Updated README to reflect current changes and deployment

2026-01-29 10:43:06 -07:00
parent 1a6b51dea3
commit 792467930d
1 changed files with 458 additions and 114 deletions
--- a/README.md
+++ b/README.md
@@ -3,7 +3,7 @@
 A comprehensive vulnerability management system designed for tracking CVE (Common Vulnerabilities and Exposures) remediation status and maintaining vendor documentation compliance.
 ![Charter Communications](https://img.shields.io/badge/Charter-Communications-0476D9)
-![Version](https://img.shields.io/badge/version-1.0.0-blue)
+![Version](https://img.shields.io/badge/version-1.1.0-blue)
 ![License](https://img.shields.io/badge/license-Internal-red)
 ---
@@ -51,16 +51,32 @@ This dashboard provides:
 ## ✨ Key Features
 ### 🔐 User Authentication & Roles
 - **Secure login**: Session-based authentication with encrypted passwords
 - **Role-based access control**: Three user roles with different permissions
  - **Admin**: Full access including user management and document deletion
  - **Editor**: Can add/edit CVEs and upload documents
  - **Viewer**: Read-only access to CVEs and documents
 - **User management**: Admins can create, edit, and deactivate users
 - **Session persistence**: Stay logged in across browser sessions (24-hour expiry)
 ### 🔍 Quick CVE Status Check
 - **Instant verification**: Enter any CVE ID and immediately see if it's been addressed
- **Document compliance**: Shows which documents are present (Advisory ✓, Email ○, Screenshot ○)
+- **Multi-vendor display**: Shows all vendors associated with a CVE
 - **Document compliance**: Shows which documents are present per vendor (Advisory ✓, Email ○, Screenshot ○)
 - **Visual indicators**: Color-coded results (green = addressed, yellow = not found, red = missing required docs)
 ### 📂 Document Management
 - **Upload documents**: PDF, images, Word docs, text files (up to 10MB)
 - **Automatic organization**: Files stored as `uploads/CVE-2024-1234/Microsoft/advisory.pdf`
 - **Per-vendor storage**: Each vendor's documents are organized separately
 - **Document types**: Advisory, Email, Screenshot, Patch, Other
- **View & Delete**: Direct links to view documents, delete with confirmation
+- **View & Delete**: Direct links to view documents, admin-only deletion
 ### 🏢 Multi-Vendor Support
 - **Same CVE, multiple vendors**: Track a single CVE across different vendors (e.g., CVE-2024-1234 for both Microsoft and Cisco)
 - **Vendor-specific tracking**: Each vendor entry has its own status, documents, and compliance
 - **Flexible organization**: Documents organized by CVE ID and vendor
 ### 🔎 Search & Filter
 - **Search by CVE ID or description**: Find vulnerabilities quickly
@@ -72,6 +88,7 @@ This dashboard provides:
 - **Document status badges**: "✓ Docs Complete" or "⚠ Incomplete"
 - **Required documents**: Advisory (mandatory), Email (optional), Screenshot (optional)
 - **Vendor-specific requirements**: Customizable per vendor
 - **Per-vendor compliance**: Track documentation status for each vendor separately
 ### 🎨 Charter/Spectrum Branding
 - **Corporate colors**: Charter Blue (#0476D9) throughout
@@ -90,12 +107,15 @@ This dashboard provides:
 │  │   Frontend   │         │      Backend API      │     │
 │  │              │  HTTP   │                       │     │
 │  │  React +     │◄───────►│  Express.js          │     │
-│  │  Tailwind    │  :3001  │                       │     │
+│  │  Tailwind    │  :3001  │  + Auth Middleware   │     │
-│  │              │         │  ┌─────────────────┐  │     │
+│  │              │         │                       │     │
-│  │  Port: 3000  │         │  │  SQLite DB      │  │     │
+│  │  Port: 3000  │         │  ┌─────────────────┐  │     │
