Merge pull request #6916 from NuGet/dev

[ReleasePrep][2019.02.21]RI of dev into master

Author: zhhyu

src/Bootstrap/dist/css/bootstrap-theme.css

@@ -2,6 +2,7 @@
 @import "modals.less";
 @import "common-edit-metadata.less";
 @import "common-high-contrast.less";
+@import "common-licenses.less";
 @import "common-list-packages.less";
 @import "common-user-package-list.less";
 @import "page-about.less";

src/Bootstrap/less/theme/all.less

@@ -0,0 +1,10 @@
+.common-licenses {
+    pre.license-file-contents {
+        white-space: pre-wrap;
+        word-break: normal;
+    }
+
+    .custom-license-container {
+        margin-bottom: @default-margin-bottom;
+    }
+}

src/Bootstrap/less/theme/common-licenses.less

@@ -2,13 +2,4 @@
     #browse-for-package-button {
         margin: 0;
     }
-
-    pre.license-file-contents {
-        white-space: pre-wrap;
-        word-break: normal;
-    }
-
-    .custom-license-container {
-        margin-bottom: @default-margin-bottom;
-    }
 }

src/Bootstrap/less/theme/page-upload.less

@@ -0,0 +1,86 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Collections.Generic;
+using System.ComponentModel.DataAnnotations;
+using System.ComponentModel.DataAnnotations.Schema;
+
+namespace NuGet.Services.Entities
+{
+    /// <summary>
+    /// Represents a Common Vulnerability and Exposure (CVE).
+    /// </summary>
+    public class Cve
+        : IEntity
+    {
+        public const string IdPrefix = "CVE-";
+
+        public Cve()
+        {
+            PackageDeprecations = new HashSet<PackageDeprecation>();
+        }
+
+        /// <summary>
+        /// Gets or sets the primary key for the entity.
+        /// </summary>
+        public int Key { get; set; }
+
+        /// <summary>
+        /// Gets or sets the unique CVE ID.
+        /// The CVE ID number has four or more digits in the sequence number portion of the ID (e.g., "CVE-1999-0067", "CVE-2014-12345", "CVE-2016-7654321").
+        /// </summary>
+        // sources:
+        //  * https://cve.mitre.org/cve/identifiers/syntaxchange.html
+        //  * https://cve.mitre.org/about/faqs.html#what_is_cve_id
+        [Index(IsUnique = true)]
+        [Required]
+        [MaxLength(20)]
+        public string CveId { get; set; }
+
+        /// <summary>
+        /// Gets or sets the description of the CVE.
+        /// The description is a plain language field that describes the vulnerability with sufficient detail as to demonstrate that the vulnerability is unique.
+        /// </summary>
+        /// <remarks>
+        /// The description field is intentionally truncated to maximum 300 characters.
+        /// </remarks>
+        [MaxLength(300)]
+        [Required]
+        public string Description { get; set; }
+
+        /// <summary>
+        /// Gets or sets the last-modified date for the entity.
+        /// </summary>
+        public DateTime LastModifiedDate { get; set; }
+
+        /// <summary>
+        /// Gets or sets the date this CVE entity was first published.
+        /// </summary>
+        public DateTime PublishedDate { get; set; }
+
+        /// <summary>
+        /// Gets or sets whether the <see cref="Cve"/> is publicly listed.
+        /// An unlisted CVE is no longer available for reference.
+        /// Any <see cref="PackageDeprecation"/>s referencing an unlisted CVE will maintain existing references.
+        /// </summary>
+        public bool Listed { get; set; }
+
+        /// <summary>
+        /// Gets or sets the status of the <see cref="Cve"/>.
+        /// </summary>
+        [Required]
+        public CveStatus Status { get; set; }
+
+        /// <summary>
+        /// Gets or sets the CVSS rating for this <see cref="Cve"/> as determined by the NVD.
+        /// </summary>
+        /// <remarks>
+        /// CVSS ratings are from 0.0 to 10.0 and have a single point of precision.
+        /// </remarks>
+        [Range(0, 10)]
+        public decimal? CvssRating { get; set; }
+
+        public virtual ICollection<PackageDeprecation> PackageDeprecations { get; set; }
+    }
+}

