avoid January 1 failures of CVE ID reservation #577

Closed
ElectricNroff opened this issue Mar 14, 2022 · 2 comments
Comments

@ElectricNroff (Contributor) opened the issue:

(This does not need to be addressed for the initial production release of CVE Services 2.x.)

```js
logger.info({ uuid: req.ctx.uuid, message: 'CVE IDs for year ' + year + ' cannot be reserved at this time.' })
logger.info({ uuid: req.ctx.uuid, message: 'CVE IDs for year ' + year + ' cannot be reserved at this time.' })
logger.info({ uuid: req.ctx.uuid, message: 'CVE IDs for year ' + year + ' cannot be reserved at this time.' })
```

cause CVE ID reservations to start failing each January 1 unless a client user has remembered to do annual maintenance tasks such as
```js
await cveIdRangeRepo.findOneAndUpdate({ cve_year: year }, defaultDoc, { upsert: true })
const payload = {
  action: 'create_cveIdRange',
  change: 'CVE Id Range document for year ' + year + ' was created.',
```

A more reasonable design would have:

- the code is able to calculate usable range values for all future years
- the code is able to enforce a policy on how early a range may be used (e.g., in October 2022, one cannot reserve CVE-2525-#### but CVE-2023-#### is OK)
- if perspectives on usable range values change, the code should be updated before January 1, and a new release deployed to production before January 1

@jdaigneau5 jdaigneau5 added the Moderate 5-20 Hours label Apr 4, 2022
@shelbyc commented Oct 6, 2023

If there are any items that should be prioritized in Q4 2023, I think it should be this one. January 1 is approaching, and people likely don't want to deal with errors as their first item coming back from the holidays.

@jdaigneau5 jdaigneau5 added Needs Discussion and removed Moderate 5-20 Hours labels Mar 7, 2024
@jdaigneau5 jdaigneau5 moved this to To do in Sprint 44 Jul 2, 2024
@jdaigneau5 jdaigneau5 moved this to High Priority in Issue Triage Jul 2, 2024
@jdaigneau5 jdaigneau5 moved this from To do to In progress in Sprint 44 Jul 8, 2024
@jdaigneau5 jdaigneau5 removed this from Sprint 44 Jul 8, 2024
@mprpic (Contributor) commented Jul 30, 2024

Discussion from AWG meeting on Jul 30, 2024: how many days ahead of a new year should CVE Services automatically allow reservation of IDs for the next year? Currently, enabling the next year is a manual action that is not consistently done at a set date. At the same time, we don't want to allow reservations for arbitrary future years since it could be misused to reserve IDs for e.g. year 2050, and dilutes the value of the year part in the identifier. Reserving IDs ahead of the new year is a legitimate use case for some CNAs, so we also can't restrict reservations to only the current year exclusively.

The proposed and agreed solution: automatically allow reservations 90 days ahead of the next year.
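The following is an added example, not code from the cve-services project or from any participant in this thread. It puts the two proposals above into one JavaScript check: the range for any year can be computed without a manual per-year step (ElectricNroff's first bullet), and a lead-window policy decides how early a future year may be used (the second bullet, with the 90-day value agreed at the AWG meeting). The function names `reservationYearPolicy`, `daysUntilNextYear` and `firstReservableDate`, the `{ allowed, reason }` result shape, and the UTC day arithmetic are assumptions of this example; how past years are handled is also assumed (they are simply not treated as "future" here), since the thread only discusses reaching forward.

```javascript
// Added example (not cve-services code): year-eligibility policy for CVE ID
// reservation. Current year: always reservable. Next year: reservable once it
// is within `leadDays` of 1 January (90 days per the AWG decision). Anything
// further ahead: refused, so CVE-2525-#### cannot be reserved in 2022.
// Names, result shape and UTC handling are assumptions of this example.

const DEFAULT_LEAD_DAYS = 90;
const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Days remaining, rounded up, until 00:00 UTC on 1 January of the year after `now`.
function daysUntilNextYear(now) {
  const nextJan1 = Date.UTC(now.getUTCFullYear() + 1, 0, 1);
  return Math.ceil((nextJan1 - now.getTime()) / MS_PER_DAY);
}

// Instant from which IDs for `year` become reservable under the lead-window
// policy: 1 January of that year minus the lead window. This is computable
// for every future year, so no per-year enabling step is ever required.
function firstReservableDate(year, leadDays = DEFAULT_LEAD_DAYS) {
  return new Date(Date.UTC(year, 0, 1) - leadDays * MS_PER_DAY);
}

// Decide whether IDs for `year` may be reserved at instant `now`.
// Assumption: years at or before the current year are "not future" and pass
// this check; this policy only governs how far ahead a reservation may reach.
function reservationYearPolicy(year, now = new Date(), leadDays = DEFAULT_LEAD_DAYS) {
  if (!Number.isInteger(year)) {
    return { allowed: false, reason: 'year must be an integer' };
  }
  const currentYear = now.getUTCFullYear();
  if (year <= currentYear) {
    return { allowed: true, reason: `${year} is not a future year` };
  }
  if (year === currentYear + 1) {
    const remaining = daysUntilNextYear(now);
    if (remaining <= leadDays) {
      return { allowed: true, reason: `${year} opened ${leadDays} days before 1 January (${remaining} days remain)` };
    }
    return { allowed: false, reason: `${year} opens in ${remaining - leadDays} days` };
  }
  return { allowed: false, reason: `${year} is more than one year ahead; arbitrary future years are not reservable` };
}

// Demo over constructed UTC instants (not real requests):
const samples = [
  [2023, Date.UTC(2022, 9, 15)], // mid-October 2022: 2023 is within 90 days, allowed
  [2525, Date.UTC(2022, 9, 15)], // far future: refused
  [2023, Date.UTC(2022, 5, 1)],  // June 2022: too early for 2023
  [2024, Date.UTC(2023, 0, 1)],  // 1 January 2023: 2023 works, 2024 is just not open yet
];
for (const [year, ts] of samples) {
  const verdict = reservationYearPolicy(year, new Date(ts));
  console.log(new Date(ts).toISOString().slice(0, 10), year, verdict.allowed ? 'ALLOW' : 'DENY', verdict.reason);
}
```

The point of `firstReservableDate` is that the opening date for every year is derived from the policy constant rather than stored: if the AWG later changes the lead window, only `DEFAULT_LEAD_DAYS` changes and a release is deployed, which is the maintenance model ElectricNroff's third bullet asks for. The denial reason tells the caller when the year opens instead of the bare "cannot be reserved at this time" that the quoted `logger.info` lines emit.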

@david-rocca david-rocca moved this from In Review to Done in Sprint 45 Dec 30, 2024
@david-rocca david-rocca closed this as completed by moving to Done in Sprint 45 Dec 30, 2024