@node-core/utils 4.3.0 → 5.0.0

package/lib/security-release/security-release.js

@@ -0,0 +1,193 @@
+import { runSync } from '../run.js';
+import nv from '@pkgjs/nv';
+import fs from 'node:fs';
+import path from 'node:path';
+
+export const NEXT_SECURITY_RELEASE_BRANCH = 'next-security-release';
+export const NEXT_SECURITY_RELEASE_FOLDER = 'security-release/next-security-release';
+
+export const NEXT_SECURITY_RELEASE_REPOSITORY = {
+  owner: 'nodejs-private',
+  repo: 'security-release'
+};
+
+export const PLACEHOLDERS = {
+  releaseDate: '%RELEASE_DATE%',
+  vulnerabilitiesPRURL: '%VULNERABILITIES_PR_URL%',
+  preReleasePrivate: '%PRE_RELEASE_PRIV%',
+  postReleasePrivate: '%POS_RELEASE_PRIV%',
+  affectedLines: '%AFFECTED_LINES%',
+  annoucementDate: '%ANNOUNCEMENT_DATE%',
+  slug: '%SLUG%',
+  affectedVersions: '%AFFECTED_VERSIONS%',
+  openSSLUpdate: '%OPENSSL_UPDATES%',
+  impact: '%IMPACT%',
+  vulnerabilities: '%VULNERABILITIES%'
+};
+
+export function checkRemote(cli, repository) {
+  const remote = runSync('git', ['ls-remote', '--get-url', 'origin']).trim();
+  const { owner, repo } = repository;
+  const securityReleaseOrigin = [
+    `https://github.com/${owner}/${repo}.git`,
+    `git@github.com:${owner}/${repo}.git`
+  ];
+
+  if (!securityReleaseOrigin.includes(remote)) {
+    cli.error(`Wrong repository! It should be ${securityReleaseOrigin}`);
+    process.exit(1);
+  }
+}
+
+export function checkoutOnSecurityReleaseBranch(cli, repository) {
+  checkRemote(cli, repository);
+  const currentBranch = runSync('git', ['branch', '--show-current']).trim();
+  cli.info(`Current branch: ${currentBranch} `);
+
+  if (currentBranch !== NEXT_SECURITY_RELEASE_BRANCH) {
+    runSync('git', ['checkout', '-B', NEXT_SECURITY_RELEASE_BRANCH]);
+    cli.ok(`Checkout on branch: ${NEXT_SECURITY_RELEASE_BRANCH} `);
+  };
+}
+
+export function commitAndPushVulnerabilitiesJSON(filePath, commitMessage, { cli, repository }) {
+  checkRemote(cli, repository);
+
+  if (Array.isArray(filePath)) {
+    for (const path of filePath) {
+      runSync('git', ['add', path]);
+    }
+  } else {
+    runSync('git', ['add', filePath]);
+  }
+
+  const staged = runSync('git', ['diff', '--name-only', '--cached']).trim();
+  if (!staged) {
+    cli.ok('No changes to commit');
+    return;
+  }
+
+  runSync('git', ['commit', '-m', commitMessage]);
+
+  try {
+    runSync('git', ['push', '-u', 'origin', NEXT_SECURITY_RELEASE_BRANCH]);
+  } catch (error) {
+    cli.warn('Rebasing...');
+    // try to pull rebase and push again
+    runSync('git', ['pull', 'origin', NEXT_SECURITY_RELEASE_BRANCH, '--rebase']);
+    runSync('git', ['push', '-u', 'origin', NEXT_SECURITY_RELEASE_BRANCH]);
+  }
+  cli.ok(`Pushed commit: ${commitMessage} to ${NEXT_SECURITY_RELEASE_BRANCH}`);
+}
+
+export async function getSupportedVersions() {
+  const supportedVersions = (await nv('supported'))
+    .map((v) => `${v.versionName}.x`)
+    .join(',');
+  return supportedVersions;
+}
+
+export async function getSummary(reportId, req) {
+  const { data } = await req.getReport(reportId);
+  const summaryList = data?.relationships?.summaries?.data;
+  if (!summaryList?.length) return;
+  const summaries = summaryList.filter((summary) => summary?.attributes?.category === 'team');
+  if (!summaries?.length) return;
+  return summaries?.[0].attributes?.content;
+}
+
+export function getVulnerabilitiesJSON(cli) {
+  const vulnerabilitiesJSONPath = path.join(process.cwd(),
+    NEXT_SECURITY_RELEASE_FOLDER, 'vulnerabilities.json');
+  cli.startSpinner(`Reading vulnerabilities.json from ${vulnerabilitiesJSONPath}..`);
+  const file = JSON.parse(fs.readFileSync(vulnerabilitiesJSONPath, 'utf-8'));
+  cli.stopSpinner(`Done reading vulnerabilities.json from ${vulnerabilitiesJSONPath}`);
