Unknown CVEs should be created when the deprecation form is submitted (#6943)

Author: Scott Bommarito

src/NuGet.Services.Entities/Cve.cs

@@ -46,18 +46,17 @@ public Cve()
         /// The description field is intentionally truncated to maximum 300 characters.
         /// </remarks>
         [MaxLength(300)]
-        [Required]
         public string Description { get; set; }
 
         /// <summary>
         /// Gets or sets the last-modified date for the entity.
         /// </summary>
-        public DateTime LastModifiedDate { get; set; }
+        public DateTime? LastModifiedDate { get; set; }
 
         /// <summary>
         /// Gets or sets the date this CVE entity was first published.
         /// </summary>
-        public DateTime PublishedDate { get; set; }
+        public DateTime? PublishedDate { get; set; }
 
         /// <summary>
         /// Gets or sets whether the <see cref="Cve"/> is publicly listed.

src/NuGet.Services.Entities/CveStatus.cs

@@ -72,6 +72,12 @@ public enum CveStatus
         /// Due to a CNA error, the CVE candidate was also originally assigned to another issue.
         /// The CVE description will provide details about which other CVEs to refer too.
         /// </summary>
-        Split = 10
+        Split = 10,
+
+        /// <summary>
+        /// A value of Unknown refers to an entity that was entered by a user of NuGet.org.
+        /// If the CVE exists, it will be updated with the full data when it is imported.
+        /// </summary>
+        Unknown = 11
     }
 }

src/NuGetGallery.Core/Entities/EntitiesContext.cs

@@ -382,8 +382,7 @@ protected override void OnModelCreating(DbModelBuilder modelBuilder)
 
             modelBuilder.Entity<Cve>()
                 .Property(e => e.Description)
-                .HasMaxLength(300)
-                .IsRequired();
+                .HasMaxLength(300);
 
             modelBuilder.Entity<Cve>()
                 .Property(v => v.CvssRating)

src/NuGetGallery/Controllers/ManageDeprecationJsonApiController.cs

@@ -5,6 +5,7 @@
 using System.Collections.Generic;
 using System.Linq;
 using System.Net;
+using System.Text.RegularExpressions;
 using System.Threading.Tasks;
 using System.Web.Mvc;
 using NuGet.Services.Entities;
@@ -16,6 +17,15 @@ namespace NuGetGallery
     public partial class ManageDeprecationJsonApiController
         : AppController
     {
+        private static readonly TimeSpan RegexTimeout = TimeSpan.FromMinutes(1);
+
+        public const string CveIdRegexYearGroupName = "year";
+        public const string CveIdRegexPattern = @"CVE-(?<" + CveIdRegexYearGroupName + @">\d{4})-\d{4,}";
+        private static readonly Regex CveIdRegex = GetRegexFromPattern(CveIdRegexPattern);
+
+        public const string CweIdRegexPattern = @"CWE-\d+";
+        private static readonly Regex CweIdRegex = GetRegexFromPattern(CweIdRegexPattern);
+
         private readonly IVulnerabilityAutocompleteService _vulnerabilityAutocompleteService;
         private readonly IPackageService _packageService;
         private readonly IPackageDeprecationService _deprecationService;
@@ -109,6 +119,28 @@ public virtual async Task<JsonResult> Deprecate(
                 return DeprecateErrorResponse(HttpStatusCode.BadRequest, Strings.DeprecatePackage_NoVersions);
             }
 
+            JsonResult vulnerabilityDetailIdsErrorResult;
+
+            cveIds = cveIds ?? Enumerable.Empty<string>();
+            if (!TryVerifyVulnerabilityDetailIds(
+                cveIds, 
+                IsValidCveId,
+                Strings.DeprecatePackage_InvalidCve, 
+                out vulnerabilityDetailIdsErrorResult))
+            {
+                return vulnerabilityDetailIdsErrorResult;
+            }
+
+            cweIds = cweIds ?? Enumerable.Empty<string>();
+            if (!TryVerifyVulnerabilityDetailIds(
+                cweIds, 
+                IsValidCweId, 
+                Strings.DeprecatePackage_InvalidCwe, 
+                out vulnerabilityDetailIdsErrorResult))
+            {
+                return vulnerabilityDetailIdsErrorResult;
+            }
+
             if (cvssRating.HasValue && (cvssRating < 0 || cvssRating > 10))
             {
                 return DeprecateErrorResponse(HttpStatusCode.BadRequest, Strings.DeprecatePackage_InvalidCvss);
@@ -180,18 +212,16 @@ public virtual async Task<JsonResult> Deprecate(
                 }
             }
 
