jramos/cve-dashboard
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: jramos:feature/compliance-time-charts
Branches Tags
jramos:master jramos:ops/records jramos:feature/redesign jramos:fix/jira-api-compliance jramos:feature/atlas-integration jramos:feature/multimetricselect jramos:feature/cve-tooltip jramos:feature/queuecards jramos:feature/compliance-time-charts jramos:feature/reporting-todo-queue jramos:feature/reporting-metrics-piechart jramos:feature/reporting-page jramos:feature/workflow jramos:enhancement/midpanel jramos:feature/archer jramos:enhancement/panel jramos:feature/weekly-report-upload jramos:feature/ivanti-report jramos:feature/nvd-lookup
jramos:v2.3.0 jramos:v2.2.0 jramos:v2.1.0 jramos:v1.0.0
...
compare: jramos:04360cc4bc547c6cb4ceffd921392fbbaf6be9cd
Branches Tags
jramos:master jramos:ops/records jramos:feature/redesign jramos:fix/jira-api-compliance jramos:feature/atlas-integration jramos:feature/multimetricselect jramos:feature/cve-tooltip jramos:feature/queuecards jramos:feature/compliance-time-charts jramos:feature/reporting-todo-queue jramos:feature/reporting-metrics-piechart jramos:feature/reporting-page jramos:feature/workflow jramos:enhancement/midpanel jramos:feature/archer jramos:enhancement/panel jramos:feature/weekly-report-upload jramos:feature/ivanti-report jramos:feature/nvd-lookup
jramos:v2.3.0 jramos:v2.2.0 jramos:v2.1.0 jramos:v1.0.0

153 Commits
feature/co ... 04360cc4bc

Author SHA1 Message Date
Jordan Ramos
04360cc4bc Add CCP Metrics page with multi-vertical VCL upload and cross-org reporting 
New feature: multi-file per-vertical compliance xlsx upload with scoped
resolution logic, executive-level aggregated reporting, and drill-down
by vertical and metric. Supports daily upload cadence and batch commit.

Backend:
- Migration: add vertical column to compliance_items/uploads, create
  vcl_multi_vertical_summary table
- New route module: routes/vclMultiVertical.js with preview, commit,
  stats, trend, metric drill-down, device list, and burndown endpoints
- New helpers: parseVerticalFilename(), computeVerticalBurndown()
- Vertical-scoped resolution: uploading one vertical never resolves
  items from other verticals

Frontend:
- CCPMetricsPage with stats bar, trend chart, donut, vertical table
- Drill-down: vertical -> metrics by category -> device list
- Per-vertical burndown forecast chart
- MultiVerticalUploadModal: multi-file drag-drop, batch preview, commit
- Nav entry: CCP Metrics (Building2 icon)

Docs:
- Design brief for stakeholder meeting (docs/vcl-multi-vertical-design-brief.md)
 2026-05-14 09:49:59 -06:00
Jordan Ramos
d61383ac7b Add VCL reporting guide, update reference manual and config wizard; untrack .kiro/steering/workflow.md 2026-05-14 08:15:42 -06:00
Jordan Ramos
808625dab4 Fix requeue: fallback to finding_ids_json when queue items are deleted or absent 
The requeue endpoint now handles three scenarios:
1. Original queue items still exist — uses their finding data (ideal case)
2. Queue items deleted (Clear Completed) — looks up findings from
   ivanti_findings table using finding_ids_json
3. FP created outside dashboard (no queue_item_ids) — same fallback
   to finding_ids_json and ivanti_findings lookup
4. Last resort — creates queue items with just finding IDs if the
   findings aren't in ivanti_findings either
 2026-05-13 16:57:57 -06:00
Jordan Ramos
0fefd2a707 Add re-queue findings from rejected FP submissions 
New feature: users can re-queue findings from a rejected FP submission
back into the Ivanti todo queue under a different workflow type (FP,
Archer, CARD, GRANITE, or DECOM). Primary use case is when an FP is
rejected with a recommendation to submit an Archer risk acceptance.

Backend:
- New migration: add requeued_at column to ivanti_fp_submissions
- New endpoint: POST /api/ivanti/fp-workflow/submissions/:id/requeue
  - Validates workflow_type and vendor (required for FP/Archer/DECOM)
  - Creates new pending queue items from original finding data
  - Marks submission as requeued (prevents double re-queue)
  - Audit logs the action

Frontend (ReportingPage.js):
- RequeueConfirmDialog component with workflow type selector and vendor input
- Re-queue Findings button in Edit FP Modal header (rejected submissions only)
- Already re-queued label when submission.requeued_at is set
- Success notification on completion
 2026-05-13 16:46:49 -06:00
Jordan Ramos
828e7cc45d Sync FP submission lifecycle_status from Ivanti currentState on fetch 
When GET /submissions enriches submissions with Ivanti API data, it now
checks if batch.currentState (APPROVED, REJECTED, REWORK) differs from
the local lifecycle_status and updates the DB accordingly. This ensures
approved submissions get filtered out of the queue panel as intended.

Also changed safeText() to return null for non-string Ivanti note values
(arrays/objects) instead of JSON-stringifying them. The notes array
filters nulls via .filter(Boolean) so non-string data is simply hidden.
 2026-05-13 14:36:05 -06:00
Jordan Ramos
5126ccc6ae Fix History tab crash: coerce Ivanti note fields to strings before rendering 
PostgreSQL + Ivanti API enrichment can return non-string values
(objects/arrays) for currentStateUserNotes and similar fields.
React crashes silently (blank page, no console error) when trying
to render non-string values as children. Same root cause pattern
as Bug 3 in ivanti-panel-bugs-2026-05-12.

Added safeText() wrapper that coerces any non-string truthy value
to a JSON string before rendering in the History tab notes section.

Also fixed flaky property test: fc.date() could generate invalid
dates causing RangeError on .toISOString(). Added .filter() guard
and explicit UTC date bounds.
 2026-05-13 14:24:16 -06:00
Jordan Ramos
870c0e247a Fix History tab crash: coerce Ivanti note fields to strings before rendering 
PostgreSQL + Ivanti API enrichment can return non-string values
(objects/arrays) for currentStateUserNotes and similar fields.
React crashes silently (blank page, no console error) when trying
to render non-string values as children. Same root cause pattern
as Bug 3 in ivanti-panel-bugs-2026-05-12.

Added safeText() wrapper that coerces any non-string truthy value
to a JSON string before rendering in the History tab notes section.
 2026-05-13 12:01:52 -06:00
Jordan Ramos
671894ff5f Fix vcl-compliance-reporting test: stats.total → stats.total_devices 2026-05-13 09:56:30 -06:00
Jordan Ramos
0c6830fc6c Add interactive configuration wizard for deployment setup 2026-05-13 09:40:45 -06:00
Jordan Ramos
9eec63ea42 Add VCL vertical metadata: inline-editable team fields, JSDoc on compliance routes, stats query rewrite 2026-05-13 07:57:41 -06:00
Jordan Ramos
0d29a1b84e Document IVANTI_MANAGED_BUS env var in .env.example, reference manual, and API docs 2026-05-13 07:56:03 -06:00
Jordan Ramos
4416f6a25d Make EXPECTED_BUS configurable via IVANTI_MANAGED_BUS env var for multi-tenant drift classification 2026-05-12 15:27:58 -06:00
Jordan Ramos
97d378033b Revert EXPECTED_BUS to STEAM+ACCESS-ENG: findings leaving managed teams are BU reassignments 2026-05-12 15:22:52 -06:00
Jordan Ramos
537cf96a0a Fix BU drift checker: derive EXPECTED_BUS from IVANTI_BU_FILTER env var instead of hardcoded 2 BUs 2026-05-12 15:18:44 -06:00
Jordan Ramos
f3d7f2ac1d Fix archive bar chart: fmtDate now handles ISO datetime strings from PostgreSQL date columns 2026-05-12 14:57:15 -06:00
Jordan Ramos
8c93e86fe0 Fix Ivanti panel bugs: Invalid Date, wrong workflow count, crash on archive click, BU scope filtering 2026-05-12 14:21:46 -06:00
Jordan Ramos
d093a3d113 Add VCL compliance reporting: exec report page, device metadata fields, bulk upload 2026-05-11 15:48:10 -06:00
Jordan Ramos
955036145d Fix property test CI failure: mock db module before importing route 2026-05-11 14:51:16 -06:00
Jordan Ramos
7245352496 Add FP submissions cleanup: auto-clear approved, dismiss rejected, collapsible section 2026-05-11 14:29:50 -06:00
Jordan Ramos
cda1eaadc9 Add DECOM workflow type, auto-note/hide on decom, show CVEs on CARD queue items, auto-run migrations in pipeline 
- Add DECOM to queue workflow types (red badge, inventory-style display)
- When findings are added as DECOM, auto-set note to 'DECOM' and hide row
- Hidden rows are excluded from donut charts (removes from pending count)
- Show CVEs on CARD/GRANITE/DECOM queue items (was previously omitted)
- Add backend/migrations/run-all.js for CI/CD auto-migration execution
- Pipeline now runs migrations before service restart on both staging and prod
- Add add_decom_workflow_type.js migration (updates CHECK constraint)
 2026-05-08 14:51:05 -06:00
Jordan Ramos
3cf0d6be3d Fix CI: install root deps in frontend test job for cross-directory backend imports 2026-05-08 13:55:15 -06:00
Jordan Ramos
cc652ba964 Fix CI: add npm ci to each job since runner cache is unreliable, use local jest binary 2026-05-08 13:35:50 -06:00
Jordan Ramos
f76996a161 Fix CI: add express/pg devDeps for atlas test, allow lint warnings, drop forceExit 2026-05-08 13:25:58 -06:00
Jordan Ramos
b870f47e67 Fix CI: allow 10 lint warnings for unused vars, drop --forceExit from frontend tests 2026-05-08 13:18:17 -06:00
Jordan Ramos
890d7b82dc Fix CI: exclude test files from lint, mock db.js in jira test for runner env 2026-05-08 13:11:06 -06:00
Jordan Ramos
1b0fc072cc Track package-lock.json files for deterministic CI installs 2026-05-08 13:05:20 -06:00
Jordan Ramos
3f00f4c941 Fix pipeline: remove verify-staging from deploy-production needs (manual gate is sufficient) 2026-05-08 13:02:12 -06:00
Jordan Ramos
eef324936d Fix pipeline: mark verify-staging as optional dependency for deploy-production 2026-05-08 12:57:39 -06:00
Jordan Ramos
de2c5f245e Add CI/CD pipeline, feedback modal, Atlas qualys_id fallback, and health endpoint 
- Rewrite .gitlab-ci.yml with proper stages, blocking tests, staging
  environment on dev box, and SSH-based production deploy to 71.85.90.6
- Add POST /api/health endpoint for pipeline verification
- Add POST /atlas/hosts/:hostId/refresh-cache for Atlas cache staleness
- AtlasSlideOutPanel: auto-resolve qualys_id from Atlas vulnerabilities,
  prefer qualys_id over active_host_findings_id, retry on failure
- Add FeedbackModal component with bug report button in header and
  feature request in UserMenu, creates GitLab issues via /api/feedback
- Fix all frontend test failures (ESM transforms, TextDecoder polyfill,
  fast-check resolution, App.test.js boilerplate replacement)
- Fix root package.json test script to run jest
- Add deploy/ directory with staging systemd service and setup script
 2026-05-08 12:50:11 -06:00
Jordan Ramos
86fdd084ac docs: update README and reference manual for PostgreSQL migration and systemd scripts 2026-05-08 09:17:38 -06:00
Jordan Ramos
f657351219 Switch start/stop scripts to use systemd services 2026-05-07 16:27:47 -06:00
Jordan Ramos
3db84a377b Fix null bu_teams in postgres migration, add retry logic to deploy script 2026-05-07 13:28:19 -06:00
Jordan Ramos
1b8790ff16 fix: add missing created_by column to archer_tickets table 2026-05-06 15:29:20 -06:00
Jordan Ramos
cf43e85c38 fix: scope FP workflow counts donut by BU 
- Rewrite /fp-workflow-counts endpoint to query ivanti_findings table
  directly with optional teams ILIKE filter (replaces pre-computed JSON blob)
- Frontend passes getActiveTeamsParam() to FP counts fetch
- FP counts refresh on scope toggle change alongside open/closed counts
- Both FP Finding Status and FP Workflow Status donuts now respect BU scope
 2026-05-06 15:19:34 -06:00
Jordan Ramos
6163be626e ops: add docker-compose.yml and deploy-postgres.sh for production cutover 
- docker-compose.yml: Postgres 16 Alpine on port 5433 with healthcheck
- scripts/deploy-postgres.sh: one-shot deployment script that handles
  container startup, schema creation, npm install, data migration, and
  frontend build
- Backup SQLite database as cve_database.db.pre-postgres-backup
 2026-05-06 15:07:06 -06:00
Jordan Ramos
573903a885 feat: per-BU trend lines in counts history chart 
- Create ivanti_counts_history_by_bu table (bu_ownership, state, count per sync)
- Sync writes per-BU snapshot alongside global history on each sync
- Seed table with current counts for immediate first data point
- GET /counts/history accepts ?teams param — queries per-BU table when filtered
- IvantiCountsChart accepts teamsParam prop, re-fetches on scope change
- ReportingPage passes getActiveTeamsParam() to the chart
- Historical per-BU data accumulates from this point forward
- Global history (no filter) still uses the original aggregate table
 2026-05-06 13:38:38 -06:00
Jordan Ramos
77f113e9ae fix: load dotenv in db.js so DATABASE_URL is available on import 2026-05-06 12:30:45 -06:00
Jordan Ramos
8cd73c126e feat(postgres): data migration + per-BU closed counts in frontend 
- Create backend/scripts/migrate-to-postgres.js (one-time SQLite→Postgres copy)
- Successfully migrated: 6 users, 21 CVEs, 6307 findings, 20965 compliance items,
  138 archives, 67 atlas plans, all notes/overrides merged
- All 22 tables verified with matching row counts
- Frontend StatusDonut now uses server-provided per-BU counts (no more N/A)
- Counts endpoint called with teams param on scope change
- Re-fetch counts when admin scope toggle changes
 2026-05-06 12:26:54 -06:00
Jordan Ramos
e30ad79f2a feat(postgres): rewrite Ivanti findings to individual rows 
- Replace 2.6MB JSON blob with individual rows in ivanti_findings table
- Batch upsert via INSERT ... ON CONFLICT in chunks of 100
- Sync stores both open AND closed findings as rows with state column
- Per-BU closed counts now possible via SQL GROUP BY
- GET /findings queries indexed table with optional ILIKE BU filter
- GET /counts returns per-BU open+closed via GROUP BY state
- Notes and overrides are columns on ivanti_findings (no separate tables)
- Removed: readState, readStateWithNotes, _findingsCache, initTables
- Preserved: extractFinding, archive detection, FP workflow counts, anomaly log
- Response shape unchanged — frontend works without modification
 2026-05-06 12:12:34 -06:00
Jordan Ramos
33927b150b feat(postgres): migrate all route files from SQLite to pg pool 
- All 16 route files now import pool from ../db directly
- Removed db parameter from all factory functions
- All callbacks replaced with async/await pool.query()
- All ? placeholders converted to $1, $2... numbered params
- datetime('now') → NOW(), INSERT OR IGNORE → ON CONFLICT DO NOTHING
- LIKE → ILIKE for case-insensitive searches
- Error detection: err.code === '23505' for unique violations
- server.js no longer passes pool/db/requireAuth to route factories
- Only ivantiFindings.js still receives pool (pending task 8 rewrite)
 2026-05-06 11:44:17 -06:00
Jordan Ramos
845d843e71 feat(postgres): infrastructure setup and schema creation (tasks 1-2) 
- Install pg (node-postgres) dependency
- Create backend/db.js connection pool module (max 10, auto-reconnect)
- Install Docker and spin up steam-postgres container on port 5433
- Create backend/db-schema.sql with complete Postgres DDL (24 tables)
- Replace findings_json blob with ivanti_findings table (individual rows)
- Merge notes/overrides into findings table columns
- Add proper indexes: state, bu_ownership, severity, composite
- Create backend/setup-postgres.js for idempotent schema initialization
- Add DATABASE_URL to .env and .env.example
- Update migration plan docs with Docker setup commands
- Verify: schema executes cleanly, pool connects, 24 tables created
 2026-05-05 15:47:09 -06:00
Jordan Ramos
5cdca09f40 docs: add Postgres migration plan and Kiro spec 
- docs/guides/postgres-migration-plan.md: full migration manual with
  phases, port allocation, rollback plan, and timeline
- .kiro/specs/postgres-migration/: requirements, design, and tasks
- Replaces findings_json blob with individual indexed rows
- Enables per-BU closed counts via SQL queries
- Uses existing Postgres instance (port 5432), new cve_dashboard DB
- Testing on port 3003, cutover to 3001 with 30s downtime
 2026-05-05 15:04:14 -06:00
Jordan Ramos
bd5fcccacf perf: client-side BU filtering for instant scope switching 
- Fetch ALL findings once on mount (no teams param to backend)
- Filter client-side via scopedFindings useMemo keyed on adminScope
- Eliminates 5-10s round-trip on every scope change
- Open vs Closed donut now uses scopedFindings.length for open count
- Closed count remains global (no per-BU closed data available)
- Action Coverage donut automatically scoped via visibleFindings chain
- Remove server-side teams param from counts fetch (client handles it)
 2026-05-05 12:08:01 -06:00
Jordan Ramos
df3173a720 feat: replace binary scope toggle with multi-select BU picker 
- Add IVANTI_BU_FILTER to .env with all four BUs (STEAM, ACCESS-ENG, ACCESS-OPS, INTELDEV)
- Rework AdminScopeToggle from binary (My Teams/All) to multi-select dropdown
- Admin can now pick any combination of BUs to view
- Presets: 'All BUs' and 'My Teams' for quick selection
- Individual team checkboxes for custom combinations
- Selection persisted in localStorage as JSON array
- AuthContext updated: adminScope is now an array of selected teams
- getActiveTeamsParam() returns comma-joined selected teams (empty = no filter)
- getAvailableTeams() returns selected teams for compliance selector
 2026-05-05 11:31:15 -06:00
Jordan Ramos
9b8ae6cd79 fix: move AdminScopeToggle from NavDrawer to main header bar 
Places the scope toggle next to the UserMenu avatar in the top-right
header area so it's always visible without opening the nav drawer.
 2026-05-05 11:21:59 -06:00
Jordan Ramos
2656df94d3 feat: add multi-BU tenancy with per-user team scoping (Option B) 
- Add bu_teams column to users table (migration + fresh schema)
- Create shared KNOWN_TEAMS constant and validateTeams helper
- Expose user teams in auth middleware, login, and /me responses
- Add bu_teams CRUD to user management routes with audit logging
- Make Ivanti FINDINGS_FILTERS configurable via IVANTI_BU_FILTER env var
- Add query-time team filtering to GET /findings and /findings/counts
- Update AuthContext with teams helpers and admin scope toggle
- Create AdminScopeToggle component (My Teams / All BUs)
- Scope ReportingPage findings fetch by user teams
- Scope CompliancePage team selector by user teams
- Scope ExportsPage findings exports by user teams
- Add BU teams multi-select to UserManagement create/edit forms
- Display team badges in user list table
 2026-05-05 11:04:53 -06:00
Jordan Ramos
af951fdc12 chore: remove .kiro specs, hooks, and steering from release — development tooling only 2026-05-01 21:28:59 +00:00
Jordan Ramos
7f7d3a2977 release: v1.0.0 — clean README, changelog, full reference manual, dead code removal, package metadata 2026-05-01 21:18:31 +00:00
Jordan Ramos
034d3963b9 chore: reorganize docs, document migrations, gitignore operational files for v1.0.0 release 2026-05-01 20:53:39 +00:00
Jordan Ramos
c8b3626ac5 feat: consolidate setup.js with complete v1.0.0 schema — all tables, indexes, triggers for fresh deployments 2026-05-01 20:13:52 +00:00
Jordan Ramos
8e377bb85f chore: enable GPG-signed commits for code provenance 2026-05-01 19:50:31 +00:00
root
5a9df2103f fix: aggregate anomaly data per day instead of taking latest — fixes missing returned bars when multiple syncs per day 2026-05-01 19:29:11 +00:00
root
bfa52c7f8f fix: reclassify BU reassignment round-trips and fix backfill date-ordering bug 2026-05-01 17:36:28 +00:00
root
3202b0707c feat: add backfill script for return classification on existing anomaly log rows 2026-05-01 17:27:49 +00:00
root
15abf8bae4 feat: add return classification for archive chart, CARD API integration, compliance charts, systemd services 2026-05-01 17:15:41 +00:00
jramos
8df961cce8 Merge pull request 'Switch Jira API calls to GET-based JQL search with project scoping' (#9) from fix/jira-api-compliance into master 
Reviewed-on: #9
 2026-04-29 08:16:44 -06:00
root
7a179f19a1 Switch Jira API calls to GET-based JQL search with project scoping 
- getIssue now uses GET /rest/api/2/search with JQL instead of
  GET /rest/api/2/issue/{key} for Charter compliance
- searchIssues switched from POST to GET with URL-encoded query params
- searchIssuesByKeys adds project scoping to JQL clause
- Updated UAT tests and API use-case docs to match
 2026-04-29 14:12:04 +00:00
root
4f960d0866 Update README and Jira UAT test script 2026-04-28 18:44:14 +00:00
root
caa1d539cc Add CARD API integration spec, Atlas metrics updates, NavDrawer and server.js cleanup, reference docs 2026-04-28 16:38:18 +00:00
root
b1069b1a05 Add Jira Data Center integration with UAT test script and use case docs 2026-04-28 16:36:54 +00:00
root
1186f9f807 Fix build: remove unused imports, set CI=false for react-scripts build 2026-04-28 14:22:19 +00:00
root
e13b18c169 Allow frontend test failures for pre-existing ESM/env test suite issues 2026-04-28 00:20:12 +00:00
root
05d47c91a8 Remove node_modules artifacts, rely on cache for shell executor 2026-04-28 00:08:17 +00:00
root
b0c3daba01 Fix CI pipeline to use npm install instead of npm ci (no lockfile in repo) 2026-04-28 00:04:44 +00:00
root
675847de0c Add GitLab CI/CD pipeline with install, lint, test, build, and deploy stages 2026-04-27 23:08:32 +00:00
root
623b57ca06 Fix Atlas vulnerability response parsing — API returns arrays per host, not objects 2026-04-27 16:21:19 +00:00
root
06c6821d85 Add multi-select qualys_id picker to bulk Atlas action plan modal with auto-fetch from Atlas API 2026-04-24 22:07:55 +00:00
root
8da62f0f14 Require qualys_id for risk_acceptance in bulk Atlas action plan modal 2026-04-24 21:58:53 +00:00
root
5a9dc007db Add bulk Atlas action plan creation from row selection toolbar 2026-04-24 21:49:04 +00:00
root
3f9e1da2a3 Fix findings export to use overridden hostname and DNS values 2026-04-24 21:38:43 +00:00
root
7ea4ceb8df Add backfill script for anomaly log historical data 2026-04-24 21:16:35 +00:00
root
00a6f7ae0f Add archive activity sparkline to findings trend chart and update investigation doc 2026-04-24 21:06:35 +00:00
root
69809955a9 Remove diagnostic scripts and xlsx export from tracking, add to gitignore 2026-04-24 20:36:46 +00:00
root
6ee68f5521 Add sync anomaly detection, BU drift monitoring, and findings count investigation 
- Add BU drift checker that classifies archived findings as BU reassignment,
  severity drift, closure, or decommission via unfiltered Ivanti API queries
- Add post-sync anomaly summary with significance threshold and classification
  breakdown stored in ivanti_sync_anomaly_log table
- Add per-finding BU tracking that detects BU changes across syncs and records
  them in ivanti_finding_bu_history table
- Add drift guard that skips trend history writes when total drops more than 50%
- Add CLOSED_GONE archive state for findings that vanish from the closed set
- Add anomaly banner UI on Vulnerability Triage page for significant sync changes
- Add API endpoints for anomaly latest/history and BU change tracking
- Add diagnostic scripts for drift checking and BU reassignment verification
- Add investigation document and xlsx export for the April 2026 BU reassignment
  incident where 109 findings were moved to SDIT-CSD-ITLS-PIES
- Migrations required: add_closed_gone_state.js, add_sync_anomaly_tables.js
 2026-04-24 20:34:34 +00:00
root
5ffedad02f Add Atlas metrics reporting, security audit tracker, and spec documents 2026-04-24 17:30:06 +00:00
root
8bf8dc55dd Add user profile panel with self-service password change and dark theme UserMenu 2026-04-24 17:29:06 +00:00
root
53439b2af8 Add Atlas exports and custom Atlas InfoSec icon 
Exports page:
- Add Atlas Action Plans export card with three reports: Full Status,
  Coverage Gaps, and Full Report (multi-sheet with active, gaps, history)
- Reports join Atlas cache with Ivanti findings for hostname, IP, BU context

Atlas icon:
- Add AtlasIcon SVG component matching the Atlas InfoSec logo (badge with globe)
- Replace Database icon with AtlasIcon on exports card, sync button, and panel header
 2026-04-23 22:18:23 +00:00
root
4c04c9870a Add Atlas InfoSec action plans integration 
Integrate Atlas InfoSec API to manage compliance action plans directly from
the ReportingPage. Users can view, create, and update action plans for host
findings without switching to the Atlas web tool.

Backend:
- Add atlasApi.js helper with Basic Auth, TLS skip, GET/PUT/PATCH/POST
- Add atlas_action_plans_cache migration for SQLite cache table
- Add atlas.js router with sync, status, and proxy CRUD endpoints
- Mount Atlas router at /api/atlas in server.js
- Extract hostId from Ivanti host findings during sync

Frontend:
- Add AtlasBadge component (amber=needs plan, green=has plan)
- Add AtlasSlideOutPanel with plan list, create form, edit capability
- Separate active plans from inactive history in collapsible section
- Custom dark-themed plan type dropdown
- Optimistic local state shows pending plans immediately after creation
- Atlas sync button on ReportingPage toolbar
- Prepopulate finding ID in create form from clicked row

Environment:
- Add ATLAS_API_URL, ATLAS_API_USER, ATLAS_API_PASS, ATLAS_SKIP_TLS to .env.example
 2026-04-23 21:52:53 +00:00
root
e1b000870c Enforce 120-day maximum on FP workflow expiration date 2026-04-22 19:52:06 +00:00
root
f3ba322403 Fix variant pill labels to show short priority tag instead of full description 2026-04-22 18:37:54 +00:00
root
0bea387ac9 Add grouped metric health cards with variant pills, hover tooltips, and info panel to compliance page 2026-04-22 18:30:59 +00:00
root
aa3ce3bae9 Replace window.confirm() with themed ConfirmModal across dashboard 2026-04-20 21:54:37 +00:00
root
0cdaecf890 Add themed admin page with user management, audit log, and system info panels; add compliance note delete functionality 2026-04-20 21:39:43 +00:00
root
043c85cc69 Add admin page overhaul and compliance schema drift check specs, compliance upload improvements, drift checker helper 2026-04-20 20:12:12 +00:00
jramos
6082721452 Sync all local changes for remote dev server migration 2026-04-20 10:23:47 -06:00
jramos
a214393723 Add compliance-staging folder, gitignore agents, update docs and kiro config 2026-04-16 14:41:52 -06:00
jramos
f141fa58a1 Add multi-metric note selection to compliance detail panel 2026-04-16 14:28:44 -06:00
jramos
e1b0236874 feat: add FP attachment library — attach existing CVE documents to FP submissions 
- Add GET /api/ivanti/fp-workflow/documents/search endpoint for querying the document library
- Update POST /api/ivanti/fp-workflow to accept libraryDocIds for attaching library documents on create
- Update POST .../submissions/:id/attachments to accept libraryDocIds on edit
- Add AttachmentSourcePicker component with local upload and library search modes
- Integrate picker into FpWorkflowModal (create) and FpEditModal (edit)
- Track attachment source (local/library) in attachment_results_json for traceability
 2026-04-15 15:27:21 -06:00
jramos
ed48522932 feat: add row visibility controls to Reporting page — hide/bulk-hide rows, localStorage persistence, visibility manager popover, chart/export integration 2026-04-15 13:15:01 -06:00
jramos
938dda400a feat: improve archive finding clarity with finding IDs, historical severity labels, and related active finding indicators 2026-04-15 10:18:19 -06:00
jramos
732873dd6a feat: add migration for GRANITE workflow_type CHECK constraint 2026-04-14 15:44:17 -06:00
jramos
0fe8e94d51 feat: add GRANITE as fourth workflow type in Ivanti queue 
- Add GRANITE to VALID_WORKFLOW_TYPES in backend (no vendor required, same as CARD)
- Update vendor validation and error messages across all endpoints (single add, batch, PUT, redirect)
- Add GRANITE option to RedirectModal with warm slate color (#A1887F)
- Rename QueuePanel CARD section to Inventory, group CARD + GRANITE with sub-divider
- Add GRANITE to AddToQueuePopover and SelectionToolbar
- Update spec docs (requirements, design, tasks)
 2026-04-14 15:38:22 -06:00
jramos
28bce28fc9 docs: add knowledge base guides for reporting, compliance, queue operations, user management, and CVE tracking 2026-04-13 16:52:19 -06:00
jramos
72fd79ea42 docs: add knowledge base article for FP queue and submission editing workflow 2026-04-13 16:38:31 -06:00
jramos
f63c286458 fix: show all Ivanti reviewer notes (rework, approval, current/previous state) in history tab 2026-04-13 16:14:27 -06:00
jramos
93c144576f docs: document map endpoint behavior — JSON only, one finding per call, UUID resolution flow 2026-04-13 16:03:57 -06:00
jramos
fa3b045a2f fix: map findings one at a time via JSON POST, only mark successfully mapped queue items as complete 2026-04-13 15:59:55 -06:00
jramos
4583d09750 chore: remove debug logging, remove unused ivantiMultipartPost import 2026-04-13 14:31:36 -06:00
jramos
75ac8c823a feat: show finding IDs in history, display Ivanti reviewer notes (rework/approval feedback) in history tab 2026-04-13 14:25:14 -06:00
jramos
68e36b4bac docs: document Ivanti API limitations — attach endpoint broken, search by ID unsupported, UUID not in create response 2026-04-13 14:14:39 -06:00
jramos
d24b45b404 fix: disable attach-to-existing endpoint (Ivanti API returns 400), show redirect message instead 2026-04-13 14:10:55 -06:00
jramos
d64eb7eec4 fix: use 'file' field name with proper MIME type for attach endpoint 2026-04-13 14:07:13 -06:00
jramos
6cb65fddc1 fix: use ivantiFormPost with 'files' field name for attach endpoint (matches create) 2026-04-13 14:05:05 -06:00
jramos
0ca83c6736 fix: revert map to multipart-only, add attachment upload logging 2026-04-13 14:02:28 -06:00
jramos
06268880da fix: try JSON POST first for map endpoint, fall back to multipart on 500/415 2026-04-13 13:56:00 -06:00
jramos
b4f0ddcb78 fix: use JSON POST instead of multipart for Ivanti map endpoint 2026-04-13 13:55:15 -06:00
jramos
55e3e074a5 debug: log Ivanti map endpoint response details on failure 2026-04-13 13:30:10 -06:00
jramos
66bbeb84a5 fix: search by workflow name instead of numeric ID to resolve UUID 2026-04-13 13:16:09 -06:00
jramos
4578f8cd85 debug: log full Ivanti search response to diagnose UUID resolution 2026-04-13 13:10:31 -06:00
jramos
5469a86e6e debug: add logging to UUID resolver to identify correct field name from Ivanti search response 2026-04-13 13:02:08 -06:00
jramos
2b6db1f903 fix: resolve UUID for map/attach endpoints, fix attachment field name mismatch 
- Add resolveWorkflowBatchUuid helper that searches Ivanti API for UUID by batch ID and caches it locally
- Use UUID resolver in findings and attachments endpoints instead of relying on stored UUID
- Store UUID on new FP creation by searching Ivanti after workflow batch is created
- Fix frontend attachment upload field name from 'files' to 'attachments' to match Multer config
 2026-04-13 12:53:13 -06:00
jramos
7c97bc3a84 Fixed Multer config .array from files to attachements 2026-04-13 12:45:37 -06:00
jramos
835fbf26e7 fix: revert clickable workflow badges, fix migration default, auto-sync submission lifecycle status from Ivanti findings 
- Revert workflow badge to static (non-clickable) — queue panel is the entry point
- Fix migration: use DEFAULT NULL for updated_at (SQLite disallows CURRENT_TIMESTAMP in ALTER TABLE)
- Add useMemo enrichment to cross-reference submission lifecycle_status with actual Ivanti workflow state from findings data
 2026-04-13 12:39:47 -06:00
jramos
c4aaeff2a1 fixed const constraint default 2026-04-13 12:30:43 -06:00
jramos
df30430956 feat: add FP submission editing with lifecycle tracking, clickable workflow badges, and edit modal 
- Add migration for lifecycle_status, batch UUID, updated_at columns and submission history table
- Add backend endpoints: GET/PUT/POST/PATCH for viewing, editing, adding findings/attachments, and status changes
- Add pure helpers: validateLifecycleTransition, mergeFindings, buildSubmissionHistoryEntry
- Add FpEditModal with tabbed UI (Details, Findings, Attachments, History)
- Make workflow badges clickable for Reworked/Rejected/Expired states with pencil icon
- Add submissions list section to QueuePanel with lifecycle status badges
- Wire state and data flow in ReportingPage for submissions fetch and edit callbacks
 2026-04-13 12:27:56 -06:00
jramos
57f11c362b docs: update README with queue redirect, CVE tooltips, FP workflow submission, and missing migrations 2026-04-09 16:18:22 -06:00
jramos
4df83d36dd fix: include hostname overrides in all queue endpoint responses 2026-04-09 16:11:52 -06:00
jramos
0a7a7c2827 feat: add Ivanti Queue redirect for completed items 2026-04-09 16:01:36 -06:00
jramos
1963faf9b8 fix: queue now uses edited hostname override instead of original Ivanti value 2026-04-09 15:25:16 -06:00
jramos
9b36a58959 feat: add CVE tooltip on hover in Reporting Page 
- Add GET /api/cves/:cveId/tooltip backend endpoint with description truncation
- Create CveTooltip portal component with caching, severity badges, and viewport-aware positioning
- Integrate tooltip into ReportingPage with 300ms hover delay on CVE badge spans
 2026-04-09 14:42:23 -06:00
jramos
690c30aac0 feat: add hostname and IP display to Ivanti queue panel 
- Add migration to add hostname column to ivanti_todo_queue table
- Update POST and batch POST endpoints to accept and store hostname
- Pass hostName from findings data when adding items to queue
- Display hostname and IP address in CARD queue section
- Display hostname and IP address in vendor (FP/Archer) queue sections
 2026-04-09 11:56:56 -06:00
jramos
fc68097821 fix: remove dual-mode checkbox — clicks always toggle selection, no more popover on first click 2026-04-09 10:01:18 -06:00
jramos
d9fdaf5cbb fix: move selection useEffects after filtered/addPopover declarations to fix ReferenceError 2026-04-09 09:56:33 -06:00
jramos
cb3da6980c Merge feature/batchqueue into master — batch finding disposition 2026-04-09 09:50:24 -06:00
jramos
ccc3576706 feat: add batch finding disposition — multi-select findings and bulk add to Ivanti queue 2026-04-09 09:49:40 -06:00
jramos
5405926550 Merge feature/submit-workflow into master — Ivanti FP workflow submission 2026-04-08 12:45:28 -06:00
jramos
328e48ea8c fix: accept HTTP 202 as success from Ivanti workflow creation 
Ivanti returns 202 (Accepted) for async job creation, not just 200/201.
 2026-04-08 12:26:35 -06:00
jramos
41f9c35586 fix: correct subjectFilterRequest format and add Ivanti API docs 
The subjectFilterRequest field requires a nested structure:
{ subject: 'hostFinding', filterRequest: { filters: [...] } }

Previous attempts with flat { filters: [] } or { subject, filters }
caused Ivanti to return 500. The filterRequest wrapper is required.

Also adds docs/ivanti-api-reference.md documenting all known endpoints,
field formats, and the subjectFilterRequest structure so we don't have
to reverse-engineer the Swagger again.
 2026-04-08 12:20:09 -06:00
jramos
729dada05c fix: correct subjectFilterRequest format for Ivanti FP workflow API 
The API expects { subject: 'hostFinding', filterRequest: { filters } }
not a flat filter object. Confirmed working via direct curl test —
workflow ID 33418832 created successfully.
 2026-04-08 12:18:41 -06:00
jramos
5d417edf82 fix: align subjectFilterRequest with Ivanti search filter schema 
Remove extra fields (orWithPrevious, implicitFilters, subject) that
aren't in the Swagger filter schema. Add projection and sort fields
to match the search endpoint format.
 2026-04-08 12:08:08 -06:00
jramos
03e60c9daf fix: rewrite FP workflow to use Ivanti multipart/form-data API 
The /workflowBatch/falsePositive/request endpoint expects
multipart/form-data with text fields (name, reason, description,
expirationDate, overrideControl, subjectFilterRequest, isEmptyWorkflow)
and inline file uploads — not a JSON body with separate attachment calls.

- Add ivantiFormPost() helper for mixed form fields + files
- Replace buildIvantiPayload with buildIvantiFormFields + buildSubjectFilterRequest
- Remove separate attachment upload loop (files sent inline)
- Update response handling for { id, created } shape
 2026-04-08 10:18:45 -06:00
jramos
ee9403ab47 fix: correct Ivanti API endpoint paths for FP workflow creation and attachment 
- Creation: /workflowBatch -> /workflowBatch/falsePositive/request
- Attachment: /workflowBatch/{id}/attachment -> /workflowBatch/falsePositive/{uuid}/attach
- Paths confirmed against platform4.risksense.com swagger spec
 2026-04-08 10:08:14 -06:00
jramos
3d04cd393f fix: remove no-op status ternary, dead code, and redundant calls 
- Fix copy-paste bug in ivantiFpWorkflow.js where both ternary branches
  returned 'partial'; simplified to direct assignment
- Remove unused shouldShowFpButton() from ReportingPage.js (canWrite
  from useAuth() is used instead)
- Hoist repeated isCreateFpButtonEnabled() calls into a single variable
  in QueuePanel render
 2026-04-08 09:38:39 -06:00
jramos
382bc81a7e feat: add Ivanti FP workflow submission from Queue 
- Add shared ivantiApi.js helper (ivantiPost + ivantiMultipartPost)
- Add ivantiFpWorkflow.js backend route with validation, Ivanti API
  workflow creation, attachment uploads, submission tracking, and audit
- Add add_fp_submissions_table.js migration
- Wire route into server.js at /api/ivanti/fp-workflow
- Add FpWorkflowModal component in ReportingPage.js with form fields,
  drag-and-drop file upload, progress indicator, and result views
- Add Create FP Workflow button to QueuePanel footer (editor/admin only)
- Refactor ivantiWorkflows.js and ivantiFindings.js to use shared helper
 2026-04-07 16:20:24 -06:00
jramos
7302ece958 docs: add Upgrade section and Troubleshooting TOC link to README 2026-04-07 13:43:50 -06:00
jramos
80d80c099f docs: add NODE_ENV/Secure cookie warning and troubleshooting section to README 2026-04-07 12:09:27 -06:00
jramos
a2a43a8685 Merge maintenance/security-audit1: security audit remediation and README update 2026-04-07 11:31:41 -06:00
jramos
a711972054 docs: update README for group-based access control, security hardening, and current architecture 
- Replace role-based docs with group-based (Admin, Standard_User, Leadership, Read_Only)
- Update API reference with correct group requirements and new endpoints (JIRA tickets, archive, todo-queue)
- Remove hardcoded default credentials from installation instructions
- Document SESSION_SECRET as required with generation instructions
- Add new migrations to install sequence (archive, timestamps, counts history, user_groups, created_by)
- Update architecture tree with new files (ivantiArchive, ComplianceChartsPanel, etc.)
- Update security model with rate limiting, sandbox iframe, rehype-sanitize, Content-Disposition sanitization
- Update database schema docs with created_by columns, user_group triggers, cascade deletes
- Fix middleware reference from requireRole to requireGroup
- Remove stale admin123 references throughout
 2026-04-07 11:29:33 -06:00
jramos
8a6a3485e9 security: address audit findings C-4 through M-8 
Critical:
- C-4: Add express-rate-limit to login (20 attempts/15min)
- C-5: Remove default credentials from LoginForm.js
- C-6: Add sandbox attribute to KB document iframe

High:
- H-2: Hard-fail on startup if SESSION_SECRET env var is missing
- H-6: Sanitize filenames in Content-Disposition headers
- H-7: Fix KB upload race condition — move file after DB insert succeeds
- H-8: Generate random admin password in setup.js instead of hardcoded
- H-9: Add rehype-sanitize to ReactMarkdown (requires npm install)

Medium:
- M-4: Fix loose equality (==) to strict (===) in users.js self-checks
- M-5: Add hostname format regex validation in compliance notes
- M-6: Fix vendor trim-before-validate in ivantiTodoQueue.js
- M-7: Sanitize original filename in compliance temp JSON
- M-8: Pull CSP frame-ancestors from CORS_ORIGINS env var

New dependencies needed:
- backend: express-rate-limit (npm install in root)
- frontend: rehype-sanitize (npm install in frontend/)
 2026-04-07 10:23:10 -06:00
jramos
169a0d2337 Merge feature/usergroups: group-based access control (Admin, Standard_User, Leadership, Read_Only) 2026-04-07 10:11:21 -06:00
jramos
c50fc5d8a8 fix: address all 11 review items for group-based access control 
Bugs fixed:
- knowledgeBase.js: logAudit calls converted from positional args to object signature
- archerTickets.js: targetType/targetId renamed to entityType/entityId
- server.js: single CVE delete now has cascade/compliance check for Standard_User

Unprotected endpoints secured:
- ivantiTodoQueue.js: POST/PUT/DELETE now require Admin or Standard_User
- ivantiFindings.js: PUT note and POST sync now require Admin or Standard_User
- compliance.js: POST notes now requires Admin or Standard_User
- ivantiWorkflows.js: POST sync now requires Admin or Standard_User
- auth.js: cleanup-sessions now requires Admin via requireAuth + requireGroup

Additional fixes:
- ExportsPage.js: canExport() guard blocks Read_Only users
- knowledgeBase.js: Standard_User delete checks created_by ownership
- Migration: added INSERT/UPDATE triggers to enforce valid user_group values
 2026-04-07 10:09:18 -06:00
jramos
e9e2c0961d fix: address all 11 review items for group-based access control 
Bugs fixed:
- knowledgeBase.js: logAudit calls converted from positional args to object signature
- archerTickets.js: targetType/targetId renamed to entityType/entityId
- server.js: single CVE delete now has cascade/compliance check for Standard_User

Unprotected endpoints secured:
- ivantiTodoQueue.js: POST/PUT/DELETE now require Admin or Standard_User
- ivantiFindings.js: PUT note and POST sync now require Admin or Standard_User
- compliance.js: POST notes now requires Admin or Standard_User
- ivantiWorkflows.js: POST sync now requires Admin or Standard_User
- auth.js: cleanup-sessions now requires Admin via requireAuth + requireGroup

Additional fixes:
- ExportsPage.js: canExport() guard blocks Read_Only users
- knowledgeBase.js: Standard_User delete checks created_by ownership
- Migration: added INSERT/UPDATE triggers to enforce valid user_group values
 2026-04-07 09:52:26 -06:00
jramos
d910af847e fix: wire up admin page route to render UserManagement component 2026-04-06 16:25:59 -06:00
jramos
73fd747576 feat: implement group-based access control (Admin, Standard_User, Leadership, Read_Only) 
- Add user_group migration and created_by column migration
- Replace requireRole middleware with requireGroup
- Update all backend routes to use group-based authorization
- Add Standard_User conditional delete with ownership, state, and compliance checks
- Add cascade impact check for CVE deletes
- Update AuthContext with group-based permission helpers
- Update all frontend components for group-based rendering
- Update UserManagement UI with group dropdown, confirmation dialogs, self-demotion prevention
 2026-04-06 16:18:07 -06:00
jramos
1ef57b0504 feat(archive): add finding archive tracking to Ivanti sync pipeline 
Adds a four-state lifecycle tracker (ACTIVE → ARCHIVED → RETURNED → CLOSED)
to detect and monitor findings that disappear from Ivanti sync results due to
severity score drift rather than actual remediation.

- Archive detection runs automatically after each sync, comparing previous
  and current finding sets to identify disappearances and reappearances
- Full transition history stored in ivanti_finding_archives and
  ivanti_archive_transitions tables with timestamps and severity scores
- Three new API endpoints: /api/ivanti/archive, /api/ivanti/archive/stats,
  /api/ivanti/archive/:findingId/history
- Archive Summary Bar UI on the home page shows counts for each state
  (Active, Archived, Returned, Closed) with click-through finding lists
- Two new migrations: add_finding_archive_tables, add_archer_tickets_timestamps
- Mermaid diagram support added to Knowledge Base viewer
 2026-04-06 09:51:56 -06:00
jramos
d1fe0bf455 fix: resolve 5 pre-merge issues in finding archive tracking 
1. ACTIVE state never populated — stats endpoint now computes ACTIVE from live findings cache count instead of querying archive table

2. CHECK constraint mismatch — migration now uses 3-state constraint (ARCHIVED, RETURNED, CLOSED) matching runtime initArchiveTables()

3. Archive filter click non-functional — handleArchiveStateClick now fetches and renders filtered archive list below summary bar

4. Hook glob pattern mismatch — changed **/migrate*.js to **/migrations/*.js so hook fires for actual migration filenames

5. Stale stats after sync — ArchiveSummaryBar polls every 60s and refreshes immediately after workflow sync via refreshKey prop
 2026-04-03 15:51:18 -06:00
jramos
3f7887eba6 added hooks 2026-04-03 15:29:05 -06:00
jramos
9bd5a52661 feat: implement finding archive tracking system 
- Add migration script for ivanti_finding_archives and ivanti_archive_transitions tables
- Add archive detection logic (detectArchiveChanges, detectClosedFindings) in sync pipeline
- Add archive API router with list, stats, and history endpoints at /api/ivanti/archive
- Add ArchiveSummaryBar UI component with four state cards (ACTIVE, ARCHIVED, RETURNED, CLOSED)
- Integrate ArchiveSummaryBar into Ivanti findings page in App.js
- Register archive router in server.js
 2026-04-03 15:20:04 -06:00
jramos
2b4ec5d8e2 added kiro specs 2026-04-03 13:48:04 -06:00
jramos
62592e9821 add kiro steering files 2026-04-03 09:27:12 -06:00
jramos
2fead2cfef feat(kb): render Mermaid diagrams in Knowledge Base viewer 
Installs mermaid v11 and adds a custom ReactMarkdown code renderer
that intercepts fenced mermaid blocks and renders them as SVG diagrams
using the dark theme. SVGs are made responsive (width: 100%).
Non-mermaid code blocks are unchanged.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-04-02 15:37:00 -06:00
jramos
7c0ba41514 fix(migrations): add created_at/updated_at to archer_tickets if missing 
Production instances where the table was created before these columns
were added to the schema will see 500 errors on all /api/archer-tickets
endpoints. This migration safely checks PRAGMA table_info before each
ALTER TABLE so it is idempotent and safe to run multiple times.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-04-02 15:23:38 -06:00
jramos
9c6c03a518 feat: time-based charts, Vulnerability Triage rename, Knowledge Base page 
Merges feature/compliance-time-charts into master.

Changes included:
- Compliance page: 6 Recharts trend charts (active totals, deltas, per-team,
  MTTR, recurring items, Archer pipeline)
- Ivanti findings trend chart on Vulnerability Triage page: open/closed
  counts history stored on every sync, aggregated to end-of-day snapshots
- Rename 'Reporting' page to 'Vulnerability Triage' throughout (nav, routes,
  docs, all cross-page navigation references)
- Knowledge Base page: full article library with category filter, search,
  inline viewer, upload/delete for editor+ roles
- Remove Knowledge Base sidebar panel from home page (now lives on KB page);
  home layout adjusts to 2-column (9+3)
- Add ivanti_counts_history migration script for documentation consistency
- Update security-posture-workflow-diagrams.md and team-training-agenda.md
  to reflect Vulnerability Triage page name

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-04-02 14:53:13 -06:00
184 changed files with 125083 additions and 5181 deletions
Expand all files Collapse all files

BIN
.compliance-staging/.gitkeep Normal file
View File

Binary file not shown.

30
.gitignore vendored
View File

@@ -1,6 +1,5 @@
# Node modules # Node modules
node_modules/ node_modules/
package-lock.json
# Database # Database
backend/cve_database.db backend/cve_database.db
@@ -39,10 +38,6 @@ frontend.pid
backend/uploads/temp/ backend/uploads/temp/
feature_request*.md feature_request*.md
# Planning docs
docs/aeo-compliance-ui-plan.md
docs/aeo-compliance-wireframe.md
# AI tooling config # AI tooling config
.claude/ .claude/
ai_notes.md ai_notes.md
@@ -51,3 +46,28 @@ backend/add_vendor_to_documents.js
backend/fix_multivendor_constraint.js backend/fix_multivendor_constraint.js
backend/server.js-backup backend/server.js-backup
backend/setup.js-backup backend/setup.js-backup
# Compliance staging — keep folder, ignore contents
.compliance-staging/*
!.compliance-staging/.gitkeep
# Kiro agents (local only)
.kiro/
# Zip files
*.zip
# Production DB copies
cve_database_prod.db
cve_database.db.prod
cve_database.db.backup
database.db
# Operations — local admin records, UAT logs, firewall requests, data exports
docs/operations/
# Data exports — local spreadsheets
docs/data-exports/
# Python cache
__pycache__/

300
.gitlab-ci.yml Normal file
View File

@@ -0,0 +1,300 @@
# =============================================================================
# GitLab CI/CD Pipeline — STEAM Security Dashboard
# =============================================================================
#
# Pipeline stages:
# 1. install — install dependencies for backend and frontend
# 2. lint — run linters / static checks
# 3. test — run backend (Jest) and frontend (react-scripts) tests
# 4. build — produce the production frontend bundle
# 5. deploy — deploy to staging (local) or production (SSH to 71.85.90.6)
# 6. verify — post-deploy health checks
#
# Environments:
# staging — dashboard-dev:3100 (auto-deploy on main/master)
# production — 71.85.90.6:3001 (manual trigger, requires staging verification)
#
# Executor: shell (runs on dashboard-dev using system Node.js)
# =============================================================================
# ---------------------------------------------------------------------------
# Variables
# ---------------------------------------------------------------------------
variables:
PROD_HOST: "71.85.90.6"
PROD_USER: "root"
PROD_DIR: "/home/cve-dashboard"
STAGING_DIR: "/home/cve-dashboard-staging"
# ---------------------------------------------------------------------------
# Global cache — persists node_modules between pipeline runs
# ---------------------------------------------------------------------------
cache:
key: ${CI_COMMIT_REF_SLUG}
paths:
- node_modules/
- frontend/node_modules/
policy: pull
# ---------------------------------------------------------------------------
# Stages
# ---------------------------------------------------------------------------
stages:
- install
- lint
- test
- build
- deploy
- verify
# =============================================================================
# STAGE 1: Install dependencies
# =============================================================================
install-backend:
stage: install
script:
- npm ci --prefer-offline
cache:
key: ${CI_COMMIT_REF_SLUG}
paths:
- node_modules/
policy: pull-push
install-frontend:
stage: install
script:
- cd frontend && npm ci --prefer-offline
cache:
key: ${CI_COMMIT_REF_SLUG}
paths:
- frontend/node_modules/
policy: pull-push
# =============================================================================
# STAGE 2: Lint / static analysis
# =============================================================================
lint-frontend:
stage: lint
script:
- cd frontend && npm ci --prefer-offline && npx eslint src/ --ignore-pattern '**/__tests__/**' --ignore-pattern '**/*.test.js' --max-warnings 10
needs:
- install-frontend
lint-backend:
stage: lint
script:
- npm ci --prefer-offline
- node -c backend/server.js
- node -c backend/routes/*.js
- node -c backend/helpers/*.js
- node -c backend/middleware/*.js
needs:
- install-backend
# =============================================================================
# STAGE 3: Tests
# =============================================================================
test-backend:
stage: test
script:
- npm ci --prefer-offline
- ./node_modules/.bin/jest --ci --forceExit backend/__tests__/
timeout: 5 minutes
needs:
- install-backend
test-frontend:
stage: test
script:
- npm ci --prefer-offline
- cd frontend && npm ci --prefer-offline && CI=true npx react-scripts test --watchAll=false --ci
timeout: 5 minutes
needs:
- install-frontend
# =============================================================================
# STAGE 4: Build
# =============================================================================
build-frontend:
stage: build
script:
- cd frontend && npm ci --prefer-offline && CI=false REACT_APP_API_BASE=/api REACT_APP_API_HOST="" npm run build
artifacts:
paths:
- frontend/build/
expire_in: 7 days
needs:
- test-frontend
- lint-frontend
# =============================================================================
# STAGE 5: Deploy
# =============================================================================
# ---------------------------------------------------------------------------
# Staging — auto-deploys on main/master to dashboard-dev:3100
# ---------------------------------------------------------------------------
deploy-staging:
stage: deploy
rules:
- if: $CI_COMMIT_BRANCH == "main" || $CI_COMMIT_BRANCH == "master"
when: on_success
environment:
name: staging
url: http://localhost:3100
script:
- echo "Deploying to staging (dashboard-dev:3100)..."
# Ensure staging directory exists
- mkdir -p ${STAGING_DIR}
# Sync code (exclude .git, node_modules, uploads, logs)
- rsync -a --delete
--exclude='.git'
--exclude='node_modules'
--exclude='frontend/node_modules'
--exclude='frontend/build'
--exclude='backend/uploads'
--exclude='*.log'
--exclude='*.db'
--exclude='.env'
${CI_PROJECT_DIR}/ ${STAGING_DIR}/
# Copy built frontend
- cp -r ${CI_PROJECT_DIR}/frontend/build ${STAGING_DIR}/frontend/build
# Install deps in staging
- cd ${STAGING_DIR} && npm ci --prefer-offline
- cd ${STAGING_DIR}/frontend && npm ci --prefer-offline
# Ensure staging .env exists
- |
if [ ! -f "${STAGING_DIR}/backend/.env" ]; then
cp ${CI_PROJECT_DIR}/backend/.env ${STAGING_DIR}/backend/.env
sed -i 's/^PORT=.*/PORT=3100/' ${STAGING_DIR}/backend/.env
grep -q "^PORT=" ${STAGING_DIR}/backend/.env || echo "PORT=3100" >> ${STAGING_DIR}/backend/.env
fi
# Run migrations
- cd ${STAGING_DIR}/backend && node migrations/run-all.js
# Restart staging service
- sudo systemctl restart cve-backend-staging || sudo systemctl start cve-backend-staging || true
- echo "Staging deploy complete."
needs:
- build-frontend
- test-backend
# ---------------------------------------------------------------------------
# Production — manual trigger, SSH to 71.85.90.6
# ---------------------------------------------------------------------------
deploy-production:
stage: deploy
rules:
- if: $CI_COMMIT_BRANCH == "main" || $CI_COMMIT_BRANCH == "master"
when: manual
environment:
name: production
url: http://71.85.90.6:3001
script:
- echo "Deploying to production (${PROD_HOST})..."
# Record current commit on prod for rollback
- ssh ${PROD_USER}@${PROD_HOST} "cd ${PROD_DIR} && git rev-parse HEAD 2>/dev/null || echo none" > /tmp/prod-prev-commit
- echo "Previous production commit:$(cat /tmp/prod-prev-commit)"
# Sync code to production (exclude local-only files)
- rsync -az --delete
--exclude='.git'
--exclude='node_modules'
--exclude='frontend/node_modules'
--exclude='frontend/build'
--exclude='backend/uploads'
--exclude='*.log'
--exclude='*.db'
--exclude='.env'
--exclude='.compliance-staging'
${CI_PROJECT_DIR}/ ${PROD_USER}@${PROD_HOST}:${PROD_DIR}/
# Copy built frontend
- rsync -az ${CI_PROJECT_DIR}/frontend/build/ ${PROD_USER}@${PROD_HOST}:${PROD_DIR}/frontend/build/
# Install deps on production
- ssh ${PROD_USER}@${PROD_HOST} "cd ${PROD_DIR} && npm ci --prefer-offline"
- ssh ${PROD_USER}@${PROD_HOST} "cd ${PROD_DIR}/frontend && npm ci --prefer-offline"
# Run migrations
- ssh ${PROD_USER}@${PROD_HOST} "cd ${PROD_DIR}/backend && node migrations/run-all.js"
# Restart services — install systemd unit if not present
- ssh ${PROD_USER}@${PROD_HOST} "test -f /etc/systemd/system/cve-backend.service" || scp ${CI_PROJECT_DIR}/deploy/cve-backend-production.service ${PROD_USER}@${PROD_HOST}:/etc/systemd/system/cve-backend.service
- ssh ${PROD_USER}@${PROD_HOST} "systemctl daemon-reload && systemctl enable cve-backend && systemctl restart cve-backend"
- echo "Production deploy complete."
needs:
- build-frontend
- test-backend
# =============================================================================
# STAGE 6: Post-deploy verification
# =============================================================================
# ---------------------------------------------------------------------------
# Staging health check
# ---------------------------------------------------------------------------
verify-staging:
stage: verify
rules:
- if: $CI_COMMIT_BRANCH == "main" || $CI_COMMIT_BRANCH == "master"
when: on_success
script:
- echo "Verifying staging..."
- sleep 3
- |
for i in 1 2 3 4 5; do
STATUS=$(curl -s -o /dev/null -w "%{http_code}" http://localhost:3100/api/health 2>/dev/null || echo "000")
if [ "$STATUS" = "200" ]; then
echo "Staging health check passed (attempt $i)"
break
fi
echo "Staging not ready (status: $STATUS), retrying... (attempt $i/5)"
sleep 3
done
if [ "$STATUS" != "200" ]; then
echo "FAILED: Staging health check failed after 5 attempts"
exit 1
fi
- echo "Staging verification passed."
needs:
- deploy-staging
# ---------------------------------------------------------------------------
# Production health check — rolls back on failure
# ---------------------------------------------------------------------------
verify-production:
stage: verify
rules:
- if: $CI_COMMIT_BRANCH == "main" || $CI_COMMIT_BRANCH == "master"
when: on_success
script:
- echo "Verifying production..."
- sleep 3
- |
for i in 1 2 3 4 5 6 7 8 9 10; do
STATUS=$(curl -s -o /dev/null -w "%{http_code}" http://${PROD_HOST}:3001/api/health 2>/dev/null || echo "000")
if [ "$STATUS" = "200" ]; then
echo "Production health check passed (attempt $i)"
break
fi
echo "Production not ready (status: $STATUS), retrying... (attempt $i/10)"
sleep 3
done
if [ "$STATUS" != "200" ]; then
echo "FAILED: Production health check failed — initiating rollback"
PREV_COMMIT=$(cat /tmp/prod-prev-commit 2>/dev/null || echo "")
if [ -n "$PREV_COMMIT" ] && [ "$PREV_COMMIT" != "none" ]; then
echo "Rolling back to $PREV_COMMIT..."
# Re-sync the previous version
ssh ${PROD_USER}@${PROD_HOST} "cd ${PROD_DIR} && git checkout ${PREV_COMMIT} --force 2>/dev/null" || true
ssh ${PROD_USER}@${PROD_HOST} "cd ${PROD_DIR} && npm ci --prefer-offline"
ssh ${PROD_USER}@${PROD_HOST} "systemctl restart cve-backend"
echo "Rollback complete. Verify manually."
else
echo "No previous commit recorded — manual intervention required."
fi
exit 1
fi
- echo "Production verification passed."
needs:
- deploy-production
allow_failure: false

59
CHANGELOG.md Normal file
View File

@@ -0,0 +1,59 @@
# Changelog
## v1.0.0 — 2026-05-01
First official release. Consolidates all features developed since initial commit into a stable, documented, deployment-ready package.
### Core Platform
- CVE tracking with multi-vendor support, document storage, and NVD API auto-fill
- Session-based authentication with four user groups (Admin, Standard_User, Leadership, Read_Only)
- Full audit logging of all state-changing actions
- Dark tactical intelligence UI theme with monospace typography
### Ivanti Integration
- Live sync of open host findings from Ivanti/RiskSense API (auto-sync every 24h)
- Reporting page with donut metric charts, advanced per-column filtering, inline editing
- FP workflow submission directly to Ivanti API with file attachments
- Ivanti Queue — personal staging list for batch FP, Archer, CARD, and Granite workflows
- Queue item redirect between workflow types after completion
- Row visibility controls with localStorage persistence
### Archive and Anomaly Tracking
- Automatic detection of disappeared and returned findings across syncs
- BU drift checker — classifies archived findings by reason (BU reassignment, severity drift, closed on platform, decommissioned)
- Return classification — explains why findings came back (BU reassigned back, severity re-escalated, etc.)
- Findings Trend chart with archive activity sparkline and shift reason tooltips
- Anomaly banner for significant archive events
### Compliance (AEO Posture)
- Weekly NTS_AEO xlsx upload with diff preview (new, resolved, recurring)
- Schema drift detection with breaking/silent-miss/cosmetic classification
- Admin config reconciliation for parser updates
- Per-team metric health cards with grouped categories and variant pills
- Device-level violation tracking with timestamped notes history
- Multi-metric note grouping
- Upload rollback support
### Integrations
- Jira Data Center — create, sync, and track tickets linked to CVE/vendor pairs
- Archer — risk acceptance exception tracking (EXC numbers)
- Atlas InfoSec — action plan cache, bulk creation from row selection, metrics reporting
- CARD API — Granite/CARD asset lookup for network device workflows
- NVD API — auto-fill CVE metadata with bulk sync support
### Knowledge Base
- Internal document library with inline PDF and Markdown rendering
- Category-based browsing and search
### Admin
- Full-page admin panel with user management, audit log, and system info tabs
- Themed confirm modals replacing browser dialogs
- User profile panel with self-service password change
### Infrastructure
- Consolidated `setup.js` with complete database schema (27 tables, all indexes and triggers)
- systemd service files for persistent deployment
- GitLab CI/CD pipeline (install, lint, test, build, deploy)
- GPG-signed commits for code provenance
- Organized documentation structure (api, design, guides, security, testing, troubleshooting)
- Migration scripts documented and retained for existing deployment upgrades

