@node-core/utils 4.4.0 → 5.0.0

package/bin/ncu-ci.js

@@ -113,6 +113,11 @@ const args = yargs(hideBin(process.argv))
           describe: 'ID of the PR',
           type: 'number'
         })
+        .positional('certify-safe', {
+          describe: 'If not provided, the command will reject PRs that have ' +
+                    'been pushed since the last review',
+          type: 'boolean'
+        })
         .option('owner', {
           default: '',
           describe: 'GitHub repository owner'
@@ -291,7 +296,7 @@ class RunPRJobCommand {
       this.cli.setExitCode(1);
       return;
     }
-    const jobRunner = new RunPRJob(cli, request, owner, repo, prid);
+    const jobRunner = new RunPRJob(cli, request, owner, repo, prid, this.argv.certifySafe);
     if (!(await jobRunner.start())) {
       this.cli.setExitCode(1);
       process.exitCode = 1;

package/components/git/security.js

@@ -1,5 +1,5 @@
 import CLI from '../../lib/cli.js';
-import SecurityReleaseSteward from '../../lib/prepare_security.js';
+import PrepareSecurityRelease from '../../lib/prepare_security.js';
 import UpdateSecurityRelease from '../../lib/update_security_release.js';
 import SecurityBlog from '../../lib/security_blog.js';
 import SecurityAnnouncement from '../../lib/security-announcement.js';
@@ -31,6 +31,10 @@ const securityOptions = {
   'notify-pre-release': {
     describe: 'Notify the community about the security release',
     type: 'boolean'
+  },
+  'request-cve': {
+    describe: 'Request CVEs for a security release',
+    type: 'boolean'
   }
 };
 
@@ -60,6 +64,11 @@ export function builder(yargs) {
     ).example(
       'git node security --notify-pre-release' +
       'Notifies the community about the security release'
+    )
+    .example(
+      'git node security --request-cve',
+      'Request CVEs for a security release of Node.js based on' +
+      ' the next-security-release/vulnerabilities.json'
     );
 }
 
@@ -82,6 +91,9 @@ export function handler(argv) {
   if (argv['notify-pre-release']) {
     return notifyPreRelease(argv);
   }
+  if (argv['request-cve']) {
+    return requestCVEs(argv);
+  }
   yargsInstance.showHelp();
 }
 
@@ -116,10 +128,17 @@ async function createPreRelease() {
   return preRelease.createPreRelease();
 }
 
-async function startSecurityRelease() {
+async function requestCVEs() {
+  const logStream = process.stdout.isTTY ? process.stdout : process.stderr;
+  const cli = new CLI(logStream);
+  const hackerOneCve = new UpdateSecurityRelease(cli);
+  return hackerOneCve.requestCVEs();
+}
+
+async function startSecurityRelease(argv) {
   const logStream = process.stdout.isTTY ? process.stdout : process.stderr;
   const cli = new CLI(logStream);
-  const release = new SecurityReleaseSteward(cli);
+  const release = new PrepareSecurityRelease(cli);
   return release.start();
 }
 

package/lib/ci/run_ci.js

@@ -7,6 +7,7 @@ import {
 } from './ci_type_parser.js';
 import PRData from '../pr_data.js';
 import { debuglog } from '../verbosity.js';
+import PRChecker from '../pr_checker.js';
 
 export const CI_CRUMB_URL = `https://${CI_DOMAIN}/crumbIssuer/api/json`;
 const CI_PR_NAME = CI_TYPES.get(CI_TYPES_KEYS.PR).jobName;
@@ -16,13 +17,16 @@ const CI_V8_NAME = CI_TYPES.get(CI_TYPES_KEYS.V8).jobName;
 export const CI_V8_URL = `https://${CI_DOMAIN}/job/${CI_V8_NAME}/build`;
 
 export class RunPRJob {
-  constructor(cli, request, owner, repo, prid) {
+  constructor(cli, request, owner, repo, prid, certifySafe) {
     this.cli = cli;
     this.request = request;
     this.owner = owner;
     this.repo = repo;
     this.prid = prid;
     this.prData = new PRData({ prid, owner, repo }, cli, request);
+    this.certifySafe =
+      certifySafe ||
+      new PRChecker(cli, this.prData, request, {}).checkCommitsAfterReview();
   }
 
