From d0087ba9b721b023399189c34d731e9a10e4ab1b Mon Sep 17 00:00:00 2001 From: jramos Date: Wed, 1 Apr 2026 12:42:56 -0600 Subject: [PATCH] docs: remove all weekly reports references Weekly report feature was removed previously. Cleans up all remaining references from README, architecture diagram, and deletes WEEKLY_REPORT_FEATURE.md entirely. --- README.md | 42 +------- WEEKLY_REPORT_FEATURE.md | 211 --------------------------------------- architecture.excalidraw | 8 +- 3 files changed, 7 insertions(+), 254 deletions(-) delete mode 100644 WEEKLY_REPORT_FEATURE.md diff --git a/README.md b/README.md index 5fc5dbe..e5a3709 100644 --- a/README.md +++ b/README.md @@ -21,7 +21,6 @@ A self-hosted vulnerability management dashboard for the NTS-AEO-STEAM and NTS-A - [Knowledge Base](#knowledge-base) - [Exports](#exports) - [Archer Risk Acceptance Tickets](#archer-risk-acceptance-tickets) - - [Weekly Reports](#weekly-reports) - [User Management (Admin)](#user-management-admin) - [Audit Log (Admin)](#audit-log-admin) - [Scripts](#scripts) @@ -46,7 +45,6 @@ The application provides: - **Ivanti Queue** — personal staging list for batch-processing FP, Archer, and CARD workflows - **AEO Compliance page** — weekly xlsx upload, diff preview, per-team metric health cards, device-level violation tracking with notes history - Archer risk acceptance ticket tracking (EXC numbers) linked to CVE/vendor pairs -- Weekly vulnerability report upload and processing - A knowledge base for internal documentation and policies - Role-based access control with a full audit trail @@ -61,7 +59,7 @@ The application provides: | File uploads | Multer 2 | | Auth | bcryptjs, cookie-based sessions | | Frontend | React 19, lucide-react, xlsx | -| Compliance / report processing | Python 3, pandas, openpyxl | +| Compliance xlsx parsing | Python 3, pandas, openpyxl | | Bulk notes import | Python 3 (stdlib only) | --- 
@@ -70,7 +68,7 @@ The application provides: - Node.js 18 or later - npm -- Python 3 with `pandas` and `openpyxl` (required for compliance xlsx parsing and weekly report processing) +- Python 3 with `pandas` and `openpyxl` (required for compliance xlsx parsing) --- @@ -129,7 +127,6 @@ Apply all feature migrations in order: ```bash cd backend -node migrations/add_weekly_reports_table.js node migrations/add_knowledge_base_table.js node migrations/add_archer_tickets_table.js node migrations/add_ivanti_sync_table.js @@ -234,7 +231,7 @@ All routes require authentication. Three roles are supported: | Role | Permissions | |---|---| | `viewer` | Read-only: CVEs, documents, findings, reports, knowledge base, Archer tickets, compliance data | -| `editor` | All viewer permissions plus: create/update CVEs, upload documents, sync Ivanti findings, save notes and overrides, manage knowledge base, manage Archer tickets, upload weekly reports, upload compliance reports, manage Ivanti Queue | +| `editor` | All viewer permissions plus: create/update CVEs, upload documents, sync Ivanti findings, save notes and overrides, manage knowledge base, manage Archer tickets, upload compliance reports, manage Ivanti Queue | | `admin` | All editor permissions plus: delete documents, delete reports, manage users, view audit logs | Sessions expire after 24 hours. Session tokens are stored in `httpOnly` cookies. 
