first commit

.github/workflows/codeql-analysis.yml

@@ -0,0 +1,62 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+name: "CodeQL"
+
+on:
+  push:
+    branches: [master]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [master]
+  schedule:
+    - cron: '0 9 * * 5'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        # Override automatic language detection by changing the below list
+        # Supported options are ['csharp', 'cpp', 'go', 'java', 'javascript', 'python']
+        language: ['javascript']
+        # Learn more...
+        # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v2
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v1
+      with:
+        languages: ${{ matrix.language }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+        # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v1
+
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 https://git.io/JvXDl
+
+    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+    #    and modify them (or add more) to build your code if your project
+    #    uses a compiled language
+
+    #- run: |
+    #   make bootstrap
+    #   make release
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v1

.gitignore

@@ -0,0 +1,12 @@
+node_modules
+npm-debug.log
+.DS_Store
+.env
+.vscode
+.jshintrc
+custom*
+package-lock.json
+*.swp
+ignore
+tmp
+standalone

.whitesource

@@ -0,0 +1,8 @@
+{
+  "checkRunSettings": {
+    "vulnerableCheckRunConclusionLevel": "failure"
+  },
+  "issueSettings": {
+    "minSeverityLevel": "LOW"
+  }
+}

LICENSE.txt

@@ -0,0 +1,9 @@
+MIT License
+
+Copyright (c) 2017-2019 Chandan B. N.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice (including the next paragraph) shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Makefile

@@ -0,0 +1,44 @@
+OUT = ./standalone
+CSS = $(OUT)/css
+JS = $(OUT)/js
+CVE = $(OUT)/cve
+CSSO = ./node_modules/.bin/csso
+UJS = ./node_modules/.bin/uglifyjs
+
+TARGETS := $(OUT)/index.html $(CSS)/sprite.svg $(CSS)/min.css $(CSS)/icns.css $(CSS)/logo.png $(CSS)/logo.gif $(JS)/util.js $(JS)/editor.js $(JS)/cvss.json $(JS)/cwe-frequent.json
+
+$(OUT)/index.html: ./scripts/standalone.js ./config/conf-standalone.js ./[cd][ue][sf]*[mt]/cve/* ./views/*
+	if [ -e "./custom/cve/conf.js" ]; then node $< custom ;  else node $< ; fi
+
+
+$(OUT)/js:
+	mkdir -p $(OUT)/js
+
+$(OUT)/css:
+	mkdir -p $(OUT)/css
+
+$(CVE):
+	mkdir -p $(CVE)
+
+$(CSS)/%.css: ./public/css/%.css
+	$(CSSO) $< -o $@
+
+$(CSS)/%.svg: ./public/css/%.svg
+	cp -f $< $@
+
+$(CSS)/%.png: ./public/css/%.png
+	cp -f $< $@
+
+$(CSS)/%.gif: ./public/css/%.gif
+	cp -f $< $@
+
+$(JS)/%.js: ./public/js/%.js
+	$(UJS) $< -c -o $@
+
+$(JS)/%.json: ./public/js/%.json
+	node -e 'console.log(JSON.stringify(require("./" + process.argv[1])))' $< > $@
+
+$(CVE)/%: ./public/js/cve/%
+	$(UJS) $< -o $@
+
+min: $(CVE) $(CSS) $(JS) $(TARGETS)