   async getCrumb() {
@@ -62,7 +66,13 @@ export class RunPRJob {
   }
 
   async start() {
-    const { cli } = this;
+    const { cli, certifySafe } = this;
+
+    if (!certifySafe) {
+      cli.error('Refusing to run CI on potentially unsafe PR');
+      return false;
+    }
+
     cli.startSpinner('Validating Jenkins credentials');
     const crumb = await this.getCrumb();
 

package/lib/pr_checker.js

@@ -534,6 +534,7 @@ export default class PRChecker {
     );
 
     if (reviewIndex === -1) {
+      cli.warn('No approving reviews found');
       return false;
     }
 

package/lib/prepare_security.js

@@ -1,4 +1,3 @@
-import nv from '@pkgjs/nv';
 import fs from 'node:fs';
 import path from 'node:path';
 import auth from './auth.js';
@@ -10,92 +9,89 @@ import {
   PLACEHOLDERS,
   checkoutOnSecurityReleaseBranch,
   commitAndPushVulnerabilitiesJSON,
-  getSummary,
-  validateDate
+  validateDate,
+  promptDependencies,
+  getSupportedVersions,
+  pickReport
 } from './security-release/security-release.js';
+import _ from 'lodash';
 
-export default class SecurityReleaseSteward {
+export default class PrepareSecurityRelease {
   repository = NEXT_SECURITY_RELEASE_REPOSITORY;
+  title = 'Next Security Release';
   constructor(cli) {
     this.cli = cli;
   }
 
   async start() {
-    const { cli } = this;
     const credentials = await auth({
       github: true,
       h1: true
     });
 
-    const req = new Request(credentials);
-    const release = new PrepareSecurityRelease(req);
-    const releaseDate = await release.promptReleaseDate(cli);
-    validateDate(releaseDate);
-    const createVulnerabilitiesJSON = await release.promptVulnerabilitiesJSON(cli);
+    this.req = new Request(credentials);
+    const releaseDate = await this.promptReleaseDate();
+    if (releaseDate !== 'TBD') {
+      validateDate(releaseDate);
+    }
+    const createVulnerabilitiesJSON = await this.promptVulnerabilitiesJSON();
 
     let securityReleasePRUrl;
     if (createVulnerabilitiesJSON) {
-      securityReleasePRUrl = await this.createVulnerabilitiesJSON(req, release, { cli });
+      securityReleasePRUrl = await this.startVulnerabilitiesJSONCreation(releaseDate);
     }
 
-    const createIssue = await release.promptCreateRelaseIssue(cli);
+    const createIssue = await this.promptCreateRelaseIssue();
 
     if (createIssue) {
-      const content = await release.buildIssue(releaseDate, securityReleasePRUrl);
-      await release.createIssue(content, { cli });
+      const content = await this.buildIssue(releaseDate, securityReleasePRUrl);
+      await createIssue(
+        this.title, content, this.repository, { cli: this.cli, repository: this.repository });
     };
 
-    cli.ok('Done!');
+    this.cli.ok('Done!');
   }
 
-  async createVulnerabilitiesJSON(req, release, { cli }) {
+  async startVulnerabilitiesJSONCreation(releaseDate) {
     // checkout on the next-security-release branch
-    checkoutOnSecurityReleaseBranch(cli, this.repository);
+    checkoutOnSecurityReleaseBranch(this.cli, this.repository);
 
     // choose the reports to include in the security release
-    const reports = await release.chooseReports(cli);
+    const reports = await this.chooseReports();
+    const depUpdates = await this.getDependencyUpdates();
+    const deps = _.groupBy(depUpdates, 'name');
 
     // create the vulnerabilities.json file in the security-release repo
-    const filePath = await release.createVulnerabilitiesJSON(reports, { cli });
+    const filePath = await this.createVulnerabilitiesJSON(reports, deps, releaseDate);
 
     // review the vulnerabilities.json file
-    const review = await release.promptReviewVulnerabilitiesJSON(cli);
+    const review = await this.promptReviewVulnerabilitiesJSON();
 
     if (!review) {
-      cli.info(`To push the vulnerabilities.json file run:
+      this.cli.info(`To push the vulnerabilities.json file run:
         - git add ${filePath}
         - git commit -m "chore: create vulnerabilities.json for next security release"
         - git push -u origin ${NEXT_SECURITY_RELEASE_BRANCH}
-        - open a PR on ${release.repository.owner}/${release.repository.repo}`);
+        - open a PR on ${this.repository.owner}/${this.repository.repo}`);
       return;
     };
 
