Merge pull request CVEProject#1042 from CVEProject/dev

Update Int from Dev with Sprint 26

api-docs/openapi.json

@@ -11,7 +11,7 @@
   },
   "servers": [
     {
-      "url": "https://cveawg-int.mitre.org/api"
+      "url": "https://cveawg-dev.mitre.org/api"
     }
   ],
   "paths": {
@@ -989,6 +989,7 @@
           }
         },
         "requestBody": {
+          "description": "Note: providerMetadata is set by the server. If provided, it will be overwritten.",
           "required": true,
           "content": {
             "application/json": {
@@ -1089,6 +1090,7 @@
           }
         },
         "requestBody": {
+          "description": "Note: providerMetadata is set by the server. If provided, it will be overwritten.",
           "required": true,
           "content": {
             "application/json": {
@@ -1191,6 +1193,7 @@
           }
         },
         "requestBody": {
+          "description": "Note: providerMetadata is set by the server. If provided, it will be overwritten.",
           "required": true,
           "content": {
             "application/json": {
@@ -1291,6 +1294,7 @@
           }
         },
         "requestBody": {
+          "description": "Note: providerMetadata is set by the server. If provided, it will be overwritten.",
           "required": true,
           "content": {
             "application/json": {
@@ -2418,9 +2422,7 @@
           "type": "string",
           "enum": [
             "CNA",
-            "SECRETARIAT",
-            "ROOT_CNA",
-            "ADP"
+            "SECRETARIAT"
           ]
         }
       },
@@ -2433,9 +2435,7 @@
           "type": "string",
           "enum": [
             "CNA",
-            "SECRETARIAT",
-            "ROOT_CNA",
-            "ADP"
+            "SECRETARIAT"
           ]
         }
       },
@@ -2566,10 +2566,15 @@
       "cveIdGetFilteredState": {
         "in": "query",
         "name": "state",
-        "description": "Filter by state [RESERVED, PUBLISHED, REJECTED]",
+        "description": "Filter by state ",
         "required": false,
         "schema": {
-          "type": "string"
+          "type": "string",
+          "enum": [
+            "RESERVED",
+            "PUBLISHED",
+            "REJECTED"
+          ]
         }
       },
       "cveIdGetFilteredCveIdYear": {
@@ -2584,7 +2589,7 @@
       "cveIdGetFilteredTimeReservedLt": {
         "in": "query",
         "name": "time_reserved.lt",
-        "description": "Most recent reserved timestamp to retrieve. Include with all requests potentially returning multiple pages of CVE IDs to avoid issues if new IDs are reserved during use.",
+        "description": "Most recent reserved timestamp to retrieve. Include with all requests potentially returning multiple pages of CVE IDs to avoid issues if new IDs are reserved during use. <br><br> <i>Timestamp format</i> : yyyy-MM-ddTHH:mm:ssZZZZ",
         "required": false,
         "schema": {
           "type": "string",
@@ -2594,7 +2599,7 @@
       "cveIdGetFilteredTimeReservedGt": {
         "in": "query",
         "name": "time_reserved.gt",
-        "description": "Earliest CVE ID reserved timestamp to retrieve",
+        "description": "Earliest CVE ID reserved timestamp to retrieve <br><br> <i>Timestamp format</i> : yyyy-MM-ddTHH:mm:ssZZZZ",
         "required": false,
         "schema": {
           "type": "string",
@@ -2604,7 +2609,7 @@
       "cveIdGetFilteredTimeModifiedLt": {
         "in": "query",
         "name": "time_modified.lt",
-        "description": "Most recent modified timestamp to retrieve. Include with all requests using a time_modified.gt filter potentially returning multiple pages of CVE IDs. This will avoid issues if IDs are reserved or modified during use.",
+        "description": "Most recent modified timestamp to retrieve. Include with all requests using a time_modified.gt filter potentially returning multiple pages of CVE IDs. This will avoid issues if IDs are reserved or modified during use.<br><br> <i>Timestamp format</i> : yyyy-MM-ddTHH:mm:ssZZZZ",
         "required": false,
         "schema": {
           "type": "string",
@@ -2614,7 +2619,7 @@
       "cveIdGetFilteredTimeModifiedGt": {
         "in": "query",
         "name": "time_modified.gt",
-        "description": "Earliest CVE ID modified timestamp to retrieve",
+        "description": "Earliest CVE ID modified timestamp to retrieve <br><br> <i>Timestamp format</i> : yyyy-MM-ddTHH:mm:ssZZZZ",
         "required": false,
         "schema": {
           "type": "string",
@@ -2624,7 +2629,7 @@
       "cveRecordFilteredTimeModifiedLt": {
         "in": "query",
         "name": "time_modified.lt",
-        "description": "Most recent CVE record modified timestamp to retrieve",
+        "description": "Most recent CVE record modified timestamp to retrieve <br><br> <i>Timestamp format</i> : yyyy-MM-ddTHH:mm:ssZZZZ",
         "required": false,
         "schema": {
           "type": "string",
@@ -2634,7 +2639,7 @@
       "cveRecordFilteredTimeModifiedGt": {
         "in": "query",
         "name": "time_modified.gt",
-        "description": "Earliest CVE record modified timestamp to retrieve",
+        "description": "Earliest CVE record modified timestamp to retrieve <br><br> <i>Timestamp format</i> : yyyy-MM-ddTHH:mm:ssZZZZ",
         "required": false,
         "schema": {
           "type": "string",
@@ -2710,7 +2715,7 @@
       "newUsername": {
         "in": "query",
         "name": "new_username",
-        "description": "The new username for the user, preferably the user's email address. Must be 3-50 characters in length; allowed characters are alphanumberic and -_@.",
+        "description": "The new username for the user, preferably the user's email address. Must be 3-128 characters in length; allowed characters are alphanumeric and -_@.",
         "required": false,
         "schema": {
           "type": "string"
@@ -2719,7 +2724,7 @@
       "org": {
         "in": "query",
         "name": "org",
-        "description": "The new owning_cna for the CVE ID",
+        "description": "The shortname of the new owning_cna for the CVE ID",
         "required": false,
         "schema": {
           "type": "string"
@@ -2769,7 +2774,11 @@
         "description": "The new state for the CVE ID",
         "required": false,
         "schema": {
-          "type": "string"
+          "type": "string",
+          "enum": [
+            "RESERVED",
+            "REJECTED"
+          ]
         }
       }
     },

