@node-core/utils 5.14.1 → 5.16.0

package/README.md

@@ -47,7 +47,7 @@ If you would prefer to build from the source, install and link:
 ```
 git clone git@github.com:nodejs/node-core-utils.git
 cd node-core-utils
-npm install
+npm ci
 npm link
 ```
 
@@ -89,6 +89,14 @@ After the token is generated, create an rc file with the following content:
 Note: you could use `ncu-config` to configure these variables, but it's not
 recommended to leave your tokens in your command line history.
 
+If you have `gpg` installed and setup on your local machine, it is recommended
+to store an encrypted version of this file:
+
+```console
+$ gpg --default-recipient-self --encrypt ~/.ncurc
+$ rm ~/.ncurc
+```
+
 ### Setting up Jenkins credentials
 
 The `git-node` and `ncu-ci` commands need to query the Node.js Jenkins API for
@@ -104,8 +112,9 @@ To obtain the Jenkins API token
 3. Enter an identifiable name (for example, `node-core-utils`) for this
    token in the inbox that appears, and click `GENERATE`.
 4. Copy the generated token.
-5. Add it into your `ncurc` file (`~/.ncurc` or `$XDG_CONFIG_HOME/ncurc`)
-   with `jenkins_token` as key, like this:
+5. Add it into your `ncurc` file (`~/.ncurc` or `$XDG_CONFIG_HOME/ncurc`, or
+   `~/.ncurc.gpg` or `$XDG_CONFIG_HOME/ncurc.gpg`) with `jenkins_token` as key,
+   like this:
 
    ```json
    {
@@ -125,6 +134,7 @@ Put the following entries into your
 ```
 # node-core-utils configuration file
 .ncurc
+.ncurc.gpg
 # node-core-utils working directory
 .ncu
 ```

package/bin/ncu-ci.js

@@ -111,8 +111,8 @@ const args = yargs(hideBin(process.argv))
     builder: (yargs) => {
       yargs
         .positional('prid', {
-          describe: 'ID of the PR',
-          type: 'number'
+          describe: 'ID of the PR or URL to the PR or its head commit',
+          type: 'string'
         })
         .option('certify-safe', {
           describe: 'SHA of the commit that is expected to be at the tip of the PR head. ' +
@@ -574,6 +574,15 @@ async function main(command, argv) {
   // Prepare queue.
   switch (command) {
     case 'run': {
+      const maybeURL = URL.parse(argv.prid);
+      if (maybeURL?.host === 'github.com') {
+        const [, owner, repo, , prid, , commit_sha] = maybeURL.pathname.split('/');
+        argv.owner ||= owner;
+        argv.repo ||= repo;
+        argv.certifySafe ||= commit_sha;
+        argv.prid = prid;
+      }
+      argv.prid = Number(argv.prid);
       const jobRunner = new RunPRJobCommand(cli, request, argv);
       return jobRunner.start();
     }

package/lib/config.js

@@ -2,6 +2,8 @@ import path from 'node:path';
 import os from 'node:os';
 
 import { readJson, writeJson } from './file.js';
+import { existsSync, mkdtempSync, rmSync } from 'node:fs';
+import { spawnSync } from 'node:child_process';
 
 export const GLOBAL_CONFIG = Symbol('globalConfig');
 export const PROJECT_CONFIG = Symbol('projectConfig');
@@ -25,6 +27,14 @@ export function getMergedConfig(dir, home) {
 
 export function getConfig(configType, dir) {
   const configPath = getConfigPath(configType, dir);
+  const encryptedConfigPath = configPath + '.gpg';
+  if (existsSync(encryptedConfigPath)) {
+    const { status, stdout } =
+      spawnSync('gpg', ['--decrypt', encryptedConfigPath]);
+    if (status === 0) {
+      return JSON.parse(stdout.toString('utf-8'));
+    }
+  }
   try {
     return readJson(configPath);
   } catch (cause) {
@@ -51,13 +61,31 @@ export function getConfigPath(configType, dir) {
 };
 
