# Vulnerability Tracker
A web-based vulnerability tracking application built with Node.js, Express, and AWS services.
## Features
- **Role-based Access Control**: Manager and member roles with different permissions
- **Ticket Management**: Create, assign, edit, and track vulnerability tickets
- **Team Management**: Add and remove team members (manager only)
- **File Upload**: Screenshot upload to S3 for visual documentation
- **Secure Authentication**: JWT-based authentication with bcrypt password hashing
- **Cloud Integration**: DynamoDB for data storage, S3 for file storage
## Architecture
- **Frontend**: Vanilla HTML/CSS/JavaScript
- **Backend**: Node.js with Express
- **Database**: AWS DynamoDB
- **File Storage**: AWS S3
- **Deployment**: EC2 with Application Load Balancer
## Prerequisites
- Node.js 16+ installed
- AWS account with configured credentials
- DynamoDB tables created:
  - VulnTrackerUsers
  - VulnTrackerTickets
  - VulnTrackerActivity
- S3 bucket for screenshot storage
## Local Development
1. Clone the repository:
   ```bash
   git clone <your-repo-url>
   cd vuln-tracker
   ```
2. Install dependencies:
   ```bash
   npm install
   ```
3. Set up environment variables:
   ```bash
   cp .env.example .env
   # Edit .env with your actual values
   ```
4. Start the development server:
   ```bash
   npm start
   ```
5. Open your browser to http://localhost:3000
## Production Deployment
### AWS Infrastructure Required
- EC2 instances in private subnets
- Application Load Balancer in public subnets
- NAT Gateway for outbound internet access
- Security groups configured properly
- IAM roles with necessary AWS permissions
### Deployment Steps
1. Clone the repository on the EC2 instance:
   ```bash
   git clone <your-repo-url>
   cd vuln-tracker
   ```
2. Install dependencies:
   ```bash
   npm install
   ```
3. Configure the environment:
   ```bash
   cp .env.example .env
   # Edit .env with production values
   ```
4. Start with PM2:
   ```bash
   npm install -g pm2
   pm2 start server.js --name "vuln-tracker"
   pm2 startup
   pm2 save
   ```
## Environment Variables
| Variable | Description | Required |
|----------|-------------|----------|
| PORT | Server port (default: 3000) | No |
| NODE_ENV | Environment (development/production) | Yes |
| AWS_REGION | AWS region | Yes |
| AWS_ACCESS_KEY_ID | AWS access key | Yes |
| AWS_SECRET_ACCESS_KEY | AWS secret key | Yes |
| USERS_TABLE | DynamoDB users table name | Yes |
| TICKETS_TABLE | DynamoDB tickets table name | Yes |
| ACTIVITY_TABLE | DynamoDB activity table name | Yes |
| S3_BUCKET | S3 bucket for screenshots | Yes |
| JWT_SECRET | Secret for JWT signing | Yes |
| ALLOWED_ORIGINS | CORS allowed origins | Yes |
## API Endpoints
### Authentication
- `POST /api/auth/login` - User login
- `POST /api/auth/register` - User registration
### Users (Manager only)
- `GET /api/users` - List team members
- `POST /api/users` - Add team member
- `DELETE /api/users/:email` - Remove team member
### Tickets
- `GET /api/tickets` - Get tickets (filtered by role)
- `POST /api/tickets` - Create ticket (manager only)
- `PATCH /api/tickets/:id` - Update ticket
- `DELETE /api/tickets/:id` - Delete ticket (manager only)
### File Upload
- `POST /api/upload/presign` - Get presigned S3 URL
## User Roles
### Manager
- Create and manage tickets
- Add/remove team members
- Assign tickets to members
- View all tickets
- Upload screenshots
### Member
- View assigned tickets
- Update ticket status
- Cannot create or delete tickets
## Security Features
- Password hashing with bcrypt
- JWT token authentication
- CORS protection
- Input validation
- Role-based access control
## Contributing
1. Fork the repository
2. Create a feature branch
3. Make your changes
4. Test thoroughly
5. Submit a pull request
## License
This project is licensed under the ISC License.