Added NVD lookup features and optional NVD API key in .env file

backend/.env.example

@@ -2,3 +2,7 @@
 PORT=3001
 API_HOST=localhost
 CORS_ORIGINS=http://localhost:3000
+
+# NVD API Key (optional - increases rate limit from 5 to 50 requests per 30s)
+# Request one at https://nvd.nist.gov/developers/request-an-api-key
+NVD_API_KEY=

backend/routes/nvdLookup.js

@@ -0,0 +1,94 @@
+// NVD CVE Lookup Routes
+const express = require('express');
+
+const CVE_ID_PATTERN = /^CVE-\d{4}-\d{4,}$/;
+
+function createNvdLookupRouter(db, requireAuth) {
+    const router = express.Router();
+
+    // All routes require authentication
+    router.use(requireAuth(db));
+
+    // Lookup CVE details from NVD API 2.0
+    router.get('/lookup/:cveId', async (req, res) => {
+        const { cveId } = req.params;
+
+        if (!CVE_ID_PATTERN.test(cveId)) {
+            return res.status(400).json({ error: 'Invalid CVE ID format. Expected CVE-YYYY-NNNNN.' });
+        }
+
+        const url = `https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=${encodeURIComponent(cveId)}`;
+        const headers = {};
+        if (process.env.NVD_API_KEY) {
+            headers['apiKey'] = process.env.NVD_API_KEY;
+        }
+
+        try {
+            const response = await fetch(url, {
+                headers,
+                signal: AbortSignal.timeout(10000)
+            });
+
+            if (response.status === 404) {
+                return res.status(404).json({ error: 'CVE not found in NVD.' });
+            }
+
+            if (response.status === 429) {
+                return res.status(429).json({ error: 'NVD API rate limit exceeded. Try again later.' });
+            }
+
+            if (!response.ok) {
+                return res.status(502).json({ error: `NVD API returned status ${response.status}.` });
+            }
+
+            const data = await response.json();
+
+            if (!data.vulnerabilities || data.vulnerabilities.length === 0) {
+                return res.status(404).json({ error: 'CVE not found in NVD.' });
+            }
+
+            const vuln = data.vulnerabilities[0].cve;
+
+            // Extract English description
+            const descriptionEntry = vuln.descriptions?.find(d => d.lang === 'en');
+            const description = descriptionEntry ? descriptionEntry.value : '';
+
+            // Extract severity with cascade: CVSS v3.1 → v3.0 → v2.0
+            let severity = null;
+            const metrics = vuln.metrics || {};
+
+            if (metrics.cvssMetricV31 && metrics.cvssMetricV31.length > 0) {
+                severity = metrics.cvssMetricV31[0].cvssData?.baseSeverity;
+            } else if (metrics.cvssMetricV30 && metrics.cvssMetricV30.length > 0) {
+                severity = metrics.cvssMetricV30[0].cvssData?.baseSeverity;
+            } else if (metrics.cvssMetricV2 && metrics.cvssMetricV2.length > 0) {
+                severity = metrics.cvssMetricV2[0].baseSeverity;
+            }
+
+            // Map NVD severity strings to app levels
+            const severityMap = {
+                'CRITICAL': 'Critical',
+                'HIGH': 'High',
+                'MEDIUM': 'Medium',
+                'LOW': 'Low'
+            };
+            severity = severity ? (severityMap[severity.toUpperCase()] || 'Medium') : 'Medium';
+
+            // Extract published date (YYYY-MM-DD)
+            const publishedRaw = vuln.published;
+            const published_date = publishedRaw ? publishedRaw.split('T')[0] : '';
+
+            res.json({ description, severity, published_date });
+        } catch (err) {
+            if (err.name === 'TimeoutError' || err.name === 'AbortError') {
+                return res.status(504).json({ error: 'NVD API request timed out.' });
+            }
+            console.error('NVD lookup error:', err);
+            res.status(502).json({ error: 'Failed to reach NVD API.' });
+        }
+    });
+
+    return router;
+}
+
+module.exports = createNvdLookupRouter;

