Updated README to reflect current changes and deployment

2026-01-29 10:43:06 -07:00
parent 1a6b51dea3
commit 792467930d

README.md

@@ -3,7 +3,7 @@
A comprehensive vulnerability management system designed for tracking CVE (Common Vulnerabilities and Exposures) remediation status and maintaining vendor documentation compliance.
![Charter Communications](https://img.shields.io/badge/Charter-Communications-0476D9)
![Version](https://img.shields.io/badge/version-1.0.0-blue)
![Version](https://img.shields.io/badge/version-1.1.0-blue)
![License](https://img.shields.io/badge/license-Internal-red)
---
@@ -51,16 +51,32 @@ This dashboard provides:
## ✨ Key Features
### 🔐 User Authentication & Roles
- **Secure login**: Session-based authentication with encrypted passwords
- **Role-based access control**: Three user roles with different permissions
- **Admin**: Full access including user management and document deletion
- **Editor**: Can add/edit CVEs and upload documents
- **Viewer**: Read-only access to CVEs and documents
- **User management**: Admins can create, edit, and deactivate users
- **Session persistence**: Stay logged in across browser sessions (24-hour expiry)
### 🔍 Quick CVE Status Check
- **Instant verification**: Enter any CVE ID and immediately see if it's been addressed
- **Document compliance**: Shows which documents are present (Advisory ✓, Email ○, Screenshot ○)
- **Multi-vendor display**: Shows all vendors associated with a CVE
- **Document compliance**: Shows which documents are present per vendor (Advisory ✓, Email ○, Screenshot ○)
- **Visual indicators**: Color-coded results (green = addressed, yellow = not found, red = missing required docs)
### 📂 Document Management
- **Upload documents**: PDF, images, Word docs, text files (up to 10MB)
- **Automatic organization**: Files stored as `uploads/CVE-2024-1234/Microsoft/advisory.pdf`
- **Per-vendor storage**: Each vendor's documents are organized separately
- **Document types**: Advisory, Email, Screenshot, Patch, Other
- **View & Delete**: Direct links to view documents, delete with confirmation
- **View & Delete**: Direct links to view documents, admin-only deletion
### 🏢 Multi-Vendor Support
- **Same CVE, multiple vendors**: Track a single CVE across different vendors (e.g., CVE-2024-1234 for both Microsoft and Cisco)
- **Vendor-specific tracking**: Each vendor entry has its own status, documents, and compliance
- **Flexible organization**: Documents organized by CVE ID and vendor
### 🔎 Search & Filter
- **Search by CVE ID or description**: Find vulnerabilities quickly
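Review bot: "Session-based authentication with encrypted passwords" on the Secure login bullet is inaccurate: the dependency list in this same commit adds bcryptjs and the `users` table stores a `password_hash`, so passwords are hashed, not encrypted (there is no key that would decrypt them, which is the point). Suggest "Session-based authentication with bcrypt-hashed passwords". The Session persistence bullet should also say what ends a session apart from the 24-hour expiry (logout, account deactivation), since the role model described in this section depends on it.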
@@ -72,6 +88,7 @@ This dashboard provides:
- **Document status badges**: "✓ Docs Complete" or "⚠ Incomplete"
- **Required documents**: Advisory (mandatory), Email (optional), Screenshot (optional)
- **Vendor-specific requirements**: Customizable per vendor
- **Per-vendor compliance**: Track documentation status for each vendor separately
### 🎨 Charter/Spectrum Branding
- **Corporate colors**: Charter Blue (#0476D9) throughout
@@ -90,12 +107,15 @@ This dashboard provides:
│ │ Frontend │ │ Backend API │ │
│ │ │ HTTP │ │ │
│ │ React + │◄───────►│ Express.js │ │
│ │ Tailwind │ :3001 │ │ │
│ │ │ │ ┌─────────────────┐ │ │
│ │ Port: 3000 │ │ │ SQLite DB │ │ │
│ └──────────────┘ │ │ - cves │ │ │
│ │ Tailwind │ :3001 │ + Auth Middleware │ │
│ │ │ │ │ │
│ │ Port: 3000 │ │ ┌─────────────────┐ │ │
│ └──────────────┘ │ │ SQLite DB │ │ │
│ │ │ - cves │ │ │
│ │ │ - documents │ │ │
│ │ │ - required_docs│ │ │
│ │ │ - users │ │ │
│ │ │ - sessions │ │ │
│ │ └─────────────────┘ │ │
│ └──────────────────────┘ │
│ │ │
@@ -105,9 +125,10 @@ This dashboard provides:
│ │ │ │
│ │ uploads/ │ │
│ │ └─ CVE-2024-1234/ │ │
│ │ ─ Microsoft/ │ │
│ │ ─ advisory.pdf│ │
│ │ └─ email.pdf │ │
│ │ ─ Microsoft/ │ │
│ │ ─ advisory.pdf│ │
│ │ └─ Cisco/ │ │
│ │ └─ advisory.pdf│ │
│ └──────────────────────┘ │
└─────────────────────────────────────────────────────────┘
```
@@ -119,6 +140,7 @@ This dashboard provides:
- Tailwind CSS (via CDN)
- Lucide React (icons)
- Fetch API
- Context API (AuthContext)
**Backend:**
- Node.js v18+
@@ -126,6 +148,9 @@ This dashboard provides:
- SQLite3
- Multer (file uploads)
- CORS
- bcryptjs (password hashing)
- cookie-parser (session management)
- dotenv (environment configuration)
**Database:**
- SQLite (development/production)
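Review bot: "cookie-parser (session management)" overstates what that package does: cookie-parser only parses the `Cookie` header; the session state itself lives in the new `sessions` table. Suggest "cookie-parser (reads the session cookie)" and list the server-side session store (SQLite `sessions` table) separately, so a reader does not assume an express-session style signed-cookie session.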
@@ -168,6 +193,9 @@ Expected packages:
- sqlite3
- multer
- cors
- bcryptjs
- cookie-parser
- dotenv
### 3. Install Frontend Dependencies
```bash
@@ -189,35 +217,64 @@ node setup.js
This will:
- ✅ Create `cve_database.db`
- ✅ Create tables: `cves`, `documents`, `required_documents`
- ✅ Create tables: `cves`, `documents`, `required_documents`, `users`, `sessions`
- ✅ Set up multi-vendor support with UNIQUE(cve_id, vendor) constraint
- ✅ Create indexes for fast queries
- ✅ Create `cve_document_status` view
- ✅ Create `uploads/` and `uploads/temp/` directories
- ✅ Create `uploads/` directory
- ✅ Insert default required documents for major vendors
- ✅ Create default admin user (admin/admin123)
Expected output:
```
🚀 CVE Database Setup
🚀 CVE Database Setup (Multi-Vendor Support)
════════════════════════════════════════
✓ Created uploads directory
✓ Uploads directory already exists
✓ Database initialized successfully
Database connection closed
Created default admin user (admin/admin123)
📝 Adding sample CVE data for testing...
✓ Added sample: CVE-2024-SAMPLE-1 / Microsoft
✓ Added sample: CVE-2024-SAMPLE-1 / Cisco
Sample data added - demonstrates multi-vendor support
╔════════════════════════════════════════════════════════╗
║ CVE DATABASE SETUP COMPLETE! ║
╚════════════════════════════════════════════════════════╝
```
### 5. Configure Server IP
### 5. Configure Environment Variables
Edit `frontend/src/App.js` and update the API URL (line 5):
```javascript
const API_BASE = 'http://YOUR_SERVER_IP:3001/api';
Run the environment setup script to configure server IP addresses:
```bash
cd backend
chmod +x setup-env.sh
./setup-env.sh
```
Example:
```javascript
const API_BASE = 'http://192.168.2.117:3001/api';
The script will:
- Auto-detect your server's IP address
- Create `backend/.env` with CORS and API settings
- Create `frontend/.env` with API base URL
**Manual Configuration (Alternative):**
Create `backend/.env`:
```bash
# Backend Configuration
PORT=3001
API_HOST=YOUR_SERVER_IP
CORS_ORIGINS=http://YOUR_SERVER_IP:3000
SESSION_SECRET=your-secure-secret-key
```
Create `frontend/.env`:
```bash
# Frontend Configuration
REACT_APP_API_BASE=http://YOUR_SERVER_IP:3001/api
REACT_APP_API_HOST=http://YOUR_SERVER_IP:3001
```
### 6. Add Tailwind CSS to Frontend
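Review bot: This setup step publishes a default credential, "Create default admin user (admin/admin123)", and the only mitigation anywhere in the diff is a later reminder to change it. Prefer having setup.js generate a random initial password and print it once, or refuse to serve requests while the default is still set. The same applies to `SESSION_SECRET=your-secure-secret-key`: setup-env.sh already auto-detects the IP, so it should also fill the secret with a random value rather than a placeholder that a copy-paste deployment will keep. Two smaller points in the same hunk: the bullet list now says setup creates only `uploads/`, while the project structure later in this commit still shows `uploads/temp/`; and both `.env` examples use plain `http://`, so the session cookie travels unencrypted unless the README states that TLS is terminated in front of the app.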
@@ -292,12 +349,12 @@ chmod +x stop-servers.sh
### Backend Configuration
**CORS Settings** (`backend/server.js`):
```javascript
app.use(cors({
origin: ['http://localhost:3000', 'http://192.168.2.117:3000'],
credentials: true
}));
**Environment Variables** (`backend/.env`):
```bash
PORT=3001 # API server port
API_HOST=192.168.2.117 # Server IP address
CORS_ORIGINS=http://192.168.2.117:3000 # Allowed frontend origins (comma-separated)
SESSION_SECRET=your-secure-secret # Session encryption key
```
**File Upload Limits** (`backend/server.js`):
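Review bot: `SESSION_SECRET` is described as "Session encryption key", but nothing in this diff encrypts sessions: the `sessions` table stores a `session_id` that is sent in the cookie. Document what the secret actually does, whether it is passed to cookie-parser to sign the cookie or is currently unused, so operators know whether rotating it logs everyone out. Also, `CORS_ORIGINS` replaces an `origin` list that was used with `credentials: true`; the comment should say that a wildcard is not accepted in that mode and that each entry must be an exact `scheme://host:port` match, otherwise the browser will drop the cookie on cross-origin calls from :3000 to :3001.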
@@ -308,16 +365,12 @@ const upload = multer({
});
```
**Port Configuration** (`backend/server.js`):
```javascript
const PORT = 3001;
```
### Frontend Configuration
**API Base URL** (`frontend/src/App.js`):
```javascript
const API_BASE = 'http://192.168.2.117:3001/api';
**Environment Variables** (`frontend/.env`):
```bash
REACT_APP_API_BASE=http://192.168.2.117:3001/api # API endpoint with /api path
REACT_APP_API_HOST=http://192.168.2.117:3001 # Base URL for file downloads
```
**Severity Levels** (`frontend/src/App.js`):
@@ -372,8 +425,36 @@ cd /home/cve-dashboard
- Frontend: `http://YOUR_SERVER_IP:3000`
- Backend API: `http://YOUR_SERVER_IP:3001`
### Logging In
1. Navigate to `http://YOUR_SERVER_IP:3000`
2. You'll see the login page
3. Enter credentials:
- **Default admin**: username `admin`, password `admin123`
4. Click **"Sign In"**
5. You'll be redirected to the dashboard
**First-Time Setup:**
- After initial setup, change the default admin password
- Create additional users based on their roles:
- **Viewers**: Read-only access (security auditors, stakeholders)
- **Editors**: Can add/edit CVEs and upload documents (analysts)
- **Admins**: Full access including user management (team leads)
### User Management (Admin Only)
1. Click on your username in the top right
2. Select **"User Management"**
3. From here you can:
- View all users and their roles
- Create new users
- Edit user roles and status
- Deactivate users (soft delete)
### Adding a New CVE
**Required Role:** Editor or Admin
1. Click the **"+ Add New CVE"** button (top right)
2. Fill in the form:
- **CVE ID**: e.g., `CVE-2024-1234`
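Review bot: "After initial setup, change the default admin password" gives no way to do it: the User Management steps list view, create, edit roles and status, and deactivate, and the API section documents `PUT /api/users/:id` without a request body. State explicitly whether an admin can set a password through `PUT /api/users/:id`, whether a non-admin can change their own, and the JSON body for each, since this is the only step that retires the published `admin/admin123` credential.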
@@ -384,25 +465,31 @@ cd /home/cve-dashboard
3. Click **"Add CVE"**
4. CVE appears in the dashboard immediately
**Multi-Vendor Note:** You can add the same CVE ID multiple times with different vendors. For example, CVE-2024-1234 can exist for both Microsoft and Cisco with separate tracking.
### Uploading Documents
**Required Role:** Editor or Admin
1. Find the CVE in the list
2. Click **"View Documents"** to expand
3. Click **"Upload New Document"**
4. Select your file (PDF, PNG, JPG, TXT, DOC, DOCX)
5. When prompted, specify:
- **Vendor**: Select the vendor this document applies to
- **Document type**: advisory, email, screenshot, patch, other
- **Notes** (optional): Description or context
6. File uploads and organizes automatically
**File Organization Example:**
**File Organization Example (Multi-Vendor):**
```
uploads/
└── CVE-2024-1234/
── Microsoft/
├── 1706140800000-MS-Security-Advisory.pdf
── 1706140850000-Vendor-Email.pdf
└── 1706140900000-Patch-Screenshot.png
── Microsoft/
├── 1706140800000-MS-Security-Advisory.pdf
── 1706140850000-Vendor-Email.pdf
└── Cisco/
└── 1706140900000-Cisco-Advisory.pdf
```
### Using Quick Check
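Review bot: The file organization example shows the vendor string becoming a directory name (`uploads/CVE-2024-1234/Microsoft/`), and the upload endpoint later in this diff says the vendor "determines storage folder". The README should state how `vendor` and the CVE ID are validated before being used as path components (for example an allow-list of letters, digits, space, dot, underscore and hyphen, with no path separators or `..`), since both are free text in the Add CVE form. A one-line note under this example, repeated in the upload endpoint section, would cover it.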
@@ -412,16 +499,21 @@ uploads/
1. Enter `CVE-2024-5678` in the **Quick Check** box
2. Click **"Check Status"**
**Result A - Already Addressed:**
**Result A - Already Addressed (Multi-Vendor):**
```
✓ CVE Addressed
Vendor: Cisco
Severity: High
Status: Addressed
Documents: 2 attached
✓ Advisory ✓ Email ○ Screenshot
Ready for false positive request
Vendor: Microsoft
Severity: Critical | Status: Addressed
Documents: 3 attached
✓ Advisory ✓ Email ✓ Screenshot
Vendor: Cisco
Severity: High | Status: Open
Documents: 1 attached
✓ Advisory ○ Email ○ Screenshot
Ready for false positive request (Microsoft)
```
**Result B - Not Found:**
@@ -436,6 +528,7 @@ Action Required: Create entry and gather vendor documentation
**Result C - Incomplete:**
```
✓ CVE Addressed
Vendor: Oracle
Documents: 1 attached
✗ Advisory ○ Email ○ Screenshot
@@ -468,10 +561,10 @@ Missing required advisory - obtain before requesting false positive
3. Click **"View"** to open document in new tab
4. Select checkboxes to export multiple documents
### Deleting Documents
### Deleting Documents (Admin Only)
1. Expand documents for a CVE
2. Click red **"Delete"** button next to document
2. Click red **"Delete"** button next to document (only visible to admins)
3. Confirm deletion in popup
4. Document removed from database and filesystem
@@ -488,12 +581,107 @@ Missing required advisory - obtain before requesting false positive
Base URL: `http://YOUR_SERVER_IP:3001/api`
**Authentication Required:** All endpoints except `/api/auth/login` require authentication via session cookie.
### Authentication Endpoints
#### Login
```http
POST /api/auth/login
Content-Type: application/json
```
**Body:**
```json
{
"username": "admin",
"password": "admin123"
}
```
**Response:**
```json
{
"message": "Login successful",
"user": {
"id": 1,
"username": "admin",
"email": "admin@localhost",
"role": "admin"
}
}
```
Sets a session cookie (`session_id`) for subsequent requests.
#### Logout
```http
POST /api/auth/logout
```
**Response:**
```json
{
"message": "Logged out successfully"
}
```
#### Get Current User
```http
GET /api/auth/me
```
**Response:**
```json
{
"id": 1,
"username": "admin",
"email": "admin@localhost",
"role": "admin"
}
```
### User Management Endpoints (Admin Only)
#### Get All Users
```http
GET /api/users
```
#### Create User
```http
POST /api/users
Content-Type: application/json
```
**Body:**
```json
{
"username": "newuser",
"email": "user@example.com",
"password": "password123",
"role": "editor"
}
```
#### Update User
```http
PUT /api/users/:id
Content-Type: application/json
```
#### Delete User
```http
DELETE /api/users/:id
```
### CVE Endpoints
#### Get All CVEs
```http
GET /api/cves
```
**Required Role:** Any authenticated user
**Query Parameters:**
- `search` (optional): Search term for CVE ID or description
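Review bot: "Sets a session cookie (`session_id`)" should list the cookie attributes, because the whole role model rests on them: `HttpOnly` (the React code keeps auth state in the Context API and never needs to read the cookie), `SameSite=Lax` or `Strict` given the separate :3000 and :3001 origins, `Secure` when served over TLS, and a `Max-Age` matching the 24-hour expiry. Two more items for this block: say whether `POST /api/auth/logout` deletes the row from `sessions` (otherwise the token stays valid until `expires_at`), and reconcile `DELETE /api/users/:id` with the UI text "Deactivate users (soft delete)": a hard delete cascades through `sessions` and ends the user's logins, while a soft delete via `is_active` does not unless the middleware checks the flag on every request.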
@@ -502,7 +690,7 @@ GET /api/cves
**Example:**
```bash
curl "http://192.168.2.117:3001/api/cves?vendor=Microsoft&severity=Critical"
curl -b cookies.txt "http://192.168.2.117:3001/api/cves?vendor=Microsoft&severity=Critical"
```
**Response:**
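Review bot: Every example from here on uses `-b cookies.txt`, but nothing shows how that file is produced. Add one login call before the first authenticated example, e.g. `curl -c cookies.txt -X POST http://YOUR_SERVER_IP:3001/api/auth/login -H "Content-Type: application/json" -d '{"username":"admin","password":"admin123"}'`, so the walkthrough is reproducible. This hunk also keeps the hardcoded `192.168.2.117` that the changelog says was replaced by environment configuration; `YOUR_SERVER_IP`, as already used in the Base URL line above, would be consistent.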
@@ -528,33 +716,43 @@ curl "http://192.168.2.117:3001/api/cves?vendor=Microsoft&severity=Critical"
```http
GET /api/cves/check/:cveId
```
**Required Role:** Any authenticated user
**Example:**
```bash
curl "http://192.168.2.117:3001/api/cves/check/CVE-2024-1234"
curl -b cookies.txt "http://192.168.2.117:3001/api/cves/check/CVE-2024-1234"
```
**Response (Found):**
**Response (Found - Multi-Vendor):**
```json
{
"exists": true,
"cve": {
"cve_id": "CVE-2024-1234",
"vendor": "Microsoft",
"severity": "Critical",
"status": "Addressed",
"total_documents": 3,
"has_advisory": 1,
"has_email": 1,
"has_screenshot": 1
},
"vendors": [
{
"vendor": "Microsoft",
"severity": "Critical",
"status": "Addressed",
"total_documents": 3,
"compliance": {
"advisory": true,
"email": true,
"screenshot": true
}
},
{
"vendor": "Cisco",
"severity": "High",
"status": "Open",
"total_documents": 1,
"compliance": {
"advisory": true,
"email": false,
"screenshot": false
}
}
],
"addressed": true,
"has_required_docs": true,
"compliance": {
"advisory": true,
"email": true,
"screenshot": true
}
"has_required_docs": true
}
```
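Review bot: The top-level `"addressed": true` and `"has_required_docs": true` are returned while the Cisco entry in the same response is `"status": "Open"`, so these flags aggregate with "any vendor" semantics. State that explicitly (or rename them, e.g. `any_addressed`), and say whether `has_required_docs` means every vendor has its mandatory advisory or only one does; a false-positive request for a scanner finding on a Cisco device should not be satisfied by Microsoft's paperwork. The Quick Check text "Ready for false positive request (Microsoft)" suggests per-vendor is the intended reading, and the API should match it.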
@@ -566,11 +764,43 @@ curl "http://192.168.2.117:3001/api/cves/check/CVE-2024-1234"
}
```
#### Get Vendors for CVE
```http
GET /api/cves/:cveId/vendors
```
**Required Role:** Any authenticated user
**Example:**
```bash
curl -b cookies.txt "http://192.168.2.117:3001/api/cves/CVE-2024-1234/vendors"
```
**Response:**
```json
[
{
"vendor": "Microsoft",
"severity": "Critical",
"status": "Addressed",
"description": "Remote code execution vulnerability",
"published_date": "2024-01-15"
},
{
"vendor": "Cisco",
"severity": "High",
"status": "Open",
"description": "Remote code execution vulnerability",
"published_date": "2024-01-15"
}
]
```
#### Create CVE
```http
POST /api/cves
Content-Type: application/json
```
**Required Role:** Editor or Admin
**Body:**
```json
@@ -583,9 +813,11 @@ Content-Type: application/json
}
```
**Note:** The same CVE ID can be added multiple times with different vendors. The combination of (cve_id, vendor) must be unique.
**Example:**
```bash
curl -X POST http://192.168.2.117:3001/api/cves \
curl -b cookies.txt -X POST http://192.168.2.117:3001/api/cves \
-H "Content-Type: application/json" \
-d '{
"cve_id": "CVE-2024-1234",
@@ -601,7 +833,14 @@ curl -X POST http://192.168.2.117:3001/api/cves \
{
"id": 1,
"cve_id": "CVE-2024-1234",
"message": "CVE created successfully"
"message": "CVE created successfully for vendor: Microsoft"
}
```
**Error (Duplicate):**
```json
{
"error": "This CVE already exists for this vendor. Choose a different vendor or update the existing entry."
}
```
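Review bot: The duplicate error example omits the HTTP status. With `UNIQUE(cve_id, vendor)` now the key, document the code the API returns for this case (409 Conflict is the conventional choice) so clients can tell it from validation errors, and do the same for the authentication and role failures added in this commit (401 for no session, 403 for wrong role), since every endpoint now carries a "Required Role" line but none says what a denied request looks like.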
@@ -610,6 +849,7 @@ curl -X POST http://192.168.2.117:3001/api/cves \
PATCH /api/cves/:cveId/status
Content-Type: application/json
```
**Required Role:** Editor or Admin
**Body:**
```json
@@ -620,7 +860,7 @@ Content-Type: application/json
**Example:**
```bash
curl -X PATCH http://192.168.2.117:3001/api/cves/CVE-2024-1234/status \
curl -b cookies.txt -X PATCH http://192.168.2.117:3001/api/cves/CVE-2024-1234/status \
-H "Content-Type: application/json" \
-d '{"status": "False Positive Requested"}'
```
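Review bot: `PATCH /api/cves/:cveId/status` identifies the record by CVE ID only, but this commit makes `(cve_id, vendor)` the unique key, and the example body `-d '{"status": "False Positive Requested"}'` carries no vendor. Document which row is updated when CVE-2024-1234 exists for both Microsoft and Cisco (all of them, or the first match), or add a required `vendor` field to the body, as `GET /api/cves/:cveId/documents` already does with its `vendor` query parameter.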
@@ -631,10 +871,14 @@ curl -X PATCH http://192.168.2.117:3001/api/cves/CVE-2024-1234/status \
```http
GET /api/cves/:cveId/documents
```
**Required Role:** Any authenticated user
**Query Parameters:**
- `vendor` (optional): Filter documents by vendor
**Example:**
```bash
curl "http://192.168.2.117:3001/api/cves/CVE-2024-1234/documents"
curl -b cookies.txt "http://192.168.2.117:3001/api/cves/CVE-2024-1234/documents?vendor=Microsoft"
```
**Response:**
@@ -643,6 +887,7 @@ curl "http://192.168.2.117:3001/api/cves/CVE-2024-1234/documents"
{
"id": 1,
"cve_id": "CVE-2024-1234",
"vendor": "Microsoft",
"name": "MS-Security-Advisory.pdf",
"type": "advisory",
"file_path": "uploads/CVE-2024-1234/Microsoft/1706140800000-MS-Security-Advisory.pdf",
@@ -659,19 +904,18 @@ curl "http://192.168.2.117:3001/api/cves/CVE-2024-1234/documents"
POST /api/cves/:cveId/documents
Content-Type: multipart/form-data
```
**Required Role:** Editor or Admin
**Form Fields:**
- `file`: The file to upload
- `cveId`: CVE ID (e.g., CVE-2024-1234)
- `vendor`: Vendor name (e.g., Microsoft)
- `vendor`: Vendor name (required - determines storage folder)
- `type`: Document type (advisory, email, screenshot, patch, other)
- `notes` (optional): Description
**Example:**
```bash
curl -X POST http://192.168.2.117:3001/api/cves/CVE-2024-1234/documents \
curl -b cookies.txt -X POST http://192.168.2.117:3001/api/cves/CVE-2024-1234/documents \
-F "file=@/path/to/advisory.pdf" \
-F "cveId=CVE-2024-1234" \
-F "vendor=Microsoft" \
-F "type=advisory" \
-F "notes=Official security advisory"
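Review bot: The upload endpoint takes the CVE ID twice, in the path (`POST /api/cves/:cveId/documents`) and in the form field `cveId`, and the hunk does not say which one is authoritative; if they disagree the file could be stored and counted under a different CVE than the URL names. Either drop the form field or document that the server rejects a mismatch. Also state how the accepted types "PDF, PNG, JPG, TXT, DOC, DOCX" are enforced in the multer configuration (file extension, declared MIME type, or content inspection), because the Document Management section promises the restriction without saying where it is checked.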
@@ -694,10 +938,11 @@ curl -X POST http://192.168.2.117:3001/api/cves/CVE-2024-1234/documents \
```http
DELETE /api/documents/:id
```
**Required Role:** Admin only
**Example:**
```bash
curl -X DELETE http://192.168.2.117:3001/api/documents/1
curl -b cookies.txt -X DELETE http://192.168.2.117:3001/api/documents/1
```
**Response:**
@@ -713,10 +958,11 @@ curl -X DELETE http://192.168.2.117:3001/api/documents/1
```http
GET /api/vendors
```
**Required Role:** Any authenticated user
**Example:**
```bash
curl "http://192.168.2.117:3001/api/vendors"
curl -b cookies.txt "http://192.168.2.117:3001/api/vendors"
```
**Response:**
@@ -728,10 +974,11 @@ curl "http://192.168.2.117:3001/api/vendors"
```http
GET /api/stats
```
**Required Role:** Any authenticated user
**Example:**
```bash
curl "http://192.168.2.117:3001/api/stats"
curl -b cookies.txt "http://192.168.2.117:3001/api/stats"
```
**Response:**
@@ -757,7 +1004,7 @@ Stores CVE metadata and remediation status.
| Column | Type | Description |
|--------|------|-------------|
| id | INTEGER PRIMARY KEY | Auto-incrementing ID |
| cve_id | VARCHAR(20) UNIQUE | CVE identifier (e.g., CVE-2024-1234) |
| cve_id | VARCHAR(20) | CVE identifier (e.g., CVE-2024-1234) |
| vendor | VARCHAR(100) | Vendor name |
| severity | VARCHAR(20) | Critical, High, Medium, Low |
| description | TEXT | Vulnerability description |
@@ -766,6 +1013,8 @@ Stores CVE metadata and remediation status.
| created_at | TIMESTAMP | Record creation timestamp |
| updated_at | TIMESTAMP | Last update timestamp |
**Unique Constraint:** `UNIQUE(cve_id, vendor)` - Allows same CVE with different vendors
**Indexes:**
- `idx_cve_id` on `cve_id`
- `idx_vendor` on `vendor`
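Review bot: Now that users are a first-class table, the `cves` schema still records only `created_at` and `updated_at` with no `created_by` or `updated_by` column. Adding those two integer columns referencing `users.id` in this same migration is cheap and gives the "Audit Logging" roadmap item its foundation; without them the new role checks cannot answer who changed a status to "False Positive Requested".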
@@ -778,7 +1027,8 @@ Stores document metadata and file locations.
| Column | Type | Description |
|--------|------|-------------|
| id | INTEGER PRIMARY KEY | Auto-incrementing ID |
| cve_id | VARCHAR(20) | Foreign key to cves.cve_id |
| cve_id | VARCHAR(20) | CVE identifier |
| vendor | VARCHAR(100) | Vendor name (for per-vendor organization) |
| name | VARCHAR(255) | Original filename |
| type | VARCHAR(50) | advisory, email, screenshot, patch, other |
| file_path | VARCHAR(500) | Path to file on filesystem |
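Review bot: `cve_id` in `documents` changed from "Foreign key to cves.cve_id" to a plain "CVE identifier", so with the new `UNIQUE(cve_id, vendor)` key there is no referential link from a document to its CVE row at all. Either reference `cves.id` (as `sessions` already does for `users.id` with ON DELETE CASCADE) or declare a composite foreign key on `(cve_id, vendor)`; otherwise deleting or renaming a vendor entry leaves orphan document rows and files that the `cve_document_status` view will keep counting.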
@@ -791,8 +1041,49 @@ Stores document metadata and file locations.
**Indexes:**
- `idx_doc_cve_id` on `cve_id`
- `idx_doc_vendor` on `vendor`
- `idx_doc_type` on `type`
#### `users`
Stores user accounts for authentication.
| Column | Type | Description |
|--------|------|-------------|
| id | INTEGER PRIMARY KEY | Auto-incrementing ID |
| username | VARCHAR(50) UNIQUE | Login username |
| email | VARCHAR(255) UNIQUE | User email address |
| password_hash | VARCHAR(255) | bcrypt hashed password |
| role | VARCHAR(20) | admin, editor, or viewer |
| is_active | BOOLEAN | Account active status (1=active, 0=disabled) |
| created_at | TIMESTAMP | Account creation timestamp |
| last_login | TIMESTAMP | Last successful login |
**Roles:**
- `admin` - Full access: manage users, delete documents, all CVE operations
- `editor` - Can add/edit CVEs, upload documents
- `viewer` - Read-only access to CVEs and documents
**Indexes:**
- `idx_users_username` on `username`
#### `sessions`
Stores active user sessions.
| Column | Type | Description |
|--------|------|-------------|
| id | INTEGER PRIMARY KEY | Auto-incrementing ID |
| session_id | VARCHAR(255) UNIQUE | Session token (stored in cookie) |
| user_id | INTEGER | Foreign key to users.id |
| expires_at | TIMESTAMP | Session expiration time |
| created_at | TIMESTAMP | Session creation timestamp |
**Foreign Key:** `user_id``users(id)` ON DELETE CASCADE
**Indexes:**
- `idx_sessions_session_id` on `session_id`
- `idx_sessions_user_id` on `user_id`
- `idx_sessions_expires` on `expires_at`
#### `required_documents`
Defines which document types are mandatory per vendor.
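Review bot: The `users.is_active` column only protects anything if the auth middleware checks it on every request and deactivation deletes the user's rows in `sessions`; as documented, a deactivated editor keeps a valid `session_id` for up to 24 hours. Add that behaviour to the `sessions` description, together with how `session_id` is generated (byte length and CSPRNG source) and whether expired rows are purged, since `idx_sessions_expires` suggests a cleanup job that is never mentioned. Consider storing a hash of the token rather than the token itself, so that a read of `cve_database.db` does not hand out live sessions.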
@@ -872,36 +1163,53 @@ cve-dashboard/
├── backend/
│ ├── server.js # Express API server
│ ├── setup.js # Database initialization script
│ ├── cve_database.db # SQLite database file
│ ├── package.json # Backend dependencies
── backend.log # Backend log file (if using startup script)
│ ├── setup-env.sh # Environment configuration script
│ ├── .env # Environment variables (create with setup-env.sh)
── cve_database.db # SQLite database file
│ ├── package.json # Backend dependencies
│ ├── middleware/
│ │ └── auth.js # Authentication middleware
│ ├── routes/
│ │ ├── auth.js # Login/logout endpoints
│ │ └── users.js # User management endpoints
│ └── backend.log # Backend log file (if using startup script)
├── frontend/
│ ├── public/
│ │ └── index.html # Main HTML (includes Tailwind CDN)
│ │ └── index.html # Main HTML (includes Tailwind CDN)
│ ├── src/
│ │ ├── App.js # Main React component
│ │ ├── index.js # React entry point
│ │ ── index.css # Global styles
│ ├── package.json # Frontend dependencies
└── frontend.log # Frontend log file (if using startup script)
│ │ ├── App.js # Main React component
│ │ ├── index.js # React entry point
│ │ ── index.css # Global styles
│ ├── components/
├── LoginForm.js # Login page component
│ │ │ ├── UserMenu.js # User dropdown menu
│ │ │ └── UserManagement.js # Admin user management
│ │ └── contexts/
│ │ └── AuthContext.js # Authentication state management
│ ├── .env # Environment variables (create with setup-env.sh)
│ ├── package.json # Frontend dependencies
│ └── frontend.log # Frontend log file (if using startup script)
├── uploads/ # File storage (auto-created)
│ ├── temp/ # Temporary upload directory
├── uploads/ # File storage (auto-created)
│ ├── temp/ # Temporary upload directory
│ ├── CVE-2024-1234/
│ │ ── Microsoft/
│ │ ├── 1706140800000-advisory.pdf
│ │ └── 1706140850000-email.pdf
│ │ ── Microsoft/ # Vendor-specific folder
│ │ ├── 1706140800000-advisory.pdf
│ │ └── 1706140850000-email.pdf
│ │ └── Cisco/ # Same CVE, different vendor
│ │ └── 1706140900000-advisory.pdf
│ └── CVE-2024-5678/
│ └── Cisco/
│ └── Oracle/
│ └── 1706140900000-advisory.pdf
├── .gitignore # Git ignore rules
├── README.md # This file
├── start-servers.sh # Startup script
├── stop-servers.sh # Shutdown script
├── backend.pid # Backend process ID (when running)
── frontend.pid # Frontend process ID (when running)
├── .gitignore # Git ignore rules
├── README.md # This file
├── test_cases_auth.md # Authentication test cases
├── start-servers.sh # Startup script
├── stop-servers.sh # Shutdown script
── backend.pid # Backend process ID (when running)
└── frontend.pid # Frontend process ID (when running)
```
### File Naming Convention
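Review bot: `.env` files now appear under both `backend/` and `frontend/`, one of them holding the real `SESSION_SECRET`, so the `.gitignore` entry drawn in this tree should be stated to cover `backend/.env`, `frontend/.env`, `cve_database.db` (which now holds password hashes and session tokens) and `uploads/`. Also `uploads/temp/` is still shown here although the setup section in this same commit replaces "Create `uploads/` and `uploads/temp/` directories" with `uploads/` only; one of the two is stale.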
@@ -1104,8 +1412,10 @@ chmod -R 777 /home/cve-dashboard/uploads
## 🗺️ Roadmap
### Version 1.1 (Next Release)
- [ ] **User Authentication**: Login system with user roles
### Version 1.1 (Current Release)
- [x] **User Authentication**: Login system with user roles (admin, editor, viewer)
- [x] **Multi-Vendor Support**: Same CVE can be tracked across multiple vendors
- [x] **Environment Configuration**: .env files replace hardcoded IPs
- [ ] **Audit Logging**: Track who added/modified CVEs
- [ ] **Email Notifications**: Alert when new CVEs are added
- [ ] **Export to Excel**: Download CVE list as spreadsheet
@@ -1232,16 +1542,16 @@ Vulnerability Management Team
This software is proprietary and confidential. Unauthorized copying, distribution, or use of this software, via any medium, is strictly prohibited.
Copyright © 2024 Charter Communications. All rights reserved.
Copyright © 2024-2026 Charter Communications. All rights reserved.
---
## 📊 Project Statistics
- **Version**: 1.0.0
- **Released**: January 2024
- **Lines of Code**: ~1,500
- **Dependencies**: 12
- **Version**: 1.1.0
- **Released**: January 2026
- **Lines of Code**: ~2,500
- **Dependencies**: 15
- **Supported Browsers**: Chrome, Edge, Firefox, Safari
---
@@ -1273,6 +1583,40 @@ Copyright © 2024 Charter Communications. All rights reserved.
## 📝 Changelog
### [1.1.0] - 2026-01-29
#### Added
- **User Authentication**: Complete login system with session-based auth
- Three user roles: admin, editor, viewer
- Default admin account (admin/admin123)
- Session persistence with secure cookies
- Password hashing with bcryptjs
- **User Management**: Admin interface for managing users
- Create, edit, deactivate users
- Role assignment
- Password reset capability
- **Multi-Vendor Support**: Track same CVE across multiple vendors
- UNIQUE constraint on (cve_id, vendor) instead of just cve_id
- Per-vendor document storage
- Quick Check shows all vendors for a CVE
- New API endpoint: GET /api/cves/:cveId/vendors
- **Environment Configuration**: Replaced hardcoded IPs
- setup-env.sh script for easy configuration
- .env files for both frontend and backend
- Auto-detection of server IP address
#### Changed
- All API endpoints now require authentication
- Document deletion restricted to admin role
- CVE creation/editing restricted to editor and admin roles
- stop-servers.sh improved with better process killing
- Browser tab title changed from "ReactApp" to "Dashboard"
- Document storage now organized by CVE ID AND vendor
#### Fixed
- Dynamic hostname detection now works via environment variables
- Multiple vendors can now have entries for the same CVE
### [1.0.0] - 2024-01-26
#### Added
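Review bot: "Password reset capability" and "Session persistence with secure cookies" are claimed here but documented nowhere else in the diff: the User Management section lists create, edit and deactivate only, and the login endpoint does not state the cookie flags. Either document the reset flow (endpoint, body, and who may call it) and the cookie attributes in the API section, or remove the claims from the changelog. Listing `admin/admin123` under "Added" also reads oddly; it belongs in a first-run note next to the instruction to rotate it.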
@@ -1288,9 +1632,9 @@ Copyright © 2024 Charter Communications. All rights reserved.
- Document compliance tracking
- Required document configuration per vendor
#### Known Issues
- Dynamic hostname detection not working (hardcoded IP as workaround)
- No user authentication (single-user system)
#### Known Issues (Resolved in 1.1.0)
- ~~Dynamic hostname detection not working (hardcoded IP as workaround)~~ Fixed
- ~~No user authentication (single-user system)~~ Fixed
- Export functionality shows alert only (not implemented)
---