Merge pull request #192 from SEI-gstrom/version/3.0.28

Version 3.0.28

Author: sei-vsarvepalli

.ebextensions/02_settings.config

@@ -8,5 +8,3 @@ option_settings:
     - namespace: aws:elasticbeanstalk:container:python
       option_name: WSGIPath
       value: bigvince.wsgi:application
-
-

CHANGELOG.md

@@ -7,6 +7,30 @@ VINCE Coordination platform code
 ## Description
 VINCE Coordination platform code
 
+
+Version 3.0.28 2025-11-04
+
+* added code to fix issue in creation of XLS report (Internal-804)
+
+
+Version 3.0.27 2025-11-04
+
+* updated links to CVD documentation, etc. (Internal-816)
+* modified structure of weekly XLS report in response to user request (Internal-804)
+* modified Triage view so that it also includes new tickets assigned to no-longer-active users (Internal-825)
+* disabled buggy hovering feature in VINCE Comm case page (Internal-826)
+
+
+Version 3.0.26 2025-10-02
+
+* dependabot update recommendation: `Django` 4.2.24 to 4.2.25
+* fixed bug causing discrepency between two sources of info about vendors attached to a case (Internal-822)
+
+Version 3.0.25 2025-09-10
+
+* dependabot update recommendation: `Django` 4.2.22 to 4.2.24
+
+
 Version 3.0.24 2025-08-26
 
 * adjusted code for generating spreadsheet used for detailed weekly reports (Intental-804)

bigvince/settings_.py

@@ -54,7 +54,7 @@
 ROOT_DIR = environ.Path(__file__) - 3
 
 # any change that requires database migrations is a minor release
-VERSION = "3.0.24"
+VERSION = "3.0.28"
 
 # Quick-start development settings - unsuitable for production
 # See https://docs.djangoproject.com/en/2.1/howto/deployment/checklist/

requirements.txt

@@ -24,7 +24,7 @@ cryptography==44.0.1
 cvelib==1.3.0
 Deprecated==1.2.13
 dictdiffer==0.9.0
-Django==4.2.22
+Django==4.2.25
 django-appconf==1.0.5
 django-countries==7.4.2
 django-environ==0.9.0

vince/static/vince/css/style.css

@@ -1432,15 +1432,15 @@ div.homelink a {
     background-color: #282829;
     border-right: 1px solid #c2c2c2;
     color: #f1f1f2;
-    padding-top:130px;
+    padding-top:195px;
 
 }
 
 #offCanvasLeft {
     background-color: #f1f1f2;
     border-right: 1px solid #c2c2c2;
     color: #4d4d4f;
-    padding-top:150px;
+    padding-top:225px;
 }
 
 /*.position-left.reveal-for-medium ~ .off-canvas-content {

vince/views.py

@@ -672,7 +672,7 @@ def autocomplete_casevendors(request, pk):
     case = get_object_or_404(VulnerabilityCase, id=pk)
     page = int(request.GET.get("page", 1))
     size = int(request.GET.get("size", 0))
-    vendors = VulnerableVendor.casevendors(case).order_by("vendor")
+    vendors = VulnerableVendor.casevendors(case).select_related("contact").prefetch_related("contact__contacttag_set").order_by("vendor")
     user_filter = False
     logger.debug(f"in autocomplete_casevendors, request.GET is {request.GET}")
     for key in request.GET:
@@ -14918,7 +14918,6 @@ def get(self, request, *args, **kwargs):
             "Summary",
             "Initial Triage Actions",
             "Assigned Personnel/Team",
-            "Justification if Declined",
             "Coordinator"
         ])
 
