Merge branch 'oliviergoulet/main/38' into 'main'

Known Vulnerabilities page Closes #38 See merge request !33

Merge branch 'oliviergoulet/main/38' into 'main'
Known Vulnerabilities page Closes #38 See merge request !33
24ac05e6 · Christopher Guindon · 141836cd · fe50b1f1 · 24ac05e6 · 24ac05e6
Commit 24ac05e6 authored 1 year ago by Christopher Guindon
--- a/config.toml
+++ b/config.toml
@@ -177,8 +177,18 @@ pluralizeListTitles = false
  parent = "collaborations"
  name = "Interest Group Process"
  url = "/org/collaborations/interest-groups/process.php"
+
+[[menu.sidebar]]
+  identifier = "security"
+  name = "Security"
+  url = "/security"
  weight = 1
-  
+
+[[menu.sidebar]]
+  parent = "security"
+  name = "Known Vulnerabilities"
+  url = "/security/known"
+  weight = 1  

 [[menu.sidebar]]
  identifier = "security"

--- a/content/security/known/_index.md
+++ b/content/security/known/_index.md
+---
+title: "Known Vulnerabilities"
+date: 2022-08-30T13:14:48-04:00
+description: "List of security vulnerabilities known to affect Eclipse Foundation sites and projects"
+keywords: ['Eclipse', 'projects', 'security', 'cve']
+layout: single
+---
+
+This page lists security vulnerabilities known to affect Eclipse Foundation sites and projects.
+
+{{< pages/security/known >}}
--- a/js/known-vulnerabilities.js
+++ b/js/known-vulnerabilities.js
+/*!
+ * Copyright (c) 2023 Eclipse Foundation, Inc.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * Contributors:
+ *   Olivier Goulet <olivier.goulet@eclipse-foundation.org>
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ */
+
+// Requires jQuery to be loaded beforehand
+
+import './src/known-vulnerabilities-table'
\ No newline at end of file
--- a/js/src/api/eclipsefdn.cve.js
+++ b/js/src/api/eclipsefdn.cve.js
+/*!
+ * Copyright (c) 2023 Eclipse Foundation, Inc.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * Contributors:
+ *   Olivier Goulet <olivier.goulet@eclipse-foundation.org>
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ */
+
+const apiPath = `https://api.eclipse.org/cve`;
+
+const cveMapper = data => ({
+    id: data.id,
+    datePublished: data.date_published,
+    status: data.status,
+    summary: data.summary,
+    project: data.project,
+    cvss: data.cvss,
+    liveLink: data.live_link,
+    cvePullRequest: data.cve_pull_request,
+    nvdLink: `https://nvd.nist.gov/vuln/detail/${data.id}`,
+});
+
+const getAllCVEs = async () => {
+    try { 
+        const response = await fetch(apiPath);
+        if (!response.ok) throw new Error('Problem with the request to CVE API');
+
+        const data = await response.json();
+        if (!Array.isArray(data)) throw new TypeError('Expected an array as CVE API response');
+
+        const cves = data
+          .map(cveMapper)
+          .filter(cve => cve.status === 'PUBLIC');
+
+        return [cves, null];
+    } catch (error) {
+        return [null, error];
+    }
+}
+
+export default getAllCVEs;
--- a/js/src/known-vulnerabilities-table.js
+++ b/js/src/known-vulnerabilities-table.js
+/*!
+ * Copyright (c) 2023 Eclipse Foundation, Inc.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * Contributors:
+ *   Olivier Goulet <olivier.goulet@eclipse-foundation.org>
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ */
+
+import DataTable from 'datatables.net';
+import getAllCVEs from './api/eclipsefdn.cve';
+
+
+const KnownVulnerabilitiesTable = async () => {
+    const element = document.querySelector('#known-table-wrapper');
+    if (!element) return;
+
+    const [cves, error] = await getAllCVEs();
+
+    if (error) {
+        element.innerHTML = `
+            <p class="alert alert-danger">
+                An error has occurred while fetching known vulnerabilities. Please try again later.
+            </p>
+        `;
+
+        return;
+    }
+
+    const data = cves.filter(row => row.cvePullRequest !== null);
+
+    populateTable(data);
+}
+
+export default KnownVulnerabilitiesTable();
+
+/** Populate the known vulnerabilities table with CVE data
+  * @param {Array} data - Array of CVEs
+  * @returns {DataTable} - DataTable instance
+*/
+const populateTable = data =>   
+    new DataTable('#known-table', {
+        data,
+        autoWidth: false,
+        columns: [
+            { 
+                data: 'id',
+                width: '20%',
+                render: (data, _, row) => `<a href="${row.nvdLink}">${data}</a>`
+            },
+            { data: 'datePublished', width: '15%' },
+            { 
+                name: 'project',
+                data: 'project', 
+                width: '25%',
+                render: (data) => `<a class="known-table-project-link" href="https://projects.eclipse.org/projects/${data}">${data}</a>` 
+            },
+            //{ data: 'summary' }
+        ],
+        order: [[1, 'desc']],
+        pageLength: 10,
+        lengthMenu: [10, 20, 50, 100]
+    }
+);
--- a/layouts/partials/footer_custom.html
+++ b/layouts/partials/footer_custom.html
+{{ block "datatables" . }}
+    {{ . }}
+{{ end }}
--- a/layouts/partials/security/known/data_tables.html
+++ b/layouts/partials/security/known/data_tables.html
+{{ define "datatables" }}
+    <link rel="stylesheet" href="/public/css/datatables.net-dt.css">
+    <script async src="/public/js/known-vulnerabilities.js"></script>
+{{ end }}
--- a/layouts/shortcodes/pages/security/known.html
+++ b/layouts/shortcodes/pages/security/known.html
+<div class="dataTables_wrapper margin-top-20" id="known-table-wrapper">
+    <table class="display dataTable" id="known-table" style="width:100%" aria-describedby="known-table_info">
+        <thead>
+            <tr>
+                <th class="sorting" tabindex="0" aria-controls="known-table" rowspan="1" colspan="1" aria-label="ID: activate to sort column ascending">ID</th>
+                <th class="sorting" tabindex="0" aria-controls="known-table" rowspan="1" colspan="1" aria-label="Date: activate to sort column ascending">Date Published</th>
+                <th class="sorting sorting_asc" tabindex="0" aria-controls="known-table" rowspan="1" colspan="1" aria-sort="ascending" aria-label="Project: activate to sort column descending">Project</th>
+                <!--<th tabindex="0" aria-controls="known-table" rowspan="1" colspan="2">Description</th>-->
+            </tr>
+        </thead>
+    </table>
+</div>
--- a/package.json
+++ b/package.json
@@ -22,6 +22,7 @@
  },
  "dependencies": {
    "eclipsefdn-hugo-solstice-theme": "0.0.183",
+    "datatables.net-dt": "^1.13.1",
    "js-yaml": "^3.13.1",
    "json-minify": "^1.0.0"
  },