-│  └──────────────┘         │  │  - cves         │  │     │
+│  └──────────────┘         │  │  SQLite DB      │  │     │
 │                           │  │  - cves         │  │     │
 │                           │  │  - documents    │  │     │
 │                           │  │  - required_docs│  │     │
 │                           │  │  - users        │  │     │
 │                           │  │  - sessions     │  │     │
 │                           │  └─────────────────┘  │     │
 │                           └──────────────────────┘     │
 │                                      │                  │
@@ -105,9 +125,10 @@ This dashboard provides:
 │                           │                       │     │
 │                           │  uploads/             │     │
 │                           │  └─ CVE-2024-1234/   │     │
-│                           │     └─ Microsoft/     │     │
+│                           │     ├─ Microsoft/     │     │
-│                           │        ├─ advisory.pdf│     │
+│                           │     │  └─ advisory.pdf│     │
-│                           │        └─ email.pdf   │     │
+│                           │     └─ Cisco/         │     │
 │                           │        └─ advisory.pdf│     │
 │                           └──────────────────────┘     │
 └─────────────────────────────────────────────────────────┘
 ```
@@ -119,6 +140,7 @@ This dashboard provides:
 - Tailwind CSS (via CDN)
 - Lucide React (icons)
 - Fetch API
 - Context API (AuthContext)
 **Backend:**
 - Node.js v18+
@@ -126,6 +148,9 @@ This dashboard provides:
 - SQLite3
 - Multer (file uploads)
 - CORS
 - bcryptjs (password hashing)
 - cookie-parser (session management)
 - dotenv (environment configuration)
 **Database:**
 - SQLite (development/production)
@@ -168,6 +193,9 @@ Expected packages:
 - sqlite3
 - multer
 - cors
 - bcryptjs
 - cookie-parser
 - dotenv
 ### 3. Install Frontend Dependencies
 ```bash
@@ -189,35 +217,64 @@ node setup.js
 This will:
 - ✅ Create `cve_database.db`
- ✅ Create tables: `cves`, `documents`, `required_documents`
+- ✅ Create tables: `cves`, `documents`, `required_documents`, `users`, `sessions`
 - ✅ Set up multi-vendor support with UNIQUE(cve_id, vendor) constraint
 - ✅ Create indexes for fast queries
 - ✅ Create `cve_document_status` view
- ✅ Create `uploads/` and `uploads/temp/` directories
+- ✅ Create `uploads/` directory
 - ✅ Insert default required documents for major vendors
 - ✅ Create default admin user (admin/admin123)
 Expected output:
 ```
-🚀 CVE Database Setup
+🚀 CVE Database Setup (Multi-Vendor Support)
 ════════════════════════════════════════
-✓ Created uploads directory
+
 ✓ Uploads directory already exists
 ✓ Database initialized successfully
-✓ Database connection closed
+✓ Created default admin user (admin/admin123)
 📝 Adding sample CVE data for testing...
   ✓ Added sample: CVE-2024-SAMPLE-1 / Microsoft
   ✓ Added sample: CVE-2024-SAMPLE-1 / Cisco
 ℹ️  Sample data added - demonstrates multi-vendor support
 ╔════════════════════════════════════════════════════════╗
 ║          CVE DATABASE SETUP COMPLETE!                  ║
 ╚════════════════════════════════════════════════════════╝
 ```
-### 5. Configure Server IP
+### 5. Configure Environment Variables
-Edit `frontend/src/App.js` and update the API URL (line 5):
+Run the environment setup script to configure server IP addresses:
-```javascript
+```bash
-const API_BASE = 'http://YOUR_SERVER_IP:3001/api';
+cd backend
 chmod +x setup-env.sh
 ./setup-env.sh
 ```
-Example:
+The script will:
-```javascript
+- Auto-detect your server's IP address
-const API_BASE = 'http://192.168.2.117:3001/api';
