undo README changes from gitlab

hkong-mitre · hkong-mitre · commit 05363e2f43bd · 2025-08-28T13:22:39.000-04:00
diff --git a/README.md b/README.md
@@ -2,188 +2,26 @@
 
 ## Overview
 
-This CVE project implements the `cve-core` common library containing the general purpose core classes for interacting with CVEs and services related to CVEs.  The intent is for this library to become a public npm package, where it can be used in any Typescript or Javascript (ESM) application to simplify and help standardize working with CVEs and CVE services.
+This CVE project implements the `cve-core` common library containing the general purpose core classes for interacting with CVEs and CVE services.  The intent is for this library to become a public npm package, where it can be used in any Typescript or Javascript (ESM) application to simplify and standardize working with CVEs and CVE services.
 
 ## Versioning
 
 The first version of this library is **version 2.0.0**.  This is because the capabilities of this library have already been in use in [cvelistV5](https://github.com/CVEProject/cvelistV5), and to preserve the versioning of capabilities, we decided to start this library at 2.0.0.  See [the ChangeLog](./ChangeLog.md) for specific details.
 
+## Usage
 
-# Pre-requisites
-#### All functionality is locked behind the following minimum requirements:
-- `Node.js` (18+ required, 20+ reccomended.)
-  - You may want to use [`nvm`](https://github.com/nvm-sh/nvm) (or [nvm for windows](https://github.com/coreybutler/nvm-windows/releases)) to install Node.JS
-
-#### Some functionality may require additional requirements:
-- `Git`
-
-
-#### Optional reccomended requirements:
-- `Docker`, for hosting local instaces of external dependencies.
-  - e.g. [Cve Services](#cve-services) as a local docker container.
-- POSIX compliant shell, for cross compatability when running CLI scripts.
-  - e.g. `Bash`, (or `Git Bash` for Windows)
-- [`jq`](https://jqlang.github.io/jq/download/), for working with JSON files.
-
-
-
-# Installation
-Be sure to install the necessary [prequisites](#pre-requisites) before continuing here. 
-
-There are multiple ways to install the packages.
-
-<details>
-  <summary>
-    <h3>Option 1: Install via npm</h3>
-  </summary>
-  <ol>
-    <li>
-      <details>
-        <summary>Install via npm.</summary>
-        <pre>npm install git+https://github.com/CVEProject/[name].git</pre>
-      </details>
-    </li>
-    <li>
-      <details>
-        <summary>Setup your .env file.</summary>
-        <ul>
-          <li>If you already have an existing .env file:<ul>
-              <li>
-                <pre>cat node_modules/[name]/.env-EXAMPLE >> .env</pre>
-              </li>
-          </li>
-        </ul>
-    <li>Or you can start a new .env from scratch with:<ul>
-        <li>
-          <pre>cp node_modules/[name]/.env-EXAMPLE .env</pre>
-        </li>
-    </li>
-    </ul>
-    <li>
-      <details>
-        <summary>Edit the variables needed. See the package's README and .env-EXAMPLE for additional comments and
-          details on each variable.</summary>
-    </li>
-    <ul>
-      <li><em><b>Note:</b> You may need to come back to this step later as some variables rely on installing other CVE
-          Project packages.</em></li>
-    </ul>
-</details>
-</details>
-</li>
-The CVE Project package is now installed! Double check your .env file!
-</ol>
-</details>
-
-<details>
-  <summary>
-    <h3>Option 2: Build from source</h3>
-  </summary>
-  <ol>
-    <li>
-      <details>
-        <summary>Clone the source repository.</summary>
-        <pre>git clone https://github.com/CVEProject/[name].git</pre>
-      </details>
-    </li>
-    <li>
-      <details>
-        <summary>Enter the newly cloned repository.</summary>
-        <pre>cd [name]</pre>
-      </details>
-    </li>
-    <li>
-      <details>
-        <summary>Build the package dependencies.</summary>
-        <pre>npm i</pre>
-      </details>
-    </li>
-    <li>
-      <details>
-        <summary>Setup your .env file.</summary>
-        <ul>
-          <li>If you already have an existing .env file:
-            <ul>
-              <li>
-                <pre>cat node_modules/[name]/.env-EXAMPLE >> .env</pre>
-              </li>
-              <li>Or you can start a new .env from scratch with:
-                <ul>
-                  <li>
-                    <pre>cp node_modules/[name]/.env-EXAMPLE .env</pre>
-                  </li>
-                </ul>
-              </li>
-            </ul>
-          </li>
-        </ul>
-      </details>
-    </li>
-    <li>
-      <details>
-        <summary>Edit the variables needed. See the package's README and .env-EXAMPLE for additional comments and
-          details on each
-          variable.</summary>
-        <ul>
-          <li><em><b>Note:</b> You may need to come back to this step later as some variables rely on installing other
-              CVE
-              Project packages.</em></li>
-        </ul>
-      </details>
-    </li>
-    <li>
-      <details>
-        <summary><em>[Optional]</em> Run the tests.</summary>
-        Note that you may need to complete the installation process of other CVE Project packages before you can run
-        some of the tests.
-        <pre># For running asynchronously</br>npm run test<br><br># For running synchronously<br>npm run test:serial<br><br># Or run tests and view coverage<br>npm run coverage<br># You can find the report file at <b>/coverage/lcov-report/index.html</b>.</pre>
-      </details>
-    </li>
-    <li>
-      <details>
-        <summary>Build the project.</summary>
-        <pre>npm run build</pre>
-      </details>
-    </li>
-    The CVE Project package is now installed! Double check your .env file!
-  </ol>
-</details>
-
-
-
----
-
-## Using the package in code
-After installing the package:
-
-`const CveCore = require('cve-core');`
-
-or
-
-`import { * as CveCore } from 'cve-core';`
-
-then use it
-
-`CveCore.CveId.isValidCveId('CVE-1999-0001');`
-
-
-## Using the package as a command line:
-
-Run the following in the command line after installing or building the cve-core package.
-```
-npx cves --help
-npx cves date
-```
-or
-```
-./cves.sh --help
-./cves.sh date
-```
-<sub>_To ensure compatability with DOS/Windows based operating systems, we have provided `./cves.bat` as an alternative for `./cves.sh`._</sub>
+There are 2 ways to use this library:
+1. as an npm package (note this is not yet publicly available in version 2.0.0)
+2. as a "sibling project import" (this is the only way to use this library in version 2.0.0).  This approach is useful when you need to both make changes to `cve-core` and your project, since it allows changing code in either repository without needing to publish a new version.
+
+### Pre-Requisites
 