--- a/webpack.mix.js
+++ b/webpack.mix.js
@@ -25,4 +25,8 @@ mix.less('./less/page_css_file/openchain/styles.less', 'static/public/css/projec
 mix.less('./less/page_css_file/europe/styles.less', 'static/public/css/europe-styles.css');
 mix.less('./less/page_css_file/research/styles.less', 'static/public/css/research-styles.css');

+mix.css('./node_modules/datatables.net-dt/css/jquery.dataTables.min.css', 'static/public/css/datatables.net-dt.css');
+
 mix.js('js/main.js', './static/public/js/main.js');
+mix.js('js/known-vulnerabilities.js', './static/public/js/known-vulnerabilities.js')
+
--- a/yarn.lock
+++ b/yarn.lock
@@ -2301,6 +2301,21 @@ csso@^4.2.0:
  dependencies:
    css-tree "^1.1.2"

+datatables.net-dt@^1.13.1:
+  version "1.13.4"
+  resolved "https://registry.yarnpkg.com/datatables.net-dt/-/datatables.net-dt-1.13.4.tgz#ec32d22a02772ee6dda2677032cb6b24f3f5e4d0"
+  integrity sha512-QAvuEej/qKSiaSmSeDQ36wWO72XzFGKkd0jdiqbp+2FHAAzIk+ffsqQAwylystMoBSiO0zlcdaqHoAPa5Dy7Pg==
+  dependencies:
+    datatables.net ">=1.12.1"
+    jquery ">=1.7"
+
+datatables.net@>=1.12.1:
+  version "1.13.4"
+  resolved "https://registry.yarnpkg.com/datatables.net/-/datatables.net-1.13.4.tgz#9a809cee82eca0a884e10b4d47a3a3d6e65e9fe7"
+  integrity sha512-yzhArTOB6tPO2QFKm1z3hA4vabtt2hRvgw8XLsT1xqEirinfGYqWDiWXlkTPTaJv2e7gG+Kf985sXkzBFlGrGQ==
+  dependencies:
+    jquery ">=1.7"
+
 date-fns@^2.27.0:
  version "2.29.3"
  resolved "https://registry.yarnpkg.com/date-fns/-/date-fns-2.29.3.tgz#27402d2fc67eb442b511b70bbdf98e6411cd68a8"
@@ -3664,7 +3679,7 @@ jquery-match-height@^0.7.2:
  resolved "https://registry.yarnpkg.com/jquery-match-height/-/jquery-match-height-0.7.2.tgz#f8d9f3ba5314daab109cf07408674be204be5f0e"
  integrity sha512-qSyC0GBc4zUlgBcxfyyumJSVUm50T6XuJEIz59cKaI28VXMUT95mZ6KiIjhMIMbG8IiJhh65FtQO1XD42TAcwg==

-jquery@>=1.8.3, jquery@^3.5.1:
+jquery@>=1.7, jquery@>=1.8.3, jquery@^3.5.1:
  version "3.6.3"
  resolved "https://registry.yarnpkg.com/jquery/-/jquery-3.6.3.tgz#23ed2ffed8a19e048814f13391a19afcdba160e6"
  integrity sha512-bZ5Sy3YzKo9Fyc8wH2iIQK4JImJ6R0GWI9kL1/k7Z91ZBNgkRXE6U0JfHIizZbort8ZunhSI3jw9I6253ahKfg==