Merge pull request #1566 from CVEProject/5.2.0-Purl-Test

Updating Production to CVE-Services v2.6.0

Author: david-rocca

api-docs/openapi.json

@@ -1,9 +1,9 @@
 {
   "openapi": "3.0.2",
   "info": {
-    "version": "2.5.4",
+    "version": "2.6.0",
     "title": "CVE Services API",
-    "description": "The CVE Services API supports automation tooling for the CVE Program. Credentials are     required for most service endpoints. Representatives of     <a href='https://www.cve.org/ProgramOrganization/CNAs'>CVE Numbering Authorities (CNAs)</a> should     use one of the methods below to obtain credentials:    <ul><li>If your organization already has an Organizational Administrator (OA) account for the CVE     Services, ask your admin for credentials</li>     <li>Contact your Root (<a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/Google'>Google</a>,     <a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/INCIBE'>INCIBE</a>,     <a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/jpcert'>JPCERT/CC</a>, or     <a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/redhat'>Red Hat</a>) or     Top-Level Root (<a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/icscert'>CISA ICS</a>     or <a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/mitre'>MITRE</a>) to request credentials     </ul>     <p>CVE data is to be in the JSON 5.1 CVE Record format. Details of the JSON 5.1 schema are     located <a href='https://github.com/CVEProject/cve-schema/tree/v5.1.1-rc2/schema' target='_blank'>here</a>.</p>    <a href='https://cveform.mitre.org/' class='link' target='_blank'>Contact the CVE Services team</a>",
+    "description": "The CVE Services API supports automation tooling for the CVE Program. Credentials are     required for most service endpoints. Representatives of     <a href='https://www.cve.org/ProgramOrganization/CNAs'>CVE Numbering Authorities (CNAs)</a> should     use one of the methods below to obtain credentials:    <ul><li>If your organization already has an Organizational Administrator (OA) account for the CVE     Services, ask your admin for credentials</li>     <li>Contact your Root (<a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/Google'>Google</a>,     <a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/INCIBE'>INCIBE</a>,     <a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/jpcert'>JPCERT/CC</a>, or     <a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/redhat'>Red Hat</a>) or     Top-Level Root (<a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/icscert'>CISA ICS</a>     or <a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/mitre'>MITRE</a>) to request credentials     </ul>     <p>CVE data is to be in the JSON 5.2 CVE Record format. Details of the JSON 5.2 schema are     located <a href='https://github.com/CVEProject/cve-schema/releases/tag/v5.2.0' target='_blank'>here</a>.</p>    <a href='https://cveform.mitre.org/' class='link' target='_blank'>Contact the CVE Services team</a>",
     "contact": {
       "name": "CVE Services Overview",
       "url": "https://www.cve.org/AllResources/CveServices"
@@ -2974,7 +2974,6 @@
         "summary": "Checks that the system is running (accessible to all users)",
         "description": "  <h2>Access Control</h2>  <p>Endpoint is accessible to all</p>  <h2>Expected Behavior</h2>  <p>Returns a 200 response code when CVE Services are running</p>",
         "operationId": "healthCheck",
-        "parameters": [],
         "responses": {
           "200": {
             "description": "Returns a 200 response code"
@@ -5048,4 +5047,4 @@
       }
     }
   }
-}
+}

package-lock.json

@@ -1,7 +1,7 @@
 {
     "name": "cve-services",
     "author": "Automation Working Group",
-    "version": "2.5.4",
+    "version": "2.6.0",
     "license": "(CC0)",
     "devDependencies": {
         "@faker-js/faker": "^7.6.0",
@@ -27,10 +27,10 @@
         "standard": "^16.0.3"
     },
     "dependencies": {
-        "bson": "^6.10.1",
         "ajv": "^8.6.2",
         "ajv-formats": "^2.1.1",
         "argon2": "^0.41.1",
+        "bson": "^6.10.1",
         "config": "^3.3.6",
         "cors": "^2.8.5",
         "crypto-random-string": "^3.3.1",
@@ -50,6 +50,7 @@
         "mongoose-aggregate-paginate-v2": "1.0.6",
         "morgan": "^1.9.1",
         "node-dev": "^7.4.3",
+        "packageurl-js": "^2.0.1",
         "prompt-sync": "^4.2.0",
         "replace-in-file": "6.3.5",
         "replace-json-property": "^1.8.0",
@@ -60,7 +61,11 @@
         "winston": "^3.2.1",
         "yamljs": "^0.3.0"
     },
-    "overrides": { "mongo-cursor-pagination": { "bson": "^6.10.1" } },
+    "overrides": {
+        "mongo-cursor-pagination": {
+            "bson": "^6.10.1"
+        }
+    },
     "apidoc": {
         "name": "CVE-Services",
         "version": "0.0.0",
@@ -103,4 +108,4 @@
         "test:coverage-html": "NODE_ENV=test nyc --reporter=html mocha src/* --recursive --exit || true",
         "test:scripts": "NODE_ENV=development node-dev src/scripts/templateScript.js"
     }
-}
+}

package.json

@@ -1,5 +1,5 @@
 const fs = require('fs')
-const cveSchemaV5 = JSON.parse(fs.readFileSync('src/middleware/schemas/CVE_JSON_5.1.1_bundled.json'))
+const cveSchemaV5 = JSON.parse(fs.readFileSync('src/middleware/schemas/CVE_JSON_5.2.0_bundled.json'))
 
