Merge pull request #1725 from CVEProject/dev

david-rocca · web-flow · commit 5f942853b574 · 2026-04-07T16:00:37.000-04:00
v2.7.2 - Renaming some fields &amp; Reports_to and Oversees updates
diff --git a/.gitignore b/.gitignore
@@ -11,6 +11,9 @@ yarn-debug.log*
 yarn-error.log*
 lerna-debug.log*
 
+## Developer Agent stuff`
+.agents/
+
 # Diagnostic reports (https://nodejs.org/api/report.html)
 report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json
 
diff --git a/api-docs/openapi.json b/api-docs/openapi.json
@@ -1,7 +1,7 @@
 {
   "openapi": "3.0.2",
   "info": {
-    "version": "2.7.1",
+    "version": "2.7.2",
     "title": "CVE Services API",
     "description": "The CVE Services API supports automation tooling for the CVE Program. Credentials are     required for most service endpoints. Representatives of     <a href='https://www.cve.org/ProgramOrganization/CNAs'>CVE Numbering Authorities (CNAs)</a> should     use one of the methods below to obtain credentials:    <ul><li>If your organization already has an Organizational Administrator (OA) account for the CVE     Services, ask your admin for credentials</li>     <li>Contact your Root (<a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/Google'>Google</a>,     <a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/INCIBE'>INCIBE</a>,     <a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/jpcert'>JPCERT/CC</a>, or     <a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/redhat'>Red Hat</a>) or     Top-Level Root (<a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/icscert'>CISA ICS</a>     or <a href='https://www.cve.org/PartnerInformation/ListofPartners/partner/mitre'>MITRE</a>) to request credentials     </ul>     <p>CVE data is to be in the JSON 5.2 CVE Record format. Details of the JSON 5.2 schema are     located <a href='https://github.com/CVEProject/cve-schema/releases/tag/v5.2.0' target='_blank'>here</a>.</p>    <a href='https://cveform.mitre.org/' class='link' target='_blank'>Contact the CVE Services team</a>",
     "contact": {
@@ -2605,7 +2605,7 @@
           "Registry Organization"
         ],
         "summary": "Updates information about the organization specified by short name (accessible Temporarily to Secretariat only)",
-        "description": "  <h2>Access Control</h2>  <p>User must belong to an organization with the <b>Secretariat</b> role temporarily.</p>  <p>In the future, only the organization's admin will be able to request changes to its information.</p>  <p>With Joint Approval required for the following fields:</p>  <h2>Expected Behavior</h2>  <b>This endpoint expects a full organization object in the request body.</b>  <p><b>Secretariat:</b> Updates any organization's information</p>  <p><b>Organization Admin:</b> Requests changes to its organization's information</p>  <ul>  <li>short_name</li>  <li>long_name</li>  <li>authority</li>  <li>aliases</li>  <li>oversees</li>  <li>root_or_tlr</li>  <li>charter_or_scope</li>  <li>product_list</li>  <li>disclosure_policy</li>  <li>contact_info.poc</li>  <li>contact_info.poc_email</li>  <li>contact_info.poc_phone</li>  <li>contact_info.org_email</li>  <li>cna_role_type</li>  <li>cna_country</li>  <li>vulnerability_advisory_locations</li>  <li>advisory_location_require_credentials</li>  <li>industry</li>  <li>tl_root_start_date</li>  <li>is_cna_discussion_list</li>  </ul>",
+        "description": "  <h2>Access Control</h2>  <p>User must belong to an organization with the <b>Secretariat</b> role temporarily.</p>  <p>In the future, only the organization's admin will be able to request changes to its information.</p>  <p>With Joint Approval required for the following fields:</p>  <h2>Expected Behavior</h2>  <b>This endpoint expects a full organization object in the request body.</b>  <p><b>Secretariat:</b> Updates any organization's information</p>  <p><b>Organization Admin:</b> Requests changes to its organization's information</p>  <ul>  <li>short_name</li>  <li>long_name</li>  <li>authority</li>  <li>aliases</li>  <li>oversees</li>  <li>root_or_tlr</li>  <li>charter_or_scope</li>  <li>product_list</li>  <li>disclosure_policy</li>  <li>contact_info.poc</li>  <li>contact_info.poc_email</li>  <li>contact_info.poc_phone</li>  <li>contact_info.org_email</li>  <li>partner_role</li>  <li>partner_type</li>  <li>partner_country</li>  <li>vulnerability_advisory_locations</li>  <li>advisory_location_require_credentials</li>  <li>industry</li>  <li>tl_root_start_date</li>  <li>is_cna_discussion_list</li>  </ul>",
         "operationId": "orgUpdateSingle",