+  return file;
+}
+
+export function validateDate(releaseDate) {
+  const value = new Date(releaseDate).valueOf();
+  if (Number.isNaN(value) || value < 0) {
+    throw new Error('Invalid date format');
+  }
+}
+
+export function formatDateToYYYYMMDD(date) {
+  // Get year, month, and day
+  const year = date.getFullYear();
+  const month = String(date.getMonth() + 1).padStart(2, '0'); // Months are zero-based
+  const day = String(date.getDate()).padStart(2, '0');
+
+  // Concatenate year, month, and day with slashes
+  return `${year}/${month}/${day}`;
+}
+
+export function promptDependencies(cli) {
+  return cli.prompt('Enter the link to the dependency update PR (leave empty to exit): ', {
+    defaultAnswer: '',
+    questionType: 'input'
+  });
+}
+
+export async function createIssue(title, content, repository, { cli, req }) {
+  const data = await req.createIssue(title, content, repository);
+  if (data.html_url) {
+    cli.ok(`Created: ${data.html_url}`);
+  } else {
+    cli.error(data);
+    process.exit(1);
+  }
+}
+
+export async function pickReport(report, { cli, req }) {
+  const {
+    id, attributes: { title, cve_ids },
+    relationships: { severity, weakness, reporter }
+  } = report;
+  const link = `https://hackerone.com/reports/${id}`;
+  const reportSeverity = {
+    rating: severity?.data?.attributes?.rating || '',
+    cvss_vector_string: severity?.data?.attributes?.cvss_vector_string || '',
+    weakness_id: weakness?.data?.id || ''
+  };
+
+  cli.separator();
+  cli.info(`Report: ${link} - ${title} (${reportSeverity?.rating})`);
+  const include = await cli.prompt(
+    'Would you like to include this report to the next security release?',
+    { defaultAnswer: true });
+  if (!include) {
+    return;
+  }
+
+  const versions = await cli.prompt('Which active release lines this report affects?', {
+    questionType: 'input',
+    defaultAnswer: await getSupportedVersions()
+  });
+
+  let patchAuthors = await cli.prompt(
+    'Add github username of the authors of the patch (split by comma if multiple)', {
+      questionType: 'input',
+      defaultAnswer: ''
+    });
+
+  if (!patchAuthors) {
+    patchAuthors = [];
+  } else {
+    patchAuthors = patchAuthors.split(',').map((p) => p.trim());
+  }
+
+  const summaryContent = await getSummary(id, req);
+
+  return {
+    id,
+    title,
+    cveIds: cve_ids,
+    severity: reportSeverity,
+    summary: summaryContent ?? '',
+    patchAuthors,
+    affectedVersions: versions.split(',').map((v) => v.replace('v', '').trim()),
+    link,
+    reporter: reporter.data.attributes.username
+  };
+}

package/lib/security_blog.js

@@ -0,0 +1,182 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import _ from 'lodash';
+import {
+  PLACEHOLDERS,
+  getVulnerabilitiesJSON,
+  checkoutOnSecurityReleaseBranch,
+  NEXT_SECURITY_RELEASE_REPOSITORY,
+  validateDate
+} from './security-release/security-release.js';
+
+export default class SecurityBlog {
+  repository = NEXT_SECURITY_RELEASE_REPOSITORY;
+  constructor(cli) {
+    this.cli = cli;
+  }
+
+  async createPreRelease() {
+    const { cli } = this;
+
+    // checkout on security release branch
+    checkoutOnSecurityReleaseBranch(cli, this.repository);
+
+    // read vulnerabilities JSON file
+    const content = getVulnerabilitiesJSON(cli);
+    // validate the release date read from vulnerabilities JSON
+    if (!content.releaseDate) {
+      cli.error('Release date is not set in vulnerabilities.json,' +
+        ' run `git node security --update-date=YYYY/MM/DD` to set the release date.');
+      process.exit(1);
+    }
+
+    validateDate(content.releaseDate);
+    const releaseDate = new Date(content.releaseDate);
+