 /**
  * Return default values.
@@ -16,7 +16,7 @@ function getConstants () {
   * @lends defaults
   */
   const defaults = {
-    SCHEMA_VERSION: '5.1',
+    SCHEMA_VERSION: '5.2',
     MONGOOSE_VALIDATION: {
       Org_policies_id_quota_min: 0,
       Org_policies_id_quota_min_message: 'Org.policies.id_quota cannot be a negative number.',

src/constants/index.js

@@ -1,10 +1,11 @@
+const { PackageURL } = require('packageurl-js')
 const { body, validationResult } = require('express-validator')
 const errors = require('./error')
 const error = new errors.CveControllerError()
 const utils = require('../../utils/utils')
 const fs = require('fs')
-const RejectedSchema = JSON.parse(fs.readFileSync('src/middleware/schemas/5.1.1_rejected_cna_container.json'))
-const cnaContainerSchema = JSON.parse(fs.readFileSync('src/middleware/schemas/5.1.1_published_cna_container.json'))
+const RejectedSchema = JSON.parse(fs.readFileSync('src/middleware/schemas/5.2.0_rejected_cna_container.json'))
+const cnaContainerSchema = JSON.parse(fs.readFileSync('src/middleware/schemas/5.2.0_published_cna_container.json'))
 const logger = require('../../middleware/logger')
 const Ajv = require('ajv')
 const addFormats = require('ajv-formats')
@@ -184,6 +185,100 @@ function validateCveAdpContainerJsonSchema (req, res, next) {
   next()
 }
 
+// PURL validator middleware
+function validatePURL (pURLIndex) {
+  return body(pURLIndex).optional({ nullable: true }).bail().custom((affected) => {
+    const result = purlValidateHelper(affected)
+    return result
+  })
+}
+
+function purlValidateHelper (affected) {
+  for (const affObj of affected) {
+    const purlStr = affObj.packageURL
+
+    // If no PURL string provided, skip validation and continue through loop
+    if (!purlStr) {
+      continue
+    }
+    let purlObj
+    let parsedPurlArray
+    // Passes first validation check if PackageURL can build a PURL from the string
+    try {
+      // PURL class from PackageURL
+      purlObj = PackageURL.fromString(purlStr)
+
+      // PURL string broken up by component and store in array. Used for additional validation
+      parsedPurlArray = PackageURL.parseString(purlStr)
+    } catch (e) {
+      throw new Error(e.message + ': "' + purlStr + '"')
+    }
+
+    // PURL's with versions are not allowed
+    if (purlObj.version !== undefined) {
+      throw new Error('The PURL version component is currently not supported by the CVE schema: ' + purlStr)
+    }
+
+    // Handle qualifier cases
+    if (purlObj.qualifiers !== undefined) {
+      // Check for versions within qualifiers
+      if (Object.keys(purlObj.qualifiers).includes('vers')) {
+        throw new Error('PURL versions are currently not supported by the CVE schema: ' + purlStr)
+      }
+    }
+
+    if (parsedPurlArray[4] !== undefined) {
+      // Check for qualifier with key but no value
+      if ((Array.from(parsedPurlArray[4].values()).includes(''))) {
+        throw new Error('Qualifier keys must have a value: ' + purlStr)
+      }
+    }
+
+    // PackageURL does not properly prevent encoded ':', so check for that here
+    const encColon = /%3a/i
+    if (encColon.test(purlStr)) {
+      throw new Error('Percent-encoded colons are not allowed in a PURL: ' + purlStr)
+    }
+
+    // PackageURL does not properly account for certain Subpath situations
+    // so adding additional validation to account for them
+    // Handles PURLs that include a # but no subpath
+    if (purlObj.subpath === undefined && purlStr.includes('#')) {
+      throw new Error('Subpaths cannot be empty or contain only a /: ' + purlStr)
+    }
+
+    if (purlObj.subpath !== undefined) {
+      // Checks if any subpaths contain invalid characters
+      // Subpaths cannot be '.' or '..'
+      const parsedSubpaths = subpathHelper(parsedPurlArray[5])
+
+      if (parsedSubpaths.includes('..') || parsedSubpaths.includes('.')) {
+        throw new Error('Subpaths cannot be "." or "..": ' + purlStr)
+      }
+
+      if (parsedSubpaths.includes('')) {
+        throw new Error('Subpaths cannot be empty or contain only a /: ' + purlStr)
+      }
+    }
+  }
+  return true
+}
+
+// Parses subpaths into array, stripping leading and trailing '/'
+function subpathHelper (subpathStr) {
+  // remove leading and trailing '/'s
+  if (subpathStr[0] === '/') {
+    subpathStr = subpathStr.slice(1)
+  }
+
+  if (subpathStr[subpathStr.length - 1] === '/') {
+    subpathStr = subpathStr.slice(0, subpathStr.length - 1)
+  }
+
+  const parsedSubpaths = subpathStr.split('/')
+  return parsedSubpaths
+}
+
 module.exports = {
   parseGetParams,
   parsePostParams,
@@ -195,5 +290,7 @@ module.exports = {
   validateDescription,
   validateRejectBody,
   validateDatePublic,
-  datePublicHelper
+  datePublicHelper,
+  validatePURL,
+  purlValidateHelper
 }

