feat: automate security release issue creation (#771)

marco-ippolito · web-flow · commit 7f89da3b984a · 2024-01-29T15:22:19.000-03:00
* feat: automate security release issue creation

* fixup! address comments in pr

* fixup! adress comments
diff --git a/lib/github/templates/next-security-release.md b/lib/github/templates/next-security-release.md
@@ -3,8 +3,7 @@
 * [X] Open an [issue](https://github.com/nodejs-private/node-private) titled
   `Next Security Release`, and put this checklist in the description.
 
-* [ ] Get agreement on the list of vulnerabilities to be addressed:
-%REPORTS%
+* [ ] Get agreement on the [list of vulnerabilities](%VULNERABILITIES_PR_URL%) to be addressed.
 
 * [ ] PR release announcements in [private](https://github.com/nodejs-private/nodejs.org-private):
   * [ ] pre-release: %PRE_RELEASE_PRIV%
diff --git a/lib/prepare_security.js b/lib/prepare_security.js
@@ -2,6 +2,16 @@ import nv from '@pkgjs/nv';
 import auth from './auth.js';
 import Request from './request.js';
 import fs from 'node:fs';
+import { runSync } from './run.js';
+import path from 'node:path';
+
+export const PLACEHOLDERS = {
+  releaseDate: '%RELEASE_DATE%',
+  vulnerabilitiesPRURL: '%VULNERABILITIES_PR_URL%',
+  preReleasePrivate: '%PRE_RELEASE_PRIV%',
+  postReleasePrivate: '%POS_RELEASE_PRIV%',
+  affectedLines: '%AFFECTED_LINES%'
+};
 
 export default class SecurityReleaseSteward {
   constructor(cli) {
@@ -16,31 +26,100 @@ export default class SecurityReleaseSteward {
     });
 
     const req = new Request(credentials);
-    const create = await cli.prompt(
-      'Create the Next Security Release issue?',
-      { defaultAnswer: true });
-    if (create) {
-      const issue = new SecurityReleaseIssue(req);
-      const content = await issue.buildIssue(cli);
-      const data = await req.createIssue('Next Security Release', content, {
-        owner: 'nodejs-private',
-        repo: 'node-private'
-      });
-      if (data.html_url) {
-        cli.ok('Created: ' + data.html_url);
-      } else {
-        cli.error(data);
-      }
+    const release = new PrepareSecurityRelease(req);
+    const releaseDate = await release.promptReleaseDate(cli);
+    let securityReleasePRUrl = PLACEHOLDERS.vulnerabilitiesPRURL;
+
+    const createVulnerabilitiesJSON = await release.promptVulnerabilitiesJSON(cli);
+    if (createVulnerabilitiesJSON) {
+      securityReleasePRUrl = await this.createVulnerabilitiesJSON(req, release, { cli });
     }
+
+    const createIssue = await release.promptCreateRelaseIssue(cli);
+
+    if (createIssue) {
+      const { content } = release.buildIssue(releaseDate, securityReleasePRUrl);
+      await release.createIssue(content, { cli });
+    };
+
+    cli.ok('Done!');
+  }
+
+  async createVulnerabilitiesJSON(req, release, { cli }) {
+    // checkout on the next-security-release branch
+    release.checkoutOnSecurityReleaseBranch(cli);
+
+    // choose the reports to include in the security release
+    const reports = await release.chooseReports(cli);
+
+    // create the vulnerabilities.json file in the security-release repo
+    const filePath = await release.createVulnerabilitiesJSON(reports, { cli });
+
+    // review the vulnerabilities.json file
+    const review = await release.promptReviewVulnerabilitiesJSON(cli);
+
+    if (!review) {
+      cli.info(`To push the vulnerabilities.json file run:
+        - git add ${filePath}
+        - git commit -m "chore: create vulnerabilities.json for next security release"
+        - git push -u origin next-security-release
+        - open a PR on ${release.repository.owner}/${release.repository.repo}`);
+      return;
+    };
+
+    // commit and push the vulnerabilities.json file
+    release.commitAndPushVulnerabilitiesJSON(filePath, cli);
+
+    const createPr = await release.promptCreatePR(cli);
+
+    if (!createPr) return;
+
+    // create pr on the security-release repo
+    return release.createPullRequest(req, { cli });
   }
 }
 
