CVE-API

Table of contents

• Project
• Contributing
  • Security
    • Reporting a Vulnerability
• Development
  • Technologies
  • Style Guidelines
  • Directory Layout
  • Setup
  • API Documentation
  • Unit Testing

The CVE Services Project

This repository contains services that support the CVE Program's mission to "identify, define, and catalog publicly disclosed cybersecurity vulnerabilities."

There are many ways one can assist:

OSS Contributor

Developers can contribute code directly. Getting started can be as fast as choosing an issue on our board.

Please read our contributor's guide for more details. We welcome all contributions!

Working Groups

The CVE project operates as multiple focused working groups. Visit the CVE Website working groups page for more information.

Security

Reporting a Vulnerability

Warning Do not put vulnerability information in a GitHub issue.

Please consult our SECURITY.md for specific instructions on reporting a vulnerability that exists in the CVE Services.

Development

Technologies

This project uses or depends on software from

• NodeJS
• Express
• MongoDB for locally run instances
• Mongoose.js

Style Guidelines

This project follows the JavaScript Standard Style.

Setup

Docker

See the Docker README found in the repo here: https://github.com/CVEProject/cve-services/blob/dev/docker/README.md

Local Development

Warning

DO NOT use the dev configuration on a public network. The dev environment includes credentials to enable rapid development and is not secure for public deployment.

1. Install required node modules

This assumes node 16.14.2 and the latest npm are installed.

cd cve-services
npm install

2. Setup and start MongoDB locally

Install MongoDB locally

• https://docs.mongodb.com/manual/administration/install-community/

Download MongoDB Compass (MongoDB GUI)

• https://www.mongodb.com/download-center/compass

Create a cve_dev database in Compass. The collections will be automatically created when the API starts storing documents.

You can populate the database with test data using:

npm run populate:dev

3. Start the node application

In order to start a dev environment:

npm run start:dev

API Documentation

API documentation is generated using swagger-autogen which ensures that we keep the API specification up to date with any major changes to API routes. Extra information for each API route is defined as a comment in the index.js files under the respective controller and all request and response schemas are stored under the schemas folder served up by schemas.controller.

To ensure you are using the correct API specification the following endpoints can be used:

• Test Instance
• Production

Note: The specification file stored in GitHub will only be correct for that branch; there could be differences between branches and production.

If you are developer and want to test changes to the API specification you can generate a specification in one of two ways:

1. Preferred

When you start your local development server using npm run start:dev the specification file will be generated. Subsequent changes require reloading the server.

2. Manual

You can use npm run swagger-autogen to generate a new specification file.

Unit Testing

This project uses the following for unit testing

• https://mochajs.org/
• https://www.chaijs.com/

In order to run the unit tests:

npm run start:test