

docs: fix CVE url logic
karl-cardenas-coding committed Dec 8, 2024
1 parent 360e385 commit 3870fec
Showing 4 changed files with 106 additions and 10 deletions.
44 changes: 36 additions & 8 deletions src/components/CveReportsTable/CveReportsTable.tsx
Expand Up @@ -77,6 +77,31 @@ type CveDataUnion =
vertexAirgap: MinimizedCve[];
};

// generateCVEOfficialDetailsUrl returns a URL that is used to link to the official CVE report.
// The URL is generated based on the cveId.
// The function checks if the cveId starts with "ghsa" and returns a GitHub Security Advisory URL. Other formal sites can be added in the future.
// The default URL is the NVD official CVE report.
function generateCVEOfficialDetailsUrl(cveId: string) {
let url;

// If cveId is empty, return the default reports page URL
if (!cveId) {
return "/security-bulletins/reports/";
}

switch (true) {
// GitHub Security Advisory
case cveId.toLocaleLowerCase().startsWith("ghsa"):
url = `https://github.com/advisories/${cveId.toLocaleLowerCase()}`;
break;
// Default CVE URL
default:
url = `https://nvd.nist.gov/vuln/detail/${cveId.toLocaleLowerCase()}`;
}

return url;
}

export default function CveReportsTable() {
const [data, setData] = useState<CveDataUnion | null>(null);
const [loading, setLoading] = useState(true);
Expand Down Expand Up @@ -146,11 +171,13 @@ export default function CveReportsTable() {
dataIndex: ["metadata", "cve"],
key: "cve",
sorter: (a, b) => a.metadata.cve.localeCompare(b.metadata.cve),
render: (cve: string, record) => (
<Link to={`/security-bulletins/reports/${record.metadata.uid.toLowerCase()}`} style={{ color: "#1890ff" }}>
{cve}
</Link>
),
render: (cve: string, record) => {
return (
<Link to={record.metadata.uid} style={{ color: "#1890ff" }}>
{cve}
</Link>
);
},
},
{
title: "Initial Pub Date",
Expand Down Expand Up @@ -199,9 +226,10 @@ export default function CveReportsTable() {
dataIndex: ["metadata", "cvssScore"],
key: "baseScore",
sorter: (a, b) => a.metadata.cvssScore - b.metadata.cvssScore,
render: (baseScore: number, record) => (
<Link to={`https://nvd.nist.gov/vuln/detail/${record.metadata.cve}`}>{baseScore}</Link>
),
render: (baseScore: number, record) => {
const url = generateCVEOfficialDetailsUrl(record.metadata.cve.toLocaleLowerCase());
return <Link to={url}>{baseScore}</Link>;
},
},
{
title: "Status",
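Review bot: generateCVEOfficialDetailsUrl (L24-L43) interpolates cveId straight into the URL path without checking that it is actually a CVE or GHSA identifier, so any other string that arrives in `record.metadata.cve` — including one containing `/`, `?` or `#` — lands verbatim in the rendered href; the same applies to the copy added in utils/helpers/urls.js (L110-L129). The table data appears to be loaded at runtime (it lives in `useState`), so a shape check before building the URL is cheap insurance: accept `/^cve-\d{4}-\d{4,}$/i` and `/^ghsa(-[23456789cfghjmpqrvwx]{4}){3}$/i` and otherwise fall back to the existing `/security-bulletins/reports/` default, or at minimum wrap the interpolated value in `encodeURIComponent`. The function also lacks a declared return type, and it re-lowercases a value the caller at L75 has already lowercased; `toLowerCase()` is the right call for an ASCII identifier, where locale rules should not apply.
```typescript
// Only a well-formed CVE or GHSA id becomes an external link; anything else
// falls back to the bulletins index.
const CVE_ID = /^cve-\d{4}-\d{4,}$/i;
const GHSA_ID = /^ghsa(-[23456789cfghjmpqrvwx]{4}){3}$/i;

function generateCVEOfficialDetailsUrl(cveId: string): string {
  if (!cveId) {
    return "/security-bulletins/reports/";
  }
  const id = cveId.toLowerCase();
  if (GHSA_ID.test(id)) {
    return `https://github.com/advisories/${id}`;
  }
  if (CVE_ID.test(id)) {
    return `https://nvd.nist.gov/vuln/detail/${id}`;
  }
  // Unrecognized identifier: do not build an external URL from it.
  return "/security-bulletins/reports/";
}
```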
5 changes: 3 additions & 2 deletions utils/cves/index.js
Expand Up @@ -7,6 +7,7 @@ const { formatDateCveDetails } = require("../helpers/date");
const { escapeMDXSpecialChars } = require("../helpers/string");
const { generateMarkdownTable } = require("../helpers/affected-table");
const { generateRevisionHistory } = require("../helpers/revision-history");
const { generateCVEOfficialDetailsUrl } = require("../helpers/urls");

async function getSecurityBulletins(payload) {
const limit = 100;
Expand Down Expand Up @@ -269,7 +270,7 @@ tags: ["security", "cve"]
## CVE Details
[${upperCaseCve}](https://nvd.nist.gov/vuln/detail/${upperCaseCve})
Visit the official vulnerability details page for [${upperCaseCve}](${generateCVEOfficialDetailsUrl(item.metadata.cve)}) to learn more.
## Initial Publication
Expand All @@ -288,7 +289,7 @@ ${escapeMDXSpecialChars(item.metadata.summary)}
## CVE Severity
${item.metadata.cvssScore}
[${item.metadata.cvssScore}](${generateCVEOfficialDetailsUrl(item.metadata.cve)})
## Our Official Summary
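Review bot: The helper is called twice with the same argument inside one generated page (L95 and L100); computing `const detailsUrl = generateCVEOfficialDetailsUrl(item.metadata.cve);` once before the template literal and reusing it in both links guarantees they cannot drift apart. The link text on L95 keeps `upperCaseCve` while the href produced by the helper is lower-cased; if that is intentional, a one-line comment above the call (`// href is lower-cased by the helper; display keeps the canonical upper-case id`) would save the next reader the question. The enclosing template literal and function begin and end outside these hunks.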
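--- a/utils/helpers/urls.js
+++ b/utils/helpers/urls.js
@@ -0,0 +1,28 @@
+// generateCVEOfficialDetailsUrl returns a URL that is used to link to the official CVE report.
+// The URL is generated based on the cveId.
+// The function checks if the cveId starts with "ghsa" and returns a GitHub Security Advisory URL. Other formal sites can be added in the future.
+// The default URL is the NVD official CVE report.
+function generateCVEOfficialDetailsUrl(cveId) {
+let url;
+
+// If cveId is empty, return the default reports page URL
+if (!cveId) {
+return "/security-bulletins/reports/";
+}
+
+switch (true) {
+// GitHub Security Advisory
+case cveId.toLocaleLowerCase().startsWith("ghsa"):
+url = `https://github.com/advisories/${cveId.toLocaleLowerCase()}`;
+break;
+// Default CVE URL
+default:
+url = `https://nvd.nist.gov/vuln/detail/${cveId.toLocaleLowerCase()}`;
+}
+
+return url;
+}
+
+module.exports = {
+generateCVEOfficialDetailsUrl,
+};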
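Review bot: `switch (true)` driving a mutable `let url` (L111, L118-L126) is an unusual way to write a two-way branch and forces the reader to check each `case` for a missing `break`; early returns express the same decision directly. The lower-casing is also repeated in every branch, and `toLocaleLowerCase()` applies locale-specific rules to what is an ASCII identifier — compute `const id = cveId.toLowerCase();` once. The exported name and every returned value are unchanged, so the new urls.test.ts passes as written.
```javascript
function generateCVEOfficialDetailsUrl(cveId) {
  // Empty id: link back to the bulletins index rather than an external site.
  if (!cveId) {
    return "/security-bulletins/reports/";
  }
  const id = cveId.toLowerCase();
  // GitHub Security Advisory
  if (id.startsWith("ghsa")) {
    return `https://github.com/advisories/${id}`;
  }
  // Default: NVD record
  return `https://nvd.nist.gov/vuln/detail/${id}`;
}
// … unchanged: header comment, module.exports …
```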
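--- a/utils/helpers/urls.test.ts
+++ b/utils/helpers/urls.test.ts
@@ -0,0 +1,39 @@
+const { generateCVEOfficialDetailsUrl } = require("./urls");
+
+describe("generateCVEOfficialDetailsUrl", () => {
+it("should generate the GitHub Security Advisory URL for CVEs starting with 'ghsa'", () => {
+const cveId = "GHSA-27wf-5967-98gx";
+const result = generateCVEOfficialDetailsUrl(cveId);
+expect(result).toBe("https://github.com/advisories/ghsa-27wf-5967-98gx");
+});
+
+it("should handle 'ghsa' case-insensitively and generate the correct URL", () => {
+const cveId = "ghsa-27wf-5967-98gx";
+const result = generateCVEOfficialDetailsUrl(cveId);
+expect(result).toBe("https://github.com/advisories/ghsa-27wf-5967-98gx");
+});
+
+it("should generate the NVD URL for a CVE ID not starting with 'ghsa'", () => {
+const cveId = "CVE-2020-16156";
+const result = generateCVEOfficialDetailsUrl(cveId);
+expect(result).toBe("https://nvd.nist.gov/vuln/detail/cve-2020-16156");
+});
+
+it("should generate the NVD URL for another CVE ID not starting with 'ghsa'", () => {
+const cveId = "CVE-2019-20838";
+const result = generateCVEOfficialDetailsUrl(cveId);
+expect(result).toBe("https://nvd.nist.gov/vuln/detail/cve-2019-20838");
+});
+
+it("should return the default reports page URL for an empty CVE ID", () => {
+const cveId = "";
+const result = generateCVEOfficialDetailsUrl(cveId);
+expect(result).toBe("/security-bulletins/reports/");
+});
+
+it("should return the NVD URL for a CVE ID with mixed case and normalize it", () => {
+const cveId = "CVE-2020-16156";
+const result = generateCVEOfficialDetailsUrl(cveId);
+expect(result).toBe("https://nvd.nist.gov/vuln/detail/cve-2020-16156");
+});
+});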
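Review bot: The last case (L170-L174) does not test what its name says: `"CVE-2020-16156"` is the same all-upper-case input as L152-L156, so the mixed-case normalization path is never exercised; use an input such as `const cveId = "cVe-2020-16156";` with the same lower-cased NVD expectation. There is also no case for an identifier that is neither a CVE nor a GHSA id, which is exactly where the helper's behaviour is least obvious — add one that pins whatever the intended result is so a later hardening of the helper is caught by the suite. Minor: the file has a `.ts` extension but pulls the helper in with `require`; `import { generateCVEOfficialDetailsUrl } from "./urls";` matches the extension.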

0 comments on commit 3870fec
