feat: initial version

mhdawson · mhdawson · commit becab5b306be · 2022-07-13T22:14:05.000-04:00
Signed-off-by: Michael Dawson &lt;mdawson@devrus.com&gt;
diff --git a/.github/workflows/daily-main.yml b/.github/workflows/daily-main.yml
@@ -0,0 +1,57 @@
+name: Check main for vulns daily
+
+on:
+  workflow_dispatch:
+    inputs:
+      nodejsStream:
+        default: 'main'
+  schedule:
+    - cron: 0 0 * * *
+
+permissions:
+  contents: read
+
+jobs:
+  check-vulns:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Setup Python 3.9
+        uses: actions/setup-python@v3
+        with:
+          python-version: '3.9'
+      - name: Checkout node.js repo
+        uses: actions/checkout@v3
+        with:
+          repository: nodejs/node
+          path: node
+          ref: ${{ github.event.inputs.nodejsStream || 'main' }}
+      - name: Installing pre-reqs
+        run: |
+          cd  ${{ github.workspace }}/node/tools/dep_checker
+          pip install -r requirements.txt
+      - name: Run the check
+        run: |
+          cd  ${{ github.workspace }}/node/tools/dep_checker
+          (
+            set -o pipefail
+            python main.py --gh-token ${{ secrets.VULN_CHECK_TOKEN }} 2>&1 | tee result.log
+          )
+      - name: collect error
+        id: collect_error
+        if: ${{ failure() }}
+        run: |
+          cd  ${{ github.workspace }}/node/tools/dep_checker
+          result=`cat result.log`
+          curdate=`date`
+          echo "::set-output name=date::$curdate"
+          echo "::set-output name=result::$result"
+      - name: check for failure
+        if: ${{ failure() }}
+        run: |
+          curl --request POST \
+          --url https://api.github.com/repos/${{ github.repository }}/issues \
+          --header 'Authorization: token ${{ secrets.VULN_CHECK_TOKEN }}' \
+          --header 'Accept: application/vnd.github+json' \
+          --data '{
+            "title": "Vulnerability check reported failure - ${{ steps.collect_error.outputs.date }}",
+            "body": "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} \\\n${{ steps.collect_error.outputs.result }}"}'
diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md
@@ -0,0 +1,4 @@
+# Code of Conduct
+
+The Node.js Code of Conduct, which applies to this project, can be found at
+https://github.com/nodejs/admin/blob/HEAD/CODE_OF_CONDUCT.md.
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -0,0 +1,30 @@
+# Contributing
+
+We welcome participation in this effort. Please feel free to
+raise or comment on issues and join any of the scheduled meetings.
+
+## Developer's Certificate of Origin 1.1
+
+By making a contribution to this project, I certify that:
+
+* (a) The contribution was created in whole or in part by me and I
+  have the right to submit it under the open source license
+  indicated in the file; or
+
+* (b) The contribution is based upon previous work that, to the best
+  of my knowledge, is covered under an appropriate open source
+  license and I have the right under that license to submit that
+  work with modifications, whether created in whole or in part
+  by me, under the same open source license (unless I am
+  permitted to submit under a different license), as indicated
+  in the file; or
+
+* (c) The contribution was provided directly to me by some other
+  person who certified (a), (b) or (c) and I have not modified
+  it.
+
+* (d) I understand and agree that this project and the contribution
+  are public and that a record of the contribution (including all
+  personal information I submit with it, including my sign-off) is
+  maintained indefinitely and may be redistributed consistent with
+  this project or the open source license(s) involved.
diff --git a/README.md b/README.md
@@ -1 +1,22 @@
-# node-js-dependency-vuln-assessments
+# node-js-dependency-vuln-assessments
+
+This repo is used to
+
+1. Run automated checks for vulnerabilities in Node.js dependencies that have
+   already been made public
+1. Track and communicate information about vulnerabilities in depdencies that
+   are public and have not yet been addressed. This maybe be to documented
+   that they don't affect Node.js or what action is being taken to address
+   then.
+
+
+Automated checks are currently run through a GitHub action using
+[dep_checker](https://github.com/nodejs/node/tree/main/tools/dep_checker).
+
+**DO NOT REPORT OR DISCUSS VULNERABLITIES THAT ARE NOT ALREADY
+PUBLIC IN THIS REPO**. Please report new vulnerabilities either to
+the projects for a specific dependency or report to the Node.js project
+as outlined in the Node.js project's
+[SECURITY.md](https://github.com/nodejs/node/blob/main/SECURITY.md) file.
+
+