README.md

@@ -0,0 +1,111 @@
+# Vulnogram
+
+_Making the world safer one CVE ID at a time, since 2017._
+
+## Introduction
+
+Vulnogram is a tool for creating and editing CVE information in CVE JSON format, and for generating advisories.
+
+The name Vulnogram is inspired from Greek origin suffix '-gram' which is used for denoting something written or recorded especially in a certain way. Vulnerability related information when recorded in a standard format can help in aggregation, curation, dissemination, analysis and remediation. This enables automation and efficiency in response activities.
+
+Vulnogram project aims to make it easier for vendors and security researchers to accurately record vulnerability information for inclusion in the CVE List.
+
+<img src="https://raw.githubusercontent.com/Vulnogram/cvelab.github.com/Vulnogram/master/screenshots/Vulnogram-ScreenShot.jpg" width="50%">
+
+## Getting started
+
+Vulnogram can be deployed in two modes:
+
+| Browser mode                  | Server mode |
+|------------------------------|------------|
+| Frontend web UI only, as seen on [cvelab.github.com/Vulnogram](https://cvelab.github.com/Vulnogram). | A NodeJS web application serves frontend web UI for a backend Mongodb. |
+| It is a Javascript based tool to open, import, edit, preview and save JSON documents which conform to a given [JSON-Schema](https://json-schema.org). | It is a modern scalable issue tracker similar to JIRA or bugtrack but using [JSON-Schemas](https://json-schema.org) as data models and a NoSQL database as a backend. Along with customizable [plugins](https://github.com/Vulnogram/plugins) it can be used for tracking anything that can be expressed with a [JSON-Schema](https://json-schema.org). [plugins](https://github.com/Vulnogram/plugins) are available for tracking security incidents, tickets, contacts, NVD entries and CVE assignments. | 
+| Can't save CVE JSON drafts.  | JSON documents are saved to a NoSQL (Mongodb) backend. |
+| No login required.           | Users are authenticated. |
+| No workflow or tracking.     | Allows tracking, querying, searching, version control, audit trail of changes, commenting and dashboard charts and graphs on collections of JSON documents. |
+| Security considerations: <br>👍 Information entered in the tool is not transmitted anywhere out of the browser.<br>ℹ️ Download button saves the JSON document in the browser to a local file.<br>⚠️ Ensure local filesystem is secured.<br>⚠️ Avoid using the tool on a public computer (beware of browser autofill). | Security considerations:<br>ℹ️ Configure HTTPS in the config file.<br>⚠️ Ensure that MongoDB is secured and hardened. Mongodb backend is used for storing documents on the server.<br>⚠️ Keep configuration files secured.<br>⚠️ Only create accounts for trusted users. There is no RBAC or ACL feature (as of now)! |
+
+### Server mode deployment:
+
+#### Step 1. Install required Node.js modules.
+
+
+	$ cd vulnogram
+	$ npm install
+ 	... this should install required dependencies ...
+
+
+#### Step 2. Setup monogodb to be used for persistent storage of CVE JSON and users.
+	See https://www.mongodb.com/
+
+ **Important**: Ensure mongodb authentication is enabled. It is recommended to run mongodb bound to loopback/localhost and not expose it to network.
+
+#### Step 3. Edit the config parameters in conf.js to suite your requirements.
+
+	See config/conf-default.js comments for hints
+
+#### Step 4 (Optional). Copy the "default" directory as "custom" and modify relevant pug templates, schemas or routes. Files or fields from "custom" override "default".
+
+#### Step 5. If any pug templates were modified, regenerate client side javascript.
+
+	$ node scripts/pug2js.js
+
+#### Step 6. Configure a user on the CLI for logging in
+
+	$ node useradd.js tester [email protected] Tester [email protected] 1
+	Enter Password: ********************************************
+	Enter Password again: ********************************************
+	Success New user is now registered and can log in: tester
+
+#### Step 7. Start the node application.
+
+    $ npm start
+
+    > [email protected] start /home/vulnogram/
+    > forever start --id 'vulnogram' --spinSleepTime 5000 --minUptime 2000 app.js
+
+    info:    Forever processing file: app.js
+    info:    Forever processes running
+    data:        uid  command                      script forever pid   id        logfile                      uptime     
+    data:    [0] v3wE /usr/bin/node app.js 11208   11210 vulnogram /home/vulnogram/.forever/v3wE.log 0:0:0:0.23 
+
+#### Finish: Web application should be now accessible at:
+	http://localhost:3555/ or https://localhost:3555/ depending on configuration.
+
+## Browser mode deployment: 
+
+#### Configure defaults
+
+* Install required nodejs modules. See [step 1](https://github.com/Vulnogram/Vulnogram#step-1-install-required-nodejs-modules)  above.
+* Configure Vulnogram following [step 3](https://github.com/Vulnogram/Vulnogram#step-3-edit-the-config-parameters-in-confjs-to-suite-your-requirements) to 5 above.
+
+#### Generate files needed for a front-end only static website (browser mode).
+
+    $ make min
+
+This creates standalone /index.html with minimized javascript and stylesheets can be hosted independently on websites serving static files. This does not require the backend mongodb server or the nodejs server application to be running.
+
+Note: Opening the index.html as a file URL may not work since some browsers (including Chrome) will not run async requests on file:// URLs. It is recommended to serve these files from a webserver. See https://developer.mozilla.org/en-US/docs/Learn/Common_questions/set_up_a_local_testing_server for examples on how to run a simple testing webserver.
+
+## Dependencies:
+
+This project uses or depends on software from
+
+* NodeJS https://nodejs.org/
+* Express https://github.com/expressjs
+* Mongodb
+* Passportjs http://passportjs.org/
+* Pug https://pugjs.org/
+* ACE editor https://ace.c9.io/
+* JSON Schema based editor https://github.com/jdorn/json-editor
+* tablesort v5.0.1 https://github.com/tristen/tablesort
+* cvssjs https://github.com/cvssjs
+* json-patch-extended
+* querymen
+* linkifyjs
+* pptxGenJS
+
+
+Copyright (c) 2017-2019 Chandan B N.
+
+SPDX-License-Identifier: MIT