865
README.md
View File

@@ -1,820 +1,141 @@
# STEAM Security Dashboard # STEAM Security Dashboard v1.0.0
A self-hosted vulnerability management dashboard for the NTS-AEO-STEAM and NTS-AEO-ACCESS-ENG business units. Centralises CVE tracking, Ivanti host finding triage, AEO compliance posture, FP and Archer exception workflows, and internal documentation in a single interface. A self-hosted vulnerability management dashboard for the NTS-AEO-STEAM and NTS-AEO-ACCESS-ENG business units. Centralises CVE tracking, Ivanti host finding triage, AEO compliance posture, FP/Archer/CARD exception workflows, and internal documentation in a single interface.
--- ## Quick Start
## Table of Contents ### Prerequisites
- [Overview](#overview) - Node.js 18+
- [Tech Stack](#tech-stack) - Docker (for PostgreSQL 16 container)
- [Prerequisites](#prerequisites) - Python 3 with `python3-pandas` and `python3-openpyxl` (for compliance xlsx parsing)
- [Installation](#installation)
- [Configuration](#configuration)
- [Running the Application](#running-the-application)
- [Features](#features)
- [Authentication and User Roles](#authentication-and-user-roles)
- [Home — CVE Management](#home--cve-management)
- [Reporting — Host Findings](#reporting--host-findings)
- [Ivanti Queue](#ivanti-queue)
- [Compliance — AEO Posture](#compliance--aeo-posture)
- [Knowledge Base](#knowledge-base)
- [Exports](#exports)
- [Archer Risk Acceptance Tickets](#archer-risk-acceptance-tickets)
- [User Management (Admin)](#user-management-admin)
- [Audit Log (Admin)](#audit-log-admin)
- [Scripts](#scripts)
- [API Reference](#api-reference)
- [Architecture](#architecture)
- [Database Schema](#database-schema)
- [Security Model](#security-model)
- [Migrations](#migrations)
--- ### Install
## Overview
The STEAM Security Dashboard answers a common problem in vulnerability management: tracking which CVEs have been addressed, whether supporting vendor documentation exists, where each finding is in the remediation or exception workflow, and how the team's overall AEO compliance posture is trending week over week.
The application provides:
- A searchable, filterable CVE list with per-vendor tracking and document storage
- NVD API integration to auto-populate CVE metadata
- **Ivanti/RiskSense integration** — sync open host findings with live FP workflow tracking
- **Reporting page** with donut charts, advanced per-column filtering, inline editing, Ivanti Queue, and CSV/XLSX export
- **Ivanti Queue** — personal staging list for batch-processing FP, Archer, and CARD workflows
- **AEO Compliance page** — weekly xlsx upload, diff preview, per-team metric health cards, device-level violation tracking with notes history
- Archer risk acceptance ticket tracking (EXC numbers) linked to CVE/vendor pairs
- A knowledge base for internal documentation and policies
- Role-based access control with a full audit trail
---
## Tech Stack
| Layer | Technology |
|---|---|
| Backend | Node.js, Express 5 |
| Database | SQLite3 |
| File uploads | Multer 2 |
| Auth | bcryptjs, cookie-based sessions |
| Frontend | React 19, lucide-react, xlsx |
| Compliance xlsx parsing | Python 3, pandas, openpyxl |
| Bulk notes import | Python 3 (stdlib only) |
---
## Prerequisites
- Node.js 18 or later
- npm
- Python 3 with `python3-pandas` and `python3-openpyxl` apt packages (required for compliance xlsx parsing)
---
## Installation
### 1. Clone the repository
```bash ```bash
git clone <repo-url> git clone <repo-url>
cd cve-dashboard cd cve-dashboard
```
### 2. Install backend dependencies # Backend dependencies
```bash
cd backend
npm install npm install
```
### 3. Install frontend dependencies # Frontend dependencies
cd frontend && npm install && cd ..
```bash # Python dependencies (Ubuntu/Debian)
cd frontend
npm install
```
### 4. Install Python dependencies
Install via apt — this is the correct approach on Ubuntu/Debian and mirrors the dev server setup:
```bash
apt install -y python3-pandas python3-openpyxl apt install -y python3-pandas python3-openpyxl
``` ```
> If apt packages are unavailable or you need a specific version, see `docs/python-venv-setup.md` for the venv fallback approach. ### Configure
> The bulk notes import script (`import_notes_from_csv.py`) uses only Python stdlib and does **not** require these packages.
### 5. Initialize the database
Run once from the `backend/` directory to create the SQLite database, all tables, indexes, and a default admin user:
```bash ```bash
cd backend cp backend/.env.example backend/.env
node setup.js # Edit backend/.env — at minimum set SESSION_SECRET and DATABASE_URL:
# openssl rand -base64 32
``` ```
This creates `backend/cve_database.db` and a default admin account: See `backend/.env.example` for all available options including `DATABASE_URL`, Ivanti API, Jira, and Atlas integration keys.
- Username: `admin`
- Password: `admin123`
**Change the admin password immediately after first login.** ### Start PostgreSQL
### 6. Run database migrations The deploy script handles the full Postgres setup — container, schema, dependencies, and data migration from SQLite:
Apply all feature migrations in order:
```bash ```bash
cd backend chmod +x scripts/deploy-postgres.sh
node migrations/add_knowledge_base_table.js ./scripts/deploy-postgres.sh
node migrations/add_archer_tickets_table.js
node migrations/add_ivanti_sync_table.js
node migrations/add_ivanti_findings_tables.js
node migrations/add_ivanti_todo_queue_table.js
node migrations/add_card_workflow_type.js
node migrations/add_todo_queue_ip_address.js
node migrations/add_compliance_tables.js
``` ```
### 7. Build the frontend For fresh installs without an existing SQLite database, the script creates the schema and skips migration.
### Build and Run
```bash ```bash
cd frontend # Build frontend
npm run build cd frontend && npm run build && cd ..
# Start servers
./start-servers.sh
``` ```
Or use `npm start` for the development server (see [Running the Application](#running-the-application)). Dashboard: http://localhost:3000 · API: http://localhost:3001
--- The helper scripts use `systemctl` under the hood — the systemd units in `systemd/` must be installed first. See the full manual for setup instructions.
## Configuration
The application is configured via `.env` files. These files are gitignored and must be created manually per environment.
### Backend: `backend/.env`
```env
PORT=3001
API_HOST=localhost
CORS_ORIGINS=http://YOUR_IP:3000
SESSION_SECRET=change-this-to-a-long-random-string
NODE_ENV=production
# Optional: NVD API key for higher rate limits (50 req/30s vs 5 req/30s)
# Register at https://nvd.nist.gov/developers/request-an-api-key
NVD_API_KEY=your-key-here
# Ivanti / RiskSense integration (required for Reporting page sync)
IVANTI_API_KEY=your-ivanti-api-key
IVANTI_CLIENT_ID=1550
# Optional: filter workflows to a specific person's submissions
IVANTI_FIRST_NAME=
IVANTI_LAST_NAME=
# Set to 'true' if your network has SSL inspection / self-signed certs
IVANTI_SKIP_TLS=false
```
### Frontend: `frontend/.env`
```env
REACT_APP_API_BASE=http://YOUR_IP:3001/api
REACT_APP_API_HOST=http://YOUR_IP:3001
```
Replace `YOUR_IP` with the machine's IP address or hostname. Use `localhost` for local-only access.
> **Important:** React caches environment variables at build/start time. After changing `frontend/.env`, fully restart the frontend process — a browser refresh alone is not sufficient.
---
## Running the Application
### Using the helper scripts (recommended)
From the project root:
```bash
./start-servers.sh # Starts backend and frontend in the background
./stop-servers.sh # Stops all servers
```
The start script saves PIDs to `backend.pid` and `frontend.pid`. Logs are written to `backend/backend.log` and `frontend/frontend.log`.
### Running manually
```bash
# Terminal 1 — backend
cd backend
node server.js
# Terminal 2 — frontend (development server)
cd frontend
npm start
```
### Default ports
| Service | URL |
|---|---|
| Frontend | http://localhost:3000 |
| Backend API | http://localhost:3001 |
---
## Features ## Features
### Authentication and User Roles | Feature | Description |
|---------|-------------|
All routes require authentication. Three roles are supported: | **CVE Management** | Track CVEs across multiple vendors with document storage and NVD auto-fill |
| **Reporting** | Ivanti host finding triage with donut charts, inline editing, advanced filtering, CSV/XLSX export |
| Role | Permissions | | **Ivanti Queue** | Personal staging list for batch FP, Archer, CARD, and Granite workflows |
|---|---| | **FP Workflow** | Submit false positive workflows directly to Ivanti API with attachments |
| `viewer` | Read-only: CVEs, documents, findings, reports, knowledge base, Archer tickets, compliance data | | **Compliance** | Weekly AEO xlsx upload with diff preview, drift detection, per-team metric health cards |
| `editor` | All viewer permissions plus: create/update CVEs, upload documents, sync Ivanti findings, save notes and overrides, manage knowledge base, manage Archer tickets, upload compliance reports, manage Ivanti Queue | | **Archive Tracking** | Automatic detection of disappeared/returned findings with BU reassignment classification |
| `admin` | All editor permissions plus: delete documents, delete reports, manage users, view audit logs | | **Findings Trend** | Historical open vs closed chart with archive activity sparkline and shift reason tooltips |
| **Jira Integration** | Create, sync, and track Jira Data Center tickets linked to CVE/vendor pairs |
Sessions expire after 24 hours. Session tokens are stored in `httpOnly` cookies. | **Archer Tickets** | Track risk acceptance exceptions (EXC numbers) linked to findings |
| **CARD API** | Granite/CARD asset lookup integration for network device workflows |
--- | **Knowledge Base** | Internal document library with inline PDF/Markdown viewing |
| **Access Control** | Four user groups (Admin, Standard_User, Leadership, Read_Only) with full audit trail |
### Home — CVE Management
## Project Structure
The home page is the primary CVE research and tracking tool.
**CVE List**
- Search CVEs by keyword (matches CVE ID, vendor, description)
- Filter by vendor, severity (Critical / High / Medium / Low), and status
- Color-coded severity badges: Critical (red), High (amber), Medium (sky blue), Low (green)
- Paginated list view
**CVE Operations (editor/admin)**
- Add a new CVE entry — NVD auto-fill populates description, severity, and published date automatically
- Edit any field on an existing CVE entry
- Update status for all vendor rows matching a CVE ID in one click
- Delete a single vendor entry or all vendor entries for a CVE ID
- The same CVE ID can be tracked across multiple vendors independently
**Document Management**
- Upload documents attached to a CVE/vendor pair
- Supported document types: `advisory`, `email`, `screenshot`, `patch`, `other`
- Allowed file extensions: PDF, images (PNG, JPG, GIF, BMP, TIFF), Office documents (DOC, DOCX, XLS, XLSX, PPT, PPTX), text files (TXT, MD, CSV, LOG), email files (MSG, EML), and others (RTF, HTML, XML, JSON, YAML, ODF variants, ZIP, GZ, TAR, 7Z)
- File size limit: 10 MB per upload
- Admins can delete documents
**NVD Integration**
- Auto-fill CVE description, severity, and published date from the NIST NVD API 2.0 when adding a new CVE
- Bulk NVD Sync (editor/admin): fetch updated metadata for all CVEs in the database in one operation
- CVSS severity cascade: v3.1 preferred, then v3.0, then v2.0
- Rate-limit aware: respects NVD's 5 req/30s unauthenticated limit; with `NVD_API_KEY` the limit increases to 50 req/30s
**Archer Ticket Quick Navigation**
- Archer EXC numbers shown on CVE rows
- Clicking an EXC badge navigates to the Reporting page pre-filtered to findings with that EXC number
**Calendar Widget**
- Shows current month with red dot indicators on dates where Ivanti findings are due
- Click a date to navigate to the Reporting page filtered to that due date
---
### Reporting — Host Findings
The Reporting page is the core operational view for remediation tracking. It integrates with Ivanti/RiskSense to show all host findings for the configured business units.
#### Syncing Data
Click **Sync** (top right) to pull the latest findings from Ivanti. The sync:
1. Fetches all open host findings matching your BU filters and severity range (8.59.9 VRR)
2. Fetches the closed finding count separately
3. Sweeps closed findings to capture FP workflow states (including Approved FPs now closed)
4. Stores everything in the local SQLite cache
Findings are also auto-synced on a 24-hour schedule. The last sync timestamp is shown at the top of the page.
> `IVANTI_API_KEY` must be set in `backend/.env` for sync to work.
#### Metric Charts
| Chart | What it shows |
|---|---|
| **Open vs Closed** | Total open vs closed host findings direct from the Ivanti API |
| **Action Coverage** | Findings by action taken: FP Request · Archer Exception · Pending. Click a segment to filter the table. |
| **FP Finding Status** | How many *findings* are in each FP workflow state (Actionable, Requested, Reworked, Approved, Rejected, Expired) |
| **FP Workflow Status** | How many *unique FP# ticket IDs* are in each state — one ticket can cover many findings |
#### Findings Table
Each row represents a single Ivanti host finding.
| Column | Description |
|---|---|
| Finding ID | Ivanti finding identifier |
| Severity | Numerical VRR score with group label (CRITICAL / HIGH) |
| Title | Vulnerability title |
| CVEs | Associated CVE IDs — up to 2 shown, remainder as "+N" badge |
| Host | Hostname — inline editable |
| IP Address | Host IP address |
| DNS | DNS/FQDN — inline editable |
| Due Date | Remediation due date; red if overdue, amber if within 30 days |
| SLA | SLA status: OVERDUE / AT_RISK / WITHIN_SLA |
| BU | Business unit |
| Workflow | FP# ticket ID and state badge — colour-coded by urgency |
| Last Found | Last detection date from Ivanti |
| Notes | Free-form notes — inline editable, persists across syncs |
**Inline editing:** Click a Host or DNS cell to override the Ivanti value. An amber dot (●) marks overridden cells; use the revert button (↻) to restore the original. Overrides survive re-syncs.
**Filtering:** Click ⊙ on any column header for multi-select filtering. The `— empty —` option filters to findings with no value in that column. Multiple filters are ANDed. The Action Coverage chart also acts as a filter.
**Column management:** Toggle visibility and drag to reorder via the **Columns** button. Order and visibility persist to `localStorage`.
**Export:** Click **Export** to download the current filtered view as CSV or XLSX.
---
### Ivanti Queue
A personal staging list for batch-processing FP, Archer, and CARD workflows without context-switching into Ivanti mid-review.
**Adding items:** Check the checkbox at the far left of any finding row. A popover appears:
- For **FP** and **Archer** items: enter the Vendor / Platform (e.g., "Juniper MX", "Cisco IOS-XE")
- For **CARD** items: no vendor entry required — the IP address is captured automatically
- Select the workflow type: **FP**, **Archer**, or **CARD**
- Click **Add to Queue** — the row checkbox turns solid blue
**Queue panel:** Click the **Queue** button (top right of Reporting page) to open the slide-out panel:
- **CARD** items appear at the top in their own section with the IP address displayed
- **FP and Archer** items are grouped alphabetically by vendor below
- Badges show workflow type: amber = FP, sky = Archer, green = CARD
**Working the queue:**
- Check the green checkbox on an item to mark it complete (strikethrough at reduced opacity)
- Delete individual items with the trash icon, or select multiple and use **Delete (N)**
- **Clear Completed** removes all marked-complete items at once
Queue items are stored in the database, are **personal to your login**, and persist across sessions and page refreshes.
---
### Compliance — AEO Posture
The Compliance page tracks NTS-AEO team posture against the AEO compliance framework using weekly xlsx reports exported from the NTS_AEO reporting system.
#### Upload Workflow
Editors and admins can upload a new compliance report via the **Upload Report** button:
1. Drop or browse for the `NTS_AEO_YYYY_MM_DD.xlsx` file
2. The report is parsed server-side and a **diff preview** is shown — new violations, resolved items, and recurring items since the last upload
3. Click **Confirm Upload** to commit. The upload is recorded and the device table updates immediately.
The report date is extracted automatically from the filename.
#### Metric Health Cards
Each AEO metric (e.g., `2.3.4i`, `5.2.4`) is shown as a health card displaying:
- Compliance percentage vs target
- Status: Meets/Exceeds Target · Within 15% of Target · Below 15% of Target
Click a card to filter the device table to only devices failing that metric.
#### Device Table
Shows all devices currently failing one or more metrics (Active tab) or previously resolved (Resolved tab). Columns: Hostname, IP Address, Type, Failing Metrics, Times Seen. Click a row to open the detail panel.
#### Detail Panel
A slide-out panel for a selected device showing:
- **Failing Metrics** — each metric with surfaced extra fields (CVEs, SLA status, due date, OS, EoL, Splunk last seen, MFA software)
- For **2.3.x vulnerability metrics**: the `Ivanti_Vulnerability_ID` is displayed with a **View in Reporting →** button that navigates directly to the Reporting page
- **Resolved Metrics** — previously failing metrics now back in compliance
- **History** — how many times the device has appeared on the report and since when
- **Notes** — timestamped notes per metric with a multi-metric selector if multiple metrics are failing
Notes persist across uploads and are keyed to the device hostname and metric ID.
#### Teams
Only **STEAM** and **ACCESS-ENG** teams are tracked. The team selector at the top of the page switches context between them.
---
### Knowledge Base
A document library for internal reference material — policies, runbooks, vendor advisories, and process guides.
- Upload documents with a title, optional description, and category
- View documents inline in the browser (PDFs render in an iframe; Markdown files render as HTML)
- Download any document
- Filter and browse by category
- Editors and admins can upload and delete; all authenticated users can view
Allowed file types: PDF, Markdown, TXT, Office documents (DOC, DOCX, XLS, XLSX, PPT, PPTX), HTML, JSON, YAML, and images (PNG, JPG, GIF).
---
### Exports
Bulk export tools for reports and data extracts.
---
### Archer Risk Acceptance Tickets
Track Archer exception tickets (EXC numbers) linked to specific CVE/vendor pairs.
- EXC number format: `EXC-NNNNN`
- Statuses: `Draft`, `Open`, `Under Review`, `Accepted`
- Optional Archer URL field for deep-linking to the Archer record
- Filter tickets by CVE ID, vendor, or status
- Clicking an EXC badge on the Home page navigates to the Reporting page pre-filtered to findings with that EXC number in their notes
---
### User Management (Admin)
- Create users with a role assignment
- Change username, email, password, role, or active status
- Deactivating a user immediately invalidates all their active sessions
- Admins cannot demote themselves or deactivate their own account
---
### Audit Log (Admin)
Every state-changing action is recorded with the user identity, IP address, action type, target entity, and a before/after payload. Admins can view the log filtered by user, action type, entity type, and date range. Results are paginated (25 per page).
---
## Scripts
### `backend/scripts/parse_compliance_xlsx.py`
Called automatically by the compliance upload flow. Parses the NTS_AEO xlsx report and outputs structured JSON to stdout for consumption by the Node compliance route.
- Reads all detail sheets; skips `Summary` and `CMDB_9box`
- Filters to rows where `Compliant == False`
- Extracts hostname, IP, device type, team, and metric ID per row
- Captures all non-core columns in `extra_json` (CVEs, SLA status, OS, EoL, Splunk, MFA, Ivanti_Vulnerability_ID, etc.)
- Parses `Summary` sheet for per-team metric health (compliance_pct, target, status)
- Extracts report date from the filename (`NTS_AEO_YYYY_MM_DD.xlsx`)
**Dependencies:** `pandas>=2.0.0`, `openpyxl>=3.0.0`
---
### `backend/scripts/import_notes_from_csv.py`
Bulk-import notes into the findings cache from a CSV file. Useful for onboarding existing notes or migrating from a spreadsheet.
**CSV format:**
```csv
ID,NOTES
12345678,EXC-5754
87654321,Patched in Feb maintenance window
```
**Usage:**
```bash
cd backend/scripts
# Preview what would be imported (no writes)
python3 import_notes_from_csv.py input.csv --dry-run
# Import against the default database path
python3 import_notes_from_csv.py input.csv
# Import against a specific database
python3 import_notes_from_csv.py input.csv --db /path/to/cve_database.db
```
| Argument | Description |
|---|---|
| `csv_file` | Path to the input CSV (required) |
| `--db` | Path to the SQLite database (default: `../cve_database.db`) |
| `--dry-run` | Preview changes without writing to the database |
- Notes longer than 255 characters are truncated with a warning
- Finding IDs not present in the active Ivanti cache are skipped
- Uses UPSERT — running the same CSV twice is safe
**Dependencies:** Python stdlib only (no pip install required).
---
## API Reference
All endpoints are prefixed with `/api`. All endpoints except `/api/auth/login` and `/api/auth/logout` require a valid session cookie.
### Auth
| Method | Path | Auth | Description |
|---|---|---|---|
| POST | `/api/auth/login` | Public | Log in, receive session cookie |
| POST | `/api/auth/logout` | Public | Invalidate session |
| GET | `/api/auth/me` | Session | Get current user info |
| POST | `/api/auth/cleanup-sessions` | Session | Delete expired sessions |
### CVEs
| Method | Path | Role | Description |
|---|---|---|---|
| GET | `/api/cves` | viewer+ | List CVEs; query params: `search`, `vendor`, `severity`, `status` |
| POST | `/api/cves` | editor+ | Create a new CVE entry |
| PUT | `/api/cves/:id` | editor+ | Update a CVE entry by row ID |
| PATCH | `/api/cves/:cveId/status` | editor+ | Update status for all vendor rows matching a CVE ID |
| DELETE | `/api/cves/:id` | editor+ | Delete a single CVE vendor entry |
| DELETE | `/api/cves/by-cve-id/:cveId` | editor+ | Delete all vendor entries for a CVE ID |
| GET | `/api/cves/check/:cveId` | viewer+ | Quick check: existence and status of a CVE |
| GET | `/api/cves/distinct-ids` | viewer+ | All distinct CVE IDs (used by NVD sync) |
| GET | `/api/cves/:cveId/vendors` | viewer+ | All vendor entries for a specific CVE ID |
### Documents
| Method | Path | Role | Description |
|---|---|---|---|
| GET | `/api/cves/:cveId/documents` | viewer+ | List documents for a CVE; optional `?vendor=` filter |
| POST | `/api/cves/:cveId/documents` | editor+ | Upload a document for a CVE/vendor pair |
| DELETE | `/api/documents/:id` | admin | Delete a document and its file from disk |
### NVD
| Method | Path | Role | Description |
|---|---|---|---|
| GET | `/api/nvd/lookup/:cveId` | viewer+ | Look up a single CVE in the NVD 2.0 API |
| POST | `/api/cves/nvd-sync` | editor+ | Bulk update CVE metadata from NVD |
### Ivanti — Host Findings
| Method | Path | Role | Description |
|---|---|---|---|
| GET | `/api/ivanti/findings` | viewer+ | Get cached findings with notes and overrides merged in |
| POST | `/api/ivanti/findings/sync` | viewer+ | Trigger an immediate findings sync from Ivanti |
| GET | `/api/ivanti/findings/counts` | viewer+ | Open vs closed finding totals |
| GET | `/api/ivanti/findings/fp-workflow-counts` | viewer+ | FP workflow state breakdown |
| PUT | `/api/ivanti/findings/:findingId/override` | editor+ | Override `hostName` or `dns`; empty value clears the override |
| PUT | `/api/ivanti/findings/:findingId/note` | viewer+ | Save or update a finding note (max 255 chars) |
### Ivanti — Workflows
| Method | Path | Role | Description |
|---|---|---|---|
| GET | `/api/ivanti/workflows` | viewer+ | Get cached workflow data |
| POST | `/api/ivanti/workflows/sync` | viewer+ | Trigger an immediate workflow sync |
### Ivanti Queue
| Method | Path | Role | Description |
|---|---|---|---|
| GET | `/api/ivanti/queue` | viewer+ | Get all queue items for the current user |
| POST | `/api/ivanti/queue` | editor+ | Add a finding to the queue |
| PATCH | `/api/ivanti/queue/:id` | editor+ | Update a queue item (mark complete, edit vendor/type) |
| DELETE | `/api/ivanti/queue/:id` | editor+ | Delete a single queue item |
| DELETE | `/api/ivanti/queue` | editor+ | Delete multiple queue items (body: `{ ids: [...] }`) |
### Compliance
| Method | Path | Role | Description |
|---|---|---|---|
| POST | `/api/compliance/preview` | editor+ | Parse an xlsx upload and return diff + temp file path |
| POST | `/api/compliance/commit` | editor+ | Commit a previewed upload to the database |
| GET | `/api/compliance/uploads` | viewer+ | List all compliance upload records |
| GET | `/api/compliance/summary` | viewer+ | Metric health summary; `?team=STEAM` |
| GET | `/api/compliance/items` | viewer+ | Device list; `?team=STEAM&status=active` |
| GET | `/api/compliance/items/:hostname` | viewer+ | Full detail for a device (metrics + notes) |
| GET | `/api/compliance/notes/:hostname/:metricId` | viewer+ | Notes for a specific hostname/metric |
| POST | `/api/compliance/notes` | editor+ | Add a note for a hostname/metric |
### Knowledge Base
| Method | Path | Role | Description |
|---|---|---|---|
| POST | `/api/knowledge-base/upload` | editor+ | Upload a new knowledge base document |
| GET | `/api/knowledge-base` | viewer+ | List all articles |
| GET | `/api/knowledge-base/:id` | viewer+ | Get article metadata |
| GET | `/api/knowledge-base/:id/content` | viewer+ | Get file content for inline display |
| GET | `/api/knowledge-base/:id/download` | viewer+ | Download the file |
| DELETE | `/api/knowledge-base/:id` | editor+ | Delete article and file |
### Archer Tickets
| Method | Path | Role | Description |
|---|---|---|---|
| GET | `/api/archer-tickets` | viewer+ | List tickets; optional filters: `cve_id`, `vendor`, `status` |
| POST | `/api/archer-tickets` | editor+ | Create a new Archer ticket |
| PUT | `/api/archer-tickets/:id` | editor+ | Update an Archer ticket |
| DELETE | `/api/archer-tickets/:id` | editor+ | Delete an Archer ticket |
### Users (Admin only)
| Method | Path | Role | Description |
|---|---|---|---|
| GET | `/api/users` | admin | List all users |
| GET | `/api/users/:id` | admin | Get a single user |
| POST | `/api/users` | admin | Create a user |
| PATCH | `/api/users/:id` | admin | Update a user |
| DELETE | `/api/users/:id` | admin | Delete a user |
### Audit Logs (Admin only)
| Method | Path | Role | Description |
|---|---|---|---|
| GET | `/api/audit-logs` | admin | Paginated audit log; filters: `user`, `action`, `entityType`, `startDate`, `endDate` |
| GET | `/api/audit-logs/actions` | admin | List distinct action types for filter dropdowns |
### Utility
| Method | Path | Role | Description |
|---|---|---|---|
| GET | `/api/vendors` | viewer+ | List all distinct vendor names |
| GET | `/api/stats` | viewer+ | Dashboard statistics |
---
## Architecture
``` ```
cve-dashboard/ cve-dashboard/
├── start-servers.sh # Start backend + frontend in background
├── stop-servers.sh # Stop all servers
├── backend/ ├── backend/
│ ├── server.js # Express app — routes, middleware, security headers │ ├── server.js # Express API server
│ ├── setup.js # One-time DB initialization and default admin creation │ ├── db.js # PostgreSQL connection pool (pg)
│ ├── cve_database.db # SQLite database (gitignored) │ ├── db-schema.sql # Complete DDL for fresh Postgres setup
│ ├── uploads/ # File storage root (gitignored) │ ├── setup-postgres.js # Schema initializer (runs db-schema.sql)
│ ├── <CVE-ID>/<vendor>/ # CVE documents │ ├── routes/ # API route handlers
│ ├── knowledge_base/ # Knowledge base documents │ ├── helpers/ # API clients (Ivanti, Jira, Atlas, CARD)
│ └── temp/ # Temporary upload staging ├── middleware/ # Auth middleware
│ ├── routes/ │ ├── migrations/ # Schema migrations (legacy SQLite deployments)
│ ├── auth.js # Login, logout, session check └── scripts/ # Compliance parser, data import utilities
│ │ ├── users.js # User CRUD (admin) ├── frontend/
│ ├── auditLog.js # Audit log viewer (admin) │ ├── src/
│ │ ├── nvdLookup.js # NVD API proxy │ │ ├── App.js # Main app with routing
│ │ ├── knowledgeBase.js # Knowledge base document management │ │ ├── components/ # React components
│ │ ── archerTickets.js # Archer EXC ticket CRUD │ │ ── contexts/ # Auth context
│ ├── ivantiWorkflows.js # Ivanti workflow batch sync and cache └── public/
│ │ ├── ivantiFindings.js # Ivanti host findings sync, notes, overrides, FP counts ├── docs/
│ ├── ivantiTodoQueue.js # Ivanti Queue — personal FP/Archer/CARD staging list │ ├── api/ # API specs (Ivanti, Atlas, Jira)
│ └── compliance.js # AEO compliance upload, diff, device tracking, notes ├── design/ # Design system, workflow diagrams
│ ├── middleware/ │ ├── guides/ # User guides, full reference manual
│ └── auth.js # requireAuth and requireRole middleware ├── security/ # Security audits and remediation plans
│ ├── helpers/ │ ├── testing/ # Test plans and scripts
│ ├── auditLog.js # logAudit helper (fire-and-forget) └── troubleshooting/ # Investigation scripts and reports
│ ├── migrations/ ├── docker-compose.yml # PostgreSQL 16 container definition
│ │ ├── add_knowledge_base_table.js ├── scripts/
│ ├── add_archer_tickets_table.js └── deploy-postgres.sh # One-time deployment: container, schema, migration
├── add_ivanti_sync_table.js ├── systemd/ # systemd service files
│ │ ├── add_ivanti_findings_tables.js ├── start-servers.sh
│ │ ├── add_ivanti_todo_queue_table.js # Ivanti Queue table └── stop-servers.sh
│ │ ├── add_card_workflow_type.js # CARD workflow type support
│ │ ├── add_todo_queue_ip_address.js # IP address column on queue items
│ │ └── add_compliance_tables.js # AEO compliance tables
│ └── scripts/
│ ├── parse_compliance_xlsx.py # Parses NTS_AEO xlsx compliance reports
│ ├── import_notes_from_csv.py # Bulk-import finding notes from CSV
│ └── requirements.txt # pandas, openpyxl
└── frontend/
└── src/
├── App.js # Home dashboard — CVE list, filters, modals, calendar
├── App.css # Global styles and CSS variables
├── contexts/
│ └── AuthContext.js # Auth state provider (login, logout, role helpers)
└── components/
├── LoginForm.js # Login page
├── NavDrawer.js # Side navigation drawer
├── UserMenu.js # User dropdown in header
├── CalendarWidget.js # Due-date calendar with Ivanti finding indicators
├── UserManagement.js # Admin user management panel
├── AuditLog.js # Admin audit log viewer
├── NvdSyncModal.js # Bulk NVD sync dialog
├── KnowledgeBaseModal.js # Knowledge base upload/list modal
├── KnowledgeBaseViewer.js # Inline document viewer
└── pages/
├── ReportingPage.js # Host findings: charts, table, queue, export
├── CompliancePage.js # AEO compliance: metric cards, device table
├── ComplianceUploadModal.js # xlsx upload with diff preview
├── ComplianceDetailPanel.js # Per-device metrics, history, notes
├── KnowledgeBasePage.js # Knowledge base page
└── ExportsPage.js # Exports page
``` ```
--- ## Tech Stack
## Database Schema | Layer | Technology |
|-------|------------|
| Backend | Node.js 18+, Express 5 |
| Database | PostgreSQL 16 (Docker, port 5433) |
| Frontend | React 19, Recharts, Lucide React |
| Auth | bcryptjs, cookie-based sessions, express-rate-limit |
| Compliance | Python 3, pandas, openpyxl |
### Core tables (created by `setup.js`) ## Documentation
**`cves`** — One row per CVE/vendor pair. `UNIQUE(cve_id, vendor)`. - **[Full Reference Manual](docs/guides/full-reference-manual.md)** — comprehensive feature documentation, API reference, database schema, security model, and configuration details
- **[Postgres Migration Plan](docs/guides/postgres-migration-plan.md)** — architecture decisions, schema design, and cutover procedure for the SQLite to PostgreSQL migration
- **[Migration Guide](backend/migrations/README.md)** — schema migration scripts for upgrading existing deployments
- **[Design System](docs/design/design-system.md)** — UI component patterns and color system
- **[Ivanti API Reference](docs/api/ivanti-api-reference.md)** — Ivanti/RiskSense API integration details
- **[Jira API Use Cases](docs/api/jira-api-use-cases.md)** — Jira Data Center API compliance summary
**`documents`** — Files attached to a CVE/vendor pair. Foreign key to `cves(cve_id)`. ## License
**`required_documents`** — Vendor-specific document requirements. Internal use only — Charter Communications / NTS-AEO.
**`users`** — Accounts with roles: `admin`, `editor`, `viewer`.
**`sessions`** — Active sessions with 24-hour expiry.
**`audit_logs`** — Append-only log of all state-changing actions.
### Feature tables (added by migrations)
**`knowledge_base`** — Document library entries with title, slug, category, description, and file metadata.
**`archer_tickets`** — Archer EXC exception tickets linked to CVE/vendor pairs. `UNIQUE(exc_number)`.
**`ivanti_sync_state`** — Single-row cache for Ivanti workflow batch data.
**`ivanti_findings_cache`** — Single-row cache for Ivanti host findings.
**`ivanti_finding_notes`** — Persistent per-finding notes keyed by finding ID. Survives cache refreshes. `UNIQUE(finding_id)`.
**`ivanti_counts_cache`** — Single-row cache for finding metrics: open/closed counts, FP workflow state breakdowns by finding and by unique ticket ID.
**`ivanti_finding_overrides`** — Editor-applied overrides for `hostName` and `dns` fields. `UNIQUE(finding_id, field)`.
**`ivanti_todo_queue`** — Personal per-user queue of findings staged for FP, Archer, or CARD processing. Keyed by `(user_id, finding_id)`.
**`compliance_uploads`** — Record of each compliance xlsx upload: filename, report date, uploader, timestamp, and new/resolved/recurring counts.
**`compliance_items`** — One row per device/metric violation. Tracks hostname, IP, device type, team, metric ID, category, `extra_json` (all non-core xlsx columns), status (active/resolved), first seen upload, and times seen. Identity key: `(hostname, metric_id)`.
**`compliance_notes`** — Timestamped notes per hostname/metric. Multiple notes per combination are supported. Foreign-key linked to compliance items.
### View
**`cve_document_status`** — Aggregates document counts per CVE/vendor and derives a `compliance_status` (`Complete` when an advisory is present, otherwise `Missing Required Docs`).
--- ---
## Security Model *Designed and built by Jordan Ramos (jordan.ramos@spectrum.com)*
### File upload security
- Extension allowlist enforced by Multer; executables (`.exe`, `.js`, `.sh`, `.py`, `.bat`, etc.) are blocked
- MIME type prefix validation in addition to extension checking
- 10 MB per-file size limit
- Filenames are sanitized: path separators, `..` sequences, null bytes, and non-alphanumeric characters are removed
### Path traversal prevention
- `sanitizePathSegment()` strips `/`, `\`, `..`, and null bytes from any value used in `path.join()`
- `isPathWithinUploads()` verifies resolved paths stay within the uploads root before any file operation
### Input validation
- CVE ID must match `/^CVE-\d{4}-\d{4,}$/`
- Severity must be one of: `Critical`, `High`, `Medium`, `Low`
- Status must be one of: `Open`, `Addressed`, `In Progress`, `Resolved`
- Archer EXC numbers must match `/^EXC-\d+$/`
- Finding override field must be one of: `hostName`, `dns`
- All database operations use prepared statements — no string interpolation in SQL
### Error handling
- 500 responses never expose internal error messages to the client
- Full errors are logged server-side only
- Descriptive 400/409 responses contain only application-authored validation messages
### Security headers
Applied to all responses:
- `X-Content-Type-Options: nosniff`
- `X-Frame-Options: SAMEORIGIN`
- `X-XSS-Protection: 1; mode=block`
- `Referrer-Policy: strict-origin-when-cross-origin`
- `Permissions-Policy: camera=(), microphone=(), geolocation=()`
### Session cookies
`httpOnly: true`, `sameSite: lax`, `secure: true` in production (`NODE_ENV=production`).
---
## Migrations
Migrations are standalone Node.js scripts. Run them in the listed order on a fresh install. All use `CREATE TABLE IF NOT EXISTS` or `ALTER TABLE ... ADD COLUMN IF NOT EXISTS` and are safe to re-run.
```bash
cd backend
node migrations/add_knowledge_base_table.js
node migrations/add_archer_tickets_table.js
node migrations/add_ivanti_sync_table.js
node migrations/add_ivanti_findings_tables.js
node migrations/add_ivanti_todo_queue_table.js
node migrations/add_card_workflow_type.js
node migrations/add_todo_queue_ip_address.js
node migrations/add_compliance_tables.js
```
For deployments upgrading from an older schema, the following legacy migration scripts are also available in `backend/`:
- `migrate_multivendor.js` — Adds multi-vendor support to an older single-vendor schema
- `migrate-audit-log.js` — Adds the `audit_logs` table to pre-auth deployments
- `migrate-to-1.1.js` — General 1.0 → 1.1 schema update
> Several columns (`fp_workflow_counts_json`, `fp_id_counts_json`, `seen_count`, `summary_json`) are added automatically via idempotent `ALTER TABLE` statements each time the server starts. No manual re-run is needed.

59
backend/.env.example
View File

@@ -3,6 +3,10 @@ PORT=3001
API_HOST=localhost API_HOST=localhost
CORS_ORIGINS=http://localhost:3000 CORS_ORIGINS=http://localhost:3000
# Session secret — REQUIRED. Server will not start without this.
# Generate with: openssl rand -base64 32
SESSION_SECRET=
# NVD API Key (optional - increases rate limit from 5 to 50 requests per 30s) # NVD API Key (optional - increases rate limit from 5 to 50 requests per 30s)
# Request one at https://nvd.nist.gov/developers/request-an-api-key # Request one at https://nvd.nist.gov/developers/request-an-api-key
NVD_API_KEY= NVD_API_KEY=
@@ -13,5 +17,60 @@ IVANTI_API_KEY=
IVANTI_CLIENT_ID=1550 IVANTI_CLIENT_ID=1550
IVANTI_FIRST_NAME= IVANTI_FIRST_NAME=
IVANTI_LAST_NAME= IVANTI_LAST_NAME=
# Comma-separated list of BU values to sync from Ivanti.
# Broadening this pulls findings for additional BUs into the local cache.
# Users see only their assigned teams' findings (filtered at query time).
# Default if unset: NTS-AEO-ACCESS-ENG,NTS-AEO-STEAM
IVANTI_BU_FILTER=NTS-AEO-ACCESS-ENG,NTS-AEO-STEAM
# Comma-separated list of BUs considered "managed" for drift classification.
# Findings leaving these BUs are classified as bu_reassignment in the archive.
# Default if unset: NTS-AEO-ACCESS-ENG,NTS-AEO-STEAM
IVANTI_MANAGED_BUS=NTS-AEO-ACCESS-ENG,NTS-AEO-STEAM
# Set to true if behind Charter's SSL inspection proxy (replicates Python verify=False) # Set to true if behind Charter's SSL inspection proxy (replicates Python verify=False)
IVANTI_SKIP_TLS=false IVANTI_SKIP_TLS=false
# Atlas InfoSec API (atlas-infosec.caas.charterlab.com)
# Service account credentials for Basic Auth — used to sync and manage action plans
ATLAS_API_URL=
ATLAS_API_USER=
ATLAS_API_PASS=
# Set to true if behind Charter's SSL inspection proxy (disables TLS cert verification)
ATLAS_SKIP_TLS=false
# Jira Data Center REST API
# VPN or Charter Network connection required for all Jira instances.
# Service accounts use Basic Auth (JIRA_API_USER + JIRA_API_TOKEN).
# PATs require ATLSUP approval and naming convention: Function - Team - ATLSUP-XXXXX
# Rate limits: 1440 requests/day, burst of 60/minute.
JIRA_BASE_URL=
JIRA_AUTH_METHOD=basic
# Basic Auth — service account credentials
JIRA_API_USER=
JIRA_API_TOKEN=
# PAT Auth — set JIRA_AUTH_METHOD=pat to use
JIRA_PAT=
# Default project key and issue type for creating issues from the dashboard
JIRA_PROJECT_KEY=
JIRA_ISSUE_TYPE=Task
# Set to true if behind Charter's SSL inspection proxy
JIRA_SKIP_TLS=false
# CARD Asset Ownership API (card.charter.com / card.caas.stage.charterlab.com)
# OAuth Bearer token auth — service account must be onboarded with the CARD team.
# Tokens are acquired automatically via Basic Auth and cached for 1 hour.
CARD_API_URL=
CARD_API_USER=
CARD_API_PASS=
# Set to true if behind Charter's SSL inspection proxy
CARD_SKIP_TLS=false
# PostgreSQL Database (Docker container steam-postgres)
# If set, the backend uses Postgres instead of SQLite.
# Format: postgresql://user:password@host:port/database
DATABASE_URL=postgresql://steam:<password>@localhost:5433/cve_dashboard
# GitLab Feedback Integration (bug reports and feature requests from the dashboard)
# PAT needs 'api' scope. Project ID is the numeric ID from GitLab project settings.
GITLAB_URL=http://steam-gitlab.charterlab.com
GITLAB_PROJECT_ID=
GITLAB_PAT=

48
backend/__tests__/auth-password-change.property.test.js Normal file
View File

@@ -0,0 +1,48 @@
/**
* Property-Based Test: Password Change Round-Trip
*
* Feature: user-profile, Property 3: Password change round-trip
*
* For any valid current password and any new password of 8+ characters,
* after a successful change, bcrypt.compare(newPassword, storedHash) returns true.
*
* Validates: Requirements 2.2, 2.7
*/
const fc = require('fast-check');
const bcrypt = require('bcryptjs');
// bcrypt cost factor — production uses 10, but we use 4 (the minimum) here
// to keep 100 iterations feasible within test timeouts. The round-trip property
// holds regardless of cost factor.
const BCRYPT_COST = 4;
describe('Feature: user-profile, Property 3: Password change round-trip', () => {
it('after a password change, bcrypt.compare(newPassword, newHash) returns true', async () => {
await fc.assert(
fc.asyncProperty(
// Current password: any non-empty string (length >= 1)
fc.string({ minLength: 1, maxLength: 72 }),
// New password: any string of length >= 8 (bcrypt max input is 72 bytes)
fc.string({ minLength: 8, maxLength: 72 }),
async (currentPassword, newPassword) => {
// Step 1: Hash the current password (simulates existing stored hash)
const currentHash = await bcrypt.hash(currentPassword, BCRYPT_COST);
// Step 2: Verify the current password against the stored hash
// (simulates the bcrypt.compare check in the change-password route)
const currentPasswordValid = await bcrypt.compare(currentPassword, currentHash);
expect(currentPasswordValid).toBe(true);
// Step 3: Hash the new password (simulates bcrypt.hash(newPassword, 10) in the route)
const newHash = await bcrypt.hash(newPassword, BCRYPT_COST);
// Step 4: Verify the new password matches the new hash (round-trip property)
const newPasswordValid = await bcrypt.compare(newPassword, newHash);
expect(newPasswordValid).toBe(true);
}
),
{ numRuns: 100 }
);
}, 120000); // 2-minute timeout for 100 bcrypt iterations
});

84
backend/__tests__/auth-profile-completeness.property.test.js Normal file
View File

@@ -0,0 +1,84 @@
/**
* Property-Based Test: Profile API Returns Complete User Data Matching Database
*
* Feature: user-profile, Property 2: Profile API returns complete user data matching database
*
* For any active user record, the profile route's mapping logic produces a
* response object with all 6 required fields (id, username, email, group,
* created_at, last_login) and each value matches the corresponding column
* in the users table. The `group` field maps from the `user_group` column.
*
* Validates: Requirements 4.1
*/
const fc = require('fast-check');
/**
* Simulates the exact mapping logic from GET /api/auth/profile in routes/auth.js:
*
* res.json({
* id: user.id,
* username: user.username,
* email: user.email,
* group: user.user_group,
* created_at: user.created_at,
* last_login: user.last_login
* });
*/
function mapUserRowToProfileResponse(user) {
return {
id: user.id,
username: user.username,
email: user.email,
group: user.user_group,
created_at: user.created_at,
last_login: user.last_login
};
}
describe('Feature: user-profile, Property 2: Profile API returns complete user data matching database', () => {
it('profile response contains all 6 required fields matching the database row', () => {
fc.assert(
fc.property(
// Generate arbitrary user rows matching the users table schema
fc.record({
id: fc.integer({ min: 1, max: 1000000 }),
username: fc.string({ minLength: 1, maxLength: 50 }),
email: fc.string({ minLength: 3, maxLength: 255 }),
user_group: fc.constantFrom('Admin', 'Standard_User', 'Read_Only'),
created_at: fc.integer({ min: 1577836800000, max: 1924991999000 })
.map(ts => new Date(ts).toISOString().replace('T', ' ').slice(0, 19)),
last_login: fc.oneof(
fc.integer({ min: 1577836800000, max: 1924991999000 })
.map(ts => new Date(ts).toISOString().replace('T', ' ').slice(0, 19)),
fc.constant(null)
),
is_active: fc.constant(1)
}),
(userRow) => {
const response = mapUserRowToProfileResponse(userRow);
// Assert all 6 required fields are present
expect(response).toHaveProperty('id');
expect(response).toHaveProperty('username');
expect(response).toHaveProperty('email');
expect(response).toHaveProperty('group');
expect(response).toHaveProperty('created_at');
expect(response).toHaveProperty('last_login');
// Assert each value matches the corresponding database column
expect(response.id).toBe(userRow.id);
expect(response.username).toBe(userRow.username);
expect(response.email).toBe(userRow.email);
expect(response.group).toBe(userRow.user_group); // group maps from user_group
expect(response.created_at).toBe(userRow.created_at);
expect(response.last_login).toBe(userRow.last_login);
// Assert exactly 6 keys — no extra fields leaked
expect(Object.keys(response)).toHaveLength(6);
}
),
{ numRuns: 100 }
);
});
});

39
backend/__tests__/auth-short-password.property.test.js Normal file
View File

@@ -0,0 +1,39 @@
/**
* Property-Based Test: Short Passwords Are Rejected (Server-Side)
*
* Feature: user-profile, Property 6 (server-side): Short passwords are rejected
*
* For any string of length 0 to 7, the server-side validation logic
* (newPassword.length < 8) correctly identifies them as too short,
* meaning the password change would return 400 and the stored hash
* would remain unchanged.
*
* Validates: Requirements 2.5, 5.4
*/
const fc = require('fast-check');
describe('Feature: user-profile, Property 6 (server-side): Short passwords are rejected', () => {
it('any string of length 07 is rejected by the server-side length validation', () => {
fc.assert(
fc.property(
// Generate arbitrary strings of length 0 to 7
fc.string({ minLength: 0, maxLength: 7 }),
(shortPassword) => {
// This is the exact validation check from POST /api/auth/change-password:
// if (newPassword.length < 8) return res.status(400).json({ error: '...' })
const wouldBeRejected = shortPassword.length < 8;
// Every generated string must be rejected by the validation
expect(wouldBeRejected).toBe(true);
// The stored hash remains unchanged because the route returns
// early before reaching the bcrypt.hash / UPDATE query.
// This is a structural guarantee — the early return prevents
// any mutation of the password_hash column.
}
),
{ numRuns: 100 }
);
});
});

53
backend/__tests__/auth-wrong-password.property.test.js Normal file
View File

@@ -0,0 +1,53 @@
/**
* Property-Based Test: Incorrect Current Password Is Always Rejected
*
* Feature: user-profile, Property 4: Incorrect current password is always rejected
*
* For any password string that does not match the user's current password,
* the endpoint returns 401 and the stored hash remains unchanged.
*
* Validates: Requirements 2.3
*/
const fc = require('fast-check');
const bcrypt = require('bcryptjs');
// bcrypt cost factor — production uses 10, but we use 4 (the minimum) here
// to keep 100 iterations feasible within test timeouts. The rejection property
// holds regardless of cost factor.
const BCRYPT_COST = 4;
describe('Feature: user-profile, Property 4: Incorrect current password is always rejected', () => {
it('bcrypt.compare rejects any wrong password and the stored hash remains unchanged', async () => {
await fc.assert(
fc.asyncProperty(
// Current password: any non-empty string (bcrypt max input is 72 bytes)
fc.string({ minLength: 1, maxLength: 72 }),
// Wrong password: any non-empty string (will be filtered to differ from current)
fc.string({ minLength: 1, maxLength: 72 }),
async (currentPassword, wrongPassword) => {
// Ensure the wrong password is always different from the current password
fc.pre(wrongPassword !== currentPassword);
// Step 1: Hash the current password (simulates existing stored hash)
const currentHash = await bcrypt.hash(currentPassword, BCRYPT_COST);
// Capture the hash before the failed attempt
const hashBefore = currentHash;
// Step 2: Attempt to verify the wrong password against the stored hash
// (simulates the bcrypt.compare check in the change-password route)
const isValid = await bcrypt.compare(wrongPassword, currentHash);
// The wrong password must always be rejected
expect(isValid).toBe(false);
// Step 3: The stored hash remains unchanged after the failed attempt
// (no mutation should occur on rejection)
expect(currentHash).toBe(hashBefore);
}
),
{ numRuns: 100 }
);
}, 120000); // 2-minute timeout for 100 bcrypt iterations
});

108
backend/__tests__/fp-submissions-cleanup.property.test.js Normal file
View File

@@ -0,0 +1,108 @@
/**
* Property-Based Tests: FP Submissions Cleanup
*
* Feature: fp-submissions-cleanup
*
* Tests the pure filtering functions used to determine which FP submissions
* are visible in the Queue Panel and which show the dismiss button.
*
* Validates: Requirements 1.1, 2.1, 2.2, 2.3
*/
const fc = require('fast-check');
// Mock db pool before importing the route module (avoids DATABASE_URL requirement)
jest.mock('../db', () => ({
query: jest.fn(() => Promise.resolve({ rows: [], rowCount: 0 })),
}));
// Mock dependencies that the route module imports
jest.mock('../helpers/auditLog', () => jest.fn());
jest.mock('../helpers/ivantiApi', () => ({
ivantiFormPost: jest.fn(),
ivantiPost: jest.fn(),
}));
const { filterVisibleSubmissions, shouldShowDismissButton } = require('../routes/ivantiFpWorkflow');
// --- Generators ---
const lifecycleStatusArb = fc.constantFrom('submitted', 'approved', 'rejected', 'rework', 'resubmitted');
const dismissedAtArb = fc.oneof(
fc.constant(null),
fc.date({ min: new Date('2020-01-01T00:00:00.000Z'), max: new Date('2030-12-31T00:00:00.000Z') })
.filter(d => !isNaN(d.getTime()))
.map(d => d.toISOString())
);
const submissionArb = fc.record({
id: fc.integer({ min: 1, max: 100000 }),
lifecycle_status: lifecycleStatusArb,
dismissed_at: dismissedAtArb,
user_id: fc.integer({ min: 1, max: 1000 }),
ivanti_workflow_batch_id: fc.string({ minLength: 1, maxLength: 20 })
});
const submissionsArrayArb = fc.array(submissionArb, { minLength: 0, maxLength: 50 });
// --- Property 1: Submission Visibility Filter ---
describe('Feature: fp-submissions-cleanup, Property 1: Submission Visibility Filter', () => {
/**
* For any array of FP submission objects with arbitrary lifecycle_status values
* and arbitrary dismissed_at values, filterVisibleSubmissions(submissions) should
* return only submissions where lifecycle_status is NOT "approved" AND dismissed_at
* is null. Additionally, every submission in the input that satisfies both conditions
* must appear in the output, and the output length must be <= input length.
*
* Validates: Requirements 1.1, 2.2, 2.3
*/
it('returns only non-approved and non-dismissed submissions', () => {
fc.assert(
fc.property(submissionsArrayArb, (submissions) => {
const result = filterVisibleSubmissions(submissions);
// Output length must be <= input length
expect(result.length).toBeLessThanOrEqual(submissions.length);
// Every item in the result must be non-approved and non-dismissed
for (const s of result) {
expect(s.lifecycle_status).not.toBe('approved');
expect(s.dismissed_at).toBeNull();
}
// Every input item that satisfies both conditions must appear in the output
const expected = submissions.filter(
s => s.lifecycle_status !== 'approved' && s.dismissed_at == null
);
expect(result).toEqual(expected);
}),
{ numRuns: 100 }
);
});
});
// --- Property 2: Dismiss Button Visibility Predicate ---
describe('Feature: fp-submissions-cleanup, Property 2: Dismiss Button Visibility Predicate', () => {
/**
* For any FP submission object with a lifecycle_status value drawn from
* {submitted, approved, rejected, rework, resubmitted} and a dismissed_at value
* (null or timestamp), the dismiss button should be rendered if and only if
* lifecycle_status === 'rejected' AND dismissed_at is null.
*
* Validates: Requirements 2.1
*/
it('returns true iff status is rejected and dismissed_at is null', () => {
fc.assert(
fc.property(submissionArb, (submission) => {
const result = shouldShowDismissButton(submission);
const expected = submission.lifecycle_status === 'rejected' && submission.dismissed_at == null;
expect(result).toBe(expected);
}),
{ numRuns: 100 }
);
});
});

240
backend/__tests__/fp-submissions-cleanup.test.js Normal file
View File

@@ -0,0 +1,240 @@
/**
* Unit and Integration Tests: FP Submissions Cleanup
*
* Feature: fp-submissions-cleanup
*
* Tests cover:
* - Dismiss endpoint (happy path, wrong status, ownership check, not found)
* - Filter edge cases (all approved, all dismissed, mixed, empty array)
* - Integration: dismissed submissions remain in DB but are excluded from filtered list
*/
const http = require('http');
const express = require('express');
// Mock auth middleware to bypass real session checks
jest.mock('../middleware/auth', () => ({
requireAuth: () => (req, res, next) => {
req.user = { id: 1, username: 'testuser', group: 'Admin' };
next();
},
requireGroup: () => (req, res, next) => next(),
}));
// Mock audit log as a no-op
jest.mock('../helpers/auditLog', () => jest.fn());
// Mock ivantiApi to avoid real network calls
jest.mock('../helpers/ivantiApi', () => ({
ivantiFormPost: jest.fn(),
ivantiPost: jest.fn(),
}));
// Mock the db pool
const mockPool = {
query: jest.fn(() => Promise.resolve({ rows: [], rowCount: 0 })),
};
jest.mock('../db', () => mockPool);
const createIvantiFpWorkflowRouter = require('../routes/ivantiFpWorkflow');
const { filterVisibleSubmissions, shouldShowDismissButton } = require('../routes/ivantiFpWorkflow');
// --- HTTP helper ---
function request(server, method, path, body) {
return new Promise((resolve, reject) => {
const addr = server.address();
const options = {
hostname: '127.0.0.1',
port: addr.port,
path,
method,
headers: { 'Content-Type': 'application/json' },
};
const req = http.request(options, (res) => {
const chunks = [];
res.on('data', (chunk) => chunks.push(chunk));
res.on('end', () => {
const body = Buffer.concat(chunks).toString();
let json;
try { json = JSON.parse(body); } catch (e) { json = null; }
resolve({ statusCode: res.statusCode, body: json });
});
});
req.on('error', reject);
if (body) req.write(JSON.stringify(body));
req.end();
});
}
// --- Dismiss Endpoint Tests (Task 8.1) ---
describe('PATCH /submissions/:id/dismiss', () => {
let app, server;
beforeAll((done) => {
app = express();
app.use(express.json());
app.use('/api/ivanti/fp-workflow', createIvantiFpWorkflowRouter());
server = app.listen(0, '127.0.0.1', done);
});
afterAll((done) => {
server.close(done);
});
beforeEach(() => {
mockPool.query.mockReset();
});
it('happy path — dismisses a rejected submission owned by the user', async () => {
// First query: SELECT submission
mockPool.query.mockResolvedValueOnce({
rows: [{
id: 42,
user_id: 1,
lifecycle_status: 'rejected',
dismissed_at: null,
ivanti_workflow_batch_id: 'WF-100'
}],
});
// Second query: UPDATE dismissed_at
mockPool.query.mockResolvedValueOnce({ rowCount: 1 });
const res = await request(server, 'PATCH', '/api/ivanti/fp-workflow/submissions/42/dismiss');
expect(res.statusCode).toBe(200);
expect(res.body).toEqual({ success: true });
// Verify the UPDATE was called with the correct SQL pattern
expect(mockPool.query).toHaveBeenCalledTimes(2);
const updateCall = mockPool.query.mock.calls[1];
expect(updateCall[0]).toContain('dismissed_at');
expect(updateCall[1]).toContain('42');
});
it('returns 404 when submission does not exist', async () => {
mockPool.query.mockResolvedValueOnce({ rows: [] });
const res = await request(server, 'PATCH', '/api/ivanti/fp-workflow/submissions/999/dismiss');
expect(res.statusCode).toBe(404);
expect(res.body.error).toBe('Submission not found.');
});
it('returns 403 when user does not own the submission', async () => {
mockPool.query.mockResolvedValueOnce({
rows: [{
id: 42,
user_id: 99, // different user
lifecycle_status: 'rejected',
dismissed_at: null,
ivanti_workflow_batch_id: 'WF-100'
}],
});
const res = await request(server, 'PATCH', '/api/ivanti/fp-workflow/submissions/42/dismiss');
expect(res.statusCode).toBe(403);
expect(res.body.error).toBe('You can only dismiss your own submissions.');
});
it('returns 400 when submission is not in rejected status', async () => {
mockPool.query.mockResolvedValueOnce({
rows: [{
id: 42,
user_id: 1,
lifecycle_status: 'submitted',
dismissed_at: null,
ivanti_workflow_batch_id: 'WF-100'
}],
});
const res = await request(server, 'PATCH', '/api/ivanti/fp-workflow/submissions/42/dismiss');
expect(res.statusCode).toBe(400);
expect(res.body.error).toBe('Only rejected submissions can be dismissed.');
});
});
// --- Filter Edge Cases (Task 8.2) ---
describe('filterVisibleSubmissions — edge cases', () => {
it('returns empty array when all submissions are approved', () => {
const submissions = [
{ id: 1, lifecycle_status: 'approved', dismissed_at: null },
{ id: 2, lifecycle_status: 'approved', dismissed_at: null },
{ id: 3, lifecycle_status: 'approved', dismissed_at: null },
];
expect(filterVisibleSubmissions(submissions)).toEqual([]);
});
it('returns empty array when all submissions are dismissed', () => {
const submissions = [
{ id: 1, lifecycle_status: 'rejected', dismissed_at: '2026-05-01T12:00:00Z' },
{ id: 2, lifecycle_status: 'submitted', dismissed_at: '2026-04-15T08:00:00Z' },
{ id: 3, lifecycle_status: 'rework', dismissed_at: '2026-03-20T10:00:00Z' },
];
expect(filterVisibleSubmissions(submissions)).toEqual([]);
});
it('returns correct subset for mixed statuses', () => {
const submissions = [
{ id: 1, lifecycle_status: 'approved', dismissed_at: null },
{ id: 2, lifecycle_status: 'rejected', dismissed_at: null },
{ id: 3, lifecycle_status: 'submitted', dismissed_at: '2026-05-01T12:00:00Z' },
{ id: 4, lifecycle_status: 'rework', dismissed_at: null },
{ id: 5, lifecycle_status: 'resubmitted', dismissed_at: null },
];
const result = filterVisibleSubmissions(submissions);
expect(result).toEqual([
{ id: 2, lifecycle_status: 'rejected', dismissed_at: null },
{ id: 4, lifecycle_status: 'rework', dismissed_at: null },
{ id: 5, lifecycle_status: 'resubmitted', dismissed_at: null },
]);
});
it('returns empty array for empty input', () => {
expect(filterVisibleSubmissions([])).toEqual([]);
});
});
// --- Integration Test (Task 8.3) ---
describe('Integration: dismissed submissions remain in DB but are excluded from filtered list', () => {
it('dismissed submission is still in the database but excluded by filterVisibleSubmissions', async () => {
// Simulate the full database state after a dismiss operation:
// The submission record still exists with dismissed_at set
const allSubmissionsInDb = [
{ id: 1, lifecycle_status: 'submitted', dismissed_at: null, user_id: 1 },
{ id: 2, lifecycle_status: 'rejected', dismissed_at: '2026-05-01T12:00:00Z', user_id: 1 },
{ id: 3, lifecycle_status: 'approved', dismissed_at: null, user_id: 1 },
{ id: 4, lifecycle_status: 'rejected', dismissed_at: null, user_id: 1 },
];
// The dismissed submission (id: 2) is still in the database
const dismissedSubmission = allSubmissionsInDb.find(s => s.id === 2);
expect(dismissedSubmission).toBeDefined();
expect(dismissedSubmission.dismissed_at).not.toBeNull();
// But when we filter for visible submissions, it's excluded
const visibleSubmissions = filterVisibleSubmissions(allSubmissionsInDb);
// Dismissed submission (id: 2) is NOT in the visible list
expect(visibleSubmissions.find(s => s.id === 2)).toBeUndefined();
// Approved submission (id: 3) is also NOT in the visible list
expect(visibleSubmissions.find(s => s.id === 3)).toBeUndefined();
// Non-dismissed, non-approved submissions ARE in the visible list
expect(visibleSubmissions).toEqual([
{ id: 1, lifecycle_status: 'submitted', dismissed_at: null, user_id: 1 },
{ id: 4, lifecycle_status: 'rejected', dismissed_at: null, user_id: 1 },
]);
// Verify the original array is unchanged (submissions remain in DB)
expect(allSubmissionsInDb.length).toBe(4);
expect(allSubmissionsInDb.find(s => s.id === 2)).toBeDefined();
});
});

108
backend/__tests__/jira-jql-window-invariant.property.test.js Normal file
View File

@@ -0,0 +1,108 @@
/**
* Property-Based Test: JQL Window Invariant
*
* Feature: jira-api-compliance-cleanup, Property 1: JQL window is always 72 hours in bulk sync
*
* For any non-empty array of valid-looking issue keys passed to searchIssuesByKeys(),
* the generated JQL string SHALL contain the substring `updated >= -72h` and
* SHALL contain the substring `project =`.
*
* Validates: Requirements 2.1, 2.3
*/
const fc = require('fast-check');
// Capture the JQL that flows through the HTTP layer.
let capturedJql = null;
// Mock https to intercept the request URL (which contains the JQL) and return
// a fake 200 response. This prevents real network calls while letting the
// real searchIssuesByKeys → searchIssues → jiraGet → jiraRequest chain execute.
jest.mock('https', () => ({
request: jest.fn((options, callback) => {
const fullPath = options.path || '';
const jqlMatch = fullPath.match(/[?&]jql=([^&]*)/);
if (jqlMatch) {
capturedJql = decodeURIComponent(jqlMatch[1]);
}
const mockResponse = {
statusCode: 200,
on: jest.fn((event, handler) => {
if (event === 'data') {
handler(JSON.stringify({ total: 0, issues: [] }));
}
if (event === 'end') {
handler();
}
}),
};
// Use setImmediate so the callback fires on the same tick after promises
// resolve, but still asynchronously as Node's http expects.
setImmediate(() => callback(mockResponse));
return {
on: jest.fn(),
write: jest.fn(),
end: jest.fn(),
destroy: jest.fn(),
};
}),
}));
// Set required env vars before requiring the module so the module-level
// constants pick them up.
process.env.JIRA_PROJECT_KEY = 'TESTPROJ';
process.env.JIRA_BASE_URL = 'https://jira.example.com';
process.env.JIRA_API_USER = 'testuser';
process.env.JIRA_API_TOKEN = 'testtoken';
const jiraApi = require('../helpers/jiraApi');
describe('Feature: jira-api-compliance-cleanup, Property 1: JQL window is always 72h in bulk sync', () => {
// Use fake timers so the rate-limiter's inter-request delays (12 seconds)
// resolve instantly. We preserve setImmediate so the https mock callback
// still fires asynchronously as expected.
beforeAll(() => {
jest.useFakeTimers({ doNotFake: ['setImmediate', 'nextTick'] });
});
afterAll(() => {
jest.useRealTimers();
});
beforeEach(() => {
capturedJql = null;
});
// Generator: produces a valid Jira issue key like "AB-1", "PROJ-42", etc.
const issueKeyArb = fc.tuple(
fc.stringMatching(/^[A-Z]{2,10}$/),
fc.integer({ min: 1, max: 99999 })
).map(([prefix, num]) => `${prefix}-${num}`);
// Generator: non-empty array of issue keys (1 to 50 keys)
const issueKeysArb = fc.array(issueKeyArb, { minLength: 1, maxLength: 50 });
it('searchIssuesByKeys() always generates JQL containing `updated >= -72h` and `project =`', async () => {
await fc.assert(
fc.asyncProperty(issueKeysArb, async (issueKeys) => {
capturedJql = null;
// Start the call — it will hit waitForDelay which uses setTimeout
const promise = jiraApi.searchIssuesByKeys(issueKeys);
// Advance fake timers to resolve any pending setTimeout from the
// rate limiter's waitForDelay function.
jest.advanceTimersByTime(5000);
await promise;
expect(capturedJql).not.toBeNull();
expect(capturedJql).toContain('updated >= -72h');
expect(capturedJql).toContain('project =');
}),
{ numRuns: 100 }
);
}, 60000);
});

151
backend/__tests__/jira-route-removal.test.js Normal file
View File

@@ -0,0 +1,151 @@
/**
* Example-Based Tests: Route Removal and Remaining Routes
*
* Feature: jira-api-compliance-cleanup
*
* Property 2: Search route is absent from router (Example)
* After the route removal, a POST request to /api/jira/search SHALL return HTTP 404.
* Validates: Requirements 1.1, 1.2
*
* Property 3: Existing routes remain functional after search route removal (Example)
* The routes GET /lookup/:issueKey, POST /sync-all, POST /:id/sync, and
* POST /create-in-jira SHALL continue to respond with non-404 status codes.
* Validates: Requirements 1.3, 1.4, 1.5, 1.6
*/
const http = require('http');
const express = require('express');
// Mock the auth middleware so routes don't require real sessions/cookies.
jest.mock('../middleware/auth', () => ({
requireAuth: () => (req, res, next) => {
req.user = { id: 1, username: 'test', group: 'Admin' };
next();
},
requireGroup: () => (req, res, next) => next(),
}));
// Mock the audit log helper to be a no-op.
jest.mock('../helpers/auditLog', () => jest.fn());
// Mock the db module to avoid requiring DATABASE_URL in CI
jest.mock('../db', () => ({
query: jest.fn(() => Promise.resolve({ rows: [] })),
}));
// Mock the jiraApi helper — mark it as not configured so routes return 503
// (which is fine; we only care that they are NOT 404).
jest.mock('../helpers/jiraApi', () => ({
isConfigured: false,
getRateLimitStatus: jest.fn(() => ({
burst: { remaining: 60, limit: 60 },
daily: { remaining: 1440, limit: 1440 },
})),
}));
const createJiraTicketsRouter = require('../routes/jiraTickets');
// Minimal db mock — callback-style methods that return empty results.
function createMockDb() {
return {
get: jest.fn((_sql, _params, cb) => cb(null, null)),
all: jest.fn((_sql, _params, cb) => cb(null, [])),
run: jest.fn(function (_sql, _params, cb) {
if (typeof cb === 'function') cb.call({ lastID: 1, changes: 0 }, null);
}),
};
}
/**
* Helper: send an HTTP request to the test server and return { statusCode }.
*/
function request(server, method, path, body) {
return new Promise((resolve, reject) => {
const addr = server.address();
const options = {
hostname: '127.0.0.1',
port: addr.port,
path,
method,
headers: { 'Content-Type': 'application/json' },
};
const req = http.request(options, (res) => {
// Consume the response body so the socket closes cleanly.
const chunks = [];
res.on('data', (chunk) => chunks.push(chunk));
res.on('end', () => {
resolve({ statusCode: res.statusCode });
});
});
req.on('error', reject);
if (body) {
req.write(JSON.stringify(body));
}
req.end();
});
}
describe('Feature: jira-api-compliance-cleanup — route removal tests', () => {
let app;
let server;
beforeAll((done) => {
const db = createMockDb();
app = express();
app.use(express.json());
app.use('/api/jira-tickets', createJiraTicketsRouter(db));
// Listen on a random available port.
server = app.listen(0, '127.0.0.1', done);
});
afterAll((done) => {
server.close(done);
});
// ---------------------------------------------------------------------------
// Property 2: POST /api/jira-tickets/search returns 404
// Validates: Requirements 1.1, 1.2
// ---------------------------------------------------------------------------
describe('Property 2: Search route is absent', () => {
it('POST /api/jira-tickets/search returns HTTP 404', async () => {
const res = await request(server, 'POST', '/api/jira-tickets/search', {
jql: 'project = TEST',
});
expect(res.statusCode).toBe(404);
});
});
// ---------------------------------------------------------------------------
// Property 3: Remaining routes respond with non-404 status codes
// Validates: Requirements 1.3, 1.4, 1.5, 1.6
// ---------------------------------------------------------------------------
describe('Property 3: Existing routes remain functional', () => {
it('GET /api/jira-tickets/lookup/:issueKey returns non-404', async () => {
const res = await request(server, 'GET', '/api/jira-tickets/lookup/TEST-1');
expect(res.statusCode).not.toBe(404);
});
it('POST /api/jira-tickets/sync-all returns non-404', async () => {
const res = await request(server, 'POST', '/api/jira-tickets/sync-all');
expect(res.statusCode).not.toBe(404);
});
it('POST /api/jira-tickets/:id/sync returns non-404', async () => {
const res = await request(server, 'POST', '/api/jira-tickets/1/sync');
expect(res.statusCode).not.toBe(404);
});
it('POST /api/jira-tickets/create-in-jira returns non-404', async () => {
const res = await request(server, 'POST', '/api/jira-tickets/create-in-jira', {
cve_id: 'CVE-2024-12345',
vendor: 'TestVendor',
summary: 'Test summary',
});
expect(res.statusCode).not.toBe(404);
});
});
});

501
backend/__tests__/vcl-compliance-reporting.property.test.js Normal file
View File

@@ -0,0 +1,501 @@
/**
* Property-Based Tests: VCL Compliance Reporting
*
* Feature: vcl-compliance-reporting
*
* Tests the pure helper functions used for VCL compliance reporting computations.
*
* Validates: Requirements 2.4, 2.5, 3.2, 3.3, 5.2, 5.3, 6.1, 6.3, 7.5, 8.2, 8.3, 8.4, 8.7, 9.2, 9.3, 9.6
*/
const fc = require('fast-check');
// Mock db pool before importing anything (avoids DATABASE_URL requirement)
jest.mock('../db', () => ({
query: jest.fn(() => Promise.resolve({ rows: [], rowCount: 0 })),
connect: jest.fn(() => Promise.resolve({
query: jest.fn(() => Promise.resolve({ rows: [], rowCount: 0 })),
release: jest.fn(),
})),
}));
// Mock dependencies that the route module imports
jest.mock('../helpers/auditLog', () => jest.fn());
jest.mock('../helpers/ivantiApi', () => ({
ivantiFormPost: jest.fn(),
ivantiPost: jest.fn(),
}));
const {
truncateText,
validateRemediationPlan,
computeVCLStats,
formatPct,
categorizeNonCompliant,
rankHeavyHitters,
computeForecastBurndown,
matchByHostname,
computeBulkDiff,
mapColumnHeaders,
isValidDateString,
} = require('../helpers/vclHelpers');
// --- Generators ---
const hostnameArb = fc.stringMatching(/^[a-zA-Z0-9._-]+$/, { minLength: 1, maxLength: 30 });
const validDateArb = fc.record({
year: fc.integer({ min: 2020, max: 2030 }),
month: fc.integer({ min: 1, max: 12 }),
day: fc.integer({ min: 1, max: 28 }), // 1-28 always valid
}).map(({ year, month, day }) =>
`${year}-${String(month).padStart(2, '0')}-${String(day).padStart(2, '0')}`
);
const complianceItemArb = fc.record({
hostname: hostnameArb,
is_compliant: fc.boolean(),
in_scope: fc.constant(true),
});
const nonCompliantItemArb = fc.record({
hostname: hostnameArb,
resolution_date: fc.oneof(fc.constant(null), validDateArb),
});
const verticalArb = fc.record({
vertical: fc.string({ minLength: 1, maxLength: 20 }),
team: fc.string({ minLength: 1, maxLength: 20 }),
non_compliant: fc.integer({ min: 0, max: 1000 }),
});
// --- Property 2: Text Truncation ---
describe('Feature: vcl-compliance-reporting, Property 2: Text Truncation', () => {
/**
* For any string, truncateText(text, 80) should return the original string if its
* length is <= 80, or the first 80 characters followed by "…" if its length exceeds 80.
*
* **Validates: Requirements 2.4**
*/
it('returns original for short strings, truncated + ellipsis for long strings', () => {
fc.assert(
fc.property(
fc.string({ minLength: 0, maxLength: 200 }),
fc.integer({ min: 1, max: 100 }),
(text, maxLen) => {
const result = truncateText(text, maxLen);
if (text.length <= maxLen) {
expect(result).toBe(text);
} else {
expect(result).toBe(text.slice(0, maxLen) + '\u2026');
expect(result.length).toBe(maxLen + 1);
}
}
),
{ numRuns: 100 }
);
});
});
// --- Property 3: Remediation Plan Length Validation ---
describe('Feature: vcl-compliance-reporting, Property 3: Remediation Plan Length Validation', () => {
/**
* For any string, validateRemediationPlan(text) should return valid if and only if
* the string length is <= 2000 characters.
*
* **Validates: Requirements 2.5, 9.4**
*/
it('accepts strings <= 2000 chars, rejects longer', () => {
fc.assert(
fc.property(
fc.string({ minLength: 1, maxLength: 3000 }),
(text) => {
const result = validateRemediationPlan(text);
if (text.length <= 2000) {
expect(result.valid).toBe(true);
} else {
expect(result.valid).toBe(false);
expect(result.error).toBeDefined();
}
}
),
{ numRuns: 100 }
);
});
});
// --- Property 4: Summary Statistics Computation Invariants ---
describe('Feature: vcl-compliance-reporting, Property 4: Summary Statistics Computation Invariants', () => {
/**
* For any set of compliance items, computeVCLStats produces correct arithmetic:
* non_compliant + compliant = in_scope, and correct percentage.
*
* **Validates: Requirements 3.2, 7.3**
*/
it('non_compliant + compliant = in_scope, correct percentage', () => {
fc.assert(
fc.property(
fc.array(complianceItemArb, { minLength: 0, maxLength: 50 }),
fc.integer({ min: 0, max: 100 }),
(items, targetPct) => {
const stats = computeVCLStats(items, targetPct);
// in_scope items are those with in_scope === true
const in_scope = items.filter(i => i.in_scope).length;
const compliant = items.filter(i => i.is_compliant).length;
expect(stats.non_compliant + stats.compliant).toBe(stats.in_scope);
expect(stats.in_scope).toBe(in_scope);
expect(stats.compliant).toBe(compliant);
if (in_scope > 0) {
expect(stats.compliance_pct).toBe(Math.round((compliant / in_scope) * 100));
} else {
expect(stats.compliance_pct).toBe(0);
}
expect(stats.target_pct).toBe(targetPct);
}
),
{ numRuns: 100 }
);
});
});
// --- Property 5: Percentage Formatting ---
describe('Feature: vcl-compliance-reporting, Property 5: Percentage Formatting', () => {
/**
* For any decimal number between 0 and 1, formatPct produces a string matching /^\d{1,3}%$/.
*
* **Validates: Requirements 3.3**
*/
it('produces correct percentage string matching /^\\d{1,3}%$/', () => {
fc.assert(
fc.property(
fc.double({ min: 0, max: 1, noNaN: true }),
(decimal) => {
const result = formatPct(decimal);
expect(result).toMatch(/^\d{1,3}%$/);
expect(result).toBe(Math.round(decimal * 100) + '%');
}
),
{ numRuns: 100 }
);
});
});
// --- Property 6: Non-Compliant Device Categorization Partition ---
describe('Feature: vcl-compliance-reporting, Property 6: Non-Compliant Device Categorization Partition', () => {
/**
* For any array of non-compliant device objects, categorizeNonCompliant produces
* two groups (blocked, in_progress) where blocked.count + in_progress.count = items.length.
*
* **Validates: Requirements 5.2, 5.3**
*/
it('two groups sum to total', () => {
fc.assert(
fc.property(
fc.array(nonCompliantItemArb, { minLength: 0, maxLength: 50 }),
(items) => {
const result = categorizeNonCompliant(items);
expect(result.blocked.count + result.in_progress.count).toBe(items.length);
if (items.length > 0) {
expect(result.blocked.pct).toBe(Math.round((result.blocked.count / items.length) * 100));
expect(result.in_progress.pct).toBe(Math.round((result.in_progress.count / items.length) * 100));
} else {
expect(result.blocked.pct).toBe(0);
expect(result.in_progress.pct).toBe(0);
}
}
),
{ numRuns: 100 }
);
});
});
// --- Property 7: Heavy Hitters Descending Sort ---
describe('Feature: vcl-compliance-reporting, Property 7: Heavy Hitters Descending Sort', () => {
/**
* For any array of vertical objects, rankHeavyHitters returns the array sorted
* in non-increasing order by non_compliant.
*
* **Validates: Requirements 6.1, 6.3**
*/
it('sorted non-increasing by non_compliant', () => {
fc.assert(
fc.property(
fc.array(verticalArb, { minLength: 0, maxLength: 30 }),
(verticals) => {
const result = rankHeavyHitters(verticals);
expect(result.length).toBe(verticals.length);
for (let i = 1; i < result.length; i++) {
expect(result[i - 1].non_compliant).toBeGreaterThanOrEqual(result[i].non_compliant);
}
}
),
{ numRuns: 100 }
);
});
});
// --- Property 8: Forecasted Burndown Projection ---
describe('Feature: vcl-compliance-reporting, Property 8: Forecasted Burndown Projection', () => {
/**
* For any set of non-compliant devices with resolution_date values,
* computeForecastBurndown produces monthly buckets where the sum of all
* monthly forecast counts equals the number of items with non-null resolution_dates.
*
* **Validates: Requirements 7.5**
*/
it('bucket sum = count of items with non-null resolution_dates', () => {
fc.assert(
fc.property(
fc.array(nonCompliantItemArb, { minLength: 0, maxLength: 50 }),
(items) => {
const buckets = computeForecastBurndown(items);
const bucketSum = Object.values(buckets).reduce((sum, count) => sum + count, 0);
const itemsWithDate = items.filter(i => i.resolution_date != null).length;
expect(bucketSum).toBe(itemsWithDate);
}
),
{ numRuns: 100 }
);
});
});
// --- Property 9: Hostname Matching with Unmatched Flagging ---
describe('Feature: vcl-compliance-reporting, Property 9: Hostname Matching with Unmatched Flagging', () => {
/**
* For any array of uploaded rows and a set of existing hostnames,
* matchByHostname produces matched + unmatched = total, and matched hostnames
* all exist in the set.
*
* **Validates: Requirements 8.2, 8.7**
*/
it('matched + unmatched = total, matched hostnames in set', () => {
fc.assert(
fc.property(
fc.array(fc.record({ hostname: hostnameArb }), { minLength: 0, maxLength: 30 }),
fc.array(hostnameArb, { minLength: 0, maxLength: 20 }),
(rows, existingList) => {
const existingSet = new Set(existingList);
const { matched, unmatched } = matchByHostname(rows, existingSet);
expect(matched.length + unmatched.length).toBe(rows.length);
for (const row of matched) {
expect(existingSet.has(row.hostname)).toBe(true);
}
for (const row of unmatched) {
expect(existingSet.has(row.hostname)).toBe(false);
}
}
),
{ numRuns: 100 }
);
});
});
// --- Property 10: Bulk Diff Change Detection ---
describe('Feature: vcl-compliance-reporting, Property 10: Bulk Diff Change Detection', () => {
/**
* For any array of matched row pairs, computeBulkDiff flags a row as "changed"
* if and only if at least one field value differs.
*
* **Validates: Requirements 8.3, 8.4**
*/
it('changed iff at least one field differs', () => {
const fieldValueArb = fc.oneof(fc.constant(null), fc.string({ minLength: 1, maxLength: 20 }));
// When uploaded values match current data exactly, status should be 'unchanged'
fc.assert(
fc.property(
fc.array(hostnameArb, { minLength: 1, maxLength: 20 }).chain(hostnames => {
// Ensure unique hostnames to avoid map overwrite issues
const uniqueHostnames = [...new Set(hostnames)];
return fc.tuple(
...uniqueHostnames.map(h =>
fc.record({
hostname: fc.constant(h),
resolution_date: fieldValueArb,
remediation_plan: fieldValueArb,
notes: fieldValueArb,
})
)
);
}),
(matchedRows) => {
// Build currentData with same values as uploaded
const currentData = new Map();
for (const row of matchedRows) {
currentData.set(row.hostname, {
resolution_date: row.resolution_date,
remediation_plan: row.remediation_plan,
notes: row.notes,
});
}
const results = computeBulkDiff(matchedRows, currentData);
for (const r of results) {
expect(r.status).toBe('unchanged');
}
}
),
{ numRuns: 50 }
);
// When at least one field differs, status should be 'changed'
fc.assert(
fc.property(
hostnameArb,
fc.string({ minLength: 1, maxLength: 20 }),
fc.string({ minLength: 1, maxLength: 20 }),
(hostname, oldVal, newVal) => {
fc.pre(oldVal !== newVal);
const matchedRows = [{ hostname, resolution_date: newVal }];
const currentData = new Map();
currentData.set(hostname, { resolution_date: oldVal, remediation_plan: null, notes: null });
const results = computeBulkDiff(matchedRows, currentData);
expect(results[0].status).toBe('changed');
}
),
{ numRuns: 50 }
);
});
});
// --- Property 11: Column Header Mapping ---
describe('Feature: vcl-compliance-reporting, Property 11: Column Header Mapping', () => {
/**
* mapColumnHeaders correctly identifies known columns case-insensitively.
*
* **Validates: Requirements 9.2**
*/
it('identifies known columns case-insensitively', () => {
const knownHeaders = ['Hostname', 'Resolution Date', 'Remediation Plan', 'Notes',
'hostname', 'resolution_date', 'remediation_plan', 'notes',
'HOSTNAME', 'RESOLUTION DATE', 'REMEDIATION PLAN', 'NOTES'];
const caseVariantArb = fc.constantFrom(...knownHeaders);
const unknownHeaderArb = fc.stringMatching(/^[a-z]{5,10}$/).filter(
s => !['hostname', 'notes'].includes(s.toLowerCase())
);
fc.assert(
fc.property(
fc.array(fc.oneof(caseVariantArb, unknownHeaderArb), { minLength: 1, maxLength: 10 }),
(headers) => {
const mapping = mapColumnHeaders(headers);
// Every mapped key should be a known field
const validKeys = new Set(['hostname', 'resolution_date', 'remediation_plan', 'notes']);
for (const key of Object.keys(mapping)) {
expect(validKeys.has(key)).toBe(true);
}
// Check that known headers are mapped correctly
for (let i = 0; i < headers.length; i++) {
const normalized = headers[i].trim().toLowerCase();
if (normalized === 'hostname') {
expect(mapping.hostname).toBeDefined();
}
if (normalized === 'resolution date' || normalized === 'resolution_date') {
expect(mapping.resolution_date).toBeDefined();
}
if (normalized === 'remediation plan' || normalized === 'remediation_plan') {
expect(mapping.remediation_plan).toBeDefined();
}
if (normalized === 'notes') {
expect(mapping.notes).toBeDefined();
}
}
}
),
{ numRuns: 100 }
);
});
});
// --- Property 12: Date String Validation ---
describe('Feature: vcl-compliance-reporting, Property 12: Date String Validation', () => {
/**
* isValidDateString rejects invalid calendar dates and non-date strings.
* Returns true only for valid YYYY-MM-DD dates.
*
* **Validates: Requirements 9.3**
*/
it('rejects invalid dates and non-date strings', () => {
// Valid dates should return true
fc.assert(
fc.property(validDateArb, (dateStr) => {
expect(isValidDateString(dateStr)).toBe(true);
}),
{ numRuns: 50 }
);
// Invalid dates should return false
const invalidDateArb = fc.oneof(
fc.constant(null),
fc.constant(''),
fc.constant('not-a-date'),
fc.constant('2026-02-30'),
fc.constant('2026-13-01'),
fc.constant('2026-00-15'),
fc.constant('abcd-ef-gh'),
fc.integer().map(n => String(n)),
fc.string({ minLength: 1, maxLength: 5 }),
);
fc.assert(
fc.property(invalidDateArb, (val) => {
expect(isValidDateString(val)).toBe(false);
}),
{ numRuns: 50 }
);
});
});
// --- Property 13: Row Count Arithmetic Invariant ---
describe('Feature: vcl-compliance-reporting, Property 13: Row Count Arithmetic (matched + unmatched = total)', () => {
/**
* For any bulk upload, matched + unmatched = total input rows.
*
* **Validates: Requirements 9.6**
*/
it('matched + unmatched = total invariant holds', () => {
fc.assert(
fc.property(
fc.array(fc.record({ hostname: hostnameArb }), { minLength: 0, maxLength: 50 }),
fc.array(hostnameArb, { minLength: 0, maxLength: 30 }),
(rows, existingList) => {
const existingSet = new Set(existingList);
const { matched, unmatched } = matchByHostname(rows, existingSet);
// Core invariant: matched + unmatched = total
expect(matched.length + unmatched.length).toBe(rows.length);
}
),
{ numRuns: 100 }
);
});
});

316
backend/__tests__/vcl-compliance-reporting.test.js Normal file
View File

@@ -0,0 +1,316 @@
/**
* Unit and Integration Tests: VCL Compliance Reporting
*
* Feature: vcl-compliance-reporting
*
* Tests cover:
* - PATCH /items/:hostname/metadata (happy path, invalid date, plan too long, not found)
* - GET /vcl/stats with no data (zero/empty response)
* - Bulk preview with all unmatched hostnames
* - Bulk preview with mixed valid/invalid rows
* - Integration test for full bulk flow (preview → commit)
* - Trend endpoint with < 2 months (no forecast)
*/
const http = require('http');
const express = require('express');
// Mock auth middleware to bypass real session checks
jest.mock('../middleware/auth', () => ({
requireAuth: () => (req, res, next) => {
req.user = { id: 1, username: 'testuser', group: 'Admin' };
next();
},
requireGroup: () => (req, res, next) => next(),
}));
// Mock audit log as a no-op
jest.mock('../helpers/auditLog', () => jest.fn());
// Mock ivantiApi to avoid real network calls
jest.mock('../helpers/ivantiApi', () => ({
ivantiFormPost: jest.fn(),
ivantiPost: jest.fn(),
}));
// Mock the db pool
const mockPool = {
query: jest.fn(() => Promise.resolve({ rows: [], rowCount: 0 })),
connect: jest.fn(() => Promise.resolve({
query: jest.fn(() => Promise.resolve({ rows: [], rowCount: 0 })),
release: jest.fn(),
})),
};
jest.mock('../db', () => mockPool);
// Mock driftChecker to avoid file system dependencies
jest.mock('../helpers/driftChecker', () => ({
loadConfig: jest.fn(() => ({})),
compareSchemaToDrift: jest.fn(() => null),
reconcileConfig: jest.fn(() => ({ changes: [] })),
}));
const { createComplianceRouter } = require('../routes/compliance');
// --- HTTP helper ---
function request(server, method, path, body) {
return new Promise((resolve, reject) => {
const addr = server.address();
const options = {
hostname: '127.0.0.1',
port: addr.port,
path,
method,
headers: { 'Content-Type': 'application/json' },
};
const req = http.request(options, (res) => {
const chunks = [];
res.on('data', (chunk) => chunks.push(chunk));
res.on('end', () => {
const rawBody = Buffer.concat(chunks).toString();
let json;
try { json = JSON.parse(rawBody); } catch (e) { json = null; }
resolve({ statusCode: res.statusCode, body: json });
});
});
req.on('error', reject);
if (body) req.write(JSON.stringify(body));
req.end();
});
}
// --- Setup ---
let app, server;
beforeAll((done) => {
app = express();
app.use(express.json());
// Mock multer upload middleware
const mockUpload = { single: () => (req, res, next) => next() };
const router = createComplianceRouter(mockUpload);
app.use('/api/compliance', router);
server = app.listen(0, '127.0.0.1', done);
});
afterAll((done) => {
server.close(done);
});
beforeEach(() => {
mockPool.query.mockReset();
mockPool.connect.mockReset();
mockPool.query.mockResolvedValue({ rows: [], rowCount: 0 });
});
// --- 18.1: PATCH /items/:hostname/metadata ---
describe('PATCH /items/:hostname/metadata', () => {
it('happy path — updates resolution_date and remediation_plan', async () => {
mockPool.query.mockResolvedValueOnce({ rows: [], rowCount: 2 });
const res = await request(server, 'PATCH', '/api/compliance/items/srv-001/metadata', {
resolution_date: '2026-06-15',
remediation_plan: 'Patch in next maintenance window',
});
expect(res.statusCode).toBe(200);
expect(res.body.updated).toBe(2);
});
it('returns 400 for invalid date format', async () => {
const res = await request(server, 'PATCH', '/api/compliance/items/srv-001/metadata', {
resolution_date: 'not-a-date',
});
expect(res.statusCode).toBe(400);
expect(res.body.error).toContain('Invalid resolution_date format');
});
it('returns 400 when remediation plan exceeds 2000 characters', async () => {
const longPlan = 'x'.repeat(2001);
const res = await request(server, 'PATCH', '/api/compliance/items/srv-001/metadata', {
remediation_plan: longPlan,
});
expect(res.statusCode).toBe(400);
expect(res.body.error).toContain('2000 characters');
});
it('returns 404 when hostname not found', async () => {
mockPool.query.mockResolvedValueOnce({ rows: [], rowCount: 0 });
const res = await request(server, 'PATCH', '/api/compliance/items/nonexistent-host/metadata', {
resolution_date: '2026-06-15',
});
expect(res.statusCode).toBe(404);
expect(res.body.error).toBe('Device not found');
});
});
// --- 18.2: GET /vcl/stats with no data ---
describe('GET /vcl/stats with no data', () => {
it('returns zero/empty response when no compliance data exists', async () => {
// First query: active items
mockPool.query.mockResolvedValueOnce({ rows: [] });
// Second query: latest upload
mockPool.query.mockResolvedValueOnce({ rows: [] });
const res = await request(server, 'GET', '/api/compliance/vcl/stats');
expect(res.statusCode).toBe(200);
expect(res.body.stats).toBeDefined();
expect(res.body.stats.total_devices).toBe(0);
expect(res.body.stats.in_scope).toBe(0);
expect(res.body.stats.compliant).toBe(0);
expect(res.body.stats.non_compliant).toBe(0);
expect(res.body.stats.compliance_pct).toBe(0);
expect(res.body.donut).toBeDefined();
expect(res.body.heavy_hitters).toEqual([]);
expect(res.body.vertical_breakdown).toEqual([]);
});
});
// --- 18.3: Bulk preview with all unmatched hostnames ---
describe('POST /vcl/bulk-preview — all unmatched', () => {
it('returns all rows as unmatched when no hostnames exist in DB', async () => {
// Query for existing hostnames returns empty
mockPool.query.mockResolvedValueOnce({ rows: [] });
const res = await request(server, 'POST', '/api/compliance/vcl/bulk-preview', {
rows: [
{ hostname: 'unknown-1', resolution_date: '2026-06-15' },
{ hostname: 'unknown-2', resolution_date: '2026-07-01' },
{ hostname: 'unknown-3', resolution_date: '2026-08-01' },
],
});
expect(res.statusCode).toBe(200);
expect(res.body.matched).toBe(0);
expect(res.body.unmatched).toBe(3);
expect(res.body.changes).toBe(0);
expect(res.body.unmatched_rows).toEqual(['unknown-1', 'unknown-2', 'unknown-3']);
});
});
// --- 18.4: Bulk preview with mixed valid/invalid rows ---
describe('POST /vcl/bulk-preview — mixed valid/invalid', () => {
it('correctly classifies valid and invalid rows', async () => {
// Query for existing hostnames
mockPool.query
.mockResolvedValueOnce({
rows: [
{ hostname: 'srv-001' },
{ hostname: 'srv-002' },
{ hostname: 'srv-003' },
],
})
// Query for current data (DISTINCT ON)
.mockResolvedValueOnce({
rows: [
{ hostname: 'srv-001', resolution_date: null, remediation_plan: null },
{ hostname: 'srv-003', resolution_date: null, remediation_plan: null },
],
});
const res = await request(server, 'POST', '/api/compliance/vcl/bulk-preview', {
rows: [
{ hostname: 'srv-001', resolution_date: '2026-06-15' }, // valid, matched
{ hostname: 'srv-002', resolution_date: 'bad-date' }, // invalid date, matched
{ hostname: 'srv-003', resolution_date: '2026-07-01' }, // valid, matched
{ hostname: 'unknown-1', resolution_date: '2026-08-01' }, // unmatched
],
});
expect(res.statusCode).toBe(200);
expect(res.body.matched).toBe(3);
expect(res.body.unmatched).toBe(1);
expect(res.body.invalid).toBe(1);
expect(res.body.invalid_rows[0].hostname).toBe('srv-002');
expect(res.body.invalid_rows[0].errors[0]).toContain('invalid date');
expect(res.body.unmatched_rows).toEqual(['unknown-1']);
});
});
// --- 18.5: Integration test for full bulk flow ---
describe('Integration: full bulk upload flow (preview → commit)', () => {
it('preview shows changes, commit updates DB', async () => {
// --- Preview phase ---
// Query for existing hostnames
mockPool.query
.mockResolvedValueOnce({
rows: [{ hostname: 'srv-001' }, { hostname: 'srv-002' }],
})
// Query for current data
.mockResolvedValueOnce({
rows: [
{ hostname: 'srv-001', resolution_date: null, remediation_plan: null },
{ hostname: 'srv-002', resolution_date: '2026-01-01', remediation_plan: 'Old plan' },
],
});
const previewRes = await request(server, 'POST', '/api/compliance/vcl/bulk-preview', {
rows: [
{ hostname: 'srv-001', resolution_date: '2026-06-15', remediation_plan: 'New plan' },
{ hostname: 'srv-002', resolution_date: '2026-01-01', remediation_plan: 'Old plan' }, // unchanged
],
});
expect(previewRes.statusCode).toBe(200);
expect(previewRes.body.matched).toBe(2);
expect(previewRes.body.changes).toBe(1); // only srv-001 changed
// --- Commit phase ---
const mockClient = {
query: jest.fn(),
release: jest.fn(),
};
mockClient.query
.mockResolvedValueOnce({}) // BEGIN
.mockResolvedValueOnce({ rowCount: 1 }) // UPDATE srv-001
.mockResolvedValueOnce({}); // COMMIT
mockPool.connect.mockResolvedValueOnce(mockClient);
const commitRes = await request(server, 'POST', '/api/compliance/vcl/bulk-commit', {
changes: [
{ hostname: 'srv-001', resolution_date: '2026-06-15', remediation_plan: 'New plan' },
],
});
expect(commitRes.statusCode).toBe(200);
expect(commitRes.body.committed).toBe(1);
expect(mockClient.query).toHaveBeenCalledWith('BEGIN');
expect(mockClient.query).toHaveBeenCalledWith('COMMIT');
});
});
// --- 18.6: Trend endpoint with < 2 months (no forecast) ---
describe('GET /vcl/trend — fewer than 2 months', () => {
it('returns data without forecast when < 2 months exist', async () => {
mockPool.query.mockResolvedValueOnce({
rows: [
{ snapshot_month: '2026-01', compliant_count: 900, compliance_pct: '82.0' },
],
});
const res = await request(server, 'GET', '/api/compliance/vcl/trend');
expect(res.statusCode).toBe(200);
expect(res.body.months).toHaveLength(1);
expect(res.body.months[0].month).toBe('2026-01');
expect(res.body.months[0].forecast_pct).toBeNull();
expect(res.body.months[0].target_pct).toBe(95);
});
});

BIN
backend/cve_database.db.backupNVD Normal file
View File

Binary file not shown.