     // commit and push the vulnerabilities.json file
     const commitMessage = 'chore: create vulnerabilities.json for next security release';
-    commitAndPushVulnerabilitiesJSON(filePath, commitMessage, { cli, repository: this.repository });
+    commitAndPushVulnerabilitiesJSON(filePath,
+      commitMessage,
+      { cli: this.cli, repository: this.repository });
 
-    const createPr = await release.promptCreatePR(cli);
+    const createPr = await this.promptCreatePR();
 
     if (!createPr) return;
 
     // create pr on the security-release repo
-    return release.createPullRequest(req, { cli });
-  }
-}
-
-class PrepareSecurityRelease {
-  repository = NEXT_SECURITY_RELEASE_REPOSITORY;
-  title = 'Next Security Release';
-
-  constructor(req, repository) {
-    this.req = req;
-    if (repository) {
-      this.repository = repository;
-    }
+    return this.createPullRequest();
   }
 
-  promptCreatePR(cli) {
-    return cli.prompt(
+  promptCreatePR() {
+    return this.cli.prompt(
       'Create the Next Security Release PR?',
       { defaultAnswer: true });
   }
@@ -117,31 +113,32 @@ class PrepareSecurityRelease {
     }
   }
 
-  async promptReleaseDate(cli) {
+  async promptReleaseDate() {
     const nextWeekDate = new Date();
     nextWeekDate.setDate(nextWeekDate.getDate() + 7);
     // Format the date as YYYY/MM/DD
     const formattedDate = nextWeekDate.toISOString().slice(0, 10).replace(/-/g, '/');
-    return cli.prompt('Enter target release date in YYYY/MM/DD format:', {
-      questionType: 'input',
-      defaultAnswer: formattedDate
-    });
+    return this.cli.prompt(
+      'Enter target release date in YYYY/MM/DD format (TBD if not defined yet):', {
+        questionType: 'input',
+        defaultAnswer: formattedDate
+      });
   }
 
-  async promptVulnerabilitiesJSON(cli) {
-    return cli.prompt(
+  async promptVulnerabilitiesJSON() {
+    return this.cli.prompt(
       'Create the vulnerabilities.json?',
       { defaultAnswer: true });
   }
 
-  async promptCreateRelaseIssue(cli) {
-    return cli.prompt(
+  async promptCreateRelaseIssue() {
+    return this.cli.prompt(
       'Create the Next Security Release issue?',
       { defaultAnswer: true });
   }
 
-  async promptReviewVulnerabilitiesJSON(cli) {
-    return cli.prompt(
+  async promptReviewVulnerabilitiesJSON() {
+    return this.cli.prompt(
       'Please review vulnerabilities.json and press enter to proceed.',
       { defaultAnswer: true });
   }
@@ -153,78 +150,25 @@ class PrepareSecurityRelease {
     return content;
   }
 
-  async createIssue(content, { cli }) {
-    const data = await this.req.createIssue(this.title, content, this.repository);
-    if (data.html_url) {
-      cli.ok(`Created: ${data.html_url}`);
-    } else {
-      cli.error(data);
-      process.exit(1);
-    }
-  }
-
-  async chooseReports(cli) {
-    cli.info('Getting triaged H1 reports...');
+  async chooseReports() {
+    this.cli.info('Getting triaged H1 reports...');
     const reports = await this.req.getTriagedReports();
-    const supportedVersions = (await nv('supported'))
-      .map((v) => `${v.versionName}.x`)
-      .join(',');
     const selectedReports = [];
 
     for (const report of reports.data) {
-      const {
-        id, attributes: { title, cve_ids, created_at },
-        relationships: { severity, weakness, reporter }
-      } = report;
-      const link = `https://hackerone.com/reports/${id}`;
-      let reportSeverity = {
-        rating: '',
-        cvss_vector_string: '',
-        weakness_id: ''
-      };
-      if (severity?.data?.attributes?.cvss_vector_string) {
-        const { cvss_vector_string, rating } = severity.data.attributes;
-        reportSeverity = {
-          cvss_vector_string,
-          rating,
-          weakness_id: weakness?.data?.id
-        };
-      }
-
-      cli.separator();
-      cli.info(`Report: ${link} - ${title} (${reportSeverity?.rating})`);
-      const include = await cli.prompt(
-        'Would you like to include this report to the next security release?',
-        { defaultAnswer: true });
-      if (!include) {
-        continue;
-      }
-
-      const versions = await cli.prompt('Which active release lines this report affects?', {
-        questionType: 'input',
-        defaultAnswer: supportedVersions
-      });
-      const summaryContent = await getSummary(id, this.req);
-
-      selectedReports.push({
-        id,
-        title,
-        cve_ids,
-        severity: reportSeverity,
-        summary: summaryContent ?? '',
-        affectedVersions: versions.split(',').map((v) => v.replace('v', '').trim()),
-        link,
-        reporter: reporter.data.attributes.username,
-        created_at // when we request CVE we need to input vulnerability_discovered_at
-      });
+      const rep = await pickReport(report, { cli: this.cli, req: this.req });
+      if (!rep) continue;
+      selectedReports.push(rep);
     }
     return selectedReports;
   }
 