-            cveIds = cveIds ?? Enumerable.Empty<string>();
-            var cves = _deprecationService.GetCvesById(cveIds);
-            if (cveIds.Count() != cves.Count)
+            var cves = await _deprecationService.GetOrCreateCvesByIdAsync(cveIds, commitChanges: false);
+
+            IReadOnlyCollection<Cwe> cwes;
+            try
             {
-                return DeprecateErrorResponse(HttpStatusCode.NotFound, Strings.DeprecatePackage_MissingCve);
+                cwes = _deprecationService.GetCwesById(cweIds);
             }
-
-            cweIds = cweIds ?? Enumerable.Empty<string>();
-            var cwes = _deprecationService.GetCwesById(cweIds);
-            if (cweIds.Count() != cwes.Count)
+            catch (ArgumentException)
             {
-                return DeprecateErrorResponse(HttpStatusCode.NotFound, Strings.DeprecatePackage_MissingCwe);
+                return DeprecateErrorResponse(HttpStatusCode.NotFound, Strings.DeprecatePackage_CweMissing);
             }
 
             var status = PackageDeprecationStatus.NotDeprecated;
@@ -228,5 +258,66 @@ private JsonResult DeprecateErrorResponse(HttpStatusCode code, string error)
         {
             return Json(code, new { error });
         }
+        
+        /// <summary>
+        /// Verifies IDs in the list match <paramref name="regex"/>.
+        /// If they don't, returns <c>false</c> and sets <paramref name="result"/> to the expected <see cref="JsonResult"/>.
+        /// Otherwise, returns <c>true</c>.
+        /// </summary>
+        /// <param name="errorString">The error string to use to construct <paramref name="result"/>.</param>
+        private bool TryVerifyVulnerabilityDetailIds(
+            IEnumerable<string> ids, 
+            Func<string, bool> isValid,
+            string errorString, 
+            out JsonResult result)
+        {
+            result = null;
+            string invalidId;
+            if ((invalidId = ids.FirstOrDefault(c => !isValid(c))) != null)
+            {
+                result = DeprecateErrorResponse(
+                    HttpStatusCode.BadRequest,
+                    string.Format(errorString, invalidId));
+
+                return false;
+            }
+
+            return true;
+        }
+
+        private bool IsValidCveId(string id)
+        {
+            var match = CveIdRegex.Match(id);
+            if (match.Value == string.Empty)
+            {
+                return false;
+            }
+
+            var yearString = match.Groups[CveIdRegexYearGroupName].Value;
+            if (!int.TryParse(yearString.ToString(), out var year))
+            {
+                return false;
+            }
+
+            if (year < 1999 || year > DateTime.UtcNow.Year)
+            {
+                return false;
+            }
+
+            return true;
+        }
+
+        private bool IsValidCweId(string id)
+        {
+            return CweIdRegex.IsMatch(id);
+        }
+
+        private static Regex GetRegexFromPattern(string pattern)
+        {
+            return new Regex(
+                pattern,
+                RegexOptions.Compiled | RegexOptions.IgnoreCase | RegexOptions.Singleline,
+                RegexTimeout);
+        }
     }
 }

src/NuGetGallery/Migrations/201903020136235_CvesCanBeEmpty.Designer.cs

@@ -0,0 +1,20 @@
+namespace NuGetGallery.Migrations
+{
+    using System;
+    using System.Data.Entity.Migrations;
+    
+    public partial class CvesCanBeEmpty : DbMigration
+    {
+        public override void Up()
+        {
+            AlterColumn("dbo.Cwes", "Name", c => c.String(nullable: false, maxLength: 200));
+            AlterColumn("dbo.Cwes", "Description", c => c.String(nullable: false, maxLength: 300));
+        }
+        
+        public override void Down()
+        {
+            AlterColumn("dbo.Cwes", "Description", c => c.String(maxLength: 300));
+            AlterColumn("dbo.Cwes", "Name", c => c.String(maxLength: 200));
+        }
+    }
+}

