Add severity to JSON feed (#1374)

* vuln/core: fix bad refs

* vuln/core: add severity

* vuln/core: CR fixes

* vuln/core: CR fixes 2

Author: srmish-jfrog

__mocks__/mockVuln/pass/core/1.json

@@ -7,5 +7,6 @@
   "patched": "^8.1.4 || ^7.10.1 || ^4.8.4 || ^6.11.1",
   "description": "mocked core vulnerability overview",
   "overview": "mocked core vulnerability overview",
-  "affectedEnvironments": ["all"]
+  "affectedEnvironments": ["all"],
+  "severity": "medium"
 }

tools/vuln_valid/vulnValidate.js

@@ -37,6 +37,10 @@ const coreModel = joi.object().keys({
   // See: https://nodejs.org/api/os.html#osplatform
   .items(joi.string().valid("all", "aix", "darwin", "freebsd", "linux", "openbsd", "sunos", "win32", "android"))
   .min(1)
+  .required(),
+  severity: joi
+  .string()
+  .regex(/^(unknown)|(low)|(medium)|(high)|(critical)$/)
   .required()
 });
 

vuln/core/1.json

@@ -7,5 +7,8 @@
   "patched": "^8.1.4 || ^7.10.1 || ^4.8.4 || ^6.11.1",
   "description": "memory overread when parsing invalid NAPTR responses",
   "overview": "The c-ares function ares_parse_naptr_reply(), which is used for parsing NAPTR\nresponses, could be triggered to read memory outside of the given input buffer\nif the passed in DNS response packet was crafted in a particular way.\n\n",
-  "affectedEnvironments": ["all"]
+  "affectedEnvironments": [
+    "all"
+  ],
+  "severity": "unknown"
 }

vuln/core/10.json

@@ -6,5 +6,8 @@
   "patched": "^6.9.0",
   "ref": "https://nodejs.org/en/blog/vulnerability/october-2016-security-releases/",
   "overview": "The V8 parser mishandled scopes, potentially allowing an attacker to obtain\nsensitive information from arbitrary memory locations via crafted JavaScript\ncode. This vulnerability would require an attacker to be able to execute\narbitrary JavaScript code in a Node.js process.\n\n",
-  "affectedEnvironments": ["all"]
+  "affectedEnvironments": [
+    "all"
+  ],
+  "severity": "unknown"
 }

vuln/core/100.json

@@ -1,8 +1,13 @@
 {
-  "cve": ["CVE-2022-35256"],
+  "cve": [
+    "CVE-2022-35256"
+  ],
   "vulnerable": "14.x || 16.x || 18.x",
   "patched": "^14.20.1 || ^16.17.1 || ^18.9.1",
   "ref": "https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/",
   "overview": "The llhttp parser in the http module in Node.js v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.",
-  "affectedEnvironments": ["all"]
+  "affectedEnvironments": [
+    "all"
+  ],
+  "severity": "medium"
 }

vuln/core/101.json

@@ -1,8 +1,13 @@
 {
-  "cve": ["CVE-2022-35255"],
+  "cve": [
+    "CVE-2022-35255"
+  ],
   "vulnerable": "18.x",
   "patched": "^18.9.1",
   "ref": "https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/",
   "overview": "Node.js made calls to EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. However, it does not check the return value, it assumes EntropySource() always succeeds, but it can (and sometimes will) fail.",
-  "affectedEnvironments": ["all"]
+  "affectedEnvironments": [
+    "all"
+  ],
+  "severity": "high"
 }

vuln/core/102.json

@@ -1,8 +1,13 @@
 {
-  "cve": ["CVE-2022-43548"],
+  "cve": [
+    "CVE-2022-43548"
+  ],
   "vulnerable": "14.x || 16.x || 18.x || 19.x",
   "patched": "^14.21.1 || ^16.18.1 || ^18.12.1 || ^19.0.1",
   "ref": "https://nodejs.org/en/blog/vulnerability/november-2022-security-releases/",
   "overview": "The Node.js rebinding protector for --inspect still allows invalid IP address, specifically, the octal format.",
-  "affectedEnvironments": ["all"]
+  "affectedEnvironments": [
+    "all"
+  ],
+  "severity": "medium"
 }

vuln/core/103.json

@@ -1,8 +1,13 @@
 {
-  "cve": ["CVE-2023-23918"],
+  "cve": [
+    "CVE-2023-23918"
+  ],
   "vulnerable": "14.x || 16.x || 18.x || 19.x",
   "patched": "^14.21.3 || ^16.19.1 || ^18.14.1 || ^19.6.1",
   "ref": "https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/",
   "overview": "It was possible to bypass Permissions and access non authorized modules by using process.mainModule.require(). This only affects users who had enabled the experimental permissions option with --experimental-policy.",
-  "affectedEnvironments": ["all"]
+  "affectedEnvironments": [
+    "all"
+  ],
+  "severity": "high"
 }

vuln/core/104.json

@@ -1,8 +1,13 @@
 {
-  "cve": ["CVE-2023-23919"],
+  "cve": [
+    "CVE-2023-23919"
+  ],
   "vulnerable": "14.x || 16.x || 18.x || 19.x",
   "patched": "^14.21.3 || ^16.19.1 || ^18.14.1 || ^19.2.0",
   "ref": "https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/",
   "overview": "In some cases Node.js did does not clear the OpenSSL error stack after operations that may set it. This may lead to false positive errors during subsequent cryptographic operations that happen to be on the same thread. This in turn could be used to cause a denial of service.",
-  "affectedEnvironments": ["all"]
+  "affectedEnvironments": [
+    "all"
+  ],
+  "severity": "medium"
 }

vuln/core/105.json

@@ -1,8 +1,13 @@
 {
-  "cve": ["CVE-2023-23936"],
+  "cve": [
+    "CVE-2023-23936"
+  ],
   "vulnerable": "14.x || 16.x || 18.x || 19.x",
   "patched": "^14.21.3 || ^16.19.1 || ^18.14.1 || ^19.6.1",
   "ref": "https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/",
   "overview": "The fetch API in Node.js did not prevent CRLF injection in the 'host' header potentially allowing attacks such as HTTP response splitting and HTTP header injection.",
-  "affectedEnvironments": ["all"]
+  "affectedEnvironments": [
+    "all"
+  ],
+  "severity": "medium"
 }