work in progress

Author: hkong-mitre

config/devel.jsonc

@@ -8,12 +8,13 @@
     "search": {
       // minimum versions for servers that are compatible with current code
       "minServer": [
-        "opensearch:2.10.0"
+        "opensearch:2.10.0",
+        "opensearch:3.5.0"
       ],
       // URL to reach search server
-      "providerEndpoint": "https://admin:admin@localhost:9200",
+      "providerEndpoint": "https://admin:Test-PassW0rd-2026@localhost:9200",
       // index on search server related to searching CVEs
-      "index": "e2e-cve-test-index-1109",
+      "index": "e2e-cve-test-index-1137",
       // setting this to FALSE (recommended) requires an SSL cert to access the search server
       // The only time this should be allowed to be true is when developing or testing
       //   using containers that do not have SSL certs

package-lock.json

@@ -17,7 +17,8 @@ describe(`AppConfig`, () => {
     const index = config.get('appConfig.search.index');
     // console.log(`info:  ${JSON.stringify(info, null, 2)}`)
     // expect(index).toBe('fixtures-search-baseline-1008');
-    expect(config.get('appConfig.search.minServer').length).toBe(1);
+    const minServer = config.get('appConfig.search.minServer') as string[];
+    expect(minServer.length).toBe(1);
   });
 
 

src/adapters/config/AppConfig.test.int.ts

@@ -73,7 +73,7 @@ export class AppConfig {
    *              `appConfig`
    */
   static set(path:string, value: string): void {
-    config.appConfig[path]=value
+    config['appConfig'][path] = value
     // AppConfig._sVariables[path] = variable
   }
 }

src/adapters/config/AppConfig.ts

@@ -12,7 +12,7 @@ describe(`BasicSearchManager (e2e)`, () => {
   const searchProviderSpec = SearchProviderSpec.getDefaultSearchProviderSpec()
   // const _testPipeline = `jest_test_ingest_pipeline`
 
-  const numFound_office = 9
+  const numFound_office = 11
 
   it(`search(simpleString) correctly searches across all fields`, async () => {
     const searchManager = new BasicSearchManager(searchProviderSpec);
@@ -30,7 +30,7 @@ describe(`BasicSearchManager (e2e)`, () => {
     const searchResult: SearchResultData = resp.data as SearchResultData
     expect(searchResult.hits.total.value).toBe(numFound_office);
     const hits = searchResult.hits.hits;
-    const expectedCveIds = ["CVE-2017-8501", "CVE-2017-8570", "CVE-2018-0804", "CVE-2018-0807", "CVE-2022-30190", "CVE-2022-30693", "CVE-2022-38745", "CVE-2022-38756", "CVE-2022-39024"];
+    const expectedCveIds = ["CVE-2017-8501", "CVE-2017-8570", "CVE-2018-0804", "CVE-2018-0807", "CVE-2022-30190", "CVE-2022-30693", "CVE-2022-38745", "CVE-2022-38756", "CVE-2022-39024", "CVE-2024-49065", "CVE-2024-49142"];
     const hitCveIds = searchResult.hits.hits.map(e => e['_id']).sort();
     expect(hitCveIds).toMatchObject(expectedCveIds);
   });
@@ -124,8 +124,8 @@ describe(`BasicSearchManager (e2e)`, () => {
     // for (let i = 0; i < hits.total.value; i++) {
     //   console.log(`cveIDs:  ${i}:  ${hits.hits[i]._source.cveMetadata.cveId}`);
     // }
-    expect(hits.hits[8]._source.cveMetadata.cveId).toBe('CVE-2017-8501');
-    expect(hits.hits[0]._source.cveMetadata.cveId).toBe('CVE-2022-39024');
+    expect(hits.hits[10]._source.cveMetadata.cveId).toBe('CVE-2017-8501');
+    expect(hits.hits[0]._source.cveMetadata.cveId).toBe('CVE-2024-49142');
   });
 
 
@@ -151,8 +151,8 @@ describe(`BasicSearchManager (e2e)`, () => {
     // for (let i = 0; i < hits.total.value; i++) {
     //   console.log(`cveIDs:  ${i}:  ${hits.hits[i]._source.cveMetadata.cveId}`);
     // }
-    expect(hits.hits[0]._source.cveMetadata.cveId).toBe('CVE-2022-38745');
-    expect(hits.hits[2]._source.cveMetadata.cveId).toBe('CVE-2022-30190');
+    expect(hits.hits[0]._source.cveMetadata.cveId).toBe('CVE-2022-39024');
+    expect(hits.hits[2]._source.cveMetadata.cveId).toBe('CVE-2022-38745');
   });
 
   // ----- spock test for ok search() against a test opensearch instance

src/search/BasicSearchManager.test.e2e.ts

@@ -73,7 +73,7 @@ export class SearchQueryBuilder {
     // console.log(`result:  ${JSON.stringify(result, null, 2)}`)
 
