Merge pull request #1237 from CVEProject/jd-dev-version

Adding hot fixes from Int to Dev

api-docs/openapi.json

@@ -1,7 +1,7 @@
 {
   "openapi": "3.0.2",
   "info": {
-    "version": "2.3.0",
+    "version": "2.3.2",
     "title": "CVE Services API",
     "description": "The CVE Services API supports automation tooling for the CVE Program. Credentials are     required for most service endpoints. Representatives of     <a href='https://www.cve.org/ProgramOrganization/CNAs'>CVE Numbering Authorities (CNAs)</a> should     use one of the methods below to obtain credentials:    <ul><li>If your organization already has an Organizational Administrator (OA) account for the CVE     Services, ask your admin for credentials</li>     <li>Contact your Root (<a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/Google'>Google</a>,     <a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/INCIBE'>INCIBE</a>,     <a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/jpcert'>JPCERT/CC</a>, or     <a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/redhat'>Red Hat</a>) or     Top-Level Root (<a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/icscert'>CISA ICS</a>     or <a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/mitre'>MITRE</a>) to request credentials     </ul>     <p>CVE data is to be in the JSON 5.1 CVE Record format. Details of the JSON 5.1 schema are     located <a href='https://github.com/CVEProject/cve-schema/tree/5.1.0/schema/v5.0' target='_blank'>here</a>.</p>    <a href='https://cveform.mitre.org/' class='link' target='_blank'>Contact the CVE Services team</a>",
     "contact": {
@@ -1489,7 +1489,7 @@
           }
         },
         "requestBody": {
-          "description": "<h3>Notes:</h3>  <ul>  <li>When updating a rejected record to published, it is recommended to confirm that both the Cve-Id and CVE record are in the REJECTED state after calling this endpoint. Though very unlikely, a race condition can occur causing the two states to be out of sync. </li>  <li>**providerMetadata** is set by the server. If provided, it will be overwritten.</li>  <li>**datePublished** and **assignerShortname** are optional fields in the schema, but are set by the server. </li>  </ul>",
+          "description": "<h3>Notes:</h3>  <ul>  <li>When updating a rejected record to published, it is recommended to confirm that both the Cve-Id and CVE record are in the correct state after calling this endpoint. Though very unlikely, a race condition can occur causing the two states to be out of sync. </li>  <li>**providerMetadata** is set by the server. If provided, it will be overwritten.</li>  <li>**datePublished** and **assignerShortname** are optional fields in the schema, but are set by the server. </li>  </ul>",
           "required": true,
           "content": {
             "application/json": {

package.json

@@ -1,7 +1,7 @@
 {
     "name": "cve-services",
     "author": "Automation Working Group",
-    "version": "2.3.0",
+    "version": "2.3.1",
     "license": "(CC0)",
     "devDependencies": {
         "@faker-js/faker": "^7.6.0",

src/controller/cve.controller/cve.controller.js

@@ -566,6 +566,11 @@ async function updateCna (req, res, next) {
     const dateUpdated = (new Date()).toISOString()
     cveRecord.cveMetadata.dateUpdated = dateUpdated
 
+    // Update dataVersion to current schema version
+    if (cveRecord.dataVersion !== CONSTANTS.SCHEMA_VERSION) {
+      cveRecord.dataVersion = CONSTANTS.SCHEMA_VERSION
+    }
+
     if (cveRecord.cveMetadata.state === CONSTANTS.CVE_STATES.REJECTED) {
       delete cveRecord.cveMetadata.dateRejected
       if (!cveRecord.cveMetadata.datePublished) {
@@ -718,9 +723,15 @@ async function rejectExistingCve (req, res, next) {
 
     const providerMetadata = createProviderMetadata(providerOrgObj.UUID, req.ctx.org, (new Date()).toISOString())
 