+- Create `backend/.env` with CORS and API settings
 - Create `frontend/.env` with API base URL
 **Manual Configuration (Alternative):**
 Create `backend/.env`:
 ```bash
 # Backend Configuration
 PORT=3001
 API_HOST=YOUR_SERVER_IP
 CORS_ORIGINS=http://YOUR_SERVER_IP:3000
 SESSION_SECRET=your-secure-secret-key
 ```
 Create `frontend/.env`:
 ```bash
 # Frontend Configuration
 REACT_APP_API_BASE=http://YOUR_SERVER_IP:3001/api
 REACT_APP_API_HOST=http://YOUR_SERVER_IP:3001
 ```
 ### 6. Add Tailwind CSS to Frontend
@@ -292,32 +349,28 @@ chmod +x stop-servers.sh
 ### Backend Configuration
-**CORS Settings** (`backend/server.js`):
+**Environment Variables** (`backend/.env`):
-```javascript
+```bash
-app.use(cors({
+PORT=3001                              # API server port
-  origin: ['http://localhost:3000', 'http://192.168.2.117:3000'],
+API_HOST=192.168.2.117                 # Server IP address
-  credentials: true
+CORS_ORIGINS=http://192.168.2.117:3000 # Allowed frontend origins (comma-separated)
-}));
+SESSION_SECRET=your-secure-secret      # Session encryption key
 ```
 **File Upload Limits** (`backend/server.js`):
 ```javascript
-const upload = multer({ 
+const upload = multer({
    storage: storage,
    limits: { fileSize: 10 * 1024 * 1024 } // 10MB limit
 });
 ```
 **Port Configuration** (`backend/server.js`):
 ```javascript
 const PORT = 3001;
 ```
 ### Frontend Configuration
-**API Base URL** (`frontend/src/App.js`):
+**Environment Variables** (`frontend/.env`):
-```javascript
+```bash
-const API_BASE = 'http://192.168.2.117:3001/api';
+REACT_APP_API_BASE=http://192.168.2.117:3001/api  # API endpoint with /api path
 REACT_APP_API_HOST=http://192.168.2.117:3001      # Base URL for file downloads
 ```
 **Severity Levels** (`frontend/src/App.js`):
@@ -372,8 +425,36 @@ cd /home/cve-dashboard
 - Frontend: `http://YOUR_SERVER_IP:3000`
 - Backend API: `http://YOUR_SERVER_IP:3001`
 ### Logging In
 1. Navigate to `http://YOUR_SERVER_IP:3000`
 2. You'll see the login page
 3. Enter credentials:
   - **Default admin**: username `admin`, password `admin123`
 4. Click **"Sign In"**
 5. You'll be redirected to the dashboard
 **First-Time Setup:**
 - After initial setup, change the default admin password
 - Create additional users based on their roles:
  - **Viewers**: Read-only access (security auditors, stakeholders)
  - **Editors**: Can add/edit CVEs and upload documents (analysts)
  - **Admins**: Full access including user management (team leads)
 ### User Management (Admin Only)
 1. Click on your username in the top right
 2. Select **"User Management"**
 3. From here you can:
   - View all users and their roles
   - Create new users
   - Edit user roles and status
   - Deactivate users (soft delete)
 ### Adding a New CVE
 **Required Role:** Editor or Admin
 1. Click the **"+ Add New CVE"** button (top right)
 2. Fill in the form:
   - **CVE ID**: e.g., `CVE-2024-1234`
@@ -384,25 +465,31 @@ cd /home/cve-dashboard
 3. Click **"Add CVE"**
 4. CVE appears in the dashboard immediately
 **Multi-Vendor Note:** You can add the same CVE ID multiple times with different vendors. For example, CVE-2024-1234 can exist for both Microsoft and Cisco with separate tracking.
 ### Uploading Documents
 **Required Role:** Editor or Admin
 1. Find the CVE in the list
 2. Click **"View Documents"** to expand
 3. Click **"Upload New Document"**
 4. Select your file (PDF, PNG, JPG, TXT, DOC, DOCX)
 5. When prompted, specify:
   - **Vendor**: Select the vendor this document applies to
   - **Document type**: advisory, email, screenshot, patch, other
   - **Notes** (optional): Description or context
 6. File uploads and organizes automatically
-**File Organization Example:**
