Re-design Vulnerability details page

backend/src/api/app.ts

@@ -5,6 +5,8 @@ import * as cors from 'cors';
 import * as helmet from 'helmet';
 import { handler as healthcheck } from './healthcheck';
 import * as auth from './auth';
+import * as cpes from './cpes';
+import * as cves from './cves';
 import * as domains from './domains';
 import * as search from './search';
 import * as vulnerabilities from './vulnerabilities';
@@ -287,6 +289,12 @@ authenticatedRoute.delete('/api-keys/:keyId', handlerToExpress(apiKeys.del));
 
 authenticatedRoute.post('/search', handlerToExpress(search.search));
 authenticatedRoute.post('/search/export', handlerToExpress(search.export_));
+authenticatedRoute.get('/cpes/:id', handlerToExpress(cpes.get));
+authenticatedRoute.get('/cves/:cve_uid', handlerToExpress(cves.get));
+authenticatedRoute.get(
+  '/cves/name/:cve_name',
+  handlerToExpress(cves.getByName)
+);
 authenticatedRoute.post('/domain/search', handlerToExpress(domains.list));
 authenticatedRoute.post('/domain/export', handlerToExpress(domains.export_));
 authenticatedRoute.get('/domain/:domainId', handlerToExpress(domains.get));

backend/src/api/cpes.ts

@@ -0,0 +1,39 @@
+import { ProductInfo, connectToDatabase } from '../models';
+import { wrapHandler, NotFound } from './helpers';
+
+// TODO: Join cves to cpe get method
+// TODO: Create CpeFilters and CpeSearch classes to handle filtering and pagination of additional fields
+
+/**
+ * @swagger
+ * /cpes/{id}:
+ *   get:
+ *     description: Retrieve a CPE by ID
+ *     tags:
+ *       - CPEs
+ *     parameters:
+ *       - in: path
+ *         name: id
+ *         required: true
+ *         schema:
+ *           type: string
+ */
+export const get = wrapHandler(async (event) => {
+  const connection = await connectToDatabase();
+  const repository = connection.getRepository(ProductInfo);
+
+  const id = event.pathParameters?.id;
+  if (!id) {
+    return NotFound;
+  }
+
+  const productInfo = await repository.findOne(id);
+  if (!productInfo) {
+    return NotFound;
+  }
+
+  return {
+    statusCode: 200,
+    body: JSON.stringify(productInfo)
+  };
+});

backend/src/api/cves.ts

@@ -0,0 +1,79 @@
+import { Cve, connectToDatabase } from '../models';
+import { wrapHandler } from './helpers';
+
+// TODO: Add test for joining product_info
+// TODO: Create CveFilters and CveSearch classes to handle filtering and pagination of additional fields
+
+/**
+ * @swagger
+ * /cves/{cve_uid}:
+ *   get:
+ *     description: Retrieve a CVE by ID.
+ *     tags:
+ *       - CVEs
+ *     parameters:
+ *       - in: path
+ *         name: cve_uid
+ *         required: true
+ *         schema:
+ *           type: string
+ */
+export const get = wrapHandler(async (event) => {
+  await connectToDatabase();
+  const cve_uid = event.pathParameters?.cve_uid;
+
+  const cve = await Cve.createQueryBuilder('cve')
+    .leftJoinAndSelect('cve.product_info', 'product_info')
+    .where('cve.cve_uid = :cve_uid', { cve_uid: cve_uid })
+    .getOne();
+
+  if (!cve) {
+    return {
+      statusCode: 404,
+      body: JSON.stringify(Error)
+    };
+  }
+
+  return {
+    statusCode: 200,
+    body: JSON.stringify(cve)
+  };
+});
+
+//TODO: Remove getByName endpoint once a one-to-one relationship is established between vulnerability.cve and cve.cve_id
+/**
+ * @swagger
+ *
+ * /cves/name/{cve_name}:
+ *  get:
+ *    description: Retrieve a single CVE record by its name.
+ *    tags:
+ *    - CVE
+ *    parameters:
+ *    - name: cve_name
+ *      in: path
+ *      required: true
+ *      schema:
+ *        type: string
+ */
+export const getByName = wrapHandler(async (event) => {
+  await connectToDatabase();
+  const cve_name = event.pathParameters?.cve_name;
+
+  const cve = await Cve.createQueryBuilder('cve')
+    .leftJoinAndSelect('cve.product_info', 'product_info')
+    .where('cve.cve_name = :cve_name', { cve_name })
+    .getOne();
+
+  if (!cve) {
+    return {
+      statusCode: 404,
+      body: JSON.stringify(Error)
+    };
+  }
+
+  return {
+    statusCode: 200,
+    body: JSON.stringify(cve)
+  };
+});

backend/src/api/vulnerabilities.ts

@@ -170,7 +170,8 @@ class VulnerabilitySearch {
         : `vulnerability.${this.sort}`;
     let qs = Vulnerability.createQueryBuilder('vulnerability')
       .leftJoinAndSelect('vulnerability.domain', 'domain')
-      .leftJoinAndSelect('domain.organization', 'organization');
+      .leftJoinAndSelect('domain.organization', 'organization')
+      .leftJoinAndSelect('vulnerability.service', 'service');
 
     if (groupBy) {
       qs = qs
@@ -185,9 +186,7 @@ class VulnerabilitySearch {
         ])
         .orderBy('cnt', 'DESC');
     } else {
-      qs = qs
-        .leftJoinAndSelect('vulnerability.service', 'service')
-        .orderBy(sort, this.order);
+      qs = qs.orderBy(sort, this.order);
     }
 
     if (pageSize !== -1) {

backend/src/models/cve.ts

@@ -11,11 +11,12 @@ import {
 } from 'typeorm';
 import { ProductInfo } from './product-info';
 
+//TODO: Refactor column names to camelCase to match the rest of the codebase?
 @Entity()
 @Unique(['cve_name'])
 export class Cve extends BaseEntity {
   @PrimaryGeneratedColumn('uuid')
-  cve_uid: string;
+  cve_uid: string; //TODO: Refactor to id to match other UUIDs?
 
