@node-core/utils 4.3.0 → 5.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/bin/ncu-ci.js +6 -1
- package/components/git/security.js +120 -5
- package/lib/ci/run_ci.js +12 -2
- package/lib/github/templates/security-pre-release.md +30 -0
- package/lib/pr_checker.js +1 -0
- package/lib/prepare_security.js +157 -172
- package/lib/request.js +55 -0
- package/lib/security-announcement.js +76 -0
- package/lib/security-release/security-release.js +193 -0
- package/lib/security_blog.js +182 -0
- package/lib/update_security_release.js +274 -0
- package/package.json +1 -1
- package/lib/github/templates/next-security-release.md +0 -98
package/bin/ncu-ci.js
CHANGED
|
@@ -113,6 +113,11 @@ const args = yargs(hideBin(process.argv))
|
|
|
113
113
|
describe: 'ID of the PR',
|
|
114
114
|
type: 'number'
|
|
115
115
|
})
|
|
116
|
+
.positional('certify-safe', {
|
|
117
|
+
describe: 'If not provided, the command will reject PRs that have ' +
|
|
118
|
+
'been pushed since the last review',
|
|
119
|
+
type: 'boolean'
|
|
120
|
+
})
|
|
116
121
|
.option('owner', {
|
|
117
122
|
default: '',
|
|
118
123
|
describe: 'GitHub repository owner'
|
|
@@ -291,7 +296,7 @@ class RunPRJobCommand {
|
|
|
291
296
|
this.cli.setExitCode(1);
|
|
292
297
|
return;
|
|
293
298
|
}
|
|
294
|
-
const jobRunner = new RunPRJob(cli, request, owner, repo, prid);
|
|
299
|
+
const jobRunner = new RunPRJob(cli, request, owner, repo, prid, this.argv.certifySafe);
|
|
295
300
|
if (!(await jobRunner.start())) {
|
|
296
301
|
this.cli.setExitCode(1);
|
|
297
302
|
process.exitCode = 1;
|
|
@@ -1,5 +1,8 @@
|
|
|
1
1
|
import CLI from '../../lib/cli.js';
|
|
2
|
-
import
|
|
2
|
+
import PrepareSecurityRelease from '../../lib/prepare_security.js';
|
|
3
|
+
import UpdateSecurityRelease from '../../lib/update_security_release.js';
|
|
4
|
+
import SecurityBlog from '../../lib/security_blog.js';
|
|
5
|
+
import SecurityAnnouncement from '../../lib/security-announcement.js';
|
|
3
6
|
|
|
4
7
|
export const command = 'security [options]';
|
|
5
8
|
export const describe = 'Manage an in-progress security release or start a new one.';
|
|
@@ -8,6 +11,30 @@ const securityOptions = {
|
|
|
8
11
|
start: {
|
|
9
12
|
describe: 'Start security release process',
|
|
10
13
|
type: 'boolean'
|
|
14
|
+
},
|
|
15
|
+
'update-date': {
|
|
16
|
+
describe: 'Updates the target date of the security release',
|
|
17
|
+
type: 'string'
|
|
18
|
+
},
|
|
19
|
+
'add-report': {
|
|
20
|
+
describe: 'Extracts data from HackerOne report and adds it into vulnerabilities.json',
|
|
21
|
+
type: 'string'
|
|
22
|
+
},
|
|
23
|
+
'remove-report': {
|
|
24
|
+
describe: 'Removes a report from vulnerabilities.json',
|
|
25
|
+
type: 'string'
|
|
26
|
+
},
|
|
27
|
+
'pre-release': {
|
|
28
|
+
describe: 'Create the pre-release announcement',
|
|
29
|
+
type: 'boolean'
|
|
30
|
+
},
|
|
31
|
+
'notify-pre-release': {
|
|
32
|
+
describe: 'Notify the community about the security release',
|
|
33
|
+
type: 'boolean'
|
|
34
|
+
},
|
|
35
|
+
'request-cve': {
|
|
36
|
+
describe: 'Request CVEs for a security release',
|
|
37
|
+
type: 'boolean'
|
|
11
38
|
}
|
|
12
39
|
};
|
|
13
40
|
|
|
@@ -15,21 +42,109 @@ let yargsInstance;
|
|
|
15
42
|
|
|
16
43
|
export function builder(yargs) {
|
|
17
44
|
yargsInstance = yargs;
|
|
18
|
-
return yargs.options(securityOptions)
|
|
19
|
-
|
|
20
|
-
|
|
45
|
+
return yargs.options(securityOptions)
|
|
46
|
+
.example(
|
|
47
|
+
'git node security --start',
|
|
48
|
+
'Prepare a security release of Node.js')