 export function writeConfig(configType, obj, dir) {
-  writeJson(getConfigPath(configType, dir), obj);
+  const configPath = getConfigPath(configType, dir);
+  const encryptedConfigPath = configPath + '.gpg';
+  if (existsSync(encryptedConfigPath)) {
+    const tmpDir = mkdtempSync(path.join(os.tmpdir(), 'ncurc-'));
+    const tmpFile = path.join(tmpDir, 'config.json');
+    try {
+      writeJson(tmpFile, obj);
+      const { status } = spawnSync('gpg',
+        ['--default-recipient-self', '--yes', '--encrypt', '--output', encryptedConfigPath, tmpFile]
+      );
+      if (status !== 0) {
+        throw new Error('Failed to encrypt config file: ' + encryptedConfigPath);
+      }
+    } finally {
+      rmSync(tmpDir, { recursive: true, force: true });
+    }
+    return encryptedConfigPath;
+  }
+  writeJson(configPath, obj);
+  return configPath;
 };
 
 export function updateConfig(configType, obj, dir) {
   const config = getConfig(configType, dir);
-  const configPath = getConfigPath(configType, dir);
-  writeJson(configPath, Object.assign(config, obj));
+  writeConfig(configType, Object.assign(config, obj), dir);
 };
 
 export function getHomeDir(home) {

package/lib/prepare_security.js

@@ -55,6 +55,22 @@ export default class PrepareSecurityRelease extends SecurityRelease {
     // For now, close the ones with Security Release label
     await this.closePRWithLabel('Security Release');
 
+    if (vulnerabilityJSON.buildIssue) {
+      this.cli.info('Commenting on nodejs/build issue');
+      await this.req.commentIssue(
+        vulnerabilityJSON.buildIssue,
+        'Security release is out'
+      );
+    }
+
+    if (vulnerabilityJSON.dockerIssue) {
+      this.cli.info('Commenting on nodejs/docker-node issue');
+      await this.req.commentIssue(
+        vulnerabilityJSON.dockerIssue,
+        'Security release is out'
+      );
+    }
+
     const updateFolder = await this.cli.prompt(
       `Would you like to update the next-security-release folder to ${
         vulnerabilityJSON.releaseDate}?`,

package/lib/request.js

@@ -81,6 +81,23 @@ export default class Request {
     return this.json(url, options);
   }
 
+  async commentIssue(fullUrl, comment) {
+    const commentUrl = fullUrl.replace('https://github.com/', 'https://api.github.com/repos/') +
+      '/comments';
+    const options = {
+      method: 'POST',
+      headers: {
+        Authorization: `Basic ${this.credentials.github}`,
+        'User-Agent': 'node-core-utils',
+        Accept: 'application/vnd.github+json'
+      },
+      body: JSON.stringify({
+        body: comment,
+      })
+    };
+    return this.json(commentUrl, options);
+  }
+
   async getPullRequest(fullUrl) {
     const prUrl = fullUrl.replace('https://github.com/', 'https://api.github.com/repos/').replace('pull', 'pulls');
     const options = {

package/lib/security-announcement.js

@@ -1,9 +1,12 @@
+import fs from 'node:fs';
 import {
   NEXT_SECURITY_RELEASE_REPOSITORY,
   checkoutOnSecurityReleaseBranch,
   getVulnerabilitiesJSON,
+  getVulnerabilitiesJSONPath,
   validateDate,
   formatDateToYYYYMMDD,
+  commitAndPushVulnerabilitiesJSON,
   createIssue
 } from './security-release/security-release.js';
 import auth from './auth.js';
@@ -40,10 +43,21 @@ export default class SecurityAnnouncement {
     validateDate(content.releaseDate);
     const releaseDate = new Date(content.releaseDate);
 
