Merge branch 'dev' into dr-1278

Author: jdaigneau5

api-docs/openapi.json

@@ -3,10 +3,10 @@
   "info": {
     "version": "2.5.0",
     "title": "CVE Services API",
-    "description": "The CVE Services API supports automation tooling for the CVE Program. Credentials are     required for most service endpoints. Representatives of     <a href='https://www.cve.org/ProgramOrganization/CNAs'>CVE Numbering Authorities (CNAs)</a> should     use one of the methods below to obtain credentials:    <ul><li>If your organization already has an Organizational Administrator (OA) account for the CVE     Services, ask your admin for credentials</li>     <li>Contact your Root (<a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/Google'>Google</a>,     <a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/INCIBE'>INCIBE</a>,     <a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/jpcert'>JPCERT/CC</a>, or     <a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/redhat'>Red Hat</a>) or     Top-Level Root (<a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/icscert'>CISA ICS</a>     or <a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/mitre'>MITRE</a>) to request credentials     </ul>     <p>CVE data is to be in the JSON 5.1 CVE Record format. Details of the JSON 5.1 schema are     located <a href='https://github.com/CVEProject/cve-schema/tree/5.1.1-rc2/schema' target='_blank'>here</a>.</p>    <a href='https://cveform.mitre.org/' class='link' target='_blank'>Contact the CVE Services team</a>",
+    "description": "The CVE Services API supports automation tooling for the CVE Program. Credentials are     required for most service endpoints. Representatives of     <a href='https://www.cve.org/ProgramOrganization/CNAs'>CVE Numbering Authorities (CNAs)</a> should     use one of the methods below to obtain credentials:    <ul><li>If your organization already has an Organizational Administrator (OA) account for the CVE     Services, ask your admin for credentials</li>     <li>Contact your Root (<a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/Google'>Google</a>,     <a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/INCIBE'>INCIBE</a>,     <a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/jpcert'>JPCERT/CC</a>, or     <a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/redhat'>Red Hat</a>) or     Top-Level Root (<a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/icscert'>CISA ICS</a>     or <a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/mitre'>MITRE</a>) to request credentials     </ul>     <p>CVE data is to be in the JSON 5.1 CVE Record format. Details of the JSON 5.1 schema are     located <a href='https://github.com/CVEProject/cve-schema/tree/v5.1.1-rc2/schema' target='_blank'>here</a>.</p>    <a href='https://cveform.mitre.org/' class='link' target='_blank'>Contact the CVE Services team</a>",
     "contact": {
       "name": "CVE Services Overview",
-      "url": "https://cveproject.github.io/automation-cve-services#services-overview"
+      "url": "https://www.cve.org/AllResources/CveServices"
     }
   },
   "servers": [
@@ -1323,6 +1323,9 @@
           },
           {
             "$ref": "#/components/parameters/apiSecretHeader"
+          },
+          {
+            "$ref": "#/components/parameters/erlCheck"
           }
         ],
         "responses": {
@@ -1432,6 +1435,9 @@
           },
           {
             "$ref": "#/components/parameters/apiSecretHeader"
+          },
+          {
+            "$ref": "#/components/parameters/erlCheck"
           }
         ],
         "responses": {
@@ -3036,6 +3042,15 @@
           "type": "string"
         }
       },
+      "erlCheck": {
+        "in": "query",
+        "name": "erlcheck",
+        "description": "Enables stricter validation that ensures submitted record meets enrichment data requirements. For a record to be enriched, a CVSS score and a CWE ID must be provided.",
+        "required": false,
+        "schema": {
+          "type": "boolean"
+        }
+      },
       "batch_type": {
         "in": "query",
         "name": "batch_type",

