
Attempting to POST/PUT CVE with inconsistent cvss scores and severities should throw an error #1124

Closed
jdaigneau5 opened this issue Oct 3, 2023 · 0 comments

Comments

@jdaigneau5
Collaborator

jdaigneau5 commented Oct 3, 2023

Summary

CVSS V3 metrics have a baseScore which corresponds to a baseSeverity:

  • High: 7.0 - 8.9
  • Medium: 4.0 - 6.9
  • Low: < 4.0

The relationship between these fields is not enforced by the schema and therefore they can contradict each other. Cve-services should prevent this and throw an error explaining that the values must be consistent with the above ranges.

Definition of Done

  • Create a new 400 error with an error message explaining the above restriction
  • Create new middleware function that checks CVE POSTs/PUTs for consistent CVSS scores and severities
  • Apply new middleware to CVE POST/PUT endpoints
  • Create unit tests for new middleware

Note

  • Confirm that the requirements are the same for CVSS V4.
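The Definition of Done above describes a score/severity consistency check plus an Express-style middleware that rejects inconsistent CVE POST/PUT bodies with a 400. The block below is an added example, not cve-services code: it assumes the CVE JSON record shape (`containers.cna.metrics[].cvssV3_1` / `cvssV3_0` with `baseScore` and `baseSeverity`), and the error-body format is a placeholder rather than the project's real error format. It goes beyond the issue text in one way: besides the Low/Medium/High bands the issue lists, it also includes the NONE (0.0) and CRITICAL (9.0 - 10.0) bands from the CVSS v3.x specification, so that a 9.8 reported as HIGH is caught too. The `runMiddleware` helper stands in for Express's `req`/`res` so the file runs without the framework.

```javascript
// Added example (not cve-services code): check that every CVSS v3.x metric in a
// CVE record carries a baseSeverity consistent with its baseScore, and expose
// that check as Express-style middleware for the CVE POST/PUT routes.
// Assumption: records follow the CVE JSON 5.x shape, i.e.
// containers.cna.metrics[] entries holding cvssV3_1 / cvssV3_0 objects.

// Map a baseScore to the severity the CVSS v3.x spec requires.
// LOW/MEDIUM/HIGH are the bands from the issue; NONE and CRITICAL are the
// remaining spec bands. Returns null for a score outside [0, 10].
function expectedSeverity(baseScore) {
  if (typeof baseScore !== 'number' || Number.isNaN(baseScore)) return null;
  if (baseScore < 0 || baseScore > 10) return null;
  if (baseScore === 0) return 'NONE';
  if (baseScore < 4.0) return 'LOW';
  if (baseScore < 7.0) return 'MEDIUM';
  if (baseScore < 9.0) return 'HIGH';
  return 'CRITICAL';
}

// Walk every metric in the record and collect score/severity mismatches.
// A missing or empty metrics array is not an error here; the schema decides that.
function findCvssInconsistencies(cveRecord) {
  const problems = [];
  const metrics = cveRecord?.containers?.cna?.metrics ?? [];
  metrics.forEach((metric, index) => {
    for (const version of ['cvssV3_1', 'cvssV3_0']) {
      const cvss = metric[version];
      if (!cvss) continue;
      const expected = expectedSeverity(cvss.baseScore);
      // Schema enum values are uppercase; normalise in case a client sends "High".
      const actual = typeof cvss.baseSeverity === 'string'
        ? cvss.baseSeverity.toUpperCase()
        : cvss.baseSeverity;
      if (expected === null || actual !== expected) {
        problems.push({ index, version, baseScore: cvss.baseScore,
                        baseSeverity: cvss.baseSeverity, expected });
      }
    }
  });
  return problems;
}

// Middleware: call next() when all metrics are consistent, otherwise answer
// 400 with a message naming each offending metric. The body format is a
// placeholder, not the project's real error envelope.
function requireConsistentCvss(req, res, next) {
  const problems = findCvssInconsistencies(req.body);
  if (problems.length === 0) return next();
  const details = problems.map(p =>
    `metrics[${p.index}].${p.version}: baseScore ${p.baseScore} requires ` +
    `baseSeverity ${p.expected ?? '(score outside 0.0-10.0)'} but got ${p.baseSeverity}`);
  return res.status(400).json({
    error: 'BAD_INPUT',
    message: 'CVSS baseSeverity must match baseScore: NONE 0.0, LOW 0.1-3.9, ' +
             'MEDIUM 4.0-6.9, HIGH 7.0-8.9, CRITICAL 9.0-10.0',
    details,
  });
}

// Constructed sample record: metric 0 is consistent, metric 1 is not.
const SAMPLE_RECORD = {
  containers: { cna: { metrics: [
    { cvssV3_1: { version: '3.1', baseScore: 7.5, baseSeverity: 'HIGH' } },
    { cvssV3_1: { version: '3.1', baseScore: 5.3, baseSeverity: 'HIGH' } },
  ] } },
};

// Minimal stand-ins for Express req/res so the middleware runs stand-alone.
function runMiddleware(body) {
  const res = {
    statusCode: 200, body: null,
    status(code) { this.statusCode = code; return this; },
    json(payload) { this.body = payload; return this; },
  };
  let nextCalled = false;
  requireConsistentCvss({ body }, res, () => { nextCalled = true; });
  return { nextCalled, statusCode: res.statusCode, body: res.body };
}

console.log(JSON.stringify(runMiddleware(SAMPLE_RECORD), null, 2));
```

In a real wiring the middleware would be registered on the CVE POST/PUT routes before the controller, and the unit tests from the Definition of Done would exercise `findCvssInconsistencies` directly with one record per severity band plus boundary scores such as 3.9/4.0 and 8.9/9.0.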
github-actions bot added this to Needs Triage in Issue Triage, Oct 3, 2023
jdaigneau5 removed this from Needs Triage in Issue Triage, Feb 16, 2024
jdaigneau5 moved this from To do to In progress in Sprint 42 (Feb 14 - Mar 13), Feb 20, 2024
jdaigneau5 added a commit that referenced this issue, Feb 20, 2024
jdaigneau5 moved this from In progress to Done in Sprint 42 (Feb 14 - Mar 13), Feb 27, 2024