-  async createVulnerabilitiesJSON(reports, { cli }) {
-    cli.separator('Creating vulnerabilities.json...');
+  async createVulnerabilitiesJSON(reports, dependencies, releaseDate) {
+    this.cli.separator('Creating vulnerabilities.json...');
     const file = JSON.stringify({
-      reports
+      releaseDate,
+      reports,
+      dependencies
     }, null, 2);
 
     const folderPath = path.join(process.cwd(), NEXT_SECURITY_RELEASE_FOLDER);
@@ -236,14 +180,14 @@ class PrepareSecurityRelease {
 
     const fullPath = path.join(folderPath, 'vulnerabilities.json');
     fs.writeFileSync(fullPath, file);
-    cli.ok(`Created ${fullPath} `);
+    this.cli.ok(`Created ${fullPath} `);
 
     return fullPath;
   }
 
-  async createPullRequest(req, { cli }) {
+  async createPullRequest() {
     const { owner, repo } = this.repository;
-    const response = await req.createPullRequest(
+    const response = await this.req.createPullRequest(
       this.title,
       'List of vulnerabilities to be included in the next security release',
       {
@@ -256,16 +200,69 @@ class PrepareSecurityRelease {
     );
     const url = response?.html_url;
     if (url) {
-      cli.ok(`Created: ${url}`);
+      this.cli.ok(`Created: ${url}`);
       return url;
     }
     if (response?.errors) {
       for (const error of response.errors) {
-        cli.error(error.message);
+        this.cli.error(error.message);
       }
     } else {
-      cli.error(response);
+      this.cli.error(response);
     }
     process.exit(1);
   }
+
+  async getDependencyUpdates() {
+    const deps = [];
+    this.cli.log('\n');
+    this.cli.separator('Dependency Updates');
+    const updates = await this.cli.prompt('Are there dependency updates in this security release?',
+      {
+        defaultAnswer: true,
+        questionType: 'confirm'
+      });
+
+    if (!updates) return deps;
+
+    const supportedVersions = await getSupportedVersions();
+
+    let asking = true;
+    while (asking) {
+      const dep = await promptDependencies(this.cli);
+      if (!dep) {
+        asking = false;
+        break;
+      }
+
+      const name = await this.cli.prompt(
+        'What is the name of the dependency that has been updated?', {
+          defaultAnswer: '',
+          questionType: 'input'
+        });
+
+      const versions = await this.cli.prompt(
+        'Which release line does this dependency update affect?', {
+          defaultAnswer: supportedVersions,
+          questionType: 'input'
+        });
+
+      try {
+        const prUrl = dep.replace('https://github.com/', 'https://api.github.com/repos/').replace('pull', 'pulls');
+        const res = await this.req.getPullRequest(prUrl);
+        const { html_url, title } = res;
+        deps.push({
+          name,
+          url: html_url,
+          title,
+          affectedVersions: versions.split(',').map((v) => v.replace('v', '').trim())
+        });
+        this.cli.separator();
+      } catch (error) {
+        this.cli.error('Invalid PR url. Please provide a valid PR url.');
+        this.cli.error(error);
+      }
+    }
+    return deps;
+  }
 }

package/lib/request.js

@@ -77,6 +77,18 @@ export default class Request {
     return this.json(url, options);
   }
 
+  async getPullRequest(url) {
+    const options = {
+      method: 'GET',
+      headers: {
+        Authorization: `Basic ${this.credentials.github}`,
+        'User-Agent': 'node-core-utils',
+        Accept: 'application/vnd.github+json'
+      }
+    };
+    return this.json(url, options);
+  }
+
   async createPullRequest(title, body, { owner, repo, head, base }) {
     const url = `https://api.github.com/repos/${owner}/${repo}/pulls`;
     const options = {
@@ -132,6 +144,49 @@ export default class Request {
     return this.json(url, options);
   }
 