+**File Organization Example (Multi-Vendor):**
 ```
 uploads/
 └── CVE-2024-1234/
-    └── Microsoft/
+    ├── Microsoft/
-        ├── 1706140800000-MS-Security-Advisory.pdf
+    │   ├── 1706140800000-MS-Security-Advisory.pdf
-        ├── 1706140850000-Vendor-Email.pdf
+    │   └── 1706140850000-Vendor-Email.pdf
-        └── 1706140900000-Patch-Screenshot.png
+    └── Cisco/
        └── 1706140900000-Cisco-Advisory.pdf
 ```
 ### Using Quick Check
@@ -412,16 +499,21 @@ uploads/
 1. Enter `CVE-2024-5678` in the **Quick Check** box
 2. Click **"Check Status"**
-**Result A - Already Addressed:**
+**Result A - Already Addressed (Multi-Vendor):**
 ```
 ✓ CVE Addressed
 Vendor: Cisco
 Severity: High
 Status: Addressed
 Documents: 2 attached
 ✓ Advisory ✓ Email ○ Screenshot
-Ready for false positive request
+Vendor: Microsoft
 Severity: Critical | Status: Addressed
 Documents: 3 attached
 ✓ Advisory ✓ Email ✓ Screenshot
 Vendor: Cisco
 Severity: High | Status: Open
 Documents: 1 attached
 ✓ Advisory ○ Email ○ Screenshot
 Ready for false positive request (Microsoft)
 ```
 **Result B - Not Found:**
@@ -436,6 +528,7 @@ Action Required: Create entry and gather vendor documentation
 **Result C - Incomplete:**
 ```
 ✓ CVE Addressed
 Vendor: Oracle
 Documents: 1 attached
 ✗ Advisory ○ Email ○ Screenshot
@@ -468,10 +561,10 @@ Missing required advisory - obtain before requesting false positive
 3. Click **"View"** to open document in new tab
 4. Select checkboxes to export multiple documents
-### Deleting Documents
+### Deleting Documents (Admin Only)
 1. Expand documents for a CVE
-2. Click red **"Delete"** button next to document
+2. Click red **"Delete"** button next to document (only visible to admins)
 3. Confirm deletion in popup
 4. Document removed from database and filesystem
@@ -488,12 +581,107 @@ Missing required advisory - obtain before requesting false positive
 Base URL: `http://YOUR_SERVER_IP:3001/api`
 **Authentication Required:** All endpoints except `/api/auth/login` require authentication via session cookie.
 ### Authentication Endpoints
 #### Login
 ```http
 POST /api/auth/login
 Content-Type: application/json
 ```
 **Body:**
 ```json
 {
  "username": "admin",
  "password": "admin123"
 }
 ```
 **Response:**
 ```json
 {
  "message": "Login successful",
  "user": {
    "id": 1,
    "username": "admin",
    "email": "admin@localhost",
    "role": "admin"
  }
 }
 ```
 Sets a session cookie (`session_id`) for subsequent requests.
 #### Logout
 ```http
 POST /api/auth/logout
 ```
 **Response:**
 ```json
 {
  "message": "Logged out successfully"
 }
 ```
 #### Get Current User
 ```http
 GET /api/auth/me
 ```
 **Response:**
 ```json
 {
  "id": 1,
  "username": "admin",
  "email": "admin@localhost",
  "role": "admin"
 }
 ```
 ### User Management Endpoints (Admin Only)
 #### Get All Users
 ```http
 GET /api/users
 ```
 #### Create User
 ```http
 POST /api/users
 Content-Type: application/json
 ```
 **Body:**
 ```json
 {
  "username": "newuser",
  "email": "user@example.com",
  "password": "password123",
  "role": "editor"
 }
 ```
 #### Update User
 ```http
 PUT /api/users/:id
 Content-Type: application/json
 ```
 #### Delete User
 ```http
 DELETE /api/users/:id
 ```
 ### CVE Endpoints
 #### Get All CVEs
 ```http
 GET /api/cves
 ```
 **Required Role:** Any authenticated user
 **Query Parameters:**
 - `search` (optional): Search term for CVE ID or description
@@ -502,7 +690,7 @@ GET /api/cves
 **Example:**
 ```bash
-curl "http://192.168.2.117:3001/api/cves?vendor=Microsoft&severity=Critical"
+curl -b cookies.txt "http://192.168.2.117:3001/api/cves?vendor=Microsoft&severity=Critical"
 ```