+    // Update dataVersion to current schema version
+    if (result.cve.dataVersion !== CONSTANTS.SCHEMA_VERSION) {
+      result.cve.dataVersion = CONSTANTS.SCHEMA_VERSION
+    }
+
     // update CVE record to rejected
     const updatedRecord = Cve.updateCveToRejected(id, providerMetadata, result.cve, req.ctx.body)
     const updatedCve = new Cve({ cve: updatedRecord })
+
     result = Cve.validateCveRecord(updatedCve.cve)
     if (!result.isValid) {
       logger.error(JSON.stringify({ uuid: req.ctx.uuid, message: 'CVE JSON schema validation FAILED.' }))
@@ -786,6 +797,10 @@ async function insertAdp (req, res, next) {
     // update cve record here
     const cveRecord = result.cve
 
+    // Update dataVersion to current schema version
+    if (cveRecord.dataVersion !== CONSTANTS.SCHEMA_VERSION) {
+      cveRecord.dataVersion = CONSTANTS.SCHEMA_VERSION
+    }
     if (cveRecord.cveMetadata.state === CONSTANTS.CVE_STATES.REJECTED) {
       return res.status(403).json(error.cveRecordRejected())
     }

src/swagger.js

@@ -14,7 +14,7 @@ const rejectedCreateCVERecord = require('../schemas/cve/rejected-create-cve-exam
 /* eslint-disable no-multi-str */
 const doc = {
   info: {
-    version: '2.3.0',
+    version: '2.3.2',
     title: 'CVE Services API',
     description: "The CVE Services API supports automation tooling for the CVE Program. Credentials are \
     required for most service endpoints. Representatives of \

test/schemas/5.0/CVE-2017-4024_published.json

@@ -1,6 +1,6 @@
 {
     "dataType": "CVE_RECORD",
-    "dataVersion": "5.1",
+    "dataVersion": "5.0",
     "cveMetadata": {
         "cveId": "CVE-2017-4024",
         "assignerOrgId": "88c02595-c8f7-4864-a0e7-e09b3e1da691",

test/unit-tests/cve/cveCnaContainerUpdateTest.js

@@ -10,7 +10,6 @@ app.use(express.urlencoded({ extended: false })) // Allows us to handle url enco
 const middleware = require('../../../src/middleware/middleware')
 app.use(middleware.createCtxAndReqUUID)
 
-const nonExistentCveId = 'CVE-2020-1425'
 const cveIdPublished5 = 'CVE-2017-4024'
 const cveIdReserved = 'CVE-2017-5835'
 const url = process.env.NODE_ENV === 'staging' ? 'https://test.cve.org/' : 'https://cve.org/' // Used in updateCna response messages
@@ -150,65 +149,6 @@ app.route('/cve-cna-positive-tests/:id')
 
 describe('Testing the PUT /cve/:id/cna endpoint in Cve Controller', () => {
   context('Negative Tests', () => {
-    it('should return 400 when cveId does not exist', (done) => {
-      chai.request(app)
-        .put(`/cve-cna-negative-tests/${nonExistentCveId}`)
-        .set(cveFixtures.secretariatHeader)
-        .send(cveCnaContainerFail)
-        .end((err, res) => {
-          if (err) {
-            done(err)
-          }
-
-          expect(res).to.have.status(400)
-          expect(res).to.have.property('body').and.to.be.a('object')
-          const errObj = error.cveDne()
-          expect(res.body.error).to.equal(errObj.error)
-          expect(res.body.message).to.equal(errObj.message)
-          done()
-        })
-    })
-
-    it('should return 403 when cveId does not belong to cveId owning org', (done) => {
-      const headers = Object.assign({}, cveFixtures.secretariatHeader)
-      headers['CVE-API-ORG'] = 'cisco'
-      chai.request(app)
-        .put(`/cve-cna-negative-tests/${cveIdPublished5}`)
-        .set(headers)
-        .send(cveCnaContainerFail)
-        .end((err, res) => {
-          if (err) {
-            done(err)
-          }
-
-          expect(res).to.have.status(403)
-          expect(res).to.have.property('body').and.to.be.a('object')
-          const errObj = error.owningOrgDoesNotMatch()
-          expect(res.body.error).to.equal(errObj.error)
-          expect(res.body.message).to.equal(errObj.message)
-          done()
-        })
-    })
-
-    it('should return 403 when cve record does not exist', (done) => {
-      chai.request(app)
-        .put(`/cve-cna-negative-tests/${cveIdReserved}`)
-        .set(cveFixtures.secretariatHeader)
-        .send(cveCnaContainerFail)
-        .end((err, res) => {
-          if (err) {
-            done(err)
-          }
-
-          expect(res).to.have.status(403)
-          expect(res).to.have.property('body').and.to.be.a('object')
-          const errObj = error.cveRecordDne()
-          expect(res.body.error).to.equal(errObj.error)
-          expect(res.body.message).to.equal(errObj.message)
-          done()
-        })
-    })
-
     it('should return 400 when cve record is not valid', (done) => {
       chai.request(app)
         .put(`/cve-cna-negative-tests/${cveIdPublished5}`)