@@ -435,14 +432,6 @@ Track Archer exception tickets (EXC numbers) linked to specific CVE/vendor pairs --- -### Weekly Reports - -Editors and admins can upload weekly vulnerability reports as `.xlsx` files. The report is processed by `backend/scripts/split_cve_report.py` which splits rows where multiple CVE IDs are comma-separated in the `CVE ID` column into individual rows. - -Both the original and processed files can be downloaded from the weekly reports list. Admins can delete old report records and associated files. - ---- - ### User Management (Admin) - Create users with a role assignment @@ -475,14 +464,6 @@ Called automatically by the compliance upload flow. Parses the NTS_AEO xlsx repo --- -### `backend/scripts/split_cve_report.py` - -Called automatically by the weekly report upload flow. Splits multi-CVE rows in the uploaded Excel report into one row per CVE ID. Not intended to be run manually. - -**Dependencies:** `pandas>=2.0.0`, `openpyxl>=3.0.0` - ---- - ### `backend/scripts/import_notes_from_csv.py` Bulk-import notes into the findings cache from a CSV file. Useful for onboarding existing notes or migrating from a spreadsheet. @@ -605,15 +586,6 @@ All endpoints are prefixed with `/api`. All endpoints except `/api/auth/login` a | GET | `/api/compliance/notes/:hostname/:metricId` | viewer+ | Notes for a specific hostname/metric | | POST | `/api/compliance/notes` | editor+ | Add a note for a hostname/metric | -### Weekly Reports - -| Method | Path | Role | Description | -|---|---|---|---| -| POST | `/api/weekly-reports/upload` | editor+ | Upload and process a `.xlsx` vulnerability report | -| GET | `/api/weekly-reports` | viewer+ | List all uploaded reports | -| GET | `/api/weekly-reports/:id/download/:type` | viewer+ | Download `original` or `processed` file | -| DELETE | `/api/weekly-reports/:id` | admin | Delete a report record and its files | - ### Knowledge Base | Method | Path | Role | Description | 
@@ -673,7 +645,6 @@ cve-dashboard/ │ ├── cve_database.db # SQLite database (gitignored) │ ├── uploads/ # File storage root (gitignored) │ │ ├── // # CVE documents -│ │ ├── weekly_reports/ # Uploaded vulnerability reports │ │ ├── knowledge_base/ # Knowledge base documents │ │ └── temp/ # Temporary upload staging │ ├── routes/ @@ -681,7 +652,6 @@ cve-dashboard/ │ │ ├── users.js # User CRUD (admin) │ │ ├── auditLog.js # Audit log viewer (admin) │ │ ├── nvdLookup.js # NVD API proxy -│ │ ├── weeklyReports.js # Weekly report upload and management │ │ ├── knowledgeBase.js # Knowledge base document management │ │ ├── archerTickets.js # Archer EXC ticket CRUD │ │ ├── ivantiWorkflows.js # Ivanti workflow batch sync and cache @@ -692,9 +662,7 @@ cve-dashboard/ │ │ └── auth.js # requireAuth and requireRole middleware │ ├── helpers/ │ │ ├── auditLog.js # logAudit helper (fire-and-forget) -│ │ └── excelProcessor.js # Calls Python script for report processing │ ├── migrations/ -│ │ ├── add_weekly_reports_table.js │ │ ├── add_knowledge_base_table.js │ │ ├── add_archer_tickets_table.js │ │ ├── add_ivanti_sync_table.js @@ -705,7 +673,6 @@ cve-dashboard/ │ │ └── add_compliance_tables.js # AEO compliance tables │ └── scripts/ │ ├── parse_compliance_xlsx.py # Parses NTS_AEO xlsx compliance reports -│ ├── split_cve_report.py # Splits multi-CVE rows in weekly reports │ ├── import_notes_from_csv.py # Bulk-import finding notes from CSV │ └── requirements.txt # pandas, openpyxl │ @@ -754,8 +721,6 @@ cve-dashboard/ ### Feature tables (added by migrations) -**`weekly_reports`** — Metadata for uploaded vulnerability reports. Tracks original and processed file paths, row counts, uploader, and an `is_current` flag. - **`knowledge_base`** — Document library entries with title, slug, category, description, and file metadata. **`archer_tickets`** — Archer EXC exception tickets linked to CVE/vendor pairs. `UNIQUE(exc_number)`. 
