Merge pull request step-security#2571 from vamshi-stepsecurity/refactor/dependabot/vk/support-cool-down

fix updateSubtractiveFields to allow adding ecosystems

Author: shubham-stepsecurity

remediation/dependabot/dependabotconfig.go

@@ -205,13 +205,15 @@ func updateSubtractiveFields(content string, ecosystems []Ecosystem) (string, bo
 
 	isChanged := false
 	for _, eco := range ecosystems {
+		found := false
 		for i, update := range cfg.Updates {
 			if update.PackageEcosystem != eco.PackageEcosystem {
 				continue
 			}
 			if update.Directory != eco.Directory && update.Directory != eco.Directory+"/" {
 				continue
 			}
+			found = true
 
 			// Found the matching entry — update only non-empty fields.
 			if eco.Interval != "" && cfg.Updates[i].Schedule.Interval != eco.Interval {
@@ -293,6 +295,20 @@ func updateSubtractiveFields(content string, ecosystems []Ecosystem) (string, bo
 			}
 			break
 		}
+
+		if !found {
+			// Ecosystem not in config — add it as a new entry.
+			cfg.Updates = append(cfg.Updates, ExtendedUpdate{
+				Update: dependabot.Update{
+					PackageEcosystem: eco.PackageEcosystem,
+					Directory:        eco.Directory,
+					Schedule:         dependabot.Schedule{Interval: eco.Interval},
+				},
+				Groups:   eco.Groups,
+				CoolDown: eco.CoolDown,
+			})
+			isChanged = true
+		}
 	}
 
 	if !isChanged {

remediation/dependabot/dependabotconfig_test.go

@@ -317,6 +317,49 @@ func TestUpdateSubtractiveFields(t *testing.T) {
 			},
 			isChanged: true,
 		},
+		{
+			// Subtractive — request has two ecosystems; github-actions exists and gets updated,
+			// npm does not exist in the config and is silently skipped.
+			fileName: "subtractive-multi-skip-missing.yml",
+			ecosystems: []Ecosystem{
+				{
+					PackageEcosystem: "github-actions",
+					Directory:        "/",
+					Interval:         "monthly",
+					CoolDown: &CoolDown{
+						DefaultDays:     14,
+						SemverMajorDays: 60,
+					},
+					Groups: map[string]Group{
+						"actions": {Patterns: []string{"*"}},
+					},
+				},
+				{
+					PackageEcosystem: "npm",
+					Directory:        "/",
+					Interval:         "weekly",
+					CoolDown: &CoolDown{
+						DefaultDays:     7,
+						SemverMajorDays: 30,
+						SemverMinorDays: 14,
+						SemverPatchDays: 5,
+					},
+					Groups: map[string]Group{
+						"production-dependencies": {
+							AppliesTo:      "version-updates",
+							Patterns:       []string{"*"},
+							DependencyType: "production",
+						},
+						"dev-dependencies": {
+							AppliesTo:      "version-updates",
+							Patterns:       []string{"*"},
+							DependencyType: "development",
+						},
+					},
+				},
+			},
+			isChanged: true,
+		},
 	}
 
 	for _, test := range tests {

testfiles/dependabotfiles/input/subtractive-multi-skip-missing.yml

@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: daily

testfiles/dependabotfiles/output/subtractive-multi-skip-missing.yml

@@ -0,0 +1,33 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: monthly
+    groups:
+      actions:
+        patterns:
+          - '*'
+    cooldown:
+      default-days: 14
+      semver-major-days: 60
+  - package-ecosystem: npm
+    directory: /
+    schedule:
+      interval: weekly
+    groups:
+      dev-dependencies:
+        applies-to: version-updates
+        patterns:
+          - '*'
+        dependency-type: development
+      production-dependencies:
+        applies-to: version-updates
+        patterns:
+          - '*'
+        dependency-type: production
+    cooldown:
+      default-days: 7
+      semver-major-days: 30
+      semver-minor-days: 14
+      semver-patch-days: 5