+  async getPrograms() {
+    const url = 'https://api.hackerone.com/v1/me/programs';
+    const options = {
+      method: 'GET',
+      headers: {
+        Authorization: `Basic ${this.credentials.h1}`,
+        'User-Agent': 'node-core-utils',
+        Accept: 'application/json'
+      }
+    };
+    return this.json(url, options);
+  }
+
+  async requestCVE(programId, opts) {
+    const url = `https://api.hackerone.com/v1/programs/${programId}/cve_requests`;
+    const options = {
+      method: 'POST',
+      headers: {
+        Authorization: `Basic ${this.credentials.h1}`,
+        'User-Agent': 'node-core-utils',
+        'Content-Type': 'application/json',
+        Accept: 'application/json'
+      },
+      body: JSON.stringify(opts)
+    };
+    return this.json(url, options);
+  }
+
+  async updateReportCVE(reportId, opts) {
+    const url = `https://api.hackerone.com/v1/reports/${reportId}/cves`;
+    const options = {
+      method: 'PUT',
+      headers: {
+        Authorization: `Basic ${this.credentials.h1}`,
+        'User-Agent': 'node-core-utils',
+        Accept: 'application/json',
+        'Content-Type': 'application/json'
+      },
+      body: JSON.stringify(opts)
+    };
+    return this.json(url, options);
+  }
+
   async getReport(reportId) {
     const url = `https://api.hackerone.com/v1/reports/${reportId}`;
     const options = {

package/lib/security-announcement.js

@@ -3,7 +3,8 @@ import {
   checkoutOnSecurityReleaseBranch,
   getVulnerabilitiesJSON,
   validateDate,
-  formatDateToYYYYMMDD
+  formatDateToYYYYMMDD,
+  createIssue
 } from './security-release/security-release.js';
 import auth from './auth.js';
 import Request from './request.js';
@@ -39,8 +40,10 @@ export default class SecurityAnnouncement {
     validateDate(content.releaseDate);
     const releaseDate = new Date(content.releaseDate);
 
-    await Promise.all([this.createDockerNodeIssue(releaseDate),
-      this.createBuildWGIssue(releaseDate)]);
+    await Promise.all([
+      this.createDockerNodeIssue(releaseDate),
+      this.createBuildWGIssue(releaseDate)
+    ]);
   }
 
   async createBuildWGIssue(releaseDate) {
@@ -56,8 +59,8 @@ export default class SecurityAnnouncement {
   createPreleaseAnnouncementIssue(releaseDate, team) {
     const title = `[NEXT-SECURITY-RELEASE] Heads up on upcoming Node.js\
  security release ${formatDateToYYYYMMDD(releaseDate)}`;
-    const content = 'As per security release workflow,' +
-      ` creating issue to give the ${team} team a heads up.`;
+    const content = `As per security release workflow,\
+ creating issue to give the ${team} team a heads up.`;
     return { title, content };
   }
 
@@ -68,16 +71,6 @@ export default class SecurityAnnouncement {
     };
 
     const { title, content } = this.createPreleaseAnnouncementIssue(releaseDate, 'docker');
-    await this.createIssue(title, content, repository);
-  }
-
-  async createIssue(title, content, repository) {
-    const data = await this.req.createIssue(title, content, repository);
-    if (data.html_url) {
-      this.cli.ok(`Created: ${data.html_url}`);
-    } else {
-      this.cli.error(data);
-      process.exit(1);
-    }
+    await createIssue(title, content, repository, { cli: this.cli, repository: this.repository });
   }
 }

package/lib/security-release/security-release.js

@@ -61,8 +61,22 @@ export function commitAndPushVulnerabilitiesJSON(filePath, commitMessage, { cli,
     runSync('git', ['add', filePath]);
   }
 
