diff --git a/lib/github/templates/next-security-release.md b/lib/github/templates/next-security-release.md
deleted file mode 100644
index 0ed1667e..00000000
--- a/lib/github/templates/next-security-release.md
+++ /dev/null
@@ -1,98 +0,0 @@ -## Planning - -* [X] Open an [issue](https://github.com/nodejs-private/node-private) titled - `Next Security Release`, and put this checklist in the description. - -* [ ] Get agreement on the [list of vulnerabilities](%VULNERABILITIES_PR_URL%) to be addressed. - -* [ ] PR release announcements in [private](https://github.com/nodejs-private/nodejs.org-private): - * [ ] pre-release: %PRE_RELEASE_PRIV% - * [ ] post-release: %POS_RELEASE_PRIV% - * List vulnerabilities in order of descending severity - * Use the "summary" feature in HackerOne to sync post-release content - and CVE requests. Example [2038134](https://hackerone.com/bugs?subject=nodejs\&report_id=2038134) - * Ask the HackerOne reporter if they would like to be credited on the - security release blog page - -* [ ] Get agreement on the planned date for the release: %RELEASE_DATE% - -* [ ] Get release team volunteers for all affected lines: -%AFFECTED_LINES% - -## Announcement (one week in advance of the planned release) - -* [ ] Check that all vulnerabilities are ready for release integration: - * PRs against all affected release lines or cherry-pick clean - * PRs with breaking changes have a - [--security-revert](#Adding-a-security-revert-option) option if possible. - * Approved - * (optional) Approved by the reporter - * Build and send the binary to the reporter according to its architecture - and ask for a review. This step is important to avoid insufficient fixes - between Security Releases. - * Have CVEs - * Make sure that dependent libraries have CVEs for their issues. We should - only create CVEs for vulnerabilities in Node.js itself. This is to avoid - having duplicate CVEs for the same vulnerability. 
- * Described in the pre/post announcements - -* [ ] Pre-release announcement to nodejs.org blog: TBD - (Re-PR the pre-approved branch from nodejs-private/nodejs.org-private to - nodejs/nodejs.org) - -* [ ] Pre-release announcement [email](https://groups.google.com/forum/#!forum/nodejs-sec): TBD - * Subject: `Node.js security updates for all active release lines, Month Year` - -* [ ] CC `oss-security@lists.openwall.com` on pre-release - * [ ] Forward the email you receive to `oss-security@lists.openwall.com`. - -* [ ] Create a new issue in [nodejs/tweet](https://github.com/nodejs/tweet/issues) - -* [ ] Request releaser(s) to start integrating the PRs to be released. - -* [ ] Notify [docker-node](https://github.com/nodejs/docker-node/issues) of upcoming security release date: TBD - -* [ ] Notify build-wg of upcoming security release date by opening an issue - in [nodejs/build](https://github.com/nodejs/build/issues) to request WG members are available to fix any CI issues: TBD - -## Release day - -* [ ] [Lock CI](https://github.com/nodejs/build/blob/HEAD/doc/jenkins-guide.md#before-the-release) - -* [ ] The releaser(s) run the release process to completion. - -* [ ] [Unlock CI](https://github.com/nodejs/build/blob/HEAD/doc/jenkins-guide.md#after-the-release) - -* [ ] Post-release announcement to Nodejs.org blog: - * (Re-PR the pre-approved branch from nodejs-private/nodejs.org-private to - nodejs/nodejs.org) - -* [ ] Post-release announcement in reply email: TBD - -* [ ] Notify `#nodejs-social` about the release. - -* [ ] Comment in [docker-node][] issue that release is ready for integration. - The docker-node team will build and release docker image updates. 
- -* [ ] For every H1 report resolved: - * Close as Resolved - * Request Disclosure - * Request publication of H1 CVE requests - * (Check that the "Version Fixed" field in the CVE is correct, and provide - links to the release blogs in the "Public Reference" section) - -* [ ] PR machine-readable JSON descriptions of the vulnerabilities to the - [core](https://github.com/nodejs/security-wg/tree/HEAD/vuln/core) - vulnerability DB. - * For each vulnerability add a `#.json` file, one can copy an existing - [json](https://github.com/nodejs/security-wg/blob/0d82062d917cb9ddab88f910559469b2b13812bf/vuln/core/78.json) - file, and increment the latest created file number and use that as the name - of the new file to be added. For example, `79.json`. - -* [ ] Close this issue - -* [ ] Make sure the PRs for the vulnerabilities are closed. - -* [ ] PR in that you stewarded the release in - [Security release stewards](https://github.com/nodejs/node/blob/HEAD/doc/contributing/security-release-process.md#security-release-stewards). - If necessary add the next rotation of the steward rotation.
diff --git a/lib/prepare_security.js b/lib/prepare_security.js
index d344c324..d5bdde64 100644
--- a/lib/prepare_security.js
+++ b/lib/prepare_security.js
@@ -10,7 +10,8 @@ import {
 PLACEHOLDERS,
 checkoutOnSecurityReleaseBranch,
 commitAndPushVulnerabilitiesJSON,
- getSummary
+ getSummary,
+ validateDate
 } from './security-release/security-release.js';
 export default class SecurityReleaseSteward {
@@ -29,7 +30,7 @@ export default class SecurityReleaseSteward {
 const req = new Request(credentials);
 const release = new PrepareSecurityRelease(req);
 const releaseDate = await release.promptReleaseDate(cli);
-
+ validateDate(releaseDate);
 const createVulnerabilitiesJSON = await release.promptVulnerabilitiesJSON(cli);
 let securityReleasePRUrl;
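Review bot: `validateDate(releaseDate)` on the new line receives whatever the prompt returned, and promptReleaseDate's default answer is the literal `'TBD'` (visible in the @@ -99 hunk), so accepting the default now hands a non-date to a date validator; what validateDate does with that is not on this page, but the removed template shows `%RELEASE_DATE%` was meant to hold TBD during planning, so if the validator throws, pressing Enter at the prompt aborts the steward flow. Either let validateDate pass `'TBD'` through explicitly, or guard the call here: `if (releaseDate !== 'TBD') validateDate(releaseDate);`. The enclosing method starts and ends outside the hunk.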
@@ -40,7 +41,7 @@ export default class SecurityReleaseSteward {
 const createIssue = await release.promptCreateRelaseIssue(cli);
 if (createIssue) {
- const { content } = release.buildIssue(releaseDate, securityReleasePRUrl);
+ const content = await release.buildIssue(releaseDate, securityReleasePRUrl);
 await release.createIssue(content, { cli });
 };
@@ -99,18 +100,25 @@ class PrepareSecurityRelease {
 { defaultAnswer: true });
 }
- getSecurityIssueTemplate() {
- return fs.readFileSync(
- new URL(
- './github/templates/next-security-release.md',
- import.meta.url
- ),
- 'utf-8'
- );
+ async getSecurityIssueTemplate() {
+ const url = 'https://raw.githubusercontent.com/nodejs/node/main/doc/contributing/security-release-process.md';
+ try {
+ // fetch document from nodejs/node main so we dont need to keep a copy
+ const response = await fetch(url);
+ const body = await response.text();
+ // remove everything before the Planning section
+ const index = body.indexOf('## Planning');
+ if (index !== -1) {
+ return body.substring(index);
+ }
+ return body;
+ } catch (error) {
+ this.cli.error(`Could not retrieve the security issue template from ${url}`);
+ }
 }
 async promptReleaseDate(cli) {
- return cli.prompt('Enter target release date in YYYY-MM-DD format:', {
+ return cli.prompt('Enter target release date in YYYY/MM/DD format:', {
 questionType: 'input',
 defaultAnswer: 'TBD'
 });
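Review bot: The new fetch path in getSecurityIssueTemplate never checks `response.ok`, so a 404 or rate-limit page from raw.githubusercontent.com is accepted as the template body and pasted into the security-release issue, while the `catch` branch logs and then returns `undefined`, after which buildIssue (the @@ -134 hunk) calls `template.replace` on it and fails with a TypeError far from the cause. `this.cli` also looks unset: the class is constructed as `new PrepareSecurityRelease(req)` in the @@ -29 hunk and the sibling methods receive `cli` as a parameter, so the catch itself may throw — confirm against the constructor, which is outside the hunk. Checking the status and throwing with the URL in the message makes the failure surface where the template was fetched; the `indexOf('## Planning')` trimming below is unchanged. Reading the template from nodejs/node `main` at run time also means issue content follows whatever that branch holds at the moment, with nothing pinned; a comment stating that dependency would help the next steward.
```javascript
  async getSecurityIssueTemplate() {
    const url = 'https://raw.githubusercontent.com/nodejs/node/main/doc/contributing/security-release-process.md';
    // fetch document from nodejs/node main so we dont need to keep a copy
    let response;
    try {
      response = await fetch(url);
    } catch (error) {
      throw new Error(`Could not retrieve the security issue template from ${url}`, { cause: error });
    }
    if (!response.ok) {
      throw new Error(`Could not retrieve the security issue template from ${url}: HTTP ${response.status}`);
    }
    const body = await response.text();
    // … unchanged: trim everything before '## Planning' and return …
  }
```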
@@ -134,11 +142,11 @@ class PrepareSecurityRelease {
 { defaultAnswer: true });
 }
- buildIssue(releaseDate, securityReleasePRUrl = PLACEHOLDERS.vulnerabilitiesPRURL) {
- const template = this.getSecurityIssueTemplate();
+ async buildIssue(releaseDate, securityReleasePRUrl = PLACEHOLDERS.vulnerabilitiesPRURL) {
+ const template = await this.getSecurityIssueTemplate();
 const content = template.replace(PLACEHOLDERS.releaseDate, releaseDate)
 .replace(PLACEHOLDERS.vulnerabilitiesPRURL, securityReleasePRUrl);
- return { releaseDate, content, securityReleasePRUrl };
+ return content;
 }
 async createIssue(content, { cli }) {
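Review bot: With the template now awaited from nodejs/node instead of the file removed in this commit, the two `.replace` calls with string patterns still substitute only the first occurrence of each placeholder, so any repeat of `%RELEASE_DATE%` or the PR-URL placeholder in the upstream document is left unfilled in the created issue. The removed template used each placeholder exactly once, so this only changes behaviour if the upstream document repeats them, but the repository no longer controls that. `template.replaceAll(PLACEHOLDERS.releaseDate, releaseDate).replaceAll(PLACEHOLDERS.vulnerabilitiesPRURL, securityReleasePRUrl)` substitutes every occurrence and costs nothing on a file that already uses `fetch`.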