src/NuGet.Services.Entities/Cve.cs

@@ -0,0 +1,77 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+namespace NuGet.Services.Entities
+{
+    // source: https://nvd.nist.gov/vuln
+    public enum CveStatus
+    {
+        /// <summary>
+        /// CVE has been recently published to the CVE dictionary and has been received by the NVD.
+        /// </summary>
+        Received = 0,
+
+        /// <summary>
+        /// CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.
+        /// </summary>
+        AwaitingAnalysis = 1,
+
+        /// <summary>
+        /// CVE is currently being analyzed by NVD staff. 
+        /// This process results in association of reference link tags, CVSS scores, CWE association, and CPE applicability statements.
+        /// </summary>
+        UndergoingAnalysis = 2,
+
+        /// <summary>
+        /// CVE has had analysis completed and all data associations made.
+        /// </summary>
+        Analyzed = 3,
+
+        /// <summary>
+        /// CVE has been amended by a source (CVE Primary CNA or another CNA). 
+        /// Analysis data supplied by the NVD may be no longer be accurate due to these changes.
+        /// </summary>
+        Modified = 4,
+
+        /// <summary>
+        /// When a CVE is given this status the NVD does not plan analyze or re-analyze this CVE due to resource or other concerns.
+        /// </summary>
+        Deferred = 5,
+
+        /// <summary>
+        /// CVE has been marked as "**REJECT**" in the CVE Dictionary. 
+        /// These CVEs are in the NVD, but do not show up in search results.
+        /// </summary>
+        // source: https://cve.mitre.org/about/faqs.html#reject_signify_in_cve_entry
+        Rejected = 6,
+
+        /// <summary>
+        /// A CVE Entry is marked as "RESERVED" when it has been reserved for use by a CVE Numbering Authority (CNA) or security researcher,
+        /// but the details of it are not yet populated.
+        /// A CVE Entry can change from the RESERVED state to being populated at any time based on a number of factors both internal and external to the CVE List.
+        /// Once the CVE Entry is populated with details on the CVE List, it will become available in the U.S. National Vulnerability Database (NVD).
+        /// </summary>
+        // source: https://cve.mitre.org/about/faqs.html#reserved_signify_in_cve_entry
+        Reserved = 7,
+
+        /// <summary>
+        /// When one party disagrees with another party's assertion that a particular issue in software is a vulnerability,
+        /// a CVE Entry assigned to that issue may be designated as being "DISPUTED".
+        /// In these cases, CVE is making no determination as to which party is correct.
+        /// Instead, CVE makes note of this dispute and try to offer any public references that will better inform those trying to understand the facts of the issue.
+        /// </summary>
+        // source: https://cve.mitre.org/about/faqs.html#disputed_signify_in_cve_entry
+        Disputed = 8,
+
+        /// <summary>
+        /// 
+        /// </summary>
+        Unverifiable = 9,
+
+        /// <summary>
+        /// Due to a CNA error, the CVE candidate was also originally assigned to another issue.
+        /// The CVE description will provide details about which other CVEs to refer too.
+        /// </summary>
+        Split = 10
+    }
+}