src/NuGetGallery/Migrations/201903020136235_CvesCanBeEmpty.cs

@@ -223,6 +223,10 @@
     <Compile Include="Authentication\Providers\AzureActiveDirectory\AzureActiveDirectoryAuthenticator.cs" />
     <Compile Include="Authentication\Providers\AzureActiveDirectory\AzureActiveDirectoryAuthenticatorConfiguration.cs" />
     <Compile Include="Controllers\ManageDeprecationJsonApiController.cs" />
+    <Compile Include="Migrations\201903020136235_CvesCanBeEmpty.cs" />
+    <Compile Include="Migrations\201903020136235_CvesCanBeEmpty.Designer.cs">
+      <DependentUpon>201903020136235_CvesCanBeEmpty.cs</DependentUpon>
+    </Compile>
     <Compile Include="Queries\AutocompleteCveIdQueryResults.cs" />
     <Compile Include="Queries\AutocompleteCweIdQueryResults.cs" />
     <Compile Include="Queries\AutocompleteCveIdQueryResult.cs" />
@@ -1701,6 +1705,9 @@
     <EmbeddedResource Include="Migrations\201902061444243_AddVulnerabilityEntities.resx">
       <DependentUpon>201902061444243_AddVulnerabilityEntities.cs</DependentUpon>
     </EmbeddedResource>
+    <EmbeddedResource Include="Migrations\201903020136235_CvesCanBeEmpty.resx">
+      <DependentUpon>201903020136235_CvesCanBeEmpty.cs</DependentUpon>
+    </EmbeddedResource>
     <EmbeddedResource Include="OData\QueryAllowed\Data\apiv1packages.json" />
     <EmbeddedResource Include="OData\QueryAllowed\Data\apiv1search.json" />
     <EmbeddedResource Include="OData\QueryAllowed\Data\apiv2getupdates.json" />

src/NuGetGallery/Migrations/201903020136235_CvesCanBeEmpty.resx

@@ -29,8 +29,9 @@ Task UpdateDeprecation(
 
         /// <summary>
         /// Fetches all <see cref="Cve"/>s with a <see cref="Cve.CveId"/> contained in <paramref name="ids"/>.
+        /// If an ID does not have an associated <see cref="Cve"/>, it creates a dummy entity.
         /// </summary>
-        IReadOnlyCollection<Cve> GetCvesById(IEnumerable<string> ids);
+        Task<IReadOnlyCollection<Cve>> GetOrCreateCvesByIdAsync(IEnumerable<string> ids, bool commitChanges);
 
         /// <summary>
         /// Fetches all <see cref="Cwe"/>s with a <see cref="Cwe.CweId"/> contained in <paramref name="ids"/>.

src/NuGetGallery/NuGetGallery.csproj

@@ -117,16 +117,40 @@ public async Task UpdateDeprecation(
             await _deprecationRepository.CommitChangesAsync();
         }
 
-        public IReadOnlyCollection<Cve> GetCvesById(IEnumerable<string> ids)
+        public async Task<IReadOnlyCollection<Cve>> GetOrCreateCvesByIdAsync(IEnumerable<string> ids, bool commitChanges)
         {
             if (ids == null)
             {
                 throw new ArgumentNullException(nameof(ids));
             }
 
-            return _cveRepository.GetAll()
+            var details = _cveRepository.GetAll()
                .Where(c => ids.Contains(c.CveId))
                .ToList();
+
+            var addedDetails = new List<Cve>();
+            foreach (var missingId in ids.Where(i => !details.Any(c => c.CveId == i)))
+            {
+                var detail = new Cve
+                {
+                    CveId = missingId,
+                    Listed = false,
+                    Status = CveStatus.Unknown
+                };
+                addedDetails.Add(detail);
+                details.Add(detail);
+            }
+
+            if (addedDetails.Any())
+            {
+                _cveRepository.InsertOnCommit(addedDetails);
+                if (commitChanges)
+                {
+                    await _cveRepository.CommitChangesAsync();
+                }
+            }
+
+            return details;
         }
 
         public IReadOnlyCollection<Cwe> GetCwesById(IEnumerable<string> ids)
@@ -136,9 +160,16 @@ public IReadOnlyCollection<Cwe> GetCwesById(IEnumerable<string> ids)
                 throw new ArgumentNullException(nameof(ids));
             }
 
-            return _cweRepository.GetAll()
+            var cwes = _cweRepository.GetAll()
                .Where(c => ids.Contains(c.CweId))
                .ToList();
+
+            if (ids.Any(i => !cwes.Any(c => i == c.CweId)))
+            {
+                throw new ArgumentException("Some IDs do not have a CWE associated with them!", nameof(ids));
+            }
+
+            return cwes;
         }
     }
 }