Add new subcommand for transfering CVE IDs to other CNAs

An owning CNA can transfer one of their CVE IDs to any other existing
CNA using the shortname of that CNA.

Author: mprpic

cvelib/cli.py

@@ -627,6 +627,43 @@ def undo_reject(ctx: click.Context, cve_id: str, print_raw: bool) -> None:
         print_cve_id(response_data["updated"])
 
 
+@cli.command()
+@click.argument("cve_id", callback=validate_cve)
+@click.option(
+    "-n",
+    "--new-cna",
+    required=True,
+    help="Shortname of the new owning CNA for the CVE ID.",
+)
+@click.option("--raw", "print_raw", default=False, is_flag=True, help="Print response JSON.")
+@click.pass_context
+@handle_cve_api_error
+def transfer(ctx: click.Context, cve_id: str, new_cna: str, print_raw: bool) -> None:
+    """Transfer ownership of a CVE ID to another CNA.
+
+    This command updates the owning_cna attribute of the specified CVE ID to transfer
+    ownership to another CNA organization. CNAs can only transfer CVE IDs they own.
+    """
+    if ctx.obj.interactive:
+        click.echo("You are about to transfer ownership of ", nl=False)
+        click.secho(cve_id, bold=True, nl=False)
+        click.echo(" to CNA ", nl=False)
+        click.secho(new_cna, bold=True, nl=False)
+        click.echo(".")
+        if not click.confirm("\nDo you want to continue?"):
+            click.echo("Exiting...")
+            sys.exit(0)
+        click.echo()
+
+    cve_api = ctx.obj.cve_api
+    response_data = cve_api.transfer(cve_id, new_cna)
+    if print_raw:
+        print_json_data(response_data)
+    else:
+        click.echo("Successfully transferred the following CVE:\n")
+        print_cve_id(response_data["updated"])
+
+
 @cli.command()
 @click.option(
     "-r",

cvelib/cve_api.py

@@ -289,6 +289,14 @@ def move_to_reserved(self, cve_id):
         params = {"state": self.States.RESERVED}
         return self._put(f"cve-id/{cve_id}", params=params).json()
 
+    def transfer(self, cve_id: str, new_cna: str) -> dict:
+        """Transfer ownership of a CVE ID to another CNA.
+
+        This updates the owning_cna attribute of the specified CVE ID.
+        """
+        params = {"org": new_cna}
+        return self._put(f"cve-id/{cve_id}", params=params).json()
+
     def reserve(self, count: int, random: bool, year: str) -> dict:
         """Reserve a set of CVE IDs.
 

tests/test_cli.py

@@ -556,6 +556,99 @@ def test_cve_undo_reject(move_to_reserved):
     )
 