@@ -14973,6 +14972,8 @@ def get(self, request, *args, **kwargs):
                 resolution = ""
                 try:
                     resolution = ticket.resolution
+                    if resolution is None:
+                        resolution = "no resolution"
                 except:
                     resolution = "no resolution"
                 try:
@@ -14991,10 +14992,9 @@ def get(self, request, *args, **kwargs):
                     [
                         f"{ticket.queue}-{ticket.id}",
                         ticket.title,
-                        resolution,
+                        resolution + justification_if_declined,
                         " ",
                         assigned_team,
-                        justification_if_declined,
                         assignee_name,
                     ]
                 )
@@ -16044,7 +16044,7 @@ def get_queryset(self):
             my_queues = get_rw_queues(self.request.user)
         return (
             Ticket.objects.filter(queue__in=my_queues, status__in=[Ticket.OPEN_STATUS, Ticket.REOPENED_STATUS])
-            .exclude(assigned_to__isnull=False)
+            .filter(Q(assigned_to__isnull=True) | Q(assigned_to__is_active=False))
             .order_by("-modified")
         )
 

vincepub/templates/vincepub/index.html

@@ -74,7 +74,7 @@ <h3>Search</h3>
     <div class="large-8 medium-8 columns">
       <h3>Want to report a vulnerability?</h3>
       <p>The CERT Coordination Center (CERT/CC) prioritizes coordination efforts on vulnerabilities that affect multiple vendors or that impact safety, critical or internet infrastructure, or national security.  We also prioritize reports that affect sectors that are new to vulnerability disclosure.  We may be able to provide assistance for reports when the coordination process breaks down.</p>
-      <p>Before reporting a vulnerability to us, we recommend reading our <a href="https://vuls.cert.org/confluence/display/Wiki/Vulnerability+Disclosure+Policy" target="_blank" rel="noopener">vulnerability disclosure policy</a> and <a href="{% url 'vincepub:discguidance' %}">guidance.</a>
+      <p>Before reporting a vulnerability to us, we recommend reading our <a href="https://certcc.github.io/certcc_disclosure_policy/" target="_blank" rel="noopener">vulnerability disclosure policy</a> and <a href="{% url 'vincepub:discguidance' %}">guidance.</a>
       <p><a class="old-notes hollow button secondary large" href="{% url 'vincepub:initreport' %}">Report a Vulnerability</a></p>
     </div>
     <div class="large-4 medium-4 columns">

vincepub/templates/vincepub/report.html

@@ -23,7 +23,7 @@ <h2 class="subtitle"> Report a Vulnerability </h2>
 	  <!--<a href="{% url 'vincepub:vulcoordrequest' %}" class="link-cta">Request a CVE from MITRE </a>-->
 
 	  <p class="lead-body">Before reporting any vulnerabilities to the CERT Coordination Center (CERT/CC) and making them public, try contacting the vendor directly. Some vendors offer bug bounty programs.</p>
-	  <p class="lead-body">We recommend reading our <a href="https://vuls.cert.org/confluence/display/Wiki/Vulnerability+Disclosure+Policy" target="_blank" rel="noopener">vulnerability disclosure policy</a> and <a href="{% url 'vincepub:discguidance' %}">guidance</a> before submitting a vulnerability report. We send information provided in vulnerability reports to affected vendors. </p>
+	  <p class="lead-body">We recommend reading our <a href="https://certcc.github.io/certcc_disclosure_policy/" target="_blank" rel="noopener">vulnerability disclosure policy</a> and <a href="{% url 'vincepub:discguidance' %}">guidance</a> before submitting a vulnerability report. We send information provided in vulnerability reports to affected vendors. </p>
 
 	  <p class="lead-body">CERT/CC does not accept or respond to every report. We prioritize reports that affect multiple vendors or that impact safety, critical or internet infrastructure, or national security. We also prioritize reports that affect sectors that are new to vulnerability disclosure. We may be able to provide assistance for reports when the coordination process breaks down.</p>
 	    <a href="{% url 'vincepub:vulcoordrequest' %}" class="link-cta"> Begin a Report </a>