         "parameters": [
           {
@@ -3166,6 +3166,107 @@
         }
       }
     },
+    "/registry/org/{shortname}/conversation/{index}": {
+      "put": {
+        "tags": [
+          "Registry Organization"
+        ],
+        "summary": "Update the conversation at the given index for the given organization (accessible to Secretariat or Org Admin)",
+        "description": "  <h2>Access Control</h2>  <p>User must belong to an organization with the <b>Secretariat</b> role or be an <b>Admin</b> of the organization</p>  <h2>Expected Behavior</h2>  <p><b>Admin User:</b> Allowed to update only the message body of any conversation posted by them</p>  <p><b>Secretariat:</b> Allowed to update the message body and/or visibility of any conversation</p>",
+        "operationId": "registryUserUpdateConversation",
+        "parameters": [
+          {
+            "name": "shortname",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            },
+            "description": "The shortname of the organization"
+          },
+          {
+            "name": "index",
+            "in": "path",
+            "required": true,
+            "schema": {
+              "type": "string"
+            },
+            "description": "The index of the conversation to update"
+          },
+          {
+            "$ref": "#/components/parameters/apiEntityHeader"
+          },
+          {
+            "$ref": "#/components/parameters/apiUserHeader"
+          },
+          {
+            "$ref": "#/components/parameters/apiSecretHeader"
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Returns the updated conversation",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "../schemas/conversation/update-conversation-response.json"
+                }
+              }
+            }
+          },
+          "400": {
+            "description": "Bad Request",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "../schemas/errors/bad-request.json"
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Not Authenticated",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "../schemas/errors/generic.json"
+                }
+              }
+            }
+          },
+          "403": {
+            "description": "Forbidden",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "../schemas/errors/generic.json"
+                }
+              }
+            }
+          },
+          "404": {
+            "description": "Not Found",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "../schemas/errors/generic.json"
+                }
+              }
+            }
+          },
+          "500": {
+            "description": "Internal Server Error",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "../schemas/errors/generic.json"
+                }
+              }
+            }
+          }
+        }
+      }
+    },
     "/org": {
       "get": {
         "tags": [
diff --git a/package.json b/package.json
@@ -1,7 +1,7 @@
 {
     "name": "cve-services",
     "author": "Automation Working Group",
-    "version": "2.7.1",
+    "version": "2.7.2",
     "license": "(CC0)",
     "devDependencies": {
         "@faker-js/faker": "^7.6.0",
diff --git a/schemas/registry-org/create-registry-org-request.json b/schemas/registry-org/create-registry-org-request.json
@@ -27,10 +27,6 @@
             "enum": ["CNA", "ADP", "BULK_DOWNLOAD", "SECRETARIAT"]
           }
     },
-    "reports_to": {
-      "type": ["string", "null"],
-      "description": "UUID of the parent organization, if any"
-    },
     "oversees": {
       "type": "array",
       "items": {
diff --git a/schemas/registry-org/get-registry-org-response.json b/schemas/registry-org/get-registry-org-response.json
@@ -105,13 +105,17 @@
         "org_email"
       ]
     },
-    "cna_role_type": {
+    "partner_role": {
         "type": "string",
-        "description": "Type of CNA role"
+        "description": "Role of the partner"
     },
-    "cna_country": {
+    "partner_type": {
         "type": "string",
-        "description": "Country of the CNA"
+        "description": "Type of the partner"
+    },
+    "partner_country": {
+        "type": "string",
+        "description": "Country of the partner"
     },
     "vulnerability_advisory_locations": {
         "type": "array",
diff --git a/schemas/registry-org/list-registry-orgs-response.json b/schemas/registry-org/list-registry-orgs-response.json
@@ -134,13 +134,17 @@
               "org_email"
             ]
           },
-          "cna_role_type": {
+          "partner_role": {
