Initial open-source release, Version 1.48.0

.ebextensions/01_packages.config

@@ -0,0 +1,5 @@
+packages:
+  yum:
+    git: []
+    postgresql-devel: []
+    openssl-devel: []

.ebextensions/02_settings.config

@@ -0,0 +1,12 @@
+option_settings:
+    - namespace: aws:elasticbeanstalk:container:python
+      option_name: NumProcesses
+      value: '1'
+    - namespace: aws:elasticbeanstalk:container:python
+      option_name: NumThreads
+      value: '15'
+    - namespace: aws:elasticbeanstalk:container:python
+      option_name: WSGIPath
+      value: bigvince.wsgi:application
+
+

.ebextensions/02_settings.config.20190621-1118.bk

@@ -0,0 +1,17 @@
+option_settings:
+    - namespace: aws:elasticbeanstalk:container:python
+      option_name:  NumProcesses
+      value: '1'
+    - namespace: aws:elasticbeanstalk:container:python
+      option_name:  NumThreads
+      value: '15'
+    - namespace: aws:elasticbeanstalk:container:python
+      option_name: StaticFiles
+      value: /static/=static/
+    - namespace: aws:elasticbeanstalk:container:python
+      option_name: WSGIPath
+      value: bigvince/wsgi.py
+    - namespace: aws:elasticbeanstalk:container:python:staticfiles
+      option_name: /static/
+      value: vince/static/
+

.ebextensions/02_settings.config.bk

@@ -0,0 +1,12 @@
+option_settings:
+  "aws:elasticbeanstalk:container:python":
+    NumProcesses: '1'
+    NumThreads: '15'
+    StaticFiles: /static/=static/
+    WSGIPath: bigvince/wsgi.py
+  "aws:elasticbeanstalk:container:python:staticfiles":
+    /static/: vince/static/
+  "aws:elasticbeanstalk:application":
+    "Name": default
+    "Application Healthcheck URL": /vince
+

.ebextensions/03_python.config

@@ -0,0 +1,19 @@
+container_commands:
+  01_migrate_vincetrack:
+    command: "source /var/app/venv/*/bin/activate && python3 manage.py migrate --database=default --noinput"
+    test: '[ "X${VINCE_NAMESPACE}" == "Xvince" ]'
+  02_migrate_vincecomm:
+    command: "source /var/app/venv/*/bin/activate && python3 manage.py migrate --database=vincecomm --noinput"
+    test: '[ "X${VINCE_NAMESPACE}" != "Xvincepub" ]'
+  03_collectstatic:
+    command: "source /var/app/venv/*/bin/activate && python3 manage.py collectstatic --noinput"
+  04_createsu:
+    command: "source /var/app/venv/*/bin/activate && python3 manage.py createsu"
+    test: '[ "X${VINCE_NAMESPACE}" != "Xvincepub" ]'
+  05_migrate_vincepub:
+    command: "source /var/app/venv/*/bin/activate && python3 manage.py migrate --database=vincepub --noinput"
+    leader_only: true
+  06_loadinitialdata:
+    command: "source /var/app/venv/*/bin/activate && python3 manage.py loadinitialdata"
+    test: '[ "X${VINCE_NAMESPACE}" != "Xvincepub" ]'
+

.ebextensions/wsgi_custom.conf

@@ -0,0 +1,7 @@
+files:
+  "/etc/httpd/conf.d/wsgi_custom.conf":
+    mode: "000644"
+    owner: root
+    group: root
+    content: |
+      WSGIPassAuthorization On

.gitignore

@@ -0,0 +1,25 @@
+# Created by .ignore support plugin (hsz.mobi)
+### Python template
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+*~
+templates/vince/*~
+web/vince/migrations/*
+management/commands/*~
+media/*
+env/*
+.idea
+.aws-sam
+bigvince/.env
+app_versions/
+venv*
+.swp
+
+# Elastic Beanstalk Files
+.elasticbeanstalk/*
+!.elasticbeanstalk/*.cfg.yml
+!.elasticbeanstalk/*.global.yml
+.elasticbeanstalk/config.yml

.platform/nginx/conf.d/client_max_body_size.conf

@@ -0,0 +1 @@
+      client_max_body_size 25m;

.platform/nginx/conf.d/timeout.conf

@@ -0,0 +1,4 @@
+      proxy_connect_timeout 605;
+      proxy_send_timeout 605;
+      proxy_read_timeout 605;
+      send_timeout 605;

