
PUT /cve/{id} should not unconditionally modify Cve-Id collection #1278

Closed
ElectricNroff opened this issue Sep 23, 2024 · 2 comments

@ElectricNroff
Contributor

```js
if (cveId.state === CONSTANTS.CVE_STATES.REJECTED) {
  result = await cveIdRepo.updateByCveId(id, { state: CONSTANTS.CVE_STATES.PUBLISHED })
  // ...
}
```

versus

```js
await cveIdRepo.updateByCveId(cveId, { state: newCveState })
```

(etc.)

Successful calls to updateCve always result in cveIdRepo.updateByCveId(cveId, { state: newCveState }) but should do that only if the state of the CVE Record is being changed from PUBLISHED to REJECTED, or from REJECTED to PUBLISHED. Otherwise, in realistic situations in which there are tens of thousands of PUT /cve/{id} calls, there can be tens of thousands of modified items in the Cve-Id collection even though the state remained PUBLISHED. This can potentially result in a large amount of processing time for some Secretariat processes that care about modified CVE IDs.

More generally, updateCna is behaving optimally because it sets the state to PUBLISHED only if it was previously REJECTED. rejectExistingCve makes superfluous changes to the Cve-Id collection if the CNA is replacing one REJECTED record with a different REJECTED record. rejectCVE makes superfluous changes to the Cve-Id collection if the CNA is entering a new REJECTED CVE Record when the CVE ID happens to be in the REJECTED state already. submitCVE makes superfluous changes to the Cve-Id collection if the Secretariat is entering a new REJECTED CVE Record when the CVE ID happens to be in the REJECTED state already.

And, of course, submitCna is correct because there is no way for the CVE ID to already be in the PUBLISHED state during a successful call.
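The transition rule the issue asks for, as an added example that is not cve-services code: a guard that permits a Cve-Id write only on a PUBLISHED/REJECTED change, run beside the unconditional form against a constructed in-memory repository that counts writes, so the churn from repeated PUTs on an unchanged record is measurable. CVE_STATES, updateByCveId, findOneByCveId and the CVE ID value are assumed stand-ins for the names quoted above.

```javascript
// Assumed stand-in for CONSTANTS.CVE_STATES; only the two states the issue discusses.
const CVE_STATES = { PUBLISHED: 'PUBLISHED', REJECTED: 'REJECTED' };

// A CVE Record update changes the CVE ID's state only on these two transitions,
// so only these should produce a write to the Cve-Id collection.
function cveIdNeedsUpdate(currentIdState, newCveState) {
  return (
    (currentIdState === CVE_STATES.PUBLISHED && newCveState === CVE_STATES.REJECTED) ||
    (currentIdState === CVE_STATES.REJECTED && newCveState === CVE_STATES.PUBLISHED)
  );
}

// Constructed in-memory repository (hypothetical, not cveIdRepo) that counts
// writes so the effect of each strategy can be asserted.
function makeCveIdRepo(initial) {
  const ids = new Map(Object.entries(initial));
  let writes = 0;
  return {
    findOneByCveId: (id) => ids.get(id),
    updateByCveId: async (id, patch) => {
      writes += 1; // every call is a modified item in the collection
      ids.set(id, { ...ids.get(id), ...patch });
      return ids.get(id);
    },
    writes: () => writes,
  };
}

// The behaviour the issue reports: the Cve-Id row is touched on every update.
async function updateCveUnconditional(repo, id, newCveState) {
  await repo.updateByCveId(id, { state: newCveState });
}

// The requested behaviour: touch the Cve-Id row only when its state actually changes.
async function updateCveConditional(repo, id, newCveState) {
  const cveId = repo.findOneByCveId(id);
  if (cveIdNeedsUpdate(cveId.state, newCveState)) {
    await repo.updateByCveId(id, { state: newCveState });
  }
}

// Replay n PUTs that leave a PUBLISHED record PUBLISHED and report the write counts.
async function countWrites(n) {
  const seed = () => ({ 'CVE-2024-0001': { state: CVE_STATES.PUBLISHED } }); // constructed ID
  const unconditional = makeCveIdRepo(seed());
  const conditional = makeCveIdRepo(seed());
  for (let i = 0; i < n; i += 1) {
    await updateCveUnconditional(unconditional, 'CVE-2024-0001', CVE_STATES.PUBLISHED);
    await updateCveConditional(conditional, 'CVE-2024-0001', CVE_STATES.PUBLISHED);
  }
  return { unconditional: unconditional.writes(), conditional: conditional.writes() };
}
```

Downstream processes that key on modified Cve-Id items see one change per PUT with the first form and none with the second, which is the difference the issue is pointing at.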

@github-project-automation github-project-automation bot moved this to Needs Triage in Issue Triage Sep 23, 2024
@david-rocca david-rocca moved this to Todo in Sprint 45 Dec 18, 2024
@david-rocca david-rocca moved this from Todo to In Progress in Sprint 45 Dec 18, 2024
@david-rocca david-rocca self-assigned this Dec 18, 2024
@david-rocca
Collaborator

Reading through this ticket I am seeing the main issues below:

  • updateCve is always calling updateByCveId when it should only be called on a change from Published to Rejected or from Rejected to Published.
  • rejectExistingCve makes superfluous changes to the Cve-Id collection if the CNA is replacing one REJECTED record with a different REJECTED record.
  • rejectCVE makes superfluous changes to the Cve-Id collection if the CNA is entering a new REJECTED CVE Record when the CVE ID happens to be in the REJECTED state already.
  • submitCVE makes superfluous changes to the Cve-Id collection if the Secretariat is entering a new REJECTED CVE Record when the CVE ID happens to be in the REJECTED state already.

@david-rocca
Collaborator

@ElectricNroff Feel free to validate this as well if you would like to ensure it meets your original request if you desire.

@david-rocca david-rocca moved this from In Review to Done in Sprint 45 Dec 30, 2024
@david-rocca david-rocca closed this as completed by moving to Done in Sprint 45 Dec 30, 2024