+    const template = this.getSecurityPreReleaseTemplate();
+    const data = {
+      annoucementDate: await this.getAnnouncementDate(cli),
+      releaseDate: this.formatReleaseDate(releaseDate),
+      affectedVersions: this.getAffectedVersions(content),
+      vulnerabilities: this.getVulnerabilities(content),
+      slug: this.getSlug(releaseDate),
+      impact: this.getImpact(content),
+      openSSLUpdate: await this.promptOpenSSLUpdate(cli)
+    };
+    const month = releaseDate.toLocaleString('en-US', { month: 'long' }).toLowerCase();
+    const year = releaseDate.getFullYear();
+    const fileName = `${month}-${year}-security-releases.md`;
+    const preRelease = this.buildPreRelease(template, data);
+    const file = path.join(process.cwd(), fileName);
+    fs.writeFileSync(file, preRelease);
+    cli.ok(`Pre-release announcement file created at ${file}`);
+  }
+
+  promptOpenSSLUpdate(cli) {
+    return cli.prompt('Does this security release containt OpenSSL updates?', {
+      defaultAnswer: true
+    });
+  }
+
+  formatReleaseDate(releaseDate) {
+    const options = {
+      weekday: 'long',
+      month: 'long',
+      day: 'numeric',
+      year: 'numeric'
+    };
+    return releaseDate.toLocaleDateString('en-US', options);
+  }
+
+  buildPreRelease(template, data) {
+    const {
+      annoucementDate,
+      releaseDate,
+      affectedVersions,
+      vulnerabilities,
+      slug,
+      impact,
+      openSSLUpdate
+    } = data;
+    return template.replaceAll(PLACEHOLDERS.annoucementDate, annoucementDate)
+      .replaceAll(PLACEHOLDERS.slug, slug)
+      .replaceAll(PLACEHOLDERS.affectedVersions, affectedVersions)
+      .replaceAll(PLACEHOLDERS.vulnerabilities, vulnerabilities)
+      .replaceAll(PLACEHOLDERS.releaseDate, releaseDate)
+      .replaceAll(PLACEHOLDERS.impact, impact)
+      .replaceAll(PLACEHOLDERS.openSSLUpdate, this.getOpenSSLUpdateTemplate(openSSLUpdate));
+  }
+
+  getOpenSSLUpdateTemplate(openSSLUpdate) {
+    if (openSSLUpdate) {
+      return '\n## OpenSSL Security updates\n\n' +
+        'This security release includes OpenSSL security updates\n';
+    }
+    return '';
+  }
+
+  getSlug(releaseDate) {
+    const month = releaseDate.toLocaleString('en-US', { month: 'long' });
+    const year = releaseDate.getFullYear();
+    return `${month.toLocaleLowerCase()}-${year}-security-releases`;
+  }
+
+  async getAnnouncementDate(cli) {
+    try {
+      const date = await this.promptAnnouncementDate(cli);
+      validateDate(date);
+      return new Date(date).toISOString();
+    } catch (error) {
+      return PLACEHOLDERS.annoucementDate;
+    }
+  }
+
+  promptAnnouncementDate(cli) {
+    const today = new Date().toISOString().substring(0, 10).replace(/-/g, '/');
+    return cli.prompt('When is the security release going to be announced? ' +
+      'Enter in YYYY/MM/DD format:', {
+      questionType: 'input',
+      defaultAnswer: today
+    });
+  }
+
+  getImpact(content) {
+    const impact = content.reports.reduce((acc, report) => {
+      for (const affectedVersion of report.affectedVersions) {
+        if (acc[affectedVersion]) {
+          acc[affectedVersion].push(report);
+        } else {
+          acc[affectedVersion] = [report];
+        }
+      }
+      return acc;
+    }, {});
+
+    const impactText = [];
+    for (const [key, value] of Object.entries(impact)) {
+      const groupedByRating = Object.values(_.groupBy(value, 'severity.rating'))
+        .map(severity => {
+          if (!severity[0]?.severity?.rating) {
+            this.cli.error(`severity.rating not found for the report ${severity[0].id}. \
+              Please add it manually before continuing.`);
+            process.exit(1);
+          }