 **Response:**
@@ -528,33 +716,43 @@ curl "http://192.168.2.117:3001/api/cves?vendor=Microsoft&severity=Critical"
 ```http
 GET /api/cves/check/:cveId
 ```
 **Required Role:** Any authenticated user
 **Example:**
 ```bash
-curl "http://192.168.2.117:3001/api/cves/check/CVE-2024-1234"
+curl -b cookies.txt "http://192.168.2.117:3001/api/cves/check/CVE-2024-1234"
 ```
-**Response (Found):**
+**Response (Found - Multi-Vendor):**
 ```json
 {
  "exists": true,
-  "cve": {
+  "vendors": [
-    "cve_id": "CVE-2024-1234",
+    {
-    "vendor": "Microsoft",
+      "vendor": "Microsoft",
-    "severity": "Critical",
+      "severity": "Critical",
-    "status": "Addressed",
+      "status": "Addressed",
-    "total_documents": 3,
+      "total_documents": 3,
-    "has_advisory": 1,
+      "compliance": {
-    "has_email": 1,
+        "advisory": true,
-    "has_screenshot": 1
+        "email": true,
-  },
+        "screenshot": true
      }
    },
    {
      "vendor": "Cisco",
      "severity": "High",
      "status": "Open",
      "total_documents": 1,
      "compliance": {
        "advisory": true,
        "email": false,
        "screenshot": false
      }
    }
  ],
  "addressed": true,
-  "has_required_docs": true,
+  "has_required_docs": true
  "compliance": {
    "advisory": true,
    "email": true,
    "screenshot": true
  }
 }
 ```
@@ -566,11 +764,43 @@ curl "http://192.168.2.117:3001/api/cves/check/CVE-2024-1234"
 }
 ```
 #### Get Vendors for CVE
 ```http
 GET /api/cves/:cveId/vendors
 ```
 **Required Role:** Any authenticated user
 **Example:**
 ```bash
 curl -b cookies.txt "http://192.168.2.117:3001/api/cves/CVE-2024-1234/vendors"
 ```
 **Response:**
 ```json
 [
  {
    "vendor": "Microsoft",
    "severity": "Critical",
    "status": "Addressed",
    "description": "Remote code execution vulnerability",
    "published_date": "2024-01-15"
  },
  {
    "vendor": "Cisco",
    "severity": "High",
    "status": "Open",
    "description": "Remote code execution vulnerability",
    "published_date": "2024-01-15"
  }
 ]
 ```
 #### Create CVE
 ```http
 POST /api/cves
 Content-Type: application/json
 ```
 **Required Role:** Editor or Admin
 **Body:**
 ```json
@@ -583,9 +813,11 @@ Content-Type: application/json
 }
 ```
 **Note:** The same CVE ID can be added multiple times with different vendors. The combination of (cve_id, vendor) must be unique.
 **Example:**
 ```bash
-curl -X POST http://192.168.2.117:3001/api/cves \
+curl -b cookies.txt -X POST http://192.168.2.117:3001/api/cves \
  -H "Content-Type: application/json" \
  -d '{
    "cve_id": "CVE-2024-1234",
@@ -601,7 +833,14 @@ curl -X POST http://192.168.2.117:3001/api/cves \
 {
  "id": 1,
  "cve_id": "CVE-2024-1234",
-  "message": "CVE created successfully"
+  "message": "CVE created successfully for vendor: Microsoft"
 }
 ```
 **Error (Duplicate):**
 ```json
 {
  "error": "This CVE already exists for this vendor. Choose a different vendor or update the existing entry."
 }
 ```
@@ -610,6 +849,7 @@ curl -X POST http://192.168.2.117:3001/api/cves \
 PATCH /api/cves/:cveId/status
 Content-Type: application/json
 ```
 **Required Role:** Editor or Admin
 **Body:**
 ```json
@@ -620,7 +860,7 @@ Content-Type: application/json
 **Example:**
 ```bash
-curl -X PATCH http://192.168.2.117:3001/api/cves/CVE-2024-1234/status \
+curl -b cookies.txt -X PATCH http://192.168.2.117:3001/api/cves/CVE-2024-1234/status \
  -H "Content-Type: application/json" \
  -d '{"status": "False Positive Requested"}'
 ```
@@ -631,10 +871,14 @@ curl -X PATCH http://192.168.2.117:3001/api/cves/CVE-2024-1234/status \
 ```http
 GET /api/cves/:cveId/documents
 ```
 **Required Role:** Any authenticated user
 **Query Parameters:**
 - `vendor` (optional): Filter documents by vendor
