Format for the comments, bundle for vulnerability-lookup #41

Open
adulau opened this issue May 6, 2024 · 4 comments
Labels
enhancement New feature or request

Comments

@adulau
Member

adulau commented May 6, 2024

Vulnerability-lookup will allow logged-in users (with a validated account) of type "commenter" or "admin" to create a comment or a bundle.

The format of the JSON foreseen (draft) is the following:

| field name | values | type | required | description |
|---|---|---|---|---|
| uuid | UUID | uuid | X | UUIDv4 of the message |
| vulnerability-lookup-origin | UUID | uuid | X | UUIDv4 of the vulnerability lookup instance |
| creation_timestamp | datetime | datetime | X | When the message was created originally |
| timestamp | datetime | datetime | X | When the message was last updated |
| type | comment, bundle | string | X | Type of the message. Comment is a title, description text per vulnerability mentioned. Bundle is a bundle of vulnerabilities with title and a description text. |
| title | free text (limit? 65K?) | string | X | Title of the message |
| description | free text | string | - | Description of the message |
| description-format | markdown, text | string | - | Format of the description |
| vulnerability | array of vulnerability references | array | X | One or more vulnerability references for this message |
| meta | array of fields (like MISP galaxy) | array | - | Zero or more meta-fields |
adulau added the enhancement label on May 6, 2024
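As an added example (not code from the vulnerability-lookup project), the following Python validator checks an incoming message against the draft table above before it is stored: required and unknown keys, UUIDv4 values, parseable timestamps with `timestamp` not earlier than `creation_timestamp`, the `type` and `description-format` enumerations, and the array fields. The sample message, its UUIDs and the CVE reference are constructed here; the 65K title limit and the string form of vulnerability references are assumptions, since the draft leaves both open.

```python
import uuid
from datetime import datetime

# Draft field list from the table in the issue ("required" column: X / -).
REQUIRED_FIELDS = {"uuid", "vulnerability-lookup-origin", "creation_timestamp",
                   "timestamp", "type", "title", "vulnerability"}
OPTIONAL_FIELDS = {"description", "description-format", "meta"}
MESSAGE_TYPES = {"comment", "bundle"}
DESCRIPTION_FORMATS = {"markdown", "text"}
TITLE_MAX_LEN = 65_000  # assumption: the draft only asks "limit? 65K?"

# Constructed sample message (not from the project). The UUIDs are made-up v4
# values and the CVE identifier is a placeholder reference, not a real finding.
SAMPLE_COMMENT = {
    "uuid": "7c9e6679-7425-40de-944b-e07fc1f90ae7",
    "vulnerability-lookup-origin": "3f2504e0-4f89-41d3-9a0c-0305e82c3301",
    "creation_timestamp": "2024-05-06T10:15:00+00:00",
    "timestamp": "2024-05-06T10:20:00+00:00",
    "type": "comment",
    "title": "Fixed version available",
    "description": "The vendor advisory lists a fixed release.",
    "description-format": "markdown",
    "vulnerability": ["CVE-2024-12345"],
    "meta": [],
}


def _is_uuid4(value):
    try:
        return uuid.UUID(str(value)).version == 4
    except ValueError:
        return False


def _parse_dt(value):
    # Accept a trailing "Z" as UTC; fromisoformat() only understands "+00:00".
    try:
        return datetime.fromisoformat(str(value).replace("Z", "+00:00"))
    except ValueError:
        return None


def validate_message(msg):
    """Return a list of error strings; an empty list means the message conforms to the draft."""
    if not isinstance(msg, dict):
        return ["message must be a JSON object"]
    errors = []
    keys = set(msg)
    errors += [f"missing required field: {f}" for f in sorted(REQUIRED_FIELDS - keys)]
    # Reject unknown keys rather than silently storing caller-chosen data.
    errors += [f"unknown field: {f}" for f in sorted(keys - REQUIRED_FIELDS - OPTIONAL_FIELDS)]

    for f in ("uuid", "vulnerability-lookup-origin"):
        if f in msg and not _is_uuid4(msg[f]):
            errors.append(f"{f} must be a UUIDv4")

    for f in ("creation_timestamp", "timestamp"):
        if f in msg and _parse_dt(msg[f]) is None:
            errors.append(f"{f} must be an ISO 8601 datetime")
    created, updated = _parse_dt(msg.get("creation_timestamp")), _parse_dt(msg.get("timestamp"))
    try:
        if created and updated and updated < created:
            errors.append("timestamp must not precede creation_timestamp")
    except TypeError:  # a naive and a timezone-aware datetime cannot be ordered
        errors.append("timestamps must both carry a timezone offset")

    if "type" in msg and msg["type"] not in MESSAGE_TYPES:
        errors.append("type must be one of: bundle, comment")

    title = msg.get("title")
    if "title" in msg and (not isinstance(title, str) or not title.strip()):
        errors.append("title must be a non-empty string")
    elif isinstance(title, str) and len(title) > TITLE_MAX_LEN:
        errors.append(f"title exceeds {TITLE_MAX_LEN} characters")

    if "description" in msg and not isinstance(msg["description"], str):
        errors.append("description must be a string")
    if "description-format" in msg and msg["description-format"] not in DESCRIPTION_FORMATS:
        errors.append("description-format must be one of: markdown, text")

    vulns = msg.get("vulnerability")
    if "vulnerability" in msg and (not isinstance(vulns, list) or not vulns
                                   or not all(isinstance(v, str) and v.strip() for v in vulns)):
        errors.append("vulnerability must be a non-empty array of reference strings")

    meta = msg.get("meta")
    if "meta" in msg and (not isinstance(meta, list) or not all(isinstance(m, dict) for m in meta)):
        errors.append("meta must be an array of objects")
    return errors


if __name__ == "__main__":
    print(validate_message(SAMPLE_COMMENT))
```

Running the validator server-side on every submitted comment or bundle keeps the stored records consistent with the schema regardless of which client produced them; the unknown-field rejection matters once `meta` fields start carrying MISP-galaxy-style content, so that arbitrary extra keys cannot ride along unchecked.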
@cedricbonhomme
Contributor

Thank you for this!

As discussed here, I am focusing on finishing the user management system (creation and management of accounts) with a simple case of submitting a new vulnerability, just so as not to have a huge PR. It won't be a small PR, but it will be ready soon. I'll first make a draft PR for it.
After that, we can add the comments in another PR.

@cedricbonhomme
Contributor

cedricbonhomme commented May 6, 2024

And since you raised the question of the 'type' of users, I would like to make clear the different roles we need for the moment.

To summarize, can an authenticated user (not an admin) have several roles/permissions? For example:

  • commenter (as you said)
  • reporter (to submit/edit vulnerabilities)
    Can the user be only a commenter, only a reporter, or both? Any of these is fine for me.

Or is a single type of authenticated user (not admin) able to both comment and report, without distinction?

@adulau
Member Author

adulau commented May 7, 2024

The roles foreseen are the following:

  • admin: full access to everything, including updating other users' comments, bundles or vulnerabilities
  • commenter: allowed to create new comments or edit their own comments
  • reporter: is also a commenter, but can additionally submit/edit their own vulnerabilities
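As an added example (not project code), here is a default-deny authorization check in Python that encodes the three roles listed above, including the "their own" restriction on editing for commenters and reporters. The `User` record, the `verified` flag (following the validated-account requirement from the first comment) and the action/kind names are assumptions made for the example.

```python
from dataclasses import dataclass

# Roles from the thread; anything else is treated as having no rights.
ROLES = {"admin", "commenter", "reporter"}
KINDS = {"comment", "bundle", "vulnerability"}
ACTIONS = {"create", "edit"}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    verified: bool = True  # assumption: e-mail verification must have completed before acting


def is_allowed(user, action, kind, owner=None):
    """Default-deny check.

    action: "create" or "edit"; kind: "comment", "bundle" or "vulnerability";
    owner: username of the object's creator, needed only for "edit".
    """
    if not user.verified or user.role not in ROLES:
        return False
    if action not in ACTIONS or kind not in KINDS:
        return False  # unknown verbs or object kinds fail closed
    if user.role == "admin":
        return True  # full access, including other users' objects
    # commenter: comments and bundles; reporter: the same, plus vulnerabilities
    own_kinds = {"comment", "bundle"} if user.role == "commenter" else KINDS
    if kind not in own_kinds:
        return False
    if action == "create":
        return True
    # Non-admins may only edit objects they created themselves.
    return owner is not None and owner == user.name


if __name__ == "__main__":
    alice = User("alice", "commenter")
    print(is_allowed(alice, "edit", "comment", owner="alice"),   # True
          is_allowed(alice, "edit", "comment", owner="bob"))     # False
```

The ownership comparison is what separates "edit their own" from "edit any": the check must be evaluated on the server against the stored owner of the record, never against an owner field supplied in the request body.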

@cedricbonhomme
Contributor

Thanks for the information. I have implemented self-creation of accounts (creation by the admin was already done).
The new user receives an email in order to verify the account. When the app is executed in debug mode, the email is simply written to a file. I will update the roles and permissions now.
