CVEProject/cve-services

Update GET `/cve-id/{id}` and PUT `/cve-id/{id}` endpoints to redact `requested_by.user` fields not in `requested_by.org` organizations

jdaigneau5 opened this issue · 1 comment

Summary

Responses from the GET /cve-id/{id} and PUT /cve-id/{id} endpoints will return Cve-id data, which includes requested_by.user and requested_by.org. In some cases, the requested_by.user may no longer be in the requested_by.org organization. The value of requested_by.user should be updated to "REDACTED" in these cases. Similarly, this field should be redacted when owning_cna is not the same org as the requested_by.cna org.

Definition of Done

  • GET /cve-id/{id} endpoint returns Cve-Ids with requested_by.user: 'Redacted' for the situation described above
  • PUT /cve-id/{id} endpoint returns Cve-Ids with requested_by.user: 'Redacted' for the situation described above
  • Tests are created to ensure functionality

Closed by #1179
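
The redaction rule this issue asks for, as an added example (not code from cve-services or from #1179). The membership map, the sample record values and the helper names are assumptions. So is reading the requesting org from `requested_by.org` (the issue also writes it as `requested_by.cna`) and using the upper-case placeholder (the issue spells it both "REDACTED" and 'Redacted').

```javascript
// Assumed placeholder spelling; the issue uses both "REDACTED" and 'Redacted'.
const REDACTED = 'REDACTED';

// Constructed membership data: org short name -> users currently in that org.
// A real service would query its user store instead of this map.
const ORG_MEMBERS = new Map([
  ['acme', new Set(['alice@acme.example'])],
  ['globex', new Set(['carol@globex.example'])],
]);

// Fail closed: an unknown org or a missing user counts as "not a member".
function isCurrentMember(org, user, members = ORG_MEMBERS) {
  const users = members.get(org);
  return users !== undefined && users.has(user);
}

// Returns a copy of a CVE ID record that is safe to place in a GET or PUT
// response. The stored record is never modified, so the real requester
// stays available for audit.
function redactRequestedBy(cveId, members = ORG_MEMBERS) {
  const rb = cveId.requested_by;
  if (!rb || rb.user === undefined) return { ...cveId };

  // Case 1: the user is no longer in the org the request was made under.
  const userLeftOrg = !isCurrentMember(rb.org, rb.user, members);
  // Case 2: the ID is now owned by a different org than the requesting one.
  const ownerDiffers = cveId.owning_cna !== rb.org;

  const user = userLeftOrg || ownerDiffers ? REDACTED : rb.user;
  return { ...cveId, requested_by: { ...rb, user } };
}

// Constructed sample records (not real CVE IDs or users).
const SAMPLES = [
  { cve_id: 'CVE-2099-0001', owning_cna: 'acme',
    requested_by: { org: 'acme', user: 'alice@acme.example' } },   // kept
  { cve_id: 'CVE-2099-0002', owning_cna: 'acme',
    requested_by: { org: 'acme', user: 'bob@acme.example' } },     // left org
  { cve_id: 'CVE-2099-0003', owning_cna: 'globex',
    requested_by: { org: 'acme', user: 'alice@acme.example' } },   // new owner
];

for (const rec of SAMPLES) {
  console.log(rec.cve_id, redactRequestedBy(rec).requested_by.user);
}
```

Applying the function where the response is serialized, rather than to the stored document, keeps GET and PUT consistent without losing the original requester.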