src/constants/index.js

@@ -100,7 +100,9 @@ function getConstants () {
     CVE_ID_PATTERN: cveSchemaV5.definitions.cveId.pattern,
     // Ajv's pattern validation uses the "u" (unicode) flag:
     // https://ajv.js.org/json-schema.html#pattern
-    CVE_ID_REGEX: new RegExp(cveSchemaV5.definitions.cveId.pattern, 'u')
+    CVE_ID_REGEX: new RegExp(cveSchemaV5.definitions.cveId.pattern, 'u'),
+    DATE_FIELDS: ['cveMetadata.datePublished', 'cveMetadata.dateUpdated', 'cveMetadata.dateReserved', 'providerMetadata.dateUpdated', 'datePublic', 'dateAssigned'
+    ]
   }
 
   return defaults

src/controller/cve.controller/cve.controller.js

@@ -4,6 +4,8 @@ const errors = require('./error')
 const getConstants = require('../../constants').getConstants
 const error = new errors.CveControllerError()
 const booleanIsTrue = require('../../utils/utils').booleanIsTrue
+const convertDatesToISO = require('../../utils/utils').convertDatesToISO
+const isEnrichedContainer = require('../../utils/utils').isEnrichedContainer
 const url = process.env.NODE_ENV === 'staging' ? 'https://test.cve.org/' : 'https://cve.org/'
 
 // Helper function to create providerMetadata object
@@ -331,7 +333,7 @@ async function submitCve (req, res, next) {
   const CONSTANTS = getConstants()
 
   try {
-    const newCve = new Cve({ cve: req.ctx.body })
+    const newCve = new Cve({ cve: convertDatesToISO(req.ctx.body, CONSTANTS.DATE_FIELDS) })
     const id = req.ctx.params.id
     const cveId = newCve.cve.cveMetadata.cveId
     const state = newCve.cve.cveMetadata.state
@@ -395,7 +397,8 @@ async function updateCve (req, res, next) {
   const CONSTANTS = getConstants()
 
   try {
-    const newCve = new Cve({ cve: req.ctx.body })
+    // All CVE fields are stored in UTC format, we need to check and convert dates to ISO before storing in the database.
+    const newCve = new Cve({ cve: convertDatesToISO(req.ctx.body, CONSTANTS.DATE_FIELDS) })
     const cveId = req.ctx.params.id
     const cveRepo = req.ctx.repositories.getCveRepository()
     const cveIdRepo = req.ctx.repositories.getCveIdRepository()
@@ -465,6 +468,14 @@ async function submitCna (req, res, next) {
     const orgUuid = await orgRepo.getOrgUUID(req.ctx.org)
     const userUuid = await userRepo.getUserUUID(req.ctx.user, orgUuid)
 
+    // To avoid breaking legacy behavior in the "booleanIsTrue" function, we need to check to make sure that undefined is set to false
+    let erlCheck
+    if (typeof req.query.erlcheck === 'undefined') {
+      erlCheck = false
+    } else {
+      erlCheck = booleanIsTrue(req.query.erlcheck) || false
+    }
+
     // check that cve id exists
     let result = await cveIdRepo.findOneByCveId(id)
     if (!result || result.state === CONSTANTS.CVE_STATES.AVAILABLE) {
@@ -484,10 +495,15 @@ async function submitCna (req, res, next) {
       return res.status(403).json(error.cveRecordExists())
     }
 
+    const cnaContainer = convertDatesToISO(req.ctx.body.cnaContainer, CONSTANTS.DATE_FIELDS)
+    if (erlCheck && !isEnrichedContainer(cnaContainer)) {
+      // Process the ERL check here
+      return res.status(403).json(error.erlCheckFailed())
+    }
+
     // create full cve record here
     const owningCna = await orgRepo.findOneByUUID(cveId.owning_cna)
     const assignerShortName = owningCna.short_name
-    const cnaContainer = req.ctx.body.cnaContainer
     const dateUpdated = (new Date()).toISOString()
     const additionalCveMetadataFields = {
       assignerShortName: assignerShortName,
@@ -548,6 +564,14 @@ async function updateCna (req, res, next) {
     const orgUuid = await orgRepo.getOrgUUID(req.ctx.org)
     const userUuid = await userRepo.getUserUUID(req.ctx.user, orgUuid)
 