+  const staged = runSync('git', ['diff', '--name-only', '--cached']).trim();
+  if (!staged) {
+    cli.ok('No changes to commit');
+    return;
+  }
+
   runSync('git', ['commit', '-m', commitMessage]);
-  runSync('git', ['push', '-u', 'origin', NEXT_SECURITY_RELEASE_BRANCH]);
+
+  try {
+    runSync('git', ['push', '-u', 'origin', NEXT_SECURITY_RELEASE_BRANCH]);
+  } catch (error) {
+    cli.warn('Rebasing...');
+    // try to pull rebase and push again
+    runSync('git', ['pull', 'origin', NEXT_SECURITY_RELEASE_BRANCH, '--rebase']);
+    runSync('git', ['push', '-u', 'origin', NEXT_SECURITY_RELEASE_BRANCH]);
+  }
   cli.ok(`Pushed commit: ${commitMessage} to ${NEXT_SECURITY_RELEASE_BRANCH}`);
 }
 
@@ -107,3 +121,73 @@ export function formatDateToYYYYMMDD(date) {
   // Concatenate year, month, and day with slashes
   return `${year}/${month}/${day}`;
 }
+
+export function promptDependencies(cli) {
+  return cli.prompt('Enter the link to the dependency update PR (leave empty to exit): ', {
+    defaultAnswer: '',
+    questionType: 'input'
+  });
+}
+
+export async function createIssue(title, content, repository, { cli, req }) {
+  const data = await req.createIssue(title, content, repository);
+  if (data.html_url) {
+    cli.ok(`Created: ${data.html_url}`);
+  } else {
+    cli.error(data);
+    process.exit(1);
+  }
+}
+
+export async function pickReport(report, { cli, req }) {
+  const {
+    id, attributes: { title, cve_ids },
+    relationships: { severity, weakness, reporter }
+  } = report;
+  const link = `https://hackerone.com/reports/${id}`;
+  const reportSeverity = {
+    rating: severity?.data?.attributes?.rating || '',
+    cvss_vector_string: severity?.data?.attributes?.cvss_vector_string || '',
+    weakness_id: weakness?.data?.id || ''
+  };
+
+  cli.separator();
+  cli.info(`Report: ${link} - ${title} (${reportSeverity?.rating})`);
+  const include = await cli.prompt(
+    'Would you like to include this report to the next security release?',
+    { defaultAnswer: true });
+  if (!include) {
+    return;
+  }
+
+  const versions = await cli.prompt('Which active release lines this report affects?', {
+    questionType: 'input',
+    defaultAnswer: await getSupportedVersions()
+  });
+
+  let patchAuthors = await cli.prompt(
+    'Add github username of the authors of the patch (split by comma if multiple)', {
+      questionType: 'input',
+      defaultAnswer: ''
+    });
+
+  if (!patchAuthors) {
+    patchAuthors = [];
+  } else {
+    patchAuthors = patchAuthors.split(',').map((p) => p.trim());
+  }
+
+  const summaryContent = await getSummary(id, req);
+
+  return {
+    id,
+    title,
+    cveIds: cve_ids,
+    severity: reportSeverity,
+    summary: summaryContent ?? '',
+    patchAuthors,
+    affectedVersions: versions.split(',').map((v) => v.replace('v', '').trim()),
+    link,
+    reporter: reporter.data.attributes.username
+  };
+}

package/lib/update_security_release.js

@@ -3,14 +3,14 @@ import {
   NEXT_SECURITY_RELEASE_REPOSITORY,
   checkoutOnSecurityReleaseBranch,
   commitAndPushVulnerabilitiesJSON,
-  getSupportedVersions,
-  getSummary,
-  validateDate
+  validateDate,
+  pickReport
 } from './security-release/security-release.js';
 import fs from 'node:fs';
 import path from 'node:path';
 import auth from './auth.js';
 import Request from './request.js';
+import nv from '@pkgjs/nv';
 
 export default class UpdateSecurityRelease {
   repository = NEXT_SECURITY_RELEASE_REPOSITORY;
@@ -32,7 +32,7 @@ export default class UpdateSecurityRelease {
     checkoutOnSecurityReleaseBranch(cli, this.repository);
 
     // update the release date in the vulnerabilities.json file
-    const updatedVulnerabilitiesFiles = await this.updateVulnerabilitiesJSON(releaseDate, { cli });
+    const updatedVulnerabilitiesFiles = await this.updateJSONReleaseDate(releaseDate, { cli });
 
     const commitMessage = `chore: update the release date to ${releaseDate}`;
     commitAndPushVulnerabilitiesJSON(updatedVulnerabilitiesFiles,
@@ -56,7 +56,7 @@ export default class UpdateSecurityRelease {
       NEXT_SECURITY_RELEASE_FOLDER, 'vulnerabilities.json');
   }
 