BIN
backend/cve_database.db.pre-postgres-backup Normal file
View File

Binary file not shown.

479
backend/db-schema.sql Normal file
View File

@@ -0,0 +1,479 @@
-- =============================================================================
-- CVE Dashboard — Complete PostgreSQL Schema (v1.0.0)
-- =============================================================================
-- Translates the full SQLite schema (setup.js) to PostgreSQL 16.
-- Designed for idempotent execution: safe to run multiple times via psql or
-- pool.query() without errors or duplicate data.
--
-- Usage:
-- psql -h localhost -p 5433 -U steam -d cve_dashboard -f backend/db-schema.sql
-- OR
-- const schema = fs.readFileSync('backend/db-schema.sql', 'utf8');
-- await pool.query(schema);
-- =============================================================================
-- =============================================================================
-- Core CVE tracking tables
-- =============================================================================
CREATE TABLE IF NOT EXISTS cves (
id SERIAL PRIMARY KEY,
cve_id VARCHAR(20) NOT NULL,
vendor VARCHAR(100) NOT NULL,
severity VARCHAR(20) NOT NULL,
description TEXT,
published_date DATE,
status VARCHAR(50) DEFAULT 'Open',
created_at TIMESTAMPTZ DEFAULT NOW(),
updated_at TIMESTAMPTZ DEFAULT NOW(),
created_by INTEGER,
UNIQUE(cve_id, vendor)
);
CREATE INDEX IF NOT EXISTS idx_cve_id ON cves(cve_id);
CREATE INDEX IF NOT EXISTS idx_vendor ON cves(vendor);
CREATE INDEX IF NOT EXISTS idx_severity ON cves(severity);
CREATE INDEX IF NOT EXISTS idx_status ON cves(status);
CREATE TABLE IF NOT EXISTS documents (
id SERIAL PRIMARY KEY,
cve_id VARCHAR(20) NOT NULL,
vendor VARCHAR(100) NOT NULL,
name VARCHAR(255) NOT NULL,
type VARCHAR(50) NOT NULL,
file_path VARCHAR(500) NOT NULL,
file_size VARCHAR(20),
mime_type VARCHAR(100),
uploaded_at TIMESTAMPTZ DEFAULT NOW(),
notes TEXT
);
CREATE INDEX IF NOT EXISTS idx_doc_cve_id ON documents(cve_id);
CREATE INDEX IF NOT EXISTS idx_doc_vendor ON documents(vendor);
CREATE INDEX IF NOT EXISTS idx_doc_type ON documents(type);
CREATE TABLE IF NOT EXISTS required_documents (
id SERIAL PRIMARY KEY,
vendor VARCHAR(100) NOT NULL,
document_type VARCHAR(50) NOT NULL,
is_mandatory BOOLEAN DEFAULT TRUE,
description TEXT,
UNIQUE(vendor, document_type)
);
-- =============================================================================
-- Authentication and session management
-- =============================================================================
CREATE TABLE IF NOT EXISTS users (
id SERIAL PRIMARY KEY,
username VARCHAR(50) UNIQUE NOT NULL,
email VARCHAR(255) UNIQUE NOT NULL,
password_hash VARCHAR(255) NOT NULL,
role VARCHAR(20) NOT NULL DEFAULT 'viewer' CHECK (role IN ('admin', 'editor', 'viewer')),
is_active BOOLEAN DEFAULT TRUE,
created_at TIMESTAMPTZ DEFAULT NOW(),
last_login TIMESTAMPTZ,
user_group VARCHAR(20) NOT NULL DEFAULT 'Read_Only'
CHECK (user_group IN ('Admin', 'Standard_User', 'Leadership', 'Read_Only')),
bu_teams TEXT NOT NULL DEFAULT ''
);
CREATE INDEX IF NOT EXISTS idx_users_username ON users(username);
CREATE INDEX IF NOT EXISTS idx_users_user_group ON users(user_group);
CREATE TABLE IF NOT EXISTS sessions (
id SERIAL PRIMARY KEY,
session_id VARCHAR(255) UNIQUE NOT NULL,
user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
expires_at TIMESTAMPTZ NOT NULL,
created_at TIMESTAMPTZ DEFAULT NOW()
);
CREATE INDEX IF NOT EXISTS idx_sessions_session_id ON sessions(session_id);
CREATE INDEX IF NOT EXISTS idx_sessions_user_id ON sessions(user_id);
CREATE INDEX IF NOT EXISTS idx_sessions_expires ON sessions(expires_at);
-- =============================================================================
-- Audit logging
-- =============================================================================
CREATE TABLE IF NOT EXISTS audit_logs (
id SERIAL PRIMARY KEY,
user_id INTEGER,
username VARCHAR(50) NOT NULL,
action VARCHAR(50) NOT NULL,
entity_type VARCHAR(50) NOT NULL,
entity_id VARCHAR(100),
details TEXT,
ip_address VARCHAR(45),
created_at TIMESTAMPTZ DEFAULT NOW()
);
CREATE INDEX IF NOT EXISTS idx_audit_user_id ON audit_logs(user_id);
CREATE INDEX IF NOT EXISTS idx_audit_action ON audit_logs(action);
CREATE INDEX IF NOT EXISTS idx_audit_entity_type ON audit_logs(entity_type);
CREATE INDEX IF NOT EXISTS idx_audit_created_at ON audit_logs(created_at);
-- =============================================================================
-- Jira integration
-- =============================================================================
CREATE TABLE IF NOT EXISTS jira_tickets (
id SERIAL PRIMARY KEY,
cve_id TEXT NOT NULL,
vendor TEXT NOT NULL,
ticket_key TEXT NOT NULL,
url TEXT,
summary TEXT,
status TEXT DEFAULT 'Open' CHECK (status IN ('Open', 'In Progress', 'Closed')),
created_at TIMESTAMPTZ DEFAULT NOW(),
updated_at TIMESTAMPTZ DEFAULT NOW()
);
CREATE INDEX IF NOT EXISTS idx_jira_tickets_cve ON jira_tickets(cve_id, vendor);
CREATE INDEX IF NOT EXISTS idx_jira_tickets_status ON jira_tickets(status);
-- =============================================================================
-- Archer integration
-- =============================================================================
CREATE TABLE IF NOT EXISTS archer_tickets (
id SERIAL PRIMARY KEY,
exc_number TEXT NOT NULL UNIQUE,
archer_url TEXT,
status TEXT DEFAULT 'Draft' CHECK (status IN ('Draft', 'Open', 'Under Review', 'Accepted')),
cve_id TEXT NOT NULL,
vendor TEXT NOT NULL,
created_by INTEGER REFERENCES users(id),
created_at TIMESTAMPTZ DEFAULT NOW(),
updated_at TIMESTAMPTZ DEFAULT NOW()
);
CREATE INDEX IF NOT EXISTS idx_archer_tickets_cve ON archer_tickets(cve_id, vendor);
CREATE INDEX IF NOT EXISTS idx_archer_tickets_status ON archer_tickets(status);
CREATE INDEX IF NOT EXISTS idx_archer_tickets_exc ON archer_tickets(exc_number);
-- =============================================================================
-- Knowledge base
-- =============================================================================
CREATE TABLE IF NOT EXISTS knowledge_base (
id SERIAL PRIMARY KEY,
title VARCHAR(255) NOT NULL,
slug VARCHAR(255) UNIQUE NOT NULL,
description TEXT,
category VARCHAR(100),
file_path VARCHAR(500),
file_name VARCHAR(255),
file_type VARCHAR(50),
file_size INTEGER,
created_at TIMESTAMPTZ DEFAULT NOW(),
updated_at TIMESTAMPTZ DEFAULT NOW(),
created_by INTEGER REFERENCES users(id)
);
CREATE INDEX IF NOT EXISTS idx_knowledge_base_slug ON knowledge_base(slug);
CREATE INDEX IF NOT EXISTS idx_knowledge_base_category ON knowledge_base(category);
CREATE INDEX IF NOT EXISTS idx_knowledge_base_created_at ON knowledge_base(created_at DESC);
-- =============================================================================
-- Ivanti findings — individual rows (replaces findings_json blob)
-- =============================================================================
CREATE TABLE IF NOT EXISTS ivanti_findings (
id TEXT PRIMARY KEY,
host_id INTEGER,
title TEXT NOT NULL DEFAULT '',
severity NUMERIC(4,2) NOT NULL DEFAULT 0,
vrr_group TEXT NOT NULL DEFAULT '',
host_name TEXT NOT NULL DEFAULT '',
ip_address TEXT NOT NULL DEFAULT '',
dns TEXT NOT NULL DEFAULT '',
status TEXT NOT NULL DEFAULT '',
sla_status TEXT NOT NULL DEFAULT '',
due_date DATE,
last_found_on DATE,
bu_ownership TEXT NOT NULL DEFAULT '',
cves TEXT[] DEFAULT '{}',
workflow_id TEXT,
workflow_state TEXT,
workflow_type TEXT,
state TEXT NOT NULL DEFAULT 'open' CHECK (state IN ('open', 'closed')),
note TEXT NOT NULL DEFAULT '',
override_host_name TEXT,
override_dns TEXT,
synced_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
CREATE INDEX IF NOT EXISTS idx_findings_state ON ivanti_findings(state);
CREATE INDEX IF NOT EXISTS idx_findings_bu ON ivanti_findings(bu_ownership);
CREATE INDEX IF NOT EXISTS idx_findings_severity ON ivanti_findings(severity);
CREATE INDEX IF NOT EXISTS idx_findings_state_bu ON ivanti_findings(state, bu_ownership);
-- =============================================================================
-- Ivanti sync state (single-row pattern — replaces ivanti_findings_cache metadata)
-- =============================================================================
CREATE TABLE IF NOT EXISTS ivanti_sync_state (
id INTEGER PRIMARY KEY DEFAULT 1 CHECK (id = 1),
total INTEGER DEFAULT 0,
workflows_json TEXT DEFAULT '[]',
synced_at TIMESTAMPTZ,
sync_status TEXT DEFAULT 'never',
error_message TEXT
);
-- =============================================================================
-- Ivanti counts cache (single-row pattern for FP workflow counts)
-- =============================================================================
CREATE TABLE IF NOT EXISTS ivanti_counts_cache (
id INTEGER PRIMARY KEY DEFAULT 1 CHECK (id = 1),
open_count INTEGER DEFAULT 0,
closed_count INTEGER DEFAULT 0,
synced_at TIMESTAMPTZ,
fp_workflow_counts_json TEXT DEFAULT '{}',
fp_id_counts_json TEXT DEFAULT '{}'
);
-- =============================================================================
-- Ivanti counts history
-- =============================================================================
CREATE TABLE IF NOT EXISTS ivanti_counts_history (
id SERIAL PRIMARY KEY,
open_count INTEGER NOT NULL,
closed_count INTEGER NOT NULL,
recorded_at TIMESTAMPTZ DEFAULT NOW()
);
CREATE TABLE IF NOT EXISTS ivanti_counts_history_by_bu (
id SERIAL PRIMARY KEY,
bu_ownership TEXT NOT NULL,
state TEXT NOT NULL CHECK (state IN ('open', 'closed')),
count INTEGER NOT NULL DEFAULT 0,
recorded_at TIMESTAMPTZ DEFAULT NOW()
);
CREATE INDEX IF NOT EXISTS idx_counts_history_bu ON ivanti_counts_history_by_bu(bu_ownership);
CREATE INDEX IF NOT EXISTS idx_counts_history_bu_date ON ivanti_counts_history_by_bu(recorded_at);
-- =============================================================================
-- Ivanti FP (False Positive) submissions
-- =============================================================================
CREATE TABLE IF NOT EXISTS ivanti_fp_submissions (
id SERIAL PRIMARY KEY,
user_id INTEGER NOT NULL,
username TEXT NOT NULL,
ivanti_workflow_batch_id INTEGER,
ivanti_generated_id TEXT,
ivanti_workflow_batch_uuid TEXT,
workflow_name TEXT NOT NULL,
reason TEXT NOT NULL,
description TEXT,
expiration_date TEXT NOT NULL,
scope_override TEXT NOT NULL DEFAULT 'Authorized',
finding_ids_json TEXT NOT NULL,
queue_item_ids_json TEXT NOT NULL,
attachment_count INTEGER DEFAULT 0,
attachment_results_json TEXT,
status TEXT NOT NULL DEFAULT 'success' CHECK (status IN ('success', 'partial', 'failed')),
lifecycle_status TEXT NOT NULL DEFAULT 'submitted'
CHECK (lifecycle_status IN ('submitted', 'approved', 'rejected', 'rework', 'resubmitted')),
error_message TEXT,
created_at TIMESTAMPTZ DEFAULT NOW(),
updated_at TIMESTAMPTZ DEFAULT NULL
);
CREATE INDEX IF NOT EXISTS idx_fp_submissions_user ON ivanti_fp_submissions(user_id);
CREATE INDEX IF NOT EXISTS idx_fp_submissions_ivanti_id ON ivanti_fp_submissions(ivanti_generated_id);
CREATE TABLE IF NOT EXISTS ivanti_fp_submission_history (
id SERIAL PRIMARY KEY,
submission_id INTEGER NOT NULL REFERENCES ivanti_fp_submissions(id) ON DELETE CASCADE,
user_id INTEGER NOT NULL,
username TEXT NOT NULL,
change_type TEXT NOT NULL CHECK (change_type IN (
'created', 'fields_updated', 'findings_added',
'attachments_added', 'status_changed'
)),
change_details_json TEXT,
created_at TIMESTAMPTZ DEFAULT NOW()
);
CREATE INDEX IF NOT EXISTS idx_fp_history_submission ON ivanti_fp_submission_history(submission_id);
-- =============================================================================
-- Ivanti todo queue (FP, Archer, CARD, GRANITE workflows)
-- =============================================================================
CREATE TABLE IF NOT EXISTS ivanti_todo_queue (
id SERIAL PRIMARY KEY,
user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
finding_id TEXT NOT NULL,
finding_title TEXT,
cves_json TEXT,
ip_address TEXT,
hostname TEXT,
vendor TEXT NOT NULL,
workflow_type TEXT NOT NULL CHECK (workflow_type IN ('FP', 'Archer', 'CARD', 'GRANITE', 'DECOM')),
status TEXT NOT NULL DEFAULT 'pending' CHECK (status IN ('pending', 'complete')),
created_at TIMESTAMPTZ DEFAULT NOW(),
updated_at TIMESTAMPTZ DEFAULT NOW()
);
CREATE INDEX IF NOT EXISTS idx_todo_queue_user ON ivanti_todo_queue(user_id, status);
-- =============================================================================
-- Ivanti archive detection and anomaly tracking
-- =============================================================================
CREATE TABLE IF NOT EXISTS ivanti_finding_archives (
id SERIAL PRIMARY KEY,
finding_id TEXT NOT NULL UNIQUE,
finding_title TEXT NOT NULL DEFAULT '',
host_name TEXT NOT NULL DEFAULT '',
ip_address TEXT NOT NULL DEFAULT '',
current_state TEXT NOT NULL CHECK (current_state IN ('ARCHIVED', 'RETURNED', 'CLOSED', 'CLOSED_GONE')),
last_severity NUMERIC(4,2) NOT NULL DEFAULT 0,
first_archived_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
last_transition_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
created_at TIMESTAMPTZ DEFAULT NOW()
);
CREATE INDEX IF NOT EXISTS idx_archive_finding_id ON ivanti_finding_archives(finding_id);
CREATE INDEX IF NOT EXISTS idx_archive_current_state ON ivanti_finding_archives(current_state);
CREATE TABLE IF NOT EXISTS ivanti_archive_transitions (
id SERIAL PRIMARY KEY,
archive_id INTEGER NOT NULL REFERENCES ivanti_finding_archives(id),
from_state TEXT NOT NULL,
to_state TEXT NOT NULL,
severity_at_transition NUMERIC(4,2) NOT NULL DEFAULT 0,
reason TEXT NOT NULL DEFAULT '',
transitioned_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
CREATE INDEX IF NOT EXISTS idx_transition_archive_id ON ivanti_archive_transitions(archive_id);
CREATE TABLE IF NOT EXISTS ivanti_sync_anomaly_log (
id SERIAL PRIMARY KEY,
sync_timestamp TIMESTAMPTZ NOT NULL DEFAULT NOW(),
open_count_delta INTEGER NOT NULL DEFAULT 0,
closed_count_delta INTEGER NOT NULL DEFAULT 0,
newly_archived_count INTEGER NOT NULL DEFAULT 0,
returned_count INTEGER NOT NULL DEFAULT 0,
classification_json TEXT NOT NULL DEFAULT '{}',
return_classification_json TEXT NOT NULL DEFAULT '{}',
is_significant BOOLEAN NOT NULL DEFAULT FALSE,
created_at TIMESTAMPTZ DEFAULT NOW()
);
CREATE INDEX IF NOT EXISTS idx_anomaly_sync_timestamp ON ivanti_sync_anomaly_log(sync_timestamp);
CREATE TABLE IF NOT EXISTS ivanti_finding_bu_history (
id SERIAL PRIMARY KEY,
finding_id TEXT NOT NULL,
finding_title TEXT NOT NULL DEFAULT '',
host_name TEXT NOT NULL DEFAULT '',
previous_bu TEXT NOT NULL,
new_bu TEXT NOT NULL,
detected_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
created_at TIMESTAMPTZ DEFAULT NOW()
);
CREATE INDEX IF NOT EXISTS idx_bu_history_finding_id ON ivanti_finding_bu_history(finding_id);
CREATE INDEX IF NOT EXISTS idx_bu_history_detected_at ON ivanti_finding_bu_history(detected_at);
-- =============================================================================
-- Atlas action plans cache
-- =============================================================================
CREATE TABLE IF NOT EXISTS atlas_action_plans_cache (
id SERIAL PRIMARY KEY,
host_id INTEGER NOT NULL UNIQUE,
has_action_plan BOOLEAN NOT NULL DEFAULT FALSE,
plan_count INTEGER NOT NULL DEFAULT 0,
plans_json TEXT NOT NULL DEFAULT '[]',
synced_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
CREATE INDEX IF NOT EXISTS idx_atlas_cache_host_id ON atlas_action_plans_cache(host_id);
-- =============================================================================
-- Compliance (NTS AEO) tracking
-- =============================================================================
CREATE TABLE IF NOT EXISTS compliance_uploads (
id SERIAL PRIMARY KEY,
filename TEXT NOT NULL,
report_date TEXT,
uploaded_by INTEGER REFERENCES users(id) ON DELETE SET NULL,
uploaded_at TIMESTAMPTZ DEFAULT NOW(),
new_count INTEGER DEFAULT 0,
resolved_count INTEGER DEFAULT 0,
recurring_count INTEGER DEFAULT 0,
summary_json TEXT
);
CREATE TABLE IF NOT EXISTS compliance_items (
id SERIAL PRIMARY KEY,
upload_id INTEGER NOT NULL REFERENCES compliance_uploads(id) ON DELETE CASCADE,
hostname TEXT NOT NULL,
ip_address TEXT,
device_type TEXT,
team TEXT,
metric_id TEXT NOT NULL,
metric_desc TEXT,
category TEXT,
extra_json TEXT,
status TEXT NOT NULL DEFAULT 'active' CHECK (status IN ('active', 'resolved')),
first_seen_upload_id INTEGER REFERENCES compliance_uploads(id) ON DELETE SET NULL,
resolved_upload_id INTEGER REFERENCES compliance_uploads(id) ON DELETE SET NULL,
seen_count INTEGER DEFAULT 1,
created_at TIMESTAMPTZ DEFAULT NOW()
);
CREATE INDEX IF NOT EXISTS idx_compliance_items_upload ON compliance_items(upload_id);
CREATE INDEX IF NOT EXISTS idx_compliance_items_identity ON compliance_items(hostname, metric_id);
CREATE INDEX IF NOT EXISTS idx_compliance_items_team_status ON compliance_items(team, status);
CREATE TABLE IF NOT EXISTS compliance_notes (
id SERIAL PRIMARY KEY,
hostname TEXT NOT NULL,
metric_id TEXT NOT NULL,
note TEXT NOT NULL,
group_id TEXT,
created_by INTEGER REFERENCES users(id) ON DELETE SET NULL,
created_at TIMESTAMPTZ DEFAULT NOW()
);
CREATE INDEX IF NOT EXISTS idx_compliance_notes_identity ON compliance_notes(hostname, metric_id);
CREATE INDEX IF NOT EXISTS idx_compliance_notes_group ON compliance_notes(group_id);
-- =============================================================================
-- Seed data
-- =============================================================================
-- Required documents (idempotent via unique constraint on vendor + document_type)
INSERT INTO required_documents (vendor, document_type, is_mandatory, description) VALUES
('Microsoft', 'advisory', TRUE, 'Official Microsoft Security Advisory'),
('Microsoft', 'screenshot', FALSE, 'Proof of patch application'),
('Cisco', 'advisory', TRUE, 'Cisco Security Advisory'),
('Oracle', 'advisory', TRUE, 'Oracle Security Alert'),
('VMware', 'advisory', TRUE, 'VMware Security Advisory'),
('Adobe', 'advisory', TRUE, 'Adobe Security Bulletin')
ON CONFLICT (vendor, document_type) DO NOTHING;
-- Ivanti sync state — ensure single row exists
INSERT INTO ivanti_sync_state (id, total, workflows_json, sync_status)
VALUES (1, 0, '[]', 'never')
ON CONFLICT (id) DO NOTHING;
-- Ivanti counts cache — ensure single row exists
INSERT INTO ivanti_counts_cache (id, open_count, closed_count, fp_workflow_counts_json, fp_id_counts_json)
VALUES (1, 0, 0, '{}', '{}')
ON CONFLICT (id) DO NOTHING;

46
backend/db.js Normal file
View File

@@ -0,0 +1,46 @@
// PostgreSQL Connection Pool
// All route files import this module instead of receiving a sqlite3 `db` parameter.
// Configured via DATABASE_URL environment variable.
// Ensure dotenv is loaded before accessing env vars
require('dotenv').config({ path: require('path').join(__dirname, '.env') });
const { Pool } = require('pg');
if (!process.env.DATABASE_URL) {
console.error('[DB] FATAL: DATABASE_URL environment variable is not set.');
console.error('[DB] Expected format: postgresql://user:password@host:port/database');
process.exit(1);
}
const pool = new Pool({
connectionString: process.env.DATABASE_URL,
max: 10, // Maximum connections in pool
idleTimeoutMillis: 30000, // Close idle connections after 30s
connectionTimeoutMillis: 5000, // Fail if connection takes >5s
});
// Log unexpected pool errors (connection drops, etc.)
pool.on('error', (err) => {
console.error('[DB Pool] Unexpected error on idle client:', err.message);
});
// Track active connections and warn when approaching exhaustion
let _activeCount = 0;
pool.on('acquire', () => {
_activeCount++;
if (_activeCount >= 8) {
console.warn(`[DB Pool] WARNING: ${_activeCount}/10 connections active — approaching exhaustion`);
}
});
pool.on('release', () => { _activeCount--; });
// Health check — verify connection on startup
pool.query('SELECT NOW()')
.then(() => console.log('[DB Pool] Connected to PostgreSQL'))
.catch((err) => {
console.error('[DB Pool] Failed to connect:', err.message);
console.error('[DB Pool] Check DATABASE_URL and ensure Postgres is running on port 5433');
});
module.exports = pool;

104
backend/helpers/atlasApi.js Normal file
View File

@@ -0,0 +1,104 @@
// Shared Atlas InfoSec API helpers
// Centralizes HTTP calls so the atlas router uses a single implementation.
// Follows the same promise-based pattern as ivantiApi.js.
const https = require('https');
const http = require('http');
// ---------------------------------------------------------------------------
// Configuration — read from process.env at module load
// ---------------------------------------------------------------------------
const ATLAS_API_URL = process.env.ATLAS_API_URL || '';
const ATLAS_API_USER = process.env.ATLAS_API_USER || '';
const ATLAS_API_PASS = process.env.ATLAS_API_PASS || '';
const ATLAS_SKIP_TLS = process.env.ATLAS_SKIP_TLS === 'true';
const requiredVars = ['ATLAS_API_URL', 'ATLAS_API_USER', 'ATLAS_API_PASS'];
const missingVars = requiredVars.filter((v) => !process.env[v]);
if (missingVars.length > 0) {
console.warn(`[atlas-api] WARNING: Missing required environment variables: ${missingVars.join(', ')}. Atlas API calls will fail.`);
}
const isConfigured = missingVars.length === 0;
// ---------------------------------------------------------------------------
// Generic request — supports GET, PUT, PATCH, POST
// ---------------------------------------------------------------------------
function atlasRequest(method, urlPath, body, options) {
const timeout = (options && options.timeout) || 15000;
const authString = Buffer.from(ATLAS_API_USER + ':' + ATLAS_API_PASS).toString('base64');
const fullUrl = new URL(ATLAS_API_URL + urlPath);
const isHttps = fullUrl.protocol === 'https:';
const transport = isHttps ? https : http;
const headers = {
'accept': 'application/json',
'authorization': 'Basic ' + authString
};
let bodyStr = null;
if (body !== null && body !== undefined) {
bodyStr = JSON.stringify(body);
headers['content-type'] = 'application/json';
headers['content-length'] = Buffer.byteLength(bodyStr);
}
return new Promise((resolve, reject) => {
const reqOptions = {
hostname: fullUrl.hostname,
port: fullUrl.port || (isHttps ? 443 : 80),
path: fullUrl.pathname + fullUrl.search,
method: method,
headers: headers,
timeout: timeout
};
if (isHttps) {
reqOptions.rejectUnauthorized = !ATLAS_SKIP_TLS;
}
const req = transport.request(reqOptions, (res) => {
let data = '';
res.on('data', (chunk) => { data += chunk; });
res.on('end', () => resolve({ status: res.statusCode, body: data }));
});
req.on('timeout', () => req.destroy(new Error(method + ' ' + urlPath + ' timed out')));
req.on('error', (err) => {
reject(new Error(method + ' ' + urlPath + ' failed: ' + err.message));
});
if (bodyStr) {
req.write(bodyStr);
}
req.end();
});
}
// ---------------------------------------------------------------------------
// Convenience wrappers
// ---------------------------------------------------------------------------
function atlasGet(urlPath, options) {
return atlasRequest('GET', urlPath, null, options);
}
function atlasPut(urlPath, body, options) {
return atlasRequest('PUT', urlPath, body, options);
}
function atlasPatch(urlPath, body, options) {
return atlasRequest('PATCH', urlPath, body, options);
}
function atlasPost(urlPath, body, options) {
return atlasRequest('POST', urlPath, body, options);
}
module.exports = {
isConfigured,
atlasRequest,
atlasGet,
atlasPut,
atlasPatch,
atlasPost
};

18
backend/helpers/auditLog.js
View File

@@ -1,21 +1,19 @@
// Audit Log Helper // Audit Log Helper
// Fire-and-forget insert - never blocks the response // Fire-and-forget insert - never blocks the response
const pool = require('../db');
function logAudit(db, { userId, username, action, entityType, entityId, details, ipAddress }) { function logAudit({ userId, username, action, entityType, entityId, details, ipAddress }) {
const detailsStr = details && typeof details === 'object' const detailsStr = details && typeof details === 'object'
? JSON.stringify(details) ? JSON.stringify(details)
: details || null; : details || null;
db.run( pool.query(
`INSERT INTO audit_logs (user_id, username, action, entity_type, entity_id, details, ip_address) `INSERT INTO audit_logs (user_id, username, action, entity_type, entity_id, details, ip_address)
VALUES (?, ?, ?, ?, ?, ?, ?)`, VALUES ($1, $2, $3, $4, $5, $6, $7)`,
[userId || null, username || 'unknown', action, entityType, entityId || null, detailsStr, ipAddress || null], [userId || null, username || 'unknown', action, entityType, entityId || null, detailsStr, ipAddress || null]
(err) => { ).catch((err) => {
if (err) { console.error('Audit log error:', err.message);
console.error('Audit log error:', err.message); });
}
}
);
} }
module.exports = logAudit; module.exports = logAudit;

305
backend/helpers/cardApi.js Normal file
View File

@@ -0,0 +1,305 @@
// Shared CARD API helpers
// Centralizes HTTP calls for the CARD asset ownership API.
// Follows the same promise-based pattern as atlasApi.js, with the addition
// of OAuth Bearer token management (auto-acquire, cache, refresh, 401 retry).
//
// CARD API versioning:
// - Read endpoints (GET): /api/v1/...
// - Mutation endpoints (POST): /api/v2/...
const https = require('https');
const http = require('http');
// ---------------------------------------------------------------------------
// Configuration — read from process.env at module load
// ---------------------------------------------------------------------------
const CARD_API_URL = process.env.CARD_API_URL || '';
const CARD_API_USER = process.env.CARD_API_USER || '';
const CARD_API_PASS = process.env.CARD_API_PASS || '';
const CARD_SKIP_TLS = process.env.CARD_SKIP_TLS === 'true';
const requiredVars = ['CARD_API_URL', 'CARD_API_USER', 'CARD_API_PASS'];
const missingVars = requiredVars.filter((v) => !process.env[v]);
if (missingVars.length > 0) {
console.warn(`[card-api] WARNING: Missing required environment variables: ${missingVars.join(', ')}. CARD API calls will fail.`);
}
const isConfigured = missingVars.length === 0;
// ---------------------------------------------------------------------------
// Token Manager — OAuth Bearer token with 1-hour TTL
// ---------------------------------------------------------------------------
let cachedToken = null; // { token: string, expiresAt: number (epoch ms) }
function tokenIsValid() {
if (!cachedToken) return false;
// Refresh if within 60 seconds of expiry
return cachedToken.expiresAt - Date.now() > 60_000;
}
function invalidateToken() {
cachedToken = null;
}
/**
* Acquire a new Bearer token from CARD /api/v1/auth/get_token using Basic Auth.
* Caches the token in memory with a 1-hour TTL.
*/
function acquireToken(timeout) {
const authString = Buffer.from(CARD_API_USER + ':' + CARD_API_PASS).toString('base64');
const fullUrl = new URL(CARD_API_URL + '/api/v1/auth/get_token');
const isHttps = fullUrl.protocol === 'https:';
const transport = isHttps ? https : http;
return new Promise((resolve, reject) => {
const reqOptions = {
hostname: fullUrl.hostname,
port: fullUrl.port || (isHttps ? 443 : 80),
path: fullUrl.pathname + fullUrl.search,
method: 'POST',
headers: {
'accept': 'application/json',
'authorization': 'Basic ' + authString,
'content-length': '0',
},
timeout: timeout || 15000,
};
if (isHttps) {
reqOptions.rejectUnauthorized = !CARD_SKIP_TLS;
}
const req = transport.request(reqOptions, (res) => {
let data = '';
res.on('data', (chunk) => { data += chunk; });
res.on('end', () => {
if (res.statusCode < 200 || res.statusCode >= 300) {
return reject(new Error(
`[card-api] Token acquisition failed with HTTP ${res.statusCode}: ${data.substring(0, 500)}`
));
}
// The CARD API returns the token as a JSON string or object.
// Try to parse; fall back to raw body as the token string.
let token;
try {
const parsed = JSON.parse(data);
token = typeof parsed === 'string' ? parsed
: parsed.token || parsed.access_token || data.trim();
} catch (_) {
// Response may be a plain token string (unquoted)
token = data.trim();
}
if (!token) {
return reject(new Error('[card-api] Token parse failure: empty token in response body.'));
}
cachedToken = {
token,
expiresAt: Date.now() + 60 * 60 * 1000, // 1-hour TTL
};
resolve(cachedToken.token);
});
});
req.on('timeout', () => req.destroy(new Error('GET /api/v1/auth/get_token timed out')));
req.on('error', (err) => {
reject(new Error(`[card-api] GET /api/v1/auth/get_token failed: ${err.message}`));
});
req.end();
});
}
/**
* Ensure we have a valid Bearer token, acquiring or refreshing as needed.
*/
async function ensureToken(timeout) {
if (tokenIsValid()) return cachedToken.token;
return acquireToken(timeout);
}
// ---------------------------------------------------------------------------
// Generic request — supports GET and POST with Bearer auth + 401 retry
// ---------------------------------------------------------------------------
async function cardRequest(method, urlPath, body, options) {
const timeout = (options && options.timeout) || 15000;
const skipAuth = (options && options.skipAuth) || false;
async function doRequest(bearerToken) {
const fullUrl = new URL(CARD_API_URL + urlPath);
const isHttps = fullUrl.protocol === 'https:';
const transport = isHttps ? https : http;
const headers = { 'accept': 'application/json' };
if (bearerToken) {
headers['authorization'] = 'Bearer ' + bearerToken;
}
let bodyStr = null;
if (body !== null && body !== undefined) {
bodyStr = JSON.stringify(body);
headers['content-type'] = 'application/json';
headers['content-length'] = Buffer.byteLength(bodyStr);
}
return new Promise((resolve, reject) => {
const reqOptions = {
hostname: fullUrl.hostname,
port: fullUrl.port || (isHttps ? 443 : 80),
path: fullUrl.pathname + fullUrl.search,
method,
headers,
timeout,
};
if (isHttps) {
reqOptions.rejectUnauthorized = !CARD_SKIP_TLS;
}
const req = transport.request(reqOptions, (res) => {
let data = '';
res.on('data', (chunk) => { data += chunk; });
res.on('end', () => resolve({ status: res.statusCode, body: data }));
});
req.on('timeout', () => req.destroy(new Error(`${method} ${urlPath} timed out`)));
req.on('error', (err) => {
reject(new Error(`[card-api] ${method} ${urlPath} failed: ${err.message}`));
});
if (bodyStr) req.write(bodyStr);
req.end();
});
}
// Skip auth for the token endpoint itself
if (skipAuth) {
return doRequest(null);
}
// Normal flow: ensure token → request → retry once on 401
let token = await ensureToken(timeout);
let result = await doRequest(token);
if (result.status === 401) {
// Invalidate and retry exactly once
invalidateToken();
token = await ensureToken(timeout);
result = await doRequest(token);
}
return result;
}
// ---------------------------------------------------------------------------
// Convenience wrappers
// ---------------------------------------------------------------------------
function cardGet(urlPath, options) {
return cardRequest('GET', urlPath, null, options);
}
function cardPost(urlPath, body, options) {
return cardRequest('POST', urlPath, body, options);
}
// ---------------------------------------------------------------------------
// High-level helpers used by the UAT test and routes
// ---------------------------------------------------------------------------
/**
* Test connection by acquiring a token. Returns { ok, token } or { ok, error }.
*/
async function testConnection() {
try {
const token = await acquireToken();
return { ok: true, token: token.substring(0, 12) + '...' };
} catch (err) {
return { ok: false, error: err.message };
}
}
/**
* GET /api/v1/teams — list all CARD teams.
*/
async function getTeams() {
const res = await cardGet('/api/v1/teams');
return { status: res.status, body: res.body, ok: res.status >= 200 && res.status < 300 };
}
/**
* GET /api/v1/team/{teamName}/assets — list assets for a team.
*/
async function getTeamAssets(teamName, { disposition, page, pageSize } = {}) {
const params = new URLSearchParams();
if (disposition) params.set('disposition', disposition);
if (page) params.set('page', String(page));
params.set('page_size', String(pageSize || 50));
const qs = params.toString();
const res = await cardGet(`/api/v1/team/${encodeURIComponent(teamName)}/assets${qs ? '?' + qs : ''}`);
return { status: res.status, body: res.body, ok: res.status >= 200 && res.status < 300 };
}
/**
* GET /api/v1/owner/{assetId} — get owner record including update_token.
*/
async function getOwner(assetId) {
const res = await cardGet(`/api/v1/owner/${encodeURIComponent(assetId)}`);
return { status: res.status, body: res.body, ok: res.status >= 200 && res.status < 300 };
}
/**
* POST /api/v2/owner/{assetId}/confirm — confirm asset to a team.
*/
async function confirmAsset(assetId, teamName, updateToken, comment) {
const params = new URLSearchParams({ update_token: updateToken });
if (comment) params.set('comment', comment);
const res = await cardPost(
`/api/v2/owner/${encodeURIComponent(assetId)}/confirm?${params.toString()}`,
{ name: teamName }
);
return { status: res.status, body: res.body, ok: res.status >= 200 && res.status < 300 };
}
/**
* POST /api/v2/owner/{assetId}/decline — decline asset from a team.
*/
async function declineAsset(assetId, teamName, updateToken, comment) {
const params = new URLSearchParams({ update_token: updateToken });
if (comment) params.set('comment', comment);
const res = await cardPost(
`/api/v2/owner/${encodeURIComponent(assetId)}/decline?${params.toString()}`,
{ name: teamName }
);
return { status: res.status, body: res.body, ok: res.status >= 200 && res.status < 300 };
}
/**
* POST /api/v2/owner/{assetId}/{fromTeam}/redirect — redirect asset between teams.
*/
async function redirectAsset(assetId, fromTeam, toTeam, updateToken) {
const params = new URLSearchParams({ update_token: updateToken });
const res = await cardPost(
`/api/v2/owner/${encodeURIComponent(assetId)}/${encodeURIComponent(fromTeam)}/redirect?${params.toString()}`,
{ name: toTeam }
);
return { status: res.status, body: res.body, ok: res.status >= 200 && res.status < 300 };
}
module.exports = {
isConfigured,
missingVars,
cardRequest,
cardGet,
cardPost,
testConnection,
getTeams,
getTeamAssets,
getOwner,
confirmAsset,
declineAsset,
redirectAsset,
invalidateToken,
};

332
backend/helpers/driftChecker.js Normal file
View File

@@ -0,0 +1,332 @@
// Drift Checker — compares xlsx schema against parser config to detect structural drift
// Returns categorised findings: breaking, silent_miss, cosmetic
const fs = require('fs');
const path = require('path');
/**
* Load and validate the compliance parser configuration file.
* @param {string} configPath — absolute or relative path to compliance_config.json
* @returns {object} parsed config with metric_categories, core_cols, skip_sheets
* @throws {Error} descriptive error if file missing, invalid JSON, or missing required keys
*/
function loadConfig(configPath) {
let raw;
try {
raw = fs.readFileSync(configPath, 'utf8');
} catch (err) {
if (err.code === 'ENOENT') {
throw new Error(`Configuration file not found: ${configPath}`);
}
throw new Error(`Failed to read configuration file: ${err.message}`);
}
let config;
try {
config = JSON.parse(raw);
} catch (err) {
throw new Error(`Configuration file contains invalid JSON: ${err.message}`);
}
if (!config.metric_categories || typeof config.metric_categories !== 'object' || Array.isArray(config.metric_categories)) {
throw new Error('Configuration file is missing required key "metric_categories" (must be an object)');
}
if (!Array.isArray(config.core_cols)) {
throw new Error('Configuration file is missing required key "core_cols" (must be an array)');
}
if (!Array.isArray(config.skip_sheets)) {
throw new Error('Configuration file is missing required key "skip_sheets" (must be an array)');
}
return config;
}
/**
* Compare an xlsx schema against the parser config and produce a drift report.
* @param {object} schema — output of extract_xlsx_schema.py: { sheets: [{ name, columns, metric_values? }] }
* @param {object} config — parsed compliance_config.json: { metric_categories, core_cols, skip_sheets }
* @returns {{ breaking: Array, silent_miss: Array, cosmetic: Array }}
*/
function compareSchemaToDrift(schema, config) {
const breaking = [];
const silent_miss = [];
const cosmetic = [];
const metricCategoryKeys = new Set(Object.keys(config.metric_categories));
const coreCols = new Set(config.core_cols);
const skipSheets = new Set(config.skip_sheets);
// Build lookup of xlsx sheet names and find the Summary sheet
const xlsxSheetNames = new Set();
let summarySheet = null;
for (const sheet of schema.sheets) {
xlsxSheetNames.add(sheet.name);
if (sheet.name === 'Summary') {
summarySheet = sheet;
}
}
// Identify detail sheets: present in xlsx AND not in skip_sheets
const detailSheets = schema.sheets.filter(s => !skipSheets.has(s.name));
// Build set of metric values from the Summary sheet (used by multiple rules)
const summaryMetrics = new Set(
(summarySheet && Array.isArray(summarySheet.metric_values)) ? summarySheet.metric_values : []
);
// --- Breaking rules ---
// Missing core column: a detail sheet is missing a column from core_cols.
// Collect per-column stats first, then classify: if a column is missing from
// ALL detail sheets it's breaking. If missing from only some (e.g. 5.8.1 uses
// CMDB columns), it's cosmetic — the parser handles it via extra_json.
const coreColMissingMap = {}; // col -> [sheet names missing it]
for (const sheet of detailSheets) {
const sheetCols = new Set(sheet.columns || []);
for (const coreCol of config.core_cols) {
if (!sheetCols.has(coreCol)) {
if (!coreColMissingMap[coreCol]) coreColMissingMap[coreCol] = [];
coreColMissingMap[coreCol].push(sheet.name);
}
}
}
for (const coreCol of Object.keys(coreColMissingMap)) {
const missingSheets = coreColMissingMap[coreCol];
if (detailSheets.length > 0 && missingSheets.length >= detailSheets.length) {
// Missing from ALL detail sheets — genuinely breaking
breaking.push({
severity: 'breaking',
message: `Core column "${coreCol}" is missing from all ${detailSheets.length} detail sheet(s)`,
value: coreCol,
sheet: null
});
} else {
// Missing from some sheets — structural difference, not drift
cosmetic.push({
severity: 'cosmetic',
message: `Core column "${coreCol}" is missing from ${missingSheets.length} of ${detailSheets.length} detail sheet(s): ${missingSheets.join(', ')}`,
value: coreCol,
sheet: null
});
}
}
// Missing detail sheet: a sheet in metric_categories (not in skip_sheets) is absent from xlsx.
// If the metric still appears in the Summary's metric_values, it's tracked but has zero
// violations this week — downgrade to cosmetic instead of breaking.
for (const metricKey of metricCategoryKeys) {
if (!skipSheets.has(metricKey) && !xlsxSheetNames.has(metricKey)) {
if (summaryMetrics.has(metricKey)) {
cosmetic.push({
severity: 'cosmetic',
message: `Metric "${metricKey}" has no detail sheet this week — still tracked in Summary (zero violations)`,
value: metricKey,
sheet: null
});
} else {
breaking.push({
severity: 'breaking',
message: `Expected detail sheet "${metricKey}" (metric category) is missing from the workbook`,
value: metricKey,
sheet: null
});
}
}
}
// --- Silent-miss rules ---
// Unknown metric value: a metric value in Summary is not a key in metric_categories
if (summarySheet && Array.isArray(summarySheet.metric_values)) {
for (const metricVal of summarySheet.metric_values) {
if (!metricCategoryKeys.has(metricVal)) {
silent_miss.push({
severity: 'silent_miss',
message: `Unknown metric "${metricVal}" in Summary — not in metric_categories`,
value: metricVal,
sheet: 'Summary'
});
}
}
}
// Unknown sheet: an xlsx sheet not in skip_sheets and not in metric_categories
for (const sheet of schema.sheets) {
if (!skipSheets.has(sheet.name) && !metricCategoryKeys.has(sheet.name)) {
silent_miss.push({
severity: 'silent_miss',
message: `Unknown sheet "${sheet.name}" — not in skip_sheets or metric_categories`,
value: sheet.name,
sheet: sheet.name
});
}
}
// --- Cosmetic rules ---
// New column in detail sheet: a detail sheet has columns not in core_cols
for (const sheet of detailSheets) {
for (const col of (sheet.columns || [])) {
if (!coreCols.has(col)) {
cosmetic.push({
severity: 'cosmetic',
message: `New column "${col}" in sheet "${sheet.name}" — will be captured in extra_json`,
value: col,
sheet: sheet.name
});
}
}
}
// Stale metric category: a key in metric_categories not in Summary metric values
for (const metricKey of metricCategoryKeys) {
if (!summaryMetrics.has(metricKey)) {
cosmetic.push({
severity: 'cosmetic',
message: `Stale metric category "${metricKey}" — not found in Summary sheet metric values`,
value: metricKey,
sheet: null
});
}
}
return { breaking, silent_miss, cosmetic };
}
/**
* Reconcile the parser config to resolve breaking drift findings.
*
* Breaking — "missing detail sheet":
* A metric_categories key has no matching xlsx sheet. But if the metric
* still appears in the Summary sheet's metric_values, it's a legitimate
* tracked metric that simply doesn't have violations this week — keep it.
* Only remove metrics absent from BOTH the xlsx sheets AND the Summary.
*
* Breaking — "missing core column":
* A core_cols entry is absent from one or more detail sheets. Only remove
* if the column is missing from ALL detail sheets (some sheets like 5.8.1
* have a completely different column structure and shouldn't cause removal).
*
* Silent-miss — "unknown metric":
* A metric value in the Summary is not in metric_categories. Add it as 'Other'.
*
* Silent-miss — "unknown sheet":
* Left as a warning. Auto-adding unknown sheets creates a reconcile loop.
*
* @param {string} configPath — path to compliance_config.json
* @param {object} driftReport — the drift report from compareSchemaToDrift()
* @param {object} [schema] — optional xlsx schema (with sheets[].name and Summary metric_values)
* @returns {{ changes: Array<{ action: string, key: string, value: string }>, config: object }}
*/
function reconcileConfig(configPath, driftReport, schema) {
const config = loadConfig(configPath);
const changes = [];
// Build a set of metric values from the Summary sheet (if schema provided)
const summaryMetrics = new Set();
if (schema && Array.isArray(schema.sheets)) {
const summarySheet = schema.sheets.find(function(s) { return s.name === 'Summary'; });
if (summarySheet && Array.isArray(summarySheet.metric_values)) {
summarySheet.metric_values.forEach(function(v) { summaryMetrics.add(v); });
}
}
// Build a set of xlsx sheet names (if schema provided)
const xlsxSheetNames = new Set();
if (schema && Array.isArray(schema.sheets)) {
schema.sheets.forEach(function(s) { xlsxSheetNames.add(s.name); });
}
// Count how many detail sheets exist in the xlsx (excluding skip_sheets)
const skipSheets = new Set(config.skip_sheets);
const detailSheetCount = schema
? schema.sheets.filter(function(s) { return !skipSheets.has(s.name); }).length
: 0;
// --- Resolve breaking findings ---
for (const finding of (driftReport.breaking || [])) {
// Missing detail sheet: remove from metric_categories ONLY if the metric
// is also absent from the Summary's metric_values. If it's in the Summary,
// it's still a tracked metric — the sheet just has zero violations this week.
if (finding.message.includes('is missing from the workbook') && finding.value in config.metric_categories) {
if (summaryMetrics.has(finding.value)) {
// Metric is in the Summary — keep it, just note it's sheet-less this week
changes.push({
action: 'kept',
key: 'metric_categories',
value: finding.value,
detail: `Kept metric "${finding.value}" — no detail sheet this week but still tracked in Summary`
});
} else {
const oldCategory = config.metric_categories[finding.value];
delete config.metric_categories[finding.value];
changes.push({
action: 'removed',
key: 'metric_categories',
value: finding.value,
detail: `Removed stale metric category "${finding.value}" (was "${oldCategory}") — absent from both workbook sheets and Summary`
});
}
}
// Missing core column: only remove if the column is missing from ALL detail sheets.
// Some sheets (e.g. 5.8.1 with CMDB columns) have a completely different structure
// and shouldn't cause removal of columns that exist in most other sheets.
if (finding.message.includes('is missing core column') && config.core_cols.includes(finding.value)) {
if (!changes.some(function(c) { return c.key === 'core_cols' && c.value === finding.value; })) {
const missingFromCount = (driftReport.breaking || []).filter(
function(f) { return f.message.includes('is missing core column') && f.value === finding.value; }
).length;
if (detailSheetCount > 0 && missingFromCount >= detailSheetCount) {
// Missing from ALL detail sheets — safe to remove
config.core_cols = config.core_cols.filter(function(c) { return c !== finding.value; });
changes.push({
action: 'removed',
key: 'core_cols',
value: finding.value,
detail: `Removed core column "${finding.value}" — missing from all ${detailSheetCount} detail sheet(s)`
});
} else {
// Missing from some sheets but present in others — keep it
changes.push({
action: 'kept',
key: 'core_cols',
value: finding.value,
detail: `Kept core column "${finding.value}" — missing from ${missingFromCount} of ${detailSheetCount} detail sheet(s)`
});
}
}
}
}
// --- Resolve silent-miss findings ---
for (const finding of (driftReport.silent_miss || [])) {
// Unknown metric in Summary: add to metric_categories as 'Other'
if (finding.message.includes('not in metric_categories') && !(finding.value in config.metric_categories)) {
config.metric_categories[finding.value] = 'Other';
changes.push({
action: 'added',
key: 'metric_categories',
value: finding.value,
detail: `Added new metric "${finding.value}" to metric_categories as "Other"`
});
}
// Unknown sheet: left as a warning — auto-adding creates a reconcile loop.
}
// Only write if there were actual config mutations (not just 'kept' entries)
const hasMutations = changes.some(function(c) { return c.action !== 'kept'; });
if (hasMutations) {
fs.writeFileSync(configPath, JSON.stringify(config, null, 2) + '\n', 'utf8');
}
return { changes, config };
}
module.exports = { compareSchemaToDrift, loadConfig, reconcileConfig };

154
backend/helpers/ivantiApi.js Normal file
View File

@@ -0,0 +1,154 @@
// Shared Ivanti / RiskSense API helpers
// Centralizes HTTP calls so ivantiWorkflows.js, ivantiFindings.js, and
// ivantiFpWorkflow.js all use the same implementation.
const https = require('https');
const IVANTI_URL_BASE = 'https://platform4.risksense.com/api/v1';
// ---------------------------------------------------------------------------
// JSON POST — used for search, workflow creation, etc.
// ---------------------------------------------------------------------------
function ivantiPost(urlPath, body, apiKey, skipTls) {
const bodyStr = JSON.stringify(body);
const fullUrl = new URL(IVANTI_URL_BASE + urlPath);
return new Promise((resolve, reject) => {
const options = {
hostname: fullUrl.hostname,
path: fullUrl.pathname + fullUrl.search,
method: 'POST',
headers: {
'accept': '*/*',
'content-type': 'application/json',
'x-api-key': apiKey,
'x-http-client-type': 'browser',
'content-length': Buffer.byteLength(bodyStr)
},
rejectUnauthorized: !skipTls,
timeout: 15000
};
const req = https.request(options, (res) => {
let data = '';
res.on('data', (chunk) => { data += chunk; });
res.on('end', () => resolve({ status: res.statusCode, body: data }));
});
req.on('timeout', () => req.destroy(new Error('Request timed out')));
req.on('error', reject);
req.write(bodyStr);
req.end();
});
}
// ---------------------------------------------------------------------------
// Multipart POST — used for file attachment uploads.
// Constructs multipart/form-data manually using Node's https module.
// ---------------------------------------------------------------------------
function ivantiMultipartPost(urlPath, fileBuffer, fileName, apiKey, skipTls) {
const boundary = '----IvantiUpload' + Date.now().toString(36) + Math.random().toString(36).slice(2);
const fullUrl = new URL(IVANTI_URL_BASE + urlPath);
// Build multipart body
const preamble = Buffer.from(
`--${boundary}\r\n` +
`Content-Disposition: form-data; name="file"; filename="${fileName}"\r\n` +
`Content-Type: application/octet-stream\r\n\r\n`
);
const epilogue = Buffer.from(`\r\n--${boundary}--\r\n`);
const bodyBuffer = Buffer.concat([preamble, fileBuffer, epilogue]);
return new Promise((resolve, reject) => {
const options = {
hostname: fullUrl.hostname,
path: fullUrl.pathname + fullUrl.search,
method: 'POST',
headers: {
'accept': '*/*',
'content-type': `multipart/form-data; boundary=${boundary}`,
'x-api-key': apiKey,
'x-http-client-type': 'browser',
'content-length': bodyBuffer.length
},
rejectUnauthorized: !skipTls,
timeout: 30000
};
const req = https.request(options, (res) => {
let data = '';
res.on('data', (chunk) => { data += chunk; });
res.on('end', () => resolve({ status: res.statusCode, body: data }));
});
req.on('timeout', () => req.destroy(new Error('Request timed out')));
req.on('error', reject);
req.write(bodyBuffer);
req.end();
});
}
// ---------------------------------------------------------------------------
// Multipart form POST — used for endpoints that accept mixed form fields + files.
// fields: array of { name, value } for text form fields
// files: array of { name, buffer, filename } for file uploads
// ---------------------------------------------------------------------------
function ivantiFormPost(urlPath, fields, files, apiKey, skipTls) {
const boundary = '----IvantiForm' + Date.now().toString(36) + Math.random().toString(36).slice(2);
const fullUrl = new URL(IVANTI_URL_BASE + urlPath);
const parts = [];
// Text fields
for (const { name, value } of fields) {
parts.push(Buffer.from(
`--${boundary}\r\n` +
`Content-Disposition: form-data; name="${name}"\r\n\r\n` +
`${value}\r\n`
));
}
// File fields
for (const { name, buffer, filename, contentType } of files) {
parts.push(Buffer.from(
`--${boundary}\r\n` +
`Content-Disposition: form-data; name="${name}"; filename="${filename}"\r\n` +
`Content-Type: ${contentType || 'application/octet-stream'}\r\n\r\n`
));
parts.push(buffer);
parts.push(Buffer.from('\r\n'));
}
parts.push(Buffer.from(`--${boundary}--\r\n`));
const bodyBuffer = Buffer.concat(parts);
return new Promise((resolve, reject) => {
const options = {
hostname: fullUrl.hostname,
path: fullUrl.pathname + fullUrl.search,
method: 'POST',
headers: {
'accept': '*/*',
'content-type': `multipart/form-data; boundary=${boundary}`,
'x-api-key': apiKey,
'x-http-client-type': 'browser',
'content-length': bodyBuffer.length
},
rejectUnauthorized: !skipTls,
timeout: 60000
};
const req = https.request(options, (res) => {
let data = '';
res.on('data', (chunk) => { data += chunk; });
res.on('end', () => resolve({ status: res.statusCode, body: data }));
});
req.on('timeout', () => req.destroy(new Error('Request timed out')));
req.on('error', reject);
req.write(bodyBuffer);
req.end();
});
}
module.exports = { IVANTI_URL_BASE, ivantiPost, ivantiMultipartPost, ivantiFormPost };

453
backend/helpers/jiraApi.js Normal file
View File

@@ -0,0 +1,453 @@
// Shared Jira Data Center REST API helpers
// Centralizes HTTP calls for Jira issue operations.
// Follows the same promise-based pattern as atlasApi.js and ivantiApi.js.
//
// =========================================================================
// Charter Jira REST API Compliance
// =========================================================================
// Authentication:
// - Service accounts use Basic Auth (required for shared integrations).
// - PATs require ATLSUP approval and naming convention:
// Function - Team - Approved ATLSUP ticket
// - SSO must NOT be used for REST API integrations.
//
// Rate limiting (Charter-posted):
// - 1 440 requests/day max
// - Burst cap of 60 requests/minute (accumulates 1 req/idle minute)
// - 429 response when limits are hit server-side
//
// Automation delays (Charter requirement):
// - 1 second delay between GET requests
// - 2 second delay between PUT, POST, or DELETE requests
//
// Forbidden patterns:
// - /rest/api/2/field — must specify fields explicitly in every call
// - /rest/api/2/issue/bulk — bulk updates are not allowed
// - Single-issue GET loops — use bulk JQL search instead
//
// Required patterns:
// - All GET requests MUST include a ?fields= parameter
// - JQL MUST include at least one of: project+updated, assignee+updated,
// status+updated
// - JQL should use &updated>=-Xh to only fetch changed issues
// - maxResults=1000 for search queries
// - Issues must be updated one at a time (no bulk PUT)
// =========================================================================
const https = require('https');
const http = require('http');
// ---------------------------------------------------------------------------
// Configuration — read from process.env at module load
// ---------------------------------------------------------------------------
const JIRA_BASE_URL = process.env.JIRA_BASE_URL || '';
const JIRA_AUTH_METHOD = (process.env.JIRA_AUTH_METHOD || 'basic').toLowerCase();
const JIRA_API_USER = process.env.JIRA_API_USER || '';
const JIRA_API_TOKEN = process.env.JIRA_API_TOKEN || '';
const JIRA_PAT = process.env.JIRA_PAT || '';
const JIRA_SKIP_TLS = process.env.JIRA_SKIP_TLS === 'true';
const JIRA_PROJECT_KEY = process.env.JIRA_PROJECT_KEY || '';
const JIRA_ISSUE_TYPE = process.env.JIRA_ISSUE_TYPE || 'Task';
const requiredVars = JIRA_AUTH_METHOD === 'pat'
? ['JIRA_BASE_URL', 'JIRA_PAT']
: ['JIRA_BASE_URL', 'JIRA_API_USER', 'JIRA_API_TOKEN'];
const missingVars = requiredVars.filter((v) => !process.env[v]);
if (missingVars.length > 0) {
console.warn(`[jira-api] WARNING: Missing required environment variables: ${missingVars.join(', ')}. Jira API calls will fail.`);
}
const isConfigured = missingVars.length === 0;
// ---------------------------------------------------------------------------
// Default fields — every GET must specify fields explicitly.
// /rest/api/2/field is forbidden; we define the field list here.
// ---------------------------------------------------------------------------
const DEFAULT_FIELDS = [
'summary', 'status', 'assignee', 'created', 'updated',
'priority', 'issuetype', 'project', 'resolution'
];
// ---------------------------------------------------------------------------
// Rate limiter — enforces Charter's posted limits
// 1 440 events/day, burst of 60 events/minute
// ---------------------------------------------------------------------------
const DAILY_LIMIT = 1440;
const BURST_LIMIT = 60;
const MINUTE_MS = 60 * 1000;
const DAY_MS = 24 * 60 * 60 * 1000;
let dailyLog = [];
let minuteLog = [];
function pruneLog(log, windowMs) {
const cutoff = Date.now() - windowMs;
while (log.length > 0 && log[0] < cutoff) {
log.shift();
}
}
function checkRateLimit() {
pruneLog(dailyLog, DAY_MS);
pruneLog(minuteLog, MINUTE_MS);
if (dailyLog.length >= DAILY_LIMIT) {
return { allowed: false, reason: `Daily Jira API limit reached (${DAILY_LIMIT}/day). Resets at midnight.` };
}
if (minuteLog.length >= BURST_LIMIT) {
return { allowed: false, reason: `Burst Jira API limit reached (${BURST_LIMIT}/min). Wait and retry.` };
}
return { allowed: true };
}
function recordRequest() {
const now = Date.now();
dailyLog.push(now);
minuteLog.push(now);
}
/**
* Return current rate limit usage for diagnostics.
*/
function getRateLimitStatus() {
pruneLog(dailyLog, DAY_MS);
pruneLog(minuteLog, MINUTE_MS);
return {
daily: { used: dailyLog.length, limit: DAILY_LIMIT, remaining: DAILY_LIMIT - dailyLog.length },
burst: { used: minuteLog.length, limit: BURST_LIMIT, remaining: BURST_LIMIT - minuteLog.length }
};
}
// ---------------------------------------------------------------------------
// Inter-request delay — Charter automation requirements
// 1s between GETs, 2s between PUT/POST/DELETE
// ---------------------------------------------------------------------------
const GET_DELAY_MS = 1000;
const WRITE_DELAY_MS = 2000;
let lastRequestTime = 0;
let lastRequestMethod = '';
/**
* Wait the required delay before issuing the next request.
* GET → 1s, PUT/POST/DELETE → 2s since the previous request.
*/
function waitForDelay(method) {
const now = Date.now();
const requiredDelay = (lastRequestMethod === 'GET') ? GET_DELAY_MS
: (lastRequestMethod !== '') ? WRITE_DELAY_MS : 0;
const elapsed = now - lastRequestTime;
const remaining = requiredDelay - elapsed;
if (remaining > 0) {
return new Promise(resolve => setTimeout(resolve, remaining));
}
return Promise.resolve();
}
// ---------------------------------------------------------------------------
// Blocked endpoint guard
// ---------------------------------------------------------------------------
const BLOCKED_PATHS = [
'/rest/api/2/field', // Must specify fields in call, not query field list
'/rest/api/2/issue/bulk', // Bulk updates are not allowed
];
function isBlockedPath(urlPath) {
return BLOCKED_PATHS.some(blocked => urlPath.startsWith(blocked));
}
// ---------------------------------------------------------------------------
// Generic request — supports GET, POST, PUT, DELETE
// Enforces rate limits, inter-request delays, and blocked-path guards.
// ---------------------------------------------------------------------------
async function jiraRequest(method, urlPath, body, options) {
// Block forbidden endpoints
if (isBlockedPath(urlPath)) {
return Promise.reject(new Error(`Blocked: ${urlPath} is not allowed per Charter Jira API policy.`));
}
const limit = checkRateLimit();
if (!limit.allowed) {
return Promise.reject(new Error(limit.reason));
}
// Enforce inter-request delay
await waitForDelay(method);
const timeout = (options && options.timeout) || 15000;
const fullUrl = new URL(JIRA_BASE_URL + urlPath);
const isHttps = fullUrl.protocol === 'https:';
const transport = isHttps ? https : http;
const headers = {
'accept': 'application/json'
};
// Auth header
if (JIRA_AUTH_METHOD === 'pat') {
headers['authorization'] = 'Bearer ' + JIRA_PAT;
} else {
const authString = Buffer.from(JIRA_API_USER + ':' + JIRA_API_TOKEN).toString('base64');
headers['authorization'] = 'Basic ' + authString;
}
let bodyStr = null;
if (body !== null && body !== undefined) {
bodyStr = JSON.stringify(body);
headers['content-type'] = 'application/json';
headers['content-length'] = Buffer.byteLength(bodyStr);
}
recordRequest();
lastRequestTime = Date.now();
lastRequestMethod = method;
return new Promise((resolve, reject) => {
const reqOptions = {
hostname: fullUrl.hostname,
port: fullUrl.port || (isHttps ? 443 : 80),
path: fullUrl.pathname + fullUrl.search,
method: method,
headers: headers,
timeout: timeout
};
if (isHttps) {
reqOptions.rejectUnauthorized = !JIRA_SKIP_TLS;
}
const req = transport.request(reqOptions, (res) => {
let data = '';
res.on('data', (chunk) => { data += chunk; });
res.on('end', () => {
if (res.statusCode === 429) {
resolve({ status: 429, body: data, rateLimited: true });
} else {
resolve({ status: res.statusCode, body: data });
}
});
});
req.on('timeout', () => req.destroy(new Error(method + ' ' + urlPath + ' timed out')));
req.on('error', (err) => {
reject(new Error(method + ' ' + urlPath + ' failed: ' + err.message));
});
if (bodyStr) {
req.write(bodyStr);
}
req.end();
});
}
// ---------------------------------------------------------------------------
// Convenience wrappers
// ---------------------------------------------------------------------------
function jiraGet(urlPath, options) {
return jiraRequest('GET', urlPath, null, options);
}
function jiraPost(urlPath, body, options) {
return jiraRequest('POST', urlPath, body, options);
}
function jiraPut(urlPath, body, options) {
return jiraRequest('PUT', urlPath, body, options);
}
function jiraDelete(urlPath, options) {
return jiraRequest('DELETE', urlPath, null, options);
}
// ---------------------------------------------------------------------------
// High-level Jira operations — all comply with Charter requirements
// ---------------------------------------------------------------------------
/**
* Fetch a single issue by key using a GET with explicit ?fields= parameter.
* Charter requires all GETs to specify fields — /rest/api/2/field is forbidden.
*
* NOTE: For syncing multiple tickets, prefer searchIssuesByKeys() which uses
* a single bulk JQL search instead of one GET per issue.
*
* @param {string} issueKey - e.g. "VULN-123"
* @param {string[]} [fields] - Jira field names to return
*/
async function getIssue(issueKey, fields) {
const jql = `key = "${issueKey}" AND project = ${JIRA_PROJECT_KEY}`;
const result = await searchIssues(jql, { fields: fields || DEFAULT_FIELDS, maxResults: 1, startAt: 0 });
if (result.ok && result.data.issues && result.data.issues.length > 0) {
return { ok: true, data: result.data.issues[0] };
}
if (result.ok && (!result.data.issues || result.data.issues.length === 0)) {
return { ok: false, status: 404, body: 'Issue not found' };
}
return result;
}
/**
* Bulk-fetch issues by their keys using a single JQL search.
* This is the Charter-compliant way to sync multiple tickets — avoids
* querying one issue at a time.
*
* @param {string[]} issueKeys - Array of Jira issue keys
* @param {object} [opts] - { fields, maxResults }
*/
async function searchIssuesByKeys(issueKeys, opts) {
if (!issueKeys || issueKeys.length === 0) {
return { ok: true, data: { total: 0, issues: [] } };
}
// Build JQL: key in (KEY-1, KEY-2, ...) — Charter requires project+updated
// or similar, but key-based search is inherently scoped. We add updated
// clause for compliance.
const keyList = issueKeys.map(k => `"${k}"`).join(', ');
const jql = `key in (${keyList}) AND updated >= -72h AND project = ${JIRA_PROJECT_KEY}`;
const fields = (opts && opts.fields) || DEFAULT_FIELDS;
const maxResults = Math.min((opts && opts.maxResults) || 1000, 1000);
return searchIssues(jql, { fields, maxResults, startAt: 0 });
}
/**
* Search issues via JQL (POST to /rest/api/2/search).
* Charter requirements enforced:
* - fields array is always specified (never omitted)
* - maxResults capped at 1000
*
* The caller is responsible for including an &updated clause in the JQL
* for recurring/scheduled queries.
*
* @param {string} jql - JQL query string
* @param {object} [opts] - { startAt, maxResults, fields }
*/
async function searchIssues(jql, opts) {
const startAt = (opts && opts.startAt) || 0;
const maxResults = Math.min((opts && opts.maxResults) || 1000, 1000);
const fields = (opts && opts.fields) || DEFAULT_FIELDS;
const fieldList = encodeURIComponent(fields.join(','));
const encodedJql = encodeURIComponent(jql);
const queryString = `?jql=${encodedJql}&fields=${fieldList}&maxResults=${maxResults}&startAt=${startAt}`;
const res = await jiraGet('/rest/api/2/search' + queryString);
if (res.status === 200) {
return { ok: true, data: JSON.parse(res.body) };
}
return { ok: false, status: res.status, body: res.body, rateLimited: res.rateLimited };
}
/**
* Create a new Jira issue (POST, subject to 2s delay).
* @param {object} fields - Jira issue fields object
*/
async function createIssue(fields) {
const res = await jiraPost('/rest/api/2/issue', { fields });
if (res.status === 201) {
return { ok: true, data: JSON.parse(res.body) };
}
return { ok: false, status: res.status, body: res.body, rateLimited: res.rateLimited };
}
/**
* Update a single Jira issue (PUT, subject to 2s delay).
* Charter forbids bulk updates — issues must be updated one at a time.
* @param {string} issueKey
* @param {object} fields - Fields to update
*/
async function updateIssue(issueKey, fields) {
const res = await jiraPut(
`/rest/api/2/issue/${encodeURIComponent(issueKey)}`,
{ fields }
);
// Jira returns 204 on successful update
if (res.status === 204) {
return { ok: true };
}
return { ok: false, status: res.status, body: res.body, rateLimited: res.rateLimited };
}
/**
* Add a comment to an existing issue (POST, subject to 2s delay).
*/
async function addComment(issueKey, commentBody) {
const res = await jiraPost(
`/rest/api/2/issue/${encodeURIComponent(issueKey)}/comment`,
{ body: commentBody }
);
if (res.status === 201) {
return { ok: true, data: JSON.parse(res.body) };
}
return { ok: false, status: res.status, body: res.body, rateLimited: res.rateLimited };
}
/**
* Transition an issue to a new status (POST, subject to 2s delay).
* @param {string} issueKey
* @param {string} transitionId
*/
async function transitionIssue(issueKey, transitionId) {
const res = await jiraPost(
`/rest/api/2/issue/${encodeURIComponent(issueKey)}/transitions`,
{ transition: { id: transitionId } }
);
if (res.status === 204) {
return { ok: true };
}
return { ok: false, status: res.status, body: res.body, rateLimited: res.rateLimited };
}
/**
* Get available transitions for an issue.
* Uses GET with explicit fields parameter (transitions endpoint returns
* transitions by default, but we include the query param for compliance).
*/
async function getTransitions(issueKey) {
const res = await jiraGet(
`/rest/api/2/issue/${encodeURIComponent(issueKey)}/transitions`
);
if (res.status === 200) {
return { ok: true, data: JSON.parse(res.body) };
}
return { ok: false, status: res.status, body: res.body, rateLimited: res.rateLimited };
}
/**
* Test connectivity — calls /rest/api/2/myself to verify credentials.
* This is a lightweight GET that returns the authenticated user.
*/
async function testConnection() {
try {
const res = await jiraGet('/rest/api/2/myself');
if (res.status === 200) {
const user = JSON.parse(res.body);
return { ok: true, user: { name: user.name, displayName: user.displayName, emailAddress: user.emailAddress } };
}
return { ok: false, status: res.status, body: res.body };
} catch (err) {
return { ok: false, error: err.message };
}
}
module.exports = {
isConfigured,
jiraRequest,
jiraGet,
jiraPost,
jiraPut,
jiraDelete,
getIssue,
searchIssuesByKeys,
searchIssues,
createIssue,
updateIssue,
addComment,
transitionIssue,
getTransitions,
testConnection,
getRateLimitStatus,
DEFAULT_FIELDS,
JIRA_PROJECT_KEY,
JIRA_ISSUE_TYPE
};

26
backend/helpers/teams.js Normal file
View File

@@ -0,0 +1,26 @@
// Shared BU team constants and validation
// Used by user management routes, auth middleware, and frontend-facing endpoints.
const KNOWN_TEAMS = ['STEAM', 'ACCESS-ENG', 'ACCESS-OPS', 'INTELDEV'];
/**
* Parse and validate a comma-separated teams string.
* @param {string} teamsString - Comma-separated team identifiers (e.g. 'STEAM,ACCESS-ENG')
* @returns {{ valid: boolean, teams: string[], invalid: string[] }}
*/
function validateTeams(teamsString) {
if (!teamsString || typeof teamsString !== 'string' || teamsString.trim() === '') {
return { valid: true, teams: [], invalid: [] };
}
const teams = teamsString.split(',').map(t => t.trim()).filter(Boolean);
const invalid = teams.filter(t => !KNOWN_TEAMS.includes(t));
return {
valid: invalid.length === 0,
teams,
invalid
};
}
module.exports = { KNOWN_TEAMS, validateTeams };

295
backend/helpers/vclHelpers.js Normal file
View File

@@ -0,0 +1,295 @@
// Pure helper functions for VCL Compliance Reporting
// No database dependencies — all functions are stateless and testable in isolation.
/**
* Truncates text to maxLen characters with an ellipsis.
* Returns '' for null/undefined input.
*/
function truncateText(text, maxLen = 80) {
if (text == null) return '';
if (text.length <= maxLen) return text;
return text.slice(0, maxLen) + '\u2026';
}
/**
* Validates that a remediation plan does not exceed 2000 characters.
* Null/undefined/empty values are considered valid (no plan documented).
*/
function validateRemediationPlan(text) {
if (text == null || text === '') return { valid: true };
if (text.length > 2000) return { valid: false, error: 'Remediation plan exceeds 2000 characters' };
return { valid: true };
}
/**
* Returns true only for strings parseable as real calendar dates.
* Rejects null, undefined, empty string, and invalid dates like "2026-02-30".
*/
function isValidDateString(str) {
if (str == null || str === '') return false;
if (typeof str !== 'string') return false;
// Expect YYYY-MM-DD format
const match = str.match(/^(\d{4})-(\d{2})-(\d{2})$/);
if (!match) return false;
const year = parseInt(match[1], 10);
const month = parseInt(match[2], 10);
const day = parseInt(match[3], 10);
// Month must be 1-12
if (month < 1 || month > 12) return false;
// Create date and verify components match (catches invalid days like Feb 30)
const date = new Date(year, month - 1, day);
return (
date.getFullYear() === year &&
date.getMonth() === month - 1 &&
date.getDate() === day
);
}
/**
* Formats a decimal as a whole-number percentage string.
* Returns '0%' for null, undefined, or NaN input.
*/
function formatPct(decimal) {
if (decimal == null || isNaN(decimal)) return '0%';
return Math.round(decimal * 100) + '%';
}
/**
* Computes VCL summary statistics from an array of device objects.
* Each item should have at least { is_compliant: boolean, in_scope: boolean }.
*/
function computeVCLStats(items, targetPct) {
const total = items.length;
const in_scope = items.filter(item => item.in_scope).length;
const compliant = items.filter(item => item.is_compliant).length;
const non_compliant = in_scope - compliant;
const remediations_required = non_compliant;
const compliance_pct = in_scope > 0 ? Math.round((compliant / in_scope) * 100) : 0;
return {
total,
in_scope,
compliant,
non_compliant,
remediations_required,
compliance_pct,
target_pct: targetPct,
};
}
/**
* Partitions non-compliant items into "blocked" (no resolution_date) and
* "in_progress" (resolution_date set). Returns counts and percentages.
*/
function categorizeNonCompliant(items) {
const total = items.length;
const blocked = items.filter(item => item.resolution_date == null);
const in_progress = items.filter(item => item.resolution_date != null);
return {
blocked: {
count: blocked.length,
pct: total > 0 ? Math.round((blocked.length / total) * 100) : 0,
},
in_progress: {
count: in_progress.length,
pct: total > 0 ? Math.round((in_progress.length / total) * 100) : 0,
},
};
}
/**
* Sorts verticals by non_compliant count in descending order.
* Returns a new sorted array (does not mutate input).
*/
function rankHeavyHitters(verticalData) {
return [...verticalData].sort((a, b) => b.non_compliant - a.non_compliant);
}
/**
* Buckets non-compliant items by resolution_date month (YYYY-MM).
* Items with null resolution_date are skipped.
* Returns an object like { '2026-05': 3, '2026-06': 7 }.
*/
function computeForecastBurndown(items) {
const buckets = {};
for (const item of items) {
if (item.resolution_date == null) continue;
const dateStr = typeof item.resolution_date === 'string'
? item.resolution_date
: item.resolution_date.toISOString().slice(0, 10);
const month = dateStr.slice(0, 7); // YYYY-MM
buckets[month] = (buckets[month] || 0) + 1;
}
return buckets;
}
/**
* Matches uploaded rows to existing hostnames.
* Returns { matched: [...], unmatched: [...] }.
*/
function matchByHostname(uploadedRows, existingHostnames) {
const matched = [];
const unmatched = [];
for (const row of uploadedRows) {
if (existingHostnames.has(row.hostname)) {
matched.push(row);
} else {
unmatched.push(row);
}
}
return { matched, unmatched };
}
/**
* Compares uploaded row values against current DB values.
* currentData is a Map of hostname -> { resolution_date, remediation_plan, notes }.
* Returns array of { hostname, status: 'changed'|'unchanged', fields: { fieldName: { old, new } } }.
*/
function computeBulkDiff(matchedRows, currentData) {
const results = [];
const COMPARE_FIELDS = ['resolution_date', 'remediation_plan', 'notes'];
for (const row of matchedRows) {
const current = currentData.get(row.hostname) || {};
const fields = {};
let hasChange = false;
for (const field of COMPARE_FIELDS) {
if (field in row) {
const oldVal = current[field] != null ? current[field] : null;
const newVal = row[field] != null ? row[field] : null;
if (oldVal !== newVal) {
fields[field] = { old: oldVal, new: newVal };
hasChange = true;
}
}
}
results.push({
hostname: row.hostname,
status: hasChange ? 'changed' : 'unchanged',
fields,
});
}
return results;
}
/**
* Maps column header strings to known field names (case-insensitive).
* Returns a mapping object like { hostname: 0, resolution_date: 3 } where values are column indices.
*/
function mapColumnHeaders(headers) {
const mapping = {};
const KNOWN_MAPPINGS = {
hostname: 'hostname',
'resolution date': 'resolution_date',
resolution_date: 'resolution_date',
'remediation plan': 'remediation_plan',
remediation_plan: 'remediation_plan',
notes: 'notes',
};
for (let i = 0; i < headers.length; i++) {
const normalized = headers[i].trim().toLowerCase();
if (KNOWN_MAPPINGS[normalized]) {
mapping[KNOWN_MAPPINGS[normalized]] = i;
}
}
return mapping;
}
/**
* Extracts vertical code and report date from a filename.
* Pattern: <VERTICAL>_YYYY_MM_DD.xlsx
* The vertical is everything before the trailing _YYYY_MM_DD portion.
*
* Examples:
* NTS_AEO_2026_05_11.xlsx → { vertical: 'NTS_AEO', date: '2026-05-11' }
* SDIT_CISO_2026_05_11.xlsx → { vertical: 'SDIT_CISO', date: '2026-05-11' }
* SR_2026_05_11.xlsx → { vertical: 'SR', date: '2026-05-11' }
* AllOthers_2026_05_11.xlsx → { vertical: 'AllOthers', date: '2026-05-11' }
*
* Returns null if the filename does not match the expected pattern.
*/
function parseVerticalFilename(filename) {
// Strip .xlsx extension (case-insensitive)
const stem = filename.replace(/\.xlsx$/i, '');
// Match: everything up to the last _YYYY_MM_DD
const match = stem.match(/^(.+?)_(\d{4})_(\d{2})_(\d{2})$/);
if (!match) return null;
const vertical = match[1];
const date = `${match[2]}-${match[3]}-${match[4]}`;
// Validate the date portion is a real date
if (!isValidDateString(date)) return null;
return { vertical, date };
}
/**
* Computes per-vertical burndown forecast from non-compliant items.
* Returns breakdown of items with/without resolution dates and monthly projections.
*/
function computeVerticalBurndown(items) {
const total = items.length;
const withDates = items.filter(i => i.resolution_date != null);
const blockers = items.filter(i => i.resolution_date == null);
// Bucket by month
const monthly = {};
for (const item of withDates) {
const dateStr = typeof item.resolution_date === 'string'
? item.resolution_date
: item.resolution_date.toISOString().slice(0, 10);
const month = dateStr.slice(0, 7); // YYYY-MM
monthly[month] = (monthly[month] || 0) + 1;
}
// Cumulative projection — how many remain after each month
let remaining = total;
const projection = {};
for (const month of Object.keys(monthly).sort()) {
remaining -= monthly[month];
projection[month] = { remediated: monthly[month], remaining };
}
// Projected clear date — first month where remaining hits 0 (excluding blockers)
let projectedClearDate = null;
if (blockers.length === 0 && Object.keys(projection).length > 0) {
const sortedMonths = Object.keys(projection).sort();
projectedClearDate = sortedMonths[sortedMonths.length - 1];
}
return {
total,
blockers: blockers.length,
with_dates: withDates.length,
monthly,
projection,
projected_clear_date: projectedClearDate,
};
}
module.exports = {
truncateText,
validateRemediationPlan,
isValidDateString,
formatPct,
computeVCLStats,
categorizeNonCompliant,
rankHeavyHitters,
computeForecastBurndown,
matchByHostname,
computeBulkDiff,
mapColumnHeaders,
parseVerticalFilename,
computeVerticalBurndown,
};

