2.0.0-rc13 • Published 5 months ago

@noah.jaffe/alpha v2.0.0-rc13

License: Apache-2.0
Repository: github
Last release: 5 months ago

CVE Core

Overview

This project implements the cve-core common library, which contains the general purpose core classes for interacting with CVEs and CVE-related services. The intent is for this library to become a public npm package that can be used in any TypeScript or JavaScript (ESM) application to simplify and help standardize working with CVEs and CVE services.

Versioning

The first version of this library is 2.0.0. The capabilities of this library were already in use in cvelistV5, and to preserve the versioning of those capabilities we decided to start this library at 2.0.0. See the ChangeLog for specific details.

Pre-requisites

All functionality requires the following minimum version:

  • Node.js (18+ required, 20+ recommended)

Some functionality has additional requirements:

  • Git

Optional, recommended:

  • Docker, for hosting local instances of external dependencies.
  • A POSIX-compliant shell, for cross-compatibility when running CLI scripts.
    • e.g. Bash (or Git Bash for Windows)
  • jq, for working with JSON files.

Installation

Be sure to install the necessary prerequisites before continuing.

There are multiple ways to install the package.

Using the package in code

After installing the package:

const CveCore = require('cve-core');

or

import * as CveCore from 'cve-core';

then use it

CveCore.CveId.isValidCveId('CVE-1999-0001');
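An added example, not cve-core's own code, of what an isValidCveId-style check does and why it matters when an ID is used to build a file path: the regex and the cvelistV5 layout rule (cves/<year>/<bucket>xxx/<id>.json, as in the 1970/0xxx/CVE-1970-0999.json fixture path mentioned under Fixtures) are this example's assumptions, and the function names are hypothetical.

```javascript
// Stand-alone CVE ID validation and cvelistV5 path mapping (example code,
// not the cve-core library's implementation).

// Canonical form only: uppercase "CVE", a 4-digit year, a sequence number of
// at least four digits, and nothing else. "$" in JavaScript does not match
// before a trailing newline, so "CVE-1999-0001\n" is rejected too.
const CVE_ID_RE = /^CVE-(\d{4})-(\d{4,})$/;

function isValidCveId(id) {
  return typeof id === 'string' && CVE_ID_RE.test(id);
}

// Best-effort normalisation of user-supplied text (trim, uppercase);
// returns the canonical ID or null if it still does not validate.
function normalizeCveId(text) {
  if (typeof text !== 'string') return null;
  const candidate = text.trim().toUpperCase();
  return isValidCveId(candidate) ? candidate : null;
}

// Map an ID to its cvelistV5 location. The bucket directory is the sequence
// number with its last three digits replaced by "xxx":
//   CVE-1970-0999  -> cves/1970/0xxx/CVE-1970-0999.json
//   CVE-1970-12345 -> cves/1970/12xxx/CVE-1970-12345.json (constructed ID)
// Validating first is what keeps "..", "/" and similar characters from an
// untrusted ID out of the resulting path.
function cveIdToPath(id, root = 'cves') {
  if (!isValidCveId(id)) {
    throw new Error(`not a CVE ID: ${JSON.stringify(id)}`);
  }
  const [, year, seq] = CVE_ID_RE.exec(id);
  const bucket = seq.slice(0, -3) + 'xxx';
  return `${root}/${year}/${bucket}/${id}.json`;
}

// Split a batch of IDs (e.g. from a CLI argument list) into accepted
// canonical IDs and rejected raw inputs, so callers can report the latter.
function partitionCveIds(inputs) {
  const accepted = [];
  const rejected = [];
  for (const raw of inputs) {
    const id = normalizeCveId(raw);
    if (id === null) rejected.push(raw);
    else accepted.push(id);
  }
  return { accepted, rejected };
}
```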

Using the package as a command line:

Run the following in the command line after installing or building the cve-core package.

npx cves --help
npx cves date

or

./cves.sh --help
./cves.sh date

To ensure compatibility with DOS/Windows based operating systems, we have provided ./cves.bat as an alternative to ./cves.sh.


Additional dependencies

CVE Services

To test or develop for cve-services, you will need to have an instance of CVE Services to point to.

Required .env variables:

  • CVE_SERVICES_URL - URL for cve-services.
  • CVE_API_ORG - The org short name for the user.
  • CVE_API_USER - The user name.
  • CVE_API_KEY - The key for this org user.

To test against a local version of cve-services, you will need to build the cve-services Docker container. See here for Docker build instructions. Note: if you are developing on Windows, you may want to check out this comment explaining why your build may not be working.

OpenSearch

TBD: Release opensearch info? inside cve-search repo:

  • docker compose up
  • unzip 1000cves.zip
  • ./prep.sh
  • ...?

Fixtures

There are several fixtures directories in this project:

  1. ./cves - a partial and not necessarily up-to-date collection of CVEs arranged in the expected cvelistV5 project location. The files here are NOT intended to be up-to-date with actual CVE content. If they are outdated, they should remain outdated for tests already written using them. It may also contain test-only fake CVEs in ./cves/1970/. This is to be considered the de facto location for CVE test files, which need to be verified in the expected locations when deployed.

  2. ./test/fixtures - collection of subdirectories for specific tests. For example, ./test/fixtures/cve/5 contains test files that are copied and then manipulated during testing for specific purposes.

For src/core/Delta.test.ts to work properly, do not commit pretend_github_repository/1970/0xxx/CVE-1970-0999.json. It is intended to be copied from fixtures during testing to test that a new file shows up in the new list of an activity's delta.

There is also the cve-fixtures repo, which is intended for integration (int) and end-to-end (e2e) testing. You may add files, but you may not modify or remove files once they end up in the cve-fixtures main branch. Keep the cve-fixtures repository small enough that a clone will not take a significant amount of time.

Environment Variables and Secrets

There are 3 CVE-related "secret" environment variables: CVE_API_KEY, CVE_API_ORG, and CVE_API_USER. These need to be defined as specified in the Setup section above.

History

See ChangeLog.md for a full history of this project.