data.

FYI we're working on doing stricter validation at record import time as part of google/osv.dev#771 (and subsequently surfacing import issues to our data sources)

We've flagged these records with GitHub to determine the best course of action. We would much rather see OSV source data be correct (at the source) than try to paper over it by having OSV.dev do creative interpolation, as you've suggested as one of the options.

[viceice]

@Churro thanks for finding the cause ❤️ can you upstream the version fix too?

[vquie]

I really love the idea of this vulnerability alert. We also had this issue with flapping merge requests in hosted gitlab. All merge requests created by this feature were autoclosed several times. Since we have just started using renovate on that repository it didn't bother that much. I noticed it though.

Another thing I noticed was the github ratelimit in this case. We authenticate to github for the release notes already with a personal token, but it seems that toen is not used for these alert.
Error message:

"data": {
  "message": "API rate limit exceeded for xx.xx.xx.xx. (But here's the good news: Authenticated requests get a higher rate limit. Check out the documentation for more details.)",
  "documentation_url": "https://docs.github.com/rest/overview/resources-in-the-rest-api#rate-limiting"
}

Could this be the reason for the flip flopping? If yes, how can I make renovate use the github token for these calls?

[kkom]

We've been running into this as well – currently maybe 20% of Renovate runs succeed. On balance, it's nice to get vulnerability notifications, but it would be better if Renovate went back to running regularly (when the API rate limit is exceeded, Renovate doesn't do anything - no creating or rebasing of PRs either I believe).

[Churro]

Did you define a Github token (see here)? Vulnerability alerts now also use that token, so that you don't hit the rate limit as fast as before but it may still happen, of course ...

[kkom]

Sorry for the slow response @Churro – I am travelling at the moment.

I didn't read the original thread carefully. I am actually on GitHub.com and I'm using the cloud-hosted renovate through Mend.io – I see frequent (~90% of attempts) errors both for personal repositories under @kkom and for work ones under @isometric.

[Churro]

This may be related to #22502 then.

[Churro]

@vquie, flapping PRs are most likely related to hitting the API limit. This has been addressed with renovatebot/osv-offline#230, which found its way into renovate 34.142.0. Can you please check if the issue is gone after updating renovate?

[vquie]

Thanks @Churro . I just updated to the latest helm release and will monitor it.

[Churro]

Currently, renovate raises no vulnerability fix PRs for dependencies that are disabled explicitly or by using a preset like:disableMajorUpdates. If a security fix is only provided via major update (take guava as an example), users would never take notice of using a vulnerable dependency.

Proposition: Add an opt-in config flag (= disabled by default) to vulnerabilityAlerts named vulnerabilityAlertsForDisabled (better naming proposals welcome) that raises vulnerability fix PRs even for disabled deps.

Any thoughts on that? Let me know if this is something you'd also find useful 👍 or not 👎

[Churro]

Update: Found out that this already possible, even without adding a new config option. Just specify:

"osvVulnerabilityAlerts": true,
"vulnerabilityAlerts": {
  "enabled": true
}

The "enabled": true option force-enables dependencies in case if disabled but vulnerabilities are found.

[gaeljw]

Not sure if it's really an issue but I've observed the following message in logs for a project with NPM manager:

Skipping vulnerability lookup for package lodash due to unsupported version ^4.17.21

Is the unsupported version because of the ^ character and the fact the version is not fixed?

[Churro]

Correct, the ^ leaves it open which minor or patch version is used. The version in use can but doesn't necessarily need to be 4.17.21. Most likely to happen if no package-lock.json file is committed.

[gaeljw]

Pretty sure it happened on a project with a package-lock.json file.

[mdesanti]

What would be the correct way of making renovate still open an MR even if the version is pinned with ^?

I have a project which uses "xlsx": "^0.18.5" and in the revovate logs I see Skipping vulnerability lookup for package xlsx due to unsupported version ^0.18.5

@gaeljw did you manage to solve this?

[gzmarstone]

I noticed another peculiarity... It seems that when a package in the Pipfile does not match the case of the package in the OSV, a security update is not created (with the [Security] in the header and a branch name with -vulnerability, just a regular update in this case)...
I am guessing that if I updated the case of the package to be pillow in all lowercase in the Pipfile it would work.
The reason I am bringing it up though is that I can see why other repos other than mine would also have the same mixed case for packages as in the documentation for Pillow it states to run python3 -m pip install --upgrade Pillow, so people following the standard recommendation would simply use that mixed case. Other packages also have similar documentation, for example SQLAlchemy has it as well.

So the Pipfile has:
Pillow = "==10.1.0"

In the log of renovate runs I see (note lowercase pillow):

DEBUG: Vulnerability GHSA-3f63-hfp8-52jq affects pillow 10.1.0 (repository=corp/myproject)
DEBUG: Setting allowed version ==10.2.0 to fix vulnerability GHSA-3f63-hfp8-52jq in pillow 10.1.0 (repository=corp/myproject)

When it outputs the json for the update it outputs this for Pillow (note depName mixedcase and no branch with -vulnerability after it):

               {
                 "depType": "packages",
                 "depName": "Pillow",
                 "managerData": {},
                 "currentValue": "==10.1.0",
                 "datasource": "pypi",
                 "currentVersion": "10.1.0",
                 "updates": [
                   {
                     "bucket": "non-major",
                     "newVersion": "10.2.0",
                     "newValue": "==10.2.0",
                     "newMajor": 10,
                     "newMinor": 2,
                     "updateType": "minor",
                     "isRange": true,
                     "branchName": "renovate/pillow-10.x"
                   }
                 ],
                 "packageName": "Pillow",
                 "versioning": "pep440",
                 "warnings": [],
                 "registryUrl": "https://[custom aws codeartifact repo]/pypi/marstone-python/simple",
                 "isSingleVersion": true,
                 "fixedVersion": "10.1.0"
               },

Let me know if I gave you enough information or if you need me to give you any more details...

Geoff

[gzmarstone]

Here is the simple repro case:
Pipfile:

[packages]
Pillow = "==10.1.0"

config.js

module.exports = {
  "platform": "local",
  "osvVulnerabilityAlerts": true,
  "vulnerabilityAlerts": {
     "enabled": true
  },
  "onboarding": false,
  "dryRun": "lookup",
  "hostRules": [
     {"hostType": "github", "matchHost": "github.com", "token": "xxxxxxxxxxxxxxxxxxxx"}
  ],
  baseDir: "./renovate",
};

You will see that the in the log it creates a regular branch not a security branch (look at branchName in the logs) :

DEBUG: Matched 1 file(s) for manager pipenv: Pipfile (repository=local)
DEBUG: manager extract durations (ms) (repository=local)
       "managers": {"pipenv": 5}
DEBUG: Found pipenv package files (repository=local)
DEBUG: Found 1 package file(s) (repository=local)
 INFO: Dependency extraction complete (repository=local)
       "stats": {
         "managers": {"pipenv": {"fileCount": 1, "depCount": 1}},
         "total": {"fileCount": 1, "depCount": 1}
       }
DEBUG: fetchVulnerabilities() - osvVulnerabilityAlerts=true (repository=local)
DEBUG: Vulnerability GHSA-3f63-hfp8-52jq affects pillow 10.1.0 (repository=local)
DEBUG: Setting allowed version ==10.2.0 to fix vulnerability GHSA-3f63-hfp8-52jq in pillow 10.1.0 (repository=local)
DEBUG: PackageFiles.add() - Package file saved for base branch (repository=local)
DEBUG: Package releases lookups complete (repository=local)
DEBUG: branchifyUpgrades (repository=local)
DEBUG: detectSemanticCommits() (repository=local)
DEBUG: getCommitMessages (repository=local)
DEBUG: semanticCommits: detected "unknown" (repository=local)
DEBUG: semanticCommits: disabled (repository=local)
DEBUG: 1 flattened updates found: Pillow (repository=local)
DEBUG: Returning 1 branch(es) (repository=local)
DEBUG: config.repoIsOnboarded=true (repository=local)
DEBUG: packageFiles with updates (repository=local)
       "config": {
         "pipenv": [
           {
             "deps": [
               {
                 "depType": "packages",
                 "depName": "Pillow",
                 "managerData": {},
                 "currentValue": "==10.1.0",
                 "datasource": "pypi",
                 "currentVersion": "10.1.0",
                 "updates": [
                   {
                     "bucket": "non-major",
                     "newVersion": "10.2.0",
                     "newValue": "==10.2.0",
                     "releaseTimestamp": "2024-01-02T09:15:01.000Z",
                     "newMajor": 10,
                     "newMinor": 2,
                     "updateType": "minor",
                     "isRange": true,
                     "branchName": "renovate/pillow-10.x"
                   }
                 ],
                 "packageName": "Pillow",
                 "versioning": "pep440",
                 "warnings": [],
                 "sourceUrl": "https://github.com/python-pillow/Pillow",
                 "registryUrl": "https://pypi.org/pypi",
                 "changelogUrl": "https://github.com/python-pillow/Pillow/blob/main/CHANGES.rst",
                 "isSingleVersion": true,
                 "fixedVersion": "10.1.0"
               }
             ],
             "extractedConstraints": {},
             "packageFile": "Pipfile"
           }
         ]
       }

If you change the Pipfile to be pillow in lowercase and re-run renovate, you see that it then creates a security vulnerability branch...