43
backend/middleware/auth.js
View File

@@ -1,7 +1,8 @@
// Authentication Middleware // Authentication Middleware
const pool = require('../db');
// Require authenticated user // Require authenticated user — no parameters needed, pool is imported directly
function requireAuth(db) { function requireAuth() {
return async (req, res, next) => { return async (req, res, next) => {
const sessionId = req.cookies?.session_id; const sessionId = req.cookies?.session_id;
@@ -10,19 +11,15 @@ function requireAuth(db) {
} }
try { try {
const session = await new Promise((resolve, reject) => { const { rows } = await pool.query(
db.get( `SELECT s.*, u.id as user_id, u.username, u.email, u.role, u.user_group, u.bu_teams, u.is_active
`SELECT s.*, u.id as user_id, u.username, u.email, u.role, u.is_active FROM sessions s
FROM sessions s JOIN users u ON s.user_id = u.id
JOIN users u ON s.user_id = u.id WHERE s.session_id = $1 AND s.expires_at > NOW()`,
WHERE s.session_id = ? AND s.expires_at > datetime('now')`, [sessionId]
[sessionId], );
(err, row) => {
if (err) reject(err); const session = rows[0];
else resolve(row);
}
);
});
if (!session) { if (!session) {
return res.status(401).json({ error: 'Session expired or invalid' }); return res.status(401).json({ error: 'Session expired or invalid' });
@@ -37,7 +34,9 @@ function requireAuth(db) {
id: session.user_id, id: session.user_id,
username: session.username, username: session.username,
email: session.email, email: session.email,
role: session.role role: session.role,
group: session.user_group,
teams: session.bu_teams ? session.bu_teams.split(',').filter(Boolean) : []
}; };
next(); next();
@@ -48,18 +47,18 @@ function requireAuth(db) {
}; };
} }
// Require specific role(s) // Require specific group(s)
function requireRole(...allowedRoles) { function requireGroup(...allowedGroups) {
return (req, res, next) => { return (req, res, next) => {
if (!req.user) { if (!req.user) {
return res.status(401).json({ error: 'Authentication required' }); return res.status(401).json({ error: 'Authentication required' });
} }
if (!allowedRoles.includes(req.user.role)) { if (!allowedGroups.includes(req.user.group)) {
return res.status(403).json({ return res.status(403).json({
error: 'Insufficient permissions', error: 'Insufficient permissions',
required: allowedRoles, required: allowedGroups,
current: req.user.role current: req.user.group
}); });
} }
@@ -67,4 +66,4 @@ function requireRole(...allowedRoles) {
}; };
} }
module.exports = { requireAuth, requireRole }; module.exports = { requireAuth, requireGroup };

96
backend/migrate-audit-log.js
View File

@@ -1,96 +0,0 @@
#!/usr/bin/env node
// Migration script: Add audit_logs table
// Run: node migrate-audit-log.js
const sqlite3 = require('sqlite3').verbose();
const fs = require('fs');
const DB_FILE = './cve_database.db';
const BACKUP_FILE = `./cve_database_backup_${Date.now()}.db`;
function run(db, sql, params = []) {
return new Promise((resolve, reject) => {
db.run(sql, params, function(err) {
if (err) reject(err);
else resolve(this);
});
});
}
function get(db, sql, params = []) {
return new Promise((resolve, reject) => {
db.get(sql, params, (err, row) => {
if (err) reject(err);
else resolve(row);
});
});
}
async function migrate() {
console.log('╔════════════════════════════════════════════════════════╗');
console.log('║ CVE Database Migration: Add Audit Logs ║');
console.log('╚════════════════════════════════════════════════════════╝\n');
if (!fs.existsSync(DB_FILE)) {
console.log('❌ Database not found. Run setup.js for fresh install.');
process.exit(1);
}
// Backup database
console.log('📦 Creating backup...');
fs.copyFileSync(DB_FILE, BACKUP_FILE);
console.log(` ✓ Backup saved to: ${BACKUP_FILE}\n`);
const db = new sqlite3.Database(DB_FILE);
try {
// Check if table already exists
const exists = await get(db,
"SELECT name FROM sqlite_master WHERE type='table' AND name='audit_logs'"
);
if (exists) {
console.log('⏭️ audit_logs table already exists, nothing to do.');
} else {
console.log('1⃣ Creating audit_logs table...');
await run(db, `
CREATE TABLE audit_logs (
id INTEGER PRIMARY KEY AUTOINCREMENT,
user_id INTEGER,
username VARCHAR(50) NOT NULL,
action VARCHAR(50) NOT NULL,
entity_type VARCHAR(50) NOT NULL,
entity_id VARCHAR(100),
details TEXT,
ip_address VARCHAR(45),
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
)
`);
console.log(' ✓ Table created');
console.log('2⃣ Creating indexes...');
await run(db, 'CREATE INDEX IF NOT EXISTS idx_audit_user_id ON audit_logs(user_id)');
await run(db, 'CREATE INDEX IF NOT EXISTS idx_audit_action ON audit_logs(action)');
await run(db, 'CREATE INDEX IF NOT EXISTS idx_audit_entity_type ON audit_logs(entity_type)');
await run(db, 'CREATE INDEX IF NOT EXISTS idx_audit_created_at ON audit_logs(created_at)');
console.log(' ✓ Indexes created');
}
console.log('\n╔════════════════════════════════════════════════════════╗');
console.log('║ MIGRATION COMPLETE! ║');
console.log('╚════════════════════════════════════════════════════════╝');
console.log('\n📋 Summary:');
console.log(' ✓ audit_logs table ready');
console.log(`\n💾 Backup saved: ${BACKUP_FILE}`);
console.log('\n🚀 Restart your server to apply changes.\n');
} catch (error) {
console.error('\n❌ Migration failed:', error.message);
console.log(`\n🔄 To restore from backup: cp ${BACKUP_FILE} ${DB_FILE}`);
process.exit(1);
} finally {
db.close();
}
}
migrate();

289
backend/migrate-to-1.1.js
View File

@@ -1,289 +0,0 @@
#!/usr/bin/env node
// Migration script: v1.0.0 -> v1.1.0
// Adds: users, sessions tables, multi-vendor support, vendor column in documents
// Run: node migrate-to-1.1.js
const sqlite3 = require('sqlite3').verbose();
const bcrypt = require('bcryptjs');
const fs = require('fs');
const path = require('path');
const DB_FILE = './cve_database.db';
const BACKUP_FILE = `./cve_database_backup_${Date.now()}.db`;
async function migrate() {
console.log('╔════════════════════════════════════════════════════════╗');
console.log('║ CVE Database Migration: v1.0.0 → v1.1.0 ║');
console.log('╚════════════════════════════════════════════════════════╝\n');
// Check if database exists
if (!fs.existsSync(DB_FILE)) {
console.log('❌ Database not found. Run setup.js for fresh install.');
process.exit(1);
}
// Backup database
console.log('📦 Creating backup...');
fs.copyFileSync(DB_FILE, BACKUP_FILE);
console.log(` ✓ Backup saved to: ${BACKUP_FILE}\n`);
const db = new sqlite3.Database(DB_FILE);
try {
// Run migrations in sequence
await addUsersTable(db);
await addSessionsTable(db);
await addVendorToDocuments(db);
await updateCvesConstraint(db);
await createDefaultAdmin(db);
await updateView(db);
console.log('\n╔════════════════════════════════════════════════════════╗');
console.log('║ MIGRATION COMPLETE! ║');
console.log('╚════════════════════════════════════════════════════════╝');
console.log('\n📋 Summary:');
console.log(' ✓ Users table added');
console.log(' ✓ Sessions table added');
console.log(' ✓ Vendor column added to documents');
console.log(' ✓ Multi-vendor constraint applied to cves');
console.log(' ✓ Default admin user created (admin/admin123)');
console.log(`\n💾 Backup saved: ${BACKUP_FILE}`);
console.log('\n🚀 Restart your server to apply changes.\n');
} catch (error) {
console.error('\n❌ Migration failed:', error.message);
console.log(`\n🔄 To restore from backup: cp ${BACKUP_FILE} ${DB_FILE}`);
process.exit(1);
} finally {
db.close();
}
}
function run(db, sql, params = []) {
return new Promise((resolve, reject) => {
db.run(sql, params, function(err) {
if (err) reject(err);
else resolve(this);
});
});
}
function get(db, sql, params = []) {
return new Promise((resolve, reject) => {
db.get(sql, params, (err, row) => {
if (err) reject(err);
else resolve(row);
});
});
}
function all(db, sql, params = []) {
return new Promise((resolve, reject) => {
db.all(sql, params, (err, rows) => {
if (err) reject(err);
else resolve(rows);
});
});
}
async function addUsersTable(db) {
console.log('1⃣ Adding users table...');
const exists = await get(db,
"SELECT name FROM sqlite_master WHERE type='table' AND name='users'"
);
if (exists) {
console.log(' ⏭️ Users table already exists, skipping');
return;
}
await run(db, `
CREATE TABLE users (
id INTEGER PRIMARY KEY AUTOINCREMENT,
username VARCHAR(50) UNIQUE NOT NULL,
email VARCHAR(255) UNIQUE NOT NULL,
password_hash VARCHAR(255) NOT NULL,
role VARCHAR(20) NOT NULL DEFAULT 'viewer',
is_active BOOLEAN DEFAULT 1,
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
last_login TIMESTAMP,
CHECK (role IN ('admin', 'editor', 'viewer'))
)
`);
await run(db, 'CREATE INDEX IF NOT EXISTS idx_users_username ON users(username)');
console.log(' ✓ Users table created');
}
async function addSessionsTable(db) {
console.log('2⃣ Adding sessions table...');
const exists = await get(db,
"SELECT name FROM sqlite_master WHERE type='table' AND name='sessions'"
);
if (exists) {
console.log(' ⏭️ Sessions table already exists, skipping');
return;
}
await run(db, `
CREATE TABLE sessions (
id INTEGER PRIMARY KEY AUTOINCREMENT,
session_id VARCHAR(255) UNIQUE NOT NULL,
user_id INTEGER NOT NULL,
expires_at TIMESTAMP NOT NULL,
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
)
`);
await run(db, 'CREATE INDEX IF NOT EXISTS idx_sessions_session_id ON sessions(session_id)');
await run(db, 'CREATE INDEX IF NOT EXISTS idx_sessions_user_id ON sessions(user_id)');
await run(db, 'CREATE INDEX IF NOT EXISTS idx_sessions_expires ON sessions(expires_at)');
console.log(' ✓ Sessions table created');
}
async function addVendorToDocuments(db) {
console.log('3⃣ Adding vendor column to documents...');
// Check if vendor column exists
const columns = await all(db, "PRAGMA table_info(documents)");
const hasVendor = columns.some(col => col.name === 'vendor');
if (hasVendor) {
console.log(' ⏭️ Vendor column already exists, skipping');
return;
}
// Add vendor column
await run(db, "ALTER TABLE documents ADD COLUMN vendor VARCHAR(100)");
// Populate vendor from the cves table based on cve_id
await run(db, `
UPDATE documents
SET vendor = (
SELECT c.vendor
FROM cves c
WHERE c.cve_id = documents.cve_id
LIMIT 1
)
WHERE vendor IS NULL
`);
// Set default for any remaining nulls
await run(db, "UPDATE documents SET vendor = 'Unknown' WHERE vendor IS NULL");
await run(db, 'CREATE INDEX IF NOT EXISTS idx_doc_vendor ON documents(vendor)');
console.log(' ✓ Vendor column added and populated');
}
async function updateCvesConstraint(db) {
console.log('4⃣ Updating CVEs table for multi-vendor support...');
// Check current schema
const tableInfo = await get(db,
"SELECT sql FROM sqlite_master WHERE type='table' AND name='cves'"
);
if (tableInfo.sql.includes('UNIQUE(cve_id, vendor)')) {
console.log(' ⏭️ Multi-vendor constraint already exists, skipping');
return;
}
// SQLite doesn't support ALTER CONSTRAINT, so we need to rebuild the table
console.log(' 📋 Rebuilding table with new constraint...');
// Create new table with correct schema
await run(db, `
CREATE TABLE cves_new (
id INTEGER PRIMARY KEY AUTOINCREMENT,
cve_id VARCHAR(20) NOT NULL,
vendor VARCHAR(100) NOT NULL,
severity VARCHAR(20) NOT NULL,
description TEXT,
published_date DATE,
status VARCHAR(50) DEFAULT 'Open',
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
UNIQUE(cve_id, vendor)
)
`);
// Copy data
await run(db, `
INSERT INTO cves_new (id, cve_id, vendor, severity, description, published_date, status, created_at, updated_at)
SELECT id, cve_id, vendor, severity, description, published_date, status, created_at, updated_at
FROM cves
`);
// Drop old table
await run(db, 'DROP TABLE cves');
// Rename new table
await run(db, 'ALTER TABLE cves_new RENAME TO cves');
// Recreate indexes
await run(db, 'CREATE INDEX IF NOT EXISTS idx_cve_id ON cves(cve_id)');
await run(db, 'CREATE INDEX IF NOT EXISTS idx_vendor ON cves(vendor)');
await run(db, 'CREATE INDEX IF NOT EXISTS idx_severity ON cves(severity)');
await run(db, 'CREATE INDEX IF NOT EXISTS idx_status ON cves(status)');
console.log(' ✓ Multi-vendor constraint applied');
}
async function createDefaultAdmin(db) {
console.log('5⃣ Creating default admin user...');
const exists = await get(db, "SELECT id FROM users WHERE username = 'admin'");
if (exists) {
console.log(' ⏭️ Admin user already exists, skipping');
return;
}
const passwordHash = await bcrypt.hash('admin123', 10);
await run(db, `
INSERT INTO users (username, email, password_hash, role, is_active)
VALUES (?, ?, ?, ?, ?)
`, ['admin', 'admin@localhost', passwordHash, 'admin', 1]);
console.log(' ✓ Admin user created (admin/admin123)');
}
async function updateView(db) {
console.log('6⃣ Updating document status view...');
// Drop old view if exists
await run(db, 'DROP VIEW IF EXISTS cve_document_status');
// Create updated view with multi-vendor support
await run(db, `
CREATE VIEW cve_document_status AS
SELECT
c.id as record_id,
c.cve_id,
c.vendor,
c.severity,
c.status,
COUNT(DISTINCT d.id) as total_documents,
COUNT(DISTINCT CASE WHEN d.type = 'advisory' THEN d.id END) as advisory_count,
COUNT(DISTINCT CASE WHEN d.type = 'email' THEN d.id END) as email_count,
COUNT(DISTINCT CASE WHEN d.type = 'screenshot' THEN d.id END) as screenshot_count,
CASE
WHEN COUNT(DISTINCT CASE WHEN d.type = 'advisory' THEN d.id END) > 0
THEN 'Complete'
ELSE 'Missing Required Docs'
END as compliance_status
FROM cves c
LEFT JOIN documents d ON c.cve_id = d.cve_id AND c.vendor = d.vendor
GROUP BY c.id, c.cve_id, c.vendor, c.severity, c.status
`);
console.log(' ✓ View updated');
}
// Run migration
migrate();

39
backend/migrate_jira_tickets.js
View File

@@ -1,39 +0,0 @@
// Migration: Add jira_tickets table
const sqlite3 = require('sqlite3').verbose();
const path = require('path');
const dbPath = path.join(__dirname, 'cve_database.db');
const db = new sqlite3.Database(dbPath);
console.log('Starting JIRA tickets migration...');
db.serialize(() => {
// Create jira_tickets table
db.run(`
CREATE TABLE IF NOT EXISTS jira_tickets (
id INTEGER PRIMARY KEY AUTOINCREMENT,
cve_id TEXT NOT NULL,
vendor TEXT NOT NULL,
ticket_key TEXT NOT NULL,
url TEXT,
summary TEXT,
status TEXT DEFAULT 'Open' CHECK(status IN ('Open', 'In Progress', 'Closed')),
created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
updated_at DATETIME DEFAULT CURRENT_TIMESTAMP,
FOREIGN KEY (cve_id, vendor) REFERENCES cves(cve_id, vendor) ON DELETE CASCADE
)
`, (err) => {
if (err) console.error('Error creating table:', err);
else console.log('✓ jira_tickets table created');
});
// Create indexes
db.run('CREATE INDEX IF NOT EXISTS idx_jira_tickets_cve ON jira_tickets(cve_id, vendor)');
db.run('CREATE INDEX IF NOT EXISTS idx_jira_tickets_status ON jira_tickets(status)');
console.log('✓ Indexes created');
});
db.close(() => {
console.log('Migration complete!');
});

128
backend/migrate_multivendor.js
View File

@@ -1,128 +0,0 @@
const sqlite3 = require('sqlite3').verbose();
const db = new sqlite3.Database('./cve_database.db');
console.log('🔄 Starting database migration for multi-vendor support...\n');
db.serialize(() => {
// Backup existing data
console.log('📦 Creating backup tables...');
db.run(`CREATE TABLE IF NOT EXISTS cves_backup AS SELECT * FROM cves`, (err) => {
if (err) console.error('Backup error:', err);
else console.log('✓ CVEs backed up');
});
db.run(`CREATE TABLE IF NOT EXISTS documents_backup AS SELECT * FROM documents`, (err) => {
if (err) console.error('Backup error:', err);
else console.log('✓ Documents backed up');
});
// Drop old table
console.log('\n🗑 Dropping old cves table...');
db.run(`DROP TABLE IF EXISTS cves`, (err) => {
if (err) {
console.error('Drop error:', err);
return;
}
console.log('✓ Old table dropped');
// Create new table with UNIQUE(cve_id, vendor) instead of UNIQUE(cve_id)
console.log('\n🏗 Creating new cves table with multi-vendor support...');
db.run(`
CREATE TABLE cves (
id INTEGER PRIMARY KEY AUTOINCREMENT,
cve_id VARCHAR(20) NOT NULL,
vendor VARCHAR(100) NOT NULL,
severity VARCHAR(20) NOT NULL,
description TEXT,
published_date DATE,
status VARCHAR(50) DEFAULT 'Open',
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
UNIQUE(cve_id, vendor)
)
`, (err) => {
if (err) {
console.error('Create error:', err);
return;
}
console.log('✓ New table created with UNIQUE(cve_id, vendor)');
// Restore data
console.log('\n📥 Restoring data...');
db.run(`INSERT INTO cves SELECT * FROM cves_backup`, (err) => {
if (err) {
console.error('Restore error:', err);
return;
}
console.log('✓ Data restored');
// Recreate indexes
console.log('\n🔍 Creating indexes...');
db.run(`CREATE INDEX idx_cve_id ON cves(cve_id)`, () => {
console.log('✓ Index: idx_cve_id');
});
db.run(`CREATE INDEX idx_vendor ON cves(vendor)`, () => {
console.log('✓ Index: idx_vendor');
});
db.run(`CREATE INDEX idx_severity ON cves(severity)`, () => {
console.log('✓ Index: idx_severity');
});
db.run(`CREATE INDEX idx_status ON cves(status)`, () => {
console.log('✓ Index: idx_status');
});
// Update view
console.log('\n👁 Updating cve_document_status view...');
db.run(`DROP VIEW IF EXISTS cve_document_status`, (err) => {
if (err) console.error('Drop view error:', err);
db.run(`
CREATE VIEW cve_document_status AS
SELECT
c.id as record_id,
c.cve_id,
c.vendor,
c.severity,
c.status,
COUNT(DISTINCT d.id) as total_documents,
COUNT(DISTINCT CASE WHEN d.type = 'advisory' THEN d.id END) as advisory_count,
COUNT(DISTINCT CASE WHEN d.type = 'email' THEN d.id END) as email_count,
COUNT(DISTINCT CASE WHEN d.type = 'screenshot' THEN d.id END) as screenshot_count,
CASE
WHEN COUNT(DISTINCT CASE WHEN d.type = 'advisory' THEN d.id END) > 0
THEN 'Complete'
ELSE 'Missing Required Docs'
END as compliance_status
FROM cves c
LEFT JOIN documents d ON c.cve_id = d.cve_id AND c.vendor = d.vendor
GROUP BY c.id, c.cve_id, c.vendor, c.severity, c.status
`, (err) => {
if (err) {
console.error('Create view error:', err);
} else {
console.log('✓ View recreated');
}
console.log('\n✅ Migration complete!');
console.log('\n📊 Summary:');
db.get('SELECT COUNT(*) as count FROM cves', (err, row) => {
if (!err) console.log(` Total CVE entries: ${row.count}`);
db.get('SELECT COUNT(DISTINCT cve_id) as count FROM cves', (err, row) => {
if (!err) console.log(` Unique CVE IDs: ${row.count}`);
console.log('\n💡 Next steps:');
console.log(' 1. Restart backend: pkill -f "node server.js" && node server.js &');
console.log(' 2. Replace frontend/src/App.js with multi-vendor version');
console.log(' 3. Test by adding same CVE with multiple vendors\n');
db.close();
});
});
});
});
});
});
});
});

41
backend/migrations/README.md Normal file
View File

@@ -0,0 +1,41 @@
# Database Migrations
These migration scripts were used to evolve the database schema during development. **They are NOT needed for fresh deployments**`setup.js` contains the complete v1.0.0 schema.
These are retained for reference and for upgrading existing deployments that were set up before v1.0.0.
## Schema Migrations (run in order for existing deployments)
| Script | Purpose |
|--------|---------|
| `add_ivanti_sync_table.js` | Creates `ivanti_sync_state` table for tracking Ivanti sync status |
| `add_ivanti_findings_tables.js` | Creates `ivanti_findings_cache`, `ivanti_finding_notes`, `ivanti_counts_cache`, `ivanti_finding_overrides` tables |
| `add_ivanti_counts_history_table.js` | Creates `ivanti_counts_history` table for trend chart data |
| `add_ivanti_todo_queue_table.js` | Creates `ivanti_todo_queue` table for FP/Archer workflow queuing |
| `add_todo_queue_hostname.js` | Adds `hostname` column to `ivanti_todo_queue` |
| `add_todo_queue_ip_address.js` | Adds `ip_address` column to `ivanti_todo_queue` |
| `add_fp_submissions_table.js` | Creates `ivanti_fp_submissions` table for false positive workflow tracking |
| `add_fp_submission_editing.js` | Adds `lifecycle_status`, `ivanti_workflow_batch_uuid`, `updated_at` columns and `ivanti_fp_submission_history` table |
| `add_knowledge_base_table.js` | Creates `knowledge_base` table for KB article storage |
| `add_user_groups.js` | Adds `user_group` column to `users` table with validation triggers |
| `add_created_by_columns.js` | Adds `created_by` column to `compliance_notes` and `knowledge_base` tables |
| `add_compliance_tables.js` | Creates `compliance_uploads`, `compliance_items`, `compliance_notes` tables |
| `add_compliance_notes_group_id.js` | Adds `group_id` column to `compliance_notes` for multi-metric note grouping |
| `add_archer_tickets_table.js` | Creates `archer_tickets` table for Archer exception tracking |
| `add_archer_tickets_timestamps.js` | Adds `created_at` and `updated_at` columns to `archer_tickets` |
| `add_jira_sync_columns.js` | Adds Jira sync-related columns to `jira_tickets` |
| `add_card_workflow_type.js` | Adds `CARD` to `workflow_type` CHECK constraint on `ivanti_todo_queue` |
| `add_granite_workflow_type.js` | Adds `GRANITE` to `workflow_type` CHECK constraint on `ivanti_todo_queue` |
| `add_finding_archive_tables.js` | Creates `ivanti_finding_archives` and `ivanti_archive_transitions` tables |
| `add_closed_gone_state.js` | Adds `CLOSED_GONE` to `current_state` CHECK constraint on `ivanti_finding_archives` |
| `add_sync_anomaly_tables.js` | Creates `ivanti_sync_anomaly_log` and `ivanti_finding_bu_history` tables |
| `add_atlas_action_plans_cache.js` | Creates `atlas_action_plans_cache` table for Atlas API caching |
| `add_return_classification.js` | Adds `return_classification_json` column to `ivanti_sync_anomaly_log` |
## Data Migrations (one-time backfills)
| Script | Purpose |
|--------|---------|
| `backfill_anomaly_log.js` | Synthesizes anomaly log entries from existing archive transitions for historical chart data |
| `backfill_return_classification.js` | Populates `return_classification_json` for existing anomaly rows with returned findings. Supports `--force` flag to re-run. |
| `reclassify_bu_roundtrips.js` | Reclassifies archive transitions that were BU reassignment round-trips (archived then returned within 14 days) from the default `severity_score_drift` to `bu_reassignment` |

56
backend/migrations/add_archer_tickets_timestamps.js Normal file
View File

@@ -0,0 +1,56 @@
// Migration: Add created_at / updated_at columns to archer_tickets
//
// SQLite does not support ALTER TABLE ADD COLUMN IF NOT EXISTS, so we check
// PRAGMA table_info first and only add the column when it is absent.
//
// Run on any instance where archer_tickets was created before these columns
// were added to the schema (symptoms: every /api/archer-tickets call → 500).
//
// Usage: node backend/migrations/add_archer_tickets_timestamps.js
const sqlite3 = require('sqlite3').verbose();
const path = require('path');
const dbPath = path.join(__dirname, '..', 'cve_database.db');
const db = new sqlite3.Database(dbPath);
console.log('Starting archer_tickets timestamp migration...');
db.all('PRAGMA table_info(archer_tickets)', [], (err, columns) => {
if (err) {
console.error('Error reading table info:', err);
return db.close();
}
const names = columns.map(c => c.name);
db.serialize(() => {
if (!names.includes('created_at')) {
db.run(
`ALTER TABLE archer_tickets ADD COLUMN created_at DATETIME DEFAULT CURRENT_TIMESTAMP`,
(err) => {
if (err) console.error('Error adding created_at:', err);
else console.log('✓ created_at column added');
}
);
} else {
console.log('✓ created_at already exists — skipping');
}
if (!names.includes('updated_at')) {
db.run(
`ALTER TABLE archer_tickets ADD COLUMN updated_at DATETIME DEFAULT CURRENT_TIMESTAMP`,
(err) => {
if (err) console.error('Error adding updated_at:', err);
else console.log('✓ updated_at column added');
}
);
} else {
console.log('✓ updated_at already exists — skipping');
}
});
db.close(() => {
console.log('Migration complete. Restart the backend server.');
});
});

37
backend/migrations/add_atlas_action_plans_cache.js Normal file
View File

@@ -0,0 +1,37 @@
// Migration: Add atlas_action_plans_cache table
const sqlite3 = require('sqlite3').verbose();
const path = require('path');
const dbPath = path.join(__dirname, '..', 'cve_database.db');
const db = new sqlite3.Database(dbPath);
console.log('Starting Atlas action plans cache migration...');
db.serialize(() => {
// Cache table — one row per host, holding cached Atlas action plan status
db.run(`
CREATE TABLE IF NOT EXISTS atlas_action_plans_cache (
id INTEGER PRIMARY KEY AUTOINCREMENT,
host_id INTEGER NOT NULL UNIQUE,
has_action_plan INTEGER NOT NULL DEFAULT 0,
plan_count INTEGER NOT NULL DEFAULT 0,
plans_json TEXT NOT NULL DEFAULT '[]',
synced_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP
)
`, (err) => {
if (err) console.error('Error creating atlas_action_plans_cache table:', err);
else console.log('✓ atlas_action_plans_cache table created');
});
db.run(`
CREATE INDEX IF NOT EXISTS idx_atlas_cache_host_id
ON atlas_action_plans_cache(host_id)
`, (err) => {
if (err) console.error('Error creating host_id index:', err);
else console.log('✓ idx_atlas_cache_host_id index created');
});
});
db.close(() => {
console.log('Migration complete!');
});

130
backend/migrations/add_closed_gone_state.js Normal file
View File

@@ -0,0 +1,130 @@
// Migration: Add CLOSED_GONE state to ivanti_finding_archives
//
// The archive table tracks findings that disappear from the Open findings set.
// Previously it only tracked: ARCHIVED → RETURNED → CLOSED.
//
// This migration adds a CLOSED_GONE state for findings that were confirmed
// in the Ivanti Closed set but then disappeared from it on a subsequent sync.
// This closes a visibility gap where findings could vanish from the Closed API
// results (e.g., due to VRR rescore below the severity threshold) without
// being tracked.
//
// SQLite does not support ALTER TABLE to modify CHECK constraints, so this
// migration recreates the table with the expanded constraint.
//
// Safe to re-run — uses IF NOT EXISTS and checks for existing data.
//
// Usage: node backend/migrations/add_closed_gone_state.js
const path = require('path');
const sqlite3 = require('sqlite3').verbose();
const dbPath = path.join(__dirname, '..', 'cve_database.db');
const db = new sqlite3.Database(dbPath);
console.log('Starting CLOSED_GONE state migration...');
function run(sql, params = []) {
return new Promise((resolve, reject) => {
db.run(sql, params, function (err) {
if (err) reject(err);
else resolve(this);
});
});
}
function all(sql, params = []) {
return new Promise((resolve, reject) => {
db.all(sql, params, (err, rows) => {
if (err) reject(err);
else resolve(rows || []);
});
});
}
async function migrate() {
// Check if the table already has the CLOSED_GONE state
const tableInfo = await all("SELECT sql FROM sqlite_master WHERE name='ivanti_finding_archives'");
if (tableInfo.length > 0 && tableInfo[0].sql.includes('CLOSED_GONE')) {
console.log('✓ ivanti_finding_archives already has CLOSED_GONE state — skipping');
return;
}
if (tableInfo.length === 0) {
// Table doesn't exist yet — create it fresh with the new constraint
await run(`
CREATE TABLE ivanti_finding_archives (
id INTEGER PRIMARY KEY AUTOINCREMENT,
finding_id TEXT NOT NULL UNIQUE,
finding_title TEXT NOT NULL DEFAULT '',
host_name TEXT NOT NULL DEFAULT '',
ip_address TEXT NOT NULL DEFAULT '',
current_state TEXT NOT NULL CHECK(current_state IN ('ARCHIVED','RETURNED','CLOSED','CLOSED_GONE')),
last_severity REAL NOT NULL DEFAULT 0,
first_archived_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
last_transition_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
created_at DATETIME DEFAULT CURRENT_TIMESTAMP
)
`);
console.log('✓ Created ivanti_finding_archives with CLOSED_GONE state');
return;
}
// Table exists but needs the constraint updated — recreate with data migration
console.log(' Recreating table with expanded CHECK constraint...');
await run('BEGIN TRANSACTION');
try {
// 1. Rename existing table
await run('ALTER TABLE ivanti_finding_archives RENAME TO ivanti_finding_archives_old');
// 2. Create new table with expanded constraint
await run(`
CREATE TABLE ivanti_finding_archives (
id INTEGER PRIMARY KEY AUTOINCREMENT,
finding_id TEXT NOT NULL UNIQUE,
finding_title TEXT NOT NULL DEFAULT '',
host_name TEXT NOT NULL DEFAULT '',
ip_address TEXT NOT NULL DEFAULT '',
current_state TEXT NOT NULL CHECK(current_state IN ('ARCHIVED','RETURNED','CLOSED','CLOSED_GONE')),
last_severity REAL NOT NULL DEFAULT 0,
first_archived_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
last_transition_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
created_at DATETIME DEFAULT CURRENT_TIMESTAMP
)
`);
// 3. Copy data
await run(`
INSERT INTO ivanti_finding_archives
(id, finding_id, finding_title, host_name, ip_address, current_state,
last_severity, first_archived_at, last_transition_at, created_at)
SELECT id, finding_id, finding_title, host_name, ip_address, current_state,
last_severity, first_archived_at, last_transition_at, created_at
FROM ivanti_finding_archives_old
`);
// 4. Recreate indexes
await run('CREATE INDEX IF NOT EXISTS idx_archive_finding_id ON ivanti_finding_archives(finding_id)');
await run('CREATE INDEX IF NOT EXISTS idx_archive_current_state ON ivanti_finding_archives(current_state)');
// 5. Drop old table
await run('DROP TABLE ivanti_finding_archives_old');
await run('COMMIT');
console.log('✓ ivanti_finding_archives updated with CLOSED_GONE state');
} catch (err) {
await run('ROLLBACK').catch(() => {});
throw err;
}
}
migrate()
.then(() => {
console.log('Migration complete.');
db.close();
})
.catch((err) => {
console.error('Migration failed:', err);
db.close();
process.exit(1);
});

29
backend/migrations/add_compliance_notes_group_id.js Normal file
View File

@@ -0,0 +1,29 @@
// Migration: Add group_id column to compliance_notes table
const sqlite3 = require('sqlite3').verbose();
const path = require('path');
const dbPath = path.join(__dirname, '..', 'cve_database.db');
const db = new sqlite3.Database(dbPath);
console.log('Starting add_compliance_notes_group_id migration...');
db.serialize(() => {
db.run(`ALTER TABLE compliance_notes ADD COLUMN group_id TEXT`, (err) => {
if (err) console.error('Error adding group_id column:', err);
else console.log('✓ group_id column added to compliance_notes');
});
db.run(`CREATE INDEX IF NOT EXISTS idx_compliance_notes_group ON compliance_notes(group_id)`, (err) => {
if (err) console.error('Error creating group_id index:', err);
else console.log('✓ idx_compliance_notes_group created');
});
db.run(`UPDATE compliance_notes SET group_id = 'legacy-' || id WHERE group_id IS NULL`, (err) => {
if (err) console.error('Error backfilling group_id:', err);
else console.log('✓ Existing rows backfilled with legacy group_id');
});
});
db.close(() => {
console.log('Migration complete!');
});

76
backend/migrations/add_created_by_columns.js Normal file
View File

@@ -0,0 +1,76 @@
// Migration: Add created_by column to cves, archer_tickets, and jira_tickets tables
// Stores the user ID of the creator for ownership-based delete checks.
// Idempotent — safe to run multiple times.
const sqlite3 = require('sqlite3').verbose();
const path = require('path');
/**
* Run the migration against the given database instance.
* Exported for testing with in-memory databases.
* @param {sqlite3.Database} db
* @returns {Promise<void>}
*/
function runMigration(db) {
return new Promise((resolve, reject) => {
const tables = ['cves', 'archer_tickets', 'jira_tickets'];
let completed = 0;
db.serialize(() => {
tables.forEach((table) => {
db.all(`PRAGMA table_info(${table})`, (err, columns) => {
if (err) {
// Table may not exist yet — skip gracefully
console.log(`⚠ Could not inspect ${table}: ${err.message} — skipping`);
completed++;
if (completed === tables.length) resolve();
return;
}
const hasCreatedBy = columns.some(col => col.name === 'created_by');
if (hasCreatedBy) {
console.log(`${table}.created_by already exists — skipping`);
completed++;
if (completed === tables.length) resolve();
return;
}
db.run(
`ALTER TABLE ${table} ADD COLUMN created_by INTEGER REFERENCES users(id)`,
(err) => {
if (err) {
reject(err);
return;
}
console.log(`✓ Added created_by column to ${table}`);
completed++;
if (completed === tables.length) resolve();
}
);
});
});
});
});
}
// Run directly if executed as a script
if (require.main === module) {
const dbPath = path.join(__dirname, '..', 'cve_database.db');
const db = new sqlite3.Database(dbPath);
console.log('Starting add_created_by_columns migration...');
runMigration(db)
.then(() => {
console.log('Migration complete!');
db.close(() => {
console.log('Database connection closed.');
});
})
.catch((err) => {
console.error('Migration failed:', err);
db.close();
process.exit(1);
});
}
module.exports = { runMigration };

33
backend/migrations/add_decom_workflow_type.js Normal file
View File

@@ -0,0 +1,33 @@
// Migration: Add DECOM to workflow_type CHECK constraint on ivanti_todo_queue
// Run from backend/: node migrations/add_decom_workflow_type.js
const pool = require('../db');
async function migrate() {
console.log('Starting add_decom_workflow_type migration...');
try {
// Drop the existing constraint and add the updated one
await pool.query(`
ALTER TABLE ivanti_todo_queue
DROP CONSTRAINT IF EXISTS ivanti_todo_queue_workflow_type_check
`);
console.log('✓ Dropped old workflow_type constraint');
await pool.query(`
ALTER TABLE ivanti_todo_queue
ADD CONSTRAINT ivanti_todo_queue_workflow_type_check
CHECK (workflow_type IN ('FP', 'Archer', 'CARD', 'GRANITE', 'DECOM'))
`);
console.log('✓ Added updated workflow_type constraint (includes DECOM)');
console.log('Migration complete!');
} catch (err) {
console.error('Migration failed:', err.message);
process.exit(1);
} finally {
await pool.end();
}
}
migrate();

75
backend/migrations/add_finding_archive_tables.js Normal file
View File

@@ -0,0 +1,75 @@
// Migration: Add ivanti_finding_archives and ivanti_archive_transitions tables
const sqlite3 = require('sqlite3').verbose();
const path = require('path');
const dbPath = path.join(__dirname, '..', 'cve_database.db');
const db = new sqlite3.Database(dbPath);
console.log('Starting finding archive tables migration...');
db.serialize(() => {
// Archive records — one row per finding that has entered the archive lifecycle
db.run(`
CREATE TABLE IF NOT EXISTS ivanti_finding_archives (
id INTEGER PRIMARY KEY AUTOINCREMENT,
finding_id TEXT NOT NULL UNIQUE,
finding_title TEXT NOT NULL DEFAULT '',
host_name TEXT NOT NULL DEFAULT '',
ip_address TEXT NOT NULL DEFAULT '',
current_state TEXT NOT NULL CHECK(current_state IN ('ARCHIVED', 'RETURNED', 'CLOSED')),
last_severity REAL NOT NULL DEFAULT 0,
first_archived_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
last_transition_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
created_at DATETIME DEFAULT CURRENT_TIMESTAMP
)
`, (err) => {
if (err) console.error('Error creating ivanti_finding_archives table:', err);
else console.log('✓ ivanti_finding_archives table created');
});
// Transition history — one row per state change on an archive record
db.run(`
CREATE TABLE IF NOT EXISTS ivanti_archive_transitions (
id INTEGER PRIMARY KEY AUTOINCREMENT,
archive_id INTEGER NOT NULL,
from_state TEXT NOT NULL,
to_state TEXT NOT NULL,
severity_at_transition REAL NOT NULL DEFAULT 0,
reason TEXT NOT NULL DEFAULT '',
transitioned_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
FOREIGN KEY (archive_id) REFERENCES ivanti_finding_archives(id)
)
`, (err) => {
if (err) console.error('Error creating ivanti_archive_transitions table:', err);
else console.log('✓ ivanti_archive_transitions table created');
});
// Indexes for query performance
db.run(`
CREATE INDEX IF NOT EXISTS idx_archive_finding_id
ON ivanti_finding_archives(finding_id)
`, (err) => {
if (err) console.error('Error creating idx_archive_finding_id:', err);
else console.log('✓ idx_archive_finding_id index created');
});
db.run(`
CREATE INDEX IF NOT EXISTS idx_archive_current_state
ON ivanti_finding_archives(current_state)
`, (err) => {
if (err) console.error('Error creating idx_archive_current_state:', err);
else console.log('✓ idx_archive_current_state index created');
});
db.run(`
CREATE INDEX IF NOT EXISTS idx_transition_archive_id
ON ivanti_archive_transitions(archive_id)
`, (err) => {
if (err) console.error('Error creating idx_transition_archive_id:', err);
else console.log('✓ idx_transition_archive_id index created');
});
});
db.close(() => {
console.log('Migration complete!');
});

94
backend/migrations/add_fp_submission_editing.js Normal file
View File

@@ -0,0 +1,94 @@
// Migration: Add FP submission editing support (lifecycle status, batch UUID, history table)
const sqlite3 = require('sqlite3').verbose();
const path = require('path');
const dbPath = path.join(__dirname, '..', 'cve_database.db');
const db = new sqlite3.Database(dbPath);
console.log('Starting FP submission editing migration...');
db.serialize(() => {
// Add lifecycle_status column to ivanti_fp_submissions
// Wrapped in try/catch style via callback — SQLite throws if column already exists
db.run(
`ALTER TABLE ivanti_fp_submissions ADD COLUMN lifecycle_status TEXT NOT NULL DEFAULT 'submitted' CHECK(lifecycle_status IN ('submitted', 'approved', 'rejected', 'rework', 'resubmitted'))`,
(err) => {
if (err) {
if (err.message.includes('duplicate column')) {
console.log('✓ lifecycle_status column already exists');
} else {
console.error('Error adding lifecycle_status column:', err.message);
}
} else {
console.log('✓ lifecycle_status column added');
}
}
);
// Add ivanti_workflow_batch_uuid column
db.run(
`ALTER TABLE ivanti_fp_submissions ADD COLUMN ivanti_workflow_batch_uuid TEXT`,
(err) => {
if (err) {
if (err.message.includes('duplicate column')) {
console.log('✓ ivanti_workflow_batch_uuid column already exists');
} else {
console.error('Error adding ivanti_workflow_batch_uuid column:', err.message);
}
} else {
console.log('✓ ivanti_workflow_batch_uuid column added');
}
}
);
// Add updated_at column (SQLite requires constant defaults for ALTER TABLE, so default to NULL)
db.run(
`ALTER TABLE ivanti_fp_submissions ADD COLUMN updated_at DATETIME DEFAULT NULL`,
(err) => {
if (err) {
if (err.message.includes('duplicate column')) {
console.log('✓ updated_at column already exists');
} else {
console.error('Error adding updated_at column:', err.message);
}
} else {
console.log('✓ updated_at column added');
}
}
);
// Create submission history table
db.run(`
CREATE TABLE IF NOT EXISTS ivanti_fp_submission_history (
id INTEGER PRIMARY KEY AUTOINCREMENT,
submission_id INTEGER NOT NULL,
user_id INTEGER NOT NULL,
username TEXT NOT NULL,
change_type TEXT NOT NULL CHECK(change_type IN (
'created', 'fields_updated', 'findings_added',
'attachments_added', 'status_changed'
)),
change_details_json TEXT,
created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
FOREIGN KEY (submission_id) REFERENCES ivanti_fp_submissions(id) ON DELETE CASCADE
)
`, (err) => {
if (err) console.error('Error creating history table:', err.message);
else console.log('✓ ivanti_fp_submission_history table created');
});
// Create index on submission_id for history lookups
db.run(
`CREATE INDEX IF NOT EXISTS idx_fp_history_submission ON ivanti_fp_submission_history(submission_id)`,
(err) => {
if (err) console.error('Error creating history index:', err.message);
else console.log('✓ idx_fp_history_submission index created');
}
);
console.log('✓ Migration statements queued');
});
db.close(() => {
console.log('Migration complete!');
});

17
backend/migrations/add_fp_submissions_dismissed.js Normal file
View File

@@ -0,0 +1,17 @@
// Migration: Add dismissed_at column to ivanti_fp_submissions table
const pool = require('../db');
async function run() {
console.log('Starting FP submissions dismissed migration...');
try {
await pool.query(`ALTER TABLE ivanti_fp_submissions ADD COLUMN IF NOT EXISTS dismissed_at TIMESTAMPTZ DEFAULT NULL`);
console.log('✓ dismissed_at column added (or already exists)');
} catch (err) {
console.error('Error adding dismissed_at column:', err.message);
process.exit(1);
}
console.log('Migration complete.');
process.exit(0);
}
run();

17
backend/migrations/add_fp_submissions_requeued_at.js Normal file
View File

@@ -0,0 +1,17 @@
// Migration: Add requeued_at column to ivanti_fp_submissions table
const pool = require('../db');
async function run() {
console.log('Starting FP submissions requeued_at migration...');
try {
await pool.query(`ALTER TABLE ivanti_fp_submissions ADD COLUMN IF NOT EXISTS requeued_at TIMESTAMPTZ DEFAULT NULL`);
console.log('✓ requeued_at column added (or already exists)');
} catch (err) {
console.error('Error adding requeued_at column:', err.message);
process.exit(1);
}
console.log('Migration complete.');
process.exit(0);
}
run();

57
backend/migrations/add_fp_submissions_table.js Normal file
View File

@@ -0,0 +1,57 @@
// Migration: Add ivanti_fp_submissions table
const sqlite3 = require('sqlite3').verbose();
const path = require('path');
const dbPath = path.join(__dirname, '..', 'cve_database.db');
const db = new sqlite3.Database(dbPath);
console.log('Starting ivanti_fp_submissions migration...');
db.serialize(() => {
db.run(`
CREATE TABLE IF NOT EXISTS ivanti_fp_submissions (
id INTEGER PRIMARY KEY AUTOINCREMENT,
user_id INTEGER NOT NULL,
username TEXT NOT NULL,
ivanti_workflow_batch_id INTEGER,
ivanti_generated_id TEXT,
workflow_name TEXT NOT NULL,
reason TEXT NOT NULL,
description TEXT,
expiration_date TEXT NOT NULL,
scope_override TEXT NOT NULL DEFAULT 'Authorized',
finding_ids_json TEXT NOT NULL,
queue_item_ids_json TEXT NOT NULL,
attachment_count INTEGER DEFAULT 0,
attachment_results_json TEXT,
status TEXT NOT NULL DEFAULT 'success' CHECK(status IN ('success', 'partial', 'failed')),
error_message TEXT,
created_at DATETIME DEFAULT CURRENT_TIMESTAMP
)
`, (err) => {
if (err) console.error('Error creating table:', err);
else console.log('✓ ivanti_fp_submissions table created');
});
db.run(
'CREATE INDEX IF NOT EXISTS idx_fp_submissions_user ON ivanti_fp_submissions(user_id)',
(err) => {
if (err) console.error('Error creating index:', err);
else console.log('✓ user_id index created');
}
);
db.run(
'CREATE INDEX IF NOT EXISTS idx_fp_submissions_ivanti_id ON ivanti_fp_submissions(ivanti_generated_id)',
(err) => {
if (err) console.error('Error creating index:', err);
else console.log('✓ ivanti_generated_id index created');
}
);
console.log('✓ Migration statements queued');
});
db.close(() => {
console.log('Migration complete!');
});

80
backend/migrations/add_granite_workflow_type.js Normal file
View File

@@ -0,0 +1,80 @@
// Migration: Add GRANITE to workflow_type CHECK constraint on ivanti_todo_queue
// SQLite cannot ALTER a CHECK constraint, so this recreates the table.
const sqlite3 = require('sqlite3').verbose();
const path = require('path');
const dbPath = path.join(__dirname, '..', 'cve_database.db');
const db = new sqlite3.Database(dbPath);
console.log('Starting add_granite_workflow_type migration...');
db.serialize(() => {
db.run('PRAGMA foreign_keys = OFF', (err) => {
if (err) console.error('PRAGMA error:', err);
});
db.run('BEGIN TRANSACTION', (err) => {
if (err) { console.error('BEGIN error:', err); return; }
});
db.run(`
CREATE TABLE ivanti_todo_queue_new (
id INTEGER PRIMARY KEY AUTOINCREMENT,
user_id INTEGER NOT NULL,
finding_id TEXT NOT NULL,
finding_title TEXT,
cves_json TEXT,
ip_address TEXT,
hostname TEXT,
vendor TEXT NOT NULL,
workflow_type TEXT NOT NULL CHECK(workflow_type IN ('FP', 'Archer', 'CARD', 'GRANITE')),
status TEXT NOT NULL DEFAULT 'pending' CHECK(status IN ('pending', 'complete')),
created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
updated_at DATETIME DEFAULT CURRENT_TIMESTAMP,
FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
)
`, (err) => {
if (err) console.error('Error creating new table:', err);
else console.log('✓ ivanti_todo_queue_new created');
});
db.run(
'INSERT INTO ivanti_todo_queue_new SELECT id, user_id, finding_id, finding_title, cves_json, ip_address, hostname, vendor, workflow_type, status, created_at, updated_at FROM ivanti_todo_queue',
(err) => {
if (err) console.error('Error copying data:', err);
else console.log('✓ Data copied');
}
);
db.run('DROP TABLE ivanti_todo_queue', (err) => {
if (err) console.error('Error dropping old table:', err);
else console.log('✓ Old table dropped');
});
db.run(
'ALTER TABLE ivanti_todo_queue_new RENAME TO ivanti_todo_queue',
(err) => {
if (err) console.error('Error renaming table:', err);
else console.log('✓ Table renamed');
}
);
db.run(
'CREATE INDEX IF NOT EXISTS idx_todo_queue_user ON ivanti_todo_queue(user_id, status)',
(err) => {
if (err) console.error('Error creating index:', err);
else console.log('✓ Index recreated');
}
);
db.run('COMMIT', (err) => {
if (err) console.error('COMMIT error:', err);
else console.log('✓ Transaction committed');
});
db.run('PRAGMA foreign_keys = ON', () => {}); // FIXME: Callback does not handle the error parameter (should be `(err) => { if (err) ... }`)
});
db.close(() => {
console.log('Migration complete!');
});

63
backend/migrations/add_jira_sync_columns.js Normal file
View File

@@ -0,0 +1,63 @@
// Migration: Add Jira API sync columns to jira_tickets table
// Adds jira_id, jira_status, and last_synced_at columns to support
// live synchronization with Jira Data Center REST API.
// Idempotent — safe to run multiple times.
const sqlite3 = require('sqlite3').verbose();
const path = require('path');
const dbPath = path.join(__dirname, '..', 'cve_database.db');
const db = new sqlite3.Database(dbPath);
console.log('Starting Jira sync columns migration...');
const newColumns = [
{ name: 'jira_id', sql: 'ALTER TABLE jira_tickets ADD COLUMN jira_id TEXT' },
{ name: 'jira_status', sql: 'ALTER TABLE jira_tickets ADD COLUMN jira_status TEXT' },
{ name: 'last_synced_at', sql: 'ALTER TABLE jira_tickets ADD COLUMN last_synced_at DATETIME' }
];
db.all('PRAGMA table_info(jira_tickets)', (err, columns) => {
if (err) {
console.error('Could not inspect jira_tickets:', err.message);
console.log('Run migrate_jira_tickets.js first to create the table.');
db.close();
return;
}
const existingNames = new Set(columns.map(c => c.name));
let pending = 0;
db.serialize(() => {
newColumns.forEach(({ name, sql }) => {
if (existingNames.has(name)) {
console.log(`✓ jira_tickets.${name} already exists — skipping`);
} else {
pending++;
db.run(sql, (runErr) => {
if (runErr) {
console.error(`✗ Failed to add ${name}:`, runErr.message);
} else {
console.log(`✓ Added jira_tickets.${name}`);
}
pending--;
if (pending === 0) finish();
});
}
});
// Create index on jira_id for lookups
db.run('CREATE INDEX IF NOT EXISTS idx_jira_tickets_jira_id ON jira_tickets(jira_id)', (idxErr) => {
if (idxErr) console.error('Index error:', idxErr.message);
else console.log('✓ jira_id index created');
});
if (pending === 0) finish();
});
});
function finish() {
db.close(() => {
console.log('Migration complete!');
});
}

57
backend/migrations/add_return_classification.js Normal file
View File

@@ -0,0 +1,57 @@
// Migration: Add return_classification_json column to ivanti_sync_anomaly_log
//
// Stores the classification breakdown for returned findings (e.g., how many
// returned due to BU reassignment back to team, severity re-escalation, etc.)
//
// Safe to re-run — uses ALTER TABLE with IF NOT EXISTS pattern.
//
// Usage: node backend/migrations/add_return_classification.js
const path = require('path');
const sqlite3 = require('sqlite3').verbose();
const dbPath = path.join(__dirname, '..', 'cve_database.db');
const db = new sqlite3.Database(dbPath);
console.log('Starting return classification migration...');
function run(sql, params = []) {
return new Promise((resolve, reject) => {
db.run(sql, params, function (err) {
if (err) reject(err);
else resolve(this);
});
});
}
function all(sql, params = []) {
return new Promise((resolve, reject) => {
db.all(sql, params, (err, rows) => {
if (err) reject(err);
else resolve(rows || []);
});
});
}
async function migrate() {
// Check if column already exists
const columns = await all(`PRAGMA table_info(ivanti_sync_anomaly_log)`);
const hasColumn = columns.some(c => c.name === 'return_classification_json');
if (!hasColumn) {
await run(`ALTER TABLE ivanti_sync_anomaly_log ADD COLUMN return_classification_json TEXT NOT NULL DEFAULT '{}'`);
console.log('✓ Added return_classification_json column to ivanti_sync_anomaly_log');
} else {
console.log('✓ return_classification_json column already exists — skipping');
}
}
migrate()
.then(() => {
console.log('Migration complete.');
db.close();
})
.catch((err) => {
console.error('Migration failed:', err);
db.close();
process.exit(1);
});

90
backend/migrations/add_sync_anomaly_tables.js Normal file
View File

@@ -0,0 +1,90 @@
// Migration: Add sync anomaly detection and BU drift monitoring tables
//
// Creates two new tables:
// - ivanti_sync_anomaly_log — stores one row per sync cycle with the
// anomaly summary breakdown (count deltas, classification, significance).
// - ivanti_finding_bu_history — records BU change events detected on
// individual findings across syncs.
//
// Safe to re-run — uses CREATE TABLE IF NOT EXISTS and CREATE INDEX IF NOT EXISTS.
//
// Usage: node backend/migrations/add_sync_anomaly_tables.js
const path = require('path');
const sqlite3 = require('sqlite3').verbose();
const dbPath = path.join(__dirname, '..', 'cve_database.db');
const db = new sqlite3.Database(dbPath);
console.log('Starting sync anomaly tables migration...');
function run(sql, params = []) {
return new Promise((resolve, reject) => {
db.run(sql, params, function (err) {
if (err) reject(err);
else resolve(this);
});
});
}
function all(sql, params = []) {
return new Promise((resolve, reject) => {
db.all(sql, params, (err, rows) => {
if (err) reject(err);
else resolve(rows || []);
});
});
}
async function migrate() {
// 1. Create ivanti_sync_anomaly_log table
await run(`
CREATE TABLE IF NOT EXISTS ivanti_sync_anomaly_log (
id INTEGER PRIMARY KEY AUTOINCREMENT,
sync_timestamp DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
open_count_delta INTEGER NOT NULL DEFAULT 0,
closed_count_delta INTEGER NOT NULL DEFAULT 0,
newly_archived_count INTEGER NOT NULL DEFAULT 0,
returned_count INTEGER NOT NULL DEFAULT 0,
classification_json TEXT NOT NULL DEFAULT '{}',
is_significant INTEGER NOT NULL DEFAULT 0,
created_at DATETIME DEFAULT CURRENT_TIMESTAMP
)
`);
console.log('✓ ivanti_sync_anomaly_log table ready');
// 2. Create ivanti_finding_bu_history table
await run(`
CREATE TABLE IF NOT EXISTS ivanti_finding_bu_history (
id INTEGER PRIMARY KEY AUTOINCREMENT,
finding_id TEXT NOT NULL,
finding_title TEXT NOT NULL DEFAULT '',
host_name TEXT NOT NULL DEFAULT '',
previous_bu TEXT NOT NULL,
new_bu TEXT NOT NULL,
detected_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
created_at DATETIME DEFAULT CURRENT_TIMESTAMP
)
`);
console.log('✓ ivanti_finding_bu_history table ready');
// 3. Create indexes
await run('CREATE INDEX IF NOT EXISTS idx_anomaly_sync_timestamp ON ivanti_sync_anomaly_log(sync_timestamp)');
console.log('✓ idx_anomaly_sync_timestamp index ready');
await run('CREATE INDEX IF NOT EXISTS idx_bu_history_finding_id ON ivanti_finding_bu_history(finding_id)');
console.log('✓ idx_bu_history_finding_id index ready');
await run('CREATE INDEX IF NOT EXISTS idx_bu_history_detected_at ON ivanti_finding_bu_history(detected_at)');
console.log('✓ idx_bu_history_detected_at index ready');
}
migrate()
.then(() => {
console.log('Migration complete.');
db.close();
})
.catch((err) => {
console.error('Migration failed:', err);
db.close();
process.exit(1);
});

25
backend/migrations/add_todo_queue_hostname.js Normal file
View File

@@ -0,0 +1,25 @@
// Migration: Add hostname column to ivanti_todo_queue
const sqlite3 = require('sqlite3').verbose();
const path = require('path');
const dbPath = path.join(__dirname, '..', 'cve_database.db');
const db = new sqlite3.Database(dbPath);
console.log('Starting add_todo_queue_hostname migration...');
db.run(
'ALTER TABLE ivanti_todo_queue ADD COLUMN hostname TEXT',
(err) => {
if (err) {
// Column may already exist if migration was run before
if (err.message.includes('duplicate column name')) {
console.log('✓ hostname column already exists, skipping');
} else {
console.error('Error adding column:', err);
}
} else {
console.log('✓ hostname column added');
}
db.close(() => console.log('Migration complete!'));
}
);

68
backend/migrations/add_user_bu_teams.js Normal file
View File

@@ -0,0 +1,68 @@
// Migration: Add bu_teams column to users table
// Stores comma-separated BU team identifiers per user (e.g. 'STEAM,ACCESS-ENG')
// Existing users get empty string (admin must assign teams post-migration)
// Idempotent — safe to run multiple times
const sqlite3 = require('sqlite3').verbose();
const path = require('path');
const DB_FILE = path.join(__dirname, '..', 'cve_database.db');
/**
* Run the migration against the given database instance.
* Exported for testing with in-memory databases.
* @param {sqlite3.Database} db
* @returns {Promise<void>}
*/
function runMigration(db) {
return new Promise((resolve, reject) => {
db.serialize(() => {
// Check if bu_teams column already exists
db.all("PRAGMA table_info(users)", (err, columns) => {
if (err) {
reject(err);
return;
}
const hasBuTeams = columns.some(col => col.name === 'bu_teams');
if (hasBuTeams) {
console.log('✓ bu_teams column already exists — skipping migration');
resolve();
return;
}
console.log('Adding bu_teams column to users table...');
db.run(
`ALTER TABLE users ADD COLUMN bu_teams TEXT NOT NULL DEFAULT ''`,
(err) => {
if (err) {
reject(err);
return;
}
console.log('✓ Added bu_teams column (default: empty string)');
console.log(' Note: Admin must assign teams to existing users via user management UI');
resolve();
}
);
});
});
});
}
// Run directly if executed as a script
if (require.main === module) {
const db = new sqlite3.Database(DB_FILE);
runMigration(db)
.then(() => {
console.log('Migration complete.');
db.close();
})
.catch((err) => {
console.error('Migration failed:', err.message);
db.close();
process.exit(1);
});
}
module.exports = { runMigration };

146
backend/migrations/add_user_groups.js Normal file
View File

@@ -0,0 +1,146 @@
// Migration: Add user_group column to users table and map legacy roles
// Mapping: admin→Admin, editor→Standard_User, viewer→Read_Only
// NULL/unrecognized roles default to Read_Only
// Idempotent — safe to run multiple times
const sqlite3 = require('sqlite3').verbose();
const path = require('path');
/**
* Run the migration against the given database instance.
* Exported for testing with in-memory databases.
* @param {sqlite3.Database} db
* @returns {Promise<void>}
*/
function runMigration(db) {
return new Promise((resolve, reject) => {
db.serialize(() => {
// Check if user_group column already exists
db.all("PRAGMA table_info(users)", (err, columns) => {
if (err) {
reject(err);
return;
}
const hasUserGroup = columns.some(col => col.name === 'user_group');
if (hasUserGroup) {
console.log('✓ user_group column already exists — skipping migration');
resolve();
return;
}
console.log('Adding user_group column to users table...');
// SQLite doesn't support ADD COLUMN with CHECK inline in all versions,
// so we add the column first, map values, then recreate with constraint.
// However, SQLite also doesn't support ALTER TABLE ADD CONSTRAINT.
// Strategy: add column, map values, create index.
// The CHECK constraint is enforced via table rebuild.
db.run(
`ALTER TABLE users ADD COLUMN user_group VARCHAR(20) NOT NULL DEFAULT 'Read_Only'`,
(err) => {
if (err) {
reject(err);
return;
}
console.log('✓ Added user_group column');
// Map existing roles to groups
db.run(
`UPDATE users SET user_group = 'Admin' WHERE role = 'admin'`,
function(err) {
if (err) { reject(err); return; }
console.log(` ✓ Mapped ${this.changes} admin(s) → Admin`);
db.run(
`UPDATE users SET user_group = 'Standard_User' WHERE role = 'editor'`,
function(err) {
if (err) { reject(err); return; }
console.log(` ✓ Mapped ${this.changes} editor(s) → Standard_User`);
db.run(
`UPDATE users SET user_group = 'Read_Only' WHERE role = 'viewer'`,
function(err) {
if (err) { reject(err); return; }
console.log(` ✓ Mapped ${this.changes} viewer(s) → Read_Only`);
// Map NULL or unrecognized roles to Read_Only
db.run(
`UPDATE users SET user_group = 'Read_Only' WHERE user_group = 'Read_Only' AND role NOT IN ('admin', 'editor', 'viewer')`,
function(err) {
if (err) { reject(err); return; }
console.log(` ✓ Mapped ${this.changes} unrecognized role(s) → Read_Only`);
// Create index on user_group
db.run(
`CREATE INDEX IF NOT EXISTS idx_users_user_group ON users(user_group)`,
(err) => {
if (err) { reject(err); return; }
console.log('✓ Created idx_users_user_group index');
// Add CHECK constraint via trigger (SQLite can't ALTER TABLE ADD CONSTRAINT)
db.run(
`CREATE TRIGGER IF NOT EXISTS check_user_group_insert
BEFORE INSERT ON users
FOR EACH ROW
WHEN NEW.user_group NOT IN ('Admin', 'Standard_User', 'Leadership', 'Read_Only')
BEGIN
SELECT RAISE(ABORT, 'Invalid user_group value. Must be Admin, Standard_User, Leadership, or Read_Only');
END`,
(err) => {
if (err) { reject(err); return; }
db.run(
`CREATE TRIGGER IF NOT EXISTS check_user_group_update
BEFORE UPDATE OF user_group ON users
FOR EACH ROW
WHEN NEW.user_group NOT IN ('Admin', 'Standard_User', 'Leadership', 'Read_Only')
BEGIN
SELECT RAISE(ABORT, 'Invalid user_group value. Must be Admin, Standard_User, Leadership, or Read_Only');
END`,
(err) => {
if (err) { reject(err); return; }
console.log('✓ Created user_group validation triggers');
console.log('Migration complete!');
resolve();
}
);
}
);
}
);
}
);
}
);
}
);
}
);
}
);
});
});
});
}
// Run directly if executed as a script
if (require.main === module) {
const dbPath = path.join(__dirname, '..', 'cve_database.db');
const db = new sqlite3.Database(dbPath);
console.log('Starting add_user_groups migration...');
runMigration(db)
.then(() => {
db.close(() => {
console.log('Database connection closed.');
});
})
.catch((err) => {
console.error('Migration failed:', err);
db.close();
process.exit(1);
});
}
module.exports = { runMigration };

65
backend/migrations/add_vcl_multi_vertical.js Normal file
View File

@@ -0,0 +1,65 @@
// Migration: Add multi-vertical support for VCL compliance reporting
// Adds vertical column to compliance_items and compliance_uploads,
// creates vcl_multi_vertical_summary table for per-vertical metric data.
const pool = require('../db');
async function run() {
console.log('Starting VCL multi-vertical migration...');
try {
// Add vertical column to compliance_items
await pool.query(`ALTER TABLE compliance_items ADD COLUMN IF NOT EXISTS vertical TEXT DEFAULT NULL`);
console.log('✓ vertical column added to compliance_items');
await pool.query(`CREATE INDEX IF NOT EXISTS idx_compliance_items_vertical ON compliance_items(vertical)`);
console.log('✓ idx_compliance_items_vertical index created');
await pool.query(`CREATE INDEX IF NOT EXISTS idx_compliance_items_vertical_status ON compliance_items(vertical, status)`);
console.log('✓ idx_compliance_items_vertical_status index created');
await pool.query(`CREATE INDEX IF NOT EXISTS idx_compliance_items_vertical_metric ON compliance_items(vertical, metric_id, status)`);
console.log('✓ idx_compliance_items_vertical_metric index created');
// Add vertical column to compliance_uploads
await pool.query(`ALTER TABLE compliance_uploads ADD COLUMN IF NOT EXISTS vertical TEXT DEFAULT NULL`);
console.log('✓ vertical column added to compliance_uploads');
// Create summary table for per-vertical metric data from Summary sheets
await pool.query(`
CREATE TABLE IF NOT EXISTS vcl_multi_vertical_summary (
id SERIAL PRIMARY KEY,
upload_id INTEGER NOT NULL REFERENCES compliance_uploads(id) ON DELETE CASCADE,
vertical TEXT NOT NULL,
metric_id TEXT NOT NULL,
metric_desc TEXT DEFAULT '',
category TEXT DEFAULT 'Other',
team TEXT DEFAULT '',
priority TEXT DEFAULT '',
non_compliant INTEGER DEFAULT 0,
compliant INTEGER DEFAULT 0,
total INTEGER DEFAULT 0,
compliance_pct NUMERIC(5,2) DEFAULT 0,
target NUMERIC(5,2) DEFAULT 0,
status TEXT DEFAULT '',
created_at TIMESTAMPTZ DEFAULT NOW()
)
`);
console.log('✓ vcl_multi_vertical_summary table created');
await pool.query(`CREATE INDEX IF NOT EXISTS idx_vcl_multi_summary_vertical ON vcl_multi_vertical_summary(vertical)`);
console.log('✓ idx_vcl_multi_summary_vertical index created');
await pool.query(`CREATE INDEX IF NOT EXISTS idx_vcl_multi_summary_upload ON vcl_multi_vertical_summary(upload_id)`);
console.log('✓ idx_vcl_multi_summary_upload index created');
await pool.query(`CREATE INDEX IF NOT EXISTS idx_vcl_multi_summary_vertical_metric ON vcl_multi_vertical_summary(vertical, metric_id)`);
console.log('✓ idx_vcl_multi_summary_vertical_metric index created');
} catch (err) {
console.error('Migration error:', err.message);
process.exit(1);
}
console.log('Migration complete.');
process.exit(0);
}
run();

38
backend/migrations/add_vcl_reporting_columns.js Normal file
View File

@@ -0,0 +1,38 @@
// Migration: Add VCL reporting columns to compliance_items and create compliance_snapshots table
const pool = require('../db');
async function run() {
console.log('Starting VCL reporting migration...');
try {
await pool.query(`ALTER TABLE compliance_items ADD COLUMN IF NOT EXISTS resolution_date DATE DEFAULT NULL`);
console.log('✓ resolution_date column added (or already exists)');
await pool.query(`ALTER TABLE compliance_items ADD COLUMN IF NOT EXISTS remediation_plan TEXT DEFAULT NULL`);
console.log('✓ remediation_plan column added (or already exists)');
await pool.query(`
CREATE TABLE IF NOT EXISTS compliance_snapshots (
id SERIAL PRIMARY KEY,
snapshot_month TEXT NOT NULL,
vertical TEXT NOT NULL,
total_devices INTEGER NOT NULL DEFAULT 0,
compliant INTEGER NOT NULL DEFAULT 0,
non_compliant INTEGER NOT NULL DEFAULT 0,
compliance_pct NUMERIC(5,2) DEFAULT 0,
created_at TIMESTAMPTZ DEFAULT NOW(),
UNIQUE(snapshot_month, vertical)
)
`);
console.log('✓ compliance_snapshots table created (or already exists)');
await pool.query(`CREATE INDEX IF NOT EXISTS idx_compliance_snapshots_month ON compliance_snapshots(snapshot_month)`);
console.log('✓ idx_compliance_snapshots_month index created (or already exists)');
} catch (err) {
console.error('Migration error:', err.message);
process.exit(1);
}
console.log('Migration complete.');
process.exit(0);
}
run();

26
backend/migrations/add_vcl_vertical_metadata.js Normal file
View File

@@ -0,0 +1,26 @@
// Migration: Create vcl_vertical_metadata table for editable team-level notes, RAs, and compliance dates
const pool = require('../db');
async function run() {
console.log('Starting vcl_vertical_metadata migration...');
try {
await pool.query(`
CREATE TABLE IF NOT EXISTS vcl_vertical_metadata (
id SERIAL PRIMARY KEY,
team TEXT NOT NULL UNIQUE,
notes TEXT DEFAULT '',
risk_acceptances INTEGER DEFAULT 0,
compliance_date TEXT DEFAULT NULL,
updated_at TIMESTAMPTZ DEFAULT NOW()
)
`);
console.log('✓ vcl_vertical_metadata table created (or already exists)');
} catch (err) {
console.error('Migration error:', err.message);
process.exit(1);
}
console.log('Migration complete.');
process.exit(0);
}
run();

160
backend/migrations/backfill_anomaly_log.js Normal file
View File

@@ -0,0 +1,160 @@
#!/usr/bin/env node
// backfill_anomaly_log.js — One-time backfill of ivanti_sync_anomaly_log
//
// Synthesizes anomaly log entries from existing ivanti_archive_transitions
// and ivanti_counts_history data so the archive activity sparkline on the
// Findings Trend chart has historical data to display.
//
// Safe to run multiple times — checks for existing rows before inserting.
//
// Usage: node backend/migrations/backfill_anomaly_log.js
const path = require('path');
const sqlite3 = require('sqlite3').verbose();
const DB_PATH = path.join(__dirname, '..', 'cve_database.db');
function dbAll(db, sql, params = []) {
return new Promise((resolve, reject) => {
db.all(sql, params, (err, rows) => {
if (err) reject(err);
else resolve(rows || []);
});
});
}
function dbGet(db, sql, params = []) {
return new Promise((resolve, reject) => {
db.get(sql, params, (err, row) => {
if (err) reject(err);
else resolve(row);
});
});
}
function dbRun(db, sql, params = []) {
return new Promise((resolve, reject) => {
db.run(sql, params, function (err) {
if (err) reject(err);
else resolve(this);
});
});
}
async function main() {
const db = new sqlite3.Database(DB_PATH);
// Check if anomaly log already has data
const existing = await dbGet(db, 'SELECT COUNT(*) as cnt FROM ivanti_sync_anomaly_log');
if (existing.cnt > 0) {
console.log(`ivanti_sync_anomaly_log already has ${existing.cnt} rows — skipping backfill.`);
console.log('To force re-run, delete existing rows first:');
console.log(' sqlite3 backend/cve_database.db "DELETE FROM ivanti_sync_anomaly_log;"');
db.close();
return;
}
// Get archive transitions grouped by date
const transitions = await dbAll(db,
`SELECT DATE(transitioned_at) as date,
to_state,
reason,
COUNT(*) as cnt
FROM ivanti_archive_transitions
GROUP BY date, to_state, reason
ORDER BY date`
);
// Get counts history (last snapshot per day) for delta computation
const countsRows = await dbAll(db,
`SELECT date, open_count, closed_count FROM (
SELECT DATE(recorded_at) AS date,
open_count, closed_count,
ROW_NUMBER() OVER (
PARTITION BY DATE(recorded_at)
ORDER BY recorded_at DESC
) AS rn
FROM ivanti_counts_history
) WHERE rn = 1
ORDER BY date ASC`
);
// Build a map of date -> { open_count, closed_count }
const countsMap = {};
for (const row of countsRows) {
countsMap[row.date] = { open: row.open_count, closed: row.closed_count };
}
// Build per-date anomaly summaries from transitions
const dateMap = {};
for (const t of transitions) {
if (!dateMap[t.date]) {
dateMap[t.date] = { archived: 0, returned: 0, classification: {} };
}
const entry = dateMap[t.date];
if (t.to_state === 'ARCHIVED') {
entry.archived += t.cnt;
// All pre-feature transitions have reason 'severity_score_drift'
// but from the investigation we know the 04/24 batch was mostly
// BU reassignment. We can't retroactively classify without the
// Ivanti API, so we label them as 'unclassified' (pre-feature).
entry.classification.unclassified = (entry.classification.unclassified || 0) + t.cnt;
} else if (t.to_state === 'RETURNED') {
entry.returned += t.cnt;
}
// CLOSED transitions are not archive events — they're findings
// confirmed in the closed set, so we don't count them as archived.
}
// Compute deltas and insert rows
const dates = Object.keys(dateMap).sort();
let inserted = 0;
for (const date of dates) {
const entry = dateMap[date];
const counts = countsMap[date];
// Find the previous day's counts for delta computation
const dateIdx = countsRows.findIndex(r => r.date === date);
let openDelta = 0;
let closedDelta = 0;
if (counts && dateIdx > 0) {
const prev = countsRows[dateIdx - 1];
openDelta = counts.open - prev.open_count;
closedDelta = counts.closed - prev.closed_count;
}
const isSignificant = entry.archived > 5 ? 1 : 0;
const classificationJson = JSON.stringify(entry.classification);
await dbRun(db,
`INSERT INTO ivanti_sync_anomaly_log
(sync_timestamp, open_count_delta, closed_count_delta,
newly_archived_count, returned_count, classification_json, is_significant)
VALUES (?, ?, ?, ?, ?, ?, ?)`,
[
`${date}T23:59:00`,
openDelta,
closedDelta,
entry.archived,
entry.returned,
classificationJson,
isSignificant,
]
);
inserted++;
const sigLabel = isSignificant ? ' [SIGNIFICANT]' : '';
console.log(` ${date}: ${entry.archived} archived, ${entry.returned} returned, delta open=${openDelta} closed=${closedDelta}${sigLabel}`);
}
console.log(`\nBackfill complete: ${inserted} anomaly log entries created.`);
db.close();
}
main().catch(err => {
console.error('Fatal error:', err);
process.exit(1);
});

165
backend/migrations/backfill_return_classification.js Normal file
View File

@@ -0,0 +1,165 @@
#!/usr/bin/env node
// backfill_return_classification.js
//
// Retroactively populates return_classification_json for existing anomaly log
// rows that have returned_count > 0 but an empty return classification.
//
// For each such row, looks at archive transitions that went ARCHIVED → RETURNED
// on that date, then finds the *prior* archive reason (the most recent
// transition to ARCHIVED for that same archive record) to determine why the
// finding originally left — which tells us why it came back.
//
// Safe to run multiple times — only updates rows with empty classification.
//
// Usage: node backend/migrations/backfill_return_classification.js
const path = require('path');
const sqlite3 = require('sqlite3').verbose();
const DB_PATH = path.join(__dirname, '..', 'cve_database.db');
function dbAll(db, sql, params = []) {
return new Promise((resolve, reject) => {
db.all(sql, params, (err, rows) => {
if (err) reject(err);
else resolve(rows || []);
});
});
}
function dbGet(db, sql, params = []) {
return new Promise((resolve, reject) => {
db.get(sql, params, (err, row) => {
if (err) reject(err);
else resolve(row);
});
});
}
function dbRun(db, sql, params = []) {
return new Promise((resolve, reject) => {
db.run(sql, params, function (err) {
if (err) reject(err);
else resolve(this);
});
});
}
async function main() {
const db = new sqlite3.Database(DB_PATH);
// Find anomaly log rows that have returned findings but no return classification
const rows = await dbAll(db,
`SELECT id, sync_timestamp, returned_count, return_classification_json
FROM ivanti_sync_anomaly_log
WHERE returned_count > 0
ORDER BY sync_timestamp ASC`
);
if (rows.length === 0) {
console.log('No anomaly log rows with returned findings found — nothing to backfill.');
db.close();
return;
}
const force = process.argv.includes('--force');
let updated = 0;
let skipped = 0;
for (const row of rows) {
// Skip if already has a non-empty classification (unless --force)
if (!force) {
let existing = {};
try { existing = JSON.parse(row.return_classification_json || '{}'); } catch (_) {}
const hasData = Object.values(existing).some(v => v > 0);
if (hasData) {
skipped++;
continue;
}
}
// Find the date of this anomaly row
const date = row.sync_timestamp.split('T')[0].split(' ')[0];
// Find all ARCHIVED → RETURNED transitions on this date
const returnTransitions = await dbAll(db,
`SELECT archive_id
FROM ivanti_archive_transitions
WHERE to_state = 'RETURNED'
AND DATE(transitioned_at) = ?`,
[date]
);
if (returnTransitions.length === 0) {
// No transitions found for this date — try a wider window (±1 day)
// since sync_timestamp and transitioned_at might not align exactly
const wider = await dbAll(db,
`SELECT archive_id
FROM ivanti_archive_transitions
WHERE to_state = 'RETURNED'
AND DATE(transitioned_at) BETWEEN DATE(?, '-1 day') AND DATE(?, '+1 day')`,
[date, date]
);
if (wider.length === 0) {
console.log(` ${date}: ${row.returned_count} returned but no matching transitions found — skipping`);
continue;
}
returnTransitions.push(...wider);
}
// For each returned finding, look up the prior archive reason
const classification = { bu_reassignment: 0, severity_drift: 0, closed_on_platform: 0, decommissioned: 0 };
const seen = new Set();
for (const rt of returnTransitions) {
if (seen.has(rt.archive_id)) continue;
seen.add(rt.archive_id);
// Find the most recent ARCHIVED transition *before* this return
// (the reason it was archived before it came back)
const archiveTransition = await dbGet(db,
`SELECT reason FROM ivanti_archive_transitions
WHERE archive_id = ? AND to_state = 'ARCHIVED'
AND transitioned_at <= (
SELECT transitioned_at FROM ivanti_archive_transitions
WHERE archive_id = ? AND to_state = 'RETURNED'
AND DATE(transitioned_at) BETWEEN DATE(?, '-1 day') AND DATE(?, '+1 day')
ORDER BY transitioned_at DESC LIMIT 1
)
ORDER BY transitioned_at DESC LIMIT 1`,
[rt.archive_id, rt.archive_id, date, date]
);
if (archiveTransition && archiveTransition.reason) {
const reasonKey = archiveTransition.reason.split(':')[0];
if (reasonKey in classification) {
classification[reasonKey]++;
}
}
}
const classificationJson = JSON.stringify(classification);
await dbRun(db,
`UPDATE ivanti_sync_anomaly_log
SET return_classification_json = ?
WHERE id = ?`,
[classificationJson, row.id]
);
const parts = Object.entries(classification)
.filter(([, v]) => v > 0)
.map(([k, v]) => `${v} ${k}`);
const breakdown = parts.length > 0 ? parts.join(', ') : 'unclassified';
console.log(` ${date}: ${row.returned_count} returned — ${breakdown}`);
updated++;
}
console.log(`\nBackfill complete: ${updated} rows updated, ${skipped} already had data.`);
db.close();
}
main().catch(err => {
console.error('Fatal error:', err);
process.exit(1);
});