schemas/cve/create-cve-record-rejection-request.json

@@ -2,12 +2,14 @@
     "$schema": "http://json-schema.org/draft-04/schema",
     "type": "object",
     "required": [
-        "cnaContainer",
-        "rejectedReasons"
+        "cnaContainer"
     ],
     "properties": {
         "cnaContainer": {
             "type": "object",
+            "required": [
+                "rejectedReasons"
+            ],
             "properties": {
                 "providerMetadata": {
                     "type": "object",

schemas/cve/cve-record-minimum-request.json

@@ -1,13 +1,13 @@
 {
     "$schema": "http://json-schema.org/draft-04/schema",
     "type": "object",
+    "required":["cnaContainer"],
     "properties": {
         "cnaContainer": {
             "type": "object",
             "required": [
                 "affected",
                 "descriptions",
-                "providerMetadata",
                 "references"
             ],
             "properties": {

schemas/cve/update-cve-record-rejection-request.json

@@ -2,12 +2,14 @@
     "$schema": "http://json-schema.org/draft-04/schema",
     "type": "object",
     "required": [
-        "cnaContainer",
-        "rejectedReasons"
+        "cnaContainer"
     ],
     "properties": {
         "cnaContainer": {
             "type": "object",
+            "required": [
+                "rejectedReasons"
+            ],
             "properties": {
                 "providerMetadata": {
                     "type": "object",

schemas/user/create-user-request.json

@@ -4,7 +4,7 @@
   "properties": {
     "username": {
       "type": "string",
-      "description": "Preferably the user's email address. Must be 3-50 characters in length; allowed characters are alphanumberic and -_@."
+      "description": "Preferably the user's email address. Must be 3-128 characters in length; allowed characters are alphanumeric and -_@."
     },
     "name": {
       "type": "object",

src/controller/cve-id.controller/error.js

@@ -48,7 +48,7 @@ class CveIdControllerError extends idrErr.IDRError {
   noBatchType () { // cve-id
     const err = {}
     err.error = 'NO_BATCH_TYPE'
-    err.message = 'The batch_type query parameter must be specified when reserving more than one CVE ID [sequential, nonsequential || non-sequential].'
+    err.message = 'The batch_type query parameter must be specified when reserving more than one CVE ID. Available values are: sequential, nonsequential, non-sequential.'
     return err
   }
 
