add wip vulnerability table

Author: bmuenzenmeyer

apps/site/components/Downloads/ReleaseModal/index.tsx

@@ -42,10 +42,7 @@ const ReleaseModal: FC<ReleaseModalProps> = ({
           >
             {t.rich('components.releaseModal.unsupportedVersionWarning', {
               link: text => (
-                <Link
-                  onClick={closeModal}
-                  href="/eol"
-                >
+                <Link onClick={closeModal} href="/eol">
                   {text}
                 </Link>
               ),

apps/site/components/MDX/EOL/DetailsButton.tsx

@@ -0,0 +1,35 @@
+'use client';
+
+import { useTranslations } from 'next-intl';
+import type { FC } from 'react';
+import { use } from 'react';
+
+import LinkWithArrow from '#site/components/LinkWithArrow';
+import { ReleaseModalContext } from '#site/providers/releaseModalProvider';
+import type { NodeRelease } from '#site/types';
+
+type DetailsButtonProps = {
+  versionData: NodeRelease;
+};
+
+/**
+ * TODO @bmuenzenmeyer adapt to vulnerabilities - this is currently a copy paste of the release - versionData should have everything we need :fingers_crossed:
+ * @param param0
+ * @returns
+ */
+const DetailsButton: FC<DetailsButtonProps> = ({ versionData }) => {
+  const t = useTranslations('components.downloadReleasesTable');
+
+  const { openModal } = use(ReleaseModalContext);
+
+  return (
+    <LinkWithArrow
+      className="cursor-pointer"
+      onClick={() => openModal(versionData)}
+    >
+      {t('details')}
+    </LinkWithArrow>
+  );
+};
+
+export default DetailsButton;

apps/site/components/MDX/EOL/Table.tsx

@@ -0,0 +1,58 @@
+import { getTranslations } from 'next-intl/server';
+import type { FC } from 'react';
+
+import FormattedTime from '#site/components/Common/FormattedTime';
+import DetailsButton from '#site/components/MDX/EOL/DetailsButton';
+import provideVulnerabilities from '#site/next-data/providers/vulnerabilities';
+import getReleaseData from '#site/next-data/releaseData';
+
+import VulnerabilityChips from './VulnerabilityChips';
+
+const EOLTable: FC = async () => {
+  const releaseData = await getReleaseData();
+  const vulnerabilities = await provideVulnerabilities();
+  const EOLReleases = releaseData.filter(
+    release => release.status === 'End-of-life'
+  );
+
+  const t = await getTranslations();
+
+  return (
+    <table id="tbVulnerabilities" className="download-table full-width">
+      <thead>
+        <tr>
+          {/* TODO @bmuenzenmeyer change these to new i18n keys */}
+          <th>
+            {t('components.downloadReleasesTable.version')} (
+            {t('components.downloadReleasesTable.codename')})
+          </th>
+          <th>{t('components.downloadReleasesTable.lastUpdated')}</th>
+          <th>Vulnerabilities</th>
+          <th>Details</th>
+        </tr>
+      </thead>
+      <tbody>
+        {EOLReleases.map(release => (
+          <tr key={release.major}>
+            <td data-label="Version">
+              v{release.major} {release.codename ? `(${release.codename})` : ''}
+            </td>
+            <td data-label="Date">
+              <FormattedTime date={release.releaseDate} />
+            </td>
+            <td>
+              <VulnerabilityChips
+                vulnerabilities={vulnerabilities[release.major]}
+              />
+            </td>
+            <td className="download-table-last">
+              <DetailsButton versionData={release} />
+            </td>
+          </tr>
+        ))}
+      </tbody>
+    </table>
+  );
+};
+
+export default EOLTable;

apps/site/components/MDX/EOL/VulnerabilityChips.tsx

@@ -0,0 +1,55 @@
+import Badge from '@node-core/ui-components/Common/Badge';
+import type { FC } from 'react';
+
+// mapping of vulnerability severities to UI labels and colors
+// TODO @bmuenzenmeyer we need i18n keys for these labels
+const severityLabels: Record<string, { label: string; kind: string }> = {
+  low: { label: 'Low', kind: 'default' },
+  medium: { label: 'Medium', kind: 'info' },
+  high: { label: 'High', kind: 'warning' },
+  critical: { label: 'Critical', kind: 'error' },
+};
+
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+// TODO @bmuenzenmeyer type
+const VulnerabilityChips: FC<{ vulnerabilities: Array<any> }> = ({
+  vulnerabilities,
+}) => {
+  if (!vulnerabilities || vulnerabilities.length === 0) {
+    return <span>No vulnerabilities reported</span>;
+  }
+
+  // group all vulnerabilities by severity
+  const groupedVulnerabilities = vulnerabilities.reduce(
+    (acc, vuln) => {
+      const severity = vuln.severity.toLowerCase();
+      if (!acc[severity]) {
+        acc[severity] = [];
+      }
+      acc[severity].push(vuln);
+      return acc;
+    },
+    {} as Record<string, Array<any>>
+  );
+
+  return (
+    <div className="vulnerability-chips">
+      {Object.entries(groupedVulnerabilities)
+        .sort((a, b) => {
+          const severityOrder = ['critical', 'high', 'medium', 'low'];
+          return severityOrder.indexOf(a[0]) - severityOrder.indexOf(b[0]);
+        })
+        .filter(([severity]) => severityLabels[severity]) // filter out unknown severities. there are 78+, with increasing frequency the older you get into our release or security governance
+        .map(([severity, vulnerabilityCount]) => {
+          const { label, kind } = severityLabels[severity];
+          return (
+            <Badge size="small" key={severity} kind={kind} className="mr-0.5">
+              {label} ({vulnerabilityCount.length})
+            </Badge>
+          );
+        })}
+    </div>
+  );
+};
+
+export default VulnerabilityChips;

