Updated OpenAPI YAML for CVE v5 #511
Conversation
…on with services.
|
I suggest merging PUT and POST into one POST and an "upsert" operation on backend if everything else is valid. See #505. |
| - $ref: '#/components/parameters/api-secret-header' | ||
| - $ref: '#/components/parameters/api-user-header' | ||
| - $ref: '#/components/parameters/cve-id-path' | ||
| get: |
There was a problem hiding this comment.
We can definitely do this in the future but I think we should avoid trying to do gets for the specific sub resources in order to make this first release. My intuition would be that most use cases would be interested in grabbing the whole record and even then any case that needs the container can pull it from the full record easily.
There was a problem hiding this comment.
Good with me.
| description: | | ||
| <h2>Access Control</h2> | ||
| <p>At least one of the following roles are needed to access the endpoint:</p> | ||
| <p>- <b>SECRETARIAT:</b> The user must belong to an Organization with the “SECRETARIAT” role</p> |
There was a problem hiding this comment.
Noting that we'll need to specify that CNAs can access this endpoint to post their own records.
There was a problem hiding this comment.
Yes. I wasn't sure what to include in these text fields.
| application/json: | ||
| schema: | ||
| $ref: '#/components/schemas/errorGeneric' | ||
| /cve/{cve-id}/cna/rejected: |
There was a problem hiding this comment.
Was it intended to have the action endpoint off the /cna endpoint? For me it's more appropriate to have it off the whole resource (/cve/:cve-id) because that's what is getting rejected. Also, due to the nature of the structure of a rejected record, the containers actually become non-existent.
There was a problem hiding this comment.
I like the /cve/{cve-id}/reject endpoint approach better.
| content: | ||
| application/json: | ||
| schema: | ||
| $ref: service-api-cve-schema.json#/definitions/rejected |
There was a problem hiding this comment.
I'm guessing the schema is WIP and we'll add the rejected schema once we actually build it.
| description: | | ||
| <h2>Access Control</h2> | ||
| <p>At least one of the following roles are needed to access the endpoint:</p> | ||
| <p>- <b>SECRETARIAT:</b> The user must belong to an Organization with the “SECRETARIAT” role</p> |
There was a problem hiding this comment.
ditto adding permission documentation for CNAs
This is not the ideal REST way of doing this. POST is for creating. PUT is for updating. |
Description of the Change
In the context #510, this PR updates the OpenAPI YAML for the services for the following endpoints:
POST /cve/:id/cna-> Publish the record, expecting acnacontainer in the JSON body.PUT /cve/:id/cna-> Update thecnacontainer for the record.POST /cve/:id/rejected-> Reject the CVE. Expects adescriptionsarray with at least one english description and an optionalreplacedByarray to build the new rejected CVE record.It integrates the CVE Record Format v5 JSON schema through an integration schema, which is specific to the service implementation.
This is a work in progress for discussion purposes.