-    await Promise.all([
+    const [dockerIssue, buildIssue] = await Promise.all([
       this.createDockerNodeIssue(releaseDate),
       this.createBuildWGIssue(releaseDate)
     ]);
+
+    content.buildIssue = buildIssue;
+    content.dockerIssue = dockerIssue;
+
+    const vulnerabilitiesJSONPath = getVulnerabilitiesJSONPath();
+    fs.writeFileSync(vulnerabilitiesJSONPath, JSON.stringify(content, null, 2));
+    const commitMessage = 'chore: add build and docker issue link';
+    commitAndPushVulnerabilitiesJSON([vulnerabilitiesJSONPath],
+      commitMessage, { cli: this.cli, repository: this.repository });
+
+    this.cli.ok('Added docker and build issue in vulnerabilities.json');
   }
 
   async createBuildWGIssue(releaseDate) {
@@ -53,7 +67,7 @@ export default class SecurityAnnouncement {
     };
 
     const { title, content } = this.createPreleaseAnnouncementIssue(releaseDate, 'build');
-    await createIssue(title, content, repository, { cli: this.cli, req: this.req });
+    return createIssue(title, content, repository, { cli: this.cli, req: this.req });
   }
 
   createPreleaseAnnouncementIssue(releaseDate, team) {
@@ -71,6 +85,6 @@ export default class SecurityAnnouncement {
     };
 
     const { title, content } = this.createPreleaseAnnouncementIssue(releaseDate, 'docker');
-    await createIssue(title, content, repository, { cli: this.cli, req: this.req });
+    return createIssue(title, content, repository, { cli: this.cli, req: this.req });
   }
 }

package/lib/security-release/security-release.js

@@ -107,6 +107,12 @@ export function getVulnerabilitiesJSON(cli) {
   return file;
 }
 
+export function getVulnerabilitiesJSONPath() {
+  const vulnerabilitiesJSONPath = path.join(process.cwd(),
+    NEXT_SECURITY_RELEASE_FOLDER, 'vulnerabilities.json');
+  return vulnerabilitiesJSONPath;
+}
+
 export function validateDate(releaseDate) {
   const value = new Date(releaseDate).valueOf();
   if (Number.isNaN(value) || value < 0) {
@@ -135,6 +141,7 @@ export async function createIssue(title, content, repository, { cli, req }) {
   const data = await req.createIssue(title, content, repository);
   if (data.html_url) {
     cli.ok(`Created: ${data.html_url}`);
+    return data.html_url;
   } else {
     cli.error(data);
     process.exit(1);

package/lib/security_blog.js

@@ -6,7 +6,8 @@ import {
   PLACEHOLDERS,
   checkoutOnSecurityReleaseBranch,
   validateDate,
-  SecurityRelease
+  SecurityRelease,
+  commitAndPushVulnerabilitiesJSON,
 } from './security-release/security-release.js';
 import auth from './auth.js';
 import Request from './request.js';
@@ -56,16 +57,41 @@ export default class SecurityBlog extends SecurityRelease {
     const endDate = new Date(data.annoucementDate);
     endDate.setDate(endDate.getDate() + 7);
 
+    const link = `https://nodejs.org/en/blog/vulnerability/${fileName}`;
     this.updateWebsiteBanner(site, {
       startDate: data.annoucementDate,
       endDate: endDate.toISOString(),
       text: `New security releases to be made available ${data.releaseDate}`,
-      link: `https://nodejs.org/en/blog/vulnerability/${fileName}`,
+      link,
       type: 'warning'
     });
-
     fs.writeFileSync(file, preRelease);
+
     cli.ok(`Announcement file created and banner has been updated. Folder: ${nodejsOrgFolder}`);
+    await this.updateAnnouncementLink(link);
+  }
+
+  async updateAnnouncementLink(link) {
+    const vulnerabilitiesJSONPath = this.getVulnerabilitiesJSONPath();
+    const content = this.readVulnerabilitiesJSON(vulnerabilitiesJSONPath);
+    let shouldCommit = false;
+    for (let i = 0; i < content.reports.length; ++i) {
+      if (content.reports[i].announcement !== link) {
+        content.reports[i].announcement = link;
+        shouldCommit = true;
+      }
+    };
+
+    if (shouldCommit) {
+      fs.writeFileSync(vulnerabilitiesJSONPath, JSON.stringify(content, null, 2));
+      const commitMessage = 'chore: add announcement link';
+      commitAndPushVulnerabilitiesJSON([vulnerabilitiesJSONPath],
+        commitMessage, { cli: this.cli, repository: this.repository });
+
+      this.cli.ok('Updated the announcement link in vulnerabilities.json');
+    }
+
+    return [vulnerabilitiesJSONPath];
   }
 