vinny/static/vinny/js/vinny.js

@@ -30,24 +30,30 @@
 
 function initTooltipster(element, umProfileStore, displayUserCard) {
     /*replaced to use standard jquery tooltip since plugin was failing */
-    $(document).tooltip({
-	items:'.user-mention, .vendor-participant',
-        tooltipClass: 'tooltipster-default',
-	content: function(callback) {
-            var userUrl = $(this).attr('href')+"?quick=1";
-            if(umProfileStore.hasOwnProperty(userUrl)){
-		callback(umProfileStore[userUrl])
-                //displayUserCard(instance, umProfileStore[userUrl]);
-                // load from cache
-            }
-            else {
-                $.get(userUrl, function(data) {
-                    umProfileStore[userUrl] = data;
-		    callback(data);
-                });
-            }
-        }
-    });
+
+	// Temporarily commenting out this code until we can figure out why the wrong user's
+	// info is sometimes displayed when users hover over (for example) "@Fred" in posts on
+	// the case page:
+
+    // $(document).tooltip({
+	// 	items:'.user-mention, .vendor-participant',
+    //     tooltipClass: 'tooltipster-default',
+	// 	content: function(callback) {
+    //         var userUrl = $(this).attr('href')+"?quick=1";
+    //         if(umProfileStore.hasOwnProperty(userUrl)){
+	// 			callback(umProfileStore[userUrl])
+    //             //displayUserCard(instance, umProfileStore[userUrl]);
+    //             // load from cache
+    //         }
+    //         else {
+    //             $.get(userUrl, function(data) {
+    //                 umProfileStore[userUrl] = data;
+	// 	    		callback(data);
+    //             });
+    //         }
+    //     }
+    // });
+
 }
 
 function onBeforeUnload(e) {
@@ -320,50 +326,50 @@ $(document).ready(function() {
     });
 
     $(document).on("submit", "#postform", function(event) {
-	// Get some values from elements on the page:
-	event.preventDefault();
-	var content = simplemde.value();
-	console.log(content)
-	if (content == "") {
-	    return false;
-	}
-	var paginate_by =  $("#paginate_by").text();
-	$('#sendbutton').prop('disabled', true);
-	var $form = $( this );
-	var url = $(this).attr( "action" );
-	var csrftoken = getCookie('csrftoken');
-	var data = {'content': content, 'csrfmiddlewaretoken': csrftoken, 'paginate_by': paginate_by};
-	var reload_pinned = false;
-	if ($("#reply_to").length) {
-	    data["reply_to"] = $("#reply_to").val();
-	    if ($("#reply_to").attr("name") == "reply_to_pinned") {
-		reload_pinned = true;
-		data["pinned"] = 1;
-	    }
-	}
-	// Send the data using post
-	var posting = $.post( url, data );
-	
-	// Put the results in a div
-	posting.done(function( data ) {
-	    simplemde.value("");
-	    var reload_type = "#allposts";
-	    if (reload_pinned) {
-		reload_type = "#pinnedposts";
-	    }
-	    $('#sendbutton').prop('disabled', false);
-	    $(reload_type).empty().append( data );
-	    $(reload_type).foundation();
-	    /* reload plugins */
-	    $('html, body').animate({scrollTop:$(reload_type).offset().bottom}, 'slow');
-	    initTooltipster(".user-mention:not(.tooltipstered)", umProfileStore, displayUserCard);
-	    /* remove reply if present */
-	    if (document.contains(document.getElementById("reply_to"))) {
-		document.getElementById("reply_to").remove();
-	    }
-	    //$( "#post_reply" ).slideToggle( "slow", function() {
-        //});
-	});
+		// Get some values from elements on the page:
+		event.preventDefault();
+		var content = simplemde.value();
+		console.log(content)
+		if (content == "") {
+			return false;
+		}
+		var paginate_by =  $("#paginate_by").text();
+		$('#sendbutton').prop('disabled', true);
+		var $form = $( this );
+		var url = $(this).attr( "action" );
+		var csrftoken = getCookie('csrftoken');
+		var data = {'content': content, 'csrfmiddlewaretoken': csrftoken, 'paginate_by': paginate_by};
+		var reload_pinned = false;
+		if ($("#reply_to").length) {
+			data["reply_to"] = $("#reply_to").val();
+			if ($("#reply_to").attr("name") == "reply_to_pinned") {
+				reload_pinned = true;
+				data["pinned"] = 1;
+			}
+		}
+		// Send the data using post
+		var posting = $.post( url, data );
+		
+		// Put the results in a div
+		posting.done(function( data ) {
+			simplemde.value("");
+			var reload_type = "#allposts";
+			if (reload_pinned) {
+				reload_type = "#pinnedposts";
+			}
+			$('#sendbutton').prop('disabled', false);
+			$(reload_type).empty().append( data );
+			$(reload_type).foundation();
+			/* reload plugins */
+			$('html, body').animate({scrollTop:$(reload_type).offset().bottom}, 'slow');
+			initTooltipster(".user-mention:not(.tooltipstered)", umProfileStore, displayUserCard);
+			/* remove reply if present */
+			if (document.contains(document.getElementById("reply_to"))) {
+				document.getElementById("reply_to").remove();
+			}
+			//$( "#post_reply" ).slideToggle( "slow", function() {
+			//});
+		});
 
