6/12/2025 NOTE: the Test environment of CVE Services now includes the release candidate “User Registry” which adds many additional features. See the details at the end of this ReadMe doc.
This repository contains services that support the CVE Program's mission to "identify, define, and catalog publicly disclosed cybersecurity vulnerabilities."
There are many ways one can assist:
Developers can contribute code directly. Getting started can be as fast as choosing an issue on our board.
Please read our contributor's guide for more details. We welcome all contributions!
The CVE project operates as multiple focused working groups. Visit the CVE Website working groups page for more information.
Warning: Do not put vulnerability information in a GitHub issue.
Please consult our SECURITY.md for specific instructions on reporting a vulnerability that exists in the CVE Services.
This project uses or depends on software from
This project follows the JavaScript Standard Style.
See the Docker README found in the repo here: https://github.com/CVEProject/cve-services/blob/dev/docker/README.md
Warning: DO NOT use the dev configuration on a public network. The dev environment includes credentials to enable rapid development and is not secure for public deployment.
- Install required node modules
This assumes node 16.14.2 and the latest npm are installed.
cd cve-services
npm install
- Setup and start MongoDB locally
Install MongoDB locally
Download MongoDB Compass (MongoDB GUI)
Create a cve_dev database in Compass. The collections will be automatically created when the API starts storing documents.
You can populate the database with test data using:
npm run populate:dev
- Start the node application
In order to start a dev environment:
npm run start:dev
API documentation is generated using swagger-autogen which ensures that we keep the API specification up to date with any major changes to API routes. Extra information for each API route is defined as a comment in the index.js files under the respective controller and all request and response schemas are stored under the schemas folder served up by schemas.controller.
To ensure you are using the correct API specification the following endpoints can be used:
Note: The specification file stored in GitHub will only be correct for that branch; there could be differences between branches and production.
If you are a developer and want to test changes to the API specification, you can generate a specification in one of two ways:
- Preferred
When you start your local development server using npm run start:dev the specification file will be generated. Subsequent changes require reloading the server.
- Manual
You can use npm run swagger-autogen to generate a new specification file.
As part of the submission processing, CVE Services "validates" that specific requirements are met prior to accepting the submission and posting the CVE Record to the CVE List. Validation rules for CVE Record Submission are noted here.
This project uses the following for unit testing
In order to run the unit tests:
npm run start:test
The CVE Automation Working Group (on behalf of the CVE Program) is currently working on a new automation capability: the User Registry. The objective of the User Registry is to modernize how CVE Program Organizations (e.g., CNAs, Roots, Top Level Roots, the Secretariat) manage and update their organizational properties and user pools. The new capability will ultimately allow CNAs, Roots, and Top Level Roots to better manage their own data and user pools with more robust information. It is targeted to be implemented in a series of incremental deployments to CVE Services from Fall 2025 through Summer 2026.
The release candidate for the first User Registry increment (termed the User Registry MVP) is now available for testing and review in the CVE Program Testing Environment. (Note that this release IS NOT a PRODUCTION release and will not be visible in the CVE Program PRODUCTION environment.) This release candidate establishes new, more robust User and Organization databases (and associated APIs) while maintaining full backwards compatibility with the current User/Organizational management functions, meaning that current CVE Services clients will not need to be modified when this candidate is deployed. It was discussed at the 6/10/2025 CVE Program AWG meeting.
Credentialed users of the CVE Services Test Environment will be able to use the new capabilities via the API endpoints, which are described here (be sure to scroll down to the bottom of the page to review the new User Registry interfaces).
Credentialed users can access the APIs by
- installing/using common web application API testing tools such as curl or Postman OR
- installing/using the User Registry Client, which provides a GUI interface to exercise the basic functions of the User Registry.
Note that there is no support for these new endpoints in many currently available CVE Services “client” tools (e.g., Vulnogram), and hence they should not be relied upon to examine/test these interfaces.
The AWG is taking comments/questions on this release candidate. You can provide feedback in three ways:
- Send comments/questions to [email protected].
- Post Issues/Questions to the CVE Services Issue Board (please attach a “user registry” label to your post).
- Attend (virtually) an AWG meeting which meets every week on Tuesday at 4:00 PM Eastern US Time. Send a request for the link to [email protected].