102
backend/migrations/reclassify_bu_roundtrips.js Normal file
View File

@@ -0,0 +1,102 @@
#!/usr/bin/env node
// reclassify_bu_roundtrips.js
//
// Reclassifies archive transitions that were part of a BU reassignment
// round-trip. These are findings that were archived (disappeared from sync)
// and then returned within a short window — indicating they were temporarily
// reassigned to a different BU and then reassigned back.
//
// The original drift checker couldn't classify these correctly because by the
// time it queried Ivanti, the findings had already been reassigned back to
// the expected BUs.
//
// After running this, re-run backfill_return_classification.js to update
// the anomaly log with the corrected reasons.
//
// Usage: node backend/migrations/reclassify_bu_roundtrips.js
const path = require('path');
const sqlite3 = require('sqlite3').verbose();
const DB_PATH = path.join(__dirname, '..', 'cve_database.db');
// Findings that were archived and returned within this many days are
// considered BU reassignment round-trips
const ROUNDTRIP_WINDOW_DAYS = 14;
function dbAll(db, sql, params = []) {
return new Promise((resolve, reject) => {
db.all(sql, params, (err, rows) => {
if (err) reject(err);
else resolve(rows || []);
});
});
}
function dbRun(db, sql, params = []) {
return new Promise((resolve, reject) => {
db.run(sql, params, function (err) {
if (err) reject(err);
else resolve(this);
});
});
}
async function main() {
const db = new sqlite3.Database(DB_PATH);
// Find archive transitions where the finding was archived and then returned
// within the roundtrip window, and the archive reason is still the default
// severity_score_drift placeholder
const roundtrips = await dbAll(db, `
SELECT
t_arch.id AS archive_transition_id,
t_arch.archive_id,
a.finding_id,
a.finding_title,
t_arch.reason AS current_reason,
DATE(t_arch.transitioned_at) AS archived_date,
DATE(t_ret.transitioned_at) AS returned_date,
JULIANDAY(t_ret.transitioned_at) - JULIANDAY(t_arch.transitioned_at) AS days_between
FROM ivanti_archive_transitions t_arch
JOIN ivanti_finding_archives a ON a.id = t_arch.archive_id
JOIN ivanti_archive_transitions t_ret
ON t_ret.archive_id = t_arch.archive_id
AND t_ret.to_state = 'RETURNED'
AND t_ret.transitioned_at > t_arch.transitioned_at
WHERE t_arch.to_state = 'ARCHIVED'
AND t_arch.reason = 'severity_score_drift'
AND (JULIANDAY(t_ret.transitioned_at) - JULIANDAY(t_arch.transitioned_at)) BETWEEN 0 AND ?
ORDER BY t_arch.transitioned_at DESC
`, [ROUNDTRIP_WINDOW_DAYS]);
if (roundtrips.length === 0) {
console.log('No BU reassignment round-trips found to reclassify.');
db.close();
return;
}
console.log(`Found ${roundtrips.length} archive transitions to reclassify as bu_reassignment:\n`);
let updated = 0;
for (const rt of roundtrips) {
console.log(` Finding ${rt.finding_id}: archived ${rt.archived_date}, returned ${rt.returned_date} (${Math.round(rt.days_between)}d) — ${rt.current_reason} → bu_reassignment`);
await dbRun(db,
`UPDATE ivanti_archive_transitions SET reason = 'bu_reassignment' WHERE id = ?`,
[rt.archive_transition_id]
);
updated++;
}
console.log(`\nReclassified ${updated} transitions.`);
console.log('\nNow run the return classification backfill to update anomaly log rows:');
console.log(' node backend/migrations/backfill_return_classification.js');
db.close();
}
main().catch(err => {
console.error('Fatal error:', err);
process.exit(1);
});

56
backend/migrations/run-all.js Normal file
View File

@@ -0,0 +1,56 @@
#!/usr/bin/env node
// Run all Postgres-compatible migrations in order.
// Each migration is idempotent (safe to re-run).
// Used by CI/CD pipeline during deploy to ensure schema is up to date.
//
// Usage: cd backend && node migrations/run-all.js
const { execSync } = require('child_process');
const path = require('path');
const fs = require('fs');
const MIGRATIONS_DIR = __dirname;
// Only run migrations that use the Postgres pool (not legacy SQLite ones).
// Add new migrations to this list as they're created.
const POSTGRES_MIGRATIONS = [
'add_decom_workflow_type.js',
'add_fp_submissions_dismissed.js',
'add_fp_submissions_requeued_at.js',
'add_vcl_reporting_columns.js',
'add_vcl_vertical_metadata.js',
'add_vcl_multi_vertical.js',
];
async function runAll() {
console.log(`[Migrations] Running ${POSTGRES_MIGRATIONS.length} Postgres migration(s)...`);
let succeeded = 0;
let failed = 0;
for (const file of POSTGRES_MIGRATIONS) {
const fullPath = path.join(MIGRATIONS_DIR, file);
if (!fs.existsSync(fullPath)) {
console.error(` [FAIL] ${file}: file not found`);
failed++;
continue;
}
try {
console.log(` [run] ${file}`);
execSync(`node ${fullPath}`, {
cwd: path.join(MIGRATIONS_DIR, '..'),
stdio: 'inherit',
timeout: 30000,
});
succeeded++;
} catch (err) {
console.error(` [FAIL] ${file}: exit code ${err.status}`);
failed++;
}
}
console.log(`[Migrations] Done: ${succeeded} applied, ${failed} failed`);
if (failed > 0) process.exit(1);
}
runAll();

237
backend/routes/archerTickets.js
View File

@@ -1,6 +1,7 @@
// routes/archerTickets.js // routes/archerTickets.js
const express = require('express'); const express = require('express');
const { requireAuth, requireRole } = require('../middleware/auth'); const pool = require('../db');
const { requireAuth, requireGroup } = require('../middleware/auth');
const logAudit = require('../helpers/auditLog'); const logAudit = require('../helpers/auditLog');
// Validation helpers // Validation helpers
@@ -13,42 +14,43 @@ function isValidVendor(vendor) {
return typeof vendor === 'string' && vendor.trim().length > 0 && vendor.length <= 200; return typeof vendor === 'string' && vendor.trim().length > 0 && vendor.length <= 200;
} }
function createArcherTicketsRouter(db) { function createArcherTicketsRouter() {
const router = express.Router(); const router = express.Router();
// Get all Archer tickets (with optional filters) // Get all Archer tickets (with optional filters)
router.get('/', requireAuth(db), (req, res) => { router.get('/', requireAuth(), async (req, res) => {
const { cve_id, vendor, status } = req.query; const { cve_id, vendor, status } = req.query;
let query = 'SELECT * FROM archer_tickets WHERE 1=1'; let query = 'SELECT * FROM archer_tickets WHERE 1=1';
const params = []; const params = [];
let paramIndex = 1;
if (cve_id) { if (cve_id) {
query += ' AND cve_id = ?'; query += ` AND cve_id = $${paramIndex++}`;
params.push(cve_id); params.push(cve_id);
} }
if (vendor) { if (vendor) {
query += ' AND vendor = ?'; query += ` AND vendor = $${paramIndex++}`;
params.push(vendor); params.push(vendor);
} }
if (status) { if (status) {
query += ' AND status = ?'; query += ` AND status = $${paramIndex++}`;
params.push(status); params.push(status);
} }
query += ' ORDER BY created_at DESC'; query += ' ORDER BY created_at DESC';
db.all(query, params, (err, rows) => { try {
if (err) { const { rows } = await pool.query(query, params);
console.error('Error fetching Archer tickets:', err);
return res.status(500).json({ error: 'Internal server error.' });
}
res.json(rows); res.json(rows);
}); } catch (err) {
console.error('Error fetching Archer tickets:', err);
res.status(500).json({ error: 'Internal server error.' });
}
}); });
// Create Archer ticket // Create Archer ticket
router.post('/', requireAuth(db), requireRole('editor', 'admin'), (req, res) => { router.post('/', requireAuth(), requireGroup('Admin', 'Standard_User'), async (req, res) => {
const { exc_number, archer_url, status, cve_id, vendor } = req.body; const { exc_number, archer_url, status, cve_id, vendor } = req.body;
// Validation // Validation
@@ -73,38 +75,38 @@ function createArcherTicketsRouter(db) {
const validatedStatus = status || 'Draft'; const validatedStatus = status || 'Draft';
db.run( try {
`INSERT INTO archer_tickets (exc_number, archer_url, status, cve_id, vendor) const { rows } = await pool.query(
VALUES (?, ?, ?, ?, ?)`, `INSERT INTO archer_tickets (exc_number, archer_url, status, cve_id, vendor, created_by)
[exc_number.trim(), archer_url || null, validatedStatus, cve_id, vendor], VALUES ($1, $2, $3, $4, $5, $6)
function(err) { RETURNING id`,
if (err) { [exc_number.trim(), archer_url || null, validatedStatus, cve_id, vendor, req.user.id]
console.error('Error creating Archer ticket:', err); );
if (err.message.includes('UNIQUE constraint failed')) {
return res.status(409).json({ error: 'An Archer ticket with this EXC number already exists.' });
}
return res.status(500).json({ error: 'Internal server error.' });
}
logAudit(db, { logAudit({
userId: req.user.id, userId: req.user.id,
action: 'CREATE_ARCHER_TICKET', action: 'CREATE_ARCHER_TICKET',
targetType: 'archer_ticket', entityType: 'archer_ticket',
targetId: this.lastID, entityId: String(rows[0].id),
details: { exc_number, archer_url, status: validatedStatus, cve_id, vendor }, details: { exc_number, archer_url, status: validatedStatus, cve_id, vendor },
ipAddress: req.ip ipAddress: req.ip
}); });
res.status(201).json({ res.status(201).json({
id: this.lastID, id: rows[0].id,
message: 'Archer ticket created successfully' message: 'Archer ticket created successfully'
}); });
} catch (err) {
console.error('Error creating Archer ticket:', err);
if (err.code === '23505') {
return res.status(409).json({ error: 'An Archer ticket with this EXC number already exists.' });
} }
); res.status(500).json({ error: 'Internal server error.' });
}
}); });
// Update Archer ticket // Update Archer ticket
router.put('/:id', requireAuth(db), requireRole('editor', 'admin'), (req, res) => { router.put('/:id', requireAuth(), requireGroup('Admin', 'Standard_User'), async (req, res) => {
const { id } = req.params; const { id } = req.params;
const { exc_number, archer_url, status } = req.body; const { exc_number, archer_url, status } = req.body;
@@ -124,29 +126,27 @@ function createArcherTicketsRouter(db) {
return res.status(400).json({ error: 'Invalid status. Must be Draft, Open, Under Review, or Accepted.' }); return res.status(400).json({ error: 'Invalid status. Must be Draft, Open, Under Review, or Accepted.' });
} }
// Get existing ticket try {
db.get('SELECT * FROM archer_tickets WHERE id = ?', [id], (err, existing) => { const { rows } = await pool.query('SELECT * FROM archer_tickets WHERE id = $1', [id]);
if (err) { const existing = rows[0];
console.error(err);
return res.status(500).json({ error: 'Internal server error.' });
}
if (!existing) { if (!existing) {
return res.status(404).json({ error: 'Archer ticket not found.' }); return res.status(404).json({ error: 'Archer ticket not found.' });
} }
const updates = []; const updates = [];
const params = []; const params = [];
let paramIndex = 1;
if (exc_number !== undefined) { if (exc_number !== undefined) {
updates.push('exc_number = ?'); updates.push(`exc_number = $${paramIndex++}`);
params.push(exc_number.trim()); params.push(exc_number.trim());
} }
if (archer_url !== undefined) { if (archer_url !== undefined) {
updates.push('archer_url = ?'); updates.push(`archer_url = $${paramIndex++}`);
params.push(archer_url || null); params.push(archer_url || null);
} }
if (status !== undefined) { if (status !== undefined) {
updates.push('status = ?'); updates.push(`status = $${paramIndex++}`);
params.push(status); params.push(status);
} }
@@ -154,86 +154,113 @@ function createArcherTicketsRouter(db) {
return res.status(400).json({ error: 'No fields to update.' }); return res.status(400).json({ error: 'No fields to update.' });
} }
updates.push('updated_at = CURRENT_TIMESTAMP'); updates.push('updated_at = NOW()');
params.push(id); params.push(id);
db.run( const result = await pool.query(
`UPDATE archer_tickets SET ${updates.join(', ')} WHERE id = ?`, `UPDATE archer_tickets SET ${updates.join(', ')} WHERE id = $${paramIndex}`,
params, params
function(err) {
if (err) {
console.error(err);
if (err.message.includes('UNIQUE constraint failed')) {
return res.status(409).json({ error: 'An Archer ticket with this EXC number already exists.' });
}
return res.status(500).json({ error: 'Internal server error.' });
}
logAudit(db, {
userId: req.user.id,
action: 'UPDATE_ARCHER_TICKET',
targetType: 'archer_ticket',
targetId: id,
details: { before: existing, changes: req.body },
ipAddress: req.ip
});
res.json({ message: 'Archer ticket updated successfully', changes: this.changes });
}
); );
});
logAudit({
userId: req.user.id,
action: 'UPDATE_ARCHER_TICKET',
entityType: 'archer_ticket',
entityId: String(id),
details: { before: existing, changes: req.body },
ipAddress: req.ip
});
res.json({ message: 'Archer ticket updated successfully', changes: result.rowCount });
} catch (err) {
console.error(err);
if (err.code === '23505') {
return res.status(409).json({ error: 'An Archer ticket with this EXC number already exists.' });
}
res.status(500).json({ error: 'Internal server error.' });
}
}); });
// Delete Archer ticket // Delete Archer ticket
router.delete('/:id', requireAuth(db), requireRole('editor', 'admin'), (req, res) => { router.delete('/:id', requireAuth(), requireGroup('Admin', 'Standard_User'), async (req, res) => {
const { id } = req.params; const { id } = req.params;
db.get('SELECT * FROM archer_tickets WHERE id = ?', [id], (err, ticket) => { try {
if (err) { const { rows } = await pool.query('SELECT * FROM archer_tickets WHERE id = $1', [id]);
console.error(err); const ticket = rows[0];
return res.status(500).json({ error: 'Internal server error.' });
}
if (!ticket) { if (!ticket) {
return res.status(404).json({ error: 'Archer ticket not found.' }); return res.status(404).json({ error: 'Archer ticket not found.' });
} }
db.run('DELETE FROM archer_tickets WHERE id = ?', [id], function(err) { // Admin bypasses all delete restrictions
if (err) { if (req.user.group === 'Admin') {
console.error(err); return performArcherDelete();
return res.status(500).json({ error: 'Internal server error.' }); }
}
logAudit(db, { // Standard_User: ownership check
if (ticket.created_by && ticket.created_by !== req.user.id) {
return res.status(403).json({ error: 'You can only delete resources you created' });
}
// Standard_User: compliance linkage check
const excNumber = ticket.exc_number;
try {
const { rows: compLinks } = await pool.query(
`SELECT ci.id, ci.extra_json
FROM compliance_items ci
JOIN compliance_uploads cu ON ci.upload_id = cu.id
WHERE ci.status = 'active' AND ci.extra_json ILIKE $1`,
[`%${excNumber}%`]
);
const isLinked = (compLinks || []).some(cl => {
const json = cl.extra_json || '';
return json.includes(excNumber);
});
if (isLinked) {
return res.status(403).json({ error: 'Cannot delete ticket linked to compliance report. Contact an admin.' });
}
} catch (compErr) {
if (!compErr.message.includes('does not exist')) throw compErr;
}
return performArcherDelete();
async function performArcherDelete() {
await pool.query('DELETE FROM archer_tickets WHERE id = $1', [id]);
logAudit({
userId: req.user.id, userId: req.user.id,
action: 'DELETE_ARCHER_TICKET', action: 'DELETE_ARCHER_TICKET',
targetType: 'archer_ticket', entityType: 'archer_ticket',
targetId: id, entityId: String(id),
details: { deleted: ticket }, details: { deleted: ticket },
ipAddress: req.ip ipAddress: req.ip
}); });
res.json({ message: 'Archer ticket deleted successfully' }); res.json({ message: 'Archer ticket deleted successfully' });
}); }
}); } catch (err) {
console.error(err);
res.status(500).json({ error: 'Internal server error.' });
}
}); });
// GET /status-trend — ticket counts grouped by creation date + status // GET /status-trend — ticket counts grouped by creation date + status
// Used for time-based Archer pipeline chart on the Compliance page. router.get('/status-trend', requireAuth(), async (req, res) => {
router.get('/status-trend', requireAuth(db), (req, res) => { try {
db.all( const { rows } = await pool.query(
`SELECT DATE(created_at) AS date, status, COUNT(*) AS count `SELECT DATE(created_at) AS date, status, COUNT(*) AS count
FROM archer_tickets FROM archer_tickets
GROUP BY DATE(created_at), status GROUP BY DATE(created_at), status
ORDER BY date ASC`, ORDER BY date ASC`
[], );
(err, rows) => { res.json({ statusTrend: rows });
if (err) { } catch (err) {
console.error('Error fetching Archer status trend:', err); console.error('Error fetching Archer status trend:', err);
return res.status(500).json({ error: 'Internal server error.' }); res.status(500).json({ error: 'Internal server error.' });
} }
res.json({ statusTrend: rows });
}
);
}); });
return router; return router;

638
backend/routes/atlas.js Normal file
View File

@@ -0,0 +1,638 @@
// Atlas InfoSec Action Plans Routes
// Proxies CRUD operations to the Atlas API and maintains a local cache
// for fast badge rendering on the ReportingPage.
const express = require('express');
const pool = require('../db');
const { requireAuth, requireGroup } = require('../middleware/auth');
const logAudit = require('../helpers/auditLog');
const { isConfigured, atlasGet, atlasPut, atlasPatch, atlasPost } = require('../helpers/atlasApi');
const fs = require('fs');
const path = require('path');
const VALID_PLAN_TYPES = ['decommission', 'remediation', 'false_positive', 'risk_acceptance', 'scan_exclusion'];
const DATE_PATTERN = /^\d{4}-\d{2}-\d{2}$/;
// Diagnostic log helper
function syncLog(msg) {
const line = `${new Date().toISOString()} ${msg}\n`;
try { fs.appendFileSync(path.join(__dirname, '..', 'atlas-sync-debug.log'), line); } catch (_) { /* ignore */ }
console.log(msg);
}
// ---------------------------------------------------------------------------
// Pure aggregation function — exported for testability
// ---------------------------------------------------------------------------
function aggregateAtlasMetrics(rows) {
const result = {
totalHosts: rows.length,
hostsWithPlans: 0,
hostsWithoutPlans: 0,
plansByType: {},
plansByStatus: {},
totalPlans: 0
};
for (const row of rows) {
if (row.has_action_plan === true || row.has_action_plan === 1) {
result.hostsWithPlans++;
} else {
result.hostsWithoutPlans++;
}
let plans;
try {
plans = JSON.parse(row.plans_json);
} catch (e) {
continue;
}
if (!Array.isArray(plans)) continue;
for (const plan of plans) {
result.totalPlans++;
if (plan.plan_type) {
result.plansByType[plan.plan_type] = (result.plansByType[plan.plan_type] || 0) + 1;
}
if (plan.status) {
result.plansByStatus[plan.status] = (result.plansByStatus[plan.status] || 0) + 1;
}
}
}
return result;
}
// ---------------------------------------------------------------------------
// Router factory
// ---------------------------------------------------------------------------
function createAtlasRouter() {
const router = express.Router();
/**
* GET /metrics
*
* Returns aggregated Atlas action plan metrics from the local cache.
*
* @returns {Object} 200 - { totalHosts, hostsWithPlans, hostsWithoutPlans, plansByType, plansByStatus, totalPlans }
* @returns {Object} 503 - { error } when Atlas API is not configured
* @returns {Object} 500 - { error } on database failure
*/
router.get('/metrics', requireAuth(), async (req, res) => {
if (!isConfigured) {
return res.status(503).json({ error: 'Atlas API is not configured. Check ATLAS_API_URL, ATLAS_API_USER, and ATLAS_API_PASS environment variables.' });
}
try {
const { rows } = await pool.query(
`SELECT has_action_plan, plans_json FROM atlas_action_plans_cache`
);
const metrics = aggregateAtlasMetrics(rows);
res.json(metrics);
} catch (err) {
console.error('[Atlas] Error fetching metrics:', err.message);
res.status(500).json({ error: 'Failed to fetch Atlas metrics.' });
}
});
/**
* GET /status
*
* Returns the full atlas_action_plans_cache table contents for status display.
*
* @returns {Array} 200 - Array of { host_id, has_action_plan, plan_count, plans_json, synced_at }
* @returns {Object} 503 - { error } when Atlas API is not configured
* @returns {Object} 500 - { error } on database failure
*/
router.get('/status', requireAuth(), async (req, res) => {
if (!isConfigured) {
return res.status(503).json({ error: 'Atlas API is not configured. Check ATLAS_API_URL, ATLAS_API_USER, and ATLAS_API_PASS environment variables.' });
}
try {
const { rows } = await pool.query(
`SELECT host_id, has_action_plan, plan_count, plans_json, synced_at FROM atlas_action_plans_cache`
);
res.json(rows);
} catch (err) {
console.error('[Atlas] Error fetching status:', err.message);
res.status(500).json({ error: 'Failed to fetch Atlas status.' });
}
});
/**
* POST /sync
*
* Syncs action plan data from Atlas for all hosts found in ivanti_findings.
* Fetches plans per host in batches of 5 and upserts into the local cache.
* Requires Admin or Standard_User group.
*
* @returns {Object} 200 - { synced, withPlans, failed }
* @returns {Object} 503 - { error } when Atlas API is not configured
* @returns {Object} 500 - { error } on unexpected failure
*/
router.post('/sync', requireAuth(), requireGroup('Admin', 'Standard_User'), async (req, res) => {
if (!isConfigured) {
return res.status(503).json({ error: 'Atlas API is not configured. Check ATLAS_API_URL, ATLAS_API_USER, and ATLAS_API_PASS environment variables.' });
}
try {
// Read Ivanti findings and extract unique non-null hostIds
const { rows: findingsRows } = await pool.query(
`SELECT DISTINCT host_id FROM ivanti_findings WHERE host_id IS NOT NULL AND host_id > 0`
);
const hostIds = findingsRows.map(r => r.host_id);
if (hostIds.length === 0) {
return res.json({ synced: 0, withPlans: 0, failed: 0 });
}
let synced = 0;
let withPlans = 0;
let failed = 0;
const BATCH_SIZE = 5;
for (let i = 0; i < hostIds.length; i += BATCH_SIZE) {
const batch = hostIds.slice(i, i + BATCH_SIZE);
const results = await Promise.allSettled(
batch.map(async (hostId) => {
const result = await atlasGet('/hosts/' + hostId + '/action-plans');
return { hostId, result };
})
);
for (const settled of results) {
if (settled.status === 'rejected') {
failed++;
console.warn('[Atlas Sync] Request failed for host:', settled.reason?.message || settled.reason);
continue;
}
const { hostId, result } = settled.value;
if (result.status >= 200 && result.status < 300) {
let allPlans = [];
let activePlans = [];
try {
const parsed = JSON.parse(result.body);
if (parsed && typeof parsed === 'object' && !Array.isArray(parsed)) {
activePlans = Array.isArray(parsed.active) ? parsed.active : [];
const inactive = Array.isArray(parsed.inactive) ? parsed.inactive : [];
allPlans = [...activePlans, ...inactive];
} else if (Array.isArray(parsed)) {
allPlans = parsed;
activePlans = parsed;
}
} catch (e) {
allPlans = [];
activePlans = [];
}
const planCount = activePlans.length;
const hasActionPlan = planCount > 0;
try {
if (!hasActionPlan) {
const { rows: existingRows } = await pool.query(
`SELECT has_action_plan, plans_json, synced_at FROM atlas_action_plans_cache WHERE host_id = $1`,
[hostId]
);
const existing = existingRows[0];
if (existing && existing.has_action_plan === true) {
let existingPlans = [];
try { existingPlans = JSON.parse(existing.plans_json || '[]'); } catch (_) {}
const hasBulkStub = existingPlans.some(p => p.source === 'bulk-create');
if (hasBulkStub) {
const ageMs = Date.now() - new Date(existing.synced_at).getTime();
const TEN_MINUTES = 10 * 60 * 1000;
if (ageMs < TEN_MINUTES) {
synced++;
withPlans++;
continue;
}
}
}
}
await pool.query(
`INSERT INTO atlas_action_plans_cache (host_id, has_action_plan, plan_count, plans_json, synced_at)
VALUES ($1, $2, $3, $4, NOW())
ON CONFLICT(host_id) DO UPDATE SET
has_action_plan = EXCLUDED.has_action_plan,
plan_count = EXCLUDED.plan_count,
plans_json = EXCLUDED.plans_json,
synced_at = EXCLUDED.synced_at`,
[hostId, hasActionPlan, planCount, JSON.stringify(allPlans)]
);
} catch (dbErr) {
console.error('[Atlas Sync] DB upsert failed for host', hostId, ':', dbErr.message);
}
synced++;
if (hasActionPlan) withPlans++;
} else {
failed++;
console.warn(`[Atlas Sync] Non-2xx response for host ${hostId}: status ${result.status}`);
}
}
}
logAudit({
userId: req.user.id,
username: req.user.username,
action: 'ATLAS_SYNC',
entityType: 'atlas_action_plans',
entityId: null,
details: { synced, withPlans, failed, totalHosts: hostIds.length },
ipAddress: req.ip
});
res.json({ synced, withPlans, failed });
} catch (err) {
console.error('[Atlas Sync] Unexpected error:', err.message);
res.status(500).json({ error: 'Atlas sync failed: ' + err.message });
}
});
/**
* GET /hosts/:hostId/action-plans
*
* Proxies a request to Atlas to retrieve action plans for a specific host.
*
* @param {number} req.params.hostId - Positive integer host identifier
* @returns {Object} 2xx - Action plans response from Atlas API
* @returns {Object} 400 - { error } when hostId is invalid
* @returns {Object} 502 - { error } when Atlas API is unreachable
* @returns {Object} 503 - { error } when Atlas API is not configured
*/
router.get('/hosts/:hostId/action-plans', requireAuth(), async (req, res) => {
if (!isConfigured) {
return res.status(503).json({ error: 'Atlas API is not configured. Check ATLAS_API_URL, ATLAS_API_USER, and ATLAS_API_PASS environment variables.' });
}
const hostId = parseInt(req.params.hostId, 10);
if (!Number.isInteger(hostId) || hostId <= 0) {
return res.status(400).json({ error: 'hostId must be a positive integer' });
}
try {
const result = await atlasGet('/hosts/' + hostId + '/action-plans');
if (result.status >= 200 && result.status < 300) {
let body;
try { body = JSON.parse(result.body); } catch (e) { body = result.body; }
res.status(result.status).json(body);
} else {
let errorBody;
try { errorBody = JSON.parse(result.body); } catch (e) { errorBody = { error: result.body }; }
res.status(result.status).json(errorBody);
}
} catch (err) {
console.error('[Atlas] GET action-plans failed for host', hostId, ':', err.message);
res.status(502).json({ error: 'Failed to reach Atlas API: ' + err.message });
}
});
/**
* PUT /hosts/:hostId/action-plans
*
* Creates a new action plan for a host via the Atlas API.
* Requires Admin or Standard_User group.
*
* @param {number} req.params.hostId - Positive integer host identifier
* @param {Object} req.body
* @param {string} req.body.plan_type - One of: decommission, remediation, false_positive, risk_acceptance, scan_exclusion
* @param {string} req.body.commit_date - Date in YYYY-MM-DD format
* @returns {Object} 2xx - Created plan response from Atlas API
* @returns {Object} 400 - { error } when hostId, plan_type, or commit_date is invalid
* @returns {Object} 502 - { error } when Atlas API is unreachable
* @returns {Object} 503 - { error } when Atlas API is not configured
*/
router.put('/hosts/:hostId/action-plans', requireAuth(), requireGroup('Admin', 'Standard_User'), async (req, res) => {
if (!isConfigured) {
return res.status(503).json({ error: 'Atlas API is not configured. Check ATLAS_API_URL, ATLAS_API_USER, and ATLAS_API_PASS environment variables.' });
}
const hostId = parseInt(req.params.hostId, 10);
if (!Number.isInteger(hostId) || hostId <= 0) {
return res.status(400).json({ error: 'hostId must be a positive integer' });
}
const { plan_type, commit_date } = req.body || {};
if (!plan_type || !VALID_PLAN_TYPES.includes(plan_type)) {
return res.status(400).json({ error: 'plan_type must be one of: ' + VALID_PLAN_TYPES.join(', ') });
}
if (!commit_date || !DATE_PATTERN.test(commit_date)) {
return res.status(400).json({ error: 'commit_date must be a valid YYYY-MM-DD date string' });
}
try {
const result = await atlasPut('/hosts/' + hostId + '/action-plans', req.body);
logAudit({
userId: req.user.id,
username: req.user.username,
action: 'ATLAS_CREATE_PLAN',
entityType: 'atlas_action_plan',
entityId: String(hostId),
details: { hostId, plan_type, commit_date },
ipAddress: req.ip
});
if (result.status >= 200 && result.status < 300) {
let body;
try { body = JSON.parse(result.body); } catch (e) { body = result.body; }
res.status(result.status).json(body);
} else {
let errorBody;
try { errorBody = JSON.parse(result.body); } catch (e) { errorBody = { error: result.body }; }
res.status(result.status).json(errorBody);
}
} catch (err) {
console.error('[Atlas] PUT action-plans failed for host', hostId, ':', err.message);
res.status(502).json({ error: 'Failed to reach Atlas API: ' + err.message });
}
});
/**
* PATCH /hosts/:hostId/action-plans
*
* Updates an existing action plan for a host via the Atlas API.
* Requires Admin or Standard_User group.
*
* @param {number} req.params.hostId - Positive integer host identifier
* @param {Object} req.body
* @param {string} req.body.action_plan_id - Non-empty string identifying the plan to update
* @param {Object} req.body.updates - Object containing fields to update
* @returns {Object} 2xx - Updated plan response from Atlas API
* @returns {Object} 400 - { error } when hostId, action_plan_id, or updates is invalid
* @returns {Object} 502 - { error } when Atlas API is unreachable
* @returns {Object} 503 - { error } when Atlas API is not configured
*/
router.patch('/hosts/:hostId/action-plans', requireAuth(), requireGroup('Admin', 'Standard_User'), async (req, res) => {
if (!isConfigured) {
return res.status(503).json({ error: 'Atlas API is not configured. Check ATLAS_API_URL, ATLAS_API_USER, and ATLAS_API_PASS environment variables.' });
}
const hostId = parseInt(req.params.hostId, 10);
if (!Number.isInteger(hostId) || hostId <= 0) {
return res.status(400).json({ error: 'hostId must be a positive integer' });
}
const { action_plan_id, updates } = req.body || {};
if (!action_plan_id || typeof action_plan_id !== 'string' || action_plan_id.trim() === '') {
return res.status(400).json({ error: 'action_plan_id is required and must be a non-empty string' });
}
if (!updates || typeof updates !== 'object' || Array.isArray(updates)) {
return res.status(400).json({ error: 'updates is required and must be an object' });
}
try {
const result = await atlasPatch('/hosts/' + hostId + '/action-plans', req.body);
logAudit({
userId: req.user.id,
username: req.user.username,
action: 'ATLAS_UPDATE_PLAN',
entityType: 'atlas_action_plan',
entityId: String(hostId),
details: { hostId, action_plan_id },
ipAddress: req.ip
});
if (result.status >= 200 && result.status < 300) {
let body;
try { body = JSON.parse(result.body); } catch (e) { body = result.body; }
res.status(result.status).json(body);
} else {
let errorBody;
try { errorBody = JSON.parse(result.body); } catch (e) { errorBody = { error: result.body }; }
res.status(result.status).json(errorBody);
}
} catch (err) {
console.error('[Atlas] PATCH action-plans failed for host', hostId, ':', err.message);
res.status(502).json({ error: 'Failed to reach Atlas API: ' + err.message });
}
});
/**
* POST /hosts/bulk-action-plans
*
* Creates action plans for multiple hosts in a single request via the Atlas API.
* Optimistically updates the local cache with stub plans after a successful response.
* Requires Admin or Standard_User group.
*
* @param {Object} req.body
* @param {number[]} req.body.host_ids - Non-empty array of positive integer host identifiers
* @param {string} req.body.plan_type - One of: decommission, remediation, false_positive, risk_acceptance, scan_exclusion
* @param {string} req.body.commit_date - Date in YYYY-MM-DD format
* @returns {Object} 2xx - Bulk creation response from Atlas API
* @returns {Object} 400 - { error } when host_ids, plan_type, or commit_date is invalid
* @returns {Object} 502 - { error } when Atlas API is unreachable
* @returns {Object} 503 - { error } when Atlas API is not configured
*/
router.post('/hosts/bulk-action-plans', requireAuth(), requireGroup('Admin', 'Standard_User'), async (req, res) => {
if (!isConfigured) {
return res.status(503).json({ error: 'Atlas API is not configured. Check ATLAS_API_URL, ATLAS_API_USER, and ATLAS_API_PASS environment variables.' });
}
const { host_ids, plan_type, commit_date } = req.body || {};
if (!Array.isArray(host_ids) || host_ids.length === 0) {
return res.status(400).json({ error: 'host_ids must be a non-empty array of positive integers' });
}
for (const id of host_ids) {
if (!Number.isInteger(id) || id <= 0) {
return res.status(400).json({ error: 'host_ids must be a non-empty array of positive integers' });
}
}
if (!plan_type || !VALID_PLAN_TYPES.includes(plan_type)) {
return res.status(400).json({ error: 'plan_type must be one of: ' + VALID_PLAN_TYPES.join(', ') });
}
if (!commit_date || !DATE_PATTERN.test(commit_date)) {
return res.status(400).json({ error: 'commit_date must be a valid YYYY-MM-DD date string' });
}
try {
const result = await atlasPost('/hosts/create-bulk-action-plans', req.body);
if (result.status >= 200 && result.status < 300) {
let body;
try { body = JSON.parse(result.body); } catch (e) { body = result.body; }
// Optimistically update local cache
for (const hid of host_ids) {
try {
const { rows: existingRows } = await pool.query(
`SELECT plan_count, plans_json FROM atlas_action_plans_cache WHERE host_id = $1`,
[hid]
);
const existing = existingRows[0];
let existingPlans = [];
if (existing && existing.plans_json) {
try { existingPlans = JSON.parse(existing.plans_json); } catch (_) {}
}
const stubPlan = { plan_type, commit_date, source: 'bulk-create', created_at: new Date().toISOString() };
const updatedPlans = [...existingPlans, stubPlan];
const newCount = updatedPlans.length;
await pool.query(
`INSERT INTO atlas_action_plans_cache (host_id, has_action_plan, plan_count, plans_json, synced_at)
VALUES ($1, true, $2, $3, NOW())
ON CONFLICT(host_id) DO UPDATE SET
has_action_plan = true,
plan_count = EXCLUDED.plan_count,
plans_json = EXCLUDED.plans_json,
synced_at = EXCLUDED.synced_at`,
[hid, newCount, JSON.stringify(updatedPlans)]
);
} catch (cacheErr) {
console.error('[Atlas] Cache update failed for host', hid, ':', cacheErr.message);
}
}
logAudit({
userId: req.user.id,
username: req.user.username,
action: 'ATLAS_BULK_CREATE_PLANS',
entityType: 'atlas_action_plan',
entityId: null,
details: { host_ids, plan_type, commit_date, count: host_ids.length },
ipAddress: req.ip
});
res.status(result.status).json(body);
} else {
let errorBody;
try { errorBody = JSON.parse(result.body); } catch (e) { errorBody = { error: result.body }; }
res.status(result.status).json(errorBody);
}
} catch (err) {
console.error('[Atlas] POST bulk-action-plans failed:', err.message);
res.status(502).json({ error: 'Failed to reach Atlas API: ' + err.message });
}
});
/**
* POST /hosts/:hostId/refresh-cache
*
* Triggers Atlas to refresh its Ivanti data cache, then updates the local
* action plans cache for the specified host. Useful when action plan creation
* fails due to stale finding IDs.
* Requires Admin or Standard_User group.
*
* @param {number} req.params.hostId - Positive integer host identifier
* @returns {Object} 200 - { success, message } on successful cache refresh
* @returns {Object} 400 - { error } when hostId is invalid
* @returns {Object} 502 - { error } when Atlas API is unreachable
* @returns {Object} 503 - { error } when Atlas API is not configured
*/
router.post('/hosts/:hostId/refresh-cache', requireAuth(), requireGroup('Admin', 'Standard_User'), async (req, res) => {
if (!isConfigured) {
return res.status(503).json({ error: 'Atlas API is not configured. Check ATLAS_API_URL, ATLAS_API_USER, and ATLAS_API_PASS environment variables.' });
}
const hostId = parseInt(req.params.hostId, 10);
if (!Number.isInteger(hostId) || hostId <= 0) {
return res.status(400).json({ error: 'hostId must be a positive integer' });
}
try {
const result = await atlasPost('/cache/refresh-ivanti', {}, { timeout: 30000 });
if (result.status >= 200 && result.status < 300) {
// Also refresh our local action plans cache for this host
const plansResult = await atlasGet('/hosts/' + hostId + '/action-plans');
if (plansResult.status >= 200 && plansResult.status < 300) {
let allPlans = [];
let activePlans = [];
try {
const parsed = JSON.parse(plansResult.body);
if (parsed && typeof parsed === 'object' && !Array.isArray(parsed)) {
activePlans = Array.isArray(parsed.active) ? parsed.active : [];
const inactive = Array.isArray(parsed.inactive) ? parsed.inactive : [];
allPlans = [...activePlans, ...inactive];
} else if (Array.isArray(parsed)) {
allPlans = parsed;
activePlans = parsed;
}
} catch (_) {}
const planCount = activePlans.length;
const hasActionPlan = planCount > 0;
await pool.query(
`INSERT INTO atlas_action_plans_cache (host_id, has_action_plan, plan_count, plans_json, synced_at)
VALUES ($1, $2, $3, $4, NOW())
ON CONFLICT(host_id) DO UPDATE SET
has_action_plan = EXCLUDED.has_action_plan,
plan_count = EXCLUDED.plan_count,
plans_json = EXCLUDED.plans_json,
synced_at = EXCLUDED.synced_at`,
[hostId, hasActionPlan, planCount, JSON.stringify(allPlans)]
);
}
res.json({ success: true, message: 'Atlas cache refreshed for host ' + hostId });
} else {
let errorBody;
try { errorBody = JSON.parse(result.body); } catch (e) { errorBody = { error: result.body }; }
res.status(result.status).json(errorBody);
}
} catch (err) {
console.error('[Atlas] POST refresh-cache failed for host', hostId, ':', err.message);
res.status(502).json({ error: 'Failed to reach Atlas API: ' + err.message });
}
});
/**
* POST /hosts/vulnerabilities
*
* Fetches Ivanti vulnerability data for the specified hosts from Atlas.
*
* @param {Object} req.body
* @param {number[]} req.body.host_ids - Non-empty array of positive integer host identifiers
* @returns {Object} 2xx - Vulnerability data response from Atlas API
* @returns {Object} 400 - { error } when host_ids is invalid
* @returns {Object} 502 - { error } when Atlas API is unreachable
* @returns {Object} 503 - { error } when Atlas API is not configured
*/
router.post('/hosts/vulnerabilities', requireAuth(), async (req, res) => {
if (!isConfigured) {
return res.status(503).json({ error: 'Atlas API is not configured. Check ATLAS_API_URL, ATLAS_API_USER, and ATLAS_API_PASS environment variables.' });
}
const { host_ids } = req.body || {};
if (!Array.isArray(host_ids) || host_ids.length === 0) {
return res.status(400).json({ error: 'host_ids must be a non-empty array of positive integers' });
}
for (const id of host_ids) {
if (!Number.isInteger(id) || id <= 0) {
return res.status(400).json({ error: 'host_ids must be a non-empty array of positive integers' });
}
}
try {
const result = await atlasPost('/ivanti-vulnerabilities-by-host', { host_ids }, { timeout: 30000 });
if (result.status >= 200 && result.status < 300) {
let body;
try { body = JSON.parse(result.body); } catch (e) { body = result.body; }
res.status(result.status).json(body);
} else {
let errorBody;
try { errorBody = JSON.parse(result.body); } catch (e) { errorBody = { error: result.body }; }
res.status(result.status).json(errorBody);
}
} catch (err) {
console.error('[Atlas] POST hosts/vulnerabilities failed:', err.message);
res.status(502).json({ error: 'Failed to reach Atlas API: ' + err.message });
}
});
return router;
}
module.exports = createAtlasRouter;
module.exports.aggregateAtlasMetrics = aggregateAtlasMetrics;

67
backend/routes/auditLog.js
View File

@@ -1,11 +1,13 @@
// Audit Log Routes (Admin only) // Audit Log Routes (Admin only)
const express = require('express'); const express = require('express');
const pool = require('../db');
const { requireAuth, requireGroup } = require('../middleware/auth');
function createAuditLogRouter(db, requireAuth, requireRole) { function createAuditLogRouter() {
const router = express.Router(); const router = express.Router();
// All routes require admin role // All routes require Admin group
router.use(requireAuth(db), requireRole('admin')); router.use(requireAuth(), requireGroup('Admin'));
// Get paginated audit logs with filters // Get paginated audit logs with filters
router.get('/', async (req, res) => { router.get('/', async (req, res) => {
@@ -24,25 +26,26 @@ function createAuditLogRouter(db, requireAuth, requireRole) {
let where = []; let where = [];
let params = []; let params = [];
let paramIndex = 1;
if (user) { if (user) {
where.push('username LIKE ?'); where.push(`username ILIKE $${paramIndex++}`);
params.push(`%${user}%`); params.push(`%${user}%`);
} }
if (action) { if (action) {
where.push('action = ?'); where.push(`action = $${paramIndex++}`);
params.push(action); params.push(action);
} }
if (entityType) { if (entityType) {
where.push('entity_type = ?'); where.push(`entity_type = $${paramIndex++}`);
params.push(entityType); params.push(entityType);
} }
if (startDate) { if (startDate) {
where.push('created_at >= ?'); where.push(`created_at >= $${paramIndex++}`);
params.push(startDate); params.push(startDate);
} }
if (endDate) { if (endDate) {
where.push('created_at <= ?'); where.push(`created_at <= $${paramIndex++}`);
params.push(endDate + ' 23:59:59'); params.push(endDate + ' 23:59:59');
} }
@@ -50,36 +53,25 @@ function createAuditLogRouter(db, requireAuth, requireRole) {
try { try {
// Get total count // Get total count
const countRow = await new Promise((resolve, reject) => { const countResult = await pool.query(
db.get( `SELECT COUNT(*) as total FROM audit_logs ${whereClause}`,
`SELECT COUNT(*) as total FROM audit_logs ${whereClause}`, params
params, );
(err, row) => { const total = parseInt(countResult.rows[0].total);
if (err) reject(err);
else resolve(row);
}
);
});
// Get paginated results // Get paginated results
const rows = await new Promise((resolve, reject) => { const dataResult = await pool.query(
db.all( `SELECT * FROM audit_logs ${whereClause} ORDER BY created_at DESC LIMIT $${paramIndex++} OFFSET $${paramIndex++}`,
`SELECT * FROM audit_logs ${whereClause} ORDER BY created_at DESC LIMIT ? OFFSET ?`, [...params, pageSize, offset]
[...params, pageSize, offset], );
(err, rows) => {
if (err) reject(err);
else resolve(rows);
}
);
});
res.json({ res.json({
logs: rows, logs: dataResult.rows,
pagination: { pagination: {
page: parseInt(page), page: parseInt(page),
limit: pageSize, limit: pageSize,
total: countRow.total, total: total,
totalPages: Math.ceil(countRow.total / pageSize) totalPages: Math.ceil(total / pageSize)
} }
}); });
} catch (err) { } catch (err) {
@@ -91,16 +83,9 @@ function createAuditLogRouter(db, requireAuth, requireRole) {
// Get distinct action types for filter dropdown // Get distinct action types for filter dropdown
router.get('/actions', async (req, res) => { router.get('/actions', async (req, res) => {
try { try {
const rows = await new Promise((resolve, reject) => { const { rows } = await pool.query(
db.all( 'SELECT DISTINCT action FROM audit_logs ORDER BY action'
'SELECT DISTINCT action FROM audit_logs ORDER BY action', );
(err, rows) => {
if (err) reject(err);
else resolve(rows);
}
);
});
res.json(rows.map(r => r.action)); res.json(rows.map(r => r.action));
} catch (err) { } catch (err) {
console.error('Audit log actions error:', err); console.error('Audit log actions error:', err);

304
backend/routes/auth.js
View File

@@ -2,12 +2,36 @@
const express = require('express'); const express = require('express');
const bcrypt = require('bcryptjs'); const bcrypt = require('bcryptjs');
const crypto = require('crypto'); const crypto = require('crypto');
const rateLimit = require('express-rate-limit');
const pool = require('../db');
const { requireAuth, requireGroup } = require('../middleware/auth');
function createAuthRouter(db, logAudit) { const loginLimiter = rateLimit({
windowMs: 15 * 60 * 1000, // 15 minutes
max: 20, // 20 attempts per window
standardHeaders: true,
legacyHeaders: false,
message: { error: 'Too many login attempts. Please try again in 15 minutes.' }
});
function createAuthRouter(logAudit) {
const router = express.Router(); const router = express.Router();
// Login /**
router.post('/login', async (req, res) => { * POST /api/auth/login
*
* Authenticates a user with username and password, creates a session,
* and sets an httpOnly session cookie. Rate-limited to 20 attempts per 15 minutes.
*
* @body {string} username - The user's login username
* @body {string} password - The user's password
* @returns {object} 200 - { message: 'Login successful', user: { id, username, email, group } }
* @returns {object} 400 - { error: 'Username and password are required' }
* @returns {object} 401 - { error: 'Invalid username or password' } | { error: 'Account is disabled' }
* @returns {object} 429 - { error: 'Too many login attempts. Please try again in 15 minutes.' }
* @returns {object} 500 - { error: 'Login failed' }
*/
router.post('/login', loginLimiter, async (req, res) => {
const { username, password } = req.body; const { username, password } = req.body;
if (!username || !password) { if (!username || !password) {
@@ -16,19 +40,14 @@ function createAuthRouter(db, logAudit) {
try { try {
// Find user // Find user
const user = await new Promise((resolve, reject) => { const { rows } = await pool.query(
db.get( 'SELECT * FROM users WHERE username = $1',
'SELECT * FROM users WHERE username = ?', [username]
[username], );
(err, row) => { const user = rows[0];
if (err) reject(err);
else resolve(row);
}
);
});
if (!user) { if (!user) {
logAudit(db, { logAudit({
userId: null, userId: null,
username: username, username: username,
action: 'login_failed', action: 'login_failed',
@@ -41,7 +60,7 @@ function createAuthRouter(db, logAudit) {
} }
if (!user.is_active) { if (!user.is_active) {
logAudit(db, { logAudit({
userId: user.id, userId: user.id,
username: username, username: username,
action: 'login_failed', action: 'login_failed',
@@ -56,7 +75,7 @@ function createAuthRouter(db, logAudit) {
// Verify password // Verify password
const validPassword = await bcrypt.compare(password, user.password_hash); const validPassword = await bcrypt.compare(password, user.password_hash);
if (!validPassword) { if (!validPassword) {
logAudit(db, { logAudit({
userId: user.id, userId: user.id,
username: username, username: username,
action: 'login_failed', action: 'login_failed',
@@ -73,28 +92,16 @@ function createAuthRouter(db, logAudit) {
const expiresAt = new Date(Date.now() + 24 * 60 * 60 * 1000); // 24 hours const expiresAt = new Date(Date.now() + 24 * 60 * 60 * 1000); // 24 hours
// Create session // Create session
await new Promise((resolve, reject) => { await pool.query(
db.run( 'INSERT INTO sessions (session_id, user_id, expires_at) VALUES ($1, $2, $3)',
'INSERT INTO sessions (session_id, user_id, expires_at) VALUES (?, ?, ?)', [sessionId, user.id, expiresAt.toISOString()]
[sessionId, user.id, expiresAt.toISOString()], );
(err) => {
if (err) reject(err);
else resolve();
}
);
});
// Update last login // Update last login
await new Promise((resolve, reject) => { await pool.query(
db.run( 'UPDATE users SET last_login = NOW() WHERE id = $1',
'UPDATE users SET last_login = CURRENT_TIMESTAMP WHERE id = ?', [user.id]
[user.id], );
(err) => {
if (err) reject(err);
else resolve();
}
);
});
// Set cookie // Set cookie
res.cookie('session_id', sessionId, { res.cookie('session_id', sessionId, {
@@ -104,13 +111,13 @@ function createAuthRouter(db, logAudit) {
maxAge: 24 * 60 * 60 * 1000 // 24 hours maxAge: 24 * 60 * 60 * 1000 // 24 hours
}); });
logAudit(db, { logAudit({
userId: user.id, userId: user.id,
username: user.username, username: user.username,
action: 'login', action: 'login',
entityType: 'auth', entityType: 'auth',
entityId: null, entityId: null,
details: { role: user.role }, details: { group: user.user_group },
ipAddress: req.ip ipAddress: req.ip
}); });
@@ -120,7 +127,8 @@ function createAuthRouter(db, logAudit) {
id: user.id, id: user.id,
username: user.username, username: user.username,
email: user.email, email: user.email,
role: user.role group: user.user_group,
teams: user.bu_teams ? user.bu_teams.split(',').filter(Boolean) : []
} }
}); });
} catch (err) { } catch (err) {
@@ -129,33 +137,44 @@ function createAuthRouter(db, logAudit) {
} }
}); });
// Logout /**
* POST /api/auth/logout
*
* Ends the current user session by deleting it from the database
* and clearing the session cookie.
*
* @returns {object} 200 - { message: 'Logged out successfully' }
*/
router.post('/logout', async (req, res) => { router.post('/logout', async (req, res) => {
const sessionId = req.cookies?.session_id; const sessionId = req.cookies?.session_id;
if (sessionId) { if (sessionId) {
// Look up user before deleting session // Look up user before deleting session
const session = await new Promise((resolve) => { let session = null;
db.get( try {
const { rows } = await pool.query(
`SELECT u.id as user_id, u.username FROM sessions s `SELECT u.id as user_id, u.username FROM sessions s
JOIN users u ON s.user_id = u.id JOIN users u ON s.user_id = u.id
WHERE s.session_id = ?`, WHERE s.session_id = $1`,
[sessionId], [sessionId]
(err, row) => resolve(row || null)
); );
}); session = rows[0] || null;
} catch (err) {
// Non-critical — proceed with logout
}
// Delete session from database // Delete session from database
await new Promise((resolve) => { try {
db.run( await pool.query(
'DELETE FROM sessions WHERE session_id = ?', 'DELETE FROM sessions WHERE session_id = $1',
[sessionId], [sessionId]
() => resolve()
); );
}); } catch (err) {
// Non-critical — proceed with logout
}
if (session) { if (session) {
logAudit(db, { logAudit({
userId: session.user_id, userId: session.user_id,
username: session.username, username: session.username,
action: 'logout', action: 'logout',
@@ -172,7 +191,16 @@ function createAuthRouter(db, logAudit) {
res.json({ message: 'Logged out successfully' }); res.json({ message: 'Logged out successfully' });
}); });
// Get current user /**
* GET /api/auth/me
*
* Returns the currently authenticated user based on the session cookie.
* Clears the cookie and returns 401 if the session is expired or the account is disabled.
*
* @returns {object} 200 - { user: { id, username, email, group } }
* @returns {object} 401 - { error: 'Not authenticated' } | { error: 'Session expired' } | { error: 'Account is disabled' }
* @returns {object} 500 - { error: 'Failed to get user' }
*/
router.get('/me', async (req, res) => { router.get('/me', async (req, res) => {
const sessionId = req.cookies?.session_id; const sessionId = req.cookies?.session_id;
@@ -181,19 +209,15 @@ function createAuthRouter(db, logAudit) {
} }
try { try {
const session = await new Promise((resolve, reject) => { const { rows } = await pool.query(
db.get( `SELECT s.*, u.id as user_id, u.username, u.email, u.user_group, u.bu_teams, u.is_active
`SELECT s.*, u.id as user_id, u.username, u.email, u.role, u.is_active FROM sessions s
FROM sessions s JOIN users u ON s.user_id = u.id
JOIN users u ON s.user_id = u.id WHERE s.session_id = $1 AND s.expires_at > NOW()`,
WHERE s.session_id = ? AND s.expires_at > datetime('now')`, [sessionId]
[sessionId], );
(err, row) => {
if (err) reject(err); const session = rows[0];
else resolve(row);
}
);
});
if (!session) { if (!session) {
res.clearCookie('session_id'); res.clearCookie('session_id');
@@ -210,7 +234,8 @@ function createAuthRouter(db, logAudit) {
id: session.user_id, id: session.user_id,
username: session.username, username: session.username,
email: session.email, email: session.email,
role: session.role group: session.user_group,
teams: session.bu_teams ? session.bu_teams.split(',').filter(Boolean) : []
} }
}); });
} catch (err) { } catch (err) {
@@ -219,23 +244,136 @@ function createAuthRouter(db, logAudit) {
} }
}); });
// Clean up expired sessions (admin only) /**
router.post('/cleanup-sessions', async (req, res) => { * GET /api/auth/profile
// Basic auth check - require a valid session to call this *
const sessionId = req.cookies?.session_id; * Returns the full profile for the currently authenticated user.
if (!sessionId) { * Queries the database for up-to-date account details including
return res.status(401).json({ error: 'Authentication required' }); * creation date and last login timestamp.
} *
* @returns {object} 200 - { id, username, email, group, created_at, last_login }
* @returns {object} 401 - { error: 'Account is disabled' } (clears session cookie)
* @returns {object} 500 - { error: 'Failed to fetch profile' }
*/
router.get('/profile', requireAuth(), async (req, res) => {
try { try {
await new Promise((resolve, reject) => { const { rows } = await pool.query(
db.run( 'SELECT id, username, email, user_group, created_at, last_login, is_active FROM users WHERE id = $1',
"DELETE FROM sessions WHERE expires_at < datetime('now')", [req.user.id]
(err) => { );
if (err) reject(err);
else resolve(); const user = rows[0];
}
); if (!user || !user.is_active) {
res.clearCookie('session_id');
return res.status(401).json({ error: 'Account is disabled' });
}
res.json({
id: user.id,
username: user.username,
email: user.email,
group: user.user_group,
created_at: user.created_at,
last_login: user.last_login
}); });
} catch (err) {
console.error('Profile fetch error:', err);
res.status(500).json({ error: 'Failed to fetch profile' });
}
});
// Rate limiter for password change — 5 attempts per 15-minute window, keyed by session cookie
const passwordChangeLimiter = rateLimit({
windowMs: 15 * 60 * 1000, // 15 minutes
max: 5,
standardHeaders: true,
legacyHeaders: false,
keyGenerator: (req) => req.cookies?.session_id || req.ip,
message: { error: 'Too many password change attempts. Please try again later.' }
});
/**
* POST /api/auth/change-password
*
* Allows the authenticated user to change their own password.
* Rate-limited to 5 attempts per 15-minute window per session.
*
* @body {string} currentPassword - The user's current password
* @body {string} newPassword - The desired new password (min 8 characters)
* @returns {object} 200 - { message: 'Password changed successfully' }
* @returns {object} 400 - { error: 'Current password and new password are required' } | { error: 'New password must be at least 8 characters' }
* @returns {object} 401 - { error: 'Account is disabled' } | { error: 'Current password is incorrect' }
* @returns {object} 429 - { error: 'Too many password change attempts. Please try again later.' }
* @returns {object} 500 - { error: 'Failed to change password' }
*/
router.post('/change-password', requireAuth(), passwordChangeLimiter, async (req, res) => {
const { currentPassword, newPassword } = req.body;
if (!currentPassword || !newPassword) {
return res.status(400).json({ error: 'Current password and new password are required' });
}
if (newPassword.length < 8) {
return res.status(400).json({ error: 'New password must be at least 8 characters' });
}
try {
// Fetch user's password hash and active status
const { rows } = await pool.query(
'SELECT password_hash, is_active FROM users WHERE id = $1',
[req.user.id]
);
const user = rows[0];
if (!user || !user.is_active) {
return res.status(401).json({ error: 'Account is disabled' });
}
// Verify current password
const validPassword = await bcrypt.compare(currentPassword, user.password_hash);
if (!validPassword) {
return res.status(401).json({ error: 'Current password is incorrect' });
}
// Hash new password and update
const newHash = await bcrypt.hash(newPassword, 10);
await pool.query(
'UPDATE users SET password_hash = $1 WHERE id = $2',
[newHash, req.user.id]
);
logAudit({
userId: req.user.id,
username: req.user.username,
action: 'password_change',
entityType: 'auth',
entityId: null,
details: null,
ipAddress: req.ip
});
res.json({ message: 'Password changed successfully' });
} catch (err) {
console.error('Password change error:', err);
res.status(500).json({ error: 'Failed to change password' });
}
});
/**
* POST /api/auth/cleanup-sessions
*
* Deletes all expired sessions from the database. Requires Admin group.
*
* @returns {object} 200 - { message: 'Expired sessions cleaned up' }
* @returns {object} 401 - { error: 'Authentication required' }
* @returns {object} 403 - { error: 'Insufficient permissions', required: ['Admin'], current: '...' }
* @returns {object} 500 - { error: 'Cleanup failed' }
*/
router.post('/cleanup-sessions', requireAuth(), requireGroup('Admin'), async (req, res) => {
try {
await pool.query("DELETE FROM sessions WHERE expires_at < NOW()");
res.json({ message: 'Expired sessions cleaned up' }); res.json({ message: 'Expired sessions cleaned up' });
} catch (err) { } catch (err) {
console.error('Session cleanup error:', err); console.error('Session cleanup error:', err);

393
backend/routes/cardApi.js Normal file
View File

@@ -0,0 +1,393 @@
// CARD Asset Ownership API Routes
// Proxies CARD operations (confirm, decline, redirect, search) and orchestrates
// the two-step update_token flow for mutations.
const express = require('express');
const pool = require('../db');
const { requireAuth, requireGroup } = require('../middleware/auth');
const logAudit = require('../helpers/auditLog');
const {
isConfigured,
missingVars,
getTeams,
getTeamAssets,
getOwner,
confirmAsset,
declineAsset,
redirectAsset,
} = require('../helpers/cardApi');
// ---------------------------------------------------------------------------
// Error classification — maps CARD API / token errors to client responses
// ---------------------------------------------------------------------------
function handleCardError(err, res) {
const msg = err.message || String(err);
console.error('[card-api]', msg);
if (msg.includes('Token acquisition failed')) {
if (msg.includes('HTTP 401')) {
return res.status(401).json({ error: 'CARD authorization failed. Check service account credentials.' });
}
if (msg.includes('HTTP 403')) {
return res.status(403).json({ error: 'CARD access denied. The service account may not be onboarded with the CARD team.' });
}
if (msg.includes('HTTP 525')) {
return res.status(502).json({ error: 'CARD LDAP error. The service account may not be provisioned correctly.' });
}
}
if (msg.includes('401')) {
return res.status(401).json({ error: 'CARD token expired or invalid. The request has been retried once automatically.' });
}
if (msg.includes('403')) {
return res.status(403).json({ error: 'Insufficient CARD permissions for this operation.' });
}
return res.status(502).json({ error: 'CARD API request failed.', details: msg });
}
// ---------------------------------------------------------------------------
// Router factory
// ---------------------------------------------------------------------------
function createCardApiRouter() {
const router = express.Router();
// GET /status
router.get('/status', requireAuth(), (req, res) => {
if (!isConfigured) {
return res.status(503).json({ configured: false, error: 'CARD API is not configured.', missingVars });
}
res.json({ configured: true });
});
// GET /teams
router.get('/teams', requireAuth(), requireGroup('Admin', 'Standard_User'), async (req, res) => {
if (!isConfigured) {
return res.status(503).json({ error: 'CARD API is not configured.', missingVars });
}
try {
const result = await getTeams();
if (result.ok) {
let body;
try { body = JSON.parse(result.body); } catch (_) { body = result.body; }
const teams = Array.isArray(body) ? body : (body && body.teams) || [];
return res.json(teams);
}
let errorBody;
try { errorBody = JSON.parse(result.body); } catch (_) { errorBody = { error: result.body }; }
return res.status(result.status).json(errorBody);
} catch (err) {
return handleCardError(err, res);
}
});
// GET /teams/:teamName/assets
router.get('/teams/:teamName/assets', requireAuth(), requireGroup('Admin', 'Standard_User'), async (req, res) => {
if (!isConfigured) {
return res.status(503).json({ error: 'CARD API is not configured.', missingVars });
}
const { teamName } = req.params;
const { disposition, page, page_size } = req.query;
if (!disposition) {
return res.status(400).json({ error: 'disposition query parameter is required.' });
}
try {
const result = await getTeamAssets(teamName, {
disposition,
page: page ? parseInt(page, 10) : undefined,
pageSize: page_size ? parseInt(page_size, 10) : 50,
});
if (result.ok) {
let body;
try { body = JSON.parse(result.body); } catch (_) { body = result.body; }
let resultCount = 0;
if (body && typeof body === 'object' && typeof body.total === 'number') {
resultCount = body.total;
} else if (body && Array.isArray(body.assets)) {
resultCount = body.assets.length;
}
logAudit({
userId: req.user.id,
username: req.user.username,
action: 'card_search',
entityType: 'card_asset',
entityId: teamName,
details: { disposition, resultCount },
ipAddress: req.ip,
});
return res.json(body);
}
let errorBody;
try { errorBody = JSON.parse(result.body); } catch (_) { errorBody = { error: result.body }; }
return res.status(result.status).json(errorBody);
} catch (err) {
return handleCardError(err, res);
}
});
// GET /owner/:assetId
router.get('/owner/:assetId', requireAuth(), requireGroup('Admin', 'Standard_User'), async (req, res) => {
if (!isConfigured) {
return res.status(503).json({ error: 'CARD API is not configured.', missingVars });
}
const { assetId } = req.params;
try {
const result = await getOwner(assetId);
if (result.ok) {
let body;
try { body = JSON.parse(result.body); } catch (_) { body = result.body; }
return res.json(body);
}
let errorBody;
try { errorBody = JSON.parse(result.body); } catch (_) { errorBody = { error: result.body }; }
return res.status(result.status).json(errorBody);
} catch (err) {
return handleCardError(err, res);
}
});
// POST /queue/:queueItemId/confirm
router.post('/queue/:queueItemId/confirm', requireAuth(), requireGroup('Admin', 'Standard_User'), async (req, res) => {
if (!isConfigured) {
return res.status(503).json({ error: 'CARD API is not configured.', missingVars });
}
const { queueItemId } = req.params;
const { teamName, assetId, comment } = req.body;
if (!teamName || typeof teamName !== 'string' || !teamName.trim()) {
return res.status(400).json({ error: 'teamName is required.' });
}
if (!assetId || typeof assetId !== 'string' || !assetId.trim()) {
return res.status(400).json({ error: 'assetId is required.' });
}
try {
const { rows } = await pool.query(
'SELECT * FROM ivanti_todo_queue WHERE id = $1 AND user_id = $2 AND workflow_type = $3',
[queueItemId, req.user.id, 'CARD']
);
const item = rows[0];
if (!item) {
return res.status(404).json({ error: 'Queue item not found.' });
}
if (item.status !== 'pending') {
return res.status(400).json({ error: 'Only pending queue items can be executed.' });
}
const ownerResult = await getOwner(assetId);
if (!ownerResult.ok) {
const errMsg = `Failed to fetch owner record: HTTP ${ownerResult.status}`;
logAudit({ userId: req.user.id, username: req.user.username, action: 'card_action_failed', entityType: 'ivanti_todo_queue', entityId: String(queueItemId), details: { actionType: 'confirm', assetId, error: errMsg, cardStatus: ownerResult.status }, ipAddress: req.ip });
let errorBody;
try { errorBody = JSON.parse(ownerResult.body); } catch (_) { errorBody = { error: ownerResult.body }; }
return res.status(ownerResult.status).json(errorBody);
}
let ownerData;
try { ownerData = JSON.parse(ownerResult.body); } catch (_) { ownerData = {}; }
const updateToken = ownerData.owner && ownerData.owner.update_token;
if (!updateToken) {
const errMsg = 'update_token not found in owner record.';
logAudit({ userId: req.user.id, username: req.user.username, action: 'card_action_failed', entityType: 'ivanti_todo_queue', entityId: String(queueItemId), details: { actionType: 'confirm', assetId, error: errMsg, cardStatus: null }, ipAddress: req.ip });
return res.status(502).json({ error: 'CARD API request failed.', details: errMsg });
}
const confirmResult = await confirmAsset(assetId, teamName.trim(), updateToken, comment || '');
if (confirmResult.ok) {
await pool.query(
"UPDATE ivanti_todo_queue SET status = 'complete', updated_at = NOW() WHERE id = $1",
[queueItemId]
);
let cardResponse;
try { cardResponse = JSON.parse(confirmResult.body); } catch (_) { cardResponse = confirmResult.body; }
logAudit({ userId: req.user.id, username: req.user.username, action: 'card_confirm', entityType: 'ivanti_todo_queue', entityId: String(queueItemId), details: { assetId, teamName: teamName.trim(), comment: comment || '', cardStatus: confirmResult.status }, ipAddress: req.ip });
return res.json({ success: true, cardResponse });
}
const errMsg = `Confirm failed: HTTP ${confirmResult.status}`;
logAudit({ userId: req.user.id, username: req.user.username, action: 'card_action_failed', entityType: 'ivanti_todo_queue', entityId: String(queueItemId), details: { actionType: 'confirm', assetId, error: errMsg, cardStatus: confirmResult.status }, ipAddress: req.ip });
let errorBody;
try { errorBody = JSON.parse(confirmResult.body); } catch (_) { errorBody = { error: confirmResult.body }; }
return res.status(confirmResult.status).json(errorBody);
} catch (err) {
logAudit({ userId: req.user.id, username: req.user.username, action: 'card_action_failed', entityType: 'ivanti_todo_queue', entityId: String(queueItemId), details: { actionType: 'confirm', assetId, error: err.message, cardStatus: null }, ipAddress: req.ip });
return handleCardError(err, res);
}
});
// POST /queue/:queueItemId/decline
router.post('/queue/:queueItemId/decline', requireAuth(), requireGroup('Admin', 'Standard_User'), async (req, res) => {
if (!isConfigured) {
return res.status(503).json({ error: 'CARD API is not configured.', missingVars });
}
const { queueItemId } = req.params;
const { teamName, assetId, comment } = req.body;
if (!teamName || typeof teamName !== 'string' || !teamName.trim()) {
return res.status(400).json({ error: 'teamName is required.' });
}
if (!assetId || typeof assetId !== 'string' || !assetId.trim()) {
return res.status(400).json({ error: 'assetId is required.' });
}
try {
const { rows } = await pool.query(
'SELECT * FROM ivanti_todo_queue WHERE id = $1 AND user_id = $2 AND workflow_type = $3',
[queueItemId, req.user.id, 'CARD']
);
const item = rows[0];
if (!item) {
return res.status(404).json({ error: 'Queue item not found.' });
}
if (item.status !== 'pending') {
return res.status(400).json({ error: 'Only pending queue items can be executed.' });
}
const ownerResult = await getOwner(assetId);
if (!ownerResult.ok) {
const errMsg = `Failed to fetch owner record: HTTP ${ownerResult.status}`;
logAudit({ userId: req.user.id, username: req.user.username, action: 'card_action_failed', entityType: 'ivanti_todo_queue', entityId: String(queueItemId), details: { actionType: 'decline', assetId, error: errMsg, cardStatus: ownerResult.status }, ipAddress: req.ip });
let errorBody;
try { errorBody = JSON.parse(ownerResult.body); } catch (_) { errorBody = { error: ownerResult.body }; }
return res.status(ownerResult.status).json(errorBody);
}
let ownerData;
try { ownerData = JSON.parse(ownerResult.body); } catch (_) { ownerData = {}; }
const updateToken = ownerData.owner && ownerData.owner.update_token;
if (!updateToken) {
const errMsg = 'update_token not found in owner record.';
logAudit({ userId: req.user.id, username: req.user.username, action: 'card_action_failed', entityType: 'ivanti_todo_queue', entityId: String(queueItemId), details: { actionType: 'decline', assetId, error: errMsg, cardStatus: null }, ipAddress: req.ip });
return res.status(502).json({ error: 'CARD API request failed.', details: errMsg });
}
const declineResult = await declineAsset(assetId, teamName.trim(), updateToken, comment || '');
if (declineResult.ok) {
await pool.query(
"UPDATE ivanti_todo_queue SET status = 'complete', updated_at = NOW() WHERE id = $1",
[queueItemId]
);
let cardResponse;
try { cardResponse = JSON.parse(declineResult.body); } catch (_) { cardResponse = declineResult.body; }
logAudit({ userId: req.user.id, username: req.user.username, action: 'card_decline', entityType: 'ivanti_todo_queue', entityId: String(queueItemId), details: { assetId, teamName: teamName.trim(), comment: comment || '', cardStatus: declineResult.status }, ipAddress: req.ip });
return res.json({ success: true, cardResponse });
}
const errMsg = `Decline failed: HTTP ${declineResult.status}`;
logAudit({ userId: req.user.id, username: req.user.username, action: 'card_action_failed', entityType: 'ivanti_todo_queue', entityId: String(queueItemId), details: { actionType: 'decline', assetId, error: errMsg, cardStatus: declineResult.status }, ipAddress: req.ip });
let errorBody;
try { errorBody = JSON.parse(declineResult.body); } catch (_) { errorBody = { error: declineResult.body }; }
return res.status(declineResult.status).json(errorBody);
} catch (err) {
logAudit({ userId: req.user.id, username: req.user.username, action: 'card_action_failed', entityType: 'ivanti_todo_queue', entityId: String(queueItemId), details: { actionType: 'decline', assetId, error: err.message, cardStatus: null }, ipAddress: req.ip });
return handleCardError(err, res);
}
});
// POST /queue/:queueItemId/redirect
router.post('/queue/:queueItemId/redirect', requireAuth(), requireGroup('Admin', 'Standard_User'), async (req, res) => {
if (!isConfigured) {
return res.status(503).json({ error: 'CARD API is not configured.', missingVars });
}
const { queueItemId } = req.params;
const { fromTeam, toTeam, assetId } = req.body;
if (!fromTeam || typeof fromTeam !== 'string' || !fromTeam.trim()) {
return res.status(400).json({ error: 'fromTeam is required.' });
}
if (!toTeam || typeof toTeam !== 'string' || !toTeam.trim()) {
return res.status(400).json({ error: 'toTeam is required.' });
}
if (!assetId || typeof assetId !== 'string' || !assetId.trim()) {
return res.status(400).json({ error: 'assetId is required.' });
}
try {
const { rows } = await pool.query(
'SELECT * FROM ivanti_todo_queue WHERE id = $1 AND user_id = $2 AND workflow_type = $3',
[queueItemId, req.user.id, 'CARD']
);
const item = rows[0];
if (!item) {
return res.status(404).json({ error: 'Queue item not found.' });
}
if (item.status !== 'pending') {
return res.status(400).json({ error: 'Only pending queue items can be executed.' });
}
const ownerResult = await getOwner(assetId);
if (!ownerResult.ok) {
const errMsg = `Failed to fetch owner record: HTTP ${ownerResult.status}`;
logAudit({ userId: req.user.id, username: req.user.username, action: 'card_action_failed', entityType: 'ivanti_todo_queue', entityId: String(queueItemId), details: { actionType: 'redirect', assetId, error: errMsg, cardStatus: ownerResult.status }, ipAddress: req.ip });
let errorBody;
try { errorBody = JSON.parse(ownerResult.body); } catch (_) { errorBody = { error: ownerResult.body }; }
return res.status(ownerResult.status).json(errorBody);
}
let ownerData;
try { ownerData = JSON.parse(ownerResult.body); } catch (_) { ownerData = {}; }
const updateToken = ownerData.owner && ownerData.owner.update_token;
if (!updateToken) {
const errMsg = 'update_token not found in owner record.';
logAudit({ userId: req.user.id, username: req.user.username, action: 'card_action_failed', entityType: 'ivanti_todo_queue', entityId: String(queueItemId), details: { actionType: 'redirect', assetId, error: errMsg, cardStatus: null }, ipAddress: req.ip });
return res.status(502).json({ error: 'CARD API request failed.', details: errMsg });
}
const redirectResult = await redirectAsset(assetId, fromTeam.trim(), toTeam.trim(), updateToken);
if (redirectResult.ok) {
await pool.query(
"UPDATE ivanti_todo_queue SET status = 'complete', updated_at = NOW() WHERE id = $1",
[queueItemId]
);
let cardResponse;
try { cardResponse = JSON.parse(redirectResult.body); } catch (_) { cardResponse = redirectResult.body; }
logAudit({ userId: req.user.id, username: req.user.username, action: 'card_redirect', entityType: 'ivanti_todo_queue', entityId: String(queueItemId), details: { assetId, fromTeam: fromTeam.trim(), toTeam: toTeam.trim(), cardStatus: redirectResult.status }, ipAddress: req.ip });
return res.json({ success: true, cardResponse });
}
const errMsg = `Redirect failed: HTTP ${redirectResult.status}`;
logAudit({ userId: req.user.id, username: req.user.username, action: 'card_action_failed', entityType: 'ivanti_todo_queue', entityId: String(queueItemId), details: { actionType: 'redirect', assetId, error: errMsg, cardStatus: redirectResult.status }, ipAddress: req.ip });
let errorBody;
try { errorBody = JSON.parse(redirectResult.body); } catch (_) { errorBody = { error: redirectResult.body }; }
return res.status(redirectResult.status).json(errorBody);
} catch (err) {
logAudit({ userId: req.user.id, username: req.user.username, action: 'card_action_failed', entityType: 'ivanti_todo_queue', entityId: String(queueItemId), details: { actionType: 'redirect', assetId, error: err.message, cardStatus: null }, ipAddress: req.ip });
return handleCardError(err, res);
}
});
return router;
}
module.exports = createCardApiRouter;

1490
backend/routes/compliance.js
View File

File diff suppressed because it is too large Load Diff

111
backend/routes/feedback.js Normal file
View File

@@ -0,0 +1,111 @@
// Feedback route — proxies bug reports and feature requests to GitLab Issues API
// Keeps the GitLab PAT server-side so it's never exposed to the browser.
const express = require('express');
const https = require('https');
const http = require('http');
const { requireAuth } = require('../middleware/auth');
function createFeedbackRouter() {
const router = express.Router();
const GITLAB_URL = process.env.GITLAB_URL || '';
const GITLAB_PROJECT_ID = process.env.GITLAB_PROJECT_ID || '';
const GITLAB_PAT = process.env.GITLAB_PAT || '';
router.post('/', requireAuth(), async (req, res) => {
if (!GITLAB_URL || !GITLAB_PROJECT_ID || !GITLAB_PAT) {
return res.status(503).json({ error: 'Feedback integration not configured' });
}
const { type, title, description, page } = req.body;
if (!type || !title || !description) {
return res.status(400).json({ error: 'type, title, and description are required' });
}
if (!['bug', 'feature'].includes(type)) {
return res.status(400).json({ error: 'type must be "bug" or "feature"' });
}
const labels = type === 'bug' ? 'bug' : 'enhancement';
const prefix = type === 'bug' ? '🐛 Bug' : '✨ Feature Request';
const username = req.user?.username || 'unknown';
const body = [
`**Submitted by:** ${username}`,
page ? `**Page:** ${page}` : null,
`**Type:** ${prefix}`,
'',
'---',
'',
description,
].filter(Boolean).join('\n');
const postData = JSON.stringify({
title: `[${prefix}] ${title}`,
description: body,
labels,
});
const apiUrl = `${GITLAB_URL.replace(/\/$/, '')}/api/v4/projects/${encodeURIComponent(GITLAB_PROJECT_ID)}/issues`;
try {
const result = await new Promise((resolve, reject) => {
const parsed = new URL(apiUrl);
const transport = parsed.protocol === 'https:' ? https : http;
const reqOpts = {
method: 'POST',
hostname: parsed.hostname,
port: parsed.port,
path: parsed.pathname + parsed.search,
headers: {
'Content-Type': 'application/json',
'PRIVATE-TOKEN': GITLAB_PAT,
'Content-Length': Buffer.byteLength(postData),
},
rejectAuthorized: false,
};
const apiReq = transport.request(reqOpts, (apiRes) => {
let data = '';
apiRes.on('data', chunk => data += chunk);
apiRes.on('end', () => {
try {
resolve({ status: apiRes.statusCode, body: JSON.parse(data) });
} catch {
resolve({ status: apiRes.statusCode, body: data });
}
});
});
apiReq.on('error', reject);
apiReq.write(postData);
apiReq.end();
});
if (result.status === 201) {
console.log(`[Feedback] Issue #${result.body.iid} created by ${username}: ${title}`);
res.json({
success: true,
issue: {
id: result.body.iid,
url: result.body.web_url,
title: result.body.title,
},
});
} else {
console.error(`[Feedback] GitLab API returned ${result.status}:`, result.body);
res.status(502).json({ error: 'GitLab API error', details: result.body });
}
} catch (err) {
console.error('[Feedback] Request failed:', err.message);
res.status(502).json({ error: 'Failed to connect to GitLab' });
}
});
return router;
}
module.exports = createFeedbackRouter;

