Merge pull request #1197 from CVEProject/int

Updating Test from Int with version 2.3.0
CVEProject · Mar 13, 2024 · e6227a7 · e6227a7
2 parents 6a2234b + dcdb2f0
commit e6227a7
Show file tree

Hide file tree

Showing 43 changed files with 5,871 additions and 3,962 deletions.
diff --git a/api-docs/openapi.json b/api-docs/openapi.json
@@ -1,7 +1,7 @@
 {
   "openapi": "3.0.2",
   "info": {
-    "version": "2.2.1",
+    "version": "2.3.0",
     "title": "CVE Services API",
     "description": "The CVE Services API supports automation tooling for the CVE Program. Credentials are     required for most service endpoints. Representatives of     <a href='https://www.cve.org/ProgramOrganization/CNAs'>CVE Numbering Authorities (CNAs)</a> should     use one of the methods below to obtain credentials:    <ul><li>If your organization already has an Organizational Administrator (OA) account for the CVE     Services, ask your admin for credentials</li>     <li>Contact your Root (<a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/Google'>Google</a>,     <a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/INCIBE'>INCIBE</a>,     <a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/jpcert'>JPCERT/CC</a>, or     <a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/redhat'>Red Hat</a>) or     Top-Level Root (<a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/icscert'>CISA ICS</a>     or <a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/mitre'>MITRE</a>) to request credentials     </ul>     <p>CVE data is to be in the JSON 5.0 CVE Record format. Details of the JSON 5.0 schema are     located <a href='https://github.com/CVEProject/cve-schema/tree/master/schema/v5.0' target='_blank'>here</a>.</p>    <a href='https://cveform.mitre.org/' class='link' target='_blank'>Contact the CVE Services team</a>",
     "contact": {

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,7 +1,7 @@
 {
     "name": "cve-services",
     "author": "Automation Working Group",
-    "version": "2.2.1",
+    "version": "2.3.0",
     "license": "(CC0)",
     "devDependencies": {
         "@faker-js/faker": "^7.6.0",

diff --git a/schemas/cve/update-full-cve-record-response.json b/schemas/cve/update-full-cve-record-response.json
@@ -98,9 +98,6 @@
                                             "name": {
                                                 "type": "string"
                                             },
-                                            "refsource": {
-                                                "type": "string"
-                                            },
                                             "url": {
                                                 "type": "string"
                                             }

diff --git a/src/constants/index.js b/src/constants/index.js
@@ -1,5 +1,5 @@
 const fs = require('fs')
-const cveSchemaV5 = JSON.parse(fs.readFileSync('src/middleware/5.0_bundled_schema.json'))
+const cveSchemaV5 = JSON.parse(fs.readFileSync('src/middleware/schemas/CVE_JSON_5.1_bundled.json'))
 
 /**
  * Return default values.
@@ -16,6 +16,7 @@ function getConstants () {
   * @lends defaults
   */
   const defaults = {
+    SCHEMA_VERSION: '5.1',
     MONGOOSE_VALIDATION: {
       Org_policies_id_quota_min: 0,
       Org_policies_id_quota_min_message: 'Org.policies.id_quota cannot be a negative number.',

diff --git a/src/controller/cve.controller/cve.middleware.js b/src/controller/cve.controller/cve.middleware.js
@@ -3,8 +3,8 @@ const errors = require('./error')
 const error = new errors.CveControllerError()
 const utils = require('../../utils/utils')
 const fs = require('fs')
-const RejectedSchema = JSON.parse(fs.readFileSync('src/middleware/Reject_5.0_Schema.json'))
-const cnaContainerSchema = JSON.parse(fs.readFileSync('src/controller/cve.controller/cna_container_schema.json'))
+const RejectedSchema = JSON.parse(fs.readFileSync('src/middleware/schemas/5.1_rejected_cna_container.json'))
+const cnaContainerSchema = JSON.parse(fs.readFileSync('src/middleware/schemas/5.1_published_cna_container.json'))
 const logger = require('../../middleware/logger')
 const Ajv = require('ajv')
 const addFormats = require('ajv-formats')