@@ -70,7 +70,7 @@ class CveIdControllerError extends idrErr.IDRError {
   invalidBatchType () { // cve-id
     const err = {}
     err.error = 'INVALID_BATCH_TYPE'
-    err.message = 'The batch_type provided is invalid [null when amount=1, sequential, nonsequential||non-sequential].'
+    err.message = 'The batch_type provided is invalid. Available values are sequential, nonsequential, non-sequential.'
     return err
   }
 

src/controller/cve-id.controller/index.js

@@ -87,7 +87,7 @@ router.get('/cve-id',
   mw.validateUser,
   query().custom((query) => { return mw.validateQueryParameterNames(query, ['page', 'state', 'cve_id_year', 'time_reserved.lt', 'time_reserved.gt', 'time_modified.lt', 'time_modified.gt']) }),
   query(['page']).optional().isInt({ min: CONSTANTS.PAGINATOR_PAGE }),
-  query(['state']).optional().isString().trim().escape().customSanitizer(val => { return val.toUpperCase() }).isIn(CHOICES),
+  query(['state']).optional().isString().trim().escape().customSanitizer(val => { return val.toUpperCase() }).isIn(CHOICES).withMessage(errorMsgs.ID_STATES),
   query(['cve_id_year']).optional().isNumeric().matches(/^[0-9]{4}$/),
   query(['time_reserved.lt']).optional().isString().trim().escape().customSanitizer(val => { return toDate(val) }).not().isEmpty().withMessage(errorMsgs.TIMESTAMP_FORMAT),
   query(['time_reserved.gt']).optional().isString().trim().escape().customSanitizer(val => { return toDate(val) }).not().isEmpty().withMessage(errorMsgs.TIMESTAMP_FORMAT),
@@ -340,7 +340,7 @@ router.put('/cve-id/:id',
   mw.onlyCnas,
   param(['id']).isString().matches(CONSTANTS.CVE_ID_REGEX),
   query().custom((query) => { return mw.validateQueryParameterNames(query, ['state', 'org']) }),
-  query(['state']).optional().isString().trim().escape().customSanitizer(val => { return val.toUpperCase() }).isIn(MODIFYTARGETS),
+  query(['state']).optional().isString().trim().escape().customSanitizer(val => { return val.toUpperCase() }).isIn(MODIFYTARGETS).withMessage(errorMsgs.ID_MODIFY_STATES),
   query(['org']).optional().isString().trim().escape(),
   parseError,
   parsePostParams,

src/controller/cve.controller/index.js

@@ -158,8 +158,8 @@ router.get('/cve',
   query(['page']).optional().isInt({ min: CONSTANTS.PAGINATOR_PAGE }),
   query(['time_modified.lt']).optional().isString().trim().escape().customSanitizer(val => { return toDate(val) }).not().isEmpty().withMessage(errorMsgs.TIMESTAMP_FORMAT),
   query(['time_modified.gt']).optional().isString().trim().escape().customSanitizer(val => { return toDate(val) }).not().isEmpty().withMessage(errorMsgs.TIMESTAMP_FORMAT),
-  query(['state']).optional().isString().trim().escape().customSanitizer(val => { return val.toUpperCase() }).isIn(CHOICES),
-  query(['count_only']).optional().isBoolean({ loose: true }),
+  query(['state']).optional().isString().trim().escape().customSanitizer(val => { return val.toUpperCase() }).isIn(CHOICES).withMessage(errorMsgs.CVE_FILTERED_STATES),
+  query(['count_only']).optional().isBoolean({ loose: true }).withMessage(errorMsgs.COUNT_ONLY),
   query(['assigner_short_name']).optional().isString().trim().escape().notEmpty().isLength({ min: CONSTANTS.MIN_SHORTNAME_LENGTH, max: CONSTANTS.MAX_SHORTNAME_LENGTH }),
   query(['assigner']).optional().isString().trim().escape().notEmpty(),
   parseError,
@@ -350,6 +350,7 @@ router.post('/cve/:id/cna',
     '#/components/parameters/apiSecretHeader'
   ]
   #swagger.requestBody = {
+    description: 'Note: providerMetadata is set by the server. If provided, it will be overwritten.',
     required: true,
     content: {
       "application/json": {
@@ -434,6 +435,7 @@ router.put('/cve/:id/cna',
     '#/components/parameters/apiSecretHeader'
   ]
   #swagger.requestBody = {
+    description: 'Note: providerMetadata is set by the server. If provided, it will be overwritten.',
     required: true,
     content: {
       "application/json": {
@@ -518,6 +520,7 @@ router.post('/cve/:id/reject',
     '#/components/parameters/apiSecretHeader'
   ]
   #swagger.requestBody = {
+    description: 'Note: providerMetadata is set by the server. If provided, it will be overwritten.',
     required: true,
     content: {
       "application/json": {
@@ -603,6 +606,7 @@ router.put('/cve/:id/reject',
     '#/components/parameters/apiSecretHeader'
   ]
   #swagger.requestBody = {
+    description: 'Note: providerMetadata is set by the server. If provided, it will be overwritten.',
     required: true,
     content: {
       "application/json": {