   async createPostRelease(nodejsOrgFolder) {

package/lib/update_security_release.js

@@ -152,6 +152,7 @@ export default class UpdateSecurityRelease extends SecurityRelease {
     for (const cve of cves) {
       const report = reports.find(report => report.id === cve.reportId);
       report.cveIds = [cve.cve_identifier];
+      report.patchedVersions = cve.patchedVersions;
     }
   }
 
@@ -219,12 +220,14 @@ Summary: ${summary}\n`,
 
       if (!create) continue;
 
+      const { h1AffectedVersions, patchedVersions } =
+        await this.calculateVersions(affectedVersions, supportedVersions);
       const body = {
         data: {
           type: 'cve-request',
           attributes: {
             team_handle: 'nodejs-team',
-            versions: await this.formatAffected(affectedVersions, supportedVersions),
+            versions: h1AffectedVersions,
             metrics: [
               {
                 vectorString: cvss_vector_string
@@ -246,7 +249,7 @@ Summary: ${summary}\n`,
         continue;
       }
       const { cve_identifier } = data.attributes;
-      cves.push({ cve_identifier, reportId: id });
+      cves.push({ cve_identifier, reportId: id, patchedVersions });
     }
     return cves;
   }
@@ -262,15 +265,23 @@ Summary: ${summary}\n`,
     }
   }
 
-  async formatAffected(affectedVersions, supportedVersions) {
-    const result = [];
+  async calculateVersions(affectedVersions, supportedVersions) {
+    const h1AffectedVersions = [];
+    const patchedVersions = [];
     for (const affectedVersion of affectedVersions) {
       const major = affectedVersion.split('.')[0];
       const latest = supportedVersions.find((v) => v.major === Number(major)).version;
       const version = await this.cli.prompt(
         `What is the affected version (<=) for release line ${affectedVersion}?`,
         { questionType: 'input', defaultAnswer: latest });
-      result.push({
+
+      const nextPatchVersion = parseInt(version.split('.')[2]) + 1;
+      const patchedVersion = await this.cli.prompt(
+        `What is the patched version (>=) for release line ${affectedVersion}?`,
+        { questionType: 'input', defaultAnswer: nextPatchVersion });
+
+      patchedVersions.push(patchedVersion);
+      h1AffectedVersions.push({
         vendor: 'nodejs',
         product: 'node',
         func: '<=',
@@ -279,6 +290,6 @@ Summary: ${summary}\n`,
         affected: true
       });
     }
-    return result;
+    return { h1AffectedVersions, patchedVersions };
   }
 }

package/lib/voting_session.js

@@ -29,6 +29,7 @@ export default class VotingSession extends Session {
     this.abstain = abstain;
     this.closeVote = argv['decrypt-key-part'];
     this.postComment = argv['post-comment'];
+    this.gpgSign = argv['gpg-sign'];
   }
 
   get argv() {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@node-core/utils",
-  "version": "5.14.1",
+  "version": "5.16.0",
   "description": "Utilities for Node.js core collaborators",
   "type": "module",
   "engines": {
@@ -68,6 +68,6 @@
     "eslint-plugin-promise": "^7.2.1",
     "globals": "^16.0.0",
     "neostandard": "^0.12.1",
-    "sinon": "^20.0.0"
+    "sinon": "^21.0.0"
   }
 }