test/unit-tests/cve/insertAdpTest.js

@@ -9,6 +9,7 @@ const adpContainer = require('../../schemas/5.0/adpContainerExample.json').adpCo
 const { CVE_INSERT_ADP } = require('../../../src/controller/cve.controller/cve.controller.js')
 const errors = require('../../../src/controller/cve.controller/error.js')
 const error = new errors.CveControllerError()
+const constants = require('../../../src/constants').getConstants()
 
 const OrgRepository = require('../../../src/repositories/orgRepository.js')
 const CveIdRepository = require('../../../src/repositories/cveIdRepository.js')
@@ -182,5 +183,12 @@ describe('Testing insertAdp function', () => {
       expect(res.json.args[0][0].updated.containers.adp[adpCount - 1].affected[0].vendor).to.equal('test')
       expect(res.json.args[0][0].updated.containers.adp[adpCount - 1]).to.not.deep.equal(adpCopy2)
     })
+
+    it('Should update dataVersion to current version', async () => {
+      await CVE_INSERT_ADP(req, res, next)
+
+      expect(status.args[0][0]).to.equal(200)
+      expect(res.json.args[0][0].updated.dataVersion).to.equal(constants.SCHEMA_VERSION)
+    })
   })
 })

test/unit-tests/cve/updateCnaTest.js

@@ -0,0 +1,148 @@
+const chai = require('chai')
+const sinon = require('sinon')
+const { faker } = require('@faker-js/faker')
+const _ = require('lodash')
+const expect = chai.expect
+const cveIdPublished5 = 'CVE-2017-4024'
+const cveRecordPublished = require('../../schemas/5.0/CVE-2017-4024_published.json')
+const cnaContainer = require('../../schemas/cna-container/cna-container_pass.json')
+const { CVE_UPDATE_CNA } = require('../../../src/controller/cve.controller/cve.controller.js')
+const errors = require('../../../src/controller/cve.controller/error.js')
+const error = new errors.CveControllerError()
+const constants = require('../../../src/constants').getConstants()
+const Cve = require('../../../src/model/cve.js')
+
+const cnaUUID = faker.datatype.uuid()
+
+const stubCnaOrg = {
+  short_name: 'CnaOrg',
+  name: 'test_cna',
+  UUID: cnaUUID,
+  authority: {
+    active_roles: [
+      'CNA'
+    ]
+  }
+}
+
+const stubCnaUser = {
+  username: 'testCnaUser',
+  org_UUID: cnaUUID,
+  UUID: faker.datatype.uuid()
+}
+
+const stubCveId = {
+  requested_by: {
+    cna: 'CnaOrg',
+    user: 'testCnaUser'
+  },
+  cve_id: 'CVE-2017-4024',
+  cve_year: '2017',
+  state: 'PUBLISHED',
+  owning_cna: cnaUUID,
+  reserved: '2023-05-17T16:57:35.698Z'
+}
+
+describe('updateCna function', () => {
+  let req
+  let res
+  let next
+  let status
+  let json
+  let cveRepo
+  let cveIdRepo
+  let orgRepo
+  let userRepo
+  let getCveRepository
+  let getCveIdRepository
+  let getUserRepository
+  let getOrgRepository
+  let cveCopy
+  let cnaContainerCopy
+
+  beforeEach(() => {
+    status = sinon.stub()
+    json = sinon.spy()
+    res = { json, status }
+    next = sinon.spy()
