jramos/cve-dashboard
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
400 Commits 19 Branches 4 Tags
v2.3.0
Commit Graph

8 Commits

Author SHA1 Message Date
Jordan Ramos
2656df94d3 feat: add multi-BU tenancy with per-user team scoping (Option B) 
- Add bu_teams column to users table (migration + fresh schema)
- Create shared KNOWN_TEAMS constant and validateTeams helper
- Expose user teams in auth middleware, login, and /me responses
- Add bu_teams CRUD to user management routes with audit logging
- Make Ivanti FINDINGS_FILTERS configurable via IVANTI_BU_FILTER env var
- Add query-time team filtering to GET /findings and /findings/counts
- Update AuthContext with teams helpers and admin scope toggle
- Create AdminScopeToggle component (My Teams / All BUs)
- Scope ReportingPage findings fetch by user teams
- Scope CompliancePage team selector by user teams
- Scope ExportsPage findings exports by user teams
- Add BU teams multi-select to UserManagement create/edit forms
- Display team badges in user list table
 2026-05-05 11:04:53 -06:00
Jordan Ramos
c8b3626ac5 feat: consolidate setup.js with complete v1.0.0 schema — all tables, indexes, triggers for fresh deployments 2026-05-01 20:13:52 +00:00
jramos
8a6a3485e9 security: address audit findings C-4 through M-8 
Critical:
- C-4: Add express-rate-limit to login (20 attempts/15min)
- C-5: Remove default credentials from LoginForm.js
- C-6: Add sandbox attribute to KB document iframe

High:
- H-2: Hard-fail on startup if SESSION_SECRET env var is missing
- H-6: Sanitize filenames in Content-Disposition headers
- H-7: Fix KB upload race condition — move file after DB insert succeeds
- H-8: Generate random admin password in setup.js instead of hardcoded
- H-9: Add rehype-sanitize to ReactMarkdown (requires npm install)

Medium:
- M-4: Fix loose equality (==) to strict (===) in users.js self-checks
- M-5: Add hostname format regex validation in compliance notes
- M-6: Fix vendor trim-before-validate in ivantiTodoQueue.js
- M-7: Sanitize original filename in compliance temp JSON
- M-8: Pull CSP frame-ancestors from CORS_ORIGINS env var

New dependencies needed:
- backend: express-rate-limit (npm install in root)
- frontend: rehype-sanitize (npm install in frontend/)
 2026-04-07 10:23:10 -06:00
jramos
1a578b23c1 Audit logging feature files 2026-01-29 15:10:29 -07:00
jramos
836a9f3774 completed test plan - pass, modified setup.js 2026-01-29 03:47:15 +00:00
jramos
da14c92d98 added required code changes, components, and packages for login feature 2026-01-28 14:36:33 -07:00
jramos
88c33cae04 Fix: Enable multi-vendor support for CVE entries 
- Changed CVEs table constraint from UNIQUE(cve_id) to UNIQUE(cve_id, vendor)
- Added vendor column to documents table for proper file organization
- Updated backend INSERT statements to include vendor field in both CVE and document creation
- Fixed document retrieval to filter by vendor
- Created corrected setup.js that includes multi-vendor support from initial setup
- Added migration scripts for existing databases

Resolves #1: Users can now add the same CVE-ID with multiple different vendors, each maintaining separate document storage organized as CVE-ID/Vendor/files
 2026-01-28 14:49:03 +00:00
jramos
80f32b0412 Initial commit: CVE Dashboard v1.0 2026-01-27 04:06:03 +00:00