Merge pull request #1833 from CVEProject/dr_1830

afoote-mitre · web-flow · commit 397066968c2e · 2026-06-03T12:08:16.000-04:00
Resolves issue #1830, move advisory scraping fields out of program_data and require joint approval.
diff --git a/schemas/registry-org/BaseOrg.json b/schemas/registry-org/BaseOrg.json
@@ -182,15 +182,6 @@
         },
         "status": {
           "type": "string"
-        },
-        "advisory_location_require_credentials": {
-          "type": "boolean"
-        },
-        "vulnerability_advisory_location_for_web_scraping": {
-          "type": "array",
-          "items": {
-            "type": "string"
-          }
         }
       },
       "additionalProperties": false
@@ -201,6 +192,15 @@
         "type": "string"
       }
     },
+    "advisory_location_require_credentials": {
+      "type": "boolean"
+    },
+    "vulnerability_advisory_location_for_web_scraping": {
+      "type": "array",
+      "items": {
+        "type": "string"
+      }
+    },
     "industry": {
       "type": "string"
     },
@@ -225,4 +225,4 @@
     "short_name",
     "long_name"
   ]
-}
+}
diff --git a/schemas/registry-org/CNAOrg.json b/schemas/registry-org/CNAOrg.json
@@ -123,6 +123,12 @@
     "advisory_locations": {
       "$ref": "/BaseOrg#/properties/advisory_locations"
     },
+    "advisory_location_require_credentials": {
+      "$ref": "/BaseOrg#/properties/advisory_location_require_credentials"
+    },
+    "vulnerability_advisory_location_for_web_scraping": {
+      "$ref": "/BaseOrg#/properties/vulnerability_advisory_location_for_web_scraping"
+    },
     "program_data": {
       "$ref": "/BaseOrg#/properties/program_data"
     },
diff --git a/schemas/registry-org/RootOrg.json b/schemas/registry-org/RootOrg.json
@@ -93,6 +93,12 @@
     "advisory_locations": {
       "$ref": "/BaseOrg#/properties/advisory_locations"
     },
+    "advisory_location_require_credentials": {
+      "$ref": "/BaseOrg#/properties/advisory_location_require_credentials"
+    },
+    "vulnerability_advisory_location_for_web_scraping": {
+      "$ref": "/BaseOrg#/properties/vulnerability_advisory_location_for_web_scraping"
+    },
     "program_data": {
       "$ref": "/BaseOrg#/properties/program_data"
     },
diff --git a/schemas/registry-org/create-registry-org-request.json b/schemas/registry-org/create-registry-org-request.json
@@ -114,6 +114,17 @@
       },
       "description": "Locations of vulnerability advisories"
     },
+    "advisory_location_require_credentials": {
+      "type": "boolean",
+      "description": "Indicates if advisory locations require credentials"
+    },
+    "vulnerability_advisory_location_for_web_scraping": {
+      "type": "array",
+      "items": {
+        "type": "string"
+      },
+      "description": "Advisory locations for web scraping"
+    },
     "industry": {
       "type": "string",
       "description": "Industry sector of the organization"
@@ -170,17 +181,6 @@
         },
         "status": {
           "type": "string"
-        },
-        "advisory_location_require_credentials": {
-          "type": "boolean",
-          "description": "Indicates if advisory locations require credentials"
-        },
-        "vulnerability_advisory_location_for_web_scraping": {
-          "type": "array",
-          "items": {
-            "type": "string"
-          },
-          "description": "Advisory locations for web scraping"
         }
       },
       "description": "Additional partner metadata (restricted)"
diff --git a/schemas/registry-org/get-registry-org-response.json b/schemas/registry-org/get-registry-org-response.json
@@ -144,17 +144,6 @@
         },
         "status": {
           "type": "string"
-        },
-        "advisory_location_require_credentials": {
-          "type": "boolean",
-          "description": "Indicates if advisory locations require credentials"
-        },
-        "vulnerability_advisory_location_for_web_scraping": {
-          "type": "array",
-          "items": {
-            "type": "string"
-          },
-          "description": "Advisory locations for web scraping"
         }
       },
       "description": "Additional partner metadata (restricted)"
@@ -166,6 +155,17 @@
       },
       "description": "Locations of vulnerability advisories"
     },
+    "advisory_location_require_credentials": {
+      "type": "boolean",
+      "description": "Indicates if advisory locations require credentials"
+    },
+    "vulnerability_advisory_location_for_web_scraping": {
+      "type": "array",
+      "items": {
+        "type": "string"
+      },