src/controller/org.controller/index.js

@@ -317,11 +317,11 @@ router.put('/org/:shortname',
   query(['active_roles.add']).optional().toArray()
     .custom(isFlatStringArray)
     .customSanitizer(toUpperCaseArray)
-    .custom(isOrgRole),
+    .custom(isOrgRole).withMessage(errorMsgs.ORG_ROLES),
   query(['active_roles.remove']).optional().toArray()
     .custom(isFlatStringArray)
     .customSanitizer(toUpperCaseArray)
-    .custom(isOrgRole),
+    .custom(isOrgRole).withMessage(errorMsgs.ORG_ROLES),
   parseError,
   parsePostParams,
   controller.ORG_UPDATE_SINGLE)
@@ -729,11 +729,11 @@ router.put('/org/:shortname/user/:username',
   query(['active_roles.add']).optional().toArray()
     .custom(isFlatStringArray)
     .customSanitizer(toUpperCaseArray)
-    .custom(isUserRole),
+    .custom(isUserRole).withMessage(errorMsgs.USER_ROLES),
   query(['active_roles.remove']).optional().toArray()
     .custom(isFlatStringArray)
     .customSanitizer(toUpperCaseArray)
-    .custom(isUserRole),
+    .custom(isUserRole).withMessage(errorMsgs.USER_ROLES),
   parseError,
   parsePostParams,
   controller.USER_UPDATE_SINGLE)

src/controller/org.controller/org.middleware.js

@@ -59,7 +59,7 @@ function parseError (req, res, next) {
 function isValidUsername (val) {
   const value = val.match(/^[A-Za-z0-9\-_@.]{3,128}$/)
   if (value == null) {
-    throw new Error('Username should be 3-128 characters. Allowed characters are alphanumberic and -_@.')
+    throw new Error('Username should be 3-128 characters. Allowed characters are alphanumeric and -_@.')
   }
   return true
 }

src/middleware/errorMessages.js

@@ -1,6 +1,12 @@
 // Error message strings to be used in controller/index.js files
 
 module.exports = {
+  ORG_ROLES: 'Invalid role. Valid roles are CNA, SECRETARIAT',
+  USER_ROLES: 'Invalid role. Valid role is ADMIN',
   ID_QUOTA: 'The id_quota does not comply with CVE id quota limitations',
+  ID_STATES: 'Invalid CVE ID state. Valid states are: RESERVED, PUBLISHED, REJECTED',
+  ID_MODIFY_STATES: 'Invalid CVE ID state. Valid states are: RESERVED, REJECTED',
+  CVE_FILTERED_STATES: 'Invalid record state. Valid states are: PUBLISHED, REJECTED',
+  COUNT_ONLY: 'Invalid count_only value. Value should be 1, true, or yes to indicate true, or 0, false, or no to indicate false',
   TIMESTAMP_FORMAT: "Bad date, or invalid timestamp format: valid format is yyyy-MM-ddTHH:mm:ss or yyyy-MM-ddTHH:mm:ssZZZZ (to use '+' in timezone offset, encode as '%2B)"
 }