Change Log

2.2.0-rc4 (Sprint 5)

  • exact phrase search using double quotes
  • date and date range search on date fields, using the following formats (date ranges are inclusive):
    • YYYY-MM-DD
    • YYYY-MM-DDTHH:MM:SS(.mmm)(Z) (where the .mmm and Z are optional, defaults to .000Z if missing)
    • YYYY-MM-DD..YYYY-MM-DD
    • YYYY-MM-DDTHH:MM:SS(.mmm)(Z)..YYYY-MM-DDTHH:MM:SS(.mmm)(Z)

2.1.0

  • wildcard search using "*" and "?"
  • AppConfig to manage hierarchical environment variables and all default values for environment variables
  • code refactoring: reorganizing code, general cleaning up for migration to github

2.0.0-rc14 - deployed: 2025-06-05

  • initial version of cve-core as a peer project to other cve-projects. Can be used as part of a monorepo (e.g., https://github.com/CVEProject/CVE-Search-API/tree/dev)
  • search using axios, NodeJS-native fetch and @opensearch-project/opensearch libraries
    • CVE-, CWE-, and CAPEC- IDs
    • CVE YEAR
    • basic version strings (e.g., "v3.2.5", "v3.2.5-RC1")
    • basic IPv4 and IPv6
    • URLs
    • compound words (e.g., "docker-compose", "microsoft word")
    • hyphenated words (e.g., "man-in-the-middle")
    • software names (e.g., "Node.JS", ".NET")
    • file extension (e.g., "matvar_struct.c")
    • can run as AWS Lambda Layer
  • new adapters
    • CVE Services reader
    • CVE Search reader
    • CVE file reader
    • file reader/writer
    • console input for interacting with a user in a CLI
  • CveResult class with standardized errors and messages (this version is aimed at the search service)
  • object (JSON) comparer using json-difference library
  • JSON replacer that alphabetizes keys when serializing using JSON.stringify()

Older Milestones from the older cveUtils/cvelist-bulk-download repositories

Note that the following milestones were in multiple repositories, and together contained a superset of the source code in this npm library. The milestones below are meant only for historic reference, in case a full history of an implementation is needed.

1.3.0 - deployed only on AWS in 2024-12 for initial search capability (tag 2024-12-06)

  • search using axios and @opensearch-project/opensearch libraries
    • general search for tokenized strings in all fields
    • CVE-ID

2.0.0-rc14

  • initial version of cve-core as a peer project to other cve-projects. Can be used as part of a monorepo (e.g., https://github.com/CVEProject/CVE-Search-API/tree/dev)
  • search using axios, NodeJS-native fetch and @opensearch-project/opensearch libraries
    • CVE-, CWE-, and CAPEC- IDs
    • CVE YEAR
    • basic version strings (e.g., "v3.2.5", "v3.2.5-RC1")
    • basic IPv4 and IPv6
    • URLs
    • compound words (e.g., "docker-compose", "microsoft word")
    • hyphenated words (e.g., "man-in-the-middle")
    • software names (e.g., "Node.JS", ".NET")
    • file extension (e.g., "matvar_struct.c")
    • repeating non-language characters (e.g., "aaaaa" is ok, but "?????" is replaced by "")
    • can run as AWS Lambda Layer
  • new adapters
    • CVE Services reader
    • CVE Search reader
    • CVE file reader
    • file reader/writer
    • console input for interacting with a user in a CLI
  • CveResult class with standardized errors and messages (this version is aimed at the search service)
  • object (JSON) comparer using json-difference library
  • JSON replacer that alphabetizes keys when serializing using JSON.stringify()

1.2.0 - deployed 2024-07-18 (tag 2024-07-18_v1.2.0)

  • baseline for the cve-core npm library
  • changes for CISA ADP, reference ingest
  • axios-retry library for network retry
  • optimized update.yml to use fetch-depth: 1
  • CVES_MAX_ALLOWABLE_CVE_YEAR environment variable set to 2025
  • GIT_MAX_FILESIZE_MB environment variable set to 100
  • initial refactoring of core classes to separate I/O functions from business logic classes (work in progress)
  • minimized 3rd party dependency in IsoDateString class to minimize AWS Lambda footprint
  • import specific lodash functions instead of the full lodash to minimize AWS Lambda footprint
  • dependabot PRs default to the develop branch
  • cveUtils/GitLab PR 32

1.1.1 - 2024-06-03

  • hotfix for large commit messages in anticipation of CISA adding ADP containers to a large number of CVEs on 6/4/2024.
  • tested but not used on cvelistV5

1.1.0 - 2023-09-26 (tag 2023-09-26_v1.1.0)

  • Official support for delta files in /cves (delta.json and deltaLog.json), replacing recent_activities.json

1.0.0 - 2023-05-26 (tag 2023-04-25_v1.0.0)

Sprint-0 - 2023-04-20 (tag 2023-04-20_initial_cveUtils_on_github)

2023-03-29

  • official version used in GitHub actions that updated /cves when cvelistV5 was announced at CNA Summit 2023
  • GitLab tag in cve_utils: 2023-03-29-cveproject_cvelistV5_dist_(similar)

2023-03-10

  • code during team code walkthrough
  • GitLab tag in cve_utils: 2023_03_10_code_walkthrough_with_team

2023-03-06

  • first version deployed to cvelistV5 for testing (using preview_cves instead of cves)
  • GitLab tag in cve_utils: 2023_03_06_deployed_to_cveproject_cvelistv5

Additional Information

This project uses (either verbatim or modified from) the following projects:

  1. jsynowiec/node-typescript-boilerplate as a starter (8/26/2022).
    • but not using Volta
  2. Quicktype to convert CVE schemas to usable TypeScript classes. Specifically, all classes in src/generated/quicktype are generated this way:
  3. recommended tsconfig