+          const firstSeverityRating = severity[0].severity.rating.toLocaleLowerCase();
+          return `${severity.length} ${firstSeverityRating} severity issues`;
+        }).join(', ');
+
+      impactText.push(`The ${key} release line of Node.js is vulnerable to ${groupedByRating}.`);
+    }
+
+    return impactText.join('\n');
+  }
+
+  getVulnerabilities(content) {
+    const grouped = _.groupBy(content.reports, 'severity.rating');
+    const text = [];
+    for (const [key, value] of Object.entries(grouped)) {
+      text.push(`- ${value.length} ${key.toLocaleLowerCase()} severity issues.`);
+    }
+    return text.join('\n');
+  }
+
+  getAffectedVersions(content) {
+    const affectedVersions = new Set();
+    for (const report of Object.values(content.reports)) {
+      for (const affectedVersion of report.affectedVersions) {
+        affectedVersions.add(affectedVersion);
+      }
+    }
+    return Array.from(affectedVersions).join(', ');
+  }
+
+  getSecurityPreReleaseTemplate() {
+    return fs.readFileSync(
+      new URL(
+        './github/templates/security-pre-release.md',
+        import.meta.url
+      ),
+      'utf-8'
+    );
+  }
+}

package/lib/update_security_release.js

@@ -0,0 +1,274 @@
+import {
+  NEXT_SECURITY_RELEASE_FOLDER,
+  NEXT_SECURITY_RELEASE_REPOSITORY,
+  checkoutOnSecurityReleaseBranch,
+  commitAndPushVulnerabilitiesJSON,
+  validateDate,
+  pickReport
+} from './security-release/security-release.js';
+import fs from 'node:fs';
+import path from 'node:path';
+import auth from './auth.js';
+import Request from './request.js';
+import nv from '@pkgjs/nv';
+
+export default class UpdateSecurityRelease {
+  repository = NEXT_SECURITY_RELEASE_REPOSITORY;
+  constructor(cli) {
+    this.cli = cli;
+  }
+
+  async updateReleaseDate(releaseDate) {
+    const { cli } = this;
+
+    try {
+      validateDate(releaseDate);
+    } catch (error) {
+      cli.error('Invalid date format. Please use the format yyyy/mm/dd.');
+      process.exit(1);
+    }
+
+    // checkout on the next-security-release branch
+    checkoutOnSecurityReleaseBranch(cli, this.repository);
+
+    // update the release date in the vulnerabilities.json file
+    const updatedVulnerabilitiesFiles = await this.updateJSONReleaseDate(releaseDate, { cli });
+
+    const commitMessage = `chore: update the release date to ${releaseDate}`;
+    commitAndPushVulnerabilitiesJSON(updatedVulnerabilitiesFiles,
+      commitMessage, { cli, repository: this.repository });
+    cli.ok('Done!');
+  }
+
+  readVulnerabilitiesJSON(vulnerabilitiesJSONPath) {
+    const exists = fs.existsSync(vulnerabilitiesJSONPath);
+
+    if (!exists) {
+      this.cli.error(`The file vulnerabilities.json does not exist at ${vulnerabilitiesJSONPath}`);
+      process.exit(1);
+    }
+
+    return JSON.parse(fs.readFileSync(vulnerabilitiesJSONPath, 'utf8'));
+  }
+
+  getVulnerabilitiesJSONPath() {
+    return path.join(process.cwd(),
+      NEXT_SECURITY_RELEASE_FOLDER, 'vulnerabilities.json');
+  }
+
+  async updateJSONReleaseDate(releaseDate) {
+    const vulnerabilitiesJSONPath = this.getVulnerabilitiesJSONPath();
+    const content = this.readVulnerabilitiesJSON(vulnerabilitiesJSONPath);
+    content.releaseDate = releaseDate;
+
+    fs.writeFileSync(vulnerabilitiesJSONPath, JSON.stringify(content, null, 2));
+
+    this.cli.ok(`Updated the release date in vulnerabilities.json: ${releaseDate}`);
+    return [vulnerabilitiesJSONPath];
+  }
+
+  async addReport(reportId) {
+    const credentials = await auth({
+      github: true,
+      h1: true
+    });
+
+    const req = new Request(credentials);
+    // checkout on the next-security-release branch
+    checkoutOnSecurityReleaseBranch(this.cli, this.repository);
+
+    // get h1 report