backend/server.js

@@ -17,6 +17,7 @@ const createAuthRouter = require('./routes/auth');
 const createUsersRouter = require('./routes/users');
 const createAuditLogRouter = require('./routes/auditLog');
 const logAudit = require('./helpers/auditLog');
+const createNvdLookupRouter = require('./routes/nvdLookup');
 
 const app = express();
 const PORT = process.env.PORT || 3001;
@@ -56,6 +57,9 @@ app.use('/api/users', createUsersRouter(db, requireAuth, requireRole, logAudit))
 // Audit log routes (admin only)
 app.use('/api/audit-logs', createAuditLogRouter(db, requireAuth, requireRole));
 
+// NVD lookup routes (authenticated users)
+app.use('/api/nvd', createNvdLookupRouter(db, requireAuth));
+
 // Simple storage - upload to temp directory first
 const storage = multer.diskStorage({
     destination: (req, file, cb) => {
@@ -125,6 +129,14 @@ app.get('/api/cves', requireAuth(db), (req, res) => {
     });
 });
 
+// Get distinct CVE IDs for NVD sync (authenticated users)
+app.get('/api/cves/distinct-ids', requireAuth(db), (req, res) => {
+    db.all('SELECT DISTINCT cve_id FROM cves ORDER BY cve_id', [], (err, rows) => {
+        if (err) return res.status(500).json({ error: err.message });
+        res.json(rows.map(r => r.cve_id));
+    });
+});
+
 // Check if CVE exists and get its status - UPDATED FOR MULTI-VENDOR (authenticated users)
 app.get('/api/cves/check/:cveId', requireAuth(db), (req, res) => {
     const { cveId } = req.params;
@@ -262,6 +274,73 @@ app.patch('/api/cves/:cveId/status', requireAuth(db), requireRole('editor', 'adm
     });
 });
 
+// Bulk sync CVE data from NVD (editor or admin)
+app.post('/api/cves/nvd-sync', requireAuth(db), requireRole('editor', 'admin'), (req, res) => {
+    const { updates } = req.body;
+    if (!Array.isArray(updates) || updates.length === 0) {
+        return res.status(400).json({ error: 'No updates provided' });
+    }
+
+    let updated = 0;
+    const errors = [];
+    let completed = 0;
+
+    db.serialize(() => {
+        updates.forEach((entry) => {
+            const fields = [];
+            const values = [];
+            if (entry.description !== null && entry.description !== undefined) {
+                fields.push('description = ?');
+                values.push(entry.description);
+            }
+            if (entry.severity !== null && entry.severity !== undefined) {
+                fields.push('severity = ?');
+                values.push(entry.severity);
+            }
+            if (entry.published_date !== null && entry.published_date !== undefined) {
+                fields.push('published_date = ?');
+                values.push(entry.published_date);
+            }
+            if (fields.length === 0) {
+                completed++;
+                if (completed === updates.length) sendResponse();
+                return;
+            }
+            fields.push('updated_at = CURRENT_TIMESTAMP');
+            values.push(entry.cve_id);
+
+            db.run(
+                `UPDATE cves SET ${fields.join(', ')} WHERE cve_id = ?`,
+                values,
+                function(err) {
+                    if (err) {
+                        errors.push({ cve_id: entry.cve_id, error: err.message });
+                    } else {
+                        updated += this.changes;
+                    }
+                    completed++;
+                    if (completed === updates.length) sendResponse();
+                }
+            );
+        });
+    });
+
+    function sendResponse() {
+        logAudit(db, {
+            userId: req.user.id,
+            username: req.user.username,
+            action: 'cve_nvd_sync',
+            entityType: 'cve',
+            entityId: null,
+            details: { count: updated, cve_ids: updates.map(u => u.cve_id) },
+            ipAddress: req.ip
+        });
+        const result = { message: 'NVD sync completed', updated };
+        if (errors.length > 0) result.errors = errors;
+        res.json(result);
+    }
+});
+
 // ========== DOCUMENT ENDPOINTS ==========
 
 // Get documents for a CVE - FILTER BY VENDOR (authenticated users)