+    status.returns(res)
+    cveCopy = _.cloneDeep(cveRecordPublished)
+    cnaContainerCopy = _.cloneDeep(cnaContainer)
+
+    sinon.stub(Cve, 'validateCveRecord').returns({ isValid: true })
+    orgRepo = { getOrgUUID: sinon.stub(), isSecretariat: sinon.stub() }
+    orgRepo.getOrgUUID.returns(stubCnaOrg.UUID)
+    orgRepo.isSecretariat.returns(false)
+    getOrgRepository = sinon.stub()
+    getOrgRepository.returns(orgRepo)
+
+    userRepo = { getUserUUID: sinon.stub() }
+    userRepo.getUserUUID.returns(stubCnaUser.UUID)
+    getUserRepository = sinon.stub()
+    getUserRepository.returns(userRepo)
+
+    cveRepo = { findOneByCveId: sinon.stub(), updateByCveId: sinon.stub() }
+    cveRepo.findOneByCveId.returns({ cve: cveCopy })
+    cveRepo.updateByCveId.returns(true)
+    getCveRepository = sinon.stub()
+    getCveRepository.returns(cveRepo)
+
+    cveIdRepo = { findOneByCveId: sinon.stub() }
+    cveIdRepo.findOneByCveId.returns(stubCveId)
+    getCveIdRepository = sinon.stub()
+    getCveIdRepository.returns(cveIdRepo)
+
+    req = {
+      ctx: {
+        org: stubCnaOrg.short_name,
+        uuid: stubCnaOrg.UUID,
+        params: {
+          id: cveIdPublished5
+        },
+        repositories: {
+          getOrgRepository,
+          getUserRepository,
+          getCveRepository,
+          getCveIdRepository
+        },
+        body: {
+          cnaContainer: cnaContainerCopy
+        }
+      }
+    }
+  })
+
+  afterEach(() => {
+    sinon.restore()
+  })
+
+  it('should return 400 when the CVE-ID does not exist', async () => {
+    cveIdRepo.findOneByCveId.returns(null)
+
+    await CVE_UPDATE_CNA(req, res, next)
+
+    expect(status.args[0][0]).to.equal(400)
+    expect(res.json.args[0][0].message).to.equal(error.cveDne().message)
+  })
+  it('should return 403 if calling user org is not secretariat and does not match CVE org, ', async () => {
+    orgRepo.getOrgUUID.returns('bad id')
+    await CVE_UPDATE_CNA(req, res, next)
+
+    expect(status.args[0][0]).to.equal(403)
+    expect(res.json.args[0][0].message).to.equal(error.owningOrgDoesNotMatch().message)
+  })
+  it('should return 400 when the CVE record does not exist', async () => {
+    cveRepo.findOneByCveId.returns(null)
+    await CVE_UPDATE_CNA(req, res, next)
+
+    expect(status.args[0][0]).to.equal(403)
+    expect(res.json.args[0][0].message).to.equal(error.cveRecordDne().message)
+  })
+  it('should update dataVersion to current schema if existing record was last updating against previous schema', async () => {
+    await CVE_UPDATE_CNA(req, res, next)
+
+    expect(status.args[0][0]).to.equal(200)
+    expect(res.json.args[0][0].message).to.include(' record was successfully updated. This submission should appear on ')
+    expect(res.json.args[0][0].updated.dataVersion).to.equal(constants.SCHEMA_VERSION)
+  })
+})