+    const { data: report } = await req.getReport(reportId);
+    const entry = await pickReport(report, { cli: this.cli, req });
+
+    const vulnerabilitiesJSONPath = this.getVulnerabilitiesJSONPath();
+    const content = this.readVulnerabilitiesJSON(vulnerabilitiesJSONPath);
+    content.reports.push(entry);
+    fs.writeFileSync(vulnerabilitiesJSONPath, JSON.stringify(content, null, 2));
+    this.cli.ok(`Updated vulnerabilities.json with the report: ${entry.id}`);
+    const commitMessage = `chore: added report ${entry.id} to vulnerabilities.json`;
+    commitAndPushVulnerabilitiesJSON(vulnerabilitiesJSONPath,
+      commitMessage, { cli: this.cli, repository: this.repository });
+    this.cli.ok('Done!');
+  }
+
+  removeReport(reportId) {
+    const { cli } = this;
+    // checkout on the next-security-release branch
+    checkoutOnSecurityReleaseBranch(cli, this.repository);
+    const vulnerabilitiesJSONPath = this.getVulnerabilitiesJSONPath();
+    const content = this.readVulnerabilitiesJSON(vulnerabilitiesJSONPath);
+    const found = content.reports.some((report) => report.id === reportId);
+    if (!found) {
+      cli.error(`Report with id ${reportId} not found in vulnerabilities.json`);
+      process.exit(1);
+    }
+    content.reports = content.reports.filter((report) => report.id !== reportId);
+    fs.writeFileSync(vulnerabilitiesJSONPath, JSON.stringify(content, null, 2));
+    this.cli.ok(`Updated vulnerabilities.json with the report: ${reportId}`);
+
+    const commitMessage = `chore: remove report ${reportId} from vulnerabilities.json`;
+    commitAndPushVulnerabilitiesJSON(vulnerabilitiesJSONPath,
+      commitMessage, { cli, repository: this.repository });
+    cli.ok('Done!');
+  }
+
+  async requestCVEs() {
+    const credentials = await auth({
+      github: true,
+      h1: true
+    });
+    const vulnerabilitiesJSONPath = this.getVulnerabilitiesJSONPath();
+    const content = this.readVulnerabilitiesJSON(vulnerabilitiesJSONPath);
+    const { reports } = content;
+    const req = new Request(credentials);
+    const programId = await this.getNodeProgramId(req);
+    const cves = await this.promptCVECreation(req, reports, programId);
+    this.assignCVEtoReport(cves, reports);
+    this.updateVulnerabilitiesJSON(content, vulnerabilitiesJSONPath);
+    this.updateHackonerReportCve(req, reports);
+  }
+
+  assignCVEtoReport(cves, reports) {
+    for (const cve of cves) {
+      const report = reports.find(report => report.id === cve.reportId);
+      report.cveIds = [cve.cve_identifier];
+    }
+  }
+
+  async updateHackonerReportCve(req, reports) {
+    for (const report of reports) {
+      const { id, cveIds } = report;
+      this.cli.startSpinner(`Updating report ${id} with CVEs ${cveIds}..`);
+      const body = {
+        data: {
+          type: 'report-cves',
+          attributes: {
+            cve_ids: cveIds
+          }
+        }
+      };
+      const response = await req.updateReportCVE(id, body);
+      if (response.errors) {
+        this.cli.error(`Error updating report ${id}`);
+        this.cli.error(JSON.stringify(response.errors, null, 2));
+      }
+      this.cli.stopSpinner(`Done updating report ${id} with CVEs ${cveIds}..`);
+    }
+  }
+
+  updateVulnerabilitiesJSON(content, vulnerabilitiesJSONPath) {
+    this.cli.startSpinner(`Updating vulnerabilities.json from\
+     ${vulnerabilitiesJSONPath}..`);
+    const filePath = path.resolve(vulnerabilitiesJSONPath);
+    fs.writeFileSync(filePath, JSON.stringify(content, null, 2));
+    // push the changes to the repository
+    commitAndPushVulnerabilitiesJSON(filePath,
+      'chore: updated vulnerabilities.json with CVEs',
+      { cli: this.cli, repository: this.repository });