-class SecurityReleaseIssue {
-  constructor(req) {
+class PrepareSecurityRelease {
+  repository = {
+    owner: 'nodejs-private',
+    repo: 'security-release'
+  };
+
+  title = 'Next Security Release';
+  nextSecurityReleaseBranch = 'next-security-release';
+
+  constructor(req, repository) {
     this.req = req;
-    this.content = '';
-    this.title = 'Next Security Release';
-    this.affectedLines = {};
+    if (repository) {
+      this.repository = repository;
+    }
+  }
+
+  promptCreatePR(cli) {
+    return cli.prompt(
+      'Create the Next Security Release PR?',
+      { defaultAnswer: true });
+  }
+
+  checkRemote(cli) {
+    const remote = runSync('git', ['ls-remote', '--get-url', 'origin']).trim();
+    const { owner, repo } = this.repository;
+    const securityReleaseOrigin = `https://github.com/${owner}/${repo}.git`;
+
+    if (remote !== securityReleaseOrigin) {
+      cli.error(`Wrong repository! It should be ${securityReleaseOrigin}`);
+      process.exit(1);
+    }
+  }
+
+  commitAndPushVulnerabilitiesJSON(filePath, cli) {
+    this.checkRemote(cli);
+
+    runSync('git', ['add', filePath]);
+    const commitMessage = 'chore: create vulnerabilities.json for next security release';
+    runSync('git', ['commit', '-m', commitMessage]);
+    runSync('git', ['push', '-u', 'origin', 'next-security-release']);
+    cli.ok(`Pushed commit: ${commitMessage} to ${this.nextSecurityReleaseBranch}`);
   }
 
   getSecurityIssueTemplate() {
@@ -53,31 +132,58 @@ class SecurityReleaseIssue {
     );
   }
 
-  async buildIssue(cli) {
-    this.content = this.getSecurityIssueTemplate();
-    cli.info('Getting triaged H1 reports...');
-    const reports = await this.req.getTriagedReports();
-    await this.fillReports(cli, reports);
-
-    this.fillAffectedLines(Object.keys(this.affectedLines));
-
-    const target = await cli.prompt('Enter target date in YYYY-MM-DD format:', {
+  async promptReleaseDate(cli) {
+    return cli.prompt('Enter target release date in YYYY-MM-DD format:', {
       questionType: 'input',
       defaultAnswer: 'TBD'
     });
-    this.fillTargetDate(target);
+  }
+
+  async promptVulnerabilitiesJSON(cli) {
+    return cli.prompt(
+      'Create the vulnerabilities.json?',
+      { defaultAnswer: true });
+  }
+
+  async promptCreateRelaseIssue(cli) {
+    return cli.prompt(
+      'Create the Next Security Release issue?',
+      { defaultAnswer: true });
+  }
 
-    return this.content;
+  async promptReviewVulnerabilitiesJSON(cli) {
+    return cli.prompt(
+      'Please review vulnerabilities.json and press enter to proceed.',
+      { defaultAnswer: true });
   }
 
-  async fillReports(cli, reports) {
+  buildIssue(releaseDate, securityReleasePRUrl) {
+    const template = this.getSecurityIssueTemplate();
+    const content = template.replace(PLACEHOLDERS.releaseDate, releaseDate)
+      .replace(PLACEHOLDERS.vulnerabilitiesPRURL, securityReleasePRUrl);
+    return { releaseDate, content, securityReleasePRUrl };
+  }
+
+  async createIssue(content, { cli }) {
+    const data = await this.req.createIssue(this.title, content, this.repository);
+    if (data.html_url) {
+      cli.ok('Created: ' + data.html_url);
+    } else {
+      cli.error(data);
+      process.exit(1);
+    }
+  }
+
+  async chooseReports(cli) {
+    cli.info('Getting triaged H1 reports...');
+    const reports = await this.req.getTriagedReports();
     const supportedVersions = (await nv('supported'))
       .map((v) => v.versionName + '.x')
       .join(',');
+    const selectedReports = [];
 
-    let reportsContent = '';
     for (const report of reports.data) {
-      const { id, attributes: { title }, relationships: { severity } } = report;
+      const { id, attributes: { title, cve_ids }, relationships: { severity } } = report;
       const reportLevel = severity ? severity.data.attributes.rating : 'TBD';
       cli.separator();
       cli.info(`Report: ${id} - ${title} (${reportLevel})`);
@@ -88,30 +194,90 @@ class SecurityReleaseIssue {
         continue;
       }
 