+    // To avoid breaking legacy behavior in the "booleanIsTrue" function, we need to check to make sure that undefined is set to false
+    let erlCheck
+    if (typeof req.query.erlcheck === 'undefined') {
+      erlCheck = false
+    } else {
+      erlCheck = booleanIsTrue(req.query.erlcheck) || false
+    }
+
     // check that cve id exists
     let result = await cveIdRepo.findOneByCveId(id)
     if (!result || result.state === CONSTANTS.CVE_STATES.AVAILABLE) {
@@ -567,9 +591,14 @@ async function updateCna (req, res, next) {
       return res.status(403).json(error.cveRecordDne())
     }
 
+    const cnaContainer = convertDatesToISO(req.ctx.body.cnaContainer, CONSTANTS.DATE_FIELDS)
+    if (erlCheck && !isEnrichedContainer(cnaContainer)) {
+      // Process the ERL check here
+      return res.status(403).json(error.erlCheckFailed())
+    }
+
     // update cve record here
     const cveRecord = result.cve
-    const cnaContainer = req.ctx.body.cnaContainer
     const dateUpdated = (new Date()).toISOString()
     cveRecord.cveMetadata.dateUpdated = dateUpdated
 
@@ -664,7 +693,7 @@ async function rejectCVE (req, res, next) {
 
     const providerMetadata = createProviderMetadata(providerOrgObj.UUID, req.ctx.org, (new Date()).toISOString())
     const rejectedCve = Cve.newRejectedCve(cveIdObj, req.ctx.body, owningCnaShortName, providerMetadata)
-    const newCveObj = new Cve({ cve: rejectedCve })
+    const newCveObj = new Cve({ cve: convertDatesToISO(rejectedCve, CONSTANTS.DATE_FIELDS) })
 
     result = Cve.validateCveRecord(newCveObj.cve)
     if (!result.isValid) {
@@ -739,7 +768,7 @@ async function rejectExistingCve (req, res, next) {
     const oldCveRecord = result
     // update CVE record to rejected
     const updatedRecord = Cve.updateCveToRejected(id, providerMetadata, result.cve, req.ctx.body)
-    const updatedCve = new Cve({ cve: updatedRecord })
+    const updatedCve = new Cve({ cve: convertDatesToISO(updatedRecord, CONSTANTS.DATE_FIELDS) })
 
     result = Cve.validateCveRecord(updatedCve.cve)
     if (!result.isValid) {
@@ -851,7 +880,7 @@ async function insertAdp (req, res, next) {
       cveRecord.containers.adp.push(adpContainer)
     }
 
-    const cveModel = new Cve({ cve: cveRecord })
+    const cveModel = new Cve({ cve: convertDatesToISO(cveRecord, CONSTANTS.DATE_FIELDS) })
     result = Cve.validateCveRecord(cveModel.cve)
     if (!result.isValid) {
       logger.error(JSON.stringify({ uuid: req.ctx.uuid, message: 'CVE JSON schema validation FAILED.' }))

src/controller/cve.controller/error.js

@@ -111,6 +111,13 @@ class CveControllerError extends idrErr.IDRError {
     err.message = 'The ADP data does not begin with adpContainer.'
     return err
   }
+
+  erlCheckFailed () {
+    const err = {}
+    err.error = 'ERL_CHECK_FAILED'
+    err.message = 'The ERL check failed. The CNA container is not enriched and the ERLCheck flag is set.'
+    return err
+  }
 }
 
