Merge pull request #1309 from CVEProject/dr-1278

Removed Unconditionally editing of cve-id collection in cve endpoints

Author: jdaigneau5

src/controller/cve.controller/cve.controller.js

@@ -8,6 +8,8 @@ const convertDatesToISO = require('../../utils/utils').convertDatesToISO
 const isEnrichedContainer = require('../../utils/utils').isEnrichedContainer
 const url = process.env.NODE_ENV === 'staging' ? 'https://test.cve.org/' : 'https://cve.org/'
 
+const _ = require('lodash')
+
 // Helper function to create providerMetadata object
 function createProviderMetadata (orgId, shortName, updateDate) {
   return { orgId: orgId, shortName: shortName, dateUpdated: updateDate }
@@ -353,6 +355,7 @@ async function submitCve (req, res, next) {
 
     // check that cve id exists
     let result = await cveIdRepo.findOneByCveId(id)
+    const oldCveID = _.cloneDeep(result)
     if (!result || result.state === CONSTANTS.CVE_STATES.AVAILABLE) {
       return res.status(403).json(error.cveDne())
     }
@@ -364,7 +367,10 @@ async function submitCve (req, res, next) {
     }
 
     await cveRepo.updateByCveId(cveId, newCve, { upsert: true })
-    await cveIdRepo.updateByCveId(cveId, { state: state })
+
+    if (oldCveID.state !== state && (state === CONSTANTS.CVE_STATES.PUBLISHED || state === CONSTANTS.CVE_STATES.REJECTED)) {
+      await cveIdRepo.updateByCveId(cveId, { state: state })
+    }
 
     const responseMessage = {
       message: cveId + ' record was successfully created.',
@@ -416,6 +422,7 @@ async function updateCve (req, res, next) {
       logger.info(cveId + ' does not exist.')
       return res.status(403).json(error.cveDne())
     }
+    const oldCveID = _.cloneDeep(result)
 
     result = await cveRepo.findOneByCveId(cveId)
     if (!result) {
@@ -424,7 +431,9 @@ async function updateCve (req, res, next) {
     }
 
     await cveRepo.updateByCveId(cveId, newCve)
-    await cveIdRepo.updateByCveId(cveId, { state: newCveState })
+    if (oldCveID.state !== newCveState && (newCveState === CONSTANTS.CVE_STATES.PUBLISHED || newCveState === CONSTANTS.CVE_STATES.REJECTED)) {
+      await cveIdRepo.updateByCveId(cveId, { state: newCveState })
+    }
 
     const responseMessage = {
       message: cveId + ' record was successfully updated.',
@@ -757,6 +766,8 @@ async function rejectExistingCve (req, res, next) {
       result.cve.dataVersion = CONSTANTS.SCHEMA_VERSION
     }
 
+    // old cve record
+    const oldCveRecord = _.cloneDeep(result)
     // update CVE record to rejected
     const updatedRecord = Cve.updateCveToRejected(id, providerMetadata, result.cve, req.ctx.body)
     const updatedCve = new Cve({ cve: convertDatesToISO(updatedRecord, CONSTANTS.DATE_FIELDS) })
@@ -771,10 +782,12 @@ async function rejectExistingCve (req, res, next) {
       return res.status(500).json(error.unableToUpdateByCveID())
     }
 
-    // update cveID to rejected
-    result = await cveIdRepo.updateByCveId(id, { state: CONSTANTS.CVE_STATES.REJECTED })
-    if (!result) {
-      return res.status(500).json(error.serverError())
+    // update cveID to rejected only if the previous state was not already rejected
+    if (oldCveRecord.cve.cveMetadata.state !== CONSTANTS.CVE_STATES.REJECTED) {
+      result = await cveIdRepo.updateByCveId(id, { state: CONSTANTS.CVE_STATES.REJECTED })
+      if (!result) {
+        return res.status(500).json(error.serverError())
+      }
     }
 
     const responseMessage = {

test/unit-tests/cve/cveCreateTest.js

@@ -1,3 +1,4 @@
+/* eslint-disable no-unused-vars */
 const express = require('express')
 const app = express()
 const chai = require('chai')

test/unit-tests/cve/cveRecordRejectionTest.js

@@ -1,3 +1,4 @@
+/* eslint-disable no-unused-vars */
 const express = require('express')
 const app = express()
 const chai = require('chai')

test/unit-tests/cve/cveUpdateTest.js

@@ -1,3 +1,4 @@
+/* eslint-disable no-unused-vars */
 const express = require('express')
 const app = express()
 const chai = require('chai')