DEBUG: Matched 1 file(s) for manager pipenv: Pipfile (repository=local)
DEBUG: manager extract durations (ms) (repository=local)
       "managers": {"pipenv": 5}
DEBUG: Found pipenv package files (repository=local)
DEBUG: Found 1 package file(s) (repository=local)
 INFO: Dependency extraction complete (repository=local)
       "stats": {
         "managers": {"pipenv": {"fileCount": 1, "depCount": 1}},
         "total": {"fileCount": 1, "depCount": 1}
       }
DEBUG: fetchVulnerabilities() - osvVulnerabilityAlerts=true (repository=local)
DEBUG: Vulnerability GHSA-3f63-hfp8-52jq affects pillow 10.1.0 (repository=local)
DEBUG: Setting allowed version ==10.2.0 to fix vulnerability GHSA-3f63-hfp8-52jq in pillow 10.1.0 (repository=local)
DEBUG: PackageFiles.add() - Package file saved for base branch (repository=local)
DEBUG: Package releases lookups complete (repository=local)
DEBUG: branchifyUpgrades (repository=local)
DEBUG: detectSemanticCommits() (repository=local)
DEBUG: getCommitMessages (repository=local)
DEBUG: semanticCommits: detected "unknown" (repository=local)
DEBUG: semanticCommits: disabled (repository=local)
DEBUG: 1 flattened updates found: Pillow (repository=local)
DEBUG: Returning 1 branch(es) (repository=local)
DEBUG: config.repoIsOnboarded=true (repository=local)
DEBUG: packageFiles with updates (repository=local)
       "config": {
         "pipenv": [
           {
             "deps": [
               {
                 "depType": "packages",
                 "depName": "Pillow",
                 "managerData": {},
                 "currentValue": "==10.1.0",
                 "datasource": "pypi",
                 "currentVersion": "10.1.0",
                 "updates": [
                   {
                     "bucket": "non-major",
                     "newVersion": "10.2.0",
                     "newValue": "==10.2.0",
                     "releaseTimestamp": "2024-01-02T09:15:01.000Z",
                     "newMajor": 10,
                     "newMinor": 2,
                     "updateType": "minor",
                     "isRange": true,
                     "branchName": "renovate/pillow-10.x"
                   }
                 ],
                 "packageName": "Pillow",
                 "versioning": "pep440",
                 "warnings": [],
                 "sourceUrl": "https://github.com/python-pillow/Pillow",
                 "registryUrl": "https://pypi.org/pypi",
                 "changelogUrl": "https://github.com/python-pillow/Pillow/blob/main/CHANGES.rst",
                 "isSingleVersion": true,
                 "fixedVersion": "10.1.0"
               }
             ],
             "extractedConstraints": {},
             "packageFile": "Pipfile"
           }
         ]
       }

[Churro]

@gzmarstone, when I find some time the next few days, I'll make a PR to address this... it's an easy fix.

[setchy]

Would something like https://github.com/AppThreat/vulnerability-db positively broaden the available offline data for vulnerability analysis?

[philippe-granet]

I have created an issue for this: renovatebot/osv-offline#630
My workaround:

export RENOVATE_OSV_VULNERABILITY_ALERTS="true"
export OSV_OFFLINE_ROOT_DIR="/tmp"
export OSV_OFFLINE_DISABLE_DOWNLOAD="true"
curl https://<internal proxy>/osv-offline.zip -o ${OSV_OFFLINE_ROOT_DIR}/osv-offline.zip
unzip ${OSV_OFFLINE_ROOT_DIR}/osv-offline.zip -d ${OSV_OFFLINE_ROOT_DIR}
renovate

You can download latest osv-offline.zip file from here: https://github.com/renovatebot/osv-offline/releases/latest/download/osv-offline.zip

[OrbisK]

Hey, it's not quite clear to me from the docs whether the options under vulnerabilityAlerts (e.g. label) also affect OSV alerts. I would just try to find out by testing. Maybe you could add to the docs if necessary

[Enkidu-Aururu]

As far as I noticed, vulnerabilityAlerts settings does work for example when used on self-hosted Gitlab with "osvVulnerabilityAlerts": true. I was able to add vulnerability label with it.

[bbigras]

Is there a way to get notified when a vulnerability can't be fixed by a PR? Maybe by creating an issue.

Example: the dotenv crate was discontinued, so renovate won't create a PR.

No fixed version available for vulnerability RUSTSEC-2021-0141 in dotenv 0.15.0

I saw that I can use https://docs.renovatebot.com/configuration-options/#dependencydashboardosvvulnerabilitysummary but it would be nice to get a notification.

I'm using gitlab.

[bh-tt]

I'm trying to get only security PRs to work using the regex manager, yet something appears to go wrong. The debug logs indicate it finds the packages and versions, yet it skips opening any python PR because all dependencies are disabled. I have a reproducer, which does open a PR for the requirements.txt dependency (aiohttp=3.8.3), but not for the regex manager based config (with tornado=6.2.0). The mend renovate app log clearly shows it has found vulnerabilities, yet it only opens a branch for the requirements.txt vulnerability.

DEBUG: Matched 1 file(s) for manager pip_requirements: requirements.txt
DEBUG: Matched 1 file(s) for manager regex: dmz/it/repositories/pypirepo/values-allowlist.yml
DEBUG: manager extract durations (ms)
{
  "managers": {
    "pip_requirements": 8,
    "regex": 8
  }
}

DEBUG: Found pip_requirements package files
DEBUG: Found regex package files
DEBUG: Found 2 package file(s)
INFO: Dependency extraction complete
{
  "baseBranch": "main"
  "stats": {
    "managers": {
      "pip_requirements": {
        "fileCount": 1,
        "depCount": 1
      },
      "regex": {
        "fileCount": 1,
        "depCount": 1
      }
    },
    "total": {
      "fileCount": 2,
      "depCount": 2
    }
  }
}