255
backend/routes/ivantiArchive.js Normal file
View File

@@ -0,0 +1,255 @@
// Ivanti Archive Routes — list, stats, and transition history for archived findings
const express = require('express');
const pool = require('../db');
const { requireAuth } = require('../middleware/auth');
const VALID_STATES = ['ACTIVE', 'ARCHIVED', 'RETURNED', 'CLOSED'];
/**
* Find the most severe active finding related to an archived finding.
*/
function findRelatedActive(archive, activeFindings) {
const archiveTitle = (archive.finding_title || '').toLowerCase();
const matches = activeFindings.filter(f => {
if (f.hostName !== archive.host_name) return false;
if (f.id === archive.finding_id) return false;
const activeTitle = (f.title || '').toLowerCase();
if (!archiveTitle.includes(activeTitle) && !activeTitle.includes(archiveTitle)) return false;
return true;
});
if (matches.length === 0) return null;
const best = matches.reduce((a, b) => (b.severity > a.severity ? b : a));
return { id: best.id, title: best.title, severity: best.severity };
}
function createIvantiArchiveRouter() {
const router = express.Router();
// All routes require authentication
router.use(requireAuth());
/**
* GET /
* List archive records with optional state and teams filtering.
*
* @query {string} [state] - Filter by lifecycle state. Valid values: ACTIVE, ARCHIVED, RETURNED, CLOSED.
* When state=ACTIVE, returns live open findings from ivanti_findings instead of archives.
* When state=CLOSED, includes both CLOSED and CLOSED_GONE records.
* @query {string} [teams] - Comma-separated BU team names (e.g. 'STEAM,ACCESS-ENG').
* Filters results to findings whose bu_ownership contains one of the specified teams.
*
* @response {object} 200
* { archives: Array<{ id, finding_id, finding_title, host_name, ip_address, current_state, last_severity, first_archived_at, last_transition_at, created_at, related_active: object|null }>, total: number }
* @response {object} 400 - Invalid state parameter
* { error: string }
* @response {object} 500 - Database error
* { error: string }
*/
router.get('/', async (req, res) => {
const { state, teams } = req.query;
if (state && !VALID_STATES.includes(state)) {
return res.status(400).json({
error: 'Invalid state parameter. Valid values: ACTIVE, ARCHIVED, RETURNED, CLOSED'
});
}
// Parse teams filter into ILIKE patterns
const teamPatterns = teams
? teams.split(',').map(t => `%${t.trim()}%`).filter(p => p !== '%%')
: [];
try {
// ACTIVE state comes from ivanti_findings (live open findings), not archives
if (state === 'ACTIVE') {
let activeQuery = `SELECT id, id AS finding_id, title AS finding_title, host_name, ip_address,
'ACTIVE' AS current_state, severity AS last_severity,
synced_at AS first_archived_at, synced_at AS last_transition_at, synced_at AS created_at
FROM ivanti_findings WHERE state = 'open'`;
const activeParams = [];
let activeIdx = 1;
if (teamPatterns.length > 0) {
activeQuery += ` AND bu_ownership ILIKE ANY($${activeIdx++}::text[])`;
activeParams.push(teamPatterns);
}
activeQuery += ` ORDER BY severity DESC NULLS LAST LIMIT 200`;
const { rows: activeRows } = await pool.query(activeQuery, activeParams);
const archives = activeRows.map(r => ({ ...r, related_active: null }));
return res.json({ archives, total: archives.length });
}
// For non-ACTIVE states, query archives with optional BU join
let query, params = [], paramIndex = 1;
if (teamPatterns.length > 0) {
// JOIN with ivanti_findings to filter by bu_ownership
query = `SELECT a.* FROM ivanti_finding_archives a
INNER JOIN ivanti_findings f ON a.finding_id = f.id
WHERE f.bu_ownership ILIKE ANY($${paramIndex++}::text[])`;
params.push(teamPatterns);
if (state) {
if (state === 'CLOSED') {
query += ` AND a.current_state IN ($${paramIndex++}, $${paramIndex++})`;
params.push('CLOSED', 'CLOSED_GONE');
} else {
query += ` AND a.current_state = $${paramIndex++}`;
params.push(state);
}
}
} else {
query = 'SELECT * FROM ivanti_finding_archives';
if (state) {
if (state === 'CLOSED') {
query += ` WHERE current_state IN ($${paramIndex++}, $${paramIndex++})`;
params.push('CLOSED', 'CLOSED_GONE');
} else {
query += ` WHERE current_state = $${paramIndex++}`;
params.push(state);
}
}
}
query += teamPatterns.length > 0
? ' ORDER BY a.last_transition_at DESC'
: ' ORDER BY last_transition_at DESC';
const { rows: archives } = await pool.query(query, params);
// Fetch active findings for related-finding enrichment
// In the new schema, active findings are in ivanti_findings table
let activeFindings = [];
try {
const { rows: findingsRows } = await pool.query(
`SELECT id, title, host_name AS "hostName", severity FROM ivanti_findings WHERE state = 'open'`
);
activeFindings = findingsRows;
} catch (cacheErr) {
console.warn('Failed to load findings for related-active matching:', cacheErr);
}
// Enrich each archive record with related active finding info
const enrichedArchives = archives.map(archive => ({
...archive,
related_active: findRelatedActive(archive, activeFindings)
}));
res.json({ archives: enrichedArchives, total: enrichedArchives.length });
} catch (err) {
console.error('Archive list error:', err);
res.status(500).json({ error: 'Failed to fetch archive records' });
}
});
/**
* GET /stats
* Summary counts of archive records grouped by lifecycle state.
*
* @query {string} [teams] - Comma-separated BU team names (e.g. 'STEAM,ACCESS-ENG').
* Filters counts to findings whose bu_ownership contains one of the specified teams.
*
* @response {object} 200
* { ACTIVE: number, ARCHIVED: number, RETURNED: number, CLOSED: number, total: number }
* @response {object} 500 - Database error
* { error: string }
*/
router.get('/stats', async (req, res) => {
try {
const { teams } = req.query;
const teamPatterns = teams
? teams.split(',').map(t => `%${t.trim()}%`).filter(p => p !== '%%')
: [];
let archiveQuery, archiveParams = [];
if (teamPatterns.length > 0) {
archiveQuery = `SELECT a.current_state, COUNT(*) as count
FROM ivanti_finding_archives a
INNER JOIN ivanti_findings f ON a.finding_id = f.id
WHERE f.bu_ownership ILIKE ANY($1::text[])
GROUP BY a.current_state`;
archiveParams = [teamPatterns];
} else {
archiveQuery = `SELECT current_state, COUNT(*) as count
FROM ivanti_finding_archives
GROUP BY current_state`;
}
const { rows } = await pool.query(archiveQuery, archiveParams);
const stats = { ACTIVE: 0, ARCHIVED: 0, RETURNED: 0, CLOSED: 0 };
for (const row of rows) {
if (stats.hasOwnProperty(row.current_state)) {
stats[row.current_state] += parseInt(row.count);
} else if (row.current_state === 'CLOSED_GONE') {
stats.CLOSED += parseInt(row.count);
}
}
// ACTIVE = total live findings count (scoped by teams if provided)
let activeQuery, activeParams = [];
if (teamPatterns.length > 0) {
activeQuery = `SELECT COUNT(*) as total FROM ivanti_findings WHERE state = 'open' AND bu_ownership ILIKE ANY($1::text[])`;
activeParams = [teamPatterns];
} else {
activeQuery = `SELECT COUNT(*) as total FROM ivanti_findings WHERE state = 'open'`;
}
const countResult = await pool.query(activeQuery, activeParams);
stats.ACTIVE = parseInt(countResult.rows[0].total) || 0;
const total = stats.ACTIVE + stats.ARCHIVED + stats.RETURNED + stats.CLOSED;
res.json({ ...stats, total });
} catch (err) {
console.error('Archive stats error:', err);
res.status(500).json({ error: 'Failed to fetch archive stats' });
}
});
/**
* GET /:findingId/history
* Transition history for a specific archived finding.
*
* @param {string} findingId - The finding ID to look up in the archives.
*
* @response {object} 200
* { finding_id: string, transitions: Array<{ id, archive_id, from_state, to_state, transitioned_at, reason }> }
* @response {object} 500 - Database error
* { error: string }
*/
router.get('/:findingId/history', async (req, res) => {
const { findingId } = req.params;
try {
const { rows: archiveRows } = await pool.query(
'SELECT id FROM ivanti_finding_archives WHERE finding_id = $1',
[findingId]
);
const archive = archiveRows[0];
if (!archive) {
return res.json({ finding_id: findingId, transitions: [] });
}
const { rows: transitions } = await pool.query(
`SELECT * FROM ivanti_archive_transitions
WHERE archive_id = $1
ORDER BY transitioned_at DESC`,
[archive.id]
);
res.json({ finding_id: findingId, transitions });
} catch (err) {
console.error('Archive history error:', err);
res.status(500).json({ error: 'Failed to fetch transition history' });
}
});
return router;
}
module.exports = createIvantiArchiveRouter;

1587
backend/routes/ivantiFindings.js
View File

File diff suppressed because it is too large Load Diff

1176
backend/routes/ivantiFpWorkflow.js Normal file
View File

File diff suppressed because it is too large Load Diff

555
backend/routes/ivantiTodoQueue.js
View File

@@ -1,92 +1,252 @@
// routes/ivantiTodoQueue.js // routes/ivantiTodoQueue.js
const express = require('express'); const express = require('express');
const pool = require('../db');
const { requireAuth, requireGroup } = require('../middleware/auth');
const logAudit = require('../helpers/auditLog');
const VALID_WORKFLOW_TYPES = ['FP', 'Archer', 'CARD']; const VALID_WORKFLOW_TYPES = ['FP', 'Archer', 'CARD', 'GRANITE', 'DECOM'];
const INVENTORY_TYPES = ['CARD', 'GRANITE', 'DECOM'];
const VALID_STATUSES = ['pending', 'complete']; const VALID_STATUSES = ['pending', 'complete'];
function isValidVendor(vendor) { function isValidVendor(vendor) {
return typeof vendor === 'string' && vendor.trim().length > 0 && vendor.length <= 200; if (typeof vendor !== 'string') return false;
const trimmed = vendor.trim();
return trimmed.length > 0 && trimmed.length <= 200;
} }
function createIvantiTodoQueueRouter(db, requireAuth) { function createIvantiTodoQueueRouter() {
const router = express.Router(); const router = express.Router();
// GET /api/ivanti/todo-queue /**
// Fetch current user's queue items, ordered by vendor then created_at * GET /api/ivanti/todo-queue
router.get('/', requireAuth(db), (req, res) => { *
db.all( * Returns all todo queue items belonging to the authenticated user.
`SELECT * FROM ivanti_todo_queue *
WHERE user_id = ? * @query None
ORDER BY vendor ASC, created_at ASC`, * @returns {Array<Object>} Array of queue items with parsed `cves` array
[req.user.id], * - id {number}
(err, rows) => { * - user_id {number}
if (err) { * - finding_id {string}
console.error('Error fetching todo queue:', err); * - finding_title {string|null}
return res.status(500).json({ error: 'Internal server error.' }); * - cves {Array<string>}
} * - ip_address {string|null}
// Parse cves_json back to array for each row * - hostname {string|null}
const parsed = rows.map((r) => ({ * - vendor {string}
...r, * - workflow_type {string} One of: FP, Archer, CARD, GRANITE, DECOM
cves: r.cves_json ? JSON.parse(r.cves_json) : [], * - status {string} pending | complete
})); * - created_at {string}
res.json(parsed); * - updated_at {string}
} */
); router.get('/', requireAuth(), async (req, res) => {
try {
const { rows } = await pool.query(
`SELECT q.*
FROM ivanti_todo_queue q
WHERE q.user_id = $1
ORDER BY q.vendor ASC, q.created_at ASC`,
[req.user.id]
);
const parsed = rows.map((r) => ({
...r,
cves: r.cves_json ? JSON.parse(r.cves_json) : [],
}));
res.json(parsed);
} catch (err) {
console.error('Error fetching todo queue:', err);
res.status(500).json({ error: 'Internal server error.' });
}
}); });
// POST /api/ivanti/todo-queue /**
// Add a finding to the queue * POST /api/ivanti/todo-queue/batch
router.post('/', requireAuth(db), (req, res) => { *
const { finding_id, finding_title, cves, ip_address, vendor, workflow_type } = req.body; * Adds multiple findings to the authenticated user's todo queue in a single transaction.
* Requires Admin or Standard_User group.
*
* @body {Object}
* - findings {Array<Object>} 1200 items, each with:
* - finding_id {string} Required, non-empty
* - finding_title {string} Optional, max 500 chars
* - cves {Array<string>} Optional
* - ip_address {string} Optional, max 64 chars
* - hostname {string} Optional, max 255 chars
* - workflow_type {string} Required. One of: FP, Archer, CARD, GRANITE, DECOM
* - vendor {string} Required for FP, Archer, and DECOM workflows; max 200 chars
* @returns {Object} { items: Array<Object> } — inserted queue items with parsed `cves` array
* @error 400 Invalid input
* @error 500 Internal server error
*/
router.post('/batch', requireAuth(), requireGroup('Admin', 'Standard_User'), async (req, res) => {
const { findings, workflow_type, vendor } = req.body;
if (!Array.isArray(findings) || findings.length < 1 || findings.length > 200) {
return res.status(400).json({ error: 'findings array must contain 1-200 items.' });
}
for (let i = 0; i < findings.length; i++) {
const f = findings[i];
if (!f || typeof f.finding_id !== 'string' || f.finding_id.trim().length === 0) {
return res.status(400).json({ error: 'Each finding must have a non-empty finding_id string.' });
}
}
if (!VALID_WORKFLOW_TYPES.includes(workflow_type)) {
return res.status(400).json({ error: 'workflow_type must be FP, Archer, CARD, GRANITE, or DECOM.' });
}
if (!INVENTORY_TYPES.includes(workflow_type)) {
if (!isValidVendor(vendor)) {
return res.status(400).json({ error: 'vendor is required for FP and Archer workflows.' });
}
}
if (vendor !== undefined && vendor !== '' && typeof vendor === 'string' && vendor.trim().length > 200) {
return res.status(400).json({ error: 'vendor must be under 200 chars.' });
}
const vendorVal = INVENTORY_TYPES.includes(workflow_type) ? '' : vendor.trim();
const userId = req.user.id;
const client = await pool.connect();
try {
await client.query('BEGIN');
const insertedIds = [];
for (const f of findings) {
const findingId = f.finding_id.trim();
const title = f.finding_title && typeof f.finding_title === 'string'
? f.finding_title.slice(0, 500) : null;
const cvesJson = Array.isArray(f.cves) ? JSON.stringify(f.cves) : null;
const ipVal = f.ip_address && typeof f.ip_address === 'string'
? f.ip_address.trim().slice(0, 64) : null;
const hostVal = f.hostname && typeof f.hostname === 'string'
? f.hostname.trim().slice(0, 255) : null;
const { rows } = await client.query(
`INSERT INTO ivanti_todo_queue
(user_id, finding_id, finding_title, cves_json, ip_address, hostname, vendor, workflow_type)
VALUES ($1, $2, $3, $4, $5, $6, $7, $8)
RETURNING id`,
[userId, findingId, title, cvesJson, ipVal, hostVal, vendorVal, workflow_type]
);
insertedIds.push(rows[0].id);
}
await client.query('COMMIT');
// Fetch all inserted rows
const { rows: fetchedRows } = await pool.query(
`SELECT * FROM ivanti_todo_queue WHERE id = ANY($1)`,
[insertedIds]
);
const items = fetchedRows.map((r) => ({
...r,
cves: r.cves_json ? JSON.parse(r.cves_json) : [],
}));
logAudit({
userId: req.user.id,
username: req.user.username,
action: 'batch_add_to_queue',
entityType: 'ivanti_todo_queue',
entityId: null,
details: {
count: insertedIds.length,
workflow_type: workflow_type,
finding_ids: findings.map((f) => f.finding_id.trim()),
},
ipAddress: req.ip,
});
return res.status(201).json({ items });
} catch (err) {
await client.query('ROLLBACK');
console.error('Batch insert error:', err);
return res.status(500).json({ error: 'Internal server error.' });
} finally {
client.release();
}
});
/**
* POST /api/ivanti/todo-queue
*
* Adds a single finding to the authenticated user's todo queue.
* Requires Admin or Standard_User group.
*
* @body {Object}
* - finding_id {string} Required, non-empty
* - finding_title {string} Optional, max 500 chars
* - cves {Array<string>} Optional
* - ip_address {string} Optional, max 64 chars
* - hostname {string} Optional, max 255 chars
* - vendor {string} Required for FP, Archer, and DECOM workflows; max 200 chars
* - workflow_type {string} Required. One of: FP, Archer, CARD, GRANITE, DECOM
* @returns {Object} The created queue item with parsed `cves` array
* @error 400 Invalid input
* @error 500 Internal server error
*/
router.post('/', requireAuth(), requireGroup('Admin', 'Standard_User'), async (req, res) => {
const { finding_id, finding_title, cves, ip_address, hostname, vendor, workflow_type } = req.body;
if (!finding_id || typeof finding_id !== 'string' || finding_id.trim().length === 0) { if (!finding_id || typeof finding_id !== 'string' || finding_id.trim().length === 0) {
return res.status(400).json({ error: 'finding_id is required.' }); return res.status(400).json({ error: 'finding_id is required.' });
} }
if (!VALID_WORKFLOW_TYPES.includes(workflow_type)) { if (!VALID_WORKFLOW_TYPES.includes(workflow_type)) {
return res.status(400).json({ error: 'workflow_type must be FP, Archer, or CARD.' }); return res.status(400).json({ error: 'workflow_type must be FP, Archer, CARD, GRANITE, or DECOM.' });
} }
// Vendor is required for FP and Archer, optional for CARD if (!INVENTORY_TYPES.includes(workflow_type) && !isValidVendor(vendor)) {
if (workflow_type !== 'CARD' && !isValidVendor(vendor)) {
return res.status(400).json({ error: 'vendor is required for FP and Archer workflows.' }); return res.status(400).json({ error: 'vendor is required for FP and Archer workflows.' });
} }
if (vendor !== undefined && vendor !== '' && !isValidVendor(vendor)) { if (vendor !== undefined && vendor !== '' && !isValidVendor(vendor)) {
return res.status(400).json({ error: 'vendor must be under 200 chars.' }); return res.status(400).json({ error: 'vendor must be under 200 chars.' });
} }
const vendorVal = workflow_type === 'CARD' ? '' : vendor.trim(); const vendorVal = INVENTORY_TYPES.includes(workflow_type) ? '' : vendor.trim();
const cvesJson = Array.isArray(cves) ? JSON.stringify(cves) : null; const cvesJson = Array.isArray(cves) ? JSON.stringify(cves) : null;
const ipVal = ip_address && typeof ip_address === 'string' ? ip_address.trim().slice(0, 64) : null; const ipVal = ip_address && typeof ip_address === 'string' ? ip_address.trim().slice(0, 64) : null;
const hostVal = hostname && typeof hostname === 'string' ? hostname.trim().slice(0, 255) : null;
const title = finding_title && typeof finding_title === 'string' const title = finding_title && typeof finding_title === 'string'
? finding_title.slice(0, 500) ? finding_title.slice(0, 500) : null;
: null;
db.run( try {
`INSERT INTO ivanti_todo_queue const { rows } = await pool.query(
(user_id, finding_id, finding_title, cves_json, ip_address, vendor, workflow_type) `INSERT INTO ivanti_todo_queue
VALUES (?, ?, ?, ?, ?, ?, ?)`, (user_id, finding_id, finding_title, cves_json, ip_address, hostname, vendor, workflow_type)
[req.user.id, finding_id.trim(), title, cvesJson, ipVal, vendorVal, workflow_type], VALUES ($1, $2, $3, $4, $5, $6, $7, $8)
function (err) { RETURNING *`,
if (err) { [req.user.id, finding_id.trim(), title, cvesJson, ipVal, hostVal, vendorVal, workflow_type]
console.error('Error adding to queue:', err); );
return res.status(500).json({ error: 'Internal server error.' });
} const result = {
db.get( ...rows[0],
'SELECT * FROM ivanti_todo_queue WHERE id = ?', cves: rows[0].cves_json ? JSON.parse(rows[0].cves_json) : [],
[this.lastID], };
(err2, row) => { res.status(201).json(result);
if (err2 || !row) { } catch (err) {
return res.status(201).json({ id: this.lastID, message: 'Added to queue.' }); console.error('Error adding to queue:', err);
} res.status(500).json({ error: 'Internal server error.' });
res.status(201).json({ ...row, cves: row.cves_json ? JSON.parse(row.cves_json) : [] }); }
}
);
}
);
}); });
// PUT /api/ivanti/todo-queue/:id /**
// Update vendor, workflow_type, or status — scoped to current user * PUT /api/ivanti/todo-queue/:id
router.put('/:id', requireAuth(db), (req, res) => { *
* Updates an existing queue item owned by the authenticated user.
* Requires Admin or Standard_User group.
*
* @param {string} id — Queue item ID (URL parameter)
* @body {Object} At least one field required:
* - vendor {string} Optional, non-empty, max 200 chars
* - workflow_type {string} Optional. One of: FP, Archer, CARD, GRANITE, DECOM
* - status {string} Optional. One of: pending, complete
* @returns {Object} The updated queue item with parsed `cves` array
* @error 400 Invalid input or no fields to update
* @error 404 Queue item not found
* @error 500 Internal server error
*/
router.put('/:id', requireAuth(), requireGroup('Admin', 'Standard_User'), async (req, res) => {
const { id } = req.params; const { id } = req.params;
const { vendor, workflow_type, status } = req.body; const { vendor, workflow_type, status } = req.body;
@@ -94,118 +254,199 @@ function createIvantiTodoQueueRouter(db, requireAuth) {
return res.status(400).json({ error: 'vendor must be a non-empty string (max 200 chars).' }); return res.status(400).json({ error: 'vendor must be a non-empty string (max 200 chars).' });
} }
if (workflow_type !== undefined && !VALID_WORKFLOW_TYPES.includes(workflow_type)) { if (workflow_type !== undefined && !VALID_WORKFLOW_TYPES.includes(workflow_type)) {
return res.status(400).json({ error: 'workflow_type must be FP or Archer.' }); return res.status(400).json({ error: 'workflow_type must be FP, Archer, CARD, GRANITE, or DECOM.' });
} }
if (status !== undefined && !VALID_STATUSES.includes(status)) { if (status !== undefined && !VALID_STATUSES.includes(status)) {
return res.status(400).json({ error: 'status must be pending or complete.' }); return res.status(400).json({ error: 'status must be pending or complete.' });
} }
db.get( try {
'SELECT * FROM ivanti_todo_queue WHERE id = ? AND user_id = ?', const { rows: existingRows } = await pool.query(
[id, req.user.id], 'SELECT * FROM ivanti_todo_queue WHERE id = $1 AND user_id = $2',
(err, existing) => { [id, req.user.id]
if (err) { );
console.error(err); if (!existingRows[0]) {
return res.status(500).json({ error: 'Internal server error.' }); return res.status(404).json({ error: 'Queue item not found.' });
}
if (!existing) {
return res.status(404).json({ error: 'Queue item not found.' });
}
const updates = [];
const params = [];
if (vendor !== undefined) {
updates.push('vendor = ?');
params.push(vendor.trim());
}
if (workflow_type !== undefined) {
updates.push('workflow_type = ?');
params.push(workflow_type);
}
if (status !== undefined) {
updates.push('status = ?');
params.push(status);
}
if (updates.length === 0) {
return res.status(400).json({ error: 'No fields to update.' });
}
updates.push('updated_at = CURRENT_TIMESTAMP');
params.push(id, req.user.id);
db.run(
`UPDATE ivanti_todo_queue SET ${updates.join(', ')} WHERE id = ? AND user_id = ?`,
params,
function (err2) {
if (err2) {
console.error(err2);
return res.status(500).json({ error: 'Internal server error.' });
}
db.get(
'SELECT * FROM ivanti_todo_queue WHERE id = ?',
[id],
(err3, row) => {
if (err3 || !row) {
return res.json({ message: 'Queue item updated.' });
}
res.json({ ...row, cves: row.cves_json ? JSON.parse(row.cves_json) : [] });
}
);
}
);
} }
);
const updates = [];
const params = [];
let paramIndex = 1;
if (vendor !== undefined) {
updates.push(`vendor = $${paramIndex++}`);
params.push(vendor.trim());
}
if (workflow_type !== undefined) {
updates.push(`workflow_type = $${paramIndex++}`);
params.push(workflow_type);
}
if (status !== undefined) {
updates.push(`status = $${paramIndex++}`);
params.push(status);
}
if (updates.length === 0) {
return res.status(400).json({ error: 'No fields to update.' });
}
updates.push('updated_at = NOW()');
params.push(id, req.user.id);
await pool.query(
`UPDATE ivanti_todo_queue SET ${updates.join(', ')} WHERE id = $${paramIndex++} AND user_id = $${paramIndex}`,
params
);
const { rows } = await pool.query(
'SELECT * FROM ivanti_todo_queue WHERE id = $1', [id]
);
const result = {
...rows[0],
cves: rows[0].cves_json ? JSON.parse(rows[0].cves_json) : [],
};
res.json(result);
} catch (err) {
console.error(err);
res.status(500).json({ error: 'Internal server error.' });
}
}); });
// DELETE /api/ivanti/todo-queue/completed /**
// Bulk-delete all completed items for the current user * POST /api/ivanti/todo-queue/:id/redirect
// IMPORTANT: This route must be registered BEFORE DELETE /:id *
router.delete('/completed', requireAuth(db), (req, res) => { * Redirects a completed queue item to a different workflow by creating a new
db.run( * pending queue item with the same finding data but a new workflow type/vendor.
"DELETE FROM ivanti_todo_queue WHERE user_id = ? AND status = 'complete'", * Requires Admin or Standard_User group.
[req.user.id], *
function (err) { * @param {string} id — Queue item ID of the completed item (URL parameter)
if (err) { * @body {Object}
console.error('Error clearing completed queue items:', err); * - workflow_type {string} Required. One of: FP, Archer, CARD, GRANITE, DECOM
return res.status(500).json({ error: 'Internal server error.' }); * - vendor {string} Required for FP, Archer, and DECOM workflows; max 200 chars
} * @returns {Object} The newly created queue item with parsed `cves` array
res.json({ message: 'Completed items cleared.', deleted: this.changes }); * @error 400 Invalid input or item not in complete status
* @error 404 Queue item not found
* @error 500 Internal server error
*/
router.post('/:id/redirect', requireAuth(), requireGroup('Admin', 'Standard_User'), async (req, res) => {
const { id } = req.params;
const { workflow_type, vendor } = req.body;
if (!VALID_WORKFLOW_TYPES.includes(workflow_type)) {
return res.status(400).json({ error: 'workflow_type must be FP, Archer, CARD, GRANITE, or DECOM.' });
}
if (!INVENTORY_TYPES.includes(workflow_type)) {
if (!isValidVendor(vendor)) {
return res.status(400).json({ error: 'vendor is required for FP and Archer workflows.' });
} }
); }
if (vendor !== undefined && vendor !== '' && typeof vendor === 'string' && vendor.trim().length > 200) {
return res.status(400).json({ error: 'vendor must be under 200 chars.' });
}
const vendorVal = INVENTORY_TYPES.includes(workflow_type) ? '' : vendor.trim();
try {
const { rows: origRows } = await pool.query(
'SELECT * FROM ivanti_todo_queue WHERE id = $1 AND user_id = $2',
[id, req.user.id]
);
const original = origRows[0];
if (!original) {
return res.status(404).json({ error: 'Queue item not found.' });
}
if (original.status !== 'complete') {
return res.status(400).json({ error: 'Only completed queue items can be redirected.' });
}
const { rows } = await pool.query(
`INSERT INTO ivanti_todo_queue
(user_id, finding_id, finding_title, cves_json, ip_address, hostname, vendor, workflow_type)
VALUES ($1, $2, $3, $4, $5, $6, $7, $8)
RETURNING *`,
[req.user.id, original.finding_id, original.finding_title, original.cves_json, original.ip_address, original.hostname, vendorVal, workflow_type]
);
logAudit({
userId: req.user.id,
username: req.user.username,
action: 'queue_item_redirected',
entityType: 'ivanti_todo_queue',
entityId: String(original.id),
details: {
original_workflow_type: original.workflow_type,
target_workflow_type: workflow_type,
new_item_id: rows[0].id,
vendor: vendorVal,
},
ipAddress: req.ip,
});
const result = {
...rows[0],
cves: rows[0].cves_json ? JSON.parse(rows[0].cves_json) : [],
};
return res.status(201).json(result);
} catch (err) {
console.error('Error redirecting queue item:', err);
res.status(500).json({ error: 'Internal server error.' });
}
}); });
// DELETE /api/ivanti/todo-queue/:id /**
// Delete a single item — scoped to current user * DELETE /api/ivanti/todo-queue/completed
router.delete('/:id', requireAuth(db), (req, res) => { *
* Deletes all completed queue items belonging to the authenticated user.
* Requires Admin or Standard_User group.
*
* @returns {Object} { message: string, deleted: number }
* @error 500 Internal server error
*/
router.delete('/completed', requireAuth(), requireGroup('Admin', 'Standard_User'), async (req, res) => {
try {
const result = await pool.query(
"DELETE FROM ivanti_todo_queue WHERE user_id = $1 AND status = 'complete'",
[req.user.id]
);
res.json({ message: 'Completed items cleared.', deleted: result.rowCount });
} catch (err) {
console.error('Error clearing completed queue items:', err);
res.status(500).json({ error: 'Internal server error.' });
}
});
/**
* DELETE /api/ivanti/todo-queue/:id
*
* Deletes a single queue item owned by the authenticated user.
* Requires Admin or Standard_User group.
*
* @param {string} id — Queue item ID (URL parameter)
* @returns {Object} { message: string }
* @error 404 Queue item not found
* @error 500 Internal server error
*/
router.delete('/:id', requireAuth(), requireGroup('Admin', 'Standard_User'), async (req, res) => {
const { id } = req.params; const { id } = req.params;
db.get( try {
'SELECT id FROM ivanti_todo_queue WHERE id = ? AND user_id = ?', const { rows } = await pool.query(
[id, req.user.id], 'SELECT id FROM ivanti_todo_queue WHERE id = $1 AND user_id = $2',
(err, row) => { [id, req.user.id]
if (err) { );
console.error(err); if (!rows[0]) {
return res.status(500).json({ error: 'Internal server error.' }); return res.status(404).json({ error: 'Queue item not found.' });
}
if (!row) {
return res.status(404).json({ error: 'Queue item not found.' });
}
db.run(
'DELETE FROM ivanti_todo_queue WHERE id = ? AND user_id = ?',
[id, req.user.id],
function (err2) {
if (err2) {
console.error(err2);
return res.status(500).json({ error: 'Internal server error.' });
}
res.json({ message: 'Queue item deleted.' });
}
);
} }
);
await pool.query(
'DELETE FROM ivanti_todo_queue WHERE id = $1 AND user_id = $2',
[id, req.user.id]
);
res.json({ message: 'Queue item deleted.' });
} catch (err) {
console.error(err);
res.status(500).json({ error: 'Internal server error.' });
}
}); });
return router; return router;

187
backend/routes/ivantiWorkflows.js
View File

@@ -1,83 +1,17 @@
// Ivanti / RiskSense Workflow Routes // Ivanti / RiskSense Workflow Routes
// Data is cached in SQLite and refreshed on a daily schedule or on-demand. // Data is cached in PostgreSQL and refreshed on a daily schedule or on-demand.
// Auth: x-api-key header (confirmed via platform4.risksense.com/doc/swagger.json)
// Error codes: 401 bad key, 419 insufficient privileges, 429 rate limited
const express = require('express'); const express = require('express');
const https = require('https'); const pool = require('../db');
const { requireAuth, requireGroup } = require('../middleware/auth');
const { ivantiPost } = require('../helpers/ivantiApi');
const IVANTI_URL_BASE = 'https://platform4.risksense.com/api/v1';
const SYNC_INTERVAL_MS = 24 * 60 * 60 * 1000; // 24 hours const SYNC_INTERVAL_MS = 24 * 60 * 60 * 1000; // 24 hours
// --------------------------------------------------------------------------- // ---------------------------------------------------------------------------
// HTTP helper — uses Node's https module directly so we can toggle // Core sync — calls Ivanti API, stores result in PostgreSQL
// rejectUnauthorized for Charter's SSL inspection proxy (IVANTI_SKIP_TLS=true)
// --------------------------------------------------------------------------- // ---------------------------------------------------------------------------
function ivantiPost(urlPath, body, apiKey, skipTls) { async function syncWorkflows() {
const bodyStr = JSON.stringify(body);
const fullUrl = new URL(IVANTI_URL_BASE + urlPath);
return new Promise((resolve, reject) => {
const options = {
hostname: fullUrl.hostname,
path: fullUrl.pathname + fullUrl.search,
method: 'POST',
headers: {
'accept': '*/*',
'content-type': 'application/json',
'x-api-key': apiKey,
'x-http-client-type': 'browser',
'content-length': Buffer.byteLength(bodyStr)
},
rejectUnauthorized: !skipTls,
timeout: 15000
};
const req = https.request(options, (res) => {
let data = '';
res.on('data', (chunk) => { data += chunk; });
res.on('end', () => resolve({ status: res.statusCode, body: data }));
});
req.on('timeout', () => req.destroy(new Error('Request timed out')));
req.on('error', reject);
req.write(bodyStr);
req.end();
});
}
// ---------------------------------------------------------------------------
// Ensure the sync state table exists (idempotent — safe to call on every start)
// ---------------------------------------------------------------------------
function initTable(db) {
return new Promise((resolve, reject) => {
db.serialize(() => {
db.run(`
CREATE TABLE IF NOT EXISTS ivanti_sync_state (
id INTEGER PRIMARY KEY CHECK (id = 1),
total INTEGER DEFAULT 0,
workflows_json TEXT DEFAULT '[]',
synced_at DATETIME,
sync_status TEXT DEFAULT 'never',
error_message TEXT
)
`, (err) => { if (err) return reject(err); });
db.run(`
INSERT OR IGNORE INTO ivanti_sync_state (id, total, workflows_json, sync_status)
VALUES (1, 0, '[]', 'never')
`, (err) => {
if (err) reject(err);
else resolve();
});
});
});
}
// ---------------------------------------------------------------------------
// Core sync — calls Ivanti API, stores result in SQLite
// ---------------------------------------------------------------------------
async function syncWorkflows(db) {
const apiKey = process.env.IVANTI_API_KEY; const apiKey = process.env.IVANTI_API_KEY;
const clientId = process.env.IVANTI_CLIENT_ID || '1550'; const clientId = process.env.IVANTI_CLIENT_ID || '1550';
const firstName = process.env.IVANTI_FIRST_NAME || ''; const firstName = process.env.IVANTI_FIRST_NAME || '';
@@ -87,12 +21,10 @@ async function syncWorkflows(db) {
if (!apiKey) { if (!apiKey) {
const errMsg = 'IVANTI_API_KEY not set in .env — skipping sync'; const errMsg = 'IVANTI_API_KEY not set in .env — skipping sync';
console.warn('[Ivanti]', errMsg); console.warn('[Ivanti]', errMsg);
await new Promise((resolve) => { await pool.query(
db.run( `UPDATE ivanti_sync_state SET sync_status='error', error_message=$1, synced_at=NOW() WHERE id=1`,
`UPDATE ivanti_sync_state SET sync_status='error', error_message=?, synced_at=datetime('now') WHERE id=1`, [errMsg]
[errMsg], resolve );
);
});
return; return;
} }
@@ -144,7 +76,6 @@ async function syncWorkflows(db) {
const data = JSON.parse(result.body); const data = JSON.parse(result.body);
// Spring Data REST format: { _embedded: { workflowBatches: [...] }, page: { totalElements, ... } }
let total = 0; let total = 0;
let workflows = []; let workflows = [];
@@ -164,105 +95,99 @@ async function syncWorkflows(db) {
total = data.length; total = data.length;
} }
await new Promise((resolve, reject) => { await pool.query(
db.run( `UPDATE ivanti_sync_state
`UPDATE ivanti_sync_state SET total=$1, workflows_json=$2, synced_at=NOW(), sync_status='success', error_message=NULL
SET total=?, workflows_json=?, synced_at=datetime('now'), sync_status='success', error_message=NULL WHERE id=1`,
WHERE id=1`, [total, JSON.stringify(workflows)]
[total, JSON.stringify(workflows)], );
(err) => { if (err) reject(err); else resolve(); }
);
});
console.log(`[Ivanti] Sync complete — ${total} workflows`); console.log(`[Ivanti] Sync complete — ${total} workflows`);
} catch (err) { } catch (err) {
const msg = err.message || 'Unknown error'; const msg = err.message || 'Unknown error';
console.error('[Ivanti] Sync failed:', msg); console.error('[Ivanti] Sync failed:', msg);
await new Promise((resolve) => { await pool.query(
db.run( `UPDATE ivanti_sync_state SET sync_status='error', error_message=$1, synced_at=NOW() WHERE id=1`,
`UPDATE ivanti_sync_state SET sync_status='error', error_message=?, synced_at=datetime('now') WHERE id=1`, [msg]
[msg], resolve );
);
});
} }
} }
// --------------------------------------------------------------------------- // ---------------------------------------------------------------------------
// Scheduler — runs sync immediately if >24h stale, then every 24h // Scheduler — runs sync immediately if >24h stale, then every 24h
// --------------------------------------------------------------------------- // ---------------------------------------------------------------------------
function scheduleSync(db) { async function scheduleSync() {
db.get('SELECT synced_at FROM ivanti_sync_state WHERE id = 1', (err, row) => { try {
if (err || !row || !row.synced_at) { const { rows } = await pool.query('SELECT synced_at FROM ivanti_sync_state WHERE id = 1');
syncWorkflows(db); const row = rows[0];
if (!row || !row.synced_at) {
syncWorkflows();
} else { } else {
const lastSync = new Date(row.synced_at.replace(' ', 'T') + 'Z'); const lastSync = new Date(row.synced_at);
const hoursSince = (Date.now() - lastSync.getTime()) / (1000 * 60 * 60); const hoursSince = (Date.now() - lastSync.getTime()) / (1000 * 60 * 60);
if (hoursSince >= 24) { if (hoursSince >= 24) {
syncWorkflows(db); syncWorkflows();
} else { } else {
const hoursUntil = (24 - hoursSince).toFixed(1); const hoursUntil = (24 - hoursSince).toFixed(1);
console.log(`[Ivanti] Last sync ${hoursSince.toFixed(1)}h ago — next auto-sync in ${hoursUntil}h`); console.log(`[Ivanti] Last sync ${hoursSince.toFixed(1)}h ago — next auto-sync in ${hoursUntil}h`);
} }
} }
}); } catch (err) {
console.error('[Ivanti] Schedule check failed:', err);
syncWorkflows();
}
setInterval(() => syncWorkflows(db), SYNC_INTERVAL_MS); setInterval(() => syncWorkflows(), SYNC_INTERVAL_MS);
} }
// --------------------------------------------------------------------------- // ---------------------------------------------------------------------------
// Helper — read current state from DB and return as JSON-ready object // Helper — read current state from DB and return as JSON-ready object
// --------------------------------------------------------------------------- // ---------------------------------------------------------------------------
function readState(db) { async function readState() {
return new Promise((resolve, reject) => { const { rows } = await pool.query(
db.get( 'SELECT total, workflows_json, synced_at, sync_status, error_message FROM ivanti_sync_state WHERE id = 1'
'SELECT total, workflows_json, synced_at, sync_status, error_message FROM ivanti_sync_state WHERE id = 1', );
(err, row) => { const row = rows[0];
if (err) return reject(err); if (!row) return { total: 0, workflows: [], synced_at: null, sync_status: 'never', error_message: null };
if (!row) return resolve({ total: 0, workflows: [], synced_at: null, sync_status: 'never', error_message: null });
let workflows = []; let workflows = [];
try { workflows = JSON.parse(row.workflows_json || '[]'); } catch (_) { /* leave empty */ } try { workflows = JSON.parse(row.workflows_json || '[]'); } catch (_) { /* leave empty */ }
resolve({ return {
total: row.total || 0, total: workflows.length,
workflows, workflows,
synced_at: row.synced_at, synced_at: row.synced_at,
sync_status: row.sync_status, sync_status: row.sync_status,
error_message: row.error_message error_message: row.error_message
}); };
}
);
});
} }
// --------------------------------------------------------------------------- // ---------------------------------------------------------------------------
// Router // Router
// --------------------------------------------------------------------------- // ---------------------------------------------------------------------------
function createIvantiWorkflowsRouter(db, requireAuth) { function createIvantiWorkflowsRouter() {
const router = express.Router(); const router = express.Router();
// Init table and kick off scheduler (fire-and-forget on startup) // Kick off scheduler (fire-and-forget on startup)
initTable(db) scheduleSync().catch((err) => console.error('[Ivanti] Init failed:', err));
.then(() => scheduleSync(db))
.catch((err) => console.error('[Ivanti] Init failed:', err));
// All routes require authentication // All routes require authentication
router.use(requireAuth(db)); router.use(requireAuth());
// GET / — return cached data (fast, no external call) // GET / — return cached data (fast, no external call)
router.get('/', async (req, res) => { router.get('/', async (req, res) => {
try { try {
res.json(await readState(db)); res.json(await readState());
} catch { } catch {
res.status(500).json({ error: 'Database error reading sync state' }); res.status(500).json({ error: 'Database error reading sync state' });
} }
}); });
// POST /sync — trigger an immediate sync, await completion, return fresh state // POST /sync — trigger an immediate sync, await completion, return fresh state
router.post('/sync', async (req, res) => { router.post('/sync', requireGroup('Admin', 'Standard_User'), async (req, res) => {
await syncWorkflows(db); await syncWorkflows();
try { try {
res.json(await readState(db)); res.json(await readState());
} catch { } catch {
res.status(500).json({ error: 'Sync ran but could not read updated state' }); res.status(500).json({ error: 'Sync ran but could not read updated state' });
} }

581
backend/routes/jiraTickets.js Normal file
View File

@@ -0,0 +1,581 @@
// routes/jiraTickets.js
// Jira ticket CRUD + Jira REST API integration endpoints.
// Extracted from server.js inline endpoints and extended with live Jira
// operations (lookup, sync, create-in-jira, connection test).
//
// Charter Jira REST API compliance:
// - All GETs include explicit field lists (no /rest/api/2/field)
// - Sync uses bulk JQL search, not one-issue-at-a-time GETs
// - No /rest/api/2/issue/bulk — updates are one at a time
// - Inter-request delays enforced in jiraApi.js (1s GET, 2s write)
// - Rate limits enforced client-side (1440/day, 60/min burst)
const express = require('express');
const pool = require('../db');
const { requireAuth, requireGroup } = require('../middleware/auth');
const logAudit = require('../helpers/auditLog');
const jiraApi = require('../helpers/jiraApi');
// Validation helpers
const CVE_ID_PATTERN = /^CVE-\d{4}-\d{4,}$/;
const VALID_TICKET_STATUSES = ['Open', 'In Progress', 'Closed'];
function isValidCveId(cveId) {
return typeof cveId === 'string' && CVE_ID_PATTERN.test(cveId);
}
function isValidVendor(vendor) {
return typeof vendor === 'string' && vendor.trim().length > 0 && vendor.length <= 200;
}
function createJiraTicketsRouter() {
const router = express.Router();
// -----------------------------------------------------------------------
// Jira API integration endpoints
// -----------------------------------------------------------------------
router.get('/connection-test', requireAuth(), requireGroup('Admin'), async (req, res) => {
if (!jiraApi.isConfigured) {
return res.status(503).json({ error: 'Jira API is not configured. Set JIRA_BASE_URL and credentials in backend/.env.' });
}
try {
const result = await jiraApi.testConnection();
if (result.ok) {
logAudit({
userId: req.user.id,
username: req.user.username,
action: 'jira_connection_test',
entityType: 'jira_integration',
entityId: null,
details: { success: true, user: result.user.name },
ipAddress: req.ip
});
return res.json({ connected: true, user: result.user });
}
return res.status(502).json({ connected: false, status: result.status, error: result.body || result.error });
} catch (err) {
return res.status(502).json({ connected: false, error: err.message });
}
});
router.get('/rate-limit', requireAuth(), requireGroup('Admin'), (req, res) => {
res.json(jiraApi.getRateLimitStatus());
});
router.get('/lookup/:issueKey', requireAuth(), async (req, res) => {
if (!jiraApi.isConfigured) {
return res.status(503).json({ error: 'Jira API is not configured.' });
}
const { issueKey } = req.params;
if (!issueKey || !/^[A-Z][A-Z0-9_]+-\d+$/.test(issueKey)) {
return res.status(400).json({ error: 'Invalid Jira issue key format. Expected PROJECT-123.' });
}
try {
const result = await jiraApi.getIssue(issueKey);
if (result.ok) {
const issue = result.data;
return res.json({
key: issue.key,
summary: issue.fields.summary,
status: issue.fields.status ? issue.fields.status.name : null,
assignee: issue.fields.assignee ? issue.fields.assignee.displayName : null,
priority: issue.fields.priority ? issue.fields.priority.name : null,
issuetype: issue.fields.issuetype ? issue.fields.issuetype.name : null,
created: issue.fields.created,
updated: issue.fields.updated,
self: issue.self
});
}
if (result.rateLimited) {
return res.status(429).json({ error: 'Jira rate limit exceeded. Try again later.' });
}
return res.status(result.status === 404 ? 404 : 502).json({
error: result.status === 404 ? 'Issue not found in Jira.' : 'Jira API error.',
details: result.body
});
} catch (err) {
return res.status(502).json({ error: err.message });
}
});
router.post('/create-in-jira', requireAuth(), requireGroup('Admin', 'Standard_User'), async (req, res) => {
if (!jiraApi.isConfigured) {
return res.status(503).json({ error: 'Jira API is not configured.' });
}
const { cve_id, vendor, summary, description, project_key, issue_type } = req.body;
if (!cve_id || !isValidCveId(cve_id)) {
return res.status(400).json({ error: 'Valid CVE ID is required.' });
}
if (!vendor || !isValidVendor(vendor)) {
return res.status(400).json({ error: 'Valid vendor is required.' });
}
if (!summary || typeof summary !== 'string' || summary.trim().length === 0 || summary.length > 255) {
return res.status(400).json({ error: 'Summary is required (max 255 chars).' });
}
const projectKey = project_key || jiraApi.JIRA_PROJECT_KEY;
const issueType = issue_type || jiraApi.JIRA_ISSUE_TYPE;
if (!projectKey) {
return res.status(400).json({ error: 'Project key is required. Set JIRA_PROJECT_KEY in .env or provide project_key in request.' });
}
const fields = {
project: { key: projectKey },
summary: summary.trim(),
issuetype: { name: issueType }
};
if (description) {
fields.description = description;
}
try {
const result = await jiraApi.createIssue(fields);
if (!result.ok) {
if (result.rateLimited) {
return res.status(429).json({ error: 'Jira rate limit exceeded. Try again later.' });
}
return res.status(502).json({ error: 'Failed to create Jira issue.', details: result.body });
}
const jiraIssue = result.data;
const ticketKey = jiraIssue.key;
const jiraUrl = jiraIssue.self
? jiraIssue.self.replace(/\/rest\/api\/2\/issue\/.*/, `/browse/${ticketKey}`)
: null;
try {
const { rows } = await pool.query(
`INSERT INTO jira_tickets (cve_id, vendor, ticket_key, url, summary, status, jira_id, jira_status, last_synced_at, created_by)
VALUES ($1, $2, $3, $4, $5, $6, $7, $8, NOW(), $9)
RETURNING id`,
[cve_id, vendor, ticketKey, jiraUrl, summary.trim(), 'Open', jiraIssue.id, 'Open', req.user.id]
);
logAudit({
userId: req.user.id,
username: req.user.username,
action: 'jira_ticket_create_via_api',
entityType: 'jira_ticket',
entityId: rows[0].id.toString(),
details: { cve_id, vendor, ticket_key: ticketKey, jira_id: jiraIssue.id, project_key: projectKey },
ipAddress: req.ip
});
res.status(201).json({
id: rows[0].id,
ticket_key: ticketKey,
jira_url: jiraUrl,
message: 'Jira issue created and linked successfully'
});
} catch (dbErr) {
console.error('Error saving local Jira ticket record:', dbErr);
return res.status(207).json({
warning: 'Issue created in Jira but local record failed to save.',
jira_key: ticketKey,
jira_url: jiraUrl,
error: dbErr.message
});
}
} catch (err) {
return res.status(502).json({ error: err.message });
}
});
router.post('/sync-all', requireAuth(), requireGroup('Admin'), async (req, res) => {
if (!jiraApi.isConfigured) {
return res.status(503).json({ error: 'Jira API is not configured.' });
}
try {
const { rows: tickets } = await pool.query(
"SELECT * FROM jira_tickets WHERE ticket_key IS NOT NULL AND ticket_key != ''"
);
if (tickets.length === 0) {
return res.json({ synced: 0, failed: 0, skipped: 0, unchanged: 0, errors: [] });
}
const results = { synced: 0, failed: 0, skipped: 0, unchanged: 0, errors: [] };
const BATCH_SIZE = 100;
const batches = [];
for (let i = 0; i < tickets.length; i += BATCH_SIZE) {
batches.push(tickets.slice(i, i + BATCH_SIZE));
}
for (const batch of batches) {
const rateStatus = jiraApi.getRateLimitStatus();
if (rateStatus.burst.remaining <= 5 || rateStatus.daily.remaining <= 10) {
const remaining = tickets.length - results.synced - results.failed - results.unchanged;
results.skipped += remaining;
results.errors.push('Rate limit approaching — stopped sync early to preserve budget.');
break;
}
const keys = batch.map(t => t.ticket_key);
try {
const result = await jiraApi.searchIssuesByKeys(keys);
if (!result.ok) {
if (result.rateLimited) {
results.skipped += batch.length;
results.errors.push('Jira rate limit hit during sync.');
break;
}
results.failed += batch.length;
results.errors.push(`Batch search failed: HTTP ${result.status}`);
continue;
}
const issueMap = {};
for (const issue of (result.data.issues || [])) {
issueMap[issue.key] = issue;
}
for (const ticket of batch) {
const issue = issueMap[ticket.ticket_key];
if (!issue) {
results.unchanged++;
continue;
}
const jiraStatus = issue.fields.status ? issue.fields.status.name : null;
const jiraSummary = issue.fields.summary || ticket.summary;
const localStatus = mapJiraStatusToLocal(jiraStatus);
try {
await pool.query(
`UPDATE jira_tickets SET summary = $1, status = $2, jira_status = $3, last_synced_at = NOW(), updated_at = NOW() WHERE id = $4`,
[jiraSummary, localStatus, jiraStatus, ticket.id]
);
results.synced++;
} catch (dbErr) {
results.failed++;
results.errors.push(`${ticket.ticket_key}: DB update failed — ${dbErr.message}`);
}
}
} catch (searchErr) {
results.failed += batch.length;
results.errors.push(`Batch search error: ${searchErr.message}`);
}
}
logAudit({
userId: req.user.id,
username: req.user.username,
action: 'jira_sync_all',
entityType: 'jira_integration',
entityId: null,
details: results,
ipAddress: req.ip
});
res.json(results);
} catch (err) {
console.error(err);
return res.status(500).json({ error: 'Internal server error.' });
}
});
router.post('/:id/sync', requireAuth(), requireGroup('Admin', 'Standard_User'), async (req, res) => {
if (!jiraApi.isConfigured) {
return res.status(503).json({ error: 'Jira API is not configured.' });
}
const { id } = req.params;
try {
const { rows } = await pool.query('SELECT * FROM jira_tickets WHERE id = $1', [id]);
const ticket = rows[0];
if (!ticket) {
return res.status(404).json({ error: 'JIRA ticket not found.' });
}
if (!ticket.ticket_key) {
return res.status(400).json({ error: 'Ticket has no Jira key to sync.' });
}
const result = await jiraApi.getIssue(ticket.ticket_key);
if (!result.ok) {
if (result.rateLimited) {
return res.status(429).json({ error: 'Jira rate limit exceeded. Try again later.' });
}
return res.status(502).json({ error: 'Failed to fetch issue from Jira.', details: result.body });
}
const issue = result.data;
const jiraStatus = issue.fields.status ? issue.fields.status.name : null;
const jiraSummary = issue.fields.summary || ticket.summary;
const localStatus = mapJiraStatusToLocal(jiraStatus);
await pool.query(
`UPDATE jira_tickets SET summary = $1, status = $2, jira_status = $3, last_synced_at = NOW(), updated_at = NOW() WHERE id = $4`,
[jiraSummary, localStatus, jiraStatus, id]
);
logAudit({
userId: req.user.id,
username: req.user.username,
action: 'jira_ticket_sync',
entityType: 'jira_ticket',
entityId: id,
details: { ticket_key: ticket.ticket_key, jira_status: jiraStatus, local_status: localStatus },
ipAddress: req.ip
});
res.json({
message: 'Ticket synced with Jira',
ticket_key: ticket.ticket_key,
jira_status: jiraStatus,
local_status: localStatus,
summary: jiraSummary
});
} catch (err) {
console.error(err);
return res.status(500).json({ error: 'Internal server error.' });
}
});
// -----------------------------------------------------------------------
// Local CRUD endpoints
// -----------------------------------------------------------------------
router.get('/', requireAuth(), async (req, res) => {
const { cve_id, vendor, status } = req.query;
let query = 'SELECT * FROM jira_tickets WHERE 1=1';
const params = [];
let paramIndex = 1;
if (cve_id) {
query += ` AND cve_id = $${paramIndex++}`;
params.push(cve_id);
}
if (vendor) {
query += ` AND vendor = $${paramIndex++}`;
params.push(vendor);
}
if (status) {
query += ` AND status = $${paramIndex++}`;
params.push(status);
}
query += ' ORDER BY created_at DESC';
try {
const { rows } = await pool.query(query, params);
res.json(rows);
} catch (err) {
console.error('Error fetching JIRA tickets:', err);
res.status(500).json({ error: 'Internal server error.' });
}
});
router.post('/', requireAuth(), requireGroup('Admin', 'Standard_User'), async (req, res) => {
const { cve_id, vendor, ticket_key, url, summary, status } = req.body;
if (!cve_id || !isValidCveId(cve_id)) {
return res.status(400).json({ error: 'Valid CVE ID is required.' });
}
if (!vendor || !isValidVendor(vendor)) {
return res.status(400).json({ error: 'Valid vendor is required.' });
}
if (!ticket_key || typeof ticket_key !== 'string' || ticket_key.trim().length === 0 || ticket_key.length > 50) {
return res.status(400).json({ error: 'Ticket key is required (max 50 chars).' });
}
if (url && (typeof url !== 'string' || url.length > 500)) {
return res.status(400).json({ error: 'URL must be under 500 characters.' });
}
if (summary && (typeof summary !== 'string' || summary.length > 500)) {
return res.status(400).json({ error: 'Summary must be under 500 characters.' });
}
if (status && !VALID_TICKET_STATUSES.includes(status)) {
return res.status(400).json({ error: `Status must be one of: ${VALID_TICKET_STATUSES.join(', ')}` });
}
const ticketStatus = status || 'Open';
try {
const { rows } = await pool.query(
`INSERT INTO jira_tickets (cve_id, vendor, ticket_key, url, summary, status, created_by)
VALUES ($1, $2, $3, $4, $5, $6, $7)
RETURNING id`,
[cve_id, vendor, ticket_key.trim(), url || null, summary || null, ticketStatus, req.user.id]
);
logAudit({
userId: req.user.id,
username: req.user.username,
action: 'jira_ticket_create',
entityType: 'jira_ticket',
entityId: rows[0].id.toString(),
details: { cve_id, vendor, ticket_key, status: ticketStatus },
ipAddress: req.ip
});
res.status(201).json({
id: rows[0].id,
message: 'JIRA ticket created successfully'
});
} catch (err) {
console.error('Error creating JIRA ticket:', err);
res.status(500).json({ error: 'Internal server error.' });
}
});
router.put('/:id', requireAuth(), requireGroup('Admin', 'Standard_User'), async (req, res) => {
const { id } = req.params;
const { ticket_key, url, summary, status } = req.body;
if (ticket_key !== undefined && (typeof ticket_key !== 'string' || ticket_key.trim().length === 0 || ticket_key.length > 50)) {
return res.status(400).json({ error: 'Ticket key must be under 50 chars.' });
}
if (url !== undefined && url !== null && (typeof url !== 'string' || url.length > 500)) {
return res.status(400).json({ error: 'URL must be under 500 characters.' });
}
if (summary !== undefined && summary !== null && (typeof summary !== 'string' || summary.length > 500)) {
return res.status(400).json({ error: 'Summary must be under 500 characters.' });
}
if (status !== undefined && !VALID_TICKET_STATUSES.includes(status)) {
return res.status(400).json({ error: `Status must be one of: ${VALID_TICKET_STATUSES.join(', ')}` });
}
const fields = [];
const values = [];
let paramIndex = 1;
if (ticket_key !== undefined) { fields.push(`ticket_key = $${paramIndex++}`); values.push(ticket_key.trim()); }
if (url !== undefined) { fields.push(`url = $${paramIndex++}`); values.push(url); }
if (summary !== undefined) { fields.push(`summary = $${paramIndex++}`); values.push(summary); }
if (status !== undefined) { fields.push(`status = $${paramIndex++}`); values.push(status); }
if (fields.length === 0) {
return res.status(400).json({ error: 'No fields to update.' });
}
fields.push('updated_at = NOW()');
values.push(id);
try {
const { rows } = await pool.query('SELECT * FROM jira_tickets WHERE id = $1', [id]);
const existing = rows[0];
if (!existing) {
return res.status(404).json({ error: 'JIRA ticket not found.' });
}
const result = await pool.query(
`UPDATE jira_tickets SET ${fields.join(', ')} WHERE id = $${paramIndex}`,
values
);
logAudit({
userId: req.user.id,
username: req.user.username,
action: 'jira_ticket_update',
entityType: 'jira_ticket',
entityId: id,
details: { before: existing, changes: req.body },
ipAddress: req.ip
});
res.json({ message: 'JIRA ticket updated successfully', changes: result.rowCount });
} catch (err) {
console.error('Error updating JIRA ticket:', err);
res.status(500).json({ error: 'Internal server error.' });
}
});
router.delete('/:id', requireAuth(), requireGroup('Admin', 'Standard_User'), async (req, res) => {
const { id } = req.params;
try {
const { rows } = await pool.query('SELECT * FROM jira_tickets WHERE id = $1', [id]);
const ticket = rows[0];
if (!ticket) {
return res.status(404).json({ error: 'JIRA ticket not found.' });
}
// Admin bypasses all delete restrictions
if (req.user.group === 'Admin') {
return performJiraDelete();
}
// Standard_User: ownership check
if (ticket.created_by && ticket.created_by !== req.user.id) {
return res.status(403).json({ error: 'You can only delete resources you created' });
}
// Standard_User: compliance linkage check
const ticketKey = ticket.ticket_key;
try {
const { rows: compLinks } = await pool.query(
`SELECT ci.id, ci.extra_json
FROM compliance_items ci
JOIN compliance_uploads cu ON ci.upload_id = cu.id
WHERE ci.status = 'active' AND ci.extra_json ILIKE $1`,
[`%${ticketKey}%`]
);
const isLinked = (compLinks || []).some(cl => {
const json = cl.extra_json || '';
return json.includes(ticketKey);
});
if (isLinked) {
return res.status(403).json({ error: 'Cannot delete ticket linked to compliance report. Contact an admin.' });
}
} catch (compErr) {
if (!compErr.message.includes('does not exist')) throw compErr;
}
return performJiraDelete();
async function performJiraDelete() {
await pool.query('DELETE FROM jira_tickets WHERE id = $1', [id]);
logAudit({
userId: req.user.id,
username: req.user.username,
action: 'jira_ticket_delete',
entityType: 'jira_ticket',
entityId: id,
details: { ticket_key: ticket.ticket_key, cve_id: ticket.cve_id, vendor: ticket.vendor },
ipAddress: req.ip
});
res.json({ message: 'JIRA ticket deleted successfully' });
}
} catch (err) {
console.error('Error deleting JIRA ticket:', err);
res.status(500).json({ error: 'Internal server error.' });
}
});
return router;
}
// ---------------------------------------------------------------------------
// Helpers
// ---------------------------------------------------------------------------
function mapJiraStatusToLocal(jiraStatus) {
if (!jiraStatus) return 'Open';
const lower = jiraStatus.toLowerCase();
if (['closed', 'done', 'resolved', 'complete', 'completed', 'cancelled', 'canceled', "won't do", 'declined'].some(s => lower.includes(s))) {
return 'Closed';
}
if (['in progress', 'in review', 'in development', 'in testing', 'review', 'testing', 'dev', 'active', 'implementing'].some(s => lower.includes(s))) {
return 'In Progress';
}
return 'Open';
}
module.exports = createJiraTicketsRouter;

358
backend/routes/knowledgeBase.js
View File

@@ -1,10 +1,11 @@
const express = require('express'); const express = require('express');
const path = require('path'); const path = require('path');
const fs = require('fs'); const fs = require('fs');
const { requireAuth, requireRole } = require('../middleware/auth'); const pool = require('../db');
const { requireAuth, requireGroup } = require('../middleware/auth');
const logAudit = require('../helpers/auditLog'); const logAudit = require('../helpers/auditLog');
function createKnowledgeBaseRouter(db, upload) { function createKnowledgeBaseRouter(upload) {
const router = express.Router(); const router = express.Router();
// Helper to sanitize filename // Helper to sanitize filename
@@ -39,8 +40,8 @@ function createKnowledgeBaseRouter(db, upload) {
return ALLOWED_EXTENSIONS.has(ext); return ALLOWED_EXTENSIONS.has(ext);
} }
// POST /api/knowledge-base/upload - Upload new document // POST /api/knowledge-base/upload
router.post('/upload', requireAuth(db), requireRole(db, 'editor', 'admin'), (req, res, next) => { router.post('/upload', requireAuth(), requireGroup('Admin', 'Standard_User'), (req, res, next) => {
upload.single('file')(req, res, (err) => { upload.single('file')(req, res, (err) => {
if (err) { if (err) {
console.error('[KB Upload] Multer error:', err); console.error('[KB Upload] Multer error:', err);
@@ -58,7 +59,6 @@ function createKnowledgeBaseRouter(db, upload) {
const uploadedFile = req.file; const uploadedFile = req.file;
const { title, description, category } = req.body; const { title, description, category } = req.body;
// Validate required fields
if (!title || !title.trim()) { if (!title || !title.trim()) {
console.error('[KB Upload] Error: Title is missing'); console.error('[KB Upload] Error: Title is missing');
if (uploadedFile) fs.unlinkSync(uploadedFile.path); if (uploadedFile) fs.unlinkSync(uploadedFile.path);
@@ -69,7 +69,6 @@ function createKnowledgeBaseRouter(db, upload) {
return res.status(400).json({ error: 'No file uploaded' }); return res.status(400).json({ error: 'No file uploaded' });
} }
// Validate file type
if (!isValidFileType(uploadedFile.originalname)) { if (!isValidFileType(uploadedFile.originalname)) {
fs.unlinkSync(uploadedFile.path); fs.unlinkSync(uploadedFile.path);
return res.status(400).json({ error: 'File type not allowed' }); return res.status(400).json({ error: 'File type not allowed' });
@@ -80,148 +79,125 @@ function createKnowledgeBaseRouter(db, upload) {
const slug = generateSlug(title); const slug = generateSlug(title);
const kbDir = path.join(__dirname, '..', 'uploads', 'knowledge_base'); const kbDir = path.join(__dirname, '..', 'uploads', 'knowledge_base');
// Create directory if it doesn't exist
if (!fs.existsSync(kbDir)) {
fs.mkdirSync(kbDir, { recursive: true });
}
const filename = `${timestamp}_${sanitizedName}`; const filename = `${timestamp}_${sanitizedName}`;
const filePath = path.join(kbDir, filename); const filePath = path.join(kbDir, filename);
try { try {
// Move uploaded file to permanent location
fs.renameSync(uploadedFile.path, filePath);
// Check if slug already exists // Check if slug already exists
db.get('SELECT id FROM knowledge_base WHERE slug = ?', [slug], (err, row) => { const { rows: existingRows } = await pool.query(
if (err) { 'SELECT id FROM knowledge_base WHERE slug = $1', [slug]
fs.unlinkSync(filePath); );
console.error('Error checking slug:', err);
return res.status(500).json({ error: 'Database error' }); const finalSlug = existingRows.length > 0 ? `${slug}-${timestamp}` : slug;
// Insert new knowledge base entry
const { rows } = await pool.query(
`INSERT INTO knowledge_base (
title, slug, description, category, file_path, file_name,
file_type, file_size, created_by
) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)
RETURNING id`,
[
title.trim(),
finalSlug,
description || null,
category || 'General',
filePath,
sanitizedName,
uploadedFile.mimetype,
uploadedFile.size,
req.user.id
]
);
// DB insert succeeded — now move file to permanent location
try {
if (!fs.existsSync(kbDir)) {
fs.mkdirSync(kbDir, { recursive: true });
} }
fs.renameSync(uploadedFile.path, filePath);
} catch (moveErr) {
console.error('Error moving file to permanent location:', moveErr);
}
// If slug exists, append timestamp to make it unique logAudit({
const finalSlug = row ? `${slug}-${timestamp}` : slug; userId: req.user.id,
username: req.user.username,
action: 'CREATE_KB_ARTICLE',
entityType: 'knowledge_base',
entityId: String(rows[0].id),
details: { title: title.trim(), filename: sanitizedName },
ipAddress: req.ip
});
// Insert new knowledge base entry res.json({
const insertSql = ` success: true,
INSERT INTO knowledge_base ( id: rows[0].id,
title, slug, description, category, file_path, file_name, title: title.trim(),
file_type, file_size, created_by slug: finalSlug,
) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?) category: category || 'General'
`;
db.run(
insertSql,
[
title.trim(),
finalSlug,
description || null,
category || 'General',
filePath,
sanitizedName,
uploadedFile.mimetype,
uploadedFile.size,
req.user.id
],
function (err) {
if (err) {
fs.unlinkSync(filePath);
console.error('Error inserting knowledge base entry:', err);
return res.status(500).json({ error: 'Failed to save document metadata' });
}
// Log audit entry
logAudit(
db,
req.user.id,
req.user.username,
'CREATE_KB_ARTICLE',
'knowledge_base',
this.lastID,
JSON.stringify({ title: title.trim(), filename: sanitizedName }),
req.ip
);
res.json({
success: true,
id: this.lastID,
title: title.trim(),
slug: finalSlug,
category: category || 'General'
});
}
);
}); });
} catch (error) { } catch (error) {
// Clean up file on error if (uploadedFile && fs.existsSync(uploadedFile.path)) fs.unlinkSync(uploadedFile.path);
if (fs.existsSync(filePath)) fs.unlinkSync(filePath);
console.error('Error uploading knowledge base document:', error); console.error('Error uploading knowledge base document:', error);
res.status(500).json({ error: error.message || 'Failed to upload document' }); res.status(500).json({ error: error.message || 'Failed to upload document' });
} }
}); });
// GET /api/knowledge-base - List all articles // GET /api/knowledge-base
router.get('/', requireAuth(db), (req, res) => { router.get('/', requireAuth(), async (req, res) => {
const sql = ` try {
SELECT const { rows } = await pool.query(`
kb.id, kb.title, kb.slug, kb.description, kb.category, SELECT
kb.file_name, kb.file_type, kb.file_size, kb.created_at, kb.updated_at, kb.id, kb.title, kb.slug, kb.description, kb.category,
u.username as created_by_username kb.file_name, kb.file_type, kb.file_size, kb.created_at, kb.updated_at,
FROM knowledge_base kb u.username as created_by_username
LEFT JOIN users u ON kb.created_by = u.id FROM knowledge_base kb
ORDER BY kb.created_at DESC LEFT JOIN users u ON kb.created_by = u.id
`; ORDER BY kb.created_at DESC
`);
db.all(sql, [], (err, rows) => {
if (err) {
console.error('Error fetching knowledge base articles:', err);
return res.status(500).json({ error: 'Failed to fetch articles' });
}
res.json(rows); res.json(rows);
}); } catch (err) {
console.error('Error fetching knowledge base articles:', err);
res.status(500).json({ error: 'Failed to fetch articles' });
}
}); });
// GET /api/knowledge-base/:id - Get single article details // GET /api/knowledge-base/:id
router.get('/:id', requireAuth(db), (req, res) => { router.get('/:id', requireAuth(), async (req, res) => {
const { id } = req.params; const { id } = req.params;
const sql = ` try {
SELECT const { rows } = await pool.query(`
kb.id, kb.title, kb.slug, kb.description, kb.category, SELECT
kb.file_name, kb.file_type, kb.file_size, kb.created_at, kb.updated_at, kb.id, kb.title, kb.slug, kb.description, kb.category,
u.username as created_by_username kb.file_name, kb.file_type, kb.file_size, kb.created_at, kb.updated_at,
FROM knowledge_base kb u.username as created_by_username
LEFT JOIN users u ON kb.created_by = u.id FROM knowledge_base kb
WHERE kb.id = ? LEFT JOIN users u ON kb.created_by = u.id
`; WHERE kb.id = $1
`, [id]);
db.get(sql, [id], (err, row) => { if (!rows[0]) {
if (err) {
console.error('Error fetching article:', err);
return res.status(500).json({ error: 'Failed to fetch article' });
}
if (!row) {
return res.status(404).json({ error: 'Article not found' }); return res.status(404).json({ error: 'Article not found' });
} }
res.json(row); res.json(rows[0]);
}); } catch (err) {
console.error('Error fetching article:', err);
res.status(500).json({ error: 'Failed to fetch article' });
}
}); });
// GET /api/knowledge-base/:id/content - Get document content for display // GET /api/knowledge-base/:id/content
router.get('/:id/content', requireAuth(db), (req, res) => { router.get('/:id/content', requireAuth(), async (req, res) => {
const { id } = req.params; const { id } = req.params;
const sql = 'SELECT file_path, file_name, file_type FROM knowledge_base WHERE id = ?'; try {
const { rows } = await pool.query(
db.get(sql, [id], (err, row) => { 'SELECT file_path, file_name, file_type FROM knowledge_base WHERE id = $1', [id]
if (err) { );
console.error('Error fetching document:', err); const row = rows[0];
return res.status(500).json({ error: 'Failed to fetch document' });
}
if (!row) { if (!row) {
return res.status(404).json({ error: 'Document not found' }); return res.status(404).json({ error: 'Document not found' });
@@ -231,49 +207,45 @@ function createKnowledgeBaseRouter(db, upload) {
return res.status(404).json({ error: 'File not found on disk' }); return res.status(404).json({ error: 'File not found on disk' });
} }
// Log audit entry logAudit({
logAudit( userId: req.user.id,
db, username: req.user.username,
req.user.id, action: 'VIEW_KB_ARTICLE',
req.user.username, entityType: 'knowledge_base',
'VIEW_KB_ARTICLE', entityId: String(id),
'knowledge_base', details: { filename: row.file_name },
id, ipAddress: req.ip
JSON.stringify({ filename: row.file_name }), });
req.ip
);
// Determine content type for inline display
let contentType = row.file_type || 'application/octet-stream'; let contentType = row.file_type || 'application/octet-stream';
// For markdown files, send as plain text so frontend can parse it
if (row.file_name.endsWith('.md')) { if (row.file_name.endsWith('.md')) {
contentType = 'text/plain; charset=utf-8'; contentType = 'text/plain; charset=utf-8';
} else if (row.file_name.endsWith('.txt')) { } else if (row.file_name.endsWith('.txt')) {
contentType = 'text/plain; charset=utf-8'; contentType = 'text/plain; charset=utf-8';
} }
const safeFileName = row.file_name.replace(/["\r\n\\]/g, '');
res.setHeader('Content-Type', contentType); res.setHeader('Content-Type', contentType);
// Use inline instead of attachment to allow browser to display res.setHeader('Content-Disposition', `inline; filename="${safeFileName}"`);
res.setHeader('Content-Disposition', `inline; filename="${row.file_name}"`);
// Allow iframe embedding from frontend origin
res.removeHeader('X-Frame-Options'); res.removeHeader('X-Frame-Options');
res.setHeader('Content-Security-Policy', "frame-ancestors 'self' http://71.85.90.9:3000 http://localhost:3000"); const corsOrigins = process.env.CORS_ORIGINS ? process.env.CORS_ORIGINS.split(',').join(' ') : 'http://localhost:3000';
res.setHeader('Content-Security-Policy', `frame-ancestors 'self' ${corsOrigins}`);
res.sendFile(row.file_path); res.sendFile(row.file_path);
}); } catch (err) {
console.error('Error fetching document:', err);
res.status(500).json({ error: 'Failed to fetch document' });
}
}); });
// GET /api/knowledge-base/:id/download - Download document // GET /api/knowledge-base/:id/download
router.get('/:id/download', requireAuth(db), (req, res) => { router.get('/:id/download', requireAuth(), async (req, res) => {
const { id } = req.params; const { id } = req.params;
const sql = 'SELECT file_path, file_name, file_type FROM knowledge_base WHERE id = ?'; try {
const { rows } = await pool.query(
db.get(sql, [id], (err, row) => { 'SELECT file_path, file_name, file_type FROM knowledge_base WHERE id = $1', [id]
if (err) { );
console.error('Error fetching document:', err); const row = rows[0];
return res.status(500).json({ error: 'Failed to fetch document' });
}
if (!row) { if (!row) {
return res.status(404).json({ error: 'Document not found' }); return res.status(404).json({ error: 'Document not found' });
@@ -283,67 +255,67 @@ function createKnowledgeBaseRouter(db, upload) {
return res.status(404).json({ error: 'File not found on disk' }); return res.status(404).json({ error: 'File not found on disk' });
} }
// Log audit entry logAudit({
logAudit( userId: req.user.id,
db, username: req.user.username,
req.user.id, action: 'DOWNLOAD_KB_ARTICLE',
req.user.username, entityType: 'knowledge_base',
'DOWNLOAD_KB_ARTICLE', entityId: String(id),
'knowledge_base', details: { filename: row.file_name },
id, ipAddress: req.ip
JSON.stringify({ filename: row.file_name }), });
req.ip
);
const safeDownloadName = row.file_name.replace(/["\r\n\\]/g, '');
res.setHeader('Content-Type', row.file_type || 'application/octet-stream'); res.setHeader('Content-Type', row.file_type || 'application/octet-stream');
res.setHeader('Content-Disposition', `attachment; filename="${row.file_name}"`); res.setHeader('Content-Disposition', `attachment; filename="${safeDownloadName}"`);
res.sendFile(row.file_path); res.sendFile(row.file_path);
}); } catch (err) {
console.error('Error fetching document:', err);
res.status(500).json({ error: 'Failed to fetch document' });
}
}); });
// DELETE /api/knowledge-base/:id - Delete article // DELETE /api/knowledge-base/:id
router.delete('/:id', requireAuth(db), requireRole(db, 'editor', 'admin'), (req, res) => { router.delete('/:id', requireAuth(), requireGroup('Admin', 'Standard_User'), async (req, res) => {
const { id } = req.params; const { id } = req.params;
const sql = 'SELECT file_path, title FROM knowledge_base WHERE id = ?'; try {
const { rows } = await pool.query(
db.get(sql, [id], (err, row) => { 'SELECT file_path, title, created_by FROM knowledge_base WHERE id = $1', [id]
if (err) { );
console.error('Error fetching article for deletion:', err); const row = rows[0];
return res.status(500).json({ error: 'Failed to fetch article' });
}
if (!row) { if (!row) {
return res.status(404).json({ error: 'Article not found' }); return res.status(404).json({ error: 'Article not found' });
} }
// Delete database record // Ownership check: Standard_User can only delete articles they created
db.run('DELETE FROM knowledge_base WHERE id = ?', [id], (err) => { if (req.user.group === 'Standard_User' && row.created_by !== req.user.id) {
if (err) { return res.status(403).json({ error: 'You can only delete resources you created' });
console.error('Error deleting article:', err); }
return res.status(500).json({ error: 'Failed to delete article' });
}
// Delete file await pool.query('DELETE FROM knowledge_base WHERE id = $1', [id]);
if (fs.existsSync(row.file_path)) {
fs.unlinkSync(row.file_path);
}
// Log audit entry // Delete file
logAudit( if (fs.existsSync(row.file_path)) {
db, fs.unlinkSync(row.file_path);
req.user.id, }
req.user.username,
'DELETE_KB_ARTICLE',
'knowledge_base',
id,
JSON.stringify({ title: row.title }),
req.ip
);
res.json({ success: true }); logAudit({
userId: req.user.id,
username: req.user.username,
action: 'DELETE_KB_ARTICLE',
entityType: 'knowledge_base',
entityId: String(id),
details: { title: row.title },
ipAddress: req.ip
}); });
});
res.json({ success: true });
} catch (err) {
console.error('Error deleting article:', err);
res.status(500).json({ error: 'Failed to delete article' });
}
}); });
return router; return router;

5
backend/routes/nvdLookup.js
View File

@@ -1,13 +1,14 @@
// NVD CVE Lookup Routes // NVD CVE Lookup Routes
const express = require('express'); const express = require('express');
const { requireAuth } = require('../middleware/auth');
const CVE_ID_PATTERN = /^CVE-\d{4}-\d{4,}$/; const CVE_ID_PATTERN = /^CVE-\d{4}-\d{4,}$/;
function createNvdLookupRouter(db, requireAuth) { function createNvdLookupRouter() {
const router = express.Router(); const router = express.Router();
// All routes require authentication // All routes require authentication
router.use(requireAuth(db)); router.use(requireAuth());
// Lookup CVE details from NVD API 2.0 // Lookup CVE details from NVD API 2.0
router.get('/lookup/:cveId', async (req, res) => { router.get('/lookup/:cveId', async (req, res) => {