     });
 
@@ -445,30 +451,30 @@ $(document).ready(function() {
 
 
     $(document).on('click', '.reply-to-post', function() {
-	var post = $(this).parent().parent().parent().find('.post_author');
-	var lines = post.text().trim(); /*.split('\n');*/
-	var post_id = $(this).attr("post_id");
-	/*$("#post_reply").slideToggle( "slow", function() {});*/
-	$('html, body').animate({scrollTop:$(document).height()}, 'slow');
-	/*var newpost = lines.map(function(element) { return '> ' + element; });
-	  simplemde.value(newpost.join('\n'));*/
-	if ($(this).hasClass("pinned")) {
-	    $('<input>', {
-            type: 'hidden',
-            id: 'reply_to',
-            name: 'reply_to_pinned',
-            value: post_id
-        }).appendTo('#postform');
-
-	} else {
-	$('<input>', {
-	    type: 'hidden',
-	    id: 'reply_to',
-	    name: 'reply_to',
-	    value: post_id
-	}).appendTo('#postform');
-	}
-	simplemde.value('@'+lines);
+		var post = $(this).parent().parent().parent().find('.post_author');
+		var lines = post.text().trim(); /*.split('\n');*/
+		var post_id = $(this).attr("post_id");
+		/*$("#post_reply").slideToggle( "slow", function() {});*/
+		$('html, body').animate({scrollTop:$(document).height()}, 'slow');
+		/*var newpost = lines.map(function(element) { return '> ' + element; });
+		simplemde.value(newpost.join('\n'));*/
+		if ($(this).hasClass("pinned")) {
+			$('<input>', {
+				type: 'hidden',
+				id: 'reply_to',
+				name: 'reply_to_pinned',
+				value: post_id
+			}).appendTo('#postform');
+
+		} else {
+			$('<input>', {
+				type: 'hidden',
+				id: 'reply_to',
+				name: 'reply_to',
+				value: post_id
+			}).appendTo('#postform');
+		}
+		simplemde.value('@'+lines);
     });
 
 

vinny/urls.py

@@ -174,6 +174,8 @@
     path("reports/pub/", views.AdminReportsView.as_view(), name="adminreports"),
     path("reports/", views.ReportsView.as_view(), name="reports"),
     path("api/vendor/", views.VendorInfoAPIView.as_view(), name="vendor_api"),
+    # Make this endpoint go live when we complete Internal-821:
+    # path("api/vulreport/", views.VulReportAPIView.as_view(), name="vul_report_api"),
     path("api/cases/", views.CasesAPIView.as_view(), name="cases_api"),
     re_path("api/case/(?P<vuid>\d+)/$", views.CaseAPIView.as_view({"get": "retrieve"}), name="case_api"),
     re_path("api/case/posts/(?P<vuid>\d+)/$", views.CasePostAPIView.as_view(), name="case_post_api"),