-----
+You only need the following to use or develop this library:
+- a modern NodeJS (see `package.json`'s `engines.node` value for supported versions) to develop and/or run this project. The easiest way to do this is to use [nvm](https://github.com/nvm-sh/nvm).
+- (optional) [`jq`](https://jqlang.github.io/jq/download/) for working with JSON files
+
+### External dependencies
 
-# Additional dependencies
 #### [CVE Services](https://github.com/CVEProject/cve-services)
 
 To test or develop for cve-services, you will need to have an instance of CVE Services to point to.
@@ -197,16 +35,38 @@ To test or develop for cve-services, you will need to have an instance of CVE Se
 To test against a local version of cve-services you will need to build the cve-services docker container. [See here for docker build instructions](https://github.com/CVEProject/cve-services/blob/dev/README.md#docker). Note: [If you are developing on windows you may want to check out this comment explaining why your build may not be working](https://github.com/CVEProject/cve-services/issues/1171#issuecomment-2688313720).
 
 
-#### OpenSearch
+### As NPM Package
+
+This project is not yet set up to be used as an NPM package.
+
+
+### As a "Sibling Project Import"
+
 
-TBD: Release opensearch info?
-inside cve-search repo:
-- `docker compose up`
-- unzip 1000cves.zip
-- `./prep.sh`
-- ...?
+This setup allows you to work on this library project and the application project simultaneously.  It is currently the only way to use this library.
 
