feat: add vex generator #1537
Conversation
| - name: Harden Runner | ||
| uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 | ||
| with: | ||
| egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs |
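Review bot: `egress-policy: audit` only records outbound connections from the runner, it does not stop any; until the TODO on this line is actioned and the policy is switched to `block`, the step adds visibility but no enforcement, so it would be worth tracking that follow-up in an issue rather than a comment. Pinning the action to a full commit SHA with the `# v2.7.0` annotation is the right way to reference it.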
why?
mcollina
left a comment
I'm a bit skeptical on adding go to our toolchain.
How hard is it to get an implementation of vex done in JS?
The Go library is maintained by the OpenVEX project, so it's well maintained. Getting a JavaScript implementation would require porting that library over, and that's an effort outside my current bandwidth.
RafaelGSS
left a comment
It seems ok to support golang on this repository. Let's make sure to update the nodejs-deps-vulnerability-assessment repository to point to this VEX file too.
Refs: #1517
This PR generates a `node.openvex.json` from `vuln/core/index.json`, `vuln/npm/index.json` and `vuln/deps/index.json`. The vex file contains entries like:

```json
{
  "vulnerability": {
    "@id": "https://www.cve.org/CVERecord?id=CVE-2024-27980",
    "name": "CVE-2024-27980",
    "description": "Due to the improper handling of batch files in child_process.spawn / child_process.spawnSync, a malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled."
  },
  "products": [
    { "@id": "pkg:nodejs/[email protected]" },
    { "@id": "pkg:nodejs/[email protected]" },
    { "@id": "pkg:nodejs/[email protected]" }
  ],
  "status": "fixed"
},
```

Why GO??

There is no javascript implementation I'm aware of, so between go and .NET and rust I went with GO: https://github.com/openvex/go-vex

When is the vex file generated?

Any time we update one of the `index.json`.

What about non affected?

Whenever we believe a vulnerability in one of the node.js deps from the https://github.com/nodejs/nodejs-dependency-vuln-assessments analysis does not affect node we can add it into the `vuln/deps/index.json` (for this PR I took like 6 from the latest issues). Entries look like this:

```json
{
  "cve": [ "CVE-2023-45853" ],
  "description": "MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field.",
  "overview": "This CVE was created for MiniZip (part of zlib/contrib/minizip), which is not used by Node.js. Node.js uses zlib for compression but does not use the MiniZip component where this vulnerability exists.",
  "ref": "https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues/205",
  "reason": "vulnerable_code_not_present"
}
```
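An added illustration in JavaScript (not the PR's Go generator and not go-vex code) of the mapping the description above lays out: one `vuln/deps/index.json` entry becomes OpenVEX `not_affected` statements whose `justification` is the entry's `reason`, wrapped in a document envelope. The sample entry, the product versions, the author and the document `@id` are constructed placeholders; the statement field names and the allowed justification values are those of the OpenVEX specification, and the helper names are assumptions.

```javascript
// Justifications OpenVEX allows alongside status "not_affected".
const JUSTIFICATIONS = new Set([
  "component_not_present",
  "vulnerable_code_not_present",
  "vulnerable_code_not_in_execute_path",
  "vulnerable_code_cannot_be_controlled_by_adversary",
  "inline_mitigations_already_exist",
]);

// Constructed sample in the shape of a vuln/deps/index.json entry (not real data).
const DEPS_INDEX = [
  {
    cve: ["CVE-2023-45853"],
    description: "MiniZip in zlib through 1.3 has an integer overflow (constructed text)",
    overview: "MiniZip is not used by Node.js (constructed text)",
    ref: "https://example.invalid/placeholder-assessment-issue",
    reason: "vulnerable_code_not_present",
  },
];

// Product identifiers use the pkg:nodejs/node@<version> purl form from the PR.
function nodeProducts(versions) {
  return versions.map((v) => ({ "@id": `pkg:nodejs/node@${v}` }));
}

// One statement per CVE in the entry. An unknown reason is rejected rather than
// passed through, so a consumer never sees an exemption without a valid justification.
function depsEntryToStatements(entry, versions) {
  if (!JUSTIFICATIONS.has(entry.reason)) {
    throw new Error(`not a valid OpenVEX justification: ${entry.reason}`);
  }
  return entry.cve.map((id) => ({
    vulnerability: {
      "@id": `https://www.cve.org/CVERecord?id=${id}`,
      name: id,
      description: entry.description,
    },
    products: nodeProducts(versions),
    status: "not_affected",
    justification: entry.reason,
    impact_statement: `${entry.overview} (${entry.ref})`,
  }));
}

// Document envelope; "@id" is a placeholder, a real generator would derive a stable one.
function buildVexDocument(statements, author) {
  return {
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.invalid/placeholder-vex-document-id",
    author,
    timestamp: new Date().toISOString(),
    version: 1,
    statements,
  };
}
```

Running `console.log(JSON.stringify(buildVexDocument(depsEntryToStatements(DEPS_INDEX[0], ["18.0.0"]), "constructed author"), null, 2))` prints a document with a single `not_affected` statement.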