@node-core/utils 4.3.0 → 5.0.0

package/lib/prepare_security.js

@@ -1,244 +1,177 @@
-import nv from '@pkgjs/nv';
-import auth from './auth.js';
-import Request from './request.js';
 import fs from 'node:fs';
-import { runSync } from './run.js';
 import path from 'node:path';
-
-export const PLACEHOLDERS = {
-  releaseDate: '%RELEASE_DATE%',
-  vulnerabilitiesPRURL: '%VULNERABILITIES_PR_URL%',
-  preReleasePrivate: '%PRE_RELEASE_PRIV%',
-  postReleasePrivate: '%POS_RELEASE_PRIV%',
-  affectedLines: '%AFFECTED_LINES%'
-};
-
-export default class SecurityReleaseSteward {
+import auth from './auth.js';
+import Request from './request.js';
+import {
+  NEXT_SECURITY_RELEASE_BRANCH,
+  NEXT_SECURITY_RELEASE_FOLDER,
+  NEXT_SECURITY_RELEASE_REPOSITORY,
+  PLACEHOLDERS,
+  checkoutOnSecurityReleaseBranch,
+  commitAndPushVulnerabilitiesJSON,
+  validateDate,
+  promptDependencies,
+  getSupportedVersions,
+  pickReport
+} from './security-release/security-release.js';
+import _ from 'lodash';
+
+export default class PrepareSecurityRelease {
+  repository = NEXT_SECURITY_RELEASE_REPOSITORY;
+  title = 'Next Security Release';
   constructor(cli) {
     this.cli = cli;
   }
 
   async start() {
-    const { cli } = this;
     const credentials = await auth({
       github: true,
       h1: true
     });
 
-    const req = new Request(credentials);
-    const release = new PrepareSecurityRelease(req);
-    const releaseDate = await release.promptReleaseDate(cli);
-    let securityReleasePRUrl = PLACEHOLDERS.vulnerabilitiesPRURL;
+    this.req = new Request(credentials);
+    const releaseDate = await this.promptReleaseDate();
+    if (releaseDate !== 'TBD') {
+      validateDate(releaseDate);
+    }
+    const createVulnerabilitiesJSON = await this.promptVulnerabilitiesJSON();
 
-    const createVulnerabilitiesJSON = await release.promptVulnerabilitiesJSON(cli);
+    let securityReleasePRUrl;
     if (createVulnerabilitiesJSON) {
-      securityReleasePRUrl = await this.createVulnerabilitiesJSON(req, release, { cli });
+      securityReleasePRUrl = await this.startVulnerabilitiesJSONCreation(releaseDate);
     }
 
-    const createIssue = await release.promptCreateRelaseIssue(cli);
+    const createIssue = await this.promptCreateRelaseIssue();
 
     if (createIssue) {
-      const { content } = release.buildIssue(releaseDate, securityReleasePRUrl);
-      await release.createIssue(content, { cli });
+      const content = await this.buildIssue(releaseDate, securityReleasePRUrl);
+      await createIssue(
+        this.title, content, this.repository, { cli: this.cli, repository: this.repository });
     };
 
-    cli.ok('Done!');
+    this.cli.ok('Done!');
   }
 
-  async createVulnerabilitiesJSON(req, release, { cli }) {
+  async startVulnerabilitiesJSONCreation(releaseDate) {
     // checkout on the next-security-release branch
-    release.checkoutOnSecurityReleaseBranch(cli);
+    checkoutOnSecurityReleaseBranch(this.cli, this.repository);
 
     // choose the reports to include in the security release
-    const reports = await release.chooseReports(cli);
+    const reports = await this.chooseReports();
+    const depUpdates = await this.getDependencyUpdates();
+    const deps = _.groupBy(depUpdates, 'name');
 
     // create the vulnerabilities.json file in the security-release repo
-    const filePath = await release.createVulnerabilitiesJSON(reports, { cli });
+    const filePath = await this.createVulnerabilitiesJSON(reports, deps, releaseDate);
 
