CVEProject / cve-services

This repo contains the source for the CVE Services API.
Creative Commons Zero v1.0 Universal

PUT /cve/:id/reject does not set dataVersion to 5.1 #1230

Closed. ElectricNroff closed this issue 5 months ago

ElectricNroff commented 5 months ago

This REJECTED CVE Record had previously been placed in the test.cve.org database with CVE Services 2.2.x:

{"dataType":"CVE_RECORD","dataVersion":"5.0","cveMetadata":{"cveId":"CVE-2024-21243",
"assignerOrgId":"ee1fa4c6-8d34-4353-ad97-194c1b986b8b","state":"REJECTED",
"dateReserved":"2024-03-06T13:51:02.274Z","dateUpdated":"2024-03-06T13:58:59.968Z",
"dateRejected":"2024-03-06T13:58:59.968Z","assignerShortName":"exampleCNA"},
"containers":{"cna":{"providerMetadata":{"orgId":"466e066c-d384-4b8a-8b15-067d9c22c5af",
"shortName":"mitre","dateUpdated":"2024-03-06T13:58:59.968Z"},"rejectedReasons":
[{"lang":"en","value":
"This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."}]}}}

Then, this container was sent to the PUT /cve/:id/reject endpoint with CVE Services 2.3.1:

{
  "cnaContainer": {
    "rejectedReasons": [
      {
        "lang": "en",
        "value": "Because it is a duplicate of CVE-1900-12345, this CVE ID has been rejected or withdrawn by its CVE Numbering Authority."
      }
    ]
  }
}

The CVE Record was then in the test.cve.org database as:

{"dataType":"CVE_RECORD","dataVersion":"5.0","cveMetadata":{"cveId":"CVE-2024-21243",
"assignerOrgId":"ee1fa4c6-8d34-4353-ad97-194c1b986b8b","state":"REJECTED",
"dateReserved":"2024-03-06T13:51:02.274Z","dateUpdated":"2024-05-15T19:02:48.717Z",
"dateRejected":"2024-03-06T13:58:59.968Z","assignerShortName":"exampleCNA"},
"containers":{"cna":{"rejectedReasons":[{"lang":"en","value":
"Because it is a duplicate of CVE-1900-12345, this CVE ID has been rejected or withdrawn by its CVE Numbering Authority."}],
"providerMetadata":{"orgId":"466e066c-d384-4b8a-8b15-067d9c22c5af",
"shortName":"mitre","dateUpdated":"2024-05-15T19:02:48.717Z"}}}}

In other words, even though this CVE Record was validated against the 5.1 schema (and not validated against the 5.0 schema) before the database was updated, it still states "dataVersion":"5.0".
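
A minimal model of the outcome reported above, added here as an example and not part of the original issue, the cve-services code base, or the #1231 change. `applyReject`, `versionMismatch`, `SCHEMA_VERSION` and the `stampVersion` switch are hypothetical names; the sample record and request body are trimmed from the ones quoted in the issue. With `stampVersion` off, the top-level `dataVersion` is carried over from the stored document; with it on, the record states the schema version it was validated against.

```javascript
// Added illustration: all names here are hypothetical, not cve-services code.
const SCHEMA_VERSION = '5.1'; // schema the issue says the update was validated against

// Constructed sample: the stored REJECTED record from the issue, trimmed.
const stored = {
  dataType: 'CVE_RECORD',
  dataVersion: '5.0',
  cveMetadata: {
    cveId: 'CVE-2024-21243',
    state: 'REJECTED',
    dateRejected: '2024-03-06T13:58:59.968Z',
    dateUpdated: '2024-03-06T13:58:59.968Z'
  },
  containers: { cna: {
    providerMetadata: { shortName: 'mitre', dateUpdated: '2024-03-06T13:58:59.968Z' },
    rejectedReasons: [{ lang: 'en', value: 'This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.' }]
  } }
};

// Constructed sample: the reject request body from the issue.
const body = { cnaContainer: { rejectedReasons: [{ lang: 'en',
  value: 'Because it is a duplicate of CVE-1900-12345, this CVE ID has been rejected or withdrawn by its CVE Numbering Authority.' }] } };

// Merge a reject request into an existing record without mutating the input.
// stampVersion=false models the reported outcome (dataVersion left as stored);
// stampVersion=true writes the version the record was validated against.
function applyReject(existing, request, now, stampVersion) {
  const updated = JSON.parse(JSON.stringify(existing));
  updated.cveMetadata.state = 'REJECTED';
  updated.cveMetadata.dateUpdated = now;
  updated.cveMetadata.dateRejected = existing.cveMetadata.dateRejected || now;
  updated.containers.cna = {
    rejectedReasons: request.cnaContainer.rejectedReasons,
    providerMetadata: { ...existing.containers.cna.providerMetadata, dateUpdated: now }
  };
  if (stampVersion) updated.dataVersion = SCHEMA_VERSION;
  return updated;
}

// Regression check: true when a record's stated dataVersion differs from the
// schema version it was validated against before being written.
function versionMismatch(record, validatedAgainst = SCHEMA_VERSION) {
  return record.dataVersion !== validatedAgainst;
}
```

A check like `versionMismatch` fits in an endpoint test that reads the record back after the update, since consumers that select a schema by `dataVersion` would otherwise validate the record against 5.0.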

jdaigneau5 commented 5 months ago

Resolved by #1231