+      "description": "Advisory locations for web scraping"
+    },
     "industry": {
       "type": "string",
       "description": "Industry sector of the organization"
diff --git a/schemas/registry-org/list-registry-orgs-response.json b/schemas/registry-org/list-registry-orgs-response.json
@@ -173,17 +173,6 @@
               },
               "status": {
                 "type": "string"
-              },
-              "advisory_location_require_credentials": {
-                "type": "boolean",
-                "description": "Indicates if advisory locations require credentials"
-              },
-              "vulnerability_advisory_location_for_web_scraping": {
-                "type": "array",
-                "items": {
-                  "type": "string"
-                },
-                "description": "Advisory locations for web scraping"
               }
             },
             "description": "Additional partner metadata (restricted)"
@@ -195,6 +184,17 @@
             },
             "description": "Locations of vulnerability advisories"
           },
+          "advisory_location_require_credentials": {
+            "type": "boolean",
+            "description": "Indicates if advisory locations require credentials"
+          },
+          "vulnerability_advisory_location_for_web_scraping": {
+            "type": "array",
+            "items": {
+              "type": "string"
+            },
+            "description": "Advisory locations for web scraping"
+          },
           "industry": {
             "type": "string",
             "description": "Industry sector of the organization"
diff --git a/schemas/registry-org/update-registry-org-request.json b/schemas/registry-org/update-registry-org-request.json
@@ -130,6 +130,17 @@
       },
       "description": "Locations of vulnerability advisories"
     },
+    "advisory_location_require_credentials": {
+      "type": "boolean",
+      "description": "Indicates if advisory locations require credentials"
+    },
+    "vulnerability_advisory_location_for_web_scraping": {
+      "type": "array",
+      "items": {
+        "type": "string"
+      },
+      "description": "Advisory locations for web scraping"
+    },
     "industry": {
       "type": "string",
       "description": "Industry sector of the organization"
@@ -186,17 +197,6 @@
         },
         "status": {
           "type": "string"
-        },
-        "advisory_location_require_credentials": {
-          "type": "boolean",
-          "description": "Indicates if advisory locations require credentials"
-        },
-        "vulnerability_advisory_location_for_web_scraping": {
-          "type": "array",
-          "items": {
-            "type": "string"
-          },
-          "description": "Advisory locations for web scraping"
         }
       },
       "description": "Additional partner metadata (restricted)"
diff --git a/src/constants/index.js b/src/constants/index.js
@@ -44,7 +44,7 @@ function getConstants () {
     USER_ROLES: [
       'ADMIN'
     ],
-    JOINT_APPROVAL_FIELDS: ['short_name', 'long_name', 'authority', 'aliases', 'oversees', 'top_level_root', 'charter_or_scope', 'product_list', 'disclosure_policy', 'partner_role_type', 'partner_number', 'program_data.cve_website_update_date', 'program_data.cve_website_update_needed', 'program_data.status', 'advisory_locations', 'tl_root_start_date', 'is_cna_discussion_list', 'hard_quota'],
+    JOINT_APPROVAL_FIELDS: ['short_name', 'long_name', 'authority', 'aliases', 'oversees', 'top_level_root', 'charter_or_scope', 'product_list', 'disclosure_policy', 'partner_role_type', 'partner_number', 'program_data.cve_website_update_date', 'program_data.cve_website_update_needed', 'program_data.status', 'advisory_locations', 'advisory_location_require_credentials', 'vulnerability_advisory_location_for_web_scraping', 'tl_root_start_date', 'is_cna_discussion_list', 'hard_quota'],
     JOINT_APPROVAL_FIELDS_LEGACY: ['short_name', 'name', 'authority.active_roles', 'policies.id_quota'],
     ORG_EXCLUDED_FIELDS: ['__t', '__v', '_id', 'inUse', 'in_use'],
     ORG_RESTRICTED_FIELDS: ['program_data'],
@@ -54,8 +54,6 @@ function getConstants () {
       'program_data.cve_website_update_date',
       'program_data.cve_website_update_needed',
       'program_data.status',
-      'program_data.advisory_location_require_credentials',
-      'program_data.vulnerability_advisory_location_for_web_scraping',
       'top_level_root',
       'oversees'
     ],
diff --git a/src/controller/org.controller/index.js b/src/controller/org.controller/index.js
@@ -555,6 +555,8 @@ router.put('/registry/org/:shortname',