             "type": "string",
-            "description": "Type of CNA role"
+            "description": "Role of the partner"
           },
-          "cna_country": {
+          "partner_type": {
             "type": "string",
-            "description": "Country of the CNA"
+            "description": "Type of the partner"
+          },
+          "partner_country": {
+            "type": "string",
+            "description": "Country of the partner"
           },
           "vulnerability_advisory_locations": {
             "type": "array",
diff --git a/schemas/registry-org/update-registry-org-request.json b/schemas/registry-org/update-registry-org-request.json
@@ -38,10 +38,6 @@
       },
       "required": ["active_roles"]
     },
-    "reports_to": {
-      "type": ["string", "null"],
-      "description": "UUID of the parent organization, if any"
-    },
     "oversees": {
       "type": "array",
       "items": {
diff --git a/src/constants/index.js b/src/constants/index.js
@@ -44,7 +44,7 @@ function getConstants () {
     USER_ROLES: [
       'ADMIN'
     ],
-    JOINT_APPROVAL_FIELDS: ['short_name', 'long_name', 'authority', 'aliases', 'oversees', 'root_or_tlr', 'charter_or_scope', 'product_list', 'disclosure_policy', 'contact_info.poc', 'contact_info.poc_email', 'contact_info.poc_phone', 'contact_info.org_email', 'cna_role_type', 'cna_country', 'vulnerability_advisory_locations', 'advisory_location_require_credentials', 'industry', 'tl_root_start_date', 'is_cna_discussion_list', 'hard_quota'],
+    JOINT_APPROVAL_FIELDS: ['short_name', 'long_name', 'authority', 'aliases', 'oversees', 'root_or_tlr', 'charter_or_scope', 'product_list', 'disclosure_policy', 'contact_info.poc', 'contact_info.poc_email', 'contact_info.poc_phone', 'contact_info.org_email', 'partner_role', 'partner_type', 'partner_country', 'vulnerability_advisory_locations', 'advisory_location_require_credentials', 'industry', 'tl_root_start_date', 'is_cna_discussion_list', 'hard_quota'],
     JOINT_APPROVAL_FIELDS_LEGACY: ['short_name', 'name', 'authority.active_roles', 'policies.id_quota'],
     USER_ROLE_ENUM: {
       ADMIN: 'ADMIN'
diff --git a/src/controller/org.controller/index.js b/src/controller/org.controller/index.js
@@ -556,8 +556,9 @@ router.put('/registry/org/:shortname',
           <li>contact_info.poc_email</li>
           <li>contact_info.poc_phone</li>
           <li>contact_info.org_email</li>
-          <li>cna_role_type</li>
-          <li>cna_country</li>
+          <li>partner_role</li>
+          <li>partner_type</li>
+          <li>partner_country</li>
           <li>vulnerability_advisory_locations</li>
           <li>advisory_location_require_credentials</li>
           <li>industry</li>
diff --git a/src/controller/org.controller/org.middleware.js b/src/controller/org.controller/org.middleware.js
@@ -65,14 +65,14 @@ function validateCreateOrgParameters () {
             'charter_or_scope',
             'disclosure_policy',
             'product_list',
-            'reports_to',
             'contact_info.poc',
             'contact_info.poc_email',
             'contact_info.poc_phone',
             'contact_info.org_email',
             'contact_info.website',
-            'cna_role_type',
-            'cna_country',
+            'partner_role',
+            'partner_type',
+            'partner_country',
             'industry'
           ])
           .default('')
@@ -88,7 +88,7 @@ function validateCreateOrgParameters () {
           .isArray()
           .isInt({ min: CONSTANTS.MONGOOSE_VALIDATION.Org_policies_id_quota_min, max: CONSTANTS.MONGOOSE_VALIDATION.Org_policies_id_quota_max })
           .withMessage(errorMsgs.ID_QUOTA),
-        ...isNotAllowed('name', 'users', 'contact_info.admins', 'in_use', 'created', 'last_updated', 'policies.id_quota')
+        ...isNotAllowed('reports_to', 'name', 'users', 'contact_info.admins', 'in_use', 'created', 'last_updated', 'policies.id_quota')
       ]
     } else {
       validations = [
@@ -128,15 +128,15 @@ function validateCreateOrgParameters () {
           'charter_or_scope',
           'disclosure_policy',
           'product_list',
-          'reports_to',
           'contact_info.poc',
           'contact_info.poc_email',
           'contact_info.poc_phone',
           'contact_info.org_email',
           'contact_info.additional_contact_users',
           'contact_info.website',
-          'cna_role_type',
-          'cna_country',
+          'partner_role',
+          'partner_type',
+          'partner_country',
