Add HTTPS support
- Ability to configure HTTPS.
- Define "npm test" for running Vulnogram in non-production mode.
diff --git a/README.md b/README.md
index a81ec72..ac3732f 100644
--- a/README.md
+++ b/README.md
@@ -12,7 +12,7 @@
## Getting started
-#### Step 1. Install required node modules
+#### Step 1. Install required Node.js modules.
$ cd vulnogram
@@ -23,13 +23,15 @@
#### Step 2. Setup monogodb to be used for persistent storage of CVE JSON and users.
See https://www.mongodb.com/
-#### Step 3. Copy /config/conf-default.js to config/conf.js and edit the file to suite your requirements
+ *Important*: Ensure mongodb authentication is enabled. It is recommended to run mongodb bound to loopback/localhost and not expose it to network.
+
+#### Step 3. Edit the config parameters in conf.js to suite your requirements.
See config/conf-default.js comments for hints
-#### Step 4 (Optional). Copy the "default" directory as "custom" and modify relevant pug templates, schemas or routes. Files from "custom" override "default".
+#### Step 4 (Optional). Copy the "default" directory as "custom" and modify relevant pug templates, schemas or routes. Files or fields from "custom" override "default".
-#### Step 5. If any pug templates were modified, regenerate client side javascript
+#### Step 5. If any pug templates were modified, regenerate client side javascript.
$ node scripts/pug2js.js
@@ -40,24 +42,21 @@
Enter Password again: ********************************************
Success New user is now registered and can log in: tester
-#### Step 7. Start the node application
+#### Step 7. Start the node application.
$ npm start
-
- Vulnogram@0.0.5 start /home/user/vulnogram
- nodemon app
-
- [nodemon] 1.11.0
- [nodemon] to restart at any time, enter `rs`
- [nodemon] watching: *.*
- [nodemon] starting `node app app.js`
- Server started on port 3555
- Connected to MongoDB ...
+ $ npm start
-Tip: Use foreverjs to run this service continuously like a daemon.
+ > Vulnogram@0.0.5 start /Users/cbn/prj/Vulnogram6
+ > NODE_ENV=production forever start --id 'vulnogram' --spinSleepTime 5000 --minUptime 2000 app.js
-#### Finish: Web application should be now accessible
- http://localhost:3555/
+ info: Forever processing file: app.js
+ info: Forever processes running
+ data: uid command script forever pid id logfile uptime
+ data: [0] v3wE /usr/bin/node app.js 11208 11210 vulnogram /home/vulnogram/.forever/v3wE.log 0:0:0:0.23
+
+#### Finish: Web application should be now accessible at:
+ http://localhost:3555/ or https://localhost:3555/ depending on configuration.
## Create the minimal standalone web page and client side scripts.
@@ -65,7 +64,7 @@
This creates standalone/index.html with minimized javascript and stylesheets can be hosted independelty on websites serving static files.
-## Dependencies
+## Dependencies:
This project uses or depends on software from
@@ -76,15 +75,16 @@
* Pug https://pugjs.org/
* ACE editor https://ace.c9.io/
* JSON Schema based editor https://github.com/jdorn/json-editor
-* yamljs https://github.com/jeremyfa/yaml.js
* tablesort v5.0.1 https://github.com/tristen/tablesort
* cvssjs https://github.com/cvssjs
* json-patch-extended
* querymen
+* linkifyjs
+* pptxGenJS
## Licence
-Copyright (c) 2017-2019 Chandan B N
+Copyright (c) 2017-2019 Chandan B N.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
diff --git a/app.js b/app.js
index 54d3b4c..6463bdc 100644
--- a/app.js
+++ b/app.js
@@ -4,6 +4,7 @@
const path = require('path');
const mongoose = require('mongoose');
const flash = require('connect-flash');
+const https = require('https');
// TODO: don't use express-session for large-scale production use
const session = require('express-session');
@@ -81,13 +82,6 @@
next();
});
-/*// make user information available
-app.get('*', function (req, res, next) {
- res.locals.user = req.user || null;
- res.locals.confOpts = app.locals.confOpts;
- next();
-});
-*/
// add this to route for authenticating before certain requests.
function ensureAuthenticated(req, res, next) {
if (req.isAuthenticated()) {
@@ -172,23 +166,7 @@
res.locals.confOpts = app.locals.confOpts;
next();
});
-
-/*app.post('*', function (req, res, next) {
- res.locals.user = req.user || null;
- res.locals.confOpts = app.locals.confOpts;
- next();
-});
-*/
-/*
-let cveRoute = docs('cve');
-app.use('/cve', ensureAuthenticated, cveRoute.router);
-let saRoute = docs('sa');
-app.use('/sa', ensureAuthenticated, saRoute.router);
-
-let cnaRoute = docs('cna');
-app.use('/cna', ensureAuthenticated, cnaRoute.router);
-*/
//Configuring a reviewToken in conf file allows sharing drafts with 'people who have a link containing the configurable token'
let review = require('./routes/review');
@@ -203,6 +181,12 @@
res.redirect('/cve/?state=DRAFT,READY,REVIEW');
});
-app.listen(conf.serverPort, function () {
- console.log('Server started on port ' + conf.serverPort);
-});
\ No newline at end of file
+if(conf.httpsOptions) {
+ https.createServer(conf.httpsOptions, app).listen(conf.serverPort, conf.serverHost, function () {
+ console.log('Server started at https://' + conf.serverHost + ':' + conf.serverPort);
+ });
+} else {
+ app.listen(conf.serverPort, conf.serverHost, function () {
+ console.log('Server started at http://' + conf.serverHost + ':' + conf.serverPort);
+ });
+}
\ No newline at end of file
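Review bot: Enabling HTTPS here leaves the session cookie unchanged: the express-session configuration lives outside this hunk (the `session` require is visible at the top of app.js), and presumably it does not yet set `cookie: { secure: true }` when `conf.httpsOptions` is present, so the login cookie would still be sent by browsers over plain HTTP if the host is ever reachable that way; worth wiring the two together, e.g. `cookie: { secure: Boolean(conf.httpsOptions) }`, and confirming `app.set('trust proxy', 1)` if a TLS-terminating proxy fronts the app. A smaller point in both branches: an existing config/conf.js that predates `serverHost` leaves `conf.serverHost` undefined, which Node accepts for `listen()` but prints as `http://undefined:3555` in the log line, so `(conf.serverHost || '0.0.0.0')` in the message would be clearer.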
diff --git a/config/conf-default.js b/config/conf-default.js
index 5ff0733..12a431a 100644
--- a/config/conf-default.js
+++ b/config/conf-default.js
@@ -1,7 +1,9 @@
+const fs = require("fs");
+
module.exports = {
// The Mongodb URL where CVE entries and users are stored.
- database: 'mongodb://vulnogram:Use a long & strong Password@127.0.0.1:27017/vulnogram',
+ database: 'mongodb://127.0.0.1:27017/vulnogram',
// Name of the organization that should be used in page titles etc.,
orgName: 'Example Org',
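Review bot: The new default `database` URL carries no credentials, while the README change in this same commit says to ensure MongoDB authentication is enabled; the comment above it should tell the reader how the two fit, since the old line was the only example of the authenticated form. Suggested comment: `// With MongoDB authentication enabled (recommended) use the form mongodb://<user>:<password>@127.0.0.1:27017/vulnogram`. The enclosing `module.exports` object continues past the end of this hunk.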
@@ -19,22 +21,37 @@
// This may be useful to share a link to the draft for internal reviews and only those with the link have access to the drafts.
//reviewToken: 'randomtoken',
- appName: 'Vulnogram',
// port where this tool is running
+ serverHost: 'localhost',
serverPort: 3555,
basedir: '/',
+
+ //Uncomment this block to enable HTTPs. Configure paths for valid SSL certificates.
+ // Either get them from your favorite Certificate Authority or generate self signed:
+ // $ openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out cert.pem
+/*
+ httpsOptions: {
+ key: fs.readFileSync("./config/key.pem"),
+ cert: fs.readFileSync("./config/cert.pem"),
+ minVersion: 'TLS1.2'
+ },
+*/
+
mitreURL: 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=',
defectURL: 'https://example.net/internal/bugs/',
publicDefectURL: 'https://example.net/bugs/',
+
// ACE editor
- //ace: '/js/ace.js',
ace: 'https://cdnjs.cloudflare.com/ajax/libs/ace/1.4.3/ace.js',
aceHash: "sha384-rP/6HzF4Ap08EuRS9yaQsEPDqb8xS5WVTAzL7/LKTnUmJawbKoeSNyqHnNaiXY5X",
+ // if you want this served locally, download ace editor to /public/js/ directory and point to that:
+ //ace: '/js/ace.js',
// JSON Editor
- //jsoneditor: '/js/jsoneditor.js',
jsoneditor: 'https://cdn.jsdelivr.net/npm/@json-editor/json-editor@1.2.1/dist/jsoneditor.min.js',
jsoneditorHash: 'sha384-iSUg2WRV2cauD+nwMuv7ITxwSe+2heHjWFIOjiWk5/Yve5ovwg/t7qp3ht6VlQBL',
+ // if you want this served locally, download above jsoneditor editor to /public/js/ directory and point to that:
+ //jsoneditor: '/js/jsoneditor.min.js',
usernameRegex: '[a-zA-Z0-9]{3,}',
sections: [
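Review bot: `minVersion: 'TLS1.2'` in the commented `httpsOptions` block is not a value Node's TLS layer accepts — the recognised spellings are `'TLSv1.2'` and `'TLSv1.3'` — so uncommenting the block as shipped makes `https.createServer` throw `ERR_TLS_INVALID_PROTOCOL_VERSION` at startup; change it to `minVersion: 'TLSv1.2'`. The same string appears in the config/conf.js hunk below. Also, the `Keep these safe and secured and readable only by account running vulnogram process!` comment that conf.js gained is missing from this file, which is the template users copy from, so it should be added here too.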
@@ -45,13 +62,13 @@
charts: [
{
href: "/cve/agg?state=DRAFT,REVIEW,READY&sort=ym&f=ym&f=owner",
- key: "owner",
- list: "/cve/?state=DRAFT,REVIEW,READY&sort=ym",
+ key: "ym", // X-axis
+ list: "/cve/?state=DRAFT,REVIEW,READY&sort=ym", //link prefix
title: "Active CVE Pipeline"
},
{
href: "/cve/agg?sort=ym&f=ym&f=owner",
- key: "owner",
+ key: "ym",
list: "/cve/?sort=ym",
title: "CVEs over time"
},
@@ -61,6 +78,17 @@
list: "/cve/?state=DRAFT,REVIEW,READY,PUBLIC",
title: "Active CVEs by Product",
type: "pie"
+ },
+ {
+ href: "/cve/agg?f=severity",
+ key: "severity",
+ list: "/cve/?",
+ title: "All CVEs by Severity",
+ type: "pie",
+ color: {
+ domain: ["CRITICAL", "HIGH", "MEDIUM", "LOW", "NONE", "", null],
+ range: ["orangered","salmon","orange","gold","green", "lightgray", "lightgray"]
+ }
}
]
};
diff --git a/config/conf.js b/config/conf.js
index d9b4678..39b74dc 100644
--- a/config/conf.js
+++ b/config/conf.js
@@ -1,3 +1,5 @@
+const fs = require("fs");
+
module.exports = {
// The Mongodb URL where CVE entries and users are stored.
@@ -20,20 +22,37 @@
//reviewToken: 'randomtoken',
// port where this tool is running
+ serverHost: 'localhost',
serverPort: 3555,
basedir: '/',
+
+ //Uncomment this block to enable HTTPs. Configure paths for valid SSL certificates.
+ // Either get them from your favorite Certificate Authority or generate self signed:
+ // $ openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out cert.pem
+ // Keep these safe and secured and readable only by account running vulnogram process!
+/*
+ httpsOptions: {
+ key: fs.readFileSync("./config/key.pem"),
+ cert: fs.readFileSync("./config/cert.pem"),
+ minVersion: 'TLS1.2'
+ },
+*/
+
mitreURL: 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=',
defectURL: 'https://example.net/internal/bugs/',
publicDefectURL: 'https://example.net/bugs/',
+
// ACE editor
- //ace: '/js/ace.js',
ace: 'https://cdnjs.cloudflare.com/ajax/libs/ace/1.4.3/ace.js',
aceHash: "sha384-rP/6HzF4Ap08EuRS9yaQsEPDqb8xS5WVTAzL7/LKTnUmJawbKoeSNyqHnNaiXY5X",
+ // if you want this served locally, download ace editor to /public/js/ directory and point to that:
+ //ace: '/js/ace.js',
// JSON Editor
- //jsoneditor: '/js/jsoneditor.js',
jsoneditor: 'https://cdn.jsdelivr.net/npm/@json-editor/json-editor@1.2.1/dist/jsoneditor.min.js',
jsoneditorHash: 'sha384-iSUg2WRV2cauD+nwMuv7ITxwSe+2heHjWFIOjiWk5/Yve5ovwg/t7qp3ht6VlQBL',
+ // if you want this served locally, download above jsoneditor editor to /public/js/ directory and point to that:
+ //jsoneditor: '/js/jsoneditor.min.js',
usernameRegex: '[a-zA-Z0-9]{3,}',
sections: [
diff --git a/package.json b/package.json
index 367fc29..cb0f1d5 100644
--- a/package.json
+++ b/package.json
@@ -4,7 +4,10 @@
"description": "Making the world safer one CVE at a time, since 2017. Tool for creating Security Advisories and CVE ID information.",
"main": "app.js",
"scripts": {
- "start": "NODE_ENV=production forever start app.js"
+ "test": "NODE_ENV=developement nodemon app",
+ "start": "NODE_ENV=production forever start --id 'vulnogram' --spinSleepTime 5000 --minUptime 2000 app.js;forever list",
+ "stop": "NODE_ENV=production forever stop app.js",
+ "restart": "NODE_ENV=production forever restart app.js"
},
"author": "Chandan B N.",
"license": "SEE LICENSE IN README.md",
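Review bot: `NODE_ENV=developement` in the new `test` script is misspelled, so anything comparing `process.env.NODE_ENV` against `'development'` will not match; use `"test": "NODE_ENV=development nodemon app",`. In the `start` script the `;forever list` runs even when `forever start` fails, hiding the failure behind a successful-looking listing — `app.js && forever list` keeps the exit status meaningful.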