✨ add note when a CVE is not reproducible but should be

ctcpip · ctcpip · commit 1fd37645b392 · 2024-02-15T23:37:56.000-06:00
diff --git a/security/server/index.cjs b/security/server/index.cjs
@@ -4,6 +4,7 @@ const xssApp = express();
 const port = 3333;
 const xssPort = 3334;
 const cors = require('cors');
+const chalk = require('chalk');
 
 xssApp.use(cors());
 
@@ -15,12 +16,12 @@ xssApp.get('/jqueryxss', (req, res) => {
 });
 
 xssApp.listen(xssPort, () => {
-  console.log(`listening on port ${xssPort} (xss endpoint)`);
+  console.log(chalk.magenta(`listening on port ${xssPort} (xss endpoint)`));
 });
 
 app.use(express.static('../site'));
 
 app.listen(port, () => {
-  console.log(`listening on port ${port} (test site)`);
-  console.log('\nopen http://localhost:3333 in your browser if you want to test manually');
+  console.log(chalk.cyan(`listening on port ${port} (test site)`));
+  console.log(chalk.green('\nopen http://localhost:3333 in your browser if you want to test manually\n\n'));
 });
diff --git a/security/server/package-lock.json b/security/server/package-lock.json
diff --git a/security/server/package.json b/security/server/package.json
@@ -4,6 +4,7 @@
     "serve": "node index.cjs"
   },
   "dependencies": {
+    "chalk": "^4.1.2",
     "cors": "^2.8.5",
     "express": "^4.18.2"
   }
diff --git a/security/site/main.mjs b/security/site/main.mjs
@@ -90,11 +90,11 @@ if(qsVersion) {
 else {
 
 	const sessionVersion = sessionStorage.getItem(VERSION);
-	const sessionPatched = sessionStorage.getItem(PATCHED);
+	const sessionPatched = sessionStorage.getItem(PATCHED) === 'true';
 
 	if(sessionVersion) {
 		selVersion.value = sessionVersion;
-		chkPatched.checked = sessionPatched === 'true';
+		chkPatched.checked = sessionPatched;
 	}
 
 }
@@ -165,6 +165,8 @@ function triggerCVE(cveID){
 function updateCVE(cve) {
 
 	const cveID = `CVE-${cve[0]}`;
+	const version = sessionStorage.getItem(VERSION); // use version from session/select because our CVE map doesn't have the patched versions
+	const patched = sessionStorage.getItem(PATCHED) === 'true';
 
 	const $relevantCVEFooter = $(`div.cve__header:contains(${cveID})`).siblings('.cve__footer');
 	const $footerStatus = $('.cve__footer-status', $relevantCVEFooter);
@@ -180,11 +182,19 @@ function updateCVE(cve) {
 	}
 	else {
 		$footerStatus.text(`Can't reproduce! 🎉`);
-		const v = sessionStorage.getItem(VERSION); // use version from session/select because our CVE map doesn't have the patched versions
-		if(!cve[1].versions.includes(v)) {
+
+		if(!patched) {
+
 			const $footerNote = $('.cve__footer-note', $relevantCVEFooter);
-			$footerNote.text(`(but v${v} is not vulnerable to this CVE)`);
+
+			if(cve[1].versions.includes(version)) {
+				$footerNote.text(`but v${version} should be vulnerable 🤔`);
+			}
+			else {
+				$footerNote.text(`but v${version} is not vulnerable 😺`);
+			}
 		}
+
 	}
 
 	$relevantCVEFooter.addClass('flash');
diff --git a/security/site/styles.css b/security/site/styles.css
@@ -79,7 +79,7 @@ input[type="checkbox"] {
 	background-color: var(--grey);
 	border: solid .2rem var(--blue-white);
 	margin: 2rem;
-	width: 32rem;
+	width: 30rem;
 }
 
 .cve__header {

Original file line number	Diff line number	Diff line change
`@@ -4,6 +4,7 @@`
`4`	`4`	`"serve": "node index.cjs"`
`5`	`5`	`},`
`6`	`6`	`"dependencies": {`
	`7`	`+ "chalk": "^4.1.2",`
`7`	`8`	`"cors": "^2.8.5",`
`8`	`9`	`"express": "^4.18.2"`
`9`	`10`	`}`
Original file line number	Diff line number	Diff line change
`@@ -79,7 +79,7 @@ input[type="checkbox"] {`
`79`	`79`	`background-color: var(--grey);`
`80`	`80`	`border: solid .2rem var(--blue-white);`
`81`	`81`	`margin: 2rem;`
`82`		`- width: 32rem;`
	`82`	`+ width: 30rem;`
`83`	`83`	`}`
`84`	`84`
`85`	`85`	`.cve__header {`