diff --git a/src/middleware/5.0_bundled_schema.json b/src/middleware/5.0_bundled_schema.json
diff --git a/src/middleware/Reject_5.0_Schema.json b/src/middleware/Reject_5.0_Schema.json
@@ -147,10 +147,17 @@
                     "$ref": "#/definitions/providerMetadata"
                 },
                 "rejectedReasons": {
+                    "description": "Reasons for rejecting this CVE Record.",
                     "$ref": "#/definitions/rejectedReasons"
                 },
                 "replacedBy": {
-                    "$ref": "#/definitions/replacedBy"
+                    "type": "array",
+                    "description": "Contains an array of CVE IDs that this CVE ID was rejected in favor of because this CVE ID was assigned to the vulnerabilities.",
+                    "minItems": 1,
+                    "uniqueItems": true,
+                    "items": {
+                        "$ref": "#/definitions/cveId"
+                    }
                 }
             },
             "required": [
@@ -162,5 +169,8 @@
             "additionalProperties": false
         }
     },
+    "required": [
+        "cnaContainer"
+    ],
     "additionalProperties": false
 }
diff --git a/src/middleware/middleware.js b/src/middleware/middleware.js
@@ -1,11 +1,11 @@
 const getConstants = require('../constants').getConstants
 const fs = require('fs')
-const cveSchemaV5 = JSON.parse(fs.readFileSync('src/middleware/5.0_bundled_schema.json'))
+const cveSchemaV5 = JSON.parse(fs.readFileSync('src/middleware/schemas/CVE_JSON_5.1_bundled.json'))
 const argon2 = require('argon2')
 const logger = require('./logger')
 const Ajv = require('ajv')
 const addFormats = require('ajv-formats')
-const ajv = new Ajv({ allErrors: true })
+const ajv = new Ajv({ allErrors: false })
 addFormats(ajv)
 const validate = ajv.compile(cveSchemaV5)
 const uuid = require('uuid')
@@ -309,9 +309,14 @@ async function cnaMustOwnID (req, res, next) {
 }
 
 function validateCveJsonSchema (req, res, next) {
+  const CONSTANTS = getConstants()
   const cve = req.body
-  const cveVersion = cve.dataVersion
   let cveState = cve.cveMetadata
+
+  if (!cve.dataVersion) {
+    cve.dataVersion = CONSTANTS.SCHEMA_VERSION
+  }
+
   if (cveState === undefined) {
     logger.error(JSON.stringify({ uuid: req.ctx.uuid, message: 'CVE JSON schema validation FAILED.' }))
     return res.status(400).json(error.invalidJsonSchema(['instance.cveMetadata is not defined']))
@@ -321,16 +326,11 @@ function validateCveJsonSchema (req, res, next) {
   logger.info({ uuid: req.ctx.uuid, message: 'Validating CVE JSON schema.' })
   let result
 
-  if (cveVersion === '5.0') {
-    if (['PUBLISHED', 'RESERVED', 'REJECTED'].includes(cveState)) {
-      result = validate(cve)
-    } else {
-      logger.error(JSON.stringify({ uuid: req.ctx.uuid, message: 'CVE JSON schema validation FAILED.' }))
-      return res.status(400).json(error.invalidJsonSchema(['instance.cveMetadata.state is not one of enum values']))
-    }
+  if (['PUBLISHED', 'RESERVED', 'REJECTED'].includes(cveState)) {
+    result = validate(cve)
   } else {
     logger.error(JSON.stringify({ uuid: req.ctx.uuid, message: 'CVE JSON schema validation FAILED.' }))
-    return res.status(400).json(error.invalidJsonSchema(['instance.dataVersion is not one of enum values']))
+    return res.status(400).json(error.invalidJsonSchema(['instance.cveMetadata.state is not one of enum values']))
   }
 
   if (result) {