CVE ID Reservation Support for CVE Number Authorities #255

@rbrittonMitre

User Story

As a member of the CVE CNA community (which means I would be authenticated), I would like to be able to reserve a CVE ID using the official CVE Web Site and have it automatically, in real time, return CVE IDs that meet my reservation request criteria. (The implied requirement here is that this request will be processed using CVE Services (i.e., the CVE ID Reservation System).)

The web site should also allow an authenticated user to query the CVE ID Quota that is associated with their organization and return how many CVE ID #s their organization has reserved and how many CVE ID #s they have available before they meet their quota.

I should be able to request reservations in the following manner:

  1. A single CVE ID # which will return a single CVE ID assigned by the system.
  2. A series of CVE ID #s that are sequentially ordered.
  3. A series of CVE ID #s that are randomly assigned (i.e., they are not sequential).

The User Interface for these requests will be implemented with a series of drop-down menu items (for type of request) and User Data “boxes” (e.g., for User ID, organization short name and Authentication Secret) which will hold user-supplied data.

Acceptance Criteria

Happy Path

Scenario 1: CVE ID Quota inquiry
Given:
a) A user has appropriately authenticated
b) requests the CVE ID quota for their organization
Then
The CVE ID quota, CVE ID #s reserved, and the CVE ID #s that are available for that organization will be displayed.

Scenario 2: Single CVE ID Request
Given:
a) A user has appropriately authenticated
b) requests a single CVE ID #
c) has quota
Then
A single CVE ID # is returned and displayed with no error.

Scenario 3a: Batch/Sequence CVE ID # request for less than 1000 CVE IDs
Given:
a) A user has appropriately authenticated
b) requests a batch/sequential set of CVE ID #
c) has quota
Then
A batch/sequence of CVE ID #s is returned and displayed with no error.

Scenario 3b: Batch/Sequence CVE ID # request for more than 1000 CVE IDs
Given:
a) A user has appropriately authenticated
b) requests a batch/sequential set of CVE ID #
c) has quota
Then
A batch/sequence of CVE ID #s is returned and displayed with no error.
(Note: This scenario is based on the CVE Services 1.1.1 release where CVE ID requests that result in over 1,000 returned CVE IDs will be provided a "page at a time". This requires the client to recognize that there are more CVE IDs to be returned (and go and fetch them).)

Scenario 4: Nonsequential CVE ID # request
Given:
a) A user has appropriately authenticated
b) requests a nonsequential series of CVE ID #s (i.e., randomly assigned)
c) has quota
Then
A nonsequential series of CVE ID #s is returned and displayed with no error.

Error Paths:
For Scenarios 1-4, the web site will “handle” (and display) an appropriate error message for at least the following error status codes (as defined in the Developer Guide to CVE Services API).
• 400 -> The request either lacked a necessary parameter or input for the parameter wasn't valid
• 401 -> Authentication didn't match up
• 403 -> This user isn't allowed to do what was requested
• 404 -> Either the endpoint doesn't exist or the resource could not be found.
• 500 -> The service or a necessary component is down.
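
A client-side sketch of Scenario 3b and the error paths above, added here as an example; it is not part of the original issue and is not CVE website or CVE Services code. The response fields `cve_ids` and `nextPage`, the 200 success status, the names `collectReservedIds` and `fakeTransport`, and the placeholder IDs are assumptions.

```javascript
// Added example: hypothetical client-side logic, not CVE website or CVE Services code.
// Messages are the ones listed under "Error Paths" in the issue.
const ERROR_MESSAGES = {
  400: "The request either lacked a necessary parameter or input for the parameter wasn't valid",
  401: "Authentication didn't match up",
  403: "This user isn't allowed to do what was requested",
  404: "Either the endpoint doesn't exist or the resource could not be found",
  500: "The service or a necessary component is down",
};

// transport(page) resolves to {status, body}. It is injected so the logic runs offline.
// Assumed response shape: body.cve_ids is an array of {cve_id}; body.nextPage is a
// page number, or absent on the last page. Success is assumed to be status 200.
async function collectReservedIds(transport, maxPages = 100) {
  const ids = [];
  let page = 1;
  for (let fetched = 0; page !== null; fetched++) {
    if (fetched >= maxPages) {
      return { ok: false, ids, error: "Page limit reached before the last page" };
    }
    const { status, body } = await transport(page);
    if (status !== 200) {
      // Return the IDs fetched so far so the user still sees them next to the error.
      return { ok: false, ids, error: ERROR_MESSAGES[status] || `Unexpected status ${status}` };
    }
    for (const entry of body.cve_ids || []) ids.push(entry.cve_id);
    // Only move forward: a repeated or lower page number ends the loop.
    const next = body.nextPage;
    page = Number.isInteger(next) && next > page ? next : null;
  }
  return { ok: true, ids, error: null };
}

// Constructed stand-in for the service: serves canned responses by page number.
function fakeTransport(responses) {
  return async (page) => responses[page] || { status: 404, body: {} };
}

// Constructed sample data: two pages of placeholder IDs, then a failure on page 2.
const twoPages = fakeTransport({
  1: { status: 200, body: { cve_ids: [{ cve_id: "CVE-0000-0001" }], nextPage: 2 } },
  2: { status: 200, body: { cve_ids: [{ cve_id: "CVE-0000-0002" }] } },
});
const failsOnPage2 = fakeTransport({
  1: { status: 200, body: { cve_ids: [{ cve_id: "CVE-0000-0001" }], nextPage: 2 } },
  2: { status: 401, body: {} },
});
```

In a real page the injected `transport` would wrap the authenticated HTTP call; the bounded loop and the forward-only page check keep a malformed response from making the client fetch indefinitely.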