@@ -835,7 +800,6 @@ Migrations are standalone Node.js scripts. Run them in the listed order on a fre ```bash cd backend -node migrations/add_weekly_reports_table.js node migrations/add_knowledge_base_table.js node migrations/add_archer_tickets_table.js node migrations/add_ivanti_sync_table.js diff --git a/WEEKLY_REPORT_FEATURE.md b/WEEKLY_REPORT_FEATURE.md deleted file mode 100644 index 43970c6..0000000 --- a/WEEKLY_REPORT_FEATURE.md +++ /dev/null 
@@ -1,211 +0,0 @@ -# Weekly Vulnerability Report Upload Feature - -## Overview - -A new feature has been added to the CVE Dashboard that allows users to upload their weekly vulnerability reports in Excel format (.xlsx) and automatically process them to split multiple CVE IDs into separate rows for easier filtering and analysis. - -## What Was Implemented - -### Backend Changes - -1. **Database Migration** (`backend/migrations/add_weekly_reports_table.js`) - - Created `weekly_reports` table to store report metadata - - Tracks upload date, file paths, row counts, and which report is current - - Indexed for fast queries - -2. **Excel Processor** (`backend/helpers/excelProcessor.js`) - - Executes Python script via Node.js child_process - - Parses row counts from Python output - - Handles errors, timeouts (30 seconds), and validation - -3. **API Routes** (`backend/routes/weeklyReports.js`) - - `POST /api/weekly-reports/upload` - Upload and process Excel file - - `GET /api/weekly-reports` - List all reports - - `GET /api/weekly-reports/:id/download/:type` - Download original or processed file - - `DELETE /api/weekly-reports/:id` - Delete report (admin only) - -4. **Python Script** (`backend/scripts/split_cve_report.py`) - - Moved from ~/Documents to backend/scripts - - Splits comma-separated CVE IDs into separate rows - - Duplicates device/IP data for each CVE - -### Frontend Changes - -1. **Weekly Report Modal** (`frontend/src/components/WeeklyReportModal.js`) - - Phase-based UI: idle → uploading → processing → success - - File upload with .xlsx validation - - Display existing reports with current report indicator (★) - - Download buttons for both original and processed files - -2. **App.js Integration** - - Added "Weekly Report" button next to NVD Sync button - - State management for modal visibility - - Modal rendering - -## How to Use - -### Starting the Application - -1. **Backend:** - ```bash - cd backend - node server.js - ``` - -2. 
**Frontend:** - ```bash - cd frontend - npm start - ``` - -### Using the Feature - -1. **Access the Feature** - - Login as an editor or admin user - - Look for the "Weekly Report" button in the top header (next to "NVD Sync") - -2. **Upload a Report** - - Click the "Weekly Report" button - - Click "Choose File" and select your .xlsx file - - Click "Upload & Process" - - Wait for processing to complete (usually 5-10 seconds) - -3. **Download Processed Report** - - After upload succeeds, you'll see row counts (e.g., "45 → 67 rows") - - Click "Download Processed" to get the split version - - The current week's report is marked with a ★ star icon - -4. **Access Previous Reports** - - All previous reports are listed below the upload section - - Click the download icons to get original or processed versions - - Reports are labeled as "This week's report", "Last week's report", or by date - -### What the Processing Does - -**Before Processing:** -| HOSTNAME | IP | CVE ID | -|----------|------------|---------------------------| -| server01 | 10.0.0.1 | CVE-2024-1234, CVE-2024-5678 | - -**After Processing:** -| HOSTNAME | IP | CVE ID | -|----------|------------|---------------------------| -| server01 | 10.0.0.1 | CVE-2024-1234 | -| server01 | 10.0.0.1 | CVE-2024-5678 | - -Each CVE now has its own row, making it easy to: -- Sort by CVE ID -- Filter for specific CVEs -- Research CVEs one by one per device - -## File Locations - -### New Files Created - -``` -backend/ - scripts/ - split_cve_report.py # Python script for CVE splitting - requirements.txt # Python dependencies - routes/ - weeklyReports.js # API endpoints - helpers/ - excelProcessor.js # Python integration - migrations/ - add_weekly_reports_table.js # Database migration - uploads/ - weekly_reports/ # Uploaded and processed files - -frontend/ - src/ - components/ - WeeklyReportModal.js # Upload modal UI -``` - -### Modified Files - -``` -backend/ - server.js # Added route mounting - -frontend/ - src/ - App.js # 
Added button and modal -``` - -## Security & Permissions - -- **Upload**: Requires editor or