cna_modified=true ignores time_modified.lt in ranges

[ElectricNroff]

If GET /cve is called with cna_modified=true and there is a time range, i.e., values for both time_modified.lt and time_modified.gt, then the time_modified.lt value is ignored.

cve-services/src/controller/cve.controller/cve.controller.js

Lines 114 to 129 in 34fe473

	if (timeModified.dateOperator[i] === 'lt') {
	if (cnaModified) {
	query['cve.containers.cna.providerMetadata.dateUpdated'] = {}
	// Due to this not being the mongo created date object, we need to actually check the "ISO String" version of this _NOT_ the date object that is being created in the middleware
	query['cve.containers.cna.providerMetadata.dateUpdated'].$lt = timeModifiedLtDateObject.toISOString()
	} else {
	query['time.modified'].$lt = timeModified.timeStamp[i]
	}
	} else {
	if (cnaModified) {
	query['cve.containers.cna.providerMetadata.dateUpdated'] = {}
	// Due to this not being the mongo created date object, we need to actually check the "ISO String" version of this _NOT_ the date object that is being created in the middleware
	query['cve.containers.cna.providerMetadata.dateUpdated'].$gt = timeModifiedGtDateObject.toISOString()
	} else {
	query['time.modified'].$gt = timeModified.timeStamp[i]
	}

Seeing either 'lt' or 'gt' converts query['cve.containers.cna.providerMetadata.dateUpdated'] to an empty object before proceeding, and thus the one that was first seen is no longer in the object.

Because of details of parseGetParams and reqCtxMapping, 'lt' comes first in insertion order and Object.keys finds it first, and it is pushed first. Then, the time value for 'lt' is removed by line 124 when the for loop is working on the 'gt' value.

The same issue affects getFilteredCvesCursor. Again, the problem happens only for cna_modified=true.