246
backend/routes/users.js
View File

@@ -1,27 +1,28 @@
// User Management Routes (Admin only) // User Management Routes (Admin only)
const express = require('express'); const express = require('express');
const bcrypt = require('bcryptjs'); const bcrypt = require('bcryptjs');
const pool = require('../db');
const { validateTeams } = require('../helpers/teams');
function createUsersRouter(db, requireAuth, requireRole, logAudit) { function createUsersRouter(requireAuth, requireGroup, logAudit) {
const router = express.Router(); const router = express.Router();
// All routes require admin role // All routes require Admin group
router.use(requireAuth(db), requireRole('admin')); router.use(requireAuth(), requireGroup('Admin'));
// Get all users // Get all users
router.get('/', async (req, res) => { router.get('/', async (req, res) => {
try { try {
const users = await new Promise((resolve, reject) => { const { rows: users } = await pool.query(
db.all( `SELECT id, username, email, user_group AS "group", bu_teams, is_active, created_at, last_login
`SELECT id, username, email, role, is_active, created_at, last_login FROM users ORDER BY created_at DESC`
FROM users ORDER BY created_at DESC`, );
(err, rows) => { // Parse bu_teams into teams array for each user
if (err) reject(err); const usersWithTeams = users.map(u => ({
else resolve(rows); ...u,
} teams: u.bu_teams ? u.bu_teams.split(',').filter(Boolean) : []
); }));
}); res.json(usersWithTeams);
res.json(users);
} catch (err) { } catch (err) {
console.error('Get users error:', err); console.error('Get users error:', err);
res.status(500).json({ error: 'Failed to fetch users' }); res.status(500).json({ error: 'Failed to fetch users' });
@@ -31,23 +32,22 @@ function createUsersRouter(db, requireAuth, requireRole, logAudit) {
// Get single user // Get single user
router.get('/:id', async (req, res) => { router.get('/:id', async (req, res) => {
try { try {
const user = await new Promise((resolve, reject) => { const { rows } = await pool.query(
db.get( `SELECT id, username, email, user_group AS "group", bu_teams, is_active, created_at, last_login
`SELECT id, username, email, role, is_active, created_at, last_login FROM users WHERE id = $1`,
FROM users WHERE id = ?`, [req.params.id]
[req.params.id], );
(err, row) => {
if (err) reject(err); const user = rows[0];
else resolve(row);
}
);
});
if (!user) { if (!user) {
return res.status(404).json({ error: 'User not found' }); return res.status(404).json({ error: 'User not found' });
} }
res.json(user); res.json({
...user,
teams: user.bu_teams ? user.bu_teams.split(',').filter(Boolean) : []
});
} catch (err) { } catch (err) {
console.error('Get user error:', err); console.error('Get user error:', err);
res.status(500).json({ error: 'Failed to fetch user' }); res.status(500).json({ error: 'Failed to fetch user' });
@@ -56,38 +56,47 @@ function createUsersRouter(db, requireAuth, requireRole, logAudit) {
// Create new user // Create new user
router.post('/', async (req, res) => { router.post('/', async (req, res) => {
const { username, email, password, role } = req.body; const { username, email, password, group, bu_teams } = req.body;
const VALID_GROUPS = ['Admin', 'Standard_User', 'Leadership', 'Read_Only'];
if (!username || !email || !password) { if (!username || !email || !password) {
return res.status(400).json({ error: 'Username, email, and password are required' }); return res.status(400).json({ error: 'Username, email, and password are required' });
} }
if (role && !['admin', 'editor', 'viewer'].includes(role)) { const userGroup = group || 'Read_Only';
return res.status(400).json({ error: 'Invalid role. Must be admin, editor, or viewer' });
if (!VALID_GROUPS.includes(userGroup)) {
return res.status(400).json({ error: 'Invalid group. Must be one of: Admin, Standard_User, Leadership, Read_Only' });
}
// Validate bu_teams if provided
const teamsStr = bu_teams || '';
if (teamsStr) {
const teamsResult = validateTeams(teamsStr);
if (!teamsResult.valid) {
return res.status(400).json({ error: `Invalid team(s): ${teamsResult.invalid.join(', ')}. Must be one of: STEAM, ACCESS-ENG, ACCESS-OPS, INTELDEV` });
}
} }
try { try {
const passwordHash = await bcrypt.hash(password, 10); const passwordHash = await bcrypt.hash(password, 10);
const result = await new Promise((resolve, reject) => { const { rows } = await pool.query(
db.run( `INSERT INTO users (username, email, password_hash, user_group, bu_teams)
`INSERT INTO users (username, email, password_hash, role) VALUES ($1, $2, $3, $4, $5)
VALUES (?, ?, ?, ?)`, RETURNING id`,
[username, email, passwordHash, role || 'viewer'], [username, email, passwordHash, userGroup, teamsStr]
function(err) { );
if (err) reject(err);
else resolve({ id: this.lastID });
}
);
});
logAudit(db, { const result = rows[0];
logAudit({
userId: req.user.id, userId: req.user.id,
username: req.user.username, username: req.user.username,
action: 'user_create', action: 'user_create',
entityType: 'user', entityType: 'user',
entityId: String(result.id), entityId: String(result.id),
details: { created_username: username, role: role || 'viewer' }, details: { created_username: username, group: userGroup, bu_teams: teamsStr },
ipAddress: req.ip ipAddress: req.ip
}); });
@@ -97,12 +106,14 @@ function createUsersRouter(db, requireAuth, requireRole, logAudit) {
id: result.id, id: result.id,
username, username,
email, email,
role: role || 'viewer' group: userGroup,
bu_teams: teamsStr,
teams: teamsStr ? teamsStr.split(',').filter(Boolean) : []
} }
}); });
} catch (err) { } catch (err) {
console.error('Create user error:', err); console.error('Create user error:', err);
if (err.message.includes('UNIQUE constraint failed')) { if (err.code === '23505') { // Postgres unique violation
return res.status(409).json({ error: 'Username or email already exists' }); return res.status(409).json({ error: 'Username or email already exists' });
} }
res.status(500).json({ error: 'Failed to create user' }); res.status(500).json({ error: 'Failed to create user' });
@@ -111,46 +122,76 @@ function createUsersRouter(db, requireAuth, requireRole, logAudit) {
// Update user // Update user
router.patch('/:id', async (req, res) => { router.patch('/:id', async (req, res) => {
const { username, email, password, role, is_active } = req.body; const { username, email, password, group, is_active, bu_teams } = req.body;
const VALID_GROUPS = ['Admin', 'Standard_User', 'Leadership', 'Read_Only'];
const userId = req.params.id; const userId = req.params.id;
// Prevent self-demotion from admin // Validate group if provided
if (userId == req.user.id && role && role !== 'admin') { if (group && !VALID_GROUPS.includes(group)) {
return res.status(400).json({ error: 'Cannot remove your own admin role' }); return res.status(400).json({ error: 'Invalid group. Must be one of: Admin, Standard_User, Leadership, Read_Only' });
}
// Prevent admin self-demotion
if (String(userId) === String(req.user.id) && group && group !== 'Admin') {
return res.status(400).json({ error: 'Cannot remove your own admin group' });
} }
// Prevent self-deactivation // Prevent self-deactivation
if (userId == req.user.id && is_active === false) { if (String(userId) === String(req.user.id) && is_active === false) {
return res.status(400).json({ error: 'Cannot deactivate your own account' }); return res.status(400).json({ error: 'Cannot deactivate your own account' });
} }
// Validate bu_teams if provided
if (typeof bu_teams === 'string') {
if (bu_teams !== '') {
const teamsResult = validateTeams(bu_teams);
if (!teamsResult.valid) {
return res.status(400).json({ error: `Invalid team(s): ${teamsResult.invalid.join(', ')}. Must be one of: STEAM, ACCESS-ENG, ACCESS-OPS, INTELDEV` });
}
}
}
try { try {
// Fetch current user record before update (needed for group change audit)
const { rows: currentRows } = await pool.query(
'SELECT user_group, bu_teams FROM users WHERE id = $1',
[userId]
);
const currentUser = currentRows[0];
if (!currentUser) {
return res.status(404).json({ error: 'User not found' });
}
const updates = []; const updates = [];
const values = []; const values = [];
let paramIndex = 1;
if (username) { if (username) {
updates.push('username = ?'); updates.push(`username = $${paramIndex++}`);
values.push(username); values.push(username);
} }
if (email) { if (email) {
updates.push('email = ?'); updates.push(`email = $${paramIndex++}`);
values.push(email); values.push(email);
} }
if (password) { if (password) {
const passwordHash = await bcrypt.hash(password, 10); const passwordHash = await bcrypt.hash(password, 10);
updates.push('password_hash = ?'); updates.push(`password_hash = $${paramIndex++}`);
values.push(passwordHash); values.push(passwordHash);
} }
if (role) { if (group) {
if (!['admin', 'editor', 'viewer'].includes(role)) { updates.push(`user_group = $${paramIndex++}`);
return res.status(400).json({ error: 'Invalid role' }); values.push(group);
}
updates.push('role = ?');
values.push(role);
} }
if (typeof is_active === 'boolean') { if (typeof is_active === 'boolean') {
updates.push('is_active = ?'); updates.push(`is_active = $${paramIndex++}`);
values.push(is_active ? 1 : 0); values.push(is_active);
}
if (typeof bu_teams === 'string') {
updates.push(`bu_teams = $${paramIndex++}`);
values.push(bu_teams);
} }
if (updates.length === 0) { if (updates.length === 0) {
@@ -159,25 +200,20 @@ function createUsersRouter(db, requireAuth, requireRole, logAudit) {
values.push(userId); values.push(userId);
await new Promise((resolve, reject) => { await pool.query(
db.run( `UPDATE users SET ${updates.join(', ')} WHERE id = $${paramIndex}`,
`UPDATE users SET ${updates.join(', ')} WHERE id = ?`, values
values, );
function(err) {
if (err) reject(err);
else resolve({ changes: this.changes });
}
);
});
const updatedFields = {}; const updatedFields = {};
if (username) updatedFields.username = username; if (username) updatedFields.username = username;
if (email) updatedFields.email = email; if (email) updatedFields.email = email;
if (role) updatedFields.role = role; if (group) updatedFields.group = group;
if (typeof is_active === 'boolean') updatedFields.is_active = is_active; if (typeof is_active === 'boolean') updatedFields.is_active = is_active;
if (password) updatedFields.password_changed = true; if (password) updatedFields.password_changed = true;
if (typeof bu_teams === 'string') updatedFields.bu_teams = bu_teams;
logAudit(db, { logAudit({
userId: req.user.id, userId: req.user.id,
username: req.user.username, username: req.user.username,
action: 'user_update', action: 'user_update',
@@ -187,17 +223,47 @@ function createUsersRouter(db, requireAuth, requireRole, logAudit) {
ipAddress: req.ip ipAddress: req.ip
}); });
// Log specific audit entry for group changes
if (group && group !== currentUser.user_group) {
logAudit({
userId: req.user.id,
username: req.user.username,
action: 'user_group_change',
entityType: 'user',
entityId: String(userId),
details: {
previous_group: currentUser.user_group,
new_group: group
},
ipAddress: req.ip
});
}
// Log specific audit entry for bu_teams changes
if (typeof bu_teams === 'string' && bu_teams !== (currentUser.bu_teams || '')) {
logAudit({
userId: req.user.id,
username: req.user.username,
action: 'user_teams_change',
entityType: 'user',
entityId: String(userId),
details: {
previous_teams: currentUser.bu_teams || '',
new_teams: bu_teams
},
ipAddress: req.ip
});
}
// If user was deactivated, delete their sessions // If user was deactivated, delete their sessions
if (is_active === false) { if (is_active === false) {
await new Promise((resolve) => { await pool.query('DELETE FROM sessions WHERE user_id = $1', [userId]);
db.run('DELETE FROM sessions WHERE user_id = ?', [userId], () => resolve());
});
} }
res.json({ message: 'User updated successfully' }); res.json({ message: 'User updated successfully' });
} catch (err) { } catch (err) {
console.error('Update user error:', err); console.error('Update user error:', err);
if (err.message.includes('UNIQUE constraint failed')) { if (err.code === '23505') { // Postgres unique violation
return res.status(409).json({ error: 'Username or email already exists' }); return res.status(409).json({ error: 'Username or email already exists' });
} }
res.status(500).json({ error: 'Failed to update user' }); res.status(500).json({ error: 'Failed to update user' });
@@ -209,37 +275,29 @@ function createUsersRouter(db, requireAuth, requireRole, logAudit) {
const userId = req.params.id; const userId = req.params.id;
// Prevent self-deletion // Prevent self-deletion
if (userId == req.user.id) { if (String(userId) === String(req.user.id)) {
return res.status(400).json({ error: 'Cannot delete your own account' }); return res.status(400).json({ error: 'Cannot delete your own account' });
} }
try { try {
// Look up the user before deleting // Look up the user before deleting
const targetUser = await new Promise((resolve, reject) => { const { rows: userRows } = await pool.query(
db.get('SELECT username FROM users WHERE id = ?', [userId], (err, row) => { 'SELECT username FROM users WHERE id = $1',
if (err) reject(err); [userId]
else resolve(row); );
}); const targetUser = userRows[0];
});
// Delete sessions first (foreign key) // Delete sessions first (foreign key)
await new Promise((resolve) => { await pool.query('DELETE FROM sessions WHERE user_id = $1', [userId]);
db.run('DELETE FROM sessions WHERE user_id = ?', [userId], () => resolve());
});
// Delete user // Delete user
const result = await new Promise((resolve, reject) => { const result = await pool.query('DELETE FROM users WHERE id = $1', [userId]);
db.run('DELETE FROM users WHERE id = ?', [userId], function(err) {
if (err) reject(err);
else resolve({ changes: this.changes });
});
});
if (result.changes === 0) { if (result.rowCount === 0) {
return res.status(404).json({ error: 'User not found' }); return res.status(404).json({ error: 'User not found' });
} }
logAudit(db, { logAudit({
userId: req.user.id, userId: req.user.id,
username: req.user.username, username: req.user.username,
action: 'user_delete', action: 'user_delete',

880
backend/routes/vclMultiVertical.js Normal file
View File

@@ -0,0 +1,880 @@
// VCL Multi-Vertical Routes — Cross-organizational compliance reporting
// Handles multi-file per-vertical xlsx upload, scoped resolution, and executive reporting.
const express = require('express');
const path = require('path');
const fs = require('fs');
const { spawn } = require('child_process');
const pool = require('../db');
const { requireAuth, requireGroup } = require('../middleware/auth');
const { parseVerticalFilename, computeVerticalBurndown, isValidDateString, categorizeNonCompliant } = require('../helpers/vclHelpers');
const logAudit = require('../helpers/auditLog');
const PARSER_SCRIPT = path.join(__dirname, '../scripts/parse_compliance_xlsx.py');
const PYTHON_BIN = process.env.PYTHON_BIN || 'python3';
const TEMP_DIR = path.join(process.cwd(), 'uploads', 'temp');
const VCL_TARGET_PCT = parseInt(process.env.VCL_TARGET_PCT, 10) || 95;
// ---------------------------------------------------------------------------
// Run Python parser, return parsed object
// ---------------------------------------------------------------------------
function parseXlsx(filePath) {
return new Promise((resolve, reject) => {
const py = spawn(PYTHON_BIN, [PARSER_SCRIPT, filePath]);
let out = '';
let err = '';
py.stdout.on('data', d => { out += d; });
py.stderr.on('data', d => { err += d; });
py.on('close', code => {
if (code !== 0) return reject(new Error(err || `Parser exited with code ${code}`));
try { resolve(JSON.parse(out)); }
catch (e) { reject(new Error('Parser returned invalid JSON')); }
});
py.on('error', reject);
});
}
// ---------------------------------------------------------------------------
// Compute scoped diff: only considers items within the same vertical
// ---------------------------------------------------------------------------
async function computeScopedDiff(incomingItems, vertical) {
const { rows: activeRows } = await pool.query(
`SELECT hostname, metric_id FROM compliance_items WHERE status = 'active' AND vertical = $1`,
[vertical]
);
const activeKeys = new Set(activeRows.map(r => `${r.hostname}|||${r.metric_id}`));
const newKeys = new Set(incomingItems.map(i => `${i.hostname}|||${i.metric_id}`));
let newCount = 0, recurringCount = 0, resolvedCount = 0;
for (const k of newKeys) { if (activeKeys.has(k)) recurringCount++; else newCount++; }
for (const k of activeKeys) { if (!newKeys.has(k)) resolvedCount++; }
return { newCount, recurringCount, resolvedCount };
}
// ---------------------------------------------------------------------------
// Persist a single vertical's upload with scoped resolution
// ---------------------------------------------------------------------------
async function persistMultiVerticalUpload({ items, summary, reportDate, filename, vertical, userId }, client) {
// Get active items for THIS vertical only
const { rows: activeRows } = await client.query(
`SELECT id, hostname, metric_id, seen_count, first_seen_upload_id FROM compliance_items
WHERE status = 'active' AND vertical = $1`,
[vertical]
);
const activeMap = {};
activeRows.forEach(r => { activeMap[`${r.hostname}|||${r.metric_id}`] = r; });
const newKeys = new Set(items.map(i => `${i.hostname}|||${i.metric_id}`));
// 1. Insert the upload record
const uploadResult = await client.query(
`INSERT INTO compliance_uploads (filename, report_date, uploaded_by, uploaded_at, vertical, summary_json)
VALUES ($1, $2, $3, NOW(), $4, $5)
RETURNING id`,
[filename, reportDate || null, userId || null, vertical, JSON.stringify(summary)]
);
const uploadId = uploadResult.rows[0].id;
let newCount = 0, recurringCount = 0, resolvedCount = 0;
// 2. Upsert each incoming non-compliant item
for (const item of items) {
const key = `${item.hostname}|||${item.metric_id}`;
const existing = activeMap[key];
const extraStr = JSON.stringify(item.extra_json || {});
if (existing) {
await client.query(
`UPDATE compliance_items
SET upload_id = $1, seen_count = $2, ip_address = $3, device_type = $4, extra_json = $5,
metric_desc = $6, category = $7, team = $8
WHERE id = $9`,
[uploadId, existing.seen_count + 1, item.ip_address, item.device_type, extraStr,
item.metric_desc, item.category, item.team, existing.id]
);
recurringCount++;
} else {
await client.query(
`INSERT INTO compliance_items
(upload_id, hostname, ip_address, device_type, team, metric_id, metric_desc,
category, extra_json, status, first_seen_upload_id, seen_count, vertical)
VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, 'active', $10, 1, $11)`,
[uploadId, item.hostname, item.ip_address, item.device_type, item.team,
item.metric_id, item.metric_desc, item.category, extraStr, uploadId, vertical]
);
newCount++;
}
}
// 3. Resolve items NOT present in this upload — SCOPED to this vertical only
for (const [key, row] of Object.entries(activeMap)) {
if (!newKeys.has(key)) {
await client.query(
`UPDATE compliance_items SET status = 'resolved', resolved_upload_id = $1 WHERE id = $2`,
[uploadId, row.id]
);
resolvedCount++;
}
}
// 4. Update upload with final counts
await client.query(
`UPDATE compliance_uploads SET new_count = $1, resolved_count = $2, recurring_count = $3 WHERE id = $4`,
[newCount, resolvedCount, recurringCount, uploadId]
);
// 5. Store summary entries in vcl_multi_vertical_summary
if (summary && summary.entries && summary.entries.length > 0) {
for (const entry of summary.entries) {
await client.query(
`INSERT INTO vcl_multi_vertical_summary
(upload_id, vertical, metric_id, metric_desc, category, team, priority,
non_compliant, compliant, total, compliance_pct, target, status)
VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13)`,
[uploadId, vertical, entry.metric_id, entry.description || entry.metric_desc || '',
entry.category || 'Other', entry.team || '', entry.priority || '',
entry.non_compliant || 0, entry.compliant || 0, entry.total || 0,
entry.compliance_pct || 0, entry.target || 0, entry.status || '']
);
}
}
// 6. Create/update compliance_snapshots for this vertical
const currentMonth = new Date().toISOString().slice(0, 7);
const { rows: verticalStats } = await client.query(
`SELECT
COUNT(DISTINCT hostname)::int AS total_devices,
COUNT(DISTINCT CASE WHEN status = 'active' THEN hostname END)::int AS non_compliant
FROM compliance_items
WHERE vertical = $1`,
[vertical]
);
const vs = verticalStats[0] || { total_devices: 0, non_compliant: 0 };
const totalDevices = vs.total_devices;
const compliant = totalDevices - vs.non_compliant;
const compPct = totalDevices > 0 ? Math.round((compliant / totalDevices) * 100 * 100) / 100 : 0;
await client.query(
`INSERT INTO compliance_snapshots (snapshot_month, vertical, total_devices, compliant, non_compliant, compliance_pct)
VALUES ($1, $2, $3, $4, $5, $6)
ON CONFLICT (snapshot_month, vertical)
DO UPDATE SET total_devices = $3, compliant = $4, non_compliant = $5, compliance_pct = $6`,
[currentMonth, vertical, totalDevices, compliant, vs.non_compliant, compPct]
);
return { uploadId, newCount, recurringCount, resolvedCount };
}
// ---------------------------------------------------------------------------
// Safe temp path check
// ---------------------------------------------------------------------------
function isSafeTempPath(filePath) {
const resolved = path.resolve(filePath);
return resolved.startsWith(path.resolve(TEMP_DIR) + path.sep) && path.extname(resolved) === '.json';
}
// ---------------------------------------------------------------------------
// Router factory
// ---------------------------------------------------------------------------
function createVCLMultiVerticalRouter(upload) {
const router = express.Router();
// All routes require authentication
router.use(requireAuth());
/**
* POST /preview
* Accepts multiple xlsx files, parses each, extracts vertical from filename,
* computes per-vertical scoped diffs, and stores parsed data in temp files.
*
* @method POST
* @route /preview
* @group Admin, Standard_User
*
* @body multipart/form-data
* - files: File[] — 114 xlsx files with naming convention <VERTICAL>_YYYY_MM_DD.xlsx
*
* @response 200
* {
* files: Array<{
* filename: string,
* vertical: string,
* report_date: string,
* total_items: number,
* summary_entries: number,
* diff: { new_count: number, recurring_count: number, resolved_count: number },
* tempFile: string
* }>,
* unrecognized: Array<{ filename: string, error: string }>
* }
* @response 400 { error: string } — upload error or no files provided
*/
router.post('/preview', requireGroup('Admin', 'Standard_User'), (req, res) => {
upload.array('files', 14)(req, res, async (uploadErr) => {
if (uploadErr) return res.status(400).json({ error: uploadErr.message });
if (!req.files || req.files.length === 0) return res.status(400).json({ error: 'No files uploaded' });
const results = [];
const unrecognized = [];
const seenVerticals = new Set();
if (!fs.existsSync(TEMP_DIR)) fs.mkdirSync(TEMP_DIR, { recursive: true });
for (const file of req.files) {
const ext = path.extname(file.originalname).toLowerCase();
if (ext !== '.xlsx') {
unrecognized.push({ filename: file.originalname, error: 'Not an xlsx file' });
fs.unlink(file.path, () => {});
continue;
}
// Extract vertical from filename
const parsed = parseVerticalFilename(file.originalname);
if (!parsed) {
unrecognized.push({ filename: file.originalname, error: 'Filename does not match pattern <VERTICAL>_YYYY_MM_DD.xlsx' });
fs.unlink(file.path, () => {});
continue;
}
// Check for duplicate verticals in the same batch
if (seenVerticals.has(parsed.vertical)) {
unrecognized.push({ filename: file.originalname, error: `Duplicate vertical "${parsed.vertical}" in batch` });
fs.unlink(file.path, () => {});
continue;
}
seenVerticals.add(parsed.vertical);
try {
const xlsxData = await parseXlsx(file.path);
if (xlsxData.error) {
unrecognized.push({ filename: file.originalname, error: xlsxData.error });
fs.unlink(file.path, () => {});
continue;
}
// Compute scoped diff for this vertical
const diff = await computeScopedDiff(xlsxData.items, parsed.vertical);
// Store parsed data in temp file
const tempFilename = `vcl_multi_${parsed.vertical}_${Date.now()}_${Math.random().toString(36).slice(2)}.json`;
const tempFilePath = path.join(TEMP_DIR, tempFilename);
fs.writeFileSync(tempFilePath, JSON.stringify({
items: xlsxData.items,
summary: xlsxData.summary,
report_date: parsed.date,
vertical: parsed.vertical,
filename: file.originalname.replace(/[^\w.\-() ]/g, '_'),
}));
results.push({
filename: file.originalname,
vertical: parsed.vertical,
report_date: parsed.date,
total_items: xlsxData.total || xlsxData.items.length,
summary_entries: (xlsxData.summary && xlsxData.summary.entries) ? xlsxData.summary.entries.length : 0,
diff: { new_count: diff.newCount, recurring_count: diff.recurringCount, resolved_count: diff.resolvedCount },
tempFile: tempFilePath,
});
} catch (parseErr) {
unrecognized.push({ filename: file.originalname, error: parseErr.message });
} finally {
fs.unlink(file.path, () => {});
}
}
res.json({ files: results, unrecognized });
});
});
/**
* POST /commit
* Commits all previewed files in a single transaction with vertical-scoped resolution.
*
* @method POST
* @route /commit
* @group Admin, Standard_User
*
* @body application/json
* {
* files: Array<{
* tempFile: string,
* vertical?: string,
* report_date?: string,
* filename?: string
* }>
* }
*
* @response 200
* {
* committed: Array<{
* vertical: string,
* upload_id: number,
* new_count: number,
* recurring_count: number,
* resolved_count: number
* }>,
* total_new: number,
* total_resolved: number
* }
* @response 400 { error: string } — invalid/missing tempFile or expired preview session
* @response 500 { error: string } — transaction failure
*/
router.post('/commit', requireGroup('Admin', 'Standard_User'), async (req, res) => {
const { files } = req.body;
if (!files || !Array.isArray(files) || files.length === 0) {
return res.status(400).json({ error: 'files array is required' });
}
// Validate all temp files exist before starting transaction
for (const file of files) {
if (!file.tempFile || !isSafeTempPath(file.tempFile)) {
return res.status(400).json({ error: `Invalid tempFile path for ${file.vertical || 'unknown'}` });
}
if (!fs.existsSync(file.tempFile)) {
return res.status(400).json({ error: `Preview session expired for ${file.vertical || 'unknown'} — please upload again` });
}
}
const client = await pool.connect();
try {
await client.query('BEGIN');
const committed = [];
for (const file of files) {
let parsed;
try { parsed = JSON.parse(fs.readFileSync(file.tempFile, 'utf8')); }
catch { throw new Error(`Could not read preview data for ${file.vertical}`); }
const result = await persistMultiVerticalUpload({
items: parsed.items,
summary: parsed.summary,
reportDate: file.report_date || parsed.report_date,
filename: file.filename || parsed.filename,
vertical: file.vertical || parsed.vertical,
userId: req.user?.id || null,
}, client);
committed.push({
vertical: file.vertical || parsed.vertical,
upload_id: result.uploadId,
new_count: result.newCount,
recurring_count: result.recurringCount,
resolved_count: result.resolvedCount,
});
}
await client.query('COMMIT');
// Clean up temp files
for (const file of files) {
fs.unlink(file.tempFile, () => {});
}
// Audit log
logAudit({
userId: req.user.id,
username: req.user.username,
action: 'vcl_multi_vertical_upload',
entityType: 'compliance_uploads',
entityId: null,
details: {
verticals: committed.map(c => c.vertical),
total_new: committed.reduce((s, c) => s + c.new_count, 0),
total_resolved: committed.reduce((s, c) => s + c.resolved_count, 0),
},
ipAddress: req.ip,
});
res.json({
committed,
total_new: committed.reduce((s, c) => s + c.new_count, 0),
total_resolved: committed.reduce((s, c) => s + c.resolved_count, 0),
});
} catch (err) {
await client.query('ROLLBACK');
// Clean up temp files on failure too
for (const file of files) {
if (file.tempFile) fs.unlink(file.tempFile, () => {});
}
console.error('[VCL Multi] Commit error:', err.message);
res.status(500).json({ error: 'Failed to commit batch: ' + err.message });
} finally {
client.release();
}
});
/**
* GET /stats
* Returns aggregated cross-vertical executive summary statistics.
*
* @method GET
* @route /stats
*
* @response 200
* {
* stats: {
* total_devices: number,
* compliant: number,
* non_compliant: number,
* compliance_pct: number,
* target_pct: number
* },
* donut: { blocked: number, in_progress: number },
* vertical_breakdown: Array<{
* vertical: string,
* total_devices: number,
* compliant: number,
* non_compliant: number,
* compliance_pct: number,
* blockers: number,
* forecast_burndown: Array<{ month: string, projected_remaining: number }>,
* last_upload: string|null
* }>,
* last_upload_date: string|null
* }
* @response 500 { error: string }
*/
router.get('/stats', async (req, res) => {
try {
// Aggregate device-level stats across all multi-vertical items
const { rows: statsRows } = await pool.query(`
SELECT
COUNT(DISTINCT hostname)::int AS total_devices,
COUNT(DISTINCT CASE WHEN status = 'active' THEN hostname END)::int AS non_compliant
FROM compliance_items
WHERE vertical IS NOT NULL
`);
const raw = statsRows[0] || { total_devices: 0, non_compliant: 0 };
const total_devices = raw.total_devices;
const non_compliant = raw.non_compliant;
const compliant = total_devices - non_compliant;
const compliance_pct = total_devices > 0 ? Math.round((compliant / total_devices) * 100) : 0;
// Donut: blocked vs in-progress across all verticals
const { rows: donutRows } = await pool.query(`
SELECT hostname, MAX(resolution_date) AS resolution_date
FROM compliance_items
WHERE vertical IS NOT NULL AND status = 'active'
GROUP BY hostname
`);
const donutItems = donutRows.map(r => ({ resolution_date: r.resolution_date }));
const donut = categorizeNonCompliant(donutItems);
// Per-vertical breakdown
const { rows: verticalRows } = await pool.query(`
SELECT
vertical,
COUNT(DISTINCT hostname)::int AS total_devices,
COUNT(DISTINCT CASE WHEN status = 'active' THEN hostname END)::int AS non_compliant
FROM compliance_items
WHERE vertical IS NOT NULL
GROUP BY vertical
ORDER BY vertical
`);
// Get last upload date per vertical
const { rows: uploadDates } = await pool.query(`
SELECT vertical, MAX(report_date) AS last_upload
FROM compliance_uploads
WHERE vertical IS NOT NULL
GROUP BY vertical
`);
const uploadDateMap = {};
uploadDates.forEach(r => { uploadDateMap[r.vertical] = r.last_upload; });
// Get burndown data per vertical
const { rows: burndownRows } = await pool.query(`
SELECT vertical, hostname, resolution_date
FROM compliance_items
WHERE vertical IS NOT NULL AND status = 'active'
`);
// Group by vertical for burndown computation
const burndownByVertical = {};
for (const row of burndownRows) {
if (!burndownByVertical[row.vertical]) burndownByVertical[row.vertical] = [];
burndownByVertical[row.vertical].push(row);
}
const vertical_breakdown = verticalRows.map(v => {
const totalDev = v.total_devices;
const comp = totalDev - v.non_compliant;
const pct = totalDev > 0 ? Math.round((comp / totalDev) * 100) : 0;
const items = burndownByVertical[v.vertical] || [];
const burndown = computeVerticalBurndown(items);
return {
vertical: v.vertical,
total_devices: totalDev,
compliant: comp,
non_compliant: v.non_compliant,
compliance_pct: pct,
blockers: burndown.blockers,
forecast_burndown: burndown.monthly,
last_upload: uploadDateMap[v.vertical] || null,
};
});
res.json({
stats: {
total_devices,
compliant,
non_compliant,
compliance_pct,
target_pct: VCL_TARGET_PCT,
},
donut,
vertical_breakdown,
last_upload_date: uploadDates.length > 0 ? uploadDates.reduce((max, r) => r.last_upload > max ? r.last_upload : max, '') : null,
});
} catch (err) {
console.error('[VCL Multi] GET /stats error:', err.message);
res.status(500).json({ error: 'Database error' });
}
});
/**
* GET /trend
* Returns monthly compliance trend data aggregated across all verticals.
* Includes linear regression forecast when 3+ months of data exist.
*
* @method GET
* @route /trend
*
* @response 200
* {
* months: Array<{
* month: string,
* compliant_count: number|null,
* compliance_pct: number|null,
* forecast_pct: number|null,
* target_pct: number
* }>
* }
* @response 500 { error: string }
*/
router.get('/trend', async (req, res) => {
try {
// Get snapshots for multi-vertical data (vertical IS NOT NULL)
const { rows: snapshots } = await pool.query(`
SELECT snapshot_month, SUM(total_devices)::int AS total_devices,
SUM(compliant)::int AS compliant, SUM(non_compliant)::int AS non_compliant
FROM compliance_snapshots
WHERE vertical IS NOT NULL AND vertical != ''
GROUP BY snapshot_month
ORDER BY snapshot_month ASC
`);
if (snapshots.length === 0) return res.json({ months: [] });
const months = snapshots.map(s => {
const total = s.total_devices;
const pct = total > 0 ? Math.round((s.compliant / total) * 100 * 10) / 10 : 0;
return {
month: s.snapshot_month,
compliant_count: s.compliant,
compliance_pct: pct,
forecast_pct: null,
target_pct: VCL_TARGET_PCT,
};
});
// Compute forecast using linear regression if we have 3+ months
if (months.length >= 3) {
const n = months.length;
let sumX = 0, sumY = 0, sumXY = 0, sumX2 = 0;
for (let i = 0; i < n; i++) {
sumX += i;
sumY += months[i].compliance_pct;
sumXY += i * months[i].compliance_pct;
sumX2 += i * i;
}
const slope = (n * sumXY - sumX * sumY) / (n * sumX2 - sumX * sumX);
const intercept = (sumY - slope * sumX) / n;
// Project forward 3 months
for (let i = 0; i < 3; i++) {
const futureIdx = n + i;
const forecastPct = Math.min(100, Math.max(0, Math.round((slope * futureIdx + intercept) * 10) / 10));
const lastMonth = months[months.length - 1].month;
const [year, mon] = lastMonth.split('-').map(Number);
const futureDate = new Date(year, mon - 1 + i + 1, 1);
const futureMonth = `${futureDate.getFullYear()}-${String(futureDate.getMonth() + 1).padStart(2, '0')}`;
months.push({
month: futureMonth,
compliant_count: null,
compliance_pct: null,
forecast_pct: forecastPct,
target_pct: VCL_TARGET_PCT,
});
}
// Add forecast_pct to last actual month as starting point
if (n > 0) {
months[n - 1].forecast_pct = months[n - 1].compliance_pct;
}
}
res.json({ months });
} catch (err) {
console.error('[VCL Multi] GET /trend error:', err.message);
res.status(500).json({ error: 'Database error' });
}
});
/**
* GET /vertical/:code/metrics
* Returns per-metric breakdown for a specific vertical from the latest upload's summary data.
*
* @method GET
* @route /vertical/:code/metrics
* @param {string} code — vertical code (e.g., "NTS_AEO", "SDIT_CISO")
*
* @response 200
* {
* vertical: string,
* metrics: Array<{
* metric_id: string,
* metric_desc: string,
* category: string,
* team: string,
* priority: string,
* non_compliant: number,
* compliant: number,
* total: number,
* compliance_pct: number,
* target: number,
* status: string
* }>,
* categories: Array<{
* category: string,
* non_compliant: number,
* compliant: number,
* total: number,
* compliance_pct: number
* }>
* }
* @response 400 { error: string } — invalid vertical code
* @response 500 { error: string }
*/
router.get('/vertical/:code/metrics', async (req, res) => {
const vertical = req.params.code;
if (!vertical || vertical.length > 100) return res.status(400).json({ error: 'Invalid vertical code' });
try {
// Get the latest upload for this vertical
const { rows: latestUpload } = await pool.query(
`SELECT id FROM compliance_uploads WHERE vertical = $1 ORDER BY id DESC LIMIT 1`,
[vertical]
);
if (latestUpload.length === 0) return res.json({ vertical, metrics: [], categories: [] });
const uploadId = latestUpload[0].id;
// Get per-metric summary data
const { rows: metrics } = await pool.query(
`SELECT metric_id, metric_desc, category, team, priority,
non_compliant, compliant, total, compliance_pct, target, status
FROM vcl_multi_vertical_summary
WHERE upload_id = $1 AND vertical = $2
ORDER BY category, metric_id`,
[uploadId, vertical]
);
// Aggregate by category
const categoryMap = {};
for (const m of metrics) {
const cat = m.category || 'Other';
if (!categoryMap[cat]) categoryMap[cat] = { category: cat, non_compliant: 0, compliant: 0, total: 0 };
categoryMap[cat].non_compliant += m.non_compliant;
categoryMap[cat].compliant += m.compliant;
categoryMap[cat].total += m.total;
}
const categories = Object.values(categoryMap).map(c => ({
...c,
compliance_pct: c.total > 0 ? Math.round((c.compliant / c.total) * 100 * 10) / 10 : 0,
}));
res.json({ vertical, metrics, categories });
} catch (err) {
console.error('[VCL Multi] GET /vertical/:code/metrics error:', err.message);
res.status(500).json({ error: 'Database error' });
}
});
/**
* GET /vertical/:code/metric/:metricId/devices
* Returns the list of non-compliant devices for a specific vertical + metric.
*
* @method GET
* @route /vertical/:code/metric/:metricId/devices
* @param {string} code — vertical code (e.g., "NTS_AEO")
* @param {string} metricId — metric identifier (e.g., "VM-001")
*
* @response 200
* {
* vertical: string,
* metric_id: string,
* devices: Array<{
* hostname: string,
* ip_address: string,
* device_type: string,
* team: string,
* seen_count: number,
* resolution_date: string|null,
* remediation_plan: string|null,
* first_seen: string|null,
* last_seen: string|null
* }>
* }
* @response 400 { error: string } — invalid vertical code or metric ID
* @response 500 { error: string }
*/
router.get('/vertical/:code/metric/:metricId/devices', async (req, res) => {
const vertical = req.params.code;
const metricId = req.params.metricId;
if (!vertical || vertical.length > 100) return res.status(400).json({ error: 'Invalid vertical code' });
if (!metricId || metricId.length > 50) return res.status(400).json({ error: 'Invalid metric ID' });
try {
const { rows } = await pool.query(
`SELECT ci.hostname, ci.ip_address, ci.device_type, ci.team, ci.seen_count,
ci.resolution_date, ci.remediation_plan,
fu.report_date AS first_seen, lu.report_date AS last_seen
FROM compliance_items ci
LEFT JOIN compliance_uploads fu ON ci.first_seen_upload_id = fu.id
LEFT JOIN compliance_uploads lu ON ci.upload_id = lu.id
WHERE ci.vertical = $1 AND ci.metric_id = $2 AND ci.status = 'active'
ORDER BY ci.hostname`,
[vertical, metricId]
);
res.json({ vertical, metric_id: metricId, devices: rows });
} catch (err) {
console.error('[VCL Multi] GET /vertical/:code/metric/:metricId/devices error:', err.message);
res.status(500).json({ error: 'Database error' });
}
});
/**
* GET /vertical/:code/burndown
* Returns burndown forecast for a specific vertical.
* Deduplicates devices by hostname and computes monthly projected resolution.
*
* @method GET
* @route /vertical/:code/burndown
* @param {string} code — vertical code (e.g., "TSI")
*
* @response 200
* {
* vertical: string,
* blockers: number,
* in_progress: number,
* monthly: Array<{ month: string, projected_remaining: number }>
* }
* @response 400 { error: string } — invalid vertical code
* @response 500 { error: string }
*/
router.get('/vertical/:code/burndown', async (req, res) => {
const vertical = req.params.code;
if (!vertical || vertical.length > 100) return res.status(400).json({ error: 'Invalid vertical code' });
try {
const { rows } = await pool.query(
`SELECT hostname, resolution_date
FROM compliance_items
WHERE vertical = $1 AND status = 'active'`,
[vertical]
);
// Deduplicate by hostname (a device may have multiple failing metrics)
const deviceMap = {};
for (const row of rows) {
if (!deviceMap[row.hostname]) {
deviceMap[row.hostname] = { hostname: row.hostname, resolution_date: row.resolution_date };
} else if (row.resolution_date && !deviceMap[row.hostname].resolution_date) {
// If any metric has a resolution date, the device counts as "in progress"
deviceMap[row.hostname].resolution_date = row.resolution_date;
}
}
const devices = Object.values(deviceMap);
const burndown = computeVerticalBurndown(devices);
res.json({ vertical, ...burndown });
} catch (err) {
console.error('[VCL Multi] GET /vertical/:code/burndown error:', err.message);
res.status(500).json({ error: 'Database error' });
}
});
/**
* GET /uploads
* Returns upload history for multi-vertical uploads (most recent 100).
*
* @method GET
* @route /uploads
*
* @response 200
* {
* uploads: Array<{
* id: number,
* filename: string,
* report_date: string|null,
* uploaded_at: string,
* vertical: string,
* new_count: number,
* resolved_count: number,
* recurring_count: number
* }>
* }
* @response 500 { error: string }
*/
router.get('/uploads', async (req, res) => {
try {
const { rows } = await pool.query(
`SELECT id, filename, report_date, uploaded_at, vertical, new_count, resolved_count, recurring_count
FROM compliance_uploads
WHERE vertical IS NOT NULL
ORDER BY id DESC
LIMIT 100`
);
res.json({ uploads: rows });
} catch (err) {
console.error('[VCL Multi] GET /uploads error:', err.message);
res.status(500).json({ error: 'Database error' });
}
});
/**
* GET /verticals
* Returns the list of known verticals derived from compliance_items records.
*
* @method GET
* @route /verticals
*
* @response 200
* {
* verticals: string[]
* }
* @response 500 { error: string }
*/
router.get('/verticals', async (req, res) => {
try {
const { rows } = await pool.query(
`SELECT DISTINCT vertical FROM compliance_items WHERE vertical IS NOT NULL ORDER BY vertical`
);
res.json({ verticals: rows.map(r => r.vertical) });
} catch (err) {
console.error('[VCL Multi] GET /verticals error:', err.message);
res.status(500).json({ error: 'Database error' });
}
});
return router;
}
module.exports = { createVCLMultiVerticalRouter };

388
backend/scripts/card-granite-lookup.js Normal file
View File

@@ -0,0 +1,388 @@
#!/usr/bin/env node
// ==========================================================================
// CARD → Granite Lookup Script (v2)
// ==========================================================================
// Queries CARD team assets endpoint (which returns full enriched records
// including ncim_discovery with EQUIP_INST_ID) for the 109 reassigned IPs
// from the findings-count investigation Appendix C.
//
// Generates:
// docs/card-lookup-results.csv — full CARD data for review
// docs/granite-reassignment-upload.csv — Team_Device Loader format
//
// Usage:
// cd backend
// node scripts/card-granite-lookup.js
// ==========================================================================
require('dotenv').config({ path: require('path').join(__dirname, '..', '.env') });
const cardApi = require('../helpers/cardApi');
const fs = require('fs');
const path = require('path');
// ---------------------------------------------------------------------------
// IP → hostname mapping from Appendix C
// ---------------------------------------------------------------------------
const REASSIGNED = {
// With approved FP workflows (58)
'98.120.0.78': 'syn-098-120-000-078', '98.120.32.185': 'syn-098-120-032-185',
'10.240.78.177': 'mon15-agg-sw', '10.240.78.176': 'mon16-agg-sw',
'10.240.78.133': 'mon15-sw14', '10.240.78.130': 'mon15-sw11',
'10.240.78.150': 'mon19-sw3', '10.240.78.107': 'mon16-sw2',
'10.240.78.110': 'mon16-sw5', '10.240.78.106': 'mon16-sw1',
'10.240.78.149': 'mon19-sw2', '10.240.78.154': 'mon19-sw7',
'10.240.78.111': 'mon16-sw6', '10.240.78.153': 'mon19-sw6',
'10.240.78.132': 'mon15-sw13', '10.240.78.115': 'mon16-sw10',
'10.240.78.109': 'mon16-sw4', '10.240.78.112': 'mon16-sw7',
'10.240.78.119': 'mon16-sw14', '10.240.78.114': 'mon16-sw9',
'10.240.78.118': 'mon16-sw13', '10.240.78.117': 'mon16-sw12',
'10.240.78.108': 'mon16-sw3', '10.240.78.155': 'mon19-sw8',
'10.240.78.157': 'mon19-sw10', '10.240.78.151': 'mon19-sw4',
'10.240.78.116': 'mon16-sw11', '10.240.78.152': 'mon19-sw5',
'10.240.78.161': 'mon19-sw14', '10.240.78.160': 'mon19-sw13',
'10.240.78.159': 'mon19-sw12', '10.240.78.158': 'mon19-sw11',
'10.240.78.123': 'mon15-sw4', '10.240.78.137': 'mon20-sw4',
'10.240.78.148': 'mon19-sw1', '10.240.78.125': 'mon15-sw6',
'10.240.78.156': 'mon19-sw9', '10.241.0.63': '',
'10.244.11.51': 'apc01se1shcc-n01-bmc', '172.27.72.1': '',
'96.37.185.145': '', '10.240.78.170': 'mon17-sw9',
'10.240.78.172': 'mon17-sw11', '10.240.78.169': 'mon17-sw8',
'10.240.78.166': 'mon17-sw5', '10.240.78.174': 'mon17-sw13',
'10.240.78.173': 'mon17-sw12', '10.240.78.167': 'mon17-sw6',
'10.240.78.175': 'mon17-sw14', '10.240.78.168': 'mon17-sw7',
'10.240.78.171': 'mon17-sw10', '66.61.128.10': 'syn-066-061-128-010',
'66.61.128.233': 'apa01se1shcc-bvi101-secondary',
'66.61.128.49': 'syn-066-061-128-049', '66.61.128.18': 'syn-066-061-128-018',
'10.244.4.26': '', '10.244.11.5': '', '10.244.11.6': '',
// With rejected FP workflows (8)
'10.244.4.55': 'apc15se1shcc-n03', '10.244.11.53': 'apc01se1shcc-n03-bmc',
'10.244.4.30': '', '10.244.11.63': 'apc04se1shcc-n01-cimc',
'24.28.208.125': '', '24.28.210.101': 'syn-024-028-210-101',
'10.244.11.27': '', '10.240.1.203': '',
// Without FP workflows (43)
'10.240.78.20': '', '172.16.1.229': '',
'10.244.11.96': '', '10.244.11.54': 'apc02se1shcc-n01-cimc',
'10.244.4.51': 'apc14se1shcc-n02', '10.244.11.86': '',
'10.244.11.55': 'apc02se1shcc-n02-cimc', '24.28.208.105': 'syn-024-028-208-105',
'10.244.4.50': 'apc14se1shcc-n01', '10.244.4.53': 'apc15se1shcc-n01',
'10.244.11.73': 'apc07se1shcc-n02-cimc', '10.244.11.64': 'apc04se1shcc-n02-cimc',
'10.244.4.54': 'apc15se1shcc-n02', '10.244.4.28': '',
'10.244.11.94': '', '10.241.0.43': 'c220-wzp27340ss5',
'10.244.11.56': 'apc02se1shcc-n03-cimc', '10.244.11.66': 'apc05se1shcc-n01-bmc',
'10.244.4.47': 'apc13se1shcc-n01', '10.244.4.49': 'apc13se1shcc-n03',
'10.244.4.52': 'apc14se1shcc-n03', '10.244.11.72': 'apc07se1shcc-n01-cimc',
'10.244.4.25': 'apc02ctsbcom7-n03-cimc', '10.244.4.29': '',
'10.244.11.74': 'apc07se1shcc-n03-cimc', '10.244.4.48': 'apc13se1shcc-n02',
'10.244.11.65': 'apc04se1shcc-n03-cimc', '10.244.4.24': 'apc02ctsbcom7-n02-cimc',
'10.244.11.87': '', '10.244.11.68': 'apc05se1shcc-n03-bmc',
'10.244.11.67': 'apc05se1shcc-n02-bmc', '10.244.4.23': 'apc02ctsbcom7-n01-cimc',
'10.244.11.57': '', '10.244.11.95': '',
'98.120.32.145': 'syn-098-120-032-145', '98.120.0.129': 'syn-098-120-000-129',
'68.114.184.84': 'rphy-runner-vecima',
};
const TARGET_IPS = new Set(Object.keys(REASSIGNED));
// ---------------------------------------------------------------------------
// Fetch all assets for both teams, then match against our IP list
// ---------------------------------------------------------------------------
async function fetchTeamAssets(teamName) {
const allAssets = [];
let page = 1;
const pageSize = 200;
while (true) {
// Fetch confirmed assets (these have the richest data)
const result = await cardApi.getTeamAssets(teamName, {
disposition: 'confirmed',
page,
pageSize,
});
if (!result.ok) {
console.error(` Failed to fetch ${teamName} page ${page}: HTTP ${result.status}`);
break;
}
let data;
try { data = JSON.parse(result.body); } catch (_) { break; }
const assets = Array.isArray(data) ? data : (data.assets || data.results || []);
allAssets.push(...assets);
const total = data.total || assets.length;
console.log(` ${teamName} page ${page}: ${assets.length} assets (total: ${total})`);
if (allAssets.length >= total || assets.length === 0) break;
page++;
}
return allAssets;
}
function extractIPFromAssetId(assetId) {
// Asset IDs are like "10.240.78.110-CTEC" — strip the suffix
if (!assetId) return null;
const parts = assetId.split('-');
// Rejoin all but the last part (the suffix like CTEC, NATL, etc.)
// But only if the last part looks like a suffix (not a number)
const last = parts[parts.length - 1];
if (/^\d+$/.test(last)) return assetId; // All numeric, probably just an IP
return parts.slice(0, -1).join('-');
}
function extractGraniteData(asset) {
const id = asset._id || '';
const ip = extractIPFromAssetId(id);
const flags = (asset.card_flags && asset.card_flags[0]) || {};
const ncim = asset.ncim_discovery || [];
const qualys = asset.qualys_hosts || [];
const ivanti = asset.ivanti_assets || [];
const granite = asset.netops_granite_allips || null;
const iseGranite = asset.ise_granite_equipment || null;
// Extract EQUIP_INST_ID from ncim_discovery (primary source)
let equipInstId = null;
let graniteTeam = null;
let entityId = null;
let sysLocation = null;
let ncimHostname = null;
if (ncim.length > 0) {
equipInstId = ncim[0].EQUIP_INST_ID || null;
graniteTeam = ncim[0].GRANITE_RESP_TEAM || ncim[0].RESPONSIBLE_TEAM || null;
entityId = ncim[0].ENTITYID || null;
sysLocation = ncim[0].SYSLOCATION || null;
ncimHostname = ncim[0].HOSTNAME || null;
}
// Fallback: check netops_granite_allips
if (!equipInstId && granite && Array.isArray(granite) && granite.length > 0) {
equipInstId = granite[0].EQUIP_INST_ID || null;
}
// Fallback: check ise_granite_equipment
if (!equipInstId && iseGranite && Array.isArray(iseGranite) && iseGranite.length > 0) {
equipInstId = iseGranite[0].EQUIP_INST_ID || null;
}
const hostname = ncimHostname
|| (flags.CARD_HOSTNAME && flags.CARD_HOSTNAME[0])
|| (qualys.length > 0 && qualys[0].HOSTNAME)
|| (ivanti.length > 0 && ivanti[0].hostName)
|| '';
const confirmedTeam = asset.owner && asset.owner.confirmed
? asset.owner.confirmed.name : null;
return {
ip,
assetId: id,
hostname,
equipInstId,
graniteTeam,
entityId,
sysLocation,
confirmedTeam,
deviceId: flags.CARD_DEVICE_ID || null,
asn: flags.CARD_ASN || null,
vendorModel: (flags.CARD_VENDOR_MODEL || []).map(v => v.vendor_model || v).join(', '),
status: flags.status || null,
};
}
// ---------------------------------------------------------------------------
// Main
// ---------------------------------------------------------------------------
async function main() {
console.log('=== CARD → Granite Lookup (v2 — team assets endpoint) ===');
console.log(`Target IPs: ${TARGET_IPS.size}`);
console.log(`CARD_API_URL: ${process.env.CARD_API_URL}`);
console.log('');
if (!cardApi.isConfigured) {
console.error('CARD API is not configured.');
process.exit(1);
}
// Fetch assets from both teams
const teams = ['NTS-AEO-STEAM', 'NTS-AEO-ACCESS-ENG'];
const allAssets = [];
for (const team of teams) {
console.log(`Fetching ${team}...`);
const assets = await fetchTeamAssets(team);
allAssets.push(...assets);
console.log(` Total: ${assets.length} assets\n`);
}
// Also fetch candidate/unconfirmed in case some were reassigned
for (const team of teams) {
for (const disp of ['candidate', 'unconfirmed']) {
console.log(`Fetching ${team} (${disp})...`);
try {
const result = await cardApi.getTeamAssets(team, { disposition: disp, pageSize: 200 });
if (result.ok) {
const data = JSON.parse(result.body);
const assets = Array.isArray(data) ? data : (data.assets || data.results || []);
allAssets.push(...assets);
console.log(` ${assets.length} assets`);
}
} catch (_) { /* skip */ }
}
}
console.log(`\nTotal assets fetched: ${allAssets.length}`);
// Build IP → asset map
const ipMap = new Map();
for (const asset of allAssets) {
const id = asset._id || '';
const ip = extractIPFromAssetId(id);
if (ip && !ipMap.has(ip)) {
ipMap.set(ip, asset);
}
}
console.log(`Unique IPs in CARD: ${ipMap.size}`);
// Match against our target IPs
const matched = [];
const notFound = [];
for (const ip of TARGET_IPS) {
const asset = ipMap.get(ip);
if (asset) {
matched.push(extractGraniteData(asset));
} else {
notFound.push(ip);
}
}
// For IPs not found in team assets, fall back to individual owner lookup
if (notFound.length > 0) {
console.log(`\n${notFound.length} IPs not in team assets — trying individual owner lookups...`);
const SUFFIXES = ['CTEC', 'NATL', 'TWC', 'BHN', 'CHTR'];
const stillNotFound = [];
for (const ip of notFound) {
let found = false;
for (const suffix of SUFFIXES) {
try {
const result = await cardApi.getOwner(`${ip}-${suffix}`);
if (result.ok) {
const data = JSON.parse(result.body);
// Owner endpoint is slim — extract what we can
const ncim = data.ncim_discovery || [];
matched.push({
ip,
assetId: data._id || `${ip}-${suffix}`,
hostname: REASSIGNED[ip] || '',
equipInstId: ncim.length > 0 ? (ncim[0].EQUIP_INST_ID || null) : null,
graniteTeam: ncim.length > 0 ? (ncim[0].GRANITE_RESP_TEAM || null) : null,
entityId: ncim.length > 0 ? (ncim[0].ENTITYID || null) : null,
sysLocation: ncim.length > 0 ? (ncim[0].SYSLOCATION || null) : null,
confirmedTeam: data.owner && data.owner.confirmed ? data.owner.confirmed.name : null,
deviceId: null,
asn: null,
vendorModel: '',
status: null,
});
found = true;
break;
}
} catch (_) { /* continue */ }
}
if (!found) stillNotFound.push(ip);
}
if (stillNotFound.length > 0) {
console.log(`\n${stillNotFound.length} IPs not found anywhere in CARD:`);
stillNotFound.forEach(ip => console.log(` ${ip} (${REASSIGNED[ip] || 'no hostname'})`));
}
}
// Sort by IP
matched.sort((a, b) => {
const aParts = a.ip.split('.').map(Number);
const bParts = b.ip.split('.').map(Number);
for (let i = 0; i < 4; i++) {
if (aParts[i] !== bParts[i]) return aParts[i] - bParts[i];
}
return 0;
});
// Summary
const withEquipId = matched.filter(r => r.equipInstId);
const withoutEquipId = matched.filter(r => !r.equipInstId);
console.log('\n=== Summary ===');
console.log(`Matched in CARD: ${matched.length}`);
console.log(`With EQUIP_INST_ID: ${withEquipId.length}`);
console.log(`Without EQUIP_INST_ID: ${withoutEquipId.length}`);
// Print results
console.log('\n=== Results with EQUIP_INST_ID ===');
console.log('IP Address | EQUIP_INST_ID | Hostname | Granite Team');
console.log('-'.repeat(100));
for (const r of withEquipId) {
console.log(`${r.ip.padEnd(20)} | ${String(r.equipInstId).padEnd(13)} | ${(r.hostname || '').padEnd(30)} | ${r.graniteTeam || '-'}`);
}
if (withoutEquipId.length > 0) {
console.log('\n=== Results WITHOUT EQUIP_INST_ID ===');
for (const r of withoutEquipId) {
console.log(` ${r.ip.padEnd(20)} ${(r.hostname || REASSIGNED[r.ip] || '').padEnd(30)} confirmed: ${r.confirmedTeam || '-'}`);
}
}
// Write full CSV
const csvPath = path.join(__dirname, '..', '..', 'docs', 'card-lookup-results.csv');
const csvHeader = 'IP Address,CARD Asset ID,Hostname,EQUIP_INST_ID,Granite Team,Entity ID,SysLocation,Confirmed Team,Device ID,ASN,Vendor Model,Status';
const csvRows = matched.map(r =>
[r.ip, r.assetId, r.hostname, r.equipInstId, r.graniteTeam, r.entityId, r.sysLocation, r.confirmedTeam, r.deviceId, r.asn, r.vendorModel, r.status]
.map(v => v === null || v === undefined ? '' : `"${String(v).replace(/"/g, '""')}"`)
.join(',')
);
fs.writeFileSync(csvPath, csvHeader + '\n' + csvRows.join('\n') + '\n', 'utf8');
console.log(`\nFull CSV: ${csvPath}`);
// Write Granite Team_Device Loader CSV
const graniteHeaders = [
'DELETE', 'SET_CONFIRMED', 'EQUIPMENT CLASS', 'EQUIP_INST_ID', 'SITE_NAME',
'EQUIP_NAME', 'EQUIP_TEMPLATE', 'EQUIP_STATUS',
'UDA#RESPONSIBLE ORGANIZATION#RESPONSIBLE TEAM',
'UDA#IP_ADDRESSING#IPV4_ADDRESS',
'UDA#IP_ADDRESSING#MAC ADDRESS', 'UDA#IP_ADDRESSING#MGMT_IP_ASN', 'SERIALNUMBER',
];
const graniteRows = withEquipId.map(r => [
'', // DELETE
'', // SET_CONFIRMED
'S', // EQUIPMENT CLASS (Shelf)
r.equipInstId, // EQUIP_INST_ID
'', // SITE_NAME
r.hostname || REASSIGNED[r.ip] || '', // EQUIP_NAME
'', // EQUIP_TEMPLATE
'', // EQUIP_STATUS
'NTS-AEO-STEAM', // RESPONSIBLE TEAM
r.ip, // IPV4_ADDRESS
'', // MAC ADDRESS
r.asn || '', // MGMT_IP_ASN
r.deviceId || '', // SERIALNUMBER
]);
const granitePath = path.join(__dirname, '..', '..', 'docs', 'granite-reassignment-upload.csv');
const graniteContent = [
graniteHeaders.join(','),
...graniteRows.map(r => r.map(v => `"${String(v).replace(/"/g, '""')}"`).join(','))
].join('\n');
fs.writeFileSync(granitePath, graniteContent + '\n', 'utf8');
console.log(`Granite upload CSV (${withEquipId.length} rows): ${granitePath}`);
}
main().catch(err => {
console.error('Unhandled error:', err);
process.exit(1);
});

44
backend/scripts/compliance_config.json Normal file
View File

@@ -0,0 +1,44 @@
{
"metric_categories": {
"1.1.1": "Logging & Monitoring",
"1.1.3": "Logging & Monitoring",
"1.4.1": "Logging & Monitoring",
"2.3.4i": "Vulnerability Management",
"2.3.6i": "Vulnerability Management",
"2.3.8i": "Vulnerability Management",
"5.2.4": "Access & MFA",
"5.2.5": "Access & MFA",
"5.2.6": "Access & MFA",
"5.2.7": "Access & MFA",
"5.2.8": "Access & MFA",
"5.3.4": "Endpoint Protection",
"5.5.4i": "Vulnerability Management",
"5.5.5": "Decommissioned Assets",
"5.8.1": "Application Security",
"7.1.1": "Logging & Monitoring",
"7.1.4": "Logging & Monitoring",
"7.6.13": "Disaster Recovery",
"7.6.16": "Disaster Recovery",
"Missing_AppID": "Asset Data Quality",
"Missing_DF": "Asset Data Quality",
"Missing_OS": "Asset Data Quality",
"5.5.2": "Other"
},
"core_cols": [
"Preferred - Hostname",
"GRANITE - IPv4_Address",
"GRANITE - Type",
"Team",
"Compliant",
"Source_Network",
"Vertical",
"GRANITE - Equip_Inst_ID",
"GRANITE - RESPONSIBLE_TEAM"
],
"skip_sheets": [
"Summary",
"CMDB_9box",
"Vulns",
"Aging Dashboard"
]
}

84
backend/scripts/dump_xlsx_schema.py Normal file
View File

@@ -0,0 +1,84 @@
#!/usr/bin/env python3
"""
Dump the structural schema of a compliance xlsx file as JSON.
Usage: python3 dump_xlsx_schema.py <path_to_xlsx>
Output:
{
"sheets": [
{
"name": "SheetName",
"columns": ["Col A", "Col B", ...],
"row_count": 150,
"metric_values": ["2.3.4i", "5.2.4", ...] // only if a Metric column exists
},
...
]
}
Dependencies: openpyxl (already in requirements.txt)
"""
import sys
import json
from openpyxl import load_workbook
def main():
if len(sys.argv) < 2:
print(json.dumps({'error': 'No file path provided'}))
sys.exit(1)
filepath = sys.argv[1]
try:
wb = load_workbook(filepath, read_only=True, data_only=True)
except Exception as e:
print(json.dumps({'error': f'Cannot open file: {str(e)}'}))
sys.exit(1)
sheets = []
for sheet_name in wb.sheetnames:
ws = wb[sheet_name]
rows = list(ws.iter_rows(max_row=1, values_only=True))
columns = [str(c).strip() for c in rows[0] if c is not None] if rows else []
# Count data rows (excluding header)
row_count = 0
for _ in ws.iter_rows(min_row=2, values_only=True):
row_count += 1
# Extract metric values if a Metric column exists in the Summary sheet
metric_values = []
if sheet_name == 'Summary':
# Summary has header at row 4 (0-indexed row 3), read from row 5 onward
header_rows = list(ws.iter_rows(min_row=4, max_row=4, values_only=True))
if header_rows:
summary_cols = [str(c).strip() if c else '' for c in header_rows[0]]
metric_idx = None
for i, col in enumerate(summary_cols):
if col == 'Metric':
metric_idx = i
break
if metric_idx is not None:
for row in ws.iter_rows(min_row=5, values_only=True):
if row[metric_idx] is not None:
val = str(row[metric_idx]).strip()
if val and val != 'Metric':
metric_values.append(val)
entry = {
'name': sheet_name,
'columns': columns,
'row_count': row_count,
}
if metric_values:
entry['metric_values'] = sorted(set(metric_values))
sheets.append(entry)
wb.close()
print(json.dumps({'sheets': sheets}, indent=2))
if __name__ == '__main__':
main()

91
backend/scripts/extract_xlsx_schema.py Normal file
View File

@@ -0,0 +1,91 @@
#!/usr/bin/env python3
"""
Extract the structural schema of a compliance xlsx file as JSON.
Usage: python3 extract_xlsx_schema.py <path_to_xlsx>
Output:
{
"sheets": [
{
"name": "Summary",
"columns": ["Metric", "Non-Compliant", "..."],
"metric_values": ["2.3.4i", "5.2.4", "..."]
},
{
"name": "2.3.4i",
"columns": ["Preferred - Hostname", "GRANITE - IPv4_Address", "..."]
}
]
}
- Uses openpyxl in read-only mode.
- Extracts sheet names, first-row column headers per sheet, and unique metric
values from the Summary sheet (header at row 4, data from row 5 onward).
- On error, returns { "error": "..." } on stdout and exits with non-zero code.
Dependencies: openpyxl (already in requirements.txt)
"""
import sys
import json
from openpyxl import load_workbook
def main():
if len(sys.argv) < 2:
print(json.dumps({"error": "No file path provided"}))
sys.exit(1)
filepath = sys.argv[1]
try:
wb = load_workbook(filepath, read_only=True, data_only=True)
except Exception as e:
print(json.dumps({"error": f"Cannot open file: {str(e)}"}))
sys.exit(1)
if not wb.sheetnames:
print(json.dumps({"error": "Workbook contains no sheets"}))
wb.close()
sys.exit(1)
sheets = []
for sheet_name in wb.sheetnames:
ws = wb[sheet_name]
# Extract first-row column headers
rows = list(ws.iter_rows(max_row=1, values_only=True))
columns = [str(c).strip() for c in rows[0] if c is not None] if rows else []
entry = {
"name": sheet_name,
"columns": columns,
}
# Extract metric values from the Summary sheet
# Summary has header at row 4, data from row 5 onward
if sheet_name == "Summary":
metric_values = []
header_rows = list(ws.iter_rows(min_row=4, max_row=4, values_only=True))
if header_rows:
summary_cols = [str(c).strip() if c else "" for c in header_rows[0]]
metric_idx = None
for i, col in enumerate(summary_cols):
if col == "Metric":
metric_idx = i
break
if metric_idx is not None:
for row in ws.iter_rows(min_row=5, values_only=True):
if row[metric_idx] is not None:
val = str(row[metric_idx]).strip()
if val and val != "Metric":
metric_values.append(val)
entry["metric_values"] = sorted(set(metric_values))
sheets.append(entry)
wb.close()
print(json.dumps({"sheets": sheets}))
if __name__ == "__main__":
main()