|
|
49
|
+
.example(
|
|
50
|
+
'git node security --update-date=YYYY/MM/DD',
|
|
51
|
+
'Updates the target date of the security release'
|
|
52
|
+
)
|
|
53
|
+
.example(
|
|
54
|
+
'git node security --add-report=H1-ID',
|
|
55
|
+
'Fetches HackerOne report based on ID provided and adds it into vulnerabilities.json'
|
|
56
|
+
)
|
|
57
|
+
.example(
|
|
58
|
+
'git node security --remove-report=H1-ID',
|
|
59
|
+
'Removes the Hackerone report based on ID provided from vulnerabilities.json'
|
|
60
|
+
)
|
|
61
|
+
.example(
|
|
62
|
+
'git node security --pre-release' +
|
|
63
|
+
'Create the pre-release announcement on the Nodejs.org repo'
|
|
64
|
+
).example(
|
|
65
|
+
'git node security --notify-pre-release' +
|
|
66
|
+
'Notifies the community about the security release'
|
|
67
|
+
)
|
|
68
|
+
.example(
|
|
69
|
+
'git node security --request-cve',
|
|
70
|
+
'Request CVEs for a security release of Node.js based on' +
|
|
71
|
+
' the next-security-release/vulnerabilities.json'
|
|
72
|
+
);
|
|
21
73
|
}
|
|
22
74
|
|
|
23
75
|
export function handler(argv) {
|
|
24
76
|
if (argv.start) {
|
|
25
77
|
return startSecurityRelease(argv);
|
|
26
78
|
}
|
|
79
|
+
if (argv['update-date']) {
|
|
80
|
+
return updateReleaseDate(argv);
|
|
81
|
+
}
|
|
82
|
+
if (argv['pre-release']) {
|
|
83
|
+
return createPreRelease(argv);
|
|
84
|
+
}
|
|
85
|
+
if (argv['add-report']) {
|
|
86
|
+
return addReport(argv);
|
|
87
|
+
}
|
|
88
|
+
if (argv['remove-report']) {
|
|
89
|
+
return removeReport(argv);
|
|
90
|
+
}
|
|
91
|
+
if (argv['notify-pre-release']) {
|
|
92
|
+
return notifyPreRelease(argv);
|
|
93
|
+
}
|
|
94
|
+
if (argv['request-cve']) {
|
|
95
|
+
return requestCVEs(argv);
|
|
96
|
+
}
|
|
27
97
|
yargsInstance.showHelp();
|
|
28
98
|
}
|
|
29
99
|
|
|
100
|
+
async function removeReport(argv) {
|
|
101
|
+
const reportId = argv['remove-report'];
|
|
102
|
+
const logStream = process.stdout.isTTY ? process.stdout : process.stderr;
|
|
103
|
+
const cli = new CLI(logStream);
|
|
104
|
+
const update = new UpdateSecurityRelease(cli);
|
|
105
|
+
return update.removeReport(reportId);
|
|
106
|
+
}
|
|
107
|
+
|
|
108
|
+
async function addReport(argv) {
|
|
109
|
+
const reportId = argv['add-report'];
|
|
110
|
+
const logStream = process.stdout.isTTY ? process.stdout : process.stderr;
|
|
111
|
+
const cli = new CLI(logStream);
|
|
112
|
+
const update = new UpdateSecurityRelease(cli);
|
|
113
|
+
return update.addReport(reportId);
|
|
114
|
+
}
|
|
115
|
+
|
|
116
|
+
async function updateReleaseDate(argv) {
|
|
117
|
+
const releaseDate = argv['update-date'];
|
|
118
|
+
const logStream = process.stdout.isTTY ? process.stdout : process.stderr;
|
|
119
|
+
const cli = new CLI(logStream);
|
|
120
|
+
const update = new UpdateSecurityRelease(cli);
|
|
121
|
+
return update.updateReleaseDate(releaseDate);
|
|
122
|
+
}
|
|
123
|
+
|
|
124
|
+
async function createPreRelease() {
|
|
125
|
+
const logStream = process.stdout.isTTY ? process.stdout : process.stderr;
|
|
126
|
+
const cli = new CLI(logStream);
|
|
127
|
+
const preRelease = new SecurityBlog(cli);
|
|
128
|
+
return preRelease.createPreRelease();
|
|
129
|
+
}
|
|
130
|
+
|
|
131
|
+
async function requestCVEs() {
|
|
132
|
+
const logStream = process.stdout.isTTY ? process.stdout : process.stderr;
|
|
133
|
+
const cli = new CLI(logStream);
|
|
134
|
+
const hackerOneCve = new UpdateSecurityRelease(cli);
|
|
135
|
+
return hackerOneCve.requestCVEs();
|
|
136
|
+
}
|
|
137
|
+
|
|
