feat(advisories): add provisional GHSA feed #242
Merged
Contributor
Comment on lines +69 to +72
| async function writeJson(filePath, value) { | ||
| await mkdir(path.dirname(filePath), { recursive: true }); | ||
| await writeFile(filePath, `${JSON.stringify(value, null, 2)}\n`); | ||
| } |
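Review bot: writeJson writes directly into the destination path with writeFile, so this is not an atomic write: a consumer that reads the feed while the write is in progress (for example a checksum or signing step running in a parallel job) can observe a truncated or half-written JSON file, and the review comment on this hunk asks for a shared "atomic write path" that the helper as shown does not yet provide. Suggest writing the serialized JSON to a temporary file in the same directory and renaming it over the destination, e.g. `await writeFile(tmpPath, data); await rename(tmpPath, filePath);`, so the shared helper both scripts use becomes the one place that guarantees readers only ever see a complete feed.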
Contributor
The new writeJson helper duplicates the mkdir + JSON write logic in scripts/ghsa-without-cve-feed.mjs; should we centralize it in a shared helper so both scripts use the same atomic write path?
Finding type: Code Dedup and Conventions | Severity: 🟢 Low
User description
Summary
- `ghsa-without-cve.json`: advisory feed for public GHSAs before they receive CVE IDs
- `active`, `matured`, and `stale` GHSA records with a 60-day stale threshold

Coverage

- openclaw, nanoclaw, hermes, and picoclaw
- openclaw/openclaw, qwibitai/nanoclaw, softwarepub/hermes, nousresearch/hermes-agent, and sipeed/picoclaw

Testing

- `node scripts/test-ghsa-without-cve-feed.mjs`
- `node node_modules/eslint/bin/eslint.js scripts/ghsa-without-cve-feed.mjs scripts/test-ghsa-without-cve-feed.mjs --max-warnings 0`
- `node node_modules/typescript/bin/tsc --noEmit`
- `node scripts/generate-wiki-llms.mjs && node node_modules/vite/bin/vite.js build`
- `git diff --check`

Generated description
Below is a concise technical summary of the changes proposed in this PR:
Deliver a provisional `ghsa-without-cve` feed generator that polls GitHub Security Advisories, tracks lifecycle states, and wires the signed artifacts into CI, deploy, and pages-validation workflows alongside the canonical CVE stream. Document and version-bump every consumer skill so operators know the consolidated feed now carries NVD CVEs, approved community advisories, and pending GHSA records while release tooling rejects incomplete metadata.
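The lifecycle tracking and metadata rejection described above, as an added example that is not code from this PR or from the repository's scripts. It assumes (the page does not define these rules) that a GHSA record is `matured` once a CVE ID is attached, `stale` when it still has no CVE more than 60 days after publication, and `active` otherwise, and that a record must carry `ghsa_id`, `published_at` and `severity` to be accepted; the record shape, the sample advisories and the `buildFeed`/`classifyRecord`/`validateRecord` names are all constructed for illustration.

```javascript
// Added example (not the PR's code): classify public GHSA records into the
// active / matured / stale lifecycle states named in the PR description and
// build a feed object, rejecting records with incomplete metadata.

const STALE_DAYS = 60; // stale threshold stated in the PR description
const MS_PER_DAY = 24 * 60 * 60 * 1000;
// Assumed required fields; the real feed's required set is not on the page.
const REQUIRED_FIELDS = ['ghsa_id', 'published_at', 'severity'];

// Reject a record that lacks required metadata or has an unparseable date,
// mirroring "release tooling rejects incomplete metadata".
function validateRecord(record) {
  const missing = REQUIRED_FIELDS.filter(
    (f) => record[f] === undefined || record[f] === null || record[f] === '',
  );
  if (missing.length > 0) {
    throw new Error(
      `GHSA record ${record.ghsa_id ?? '<unknown>'} missing metadata: ${missing.join(', ')}`,
    );
  }
  if (Number.isNaN(Date.parse(record.published_at))) {
    throw new Error(`GHSA record ${record.ghsa_id} has unparseable published_at`);
  }
  return record;
}

// Assumed rules: a CVE attached -> matured; no CVE and older than STALE_DAYS
// -> stale (exactly 60 days is still active); otherwise active.
function classifyRecord(record, now) {
  if (record.cve_id) return 'matured';
  const ageDays = (now.getTime() - Date.parse(record.published_at)) / MS_PER_DAY;
  return ageDays > STALE_DAYS ? 'stale' : 'active';
}

// Build the provisional feed; `now` is injectable so runs are reproducible.
function buildFeed(records, now = new Date()) {
  const feed = {
    generated_at: now.toISOString(),
    stale_threshold_days: STALE_DAYS,
    active: [],
    matured: [],
    stale: [],
  };
  for (const raw of records) {
    const record = validateRecord(raw);
    const state = classifyRecord(record, now);
    feed[state].push({ ...record, state });
  }
  return feed;
}

// Constructed sample input: the GHSA ids, repos, dates and the CVE placeholder
// are made up and do not refer to real advisories.
const SAMPLE_RECORDS = [
  { ghsa_id: 'GHSA-xxxx-0001-aaaa', repo: 'example/openclaw', published_at: '2024-05-01T00:00:00Z', severity: 'high', cve_id: null },
  { ghsa_id: 'GHSA-xxxx-0002-bbbb', repo: 'example/nanoclaw', published_at: '2024-01-10T00:00:00Z', severity: 'moderate', cve_id: null },
  { ghsa_id: 'GHSA-xxxx-0003-cccc', repo: 'example/hermes', published_at: '2024-02-15T00:00:00Z', severity: 'critical', cve_id: 'CVE-0000-00000' },
];
const SAMPLE_NOW = new Date('2024-06-01T00:00:00Z');

console.log(JSON.stringify(buildFeed(SAMPLE_RECORDS, SAMPLE_NOW), null, 2));
```

With the constructed sample and a fixed `now` of 2024-06-01, the first record (31 days old, no CVE) lands in `active`, the second (143 days old, no CVE) in `stale`, and the third in `matured`; a record missing `published_at` is rejected before it can reach the feed, which is the behaviour a signing or checksum step downstream should be able to rely on.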
scripts/ghsa-without-cve-feed.mjs, the new poll/GHSA workflows, and the deployment/signing/checksum steps that publish both canonical and provisional advisories.