From 6ca79aa4a8265e0d6251cbb43a9cafa5360d7ff8 Mon Sep 17 00:00:00 2001
From: RafaelGSS
Date: Tue, 15 Jul 2025 14:45:08 -0300
Subject: [PATCH] feat: add patchedVersions on --request-cve
Refs: https://github.com/nodejs-private/security-release/issues/64
---
 lib/update_security_release.js | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)
diff --git a/lib/update_security_release.js b/lib/update_security_release.js
index 91ec0715..ffe56df6 100644
--- a/lib/update_security_release.js
+++ b/lib/update_security_release.js
@@ -152,6 +152,7 @@ export default class UpdateSecurityRelease extends SecurityRelease {
 for (const cve of cves) {
 const report = reports.find(report => report.id === cve.reportId);
 report.cveIds = [cve.cve_identifier];
+ report.patchedVersions = cve.patchedVersions;
 }
 }
@@ -219,12 +220,14 @@ Summary: ${summary}\n`,
 if (!create) continue;
+ const { h1AffectedVersions, patchedVersions } =
+ await this.calculateVersions(affectedVersions, supportedVersions);
 const body = {
 data: {
 type: 'cve-request',
 attributes: {
 team_handle: 'nodejs-team',
- versions: await this.formatAffected(affectedVersions, supportedVersions),
+ versions: h1AffectedVersions,
 metrics: [
 {
 vectorString: cvss_vector_string
@@ -246,7 +249,7 @@ Summary: ${summary}\n`,
 continue;
 }
 const { cve_identifier } = data.attributes;
- cves.push({ cve_identifier, reportId: id });
+ cves.push({ cve_identifier, reportId: id, patchedVersions });
 }
 return cves;
 }
@@ -262,15 +265,23 @@ Summary: ${summary}\n`,
 }
 }
- async formatAffected(affectedVersions, supportedVersions) {
- const result = [];
+ async calculateVersions(affectedVersions, supportedVersions) {
+ const h1AffectedVersions = [];
+ const patchedVersions = [];
 for (const affectedVersion of affectedVersions) {
 const major = affectedVersion.split('.')[0];
 const latest = supportedVersions.find((v) => v.major === Number(major)).version;
 const version = await this.cli.prompt(
 `What is the affected version (<=) for release line ${affectedVersion}?`,
 { questionType: 'input', defaultAnswer: latest });
- result.push({
+
+ const nextPatchVersion = parseInt(version.split('.')[2]) + 1;
+ const patchedVersion = await this.cli.prompt(
+ `What is the patched version (>=) for release line ${affectedVersion}?`,
+ { questionType: 'input', defaultAnswer: nextPatchVersion });
+
+ patchedVersions.push(patchedVersion);
+ h1AffectedVersions.push({
 vendor: 'nodejs',
 product: 'node',
 func: '<=',
@@ -279,6 +290,6 @@ Summary: ${summary}\n`,
 affected: true
 });
 }
- return result;
+ return { h1AffectedVersions, patchedVersions };
 }
 }
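Review bot: The default offered by the new "patched version (>=)" prompt in `calculateVersions` is only the incremented patch component, not a version string: `parseInt(version.split('.')[2]) + 1` gives a bare number such as `4` for an answer of `20.19.3` (constructed example), and `NaN` when the answer has fewer than three dot-separated parts. The answer is pushed unchecked into `patchedVersions`, which the first hunk copies onto the report, so an operator who accepts the default would record a wrong fixed version in the security-release data that consumers presumably rely on to decide whether they are patched. I would build the full string with an explicit radix, `const [maj, min, patch] = version.split('.');` then `const nextPatchVersion = [maj, min, Number.parseInt(patch, 10) + 1].join('.');`, and re-prompt when either answer is not three numeric components. The method starts in this hunk and its closing lines are in the following one.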