admin role -- **Download**: Any authenticated user -- **Delete**: Admin only -- **File Validation**: Only .xlsx files accepted, 10MB limit -- **Audit Logging**: All uploads, downloads, and deletions are logged - -## Troubleshooting - -### Backend Issues - -**Python not found:** -```bash -# Install Python 3 -sudo apt-get install python3 -``` - -**Missing dependencies:** -```bash -# Install pandas and openpyxl -pip3 install pandas openpyxl -``` - -**Port already in use:** -```bash -# Find and kill process using port 3001 -lsof -i :3001 -kill -9 -``` - -### Frontend Issues - -**Button not visible:** -- Make sure you're logged in as editor or admin -- Viewer role cannot upload reports - -**Upload fails:** -- Check file is .xlsx format (not .xls or .csv) -- Ensure file has "Vulnerabilities" sheet with "CVE ID" column -- Check file size is under 10MB - -**Processing timeout:** -- Large files (10,000+ rows) may timeout -- Try reducing file size or increase timeout in `excelProcessor.js` - -## Testing Checklist - -- [x] Backend starts without errors -- [x] Frontend compiles successfully -- [x] Database migration completed -- [x] Python dependencies installed -- [ ] Upload .xlsx file (manual test in browser) -- [ ] Verify processed file has split CVEs (manual test) -- [ ] Download original and processed files (manual test) -- [ ] Verify current report marked with star (manual test) -- [ ] Test as viewer - button should be hidden (manual test) - -## Future Enhancements - -Possible improvements: -- Progress bar during Python processing -- Email notifications when processing completes -- Scheduled automatic uploads -- Report comparison (diff between weeks) -- Export to other formats (CSV, JSON) -- Bulk delete old reports -- Report validation before upload - -## Support - -For issues or questions: -1. Check the troubleshooting section above -2. Review audit logs for error details -3. 
Check browser console for frontend errors
-4. Review backend server logs for API errors
diff --git a/architecture.excalidraw b/architecture.excalidraw
index 0589209..b3fa25f 100644
--- a/architecture.excalidraw
+++ b/architecture.excalidraw
@@ -251,14 +251,14 @@
 "updated": 1,
 "link": null,
 "locked": false,
- "text": "Backend API (Express.js)\nPort: 3001\n\nRoutes:\n• /api/auth - Authentication (login/logout)\n• /api/users - User management\n• /api/cves - CVE operations\n• /api/documents - Document upload/download\n• /api/audit-log - Audit logging\n• /api/nvd-lookup - NVD integration\n• /api/weekly-reports - Weekly reports",
+ "text": "Backend API (Express.js)\nPort: 3001\n\nRoutes:\n• /api/auth - Authentication (login/logout)\n• /api/users - User management\n• /api/cves - CVE operations\n• /api/documents - Document upload/download\n• /api/audit-log - Audit logging\n• /api/nvd-lookup - NVD integration",
 "fontSize": 14,
 "fontFamily": 1,
 "textAlign": "left",
 "verticalAlign": "middle",
 "baseline": 163,
 "containerId": "backend-box",
- "originalText": "Backend API (Express.js)\nPort: 3001\n\nRoutes:\n• /api/auth - Authentication (login/logout)\n• /api/users - User management\n• /api/cves - CVE operations\n• /api/documents - Document upload/download\n• /api/audit-log - Audit logging\n• /api/nvd-lookup - NVD integration\n• /api/weekly-reports - Weekly reports"
+ "originalText": "Backend API (Express.js)\nPort: 3001\n\nRoutes:\n• /api/auth - Authentication (login/logout)\n• /api/users - User management\n• /api/cves - CVE operations\n• /api/documents - Document upload/download\n• /api/audit-log - Audit logging\n• /api/nvd-lookup - NVD integration"
 },
 {
 "id": "db-box",
@@ -820,14 +820,14 @@
 "updated": 1,
 "link": null,
 "locked": false,
- "text": "Key Features:\n• Quick CVE status check\n• Multi-vendor support\n• Document management\n• Compliance tracking\n• Search & filter\n• Weekly report uploads\n• Audit logging",
+ "text": "Key Features:\n• Quick CVE status check\n• Multi-vendor support\n• Document management\n• Compliance tracking\n• Search & filter\n• Audit logging",
 "fontSize": 12,
 "fontFamily": 1,
 "textAlign": "left",
 "verticalAlign": "top",
 "baseline": 113,
 "containerId": null,
- "originalText": "Key Features:\n• Quick CVE status check\n• Multi-vendor support\n• Document management\n• Compliance tracking\n• Search & filter\n• Weekly report uploads\n• Audit logging"
+ "originalText": "Key Features:\n• Quick CVE status check\n• Multi-vendor support\n• Document management\n• Compliance tracking\n• Search & filter\n• Audit logging"
 }
 ],
 "appState": {