     // review the vulnerabilities.json file
-    const review = await release.promptReviewVulnerabilitiesJSON(cli);
+    const review = await this.promptReviewVulnerabilitiesJSON();
 
     if (!review) {
-      cli.info(`To push the vulnerabilities.json file run:
+      this.cli.info(`To push the vulnerabilities.json file run:
         - git add ${filePath}
         - git commit -m "chore: create vulnerabilities.json for next security release"
-        - git push -u origin next-security-release
-        - open a PR on ${release.repository.owner}/${release.repository.repo}`);
+        - git push -u origin ${NEXT_SECURITY_RELEASE_BRANCH}
+        - open a PR on ${this.repository.owner}/${this.repository.repo}`);
       return;
     };
 
     // commit and push the vulnerabilities.json file
-    release.commitAndPushVulnerabilitiesJSON(filePath, cli);
+    const commitMessage = 'chore: create vulnerabilities.json for next security release';
+    commitAndPushVulnerabilitiesJSON(filePath,
+      commitMessage,
+      { cli: this.cli, repository: this.repository });
 
-    const createPr = await release.promptCreatePR(cli);
+    const createPr = await this.promptCreatePR();
 
     if (!createPr) return;
 
     // create pr on the security-release repo
-    return release.createPullRequest(req, { cli });
+    return this.createPullRequest();
   }
-}
 
-class PrepareSecurityRelease {
-  repository = {
-    owner: 'nodejs-private',
-    repo: 'security-release'
-  };
-
-  title = 'Next Security Release';
-  nextSecurityReleaseBranch = 'next-security-release';
-
-  constructor(req, repository) {
-    this.req = req;
-    if (repository) {
-      this.repository = repository;
-    }
-  }
-
-  promptCreatePR(cli) {
-    return cli.prompt(
+  promptCreatePR() {
+    return this.cli.prompt(
       'Create the Next Security Release PR?',
       { defaultAnswer: true });
   }
 
-  checkRemote(cli) {
-    const remote = runSync('git', ['ls-remote', '--get-url', 'origin']).trim();
-    const { owner, repo } = this.repository;
-    const securityReleaseOrigin = `https://github.com/${owner}/${repo}.git`;
-
-    if (remote !== securityReleaseOrigin) {
-      cli.error(`Wrong repository! It should be ${securityReleaseOrigin}`);
-      process.exit(1);
+  async getSecurityIssueTemplate() {
+    const url = 'https://raw.githubusercontent.com/nodejs/node/main/doc/contributing/security-release-process.md';
+    try {
+      // fetch document from nodejs/node main so we dont need to keep a copy
+      const response = await fetch(url);
+      const body = await response.text();
+      // remove everything before the Planning section
+      const index = body.indexOf('## Planning');
+      if (index !== -1) {
+        return body.substring(index);
+      }
+      return body;
+    } catch (error) {
+      this.cli.error(`Could not retrieve the security issue template from ${url}`);
     }
   }
 
-  commitAndPushVulnerabilitiesJSON(filePath, cli) {
-    this.checkRemote(cli);
-
-    runSync('git', ['add', filePath]);
-    const commitMessage = 'chore: create vulnerabilities.json for next security release';
-    runSync('git', ['commit', '-m', commitMessage]);
-    runSync('git', ['push', '-u', 'origin', 'next-security-release']);
-    cli.ok(`Pushed commit: ${commitMessage} to ${this.nextSecurityReleaseBranch}`);
-  }
-
-  getSecurityIssueTemplate() {
-    return fs.readFileSync(
-      new URL(
-        './github/templates/next-security-release.md',
-        import.meta.url
-      ),
-      'utf-8'
-    );
-  }
-
-  async promptReleaseDate(cli) {
-    return cli.prompt('Enter target release date in YYYY-MM-DD format:', {
-      questionType: 'input',
-      defaultAnswer: 'TBD'
-    });
+  async promptReleaseDate() {
+    const nextWeekDate = new Date();
+    nextWeekDate.setDate(nextWeekDate.getDate() + 7);
+    // Format the date as YYYY/MM/DD
+    const formattedDate = nextWeekDate.toISOString().slice(0, 10).replace(/-/g, '/');
+    return this.cli.prompt(
+      'Enter target release date in YYYY/MM/DD format (TBD if not defined yet):', {
+        questionType: 'input',
+        defaultAnswer: formattedDate
+      });
   }
 
