diff --git a/README.md b/README.md index e8130c3..973b985 100644 --- a/README.md +++ b/README.md @@ -3,7 +3,7 @@ A comprehensive vulnerability management system designed for tracking CVE (Common Vulnerabilities and Exposures) remediation status and maintaining vendor documentation compliance. ![Charter Communications](https://img.shields.io/badge/Charter-Communications-0476D9) -![Version](https://img.shields.io/badge/version-1.0.0-blue) +![Version](https://img.shields.io/badge/version-1.1.0-blue) ![License](https://img.shields.io/badge/license-Internal-red) --- 
@@ -51,16 +51,32 @@ This dashboard provides: ## ✨ Key Features +### πŸ” User Authentication & Roles +- **Secure login**: Session-based authentication with encrypted passwords +- **Role-based access control**: Three user roles with different permissions + - **Admin**: Full access including user management and document deletion + - **Editor**: Can add/edit CVEs and upload documents + - **Viewer**: Read-only access to CVEs and documents +- **User management**: Admins can create, edit, and deactivate users +- **Session persistence**: Stay logged in across browser sessions (24-hour expiry) + ### πŸ” Quick CVE Status Check - **Instant verification**: Enter any CVE ID and immediately see if it's been addressed -- **Document compliance**: Shows which documents are present (Advisory βœ“, Email β—‹, Screenshot β—‹) +- **Multi-vendor display**: Shows all vendors associated with a CVE +- **Document compliance**: Shows which documents are present per vendor (Advisory βœ“, Email β—‹, Screenshot β—‹) - **Visual indicators**: Color-coded results (green = addressed, yellow = not found, red = missing required docs) ### πŸ“‚ Document Management - **Upload documents**: PDF, images, Word docs, text files (up to 10MB) - **Automatic organization**: Files stored as `uploads/CVE-2024-1234/Microsoft/advisory.pdf` +- **Per-vendor storage**: Each vendor's documents are organized separately - **Document types**: Advisory, Email, Screenshot, Patch, Other -- **View & Delete**: Direct links to view documents, delete with confirmation +- **View & Delete**: Direct links to view documents, admin-only deletion + +### 🏒 Multi-Vendor Support +- **Same CVE, multiple vendors**: Track a single CVE across different vendors (e.g., CVE-2024-1234 for both Microsoft and Cisco) +- **Vendor-specific tracking**: Each vendor entry has its own status, documents, and compliance +- **Flexible organization**: Documents organized by CVE ID and vendor ### πŸ”Ž Search & Filter - **Search by CVE ID or description**: 
Find vulnerabilities quickly @@ -72,6 +88,7 @@ This dashboard provides: - **Document status badges**: "βœ“ Docs Complete" or "⚠ Incomplete" - **Required documents**: Advisory (mandatory), Email (optional), Screenshot (optional) - **Vendor-specific requirements**: Customizable per vendor +- **Per-vendor compliance**: Track documentation status for each vendor separately ### 🎨 Charter/Spectrum Branding - **Corporate colors**: Charter Blue (#0476D9) throughout @@ -90,12 +107,15 @@ This dashboard provides: β”‚ β”‚ Frontend β”‚ β”‚ Backend API β”‚ β”‚ β”‚ β”‚ β”‚ HTTP β”‚ β”‚ β”‚ β”‚ β”‚ React + │◄───────►│ Express.js β”‚ β”‚ -β”‚ β”‚ Tailwind β”‚ :3001 β”‚ β”‚ β”‚ -β”‚ β”‚ β”‚ β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ β”‚ -β”‚ β”‚ Port: 3000 β”‚ β”‚ β”‚ SQLite DB β”‚ β”‚ β”‚ -β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ β”‚ - cves β”‚ β”‚ β”‚ +β”‚ β”‚ Tailwind β”‚ :3001 β”‚ + Auth Middleware β”‚ β”‚ +β”‚ β”‚ β”‚ β”‚ β”‚ β”‚ +β”‚ β”‚ Port: 3000 β”‚ β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ β”‚ +β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ β”‚ SQLite DB β”‚ β”‚ β”‚ +β”‚ β”‚ β”‚ - cves β”‚ β”‚ β”‚ β”‚ β”‚ β”‚ - documents β”‚ β”‚ β”‚ β”‚ β”‚ β”‚ - required_docsβ”‚ β”‚ β”‚ +β”‚ β”‚ β”‚ - users β”‚ β”‚ β”‚ +β”‚ β”‚ β”‚ - sessions β”‚ β”‚ β”‚ β”‚ β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ β”‚ β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ β”‚ β”‚ β”‚ 
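Review bot: In the Key Features hunk, the bullet `Secure login: Session-based authentication with encrypted passwords` misstates the mechanism; the Technology Stack hunk lists bcryptjs for password hashing and the `users` table stores `password_hash`, so say "hashed" (bcrypt) rather than "encrypted", since an encrypted password is recoverable with the key and a hash is not. The `Session persistence: Stay logged in across browser sessions (24-hour expiry)` bullet should also state whether a session ends on logout and on account deactivation, because the Admin/Editor/Viewer split described just above it only holds if a deactivated account's existing session stops working before the 24 hours are up.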
@@ -105,9 +125,10 @@ This dashboard provides: β”‚ β”‚ β”‚ β”‚ β”‚ β”‚ uploads/ β”‚ β”‚ β”‚ β”‚ └─ CVE-2024-1234/ β”‚ β”‚ -β”‚ β”‚ └─ Microsoft/ β”‚ β”‚ -β”‚ β”‚ β”œβ”€ advisory.pdfβ”‚ β”‚ -β”‚ β”‚ └─ email.pdf β”‚ β”‚ +β”‚ β”‚ β”œβ”€ Microsoft/ β”‚ β”‚ +β”‚ β”‚ β”‚ └─ advisory.pdfβ”‚ β”‚ +β”‚ β”‚ └─ Cisco/ β”‚ β”‚ +β”‚ β”‚ └─ advisory.pdfβ”‚ β”‚ β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ ``` @@ -119,6 +140,7 @@ This dashboard provides: - Tailwind CSS (via CDN) - Lucide React (icons) - Fetch API +- Context API (AuthContext) **Backend:** - Node.js v18+ @@ -126,6 +148,9 @@ This dashboard provides: - SQLite3 - Multer (file uploads) - CORS +- bcryptjs (password hashing) +- cookie-parser (session management) +- dotenv (environment configuration) **Database:** - SQLite (development/production) @@ -168,6 +193,9 @@ Expected packages: - sqlite3 - multer - cors +- bcryptjs +- cookie-parser +- dotenv ### 3. Install Frontend Dependencies ```bash 
@@ -189,35 +217,64 @@ node setup.js This will: - βœ… Create `cve_database.db` -- βœ… Create tables: `cves`, `documents`, `required_documents` +- βœ… Create tables: `cves`, `documents`, `required_documents`, `users`, `sessions` +- βœ… Set up multi-vendor support with UNIQUE(cve_id, vendor) constraint - βœ… Create indexes for fast queries - βœ… Create `cve_document_status` view -- βœ… Create `uploads/` and `uploads/temp/` directories +- βœ… Create `uploads/` directory - βœ… Insert default required documents for major vendors +- βœ… Create default admin user (admin/admin123) Expected output: ``` -πŸš€ CVE Database Setup +πŸš€ CVE Database Setup (Multi-Vendor Support) + ════════════════════════════════════════ -βœ“ Created uploads directory + +βœ“ Uploads directory already exists βœ“ Database initialized successfully -βœ“ Database connection closed +βœ“ Created default admin user (admin/admin123) + +πŸ“ Adding sample CVE data for testing... + βœ“ Added sample: CVE-2024-SAMPLE-1 / Microsoft + βœ“ Added sample: CVE-2024-SAMPLE-1 / Cisco +ℹ️ Sample data added - demonstrates multi-vendor support ╔════════════════════════════════════════════════════════╗ β•‘ CVE DATABASE SETUP COMPLETE! β•‘ β•šβ•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β• ``` -### 5. Configure Server IP +### 5. 
Configure Environment Variables -Edit `frontend/src/App.js` and update the API URL (line 5): -```javascript -const API_BASE = 'http://YOUR_SERVER_IP:3001/api'; +Run the environment setup script to configure server IP addresses: +```bash +cd backend +chmod +x setup-env.sh +./setup-env.sh ``` -Example: -```javascript -const API_BASE = 'http://192.168.2.117:3001/api'; +The script will: +- Auto-detect your server's IP address +- Create `backend/.env` with CORS and API settings +- Create `frontend/.env` with API base URL + +**Manual Configuration (Alternative):** + +Create `backend/.env`: +```bash +# Backend Configuration +PORT=3001 +API_HOST=YOUR_SERVER_IP +CORS_ORIGINS=http://YOUR_SERVER_IP:3000 +SESSION_SECRET=your-secure-secret-key +``` + +Create `frontend/.env`: +```bash +# Frontend Configuration +REACT_APP_API_BASE=http://YOUR_SERVER_IP:3001/api +REACT_APP_API_HOST=http://YOUR_SERVER_IP:3001 ``` ### 6. Add Tailwind CSS to Frontend 
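Review bot: In the setup hunk, `Create default admin user (admin/admin123)` bakes a known credential into the script output and the README, and the new Logging In section points users at the same pair, so every deployment starts with a guessable admin password. Have setup.js generate a random password and print it once (or read it from an environment variable), and force a password change on first login. Two smaller points in the same hunk: the expected output shows `Adding sample CVE data for testing...` inserting `CVE-2024-SAMPLE-1 / Microsoft` and `/ Cisco` unconditionally, which should be opt-in so production databases do not carry test rows; and `Create uploads/ and uploads/temp/ directories` was shortened to `Create uploads/ directory` while the Project Structure hunk later in this patch still lists `uploads/temp/`, so one of the two is stale.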
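Review bot: In the Configure Environment Variables hunk, `SESSION_SECRET=your-secure-secret-key` is a placeholder that operators will copy verbatim; since setup-env.sh already writes `backend/.env`, have it fill this value from a CSPRNG (for example `openssl rand -hex 32`), state the minimum length in the Manual Configuration block, and say that the backend refuses to start when the variable is unset. The block should also say that `backend/.env` must never be committed (the `.gitignore` entry in the Project Structure hunk is not shown to cover it), and note that `CORS_ORIGINS=http://YOUR_SERVER_IP:3000` means the session cookie travels over plain HTTP, so either document TLS in front of port 3001 or state that the cookie cannot carry the `Secure` flag in this configuration.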
@@ -292,32 +349,28 @@ chmod +x stop-servers.sh ### Backend Configuration -**CORS Settings** (`backend/server.js`): -```javascript -app.use(cors({ - origin: ['http://localhost:3000', 'http://192.168.2.117:3000'], - credentials: true -})); +**Environment Variables** (`backend/.env`): +```bash +PORT=3001 # API server port +API_HOST=192.168.2.117 # Server IP address +CORS_ORIGINS=http://192.168.2.117:3000 # Allowed frontend origins (comma-separated) +SESSION_SECRET=your-secure-secret # Session encryption key ``` **File Upload Limits** (`backend/server.js`): ```javascript -const upload = multer({ +const upload = multer({ storage: storage, limits: { fileSize: 10 * 1024 * 1024 } // 10MB limit }); ``` -**Port Configuration** (`backend/server.js`): -```javascript -const PORT = 3001; -``` - ### Frontend Configuration -**API Base URL** (`frontend/src/App.js`): -```javascript -const API_BASE = 'http://192.168.2.117:3001/api'; +**Environment Variables** (`frontend/.env`): +```bash +REACT_APP_API_BASE=http://192.168.2.117:3001/api # API endpoint with /api path +REACT_APP_API_HOST=http://192.168.2.117:3001 # Base URL for file downloads ``` **Severity Levels** (`frontend/src/App.js`): 
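Review bot: In the Backend Configuration hunk, the comment `SESSION_SECRET=your-secure-secret # Session encryption key` does not match the rest of the README, which stores sessions server-side in a `sessions` table and sends `session_id` as the cookie; say what the secret is actually used for (signing the cookie, deriving the token, or something else) so an operator knows what is at risk if it leaks, and replace the placeholder value with the same generation instruction the setup script uses. The File Upload Limits snippet still shows only `limits: { fileSize: 10 * 1024 * 1024 }`; now that uploads land in `uploads/<cve>/<vendor>/`, this section should show or reference where the allowed types (the PDF/PNG/JPG/TXT/DOC/DOCX list elsewhere in the README) and the path components are validated on the server.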
@@ -372,8 +425,36 @@ cd /home/cve-dashboard - Frontend: `http://YOUR_SERVER_IP:3000` - Backend API: `http://YOUR_SERVER_IP:3001` +### Logging In + +1. Navigate to `http://YOUR_SERVER_IP:3000` +2. You'll see the login page +3. Enter credentials: + - **Default admin**: username `admin`, password `admin123` +4. Click **"Sign In"** +5. You'll be redirected to the dashboard + +**First-Time Setup:** +- After initial setup, change the default admin password +- Create additional users based on their roles: + - **Viewers**: Read-only access (security auditors, stakeholders) + - **Editors**: Can add/edit CVEs and upload documents (analysts) + - **Admins**: Full access including user management (team leads) + +### User Management (Admin Only) + +1. Click on your username in the top right +2. Select **"User Management"** +3. From here you can: + - View all users and their roles + - Create new users + - Edit user roles and status + - Deactivate users (soft delete) + ### Adding a New CVE +**Required Role:** Editor or Admin + 1. Click the **"+ Add New CVE"** button (top right) 2. Fill in the form: - **CVE ID**: e.g., `CVE-2024-1234` 
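Review bot: In the Logging In hunk, `After initial setup, change the default admin password` is listed under First-Time Setup but the steps never say where to do it: the User Management list that follows offers viewing users, creating users, editing roles and status, and deactivating, with no password change, while the changelog claims `Password reset capability`. Add the concrete step (the menu item, or the `PUT /api/users/:id` body field) and make it step 1 rather than a follow-up note, since `admin/admin123` is printed in this same section.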
@@ -384,25 +465,31 @@ cd /home/cve-dashboard 3. Click **"Add CVE"** 4. CVE appears in the dashboard immediately +**Multi-Vendor Note:** You can add the same CVE ID multiple times with different vendors. For example, CVE-2024-1234 can exist for both Microsoft and Cisco with separate tracking. + ### Uploading Documents +**Required Role:** Editor or Admin + 1. Find the CVE in the list 2. Click **"View Documents"** to expand 3. Click **"Upload New Document"** 4. Select your file (PDF, PNG, JPG, TXT, DOC, DOCX) 5. When prompted, specify: + - **Vendor**: Select the vendor this document applies to - **Document type**: advisory, email, screenshot, patch, other - **Notes** (optional): Description or context 6. File uploads and organizes automatically -**File Organization Example:** +**File Organization Example (Multi-Vendor):** ``` uploads/ └── CVE-2024-1234/ - └── Microsoft/ - β”œβ”€β”€ 1706140800000-MS-Security-Advisory.pdf - β”œβ”€β”€ 1706140850000-Vendor-Email.pdf - └── 1706140900000-Patch-Screenshot.png + β”œβ”€β”€ Microsoft/ + β”‚ β”œβ”€β”€ 1706140800000-MS-Security-Advisory.pdf + β”‚ └── 1706140850000-Vendor-Email.pdf + └── Cisco/ + └── 1706140900000-Cisco-Advisory.pdf ``` ### Using Quick Check @@ -412,16 +499,21 @@ uploads/ 1. Enter `CVE-2024-5678` in the **Quick Check** box 2. Click **"Check Status"** -**Result A - Already Addressed:** +**Result A - Already Addressed (Multi-Vendor):** ``` βœ“ CVE Addressed -Vendor: Cisco -Severity: High -Status: Addressed -Documents: 2 attached -βœ“ Advisory βœ“ Email β—‹ Screenshot -Ready for false positive request +Vendor: Microsoft +Severity: Critical | Status: Addressed +Documents: 3 attached +βœ“ Advisory βœ“ Email βœ“ Screenshot + +Vendor: Cisco +Severity: High | Status: Open +Documents: 1 attached +βœ“ Advisory β—‹ Email β—‹ Screenshot + +Ready for false positive request (Microsoft) ``` **Result B - Not Found:** 
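Review bot: In the Uploading Documents hunk, step 5 now has the user pick `Vendor`, and the File Organization Example shows that value becoming a directory name under `uploads/CVE-2024-1234/`, with the CVE ID forming the parent directory. State that both are validated against an allow-list before being joined into the path (for example `^CVE-\d{4}-\d{4,}$` for the ID and the vendor list returned by `GET /api/vendors`) and that the upload is rejected otherwise, so a vendor string containing path separators or `..` can never resolve outside `uploads/`. The example filenames keep the original name after the timestamp prefix (`1706140800000-MS-Security-Advisory.pdf`), so also say how the original filename is sanitised.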
@@ -436,6 +528,7 @@ Action Required: Create entry and gather vendor documentation **Result C - Incomplete:** ``` βœ“ CVE Addressed +Vendor: Oracle Documents: 1 attached βœ— Advisory β—‹ Email β—‹ Screenshot @@ -468,10 +561,10 @@ Missing required advisory - obtain before requesting false positive 3. Click **"View"** to open document in new tab 4. Select checkboxes to export multiple documents -### Deleting Documents +### Deleting Documents (Admin Only) 1. Expand documents for a CVE -2. Click red **"Delete"** button next to document +2. Click red **"Delete"** button next to document (only visible to admins) 3. Confirm deletion in popup 4. Document removed from database and filesystem 
@@ -488,12 +581,107 @@ Missing required advisory - obtain before requesting false positive Base URL: `http://YOUR_SERVER_IP:3001/api` +**Authentication Required:** All endpoints except `/api/auth/login` require authentication via session cookie. + +### Authentication Endpoints + +#### Login +```http +POST /api/auth/login +Content-Type: application/json +``` + +**Body:** +```json +{ + "username": "admin", + "password": "admin123" +} +``` + +**Response:** +```json +{ + "message": "Login successful", + "user": { + "id": 1, + "username": "admin", + "email": "admin@localhost", + "role": "admin" + } +} +``` + +Sets a session cookie (`session_id`) for subsequent requests. + +#### Logout +```http +POST /api/auth/logout +``` + +**Response:** +```json +{ + "message": "Logged out successfully" +} +``` + +#### Get Current User +```http +GET /api/auth/me +``` + +**Response:** +```json +{ + "id": 1, + "username": "admin", + "email": "admin@localhost", + "role": "admin" +} +``` + +### User Management Endpoints (Admin Only) + +#### Get All Users +```http +GET /api/users +``` + +#### Create User +```http +POST /api/users +Content-Type: application/json +``` + +**Body:** +```json +{ + "username": "newuser", + "email": "user@example.com", + "password": "password123", + "role": "editor" +} +``` + +#### Update User +```http +PUT /api/users/:id +Content-Type: application/json +``` + +#### Delete User +```http +DELETE /api/users/:id +``` + ### CVE Endpoints #### Get All CVEs ```http GET /api/cves ``` +**Required Role:** Any authenticated user **Query Parameters:** - `search` (optional): Search term for CVE ID or description @@ -502,7 +690,7 @@ GET /api/cves **Example:** ```bash -curl "http://192.168.2.117:3001/api/cves?vendor=Microsoft&severity=Critical" +curl -b cookies.txt "http://192.168.2.117:3001/api/cves?vendor=Microsoft&severity=Critical" ``` **Response:** 
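Review bot: In the Authentication Endpoints hunk, the curl examples that follow use `-b cookies.txt`, but the Login section never shows how that file is produced, so the examples fail as written; add `curl -c cookies.txt -X POST http://YOUR_SERVER_IP:3001/api/auth/login ...` under Login and say the jar is then passed with `-b`. The Login section should also document the cookie attributes (`HttpOnly`, `SameSite`, `Secure` where TLS is present, and a `Max-Age` matching the 24-hour expiry) and the 401/403 responses implied by `Authentication Required` and the `Required Role` lines. Finally, `DELETE /api/users/:id` contradicts the UI wording `Deactivate users (soft delete)`; state whether the endpoint removes the row (which through `ON DELETE CASCADE` also drops the user's sessions) or only sets `is_active` to 0.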
@@ -528,33 +716,43 @@ curl "http://192.168.2.117:3001/api/cves?vendor=Microsoft&severity=Critical" ```http GET /api/cves/check/:cveId ``` +**Required Role:** Any authenticated user **Example:** ```bash -curl "http://192.168.2.117:3001/api/cves/check/CVE-2024-1234" +curl -b cookies.txt "http://192.168.2.117:3001/api/cves/check/CVE-2024-1234" ``` -**Response (Found):** +**Response (Found - Multi-Vendor):** ```json { "exists": true, - "cve": { - "cve_id": "CVE-2024-1234", - "vendor": "Microsoft", - "severity": "Critical", - "status": "Addressed", - "total_documents": 3, - "has_advisory": 1, - "has_email": 1, - "has_screenshot": 1 - }, + "vendors": [ + { + "vendor": "Microsoft", + "severity": "Critical", + "status": "Addressed", + "total_documents": 3, + "compliance": { + "advisory": true, + "email": true, + "screenshot": true + } + }, + { + "vendor": "Cisco", + "severity": "High", + "status": "Open", + "total_documents": 1, + "compliance": { + "advisory": true, + "email": false, + "screenshot": false + } + } + ], "addressed": true, - "has_required_docs": true, - "compliance": { - "advisory": true, - "email": true, - "screenshot": true - } + "has_required_docs": true } ``` 
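Review bot: In the multi-vendor check response, the top-level `"addressed": true` and `"has_required_docs": true` are ambiguous now that `vendors[]` mixes an `Addressed` entry with an `Open` one (Cisco is `Open` with only an advisory); the Quick Check section resolves this as `Ready for false positive request (Microsoft)`, so document the aggregation rule explicitly (any vendor versus all vendors), or drop the top-level booleans so a consumer cannot read `addressed: true` as meaning the CVE is closed for every vendor.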
@@ -566,11 +764,43 @@ curl "http://192.168.2.117:3001/api/cves/check/CVE-2024-1234" } ``` +#### Get Vendors for CVE +```http +GET /api/cves/:cveId/vendors +``` +**Required Role:** Any authenticated user + +**Example:** +```bash +curl -b cookies.txt "http://192.168.2.117:3001/api/cves/CVE-2024-1234/vendors" +``` + +**Response:** +```json +[ + { + "vendor": "Microsoft", + "severity": "Critical", + "status": "Addressed", + "description": "Remote code execution vulnerability", + "published_date": "2024-01-15" + }, + { + "vendor": "Cisco", + "severity": "High", + "status": "Open", + "description": "Remote code execution vulnerability", + "published_date": "2024-01-15" + } +] +``` + #### Create CVE ```http POST /api/cves Content-Type: application/json ``` +**Required Role:** Editor or Admin **Body:** ```json @@ -583,9 +813,11 @@ Content-Type: application/json } ``` +**Note:** The same CVE ID can be added multiple times with different vendors. The combination of (cve_id, vendor) must be unique. + **Example:** ```bash -curl -X POST http://192.168.2.117:3001/api/cves \ +curl -b cookies.txt -X POST http://192.168.2.117:3001/api/cves \ -H "Content-Type: application/json" \ -d '{ "cve_id": "CVE-2024-1234", @@ -601,7 +833,14 @@ curl -X POST http://192.168.2.117:3001/api/cves \ { "id": 1, "cve_id": "CVE-2024-1234", - "message": "CVE created successfully" + "message": "CVE created successfully for vendor: Microsoft" +} +``` + +**Error (Duplicate):** +```json +{ + "error": "This CVE already exists for this vendor. Choose a different vendor or update the existing entry." } ``` @@ -610,6 +849,7 @@ curl -X POST http://192.168.2.117:3001/api/cves \ PATCH /api/cves/:cveId/status Content-Type: application/json ``` +**Required Role:** Editor or Admin **Body:** ```json 
@@ -620,7 +860,7 @@ Content-Type: application/json **Example:** ```bash -curl -X PATCH http://192.168.2.117:3001/api/cves/CVE-2024-1234/status \ +curl -b cookies.txt -X PATCH http://192.168.2.117:3001/api/cves/CVE-2024-1234/status \ -H "Content-Type: application/json" \ -d '{"status": "False Positive Requested"}' ``` @@ -631,10 +871,14 @@ curl -X PATCH http://192.168.2.117:3001/api/cves/CVE-2024-1234/status \ ```http GET /api/cves/:cveId/documents ``` +**Required Role:** Any authenticated user + +**Query Parameters:** +- `vendor` (optional): Filter documents by vendor **Example:** ```bash -curl "http://192.168.2.117:3001/api/cves/CVE-2024-1234/documents" +curl -b cookies.txt "http://192.168.2.117:3001/api/cves/CVE-2024-1234/documents?vendor=Microsoft" ``` **Response:** @@ -643,6 +887,7 @@ curl "http://192.168.2.117:3001/api/cves/CVE-2024-1234/documents" { "id": 1, "cve_id": "CVE-2024-1234", + "vendor": "Microsoft", "name": "MS-Security-Advisory.pdf", "type": "advisory", "file_path": "uploads/CVE-2024-1234/Microsoft/1706140800000-MS-Security-Advisory.pdf", @@ -659,19 +904,18 @@ curl "http://192.168.2.117:3001/api/cves/CVE-2024-1234/documents" POST /api/cves/:cveId/documents Content-Type: multipart/form-data ``` +**Required Role:** Editor or Admin **Form Fields:** - `file`: The file to upload -- `cveId`: CVE ID (e.g., CVE-2024-1234) -- `vendor`: Vendor name (e.g., Microsoft) +- `vendor`: Vendor name (required - determines storage folder) - `type`: Document type (advisory, email, screenshot, patch, other) - `notes` (optional): Description **Example:** ```bash -curl -X POST http://192.168.2.117:3001/api/cves/CVE-2024-1234/documents \ +curl -b cookies.txt -X POST http://192.168.2.117:3001/api/cves/CVE-2024-1234/documents \ -F "file=@/path/to/advisory.pdf" \ - -F "cveId=CVE-2024-1234" \ -F "vendor=Microsoft" \ -F "type=advisory" \ -F "notes=Official security advisory" 
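Review bot: In the status update hunk, `PATCH /api/cves/:cveId/status` still takes only `{"status": ...}` while the `cves` table now permits several rows per `cve_id` (UNIQUE on `(cve_id, vendor)`), so the example `curl -b cookies.txt -X PATCH .../CVE-2024-1234/status` cannot distinguish Microsoft from Cisco; add a required `vendor` field, as `GET /api/cves/:cveId/documents?vendor=` already does, and document the error returned when it is missing or the pair does not exist. In the upload hunk, dropping the `cveId` form field in favour of the URL parameter is right; say whether a `vendor` value with no matching `cves` row is rejected or silently creates the directory.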
@@ -694,10 +938,11 @@ curl -X POST http://192.168.2.117:3001/api/cves/CVE-2024-1234/documents \ ```http DELETE /api/documents/:id ``` +**Required Role:** Admin only **Example:** ```bash -curl -X DELETE http://192.168.2.117:3001/api/documents/1 +curl -b cookies.txt -X DELETE http://192.168.2.117:3001/api/documents/1 ``` **Response:** @@ -713,10 +958,11 @@ curl -X DELETE http://192.168.2.117:3001/api/documents/1 ```http GET /api/vendors ``` +**Required Role:** Any authenticated user **Example:** ```bash -curl "http://192.168.2.117:3001/api/vendors" +curl -b cookies.txt "http://192.168.2.117:3001/api/vendors" ``` **Response:** @@ -728,10 +974,11 @@ curl "http://192.168.2.117:3001/api/vendors" ```http GET /api/stats ``` +**Required Role:** Any authenticated user **Example:** ```bash -curl "http://192.168.2.117:3001/api/stats" +curl -b cookies.txt "http://192.168.2.117:3001/api/stats" ``` **Response:** @@ -757,7 +1004,7 @@ Stores CVE metadata and remediation status. | Column | Type | Description | |--------|------|-------------| | id | INTEGER PRIMARY KEY | Auto-incrementing ID | -| cve_id | VARCHAR(20) UNIQUE | CVE identifier (e.g., CVE-2024-1234) | +| cve_id | VARCHAR(20) | CVE identifier (e.g., CVE-2024-1234) | | vendor | VARCHAR(100) | Vendor name | | severity | VARCHAR(20) | Critical, High, Medium, Low | | description | TEXT | Vulnerability description | @@ -766,6 +1013,8 @@ Stores CVE metadata and remediation status. | created_at | TIMESTAMP | Record creation timestamp | | updated_at | TIMESTAMP | Last update timestamp | +**Unique Constraint:** `UNIQUE(cve_id, vendor)` - Allows same CVE with different vendors + **Indexes:** - `idx_cve_id` on `cve_id` - `idx_vendor` on `vendor` 
@@ -778,7 +1027,8 @@ Stores document metadata and file locations. | Column | Type | Description | |--------|------|-------------| | id | INTEGER PRIMARY KEY | Auto-incrementing ID | -| cve_id | VARCHAR(20) | Foreign key to cves.cve_id | +| cve_id | VARCHAR(20) | CVE identifier | +| vendor | VARCHAR(100) | Vendor name (for per-vendor organization) | | name | VARCHAR(255) | Original filename | | type | VARCHAR(50) | advisory, email, screenshot, patch, other | | file_path | VARCHAR(500) | Path to file on filesystem | 
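Review bot: In the `documents` table hunk, `cve_id` changed from `Foreign key to cves.cve_id` to plain `CVE identifier` and a `vendor` column was added, but nothing ties `(cve_id, vendor)` back to `cves(cve_id, vendor)`; without that constraint a document can reference a vendor entry that was never created or was later removed, and the `cve_document_status` view would still count it toward compliance. Add the composite foreign key with the intended `ON DELETE` behaviour, or state why the relation is deliberately loose.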
@@ -791,8 +1041,49 @@ Stores document metadata and file locations. **Indexes:** - `idx_doc_cve_id` on `cve_id` +- `idx_doc_vendor` on `vendor` - `idx_doc_type` on `type` +#### `users` +Stores user accounts for authentication. + +| Column | Type | Description | +|--------|------|-------------| +| id | INTEGER PRIMARY KEY | Auto-incrementing ID | +| username | VARCHAR(50) UNIQUE | Login username | +| email | VARCHAR(255) UNIQUE | User email address | +| password_hash | VARCHAR(255) | bcrypt hashed password | +| role | VARCHAR(20) | admin, editor, or viewer | +| is_active | BOOLEAN | Account active status (1=active, 0=disabled) | +| created_at | TIMESTAMP | Account creation timestamp | +| last_login | TIMESTAMP | Last successful login | + +**Roles:** +- `admin` - Full access: manage users, delete documents, all CVE operations +- `editor` - Can add/edit CVEs, upload documents +- `viewer` - Read-only access to CVEs and documents + +**Indexes:** +- `idx_users_username` on `username` + +#### `sessions` +Stores active user sessions. + +| Column | Type | Description | +|--------|------|-------------| +| id | INTEGER PRIMARY KEY | Auto-incrementing ID | +| session_id | VARCHAR(255) UNIQUE | Session token (stored in cookie) | +| user_id | INTEGER | Foreign key to users.id | +| expires_at | TIMESTAMP | Session expiration time | +| created_at | TIMESTAMP | Session creation timestamp | + +**Foreign Key:** `user_id` β†’ `users(id)` ON DELETE CASCADE + +**Indexes:** +- `idx_sessions_session_id` on `session_id` +- `idx_sessions_user_id` on `user_id` +- `idx_sessions_expires` on `expires_at` + #### `required_documents` Defines which document types are mandatory per vendor. 
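Review bot: In the `users`/`sessions` hunk, `session_id VARCHAR(255) UNIQUE | Session token (stored in cookie)` does not say how the token is generated; state that it comes from a CSPRNG (Node's `crypto.randomBytes`) with at least 128 bits of entropy, since possession of this value is the whole credential. Two gaps follow from the schema: `idx_sessions_expires` suggests expired rows are purged, but no cleanup is described, and `is_active` on `users` only helps if the auth middleware checks it on every request (or deactivation deletes that user's `sessions` rows); otherwise a deactivated user keeps access until the 24-hour expiry.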
@@ -872,36 +1163,53 @@ cve-dashboard/ β”œβ”€β”€ backend/ β”‚ β”œβ”€β”€ server.js # Express API server β”‚ β”œβ”€β”€ setup.js # Database initialization script -β”‚ β”œβ”€β”€ cve_database.db # SQLite database file -β”‚ β”œβ”€β”€ package.json # Backend dependencies -β”‚ └── backend.log # Backend log file (if using startup script) +β”‚ β”œβ”€β”€ setup-env.sh # Environment configuration script +β”‚ β”œβ”€β”€ .env # Environment variables (create with setup-env.sh) +β”‚ β”œβ”€β”€ cve_database.db # SQLite database file +β”‚ β”œβ”€β”€ package.json # Backend dependencies +β”‚ β”œβ”€β”€ middleware/ +β”‚ β”‚ └── auth.js # Authentication middleware +β”‚ β”œβ”€β”€ routes/ +β”‚ β”‚ β”œβ”€β”€ auth.js # Login/logout endpoints +β”‚ β”‚ └── users.js # User management endpoints +β”‚ └── backend.log # Backend log file (if using startup script) β”‚ β”œβ”€β”€ frontend/ β”‚ β”œβ”€β”€ public/ -β”‚ β”‚ └── index.html # Main HTML (includes Tailwind CDN) +β”‚ β”‚ └── index.html # Main HTML (includes Tailwind CDN) β”‚ β”œβ”€β”€ src/ -β”‚ β”‚ β”œβ”€β”€ App.js # Main React component -β”‚ β”‚ β”œβ”€β”€ index.js # React entry point -β”‚ β”‚ └── index.css # Global styles -β”‚ β”œβ”€β”€ package.json # Frontend dependencies -β”‚ └── frontend.log # Frontend log file (if using startup script) +β”‚ β”‚ β”œβ”€β”€ App.js # Main React component +β”‚ β”‚ β”œβ”€β”€ index.js # React entry point +β”‚ β”‚ β”œβ”€β”€ index.css # Global styles +β”‚ β”‚ β”œβ”€β”€ components/ +β”‚ β”‚ β”‚ β”œβ”€β”€ LoginForm.js # Login page component +β”‚ β”‚ β”‚ β”œβ”€β”€ UserMenu.js # User dropdown menu +β”‚ β”‚ β”‚ └── UserManagement.js # Admin user management +β”‚ β”‚ └── contexts/ +β”‚ β”‚ └── AuthContext.js # Authentication state management +β”‚ β”œβ”€β”€ .env # Environment variables (create with setup-env.sh) +β”‚ β”œβ”€β”€ package.json # Frontend dependencies +β”‚ └── frontend.log # Frontend log file (if using startup script) β”‚ -β”œβ”€β”€ uploads/ # File storage (auto-created) -β”‚ β”œβ”€β”€ temp/ # Temporary upload 
directory +β”œβ”€β”€ uploads/ # File storage (auto-created) +β”‚ β”œβ”€β”€ temp/ # Temporary upload directory β”‚ β”œβ”€β”€ CVE-2024-1234/ -β”‚ β”‚ └── Microsoft/ -β”‚ β”‚ β”œβ”€β”€ 1706140800000-advisory.pdf -β”‚ β”‚ └── 1706140850000-email.pdf +β”‚ β”‚ β”œβ”€β”€ Microsoft/ # Vendor-specific folder +β”‚ β”‚ β”‚ β”œβ”€β”€ 1706140800000-advisory.pdf +β”‚ β”‚ β”‚ └── 1706140850000-email.pdf +β”‚ β”‚ └── Cisco/ # Same CVE, different vendor +β”‚ β”‚ └── 1706140900000-advisory.pdf β”‚ └── CVE-2024-5678/ -β”‚ └── Cisco/ +β”‚ └── Oracle/ β”‚ └── 1706140900000-advisory.pdf β”‚ -β”œβ”€β”€ .gitignore # Git ignore rules -β”œβ”€β”€ README.md # This file -β”œβ”€β”€ start-servers.sh # Startup script -β”œβ”€β”€ stop-servers.sh # Shutdown script -β”œβ”€β”€ backend.pid # Backend process ID (when running) -└── frontend.pid # Frontend process ID (when running) +β”œβ”€β”€ .gitignore # Git ignore rules +β”œβ”€β”€ README.md # This file +β”œβ”€β”€ test_cases_auth.md # Authentication test cases +β”œβ”€β”€ start-servers.sh # Startup script +β”œβ”€β”€ stop-servers.sh # Shutdown script +β”œβ”€β”€ backend.pid # Backend process ID (when running) +└── frontend.pid # Frontend process ID (when running) ``` ### File Naming Convention @@ -1104,8 +1412,10 @@ chmod -R 777 /home/cve-dashboard/uploads ## πŸ—ΊοΈ Roadmap -### Version 1.1 (Next Release) -- [ ] **User Authentication**: Login system with user roles +### Version 1.1 (Current Release) βœ… +- [x] **User Authentication**: Login system with user roles (admin, editor, viewer) +- [x] **Multi-Vendor Support**: Same CVE can be tracked across multiple vendors +- [x] **Environment Configuration**: .env files replace hardcoded IPs - [ ] **Audit Logging**: Track who added/modified CVEs - [ ] **Email Notifications**: Alert when new CVEs are added - [ ] **Export to Excel**: Download CVE list as spreadsheet 
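Review bot: In the Project Structure hunk, `backend/.env` and `frontend/.env` are listed with `create with setup-env.sh`, but `.gitignore` is described only as `Git ignore rules`; confirm and state that both files are ignored, since `backend/.env` holds `SESSION_SECRET`. `uploads/temp/` is still listed as `Temporary upload directory` even though the setup hunk earlier in this patch no longer creates it, so either restore it in setup.js or remove it here.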
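Review bot: The Roadmap hunk marks 1.1 as current with `Audit Logging: Track who added/modified CVEs` still unchecked; now that every request carries a session, recording the acting user on `cves` and `documents` rows is a small step toward it and worth calling out as the next item. The hunk's header context, `chmod -R 777 /home/cve-dashboard/uploads`, also deserves a fix in the same pass: with uploads now role-gated, a world-writable directory lets any local process add or replace the documents the roles are meant to protect; own it by the service user with `750` instead.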
@@ -1232,16 +1542,16 @@ Vulnerability Management Team This software is proprietary and confidential. Unauthorized copying, distribution, or use of this software, via any medium, is strictly prohibited. -Copyright Β© 2024 Charter Communications. All rights reserved. +Copyright Β© 2024-2026 Charter Communications. All rights reserved. --- ## πŸ“Š Project Statistics -- **Version**: 1.0.0 -- **Released**: January 2024 -- **Lines of Code**: ~1,500 -- **Dependencies**: 12 +- **Version**: 1.1.0 +- **Released**: January 2026 +- **Lines of Code**: ~2,500 +- **Dependencies**: 15 - **Supported Browsers**: Chrome, Edge, Firefox, Safari --- 
@@ -1273,6 +1583,40 @@ Copyright Β© 2024 Charter Communications. All rights reserved. ## πŸ“ Changelog +### [1.1.0] - 2026-01-29 + +#### Added +- **User Authentication**: Complete login system with session-based auth + - Three user roles: admin, editor, viewer + - Default admin account (admin/admin123) + - Session persistence with secure cookies + - Password hashing with bcryptjs +- **User Management**: Admin interface for managing users + - Create, edit, deactivate users + - Role assignment + - Password reset capability +- **Multi-Vendor Support**: Track same CVE across multiple vendors + - UNIQUE constraint on (cve_id, vendor) instead of just cve_id + - Per-vendor document storage + - Quick Check shows all vendors for a CVE + - New API endpoint: GET /api/cves/:cveId/vendors +- **Environment Configuration**: Replaced hardcoded IPs + - setup-env.sh script for easy configuration + - .env files for both frontend and backend + - Auto-detection of server IP address + +#### Changed +- All API endpoints now require authentication +- Document deletion restricted to admin role +- CVE creation/editing restricted to editor and admin roles +- stop-servers.sh improved with better process killing +- Browser tab title changed from "ReactApp" to "Dashboard" +- Document storage now organized by CVE ID AND vendor + +#### Fixed +- Dynamic hostname detection now works via environment variables +- Multiple vendors can now have entries for the same CVE + ### [1.0.0] - 2024-01-26 #### Added 
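Review bot: In the Changelog hunk, `All API endpoints now require authentication` needs a caveat: `/api/auth/login` is excepted, as the API section says, and the frontend uses `REACT_APP_API_HOST` as the `Base URL for file downloads`, which is outside `/api`; state whether `uploads/` is served through the authenticated app or as static files, because in the latter case the documents the roles protect are reachable by URL without a session. Under Added, `Session persistence with secure cookies` and `Password reset capability` are not specified anywhere else in the README (no cookie flags, no reset step or endpoint); either document them or drop the claims.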
@@ -1288,9 +1632,9 @@ Copyright Β© 2024 Charter Communications. All rights reserved. - Document compliance tracking - Required document configuration per vendor -#### Known Issues -- Dynamic hostname detection not working (hardcoded IP as workaround) -- No user authentication (single-user system) +#### Known Issues (Resolved in 1.1.0) +- ~~Dynamic hostname detection not working (hardcoded IP as workaround)~~ Fixed +- ~~No user authentication (single-user system)~~ Fixed - Export functionality shows alert only (not implemented) ---