Added extra checks to protect the cve-id repo from being changed more…

… than needed
CVEProject · Dec 19, 2024 · 00ce7bf · 00ce7bf
1 parent c477675
commit 00ce7bf
Showing 1 changed file with 16 additions and 5 deletions.
diff --git a/src/controller/cve.controller/cve.controller.js b/src/controller/cve.controller/cve.controller.js
@@ -362,7 +362,10 @@ async function submitCve (req, res, next) {
     }
 
     await cveRepo.updateByCveId(cveId, newCve, { upsert: true })
-    await cveIdRepo.updateByCveId(cveId, { state: state })
+
+    if (result.cve.cveMetadata.state !== state && (state === CONSTANTS.CVE_STATES.PUBLISHED || state === CONSTANTS.CVE_STATES.REJECTED)) {
+      await cveIdRepo.updateByCveId(cveId, { state: state })
+    }
 
     const responseMessage = {
       message: cveId + ' record was successfully created.',
@@ -421,7 +424,9 @@ async function updateCve (req, res, next) {
     }
 
     await cveRepo.updateByCveId(cveId, newCve)
-    await cveIdRepo.updateByCveId(cveId, { state: newCveState })
+    if (result.cve.cveMetadata.state !== newCveState && (newCveState === CONSTANTS.CVE_STATES.PUBLISHED || newCveState === CONSTANTS.CVE_STATES.REJECTED)) {
+      await cveIdRepo.updateByCveId(cveId, { state: newCveState })
+    }
 
     const responseMessage = {
       message: cveId + ' record was successfully updated.',
@@ -672,7 +677,10 @@ async function rejectCVE (req, res, next) {
     }
 
     // Update state of CVE ID
-    result = await cveIdRepo.updateByCveId(id, { state: CONSTANTS.CVE_STATES.REJECTED })
+    if (result.cve.cveMetadata.state !== CONSTANTS.CVE_STATES.REJECTED) {
+      result = await cveIdRepo.updateByCveId(id, { state: CONSTANTS.CVE_STATES.REJECTED })
+    }
+
     if (!result) {
       return res.status(500).json(error.serverError())
     }
@@ -742,8 +750,11 @@ async function rejectExistingCve (req, res, next) {
       return res.status(500).json(error.unableToUpdateByCveID())
     }
 
-    // update cveID to rejected
-    result = await cveIdRepo.updateByCveId(id, { state: CONSTANTS.CVE_STATES.REJECTED })
+    // update cveID to rejected only if the previous state was not already rejected
+    if (result.cve.cveMetadata.state !== CONSTANTS.CVE_STATES.REJECTED) {
+      result = await cveIdRepo.updateByCveId(id, { state: CONSTANTS.CVE_STATES.REJECTED })
+    }
+
     if (!result) {
       return res.status(500).json(error.serverError())
     }