fix: require at least one field for security advisory updates

root · root · commit 71725a7f3fcb · 2026-06-07T00:20:59.000Z
Reject update_repository_security_advisory calls that only provide
owner, repo, and ghsaId to avoid sending empty PATCH requests.
diff --git a/pkg/github/security_advisories_write.go b/pkg/github/security_advisories_write.go
@@ -494,6 +494,12 @@ func UpdateRepositorySecurityAdvisory(t translations.TranslationHelperFunc) inve
 				requestBody.State = &state
 			}
 
+			if requestBody.Summary == nil && requestBody.Description == nil && len(requestBody.Vulnerabilities) == 0 &&
+				requestBody.CVEID == nil && len(requestBody.CWEIDs) == 0 && requestBody.Severity == nil &&
+				requestBody.CVSSVectorString == nil && len(requestBody.Credits) == 0 && requestBody.State == nil {
+				return utils.NewToolResultError("at least one of summary, description, vulnerabilities, cveId, cweIds, severity, cvssVectorString, credits, or state must be provided for update"), nil, nil
+			}
+
 			client, err := deps.GetClient(ctx)
 			if err != nil {
 				return nil, nil, fmt.Errorf("failed to get GitHub client: %w", err)
diff --git a/pkg/github/security_advisories_write_test.go b/pkg/github/security_advisories_write_test.go
@@ -218,6 +218,19 @@ func Test_UpdateRepositorySecurityAdvisory(t *testing.T) {
 			expectError:    true,
 			expectedErrMsg: "missing required parameter: ghsaId",
 		},
+		{
+			name: "no update fields provided",
+			mockedClient: MockHTTPClientWithHandlers(map[string]http.HandlerFunc{
+				PatchReposSecurityAdvisoriesByOwnerByRepoByGhsaID: mockResponse(t, http.StatusOK, mockAdvisory),
+			}),
+			requestArgs: map[string]any{
+				"owner":  "octo",
+				"repo":   "hello-world",
+				"ghsaId": "GHSA-xxxx-xxxx-xxxx",
+			},
+			expectError:    true,
+			expectedErrMsg: "at least one of summary, description, vulnerabilities, cveId, cweIds, severity, cvssVectorString, credits, or state must be provided for update",
+		},
 		{
 			name: "API error handling",
 			mockedClient: MockHTTPClientWithHandlers(map[string]http.HandlerFunc{
