feat: add CSAF 2.0 product tree generator

Signed-off-by: Rifa Achrinza <[email protected]>

Author: achrinza

advisories/lbsa-20201130.csaf.json

@@ -61,13 +61,13 @@
     ],
     "title": "Security Advisory 11-30-2020",
     "tracking": {
-      "current_release_date": "2022-03-05T16:39:00.000Z",
+      "current_release_date": "2022-03-07T03:42:00.000Z",
       "id": "LBSA-20201130",
       "initial_release_date": "2022-01-18T00:00:00.000Z",
       "revision_history": [
         {
           "date": "2022-03-07T03:42:00.000Z",
-          "number": "1.2.0",
+          "number": "2.0.0",
           "summary": "Updated product tree, product status."
         },
         {
@@ -87,7 +87,7 @@
         }
       ],
       "status": "final",
-      "version": "1.1.0"
+      "version": "2.0.0"
     }
   },
   "product_tree": {

package.json

@@ -18,6 +18,7 @@
     "prettier:check": "npm run prettier:cli -- -l",
     "prettier:fix": "npm run prettier:cli -- --write",
     "ts-node": "ts-node --project=scripts/tsconfig.json",
+    "generate-csaf20-product-tree": "npm run ts-node -- scripts/advisories/generate-csaf20-product-tree.ts",
     "validate-csaf20": "npm run ts-node -- scripts/advisories/validate-csaf20.ts",
     "validate-osv": "npm run ts-node -- scripts/advisories/validate-osv.ts"
   },

scripts/advisories/generate-csaf20-product-tree.ts

@@ -0,0 +1,47 @@
+// SPDX-FileCopyrightText: LoopBack Contributors
+// SPDX-License-Identifier: MIT
+
+// This is a rudimentary script which reads a newline-delimited list of GitHub
+// tag name of format `<package name>@<package semver>` and generates the final
+// branch of the CSAF 2.0 Product Tree to stdout. Currently, it's only designed
+// for LoopBack 4 packages (i.e. `@loopback/*`).
+//
+// To generate a list of Git Tags for this script:
+//   git tag --sort=taggerdate | grep <package name>@
+
+import readline from 'readline';
+
+var rl = readline.createInterface({
+  input: process.stdin,
+  output: process.stdout,
+  terminal: false,
+});
+
+const entries = [];
+
+rl.on('line', line => {
+  if (line.startsWith('@loopback/')) {
+    const nameVerSeperator = line.lastIndexOf('@');
+    const name = line.substring(0, nameVerSeperator);
+    const version = line.substring(nameVerSeperator + 1);
+
+    entries.push({
+      category: 'product_version',
+      name: `Version ${version}`,
+      product: {
+        name: `${name} - Version ${version}`,
+        product_id: `${entries.length + 1}`,
+        product_identification_helper: {
+          cpe: `cpe:2.3:a:loopback:${name
+            .replace('/', '_')
+            .replace('@', '')}:${version}:*:*:*:*:*:*:*`,
+          purl: `pkg:npm/${encodeURIComponent(name)}@${version}`,
+        },
+      },
+    });
+  }
+});
+
+rl.on('close', () => {
+  console.log(JSON.stringify(entries, undefined, 2));
+});