-  async promptVulnerabilitiesJSON(cli) {
-    return cli.prompt(
+  async promptVulnerabilitiesJSON() {
+    return this.cli.prompt(
       'Create the vulnerabilities.json?',
       { defaultAnswer: true });
   }
 
-  async promptCreateRelaseIssue(cli) {
-    return cli.prompt(
+  async promptCreateRelaseIssue() {
+    return this.cli.prompt(
       'Create the Next Security Release issue?',
       { defaultAnswer: true });
   }
 
-  async promptReviewVulnerabilitiesJSON(cli) {
-    return cli.prompt(
+  async promptReviewVulnerabilitiesJSON() {
+    return this.cli.prompt(
       'Please review vulnerabilities.json and press enter to proceed.',
       { defaultAnswer: true });
   }
 
-  buildIssue(releaseDate, securityReleasePRUrl) {
-    const template = this.getSecurityIssueTemplate();
+  async buildIssue(releaseDate, securityReleasePRUrl = PLACEHOLDERS.vulnerabilitiesPRURL) {
+    const template = await this.getSecurityIssueTemplate();
     const content = template.replace(PLACEHOLDERS.releaseDate, releaseDate)
       .replace(PLACEHOLDERS.vulnerabilitiesPRURL, securityReleasePRUrl);
-    return { releaseDate, content, securityReleasePRUrl };
-  }
-
-  async createIssue(content, { cli }) {
-    const data = await this.req.createIssue(this.title, content, this.repository);
-    if (data.html_url) {
-      cli.ok('Created: ' + data.html_url);
-    } else {
-      cli.error(data);
-      process.exit(1);
-    }
+    return content;
   }
 
-  async chooseReports(cli) {
-    cli.info('Getting triaged H1 reports...');
+  async chooseReports() {
+    this.cli.info('Getting triaged H1 reports...');
     const reports = await this.req.getTriagedReports();
-    const supportedVersions = (await nv('supported'))
-      .map((v) => v.versionName + '.x')
-      .join(',');
     const selectedReports = [];
 
     for (const report of reports.data) {
-      const { id, attributes: { title, cve_ids }, relationships: { severity } } = report;
-      const reportLevel = severity ? severity.data.attributes.rating : 'TBD';
-      cli.separator();
-      cli.info(`Report: ${id} - ${title} (${reportLevel})`);
-      const include = await cli.prompt(
-        'Would you like to include this report to the next security release?',
-        { defaultAnswer: true });
-      if (!include) {
-        continue;
-      }
-
-      const versions = await cli.prompt('Which active release lines this report affects?', {
-        questionType: 'input',
-        defaultAnswer: supportedVersions
-      });
-      const summaryContent = await this.getSummary(id);
-
-      selectedReports.push({
-        id,
-        title,
-        cve_ids,
-        severity: reportLevel,
-        summary: summaryContent ?? '',
-        affectedVersions: versions.split(',').map((v) => v.replace('v', '').trim())
-      });
+      const rep = await pickReport(report, { cli: this.cli, req: this.req });
+      if (!rep) continue;
+      selectedReports.push(rep);
     }
     return selectedReports;
   }
 
-  async getSummary(reportId) {
-    const { data } = await this.req.getReport(reportId);
-    const summaryList = data?.relationships?.summaries?.data;
-    if (!summaryList?.length) return;
-    const summaries = summaryList.filter((summary) => summary?.attributes?.category === 'team');
-    if (!summaries?.length) return;
-    return summaries?.[0].attributes?.content;
-  }
-
-  checkoutOnSecurityReleaseBranch(cli) {
-    this.checkRemote(cli);
-    const currentBranch = runSync('git', ['branch', '--show-current']).trim();
-    cli.info(`Current branch: ${currentBranch} `);
-
-    if (currentBranch !== this.nextSecurityReleaseBranch) {
-      runSync('git', ['checkout', '-B', this.nextSecurityReleaseBranch]);
-      cli.ok(`Checkout on branch: ${this.nextSecurityReleaseBranch} `);
-    };
-  }
-
-  async createVulnerabilitiesJSON(reports, { cli }) {
-    cli.separator('Creating vulnerabilities.json...');
+  async createVulnerabilitiesJSON(reports, dependencies, releaseDate) {
+    this.cli.separator('Creating vulnerabilities.json...');
     const file = JSON.stringify({
-      reports
+      releaseDate,
+      reports,
+      dependencies
     }, null, 2);
 
