Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: security post release blogpost #785

Merged
merged 10 commits into from
Jun 24, 2024
34 changes: 24 additions & 10 deletions components/git/security.js
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,10 @@ const securityOptions = {
'request-cve': {
describe: 'Request CVEs for a security release',
type: 'boolean'
},
'post-release': {
describe: 'Create the post-release announcement',
type: 'boolean'
}
};

Expand All @@ -49,34 +53,34 @@ export function builder(yargs) {
return yargs.options(securityOptions)
.example(
'git node security --start',
'Prepare a security release of Node.js')
'Prepare a security release of Node.js'
)
.example(
'git node security --sync',
'Synchronize an ongoing security release with HackerOne'
)
.example(
'git node security --update-date=YYYY/MM/DD',
'Updates the target date of the security release'
)
.example(
).example(
'git node security --add-report=H1-ID',
'Fetches HackerOne report based on ID provided and adds it into vulnerabilities.json'
)
.example(
).example(
'git node security --remove-report=H1-ID',
'Removes the Hackerone report based on ID provided from vulnerabilities.json'
)
.example(
).example(
'git node security --pre-release',
'Create the pre-release announcement on the Nodejs.org repo'
).example(
'git node security --notify-pre-release',
'Notifies the community about the security release'
)
.example(
).example(
'git node security --request-cve',
'Request CVEs for a security release of Node.js based on' +
' the next-security-release/vulnerabilities.json'
).example(
'git node security --post-release' +
'Create the post-release announcement on the Nodejs.org repo'
);
}

Expand Down Expand Up @@ -105,6 +109,9 @@ export function handler(argv) {
if (argv['request-cve']) {
return requestCVEs(argv);
}
if (argv['post-release']) {
return createPostRelease(argv);
}
yargsInstance.showHelp();
}

Expand Down Expand Up @@ -146,7 +153,14 @@ async function requestCVEs() {
return hackerOneCve.requestCVEs();
}

async function startSecurityRelease(argv) {
async function createPostRelease() {
const logStream = process.stdout.isTTY ? process.stdout : process.stderr;
const cli = new CLI(logStream);
const blog = new SecurityBlog(cli);
return blog.createPostRelease();
}

async function startSecurityRelease() {
const logStream = process.stdout.isTTY ? process.stdout : process.stderr;
const cli = new CLI(logStream);
const release = new PrepareSecurityRelease(cli);
Expand Down
18 changes: 18 additions & 0 deletions lib/github/templates/security-post-release.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
---
date: %ANNOUNCEMENT_DATE%
category: vulnerability
title: %RELEASE_DATE% Security Releases
slug: %SLUG%
layout: blog-post
author: %AUTHOR%
RafaelGSS marked this conversation as resolved.
Show resolved Hide resolved
---

## Security releases available

Updates are now available for the %AFFECTED_VERSIONS% Node.js release lines for the
following issues.
%DEPENDENCY_UPDATES%
%REPORTS%
## Downloads and release details

%DOWNLOADS%
8 changes: 4 additions & 4 deletions lib/github/templates/security-pre-release.md
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ The Node.js project will release new versions of the %AFFECTED_VERSIONS%
releases lines on or shortly after, %RELEASE_DATE% in order to address:

%VULNERABILITIES%
%OPENSSL_UPDATES%

## Impact

%IMPACT%
Expand All @@ -28,7 +28,7 @@ Releases will be available on, or shortly after, %RELEASE_DATE%.

## Contact and future updates

The current Node.js security policy can be found at https://nodejs.org/en/security/.
Please follow the process outlined in https://github.com/nodejs/node/blob/master/SECURITY.md if you wish to report a vulnerability in Node.js.
The current Node.js security policy can be found at <https://nodejs.org/en/security/>.
Please follow the process outlined in <https://github.com/nodejs/node/blob/master/SECURITY.md> if you wish to report a vulnerability in Node.js.

Subscribe to the low-volume announcement-only nodejs-sec mailing list at https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the nodejs GitHub organization.
Subscribe to the low-volume announcement-only nodejs-sec mailing list at <https://groups.google.com/forum/#!forum/nodejs-sec> to stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the nodejs GitHub organization.
7 changes: 5 additions & 2 deletions lib/security-release/security-release.js
Original file line number Diff line number Diff line change
Expand Up @@ -20,9 +20,12 @@ export const PLACEHOLDERS = {
annoucementDate: '%ANNOUNCEMENT_DATE%',
slug: '%SLUG%',
affectedVersions: '%AFFECTED_VERSIONS%',
openSSLUpdate: '%OPENSSL_UPDATES%',
impact: '%IMPACT%',
vulnerabilities: '%VULNERABILITIES%'
vulnerabilities: '%VULNERABILITIES%',
reports: '%REPORTS%',
author: '%AUTHOR%',
dependencyUpdates: '%DEPENDENCY_UPDATES%',
downloads: '%DOWNLOADS%'
};

export function checkRemote(cli, repository) {
Expand Down
Loading
Loading