+To use it this way, the directory location of this library and that of your application must be maintained in a strict hierarchical fashion as can be seen below.  This is because when we run `npm install cve-core` later in the instructions, npm will make a soft link to the files in this repository from `<your-app>`.
 
+```bash
+<cveProjects>
+├── cve-core
+└── <your-app>
+```
+
+1. clone 2 (or more) repositories into a common parent directory (`cveProjects` as an example)
+   1. `mkdir cveProjects`
+   2. `cd cveProjects`
+   3. `git clone git@gitlab.mitre.org:cve-projects/cve-core.git`
+   4. `pushd cve-core && git checkout <branch> && npm i && popd` (sets cve-core to a modern, stable branch, but you can set <branch> to any branch in `cve-core`).  Your project may contain a `cve-layers` section in the `package.json` to specify a specific branch needed.  If not, use the `develop` branch for a stable version with the latest functionality
+   5. `git clone <url-to-your-app> <your-app>`
+   6. `cd <your-app>`
+2. set up tokens/secrets/environment variables by making a `.env` file in the root directory.
+   - Copy `.env-EXAMPLE` as a starting point
+   - You will need to replace the `<var>` variables with your own credentials for this app to work
+3. `npm i` to load dependencies.
+4. For development, look at `package.json`'s `scripts` for available `npm` scripts
+   - of special interest is the `npm run build` command, which builds this project into a single `index.js` file that contains all the necessary code and libraries to run as a Github action or to be used with `cves.sh` as a CLI.  This is a useful step to check that the code "compiles"
+5. Run `./cves.sh --help`[^1] for help on using the commands.
 
 ### Fixtures
 
@@ -218,13 +78,32 @@ There are several fixtures directories in this project:
 
 For `src/core/Delta.test.ts` to work properly, do not commit `pretend_github_repository/1970/0xxx/CVE-1970-0999.json`. It is intended to be copied from `fixtures` during testing to test that a new file shows up in the `new` list of an activity's delta.
 
-There is also the cve-fixtures repo that is intended for int and e2e testing. You may add files, but you may not modify or remove files once they end up in the cve-fixtures main branch. Keep the size of the cve-fixtures repository small enough where a clone will not take a significant amount of time.
+### Testing
+
+There are 2 `npm` scripts for running tests. Most of the time, just running
+
+```bash
+npm test
+```
 
+should do it. However, there are times, when tests in `git.test.ts` and `gitSync.test.ts` fail due to the way Jest runs everything in parallel, and some tests in those files will report errors because of race conditions. To mitigate this, run `npm run test` first, and if you get errors in any of the `git` test files, re-run Jest using `npm run test-serial` to run tests in "`runInBand`" (that is, one at a time in serial) mode. This approach is slower, but should solve any race conditions that may occur during testing.
 
 ## Environment Variables and Secrets
 
 There are 3 CVE-related "secret" environment variables: `CVE_API_KEY`, `CVE_API_ORG`, and `CVE_API_USER`. These need to be defined as specified in the Setup section above.
 
+## Version Conventions
+
+The version for this library is specified in the `package.json`'s `version` field.  The convention is:
+
+   - follow semver for released software: Major.Minor.Patch, e.g., `2.0.4`.
+   - deviate from semver during development and testing, using the following syntax instead
+      - the version number that it branched from, appending to it `+feature_YYYY-MM-DD`, e.g., `2.0.0+search_2025-01-24`, where the date is the date that the `npm run build` command was built.  For frequently updated code, you can also append `aHH` or `pHH` for AM and PM local timestamps.
+
+
 ### History
 
-See [`ChangeLog.md`](./ChangeLog.md) for a full history of this project.
+See [`ChangeLog.md](./ChangeLog.md) for a full history of this project.
+
+### Footnotes
+[^1]: To ensure compatability with DOS/Windows based operating systems, we have provided `./cves.bat` as an alternative for `./cves.sh`.