+    this.cli.stopSpinner(`Done updating vulnerabilities.json from ${filePath}`);
+  }
+
+  async promptCVECreation(req, reports, programId) {
+    const supportedVersions = (await nv('supported'));
+    const cves = [];
+    for (const report of reports) {
+      const { id, summary, title, affectedVersions, cveIds, link } = report;
+      // skip if already has a CVE
+      // risky because the CVE associated might be
+      // mentioned in the report and not requested by Node
+      if (cveIds?.length) continue;
+
+      let severity = report.severity;
+
+      if (!severity.cvss_vector_string || !severity.weakness_id) {
+        try {
+          const h1Report = await req.getReport(id);
+          if (!h1Report.data.relationships.severity?.data.attributes.cvss_vector_string) {
+            throw new Error('No severity found');
+          }
+          severity = {
+            weakness_id: h1Report.data.relationships.weakness?.data.id,
+            cvss_vector_string:
+              h1Report.data.relationships.severity?.data.attributes.cvss_vector_string,
+            rating: h1Report.data.relationships.severity?.data.attributes.rating
+          };
+        } catch (error) {
+          this.cli.error(`Couldnt not retrieve severity from report ${id}, skipping...`);
+          continue;
+        }
+      }
+
+      const { cvss_vector_string, weakness_id } = severity;
+
+      const create = await this.cli.prompt(
+        `Request a CVE for: \n
+Title: ${title}\n
+Link: ${link}\n
+Affected versions: ${affectedVersions.join(', ')}\n
+Vector: ${cvss_vector_string}\n
+Summary: ${summary}\n`,
+        { defaultAnswer: true });
+
+      if (!create) continue;
+
+      const body = {
+        data: {
+          type: 'cve-request',
+          attributes: {
+            team_handle: 'nodejs-team',
+            versions: await this.formatAffected(affectedVersions, supportedVersions),
+            metrics: [
+              {
+                vectorString: cvss_vector_string
+              }
+            ],
+            weakness_id: Number(weakness_id),
+            description: title,
+            vulnerability_discovered_at: new Date().toISOString()
+          }
+        }
+      };
+      const { data } = await req.requestCVE(programId, body);
+      if (data.errors) {
+        this.cli.error(`Error requesting CVE for report ${id}`);
+        this.cli.error(JSON.stringify(data.errors, null, 2));
+        continue;
+      }
+      const { cve_identifier } = data.attributes;
+      cves.push({ cve_identifier, reportId: id });
+    }
+    return cves;
+  }
+
+  async getNodeProgramId(req) {
+    const programs = await req.getPrograms();
+    const { data } = programs;
+    for (const program of data) {
+      const { attributes } = program;
+      if (attributes.handle === 'nodejs') {
+        return program.id;
+      }
+    }
+  }
+
+  async formatAffected(affectedVersions, supportedVersions) {
+    const result = [];
+    for (const affectedVersion of affectedVersions) {
+      const major = affectedVersion.split('.')[0];
+      const latest = supportedVersions.find((v) => v.major === Number(major)).version;
+      const version = await this.cli.prompt(
+        `What is the affected version (<=) for release line ${affectedVersion}?`,
+        { questionType: 'input', defaultAnswer: latest });
+      result.push({
+        vendor: 'nodejs',
+        product: 'node',
+        func: '<=',
+        version,
+        versionType: 'semver',
+        affected: true
+      });
+    }
+    return result;
+  }
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@node-core/utils",
-  "version": "4.3.0",
+  "version": "5.0.0",
   "description": "Utilities for Node.js core collaborators",
   "type": "module",
   "engines": {