feat: add vex generator (#1537)

* feat: add vex generator

* chore: bump node versions

* fix: update validator function

Author: marco-ippolito

.github/workflows/generate-vex.yml

@@ -0,0 +1,78 @@
+name: "Generate VEX document"
+
+on:
+  workflow_run:
+    workflows:
+      - "Update core index.json"
+      - "Update deps index.json"
+      - "Update npm index.json"
+    types:
+      - completed
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+    paths:
+      - 'vuln/core/index.json'
+      - 'vuln/npm/index.json'
+      - 'vuln/deps/index.json'
+      - 'tools/vex/**'
+
+concurrency:
+  group: generate-vex
+  cancel-in-progress: true
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  generate-vex:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        with:
+          persist-credentials: false
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: '1.23.x'
+
+      - name: Generate VEX document
+        working-directory: tools/vex
+        run: |
+          go run .
+
+      - name: Detect changes
+        id: detect
+        run: |
+          if git diff --quiet node.openvex.json; then
+            echo "no_changes=true" >> $GITHUB_OUTPUT
+          else
+            echo "no_changes=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Create Pull Request
+        if: steps.detect.outputs.no_changes == 'false'
+        uses: gr2m/create-or-update-pull-request-action@77596e3166f328b24613f7082ab30bf2d93079d5
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          commit-message: 'vex: regenerate node.openvex.json'
+          title: regenerate node.openvex.json
+          body: 'Automated regeneration of node.openvex.json after vulnerability index update. cc: @nodejs/security-wg'
+          assignees: ${{ github.actor }}
+          labels: security-wg-agenda
+          branch: regenerate-vex
+          update-pull-request-title-and-body: true
+
+      - name: No changes summary
+        if: steps.detect.outputs.no_changes == 'true'
+        run: echo "No changes to node.openvex.json; skipping PR creation."

.github/workflows/test.yml

@@ -15,7 +15,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        node-version: [18.x, 20.x, 22.x]
+        node-version: [20.x, 22.x, '24.x']
         os: [ubuntu-latest]
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/update-core-index.yml

@@ -27,7 +27,7 @@ jobs:
 
     - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
       with:
-        node-version: 18
+        node-version-file: '.nvmrc'
 
     - name: Install deps
       run: npm ci

.github/workflows/update-deps-index.yml

@@ -0,0 +1,50 @@
+name: "Update deps index.json"
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+    paths:
+      - 'vuln/deps/*.json'
+      - '!vuln/deps/index.json'
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  stale:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+      with:
+        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
+    - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+      with:
+        persist-credentials: false
+
+    - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+      with:
+        node-version-file: '.nvmrc'
+
+    - name: Install deps
+      run: npm ci
+
+    - name: Update deps index.json
+      run: |
+        npm run create-deps-index
+
+    - name: Create Pull Request
+      uses: gr2m/create-or-update-pull-request-action@77596e3166f328b24613f7082ab30bf2d93079d5
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      with:
+          commit-message: 'vuln: update deps index.json'
+          title: update deps index.json
+          body: 'update deps index.json. cc: @nodejs/security-wg'
+          assignees: ${{ github.actor }}
+          labels: security-wg-agenda
+          branch: deps-index-updated
+          update-pull-request-title-and-body: true

.github/workflows/update-npm-index.yml

@@ -27,7 +27,7 @@ jobs:
 
     - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
       with:
-        node-version: 18
+        node-version-file: '.nvmrc'
 
     - name: Install deps
       run: npm ci

.github/workflows/validate-vulnerability.yml

@@ -24,7 +24,7 @@ jobs:
       - name: Use Node.js
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
         with:
-          node-version: 18
+          node-version-file: '.nvmrc'
 
       - name: Install deps
         run: npm ci

.nvmrc

@@ -0,0 +1 @@
+22

package.json

@@ -5,7 +5,8 @@
     "test": "node --test",
     "validate": "node tools/vuln_valid",
     "create-npm-index": "node tools/create_index/create_npm_index.js",
-    "create-core-index": "node tools/create_index/create_core_index.js"
+    "create-core-index": "node tools/create_index/create_core_index.js",
+    "create-deps-index": "node tools/create_index/create_deps_index.js"
   },
   "keywords": [],
   "author": "",

tools/create_index/create_deps_index.js

@@ -0,0 +1,56 @@
+const fs = require('node:fs')
+const path = require('node:path')
+
+const depsVulnerabilitiesPath = path.join(__dirname, '../../vuln/deps/')
+
+// Valid justification values from OpenVEX spec v0.2.0
+// See: https://github.com/openvex/spec/blob/main/OPENVEX-SPEC.md#status-justifications
+const validJustifications = [
+    'component_not_present',
+    'vulnerable_code_not_present',
+    'vulnerable_code_not_in_execute_path',
+    'vulnerable_code_cannot_be_controlled_by_adversary',
+    'inline_mitigations_already_exist'
+]
+
+let vuln = {}
+
+function createDepsIndex() {
+    const files = fs.readdirSync(depsVulnerabilitiesPath)
+    getVulnDirectoryContents(files)
+    writeIndex(vuln)
+}
+
+function getVulnDirectoryContents(files) {
+    for (const file of files) {
+        const filename = file.slice(0, file.toString().indexOf('.json'))
+        if (filename !== 'index') {
+            const data = fs.readFileSync(depsVulnerabilitiesPath + file)
+            const json = JSON.parse(data)
+
+            if (!json.reason) {
+                throw new Error(`Missing 'reason' field in ${file}`)
+            }
+
+            if (!validJustifications.includes(json.reason)) {
+                throw new Error(
+                    `Invalid justification '${json.reason}' in ${file}. ` +
+                    `Valid values are: ${validJustifications.join(', ')}`
+                )
+            }
+
+            createVulnObject(filename, json)
+        }
+    }
+}
+
+function createVulnObject(identifier, json) {
+    vuln[identifier] = json
+}
+
+function writeIndex(data) {
+    fs.writeFileSync(depsVulnerabilitiesPath + 'index.json', JSON.stringify(data, null, 2))
+    console.log('Successfully wrote ' + depsVulnerabilitiesPath + 'index.json for deps vulnerabilities.')
+}
+
+createDepsIndex()

tools/vex/.gitignore

@@ -0,0 +1 @@
+node-vex-generator