     // if there are any errors, return result which already contains errors and notes
-    if (!result.isOk()) {
+    if (result && !result.isOk()) {
       return result;
     }
 

src/search/SearchQueryBuilder.ts

@@ -186,11 +186,13 @@ export class SearchRequest {
         }
       })
       this._searchText = newSearchText.trim()
-      result.data = {
-        searchTextType: overallType,
-        expression,
-        processedSearchText: this._searchText
-      };
+      if (result) {
+        result.data = {
+          searchTextType: overallType,
+          expression,
+          processedSearchText: this._searchText
+        };
+      }
       // errorIds.forEach(id => {
       //   result.pushErrors(id);
       // })

src/search/SearchRequest.ts

@@ -157,31 +157,31 @@ Object {
 
 exports[`BasicSearchManager (e2e) search("office") correctly returns expected data (ok CveResult) 1`] = `
 Object {
-  "_id": "CVE-2022-39024",
+  "_id": "CVE-2024-49142",
   "_index": Any<String>,
   "_score": null,
   "_source": Object {
     "containers": Object {
       "cna": Object {
         "descriptions": Array [
           Object {
-            "value": "U-Office Force Bulletin function has insufficient filtering for special characters. An unauthenticated remote attacker can exploit this vulnerability to inject JavaScript and perform XSS (Reflected Cross-Site Scripting) attack.",
+            "value": "Microsoft Access Remote Code Execution Vulnerability",
           },
         ],
       },
     },
     "cveMetadata": Object {
-      "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
-      "assignerShortName": "twcert",
-      "cveId": "CVE-2022-39024",
-      "datePublished": "2022-10-31T06:40:36.532745Z",
-      "dateReserved": "2022-08-30T00:00:00",
-      "dateUpdated": "2024-09-16T20:07:27.280Z",
+      "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
+      "assignerShortName": "microsoft",
+      "cveId": "CVE-2024-49142",
+      "datePublished": "2024-12-10T17:49:33.983Z",
+      "dateReserved": "2024-10-11T20:57:49.214Z",
+      "dateUpdated": "2025-05-13T15:25:32.461Z",
       "state": "PUBLISHED",
     },
   },
   "sort": Array [
-    "CVE-2022-39024",
+    "CVE-2024-49142",
   ],
 }
 `;
@@ -478,32 +478,31 @@ Object {
 
 exports[`BasicSearchManager (e2e) search(microsoft ???? office ?????????) correctly returns expected data (ok CveResult) 1`] = `
 Object {
-  "_id": "CVE-2022-30190",
+  "_id": "CVE-2024-49142",
   "_index": Any<String>,
   "_score": null,
   "_source": Object {
     "containers": Object {
       "cna": Object {
         "descriptions": Array [
           Object {
-            "value": "A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.
-Please see the MSRC Blog Entry for important information about steps you can take to protect your system from this vulnerability.",
+            "value": "Microsoft Access Remote Code Execution Vulnerability",
           },
         ],
       },
     },
     "cveMetadata": Object {
       "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
       "assignerShortName": "microsoft",
-      "cveId": "CVE-2022-30190",
-      "datePublished": "2022-06-01T20:10:17.000Z",
-      "dateReserved": "2022-05-03T00:00:00.000Z",
-      "dateUpdated": "2025-02-04T19:04:33.929Z",
+      "cveId": "CVE-2024-49142",
+      "datePublished": "2024-12-10T17:49:33.983Z",
+      "dateReserved": "2024-10-11T20:57:49.214Z",
+      "dateUpdated": "2025-05-13T15:25:32.461Z",
       "state": "PUBLISHED",
     },
   },
   "sort": Array [
-    "CVE-2022-30190",
+    "CVE-2024-49142",
   ],
 }
 `;
@@ -525,31 +524,31 @@ CveResult {
 
 exports[`BasicSearchManager (e2e) search(office) correctly returns expected data (ok CveResult) 1`] = `
 Object {
-  "_id": "CVE-2022-39024",
+  "_id": "CVE-2024-49142",
   "_index": Any<String>,
   "_score": null,
   "_source": Object {
     "containers": Object {
       "cna": Object {
         "descriptions": Array [
           Object {
-            "value": "U-Office Force Bulletin function has insufficient filtering for special characters. An unauthenticated remote attacker can exploit this vulnerability to inject JavaScript and perform XSS (Reflected Cross-Site Scripting) attack.",
+            "value": "Microsoft Access Remote Code Execution Vulnerability",
           },
         ],
       },
     },
     "cveMetadata": Object {
-      "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
-      "assignerShortName": "twcert",
-      "cveId": "CVE-2022-39024",
-      "datePublished": "2022-10-31T06:40:36.532745Z",
-      "dateReserved": "2022-08-30T00:00:00",
-      "dateUpdated": "2024-09-16T20:07:27.280Z",
+      "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
+      "assignerShortName": "microsoft",
+      "cveId": "CVE-2024-49142",
+      "datePublished": "2024-12-10T17:49:33.983Z",
+      "dateReserved": "2024-10-11T20:57:49.214Z",
+      "dateUpdated": "2025-05-13T15:25:32.461Z",
       "state": "PUBLISHED",
     },
   },
   "sort": Array [
-    "CVE-2022-39024",
+    "CVE-2024-49142",
   ],
 }
 `;