Cannot edit or enter another vendor under the same CVE #1

Closed
opened 2026-01-27 11:28:22 -07:00 by jramos · 3 comments
Owner

After creating a CVE and uploading a document under 1 vendor, trying to re-enter the same CVE with another vendor fails.

```
root@cve-dashboard:/home/cve-dashboard/backend/uploads# ls -la
total 16
drwxr-xr-x 4 root root 4096 Jan 27 18:13 .
drwxr-xr-x 3 root root 4096 Jan 27 18:13 ..
drwxr-xr-x 3 root root 4096 Jan 27 18:13 CVE-2023-38408
drwxr-xr-x 2 root root 4096 Jan 27 18:13 temp
root@cve-dashboard:/home/cve-dashboard/backend/uploads# cd CVE-2023-38408/
root@cve-dashboard:/home/cve-dashboard/backend/uploads/CVE-2023-38408# ls -la
total 12
drwxr-xr-x 3 root root 4096 Jan 27 18:13 .
drwxr-xr-x 4 root root 4096 Jan 27 18:13 ..
drwxr-xr-x 2 root root 4096 Jan 27 18:13 Cisco
root@cve-dashboard:/home/cve-dashboard/backend/uploads/CVE-2023-38408# cd Cisco/
root@cve-dashboard:/home/cve-dashboard/backend/uploads/CVE-2023-38408/Cisco# ls -la
total 60
drwxr-xr-x 2 root root  4096 Jan 27 18:13 .
drwxr-xr-x 3 root root  4096 Jan 27 18:13 ..
-rw-r--r-- 1 root root 52115 Jan 27 18:13 1769537582961-262597a6-90af-4cd8-9f
```
jramos added reference master 2026-01-27 11:28:40 -07:00
Author
Owner

Fixing this requires edits to the following:

Database Schema
Backend API
FrontEnd display

  • Edit cve_database.db

  • Adding Multi-Vendor Support

Author
Owner

Partial fix to DB; however, documents are not split between vendors.

Author
Owner

Issue Resolution: Cannot edit or enter another vendor under the same CVE

Root Cause

The database schema had a UNIQUE constraint on cve_id alone, preventing multiple vendors from being added to the same CVE-ID.

Fix Applied

1. Database Schema Migration

Changed constraint from UNIQUE(cve_id) to UNIQUE(cve_id, vendor):

```sql
-- Old (incorrect)
CREATE TABLE cves (
    cve_id VARCHAR(20) UNIQUE NOT NULL,
    vendor VARCHAR(100) NOT NULL,
    ...
)

-- New (correct)
CREATE TABLE cves (
    cve_id VARCHAR(20) NOT NULL,
    vendor VARCHAR(100) NOT NULL,
    ...
    UNIQUE(cve_id, vendor)
)
```

What this does: Allows the same CVE-ID with different vendors while preventing duplicate CVE-ID + Vendor combinations.

2. Documents Table Schema

Added vendor column to associate documents with specific vendors:

```sql
ALTER TABLE documents ADD COLUMN vendor VARCHAR(100);
```

What this does: Each document is now tied to a specific vendor, allowing proper organization under CVE-ID/Vendor/documents.

3. Backend API - CVE Creation

Fixed INSERT statement to include all required fields:

```javascript
// server.js - POST /api/cves
const query = `
    INSERT INTO cves (cve_id, vendor, severity, description, published_date)
    VALUES (?, ?, ?, ?, ?)
`;

db.run(query, [cve_id, vendor, severity, description, published_date], function(err) {
    if (err) {
        if (err.message.includes('UNIQUE constraint failed')) {
            return res.status(409).json({
                error: 'This CVE already exists for this vendor. Choose a different vendor or update the existing entry.'
            });
        }
        return res.status(500).json({ error: err.message });
    }
    // ...
});
```

What this does: Properly inserts vendor field and provides clear error message for duplicate CVE-ID + Vendor combinations.

4. Backend API - Document Upload

Fixed INSERT statement to include vendor field:

```javascript
// server.js - POST /api/cves/:cveId/documents
const { type, notes, vendor } = req.body;

if (!vendor) {
    return res.status(400).json({ error: 'Vendor is required' });
}

const query = `
    INSERT INTO documents (cve_id, vendor, name, type, file_path, file_size, mime_type, notes)
    VALUES (?, ?, ?, ?, ?, ?, ?, ?)
`;

db.run(query, [
    cveId,
    vendor,
    file.originalname,
    type,
    finalPath,
    fileSizeKB,
    file.mimetype,
    notes
], function(err) {
    // ...
});
```

What this does: Associates uploaded documents with the correct vendor, enabling proper file organization and filtering.

5. Document Retrieval - Vendor Filtering

Updated document fetch endpoint to filter by vendor:

```javascript
// server.js - GET /api/cves/:cveId/documents
app.get('/api/cves/:cveId/documents', (req, res) => {
    const { cveId } = req.params;
    const { vendor } = req.query;

    let query = `SELECT * FROM documents WHERE cve_id = ?`;
    let params = [cveId];

    if (vendor) {
        query += ` AND vendor = ?`;
        params.push(vendor);
    }

    query += ` ORDER BY uploaded_at DESC`;
    // ...
});
```

What this does: Returns only documents for the selected vendor when viewing a specific vendor's documents.

Migration Script

File: fix_multivendor_constraint.js

Key operations:

  1. Rename old cves table to cves_old
  2. Create new cves table with UNIQUE(cve_id, vendor) constraint
  3. Copy all existing data
  4. Drop old table
  5. Recreate indexes

Testing

  • Can add same CVE-ID with multiple different vendors
  • Each vendor entry has separate document storage
  • Documents properly organized: uploads/CVE-ID/Vendor/files
  • Quick Check displays all vendors for a CVE
  • Cannot create duplicate CVE-ID + Vendor combination (returns 409 error)

Result

System now fully supports multiple vendors per CVE-ID, each with their own document storage and compliance tracking.

Files Modified

  • backend/server.js - CVE and document endpoints
  • backend/cve_database.db - Database schema
  • backend/fix_multivendor_constraint.js - Migration script (new)
  • backend/add_vendor_to_documents.js - Documents table migration (new)
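
An added example, not part of the original issue or the cve-dashboard code: the fix stores uploads under `uploads/CVE-ID/Vendor/files` and takes `vendor` from the request body, so this sketch shows one way to validate both values and confirm the resulting directory is exactly two levels below the upload root before any file is written. The function name `resolveVendorDir`, the `UPLOAD_ROOT` constant and both patterns are assumptions made for illustration.

```javascript
// Added example, not code from the cve-dashboard repository.
// resolveVendorDir, UPLOAD_ROOT and both patterns are hypothetical choices.
const path = require('node:path');

// Upload root as seen in the issue's terminal listing.
const UPLOAD_ROOT = '/home/cve-dashboard/backend/uploads';
// CVE IDs: "CVE-", a four-digit year, then a sequence of four or more digits.
const CVE_ID_RE = /^CVE-\d{4}-\d{4,}$/;
// Vendor: 1-100 chars (matches VARCHAR(100)), starts alphanumeric, then
// letters, digits, space, dot, underscore or hyphen. No slashes, no leading dot.
const VENDOR_RE = /^[A-Za-z0-9][A-Za-z0-9 ._-]{0,99}$/;

function resolveVendorDir(cveId, vendor, root = UPLOAD_ROOT) {
    if (typeof cveId !== 'string' || !CVE_ID_RE.test(cveId)) {
        return { ok: false, status: 400, error: 'Invalid CVE ID' };
    }
    const cleanVendor = typeof vendor === 'string' ? vendor.trim() : '';
    if (!VENDOR_RE.test(cleanVendor)) {
        return { ok: false, status: 400, error: 'Invalid vendor name' };
    }
    const base = path.resolve(root);
    const dir = path.resolve(base, cveId, cleanVendor);
    // Defence in depth: the result must be exactly <root>/<cveId>/<vendor>.
    if (path.relative(base, dir) !== path.join(cveId, cleanVendor)) {
        return { ok: false, status: 400, error: 'Invalid upload path' };
    }
    // Store cleanVendor in documents.vendor so the row and the directory agree.
    return { ok: true, dir, vendor: cleanVendor };
}
```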
Reference: jramos/cve-dashboard#1