DEBUG: fetchVulnerabilities() - osvVulnerabilityAlerts=true
DEBUG: Vulnerability PYSEC-2024-24 affects aiohttp 3.8.3
DEBUG: Vulnerability GHSA-gfw2-4jvh-wgfg affects aiohttp 3.8.3
DEBUG: Vulnerability GHSA-qvrw-v9rv-5rjx affects aiohttp 3.8.3
DEBUG: Vulnerability GHSA-7gpw-8wmc-pm8g affects aiohttp 3.8.3
DEBUG: Vulnerability GHSA-q3qx-c6g2-7pw2 affects aiohttp 3.8.3
DEBUG: Vulnerability PYSEC-2024-26 affects aiohttp 3.8.3
DEBUG: Vulnerability GHSA-45c4-8wx5-qw6w affects aiohttp 3.8.3
DEBUG: Vulnerability PYSEC-2023-251 affects aiohttp 3.8.3
DEBUG: Vulnerability PYSEC-2023-246 affects aiohttp 3.8.3
DEBUG: Vulnerability GHSA-5m98-qgg9-wh84 affects aiohttp 3.8.3
DEBUG: Vulnerability GHSA-5h86-8mv2-jq9f affects aiohttp 3.8.3
DEBUG: Vulnerability GHSA-8qpw-xqxj-h4r2 affects aiohttp 3.8.3
DEBUG: Vulnerability PYSEC-2023-250 affects aiohttp 3.8.3
DEBUG: Vulnerability PYSEC-2023-120 affects aiohttp 3.8.3
DEBUG: Vulnerability GHSA-pjjw-qhg8-p2p9 affects aiohttp 3.8.3
DEBUG: Vulnerability GHSA-qppv-j76h-2rpx affects tornado 6.2.0
DEBUG: Vulnerability GHSA-hj3f-6gcp-jg8j affects tornado 6.2.0
DEBUG: Vulnerability PYSEC-2023-75 affects tornado 6.2.0
DEBUG: Setting allowed version ==3.9.2 to fix vulnerability PYSEC-2024-24 in aiohttp 3.8.3
DEBUG: Setting allowed version ==3.8.6 to fix vulnerability GHSA-gfw2-4jvh-wgfg in aiohttp 3.8.3
DEBUG: Setting allowed version ==3.9.0 to fix vulnerability GHSA-qvrw-v9rv-5rjx in aiohttp 3.8.3
DEBUG: Setting allowed version ==3.9.4 to fix vulnerability GHSA-7gpw-8wmc-pm8g in aiohttp 3.8.3
DEBUG: Setting allowed version ==3.9.0 to fix vulnerability GHSA-q3qx-c6g2-7pw2 in aiohttp 3.8.3
DEBUG: Setting allowed version ==3.9.2 to fix vulnerability PYSEC-2024-26 in aiohttp 3.8.3
DEBUG: Setting allowed version ==3.8.5 to fix vulnerability GHSA-45c4-8wx5-qw6w in aiohttp 3.8.3
DEBUG: Setting allowed version ==3.9.0 to fix vulnerability PYSEC-2023-251 in aiohttp 3.8.3
DEBUG: Setting allowed version ==3.8.6 to fix vulnerability PYSEC-2023-246 in aiohttp 3.8.3
DEBUG: Setting allowed version ==3.9.4 to fix vulnerability GHSA-5m98-qgg9-wh84 in aiohttp 3.8.3
DEBUG: Setting allowed version ==3.9.2 to fix vulnerability GHSA-5h86-8mv2-jq9f in aiohttp 3.8.3
DEBUG: Setting allowed version ==3.9.2 to fix vulnerability GHSA-8qpw-xqxj-h4r2 in aiohttp 3.8.3
DEBUG: Setting allowed version ==3.9.0 to fix vulnerability PYSEC-2023-250 in aiohttp 3.8.3
DEBUG: Setting allowed version ==3.8.5 to fix vulnerability PYSEC-2023-120 in aiohttp 3.8.3
DEBUG: Setting allowed version ==3.8.6 to fix vulnerability GHSA-pjjw-qhg8-p2p9 in aiohttp 3.8.3
DEBUG: Setting allowed version ==6.3.3 to fix vulnerability GHSA-qppv-j76h-2rpx in tornado 6.2.0
DEBUG: Setting allowed version ==6.3.2 to fix vulnerability GHSA-hj3f-6gcp-jg8j in tornado 6.2.0
DEBUG: Setting allowed version ==6.3.2 to fix vulnerability PYSEC-2023-75 in tornado 6.2.0
DEBUG: Dependency: tornado, is disabled
DEBUG: PackageFiles.add() - Package file saved for base branch
{
  "baseBranch": "main"
}

