add config directory

this makes it easier to make local changes at runtime

Author: hkong-mitre

.github/workflows/config/custom-environment-variables.jsonc

@@ -0,0 +1,24 @@
+{
+  // this file is used by node-config to map a node-config (AppConfig)
+  //  hierarchy of constants to an environment variable
+  // Note that much of the environment variables mapped here existed for some time
+  //  without AppConfig, this file bridges the historical uses of those with the new
+  //  as we transition to AppConfig
+  "appConfig": {
+    // constants for search capability
+    "search": {
+      "providerEndpoint": "OpenSearchDomainEndpoint",
+      "index": "OpenSearchCveIndex",
+      // allows local development using containers that do not have SSL certs
+      "allowUnknownSslCerts": "OpenSearchAllowUnknownSslCerts"
+    },
+    // constants for testing node-config
+    // these values are only used to test node-config in AppConfig.test.int.ts
+    // DO NOT USE THIS FOR ANYTHING ELSE
+    "test": {
+      "appConfigTest": {
+        "test": "JEST_env_config_test"
+      }
+    }
+  }
+}

.github/workflows/config/default.jsonc

@@ -0,0 +1,34 @@
+{
+  // Default configuration
+  //  These values are overridable using other *.jsonc (e.g., prod.jsonc)
+  //    as well as using environment variables (e.g., in `.env`)
+  //    - Each configuration is mapped using custom-environment-variables.jsonc to enable environment varialbe overrides.
+  //    - For more information, see cve-core/src/adapters/config/AppConfig.ts
+  //  NOTE for consistency, all values need to be strings for proper type when using .env overrides
+  "appConfig": {
+    // constants for search capability
+    "search": {
+      // minimum versions for servers that are compatible with current code
+      "minServer": [
+        "elasticsearch:7.10.2",
+        "opensearch:2.10.0"
+      ],
+      // setting this to FALSE (highly recommended) requires an SSL cert to access the search server
+      // The only time this should be allowed to be true is when developing or testing
+      //   using containers that do not have SSL certs
+      "allowUnknownSslCerts": "FALSE",
+      "providerEndpoint": "<using config/default.jsonc>", // preference is to specify this in a (secret) environment variable on production platforms
+      "index": "<using config/default.jsonc>" // preference is to specify this in a (secret) environment variable on production platforms
+    },
+    "github": {
+      "cvelist": {
+        "cvesDirUrl": "https://raw.githubusercontent.com/CVEProject/cvelistV5/refs/heads/main/cves",
+        "deltalogUrl": "https://raw.githubusercontent.com/CVEProject/cvelistV5/refs/heads/main/cves/deltaLog.json"
+      }
+    },
+    "local": {
+      "tempDownloadDirRoot": "./tempDownloads",
+      "cvesDirRoot": "./cves"
+    }
+  }
+}

.github/workflows/config/devel.jsonc

@@ -0,0 +1,47 @@
+{
+  // development configurations
+  // overrides values specified in default.jsonc, read additional comments there
+  //   and in cve-core/src/adapters/config/AppConfig.ts
+  // NOTE for consistency, all values need to be strings for proper type when using .env overrides
+  "appConfig": {
+    // constants for search capability
+    "search": {
+      // minimum versions for servers that are compatible with current code
+      "minServer": [
+        "opensearch:2.10.0"
+      ],
+      // URL to reach search server
+      "providerEndpoint": "https://admin:admin@localhost:9200",
+      // index on search server related to searching CVEs
+      "index": "e2e-cve-test-index-1109",
+      // setting this to FALSE (recommended) requires an SSL cert to access the search server
+      // The only time this should be allowed to be true is when developing or testing
+      //   using containers that do not have SSL certs
+      // DO NOT USE THIS IN ANY PUBLIC OR PRODUCTION ENVIRONMENTS
+      "allowUnknownSslCerts": "TRUE"
+    },
+    // constants for unit, int, e2e testing
+    "test": {
+      // constants for testing search capability
+      "searchTest": {
+        // many tests for search uses snapshots, which requires CVEs to remain unchanged
+        // since the live server is updated all the time, a fixture containing fixed CVEs
+        // is required to keep the test consistent.  "fixtures" provides the link
+        // to the cve-fixtures repository
+        "fixtures": {
+          // @todo these constants needs to be in sync in cve-fixtures 
+          // so that testing snapshots are consistent and valid
+          "name": "fixtures-search-baseline-1086", // release tag
+          "numCves": "1086" // possible identifier assuming we always add cves to a new release
+        }
+      },
+      // constants for testing node-config
+      "appConfigTest": {
+        // these values are only used to test node-config in AppConfig.test.int.ts
+        // DO NOT USE THIS FOR ANYTHING ELSE
+        "two": "2",
+        "five": "5"
+      }
+    }
+  }
+}

.github/workflows/config/prod.jsonc

@@ -0,0 +1,17 @@
+{
+  // production (example) constants
+  // overrides values specified in default.jsonc, read additional comments there
+  //   and in cve-core/src/adapters/config/AppConfig.ts
+  // NOTE for consistency, all values need to be strings for proper type when using .env overrides
+  "appConfig": {
+    "search": {
+      "minServer": [
+        "elasticsearch:7.10.2",
+        "opensearch:2.10.0"
+      ],
+      "providerEndpoint": "", // preference is to specify this in a (secret) environment variable on production platforms
+      "index": "", // preference is to specify this in a (secret) environment variable on production platforms
+      "allowUnknownSslCerts": "FALSE"
+    }
+  }
+}

.github/workflows/config/sadp.jsonc

@@ -0,0 +1,22 @@
+{
+  // SADP configuration
+  //  NOTE for consistency, all values need to be strings for proper type when using .env overrides
+  "appConfig": {
+    "local": {
+      "cvesDirRoot": "./Published SADP Records"
+    },
+    // these variables are for working with CVEs with SADP information
+    "sadp": {
+      "deltaLog": {
+        "numLookback": 3
+      },
+      // the code reviews CVEs based on the jsonpath string, looking for matching values
+      "conditionalCveCopy": {
+        "jsonpath": "$.containers.adp[*].providerMetadata.shortName",
+        "matches": [
+          "*-SADP"
+        ]
+      }
+    }
+  }
+}

.github/workflows/config/sadptest.jsonc

@@ -0,0 +1,30 @@
+{
+  // SADP configuration
+  //  NOTE for consistency, all values need to be strings for proper type when using .env overrides
+  "appConfig": {
+    "local": {
+      // "cvesDirRoot": "./cves.sadp"
+      "cvesDirRoot": "./Published SADP Records"
+    },
+    // these variables are for working with CVEs with SADP information
+    "sadp": {
+      "deltaLog": {
+        "numLookback": 2
+      },
+      // the code reviews CVEs based on the jsonpath string, looking for matching values
+      "conditionalCveCopy": {
+        "jsonpath": "$.containers.adp[*].providerMetadata.shortName",
+        // "jsonpath": "$.cveMetadata.state",
+        // "jsonpath": "$.cveMetadata.assignerShortName",
+        "matches": [
+          // "redhat",
+          // "PUBLISHED",
+          // "*ED",
+          // "PUBLISH*",
+          "*-ADP",
+          // "*-SADP",
+        ]
+      }
+    }
+  }
+}