src/NuGet.Services.Entities/CveStatus.cs

@@ -0,0 +1,68 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System.Collections.Generic;
+using System.ComponentModel.DataAnnotations;
+using System.ComponentModel.DataAnnotations.Schema;
+
+namespace NuGet.Services.Entities
+{
+    /// <summary>
+    /// Represents a Common Weakness Enumeration (CWE).
+    /// </summary>
+    public class Cwe
+        : IEntity
+    {
+        public const string IdPrefix = "CWE-";
+
+        public Cwe()
+        {
+            PackageDeprecations = new HashSet<PackageDeprecation>();
+        }
+
+        /// <summary>
+        /// Gets or sets the primary key for the entity.
+        /// </summary>
+        public int Key { get; set; }
+
+        /// <summary>
+        /// Gets or sets the unique CWE-ID.
+        /// </summary>
+        [Index(IsUnique = true)]
+        [Required]
+        [MaxLength(20)]
+        public string CweId { get; set; }
+
+        /// <summary>
+        /// Gets or sets the name of the CWE.
+        /// </summary>
+        [MaxLength(200)]
+        [Required]
+        public string Name { get; set; }
+
+        /// <summary>
+        /// Gets or sets the description of the CWE.
+        /// </summary>
+        /// <remarks>
+        /// The description field is intentionally truncated to maximum 300 characters.
+        /// </remarks>
+        [MaxLength(300)]
+        [Required]
+        public string Description { get; set; }
+
+        /// <summary>
+        /// Gets or sets whether the <see cref="Cwe"/> is publicly listed.
+        /// An unlisted CWE is no longer available for reference.
+        /// Any <see cref="PackageDeprecation"/>s referencing an unlisted CWE will maintain existing references.
+        /// </summary>
+        public bool Listed { get; set; }
+
+        /// <summary>
+        /// Gets or sets the status of the <see cref="Cwe"/>.
+        /// </summary>
+        [Required]
+        public CweStatus Status { get; set; }
+
+        public virtual ICollection<PackageDeprecation> PackageDeprecations { get; set; }
+    }
+}

src/NuGet.Services.Entities/Cwe.cs

@@ -0,0 +1,52 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+namespace NuGet.Services.Entities
+{
+    // source: https://cwe.mitre.org/documents/schema/#StatusEnumeration
+    // Note that the quality requirements for Draft and Usable status are very resource-intensive to accomplish, 
+    // while some Incomplete and Draft entries are actively used by the general public; 
+    // so, this status enumeration might change in the future.
+    public enum CweStatus
+    {
+        /// <summary>
+        /// A value of Stable indicates that all important elements have been verified, 
+        /// and the entry is unlikely to change significantly in the future.
+        /// </summary>
+        Stable = 0,
+
+        /// <summary>
+        /// A value of Usable refers to an entity that has received close, extensive review, 
+        /// with critical elements verified. 
+        /// </summary>
+        Usable = 1,
+
+        /// <summary>
+        /// A value of Draft refers to an entity that has all important elements filled, 
+        /// and critical elements such as Name and Description are reasonably well-written; 
+        /// the entity may still have important problems or gaps.
+        /// </summary>
+        Draft = 2,
+
+        /// <summary>
+        /// A value of Incomplete means that the entity does not have all important elements filled, 
+        /// and there is no guarantee of quality.
+        /// </summary>
+        Incomplete = 3,
+
+        /// <summary>
+        /// A value of Obsolete is used when an entity is still valid but no longer is relevant, 
+        /// likely because it has been superceded by a more recent entity.
+        /// </summary>
+        Obsolete = 4,
+
+        /// <summary>
+        /// A value of Deprecated refers to an entity that has been removed from CWE, 
+        /// likely because it was a duplicate or was created in error.
+        /// </summary>
+        /// <remarks>
+        /// CWEs with this status must be filtered out during initial import.
+        /// </remarks>
+        Deprecated = 5
+    }
+}

src/NuGet.Services.Entities/CweStatus.cs

@@ -52,6 +52,10 @@
     <Compile Include="Credential.cs" />
     <Compile Include="CuratedFeed.cs" />
     <Compile Include="CuratedPackage.cs" />
+    <Compile Include="Cve.cs" />
+    <Compile Include="CveStatus.cs" />
+    <Compile Include="Cwe.cs" />
+    <Compile Include="CweStatus.cs" />
     <Compile Include="EmailMessage.cs" />
     <Compile Include="EmbeddedLicenseFileType.cs" />
     <Compile Include="EntityException.cs" />