-    const folderPath = path.join(process.cwd(), 'security-release', 'next-security-release');
+    const folderPath = path.join(process.cwd(), NEXT_SECURITY_RELEASE_FOLDER);
     try {
       await fs.accessSync(folderPath);
     } catch (error) {
@@ -247,14 +180,14 @@ class PrepareSecurityRelease {
 
     const fullPath = path.join(folderPath, 'vulnerabilities.json');
     fs.writeFileSync(fullPath, file);
-    cli.ok(`Created ${fullPath} `);
+    this.cli.ok(`Created ${fullPath} `);
 
     return fullPath;
   }
 
-  async createPullRequest(req, { cli }) {
+  async createPullRequest() {
     const { owner, repo } = this.repository;
-    const response = await req.createPullRequest(
+    const response = await this.req.createPullRequest(
       this.title,
       'List of vulnerabilities to be included in the next security release',
       {
@@ -267,17 +200,69 @@ class PrepareSecurityRelease {
     );
     const url = response?.html_url;
     if (url) {
-      cli.ok('Created: ' + url);
+      this.cli.ok(`Created: ${url}`);
       return url;
+    }
+    if (response?.errors) {
+      for (const error of response.errors) {
+        this.cli.error(error.message);
+      }
     } else {
-      if (response?.errors) {
-        for (const error of response.errors) {
-          cli.error(error.message);
-        }
-      } else {
-        cli.error(response);
+      this.cli.error(response);
+    }
+    process.exit(1);
+  }
+
+  async getDependencyUpdates() {
+    const deps = [];
+    this.cli.log('\n');
+    this.cli.separator('Dependency Updates');
+    const updates = await this.cli.prompt('Are there dependency updates in this security release?',
+      {
+        defaultAnswer: true,
+        questionType: 'confirm'
+      });
+
+    if (!updates) return deps;
+
+    const supportedVersions = await getSupportedVersions();
+
+    let asking = true;
+    while (asking) {
+      const dep = await promptDependencies(this.cli);
+      if (!dep) {
+        asking = false;
+        break;
+      }
+
+      const name = await this.cli.prompt(
+        'What is the name of the dependency that has been updated?', {
+          defaultAnswer: '',
+          questionType: 'input'
+        });
+
+      const versions = await this.cli.prompt(
+        'Which release line does this dependency update affect?', {
+          defaultAnswer: supportedVersions,
+          questionType: 'input'
+        });
+
+      try {
+        const prUrl = dep.replace('https://github.com/', 'https://api.github.com/repos/').replace('pull', 'pulls');
+        const res = await this.req.getPullRequest(prUrl);
+        const { html_url, title } = res;
+        deps.push({
+          name,
+          url: html_url,
+          title,
+          affectedVersions: versions.split(',').map((v) => v.replace('v', '').trim())
+        });
+        this.cli.separator();
+      } catch (error) {
+        this.cli.error('Invalid PR url. Please provide a valid PR url.');
+        this.cli.error(error);
       }
-      process.exit(1);
     }
+    return deps;
   }
 }

package/lib/request.js

@@ -77,6 +77,18 @@ export default class Request {
     return this.json(url, options);
   }
 
+  async getPullRequest(url) {
+    const options = {
+      method: 'GET',
+      headers: {
+        Authorization: `Basic ${this.credentials.github}`,
+        'User-Agent': 'node-core-utils',
+        Accept: 'application/vnd.github+json'
+      }
+    };
+    return this.json(url, options);
+  }
+
   async createPullRequest(title, body, { owner, repo, head, base }) {
     const url = `https://api.github.com/repos/${owner}/${repo}/pulls`;
     const options = {
@@ -132,6 +144,49 @@ export default class Request {
     return this.json(url, options);
   }
 
