
Moving from our CNA to OpenJS CNA

RafaelGSS opened this issue 7 months ago • 9 comments

As recently announced by OpenJS, they now own their CNA.

I have been talking with @ruddermann over the past month about the possibility of including Node.js in the OpenJS CNA umbrella. As stated by @mcollina in the TSC channel

We are a CNA only as a defensive measure to have the final say. I trust OpenJS to be a good CNA.

I feel it would be great to fold in their CNA as well. Nothing should change from our security release process or in the automation.

RafaelGSS avatar May 28 '25 21:05 RafaelGSS

@RafaelGSS are you sure? How will we request the CVE?

mcollina avatar May 30 '25 00:05 mcollina

I'm afraid the whole automation with H1 APIs will stop working.

marco-ippolito avatar May 30 '25 06:05 marco-ippolito

It really does not cost us much to have our own CNA, so I'm not sure it's worth making a change immediately. We might see how the foundation manages being a CNA for the other projects for a little while, and if we see benefits from what is being done that would help us move over, then.

mhdawson avatar May 30 '25 18:05 mhdawson

If so it would be better to start issuing our own CVEs instead of relying on H1.

mcollina avatar May 30 '25 20:05 mcollina

I'd be cautious with changing CNAs; I'd wait a few months and figure out a few things (also technical details like how to automate the CVE lifecycle). There is no rush for us, so I'm in favor of moving, but not right now.

marco-ippolito avatar May 30 '25 21:05 marco-ippolito

Sorry if there was confusion on this, but being in the OpenJS CNA's scope doesn't force you to stop using the H1 API. You're already in the scope of your own CNA and using the H1 API.

The OpenJS CNA will soon have an API token to request CVE IDs and publish/update those CVE IDs, and there are standard tools like cvelib from Red Hat that the CNA can use to automate and control the entire end-to-end CVE process.

Y'all have a lot of experience with this kind of automation already. It'd be awesome to have Node.js folks advise on this so the OpenJS CNA can provide a service that is easy and straightforward for you to leverage. But it is not a requirement to be under the OpenJS CNA.

ruddermann avatar Jun 04 '25 00:06 ruddermann

@ruddermann, what would we need to do in order to be in the OpenJS CNA scope? Can we keep using HackerOne and its API?

Meanwhile, I'll leave this issue open but remove it from the TSC agenda so we can discuss it asynchronously.

RafaelGSS avatar Jun 12 '25 12:06 RafaelGSS

Are there concrete next steps here or is this left open just to allow for discussion? It's not clear.

jasnell avatar Jul 18 '25 17:07 jasnell

We are still discussing it on the OpenJS Security Collab space. I'll bring more details once I have them.

RafaelGSS avatar Jul 21 '25 14:07 RafaelGSS