CHANGELOG VINCE Coordination platform code
Version 3.0.11 2024-12-11
- Update to fix "Reply to User" button further scenarios.
Version 3.0.10 2024-12-10
- Dependabot update recommendations:
django
4.2.17 to 4.2.16 - Fixed bug preventing the "Reply to User" buttons from working in certain circumstances
- Added pk to CaseAPIView (GH-Issue #162)
Version 3.0.9 2024-10-28
- Update to fix Security issue with enumerate users in vincecomm (Internal-783 CVE-2024-10469)
- Update date format to VinceComm as per GH-Issue (GH Issue #157)
Version 3.0.8 2024-10-14
- Fixed a potential security issue with pickle DOS reported by @coldwaterq coldwaterq as CVE-2024-9953 resolved in 3.0.8
- Dependabot update recommendations:
django
4.2.14 to 4.2.16 - Fixed bug that interfered in certain circumstances with email sending functionality
Version 3.0.7 2024-09-10
- Dependabot update recommendations:
cryptography
42.0.4 to 43.0.1 - Made the activity section of the VINCE Track case page load async (Internal-767)
- Set the owner field options on the VT case and ticket search page to change dynamically with the selected teams (Internal-754)
- Resolved bug that prevented VT users from being able to reply to certain messages within VINCE Comm (Internal-700)
- Removed condition preventing display of buttons for accessing the vendor association process on certain tickets (Internal-588)
- Fixed bug that caused certain outgoing VINCE emails to contain bad links to case pages (Internal-770)
- Added code to ensure emails from
settings.IGNORE_EMAILS_TO
(donotreply@) include prominent indication that replies will not be read (Internal-771)
Version 3.0.6 2024-07-29
- Fixed bug that interfered in certain circumstances with processing of contact associations (Internal-763)
- Modified code to ensure that user verification emails only go to group admins and notification-only email addresses (Internal-765)
- Adjusted redirect process after adding vul to a case so that the user lands on the case vul tab (Internal-766)
- Amended code for autoassigning tickets from the ticket page so as to avoid redirect bug (Internal-761)
Version 3.0.5 2024-07-17
- Dependabot update recommendations:
urllib3
1.26.18 to 1.26.19,certifi
2023.7.22 to 2024.7.4,zipp
3.10.1 to 1.19.1Django
4.2.11 to 4.2.14 - Added code to make the tag, vulnote, email & CVE sections of the reports page load async to reduce loading time (Internal-662)
- Made all sections of the reports page expandable/collapsible, collapsed on load, to ease async loading (Internal-662)
- Ensured that transient bounce messages automatically get posted to the user's activity stream
- Set up automatic logging of user deactivation due to bounce issues to the user's activity stream
- Directed bounce messages for users with already open bounce tickets into a followup on original bounce ticket
- Added code to intercept emails addressed to recent bouncers before they are sent (Internal-752)
- Added field to API case view with timestamp field for most recent update (Isseu #149)
- Started improving vulnote review process with css alteration to remove need for unnecessary scrolling (Internal-755)
- Fixed bug in date processing for the vincepub search function (Internal-756)
- Added code to handle errors that arise in certain cases when resetting user MFA (Internal-757)
- Ensured that deactivated users are removed from VINCE Track and from all relevant Groups, with logging to Activity stream (Internal-759)
Version 3.0.4 2024-06-10
- Fixed bug that prevented display of "No data" message in certain circumstances on the VINCE Track case page vendor tab
- Reconfigured code for templated mail preparation to stop bug that derailed the mailer process in certain circumstances
- Fixed code that inappropriately displayed uuid instead of group name on the VINCE Track contact information page
Version 3.0.3 2024-06-04
- Added code to make the tickets section of the reports page load async to reduce loading time
- Reconfigured code for catching recently bounced users when sending templated mail
Version 3.0.2 2024-05-30
- Dependabot update recommendations:
requests
2.31.0 to 2.32.0 - Reconfigured initiate contact form so internal checkbox hides email addresses & triggers appropriate helptext in textarea
- Rerouted internal verification requests from initiate contact form so resulting tickets are assigned to (second) Authorizer
- Added ability to sort search results on the VINCE Track All Search page
Version 3.0.1 2024-04-29
- Dependabot update recommendations:
idna
3.4 to 3.7,Django
4.2 to 4.2.11,pydantic
1.10.2 to 1.10.13,sqlparse
0.4.4 to 0.5.0 - Fixed bounce tool so that it now correctly links permanent bounce tickets only to the email address producing bounces
- Adjusted dropdown menu for assigning tickets to coordinators on VINCE Track ticket page, to avoid introducing duplicates
- Made embargo end times default to noon UTC & made display of embargo end times unambiguous on VINCE Comm case page
- Added code to make the cases section of the reports page load async to reduce loading time
- Changed destination of links for further information about CVEs on Vul Note page
Version 3.0.0 2024-04-10
- Made the Vendor Association button to track and populate ticket id & (if appropriate) vendor name.