           <li>partner_role_type</li>
           <li>partner_country</li>
           <li>advisory_locations</li>
+          <li>advisory_location_require_credentials</li>
+          <li>vulnerability_advisory_location_for_web_scraping</li>
           <li>industry</li>
           <li>tl_root_start_date</li>
           <li>is_cna_discussion_list</li>
diff --git a/src/controller/org.controller/org.middleware.js b/src/controller/org.controller/org.middleware.js
@@ -51,10 +51,10 @@ function validateCreateOrgParameters () {
         body(['advisory_locations'])
           .default([])
           .custom(isFlatStringArray),
-        body(['program_data.advisory_location_require_credentials'])
+        body(['advisory_location_require_credentials'])
           .default(false)
           .isBoolean(),
-        body(['program_data.vulnerability_advisory_location_for_web_scraping'])
+        body(['vulnerability_advisory_location_for_web_scraping'])
           .default([])
           .custom(isFlatStringArray),
         body(['tl_root_start_date'])
@@ -153,8 +153,8 @@ function validateCreateOrgParameters () {
           'program_data.cve_website_update_needed',
           'program_data.status',
           'advisory_locations',
-          'program_data.advisory_location_require_credentials',
-          'program_data.vulnerability_advisory_location_for_web_scraping',
+          'advisory_location_require_credentials',
+          'vulnerability_advisory_location_for_web_scraping',
           'industry',
           'tl_root_start_date',
           'is_cna_discussion_list')
@@ -241,8 +241,8 @@ function validateUpdateOrgParameters () {
           'program_data.cve_website_update_date',
           'program_data.cve_website_update_needed',
           'program_data.status',
-          'program_data.advisory_location_require_credentials',
-          'program_data.vulnerability_advisory_location_for_web_scraping',
+          'advisory_location_require_credentials',
+          'vulnerability_advisory_location_for_web_scraping',
           'advisory_locations',
           'industry',
           'tl_root_start_date',
@@ -334,8 +334,8 @@ const QUERY_PARAMETERS = {
     'program_data.cve_website_update_date',
     'program_data.cve_website_update_needed',
     'program_data.status',
-    'program_data.advisory_location_require_credentials',
-    'program_data.vulnerability_advisory_location_for_web_scraping',
+    'advisory_location_require_credentials',
+    'vulnerability_advisory_location_for_web_scraping',
     'advisory_locations',
     'industry',
     'tl_root_start_date',
diff --git a/src/controller/registry-org.controller/registry-org.middleware.js b/src/controller/registry-org.controller/registry-org.middleware.js
@@ -23,8 +23,8 @@ function parsePostParams (req, res, next) {
     'program_data.cve_website_update_needed',
     'program_data.status',
     'advisory_locations',
-    'program_data.advisory_location_require_credentials',
-    'program_data.vulnerability_advisory_location_for_web_scraping',
+    'advisory_location_require_credentials',
+    'vulnerability_advisory_location_for_web_scraping',
     'industry',
     'tl_root_start_date',
     'is_cna_discussion_list'
diff --git a/src/model/baseorg.js b/src/model/baseorg.js
@@ -33,11 +33,11 @@ const schema = {
     cve_website_update_needed: Boolean,
     partner_active_date: String,
     partner_inactive_date: String,
-    status: String,
-    advisory_location_require_credentials: Boolean,
-    vulnerability_advisory_location_for_web_scraping: [String]
+    status: String
   },
   advisory_locations: [String],
+  advisory_location_require_credentials: Boolean,
+  vulnerability_advisory_location_for_web_scraping: { type: [String], default: undefined },
   industry: String,
   tl_root_start_date: Date,
   is_cna_discussion_list: Boolean,
diff --git a/src/repositories/baseOrgRepository.js b/src/repositories/baseOrgRepository.js
@@ -726,8 +726,8 @@ class BaseOrgRepository extends BaseRepository {
  * @param {string} [incomingParameters.cna_role_type] - (Registry only)
  * @param {string} [incomingParameters.cna_country] - (Registry only)
  * @param {string[]} [incomingParameters.advisory_locations] - (Registry only)
- * @param {boolean} [incomingParameters.program_data.advisory_location_require_credentials] - (Registry only)
- * @param {string[]} [incomingParameters.program_data.vulnerability_advisory_location_for_web_scraping] - (Registry only)
+ * @param {boolean} [incomingParameters.advisory_location_require_credentials] - (Registry only)
