feat: update vulnerabilities.json

nodejs · Mar 26, 2024 · b8de0ed · b8de0ed
1 parent 8681dcc
commit b8de0ed
Showing 1 changed file with 52 additions and 14 deletions.
diff --git a/lib/security_blog.js b/lib/security_blog.js
@@ -6,11 +6,17 @@ import {
   getVulnerabilitiesJSON,
   checkoutOnSecurityReleaseBranch,
   NEXT_SECURITY_RELEASE_REPOSITORY,
-  validateDate
+  validateDate,
+  getSummary,
+  commitAndPushVulnerabilitiesJSON,
+  NEXT_SECURITY_RELEASE_FOLDER
 } from './security-release/security-release.js';
+import auth from './auth.js';
+import Request from './request.js';
 
 export default class SecurityBlog {
   repository = NEXT_SECURITY_RELEASE_REPOSITORY;
+  req;
   constructor(cli) {
     this.cli = cli;
   }
@@ -54,6 +60,12 @@ export default class SecurityBlog {
 
   async createPostRelease() {
     const { cli } = this;
+    const credentials = await auth({
+      github: true,
+      h1: true
+    });
+
+    this.req = new Request(credentials);
 
     // checkout on security release branch
     checkoutOnSecurityReleaseBranch(cli, this.repository);
@@ -77,10 +89,9 @@ export default class SecurityBlog {
       slug: this.getSlug(releaseDate),
       openSSLUpdate: await this.promptOpenSSLUpdate(cli),
       author: await this.promptAuthor(cli),
-      reports: content.reports,
       dependencyUpdates: await this.promptDependencyUpdates(cli)
     };
-    const postReleaseContent = await this.buildPostRelease(template, data);
+    const postReleaseContent = await this.buildPostRelease(template, data, content);
 
     const pathPreRelease = await this.promptExistingPreRelease(cli);
     // read the existing pre-release announcement
@@ -95,6 +106,23 @@ export default class SecurityBlog {
 
     fs.writeFileSync(pathPreRelease, updatedContent);
     cli.ok(`Post-release announcement file updated at ${pathPreRelease}`);
+    this.updateVulnerabilitiesJSON(content);
+  }
+
+  updateVulnerabilitiesJSON(content) {
+    try {
+      this.cli.info('Updating vulnerabilities.json');
+      const vulnerabilitiesJSONPath = path.join(process.cwd(),
+        NEXT_SECURITY_RELEASE_FOLDER, 'vulnerabilities.json');
+      fs.writeFileSync(vulnerabilitiesJSONPath, JSON.stringify(content, null, 2));
+      const commitMessage = 'chore: updated vulnerabilities.json';
+      commitAndPushVulnerabilitiesJSON(vulnerabilitiesJSONPath,
+        commitMessage,
+        { cli: this.cli, repository: this.repository });
+    } catch (error) {
+      this.cli.error('Error updating vulnerabilities.json');
+      this.cli.error(error);
+    }
   }
 
   async promptExistingPreRelease(cli) {
@@ -159,7 +187,7 @@ export default class SecurityBlog {
       .replaceAll(PLACEHOLDERS.openSSLUpdate, this.getOpenSSLUpdateTemplate(openSSLUpdate));
   }
 
-  async buildPostRelease(template, data) {
+  async buildPostRelease(template, data, content) {
     const {
       annoucementDate,
       releaseDate,
@@ -169,7 +197,6 @@ export default class SecurityBlog {
       impact,
       openSSLUpdate,
       author,
-      reports,
       dependencyUpdates
     } = data;
     return template.replaceAll(PLACEHOLDERS.annoucementDate, annoucementDate)
@@ -180,30 +207,41 @@ export default class SecurityBlog {
       .replaceAll(PLACEHOLDERS.impact, impact)
       .replaceAll(PLACEHOLDERS.openSSLUpdate, this.getOpenSSLUpdateTemplate(openSSLUpdate))
       .replaceAll(PLACEHOLDERS.author, author)
-      .replaceAll(PLACEHOLDERS.reports, await this.getReportsTemplate(reports))
+      .replaceAll(PLACEHOLDERS.reports, await this.getReportsTemplate(content))
       .replaceAll(PLACEHOLDERS.dependencyUpdates,
         await this.getDependencyUpdatesTemplate(dependencyUpdates));
   }
 
-  async getReportsTemplate(reports) {
+  async getReportsTemplate(content) {
+    const reports = content.reports;
     let template = '';
     for (const report of reports) {
-      let cveId = report.cve_ids.join(', ');
+      let cveId = report.cve_ids?.join(', ');
       if (!cveId) {
-        // TODO(@marco-ippolito): fetch the CVE ID from hackerone
+        // ask for the CVE ID
+        // it should have been created with the step `--request-cve`
         cveId = await this.cli.prompt(`What is the CVE ID for vulnerability https://hackerone.com/reports/${report.id} ${report.title}?`, {
           questionType: 'input',
           defaultAnswer: 'TBD'
         });
-        // TODO(@marco-ippolito): save the cve_id in the vulnerabilities JSON
         report.cve_ids = [cveId];
       }
       template += `\n## ${report.title} (${cveId}) - (${report.severity.rating})\n\n`;
       if (!report.summary) {
-        // TODO(@marco-ippolito): fetch the summary
-        // from hackerone and update the vulnerabilities JSON
-        this.cli.warn(`Summary is missing for vulnerability:\
- ${report.link}. Please add it manually.`);
+        const fetchIt = await this.cli.prompt(`Summary missing for vulnerability https://hackerone.com/reports/${report.id} ${report.title}.\
+ Do you want to try fetch it from HackerOne??`, {
+          questionType: 'confirm',
+          defaultAnswer: true
+        });
+
+        if (fetchIt) {
+          report.summary = await getSummary(report.id, this.req);
+        }
+
+        if (!report.summary) {
+          this.cli.error(`Summary missing for vulnerability https://hackerone.com/reports/${report.id} ${report.title}. Please create it before continuing.`);
+          process.exit(1);
+        }
       }
       template += `${report.summary}\n\n`;
       const releaseLines = report.affectedVersions.join(', ');