+  async getPrograms() {
+    const url = 'https://api.hackerone.com/v1/me/programs';
+    const options = {
+      method: 'GET',
+      headers: {
+        Authorization: `Basic ${this.credentials.h1}`,
+        'User-Agent': 'node-core-utils',
+        Accept: 'application/json'
+      }
+    };
+    return this.json(url, options);
+  }
+
+  async requestCVE(programId, opts) {
+    const url = `https://api.hackerone.com/v1/programs/${programId}/cve_requests`;
+    const options = {
+      method: 'POST',
+      headers: {
+        Authorization: `Basic ${this.credentials.h1}`,
+        'User-Agent': 'node-core-utils',
+        'Content-Type': 'application/json',
+        Accept: 'application/json'
+      },
+      body: JSON.stringify(opts)
+    };
+    return this.json(url, options);
+  }
+
+  async updateReportCVE(reportId, opts) {
+    const url = `https://api.hackerone.com/v1/reports/${reportId}/cves`;
+    const options = {
+      method: 'PUT',
+      headers: {
+        Authorization: `Basic ${this.credentials.h1}`,
+        'User-Agent': 'node-core-utils',
+        Accept: 'application/json',
+        'Content-Type': 'application/json'
+      },
+      body: JSON.stringify(opts)
+    };
+    return this.json(url, options);
+  }
+
   async getReport(reportId) {
     const url = `https://api.hackerone.com/v1/reports/${reportId}`;
     const options = {

package/lib/security-announcement.js

@@ -0,0 +1,76 @@
+import {
+  NEXT_SECURITY_RELEASE_REPOSITORY,
+  checkoutOnSecurityReleaseBranch,
+  getVulnerabilitiesJSON,
+  validateDate,
+  formatDateToYYYYMMDD,
+  createIssue
+} from './security-release/security-release.js';
+import auth from './auth.js';
+import Request from './request.js';
+
+export default class SecurityAnnouncement {
+  repository = NEXT_SECURITY_RELEASE_REPOSITORY;
+  req;
+  constructor(cli) {
+    this.cli = cli;
+  }
+
+  async notifyPreRelease() {
+    const { cli } = this;
+
+    const credentials = await auth({
+      github: true,
+      h1: true
+    });
+
+    this.req = new Request(credentials);
+
+    // checkout on security release branch
+    checkoutOnSecurityReleaseBranch(cli, this.repository);
+    // read vulnerabilities JSON file
+    const content = getVulnerabilitiesJSON(cli);
+    // validate the release date read from vulnerabilities JSON
+    if (!content.releaseDate) {
+      cli.error('Release date is not set in vulnerabilities.json,' +
+        ' run `git node security --update-date=YYYY/MM/DD` to set the release date.');
+      process.exit(1);
+    }
+
+    validateDate(content.releaseDate);
+    const releaseDate = new Date(content.releaseDate);
+
+    await Promise.all([
+      this.createDockerNodeIssue(releaseDate),
+      this.createBuildWGIssue(releaseDate)
+    ]);
+  }
+
+  async createBuildWGIssue(releaseDate) {
+    const repository = {
+      owner: 'nodejs',
+      repo: 'build'
+    };
+
+    const { title, content } = this.createPreleaseAnnouncementIssue(releaseDate, 'build');
+    await this.createIssue(title, content, repository);
+  }
+
+  createPreleaseAnnouncementIssue(releaseDate, team) {
+    const title = `[NEXT-SECURITY-RELEASE] Heads up on upcoming Node.js\
+ security release ${formatDateToYYYYMMDD(releaseDate)}`;
+    const content = `As per security release workflow,\
+ creating issue to give the ${team} team a heads up.`;
+    return { title, content };
+  }
+
+  async createDockerNodeIssue(releaseDate) {
+    const repository = {
+      owner: 'nodejs',
+      repo: 'docker-node'
+    };
+
+    const { title, content } = this.createPreleaseAnnouncementIssue(releaseDate, 'docker');
+    await createIssue(title, content, repository, { cli: this.cli, repository: this.repository });
+  }
+}