DEBUG: Package releases lookups complete
{
  "baseBranch": "main"
}

DEBUG: branchifyUpgrades
DEBUG: detectSemanticCommits()
DEBUG: getCommitMessages
DEBUG: semanticCommits: detected "unknown"
DEBUG: semanticCommits: disabled
DEBUG: 1 flattened updates found: aiohttp
DEBUG: Returning 1 branch(es)
DEBUG: config.repoIsOnboarded=true
DEBUG: packageFiles with updates
{
  "baseBranch": "main"
  "config": {
    "pip_requirements": [
      {
        "deps": [
          {
            "depName": "aiohttp",
            "currentValue": "==3.8.3",
            "datasource": "pypi",
            "currentVersion": "3.8.3",
            "updates": [
              {
                "bucket": "non-major",
                "newVersion": "3.9.4",
                "newValue": "==3.9.4",
                "releaseTimestamp": "2024-04-11T19:13:03.000Z",
                "newMajor": 3,
                "newMinor": 9,
                "updateType": "minor",
                "isRange": true,
                "branchName": "renovate/pypi-aiohttp-vulnerability"
              }
            ],
            "packageName": "aiohttp",
            "versioning": "pep440",
            "warnings": [],
            "sourceUrl": "https://github.com/aio-libs/aiohttp",
            "registryUrl": "https://pypi.org/pypi",
            "currentVersionTimestamp": "2022-09-21T14:40:05.000Z",
            "isSingleVersion": true,
            "fixedVersion": "3.8.3"
          }
        ],
        "packageFile": "requirements.txt"
      }
    ],
    "regex": [
      {
        "deps": [
          {
            "depName": "tornado",
            "currentValue": "6.2.0",
            "datasource": "pypi",
            "replaceString": "pypi.allowlist.\"tornado\".min=6.2.0\n",
            "updates": [],
            "packageName": "tornado",
            "skipReason": "disabled"
          }
        ],
        "matchStrings": [
          "pypi\\.allowlist\\.\"(?<depName>.+?)\"\\.min=(?<currentValue>.+?)\\n"
        ],
        "datasourceTemplate": "pypi",
        "packageFile": "dmz/it/repositories/pypirepo/values-allowlist.yml"
      }
    ]
  }
}

DEBUG: detectSemanticCommits()
DEBUG: semanticCommits: returning "disabled" from cache
DEBUG: processRepo()
DEBUG: Processing 1 branch: renovate/pypi-aiohttp-vulnerability
DEBUG: Calculating hourly PRs remaining
DEBUG: currentHourStart=2024-06-03T12:00:00.000+00:00
DEBUG: PR hourly limit remaining: 2
DEBUG: Calculating prConcurrentLimit (10)
DEBUG: getBranchPr(renovate/pypi-aiohttp-vulnerability)
DEBUG: findPr(renovate/pypi-aiohttp-vulnerability, undefined, open)
DEBUG: findPr(renovate/pypi-aiohttp-vulnerability, undefined, closed)
DEBUG: 0 PRs are currently open
DEBUG: PR concurrent limit remaining: 10
DEBUG: Calculated maximum PRs remaining this run: 2
DEBUG: PullRequests limit = 2
DEBUG: Calculating hourly PRs remaining
DEBUG: currentHourStart=2024-06-03T12:00:00.000+00:00
DEBUG: PR hourly limit remaining: 2
DEBUG: Calculating branchConcurrentLimit (10)
DEBUG: 0 already existing branches found: 
DEBUG: Branch concurrent limit remaining: 10
DEBUG: Calculated maximum branches remaining this run: 2
DEBUG: Branches limit = 2
DEBUG: syncBranchState() (branch="renovate/pypi-aiohttp-vulnerability")
DEBUG: syncBranchState(): Branch cache not found, creating minimal branchState (branch="renovate/pypi-aiohttp-vulnerability")
DEBUG: getBranchPr(renovate/pypi-aiohttp-vulnerability) (branch="renovate/pypi-aiohttp-vulnerability")
DEBUG: findPr(renovate/pypi-aiohttp-vulnerability, undefined, open) (branch="renovate/pypi-aiohttp-vulnerability")
DEBUG: findPr(renovate/pypi-aiohttp-vulnerability, undefined, closed) (branch="renovate/pypi-aiohttp-vulnerability")
DEBUG: branchExists=false (branch="renovate/pypi-aiohttp-vulnerability")
DEBUG: dependencyDashboardCheck=undefined (branch="renovate/pypi-aiohttp-vulnerability")
DEBUG: Check for closed PR because recreating closed PRs is disabled. (branch="renovate/pypi-aiohttp-vulnerability")
DEBUG: findPr(renovate/pypi-aiohttp-vulnerability, Update dependency aiohttp to v3.9.4 [SECURITY], !open) (branch="renovate/pypi-aiohttp-vulnerability")
DEBUG: prAlreadyExisted=false (branch="renovate/pypi-aiohttp-vulnerability")
DEBUG: Checking schedule(schedule=, tz=null, now=2024-06-03T12:50:06.275Z) (branch="renovate/pypi-aiohttp-vulnerability")
DEBUG: No schedule defined (branch="renovate/pypi-aiohttp-vulnerability")
DEBUG: Branch needs creating (branch="renovate/pypi-aiohttp-vulnerability")
DEBUG: Using reuseExistingBranch: false (branch="renovate/pypi-aiohttp-vulnerability")
DEBUG: Setting current branch to main (branch="renovate/pypi-aiohttp-vulnerability")
DEBUG: latest commit (branch="renovate/pypi-aiohttp-vulnerability")
{
  "branchName": "main"
  "latestCommitDate": "2024-06-03T14:49:20+02:00"
}

DEBUG: manager.getUpdatedPackageFiles() reuseExistingBranch=false (branch="renovate/pypi-aiohttp-vulnerability")
DEBUG: Starting search at index 7 (branch="renovate/pypi-aiohttp-vulnerability")
{
  "packageFile": "requirements.txt"
  "depName": "aiohttp"
}

DEBUG: Found match at index 7 (branch="renovate/pypi-aiohttp-vulnerability")
{
  "packageFile": "requirements.txt"
  "depName": "aiohttp"
}

DEBUG: Contents updated (branch="renovate/pypi-aiohttp-vulnerability")
{
  "packageFile": "requirements.txt"
  "depName": "aiohttp"
}