 module.exports = {

src/controller/cve.controller/index.js

@@ -549,7 +549,8 @@ router.post('/cve/:id/cna',
   #swagger.parameters['$ref'] = [
     '#/components/parameters/apiEntityHeader',
     '#/components/parameters/apiUserHeader',
-    '#/components/parameters/apiSecretHeader'
+    '#/components/parameters/apiSecretHeader',
+    '#/components/parameters/erlCheck'
   ]
   #swagger.requestBody = {
     description: '<h3>Notes:</h3>
@@ -620,6 +621,8 @@ router.post('/cve/:id/cna',
   mw.validateUser,
   mw.onlyCnas,
   mw.trimJSONWhitespace,
+  query().custom((query) => { return mw.validateQueryParameterNames(query, ['erlcheck']) }),
+  query(['erlcheck']).optional().isBoolean({ loose: true }).withMessage(errorMsgs.ERLCHECK),
   validateCveCnaContainerJsonSchema,
   validateUniqueEnglishEntry('cnaContainer.descriptions'),
   validateDescription(['cnaContainer.descriptions', 'cnaContainer.problemTypes[0].descriptions']),
@@ -645,7 +648,8 @@ router.put('/cve/:id/cna',
   #swagger.parameters['$ref'] = [
     '#/components/parameters/apiEntityHeader',
     '#/components/parameters/apiUserHeader',
-    '#/components/parameters/apiSecretHeader'
+    '#/components/parameters/apiSecretHeader',
+    '#/components/parameters/erlCheck'
   ]
   #swagger.requestBody = {
      description: '<h3>Notes:</h3>
@@ -717,6 +721,8 @@ router.put('/cve/:id/cna',
   mw.validateUser,
   mw.onlyCnas,
   mw.trimJSONWhitespace,
+  query().custom((query) => { return mw.validateQueryParameterNames(query, ['erlcheck']) }),
+  query(['erlcheck']).optional().isBoolean({ loose: true }).withMessage(errorMsgs.ERLCHECK),
   validateCveCnaContainerJsonSchema,
   validateUniqueEnglishEntry('cnaContainer.descriptions'),
   validateDescription(['cnaContainer.descriptions', 'cnaContainer.problemTypes[0].descriptions']),

src/middleware/errorMessages.js

@@ -10,6 +10,7 @@ module.exports = {
   COUNT_ONLY: 'Invalid count_only value. Value should be 1, true, or yes to indicate true, or 0, false, or no to indicate false',
   TIMESTAMP_FORMAT: "Bad date, or invalid timestamp format: valid format is yyyy-MM-ddTHH:mm:ss or yyyy-MM-ddTHH:mm:ssZZ:ZZ (to use '+' in timezone offset, encode as '%2B). ZZ:ZZ (if used) must be between 00:00 and 23:59.",
   CNA_MODIFIED: 'Invalid cna_modified value. Value should be 1, true, or yes to indicate true, or 0, false, or no to indicate false',
+  ERLCHECK: 'Invalid erlcheck value. Value should be 1, true, or yes to indicate true, or 0, false, or no to indicate false',
   FIRSTNAME_LENGTH: 'Invalid name.first. Name must be between 1 and 100 characters in length.',
   LASTNAME_LENGTH: 'Invalid name.last. Name must be between 1 and 100 characters in length.',
   MIDDLENAME_LENGTH: 'Invalid name.middle. Name must be between 1 and 100 characters in length.',

src/swagger.js

@@ -34,11 +34,11 @@ const doc = {
     or <a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/mitre'>MITRE</a>) to request credentials \
     </ul> \
     <p>CVE data is to be in the JSON 5.1 CVE Record format. Details of the JSON 5.1 schema are \
-    located <a href='https://github.com/CVEProject/cve-schema/tree/5.1.1-rc2/schema' target='_blank'>here</a>.</p>\
+    located <a href='https://github.com/CVEProject/cve-schema/tree/v5.1.1-rc2/schema' target='_blank'>here</a>.</p>\
     <a href='https://cveform.mitre.org/' class='link' target='_blank'>Contact the CVE Services team</a>",
     contact: {
       name: 'CVE Services Overview',
-      url: 'https://cveproject.github.io/automation-cve-services#services-overview'
+      url: 'https://www.cve.org/AllResources/CveServices'
 