CHANGELOG.md

@@ -0,0 +1,6 @@
+# VINCE Changelog
+
+# Version 1.48.0: 2022-05-13
+=============================
+
+Initial Open Source Release

LICENSE.txt

@@ -0,0 +1,35 @@
+VINCE
+
+Copyright 2022 Carnegie Mellon University.
+
+MIT (SEI)
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+VINCE includes and/or can make use of certain third party software ("Third
+Party Software"). The Third Party Software that is used by VINCE is dependent
+upon your system configuration, but typically includes the software identified
+in the documentation and/or ReadMe files. By using VINCE, You agree to comply
+with any and all relevant Third Party Software terms and conditions contained
+in any such Third Party Software or separate license file distributed with
+such Third Party Software. The parties who own the Third Party Software
+("Third Party Licensors") are intended third party beneficiaries to this
+License with respect to the terms applicable to their Third Party Software.
+Third Party Software licenses only apply to the Third Party Software and not
+any other portion of VINCE or VINCE as a whole.
+
+This material is based upon work funded and supported by the Department of
+Homeland Security under Contract No. FA8702-15-D-0002 with Carnegie Mellon
+University for the operation of the Software Engineering Institute, a
+federally funded research and development center sponsored by the United
+States Department of Defense.
+
+DM21-1126