 **Example:**
 ```bash
-curl "http://192.168.2.117:3001/api/cves/CVE-2024-1234/documents"
+curl -b cookies.txt "http://192.168.2.117:3001/api/cves/CVE-2024-1234/documents?vendor=Microsoft"
 ```
 **Response:**
@@ -643,6 +887,7 @@ curl "http://192.168.2.117:3001/api/cves/CVE-2024-1234/documents"
  {
    "id": 1,
    "cve_id": "CVE-2024-1234",
    "vendor": "Microsoft",
    "name": "MS-Security-Advisory.pdf",
    "type": "advisory",
    "file_path": "uploads/CVE-2024-1234/Microsoft/1706140800000-MS-Security-Advisory.pdf",
@@ -659,19 +904,18 @@ curl "http://192.168.2.117:3001/api/cves/CVE-2024-1234/documents"
 POST /api/cves/:cveId/documents
 Content-Type: multipart/form-data
 ```
 **Required Role:** Editor or Admin
 **Form Fields:**
 - `file`: The file to upload
- `cveId`: CVE ID (e.g., CVE-2024-1234)
+- `vendor`: Vendor name (required - determines storage folder)
 - `vendor`: Vendor name (e.g., Microsoft)
 - `type`: Document type (advisory, email, screenshot, patch, other)
 - `notes` (optional): Description
 **Example:**
 ```bash
-curl -X POST http://192.168.2.117:3001/api/cves/CVE-2024-1234/documents \
+curl -b cookies.txt -X POST http://192.168.2.117:3001/api/cves/CVE-2024-1234/documents \
  -F "file=@/path/to/advisory.pdf" \
  -F "cveId=CVE-2024-1234" \
  -F "vendor=Microsoft" \
  -F "type=advisory" \
  -F "notes=Official security advisory"
@@ -694,10 +938,11 @@ curl -X POST http://192.168.2.117:3001/api/cves/CVE-2024-1234/documents \
 ```http
 DELETE /api/documents/:id
 ```
 **Required Role:** Admin only
 **Example:**
 ```bash
-curl -X DELETE http://192.168.2.117:3001/api/documents/1
+curl -b cookies.txt -X DELETE http://192.168.2.117:3001/api/documents/1
 ```
 **Response:**
@@ -713,10 +958,11 @@ curl -X DELETE http://192.168.2.117:3001/api/documents/1
 ```http
 GET /api/vendors
 ```
 **Required Role:** Any authenticated user
 **Example:**
 ```bash
-curl "http://192.168.2.117:3001/api/vendors"
+curl -b cookies.txt "http://192.168.2.117:3001/api/vendors"
 ```
 **Response:**
@@ -728,10 +974,11 @@ curl "http://192.168.2.117:3001/api/vendors"
 ```http
 GET /api/stats
 ```
 **Required Role:** Any authenticated user
 **Example:**
 ```bash
-curl "http://192.168.2.117:3001/api/stats"
+curl -b cookies.txt "http://192.168.2.117:3001/api/stats"
 ```
 **Response:**
@@ -757,7 +1004,7 @@ Stores CVE metadata and remediation status.
 | Column | Type | Description |
 |--------|------|-------------|
 | id | INTEGER PRIMARY KEY | Auto-incrementing ID |
-| cve_id | VARCHAR(20) UNIQUE | CVE identifier (e.g., CVE-2024-1234) |
+| cve_id | VARCHAR(20) | CVE identifier (e.g., CVE-2024-1234) |
 | vendor | VARCHAR(100) | Vendor name |
 | severity | VARCHAR(20) | Critical, High, Medium, Low |
 | description | TEXT | Vulnerability description |
@@ -766,6 +1013,8 @@ Stores CVE metadata and remediation status.
 | created_at | TIMESTAMP | Record creation timestamp |
 | updated_at | TIMESTAMP | Last update timestamp |
 **Unique Constraint:** `UNIQUE(cve_id, vendor)` - Allows same CVE with different vendors
 **Indexes:**
 - `idx_cve_id` on `cve_id`
 - `idx_vendor` on `vendor`
@@ -778,7 +1027,8 @@ Stores document metadata and file locations.
 | Column | Type | Description |
 |--------|------|-------------|
 | id | INTEGER PRIMARY KEY | Auto-incrementing ID |
-| cve_id | VARCHAR(20) | Foreign key to cves.cve_id |
+| cve_id | VARCHAR(20) | CVE identifier |
 | vendor | VARCHAR(100) | Vendor name (for per-vendor organization) |
 | name | VARCHAR(255) | Original filename |
 | type | VARCHAR(50) | advisory, email, screenshot, patch, other |
 | file_path | VARCHAR(500) | Path to file on filesystem |
@@ -791,8 +1041,49 @@ Stores document metadata and file locations.