DEBUG: updateArtifacts for updatedPackageFiles (branch="renovate/pypi-aiohttp-vulnerability")
DEBUG: pip_requirements.updateArtifacts(requirements.txt) (branch="renovate/pypi-aiohttp-vulnerability")
DEBUG: No hashin commands to run - returning (branch="renovate/pypi-aiohttp-vulnerability")
DEBUG: Updated 1 package files (branch="renovate/pypi-aiohttp-vulnerability")
DEBUG: No updated lock files in branch (branch="renovate/pypi-aiohttp-vulnerability")
DEBUG: 1 file(s) to commit (branch="renovate/pypi-aiohttp-vulnerability")
DEBUG: Preparing files for committing to branch renovate/pypi-aiohttp-vulnerability (branch="renovate/pypi-aiohttp-vulnerability")
DEBUG: Setting git author name: renovate[bot] (branch="renovate/pypi-aiohttp-vulnerability")
DEBUG: Setting git author email: 29139614+renovate[bot]@users.noreply.github.com (branch="renovate/pypi-aiohttp-vulnerability")
DEBUG: git commit (branch="renovate/pypi-aiohttp-vulnerability")
{
  "deletedFiles": []
  "ignoredFiles": []
  "result": {
    "author": null,
    "branch": "renovate/pypi-aiohttp-vulnerability",
    "commit": "cd73c33945392bfb0a5ee2a3b1153c2caed26aca",
    "root": false,
    "summary": {
      "changes": 1,
      "insertions": 1,
      "deletions": 1
    }
  }
}

DEBUG: HEAD https://api.github.com/repos/bh-tt/renovate-python-security-reproducer/git/refs/heads/renovate/pypi-aiohttp-vulnerability/ = (code=ERR_NON_2XX_3XX_RESPONSE, statusCode=404 retryCount=0, duration=97) (branch="renovate/pypi-aiohttp-vulnerability")
DEBUG: HEAD https://api.github.com/repos/bh-tt/renovate-python-security-reproducer/git/refs/heads/renovate/pypi-aiohttp-vulnerability = (code=ERR_NON_2XX_3XX_RESPONSE, statusCode=404 retryCount=0, duration=139) (branch="renovate/pypi-aiohttp-vulnerability")
DEBUG: resetToCommit(1750a51e8a61596e993c89d03c2f3d7fd94104cc) (branch="renovate/pypi-aiohttp-vulnerability")
DEBUG: Fetching branch renovate/pypi-aiohttp-vulnerability (branch="renovate/pypi-aiohttp-vulnerability")
DEBUG: Setting current branch to main (branch="renovate/pypi-aiohttp-vulnerability")
DEBUG: latest commit (branch="renovate/pypi-aiohttp-vulnerability")
{
  "branchName": "main"
  "latestCommitDate": "2024-06-03T14:49:20+02:00"
}

INFO: Branch created (branch="renovate/pypi-aiohttp-vulnerability")
{
  "commitSha": "51a4b84ac684b1902717cd18f2157e4e742e0a37"
}

DEBUG: Ensuring PR (branch="renovate/pypi-aiohttp-vulnerability")
DEBUG: There are 0 errors and 0 warnings (branch="renovate/pypi-aiohttp-vulnerability")
DEBUG: getBranchPr(renovate/pypi-aiohttp-vulnerability) (branch="renovate/pypi-aiohttp-vulnerability")
DEBUG: findPr(renovate/pypi-aiohttp-vulnerability, undefined, open) (branch="renovate/pypi-aiohttp-vulnerability")
DEBUG: findPr(renovate/pypi-aiohttp-vulnerability, undefined, closed) (branch="renovate/pypi-aiohttp-vulnerability")
DEBUG: getPrCache() (branch="renovate/pypi-aiohttp-vulnerability")
DEBUG: Fetching changelog: https://github.com/aio-libs/aiohttp (3.8.3 -> 3.9.4) (branch="renovate/pypi-aiohttp-vulnerability")
DEBUG: Creating PR (branch="renovate/pypi-aiohttp-vulnerability")
{
  "prTitle": "Update dependency aiohttp to v3.9.4 [SECURITY]"
}

DEBUG: Creating PR (branch="renovate/pypi-aiohttp-vulnerability")
{
  "title": "Update dependency aiohttp to v3.9.4 [SECURITY]"
  "head": "bh-tt:renovate/pypi-aiohttp-vulnerability"
  "base": "main"
  "draft": false
}

DEBUG: PR created (branch="renovate/pypi-aiohttp-vulnerability")
{
  "pr": 2
  "draft": false
}

DEBUG: Adding labels '' to #2 (branch="renovate/pypi-aiohttp-vulnerability")
INFO: PR created (branch="renovate/pypi-aiohttp-vulnerability")
{
  "pr": 2
  "prTitle": "Update dependency aiohttp to v3.9.4 [SECURITY]"
}