           'vulnerability_advisory_locations',
           'advisory_location_require_credentials',
           'industry',
@@ -214,14 +214,14 @@ function validateUpdateOrgParameters () {
           'charter_or_scope',
           'disclosure_policy',
           'product_list',
-          'reports_to',
           'contact_info.poc',
           'contact_info.poc_email',
           'contact_info.poc_phone',
           'contact_info.org_email',
           'contact_info.website',
-          'cna_role_type',
-          'cna_country',
+          'partner_role',
+          'partner_type',
+          'partner_country',
           'vulnerability_advisory_locations',
           'advisory_location_require_credentials',
           'industry',
@@ -302,15 +302,15 @@ const QUERY_PARAMETERS = {
     'disclosure_policy',
     'product_list',
     'oversees',
-    'reports_to',
     'contact_info',
     'contact_info.poc',
     'contact_info.poc_email',
     'contact_info.poc_phone',
     'contact_info.org_email',
     'contact_info.website',
-    'cna_role_type',
-    'cna_country',
+    'partner_role',
+    'partner_type',
+    'partner_country',
     'vulnerability_advisory_locations',
     'advisory_location_require_credentials',
     'industry',
diff --git a/src/controller/registry-org.controller/index.js b/src/controller/registry-org.controller/index.js
@@ -1,7 +1,7 @@
 const express = require('express')
 const router = express.Router()
 const mw = require('../../middleware/middleware')
-const { param, query } = require('express-validator')
+const { param, query, body } = require('express-validator')
 const controller = require('./registry-org.controller')
 const { parseGetParams, parsePostParams, parseDeleteParams, parseError } = require('./registry-org.middleware')
 const getConstants = require('../../constants').getConstants
@@ -214,6 +214,7 @@ router.post('/registryOrg',
   mw.useRegistry(),
   mw.onlySecretariat,
   mw.validateUser,
+  body(['reports_to']).not().exists().withMessage('reports_to must not be present'),
   parseError,
   parsePostParams,
   controller.CREATE_ORG
@@ -302,6 +303,7 @@ router.put('/registryOrg/:shortname',
   mw.validateUser,
   mw.onlySecretariat,
   param(['shortname']).isString().trim(),
+  body(['reports_to']).not().exists().withMessage('reports_to must not be present'),
   parseError,
   parsePostParams,
   controller.UPDATE_ORG
diff --git a/src/controller/registry-org.controller/registry-org.middleware.js b/src/controller/registry-org.controller/registry-org.middleware.js
@@ -11,14 +11,15 @@ function parsePostParams (req, res, next) {
   utils.reqCtxMapping(req, 'query', [
     'long_name', 'short_name', 'aliases',
     'cve_program_org_function', 'authority.active_roles',
-    'reports_to', 'oversees',
+    'oversees',
     'root_or_tlr', 'users',
     'charter_or_scope', 'disclosure_policy', 'product_list',
     'soft_quota', 'hard_quota',
     'contact_info.additional_contact_users', 'contact_info.poc', 'contact_info.poc_email', 'contact_info.poc_phone',
     'contact_info.admins', 'contact_info.org_email', 'contact_info.website',
-    'cna_role_type',
-    'cna_country',
+    'partner_role',
+    'partner_type',
+    'partner_country',
     'vulnerability_advisory_locations',
     'advisory_location_require_credentials',
     'industry',
diff --git a/src/middleware/schemas/BaseOrg.json b/src/middleware/schemas/BaseOrg.json
@@ -76,9 +76,6 @@
     "root_or_tlr": {
       "type": "boolean"
     },
-    "reports_to": {
-      "$ref": "#/definitions/uuidType"
-    },
     "users": {
       "type": "array",
       "uniqueItems": true,
@@ -124,10 +121,13 @@
       },
       "additionalProperties": false
     },
-    "cna_role_type": {
+    "partner_role": {
+      "type": "string"
+    },
+    "partner_type": {
       "type": "string"
     },
-    "cna_country": {
+    "partner_country": {
       "type": "string"
     },
     "vulnerability_advisory_locations": {
diff --git a/src/model/baseorg.js b/src/model/baseorg.js
diff --git a/src/repositories/baseOrgRepository.js b/src/repositories/baseOrgRepository.js
diff --git a/src/swagger.js b/src/swagger.js
diff --git a/test/integration-tests/registry-org/registryOrgCRUDTest.js b/test/integration-tests/registry-org/registryOrgCRUDTest.js

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "cve-services",`
`3`	`3`	`"author": "Automation Working Group",`
`4`		`- "version": "2.7.1",`
	`4`	`+ "version": "2.7.2",`
`5`	`5`	`"license": "(CC0)",`
`6`	`6`	`"devDependencies": {`
`7`	`7`	`"@faker-js/faker": "^7.6.0",`