
inconsistent behavior when organization is not found #714

Closed
ElectricNroff opened this issue Jun 12, 2022 · 0 comments · Fixed by #954
@ElectricNroff
Contributor

For a POST /cve/{id}/reject request, when the organization (that owns the CVE ID) is not found, the implementation apparently works around this by creating a CVE Record in which the required assignerOrgId field is set, but the optional assignerShortName field is omitted:

```js
const owningCnaObj = await orgRepo.findOneByUUID(cveIdObj.owning_cna)
let owningCnaShortName = null
if (owningCnaObj) {
  owningCnaShortName = owningCnaObj.short_name
}

if (owningCnaShortName) {
  rejectedRecord.cveMetadata.assignerShortName = owningCnaShortName
}
```

By contrast, for a POST /cve/{id}/cna request, the implementation assumes that the organization will be found and proceeds to access the short_name field:

```js
const owningCna = await orgRepo.findOneByUUID(cveId.owning_cna)
const assignerShortName = owningCna.short_name
```

The organization isn't inherently less likely to exist in one case than in the other. This is a bug only in the sense that there's no apparent reason for a missing organization to be considered a normal event in one place but an error in analogous code elsewhere.

If a missing organization is supposed to be handled, then the latter code should be fixed so that owningCna.short_name isn't accessed unless owningCna is a valid data structure. For example, this allows CVE Services to be used in a testing environment in which it happens to be convenient for some CVE ID objects to be associated with CNAs that don't exist in the database.

Also, in general, if an organization is missing, logging that information would be useful.
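As an added illustration (not code from the cve-services project or from the issue author), the two patterns quoted above side by side: the unguarded lookup throws a `TypeError` when the owning CNA is absent, while a shared helper that uses optional chaining returns `null`, logs the miss, and lets the caller omit the optional `assignerShortName` while still setting the required `assignerOrgId`. The in-memory `orgRepo`, the UUIDs and the `buildCveMetadata` function are constructed for this example.

```javascript
// Constructed stand-in for the organization collection; findOneByUUID,
// short_name and owning_cna follow the field names quoted in the issue.
const orgs = new Map([
  ['11111111-1111-1111-1111-111111111111', { short_name: 'ExampleCNA' }],
]);
const orgRepo = {
  async findOneByUUID(uuid) {
    return orgs.get(uuid) || null; // null when the org is not in the database
  },
};

// The pattern from the /cve/{id}/cna path: dereferences the result blindly,
// so a missing organization surfaces as a TypeError, not a handled case.
async function shortNameUnguarded(repo, owningCnaUuid) {
  const owningCna = await repo.findOneByUUID(owningCnaUuid);
  return owningCna.short_name;
}

// Consistent handling for both endpoints: optional chaining turns a missing
// org into null, and the miss is logged so operators can see it happened.
async function resolveAssignerShortName(repo, owningCnaUuid, log = console) {
  const owningCna = await repo.findOneByUUID(owningCnaUuid);
  const shortName = owningCna?.short_name ?? null;
  if (shortName === null) {
    log.warn(`owning CNA ${owningCnaUuid} not found; omitting assignerShortName`);
  }
  return shortName;
}

// Hypothetical caller: assignerOrgId is required and always set from the
// CVE ID object; assignerShortName is optional and only set when resolved.
async function buildCveMetadata(repo, cveIdObj, log = console) {
  const cveMetadata = { assignerOrgId: cveIdObj.owning_cna };
  const shortName = await resolveAssignerShortName(repo, cveIdObj.owning_cna, log);
  if (shortName) {
    cveMetadata.assignerShortName = shortName;
  }
  return cveMetadata;
}
```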

@slubar slubar added this to the CVE Services 2.1 milestone Jun 14, 2022
@jdaigneau5 jdaigneau5 self-assigned this Dec 13, 2022
jdaigneau5 added a commit that referenced this issue Dec 15, 2022
…ound. Also, refactored rejectCVE() to use optional chaining. Updated eslint to v8.20.0 to support ecmaScript 2020
brettp added a commit that referenced this issue Dec 16, 2022
Resolves #714 Updated POST /cve/{id}/cna to handle missing org names consistently with POST /cve/{id}/reject