DEBUG: addParticipants(pr=2) (branch="renovate/pypi-aiohttp-vulnerability")
DEBUG: setPrCache() (branch="renovate/pypi-aiohttp-vulnerability")
DEBUG: Created Pull Request #2 (branch="renovate/pypi-aiohttp-vulnerability")
DEBUG: PR is not configured for automerge (branch="renovate/pypi-aiohttp-vulnerability")
DEBUG: setBranchCommit() (branch="renovate/pypi-aiohttp-vulnerability")
DEBUG: getBranchPr(renovate/pypi-aiohttp-vulnerability)
DEBUG: findPr(renovate/pypi-aiohttp-vulnerability, undefined, open)
DEBUG: Found PR #2
DEBUG: getPrCache()
DEBUG: ensureDependencyDashboard()
DEBUG: Ensuring Dependency Dashboard
DEBUG: http cache: saving https://api.github.com/repos/bh-tt/renovate-python-security-reproducer/issues/1 (etag=W/"af4738827584813a8f41a0379cfa9e48fca3636e0ccea70412230f352c898273", lastModified=Mon, 03 Jun 2024 12:49:11 GMT)
DEBUG: http cache: saving https://api.github.com/repos/bh-tt/renovate-python-security-reproducer/issues/1 (etag=W/"af4738827584813a8f41a0379cfa9e48fca3636e0ccea70412230f352c898273", lastModified=Mon, 03 Jun 2024 12:49:11 GMT)
DEBUG: ensureIssue(Dependency Dashboard)
DEBUG: http cache: saving https://api.github.com/repos/bh-tt/renovate-python-security-reproducer/issues/1 (etag=W/"af4738827584813a8f41a0379cfa9e48fca3636e0ccea70412230f352c898273", lastModified=Mon, 03 Jun 2024 12:49:11 GMT)
DEBUG: Patching issue
DEBUG: Issue updated

[bh-tt]

This may need to be made into an issue as I'd expect renovate's behavior to be independent of the manager, as long as that manager is correctly configured.

[juancarlosjr97]

I added osvVulnerabilityAlerts but it looks like it is bypassing any constraints added to a project when the MR is related to a security https://github.com/juancarlosjr97/renovate-test-security.

Now, despite I like this very much as security should be treated seriously there might be scenarios where something has been accepted as a dev dependency for example and will not be resolved because the new version brings breaking changes for example.

How can I make Renovate when a security vulnerability is found and there is a constraint, to respect the constraint and make the information on the dependency dashboard?

[juancarlosjr97]

I can make it into an discussion itself if would help

[juancarlosjr97]

Raised a separate discussion #29433 but I think I know my answer by this comment #20542 (comment)

[basil]

In jenkinsci/jenkins we have a default branch (master) as well as a stable/backport branch (e.g., stable-2.461). Can we get security updates to the stable branch using osvVulnerabilityAlerts? We don't want any non-security updates on the stable branch. vulnerabilityAlerts seems to be a non-starter, as it uses the GitHub Dependabot alerts, which only work on the default branch.

[rarkins]

It should work to enable it using matchBaseBranches inside packageRules

[timja]

I haven't been able to make it work.

When I put it in a packageRule it does nothing.
When I enable it globally:
a) certain package rules are being ignored and on the master branch PRs created, e.g. timja-org/jenkins#147, which should be disabled by https://github.com/timja-org/jenkins/blob/master/.github/renovate.json#L121-L132
b) on the stable branch the disable all packages rules (to disable everything except security, the same as in the preset

renovate/lib/config/presets/internal/security.ts

Lines 24 to 38 in 833df8e

	'only-security-updates': {
	description:
	'Only update dependencies if vulnerabilities have been detected.',
	extends: ['config:recommended'],
	packageRules: [
	{
	enabled: false,
	matchPackageNames: ['*'],
	},
	],
	vulnerabilityAlerts: {
	enabled: true,
	},
	osvVulnerabilityAlerts: true,
	},

) seems to be disabling everything

[samuelstadler]

When using osvVulnerabilityAlerts we notice that indirect go dependencies are updated. However the documentation states that only direct dependencies will get vulnerability alerts.

For example we have this renovate config:

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "osvVulnerabilityAlerts": true,
  "vulnerabilityAlerts": {
      "enabled": true
  }
}

a GitHub Token and a go.mod file like

module example.com/m

go 1.21

require (
  github.com/argoproj/argo-cd/v2 v2.3.17
  k8s.io/kubernetes v1.24.2 // indirect
)

If we now run renovate we get security updates for k8s.io/kubernetes but since it is an indirect dependency that should not happen. When we set osvVulnerabilityAlerts to false we do not get the PR.

[rarkins]

This sounds like a feature, not a bug

[wolf-michl]

This sounds like a feature, not a bug

The doumentation states though:

You will only get OSV-based vulnerability alerts for direct dependencies.

It still creates updates for indirect dependencies, even if no direct dependency is being updated, which would lead to an update of the indirect dependency.

This leads to unwanted behaviour:
We get updates of indirect dependencies, even if the direct dependency leading to the indirect dependency is not being updated. This could then introduce breaking behaviour.

The default of not updating indirect dependencies is not being taken into account here, which seems to be the root cause for this issue.

[rarkins]

The documentation can be updated/fixed, and you are welcome to submit a PR if it's urgent to you.

The gomod manager is an exception within Renovate where Renovate supports updating of indirect dependencies too, including for Remediations. In Go, dependencies to not pin exact version of indirect dependencies and must be able to work with any future version of the dependency in the same major release too. Any reference in a go.mod such as "1.1.0" implicitly means ">=1.1.0 <2.0.0" and newer versions of 1.x must be backwards compatible to prevent breaking behavior.