30
138
|
async function startSecurityRelease(argv) {
|
|
31
139
|
const logStream = process.stdout.isTTY ? process.stdout : process.stderr;
|
|
32
140
|
const cli = new CLI(logStream);
|
|
33
|
-
const release = new
|
|
141
|
+
const release = new PrepareSecurityRelease(cli);
|
|
34
142
|
return release.start();
|
|
35
143
|
}
|
|
144
|
+
|
|
145
|
+
async function notifyPreRelease() {
|
|
146
|
+
const logStream = process.stdout.isTTY ? process.stdout : process.stderr;
|
|
147
|
+
const cli = new CLI(logStream);
|
|
148
|
+
const preRelease = new SecurityAnnouncement(cli);
|
|
149
|
+
return preRelease.notifyPreRelease();
|
|
150
|
+
}
|
package/lib/ci/run_ci.js
CHANGED
|
@@ -7,6 +7,7 @@ import {
|
|
|
7
7
|
} from './ci_type_parser.js';
|
|
8
8
|
import PRData from '../pr_data.js';
|
|
9
9
|
import { debuglog } from '../verbosity.js';
|
|
10
|
+
import PRChecker from '../pr_checker.js';
|
|
10
11
|
|
|
11
12
|
export const CI_CRUMB_URL = `https://${CI_DOMAIN}/crumbIssuer/api/json`;
|
|
12
13
|
const CI_PR_NAME = CI_TYPES.get(CI_TYPES_KEYS.PR).jobName;
|
|
@@ -16,13 +17,16 @@ const CI_V8_NAME = CI_TYPES.get(CI_TYPES_KEYS.V8).jobName;
|
|
|
16
17
|
export const CI_V8_URL = `https://${CI_DOMAIN}/job/${CI_V8_NAME}/build`;
|
|
17
18
|
|
|
18
19
|
export class RunPRJob {
|
|
19
|
-
constructor(cli, request, owner, repo, prid) {
|
|
20
|
+
constructor(cli, request, owner, repo, prid, certifySafe) {
|
|
20
21
|
this.cli = cli;
|
|
21
22
|
this.request = request;
|
|
22
23
|
this.owner = owner;
|
|
23
24
|
this.repo = repo;
|
|
24
25
|
this.prid = prid;
|
|
25
26
|
this.prData = new PRData({ prid, owner, repo }, cli, request);
|
|
27
|
+
this.certifySafe =
|
|
28
|
+
certifySafe ||
|
|
29
|
+
new PRChecker(cli, this.prData, request, {}).checkCommitsAfterReview();
|
|
26
30
|
}
|
|
27
31
|
|
|
28
32
|
async getCrumb() {
|
|
@@ -62,7 +66,13 @@ export class RunPRJob {
|
|
|
62
66
|
}
|
|
63
67
|
|
|
64
68
|
async start() {
|
|
65
|
-
const { cli } = this;
|
|
69
|
+
const { cli, certifySafe } = this;
|
|
70
|
+
|
|
71
|
+
if (!certifySafe) {
|
|
72
|
+
cli.error('Refusing to run CI on potentially unsafe PR');
|
|
73
|
+
return false;
|
|
74
|
+
}
|
|
75
|
+
|
|
66
76
|
cli.startSpinner('Validating Jenkins credentials');
|
|
67
77
|
const crumb = await this.getCrumb();
|
|
68
78
|
|
|
@@ -0,0 +1,30 @@
|
|
|
1
|
+
---
|
|
2
|
+
date: %ANNOUNCEMENT_DATE%
|
|
3
|
+
category: vulnerability
|
|
4
|
+
title: %RELEASE_DATE% Security Releases
|
|
5
|
+
slug: %SLUG%
|
|
6
|
+
layout: blog-post
|
|
7
|
+
author: The Node.js Project
|
|
8
|
+
---
|
|
9
|
+
|
|
10
|
+
# Summary
|
|
11
|
+
|
|
12
|
+
The Node.js project will release new versions of the %AFFECTED_VERSIONS%
|
|
13
|
+
releases lines on or shortly after, %RELEASE_DATE% in order to address:
|
|
14
|
+
|
|
15
|
+
%VULNERABILITIES%
|
|
16
|
+
%OPENSSL_UPDATES%
|
|
17
|
+
## Impact
|
|
18
|
+
|
|
19
|
+
%IMPACT%
|
|
20
|
+
|
|
21
|
+
## Release timing
|
|
22
|
+
|
|
23
|
+
Releases will be available on, or shortly after, %RELEASE_DATE%.
|
|
24
|
+
|
|
25
|
+
## Contact and future updates
|
|
26
|
+
|
|
27
|
+
The current Node.js security policy can be found at https://nodejs.org/en/security/.
|
|
28
|
+
Please follow the process outlined in https://github.com/nodejs/node/blob/master/SECURITY.md if you wish to report a vulnerability in Node.js.
|
|
29
|
+
|
|
30
|
+
Subscribe to the low-volume announcement-only nodejs-sec mailing list at https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the nodejs GitHub organization.
|