Releases: CVEProject/cve-services
v2.1.2-sd
What's Changed
- Resolves #802 Update boolean query parameters to accept 0,1,true,false,yes,no … by @slubar in #952
- Resolves #714 Updated POST /cve/{id}/cna to handle missing org names consistently with POST /cve/{id}/reject by @jdaigneau5 in #954
- Resolves #959 fixes HTML error in Swagger docs by @slubar in #968
- Resolves #965 fix typo in error message about timestamp format by @slubar in #971
- Resolves #885 Output JSON for 429 errors by @brettp in #973
- Resolves #960 remove uuid-apikey package due to CWE-1104 by @slubar in #970
- Resolves #706 Updated rejectCve endpoints to use the same validation as cna endpoints by @jdaigneau5 in #974
- Resolves #980 Fixed validation calls for rejecting new and existing CVEs by @jdaigneau5 in #983
- Resolves #804 provide useful error message for bad timestamps that include whitespaces by @slubar in #986
- Resolves #956 check for valid date when no timestamp is included by @slubar in #988
- Resolves #810 Updated misleading comment by @jdaigneau5 in #989
- Resolves #955 CVE record creation message shows when and where to view it by @jdaigneau5 in #991
- Resolves #591, Clarified wording of error when trying to update user to the same organization by @brettp in #992
- Resolves #907 fixes error in Swagger doc response json for GET /cve by @slubar in #997
- Resolves #838 Updated isValidUsername error message by @jdaigneau5 in #1000
- Resolves #998 adds dateUpdated to cna created CVE records by @jdaigneau5 in #999
- Resolves #608 Improved error message for creating CVE records with $ in X_ values by @jdaigneau5 in #1003
- Resolves #951 implements bulk download org role by @slubar in #1004
- Resolves #749 Updated error messages for creating and updating users and creating CVE records by @jdaigneau5 in #1005
- Resolves #887. Do not create orgs if UUID is passed. Correct error messages. by @brettp in #1007
- Bump qs and express by @dependabot in #939
- Bump minimatch and mocha by @dependabot in #936
- Updated Cve-services version numbers by @jdaigneau5 in #1023
Full Changelog: v2.1.1-sd...v2.1.2-sd
Sprint 24
What's Changed
- Resolves #998 adds dateUpdated to cna created CVE records by @jdaigneau5 in #999
- Resolves issue #887. Do not create orgs if UUID is passed. Correct error messages. by @brettp in #1007
- Resolves #951 Implements foundation for bulk download feature by @slubar in #1004
- Resolves issue #907 fixes error in Swagger doc response json for GET /cve by @slubar in #997
- Resolves #838 Updates isValidUsername error message by @jdaigneau5 in #1000
- Resolves #608 Improves error message for creating CVE records with $ in X_ values by @jdaigneau5 in #1003
- Resolves #749 Updates error messages for creating and updating users and creating CVE records by @jdaigneau5 in #1005
Full Changelog: Sprint-22-23...Sprint-24
Sprint-22-23
What's Changed
- Resolves #980 Fixed validation calls for rejecting new and existing CVEs by @jdaigneau5 in #983
- Resolves #804 provide useful error message for bad timestamps that include whites… by @slubar in #986
- Resolves #956 check for valid date when no timestamp is included by @slubar in #988
- Resolves #810 Updated misleading comment by @jdaigneau5 in #989
- Changed pull request template by @jdaigneau5 in #975
- Resolves #955 CVE record creation message shows when and where to view it by @jdaigneau5 in #991
- Resolves issue #591, Clarified wording of error when trying to update user to the same organization by @brettp in #992
Full Changelog: Sprint-21...Sprint-22-23
Sprint 21
What's Changed
- #802 Update boolean query parameters to accept 0,1,true,false,yes,no … by @slubar in #952
- Resolves #714 Updated POST /cve/{id}/cna to handle missing org names consistently with POST /cve/{id}/reject by @jdaigneau5 in #954
- #961 Bump CVE Services version number, plus doc update by @slubar in #969
- #959 fixes HTML error in Swagger docs by @slubar in #968
- #965 fix typo in error message about timestamp format by @slubar in #971
- #885 Output content-type JSON for 429 errors by @brettp in #973
- #960 remove uuid-apikey package due to CWE-1104 by @slubar in #970
- Resolves #706 Updated rejectCve endpoints to use the same validation as cna endpoints by @jdaigneau5 in #974
- Bump minimatch and mocha by @dependabot in #936
- Bump qs and express by @dependabot in #939
Full Changelog: Sprint-20...Sprint-21
v2.1.1-sd
What's Changed
- #920 Fixes pagination issue that caused missing or duplicate data by @brettp in #942
- Resolves #931 Fixes CVE v5 schema submission bug related to 'product' field by @jdaigneau5 in #935
- Resolves #715 Improves schema validation for cna and reject endpoints by @jdaigneau5 in #902
- #745 improve messaging for user update with no changes specified by @slubar in #909
- Fixed broken production API doc link by @marcruef in #910
- Merge PR for unique English language tests and improve error message by @brettp in #912
- Resolves #713 Omits requesterUserId from all CVE records by @jdaigneau5 in #916
- Resolves #697 Remove disallowed characters in endpoint calls to prevent reflected XSS by @jdaigneau5 in #921
- Resolves #785 Remove disallowed characters in query parameter names to prevent XSS reflection by @jdaigneau5 in #922
- Resolves #787 Prevents updating CVE-ID states to RESERVED if owning Org has no remaining quota by @jdaigneau5 in #926
