Skip to content

Commit

Permalink
fixup! feat: add resolve report and close PR
Browse files Browse the repository at this point in the history
  • Loading branch information
RafaelGSS committed Aug 12, 2024
1 parent 74be229 commit 9525d56
Show file tree
Hide file tree
Showing 4 changed files with 40 additions and 8 deletions.
23 changes: 17 additions & 6 deletions lib/prepare_security.js
Original file line number Diff line number Diff line change
Expand Up @@ -56,11 +56,16 @@ export default class PrepareSecurityRelease extends SecurityRelease {

this.req = new Request(credentials);
const vulnerabilityJSON = this.readVulnerabilitiesJSON();
this.cli.info('Closing and request disclosure to HackerOne reports');
await this.closeAndRequestDisclosure(vulnerabilityJSON.reports);

this.cli.info('Closing pull requests');
// For now, close the ones with vN.x label
await this.closePRWithLabel(this.getAffectedVersions(vulnerabilityJSON));
// TODO: Update next-security-release folder to current releaseDate
// TODO: Merge the PR
this.cli.info(`Merge pull request with:
- git checkout main
- git merge --squash ${NEXT_SECURITY_RELEASE_BRANCH}
- git push origin main`);
this.cli.ok('Done!');
}

Expand Down Expand Up @@ -278,30 +283,36 @@ export default class PrepareSecurityRelease extends SecurityRelease {
}

async closeAndRequestDisclosure(jsonReports) {
this.cli.startSpinner('Closing HackerOne reports');
for (const report of jsonReports) {
this.cli.updateSpinner(`Closing report ${report.id}...`);
await this.req.updateReportState(
report.id,
'resolved',
'Closing as resolved'
);
// TODO: Request Disclosure

this.cli.updateSpinner(`Requesting disclosure to report ${report.id}...`);
await this.req.requestDisclosure(report.id);
}
this.cli.stopSpinner('Done closing H1 Reports and requesting disclosure');
}

async closePRWithLabel(labels) {
if (typeof labels === 'string') {
labels = [labels];
}

const url = 'https://github.com/nodejs-private/node-private/pulls'
const url = 'https://github.com/nodejs-private/node-private/pulls';
this.cli.startSpinner('Closing GitHub Pull Requests...');
// At this point, GitHub does not provide filters through their REST API
const prs = this.req.getPullRequest(url);
for (const pr of prs) {
if (pr.labels.some((l) => labels.includes(l))) {
this.cli.info(`Closing Pull Request: ${pr.id}`);
// TODO assert
this.cli.updateSpinner(`Closing Pull Request: ${pr.id}`);
await this.req.closePullRequest(pr.id);
}
}
this.cli.startSpinner('Closed GitHub Pull Requests.');
}
}
21 changes: 21 additions & 0 deletions lib/request.js
Original file line number Diff line number Diff line change
Expand Up @@ -239,6 +239,27 @@ export default class Request {
return this.json(url, options);
}

async requestDisclosure(reportId) {
const url = `https://api.hackerone.com/v1/reports/${reportId}/disclosure_requests`;
const options = {
method: 'POST',
headers: {
Authorization: `Basic ${this.credentials.h1}`,
'User-Agent': 'node-core-utils',
Accept: 'application/json'
},
body: JSON.stringify({
data: {
attributes: {
// default to limited version
substate: 'no-content'
}
}
})
};
return this.json(url, options);
}

// This is for github v4 API queries, for other types of queries
// use .text or .json
async query(query, variables) {
Expand Down
1 change: 0 additions & 1 deletion lib/security-release/security-release.js
Original file line number Diff line number Diff line change
Expand Up @@ -262,5 +262,4 @@ export class SecurityRelease {
})
.join(', ');
}

}
3 changes: 2 additions & 1 deletion lib/update_security_release.js
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ import {
pickReport,
getReportSeverity,
getSummary,
SecurityRelease,
SecurityRelease
} from './security-release/security-release.js';
import fs from 'node:fs';
import auth from './auth.js';
Expand Down Expand Up @@ -44,6 +44,7 @@ export default class UpdateSecurityRelease extends SecurityRelease {
prURL
};
}
const vulnerabilitiesJSONPath = this.getVulnerabilitiesJSONPath();
fs.writeFileSync(vulnerabilitiesJSONPath, JSON.stringify(content, null, 2));
this.cli.ok('Synced vulnerabilities.json with HackerOne');
}
Expand Down

0 comments on commit 9525d56

Please sign in to comment.