src/controller/cve.controller/cve.middleware.js

@@ -4,7 +4,7 @@ const mw = require('../../middleware/middleware')
 const errorMsgs = require('../../middleware/errorMessages')
 const controller = require('./cve.controller')
 const { body, param, query } = require('express-validator')
-const { parseGetParams, parsePostParams, parseError, validateCveCnaContainerJsonSchema, validateCveAdpContainerJsonSchema, validateRejectBody, validateUniqueEnglishEntry, validateDescription, validateDatePublic } = require('./cve.middleware')
+const { parseGetParams, parsePostParams, parseError, validateCveCnaContainerJsonSchema, validateCveAdpContainerJsonSchema, validateRejectBody, validateUniqueEnglishEntry, validateDescription, validateDatePublic, validatePURL } = require('./cve.middleware')
 const getConstants = require('../../constants').getConstants
 const CONSTANTS = getConstants()
 const CHOICES = [CONSTANTS.CVE_STATES.REJECTED, CONSTANTS.CVE_STATES.PUBLISHED]
@@ -495,6 +495,7 @@ router.post('/cve/:id',
   validateUniqueEnglishEntry(['containers.cna.descriptions', 'containers.cna.rejectedReasons']),
   validateDescription(['containers.cna.rejectedReasons', 'containers.cna.descriptions', 'containers.cna.problemTypes[0].descriptions']),
   validateDatePublic(['containers.cna.datePublic']),
+  validatePURL(['containers.cna.affected']),
   param(['id']).isString().matches(CONSTANTS.CVE_ID_REGEX),
   parseError,
   parsePostParams,
@@ -581,6 +582,7 @@ router.put('/cve/:id',
   validateUniqueEnglishEntry(['containers.cna.descriptions', 'containers.cna.rejectedReasons']),
   validateDescription(['containers.cna.rejectedReasons', 'containers.cna.descriptions', 'containers.cna.problemTypes[0].descriptions']),
   validateDatePublic(['containers.cna.datePublic']),
+  validatePURL(['containers.cna.affected']),
   param(['id']).isString().matches(CONSTANTS.CVE_ID_REGEX),
   parseError,
   parsePostParams,
@@ -679,6 +681,7 @@ router.post('/cve/:id/cna',
   validateUniqueEnglishEntry('cnaContainer.descriptions'),
   validateDescription(['cnaContainer.descriptions', 'cnaContainer.problemTypes[0].descriptions']),
   validateDatePublic(['cnaContainer.datePublic']),
+  validatePURL(['cnaContainer.affected']),
   param(['id']).isString().matches(CONSTANTS.CVE_ID_REGEX),
   parseError,
   parsePostParams,
@@ -779,6 +782,7 @@ router.put('/cve/:id/cna',
   validateUniqueEnglishEntry('cnaContainer.descriptions'),
   validateDescription(['cnaContainer.descriptions', 'cnaContainer.problemTypes[0].descriptions']),
   validateDatePublic(['cnaContainer.datePublic']),
+  validatePURL(['cnaContainer.affected']),
   param(['id']).isString().matches(CONSTANTS.CVE_ID_REGEX),
   parseError,
   parsePostParams,
@@ -1049,6 +1053,7 @@ router.put('/cve/:id/adp',
   mw.onlyAdps,
   mw.trimJSONWhitespace,
   validateCveAdpContainerJsonSchema,
+  validatePURL(['adpContainer.affected']),
   param(['id']).isString().matches(CONSTANTS.CVE_ID_REGEX),
   parseError,
   parsePostParams,

src/controller/cve.controller/index.js

@@ -1,6 +1,6 @@
 const getConstants = require('../constants').getConstants
 const fs = require('fs')
-const cveSchemaV5 = JSON.parse(fs.readFileSync('src/middleware/schemas/CVE_JSON_5.1.1_bundled.json'))
+const cveSchemaV5 = JSON.parse(fs.readFileSync('src/middleware/schemas/CVE_JSON_5.2.0_bundled.json'))
 const argon2 = require('argon2')
 const logger = require('./logger')
 const Ajv = require('ajv')