+ * @param {string[]} [incomingParameters.vulnerability_advisory_location_for_web_scraping] - (Registry only)
  * @param {string} [incomingParameters.industry] - (Registry only)
  * @param {string} [incomingParameters.tl_root_start_date] - (Registry only)
  * @param {boolean} [incomingParameters.is_cna_discussion_list] - (Registry only)
@@ -815,6 +815,8 @@ class BaseOrgRepository extends BaseRepository {
       'partner_number',
       'partner_country',
       'advisory_locations',
+      'advisory_location_require_credentials',
+      'vulnerability_advisory_location_for_web_scraping',
       'industry',
       'tl_root_start_date',
       'is_cna_discussion_list'
diff --git a/test/integration-tests/registry-org/registryOrgCRUDTest.js b/test/integration-tests/registry-org/registryOrgCRUDTest.js
@@ -83,10 +83,10 @@ describe('Testing /registryOrg endpoints', () => {
         const orgWithProgramData = {
           ...testRegistryOrg,
           short_name: 'registry_org_test_prog_data',
+          advisory_location_require_credentials: true,
+          vulnerability_advisory_location_for_web_scraping: ['https://example.com/scraping'],
           program_data: {
-            status: 'active',
-            advisory_location_require_credentials: true,
-            vulnerability_advisory_location_for_web_scraping: ['https://example.com/scraping']
+            status: 'active'
           }
         }
         await chai.request(app)
@@ -103,8 +103,10 @@ describe('Testing /registryOrg endpoints', () => {
             expect(res.body.created).to.haveOwnProperty('program_data')
             expect(res.body.created.program_data.status).to.equal('active')
             expect(res.body.created.program_data).to.haveOwnProperty('partner_active_date')
-            expect(res.body.created.program_data.advisory_location_require_credentials).to.be.true
-            expect(res.body.created.program_data.vulnerability_advisory_location_for_web_scraping).to.deep.equal(['https://example.com/scraping'])
+            expect(res.body.created.program_data).to.not.haveOwnProperty('advisory_location_require_credentials')
+            expect(res.body.created.program_data).to.not.haveOwnProperty('vulnerability_advisory_location_for_web_scraping')
+            expect(res.body.created.advisory_location_require_credentials).to.be.true
+            expect(res.body.created.vulnerability_advisory_location_for_web_scraping).to.deep.equal(['https://example.com/scraping'])
           })
       })
     })
@@ -366,11 +368,11 @@ describe('Testing /registryOrg endpoints', () => {
           .set(secretariatHeaders)
           .send({
             ...createdOrg,
+            advisory_location_require_credentials: true,
+            vulnerability_advisory_location_for_web_scraping: ['https://example.com/scraping'],
             program_data: {
               status: 'active',
-              partner_active_date: partnerActiveDate,
-              advisory_location_require_credentials: true,
-              vulnerability_advisory_location_for_web_scraping: ['https://example.com/scraping']
+              partner_active_date: partnerActiveDate
             }
           })
           .then((res, err) => {
@@ -380,8 +382,10 @@ describe('Testing /registryOrg endpoints', () => {
             expect(res.body.updated.program_data.status).to.equal('active')
             expect(res.body.updated.program_data).to.haveOwnProperty('partner_active_date')
             expect(res.body.updated.program_data.partner_active_date).to.equal(partnerActiveDate)
-            expect(res.body.updated.program_data.advisory_location_require_credentials).to.be.true
-            expect(res.body.updated.program_data.vulnerability_advisory_location_for_web_scraping).to.deep.equal(['https://example.com/scraping'])
+            expect(res.body.updated.program_data).to.not.haveOwnProperty('advisory_location_require_credentials')
+            expect(res.body.updated.program_data).to.not.haveOwnProperty('vulnerability_advisory_location_for_web_scraping')
+            expect(res.body.updated.advisory_location_require_credentials).to.be.true
+            expect(res.body.updated.vulnerability_advisory_location_for_web_scraping).to.deep.equal(['https://example.com/scraping'])
           })
       })
       it('Allows Secretariat to edit partner_active_date without changing status', async () => {
diff --git a/test/integration-tests/registry-org/registryOrgWithJointReviewTest.js b/test/integration-tests/registry-org/registryOrgWithJointReviewTest.js
diff --git a/test/integration-tests/review-object/reviewObjectTest.js b/test/integration-tests/review-object/reviewObjectTest.js