-  async updateVulnerabilitiesJSON(releaseDate) {
+  async updateJSONReleaseDate(releaseDate) {
     const vulnerabilitiesJSONPath = this.getVulnerabilitiesJSONPath();
     const content = this.readVulnerabilitiesJSON(vulnerabilitiesJSONPath);
     content.releaseDate = releaseDate;
@@ -68,7 +68,6 @@ export default class UpdateSecurityRelease {
   }
 
   async addReport(reportId) {
-    const { cli } = this;
     const credentials = await auth({
       github: true,
       h1: true
@@ -76,43 +75,21 @@ export default class UpdateSecurityRelease {
 
     const req = new Request(credentials);
     // checkout on the next-security-release branch
-    checkoutOnSecurityReleaseBranch(cli, this.repository);
+    checkoutOnSecurityReleaseBranch(this.cli, this.repository);
 
     // get h1 report
     const { data: report } = await req.getReport(reportId);
-    const { id, attributes: { title, cve_ids }, relationships: { severity, reporter } } = report;
-    // if severity is not set on h1, set it to TBD
-    const reportLevel = severity ? severity.data.attributes.rating : 'TBD';
-
-    // get the affected versions
-    const supportedVersions = await getSupportedVersions();
-    const versions = await cli.prompt('Which active release lines this report affects?', {
-      questionType: 'input',
-      defaultAnswer: supportedVersions
-    });
-
-    // get the team summary from h1 report
-    const summaryContent = await getSummary(id, req);
-
-    const entry = {
-      id,
-      title,
-      cve_ids,
-      severity: reportLevel,
-      summary: summaryContent ?? '',
-      affectedVersions: versions.split(',').map((v) => v.replace('v', '').trim()),
-      reporter: reporter.data.attributes.username
-    };
+    const entry = await pickReport(report, { cli: this.cli, req });
 
     const vulnerabilitiesJSONPath = this.getVulnerabilitiesJSONPath();
     const content = this.readVulnerabilitiesJSON(vulnerabilitiesJSONPath);
     content.reports.push(entry);
     fs.writeFileSync(vulnerabilitiesJSONPath, JSON.stringify(content, null, 2));
-    this.cli.ok(`Updated vulnerabilities.json with the report: ${id}`);
-    const commitMessage = `chore: added report ${id} to vulnerabilities.json`;
+    this.cli.ok(`Updated vulnerabilities.json with the report: ${entry.id}`);
+    const commitMessage = `chore: added report ${entry.id} to vulnerabilities.json`;
     commitAndPushVulnerabilitiesJSON(vulnerabilitiesJSONPath,
-      commitMessage, { cli, repository: this.repository });
-    cli.ok('Done!');
+      commitMessage, { cli: this.cli, repository: this.repository });
+    this.cli.ok('Done!');
   }
 
