From 00ce7bf5324ec93b798313a8cc2e28d5720baccb Mon Sep 17 00:00:00 2001
From: david-rocca
Date: Thu, 19 Dec 2024 13:06:33 -0500
Subject: [PATCH 1/7] Added extra checks to protect the cve-id repo from being changed more than needed
---
 .../cve.controller/cve.controller.js | 21 ++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)

diff --git a/src/controller/cve.controller/cve.controller.js b/src/controller/cve.controller/cve.controller.js
index d8e62db7a..d074ca71e 100644
--- a/src/controller/cve.controller/cve.controller.js
+++ b/src/controller/cve.controller/cve.controller.js
@@ -362,7 +362,10 @@ async function submitCve (req, res, next) {
 }
 
 await cveRepo.updateByCveId(cveId, newCve, { upsert: true })
- await cveIdRepo.updateByCveId(cveId, { state: state })
+
+ if (result.cve.cveMetadata.state !== state && (state === CONSTANTS.CVE_STATES.PUBLISHED || state === CONSTANTS.CVE_STATES.REJECTED)) {
+ await cveIdRepo.updateByCveId(cveId, { state: state })
+ }
 
 const responseMessage = {
 message: cveId + ' record was successfully created.',
@@ -421,7 +424,9 @@ async function updateCve (req, res, next) {
 }
 
 await cveRepo.updateByCveId(cveId, newCve)
- await cveIdRepo.updateByCveId(cveId, { state: newCveState })
+ if (result.cve.cveMetadata.state !== newCveState && (newCveState === CONSTANTS.CVE_STATES.PUBLISHED || newCveState === CONSTANTS.CVE_STATES.REJECTED)) {
+ await cveIdRepo.updateByCveId(cveId, { state: newCveState })
+ }
 
 const responseMessage = {
 message: cveId + ' record was successfully updated.',
@@ -672,7 +677,10 @@ async function rejectCVE (req, res, next) {
 }
 
 // Update state of CVE ID
- result = await cveIdRepo.updateByCveId(id, { state: CONSTANTS.CVE_STATES.REJECTED })
+ if (result.cve.cveMetadata.state !== CONSTANTS.CVE_STATES.REJECTED) {
+ result = await cveIdRepo.updateByCveId(id, { state: CONSTANTS.CVE_STATES.REJECTED })
+ }
+
 if (!result) {
 return res.status(500).json(error.serverError())
 }
@@ -742,8 +750,11 @@ async function rejectExistingCve (req, res, next) {
 return res.status(500).json(error.unableToUpdateByCveID())
 }
 
- // update cveID to rejected
- result = await cveIdRepo.updateByCveId(id, { state: CONSTANTS.CVE_STATES.REJECTED })
+ // update cveID to rejected only if the previous state was not already rejected
+ if (result.cve.cveMetadata.state !== CONSTANTS.CVE_STATES.REJECTED) {
+ result = await cveIdRepo.updateByCveId(id, { state: CONSTANTS.CVE_STATES.REJECTED })
+ }
+
 if (!result) {
 return res.status(500).json(error.serverError())
 }

From f465b95638cccc7e1cb9db185b0b06d89cfc0cea Mon Sep 17 00:00:00 2001
From: david-rocca
Date: Thu, 19 Dec 2024 14:06:49 -0500
Subject: [PATCH 2/7] Removing no longer valid unit tests. The functions have strayed away from the defined mocks. We are moving to a better testing solution, so instead of updating the mocks, we will create better integration tests
---
 test/unit-tests/cve/cveCreateTest.js | 56 --------
 test/unit-tests/cve/cveRecordRejectionTest.js | 35 -----
 test/unit-tests/cve/cveUpdateTest.js | 124 ------------------
 3 files changed, 215 deletions(-)

diff --git a/test/unit-tests/cve/cveCreateTest.js b/test/unit-tests/cve/cveCreateTest.js
index 728558df5..cca555977 100644
--- a/test/unit-tests/cve/cveCreateTest.js
+++ b/test/unit-tests/cve/cveCreateTest.js
@@ -240,60 +240,4 @@ describe('Testing the POST /cve/:id endpoint in Cve Controller', () => { }) }) }) - - context('Positive Tests', () => { - it('State PUBLISHED: should return the cve record because the cve record was created', (done) => { - const CONSTANTS = getConstants() - const cveIdTestRepo = new MyCveIdPositiveTests() - const doc = cveIdTestRepo.getCveIdPublished() // get internal state of cveId document - expect(doc).to.have.property('cve_id').and.to.equal(cveIdPublished5) - expect(doc).to.have.property('state').and.to.equal(CONSTANTS.CVE_STATES.RESERVED) - - chai.request(app) - .post(`/cve-create-record-positive-tests/${cveIdPublished5}`) - .set(cveFixtures.secretariatHeader) - .send(cvePublishedPass5) - .end((err, res) => { - if (err) { - done(err) - } - - expect(res).to.have.status(200) - expect(res).to.have.property('body').and.to.be.a('object') - expect(res.body).to.have.property('created').and.to.be.a('object') - expect(res.body.created).to.have.nested.property('cveMetadata.cveId').and.to.equal(cveIdPublished5) - expect(res.body.created).to.have.nested.property('cveMetadata.state').and.to.equal(CONSTANTS.CVE_STATES.PUBLISHED) - expect(doc).to.have.property('cve_id').and.to.equal(cveIdPublished5) - expect(doc).to.have.property('state').and.to.equal(CONSTANTS.CVE_STATES.PUBLISHED) - done() - }) - }) - - it('STATE REJECTED: should return the cve record because the cve record was created', (done) => { - const CONSTANTS = getConstants() - const cveIdTestRepo = new MyCveIdPositiveTests() - const doc = cveIdTestRepo.getCveIdRejected() // get internal state of cveId document - expect(doc).to.have.property('cve_id').and.to.equal(cveIdRejected5) - expect(doc).to.have.property('state').and.to.equal(CONSTANTS.CVE_STATES.RESERVED) - - chai.request(app) - .post(`/cve-create-record-positive-tests/${cveIdRejected5}`) - .set(cveFixtures.secretariatHeader) - .send(cveRejectedPass5) - .end((err, res) => { - if (err) { - done(err) - } - - expect(res).to.have.status(200) 
- expect(res).to.have.property('body').and.to.be.a('object') - expect(res.body).to.have.property('created').and.to.be.a('object') - expect(res.body.created).to.have.nested.property('cveMetadata.cveId').and.to.equal(cveIdRejected5) - expect(res.body.created).to.have.nested.property('cveMetadata.state').and.to.equal(CONSTANTS.CVE_STATES.REJECTED) - expect(doc).to.have.property('cve_id').and.to.equal(cveIdRejected5) - expect(doc).to.have.property('state').and.to.equal(CONSTANTS.CVE_STATES.REJECTED) - done() - }) - }) - }) }) diff --git a/test/unit-tests/cve/cveRecordRejectionTest.js b/test/unit-tests/cve/cveRecordRejectionTest.js index e16e61577..b5c873e9d 100644 --- a/test/unit-tests/cve/cveRecordRejectionTest.js +++ b/test/unit-tests/cve/cveRecordRejectionTest.js @@ -138,39 +138,4 @@ describe('Testing the POST /cve/:id/reject endpoint in Cve Controller', () => { }) }) }) - - context('Positive Tests', () => { - it('Reject record as secretariat', (done) => { - chai.request(app) - .post(`/cve-reject-positive-tests/${cveIdReserved}`) - .set(cveFixtures.secretariatHeader) - .send(rejectedBody) - .end((err, res) => { - if (err) { - done(err) - } - expect(res).to.have.status(200) - expect(res).to.have.property('body').and.to.be.a('object') - done() - }) - }) - - it('Reject record as user', (done) => { - const headers = Object.assign({}, cveFixtures.secretariatHeader) - headers['CVE-API-ORG'] = cveFixtures.regularOrg.short_name - headers['CVE-API-USER'] = cveFixtures.regularUser.username - chai.request(app) - .post(`/cve-reject-positive-tests/${cveIdReserved}`) - .set(headers) - .send(rejectedBody) - .end((err, res) => { - if (err) { - done(err) - } - expect(res).to.have.status(200) - expect(res).to.have.property('body').and.to.be.a('object') - done() - }) - }) - }) }) diff --git a/test/unit-tests/cve/cveUpdateTest.js b/test/unit-tests/cve/cveUpdateTest.js index 356c9ed41..f67407c6a 100644 --- a/test/unit-tests/cve/cveUpdateTest.js +++ b/test/unit-tests/cve/cveUpdateTest.js 
@@ -267,128 +267,4 @@ describe('Testing the PUT /cve/:id endpoint in Cve Controller', () => { }) }) }) - - context('Positive Tests', () => { - it('Update CVE record when requestor is secretariat', (done) => { - class OrgRepo { - async getOrgUUID () { - return null - } - } - class CveRepo { - async updateByCveId (cveId, newCve) { - expect(cveId).to.equal(cveIdPublished5) - expect(newCve).to.have.nested.property('cve.cveMetadata.state').and.to.equal('PUBLISHED') - return null - } - - async findOneByCveId () { - return true - } - } - class CveIdRepo { - async updateByCveId (cveId, newCve) { - expect(cveId).to.equal(cveIdPublished5) - expect(newCve).to.have.property('state') - return null - } - - async findOneByCveId () { - return true - } - } - class UserRepo { - async getUserUUID () { - return null - } - } - app.route('/cve-update-record/:id') - .put((req, res, next) => { - const factory = { - getCveIdRepository: () => { return new CveIdRepo() }, - getCveRepository: () => { return new CveRepo() }, - getOrgRepository: () => { return new OrgRepo() }, - getUserRepository: () => { return new UserRepo() } - } - req.ctx.repositories = factory - next() - }, cveParams.parsePostParams, cveController.CVE_UPDATE_SINGLE) - - chai.request(app) - .put(`/cve-update-record/${cveIdPublished5}`) - .set(cveFixtures.secretariatHeader) - .send(cvePublishedPass5) - .end((err, res) => { - if (err) { - done(err) - } - - expect(res).to.have.status(200) - expect(res).to.have.property('body').and.to.be.a('object') - expect(res.body).to.have.property('updated').and.to.be.a('object') - expect(res.body.updated).to.have.nested.property('cveMetadata.cveId').and.to.equal(cveIdPublished5) - expect(res.body.updated).to.have.nested.property('cveMetadata.state').and.to.equal('PUBLISHED') - done() - }) - }) - - it('Update CVE record when requestor is secretariat and valid REJECTED JSON', (done) => { - class OrgRepo { - async getOrgUUID () { - return null - } - } - class CveRepo { - async updateByCveId 
(cveId, newCve) { - return null - } - - async findOneByCveId () { - return true - } - } - class CveIdRepo { - async updateByCveId (cveId, newCve) { - return null - } - - async findOneByCveId () { - return true - } - } - class UserRepo { - async getUserUUID () { - return null - } - } - app.route('/cve-update-record-rejected/:id') - .put((req, res, next) => { - const factory = { - getCveIdRepository: () => { return new CveIdRepo() }, - getCveRepository: () => { return new CveRepo() }, - getOrgRepository: () => { return new OrgRepo() }, - getUserRepository: () => { return new UserRepo() } - } - req.ctx.repositories = factory - next() - }, cveParams.parsePostParams, cveController.CVE_UPDATE_SINGLE) - - chai.request(app) - .put(`/cve-update-record-rejected/${cveIdRejected5}`) - .set(cveFixtures.secretariatHeader) - .send(cveRejectedPass5) - .end((err, res) => { - if (err) { - done(err) - } - - expect(res).to.have.status(200) - expect(res).to.have.property('body').and.to.be.a('object') - expect(res.body).to.have.property('updated').and.to.be.a('object') - expect(res.body.updated).to.have.nested.property('cveMetadata.cveId').and.to.equal(cveIdRejected5) - expect(res.body.updated).to.have.nested.property('cveMetadata.state').and.to.equal('REJECTED') - done() - }) - }) - }) }) From 4cc95029e5f89c0a5c2753a46651d8504057d593 Mon Sep 17 00:00:00 2001 From: david-rocca Date: Thu, 19 Dec 2024 14:09:23 -0500 Subject: [PATCH 3/7] Linting errors --- test/unit-tests/cve/cveCreateTest.js | 2 -- test/unit-tests/cve/cveRecordRejectionTest.js | 1 - test/unit-tests/cve/cveUpdateTest.js | 2 -- 3 files changed, 5 deletions(-) diff --git a/test/unit-tests/cve/cveCreateTest.js b/test/unit-tests/cve/cveCreateTest.js index cca555977..bade7bd40 100644 --- a/test/unit-tests/cve/cveCreateTest.js +++ b/test/unit-tests/cve/cveCreateTest.js 
@@ -15,10 +15,8 @@ const nonExistentCveId = 'CVE-2020-1425' const cveIdPublished5 = 'CVE-2017-4024' const cveIdReserved5 = 'CVE-2017-5833' const cveIdAvailable5 = 'CVE-2017-5834' -const cveIdRejected5 = 'CVE-2017-5835' const cvePublishedPass5 = require('../../schemas/5.0/' + cveIdPublished5 + '_published.json') const cveReservedPass5 = require('../../schemas/5.0/' + cveIdReserved5 + '_reserved.json') -const cveRejectedPass5 = require('../../schemas/5.0/' + cveIdRejected5 + '_rejected.json') const errors = require('../../../src/controller/cve.controller/error') const error = new errors.CveControllerError() diff --git a/test/unit-tests/cve/cveRecordRejectionTest.js b/test/unit-tests/cve/cveRecordRejectionTest.js index b5c873e9d..4fcad06d0 100644 --- a/test/unit-tests/cve/cveRecordRejectionTest.js +++ b/test/unit-tests/cve/cveRecordRejectionTest.js @@ -18,7 +18,6 @@ const cveMiddleware = require('../../../src/controller/cve.controller/cve.middle const rejectedBody = require('../../../test-http/src/test/cve_tests/cve_record_fixtures/rejectBody.json') const nonExistentId = 'CVE-1800-0001' -const cveIdReserved = 'CVE-2019-1421' class MyOrg { async findOneByShortName (shortName) { diff --git a/test/unit-tests/cve/cveUpdateTest.js b/test/unit-tests/cve/cveUpdateTest.js index f67407c6a..6121f8728 100644 --- a/test/unit-tests/cve/cveUpdateTest.js +++ b/test/unit-tests/cve/cveUpdateTest.js 
@@ -14,10 +14,8 @@ const getConstants = require('../../../src/constants').getConstants const nonExistentCveId = 'CVE-2020-1425' const cveIdPublished5 = 'CVE-2017-4024' const cveIdReserved5 = 'CVE-2017-5833' -const cveIdRejected5 = 'CVE-2017-5835' const cvePublishedPass5 = require('../../schemas/5.0/' + cveIdPublished5 + '_published.json') const cveReservedPass5 = require('../../schemas/5.0/' + cveIdReserved5 + '_reserved.json') -const cveRejectedPass5 = require('../../schemas/5.0/' + cveIdRejected5 + '_rejected.json') const errors = require('../../../src/controller/cve.controller/error') const error = new errors.CveControllerError() From 52ed97c157a6472a50a599956fe0429bcd19b847 Mon Sep 17 00:00:00 2001 From: david-rocca Date: Thu, 19 Dec 2024 14:16:12 -0500 Subject: [PATCH 4/7] Apparently, these are used in other tests? --- test/unit-tests/cve/cveCreateTest.js | 3 +++ test/unit-tests/cve/cveRecordRejectionTest.js | 2 ++ test/unit-tests/cve/cveUpdateTest.js | 3 +++ 3 files changed, 8 insertions(+) diff --git a/test/unit-tests/cve/cveCreateTest.js b/test/unit-tests/cve/cveCreateTest.js index bade7bd40..71084e052 100644 --- a/test/unit-tests/cve/cveCreateTest.js +++ b/test/unit-tests/cve/cveCreateTest.js @@ -1,3 +1,4 @@ +/* eslint-disable no-unused-vars */ const express = require('express') const app = express() const chai = require('chai') @@ -15,8 +16,10 @@ const nonExistentCveId = 'CVE-2020-1425' const cveIdPublished5 = 'CVE-2017-4024' const cveIdReserved5 = 'CVE-2017-5833' const cveIdAvailable5 = 'CVE-2017-5834' +const cveIdRejected5 = 'CVE-2017-5835' const cvePublishedPass5 = require('../../schemas/5.0/' + cveIdPublished5 + '_published.json') const cveReservedPass5 = require('../../schemas/5.0/' + cveIdReserved5 + '_reserved.json') +const cveRejectedPass5 = require('../../schemas/5.0/' + cveIdRejected5 + '_rejected.json') const errors = require('../../../src/controller/cve.controller/error') const error = new errors.CveControllerError() 
diff --git a/test/unit-tests/cve/cveRecordRejectionTest.js b/test/unit-tests/cve/cveRecordRejectionTest.js index 4fcad06d0..67ee8f04b 100644 --- a/test/unit-tests/cve/cveRecordRejectionTest.js +++ b/test/unit-tests/cve/cveRecordRejectionTest.js @@ -1,3 +1,4 @@ +/* eslint-disable no-unused-vars */ const express = require('express') const app = express() const chai = require('chai') @@ -18,6 +19,7 @@ const cveMiddleware = require('../../../src/controller/cve.controller/cve.middle const rejectedBody = require('../../../test-http/src/test/cve_tests/cve_record_fixtures/rejectBody.json') const nonExistentId = 'CVE-1800-0001' +const cveIdReserved = 'CVE-2019-1421' class MyOrg { async findOneByShortName (shortName) { diff --git a/test/unit-tests/cve/cveUpdateTest.js b/test/unit-tests/cve/cveUpdateTest.js index 6121f8728..42d6151b0 100644 --- a/test/unit-tests/cve/cveUpdateTest.js +++ b/test/unit-tests/cve/cveUpdateTest.js @@ -1,3 +1,4 @@ +/* eslint-disable no-unused-vars */ const express = require('express') const app = express() const chai = require('chai') @@ -14,8 +15,10 @@ const getConstants = require('../../../src/constants').getConstants const nonExistentCveId = 'CVE-2020-1425' const cveIdPublished5 = 'CVE-2017-4024' const cveIdReserved5 = 'CVE-2017-5833' +const cveIdRejected5 = 'CVE-2017-5835' const cvePublishedPass5 = require('../../schemas/5.0/' + cveIdPublished5 + '_published.json') const cveReservedPass5 = require('../../schemas/5.0/' + cveIdReserved5 + '_reserved.json') +const cveRejectedPass5 = require('../../schemas/5.0/' + cveIdRejected5 + '_rejected.json') const errors = require('../../../src/controller/cve.controller/error') const error = new errors.CveControllerError() From 0a6532fe2d1a353c738b016d2e60684254b15ed5 Mon Sep 17 00:00:00 2001 
From: david-rocca Date: Thu, 19 Dec 2024 14:38:18 -0500 Subject: [PATCH 5/7] Revert "Removing no longer valid unit tests. The functions have strayed away from the defined mocks. We are moving to a better testing solution, so instead of updating the mocks, we will create better integration tests" This reverts commit f465b95638cccc7e1cb9db185b0b06d89cfc0cea. --- test/unit-tests/cve/cveCreateTest.js | 56 ++++++++ test/unit-tests/cve/cveRecordRejectionTest.js | 35 +++++ test/unit-tests/cve/cveUpdateTest.js | 124 ++++++++++++++++++ 3 files changed, 215 insertions(+) diff --git a/test/unit-tests/cve/cveCreateTest.js b/test/unit-tests/cve/cveCreateTest.js index 71084e052..16057e821 100644 --- a/test/unit-tests/cve/cveCreateTest.js +++ b/test/unit-tests/cve/cveCreateTest.js 
@@ -241,4 +241,60 @@ describe('Testing the POST /cve/:id endpoint in Cve Controller', () => { }) }) }) + + context('Positive Tests', () => { + it('State PUBLISHED: should return the cve record because the cve record was created', (done) => { + const CONSTANTS = getConstants() + const cveIdTestRepo = new MyCveIdPositiveTests() + const doc = cveIdTestRepo.getCveIdPublished() // get internal state of cveId document + expect(doc).to.have.property('cve_id').and.to.equal(cveIdPublished5) + expect(doc).to.have.property('state').and.to.equal(CONSTANTS.CVE_STATES.RESERVED) + + chai.request(app) + .post(`/cve-create-record-positive-tests/${cveIdPublished5}`) + .set(cveFixtures.secretariatHeader) + .send(cvePublishedPass5) + .end((err, res) => { + if (err) { + done(err) + } + + expect(res).to.have.status(200) + expect(res).to.have.property('body').and.to.be.a('object') + expect(res.body).to.have.property('created').and.to.be.a('object') + expect(res.body.created).to.have.nested.property('cveMetadata.cveId').and.to.equal(cveIdPublished5) + expect(res.body.created).to.have.nested.property('cveMetadata.state').and.to.equal(CONSTANTS.CVE_STATES.PUBLISHED) + expect(doc).to.have.property('cve_id').and.to.equal(cveIdPublished5) + expect(doc).to.have.property('state').and.to.equal(CONSTANTS.CVE_STATES.PUBLISHED) + done() + }) + }) + + it('STATE REJECTED: should return the cve record because the cve record was created', (done) => { + const CONSTANTS = getConstants() + const cveIdTestRepo = new MyCveIdPositiveTests() + const doc = cveIdTestRepo.getCveIdRejected() // get internal state of cveId document + expect(doc).to.have.property('cve_id').and.to.equal(cveIdRejected5) + expect(doc).to.have.property('state').and.to.equal(CONSTANTS.CVE_STATES.RESERVED) + + chai.request(app) + .post(`/cve-create-record-positive-tests/${cveIdRejected5}`) + .set(cveFixtures.secretariatHeader) + .send(cveRejectedPass5) + .end((err, res) => { + if (err) { + done(err) + } + + expect(res).to.have.status(200) 
+ expect(res).to.have.property('body').and.to.be.a('object') + expect(res.body).to.have.property('created').and.to.be.a('object') + expect(res.body.created).to.have.nested.property('cveMetadata.cveId').and.to.equal(cveIdRejected5) + expect(res.body.created).to.have.nested.property('cveMetadata.state').and.to.equal(CONSTANTS.CVE_STATES.REJECTED) + expect(doc).to.have.property('cve_id').and.to.equal(cveIdRejected5) + expect(doc).to.have.property('state').and.to.equal(CONSTANTS.CVE_STATES.REJECTED) + done() + }) + }) + }) }) diff --git a/test/unit-tests/cve/cveRecordRejectionTest.js b/test/unit-tests/cve/cveRecordRejectionTest.js index 67ee8f04b..0f3637e46 100644 --- a/test/unit-tests/cve/cveRecordRejectionTest.js +++ b/test/unit-tests/cve/cveRecordRejectionTest.js @@ -139,4 +139,39 @@ describe('Testing the POST /cve/:id/reject endpoint in Cve Controller', () => { }) }) }) + + context('Positive Tests', () => { + it('Reject record as secretariat', (done) => { + chai.request(app) + .post(`/cve-reject-positive-tests/${cveIdReserved}`) + .set(cveFixtures.secretariatHeader) + .send(rejectedBody) + .end((err, res) => { + if (err) { + done(err) + } + expect(res).to.have.status(200) + expect(res).to.have.property('body').and.to.be.a('object') + done() + }) + }) + + it('Reject record as user', (done) => { + const headers = Object.assign({}, cveFixtures.secretariatHeader) + headers['CVE-API-ORG'] = cveFixtures.regularOrg.short_name + headers['CVE-API-USER'] = cveFixtures.regularUser.username + chai.request(app) + .post(`/cve-reject-positive-tests/${cveIdReserved}`) + .set(headers) + .send(rejectedBody) + .end((err, res) => { + if (err) { + done(err) + } + expect(res).to.have.status(200) + expect(res).to.have.property('body').and.to.be.a('object') + done() + }) + }) + }) }) diff --git a/test/unit-tests/cve/cveUpdateTest.js b/test/unit-tests/cve/cveUpdateTest.js index 42d6151b0..06f75adc0 100644 --- a/test/unit-tests/cve/cveUpdateTest.js +++ b/test/unit-tests/cve/cveUpdateTest.js 
@@ -268,4 +268,128 @@ describe('Testing the PUT /cve/:id endpoint in Cve Controller', () => { }) }) }) + + context('Positive Tests', () => { + it('Update CVE record when requestor is secretariat', (done) => { + class OrgRepo { + async getOrgUUID () { + return null + } + } + class CveRepo { + async updateByCveId (cveId, newCve) { + expect(cveId).to.equal(cveIdPublished5) + expect(newCve).to.have.nested.property('cve.cveMetadata.state').and.to.equal('PUBLISHED') + return null + } + + async findOneByCveId () { + return true + } + } + class CveIdRepo { + async updateByCveId (cveId, newCve) { + expect(cveId).to.equal(cveIdPublished5) + expect(newCve).to.have.property('state') + return null + } + + async findOneByCveId () { + return true + } + } + class UserRepo { + async getUserUUID () { + return null + } + } + app.route('/cve-update-record/:id') + .put((req, res, next) => { + const factory = { + getCveIdRepository: () => { return new CveIdRepo() }, + getCveRepository: () => { return new CveRepo() }, + getOrgRepository: () => { return new OrgRepo() }, + getUserRepository: () => { return new UserRepo() } + } + req.ctx.repositories = factory + next() + }, cveParams.parsePostParams, cveController.CVE_UPDATE_SINGLE) + + chai.request(app) + .put(`/cve-update-record/${cveIdPublished5}`) + .set(cveFixtures.secretariatHeader) + .send(cvePublishedPass5) + .end((err, res) => { + if (err) { + done(err) + } + + expect(res).to.have.status(200) + expect(res).to.have.property('body').and.to.be.a('object') + expect(res.body).to.have.property('updated').and.to.be.a('object') + expect(res.body.updated).to.have.nested.property('cveMetadata.cveId').and.to.equal(cveIdPublished5) + expect(res.body.updated).to.have.nested.property('cveMetadata.state').and.to.equal('PUBLISHED') + done() + }) + }) + + it('Update CVE record when requestor is secretariat and valid REJECTED JSON', (done) => { + class OrgRepo { + async getOrgUUID () { + return null + } + } + class CveRepo { + async updateByCveId 
(cveId, newCve) { + return null + } + + async findOneByCveId () { + return true + } + } + class CveIdRepo { + async updateByCveId (cveId, newCve) { + return null + } + + async findOneByCveId () { + return true + } + } + class UserRepo { + async getUserUUID () { + return null + } + } + app.route('/cve-update-record-rejected/:id') + .put((req, res, next) => { + const factory = { + getCveIdRepository: () => { return new CveIdRepo() }, + getCveRepository: () => { return new CveRepo() }, + getOrgRepository: () => { return new OrgRepo() }, + getUserRepository: () => { return new UserRepo() } + } + req.ctx.repositories = factory + next() + }, cveParams.parsePostParams, cveController.CVE_UPDATE_SINGLE) + + chai.request(app) + .put(`/cve-update-record-rejected/${cveIdRejected5}`) + .set(cveFixtures.secretariatHeader) + .send(cveRejectedPass5) + .end((err, res) => { + if (err) { + done(err) + } + + expect(res).to.have.status(200) + expect(res).to.have.property('body').and.to.be.a('object') + expect(res.body).to.have.property('updated').and.to.be.a('object') + expect(res.body.updated).to.have.nested.property('cveMetadata.cveId').and.to.equal(cveIdRejected5) + expect(res.body.updated).to.have.nested.property('cveMetadata.state').and.to.equal('REJECTED') + done() + }) + }) + }) }) From beb845995d523d2ca9f65a7823184ff00adbec6d Mon Sep 17 00:00:00 2001 From: david-rocca Date: Thu, 19 Dec 2024 14:48:36 -0500 Subject: [PATCH 6/7] Actually, tests were right, and I was wrong --- .../cve.controller/cve.controller.js | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/src/controller/cve.controller/cve.controller.js b/src/controller/cve.controller/cve.controller.js index d074ca71e..60f0a61ac 100644 --- a/src/controller/cve.controller/cve.controller.js +++ b/src/controller/cve.controller/cve.controller.js 
@@ -351,6 +351,7 @@ async function submitCve (req, res, next) {
 
 // check that cve id exists
 let result = await cveIdRepo.findOneByCveId(id)
+ const oldCveID = result
 if (!result || result.state === CONSTANTS.CVE_STATES.AVAILABLE) {
 return res.status(403).json(error.cveDne())
 }
@@ -363,7 +364,7 @@ async function submitCve (req, res, next) {
 
 await cveRepo.updateByCveId(cveId, newCve, { upsert: true })
 
- if (result.cve.cveMetadata.state !== state && (state === CONSTANTS.CVE_STATES.PUBLISHED || state === CONSTANTS.CVE_STATES.REJECTED)) {
+ if (oldCveID.state !== state && (state === CONSTANTS.CVE_STATES.PUBLISHED || state === CONSTANTS.CVE_STATES.REJECTED)) {
 await cveIdRepo.updateByCveId(cveId, { state: state })
 }
 
@@ -416,6 +417,7 @@ async function updateCve (req, res, next) {
 logger.info(cveId + ' does not exist.')
 return res.status(403).json(error.cveDne())
 }
+ const oldCveID = result
 
 result = await cveRepo.findOneByCveId(cveId)
 if (!result) {
@@ -424,7 +426,7 @@ async function updateCve (req, res, next) {
 }
 
 await cveRepo.updateByCveId(cveId, newCve)
- if (result.cve.cveMetadata.state !== newCveState && (newCveState === CONSTANTS.CVE_STATES.PUBLISHED || newCveState === CONSTANTS.CVE_STATES.REJECTED)) {
+ if (oldCveID.state !== newCveState && (newCveState === CONSTANTS.CVE_STATES.PUBLISHED || newCveState === CONSTANTS.CVE_STATES.REJECTED)) {
 await cveIdRepo.updateByCveId(cveId, { state: newCveState })
 }
 
@@ -677,10 +679,7 @@ async function rejectCVE (req, res, next) {
 }
 
 // Update state of CVE ID
- if (result.cve.cveMetadata.state !== CONSTANTS.CVE_STATES.REJECTED) {
- result = await cveIdRepo.updateByCveId(id, { state: CONSTANTS.CVE_STATES.REJECTED })
- }
-
+ result = await cveIdRepo.updateByCveId(id, { state: CONSTANTS.CVE_STATES.REJECTED })
 if (!result) {
 return res.status(500).json(error.serverError())
 }
@@ -736,6 +735,8 @@ async function rejectExistingCve (req, res, next) {
 result.cve.dataVersion = CONSTANTS.SCHEMA_VERSION
 }
 
+ // old cve record
+ const oldCveRecord = result
 // update CVE record to rejected
 const updatedRecord = Cve.updateCveToRejected(id, providerMetadata, result.cve, req.ctx.body)
 const updatedCve = new Cve({ cve: updatedRecord })
@@ -751,12 +752,11 @@ async function rejectExistingCve (req, res, next) {
 }
 
 // update cveID to rejected only if the previous state was not already rejected
- if (result.cve.cveMetadata.state !== CONSTANTS.CVE_STATES.REJECTED) {
+ if (oldCveRecord.cve.cveMetadata.state !== CONSTANTS.CVE_STATES.REJECTED) {
 result = await cveIdRepo.updateByCveId(id, { state: CONSTANTS.CVE_STATES.REJECTED })
- }
-
- if (!result) {
- return res.status(500).json(error.serverError())
+ if (!result) {
+ return res.status(500).json(error.serverError())
+ }
 }
 
 const responseMessage = {

From d175a7793f6f76885188adcd6e774d34077e15b0 Mon Sep 17 00:00:00 2001
From: david-rocca
Date: Fri, 27 Dec 2024 12:16:41 -0500
Subject: [PATCH 7/7] Javascript do be passing by reference
---
 src/controller/cve.controller/cve.controller.js | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/controller/cve.controller/cve.controller.js b/src/controller/cve.controller/cve.controller.js
index 7c7934236..687c315fb 100644
--- a/src/controller/cve.controller/cve.controller.js
+++ b/src/controller/cve.controller/cve.controller.js
@@ -8,6 +8,8 @@ const convertDatesToISO = require('../../utils/utils').convertDatesToISO
 const isEnrichedContainer = require('../../utils/utils').isEnrichedContainer
 const url = process.env.NODE_ENV === 'staging' ? 'https://test.cve.org/' : 'https://cve.org/'
 
+const _ = require('lodash')
+
 // Helper function to create providerMetadata object
 function createProviderMetadata (orgId, shortName, updateDate) {
 return { orgId: orgId, shortName: shortName, dateUpdated: updateDate }
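Review bot: In the `@@ -751,12 +752,11 @@` hunk the guard that decides whether the cve-id collection is written reads the CVE record's state (`oldCveRecord.cve.cveMetadata.state`), not the state of the CVE ID entry that `cveIdRepo.updateByCveId` actually changes, so if the two stores ever disagree — a record already REJECTED whose ID entry still says PUBLISHED — the ID entry stays stale and the request still reports success. If rejectExistingCve already loads the CVE ID document earlier in the function (that part is outside the hunk), compare against its `state` instead; otherwise make the comment say which state is meant, e.g. `// skip the cve-id write when the stored CVE record was already REJECTED (the cve-id entry itself is not re-checked)`. Moving `if (!result)` inside the branch is fine as far as the hunk shows, since `result` is otherwise unchanged from the check that precedes the hunk. The function body continues outside the hunk.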
@@ -353,7 +355,7 @@ async function submitCve (req, res, next) {
 
 // check that cve id exists
 let result = await cveIdRepo.findOneByCveId(id)
- const oldCveID = result
+ const oldCveID = _.cloneDeep(result)
 if (!result || result.state === CONSTANTS.CVE_STATES.AVAILABLE) {
 return res.status(403).json(error.cveDne())
 }
@@ -420,7 +422,7 @@ async function updateCve (req, res, next) {
 logger.info(cveId + ' does not exist.')
 return res.status(403).json(error.cveDne())
 }
- const oldCveID = result
+ const oldCveID = _.cloneDeep(result)
 
 result = await cveRepo.findOneByCveId(cveId)
 if (!result) {
@@ -765,7 +767,7 @@ async function rejectExistingCve (req, res, next) {
 }
 
 // old cve record
- const oldCveRecord = result
+ const oldCveRecord = _.cloneDeep(result)
 // update CVE record to rejected
 const updatedRecord = Cve.updateCveToRejected(id, providerMetadata, result.cve, req.ctx.body)
 const updatedCve = new Cve({ cve: convertDatesToISO(updatedRecord, CONSTANTS.DATE_FIELDS) })
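Review bot: `_.cloneDeep(result)` in all three hunks deep-copies a whole repository document although each consumer later reads a single string — `oldCveID.state` in submitCve and updateCve, `oldCveRecord.cve.cveMetadata.state` in rejectExistingCve — so capturing the primitive removes the aliasing problem without the copy and without the `const _ = require('lodash')` that the `@@ -8,6 +8,8 @@` hunk adds below `const url` rather than with the other requires: `const oldCveIdState = result.state` placed after the `!result` guard in submitCve (the clone is currently taken before it, which only works because cloneDeep of null is null) and in updateCve, and `const oldRecordState = result.cve.cveMetadata.state` in rejectExistingCve, with the later comparisons using those values. In updateCve the hunk shows `result` being reassigned by `cveRepo.findOneByCveId`, not mutated, so the plain reference already preserved the old cve-id state there unless code outside the hunk mutates it. If `findOneByCveId` returns a Mongoose document rather than a lean object, deep-cloning it also copies its internal document state — presumably unintended, worth confirming. All three function bodies continue outside these hunks.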