apps/site/next-data/providers/vulnerabilities.ts

@@ -0,0 +1,110 @@
+import { cache } from 'react';
+
+interface Vulnerability {
+  cve: Array<string>;
+  ref?: string;
+  vulnerable: string;
+  patched?: string;
+  description: string;
+  overview: string;
+  affectedEnvironments: Array<string>;
+  severity: string;
+}
+
+interface GroupedVulnerabilities {
+  [majorVersion: string]: Array<Vulnerability>;
+}
+
+/**
+ * Vulnerability data looks like this:
+ *
+ *
+ * [
+  * "1": {
+      "cve": [
+        "CVE-2017-1000381"
+      ],
+      "ref": "https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/",
+      "vulnerable": "8.x || 7.x || 4.x || 6.x || 5.x",
+      "patched": "^8.1.4 || ^7.10.1 || ^4.8.4 || ^6.11.1",
+      "description": "memory overread when parsing invalid NAPTR responses",
+      "overview": "The c-ares function ares_parse_naptr_reply(), which is used for parsing NAPTR\nresponses, could be triggered to read memory outside of the given input buffer\nif the passed in DNS response packet was crafted in a particular way.\n\n",
+      "affectedEnvironments": [
+        "all"
+      ],
+      "severity": "unknown"
+    },
+    "2": {
+      "cve": [],
+      "vulnerable": "4.x || 5.x || 6.x || 7.x || 8.x",
+      "patched": "^4.8.4 || ^6.11.1 || ^7.10.1 || ^8.1.4",
+      "description": "DoS possible in V8 object lookup",
+      "overview": "Disable V8 snapshots - The hashseed embedded in the snapshot is\ncurrently the same for all runs of the binary. This opens node up to\ncollision attacks which could result in a Denial of Service. We have\ntemporarily disabled snapshots until a more robust solution is found\nFixed: Ali Ijaz Sheikh\nReported: Fedor Indutny\nref: https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/\n\n",
+      "affectedEnvironments": [
+        "all"
+      ],
+      "severity": "unknown"
+  }
+]
+ * TODO: @bmuenzenmeyer Better document
+ * @param vulnerabilities
+ */
+
+const groupVulnerabilitiesByMajor = (
+  vulnerabilities: Array<Vulnerability>
+): GroupedVulnerabilities => {
+  const grouped: GroupedVulnerabilities = {};
+
+  Object.values(vulnerabilities).forEach(vulnerability => {
+    // `vulnerable` value can look as complicated as >=6.0.0 <6.2.0 || 5.x || 4.x
+    // extract just the major versions, which is the unique first integer before any dot
+    // e.g. 6, 5, 4
+    // use a regex to get the integers and ignore the potential ranges
+    // e.g. >=6.0.0 <6.2.0 will be parsed as 6
+    //       5.x will be parsed as 5
+    //       6.0.0 will be parsed as 6
+    //       6.2.0 will be parsed as 6
+    const majorVersions =
+      vulnerability.vulnerable
+        .match(/\d+/g)
+        ?.map(Number)
+        .filter(major => !isNaN(major)) || [];
+
+    majorVersions.forEach(majorVersion => {
+      if (!grouped[majorVersion]) {
+        grouped[majorVersion] = [];
+      }
+      grouped[majorVersion].push(vulnerability);
+    });
+  });
+
+  return grouped;
+};
+
+const provideVulnerabilities = cache(async () => {
+  const data = await fetchVulnerabilities();
+
+  // group by major version
+  const groupedData = groupVulnerabilitiesByMajor(data);
+
+  return groupedData;
+});
+
+/**
+ * TODO: @bmuenzenmeyer We need to extend the same data loading patterns at next-data/ to account for static generation.
+ * This is a good place for others to extensively review what I've done here.
+ */
+export default provideVulnerabilities;
+
+async function fetchVulnerabilities() {
+  const response = await fetch(
+    'https://raw.githubusercontent.com/nodejs/security-wg/main/vuln/core/index.json'
+  );
+
+  if (!response.ok) {
+    throw new Error('Failed to fetch vulnerabilities data');
+  }
+
+  const data = await response.json();
+  return data;
+}

apps/site/next.mdx.use.mjs

@@ -5,6 +5,7 @@ import BadgeGroup from '@node-core/ui-components/Common/BadgeGroup';
 import DownloadReleasesTable from './components/Downloads/DownloadReleasesTable';
 import UpcomingMeetings from './components/MDX/Calendar/UpcomingMeetings';
 import EOLAlertBox from './components/MDX/EOL/Alert';
+import EOLTable from './components/MDX/EOL/Table';
 import WithBadgeGroup from './components/withBadgeGroup';
 import WithBanner from './components/withBanner';
 import WithNodeRelease from './components/withNodeRelease';
@@ -28,4 +29,6 @@ export const mdxComponents = {
   UpcomingMeetings,
   // Renders an EOL alert
   EOLAlertBox,
+  // Renders the EOL Table
+  EOLTable,
 };

apps/site/pages/en/eol.mdx

@@ -21,7 +21,7 @@ The security implications are immediate and serious. For example, when new secur
 
 ## EOL Versions
 
-`TO BE BUILT`
+<EOLTable />
 
 ## Commercial Support