   removeReport(reportId) {
@@ -135,4 +112,163 @@ export default class UpdateSecurityRelease {
       commitMessage, { cli, repository: this.repository });
     cli.ok('Done!');
   }
+
+  async requestCVEs() {
+    const credentials = await auth({
+      github: true,
+      h1: true
+    });
+    const vulnerabilitiesJSONPath = this.getVulnerabilitiesJSONPath();
+    const content = this.readVulnerabilitiesJSON(vulnerabilitiesJSONPath);
+    const { reports } = content;
+    const req = new Request(credentials);
+    const programId = await this.getNodeProgramId(req);
+    const cves = await this.promptCVECreation(req, reports, programId);
+    this.assignCVEtoReport(cves, reports);
+    this.updateVulnerabilitiesJSON(content, vulnerabilitiesJSONPath);
+    this.updateHackonerReportCve(req, reports);
+  }
+
+  assignCVEtoReport(cves, reports) {
+    for (const cve of cves) {
+      const report = reports.find(report => report.id === cve.reportId);
+      report.cveIds = [cve.cve_identifier];
+    }
+  }
+
+  async updateHackonerReportCve(req, reports) {
+    for (const report of reports) {
+      const { id, cveIds } = report;
+      this.cli.startSpinner(`Updating report ${id} with CVEs ${cveIds}..`);
+      const body = {
+        data: {
+          type: 'report-cves',
+          attributes: {
+            cve_ids: cveIds
+          }
+        }
+      };
+      const response = await req.updateReportCVE(id, body);
+      if (response.errors) {
+        this.cli.error(`Error updating report ${id}`);
+        this.cli.error(JSON.stringify(response.errors, null, 2));
+      }
+      this.cli.stopSpinner(`Done updating report ${id} with CVEs ${cveIds}..`);
+    }
+  }
+
+  updateVulnerabilitiesJSON(content, vulnerabilitiesJSONPath) {
+    this.cli.startSpinner(`Updating vulnerabilities.json from\
+     ${vulnerabilitiesJSONPath}..`);
+    const filePath = path.resolve(vulnerabilitiesJSONPath);
+    fs.writeFileSync(filePath, JSON.stringify(content, null, 2));
+    // push the changes to the repository
+    commitAndPushVulnerabilitiesJSON(filePath,
+      'chore: updated vulnerabilities.json with CVEs',
+      { cli: this.cli, repository: this.repository });
+    this.cli.stopSpinner(`Done updating vulnerabilities.json from ${filePath}`);
+  }
+
+  async promptCVECreation(req, reports, programId) {
+    const supportedVersions = (await nv('supported'));
+    const cves = [];
+    for (const report of reports) {
+      const { id, summary, title, affectedVersions, cveIds, link } = report;
+      // skip if already has a CVE
+      // risky because the CVE associated might be
+      // mentioned in the report and not requested by Node
+      if (cveIds?.length) continue;
+
+      let severity = report.severity;
+
+      if (!severity.cvss_vector_string || !severity.weakness_id) {
+        try {
+          const h1Report = await req.getReport(id);
+          if (!h1Report.data.relationships.severity?.data.attributes.cvss_vector_string) {
+            throw new Error('No severity found');
+          }
+          severity = {
+            weakness_id: h1Report.data.relationships.weakness?.data.id,
+            cvss_vector_string:
+              h1Report.data.relationships.severity?.data.attributes.cvss_vector_string,
+            rating: h1Report.data.relationships.severity?.data.attributes.rating
+          };
+        } catch (error) {
+          this.cli.error(`Couldnt not retrieve severity from report ${id}, skipping...`);
+          continue;
+        }
+      }
+
+      const { cvss_vector_string, weakness_id } = severity;
+
+      const create = await this.cli.prompt(
+        `Request a CVE for: \n
+Title: ${title}\n
+Link: ${link}\n
+Affected versions: ${affectedVersions.join(', ')}\n
+Vector: ${cvss_vector_string}\n
+Summary: ${summary}\n`,
+        { defaultAnswer: true });
+
+      if (!create) continue;
+
+      const body = {
+        data: {
+          type: 'cve-request',
+          attributes: {
+            team_handle: 'nodejs-team',
+            versions: await this.formatAffected(affectedVersions, supportedVersions),
+            metrics: [
+              {
+                vectorString: cvss_vector_string
+              }
+            ],
+            weakness_id: Number(weakness_id),
+            description: title,
+            vulnerability_discovered_at: new Date().toISOString()
+          }
+        }
+      };
+      const { data } = await req.requestCVE(programId, body);
+      if (data.errors) {
+        this.cli.error(`Error requesting CVE for report ${id}`);
+        this.cli.error(JSON.stringify(data.errors, null, 2));
+        continue;
+      }
+      const { cve_identifier } = data.attributes;
+      cves.push({ cve_identifier, reportId: id });
+    }
+    return cves;
+  }
+
+  async getNodeProgramId(req) {
+    const programs = await req.getPrograms();
+    const { data } = programs;
+    for (const program of data) {
+      const { attributes } = program;
+      if (attributes.handle === 'nodejs') {
+        return program.id;
+      }
+    }
+  }
+
+  async formatAffected(affectedVersions, supportedVersions) {
+    const result = [];
+    for (const affectedVersion of affectedVersions) {
+      const major = affectedVersion.split('.')[0];
+      const latest = supportedVersions.find((v) => v.major === Number(major)).version;
+      const version = await this.cli.prompt(
+        `What is the affected version (<=) for release line ${affectedVersion}?`,
+        { questionType: 'input', defaultAnswer: latest });
+      result.push({
+        vendor: 'nodejs',
+        product: 'node',
+        func: '<=',
+        version,
+        versionType: 'semver',
+        affected: true
+      });
+    }
+    return result;
+  }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@node-core/utils",
-  "version": "4.4.0",
+  "version": "5.0.0",
   "description": "Utilities for Node.js core collaborators",
   "type": "module",
   "engines": {