MCPcopy Index your code
hub / github.com/CVEProject/cve-services

github.com/CVEProject/cve-services @v2.8.2

Chat with this repo
repository ↗ · DeepWiki ↗ · release v2.8.2 ↗ · + Follow
1,826 symbols 4,036 edges 245 files 359 documented · 20%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

6/12/2025 NOTE: the Test environment of CVE Services now includes the release candidate “User Registry” which adds many additional features. See the details at the end of this ReadMe doc.

CVE-API

CodeQL

Table of contents

The CVE Services Project

This repository contains services that support the CVE Program's mission to "identify, define, and catalog publicly disclosed cybersecurity vulnerabilities."

There are many ways one can assist:

OSS Contributor

Developers can contribute code directly. Getting started can be as fast as choosing an issue on our board.

Please read our contributor's guide for more details. We welcome all contributions!

Working Groups

The CVE project operates as multiple focused working groups. Visit the CVE Website working groups page for more information.

Security

Reporting a Vulnerability

Warning Do not put vulnerability information in a GitHub issue.

Please consult our SECURITY.md for specific instructions on reporting a vulnerability that exists in the CVE Services.

Development

Technologies

This project uses or depends on software from

Style Guidelines

This project follows the JavaScript Standard Style.

Setup

Docker

See the Docker README found in the repo here: https://github.com/CVEProject/cve-services/blob/dev/docker/README.md

Local Development

Warning

DO NOT use the dev configuration on a public network. The dev environment includes credentials to enable rapid development and is not secure for public deployment.

  1. Install required node modules

This assumes node 16.14.2 and the latest npm are installed.

cd cve-services
npm install
  1. Setup and start MongoDB locally

Install MongoDB locally

  • https://docs.mongodb.com/manual/administration/install-community/

Download MongoDB Compass (MongoDB GUI)

  • https://www.mongodb.com/download-center/compass

Create a cve_dev database in Compass. The collections will be automatically created when the API starts storing documents.

You can populate the database with test data using:

npm run populate:dev
  1. Start the node application

In order to start a dev environment:

npm run start:dev

API Documentation

API documentation is generated using swagger-autogen which ensures that we keep the API specification up to date with any major changes to API routes. Extra information for each API route is defined as a comment in the index.js files under the respective controller and all request and response schemas are stored under the schemas folder served up by schemas.controller.

To ensure you are using the correct API specification the following endpoints can be used: - Test Instance - Production

Note: The specification file stored in GitHub will only be correct for that branch; there could be differences between branches and production.

If you are developer and want to test changes to the API specification you can generate a specification in one of two ways:

  1. Preferred

When you start your local development server using npm run start:dev the specification file will be generated. Subsequent changes require reloading the server.

  1. Manual

You can use npm run swagger-autogen to generate a new specification file.

CVE Record Submission Validation Rules

As part of the submission processing, CVE Services "validates" that specific requirements are met prior to accepting the submission and posting the CVE Record to the CVE List. Validation rules for CVE Record Submission are noted here.

Unit Testing

This project uses the following for unit testing

  • https://mochajs.org/
  • https://www.chaijs.com/

In order to run the unit tests:

npm run start:test

User Registry

The CVE Automation Working Group (on behalf of the CVE Program) is currently working on a new automation capability: the User Registry. The objective of the User Registry is to modernize how CVE Program Organizations (e.g., CNAs, Roots, Top level Roots, the Secretariat) manage/update their organizational properties and user pools. The new capability will ultimately allow CNAs, Roots, Top Level Roots to better manage their own data/user pools with more robust information. It is targeted to be implemented in a series of incremental deployments to CVE Services in the Fall/2025 through Summer/2026.

Current Status:

The release candidate for the first User Registry increment (termed the User Registry MVP) is now available for testing/review in the CVE Program Testing Environment. (Note that this release IS NOT a PRODUCTION Release and will not be visible in the CVE Program PRODUCTION environment). This release candidate establishes a new, more robust User/Organizations databases (and associated APIs) while maintaining full backwards compatibility with the current User/Organizational management functions (meaning that current CVE Services clients will not be required to be modified with the deployment of this candidate). It was discussed at the 6/10/2025 CVE Program AWG meeting.

HowTo:

Credentialed users of CVE Services Test Environment will be able to use the new capabilities via the API endpoints which are described here (Be sure to scroll down to the bottom of the page to review the new User Registry interfaces).

Credentialed users can access the APIs by

  • installing/using common web application API testing tools such as curl or postman OR

  • installing/using the User Registry Client which provides a GUI interface to exercise the basic functions of the User Registry.

Note that there is no support for these new endpoints in many currently available CVE Services “client” tools (e.g, Vulnogram) and hence they should not be relied upon to examine/test these interfaces.

Next Steps:

The AWG is taking comments/questions on this release candidate. You can provide feedback in three ways:

  • Send comments/questions to AWG+owner@CVE-CWE-Programs.groups.io,

  • Post Issues/Questions to the CVE Services Issue Board (please attach a “user registry” label to your post).

  • Attend (virtually) an AWG meeting which meets every week on Tuesday at 4:00 PM Eastern US Time. Send a request for the link to AWG+owner@CVE-CWE-Programs.groups.io.

Core symbols most depended-on inside this repo

response_contains_json
called by 172
test-http/src/utils.py
getConstants
called by 156
src/constants/index.js
find
called by 73
test/unit-tests/user/userUpdateTest.js
findOne
called by 59
src/repositories/baseRepository.js
response_contains
called by 51
test-http/src/utils.py
getBaseOrgRepository
called by 43
src/repositories/repositoryFactory.js
ok_response_contains
called by 32
test-http/src/utils.py
getOrgRepository
called by 28
src/repositories/repositoryFactory.js

Shape

Method 730
Function 714
Class 382

Languages

TypeScript86%
Python14%

Modules by API surface

test/unit-tests/user/userUpdateTest.js108 symbols
test/unit-tests/cve-id/cveIdGetSingleTest.js54 symbols
test/unit-tests/cve-id/reserveCveId.non-sequential/reserveCveIdTest.usersA_B.non-sequential.js53 symbols
test/unit-tests/org/orgGetIdQuotaTest.js50 symbols
test/unit-tests/cve-id/reserveCveId/cveIdReservePriorityTest.js50 symbols
test/unit-tests/cve-id/cveIdUpdateTest.js50 symbols
test-http/src/test/cve_tests/cve.py50 symbols
src/controller/schemas.controller/schemas.controller.js50 symbols
test/unit-tests/org/orgUpdateTest.js43 symbols
test/unit-tests/cve-id/reserveCveId/cveIdReserveSequentialTest.js43 symbols
test/unit-tests/cve-id/reserveCveId.non-sequential/reserveCveIdTest.non-sequential.js40 symbols
src/repositories/baseOrgRepository.js40 symbols

Datastores touched

AuditCollection · 1 repos
BaseOrgCollection · 1 repos
BaseUserCollection · 1 repos
ConversationCollection · 1 repos
CveCollection · 1 repos
Cve-IdCollection · 1 repos
Cve-Id-RangeCollection · 1 repos
GlossaryCollection · 1 repos

For agents

$ claude mcp add cve-services \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact