Support OpenJS Foundation CNA as CVE source

components/git/security.js

@@ -40,6 +40,11 @@ const securityOptions = {
     describe: 'Request CVEs for a security release',
     type: 'boolean'
   },
+  'publish-cve': {
+    describe:
+      'Publish reserved CVEs to MITRE via the OpenJS Foundation CNA',
+    type: 'boolean'
+  },
   'post-release': {
     describe: 'Create the post-release announcement to the given nodejs.org folder',
     type: 'string'
@@ -88,6 +93,9 @@ export function builder(yargs) {
     ).example(
       'git node security --cleanup',
       'Cleanup the security release. Merge the PR and close H1 reports'
+    ).example(
+      'git node security --publish-cve',
+      'Publish reserved CVEs to MITRE via the OpenJS Foundation CNA'
     );
 }
 
@@ -119,6 +127,9 @@ export function handler(argv) {
   if (argv['request-cve']) {
     return requestCVEs(cli, argv);
   }
+  if (argv['publish-cve']) {
+    return publishCVEs(cli, argv);
+  }
   if (argv['post-release']) {
     return createPostRelease(cli, argv);
   }
@@ -157,6 +168,11 @@ async function requestCVEs(cli) {
   return hackerOneCve.requestCVEs();
 }
 
+async function publishCVEs(cli) {
+  const release = new UpdateSecurityRelease(cli);
+  return release.publishCVEs();
+}
+
 async function createPostRelease(cli, argv) {
   const nodejsOrgFolder = argv['post-release'];
   const blog = new SecurityBlog(cli);

docs/git-node.md

@@ -455,6 +455,29 @@ $ ncu-config --global set h1_username $H1_TOKEN
   access.
 - `h1_username`: HackerOne API Token username.
 
+#### Optional: source CVEs from the OpenJS Foundation CNA
+
+By default, `--request-cve` reserves CVE identifiers through HackerOne (which
+acts as Node.js' CNA). You can switch to the **OpenJS Foundation CNA** as the
+issuer by setting `cve_source: 'openjs-cna'` in `.ncurc`. HackerOne is still
+used for the bug-bounty workflow (triage, sync, disclosure) and is updated with
+the resulting CVE id at the end of the request flow, so reports stay in sync.
+
+```console
+$ ncu-config --global set cve_source openjs-cna
+$ ncu-config --global set -x openjs_cna_token "<bucket>:<hex-secret>"
+$ ncu-config --global set -x openjs_cna_worker_url "https://<your-deployment>.workers.dev"
+```
+
+- `cve_source`: `hackerone` (default) or `openjs-cna`.
+- `openjs_cna_token`: **secret**. Bearer in `bucket:secret` form (e.g.
+  `prod_nodejs:<256 hex chars>`).
+- `openjs_cna_worker_url`: The Cloudflare Worker URL for your
+  deployment.
+
+To revert to HackerOne, either delete `cve_source` or set it back to
+`hackerone`.
+
 ### `git node security --start`
 
 This command creates the Next Security Issue in Node.js private repository

lib/auth.js

@@ -107,6 +107,30 @@
       const h1 = encode(h1_username, h1_token);
       setOwnProperty(result, 'h1', h1);
       return h1;
+    },
+
+    get cna() {
+      const { openjs_cna_token, openjs_cna_worker_url } = getMergedConfig();
+      if (!openjs_cna_token || !openjs_cna_worker_url) {
+        throw new Error(
+          'OpenJS CNA credentials are not configured. Both values are secrets ' +
+          'and must be stored encrypted with the `-x` flag. Run:\n' +
+          '  ncu-config --global set -x openjs_cna_token <bucket:secret>\n' +
+          '  ncu-config --global set -x openjs_cna_worker_url <https://...workers.dev>'
+        );
+      }
+      if (!/^[a-z0-9_]+:[0-9a-f]+$/i.test(openjs_cna_token)) {
+        throw new Error(
+          'openjs_cna_token is misformatted; expected `<bucket>:<hex-secret>`'
+        );
+      }
+
+      const cna = {
+        token: openjs_cna_token,
+        worker_url: openjs_cna_worker_url.replace(/\/$/, '')
+      };
+      setOwnProperty(result, 'cna', cna);
+      return cna;
     }
   };
   if (options.github) {