- Upgraded
Django
4.2 - Django 3 is end-of-life - Restructured code for preparing vendors table data on VINCE Track case page so as to reduce load time
- Refactored certain queries for the VINCE Track reports page in support of the long term goal of reducing its load time
Version 2.1.11 2024-03-14
- Dependabot update recommendations:
cryptography
41.0.6 to 42.0.4 anddjango
from 3.2.23 to 3.2.24 - Added code to ensure comments entered into comment box will be preserved when user uploads a file
- Fixed filters above vendor table in vendor tab of case page to ensure consistency with data in vendor table
- Added logging to make it easier to track user deactivation & MFA resetting processes
- Fixed case vendor status edit page to prevent inadvertent alteration of vendor share status from VINCE Track
Version 2.1.10 2024-01-31
- Dependabot update recommendations:
pycryptodome
3.15.0 to 3.19.1 - Reconfigured vendors tab on VINCE Track case page to provide more fine-tuned pagination options & fix bugs in filter fields.
- Fixed bug preventing info categorizing cases as related to AI/ML systems from displaying properly on original report tab
- Fixed bug preventing VINCE Track users from removing members from custom groups
- Added functionality for marking a case as related to AI/ML systems in the form for editing a case request
- Refactored code for generating link to VINCE Comm case request page from VINCE Track, which was failing in certain cases
Version 2.1.9 2023-12-07
- Dependabot update recommendations:
cryptography
41.0.3 to 41.0.6 - Fixed bug that prevented "Add Vulnerability" button from rerouting user to appropriate pages upon submission
- Integrated custom metrics into weekly reports on VINCE activity
Version 2.1.8 2023-11-08
- Dependabot update recommendations:
django
3.2.20 to 3.2.23 - Restructured vendors tab on VINCE Track case page so that vendors table is paginated rather than indefinitely scrollable
Version 2.1.7 2023-10-30
- Added customization of MFA
- Added code to catch and correct Vul Note Reviews with data omissions that led to page load failures in certain circumstances
Version 2.1.6 2023-10-25
- Fixed bug that interfered in certain circumstances with the operation of the vendor filter button on the VINCEComm case page
- Dependabot update recommendations:
urllib3
1.26.12 to 1.26.18 - Fixed bug that obstrcuted case assignment process for VINCETrack users with identical preferred usernames
- Adjusted code for asynchronous loading on ticket page to ensure it works on all ticket pages, including case request tickets
- Set up periodic autorefresh feature for VINCE Track ticket page
- Reformulated misleading UI labels for case transfer request process
- Resolved Issue by simpifying/correcting search code & disambiguating labels in report views
- Added AI/ML systems checkbox to public & VINCE Comm vul report form, routing of AI/ML-related tickets
Version 2.1.5 2023-09-21
- Enhanced operation of VINCEComm case discussion section, moving focus to editable div when the user chooses to edit a post
- Added dropdown menu to VINCETrack quicksearch bar, optimizing search by enabling swifter specification of advanced search settings
- Replaced certain switch-paddle checkboxes on VINCE forms with tswitch UI to make them easier to use
- Fixed bug that generated duplicates in the list of vendors on certain VINCEComm case pages
Version 2.1.4 2023-08-30
- Automated annual update to VINCE copyright date in footer
- Dependabot update recommendations:
django
3.2.19 to 3.2.20 - Replaced malfunctioning dropdown menu in original report tab on VINCETrack case page with link to case request ticket
- Added functionality to VINCE Comm status page for muting & unmuting cases, with alerts responding to selected affectedness status
- Set up periodic autorefresh feature for the VINCE Track Triage page
Version 2.1.3 2023-08-09
- More tabs on VinceTrack Case page updated for asynchronous loading.
- Dependabot update recommendations:
cryptography
41.0.0 to 41.0.3,certifi
2022.9.24 to 2023.7.22 - Enhanced printability of VINCEComm Case pages by removing unnecessary content on print and adding more detailed title to case page
- Remove duplicate settings.py to avoid confusion.
- Removed option to sort large numbers of vendors alphabetically on published vulnotes, preventing JavaScript bug
- Introduced code that automatically schedules weekly reports on VINCE statistics to be sent via email to appropriate recipients
Version 2.1.2 2023-06-09
- VinceTrack CaseView,VinceCommUserView updated for Asynchronous calls for tab-based browsing.
- Fixed GH Issue #111 PDF Links not working
- Updated Vendor approval workflow with time lapse of 2 weeks of no-response from Vendor Admin
- Fix bounce issues of creating tickets for dead/disabled users.
