use time.created for sorting of GET /cve and GET /cve-id

[ElectricNroff]

As noted in f1607d9 the time.created sorting does not fix the problem described in the first few paragraphs of the #972 issue. That was the problem in which the client uses both time_modified.gt and time_modified.lt, and observes that "jumped out of the bounded range" can occur.

However, time.created sorting does fix the problem of missing data when only time_modified.gt is used. In other words, there are some very realistic use cases in which

'time.created': 1

is the preferred sorting, and (as far as I know) no identifed use cases in which

'cve.cveMetadata.cveId': 1

or

options.sort = { owning_cna: 'asc', cve_id: 'asc' }

or

time.modified

or

reserved

would be better than that.

[mprpic]

Whatever field this sorts on first, the code should ensure the last field that it sorts on is a unique field (e.g. CVE ID or _id). Sorting only on a timestamp value (which is non-unique) will produce duplicate results when paging through large sets of data. For more info, see https://www.mongodb.com/docs/manual/reference/operator/aggregation/sort/#sort-consistency

[jdaigneau5]

This breaks backwards compatibility and could affect the bulk download process. Putting this on hold for now.