- #908 update Swagger doc contact information by @slubar in #914
- #925 updates to Swagger docs, including removal of the term CVE ID entry by @slubar in #930
- #817 disallow invalid dates; move toDate to utils file by @slubar in #933
- Resolves #894 Cve database updates must succeed before Cve-Id database updates by @jdaigneau5 in #937
- Resolves #881 Invalid Cve Schemas Posts and Puts now return a 400 status code and corresponding errors by @jdaigneau5 in #945
- #961 Bump CVE Services version number, plus doc update by @slubar in #963
- Bump node-notifier and node-dev by @dependabot in #905
- Bump markdown-it and apidoc by @dependabot in #906
- Bump loader-utils from 2.0.3 to 2.0.4 by @dependabot in #923
- Bump loader-utils from 2.0.2 to 2.0.3 by @dependabot in #915
Full Changelog: v2.1.0-sd2...v2.1.1-sd
Sprint-20
What's Changed
- Resolves #787 Prevents updating CVE-ID states to RESERVED if owning Org has no remaining quota by @jdaigneau5 in #926
- #925 updates to Swagger docs, including removal of the term CVE ID entry by @slubar in #930
- #817 disallow invalid dates; move toDate to utils file by @slubar in #933
- Bump loader-utils from 2.0.3 to 2.0.4 by @dependabot in #923
- Resolves #931 Fixes CVE v5 schema submission bug related to 'product' field by @jdaigneau5 in #935
- Resolves #894 Cve database updates must succeed before Cve-Id database updates by @jdaigneau5 in #937
- Pull out constants into a function to prevent accidental overriding by @brettp in #934
- Resolves #920 Fixes duplicate and missing data in response from GET /cve-id and GET /cve
- #729 decode HTML entities in names prior to storing in the database and sending http response by @slubar in #943
- Resolves #881 Invalid Cve Schemas Posts and Puts now return a 400 status code and corresponding errors by @jdaigneau5 in #945
Full Changelog: Sprint-19...Sprint-20
Sprint-19
What's Changed
- Bump loader-utils from 2.0.2 to 2.0.3 by @dependabot in #915
- Resolves #697 Remove disallowed characters in endpoint calls to prevent reflected XSS by @jdaigneau5 in #921
- Resolves #785 Remove disallowed characters in query parameter names to prevent XSS reflection by @jdaigneau5 in #922
Full Changelog: Sprint-18...Sprint-19
Sprint-18
What's Changed
- Resolves #715 by @jdaigneau5 in #902
- Pull in prod-staging boilerplate. by @brettp in #904
- #745 improve messaging for user update with no changes specified by @slubar in #909
- Fixed broken production API doc link by @marcruef in #910
- #908 update contact information and point to JSON 5.0 schema informat… by @slubar in #914
- Merge PR for unique English language tests and improve error message by @brettp in #912
- Resolves #713 by @jdaigneau5 in #916
Full Changelog: v2.1.0-sd2...Sprint-18
v1.1.1 Release Notes
Release v1.1.1 of the CVE Services expands functionality of the User Registry and includes the initial Record Service that will only operate internally. The Record Service will be opened to the community in a later release.
Features
User Registry
For the community, the most significant update is the introduction of the Org Admin role. With this role, Org Admins can administer accounts for their organization: register them, deactivate/reactivate them, reset secrets, and modify general data.
Along with the autonomy allowed with the Org Admin role, general User permissions have been expanded as well. Now general Users can change their data and reset their secrets.
Finally, both Users and Org Admins alike will be able to get a list of the Users for their organization and see their organization's information. The organization information itself is quite bare at this point, but the model will expand and this functionality will become more useful.
Record Service
The initial version of the Record Service is bundled in this release but will not be open to the public. This is a first step towards transitioning CVE "source of record" functionality out of internal systems and into the CVE Services. The community should not experience any effects from this release.
Where to Learn More
The Developer Guide is a living document that steps new users through interacting with the current production release of the services.
The API for v1.1.1 is also described in the Open API 2.0 format here.
Milestones Closed this Release
Enabling the role of Org Admin for User Registry
Expanding the abilities of default Users in the system
Record Service Phase 1A MVP
Initial Release of the ID Reservation Service
Version 1.0.0 of the CVE Services was a release of the ID Reservation Service (IDR) with supporting functionality.
Features
Overall, this release enables CNAs to have accounts created with the services where they can then immediately reserve CVE IDs by making appropriate HTTP requests to the IDR, avoiding traditional avenues such as the web forms.
Internal administration features shipped with this release were supporting features for the IDR, mainly around account management: account creation, resetting user secrets, deactivating CNAs, and managing an internal limit of IDs per organization.
Where to Learn More
The Developer Guide is a living document that steps new users through interacting with the services.
The API is also described in the Open API 2.0 format here.