From 3870fec04e7dc936e12de667f9553b54b962d8e5 Mon Sep 17 00:00:00 2001 From: Karl Cardenas Date: Sun, 8 Dec 2024 10:59:43 -0700 Subject: [PATCH] docs: fix CVE url logic --- .../CveReportsTable/CveReportsTable.tsx | 44 +++++++++++++++---- utils/cves/index.js | 5 ++- utils/helpers/urls.js | 28 ++++++++++++ utils/helpers/urls.test.ts | 39 ++++++++++++++++ 4 files changed, 106 insertions(+), 10 deletions(-) create mode 100644 utils/helpers/urls.js create mode 100644 utils/helpers/urls.test.ts diff --git a/src/components/CveReportsTable/CveReportsTable.tsx b/src/components/CveReportsTable/CveReportsTable.tsx index 129ab04da2..ceff529453 100644 --- a/src/components/CveReportsTable/CveReportsTable.tsx +++ b/src/components/CveReportsTable/CveReportsTable.tsx @@ -77,6 +77,31 @@ type CveDataUnion = vertexAirgap: MinimizedCve[]; }; +// generateCVEOfficialDetailsUrl returns a URL that is used to link to the official CVE report. +// The URL is generated based on the cveId. +// The function checks if the cveId starts with "ghsa" and returns a GitHub Security Advisory URL. Other formal sites can be added in the future. +// The default URL is the NVD official CVE report. +function generateCVEOfficialDetailsUrl(cveId: string) { + let url; + + // If cveId is empty, return the default reports page URL + if (!cveId) { + return "/security-bulletins/reports/"; + } + + switch (true) { + // GitHub Security Advisory + case cveId.toLocaleLowerCase().startsWith("ghsa"): + url = `https://github.com/advisories/${cveId.toLocaleLowerCase()}`; + break; + // Default CVE URL + default: + url = `https://nvd.nist.gov/vuln/detail/${cveId.toLocaleLowerCase()}`; + } + + return url; +} + export default function CveReportsTable() { const [data, setData] = useState(null); const [loading, setLoading] = useState(true); 
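Review bot: generateCVEOfficialDetailsUrl interpolates cveId into the href without checking its shape, so an identifier that is not a well-formed CVE or GHSA id (one containing `/`, `?`, `#`, whitespace or, for the markdown link built in utils/cves/index.js, a `)`) lands verbatim in the link target and in the generated MDX. The ids appear to come from the fetched bulletin data rather than from this file, so a format check with a fallback to the reports page keeps every generated link on one of the two expected hosts; the identical copy added in utils/helpers/urls.js needs the same check. With that guard in place the `let url` and `switch (true)` collapse into two returns. The component's copy is also not covered by urls.test.ts; importing the helper instead of duplicating it would keep both in step.
```typescript
// Accept only well-formed CVE and GHSA identifiers; anything else links to the reports index.
const CVE_ID_PATTERN = /^(cve-\d{4}-\d{4,}|ghsa-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4})$/i;

function generateCVEOfficialDetailsUrl(cveId: string) {
  const id = (cveId ?? "").trim().toLocaleLowerCase();
  if (!CVE_ID_PATTERN.test(id)) {
    return "/security-bulletins/reports/";
  }
  // GitHub Security Advisory
  if (id.startsWith("ghsa")) {
    return `https://github.com/advisories/${id}`;
  }
  // Default: NVD official CVE report
  return `https://nvd.nist.gov/vuln/detail/${id}`;
}
```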
@@ -146,11 +171,13 @@ export default function CveReportsTable() { dataIndex: ["metadata", "cve"], key: "cve", sorter: (a, b) => a.metadata.cve.localeCompare(b.metadata.cve), - render: (cve: string, record) => ( - - {cve} - - ), + render: (cve: string, record) => { + return ( + + {cve} + + ); + }, }, { title: "Initial Pub Date", @@ -199,9 +226,10 @@ export default function CveReportsTable() { dataIndex: ["metadata", "cvssScore"], key: "baseScore", sorter: (a, b) => a.metadata.cvssScore - b.metadata.cvssScore, - render: (baseScore: number, record) => ( - {baseScore} - ), + render: (baseScore: number, record) => { + const url = generateCVEOfficialDetailsUrl(record.metadata.cve.toLocaleLowerCase()); + return {baseScore}; + }, }, { title: "Status", diff --git a/utils/cves/index.js b/utils/cves/index.js index 590dede895..b12c5f358f 100644 --- a/utils/cves/index.js +++ b/utils/cves/index.js @@ -7,6 +7,7 @@ const { formatDateCveDetails } = require("../helpers/date"); const { escapeMDXSpecialChars } = require("../helpers/string"); const { generateMarkdownTable } = require("../helpers/affected-table"); const { generateRevisionHistory } = require("../helpers/revision-history"); +const { generateCVEOfficialDetailsUrl } = require("../helpers/urls"); async function getSecurityBulletins(payload) { const limit = 100; @@ -269,7 +270,7 @@ tags: ["security", "cve"] ## CVE Details -[${upperCaseCve}](https://nvd.nist.gov/vuln/detail/${upperCaseCve}) +Visit the official vulnerability details page for [${upperCaseCve}](${generateCVEOfficialDetailsUrl(item.metadata.cve)}) to learn more. ## Initial Publication @@ -288,7 +289,7 @@ ${escapeMDXSpecialChars(item.metadata.summary)} ## CVE Severity -${item.metadata.cvssScore} +[${item.metadata.cvssScore}](${generateCVEOfficialDetailsUrl(item.metadata.cve)}) ## Our Official Summary diff --git a/utils/helpers/urls.js b/utils/helpers/urls.js new file mode 100644 index 0000000000..4e733174fe --- /dev/null +++ b/utils/helpers/urls.js 
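Review bot: In the baseScore render, `record.metadata.cve.toLocaleLowerCase()` is passed to a helper that lowercases its argument itself, so the call can be `const url = generateCVEOfficialDetailsUrl(record.metadata.cve);`, matching how utils/cves/index.js calls it. In the index.js hunks the NVD link previously used `upperCaseCve` and now emits the lowercased id; the canonical CVE form is uppercase, so it is worth confirming that the lowercased NVD path resolves, or letting the helper keep the caller's case for the NVD branch. The same hunk in index.js also calls the helper twice per item; computing the URL once above the template and reusing it would avoid the duplicate work. The enclosing column definitions and the template literal start and end outside these hunks.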
@@ -0,0 +1,28 @@
+// generateCVEOfficialDetailsUrl returns a URL that is used to link to the official CVE report.
+// The URL is generated based on the cveId.
+// The function checks if the cveId starts with "ghsa" and returns a GitHub Security Advisory URL. Other formal sites can be added in the future.
+// The default URL is the NVD official CVE report.
+function generateCVEOfficialDetailsUrl(cveId) {
+ let url;
+
+ // If cveId is empty, return the default reports page URL
+ if (!cveId) {
+ return "/security-bulletins/reports/";
+ }
+
+ switch (true) {
+ // GitHub Security Advisory
+ case cveId.toLocaleLowerCase().startsWith("ghsa"):
+ url = `https://github.com/advisories/${cveId.toLocaleLowerCase()}`;
+ break;
+ // Default CVE URL
+ default:
+ url = `https://nvd.nist.gov/vuln/detail/${cveId.toLocaleLowerCase()}`;
+ }
+
+ return url;
+}
+
+module.exports = {
+ generateCVEOfficialDetailsUrl,
+};
diff --git a/utils/helpers/urls.test.ts b/utils/helpers/urls.test.ts
new file mode 100644
index 0000000000..577c872b89
--- /dev/null
+++ b/utils/helpers/urls.test.ts
@@ -0,0 +1,39 @@
+const { generateCVEOfficialDetailsUrl } = require("./urls");
+
+describe("generateCVEOfficialDetailsUrl", () => {
+ it("should generate the GitHub Security Advisory URL for CVEs starting with 'ghsa'", () => {
+ const cveId = "GHSA-27wf-5967-98gx";
+ const result = generateCVEOfficialDetailsUrl(cveId);
+ expect(result).toBe("https://github.com/advisories/ghsa-27wf-5967-98gx");
+ });
+
+ it("should handle 'ghsa' case-insensitively and generate the correct URL", () => {
+ const cveId = "ghsa-27wf-5967-98gx";
+ const result = generateCVEOfficialDetailsUrl(cveId);
+ expect(result).toBe("https://github.com/advisories/ghsa-27wf-5967-98gx");
+ });
+
+ it("should generate the NVD URL for a CVE ID not starting with 'ghsa'", () => {
+ const cveId = "CVE-2020-16156";
+ const result = generateCVEOfficialDetailsUrl(cveId);
+ expect(result).toBe("https://nvd.nist.gov/vuln/detail/cve-2020-16156");
+ });
+
+ it("should generate the NVD URL for another CVE ID not starting with 'ghsa'", () => {
+ const cveId = "CVE-2019-20838";
+ const result = generateCVEOfficialDetailsUrl(cveId);
+ expect(result).toBe("https://nvd.nist.gov/vuln/detail/cve-2019-20838");
+ });
+
+ it("should return the default reports page URL for an empty CVE ID", () => {
+ const cveId = "";
+ const result = generateCVEOfficialDetailsUrl(cveId);
+ expect(result).toBe("/security-bulletins/reports/");
+ });
+
+ it("should return the NVD URL for a CVE ID with mixed case and normalize it", () => {
+ const cveId = "CVE-2020-16156";
+ const result = generateCVEOfficialDetailsUrl(cveId);
+ expect(result).toBe("https://nvd.nist.gov/vuln/detail/cve-2020-16156");
+ });
+});
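Review bot: The last case, "mixed case and normalize it", uses exactly the same input as the NVD case three tests earlier (`"CVE-2020-16156"`), so the normalization it names is never exercised; `const cveId = "cVe-2020-16156";` or a mixed-case GHSA id would make it a distinct test. There is also no case for an id that is neither CVE- nor GHSA-shaped, which is where the helper's behaviour is least obvious; a case such as `const cveId = "not an id";` pinning whatever the helper is meant to return there would document that contract for anyone tightening the helper later. The file uses `require` in a .ts test; unless the test runner is configured for CommonJS, `import { generateCVEOfficialDetailsUrl } from "./urls";` would match the module style the rest of the TypeScript tooling expects.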