From 00ce7bf5324ec93b798313a8cc2e28d5720baccb Mon Sep 17 00:00:00 2001
From: david-rocca
Date: Thu, 19 Dec 2024 13:06:33 -0500
Subject: [PATCH] Added extra checks to protect the cve-id repo from being changed more than needed
---
 .../cve.controller/cve.controller.js | 21 ++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)
diff --git a/src/controller/cve.controller/cve.controller.js b/src/controller/cve.controller/cve.controller.js
index d8e62db7a..d074ca71e 100644
--- a/src/controller/cve.controller/cve.controller.js
+++ b/src/controller/cve.controller/cve.controller.js
@@ -362,7 +362,10 @@ async function submitCve (req, res, next) {
 }
 await cveRepo.updateByCveId(cveId, newCve, { upsert: true })
- await cveIdRepo.updateByCveId(cveId, { state: state })
+
+ if (result.cve.cveMetadata.state !== state && (state === CONSTANTS.CVE_STATES.PUBLISHED || state === CONSTANTS.CVE_STATES.REJECTED)) {
+ await cveIdRepo.updateByCveId(cveId, { state: state })
+ }
 const responseMessage = {
 message: cveId + ' record was successfully created.',
@@ -421,7 +424,9 @@ async function updateCve (req, res, next) {
 }
 await cveRepo.updateByCveId(cveId, newCve)
- await cveIdRepo.updateByCveId(cveId, { state: newCveState })
+ if (result.cve.cveMetadata.state !== newCveState && (newCveState === CONSTANTS.CVE_STATES.PUBLISHED || newCveState === CONSTANTS.CVE_STATES.REJECTED)) {
+ await cveIdRepo.updateByCveId(cveId, { state: newCveState })
+ }
 const responseMessage = {
 message: cveId + ' record was successfully updated.',
@@ -672,7 +677,10 @@ async function rejectCVE (req, res, next) {
 }
 // Update state of CVE ID
- result = await cveIdRepo.updateByCveId(id, { state: CONSTANTS.CVE_STATES.REJECTED })
+ if (result.cve.cveMetadata.state !== CONSTANTS.CVE_STATES.REJECTED) {
+ result = await cveIdRepo.updateByCveId(id, { state: CONSTANTS.CVE_STATES.REJECTED })
+ }
+
 if (!result) {
 return res.status(500).json(error.serverError())
 }
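Review bot: In submitCve the new guard dereferences `result.cve.cveMetadata.state` after `cveRepo.updateByCveId(cveId, newCve, { upsert: true })` has already run, and nothing in the hunk shows that `result` holds an existing record at that point. The upsert and the 'successfully created' message suggest a create path, where a prior record lookup would presumably be empty; the read would then throw after the record is stored and the CVE ID state would be left stale. Read the previous state defensively, e.g. `const previousState = result ? result.cve.cveMetadata.state : undefined`, or compare against the CVE ID document's own state, which is what the commit sets out to protect. The updateCve hunk adds the same expression and is sound only if `result` there is the stored record. Both function bodies start and end outside their hunks, so the binding of `result` needs confirming there.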
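Review bot: In rejectCVE, and again in rejectExistingCve, `result` serves both as the source of the previous state and as the outcome of the CVE ID update, so the `if (!result)` check that follows verifies nothing when the guard is skipped. In rejectExistingCve the context line above returns `error.unableToUpdateByCveID()`, which suggests `result` is by then the return value of the record update rather than the record as it stood before the request; if so, `result.cve.cveMetadata.state` is either already REJECTED (the ID update never runs) or undefined on a write-result object (the read throws). Capture the prior state before the record is written and keep the ID update in its own variable, e.g. `const idResult = await cveIdRepo.updateByCveId(id, { state: CONSTANTS.CVE_STATES.REJECTED })` followed by `if (!idResult)`. Both functions start and end outside their hunks, so what `result` holds should be confirmed against the full bodies.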
@@ -742,8 +750,11 @@ async function rejectExistingCve (req, res, next) {
 return res.status(500).json(error.unableToUpdateByCveID())
 }
- // update cveID to rejected
- result = await cveIdRepo.updateByCveId(id, { state: CONSTANTS.CVE_STATES.REJECTED })
+ // update cveID to rejected only if the previous state was not already rejected
+ if (result.cve.cveMetadata.state !== CONSTANTS.CVE_STATES.REJECTED) {
+ result = await cveIdRepo.updateByCveId(id, { state: CONSTANTS.CVE_STATES.REJECTED })
+ }
+
 if (!result) {
 return res.status(500).json(error.serverError())
 }