From 7f0dfaa694e2e5cfbf5c68c83c6023146f6d3eae Mon Sep 17 00:00:00 2001
From: Marco Ippolito
Date: Mon, 10 Mar 2025 16:36:36 +0100
Subject: [PATCH 1/3] feat: add csv with missing

---
 package-lock.json         | 102 ++++++++++++++++++++++++++--
 package.json              |   5 +-
 tools/eol_cve/eol-cve.csv | 138 ++++++++++++++++++++++++++++++++++++++
 tools/eol_cve/index.js    | 116 ++++++++++++++++++++++++++++++++
 4 files changed, 354 insertions(+), 7 deletions(-)
 create mode 100644 tools/eol_cve/eol-cve.csv
 create mode 100644 tools/eol_cve/index.js

diff --git a/package-lock.json b/package-lock.json
index bbdde62ca..7cbd151a5 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -9,9 +9,37 @@
 "version": "1.0.0",
 "license": "MIT",
 "dependencies": {
- "@pkgjs/nv": "^0.2.1",
+ "@pkgjs/nv": "^0.2.2",
+ "fast-csv": "^5.0.2",
 "joi": "^17.13.3",
- "semver": "^7.3.8"
+ "semver": "^7.7.1"
+ }
+ },
+ "node_modules/@fast-csv/format": {
+ "version": "5.0.2",
+ "resolved": "https://registry.npmjs.org/@fast-csv/format/-/format-5.0.2.tgz",
+ "integrity": "sha512-fRYcWvI8vs0Zxa/8fXd/QlmQYWWkJqKZPAXM+vksnplb3owQFKTPPh9JqOtD0L3flQw/AZjjXdPkD7Kp/uHm8g==",
+ "license": "MIT",
+ "dependencies": {
+ "lodash.escaperegexp": "^4.1.2",
+ "lodash.isboolean": "^3.0.3",
+ "lodash.isequal": "^4.5.0",
+ "lodash.isfunction": "^3.0.9",
+ "lodash.isnil": "^4.0.0"
+ }
+ },
+ "node_modules/@fast-csv/parse": {
+ "version": "5.0.2",
+ "resolved": "https://registry.npmjs.org/@fast-csv/parse/-/parse-5.0.2.tgz",
+ "integrity": "sha512-gMu1Btmm99TP+wc0tZnlH30E/F1Gw1Tah3oMDBHNPe9W8S68ixVHjt89Wg5lh7d9RuQMtwN+sGl5kxR891+fzw==",
+ "license": "MIT",
+ "dependencies": {
+ "lodash.escaperegexp": "^4.1.2",
+ "lodash.groupby": "^4.6.0",
+ "lodash.isfunction": "^3.0.9",
+ "lodash.isnil": "^4.0.0",
+ "lodash.isundefined": "^3.0.1",
+ "lodash.uniq": "^4.5.0"
 }
 },
 "node_modules/@hapi/hoek": {
@@ -33,6 +61,7 @@
 "version": "0.2.2",
 "resolved": "https://registry.npmjs.org/@pkgjs/nv/-/nv-0.2.2.tgz",
 "integrity": "sha512-LbQbUKwt2d4VsTM5MKG25WLiZtmXu89zeoqVdJz3POlnyICkZ/o63WLswLleIysYOGHY9rqeOF/SBwC4hbq90Q==",
+ "license": "MIT",
 "dependencies": {
 "got": "^11.8.3",
 "semver": "^7.1.1",
@@ -299,6 +328,19 @@
 "node": ">=6"
 }
 },
+ "node_modules/fast-csv": {
+ "version": "5.0.2",
+ "resolved": "https://registry.npmjs.org/fast-csv/-/fast-csv-5.0.2.tgz",
+ "integrity": "sha512-CnB2zYAzzeh5Ta0UhSf32NexLy2SsEsSMY+fMWPV40k1OgaLEbm9Hf5dms3z/9fASZHBjB6i834079gVeksEqQ==",
+ "license": "MIT",
+ "dependencies": {
+ "@fast-csv/format": "5.0.2",
+ "@fast-csv/parse": "5.0.2"
+ },
+ "engines": {
+ "node": ">=10.0.0"
+ }
+ },
 "node_modules/get-caller-file": {
 "version": "2.0.5",
 "resolved": "https://registry.npmjs.org/get-caller-file/-/get-caller-file-2.0.5.tgz",
@@ -382,6 +424,55 @@
 "json-buffer": "3.0.1"
 }
 },
+ "node_modules/lodash.escaperegexp": {
+ "version": "4.1.2",
+ "resolved": "https://registry.npmjs.org/lodash.escaperegexp/-/lodash.escaperegexp-4.1.2.tgz",
+ "integrity": "sha512-TM9YBvyC84ZxE3rgfefxUWiQKLilstD6k7PTGt6wfbtXF8ixIJLOL3VYyV/z+ZiPLsVxAsKAFVwWlWeb2Y8Yyw==",
+ "license": "MIT"
+ },
+ "node_modules/lodash.groupby": {
+ "version": "4.6.0",
+ "resolved": "https://registry.npmjs.org/lodash.groupby/-/lodash.groupby-4.6.0.tgz",
+ "integrity": "sha512-5dcWxm23+VAoz+awKmBaiBvzox8+RqMgFhi7UvX9DHZr2HdxHXM/Wrf8cfKpsW37RNrvtPn6hSwNqurSILbmJw==",
+ "license": "MIT"
+ },
+ "node_modules/lodash.isboolean": {
+ "version": "3.0.3",
+ "resolved": "https://registry.npmjs.org/lodash.isboolean/-/lodash.isboolean-3.0.3.tgz",
+ "integrity": "sha512-Bz5mupy2SVbPHURB98VAcw+aHh4vRV5IPNhILUCsOzRmsTmSQ17jIuqopAentWoehktxGd9e/hbIXq980/1QJg==",
+ "license": "MIT"
+ },
+ "node_modules/lodash.isequal": {
+ "version": "4.5.0",
+ "resolved": "https://registry.npmjs.org/lodash.isequal/-/lodash.isequal-4.5.0.tgz",
+ "integrity": "sha512-pDo3lu8Jhfjqls6GkMgpahsF9kCyayhgykjyLMNFTKWrpVdAQtYyB4muAMWozBB4ig/dtWAmsMxLEI8wuz+DYQ==",
+ "deprecated": "This package is deprecated. Use require('node:util').isDeepStrictEqual instead.",
+ "license": "MIT"
+ },
+ "node_modules/lodash.isfunction": {
+ "version": "3.0.9",
+ "resolved": "https://registry.npmjs.org/lodash.isfunction/-/lodash.isfunction-3.0.9.tgz",
+ "integrity": "sha512-AirXNj15uRIMMPihnkInB4i3NHeb4iBtNg9WRWuK2o31S+ePwwNmDPaTL3o7dTJ+VXNZim7rFs4rxN4YU1oUJw==",
+ "license": "MIT"
+ },
+ "node_modules/lodash.isnil": {
+ "version": "4.0.0",
+ "resolved": "https://registry.npmjs.org/lodash.isnil/-/lodash.isnil-4.0.0.tgz",
+ "integrity": "sha512-up2Mzq3545mwVnMhTDMdfoG1OurpA/s5t88JmQX809eH3C8491iu2sfKhTfhQtKY78oPNhiaHJUpT/dUDAAtng==",
+ "license": "MIT"
+ },
+ "node_modules/lodash.isundefined": {
+ "version": "3.0.1",
+ "resolved": "https://registry.npmjs.org/lodash.isundefined/-/lodash.isundefined-3.0.1.tgz",
+ "integrity": "sha512-MXB1is3s899/cD8jheYYE2V9qTHwKvt+npCwpD+1Sxm3Q3cECXCiYHjeHWXNwr6Q0SOBPrYUDxendrO6goVTEA==",
+ "license": "MIT"
+ },
+ "node_modules/lodash.uniq": {
+ "version": "4.5.0",
+ "resolved": "https://registry.npmjs.org/lodash.uniq/-/lodash.uniq-4.5.0.tgz",
+ "integrity": "sha512-xfBaXQd9ryd9dlSDvnvI0lvxfLJlYAZzXomUYzLKtUeOQvOP5piqAWuGtrhWeqaXK9hhoM/iyJc5AV+XfsX3HQ==",
+ "license": "MIT"
+ },
 "node_modules/lowercase-keys": {
 "version": "2.0.0",
 "resolved": "https://registry.npmjs.org/lowercase-keys/-/lowercase-keys-2.0.0.tgz",
@@ -470,9 +561,10 @@
 }
 },
 "node_modules/semver": {
- "version": "7.6.3",
- "resolved": "https://registry.npmjs.org/semver/-/semver-7.6.3.tgz",
- "integrity": "sha512-oVekP1cKtI+CTDvHWYFUcMtsK/00wmAEfyqKfNdARm8u1wNVhSgaX7A8d4UuIlUI5e84iEwOhs7ZPYRmzU9U6A==",
+ "version": "7.7.1",
+ "resolved": "https://registry.npmjs.org/semver/-/semver-7.7.1.tgz",
+ "integrity": "sha512-hlq8tAfn0m/61p4BVRcPzIGr6LKiMwo4VM6dGi6pt4qcRkmNzTcWq6eCEjEh+qXjkMDvPlOFFSGwQjoEa6gyMA==",
+ "license": "ISC",
 "bin": {
 "semver": "bin/semver.js"
 },
diff --git a/package.json b/package.json
index 804471099..f1d363149 100644
--- a/package.json
+++ b/package.json
@@ -11,8 +11,9 @@
 "author": "",
 "license": "MIT",
 "dependencies": {
- "@pkgjs/nv": "^0.2.1",
+ "@pkgjs/nv": "^0.2.2",
+ "fast-csv": "^5.0.2",
 "joi": "^17.13.3",
- "semver": "^7.3.8"
+ "semver": "^7.7.1"
 }
 }
diff --git a/tools/eol_cve/eol-cve.csv b/tools/eol_cve/eol-cve.csv
new file mode 100644
index 000000000..8f823b24c
--- /dev/null
+++ b/tools/eol_cve/eol-cve.csv
@@ -0,0 +1,138 @@ +cve,vulnerable,patched,affectedEOL +CVE-2017-1000381,"8.x || 7.x || 4.x || 6.x || 5.x","^8.1.4 || ^7.10.1 || ^4.8.4 || ^6.11.1","5.x || 7.x" +CVE-2017-3731,"4.x || 5.x || 6.x || 7.x","^4.7.3 || ^6.9.5 || ^7.5.0",5.x +CVE-2017-3732,"4.x || 5.x || 6.x || 7.x","^4.7.3 || ^6.9.5 || ^7.5.0",5.x +CVE-2016-7055,"4.x || 5.x || 6.x || 7.x","^4.7.3 || ^6.9.5 || ^7.5.0",5.x +CVE-2016-9551,^7.1.0,^7.2.0,5.x +CVE-2016-9840,"4.x || 5.x || 6.x || 7.x","^4.8.2 || ^6.10.2 || ^7.6.0",5.x +CVE-2016-9841,"4.x || 5.x || 6.x || 7.x","^4.8.2 || ^6.10.2 || ^7.6.0",5.x +CVE-2016-9842,"4.x || 5.x || 6.x || 7.x","^4.8.2 || ^6.10.2 || ^7.6.0",5.x +CVE-2016-9843,"4.x || 5.x || 6.x || 7.x","^4.8.2 || ^6.10.2 || ^7.6.0",5.x +CVE-2016-5172,6.x,^6.9.0,5.x +CVE-2016-6304,"6.x || 5.x || 4.x","^6.7.0 || ^4.6.0",5.x +CVE-2016-2183,"6.x || 5.x || 4.x","^6.7.0 || ^4.6.0",5.x +CVE-2016-6303,"6.x || 5.x || 4.x","^6.7.0 || ^4.6.0",5.x +CVE-2016-2178,"6.x || 5.x || 4.x","^6.7.0 || ^4.6.0",5.x +CVE-2016-6306,"6.x || 5.x || 4.x","^6.7.0 || ^4.6.0",5.x +CVE-2016-5325,"6.x || 4.x || 5.x","^6.7.0 || ^4.6.0",5.x +CVE-2016-7099,"6.x || 4.x || 5.x","^6.7.0 || ^4.6.0",5.x +CVE-2017-14849,8.5.0,^8.6.0,"5.x || 7.x" +CVE-2017-14919,"^4.8.2 || ^6.10.2 || 8.x","^4.8.5 || ^6.11.5 || ^8.8.0","5.x || 7.x" +CVE-2017-15896,"4.x || 6.x || 8.x || 9.x","^4.8.7 || ^6.12.2 || ^8.9.3 || ^9.2.1","5.x || 7.x" +CVE-2017-15897,"8.x || 9.x","^8.9.3 || ^9.2.1","5.x || 7.x" +CVE-2018-7159,"4.x || 6.x || 8.x || 9.x","^4.9.0 || ^6.14.0 || ^8.11.0 || ^9.10.0","5.x || 7.x" +CVE-2018-7160,"6.x || 8.x || 9.x","^6.14.0 || ^8.11.0 || ^9.10.0","5.x || 7.x" +CVE-2018-7161,"8.x || 9.x || 10.x","^8.11.3 || ^9.11.2 || ^10.4.1","4.x || 5.x || 7.x" +CVE-2018-7162,"9.x || 10.x","^9.11.2 || ^10.4.1","4.x || 5.x || 7.x" +CVE-2018-7164,"9.7.x || 10.x","^9.11.2 || ^10.4.1","4.x || 5.x || 7.x" +CVE-2018-7167,"6.x || 8.x || 9.x","^6.14.3 || ^8.11.3 || ^9.11.2","4.x || 5.x || 7.x" +CVE-2018-7166,10.x,>= 10.9.0,"4.x || 5.x || 7.x || 9.x" 
+CVE-2018-12115,<= 10,"^6.14.4 || ^8.11.4 || >= 10.9.0","4.x || 5.x || 7.x || 9.x" +CVE-2018-12116,"6.x || 8.x","^6.15.0 || ^8.14.0","4.x || 5.x || 7.x" +CVE-2018-12120,"6.x || 8.x","^6.15.0 || ^8.14.0","4.x || 5.x || 7.x" +CVE-2018-12121,"6.x || 8.x || 10.x || 11.x","^6.15.0 || ^8.14.0 || ^10.14.0 || ^11.3.0","4.x || 5.x || 7.x || 9.x" +CVE-2018-12122,"6.x || 8.x || 10.x || 11.x","^6.15.0 || ^8.14.0 || ^10.14.0 || ^11.3.0","4.x || 5.x || 7.x || 9.x" +CVE-2018-12123,"6.x || 8.x || 10.x || 11.x","^6.15.0 || ^8.14.0 || ^10.14.0 || ^11.3.0","4.x || 5.x || 7.x || 9.x" +CVE-2019-5737,"6.x || 8.x || 10.x || 11.x","^6.17.0 || ^8.15.1 || ^10.15.2 || ^11.10.1","4.x || 5.x || 7.x || 9.x" +CVE-2019-5739,6.x,^6.17.0,"4.x || 5.x" +CVE-2019-9511,"8.x || 10.x || 12.x","^8.16.1 || ^10.16.3 || ^12.8.1","4.x || 5.x || 6.x || 7.x || 9.x || 11.x" +CVE-2019-9512,"8.x || 10.x || 12.x","^8.16.1 || ^10.16.3 || ^12.8.1","4.x || 5.x || 6.x || 7.x || 9.x || 11.x" +CVE-2019-9513,"8.x || 10.x || 12.x","^8.16.1 || ^10.16.3 || ^12.8.1","4.x || 5.x || 6.x || 7.x || 9.x || 11.x" +CVE-2019-9514,"8.x || 10.x || 12.x","^8.16.1 || ^10.16.3 || ^12.8.1","4.x || 5.x || 6.x || 7.x || 9.x || 11.x" +CVE-2019-9515,"8.x || 10.x || 12.x","^8.16.1 || ^10.16.3 || ^12.8.1","4.x || 5.x || 6.x || 7.x || 9.x || 11.x" +CVE-2019-9516,"8.x || 10.x || 12.x","^8.16.1 || ^10.16.3 || ^12.8.1","4.x || 5.x || 6.x || 7.x || 9.x || 11.x" +CVE-2019-9517,"8.x || 10.x || 12.x","^8.16.1 || ^10.16.3 || ^12.8.1","4.x || 5.x || 6.x || 7.x || 9.x || 11.x" +CVE-2019-9518,"8.x || 10.x || 12.x","^8.16.1 || ^10.16.3 || ^12.8.1","4.x || 5.x || 6.x || 7.x || 9.x || 11.x" +CVE-2019-15604,"10.x || 12.x || 13.x","^10.19.0 || ^12.15.0 || ^13.8.0","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 11.x" +CVE-2019-15605,"10.x || 12.x || 13.x","^10.19.0 || ^12.15.0 || ^13.8.0","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 11.x" +CVE-2019-15606,"10.x || 12.x || 13.x","^10.19.0 || ^12.15.0 || ^13.8.0","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 11.x" 
+CVE-2020-8201,"12.x || 14.x","^12.18.4 || ^14.11.0","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 11.x || 13.x" +CVE-2020-8251,14.x,^14.11.0,"4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 11.x || 13.x" +CVE-2020-8252,"10.x || 12.x || 14.x","^10.22.1 || ^12.18.4 || ^14.9.0","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 11.x || 13.x" +CVE-2020-8277," 12.x || 14.x || 15.x"," ^12.19.1 || ^14.15.1 || 15.2.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 11.x || 13.x" +CVE-2020-8265,"10.x || 12.x || 14.x || 15.x","^10.23.1 || ^12.20.1 || ^14.15.4 || ^15.5.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 11.x || 13.x" +CVE-2020-8287,"10.x || 12.x || 14.x || 15.x","^10.23.1 || ^12.20.1 || ^14.15.4 || ^15.5.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 11.x || 13.x" +CVE-2020-1971,"10.x || 12.x || 14.x || 15.x","^10.23.1 || ^12.20.1 || ^14.15.4 || ^15.5.0","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 11.x || 13.x" +CVE-2021-22883," 10.x || 12.x || 14.x || 15.x"," ^10.24.0 || ^12.21.0 || ^14.16.0 || ^15.10.0","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 11.x || 13.x" +CVE-2021-22884," 10.x || 12.x || 14.x || 15.x"," ^10.24.0 || ^12.21.0 || ^14.16.0 || ^15.10.0","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 11.x || 13.x" +CVE-2021-23840," 10.x || 12.x || 14.x || 15.x"," ^10.24.0 || ^12.21.0 || ^14.16.0 || ^15.10.0","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 11.x || 13.x" +CVE-2021-3450," 10.x || 12.x || 14.x || 15.x"," ^10.24.1 || ^12.22.1 || ^14.16.1 || ^15.14.0","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 11.x || 13.x" +CVE-2021-3449," 10.x || 12.x || 14.x || 15.x"," ^10.24.1 || ^12.22.1 || ^14.16.1 || ^15.14.0","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 11.x || 13.x" +CVE-2020-7774," 10.x || 12.x || 14.x"," ^10.24.1 || ^12.22.1 || ^14.16.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 11.x || 13.x" +CVE-2021-22930," 12.x || 14.x || 16.x"," ^12.22.4 || ^14.17.4 || ^16.6.0","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 13.x || 15.x" +CVE-2021-22921," 12.x || 14.x || 16.x"," ^12.22.2 || 
^14.17.2 || ^16.4.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 13.x || 15.x" +CVE-2021-27290, 12.x, ^12.22.2,"4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x" +CVE-2021-23362, 12.x, ^12.22.2,"4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x" +CVE-2021-22918," 12.x || 14.x || 16.x"," ^12.22.2 || ^14.17.2 || ^16.4.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 13.x || 15.x" +CVE-2021-22931,"12.x || 14.x || 16.x","^12.22.5 || ^14.17.5 || ^16.6.2","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 13.x || 15.x" +CVE-2021-22940,"12.x || 14.x || 16.x","^12.22.5 || ^14.17.5 || ^16.6.2","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 13.x || 15.x" +CVE-2021-22939,"12.x || 14.x || 16.x","^12.22.5 || ^14.17.5 || ^16.6.2","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 13.x || 15.x" +CVE-2021-37701," 12.x || 14.x"," ^12.22.6 || ^14.17.6","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 13.x" +CVE-2021-37712," 12.x || 14.x"," ^12.22.6 || ^14.17.6","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 13.x" +CVE-2021-37713," 12.x || 14.x"," ^12.22.6 || ^14.17.6","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 13.x" +CVE-2021-39134," 12.x || 14.x"," ^12.22.6 || ^14.17.6","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 13.x" +CVE-2021-39135," 12.x || 14.x"," ^12.22.6 || ^14.17.6","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 13.x" +CVE-2021-22959,"12.x || 14.x || 16.x"," ^12.22.7 || ^14.18.1 || ^16.11.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 13.x || 15.x" +CVE-2021-22960,"12.x || 14.x || 16.x"," ^12.22.7 || ^14.18.1 || ^16.11.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 13.x || 15.x" +CVE-2021-44531,"12.x || 14.x || 16.x || 17.x","^12.22.9 || ^14.18.3 || ^16.13.2 || ^17.3.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 13.x || 15.x" +CVE-2021-44532,"12.x || 14.x || 16.x || 17.x","^12.22.9 || ^14.18.3 || 
^16.13.2 || ^17.3.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 13.x || 15.x" +CVE-2021-44533,"12.x || 14.x || 16.x || 17.x","^12.22.9 || ^14.18.3 || ^16.13.2 || ^17.3.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 13.x || 15.x" +CVE-2022-21824,"12.x || 14.x || 16.x || 17.x","^12.22.9 || ^14.18.3 || ^16.13.2 || ^17.3.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 13.x || 15.x" +CVE-2022-0778,"12.x || 14.x || 16.x || 17.x","^12.22.11 || ^14.19.1 || ^16.14.2 || ^17.7.2","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 13.x || 15.x" +CVE-2022-32215,"14.x || 16.x || 18.x","^14.20.1 || ^16.17.1 || ^18.9.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 15.x || 17.x" +CVE-2022-32214,"14.x || 16.x || 18.x","^14.20.0 || ^16.20.0 || ^18.5.0","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 15.x || 17.x" +CVE-2022-32212,"14.x || 16.x || 18.x","^14.20.1 || ^16.17.1 || ^18.9.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 15.x || 17.x" +CVE-2022-32213,"14.x || 16.x || 18.x","^14.20.1 || ^16.17.1 || ^18.9.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 15.x || 17.x" +CVE-2022-32223,"14.x || 16.x || 18.x","^14.20.0 || ^16.20.0 || ^18.5.0","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 15.x || 17.x" +CVE-2022-32222,"14.x || 16.x || 18.x","^14.20.0 || ^16.20.0 || ^18.9.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 15.x || 17.x" +CVE-2022-35256,"14.x || 16.x || 18.x","^14.20.1 || ^16.17.1 || ^18.9.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 15.x || 17.x" +CVE-2022-35255,18.x,^18.9.1,"4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 15.x || 17.x" +CVE-2022-43548,"14.x || 16.x || 18.x || 19.x","^14.21.1 || ^16.18.1 || ^18.12.1 || ^19.0.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 
12.x || 13.x || 15.x || 17.x" +CVE-2023-23918,"14.x || 16.x || 18.x || 19.x","^14.21.3 || ^16.19.1 || ^18.14.1 || ^19.6.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 15.x || 17.x" +CVE-2023-23919,"14.x || 16.x || 18.x || 19.x","^14.21.3 || ^16.19.1 || ^18.14.1 || ^19.2.0","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 15.x || 17.x" +CVE-2023-23936,"14.x || 16.x || 18.x || 19.x","^14.21.3 || ^16.19.1 || ^18.14.1 || ^19.6.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 15.x || 17.x" +CVE-2023-24807,"14.x || 16.x || 18.x || 19.x","^14.21.3 || ^16.19.1 || ^18.14.1 || ^19.6.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 15.x || 17.x" +CVE-2023-23920,"14.x || 16.x || 18.x || 19.x","^14.21.3 || ^16.19.1 || ^18.14.1 || ^19.6.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 15.x || 17.x" +CVE-2023-30581,"16.x || 18.x || 20.x","^16.20.1 || ^18.16.1 || ^20.3.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 14.x || 15.x || 17.x || 19.x" +CVE-2023-30582,20.x,^20.3.1,"4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 14.x || 15.x || 17.x || 19.x" +CVE-2023-30583,20.x,^20.3.1,"4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 14.x || 15.x || 17.x || 19.x" +CVE-2023-30584,20.x,^20.3.1,"4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 14.x || 15.x || 17.x || 19.x" +CVE-2023-30585,"16.x || 18.x || 20.x","^16.20.1 || ^18.16.1 || ^20.3.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 14.x || 15.x || 17.x || 19.x" +CVE-2023-30586,20.x,^20.3.1,"4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 14.x || 15.x || 17.x || 19.x" +CVE-2023-30587,20.x,^20.3.1,"4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 14.x || 15.x || 17.x || 19.x" +CVE-2023-30589,"16.x || 18.x || 
20.x","^16.20.1 || ^18.16.1 || ^20.3.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 14.x || 15.x || 17.x || 19.x" +CVE-2023-30588,"16.x || 18.x || 20.x","^16.20.1 || ^18.16.1 || ^20.3.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 14.x || 15.x || 17.x || 19.x" +CVE-2023-30590,"16.x || 18.x || 20.x","^16.20.1 || ^18.16.1 || ^20.3.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 14.x || 15.x || 17.x || 19.x" +CVE-2023-32002,"16.x || 18.x || 20.x","^16.20.2 || ^18.17.1 || ^20.5.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 14.x || 15.x || 17.x || 19.x" +CVE-2023-32004,20.x,^20.5.1,"4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 14.x || 15.x || 17.x || 19.x" +CVE-2023-32558,20.x,^20.5.1,"4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 14.x || 15.x || 17.x || 19.x" +CVE-2023-32006,"16.x || 18.x || 20.x","^16.20.2 || ^18.17.1 || ^20.5.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 14.x || 15.x || 17.x || 19.x" +CVE-2023-32559,"16.x || 18.x || 20.x","^16.20.2 || ^18.17.1 || ^20.5.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 14.x || 15.x || 17.x || 19.x" +CVE-2023-32005,20.x,^20.5.1,"4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 14.x || 15.x || 17.x || 19.x" +CVE-2023-32003,20.x,^20.5.1,"4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 14.x || 15.x || 17.x || 19.x" +CVE-2023-45143,"18.x || 20.x","^18.18.2 || ^20.8.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 14.x || 15.x || 16.x || 17.x || 19.x" +CVE-2023-44487,"18.x || 20.x","^18.18.2 || ^20.8.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 14.x || 15.x || 16.x || 17.x || 19.x" +CVE-2023-39331,20.x,^20.8.1,"4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 
13.x || 14.x || 15.x || 16.x || 17.x || 19.x" +CVE-2023-39332,20.x,^20.8.1,"4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 14.x || 15.x || 16.x || 17.x || 19.x" +CVE-2023-38552,"18.x || 20.x","^18.18.2 || ^20.8.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 14.x || 15.x || 16.x || 17.x || 19.x" +CVE-2023-39333,"18.x || 20.x","^18.18.2 || ^20.8.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 14.x || 15.x || 16.x || 17.x || 19.x" +CVE-2023-46809,"18.x || 20.x || 21.x","^18.19.1 || ^20.11.1 || ^21.6.2","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 14.x || 15.x || 16.x || 17.x || 19.x" +CVE-2024-21891,"20.x || 21.x","^20.11.1 || ^21.6.2","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 14.x || 15.x || 16.x || 17.x || 19.x" +CVE-2024-21890,"20.x || 21.x","^20.11.1 || ^21.6.2","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 14.x || 15.x || 16.x || 17.x || 19.x" +CVE-2024-21892,"18.x || 20.x || 21.x","^18.19.1 || ^20.11.1 || ^21.6.2","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 14.x || 15.x || 16.x || 17.x || 19.x" +CVE-2024-22019,"18.x || 20.x || 21.x","^18.19.1 || ^20.11.1 || ^21.6.2","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 14.x || 15.x || 16.x || 17.x || 19.x" +CVE-2024-21896,"20.x || 21.x","^20.11.1 || ^21.6.2","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 14.x || 15.x || 16.x || 17.x || 19.x" +CVE-2024-22017,"20.x || 21.x","^20.11.1 || ^21.6.2","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 14.x || 15.x || 16.x || 17.x || 19.x" +CVE-2024-22025,"18.x || 20.x || 21.x","^18.19.1 || ^20.11.1 || ^21.6.2","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 14.x || 15.x || 16.x || 17.x || 19.x" +CVE-2024-27983,"18.x || 20.x || 21.x","^18.20.1 || ^20.12.1 || 
^21.7.2","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 14.x || 15.x || 16.x || 17.x || 19.x" +CVE-2024-27982,"18.x || 20.x || 21.x","^18.20.1 || ^20.12.1 || ^21.7.2","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 14.x || 15.x || 16.x || 17.x || 19.x" +CVE-2024-27982,"18.x || 20.x || 21.x","^18.20.2 || ^20.12.2 || ^21.7.3","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 14.x || 15.x || 16.x || 17.x || 19.x" +CVE-2024-36137,"20.x || 22.x","^20.15.1 || ^22.4.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 14.x || 15.x || 16.x || 17.x || 19.x || 21.x" +CVE-2024-36138,"18.x || 20.x || 22.x","^18.20.4 || ^20.15.1 || ^22.4.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 14.x || 15.x || 16.x || 17.x || 19.x || 21.x" +CVE-2024-22018,"20.x || 22.x","^20.15.1 || ^22.4.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 14.x || 15.x || 16.x || 17.x || 19.x || 21.x" +CVE-2024-22020,"18.x || 20.x || 22.x","^18.20.4 || ^20.15.1 || ^22.4.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 14.x || 15.x || 16.x || 17.x || 19.x || 21.x" +CVE-2024-37372,"20.x || 22.x","^20.15.1 || ^22.4.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 14.x || 15.x || 16.x || 17.x || 19.x || 21.x" +CVE-2025-23083,"20.x || 22.x || 23.x","^20.18.2 || ^22.13.1 || ^23.6.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 14.x || 15.x || 16.x || 17.x || 19.x || 21.x" +CVE-2025-23084,"18.x || 20.x || 22.x || 23.x","^18.20.6 || ^20.18.2 || ^22.13.1 || ^23.6.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 14.x || 15.x || 16.x || 17.x || 19.x || 21.x" +CVE-2025-23085,"18.x || 20.x || 22.x || 23.x","^18.20.6 || ^20.18.2 || ^22.13.1 || ^23.6.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 14.x || 15.x || 
16.x || 17.x || 19.x || 21.x"
+CVE-2024-27980,"18.x || 20.x || 21.x","^18.20.2 || ^20.12.2 || ^21.7.3","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 14.x || 15.x || 16.x || 17.x || 19.x"
diff --git a/tools/eol_cve/index.js b/tools/eol_cve/index.js
new file mode 100644
index 000000000..11c9d8cb7
--- /dev/null
+++ b/tools/eol_cve/index.js
@@ -0,0 +1,116 @@
+const vulnerabilities = require('../../vuln/core/index.json');
+const { createWriteStream } = require('fs');
+const { format } = require('fast-csv');
+const { resolve } = require('path');
+const semver = require('semver');
+const nv = require('@pkgjs/nv');
+const path = require('path');
+
+const csvStream = format({ headers: true });
+const filePath = resolve(__dirname, 'eol-cve.csv');
+const writeStream = createWriteStream(filePath);
+csvStream.pipe(writeStream);
+
+const MINIMUM_VERSION = 4;
+
+const RELEASE_SCHEDULE_JSON = 'https://raw.githubusercontent.com/nodejs/Release/main/schedule.json';
+
+async function fetchReleasesSchedule() {
+ try {
+ const response = await fetch(RELEASE_SCHEDULE_JSON);
+ const body = await response.json();
+ return body;
+ } catch (error) {
+ throw new Error(`Failed to fetch release schedule: ${error}`);
+ }
+}
+
+// Given a string 0.10.x || 0.12.x || 4.x
+// returns the latest major version
+function getLastAffectedVersion(vulnerable) {
+ const versions = vulnerable.split('||').map((v) => {
+ // Not all versions are semver, so we need to coerce them
+ // Example 4.x, 5.6.x etc
+ const coerced = semver.coerce(v.replace('x', '0').trim());
+ return semver.major(coerced);
+ });
+ return Math.max(...versions)
+}
+
+// Given a number n, returns an array of numbers from MINIMUM_VERSION to n
+// Example differenceToArray(7) => [4, 5, 6]
+function differenceToArray(n) {
+ return n > MINIMUM_VERSION ? Array.from({ length: n - MINIMUM_VERSION }, (_, i) => i + MINIMUM_VERSION) : [];
+}
+
+// Get the first patched version
+// If an array we return the first element
+// We only care to get when the vulnerability was patched
+// usually if multiple version they are patched at the same time
+function getPatchedVersion(patched) {
+ const patches = patched.split('||');
+ return semver.coerce(patches[0].trim()).version;
+}
+
+
+function findPatchReleaseDate(patch, versions) {
+ const releaseDate = versions.find((v) => v.version === patch)?.releaseDate;
+ return new Date(releaseDate);
+}
+
+async function run() {
+ const releases = await fetchReleasesSchedule();
+ const versions = await nv('all');
+
+ for (const vuln of Object.values(vulnerabilities)) {
+ // No CVEs for this vulnerability
+ if (!vuln.cve?.length) {
+ continue;
+ }
+
+ // Each vulnerability can have multiple CVEs
+ for (const cve of vuln.cve) {
+ const last = getLastAffectedVersion(vuln.vulnerable);
+ // Skip 0.x and 4.x versions
+ if (last <= MINIMUM_VERSION) continue;
+
+ // Get in which version the vulnerability was patched
+ const patch = getPatchedVersion(vuln.patched);
+ // Get the release date for the patch
+ const releaseDate = findPatchReleaseDate(patch, versions);
+ if (!releaseDate) throw new Error(`Release date for ${patch} not found`);
+ const releaseMajors = differenceToArray(last).filter((major) => {
+ // Find the release schedule for the major version
+ // Example v4, v5, v6 etc
+ const release = releases[`v${major}`];
+
+ if (!release) throw new Error(`Release schedule for v${major} not found`);
+
+ if (!release.end) throw new Error(`End of life for v${major} not found`);
+
+ // Get the end of life date for the major version
+ const eol = new Date(release.end);
+ // If the release date is greater than the end of life date
+ // then the version is affected
+ // Example the fix was released in v7.x 01/01/2022 and v6.x EOL is 01/01/2021
+ // we assume v6.x is affected
+ return releaseDate > eol;
+ });
+
+ if(releaseMajors.length === 0) continue;
+
+ // Write into the format v4.x || v5.x || v6.x
+ const missing = releaseMajors.map((n) => `${n}.x`).join(' || ');
+ csvStream.write({
+ cve,
+ vulnerable: vuln.vulnerable,
+ patched: vuln.patched,
+ affectedEOL: missing
+ });
+ }
+ }
+ writeStream.write('\n');
+ csvStream.end();
+}
+
+run();

From e9862c26b4484b43688d17ca075ee2644c8c8368 Mon Sep 17 00:00:00 2001
From: Marco Ippolito
Date: Thu, 24 Apr 2025 16:01:18 +0200
Subject: [PATCH 2/3] fix: remove unusued import

---
 tools/eol_cve/index.js | 1 -
 1 file changed, 1 deletion(-)

diff --git a/tools/eol_cve/index.js b/tools/eol_cve/index.js
index 11c9d8cb7..fbe0a28ca 100644
--- a/tools/eol_cve/index.js
+++ b/tools/eol_cve/index.js
@@ -4,7 +4,6 @@ const { format } = require('fast-csv');
 const { resolve } = require('path');
 const semver = require('semver');
 const nv = require('@pkgjs/nv');
-const path = require('path');
 
 const csvStream = format({ headers: true });
 const filePath = resolve(__dirname, 'eol-cve.csv');

From cc7a3774fff9b50a373108c77b6c380184827f4a Mon Sep 17 00:00:00 2001
From: Marco Ippolito
Date: Tue, 29 Apr 2025 11:42:13 +0200
Subject: [PATCH 3/3] chore: remove indirect node dependencies

---
 tools/eol_cve/eol-cve.csv | 40 --------------------
 tools/eol_cve/index.js    | 79 ++++++++++++++++++++++++++++++++++++++-
 2 files changed, 78 insertions(+), 41 deletions(-)

diff --git a/tools/eol_cve/eol-cve.csv b/tools/eol_cve/eol-cve.csv
index 8f823b24c..aa3908d60 100644
--- a/tools/eol_cve/eol-cve.csv
+++ b/tools/eol_cve/eol-cve.csv
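Review bot: The guard `if (!releaseDate) throw new Error(...)` in run() cannot fire: findPatchReleaseDate wraps the lookup result in `new Date(releaseDate)`, and when no entry in the nv list matches `patch` (or the entry carries no releaseDate) that is `new Date(undefined)`, an Invalid Date object that is truthy; the later comparison `releaseDate > eol` then evaluates to false for every major and the CVE is silently omitted from eol-cve.csv instead of aborting the run. Have the helper return nothing when nothing was found, `return releaseDate ? new Date(releaseDate) : undefined;`, and widen the caller's guard to `if (!releaseDate || Number.isNaN(releaseDate.getTime()))` so an unparseable date string is rejected as well. fetchReleasesSchedule() likewise calls response.json() without checking `response.ok`, so a non-2xx reply from raw.githubusercontent.com surfaces as a JSON parse error rather than an HTTP error; throw before parsing when `!response.ok`, naming response.status in the message, and pass the caught error as `{ cause: error }` rather than interpolating it into the message. Separately, semver.coerce() returns null for a range it cannot coerce, so semver.major(coerced) in getLastAffectedVersion would throw a bare TypeError — presumably every range in vuln/core/index.json is coercible today, but an explicit check that names the offending range would make a bad database entry diagnosable.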
@@ -1,19 +1,4 @@ cve,vulnerable,patched,affectedEOL -CVE-2017-1000381,"8.x || 7.x || 4.x || 6.x || 5.x","^8.1.4 || ^7.10.1 || ^4.8.4 || ^6.11.1","5.x || 7.x" -CVE-2017-3731,"4.x || 5.x || 6.x || 7.x","^4.7.3 || ^6.9.5 || ^7.5.0",5.x -CVE-2017-3732,"4.x || 5.x || 6.x || 7.x","^4.7.3 || ^6.9.5 || ^7.5.0",5.x -CVE-2016-7055,"4.x || 5.x || 6.x || 7.x","^4.7.3 || ^6.9.5 || ^7.5.0",5.x -CVE-2016-9551,^7.1.0,^7.2.0,5.x -CVE-2016-9840,"4.x || 5.x || 6.x || 7.x","^4.8.2 || ^6.10.2 || ^7.6.0",5.x -CVE-2016-9841,"4.x || 5.x || 6.x || 7.x","^4.8.2 || ^6.10.2 || ^7.6.0",5.x -CVE-2016-9842,"4.x || 5.x || 6.x || 7.x","^4.8.2 || ^6.10.2 || ^7.6.0",5.x -CVE-2016-9843,"4.x || 5.x || 6.x || 7.x","^4.8.2 || ^6.10.2 || ^7.6.0",5.x -CVE-2016-5172,6.x,^6.9.0,5.x -CVE-2016-6304,"6.x || 5.x || 4.x","^6.7.0 || ^4.6.0",5.x -CVE-2016-2183,"6.x || 5.x || 4.x","^6.7.0 || ^4.6.0",5.x -CVE-2016-6303,"6.x || 5.x || 4.x","^6.7.0 || ^4.6.0",5.x -CVE-2016-2178,"6.x || 5.x || 4.x","^6.7.0 || ^4.6.0",5.x -CVE-2016-6306,"6.x || 5.x || 4.x","^6.7.0 || ^4.6.0",5.x CVE-2016-5325,"6.x || 4.x || 5.x","^6.7.0 || ^4.6.0",5.x CVE-2016-7099,"6.x || 4.x || 5.x","^6.7.0 || ^4.6.0",5.x CVE-2017-14849,8.5.0,^8.6.0,"5.x || 7.x" 
@@ -35,14 +20,6 @@ CVE-2018-12122,"6.x || 8.x || 10.x || 11.x","^6.15.0 || ^8.14.0 || ^10.14.0 || ^ CVE-2018-12123,"6.x || 8.x || 10.x || 11.x","^6.15.0 || ^8.14.0 || ^10.14.0 || ^11.3.0","4.x || 5.x || 7.x || 9.x" CVE-2019-5737,"6.x || 8.x || 10.x || 11.x","^6.17.0 || ^8.15.1 || ^10.15.2 || ^11.10.1","4.x || 5.x || 7.x || 9.x" CVE-2019-5739,6.x,^6.17.0,"4.x || 5.x" -CVE-2019-9511,"8.x || 10.x || 12.x","^8.16.1 || ^10.16.3 || ^12.8.1","4.x || 5.x || 6.x || 7.x || 9.x || 11.x" -CVE-2019-9512,"8.x || 10.x || 12.x","^8.16.1 || ^10.16.3 || ^12.8.1","4.x || 5.x || 6.x || 7.x || 9.x || 11.x" -CVE-2019-9513,"8.x || 10.x || 12.x","^8.16.1 || ^10.16.3 || ^12.8.1","4.x || 5.x || 6.x || 7.x || 9.x || 11.x" -CVE-2019-9514,"8.x || 10.x || 12.x","^8.16.1 || ^10.16.3 || ^12.8.1","4.x || 5.x || 6.x || 7.x || 9.x || 11.x" -CVE-2019-9515,"8.x || 10.x || 12.x","^8.16.1 || ^10.16.3 || ^12.8.1","4.x || 5.x || 6.x || 7.x || 9.x || 11.x" -CVE-2019-9516,"8.x || 10.x || 12.x","^8.16.1 || ^10.16.3 || ^12.8.1","4.x || 5.x || 6.x || 7.x || 9.x || 11.x" -CVE-2019-9517,"8.x || 10.x || 12.x","^8.16.1 || ^10.16.3 || ^12.8.1","4.x || 5.x || 6.x || 7.x || 9.x || 11.x" -CVE-2019-9518,"8.x || 10.x || 12.x","^8.16.1 || ^10.16.3 || ^12.8.1","4.x || 5.x || 6.x || 7.x || 9.x || 11.x" CVE-2019-15604,"10.x || 12.x || 13.x","^10.19.0 || ^12.15.0 || ^13.8.0","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 11.x" CVE-2019-15605,"10.x || 12.x || 13.x","^10.19.0 || ^12.15.0 || ^13.8.0","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 11.x" CVE-2019-15606,"10.x || 12.x || 13.x","^10.19.0 || ^12.15.0 || ^13.8.0","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 11.x" 
@@ -52,33 +29,20 @@ CVE-2020-8252,"10.x || 12.x || 14.x","^10.22.1 || ^12.18.4 || ^14.9.0","4.x || 5
 CVE-2020-8277," 12.x || 14.x || 15.x"," ^12.19.1 || ^14.15.1 || 15.2.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 11.x || 13.x"
 CVE-2020-8265,"10.x || 12.x || 14.x || 15.x","^10.23.1 || ^12.20.1 || ^14.15.4 || ^15.5.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 11.x || 13.x"
 CVE-2020-8287,"10.x || 12.x || 14.x || 15.x","^10.23.1 || ^12.20.1 || ^14.15.4 || ^15.5.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 11.x || 13.x"
-CVE-2020-1971,"10.x || 12.x || 14.x || 15.x","^10.23.1 || ^12.20.1 || ^14.15.4 || ^15.5.0","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 11.x || 13.x"
 CVE-2021-22883," 10.x || 12.x || 14.x || 15.x"," ^10.24.0 || ^12.21.0 || ^14.16.0 || ^15.10.0","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 11.x || 13.x"
 CVE-2021-22884," 10.x || 12.x || 14.x || 15.x"," ^10.24.0 || ^12.21.0 || ^14.16.0 || ^15.10.0","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 11.x || 13.x"
-CVE-2021-23840," 10.x || 12.x || 14.x || 15.x"," ^10.24.0 || ^12.21.0 || ^14.16.0 || ^15.10.0","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 11.x || 13.x"
-CVE-2021-3450," 10.x || 12.x || 14.x || 15.x"," ^10.24.1 || ^12.22.1 || ^14.16.1 || ^15.14.0","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 11.x || 13.x"
-CVE-2021-3449," 10.x || 12.x || 14.x || 15.x"," ^10.24.1 || ^12.22.1 || ^14.16.1 || ^15.14.0","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 11.x || 13.x"
-CVE-2020-7774," 10.x || 12.x || 14.x"," ^10.24.1 || ^12.22.1 || ^14.16.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 11.x || 13.x"
 CVE-2021-22930," 12.x || 14.x || 16.x"," ^12.22.4 || ^14.17.4 || ^16.6.0","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 13.x || 15.x"
 CVE-2021-22921," 12.x || 14.x || 16.x"," ^12.22.2 || ^14.17.2 || ^16.4.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 13.x || 15.x"
-CVE-2021-27290, 12.x, ^12.22.2,"4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x"
-CVE-2021-23362, 12.x, ^12.22.2,"4.x || 5.x || 
6.x || 7.x || 8.x || 9.x || 10.x || 11.x"
 CVE-2021-22918," 12.x || 14.x || 16.x"," ^12.22.2 || ^14.17.2 || ^16.4.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 13.x || 15.x"
 CVE-2021-22931,"12.x || 14.x || 16.x","^12.22.5 || ^14.17.5 || ^16.6.2","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 13.x || 15.x"
 CVE-2021-22940,"12.x || 14.x || 16.x","^12.22.5 || ^14.17.5 || ^16.6.2","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 13.x || 15.x"
 CVE-2021-22939,"12.x || 14.x || 16.x","^12.22.5 || ^14.17.5 || ^16.6.2","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 13.x || 15.x"
-CVE-2021-37701," 12.x || 14.x"," ^12.22.6 || ^14.17.6","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 13.x"
-CVE-2021-37712," 12.x || 14.x"," ^12.22.6 || ^14.17.6","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 13.x"
-CVE-2021-37713," 12.x || 14.x"," ^12.22.6 || ^14.17.6","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 13.x"
-CVE-2021-39134," 12.x || 14.x"," ^12.22.6 || ^14.17.6","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 13.x"
-CVE-2021-39135," 12.x || 14.x"," ^12.22.6 || ^14.17.6","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 13.x"
 CVE-2021-22959,"12.x || 14.x || 16.x"," ^12.22.7 || ^14.18.1 || ^16.11.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 13.x || 15.x"
 CVE-2021-22960,"12.x || 14.x || 16.x"," ^12.22.7 || ^14.18.1 || ^16.11.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 13.x || 15.x"
 CVE-2021-44531,"12.x || 14.x || 16.x || 17.x","^12.22.9 || ^14.18.3 || ^16.13.2 || ^17.3.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 13.x || 15.x"
 CVE-2021-44532,"12.x || 14.x || 16.x || 17.x","^12.22.9 || ^14.18.3 || ^16.13.2 || ^17.3.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 13.x || 15.x"
 CVE-2021-44533,"12.x || 14.x || 16.x || 17.x","^12.22.9 || ^14.18.3 || ^16.13.2 || ^17.3.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 
11.x || 13.x || 15.x"
 CVE-2022-21824,"12.x || 14.x || 16.x || 17.x","^12.22.9 || ^14.18.3 || ^16.13.2 || ^17.3.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 13.x || 15.x"
-CVE-2022-0778,"12.x || 14.x || 16.x || 17.x","^12.22.11 || ^14.19.1 || ^16.14.2 || ^17.7.2","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 13.x || 15.x"
 CVE-2022-32215,"14.x || 16.x || 18.x","^14.20.1 || ^16.17.1 || ^18.9.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 15.x || 17.x"
 CVE-2022-32214,"14.x || 16.x || 18.x","^14.20.0 || ^16.20.0 || ^18.5.0","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 15.x || 17.x"
 CVE-2022-32212,"14.x || 16.x || 18.x","^14.20.1 || ^16.17.1 || ^18.9.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 15.x || 17.x"
@@ -90,8 +54,6 @@ CVE-2022-35255,18.x,^18.9.1,"4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 1
 CVE-2022-43548,"14.x || 16.x || 18.x || 19.x","^14.21.1 || ^16.18.1 || ^18.12.1 || ^19.0.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 15.x || 17.x"
 CVE-2023-23918,"14.x || 16.x || 18.x || 19.x","^14.21.3 || ^16.19.1 || ^18.14.1 || ^19.6.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 15.x || 17.x"
 CVE-2023-23919,"14.x || 16.x || 18.x || 19.x","^14.21.3 || ^16.19.1 || ^18.14.1 || ^19.2.0","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 15.x || 17.x"
-CVE-2023-23936,"14.x || 16.x || 18.x || 19.x","^14.21.3 || ^16.19.1 || ^18.14.1 || ^19.6.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 15.x || 17.x"
-CVE-2023-24807,"14.x || 16.x || 18.x || 19.x","^14.21.3 || ^16.19.1 || ^18.14.1 || ^19.6.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 15.x || 17.x"
 CVE-2023-23920,"14.x || 16.x || 18.x || 19.x","^14.21.3 || ^16.19.1 || ^18.14.1 || ^19.6.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 15.x || 17.x"
 CVE-2023-30581,"16.x || 18.x || 20.x","^16.20.1 || ^18.16.1 || ^20.3.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 14.x || 15.x || 17.x || 19.x"
 CVE-2023-30582,20.x,^20.3.1,"4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 14.x || 15.x || 17.x || 19.x"
@@ -110,8 +72,6 @@ CVE-2023-32006,"16.x || 18.x || 20.x","^16.20.2 || ^18.17.1 || ^20.5.1","4.x ||
 CVE-2023-32559,"16.x || 18.x || 20.x","^16.20.2 || ^18.17.1 || ^20.5.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 14.x || 15.x || 17.x || 19.x"
 CVE-2023-32005,20.x,^20.5.1,"4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 14.x || 15.x || 17.x || 19.x"
 CVE-2023-32003,20.x,^20.5.1,"4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 14.x || 15.x || 17.x || 19.x"
-CVE-2023-45143,"18.x || 20.x","^18.18.2 || ^20.8.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 14.x || 15.x || 16.x || 17.x || 19.x"
-CVE-2023-44487,"18.x || 20.x","^18.18.2 || ^20.8.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 14.x || 15.x || 16.x || 17.x || 19.x"
 CVE-2023-39331,20.x,^20.8.1,"4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 14.x || 15.x || 16.x || 17.x || 19.x"
 CVE-2023-39332,20.x,^20.8.1,"4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 14.x || 15.x || 16.x || 17.x || 19.x"
 CVE-2023-38552,"18.x || 20.x","^18.18.2 || ^20.8.1","4.x || 5.x || 6.x || 7.x || 8.x || 9.x || 10.x || 11.x || 12.x || 13.x || 14.x || 15.x || 16.x || 17.x || 19.x"
diff --git a/tools/eol_cve/index.js b/tools/eol_cve/index.js
index fbe0a28ca..621aa982e 100644
--- a/tools/eol_cve/index.js
+++ b/tools/eol_cve/index.js
@@ -4,6 +4,7 @@ const { format } = require('fast-csv'); const { resolve } = require('path'); const semver = require('semver'); const nv = require('@pkgjs/nv'); +const { setTimeout } = require('node:timers/promises'); const csvStream = format({ headers: true }); const filePath = resolve(__dirname, 'eol-cve.csv');
@@ -14,6 +15,73 @@ const MINIMUM_VERSION = 4; const RELEASE_SCHEDULE_JSON = 'https://raw.githubusercontent.com/nodejs/Release/main/schedule.json'; +const NVD_API_URL = "https://services.nvd.nist.gov/rest/json/cves/2.0"; + +const VALID_REFERENCES = [ + { + url: 'nodejs.org/en/blog/vulnerability', + source: 'cve-request@iojs.org' + }, + { + url: 'nodejs.org/en/blog/vulnerability', + source: 'cve@mitre.org' + }, + { + url: 'nodejs.org/en/blog/vulnerability', + source: 'support@hackerone.com' + }, + { + url: 'hackerone.com/reports/', + source: 'support@hackerone.com' + }, { + url: 'www.openwall.com/lists/oss-security/', + source: 'support@hackerone.com' + } +] + +async function isNodeCVE(cveId) { + const queryParams = new URLSearchParams({ + cveId: cveId, + }); + + const response = await fetch(`${NVD_API_URL}?${queryParams.toString()}`, { + headers: { + 'apiKey': process.env.NVD_TOKEN, + } + }); + if (!response.ok) { + console.error( + `Error fetching data: ${response.status} ${response.statusText}`, + ); + process.exit(1); + } + const data = await response.json(); + + const { vulnerabilities } = data; + if (!vulnerabilities?.length) { + return false; + } + + const { cve } = vulnerabilities.at(0); + const { references } = cve; + + if (references?.length) { + // Try to identify if the CVE is related to Node.js + // by checking the references + for (const reference of references) { + const { url, source } = reference; + for (const validReference of VALID_REFERENCES) { + const { url: validUrl, source: validSource } = validReference; + if (url.includes(validUrl) && source === validSource) { + return true; + } + } + } + } + + return false; +} + async function fetchReleasesSchedule() { try { const response = await fetch(RELEASE_SCHEDULE_JSON); 
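Review bot: In `isNodeCVE`, the `fetch` call sends `apiKey: process.env.NVD_TOKEN` unconditionally, so when the token is unset the Headers constructor stringifies the value and the request carries the literal header `apiKey: undefined`; the anonymous mode that the 5000 ms delay in `run()` is written for therefore never makes a clean unauthenticated request, and NVD may well reject the bogus key. Build the header only when a token exists: `headers: process.env.NVD_TOKEN ? { apiKey: process.env.NVD_TOKEN } : {},`. The classification itself rests on `url.includes(validUrl)`, a substring test over URLs supplied by a third-party feed, so any reference whose path or query string merely embeds `nodejs.org/en/blog/vulnerability` under some other host would be counted as a Node.js CVE; parsing with `new URL(url)` and comparing `hostname` plus a `pathname.startsWith()` prefix keeps the allow-list exact, and it also guards against a reference object without a `url` field, which currently would throw. Lastly, `process.exit(1)` on any non-OK response aborts the whole run on a single transient NVD error, including a rate-limit rejection; throwing an `Error` that carries `response.status` would let `run()` decide whether to retry after the delay or stop.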
@@ -69,6 +137,15 @@ async function run() { // Each vulnerability can have multiple CVEs for (const cve of vuln.cve) { + if (!await isNodeCVE(cve)) { + continue; + } + // Otherwise NVD will block us + // Rate limit is 50 requests per 30 second with token + // and 5 requests per 30 seconds without token + const timeout = process.env.NVD_TOKEN ? 750 : 5000; + await setTimeout(timeout); + const last = getLastAffectedVersion(vuln.vulnerable); // Skip 0.x and 4.x versions if (last <= MINIMUM_VERSION) continue; @@ -96,7 +173,7 @@ async function run() { return releaseDate > eol; }); - if(releaseMajors.length === 0) continue; + if (releaseMajors.length === 0) continue; // Write into the format v4.x || v5.x || v6.x const missing = releaseMajors.map((n) => `${n}.x`).join(' || ');
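Review bot: The rate-limit delay in `run()` is placed after the `continue` that follows `isNodeCVE(cve)`, so every CVE that is not Node-related (the common case) skips `await setTimeout(timeout)` entirely and the next NVD request fires immediately, which is exactly the burst the comment says NVD will block. Move the delay ahead of the classification call, e.g. `await setTimeout(process.env.NVD_TOKEN ? 750 : 6000);` followed by `if (!await isNodeCVE(cve)) continue;`, so it runs once per request regardless of the outcome. The anonymous delay is also too short for the limit quoted in the comment: 5 requests per 30 seconds allows one request every 6 seconds, so `5000` should be at least `6000` (750 ms for the keyed 50-per-30 s limit is fine). The enclosing `run()` loop starts and ends outside this hunk, and the whitespace-only hunk at `-96,7 +173,7` needs no change.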