lib/request.js

@@ -339,4 +339,101 @@ export default class Request {
 
     return all;
   }
+
+  // ---------------------------------------------------------------------------
+  // OpenJS Foundation CNA — github.com/UlisesGascon/openjs-cna-api-poc
+  //
+  // The Worker is a thin edge in front of `workflow_dispatch`. POST /dispatch
+  // returns a Worker-minted correlation_id; GET /runs/{id} polls until the
+  // backing workflow run completes.
+  // ---------------------------------------------------------------------------
+
+  async cnaDispatch(operation, inputs = {}) {
+    const { worker_url, token } = this.credentials.cna;
+    const url = `${worker_url}/dispatch`;
+    const options = {
+      method: 'POST',
+      headers: {
+        Authorization: `Bearer ${token}`,
+        'User-Agent': 'node-core-utils',
+        'Content-Type': 'application/json',
+        Accept: 'application/json'
+      },
+      body: JSON.stringify({ operation, inputs })
+    };
+    const response = await this.json(url, options);
+    if (response.error) {
+      throw new Error(
+        `OpenJS CNA dispatch failed (${operation}): ${response.error}`
+      );
+    }
+    return response;
+  }
+
+  async cnaPoll(correlationId) {
+    const { worker_url, token } = this.credentials.cna;
+    const url = `${worker_url}/runs/${correlationId}`;
+    const options = {
+      method: 'GET',
+      headers: {
+        Authorization: `Bearer ${token}`,
+        'User-Agent': 'node-core-utils',
+        Accept: 'application/json'
+      }
+    };
+    return this.json(url, options);
+  }
+
+  // Polls /runs/{id} until the workflow reports status === 'completed'.
+  // Throws on timeout or on a `conclusion` other than 'success'. Default
+  // timeout is generous (10 min) — publish-cve in particular has been seen
+  // to take 3-4 min during MITRE staging slowdowns.
+  async cnaWaitForCompletion(correlationId, { timeoutMs = 600_000, intervalMs = 5_000 } = {}) {
+    const deadline = Date.now() + timeoutMs;
+    while (Date.now() < deadline) {
+      const run = await this.cnaPoll(correlationId);
+      if (run.status === 'completed') {
+        if (run.conclusion !== 'success') {
+          throw new Error(
+            `OpenJS CNA run ${correlationId} concluded with ` +
+            `'${run.conclusion}'. See ${run.url} for details.`
+          );
+        }
+        return run;
+      }
+      await new Promise(resolve => setTimeout(resolve, intervalMs));
+    }
+    throw new Error(
+      `OpenJS CNA run ${correlationId} did not complete within ${timeoutMs}ms`
+    );
+  }
+
+  // Reserve a CVE id via the OpenJS CNA. /runs/{correlation_id} surfaces the
+  // operation result (e.g. `{ cve_id: "CVE-2026-..." }`) on the same response
+  // once the run completes, so the caller only needs to await this one method.
+  async cnaReserveCve(opts = {}) {
+    const dispatch = await this.cnaDispatch('reserve-cve', opts);
+    const run = await this.cnaWaitForCompletion(dispatch.correlation_id, opts);
+    return {
+      correlation_id: dispatch.correlation_id,
+      run_url: run.url,
+      run_id: run.run_id,
+      result: run.result // shape depends on the operation; reserve returns { cve_id }
+    };
+  }
+
+  // Publish a v5.2 CNA Container against an already-reserved CVE id.
+  async cnaPublishCve(cveId, cnaContainer, opts = {}) {
+    const dispatch = await this.cnaDispatch('publish-cve', {
+      cve_id: cveId,
+      cnaContainer
+    });
+    const run = await this.cnaWaitForCompletion(dispatch.correlation_id, opts);
+    return {
+      correlation_id: dispatch.correlation_id,
+      run_url: run.url,
+      run_id: run.run_id,
+      result: run.result
+    };
+  }
 }