README.md

@@ -0,0 +1,162 @@
+## VINCE 
+
+### Description
+
+VINCE - The Vulnerability Information and Coordination Environment - Software
+designed for multi-party vulnerability coordination.  VINCE enables
+collaborative and efficient coordination by allowing all involved parties to
+tap into a central, web-based platform to communicate directly with one
+another about a vulnerability.  It is based on the decades of experience with
+coordinated vulnerability disclosure (CVD) at the CERT Coordination Center
+(CERT/CC) which is a part of the Software Engineering Institute at Carnegie
+Mellon University.
+
+* The CERT Guide to Coordinated Vulnerability Disclosure: [https://vuls.cert.org/confluence/display/CVD](https://vuls.cert.org/confluence/display/CVD)
+* Report a Vulnerability [https://www.kb.cert.org/vuls/report/](https://www.kb.cert.org/vuls/report/)
+* VINCE User Documentation: [https://vuls.cert.org/confluence/display/VIN/VINCE+Documentation](https://vuls.cert.org/confluence/display/VIN/VINCE+Documentation)
+* Vulnerability Note API Documentation: [https://vuls.cert.org/confluence/display/VIN/Vulnerability+Note+API](https://vuls.cert.org/confluence/display/VIN/Vulnerability+Note+API)
+* VINCE API Documentation: [https://vuls.cert.org/confluence/display/VIN/VINCE+API](https://vuls.cert.org/confluence/display/VIN/VINCE+API)
+
+### Bugs and Feature Requests
+
+You can report a bug, feature request, or other issue in this GitHub project. VINCE users can also send [feedback](https://kb.cert.org/vince/comm/sendmsg/8/) through the Private Message feature.
+
+### About
+
+VINCE, a Django application, is designed to run in Amazon Web Services (AWS)
+and is developed around many
+of AWS services such as Cognito, S3, ElasticBeanstalk, Cloudfront, SQS, SNS,
+and SES. VINCE users the python library,
+[warrant](https://github.com/capless/warrant), for AWS Cognito
+authentication.  [Warrant](https://github.com/capless/warrant) has been
+slightly modified and is included with VINCE.
+
+VINCE also uses and includes
+the [django-bakery](https://github.com/palewire/django-bakery) project to
+generate and publish flat HTML files of vulnerability notes that are served
+via an AWS S3 bucket. The
+[django-bakery](https://github.com/palewire/django-bakery) project has been
+modified to generate the flat files in memory versus using the filesystem. 
+
+
+### Local Install
+
+1. Clone the repo
+
+2. Create a virtual environment and install requirements
+```
+cd bigvince
+mkvirtualenv --python=/usr/local/bin/python3.6 bigvince  (python3 -m venv env)
+source env/bin/activate
+pip install -r requirements.txt
+```
+
+3. Create a postgres database using docker
+```
+docker run --name bv-postgres -p 5432:5432 -e POSTGRES_PASSWORD=PASSWORD -d postgres
+createdb -h localhost -U postgres bigvince
+```
+
+3. Alternate (not using docker):
+```
+psql postgres
+CREATE ROLE vince;
+ALTER ROLE vince CREATEDB;
+ALTER ROLE "vince" WITH LOGIN;
+CREATE DATABASE vincetest;
+GRANT ALL PRIVILEGES ON DATABASE vincetest TO vince;
+CREATE DATABASE vincecommtest;
+GRANT ALL PRIVILEGES ON DATABASE vincecommtest TO vince;
+CREATE DATABASE vincepubtest;
+GRANT ALL PRIVILEGES ON DATABASE vincepubtest TO vince;
+```
+
+4. Edit and copy VINCE.env to bigvince\.env with the environment variables needed to run VINCE locally - this includes the database connection string and password for the new database, AWS keys, Google reCAPTCHA keys, etc.
+```
+DATABASE_URL=postgres://[email protected]:5432/bigvince
+DATABASE_PASSWORD=PASSWORD
+```
+
+5. Create secret key
+```
+python3 -c 'from django.core.management.utils import get_random_secret_key; print(get_random_secret_key())'
+```
+Swap out any "$" characters if they exist. $ characters mess with API key generation.  Or continue to regenerate until you get a key without a "$"
+Add it to bigvince/.env
+
+
+6. Edit bigvince/settings_.py as needed with your settings. Important settings to pay attention to:
+
+```
+EMAIL_BACKEND
+BUILD_DIR
+DEFAULT_FROM_EMAIL
+DEFAULT_REPLY_EMAIL
+DEFAULT_VISIBLE_NAME
+STANDARD_VENDOR_EMAIL
+STANDARD_PARTICIPANT_EMAIL
+DEFAULT_PHONE_NUMBER
+DEFAULT_EMAIL_SIGNATURE
+STANDARD_EMAIL_SIGNATURE
+WEB_TITLE
+ORG_NAME
+CONTACT_EMAIL
+*_BASE_TEMPLATES
+REPORT_IDENTIFIER
+CASE_IDENTIFIER
+SUPERUSER
+
+```
+
+7. Run migrations
+```
+python manage.py migrate
+python manage.py migrate --database=vincecomm
+python manage.py migrate --database=vincepub
+```
+
+8. Create a django super user. This will be used to login into the application.
+
+
+It uses the credentials defined in the settings.py SUPERUSER variable. Alternatively
+you can use Django's createsuperuser command to set your own username and password.
+
+NOTE: Skip this step if using cognito auth (the default)
+``` 
+python manage.py createsu
+```
+
+9. Load initial data:
+```
+python manage.py loadinitialdata
+```
+
+10. Start the development server. (Profit)
+```
+python manage.py runserver 
+```
+
+11. Attempt login
+12. Set "is_superuser" to "true" for your user in vincecomm and vincetrack databases, auth_user relation.
+
+## Running tests
+
+Vince test are stored in vince/tests. To run tests:
+
+```
+python3 manage.py test vince
+```
+
+This will create a new database for the tests and will delete it when the tests completes. To speed up tests, you can tell Django to not delete the test DB.
+
+```
+python3 manage.py test vince -k
+```
+
+## Fresh deployment reminders
+
+Remember to give the "vince" group access to all of the Ticket Queues in admin console.
+
+### AWS Install
+
+See docs for full AWS configuration

api_examples/README.md

@@ -0,0 +1,19 @@
+# API Examples 
+This repo contains select examples about using the [VINCE]( API to generate outputs in different vulnerability reporting formats, such as the [CSAF](https://github.com/oasis-tcs/csaf) Common Vulnerability Reporting Framework (CVRF) and [CVE JSON](https://github.com/CVEProject/automation-working-group/tree/master/cve_json_schema).
+
+First, generate your API Key in your VINCE profile. For full VINCE API documentation including instructions on generating the key, please see the [VINCE FAQ](https://vuls.cert.org/confluence/display/VIN/API).
+
+# Sample outputs
+sample_get_cases.json : Get all cases for a specific vendor, coordinator, or a participant.
+`./get_vince.py > sample_get_cases.json`
+
+vu-257161-raw.json : Get case VU#257161 in raw VINCE JSON format with all available information.
+`./get_vince.py 257161 raw > vu-257161-raw.json`  
+
+cvrf-257161.json : Get case VU#257161 in CVRF format to import into another tool.
+`./get_vince.py 257161 cvrf > cvrf-257161.json`  
+
+When prompted, please enter your API key to use the above commands.
+
+
+