From c75755462a9fddc1c7d3a9a197d40381e4f06afd Mon Sep 17 00:00:00 2001 From: ElectricNroff <44594610+ElectricNroff@users.noreply.github.com> Date: Thu, 7 Apr 2022 02:41:48 +0000 Subject: [PATCH 1/2] for issue 621, change /api/cna to /api/org --- docker/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docker/README.md b/docker/README.md index 3317db0c0..058fb93c1 100644 --- a/docker/README.md +++ b/docker/README.md @@ -42,7 +42,7 @@ environment. To make a REST request to the running CVE services, use the following `curl` command: - `curl http://localhost:3000/api/cna` + `curl http://localhost:3000/api/org` ## To shell into the web app server @@ -52,7 +52,7 @@ To make a REST request to the running CVE services, use the following `curl -X POST -H "Content-Type: application/json" \ -d '{"name": "MITRE Corporation","short_name": "mitre"}' \ - http://localhost:3000/api/cna` + http://localhost:3000/api/org` ## Using Mongo Express From 4e58c021432655d0554c2f93ee6541ed84263c72 Mon Sep 17 00:00:00 2001 From: ElectricNroff <44594610+ElectricNroff@users.noreply.github.com> Date: Tue, 3 May 2022 05:12:36 +0000 Subject: [PATCH 2/2] for issue 621, correct curl usage for examples --- docker/README.md | 50 ++++++++++++++++++++++++++++++------------------ 1 file changed, 31 insertions(+), 19 deletions(-) diff --git a/docker/README.md b/docker/README.md index 058fb93c1..24b879459 100644 --- a/docker/README.md +++ b/docker/README.md @@ -1,5 +1,9 @@ # Using Docker with cve-services +## Security Considerations + +The cve-services docker container contains a MongoDB instance that doesn't require authentication. If this container is exposed to the public internet it may allow unauthorised actors to modify data stored in the database. + ## Setup for Local Development Use the following steps to build and run cve-services (Node.js app 
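Review bot: in the first hunk of docker/README.md the `curl http://localhost:3000/api/org` example in "Try It Out" is still sent without the `CVE-API-ORG`, `CVE-API-USER` and `CVE-API-KEY` headers that step 5 of the same README shows are required for `/api/cve-id`, so the path fix alone leaves a reader with an unauthenticated request against an endpoint the rest of the document treats as key-protected. Suggest carrying the same three `-H` headers over to this example (the second patch in this series does so via `-K $CURL_CVE_CONFIG`), so that the example works as written.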
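Review bot: in the second hunk of docker/README.md the POST body `'{"name": "MITRE Corporation","short_name": "mitre"}'` still creates an organization whose short name is the one the step 5 headers already use against the pre-populated test data (`CVE-API-ORG: mitre`), so on a freshly populated instance this example asks the service to create an org that already exists. Use a distinct example org here (the follow-up patch switches to `"short_name": "exampleCorp"`), and add the API headers from step 5 so the POST is actually accepted.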
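Review bot: the new "Security Considerations" paragraph names the risk (an unauthenticated MongoDB inside the container) but not what the reader should do about it. Suggest adding the mitigation in the same paragraph: do not publish the MongoDB port (nor the Mongo Express port described later in this README) beyond the loopback interface, or enable MongoDB authentication, and keep the stack on a local development host only. It is also worth stating next to it that the API keys in `user-secret.txt` are well-known pre-populated test credentials, so an exposed instance is reachable through the REST API with those keys as well, not only through the database.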
@@ -18,42 +22,50 @@ environment. 1. Change to the "staging" branch (this branch is used for the public testing instance): `git checkout staging` -1. Create your environment file if it doesn't already exist: +2. Create your environment file if it doesn't already exist: `cp .docker-env.staging-example .docker-env` -2. Run the containers (this will also build the cveawg container from the included Dockerfile): +3. Run the containers (this will also build the cveawg container from the included Dockerfile): `docker-compose up` -3. Populate mongoDB with test data included in "datadump/pre-population/": +4. Populate mongoDB with test data included in "datadump/pre-population/": `docker-compose exec cveawg npm run populate:stage` -4. Retrieve the API Key (secret) for test user is stored in “user-secret.txt” +5. Retrieve an API Key (secret) for a test user that is stored in "user-secret.txt" `docker-compose exec cveawg cat user-secret.txt | grep admin2` \ Should return: {"username":"admin2@mitre.org","secret":"API_KEY"} -5. Use curl to test the API (be sure to include the correct API_KEY returned in step #5): - `curl -v http://localhost:3000/api/cve-id \ - -H "CVE-API-ORG: mitre" \ - -H "CVE-API-USER: admin2@mitre.org" \ - -H "CVE-API-KEY: API_KEY"` - -## Try It Out +6. Before running curl commands to test the API, you can create a configuration file with the values of HTTP headers. The examples below require a configuration file. (If you do not wish to create a configuration file, then you can instead modify each example so that all headers are entered separately on the command line, e.g., `-H "CVE-API-ORG: mitre" -H "CVE-API-USER: admin2@mitre.org"` (etc.). Such a command line has an https://cwe.mitre.org/data/definitions/214.html weakness.) 
If you are using Bash on Linux, then you can type the following (except replace aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa with the correct 36-character API Key from step 5): +``` +export CURL_CVE_CONFIG=$HOME/.curl-cve-config +touch $CURL_CVE_CONFIG +chmod 600 $CURL_CVE_CONFIG +/bin/echo -H \"CVE-API-ORG: mitre\" >> $CURL_CVE_CONFIG +/bin/echo -H \"CVE-API-USER: admin2@mitre.org\" >> $CURL_CVE_CONFIG +/bin/echo -H \"CVE-API-KEY: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" >> $CURL_CVE_CONFIG +/bin/echo -H \"Content-type: application/json\" >> $CURL_CVE_CONFIG +/bin/echo -s >> $CURL_CVE_CONFIG +/bin/echo -S >> $CURL_CVE_CONFIG +``` -To make a REST request to the running CVE services, use the following -`curl` command: +7. Use curl to test the API's ability to show CVE IDs that exist in the running CVE Services: + `curl -K $CURL_CVE_CONFIG http://localhost:3000/api/cve-id` - `curl http://localhost:3000/api/org` - -## To shell into the web app server +## Try It Out Further - `docker-compose exec cveawg /bin/sh` + Use curl to retrieve organization information: + `curl -K $CURL_CVE_CONFIG http://localhost:3000/api/org` ## To use curl to add a CNA - `curl -X POST -H "Content-Type: application/json" \ - -d '{"name": "MITRE Corporation","short_name": "mitre"}' \ + `curl -K $CURL_CVE_CONFIG -X POST \ + --data-binary '{"name": "Example Corporation","short_name": "exampleCorp"}' \ http://localhost:3000/api/org` +## To shell into the web app server + + `docker-compose exec cveawg /bin/sh` + ## Using Mongo Express You can use [Mongo Express](https://github.com/mongo-express/mongo-express)
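Review bot: step 6's configuration-file recipe reintroduces the CWE-214 exposure it is meant to avoid: the line `/bin/echo -H \"CVE-API-KEY: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\" >> $CURL_CVE_CONFIG` passes the real API key as a process argument and records it in the shell history, exactly like the `-H "CVE-API-KEY: ..."` command line the paragraph warns against. Suggest having the reader enter the key without placing it on a command line, e.g. `read -rs CVE_API_KEY` followed by `printf '%s\n' "-H \"CVE-API-KEY: $CVE_API_KEY\"" >> "$CURL_CVE_CONFIG"` (bash's builtin `printf` and variable expansion keep the value out of history and `ps`), or pasting the header line into the file with an editor. Two smaller points in the same block: `touch` before `chmod 600` briefly creates the file with the default umask permissions, so `(umask 077; touch "$CURL_CVE_CONFIG")` or `install -m 600 /dev/null "$CURL_CVE_CONFIG"` is safer; and because every line uses `>>`, re-running the block after a key rotation appends a second set of headers and leaves the old key in the file, so either start with `rm -f "$CURL_CVE_CONFIG"` or write the file in one `>` redirection. Finally, the sentence "Such a command line has an https://cwe.mitre.org/data/definitions/214.html weakness." reads awkwardly; "has a [CWE-214 (Invocation of Process Using Visible Sensitive Information)](https://cwe.mitre.org/data/definitions/214.html) weakness" would be clearer, and the "To use curl to add a CNA" heading could say "add an organization" to match the `/api/org` endpoint it now targets.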