928
backend/scripts/migrate-to-postgres.js Normal file
View File

@@ -0,0 +1,928 @@
#!/usr/bin/env node
/**
* migrate-to-postgres.js — Data Migration Script
*
* Copies all data from the SQLite database (cve_database.db) to PostgreSQL.
* The SQLite file is opened READ-ONLY and is never modified.
*
* Special handling:
* - ivanti_findings_cache.findings_json → individual rows in ivanti_findings
* - ivanti_finding_notes → merged into ivanti_findings.note column
* - ivanti_finding_overrides → merged into ivanti_findings.override_host_name / override_dns
* - ivanti_sync_state and ivanti_counts_cache → populated from ivanti_findings_cache metadata
*
* Type conversions:
* - SQLite 0/1 integers → Postgres boolean
* - SQLite DATETIME strings → Postgres TIMESTAMPTZ (passed as-is)
* - SQLite NULL → Postgres NULL
*
* Uses ON CONFLICT DO NOTHING for idempotency (safe to re-run).
*
* Usage:
* node backend/scripts/migrate-to-postgres.js
*
* Requires:
* - DATABASE_URL env var (or .env file in backend/)
* - SQLite database at backend/cve_database.db
*/
const path = require('path');
require('dotenv').config({ path: path.join(__dirname, '..', '.env') });
const fs = require('fs');
const sqlite3 = require('sqlite3').verbose();
const { Pool } = require('pg');
// ---------------------------------------------------------------------------
// Configuration
// ---------------------------------------------------------------------------
const SQLITE_PATH = path.join(__dirname, '..', 'cve_database.db');
const SCHEMA_PATH = path.join(__dirname, '..', 'db-schema.sql');
const DATABASE_URL = process.env.DATABASE_URL;
if (!DATABASE_URL) {
console.error('ERROR: DATABASE_URL environment variable is not set.');
console.error('Expected format: postgresql://user:password@host:port/database');
process.exit(1);
}
if (!fs.existsSync(SQLITE_PATH)) {
console.error(`ERROR: SQLite database not found at ${SQLITE_PATH}`);
process.exit(1);
}
// ---------------------------------------------------------------------------
// SQLite helpers
// ---------------------------------------------------------------------------
function sqliteAll(db, sql, params = []) {
return new Promise((resolve, reject) => {
db.all(sql, params, (err, rows) => {
if (err) reject(err);
else resolve(rows || []);
});
});
}
function sqliteGet(db, sql, params = []) {
return new Promise((resolve, reject) => {
db.get(sql, params, (err, row) => {
if (err) reject(err);
else resolve(row);
});
});
}
// ---------------------------------------------------------------------------
// Extract finding fields from raw JSON object (mirrors ivantiFindings.js)
// ---------------------------------------------------------------------------
function extractFinding(f) {
const rawDueDate = f.statusEmbedded?.dueDate || f.dueDate || '';
const dueDate = rawDueDate ? rawDueDate.split('T')[0] : null;
const buOwnership = f.assetCustomAttributes?.['1550_host_1']?.[0]
|| f.buOwnership || f.bu_ownership || '';
const cves = Array.isArray(f.cves)
? f.cves
: (f.vulnerabilities?.vulnInfoList || []).map(v => v.cve).filter(Boolean);
// Workflow extraction
let workflow = null;
if (f.workflow && typeof f.workflow === 'object') {
workflow = {
id: f.workflow.id || '',
state: f.workflow.state || '',
type: f.workflow.type || 'FP',
};
} else if (f.workflowDistribution) {
const wfDist = f.workflowDistribution || {};
const fpBuckets = [
...(wfDist.actionableWorkflows || []),
...(wfDist.requestedWorkflows || []),
...(wfDist.reworkedWorkflows || []),
...(wfDist.rejectedWorkflows || []),
...(wfDist.expiredWorkflows || []),
...(wfDist.approvedWorkflows || []),
].filter(w => (w.generatedId || '').startsWith('FP#'));
const fpEntry = fpBuckets[0] || null;
if (fpEntry) {
workflow = {
id: fpEntry.generatedId || '',
state: fpEntry.state || '',
type: 'FP',
};
}
}
return {
id: String(f.id),
hostId: f.hostId || f.host?.hostId || null,
title: f.title || '',
severity: typeof f.severity === 'number' ? f.severity : parseFloat(f.severity) || 0,
vrrGroup: f.vrrGroup || f.severityGroup || f.vrr_group || '',
hostName: f.hostName || f.host?.hostName || f.host_name || '',
ipAddress: f.ipAddress || f.host?.ipAddress || f.ip_address || '',
dns: f.dns || f.host?.fqdn || '',
status: f.status || '',
slaStatus: f.slaStatus || f.sla_status || '',
dueDate: dueDate,
lastFoundOn: f.lastFoundOn || f.last_found_on || null,
buOwnership,
cves,
workflow,
};
}
// ---------------------------------------------------------------------------
// Batch insert helper for Postgres
// ---------------------------------------------------------------------------
async function batchInsert(pool, tableName, columns, rows, conflictClause = 'DO NOTHING') {
if (rows.length === 0) return 0;
const BATCH_SIZE = 100;
let inserted = 0;
for (let i = 0; i < rows.length; i += BATCH_SIZE) {
const batch = rows.slice(i, i + BATCH_SIZE);
const values = [];
const placeholders = [];
batch.forEach((row, idx) => {
const offset = idx * columns.length;
const rowPlaceholders = columns.map((_, colIdx) => `$${offset + colIdx + 1}`);
placeholders.push(`(${rowPlaceholders.join(', ')})`);
values.push(...row);
});
const sql = `INSERT INTO ${tableName} (${columns.join(', ')})
VALUES ${placeholders.join(', ')}
ON CONFLICT ${conflictClause}`;
await pool.query(sql, values);
inserted += batch.length;
}
return inserted;
}
// ---------------------------------------------------------------------------
// Table migration definitions
// ---------------------------------------------------------------------------
/**
* Each entry defines how to copy a SQLite table to Postgres.
* - sqliteTable: source table name
* - pgTable: destination table name (defaults to sqliteTable)
* - columns: array of { src, dest, transform } objects
* - conflict: ON CONFLICT clause (default: DO NOTHING)
* - selectSql: optional custom SELECT (defaults to SELECT * FROM sqliteTable)
*/
function getTableMigrations() {
return [
{
sqliteTable: 'users',
columns: [
{ src: 'id', dest: 'id' },
{ src: 'username', dest: 'username' },
{ src: 'email', dest: 'email' },
{ src: 'password_hash', dest: 'password_hash' },
{ src: 'role', dest: 'role' },
{ src: 'is_active', dest: 'is_active', transform: v => v === 1 || v === true },
{ src: 'created_at', dest: 'created_at' },
{ src: 'last_login', dest: 'last_login' },
{ src: 'user_group', dest: 'user_group', transform: v => v || 'Read_Only' },
{ src: 'bu_teams', dest: 'bu_teams', transform: v => v || '' },
],
conflict: '(id) DO NOTHING',
},
{
sqliteTable: 'sessions',
columns: [
{ src: 'id', dest: 'id' },
{ src: 'session_id', dest: 'session_id' },
{ src: 'user_id', dest: 'user_id' },
{ src: 'expires_at', dest: 'expires_at' },
{ src: 'created_at', dest: 'created_at' },
],
conflict: '(id) DO NOTHING',
},
{
sqliteTable: 'cves',
columns: [
{ src: 'id', dest: 'id' },
{ src: 'cve_id', dest: 'cve_id' },
{ src: 'vendor', dest: 'vendor' },
{ src: 'severity', dest: 'severity' },
{ src: 'description', dest: 'description' },
{ src: 'published_date', dest: 'published_date' },
{ src: 'status', dest: 'status' },
{ src: 'created_at', dest: 'created_at' },
{ src: 'updated_at', dest: 'updated_at' },
{ src: 'created_by', dest: 'created_by' },
],
conflict: '(id) DO NOTHING',
},
{
sqliteTable: 'documents',
columns: [
{ src: 'id', dest: 'id' },
{ src: 'cve_id', dest: 'cve_id' },
{ src: 'vendor', dest: 'vendor' },
{ src: 'name', dest: 'name' },
{ src: 'type', dest: 'type' },
{ src: 'file_path', dest: 'file_path' },
{ src: 'file_size', dest: 'file_size' },
{ src: 'mime_type', dest: 'mime_type' },
{ src: 'uploaded_at', dest: 'uploaded_at' },
{ src: 'notes', dest: 'notes' },
],
conflict: '(id) DO NOTHING',
},
{
sqliteTable: 'required_documents',
columns: [
{ src: 'id', dest: 'id' },
{ src: 'vendor', dest: 'vendor' },
{ src: 'document_type', dest: 'document_type' },
{ src: 'is_mandatory', dest: 'is_mandatory', transform: v => v === 1 || v === true },
{ src: 'description', dest: 'description' },
],
conflict: '(id) DO NOTHING',
},
{
sqliteTable: 'jira_tickets',
columns: [
{ src: 'id', dest: 'id' },
{ src: 'cve_id', dest: 'cve_id' },
{ src: 'vendor', dest: 'vendor' },
{ src: 'ticket_key', dest: 'ticket_key' },
{ src: 'url', dest: 'url' },
{ src: 'summary', dest: 'summary' },
{ src: 'status', dest: 'status' },
{ src: 'created_at', dest: 'created_at' },
{ src: 'updated_at', dest: 'updated_at' },
],
conflict: '(id) DO NOTHING',
},
{
sqliteTable: 'archer_tickets',
columns: [
{ src: 'id', dest: 'id' },
{ src: 'exc_number', dest: 'exc_number' },
{ src: 'archer_url', dest: 'archer_url' },
{ src: 'status', dest: 'status' },
{ src: 'cve_id', dest: 'cve_id' },
{ src: 'vendor', dest: 'vendor' },
{ src: 'created_at', dest: 'created_at' },
{ src: 'updated_at', dest: 'updated_at' },
],
conflict: '(id) DO NOTHING',
},
{
sqliteTable: 'knowledge_base',
columns: [
{ src: 'id', dest: 'id' },
{ src: 'title', dest: 'title' },
{ src: 'slug', dest: 'slug' },
{ src: 'description', dest: 'description' },
{ src: 'category', dest: 'category' },
{ src: 'file_path', dest: 'file_path' },
{ src: 'file_name', dest: 'file_name' },
{ src: 'file_type', dest: 'file_type' },
{ src: 'file_size', dest: 'file_size' },
{ src: 'created_at', dest: 'created_at' },
{ src: 'updated_at', dest: 'updated_at' },
{ src: 'created_by', dest: 'created_by' },
],
conflict: '(id) DO NOTHING',
},
{
sqliteTable: 'audit_logs',
columns: [
{ src: 'id', dest: 'id' },
{ src: 'user_id', dest: 'user_id' },
{ src: 'username', dest: 'username' },
{ src: 'action', dest: 'action' },
{ src: 'entity_type', dest: 'entity_type' },
{ src: 'entity_id', dest: 'entity_id' },
{ src: 'details', dest: 'details' },
{ src: 'ip_address', dest: 'ip_address' },
{ src: 'created_at', dest: 'created_at' },
],
conflict: '(id) DO NOTHING',
},
{
sqliteTable: 'compliance_uploads',
columns: [
{ src: 'id', dest: 'id' },
{ src: 'filename', dest: 'filename' },
{ src: 'report_date', dest: 'report_date' },
{ src: 'uploaded_by', dest: 'uploaded_by' },
{ src: 'uploaded_at', dest: 'uploaded_at' },
{ src: 'new_count', dest: 'new_count' },
{ src: 'resolved_count', dest: 'resolved_count' },
{ src: 'recurring_count', dest: 'recurring_count' },
{ src: 'summary_json', dest: 'summary_json' },
],
conflict: '(id) DO NOTHING',
},
{
sqliteTable: 'compliance_items',
columns: [
{ src: 'id', dest: 'id' },
{ src: 'upload_id', dest: 'upload_id' },
{ src: 'hostname', dest: 'hostname' },
{ src: 'ip_address', dest: 'ip_address' },
{ src: 'device_type', dest: 'device_type' },
{ src: 'team', dest: 'team' },
{ src: 'metric_id', dest: 'metric_id' },
{ src: 'metric_desc', dest: 'metric_desc' },
{ src: 'category', dest: 'category' },
{ src: 'extra_json', dest: 'extra_json' },
{ src: 'status', dest: 'status' },
{ src: 'first_seen_upload_id', dest: 'first_seen_upload_id' },
{ src: 'resolved_upload_id', dest: 'resolved_upload_id' },
{ src: 'seen_count', dest: 'seen_count' },
{ src: 'created_at', dest: 'created_at' },
],
conflict: '(id) DO NOTHING',
},
{
sqliteTable: 'compliance_notes',
columns: [
{ src: 'id', dest: 'id' },
{ src: 'hostname', dest: 'hostname' },
{ src: 'metric_id', dest: 'metric_id' },
{ src: 'note', dest: 'note' },
{ src: 'group_id', dest: 'group_id' },
{ src: 'created_by', dest: 'created_by' },
{ src: 'created_at', dest: 'created_at' },
],
conflict: '(id) DO NOTHING',
},
{
sqliteTable: 'ivanti_counts_history',
columns: [
{ src: 'id', dest: 'id' },
{ src: 'open_count', dest: 'open_count' },
{ src: 'closed_count', dest: 'closed_count' },
{ src: 'recorded_at', dest: 'recorded_at' },
],
conflict: '(id) DO NOTHING',
},
{
sqliteTable: 'ivanti_finding_archives',
columns: [
{ src: 'id', dest: 'id' },
{ src: 'finding_id', dest: 'finding_id' },
{ src: 'finding_title', dest: 'finding_title' },
{ src: 'host_name', dest: 'host_name' },
{ src: 'ip_address', dest: 'ip_address' },
{ src: 'current_state', dest: 'current_state' },
{ src: 'last_severity', dest: 'last_severity' },
{ src: 'first_archived_at', dest: 'first_archived_at' },
{ src: 'last_transition_at', dest: 'last_transition_at' },
{ src: 'created_at', dest: 'created_at' },
],
conflict: '(id) DO NOTHING',
},
{
sqliteTable: 'ivanti_archive_transitions',
columns: [
{ src: 'id', dest: 'id' },
{ src: 'archive_id', dest: 'archive_id' },
{ src: 'from_state', dest: 'from_state' },
{ src: 'to_state', dest: 'to_state' },
{ src: 'severity_at_transition', dest: 'severity_at_transition' },
{ src: 'reason', dest: 'reason' },
{ src: 'transitioned_at', dest: 'transitioned_at' },
],
conflict: '(id) DO NOTHING',
},
{
sqliteTable: 'ivanti_sync_anomaly_log',
columns: [
{ src: 'id', dest: 'id' },
{ src: 'sync_timestamp', dest: 'sync_timestamp' },
{ src: 'open_count_delta', dest: 'open_count_delta' },
{ src: 'closed_count_delta', dest: 'closed_count_delta' },
{ src: 'newly_archived_count', dest: 'newly_archived_count' },
{ src: 'returned_count', dest: 'returned_count' },
{ src: 'classification_json', dest: 'classification_json' },
{ src: 'return_classification_json', dest: 'return_classification_json' },
{ src: 'is_significant', dest: 'is_significant', transform: v => v === 1 || v === true },
{ src: 'created_at', dest: 'created_at' },
],
conflict: '(id) DO NOTHING',
},
{
sqliteTable: 'ivanti_finding_bu_history',
columns: [
{ src: 'id', dest: 'id' },
{ src: 'finding_id', dest: 'finding_id' },
{ src: 'finding_title', dest: 'finding_title' },
{ src: 'host_name', dest: 'host_name' },
{ src: 'previous_bu', dest: 'previous_bu' },
{ src: 'new_bu', dest: 'new_bu' },
{ src: 'detected_at', dest: 'detected_at' },
{ src: 'created_at', dest: 'created_at' },
],
conflict: '(id) DO NOTHING',
},
{
sqliteTable: 'atlas_action_plans_cache',
columns: [
{ src: 'id', dest: 'id' },
{ src: 'host_id', dest: 'host_id' },
{ src: 'has_action_plan', dest: 'has_action_plan', transform: v => v === 1 || v === true },
{ src: 'plan_count', dest: 'plan_count' },
{ src: 'plans_json', dest: 'plans_json' },
{ src: 'synced_at', dest: 'synced_at' },
],
conflict: '(id) DO NOTHING',
},
{
sqliteTable: 'ivanti_fp_submissions',
columns: [
{ src: 'id', dest: 'id' },
{ src: 'user_id', dest: 'user_id' },
{ src: 'username', dest: 'username' },
{ src: 'ivanti_workflow_batch_id', dest: 'ivanti_workflow_batch_id' },
{ src: 'ivanti_generated_id', dest: 'ivanti_generated_id' },
{ src: 'ivanti_workflow_batch_uuid', dest: 'ivanti_workflow_batch_uuid' },
{ src: 'workflow_name', dest: 'workflow_name' },
{ src: 'reason', dest: 'reason' },
{ src: 'description', dest: 'description' },
{ src: 'expiration_date', dest: 'expiration_date' },
{ src: 'scope_override', dest: 'scope_override' },
{ src: 'finding_ids_json', dest: 'finding_ids_json' },
{ src: 'queue_item_ids_json', dest: 'queue_item_ids_json' },
{ src: 'attachment_count', dest: 'attachment_count' },
{ src: 'attachment_results_json', dest: 'attachment_results_json' },
{ src: 'status', dest: 'status' },
{ src: 'lifecycle_status', dest: 'lifecycle_status' },
{ src: 'error_message', dest: 'error_message' },
{ src: 'created_at', dest: 'created_at' },
{ src: 'updated_at', dest: 'updated_at' },
],
conflict: '(id) DO NOTHING',
},
{
sqliteTable: 'ivanti_fp_submission_history',
columns: [
{ src: 'id', dest: 'id' },
{ src: 'submission_id', dest: 'submission_id' },
{ src: 'user_id', dest: 'user_id' },
{ src: 'username', dest: 'username' },
{ src: 'change_type', dest: 'change_type' },
{ src: 'change_details_json', dest: 'change_details_json' },
{ src: 'created_at', dest: 'created_at' },
],
conflict: '(id) DO NOTHING',
},
{
sqliteTable: 'ivanti_todo_queue',
columns: [
{ src: 'id', dest: 'id' },
{ src: 'user_id', dest: 'user_id' },
{ src: 'finding_id', dest: 'finding_id' },
{ src: 'finding_title', dest: 'finding_title' },
{ src: 'cves_json', dest: 'cves_json' },
{ src: 'ip_address', dest: 'ip_address' },
{ src: 'hostname', dest: 'hostname' },
{ src: 'vendor', dest: 'vendor' },
{ src: 'workflow_type', dest: 'workflow_type' },
{ src: 'status', dest: 'status' },
{ src: 'created_at', dest: 'created_at' },
{ src: 'updated_at', dest: 'updated_at' },
],
conflict: '(id) DO NOTHING',
},
];
}
// ---------------------------------------------------------------------------
// Main migration logic
// ---------------------------------------------------------------------------
async function migrate() {
console.log('╔════════════════════════════════════════════════════════╗');
console.log('║ CVE Dashboard — SQLite → PostgreSQL Migration ║');
console.log('╚════════════════════════════════════════════════════════╝\n');
// Open SQLite in READ-ONLY mode
const sqliteDb = new sqlite3.Database(SQLITE_PATH, sqlite3.OPEN_READONLY, (err) => {
if (err) {
console.error('ERROR: Failed to open SQLite database:', err.message);
process.exit(1);
}
});
console.log(`✓ Opened SQLite database (read-only): ${SQLITE_PATH}`);
// Connect to Postgres
const pool = new Pool({
connectionString: DATABASE_URL,
max: 5,
idleTimeoutMillis: 30000,
connectionTimeoutMillis: 10000,
});
try {
await pool.query('SELECT NOW()');
console.log('✓ Connected to PostgreSQL');
} catch (err) {
console.error('ERROR: Failed to connect to PostgreSQL:', err.message);
sqliteDb.close();
process.exit(1);
}
// Step 1: Run schema DDL
console.log('\n── Step 1: Creating schema (idempotent) ──');
try {
const schemaSql = fs.readFileSync(SCHEMA_PATH, 'utf8');
await pool.query(schemaSql);
console.log('✓ Schema created/verified');
} catch (err) {
console.error('ERROR: Schema creation failed:', err.message);
await cleanup(sqliteDb, pool);
process.exit(1);
}
// Step 2: Copy simple tables
console.log('\n── Step 2: Copying tables ──');
const migrations = getTableMigrations();
const migrationResults = {};
for (const migration of migrations) {
const tableName = migration.pgTable || migration.sqliteTable;
try {
// Check if table exists in SQLite
const tableCheck = await sqliteGet(
sqliteDb,
`SELECT name FROM sqlite_master WHERE type='table' AND name=?`,
[migration.sqliteTable]
);
if (!tableCheck) {
console.log(`${migration.sqliteTable} — table not found in SQLite, skipping`);
migrationResults[tableName] = { source: 0, dest: 0, skipped: true };
continue;
}
// Read all rows from SQLite
const selectSql = migration.selectSql || `SELECT * FROM ${migration.sqliteTable}`;
const sourceRows = await sqliteAll(sqliteDb, selectSql);
if (sourceRows.length === 0) {
console.log(`${tableName} — 0 rows (empty table)`);
migrationResults[tableName] = { source: 0, dest: 0 };
continue;
}
// Transform rows
const destColumns = migration.columns.map(c => c.dest);
const transformedRows = sourceRows.map(row => {
return migration.columns.map(col => {
let value = row[col.src];
if (value === undefined) value = null;
if (col.transform) {
value = col.transform(value);
}
return value;
});
});
// Insert into Postgres
const inserted = await batchInsert(
pool,
tableName,
destColumns,
transformedRows,
migration.conflict
);
console.log(`${tableName}${inserted} rows copied`);
migrationResults[tableName] = { source: sourceRows.length, dest: inserted };
} catch (err) {
console.error(`${tableName} — ERROR: ${err.message}`);
migrationResults[tableName] = { source: 0, dest: 0, error: err.message };
}
}
// Reset sequences for SERIAL columns after bulk insert with explicit IDs
console.log('\n── Step 2b: Resetting sequences ──');
const serialTables = [
'users', 'sessions', 'cves', 'documents', 'required_documents',
'jira_tickets', 'archer_tickets', 'knowledge_base', 'audit_logs',
'compliance_uploads', 'compliance_items', 'compliance_notes',
'ivanti_counts_history', 'ivanti_finding_archives',
'ivanti_archive_transitions', 'ivanti_sync_anomaly_log',
'ivanti_finding_bu_history', 'atlas_action_plans_cache',
'ivanti_fp_submissions', 'ivanti_fp_submission_history',
'ivanti_todo_queue',
];
for (const table of serialTables) {
try {
await pool.query(`
SELECT setval(pg_get_serial_sequence('${table}', 'id'),
COALESCE((SELECT MAX(id) FROM ${table}), 0) + 1, false)
`);
} catch (err) {
// Non-fatal — sequence may not exist for some tables
console.log(` ⚠ Could not reset sequence for ${table}: ${err.message}`);
}
}
console.log('✓ Sequences reset');
// Step 3: Migrate findings from JSON blob
console.log('\n── Step 3: Migrating findings from JSON blob ──');
try {
const cacheRow = await sqliteGet(sqliteDb, 'SELECT * FROM ivanti_findings_cache WHERE id = 1');
if (!cacheRow || !cacheRow.findings_json) {
console.log(' ⚠ No findings_json data found in ivanti_findings_cache');
} else {
let findings;
try {
findings = JSON.parse(cacheRow.findings_json);
} catch (parseErr) {
console.error(' ✗ Failed to parse findings_json:', parseErr.message);
findings = [];
}
if (Array.isArray(findings) && findings.length > 0) {
console.log(` Parsing ${findings.length} findings from JSON blob...`);
// Extract and insert findings
const BATCH_SIZE = 100;
let insertedCount = 0;
for (let i = 0; i < findings.length; i += BATCH_SIZE) {
const batch = findings.slice(i, i + BATCH_SIZE);
const values = [];
const placeholders = [];
batch.forEach((rawFinding, idx) => {
const f = extractFinding(rawFinding);
const offset = idx * 18;
values.push(
f.id,
f.hostId,
f.title,
f.severity,
f.vrrGroup,
f.hostName,
f.ipAddress,
f.dns,
f.status,
f.slaStatus,
f.dueDate,
f.lastFoundOn,
f.buOwnership,
f.cves,
f.workflow ? f.workflow.id : null,
f.workflow ? f.workflow.state : null,
f.workflow ? f.workflow.type : null,
'open' // state = open for all findings from cache
);
placeholders.push(
`($${offset+1}, $${offset+2}, $${offset+3}, $${offset+4}, $${offset+5}, ` +
`$${offset+6}, $${offset+7}, $${offset+8}, $${offset+9}, $${offset+10}, ` +
`$${offset+11}, $${offset+12}, $${offset+13}, $${offset+14}, $${offset+15}, ` +
`$${offset+16}, $${offset+17}, $${offset+18})`
);
});
await pool.query(`
INSERT INTO ivanti_findings (
id, host_id, title, severity, vrr_group,
host_name, ip_address, dns, status, sla_status,
due_date, last_found_on, bu_ownership, cves,
workflow_id, workflow_state, workflow_type, state
)
VALUES ${placeholders.join(', ')}
ON CONFLICT (id) DO NOTHING
`, values);
insertedCount += batch.length;
}
console.log(` ✓ ivanti_findings — ${insertedCount} findings inserted (state='open')`);
migrationResults['ivanti_findings'] = { source: findings.length, dest: insertedCount };
} else {
console.log(' ○ findings_json is empty or not an array');
migrationResults['ivanti_findings'] = { source: 0, dest: 0 };
}
}
} catch (err) {
console.error(` ✗ Findings migration ERROR: ${err.message}`);
migrationResults['ivanti_findings'] = { source: 0, dest: 0, error: err.message };
}
// Step 4: Merge notes into ivanti_findings.note
console.log('\n── Step 4: Merging finding notes ──');
try {
const notes = await sqliteAll(sqliteDb, 'SELECT finding_id, note FROM ivanti_finding_notes');
if (notes.length === 0) {
console.log(' ○ No finding notes to merge');
} else {
let mergedCount = 0;
for (const { finding_id, note } of notes) {
if (!finding_id || !note) continue;
const result = await pool.query(
`UPDATE ivanti_findings SET note = $1 WHERE id = $2`,
[note, finding_id]
);
if (result.rowCount > 0) mergedCount++;
}
console.log(` ✓ Merged ${mergedCount}/${notes.length} notes into ivanti_findings.note`);
}
} catch (err) {
console.error(` ✗ Notes merge ERROR: ${err.message}`);
}
// Step 5: Merge overrides into ivanti_findings.override_host_name / override_dns
console.log('\n── Step 5: Merging finding overrides ──');
try {
const overrides = await sqliteAll(
sqliteDb,
'SELECT finding_id, field, value FROM ivanti_finding_overrides'
);
if (overrides.length === 0) {
console.log(' ○ No finding overrides to merge');
} else {
let mergedCount = 0;
for (const { finding_id, field, value } of overrides) {
if (!finding_id || !field) continue;
let pgColumn;
if (field === 'host_name' || field === 'hostName' || field === 'override_host_name') {
pgColumn = 'override_host_name';
} else if (field === 'dns' || field === 'override_dns') {
pgColumn = 'override_dns';
} else {
// Unknown field — skip
continue;
}
const result = await pool.query(
`UPDATE ivanti_findings SET ${pgColumn} = $1 WHERE id = $2`,
[value, finding_id]
);
if (result.rowCount > 0) mergedCount++;
}
console.log(` ✓ Merged ${mergedCount}/${overrides.length} overrides into ivanti_findings`);
}
} catch (err) {
console.error(` ✗ Overrides merge ERROR: ${err.message}`);
}
// Step 6: Populate ivanti_sync_state from ivanti_findings_cache metadata
console.log('\n── Step 6: Populating sync state and counts cache ──');
try {
const cacheRow = await sqliteGet(sqliteDb, 'SELECT * FROM ivanti_findings_cache WHERE id = 1');
if (cacheRow) {
await pool.query(`
UPDATE ivanti_sync_state SET
total = $1,
synced_at = $2,
sync_status = $3,
error_message = $4
WHERE id = 1
`, [
cacheRow.total || 0,
cacheRow.synced_at || null,
cacheRow.sync_status || 'never',
cacheRow.error_message || null,
]);
console.log(' ✓ ivanti_sync_state updated from ivanti_findings_cache metadata');
}
// Populate ivanti_counts_cache
const countsRow = await sqliteGet(sqliteDb, 'SELECT * FROM ivanti_counts_cache WHERE id = 1');
if (countsRow) {
await pool.query(`
UPDATE ivanti_counts_cache SET
open_count = $1,
closed_count = $2,
synced_at = $3,
fp_workflow_counts_json = $4,
fp_id_counts_json = $5
WHERE id = 1
`, [
countsRow.open_count || 0,
countsRow.closed_count || 0,
countsRow.synced_at || null,
countsRow.fp_workflow_counts_json || '{}',
countsRow.fp_id_counts_json || '{}',
]);
console.log(' ✓ ivanti_counts_cache updated');
}
} catch (err) {
console.error(` ✗ Sync state/counts migration ERROR: ${err.message}`);
}
// Step 7: Verification — compare row counts
console.log('\n── Step 7: Verification ──');
console.log('');
console.log('┌─────────────────────────────────┬──────────┬──────────┬────────┐');
console.log('│ Table │ SQLite │ Postgres │ Status │');
console.log('├─────────────────────────────────┼──────────┼──────────┼────────┤');
let hasDiscrepancy = false;
const verificationTables = [
...migrations.map(m => ({ sqlite: m.sqliteTable, pg: m.pgTable || m.sqliteTable })),
{ sqlite: null, pg: 'ivanti_findings', special: true },
];
for (const { sqlite: sqliteTable, pg: pgTable, special } of verificationTables) {
let sqliteCount = 0;
let pgCount = 0;
try {
if (special && pgTable === 'ivanti_findings') {
// For findings, source count is from the JSON blob
const cacheRow = await sqliteGet(sqliteDb, 'SELECT findings_json FROM ivanti_findings_cache WHERE id = 1');
if (cacheRow && cacheRow.findings_json) {
try {
const parsed = JSON.parse(cacheRow.findings_json);
sqliteCount = Array.isArray(parsed) ? parsed.length : 0;
} catch (e) {
sqliteCount = 0;
}
}
} else if (sqliteTable) {
const tableExists = await sqliteGet(
sqliteDb,
`SELECT name FROM sqlite_master WHERE type='table' AND name=?`,
[sqliteTable]
);
if (tableExists) {
const countRow = await sqliteGet(sqliteDb, `SELECT COUNT(*) as cnt FROM ${sqliteTable}`);
sqliteCount = countRow ? countRow.cnt : 0;
}
}
const pgCountRow = await pool.query(`SELECT COUNT(*) as cnt FROM ${pgTable}`);
pgCount = parseInt(pgCountRow.rows[0].cnt, 10);
} catch (err) {
// Table might not exist in one or both
}
const status = pgCount >= sqliteCount ? ' OK ' : ' WARN ';
if (pgCount < sqliteCount) hasDiscrepancy = true;
const tableDisplay = (pgTable || '').padEnd(31);
const srcDisplay = String(sqliteCount).padStart(6);
const destDisplay = String(pgCount).padStart(6);
console.log(`${tableDisplay}${srcDisplay}${destDisplay}${status}`);
}
console.log('└─────────────────────────────────┴──────────┴──────────┴────────┘');
if (hasDiscrepancy) {
console.log('\n⚠ WARNING: Some tables have fewer rows in Postgres than SQLite.');
console.log(' This may be due to ON CONFLICT DO NOTHING skipping existing rows,');
console.log(' or foreign key constraints preventing insertion.');
}
// Cleanup
await cleanup(sqliteDb, pool);
console.log('\n════════════════════════════════════════════════════════');
if (hasDiscrepancy) {
console.log('Migration completed with warnings. Review discrepancies above.');
} else {
console.log('✓ Migration completed successfully!');
}
console.log('════════════════════════════════════════════════════════\n');
process.exit(hasDiscrepancy ? 0 : 0); // Exit 0 even with warnings (data is safe)
}
// ---------------------------------------------------------------------------
// Cleanup helper
// ---------------------------------------------------------------------------
function cleanup(sqliteDb, pool) {
return new Promise((resolve) => {
sqliteDb.close((err) => {
if (err) console.error('Warning: Error closing SQLite:', err.message);
pool.end()
.then(() => resolve())
.catch(() => resolve());
});
});
}
// ---------------------------------------------------------------------------
// Entry point
// ---------------------------------------------------------------------------
migrate().catch((err) => {
console.error('\n✗ FATAL ERROR:', err.message);
console.error(err.stack);
process.exit(1);
});

48
backend/scripts/parse_compliance_xlsx.py
View File

@@ -12,39 +12,35 @@ Output:
} }
""" """
import sys import sys
import os
import json import json
import re import re
import pandas as pd import pandas as pd
from pathlib import Path from pathlib import Path
METRIC_CATEGORIES = {
'2.3.4i': 'Vulnerability Management',
'2.3.6i': 'Vulnerability Management',
'2.3.8i': 'Vulnerability Management',
'5.2.4': 'Access & MFA',
'5.2.5': 'Access & MFA',
'5.2.6': 'Access & MFA',
'5.3.4': 'Endpoint Protection',
'5.5.2': 'End-of-Life OS',
'5.5.4i': 'Vulnerability Management',
'5.5.5': 'Decommissioned Assets',
'5.8.1': 'Application Security',
'7.1.1': 'Logging & Monitoring',
'7.6.13': 'Disaster Recovery',
'7.6.16': 'Disaster Recovery',
'Missing_AppID': 'Asset Data Quality',
'Missing_DF': 'Asset Data Quality',
'Missing_OS': 'Asset Data Quality',
}
# Columns that go into the main item fields — everything else becomes extra_json def load_config():
CORE_COLS = { """Load parser configuration from compliance_config.json."""
'Preferred - Hostname', 'GRANITE - IPv4_Address', 'GRANITE - Type', script_dir = os.path.dirname(os.path.abspath(__file__))
'Team', 'Compliant', 'Source_Network', 'Vertical', config_path = os.path.join(script_dir, 'compliance_config.json')
'GRANITE - Equip_Inst_ID', 'GRANITE - RESPONSIBLE_TEAM',
}
SKIP_SHEETS = {'Summary', 'CMDB_9box'} try:
with open(config_path, 'r') as f:
config = json.load(f)
except FileNotFoundError:
print(f"Error: Configuration file not found: {config_path}", file=sys.stderr)
sys.exit(1)
except json.JSONDecodeError as e:
print(f"Error: Invalid JSON in configuration file {config_path}: {e}", file=sys.stderr)
sys.exit(1)
return config
_config = load_config()
METRIC_CATEGORIES = _config['metric_categories']
CORE_COLS = set(_config['core_cols'])
SKIP_SHEETS = set(_config['skip_sheets'])
def safe_str(val): def safe_str(val):

1278
backend/server.js
View File

File diff suppressed because it is too large Load Diff

49
backend/setup-postgres.js Normal file
View File

@@ -0,0 +1,49 @@
// Setup Script for CVE Dashboard — PostgreSQL
// Runs the db-schema.sql DDL against the Postgres instance configured in DATABASE_URL.
// Idempotent — safe to run multiple times.
//
// Usage: node backend/setup-postgres.js
//
// Requires DATABASE_URL in .env or environment.
require('dotenv').config({ path: require('path').join(__dirname, '.env') });
const fs = require('fs');
const path = require('path');
const pool = require('./db');
const SCHEMA_FILE = path.join(__dirname, 'db-schema.sql');
async function main() {
console.log('🚀 CVE Dashboard — PostgreSQL Schema Setup\n');
console.log('════════════════════════════════════════\n');
try {
// Verify connection
const { rows } = await pool.query('SELECT version()');
console.log(`✓ Connected to: ${rows[0].version.split(',')[0]}`);
console.log(` Database URL: ${process.env.DATABASE_URL.replace(/:[^:@]+@/, ':***@')}\n`);
// Read and execute schema
const schema = fs.readFileSync(SCHEMA_FILE, 'utf8');
await pool.query(schema);
console.log('✓ Schema created/verified (all tables and indexes)\n');
// Verify table count
const { rows: tables } = await pool.query(
"SELECT COUNT(*) as count FROM information_schema.tables WHERE table_schema = 'public'"
);
console.log(`${tables[0].count} tables in database\n`);
console.log('╔════════════════════════════════════════════════════════╗');
console.log('║ POSTGRESQL SCHEMA SETUP COMPLETE ║');
console.log('╚════════════════════════════════════════════════════════╝\n');
} catch (err) {
console.error('❌ Setup failed:', err.message);
process.exit(1);
} finally {
await pool.end();
}
}
main();

883
backend/setup.js
View File

@@ -1,333 +1,642 @@
// Setup Script for CVE Database // Setup Script for CVE Dashboard v1.0.0
// This creates a fresh database with multi-vendor support built-in // Creates a fresh database with the complete schema including all tables,
// indexes, triggers, and views needed for a new deployment.
//
// Usage: node backend/setup.js
//
// This consolidates the original schema plus all migration scripts into a
// single idempotent setup. Migration scripts in backend/migrations/ are
// retained for reference but are NOT needed on fresh deployments.
const sqlite3 = require('sqlite3').verbose(); const sqlite3 = require('sqlite3').verbose();
const bcrypt = require('bcryptjs'); const bcrypt = require('bcryptjs');
const crypto = require('crypto');
const fs = require('fs'); const fs = require('fs');
const path = require('path'); const path = require('path');
const DB_FILE = './cve_database.db'; const DB_FILE = path.join(__dirname, 'cve_database.db');
const UPLOADS_DIR = './uploads'; const UPLOADS_DIR = path.join(__dirname, 'uploads');
// Initialize database with schema // ---------------------------------------------------------------------------
function initializeDatabase() { // Database helpers
// ---------------------------------------------------------------------------
function dbRun(db, sql, params = []) {
return new Promise((resolve, reject) => { return new Promise((resolve, reject) => {
const db = new sqlite3.Database(DB_FILE, (err) => { db.run(sql, params, function (err) {
if (err) reject(err); if (err) reject(err);
}); else resolve(this);
const schema = `
CREATE TABLE IF NOT EXISTS cves (
id INTEGER PRIMARY KEY AUTOINCREMENT,
cve_id VARCHAR(20) NOT NULL,
vendor VARCHAR(100) NOT NULL,
severity VARCHAR(20) NOT NULL,
description TEXT,
published_date DATE,
status VARCHAR(50) DEFAULT 'Open',
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
UNIQUE(cve_id, vendor)
);
CREATE TABLE IF NOT EXISTS documents (
id INTEGER PRIMARY KEY AUTOINCREMENT,
cve_id VARCHAR(20) NOT NULL,
vendor VARCHAR(100) NOT NULL,
name VARCHAR(255) NOT NULL,
type VARCHAR(50) NOT NULL,
file_path VARCHAR(500) NOT NULL,
file_size VARCHAR(20),
mime_type VARCHAR(100),
uploaded_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
notes TEXT,
FOREIGN KEY (cve_id) REFERENCES cves(cve_id) ON DELETE CASCADE
);
CREATE TABLE IF NOT EXISTS required_documents (
id INTEGER PRIMARY KEY AUTOINCREMENT,
vendor VARCHAR(100) NOT NULL,
document_type VARCHAR(50) NOT NULL,
is_mandatory BOOLEAN DEFAULT 1,
description TEXT
);
CREATE INDEX IF NOT EXISTS idx_cve_id ON cves(cve_id);
CREATE INDEX IF NOT EXISTS idx_vendor ON cves(vendor);
CREATE INDEX IF NOT EXISTS idx_severity ON cves(severity);
CREATE INDEX IF NOT EXISTS idx_status ON cves(status);
CREATE INDEX IF NOT EXISTS idx_doc_cve_id ON documents(cve_id);
CREATE INDEX IF NOT EXISTS idx_doc_vendor ON documents(vendor);
CREATE INDEX IF NOT EXISTS idx_doc_type ON documents(type);
-- Users table for authentication
CREATE TABLE IF NOT EXISTS users (
id INTEGER PRIMARY KEY AUTOINCREMENT,
username VARCHAR(50) UNIQUE NOT NULL,
email VARCHAR(255) UNIQUE NOT NULL,
password_hash VARCHAR(255) NOT NULL,
role VARCHAR(20) NOT NULL DEFAULT 'viewer',
is_active BOOLEAN DEFAULT 1,
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
last_login TIMESTAMP,
CHECK (role IN ('admin', 'editor', 'viewer'))
);
-- Sessions table for session management
CREATE TABLE IF NOT EXISTS sessions (
id INTEGER PRIMARY KEY AUTOINCREMENT,
session_id VARCHAR(255) UNIQUE NOT NULL,
user_id INTEGER NOT NULL,
expires_at TIMESTAMP NOT NULL,
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
);
CREATE INDEX IF NOT EXISTS idx_sessions_session_id ON sessions(session_id);
CREATE INDEX IF NOT EXISTS idx_sessions_user_id ON sessions(user_id);
CREATE INDEX IF NOT EXISTS idx_sessions_expires ON sessions(expires_at);
CREATE INDEX IF NOT EXISTS idx_users_username ON users(username);
-- Audit log table for tracking user actions
CREATE TABLE IF NOT EXISTS audit_logs (
id INTEGER PRIMARY KEY AUTOINCREMENT,
user_id INTEGER,
username VARCHAR(50) NOT NULL,
action VARCHAR(50) NOT NULL,
entity_type VARCHAR(50) NOT NULL,
entity_id VARCHAR(100),
details TEXT,
ip_address VARCHAR(45),
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);
CREATE INDEX IF NOT EXISTS idx_audit_user_id ON audit_logs(user_id);
CREATE INDEX IF NOT EXISTS idx_audit_action ON audit_logs(action);
CREATE INDEX IF NOT EXISTS idx_audit_entity_type ON audit_logs(entity_type);
CREATE INDEX IF NOT EXISTS idx_audit_created_at ON audit_logs(created_at);
INSERT OR IGNORE INTO required_documents (vendor, document_type, is_mandatory, description) VALUES
('Microsoft', 'advisory', 1, 'Official Microsoft Security Advisory'),
('Microsoft', 'screenshot', 0, 'Proof of patch application'),
('Cisco', 'advisory', 1, 'Cisco Security Advisory'),
('Oracle', 'advisory', 1, 'Oracle Security Alert'),
('VMware', 'advisory', 1, 'VMware Security Advisory'),
('Adobe', 'advisory', 1, 'Adobe Security Bulletin');
CREATE VIEW IF NOT EXISTS cve_document_status AS
SELECT
c.id as record_id,
c.cve_id,
c.vendor,
c.severity,
c.status,
COUNT(DISTINCT d.id) as total_documents,
COUNT(DISTINCT CASE WHEN d.type = 'advisory' THEN d.id END) as advisory_count,
COUNT(DISTINCT CASE WHEN d.type = 'email' THEN d.id END) as email_count,
COUNT(DISTINCT CASE WHEN d.type = 'screenshot' THEN d.id END) as screenshot_count,
CASE
WHEN COUNT(DISTINCT CASE WHEN d.type = 'advisory' THEN d.id END) > 0
THEN 'Complete'
ELSE 'Missing Required Docs'
END as compliance_status
FROM cves c
LEFT JOIN documents d ON c.cve_id = d.cve_id AND c.vendor = d.vendor
GROUP BY c.id, c.cve_id, c.vendor, c.severity, c.status;
`;
db.exec(schema, (err) => {
if (err) {
reject(err);
} else {
console.log('✓ Database initialized successfully');
resolve(db);
}
}); });
}); });
} }
// Create uploads directory structure function dbGet(db, sql, params = []) {
function createUploadsDirectory() {
if (!fs.existsSync(UPLOADS_DIR)) {
fs.mkdirSync(UPLOADS_DIR, { recursive: true });
console.log('✓ Created uploads directory');
} else {
console.log('✓ Uploads directory already exists');
}
}
// Create default admin user
async function createDefaultAdmin(db) {
return new Promise((resolve, reject) => { return new Promise((resolve, reject) => {
// Check if admin already exists db.get(sql, params, (err, row) => {
db.get('SELECT id FROM users WHERE username = ?', ['admin'], async (err, row) => { if (err) reject(err);
if (err) { else resolve(row);
reject(err);
return;
}
if (row) {
console.log('✓ Default admin user already exists');
resolve();
return;
}
// Create admin user with password 'admin123'
const passwordHash = await bcrypt.hash('admin123', 10);
db.run(
`INSERT INTO users (username, email, password_hash, role, is_active)
VALUES (?, ?, ?, ?, ?)`,
['admin', 'admin@localhost', passwordHash, 'admin', 1],
(err) => {
if (err) {
reject(err);
} else {
console.log('✓ Created default admin user (admin/admin123)');
resolve();
}
}
);
}); });
}); });
} }
// Add sample CVE data (optional - for testing) function dbExec(db, sql) {
async function addSampleData(db) { return new Promise((resolve, reject) => {
console.log('\n📝 Adding sample CVE data for testing...'); db.exec(sql, (err) => {
if (err) reject(err);
const sampleCVEs = [ else resolve();
{ });
cve_id: 'CVE-2024-SAMPLE-1', });
vendor: 'Microsoft', }
severity: 'Critical',
description: 'Sample remote code execution vulnerability', // ---------------------------------------------------------------------------
published_date: '2024-01-15' // Schema — complete v1.0.0 database structure
}, // ---------------------------------------------------------------------------
{ async function initializeDatabase(db) {
cve_id: 'CVE-2024-SAMPLE-1', await dbExec(db, `
vendor: 'Cisco',
severity: 'High', -- =================================================================
description: 'Sample remote code execution vulnerability', -- Core CVE tracking tables
published_date: '2024-01-15' -- =================================================================
}
CREATE TABLE IF NOT EXISTS cves (
id INTEGER PRIMARY KEY AUTOINCREMENT,
cve_id VARCHAR(20) NOT NULL,
vendor VARCHAR(100) NOT NULL,
severity VARCHAR(20) NOT NULL,
description TEXT,
published_date DATE,
status VARCHAR(50) DEFAULT 'Open',
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
UNIQUE(cve_id, vendor)
);
CREATE TABLE IF NOT EXISTS documents (
id INTEGER PRIMARY KEY AUTOINCREMENT,
cve_id VARCHAR(20) NOT NULL,
vendor VARCHAR(100) NOT NULL,
name VARCHAR(255) NOT NULL,
type VARCHAR(50) NOT NULL,
file_path VARCHAR(500) NOT NULL,
file_size VARCHAR(20),
mime_type VARCHAR(100),
uploaded_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
notes TEXT,
FOREIGN KEY (cve_id) REFERENCES cves(cve_id) ON DELETE CASCADE
);
CREATE TABLE IF NOT EXISTS required_documents (
id INTEGER PRIMARY KEY AUTOINCREMENT,
vendor VARCHAR(100) NOT NULL,
document_type VARCHAR(50) NOT NULL,
is_mandatory BOOLEAN DEFAULT 1,
description TEXT
);
CREATE INDEX IF NOT EXISTS idx_cve_id ON cves(cve_id);
CREATE INDEX IF NOT EXISTS idx_vendor ON cves(vendor);
CREATE INDEX IF NOT EXISTS idx_severity ON cves(severity);
CREATE INDEX IF NOT EXISTS idx_status ON cves(status);
CREATE INDEX IF NOT EXISTS idx_doc_cve_id ON documents(cve_id);
CREATE INDEX IF NOT EXISTS idx_doc_vendor ON documents(vendor);
CREATE INDEX IF NOT EXISTS idx_doc_type ON documents(type);
-- =================================================================
-- Authentication and session management
-- =================================================================
CREATE TABLE IF NOT EXISTS users (
id INTEGER PRIMARY KEY AUTOINCREMENT,
username VARCHAR(50) UNIQUE NOT NULL,
email VARCHAR(255) UNIQUE NOT NULL,
password_hash VARCHAR(255) NOT NULL,
role VARCHAR(20) NOT NULL DEFAULT 'viewer',
is_active BOOLEAN DEFAULT 1,
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
last_login TIMESTAMP,
user_group VARCHAR(20) NOT NULL DEFAULT 'Read_Only',
bu_teams TEXT NOT NULL DEFAULT '',
CHECK (role IN ('admin', 'editor', 'viewer'))
);
CREATE TABLE IF NOT EXISTS sessions (
id INTEGER PRIMARY KEY AUTOINCREMENT,
session_id VARCHAR(255) UNIQUE NOT NULL,
user_id INTEGER NOT NULL,
expires_at TIMESTAMP NOT NULL,
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
);
CREATE INDEX IF NOT EXISTS idx_sessions_session_id ON sessions(session_id);
CREATE INDEX IF NOT EXISTS idx_sessions_user_id ON sessions(user_id);
CREATE INDEX IF NOT EXISTS idx_sessions_expires ON sessions(expires_at);
CREATE INDEX IF NOT EXISTS idx_users_username ON users(username);
CREATE INDEX IF NOT EXISTS idx_users_user_group ON users(user_group);
-- =================================================================
-- Audit logging
-- =================================================================
CREATE TABLE IF NOT EXISTS audit_logs (
id INTEGER PRIMARY KEY AUTOINCREMENT,
user_id INTEGER,
username VARCHAR(50) NOT NULL,
action VARCHAR(50) NOT NULL,
entity_type VARCHAR(50) NOT NULL,
entity_id VARCHAR(100),
details TEXT,
ip_address VARCHAR(45),
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);
CREATE INDEX IF NOT EXISTS idx_audit_user_id ON audit_logs(user_id);
CREATE INDEX IF NOT EXISTS idx_audit_action ON audit_logs(action);
CREATE INDEX IF NOT EXISTS idx_audit_entity_type ON audit_logs(entity_type);
CREATE INDEX IF NOT EXISTS idx_audit_created_at ON audit_logs(created_at);
-- =================================================================
-- Jira integration
-- =================================================================
CREATE TABLE IF NOT EXISTS jira_tickets (
id INTEGER PRIMARY KEY AUTOINCREMENT,
cve_id TEXT NOT NULL,
vendor TEXT NOT NULL,
ticket_key TEXT NOT NULL,
url TEXT,
summary TEXT,
status TEXT DEFAULT 'Open' CHECK(status IN ('Open', 'In Progress', 'Closed')),
created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
updated_at DATETIME DEFAULT CURRENT_TIMESTAMP,
FOREIGN KEY (cve_id, vendor) REFERENCES cves(cve_id, vendor) ON DELETE CASCADE
);
CREATE INDEX IF NOT EXISTS idx_jira_tickets_cve ON jira_tickets(cve_id, vendor);
CREATE INDEX IF NOT EXISTS idx_jira_tickets_status ON jira_tickets(status);
-- =================================================================
-- Archer integration
-- =================================================================
CREATE TABLE IF NOT EXISTS archer_tickets (
id INTEGER PRIMARY KEY AUTOINCREMENT,
exc_number TEXT NOT NULL UNIQUE,
archer_url TEXT,
status TEXT DEFAULT 'Draft' CHECK(status IN ('Draft', 'Open', 'Under Review', 'Accepted')),
cve_id TEXT NOT NULL,
vendor TEXT NOT NULL,
created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
updated_at DATETIME DEFAULT CURRENT_TIMESTAMP,
FOREIGN KEY (cve_id, vendor) REFERENCES cves(cve_id, vendor) ON DELETE CASCADE
);
CREATE INDEX IF NOT EXISTS idx_archer_tickets_cve ON archer_tickets(cve_id, vendor);
CREATE INDEX IF NOT EXISTS idx_archer_tickets_status ON archer_tickets(status);
CREATE INDEX IF NOT EXISTS idx_archer_tickets_exc ON archer_tickets(exc_number);
-- =================================================================
-- Knowledge base
-- =================================================================
CREATE TABLE IF NOT EXISTS knowledge_base (
id INTEGER PRIMARY KEY AUTOINCREMENT,
title VARCHAR(255) NOT NULL,
slug VARCHAR(255) UNIQUE NOT NULL,
description TEXT,
category VARCHAR(100),
file_path VARCHAR(500),
file_name VARCHAR(255),
file_type VARCHAR(50),
file_size INTEGER,
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
created_by INTEGER,
FOREIGN KEY (created_by) REFERENCES users(id)
);
CREATE INDEX IF NOT EXISTS idx_knowledge_base_slug ON knowledge_base(slug);
CREATE INDEX IF NOT EXISTS idx_knowledge_base_category ON knowledge_base(category);
CREATE INDEX IF NOT EXISTS idx_knowledge_base_created_at ON knowledge_base(created_at DESC);
-- =================================================================
-- Ivanti findings sync and cache
-- =================================================================
CREATE TABLE IF NOT EXISTS ivanti_sync_state (
id INTEGER PRIMARY KEY CHECK (id = 1),
total INTEGER DEFAULT 0,
workflows_json TEXT DEFAULT '[]',
synced_at DATETIME,
sync_status TEXT DEFAULT 'never',
error_message TEXT
);
CREATE TABLE IF NOT EXISTS ivanti_findings_cache (
id INTEGER PRIMARY KEY CHECK (id = 1),
total INTEGER DEFAULT 0,
findings_json TEXT DEFAULT '[]',
synced_at DATETIME,
sync_status TEXT DEFAULT 'never',
error_message TEXT
);
CREATE TABLE IF NOT EXISTS ivanti_finding_notes (
id INTEGER PRIMARY KEY AUTOINCREMENT,
finding_id TEXT NOT NULL UNIQUE,
note TEXT NOT NULL DEFAULT '',
updated_at DATETIME DEFAULT CURRENT_TIMESTAMP
);
CREATE INDEX IF NOT EXISTS idx_finding_notes_finding_id ON ivanti_finding_notes(finding_id);
CREATE TABLE IF NOT EXISTS ivanti_counts_cache (
id INTEGER PRIMARY KEY CHECK (id = 1),
open_count INTEGER DEFAULT 0,
closed_count INTEGER DEFAULT 0,
synced_at DATETIME,
fp_workflow_counts_json TEXT DEFAULT '{}',
fp_id_counts_json TEXT DEFAULT '{}'
);
CREATE TABLE IF NOT EXISTS ivanti_finding_overrides (
id INTEGER PRIMARY KEY AUTOINCREMENT,
finding_id TEXT NOT NULL,
field TEXT NOT NULL,
value TEXT NOT NULL DEFAULT '',
updated_at DATETIME DEFAULT CURRENT_TIMESTAMP,
UNIQUE(finding_id, field)
);
CREATE INDEX IF NOT EXISTS idx_finding_overrides_finding_id ON ivanti_finding_overrides(finding_id);
CREATE TABLE IF NOT EXISTS ivanti_counts_history (
id INTEGER PRIMARY KEY AUTOINCREMENT,
open_count INTEGER NOT NULL,
closed_count INTEGER NOT NULL,
recorded_at DATETIME DEFAULT CURRENT_TIMESTAMP
);
-- =================================================================
-- Ivanti FP (False Positive) submissions
-- =================================================================
CREATE TABLE IF NOT EXISTS ivanti_fp_submissions (
id INTEGER PRIMARY KEY AUTOINCREMENT,
user_id INTEGER NOT NULL,
username TEXT NOT NULL,
ivanti_workflow_batch_id INTEGER,
ivanti_generated_id TEXT,
ivanti_workflow_batch_uuid TEXT,
workflow_name TEXT NOT NULL,
reason TEXT NOT NULL,
description TEXT,
expiration_date TEXT NOT NULL,
scope_override TEXT NOT NULL DEFAULT 'Authorized',
finding_ids_json TEXT NOT NULL,
queue_item_ids_json TEXT NOT NULL,
attachment_count INTEGER DEFAULT 0,
attachment_results_json TEXT,
status TEXT NOT NULL DEFAULT 'success' CHECK(status IN ('success', 'partial', 'failed')),
lifecycle_status TEXT NOT NULL DEFAULT 'submitted' CHECK(lifecycle_status IN ('submitted', 'approved', 'rejected', 'rework', 'resubmitted')),
error_message TEXT,
created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
updated_at DATETIME DEFAULT NULL
);
CREATE INDEX IF NOT EXISTS idx_fp_submissions_user ON ivanti_fp_submissions(user_id);
CREATE INDEX IF NOT EXISTS idx_fp_submissions_ivanti_id ON ivanti_fp_submissions(ivanti_generated_id);
CREATE TABLE IF NOT EXISTS ivanti_fp_submission_history (
id INTEGER PRIMARY KEY AUTOINCREMENT,
submission_id INTEGER NOT NULL,
user_id INTEGER NOT NULL,
username TEXT NOT NULL,
change_type TEXT NOT NULL CHECK(change_type IN (
'created', 'fields_updated', 'findings_added',
'attachments_added', 'status_changed'
)),
change_details_json TEXT,
created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
FOREIGN KEY (submission_id) REFERENCES ivanti_fp_submissions(id) ON DELETE CASCADE
);
CREATE INDEX IF NOT EXISTS idx_fp_history_submission ON ivanti_fp_submission_history(submission_id);
-- =================================================================
-- Ivanti todo queue (FP, Archer, CARD, GRANITE workflows)
-- =================================================================
CREATE TABLE IF NOT EXISTS ivanti_todo_queue (
id INTEGER PRIMARY KEY AUTOINCREMENT,
user_id INTEGER NOT NULL,
finding_id TEXT NOT NULL,
finding_title TEXT,
cves_json TEXT,
ip_address TEXT,
hostname TEXT,
vendor TEXT NOT NULL,
workflow_type TEXT NOT NULL CHECK(workflow_type IN ('FP', 'Archer', 'CARD', 'GRANITE')),
status TEXT NOT NULL DEFAULT 'pending' CHECK(status IN ('pending', 'complete')),
created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
updated_at DATETIME DEFAULT CURRENT_TIMESTAMP,
FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
);
CREATE INDEX IF NOT EXISTS idx_todo_queue_user ON ivanti_todo_queue(user_id, status);
-- =================================================================
-- Ivanti archive detection and anomaly tracking
-- =================================================================
CREATE TABLE IF NOT EXISTS ivanti_finding_archives (
id INTEGER PRIMARY KEY AUTOINCREMENT,
finding_id TEXT NOT NULL UNIQUE,
finding_title TEXT NOT NULL DEFAULT '',
host_name TEXT NOT NULL DEFAULT '',
ip_address TEXT NOT NULL DEFAULT '',
current_state TEXT NOT NULL CHECK(current_state IN ('ARCHIVED','RETURNED','CLOSED','CLOSED_GONE')),
last_severity REAL NOT NULL DEFAULT 0,
first_archived_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
last_transition_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
created_at DATETIME DEFAULT CURRENT_TIMESTAMP
);
CREATE INDEX IF NOT EXISTS idx_archive_finding_id ON ivanti_finding_archives(finding_id);
CREATE INDEX IF NOT EXISTS idx_archive_current_state ON ivanti_finding_archives(current_state);
CREATE TABLE IF NOT EXISTS ivanti_archive_transitions (
id INTEGER PRIMARY KEY AUTOINCREMENT,
archive_id INTEGER NOT NULL,
from_state TEXT NOT NULL,
to_state TEXT NOT NULL,
severity_at_transition REAL NOT NULL DEFAULT 0,
reason TEXT NOT NULL DEFAULT '',
transitioned_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
FOREIGN KEY (archive_id) REFERENCES ivanti_finding_archives(id)
);
CREATE INDEX IF NOT EXISTS idx_transition_archive_id ON ivanti_archive_transitions(archive_id);
CREATE TABLE IF NOT EXISTS ivanti_sync_anomaly_log (
id INTEGER PRIMARY KEY AUTOINCREMENT,
sync_timestamp DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
open_count_delta INTEGER NOT NULL DEFAULT 0,
closed_count_delta INTEGER NOT NULL DEFAULT 0,
newly_archived_count INTEGER NOT NULL DEFAULT 0,
returned_count INTEGER NOT NULL DEFAULT 0,
classification_json TEXT NOT NULL DEFAULT '{}',
return_classification_json TEXT NOT NULL DEFAULT '{}',
is_significant INTEGER NOT NULL DEFAULT 0,
created_at DATETIME DEFAULT CURRENT_TIMESTAMP
);
CREATE INDEX IF NOT EXISTS idx_anomaly_sync_timestamp ON ivanti_sync_anomaly_log(sync_timestamp);
CREATE TABLE IF NOT EXISTS ivanti_finding_bu_history (
id INTEGER PRIMARY KEY AUTOINCREMENT,
finding_id TEXT NOT NULL,
finding_title TEXT NOT NULL DEFAULT '',
host_name TEXT NOT NULL DEFAULT '',
previous_bu TEXT NOT NULL,
new_bu TEXT NOT NULL,
detected_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
created_at DATETIME DEFAULT CURRENT_TIMESTAMP
);
CREATE INDEX IF NOT EXISTS idx_bu_history_finding_id ON ivanti_finding_bu_history(finding_id);
CREATE INDEX IF NOT EXISTS idx_bu_history_detected_at ON ivanti_finding_bu_history(detected_at);
-- =================================================================
-- Atlas action plans cache
-- =================================================================
CREATE TABLE IF NOT EXISTS atlas_action_plans_cache (
id INTEGER PRIMARY KEY AUTOINCREMENT,
host_id INTEGER NOT NULL UNIQUE,
has_action_plan INTEGER NOT NULL DEFAULT 0,
plan_count INTEGER NOT NULL DEFAULT 0,
plans_json TEXT NOT NULL DEFAULT '[]',
synced_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP
);
CREATE INDEX IF NOT EXISTS idx_atlas_cache_host_id ON atlas_action_plans_cache(host_id);
-- =================================================================
-- Compliance (NTS AEO) tracking
-- =================================================================
CREATE TABLE IF NOT EXISTS compliance_uploads (
id INTEGER PRIMARY KEY AUTOINCREMENT,
filename TEXT NOT NULL,
report_date TEXT,
uploaded_by INTEGER,
uploaded_at DATETIME DEFAULT CURRENT_TIMESTAMP,
new_count INTEGER DEFAULT 0,
resolved_count INTEGER DEFAULT 0,
recurring_count INTEGER DEFAULT 0,
summary_json TEXT,
FOREIGN KEY (uploaded_by) REFERENCES users(id) ON DELETE SET NULL
);
CREATE TABLE IF NOT EXISTS compliance_items (
id INTEGER PRIMARY KEY AUTOINCREMENT,
upload_id INTEGER NOT NULL,
hostname TEXT NOT NULL,
ip_address TEXT,
device_type TEXT,
team TEXT,
metric_id TEXT NOT NULL,
metric_desc TEXT,
category TEXT,
extra_json TEXT,
status TEXT NOT NULL DEFAULT 'active' CHECK(status IN ('active', 'resolved')),
first_seen_upload_id INTEGER,
resolved_upload_id INTEGER,
seen_count INTEGER DEFAULT 1,
created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
FOREIGN KEY (upload_id) REFERENCES compliance_uploads(id) ON DELETE CASCADE,
FOREIGN KEY (first_seen_upload_id) REFERENCES compliance_uploads(id) ON DELETE SET NULL,
FOREIGN KEY (resolved_upload_id) REFERENCES compliance_uploads(id) ON DELETE SET NULL
);
CREATE INDEX IF NOT EXISTS idx_compliance_items_upload ON compliance_items(upload_id);
CREATE INDEX IF NOT EXISTS idx_compliance_items_identity ON compliance_items(hostname, metric_id);
CREATE INDEX IF NOT EXISTS idx_compliance_items_team_status ON compliance_items(team, status);
CREATE TABLE IF NOT EXISTS compliance_notes (
id INTEGER PRIMARY KEY AUTOINCREMENT,
hostname TEXT NOT NULL,
metric_id TEXT NOT NULL,
note TEXT NOT NULL,
group_id TEXT,
created_by INTEGER,
created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
FOREIGN KEY (created_by) REFERENCES users(id) ON DELETE SET NULL
);
CREATE INDEX IF NOT EXISTS idx_compliance_notes_identity ON compliance_notes(hostname, metric_id);
CREATE INDEX IF NOT EXISTS idx_compliance_notes_group ON compliance_notes(group_id);
-- =================================================================
-- Document compliance view
-- =================================================================
CREATE VIEW IF NOT EXISTS cve_document_status AS
SELECT
c.id as record_id,
c.cve_id,
c.vendor,
c.severity,
c.status,
COUNT(DISTINCT d.id) as total_documents,
COUNT(DISTINCT CASE WHEN d.type = 'advisory' THEN d.id END) as advisory_count,
COUNT(DISTINCT CASE WHEN d.type = 'email' THEN d.id END) as email_count,
COUNT(DISTINCT CASE WHEN d.type = 'screenshot' THEN d.id END) as screenshot_count,
CASE
WHEN COUNT(DISTINCT CASE WHEN d.type = 'advisory' THEN d.id END) > 0
THEN 'Complete'
ELSE 'Missing Required Docs'
END as compliance_status
FROM cves c
LEFT JOIN documents d ON c.cve_id = d.cve_id AND c.vendor = d.vendor
GROUP BY c.id, c.cve_id, c.vendor, c.severity, c.status;
-- =================================================================
-- Seed data
-- =================================================================
INSERT OR IGNORE INTO required_documents (vendor, document_type, is_mandatory, description) VALUES
('Microsoft', 'advisory', 1, 'Official Microsoft Security Advisory'),
('Microsoft', 'screenshot', 0, 'Proof of patch application'),
('Cisco', 'advisory', 1, 'Cisco Security Advisory'),
('Oracle', 'advisory', 1, 'Oracle Security Alert'),
('VMware', 'advisory', 1, 'VMware Security Advisory'),
('Adobe', 'advisory', 1, 'Adobe Security Bulletin');
`);
console.log('✓ Database schema initialized');
// User group validation triggers (cannot be in db.exec multi-statement)
await dbRun(db, `
CREATE TRIGGER IF NOT EXISTS check_user_group_insert
BEFORE INSERT ON users
FOR EACH ROW
WHEN NEW.user_group NOT IN ('Admin', 'Standard_User', 'Leadership', 'Read_Only')
BEGIN
SELECT RAISE(ABORT, 'Invalid user_group value. Must be Admin, Standard_User, Leadership, or Read_Only');
END
`);
await dbRun(db, `
CREATE TRIGGER IF NOT EXISTS check_user_group_update
BEFORE UPDATE OF user_group ON users
FOR EACH ROW
WHEN NEW.user_group NOT IN ('Admin', 'Standard_User', 'Leadership', 'Read_Only')
BEGIN
SELECT RAISE(ABORT, 'Invalid user_group value. Must be Admin, Standard_User, Leadership, or Read_Only');
END
`);
console.log('✓ Triggers created');
}
// ---------------------------------------------------------------------------
// Directory setup
// ---------------------------------------------------------------------------
function createDirectories() {
const dirs = [
UPLOADS_DIR,
path.join(UPLOADS_DIR, 'temp'),
path.join(UPLOADS_DIR, 'knowledge_base'),
]; ];
for (const dir of dirs) {
for (const cve of sampleCVEs) { if (!fs.existsSync(dir)) {
await new Promise((resolve, reject) => { fs.mkdirSync(dir, { recursive: true });
db.run( console.log(`✓ Created directory: ${path.relative(__dirname, dir)}`);
`INSERT OR IGNORE INTO cves (cve_id, vendor, severity, description, published_date) }
VALUES (?, ?, ?, ?, ?)`,
[cve.cve_id, cve.vendor, cve.severity, cve.description, cve.published_date],
(err) => {
if (err) reject(err);
else {
console.log(` ✓ Added sample: ${cve.cve_id} / ${cve.vendor}`);
resolve();
}
}
);
});
} }
console.log(' Sample data added - demonstrates multi-vendor support');
} }
// Verify database structure // ---------------------------------------------------------------------------
async function verifySetup(db) { // Default admin user
return new Promise((resolve) => { // ---------------------------------------------------------------------------
db.get('SELECT sql FROM sqlite_master WHERE type="table" AND name="cves"', (err, row) => { async function createDefaultAdmin(db) {
if (err) { const existing = await dbGet(db, 'SELECT id FROM users WHERE username = ?', ['admin']);
console.error('Warning: Could not verify setup:', err); if (existing) {
} else { console.log('✓ Default admin user already exists');
console.log('\n📋 CVEs table structure:'); return;
console.log(row.sql); }
// Check if UNIQUE constraint is correct const generatedPassword = crypto.randomBytes(12).toString('base64url');
if (row.sql.includes('UNIQUE(cve_id, vendor)')) { const passwordHash = await bcrypt.hash(generatedPassword, 10);
console.log('\n✅ Multi-vendor support: ENABLED');
} else { await dbRun(db,
console.log('\n⚠ Warning: Multi-vendor constraint may not be set correctly'); `INSERT INTO users (username, email, password_hash, role, user_group, is_active)
} VALUES (?, ?, ?, ?, ?, ?)`,
} ['admin', 'admin@localhost', passwordHash, 'admin', 'Admin', 1]
resolve(); );
});
}); console.log('✓ Created default admin user');
console.log(`\n ╔══════════════════════════════════════════╗`);
console.log(` ║ Admin credentials (save these now!) ║`);
console.log(` ║ Username: admin ║`);
console.log(` ║ Password: ${generatedPassword.padEnd(29)}`);
console.log(` ╚══════════════════════════════════════════╝\n`);
} }
// Display setup summary // ---------------------------------------------------------------------------
// Setup summary
// ---------------------------------------------------------------------------
function displaySummary() { function displaySummary() {
console.log('\n╔════════════════════════════════════════════════════════╗'); console.log('\n╔════════════════════════════════════════════════════════╗');
console.log('║ CVE DATABASE SETUP COMPLETE! ║'); console.log('║ CVE DASHBOARD v1.0.0 — SETUP COMPLETE ║');
console.log('╚════════════════════════════════════════════════════════╝'); console.log('╚════════════════════════════════════════════════════════╝');
console.log('\n📊 What was created:'); console.log('\n📊 Tables created:');
console.log(' ✓ SQLite database (cve_database.db)'); console.log(' Core: cves, documents, required_documents');
console.log(' ✓ Tables: cves, documents, required_documents, users, sessions, audit_logs'); console.log(' Auth: users, sessions');
console.log(' ✓ Multi-vendor support with UNIQUE(cve_id, vendor)'); console.log(' Audit: audit_logs');
console.log(' ✓ Vendor column in documents table'); console.log(' Jira: jira_tickets');
console.log(' ✓ User authentication with session-based auth'); console.log(' Archer: archer_tickets');
console.log(' ✓ Indexes for fast queries'); console.log(' KB: knowledge_base');
console.log(' ✓ Document compliance view'); console.log(' Ivanti: ivanti_sync_state, ivanti_findings_cache,');
console.log(' ✓ Uploads directory for file storage'); console.log(' ivanti_finding_notes, ivanti_counts_cache,');
console.log(' ✓ Default admin user (admin/admin123)'); console.log(' ivanti_finding_overrides, ivanti_counts_history,');
console.log('\n📁 File structure will be:'); console.log(' ivanti_fp_submissions, ivanti_fp_submission_history,');
console.log(' uploads/'); console.log(' ivanti_todo_queue');
console.log(' └── CVE-XXXX-XXXX/'); console.log(' Archives: ivanti_finding_archives, ivanti_archive_transitions,');
console.log(' ├── Vendor1/'); console.log(' ivanti_sync_anomaly_log, ivanti_finding_bu_history');
console.log(' │ ├── advisory.pdf'); console.log(' Atlas: atlas_action_plans_cache');
console.log(' │ └── screenshot.png'); console.log(' Compliance: compliance_uploads, compliance_items, compliance_notes');
console.log(' └── Vendor2/');
console.log(' └── advisory.pdf');
console.log('\n🚀 Next steps:'); console.log('\n🚀 Next steps:');
console.log(' 1. Start the backend API:'); console.log(' 1. Copy .env.example to .env and configure API keys');
console.log(' → cd backend && node server.js'); console.log(' 2. Start the backend: node backend/server.js');
console.log(' 2. Start the frontend:'); console.log(' 3. Build the frontend: cd frontend && npm run build');
console.log(' → cd frontend && npm start'); console.log(' 4. Open the dashboard and log in with the admin credentials above\n');
console.log(' 3. Open http://localhost:3000');
console.log(' 4. Start adding CVEs with multiple vendors!');
console.log('\n💡 Key Features:');
console.log(' • Add same CVE-ID with different vendors');
console.log(' • Each vendor has separate document storage');
console.log(' • Quick Check shows all vendors for a CVE');
console.log(' • Document compliance tracking per vendor');
console.log(' • Required docs: Advisory (mandatory for most vendors)\n');
} }
// Main execution // ---------------------------------------------------------------------------
// Main
// ---------------------------------------------------------------------------
async function main() { async function main() {
console.log('🚀 CVE Database Setup (Multi-Vendor Support)\n'); console.log('🚀 CVE Dashboard v1.0.0 — Database Setup\n');
console.log('════════════════════════════════════════\n'); console.log('════════════════════════════════════════\n');
try {
// Create uploads directory
createUploadsDirectory();
// Initialize database
const db = await initializeDatabase();
// Create default admin user try {
createDirectories();
const db = new sqlite3.Database(DB_FILE);
await initializeDatabase(db);
await createDefaultAdmin(db); await createDefaultAdmin(db);
// Add sample data
await addSampleData(db);
// Verify setup
await verifySetup(db);
// Close database connection
db.close((err) => { db.close((err) => {
if (err) console.error('Error closing database:', err); if (err) console.error('Error closing database:', err);
else console.log('\n✓ Database connection closed'); else console.log('✓ Database connection closed');
// Display summary
displaySummary(); displaySummary();
}); });
} catch (error) { } catch (error) {
console.error('❌ Setup Error:', error); console.error('❌ Setup Error:', error);
process.exit(1); process.exit(1);
} }
} }
// Run the setup
main(); main();

1482
configure.js Normal file
View File

File diff suppressed because it is too large Load Diff

BIN
cve_database.db Normal file
View File

Binary file not shown.

0
cve_database.db.backup Normal file
View File

0
database.db Normal file
View File

16
deploy/cve-backend-production.service Normal file
View File

@@ -0,0 +1,16 @@
[Unit]
Description=CVE Dashboard Backend (Express API)
After=network.target
[Service]
Type=simple
WorkingDirectory=/home/cve-dashboard/backend
ExecStart=/usr/bin/node server.js
Restart=on-failure
RestartSec=5
EnvironmentFile=/home/cve-dashboard/backend/.env
StandardOutput=append:/home/cve-dashboard/backend/backend.log
StandardError=append:/home/cve-dashboard/backend/backend.log
[Install]
WantedBy=multi-user.target

17
deploy/cve-backend-staging.service Normal file
View File

@@ -0,0 +1,17 @@
[Unit]
Description=CVE Dashboard Backend - Staging (Express API on port 3100)
After=network.target
[Service]
Type=simple
WorkingDirectory=/home/cve-dashboard-staging/backend
ExecStart=/usr/bin/node server.js
Restart=on-failure
RestartSec=5
EnvironmentFile=/home/cve-dashboard-staging/backend/.env
Environment=PORT=3100
StandardOutput=append:/home/cve-dashboard-staging/backend/backend-staging.log
StandardError=append:/home/cve-dashboard-staging/backend/backend-staging.log
[Install]
WantedBy=multi-user.target

50
deploy/setup-staging.sh Executable file
View File

@@ -0,0 +1,50 @@
#!/bin/bash
# =============================================================================
# One-time setup for the staging environment
# Run this once on dashboard-dev to prepare the staging deployment target.
# =============================================================================
set -e
STAGING_DIR="/home/cve-dashboard-staging"
SERVICE_FILE="deploy/cve-backend-staging.service"
echo "Setting up staging environment..."
# Create staging directory if it doesn't exist
if [ ! -d "$STAGING_DIR" ]; then
echo "Creating $STAGING_DIR..."
mkdir -p "$STAGING_DIR"
fi
# Copy the staging systemd service
echo "Installing staging systemd service..."
sudo cp "$SERVICE_FILE" /etc/systemd/system/cve-backend-staging.service
sudo systemctl daemon-reload
sudo systemctl enable cve-backend-staging
# Create staging .env from production template (adjust port)
if [ ! -f "$STAGING_DIR/backend/.env" ]; then
echo "Creating staging .env..."
mkdir -p "$STAGING_DIR/backend"
if [ -f "/home/cve-dashboard/backend/.env" ]; then
cp /home/cve-dashboard/backend/.env "$STAGING_DIR/backend/.env"
# Override port for staging
sed -i 's/^PORT=.*/PORT=3100/' "$STAGING_DIR/backend/.env"
# If PORT line doesn't exist, add it
grep -q "^PORT=" "$STAGING_DIR/backend/.env" || echo "PORT=3100" >> "$STAGING_DIR/backend/.env"
else
echo "PORT=3100" > "$STAGING_DIR/backend/.env"
echo "WARNING: No production .env found. You'll need to configure $STAGING_DIR/backend/.env manually."
fi
fi
echo ""
echo "Staging setup complete."
echo " Directory: $STAGING_DIR"
echo " Service: cve-backend-staging"
echo " Port: 3100"
echo ""
echo "Next steps:"
echo " 1. Verify $STAGING_DIR/backend/.env has correct DATABASE_URL (use a separate staging DB if possible)"
echo " 2. Run a pipeline on main/master to trigger the first staging deploy"

26
docker-compose.yml Normal file
View File

@@ -0,0 +1,26 @@
# Docker Compose for CVE Dashboard PostgreSQL
# Run: docker compose up -d
# Stop: docker compose down
# View logs: docker compose logs -f postgres
services:
postgres:
image: postgres:16-alpine
container_name: steam-postgres
restart: unless-stopped
environment:
POSTGRES_DB: cve_dashboard
POSTGRES_USER: steam
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-sV4xmC9xAUCFop0ypxMVS056QgPqGrX}
ports:
- "5433:5432"
volumes:
- steam-pgdata:/var/lib/postgresql/data
healthcheck:
test: ["CMD-SHELL", "pg_isready -U steam -d cve_dashboard"]
interval: 10s
timeout: 5s
retries: 5
volumes:
steam-pgdata:

1316
docs/api/atlasinfosec-api-spec.json Normal file
View File

File diff suppressed because it is too large Load Diff

0
ivantiAPI.py → docs/api/ivanti-api-python-wrapper.py
View File

195
docs/api/ivanti-api-reference.md Normal file
View File

@@ -0,0 +1,195 @@
# Ivanti / RiskSense API Reference
Base URL: `https://platform4.risksense.com/api/v1`
Swagger: `https://platform4.risksense.com/doc/swagger.json`
Auth: `x-api-key` header. Error codes: 401 bad key, 419 insufficient privileges, 429 rate limited.
## Endpoints Used
### Search Workflow Batches
```
POST /client/{clientId}/workflowBatch/search
Content-Type: application/json
```
Standard JSON body with filters, projection, sort, page, size. Used by `ivantiWorkflows.js` for the daily sync.
### Create False Positive Workflow
```
POST /client/{clientId}/workflowBatch/falsePositive/request
Content-Type: multipart/form-data
```
This endpoint does NOT accept JSON. It requires `multipart/form-data` with the following fields:
| Field | Type | Required | Notes |
|-------|------|----------|-------|
| `name` | string | yes | Workflow batch name (max 255) |
| `reason` | string | yes | Reason for the FP determination |
| `description` | string | yes | Description (can be empty string but field must be present) |
| `expirationDate` | string | yes | ISO-8601 date, e.g. `2026-06-01` |
| `overrideControl` | string | yes | `AUTHORIZED`, `NONE`, or `AUTOMATED`. Use `AUTHORIZED` for standard FP workflows. `NONE` with `isEmptyWorkflow=true` is rejected (400). |
| `isEmptyWorkflow` | boolean | yes | `true` if no findings attached, `false` otherwise |
| `subjectFilterRequest` | string | yes | Stringified JSON (see format below) |
| `files` | file | no | Attachments sent inline in the same request |
#### subjectFilterRequest format
This is the critical field. It must be a stringified JSON object with this exact structure:
```json
{
"subject": "hostFinding",
"filterRequest": {
"filters": [
{
"field": "id",
"exclusive": false,
"operator": "IN",
"value": "2283734550,2283734551"
}
]
}
}
```
Key details:
- `subject` must be `"hostFinding"` — without this, the API returns 500
- `filters` is nested inside `filterRequest`, NOT at the top level — `{"filters":[]}` at the top level returns 500
- `value` for multiple IDs is comma-separated as a single string, not an array
- `operator` values: `EXACT`, `IN`, `LIKE`, `WILDCARD`, `RANGE`, `CIDR`
- For empty workflows, use `{"subject":"hostFinding","filterRequest":{"filters":[]}}` with `isEmptyWorkflow=true`
#### Response (200/202)
```json
{
"id": 33418832,
"created": "2026-04-08T18:16:08"
}
```
Returns HTTP 200 or 202 (Accepted — async job creation). Response contains a numeric `id` (the workflow batch job ID) and `created` timestamp. No `generatedId` or `uuid` in this response.
### Map Findings to Existing Workflow (tested 2026-04-13)
```
POST /client/{clientId}/workflowBatch/falsePositive/{workflowBatchUuid}/map
Content-Type: application/json
```
Maps additional host findings to an existing FP workflow batch. Used by the FP submission editing feature to add findings after initial creation.
**Critical: one finding per call.** The map endpoint only reliably maps one finding per request. Sending multiple finding IDs via the `IN` operator or comma-separated values results in only the first finding being mapped. The multipart/form-data format (used by the create endpoint) returns 500 on this endpoint.
#### Request body
```json
{
"subject": "hostFinding",
"filterRequest": {
"filters": [
{
"field": "id",
"exclusive": false,
"operator": "EXACT",
"value": "2283734550"
}
]
}
}
```
Key details:
- Must be `application/json` (NOT multipart/form-data — returns 500)
- Use `EXACT` operator with a single finding ID per call
- `IN` operator with comma-separated IDs only maps the first finding
- Loop through findings and make one API call per finding
- The `workflowBatchUuid` in the URL is the UUID from the search endpoint (not the numeric batch ID from create)
#### Response (200)
Returns the updated workflow batch object on success.
#### UUID resolution
The `workflowBatchUuid` required in the URL is NOT returned by the create endpoint. To obtain it:
1. Search via `POST /client/{clientId}/workflowBatch/search` with `{ field: 'name', operator: 'EXACT', value: '<workflow_name>' }`
2. Use `projection: 'internal'` to get full batch objects
3. The UUID is in the `uuid` field of the returned batch object
4. Cache the UUID locally after first resolution (stored in `ivanti_fp_submissions.ivanti_workflow_batch_uuid`)
#### Implementation in dashboard
The `resolveWorkflowBatchUuid()` helper in `backend/routes/ivantiFpWorkflow.js` handles UUID resolution:
- Returns cached UUID if available in the local submission record
- Otherwise searches Ivanti by workflow name, extracts `batch.uuid`, and caches it for future use
The findings map loop in the `POST /submissions/:id/findings` endpoint:
- Iterates through each finding ID individually
- Makes one JSON POST per finding with `EXACT` operator
- Tracks which findings succeeded vs failed
- Only marks queue items as complete for successfully mapped findings
- Returns both `addedFindings` and `failedFindings` arrays in the response
### Other Workflow Endpoints (from Swagger)
These are available but not all are currently used by the dashboard:
| Endpoint | Purpose | Status |
|----------|---------|--------|
| `/workflowBatch/acceptance/request` | Risk acceptance workflow | Not used |
| `/workflowBatch/remediation/request` | Remediation workflow | Not used |
| `/workflowBatch/severityChange/request` | Severity change workflow | Not used |
| `/workflowBatch/{workflowType}/approve` | Approve a workflow (needs `workflowBatchUuid`) | Not used |
| `/workflowBatch/{workflowType}/reject` | Reject a workflow | Not used |
| `/workflowBatch/{workflowType}/rework` | Send back for rework | Not used |
| `/workflowBatch/{workflowType}/update` | Update a workflow | Not used |
| `/workflowBatch/{workflowType}/{workflowBatchUuid}/map` | Map findings to workflow | Used (FP editing) |
| `/workflowBatch/{workflowType}/{workflowBatchUuid}/unmap` | Unmap findings | Not used |
| `/workflowBatch/{workflowType}/{workflowBatchUuid}/attach` | Attach file to existing workflow | **Broken — see note** |
| `/workflowBatch/{workflowType}/{workflowBatchUuid}/detach` | Detach file | Not used |
| `/workflowBatch/model` | Get model/schema | Not used |
| `/workflowBatch/filter` | Get available filter fields | Not used |
| `/workflowBatch/suggest` | Get suggested values for a filter field | Not used |
### Known Limitations
#### Attach endpoint does not work (tested 2026-04-13)
The `/workflowBatch/{workflowType}/{workflowBatchUuid}/attach` endpoint is listed in the Swagger spec but returns HTTP 400 (Bad Request) for all tested request formats:
- `multipart/form-data` with field name `file` (singular) — 400
- `multipart/form-data` with field name `files` (plural) — 400
- Tested with `Content-Type: application/octet-stream` and `image/png` — both 400
- Tested with both `ivantiMultipartPost` and `ivantiFormPost` helpers — both 400
The Ivanti response is a generic Spring Boot error with no detail message:
```json
{"timestamp":"...","status":400,"error":"Bad Request","path":"/api/v1/client/1550/workflowBatch/falsePositive/{uuid}/attach"}
```
**Workaround:** File attachments can only be uploaded during the initial workflow creation (sent inline with the `/workflowBatch/falsePositive/request` endpoint). To add attachments to an existing workflow, users must upload them directly in the Ivanti platform UI.
#### Search by numeric batch ID does not work
The `/workflowBatch/search` endpoint does not support filtering by the numeric `id` returned from the create endpoint. Searching with `{ field: 'id', operator: 'EXACT', value: '33432541' }` returns 0 results. Searching by `name` field works and returns the workflow batch object including the `uuid` field needed for map/attach operations.
#### UUID not returned by create endpoint
The `/workflowBatch/falsePositive/request` create endpoint returns only `{ id: <number>, created: <timestamp> }`. The `uuid` needed for map/attach/approve/reject operations must be obtained separately via the search endpoint.
## Environment Variables
| Variable | Default | Description |
|----------|---------|-------------|
| `IVANTI_API_KEY` | — | Required. API key for authentication |
| `IVANTI_CLIENT_ID` | `1550` | Client ID in the Ivanti platform |
| `IVANTI_SKIP_TLS` | `false` | Set `true` to skip TLS verification |
| `IVANTI_FIRST_NAME` | — | Used for workflow search filter (sync) |
| `IVANTI_LAST_NAME` | — | Used for workflow search filter (sync) |
| `IVANTI_MANAGED_BUS` | `NTS-AEO-ACCESS-ENG,NTS-AEO-STEAM` | Comma-separated list of BUs considered "managed" for archive drift classification. Findings leaving these BUs are classified as bu_reassignment. |

0
Ivanti_config_template.ini → docs/api/ivanti-config-template.ini
View File

53228
docs/api/ivanti-neurons-swagger.json Normal file
View File

File diff suppressed because one or more lines are too long

171
docs/api/jira-api-use-cases.md Normal file
View File

@@ -0,0 +1,171 @@
# Jira REST API Use Cases — STEAM Security Dashboard
## Overview
The STEAM Security Dashboard is a self-hosted vulnerability management tool used by the NTS-AEO-STEAM and NTS-AEO-ACCESS-ENG teams. It integrates with Jira Data Center to create, track, and sync vulnerability remediation tickets linked to CVE records.
All API calls are made from a single Node.js backend process. The integration uses Basic Auth with a service account and enforces Charter's posted rate limits client-side.
---
## Charter Compliance Summary
| Requirement | Implementation |
|---|---|
| Authentication | Basic Auth with service account (`JIRA_API_USER` + `JIRA_API_TOKEN`) |
| Rate limit — daily | Client-side enforced: 1 440 requests/day max |
| Rate limit — burst | Client-side enforced: 60 requests/minute max |
| Inter-request delay — GETs | 1 second minimum between GET requests |
| Inter-request delay — writes | 2 seconds minimum between PUT/POST/DELETE requests |
| Explicit field lists | Every GET includes `?fields=` parameter; `/rest/api/2/field` is blocked |
| No bulk updates | Issues are updated one at a time; `/rest/api/2/issue/bulk` is blocked |
| Bulk reads via JQL | Multi-ticket sync uses a single `GET /rest/api/2/search` with predefined key-based JQL query parameters, not per-issue GETs; no arbitrary JQL passthrough |
| Single-issue fetch via JQL | `GET /rest/api/2/search?jql=key="KEY" AND project=<KEY>&fields=...&maxResults=1` |
| JQL scoping | All recurring JQL queries use predefined scoped patterns with `updated >= -72h` clause and `project = <KEY>` scoping; no arbitrary JQL passthrough |
| `maxResults` cap | Search queries capped at 1 000 results per page |
---
## Use Cases
### 1. Connection Test
| | |
|---|---|
| **Endpoint** | `GET /rest/api/2/myself` |
| **Trigger** | Admin clicks "Test Connection" on the Jira settings panel |
| **Frequency** | Manual, infrequent (a few times per day at most) |
| **Purpose** | Verify service account credentials and connectivity |
| **Fields requested** | Default (myself endpoint returns user profile) |
### 2. Create Issue
| | |
|---|---|
| **Endpoint** | `POST /rest/api/2/issue` |
| **Trigger** | User clicks "Create in Jira" from a CVE detail panel |
| **Frequency** | Manual, estimated 520 per day |
| **Purpose** | Create a vulnerability remediation ticket linked to a CVE/vendor pair |
| **Fields sent** | `project.key`, `summary`, `issuetype.name`, `description` |
| **Notes** | A local record is also created in the dashboard database linking the Jira key to the CVE |
### 3. Get Single Issue
| | |
|---|---|
| **Endpoint** | `GET /rest/api/2/search?jql=key="ISSUE-KEY" AND project=<KEY>&fields=summary,status,assignee,created,updated,priority,issuetype,project,resolution&maxResults=1` |
| **Trigger** | User clicks "Sync" on a single Jira ticket row |
| **Frequency** | Manual, estimated 1030 per day |
| **Purpose** | Refresh a single ticket's status and summary from Jira via JQL search |
| **Notes** | Uses JQL-based lookup instead of single-issue GET per Charter compliance. Fields are always specified explicitly. |
### 4. Update Issue
| | |
|---|---|
| **Endpoint** | `PUT /rest/api/2/issue/{issueKey}` |
| **Trigger** | Future feature — local edits synced back to Jira |
| **Frequency** | Manual, estimated 510 per day when enabled |
| **Purpose** | Update issue summary or other fields from the dashboard |
| **Notes** | Issues are updated one at a time; bulk PUT is not used |
### 5. Add Comment
| | |
|---|---|
| **Endpoint** | `POST /rest/api/2/issue/{issueKey}/comment` |
| **Trigger** | Dashboard adds audit trail comments to linked tickets |
| **Frequency** | Automated on certain actions, estimated 515 per day |
| **Purpose** | Maintain an audit trail on the Jira ticket for compliance visibility |
### 6. Get Transitions
| | |
|---|---|
| **Endpoint** | `GET /rest/api/2/issue/{issueKey}/transitions` |
| **Trigger** | Dashboard checks available workflow transitions before moving a ticket |
| **Frequency** | Manual, paired with transition calls, estimated 510 per day |
| **Purpose** | Discover valid status transitions for the issue's current workflow state |
### 7. Transition Issue
| | |
|---|---|
| **Endpoint** | `POST /rest/api/2/issue/{issueKey}/transitions` |
| **Trigger** | User moves a ticket to a new status from the dashboard |
| **Frequency** | Manual, estimated 510 per day |
| **Purpose** | Move ticket through workflow states (e.g., Open to In Progress to Closed) |
### 8. Scoped Bulk Sync via JQL
| | |
|---|---|
| **Endpoint** | `GET /rest/api/2/search?jql=...&fields=...&maxResults=...&startAt=...` |
| **Trigger** | Admin clicks "Sync All" on the Jira tickets panel |
| **Frequency** | Manual, estimated 13 times per day |
| **Purpose** | Bulk-refresh all tracked tickets in a single request instead of per-issue GETs |
| **JQL pattern** | `key in ("KEY-1", "KEY-2", ...) AND updated >= -72h AND project = <KEY>` |
| **Fields requested** | `summary, status, assignee, created, updated, priority, issuetype, project, resolution` |
| **Batch size** | 100 keys per JQL query; multiple batches if needed |
| **Notes** | Uses GET with URL-encoded query parameters per Charter compliance. JQL is predefined and scoped — constructed from known tracked issue keys, a fixed 72-hour window, and the configured project key. No arbitrary JQL is accepted from the frontend. Stops early if rate limit budget is running low (burst remaining <= 5 or daily remaining <= 10) |
### 9. Issue Lookup
| | |
|---|---|
| **Endpoint** | `GET /rest/api/2/search?jql=key="ISSUE-KEY" AND project=<KEY>&fields=...&maxResults=1` |
| **Trigger** | User looks up a Jira issue by key from the dashboard search |
| **Frequency** | Manual, estimated 515 per day |
| **Purpose** | Quick lookup of any Jira issue to view its current state via JQL search |
---
## Estimated Daily API Usage
| Operation | Estimated calls/day | Method | Delay enforced |
|---|---|---|---|
| Connection test | 25 | GET | 1s |
| Create issue | 520 | POST | 2s |
| Get single issue | 1030 | GET | 1s |
| Update issue | 510 | PUT | 2s |
| Add comment | 515 | POST | 2s |
| Get transitions | 510 | GET | 1s |
| Transition issue | 510 | POST | 2s |
| Scoped bulk sync | 15 | GET | 1s |
| Issue lookup | 515 | GET | 1s |
| **Total estimated** | **43120** | | |
Well within the 1 440/day limit. Burst usage stays under 60/minute due to enforced inter-request delays.
---
## Blocked Endpoints
The integration explicitly blocks these endpoints to comply with Charter policy:
- `/rest/api/2/field` — field metadata is never queried; fields are specified in code
- `/rest/api/2/issue/bulk` — bulk updates are not used; issues are updated individually
- `POST /rest/api/2/search` — arbitrary JQL search via POST is not used; all searches use `GET /rest/api/2/search` with URL-encoded query parameters and predefined scoped JQL patterns
---
## Error Handling
- **429 responses**: Surfaced to the user as "Rate limit exceeded. Try again later." No automatic retry.
- **5xx responses**: Surfaced as "Jira API error" with the response body for debugging.
- **Network failures**: Caught and surfaced with the error message.
- **Timeout**: 15 second timeout per request; surfaced as a timeout error.
---
## UAT Test Evidence
The UAT test script (`backend/scripts/jira-uat-test.js`) exercises all use cases listed above and produces a log file at `backend/scripts/jira-uat-test.log`. This log can be attached to or referenced in the ATLSUP approval ticket.
To run:
```bash
cd backend
node scripts/jira-uat-test.js
```

0
docs/MOP-workflow-color-codes.md → docs/design/MOP-workflow-color-codes.md
View File

Some files were not shown because too many files have changed in this diff Show More