Releases: CVEProject/cve-services

Sprint-22-23

23 Jan 15:11
75c1bb8
Pre-release

What's Changed

  • Resolves #980 Fixed validation calls for rejecting new and existing CVEs by @jdaigneau5 in #983
  • Resolves #804 provide useful error message for bad timestamps that include whites… by @slubar in #986
  • Resolves #956 check for valid date when no timestamp is included by @slubar in #988
  • Resolves #810 Updated misleading comment by @jdaigneau5 in #989
  • Changed pull request template by @jdaigneau5 in #975
  • Resolves #955 CVE record creation message shows when and where to view it by @jdaigneau5 in #991
  • Resolves issue #591, Clarified wording of error when trying to update user to the same organization by @brettp in #992

Full Changelog: Sprint-21...Sprint-22-23

Sprint 21

28 Dec 21:21
Pre-release

What's Changed

Full Changelog: Sprint-20...Sprint-21

v2.1.1-sd

19 Dec 20:01
94e650d

What's Changed

  • #920 Fixes pagination issue that caused missing or duplicate data by @brettp in #942
  • Resolves #931 Fixes CVE v5 schema submission bug related to 'product' field by @jdaigneau5 in #935
  • Resolves #715 Improves schema validation for cna and reject endpoints by @jdaigneau5 in #902
  • #745 improve messaging for user update with no changes specified by @slubar in #909
  • Fixed broken production API doc link by @marcruef in #910
  • Merge PR for unique English language tests and improve error message by @brettp in #912
  • Resolves #713 Omits requesterUserId from all CVE records by @jdaigneau5 in #916
  • Resolves #697 Remove disallowed characters in endpoint calls to prevent reflected XSS by @jdaigneau5 in #921
  • Resolves #785 Remove disallowed characters in query parameter names to prevent XSS reflection by @jdaigneau5 in #922
  • Resolves #787 Prevents updating CVE-ID states to RESERVED if owning Org has no remaining quota by @jdaigneau5 in #926
  • #908 update Swagger doc contact information by @slubar in #914
  • #925 updates to Swagger docs, including removal of the term CVE ID entry by @slubar in #930
  • #817 disallow invalid dates; move toDate to utils file by @slubar in #933
  • Resolves #894 Cve database updates must succeed before Cve-Id database updates by @jdaigneau5 in #937
  • Resolves #881 Invalid Cve Schemas Posts and Puts now return a 400 status code and corresponding errors by @jdaigneau5 in #945
  • #961 Bump CVE Services version number, plus doc update by @slubar in #963
  • Bump node-notifier and node-dev by @dependabot in #905
  • Bump markdown-it and apidoc by @dependabot in #906
  • Bump loader-utils from 2.0.3 to 2.0.4 by @dependabot in #923
  • Bump loader-utils from 2.0.2 to 2.0.3 by @dependabot in #915

Full Changelog: v2.1.0-sd2...v2.1.1-sd

Sprint-20

12 Dec 14:18
2993076
Pre-release

What's Changed

  • Resolves #787 Prevents updating CVE-ID states to RESERVED if owning Org has no remaining quota by @jdaigneau5 in #926
  • #925 updates to Swagger docs, including removal of the term CVE ID entry by @slubar in #930
  • #817 disallow invalid dates; move toDate to utils file by @slubar in #933
  • Bump loader-utils from 2.0.3 to 2.0.4 by @dependabot in #923
  • Resolves #931 Fixes CVE v5 schema submission bug related to 'product' field by @jdaigneau5 in #935
  • Resolves #894 Cve database updates must succeed before Cve-Id database updates by @jdaigneau5 in #937
  • Pull out constants into a function to prevent accidental overriding by @brettp in #934
  • Resolves #920 Fixes duplicate and missing data in response from GET /cve-id and GET /cve
  • #729 decode HTML entities in names prior to storing in the database and sending http response by @slubar in #943
  • Resolves #881 Invalid Cve Schemas Posts and Puts now return a 400 status code and corresponding errors by @jdaigneau5 in #945

Full Changelog: Sprint-19...Sprint-20

Sprint-19

28 Nov 16:04
0e98d6d
Pre-release

What's Changed

  • Bump loader-utils from 2.0.2 to 2.0.3 by @dependabot in #915
  • Resolves #697 Remove disallowed characters in endpoint calls to prevent reflected XSS by @jdaigneau5 in #921
  • Resolves #785 Remove disallowed characters in query parameter names to prevent XSS reflection by @jdaigneau5 in #922

Full Changelog: Sprint-18...Sprint-19

Sprint-18

14 Nov 19:28
40af349
Pre-release

What's Changed

Full Changelog: v2.1.0-sd2...Sprint-18

v1.1.1 Release Notes

22 Jun 19:12
20d330a

Release v1.1.1 of the CVE Services expands functionality of the User Registry and includes the initial Record Service that will only operate internally. The Record Service will be opened to the community in a later release.

Features

User Registry

For the community, the most significant update is the introduction of the Org Admin role. With this role, Org Admins can administer accounts for their organization: register them, deactivate/reactivate them, reset secrets, and modify general data.

Along with the autonomy allowed with the Org Admin role, general User permissions have been expanded as well. Now general Users can change their data and reset their secrets.

Finally, both Users and Org Admins alike will be able to get a list of the Users for their organization and see their organization's information. The organization information itself is quite bare at this point, but the model will expand and this functionality will become more useful.

Record Service

The initial version of the Record service is bundled in this release but will not be open publicly. This is a first step towards transitioning CVE "source of record" functionality out of internal systems and into the CVE Services. The community should not experience any effects from this release.

Where to Learn More

The Developer Guide is a living document that steps new users through interacting with the current production release of the services.

The API for v1.1.1 is also described in the Open API 2.0 format here.

Milestones Closed this Release

  • Enabling the role of Org Admin for User Registry
  • Expanding the abilities of default Users in the system
  • Record Service Phase 1A MVP

Initial Release of the ID Reservation Service

16 Mar 17:38
a1db78d

Version 1.0.0 of the CVE Services was a release of the ID Reservation Service (IDR) with supporting functionality.

Features

Overall, this release enables CNAs to have accounts created with the services where they can then immediately reserve CVE IDs by making appropriate HTTP requests to the IDR, avoiding traditional avenues such as the web forms.

Internal administration features shipped with this release were supporting features for the IDR, mainly around account management: account creation, resetting user secrets, deactivating CNAs, and managing an internal limit of IDs per organization.

Where to Learn More

The Developer Guide is a living document that steps new users through interacting with the services.

The API is also described in the Open API 2.0 format here.