fix: use project version in x_generator for accurate CNA tracking#52
Conversation
The x_generator.engine field in published CVE records was using client._version from cveClientlib.js (stuck at 1.0.15) instead of the project version from cveInterface.js (currently 1.0.25). This means every CVE record published by cveClient has been stamped with "cveClient/1.0.15" regardless of the actual version in use. Fixing this allows us to: - Accurately track which version of cveClient CNAs are using - Identify CNAs running outdated versions and reach out about upgrades - Measure adoption of new releases across the CNA community The fix replaces the conditional client._version lookup with the global _version constant that stays in sync with CHANGELOG.md and package.json. Also removes tests for getadp/deleteadp methods that were removed in PR CERTCC#45. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
jgamblin
force-pushed
the
fix/x-generator-version
branch
from
584f656 to
850745b
Compare
|
I think my plan earlier was to use the cveClientLib version independent of the UI version. I can see it is worth capturing the UI version as the UI is building the JSON and the clientlib is universal can be used by Node as well without the UI. So depending on how it was launched we can provide different . Current version actually comes from Line 8 in 4e96a9c |
Two use cases for x_generator: 1. Browser UI (cveInterface.js) — sets x_generator to "cveClient/<version>" using the project version before calling publishcve() 2. Node.js direct (cveClientlib.js) — publishcve() now injects a default x_generator of "cveClientlib/<version>" if the caller didn't set one This means: - CVE records published via the UI say "cveClient/1.0.25" - CVE records published via the Node.js library say "cveClientlib/1.0.15" - Callers can still set their own x_generator and it won't be overwritten Addresses review feedback from @sei-vsarvepalli about keeping the lib version independent from the UI version. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…where All x_generator tags now report as "cveClient/<version>" to match the existing entries in the CVE corpus. Synced cveClientlib._version from 1.0.15 to 1.0.25 so both UI and Node.js paths report the same project version. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
Updated based on your feedback @sei-vsarvepalli — here's what changed:
Going forward we may want to consider keeping these versions in sync as part of the release process, or pulling from a single source of truth (e.g. |
2 participants
Summary
The
x_generator.enginefield embedded in every published CVE record has been reporting the wrong version. It was usingcveClientlib.js's internal_version(frozen at1.0.15) instead of the actual project version (1.0.25).Before: Every CVE record published by cveClient says
"engine": "cveClient/1.0.15"— regardless of which release the CNA is actually running.After: CVE records will correctly report
"engine": "cveClient/1.0.25"(or whatever the current release is), using the single_versionconstant that stays in sync with CHANGELOG.md and package.json.Why this matters
The
x_generatortag is the only way to measure cveClient adoption across the CNA community. With accurate version reporting we can:Without this fix, every CNA appears to be on 1.0.15 no matter what, making version tracking impossible.
What changed
Three locations in
cveInterface.jssetx_generatorbefore publishing — during CVE download, CVE publish, and CVE reject. Each was:Now simplified to:
This also removes the unnecessary conditional — the tag should always be set.
Also removes two stale tests for
getadp/deleteadpmethods that were removed in PR #45.Test plan
🤖 Generated with Claude Code