-      reportsContent +=
-        `  * **[${id}](https://hackerone.com/bugs?subject=nodejs&report_id=${id}) - ${title} (TBD) - (${reportLevel})**\n`;
       const versions = await cli.prompt('Which active release lines this report affects?', {
         questionType: 'input',
         defaultAnswer: supportedVersions
       });
-      for (const v of versions.split(',')) {
-        if (!this.affectedLines[v]) this.affectedLines[v] = true;
-        reportsContent += `    * ${v} - TBD\n`;
-      }
+      const summaryContent = await this.getSummary(id);
+
+      selectedReports.push({
+        id,
+        title,
+        cve_ids,
+        severity: reportLevel,
+        summary: summaryContent ?? '',
+        affectedVersions: versions.split(',').map((v) => v.replace('v', '').trim())
+      });
     }
-    this.content = this.content.replace('%REPORTS%', reportsContent);
+    return selectedReports;
+  }
+
+  async getSummary(reportId) {
+    const { data } = await this.req.getReport(reportId);
+    const summaryList = data?.relationships?.summaries?.data;
+    if (!summaryList?.length) return;
+    const summaries = summaryList.filter((summary) => summary?.attributes?.category === 'team');
+    if (!summaries?.length) return;
+    return summaries?.[0].attributes?.content;
   }
 
-  fillAffectedLines(affectedLines) {
-    let affected = '';
-    for (const line of affectedLines) {
-      affected += `  * ${line} - TBD\n`;
+  checkoutOnSecurityReleaseBranch(cli) {
+    this.checkRemote(cli);
+    const currentBranch = runSync('git', ['branch', '--show-current']).trim();
+    cli.info(`Current branch: ${currentBranch} `);
+
+    if (currentBranch !== this.nextSecurityReleaseBranch) {
+      runSync('git', ['checkout', '-B', this.nextSecurityReleaseBranch]);
+      cli.ok(`Checkout on branch: ${this.nextSecurityReleaseBranch} `);
+    };
+  }
+
+  async createVulnerabilitiesJSON(reports, { cli }) {
+    cli.separator('Creating vulnerabilities.json...');
+    const file = JSON.stringify({
+      reports
+    }, null, 2);
+
+    const folderPath = path.join(process.cwd(), 'security-release', 'next-security-release');
+    try {
+      await fs.accessSync(folderPath);
+    } catch (error) {
+      await fs.mkdirSync(folderPath, { recursive: true });
     }
-    this.content =
-      this.content.replace('%AFFECTED_LINES%', affected);
+
+    const fullPath = path.join(folderPath, 'vulnerabilities.json');
+    fs.writeFileSync(fullPath, file);
+    cli.ok(`Created ${fullPath} `);
+
+    return fullPath;
   }
 
-  fillTargetDate(date) {
-    this.content = this.content.replace('%RELEASE_DATE%', date);
+  async createPullRequest(req, { cli }) {
+    const { owner, repo } = this.repository;
+    const response = await req.createPullRequest(
+      this.title,
+      'List of vulnerabilities to be included in the next security release',
+      {
+        owner,
+        repo,
+        base: 'main',
+        head: 'next-security-release'
+      }
+
+    );
+    const url = response?.html_url;
+    if (url) {
+      cli.ok('Created: ' + url);
+      return url;
+    } else {
+      if (response?.errors) {
+        for (const error of response.errors) {
+          cli.error(error.message);
+        }
+      } else {
+        cli.error(response);
+      }
+      process.exit(1);
+    }
   }
 }
diff --git a/lib/request.js b/lib/request.js
@@ -77,6 +77,25 @@ export default class Request {
     return this.json(url, options);
   }
 
+  async createPullRequest(title, body, { owner, repo, head, base }) {
+    const url = `https://api.github.com/repos/${owner}/${repo}/pulls`;
+    const options = {
+      method: 'POST',
+      headers: {
+        Authorization: `Basic ${this.credentials.github}`,
+        'User-Agent': 'node-core-utils',
+        Accept: 'application/vnd.github+json'
+      },
+      body: JSON.stringify({
+        title,
+        body,
+        head,
+        base
+      })
+    };
+    return this.json(url, options);
+  }
+
   async gql(name, variables, path) {
     const query = this.loadQuery(name);
     if (path) {
@@ -113,6 +132,19 @@ export default class Request {
     return this.json(url, options);
   }
 
+  async getReport(reportId) {
+    const url = `https://api.hackerone.com/v1/reports/${reportId}`;
+    const options = {
+      method: 'GET',
+      headers: {
+        Authorization: `Basic ${this.credentials.h1}`,
+        'User-Agent': 'node-core-utils',
+        Accept: 'application/json'
+      }
+    };
+    return this.json(url, options);
+  }
+
   // This is for github v4 API queries, for other types of queries
   // use .text or .json
   async query(query, variables) {