   @Column({ nullable: true })
   cve_name: string;

backend/src/models/product-info.ts

@@ -1,21 +1,20 @@
-import { mapping } from 'src/tasks/censys/mapping';
 import {
   Entity,
   PrimaryGeneratedColumn,
   Column,
-  CreateDateColumn,
-  UpdateDateColumn,
   ManyToMany,
   BaseEntity,
   Unique
 } from 'typeorm';
 import { Cve } from './cve';
 
+//TODO: Refactor column names to camelCase to match the rest of the codebase?
+//TODO: Refactor table name to product or cpe for brevity?
 @Entity()
 @Unique(['cpe_product_name', 'version_number', 'vender'])
 export class ProductInfo extends BaseEntity {
   @PrimaryGeneratedColumn('uuid')
-  id: string; //TODO: change this to something else??
+  id: string;
 
   @Column()
   cpe_product_name: string;

backend/test/cpes.test.ts

@@ -0,0 +1,51 @@
+import * as request from 'supertest';
+import app from '../src/api/app';
+import { Organization, ProductInfo, connectToDatabase } from '../src/models';
+import { createUserToken } from './util';
+
+describe('cpes', () => {
+  let connection;
+  let organization: Organization;
+  let productInfo: ProductInfo;
+  beforeAll(async () => {
+    connection = await connectToDatabase();
+    productInfo = ProductInfo.create({
+      last_seen: new Date(),
+      cpe_product_name: 'Test Product',
+      version_number: '1.0.0',
+      vender: 'Test Vender'
+    });
+    await productInfo.save();
+    organization = Organization.create({
+      name: 'test-' + Math.random(),
+      rootDomains: ['test-' + Math.random()],
+      ipBlocks: [],
+      isPassive: false
+    });
+    await organization.save();
+  });
+
+  afterAll(async () => {
+    await ProductInfo.delete(productInfo.id);
+    await connection.close();
+  });
+
+  describe('CPE API', () => {
+    it('should return a single CPE by id', async () => {
+      const response = await request(app)
+        .get(`/cpes/${productInfo.id}`)
+        .set(
+          'Authorization',
+          createUserToken({
+            roles: [{ org: organization.id, role: 'user' }]
+          })
+        )
+        .send({})
+        .expect(200);
+      expect(response.body.id).toEqual(productInfo.id);
+      expect(response.body.cpe_product_name).toEqual(
+        productInfo.cpe_product_name
+      );
+    });
+  });
+});

backend/test/cves.test.ts

@@ -0,0 +1,63 @@
+import * as request from 'supertest';
+import app from '../src/api/app';
+import { Cve, Organization, connectToDatabase } from '../src/models';
+import { createUserToken } from './util';
+
+// TODO: Add test for joining product_info
+describe('cves', () => {
+  let connection;
+  let cve: Cve;
+  let organization: Organization;
+  beforeAll(async () => {
+    connection = await connectToDatabase();
+    cve = Cve.create({
+      cve_name: 'CVE-0001-0001'
+    });
+    await cve.save();
+    organization = Organization.create({
+      name: 'test-' + Math.random(),
+      rootDomains: ['test-' + Math.random()],
+      ipBlocks: [],
+      isPassive: false
+    });
+    await organization.save();
+  });
+
+  afterAll(async () => {
+    await Cve.delete(cve.cve_uid);
+    await Organization.delete(organization.id);
+    await connection.close();
+  });
+  describe('CVE API', () => {
+    it('should return a single CVE by cve_name', async () => {
+      const response = await request(app)
+        .get(`/cves/name/${cve.cve_name}`)
+        .set(
+          'Authorization',
+          createUserToken({
+            roles: [{ org: organization.id, role: 'user' }]
+          })
+        )
+        .send({})
+        .expect(200);
+      expect(response.body.cve_uid).toEqual(cve.cve_uid);
+      expect(response.body.cve_name).toEqual(cve.cve_name);
+    });
+  });
+  describe('CVE API', () => {
+    it('should return a single CVE by cve_uid', async () => {
+      const response = await request(app)
+        .get(`/cves/${cve.cve_uid}`)
+        .set(
+          'Authorization',
+          createUserToken({
+            roles: [{ org: organization.id, role: 'user' }]
+          })
+        )
+        .send({})
+        .expect(200);
+      expect(response.body.cve_uid).toEqual(cve.cve_uid);
+      expect(response.body.cve_name).toEqual(cve.cve_name);
+    });
+  });
+});

frontend/src/pages/Risk/utils.ts

@@ -11,6 +11,14 @@ export const getSeverityColor = ({ id }: { id: string }) => {
   else if (id === 'High') return '#B51D09';
   else return '#540C03';
 };
+export const getCVSSColor = (score: number) => {
+  if (!score || score === 0) return ['#EFF1F5', 'NONE'];
+  else if (0.1 <= score && score <= 3.9) return ['#99cc33', 'LOW'];
+  else if (4 <= score && score <= 6.9) return ['#ffcc00', 'MEDIUM'];
+  else if (7 <= score && score <= 8.9) return ['#ff9966', 'HIGH'];
+  else if (9 <= score && score <= 10) return ['#ff6254', 'CRITICAL'];
+  else return '#540C03';
+};
 export const offsets: any = {
   Vermont: [50, -8],
   'New Hampshire': [34, 2],