Merge branch 'staging' into 5.2.0-Purl-Test

Author: david-rocca

.github/workflows/test-http.yml

@@ -26,7 +26,7 @@ jobs:
     - name: Sleep
       run: bash -c "while ! docker compose --file docker/docker-compose.yml logs --tail=10 cveawg | grep -q 'Serving on port'; do sleep 1; done"
     - name: Load Data into MongoDb
-      run: docker compose -f docker/docker-compose.yml exec -T cveawg npm run populate:dev y
+      run: docker compose -f docker/docker-compose.yml exec -T cveawg npm run populate:dev y; docker compose -f docker/docker-compose.yml exec -T cveawg npm run migrate:test-black-box
     - name: Run Black Box Tests
       run: |
         docker compose --file test-http/docker/docker-compose.yml exec -T demon pytest src/ | tee test-http/src/testOutput.txt

README.md

@@ -1,3 +1,5 @@
+*6/12/2025 NOTE: the Test environment of CVE Services now includes the release candidate “User Registry” which adds many additional features.  See the details at the end of this ReadMe doc.*
+
 # CVE-API
 
 ![CodeQL](https://github.com/CVEProject/cve-services/workflows/CodeQL/badge.svg)
@@ -124,6 +126,9 @@ When you start your local development server using `npm run start:dev` the speci
 
 You can use `npm run swagger-autogen` to generate a new specification file.
 
+### CVE Record Submission Validation Rules
+
+As part of the submission processing, CVE Services "validates" that specific requirements are met prior to accepting the submission and  posting the CVE Record to the CVE List.  Validation rules for CVE Record Submission are noted [here](https://github.com/CVEProject/automation-working-group/blob/master/meeting-notes/files/CVERules.md).
 
 ### Unit Testing
 
@@ -137,3 +142,34 @@ In order to run the unit tests:
 ```sh
 npm run start:test
 ```
+
+### User Registry
+
+The CVE Automation Working Group (on behalf of the CVE Program)  is currently working on a new automation capability: the User Registry.  The objective of the User Registry is to modernize how CVE Program Organizations (e.g., CNAs, Roots, Top level Roots, the Secretariat) manage/update their organizational properties and user pools.   The new capability will ultimately allow CNAs, Roots, Top Level Roots to better manage their own data/user pools with more robust information.  It is targeted to be implemented in a series of incremental deployments to CVE Services in the Fall/2025 through Summer/2026.   
+
+#### Current Status:  
+
+The release candidate for the first User Registry increment (termed the User Registry MVP) is now available for testing/review in the CVE Program Testing Environment. (Note that this release IS NOT a PRODUCTION Release and will not be visible in the CVE Program PRODUCTION environment).
+This release candidate establishes a new, more robust User/Organizations databases (and associated APIs) while maintaining full backwards compatibility with the current User/Organizational management functions (meaning that current CVE Services clients will not be required to be modified with the deployment of this candidate).  It was discussed at the [6/10/2025 CVE Program AWG meeting](https://github.com/CVEProject/automation-working-group/blob/master/meeting-notes/2025-06-10.md).  
+
+#### HowTo:  
+
+Credentialed users of CVE Services Test Environment will be able to use the new capabilities via the API endpoints which are described [here](https://cveawg-test.mitre.org/api-docs/) (Be sure to scroll down to the bottom of the page to review the new User Registry interfaces).  
+
+Credentialed users can access the APIs by
+
+- installing/using common web application API testing tools such as [curl](https://curl.se/) or [postman](https://www.postman.com/) OR
+
+- installing/using the [User Registry Client](https://github.com/CVEProject/cve-user-registry-client) which provides a GUI interface to exercise the basic functions of the User Registry.
+
+  Note that there is no support for these new endpoints in many currently available CVE Services “client” tools (e.g, Vulnogram) and hence they should not be relied upon to examine/test these interfaces.    
+
+#### Next Steps:  
+
+The AWG is taking comments/questions on this release candidate.   You can provide feedback in three ways:
+
+- Send  comments/questions to AWG+owner@CVE-CWE-Programs.groups.io,
+
+- Post Issues/Questions to the CVE Services Issue Board (please attach a “user registry” label to your post).   
+
+- Attend (virtually) an AWG meeting which meets every week on Tuesday at 4:00 PM Eastern US Time. Send a request for the link to AWG+owner@CVE-CWE-Programs.groups.io.