Please separate this topic off into a new config help discussion with a reproduction repo demonstrating the remediation of an indirect dependency. It's possible that remediation of indirect dependencies can be disabled via existing config options.

[samuelstadler]

Sorry for the late response but in the logs we see this:

{
    "datasource": "go",
    "depType": "indirect",
    "depName": "k8s.io/kubernetes",
    "currentValue": "v1.24.2",
    "enabled": false,
    "managerData": {
        "multiLine": true,
        "lineNumber": 199
    },
    "updates": [
        {
            "bucket": "non-major",
            "newVersion": "v1.27.16",
            "newValue": "v1.27.16",
            "releaseTimestamp": "2024-07-17T01:44:24.000Z",
            "newMajor": 1,
            "newMinor": 27,
            "newPatch": 16,
            "updateType": "minor",
            "branchName": "renovate/go-k8s.io-kubernetes-vulnerability"
        }
    ],
    "packageName": "k8s.io/kubernetes",
    "versioning": "semver",
    "warnings": [],
    "sourceUrl": "https://github.com/kubernetes/kubernetes",
    "currentVersion": "v1.24.2",
    "currentVersionTimestamp": "2022-06-15T14:14:10.000Z",
    "isSingleVersion": true,
    "fixedVersion": "v1.24.2"
}

so "enabled": false and we still get the a PR because of osvVulnerabilityAlerts is enabled. Just for our understanding if osvVulnerabilityAlerts is enabled then the enabled flag is ignored? If not than I can create a config help discussion 🙂

[rarkins]

If you disable a dependency by config then it's not intended that package alerts would reenable it. If you can reproduce it in a public repo then please create a new discussion

[aarongoldenthal]

Is there a way to set rangeStrategy to something other than update-lockfile for OSV vulnerabilities? It appears not, for example with config:

  "packageRules": [
    {
      "matchManagers": ["npm"],
      "rangeStrategy": "bump",
      "osvVulnerabilityAlerts": true
    }
  ]

...and a package with "dependencies": { "axios": "^1.7.3" }, the lockfile is updated first for the vulnerability, then the next pass renovate applies the rangeStrategy and updates the package to "dependencies": { "axios": "^1.7.4" }. It works, but would be helpful if the rangeStrategy were respected initially so it didn't have to be a two step process.

[rarkins]

@aarongoldenthal please raise that as a separate "suggest an idea" discussion

[aarongoldenthal]

@aarongoldenthal please raise that as a separate "suggest an idea" discussion

Raised the proposal at #30854

[Goltergaul]

I like the feature but we are running into issues in our setup. We use bundle-audit in our CI to check if the dependencies include known vulnerabilities. This is for ruby btw. Bundle-audit checks also indirect dependencies, which totally makes sense. Unfortunately renovate does not create prs for these. According to the documentation this is on purpose. However it would be nice if it would also update indirect dependencies, as those are equally dangerous imo.

Using bundler those can be updated also if they are not part of the Gemfile. However you cannot specify a specific target version. but e.g. renovate could try to run bundle update <indirect-dependency> This might actually update something or not. In case this does not update anything, renovate could add the gem to the gemfile maybe, even though bundle update will then probably fail. But as a dev i would then at least have a pr that i can fix and would be aware of the issue.

Edit: Thinking about it more I think this could create kind of a loop or prs that update something but not fix the vulnerability. renovate would need to extract the version of the indirect dependenc from the Gemfile.lock to actually verify that a safe version is used. Not sure how straight forward that is

[s00hyun]

Hi, I would like to propose a feature request.
As a Gerrit user, osvVulnerabilityAlerts is really useful to get notified of security updates. However, it would be great if Renovate can open only certain level(s) of security updates by configuration, probably by CVSS Severity Level (Low/Medium/High/Critical).
A similar idea was already mentioned before at #20542 (comment).

On the feature side I think it would be really benefitial to be able to filter out certain "levels" but it looks like there is no such thing in the OSV schema, so maybe that's why it's not possible?

[marcelser]

Actually the 'severity' field is part of the schema, but it's often not set. The question is how should renovate handle the ones without 'severity' rating. There's even an option to set different severities for different versions and then the toplevel 'severity' should not be set. Not too easy to automate it.

[ggjulio]

Works fine so far for us.

For critical cve we need to back port on older versions.
It would be nice to open PRs on a list of maintained branches without actually enabling renovate on theses branches.
Maybe when the score >= N to avoid noise.

Don't know if we can already do that with some workaround in the config.

[HonkingGoose]

Hi @ggjulio, 👋

I created a config that I think will do what you want. Please read (and subscribe) to this discsusion:

• Security updates for `backport` branches, and normal behavior for "default" branch #31943

[adam-moss]

We've been using this for over a year now and get a lot of value from it.

One additional thing we'd like to be able to do is add the vuln id's as labels to the MRs. Does anyone know if this is possible?

[highlandcowfun1122]

"Great feature! The osvVulnerabilityAlerts provide valuable insights, but it would be helpful to have more detailed filtering options for different severity levels. Also, integrating notifications for high-priority alerts could make it even more useful. Keep up the good work!"
https://highlandcowfun.com/how-much-land-do-highland-mini-cows-need/

[felipecrs]

It looks like security updates disregard groups. Is this by design? I don't see how this would be a good thing.