 **Indexes:**
 - `idx_doc_cve_id` on `cve_id`
 - `idx_doc_vendor` on `vendor`
 - `idx_doc_type` on `type`
 #### `users`
 Stores user accounts for authentication.
 | Column | Type | Description |
 |--------|------|-------------|
 | id | INTEGER PRIMARY KEY | Auto-incrementing ID |
 | username | VARCHAR(50) UNIQUE | Login username |
 | email | VARCHAR(255) UNIQUE | User email address |
 | password_hash | VARCHAR(255) | bcrypt hashed password |
 | role | VARCHAR(20) | admin, editor, or viewer |
 | is_active | BOOLEAN | Account active status (1=active, 0=disabled) |
 | created_at | TIMESTAMP | Account creation timestamp |
 | last_login | TIMESTAMP | Last successful login |
 **Roles:**
 - `admin` - Full access: manage users, delete documents, all CVE operations
 - `editor` - Can add/edit CVEs, upload documents
 - `viewer` - Read-only access to CVEs and documents
 **Indexes:**
 - `idx_users_username` on `username`
 #### `sessions`
 Stores active user sessions.
 | Column | Type | Description |
 |--------|------|-------------|
 | id | INTEGER PRIMARY KEY | Auto-incrementing ID |
 | session_id | VARCHAR(255) UNIQUE | Session token (stored in cookie) |
 | user_id | INTEGER | Foreign key to users.id |
 | expires_at | TIMESTAMP | Session expiration time |
 | created_at | TIMESTAMP | Session creation timestamp |
 **Foreign Key:** `user_id` → `users(id)` ON DELETE CASCADE
 **Indexes:**
 - `idx_sessions_session_id` on `session_id`
 - `idx_sessions_user_id` on `user_id`
 - `idx_sessions_expires` on `expires_at`
 #### `required_documents`
 Defines which document types are mandatory per vendor.
@@ -872,36 +1163,53 @@ cve-dashboard/
 ├── backend/
 │   ├── server.js                 # Express API server
 │   ├── setup.js                  # Database initialization script
-│   ├── cve_database.db          # SQLite database file
+│   ├── setup-env.sh              # Environment configuration script
-│   ├── package.json             # Backend dependencies
+│   ├── .env                      # Environment variables (create with setup-env.sh)
-│   └── backend.log              # Backend log file (if using startup script)
+│   ├── cve_database.db           # SQLite database file
 │   ├── package.json              # Backend dependencies
 │   ├── middleware/
 │   │   └── auth.js               # Authentication middleware
 │   ├── routes/
 │   │   ├── auth.js               # Login/logout endpoints
 │   │   └── users.js              # User management endpoints
 │   └── backend.log               # Backend log file (if using startup script)
 │
 ├── frontend/
 │   ├── public/
-│   │   └── index.html           # Main HTML (includes Tailwind CDN)
+│   │   └── index.html            # Main HTML (includes Tailwind CDN)
 │   ├── src/
-│   │   ├── App.js               # Main React component
+│   │   ├── App.js                # Main React component
-│   │   ├── index.js             # React entry point
+│   │   ├── index.js              # React entry point
-│   │   └── index.css            # Global styles
+│   │   ├── index.css             # Global styles
-│   ├── package.json             # Frontend dependencies
+│   │   ├── components/
-│   └── frontend.log             # Frontend log file (if using startup script)
+│   │   │   ├── LoginForm.js      # Login page component
 │   │   │   ├── UserMenu.js       # User dropdown menu
 │   │   │   └── UserManagement.js # Admin user management
 │   │   └── contexts/
 │   │       └── AuthContext.js    # Authentication state management
 │   ├── .env                      # Environment variables (create with setup-env.sh)
 │   ├── package.json              # Frontend dependencies
 │   └── frontend.log              # Frontend log file (if using startup script)
 │
-├── uploads/                      # File storage (auto-created)
+├── uploads/                       # File storage (auto-created)
-│   ├── temp/                    # Temporary upload directory
+│   ├── temp/                      # Temporary upload directory
 │   ├── CVE-2024-1234/
-│   │   └── Microsoft/
+│   │   ├── Microsoft/             # Vendor-specific folder
-│   │       ├── 1706140800000-advisory.pdf
+│   │   │   ├── 1706140800000-advisory.pdf
-│   │       └── 1706140850000-email.pdf
+│   │   │   └── 1706140850000-email.pdf