 
+@mock.patch("cvelib.cli.CveApi.transfer")
+def test_cve_transfer(transfer):
+    cve_id = "CVE-2023-1234"
+    response = {
+        "updated": {
+            "cve_id": "CVE-2023-1234",
+            "cve_year": "2023",
+            "owning_cna": "new-cna",
+            "requested_by": {"cna": "old-cna", "user": "test@example.com"},
+            "reserved": "2021-01-14T18:35:17.469Z",
+            "state": "RESERVED",
+            "time": {"created": "2021-01-14T18:35:17.469Z", "modified": "2021-01-14T18:35:17.469Z"},
+        },
+        "message": f"{cve_id} owning_cna updated",
+    }
+
+    transfer.return_value = response
+    runner = CliRunner()
+    result = runner.invoke(cli, DEFAULT_OPTS + ["transfer", cve_id, "--new-cna", "new-cna"])
+    assert result.exit_code == 0, result.output
+    assert result.output == (
+        "Successfully transferred the following CVE:\n"
+        "\n"
+        f"{cve_id}\n"
+        "├─ State:\tRESERVED\n"
+        "├─ Owning CNA:\tnew-cna\n"
+        "├─ Reserved by:\ttest@example.com (old-cna)\n"
+        "├─ Reserved on:\tThu Jan 14 18:35:17 2021 +0000\n"
+        "└─ Updated on:\tThu Jan 14 18:35:17 2021 +0000\n"
+    )
+    transfer.assert_called_once_with(cve_id, "new-cna")
+
+
+@mock.patch("cvelib.cli.CveApi.transfer")
+def test_cve_transfer_raw_output(transfer):
+    cve_id = "CVE-2023-1234"
+    response = {
+        "updated": {
+            "cve_id": "CVE-2023-1234",
+            "owning_cna": "new-cna",
+            "state": "RESERVED",
+        },
+        "message": f"{cve_id} owning_cna updated",
+    }
+
+    transfer.return_value = response
+    runner = CliRunner()
+    result = runner.invoke(
+        cli, DEFAULT_OPTS + ["transfer", cve_id, "--new-cna", "new-cna", "--raw"]
+    )
+    assert result.exit_code == 0, result.output
+    assert json.loads(result.output) == response
+    transfer.assert_called_once_with(cve_id, "new-cna")
+
+
+@mock.patch("cvelib.cli.CveApi.transfer")
+def test_cve_transfer_interactive_confirm(transfer):
+    cve_id = "CVE-2023-1234"
+    transfer_response = {
+        "updated": {
+            "cve_id": "CVE-2023-1234",
+            "owning_cna": "new-cna",
+            "state": "RESERVED",
+        },
+        "message": f"{cve_id} owning_cna updated",
+    }
+
+    transfer.return_value = transfer_response
+    runner = CliRunner()
+    result = runner.invoke(
+        cli, DEFAULT_OPTS + ["-i", "transfer", cve_id, "--new-cna", "new-cna"], input="y\n"
+    )
+    assert result.exit_code == 0, result.output
+    assert "You are about to transfer ownership of CVE-2023-1234 to CNA new-cna" in result.output
+    assert "Do you want to continue?" in result.output
+    transfer.assert_called_once_with(cve_id, "new-cna")
+
+
+@mock.patch("cvelib.cli.CveApi.transfer")
+def test_cve_transfer_interactive_abort(transfer):
+    cve_id = "CVE-2023-1234"
+
+    runner = CliRunner()
+    result = runner.invoke(
+        cli, DEFAULT_OPTS + ["-i", "transfer", cve_id, "--new-cna", "new-cna"], input="n\n"
+    )
+    assert result.exit_code == 0, result.output
+    assert "You are about to transfer ownership of CVE-2023-1234 to CNA new-cna" in result.output
+    assert "Do you want to continue?" in result.output
+    assert "Exiting..." in result.output
+    transfer.assert_not_called()
+
+
 def test_quota():
     quota = {"id_quota": 100, "total_reserved": 10, "available": 90}
     with mock.patch("cvelib.cli.CveApi.quota") as get_quota:

tests/test_cve_api.py

@@ -107,3 +107,23 @@ def test_count_cves():
         count = cve_api.count_cves(state="published")
         get_mock.assert_called_with("cve_count", params={"state": "PUBLISHED"})
         assert count == {"totalCount": 42}
+
+
+def test_transfer():
+    with mock.patch("cvelib.cve_api.CveApi._put") as put_mock:
+        response = {
+            "updated": "CVE-2099-1234",
+            "message": "CVE-2099-1234 owning_cna updated",
+            "cve_id": "CVE-2099-1234",
+            "owning_cna": "new-cna",
+            "state": "RESERVED",
+            "requested_by": {"cna": "old-cna", "user": "test@example.com"},
+            "reserved": "2021-01-14T18:35:17.469Z",
+            "time": {"created": "2021-01-14T18:35:17.469Z", "modified": "2021-01-14T18:35:17.469Z"},
+        }
+        put_mock.return_value.json.return_value = response
+        cve_api = CveApi(username="test_user", org="test_org", api_key="test_key")
+
+        result = cve_api.transfer("CVE-2099-1234", "new-cna")
+        put_mock.assert_called_with("cve-id/CVE-2099-1234", params={"org": "new-cna"})
+        assert result == response