- Dependabot security recommendations PyPi
cryptography
39.0.1 to 41.0.0,requests
2.281 to 2.31.0,django-ses
from 3.2.2 to 3.5.0 - Fixed vincepubviews multiple choice field Years to be dynamic
Version 2.1.1 2023-05-02
- Security updates fixing a number of dependencies - sqlparse, redis (GHSA-rrm6-wvj7-cwh2,CVE-2023-28859,CVE-2023-28858)
- Updates (UAR) workflow for User joining Vendor Group GH Issue #94
- INL Code updates to perform Product/Version for CVE records GH PR #104
- INL Code updates for PDF download of VulNote GH PR #104
- Async requests for VinceTrack Contacts to reduce page wait times
- Check for Bounces before sending emails from vince/mailer.py
- Add TERMS_URL to ensure Terms & Conditions are flexible
- Fix CVSS Translator GH Issue #105
- Check for notification-only addresses and provide error on Signup
Version 2.0.7 2023-03-20
- Security updates Django to 3.2.18 CVE-2023-24580, Remove python-futures (no longer used) GH Issues #91 #90 (Dependabot)
- Support User Approve Request (UAR) new workflow for User joining Vendor Group GH Issue #94
- Allow Tracking ID's to be added to Cases when user belongs to multiple groups (CaseTracking) reported by VINCE user.
- Move from initial to instance on Form Class inits() to modify existing data in Models/Forms pair
- Move more browser UI information to async data requests, less templates.
- Remove
marquee
,command
andstyle
tags from supported markdown_helpers lib.vince.markdown_helpers - reported by VINCE user.
Version 2.0.6 2023-01-23
- Removed Edit Vulnerability button superfluous GHIssue #77
- Updates to CVE publish buttons and automatic close of CVE modal on error
- Modify CVEAffectedProduct.version_affected vince models.py for CVE5JSON
- Bug fix newcomment not new_comment in vince/views.py
- Add "Notify anyway" button routine for already notified vendor.
- Update to CVE2.1 Services Publish using CVE5 JSON
- More Async functions for vendor status views
- Added more common libraries to lib/vince/utils
- Added a mute_lib.py to support mute a Case for a user in automated way
- Fixed a number of small bugs in max length in FORM submissions and S3 sensitive filenames
- Added Filter to CaseView in VinceComm
- Addition of more Async functions for non-interactive queries
- Fixing of slow performance on allvendors view to use Django Aggregate and Filter/Q functions
- Friendly errors and fixes for logging to add IP address of remote client
- Major upgrade to Django 3.2 LTS target end byt 2024. Fixes related to Django upgrade in all libraries.
- Aded new QuerySet Paging library for performance extend chain with chainqs for QuerySet
- Asynchronous calls for most vinny/views via JSON through asyncLoad class
- Provide API Views 404 with JSON generic error
- Allow Session or API Token authentication to support API access from browser
- Provide better HTML text on access/permission violations by User.
- Fixes to CVE management API with CVE services 2.1 and CVEJSON5 support
- CSAF enchancements including TLP setup. Pending Customer engagement details publishing.
- Fix number of logging to include relevant data as part of log message
- Allow Vendor Association when Ticket is associated with a Case
- Adding Download HTML per INL request GH Issue #60
- Avoid Alert severity colors to buttons that don't do deletes/sensitive actions - UI feedback.
- Show MFA type for users in VinceTrack to support troubleshooting Users
- Catch errors on failure to email when a Post is submitted.
- Updates to settings_.py to match public GitHub
- UI tweaks for Loading div, asynchronous search via delaySearch
- Add Access-Control-Origin header to CSAF output for Secvisogram
- Fix Python Pickle Code Injection vulnerability reported by Rapid7 researcher Marcus Chang CVE-2022-40238
- Address reported failure with better error reporting from Encrypt-and-Send
- Avoid TimeZone spurious warning errors flooding logs
- UI improvements for vincetrack for search experience
- Performance tweaks for Tickets search use $queryset.count() instead len($queryset) when pagination is used
- Fix HTML injection vulnerabilities reported by Rapid7 researcher Nick Sanzotta (CVE-2022-40248,CVE-2022-40257)
- Full support for CSAF 2.0 export of vulnerability Case
- Fix for a number of Views to avoid digit parameter confusion
- Add view CSAF and VINCE JSON to support download of Case data in machine-readable format
- If upgrading, make sure you verify settings.py has new variables
CONTACT_PHONE
ORG_POLICY_URL
andORG_AUTHORITY
populated.
- Resolves issue of enumerating user_id and group_id - reported by Sharon Brizinov of Claroty Research #51
- Removed lxml library no longer in use in requirements.txt - reported by dependabot via #38
- Add [DISABLED] Keyword for users in
inactive
status in vincetrackTeams
menu view.
- BugFix for API key generation issue. The generate_key method was disabled accidentally
- New MFA reset workflow
- Allow comments when re-assigning tickets
- Sorting improvements on VINCEComm Dashboard
- Add Vul Note download button in VINCETrack
- Fixed open redirect vulnerability (CVE-2022-25799)[https://nvd.nist.gov/vuln/detail/CVE-2022-25799] reported by Jonathan Leitschuh #45
- Bug Fixes
- Contact Management Updates
- Dependency Upgrades
- Bug Fixes
- Initial Open Source Release