 │   │   └── Cisco/                 # Same CVE, different vendor
 │   │       └── 1706140900000-advisory.pdf
 │   └── CVE-2024-5678/
-│       └── Cisco/
+│       └── Oracle/
 │           └── 1706140900000-advisory.pdf
 │
-├── .gitignore                   # Git ignore rules
+├── .gitignore                    # Git ignore rules
-├── README.md                    # This file
+├── README.md                     # This file
-├── start-servers.sh             # Startup script
+├── test_cases_auth.md            # Authentication test cases
-├── stop-servers.sh              # Shutdown script
+├── start-servers.sh              # Startup script
-├── backend.pid                  # Backend process ID (when running)
+├── stop-servers.sh               # Shutdown script
-└── frontend.pid                 # Frontend process ID (when running)
+├── backend.pid                   # Backend process ID (when running)
 └── frontend.pid                  # Frontend process ID (when running)
 ```
 ### File Naming Convention
@@ -1104,8 +1412,10 @@ chmod -R 777 /home/cve-dashboard/uploads
 ## 🗺️ Roadmap
-### Version 1.1 (Next Release)
+### Version 1.1 (Current Release) ✅
- [ ] **User Authentication**: Login system with user roles
+- [x] **User Authentication**: Login system with user roles (admin, editor, viewer)
 - [x] **Multi-Vendor Support**: Same CVE can be tracked across multiple vendors
 - [x] **Environment Configuration**: .env files replace hardcoded IPs
 - [ ] **Audit Logging**: Track who added/modified CVEs
 - [ ] **Email Notifications**: Alert when new CVEs are added
 - [ ] **Export to Excel**: Download CVE list as spreadsheet
@@ -1232,16 +1542,16 @@ Vulnerability Management Team
 This software is proprietary and confidential. Unauthorized copying, distribution, or use of this software, via any medium, is strictly prohibited.
-Copyright © 2024 Charter Communications. All rights reserved.
+Copyright © 2024-2026 Charter Communications. All rights reserved.
 ---
 ## 📊 Project Statistics
- **Version**: 1.0.0
+- **Version**: 1.1.0
- **Released**: January 2024
+- **Released**: January 2026
- **Lines of Code**: ~1,500
+- **Lines of Code**: ~2,500
- **Dependencies**: 12
+- **Dependencies**: 15
 - **Supported Browsers**: Chrome, Edge, Firefox, Safari
 ---
@@ -1273,6 +1583,40 @@ Copyright © 2024 Charter Communications. All rights reserved.
 ## 📝 Changelog
 ### [1.1.0] - 2026-01-29
 #### Added
 - **User Authentication**: Complete login system with session-based auth
  - Three user roles: admin, editor, viewer
  - Default admin account (admin/admin123)
  - Session persistence with secure cookies
  - Password hashing with bcryptjs
 - **User Management**: Admin interface for managing users
  - Create, edit, deactivate users
  - Role assignment
  - Password reset capability
 - **Multi-Vendor Support**: Track same CVE across multiple vendors
  - UNIQUE constraint on (cve_id, vendor) instead of just cve_id
  - Per-vendor document storage
  - Quick Check shows all vendors for a CVE
  - New API endpoint: GET /api/cves/:cveId/vendors
 - **Environment Configuration**: Replaced hardcoded IPs
  - setup-env.sh script for easy configuration
  - .env files for both frontend and backend
  - Auto-detection of server IP address
 #### Changed
 - All API endpoints now require authentication
 - Document deletion restricted to admin role
 - CVE creation/editing restricted to editor and admin roles
 - stop-servers.sh improved with better process killing
 - Browser tab title changed from "ReactApp" to "Dashboard"
 - Document storage now organized by CVE ID AND vendor
 #### Fixed
 - Dynamic hostname detection now works via environment variables
 - Multiple vendors can now have entries for the same CVE
 ### [1.0.0] - 2024-01-26
 #### Added
@@ -1288,9 +1632,9 @@ Copyright © 2024 Charter Communications. All rights reserved.
 - Document compliance tracking
 - Required document configuration per vendor
-#### Known Issues
+#### Known Issues (Resolved in 1.1.0)
- Dynamic hostname detection not working (hardcoded IP as workaround)
+- ~~Dynamic hostname detection not working (hardcoded IP as workaround)~~ Fixed
- No user authentication (single-user system)
+- ~~No user authentication (single-user system)~~ Fixed
 - Export functionality shows alert only (not implemented)
 ---