     }
   },
@@ -168,6 +168,15 @@ const doc = {
           type: 'string'
         }
       },
+      erlCheck: {
+        in: 'query',
+        name: 'erlcheck',
+        description: 'Enables stricter validation that ensures submitted record meets enrichment data requirements. For a record to be enriched, a CVSS score and a CWE ID must be provided.',
+        required: false,
+        schema: {
+          type: 'boolean'
+        }
+      },
       batch_type: {
         in: 'query',
         name: 'batch_type',

src/utils/utils.js

@@ -1,6 +1,7 @@
 const Org = require('../model/org')
 const User = require('../model/user')
 const getConstants = require('../constants').getConstants
+const _ = require('lodash')
 const { DateTime } = require('luxon')
 
 async function getOrgUUID (shortName) {
@@ -123,6 +124,7 @@ function reqCtxMapping (req, keyType, keys) {
 }
 
 // Return true if boolean is 0, true, or yes, with any mix of casing
+// Please note that this function does NOT evaluate "undefined" as false. - A tired developer who lost way too much time to this.
 function booleanIsTrue (val) {
   if ((val.toString() === '1') ||
       (val.toString().toLowerCase() === 'true') ||
@@ -153,15 +155,83 @@ function toDate (val) {
   return result
 }
 
+// Covert Dates to ISO format
+function convertDatesToISO (obj, dateKeys) {
+  // Helper function to check if a value is a valid date
+  function isValidDate (value) {
+    return value instanceof Date && !isNaN(value)
+  }
+
+  // Helper function to check if a string is a valid date
+  function isStringDate (value) {
+    const date = new Date(value)
+    return !isNaN(date.getTime())
+  }
+
+  function updateDateValue (objectToUpdate, key, value) {
+    if (isValidDate(value)) {
+      _.set(objectToUpdate, key, value.toISOString())
+    } else if (typeof value === 'string' && isStringDate(value)) {
+      _.set(objectToUpdate, key, new Date(value).toISOString())
+    }
+  }
+
+  // For the top layer object
+  for (const key of dateKeys) {
+    if (_.has(obj, key)) {
+      const value = _.get(obj, key)
+      updateDateValue(obj, key, value)
+    }
+  }
+
+  // For the ADP(s)
+  if (_.has(obj, 'containers.adp')) {
+    // Use lodash for each to loop over array and check for date keys
+    _.each(obj.containers.adp, (adp) => {
+      for (const key of dateKeys) {
+        if (_.has(adp, key)) {
+          const value = _.get(adp, key)
+          updateDateValue(adp, key, value)
+        }
+      }
+    })
+  }
+  // For the CNAs
+
+  if (_.has(obj, 'containers.cna')) {
+    // Use lodash to check the containers.cna object for date keys
+    for (const key of dateKeys) {
+      if (_.has(obj.containers.cna, key)) {
+        const value = _.get(obj.containers.cna, key)
+        updateDateValue(obj.containers.cna, key, value)
+      }
+    }
+  }
+
+  return obj
+}
+
+function isEnrichedContainer (container) {
+  const hasCvss = container?.metrics?.some(item => 'cvssV4_0' in item || 'cvssV3_1' in item || 'cvssV3_0' in item || 'cvssV2_0' in item)
+  const hasCwe = container?.problemTypes?.some(pItem => pItem?.descriptions?.some(dItem => 'cweId' in dItem))
+  if (!(hasCvss && hasCwe)) {
+    return false
+  }
+  return true
+}
+
 module.exports = {
   isSecretariat,
   isBulkDownload,
   isAdmin,
   isAdminUUID,
   isSecretariatUUID,
+  isEnrichedContainer,
   getOrgUUID,
   getUserUUID,
   reqCtxMapping,
   booleanIsTrue,
-  toDate
+  toDate,
+  convertDatesToISO
+
 }