General updates. Reference pull request for full details.

NSWC-Crane · Feb 19, 2024 · 87c5d90 · 87c5d90
1 parent 768e1b7
commit 87c5d90
Show file tree

Hide file tree

Showing 20 changed files with 744 additions and 138 deletions.
diff --git a/Api/Controllers/PoamExtension.js b/Api/Controllers/PoamExtension.js
@@ -0,0 +1,38 @@
+/*
+!#######################################################################
+! C-PATTM SOFTWARE
+! CRANE C-PATTM plan of action and milestones software. Use is governed by the Open Source Academic Research License Agreement contained in the file
+! crane_C_PAT.1_license.txt, which is part of this software package. BY
+! USING OR MODIFYING THIS SOFTWARE, YOU ARE AGREEING TO THE TERMS AND    
+! CONDITIONS OF THE LICENSE.  
+!########################################################################
+*/
+
+const poamExtensionService = require('../Services/mysql/poamExtensionService');
+
+module.exports.getPoamExtension = async function getPoamExtension(req, res, next) {
+    try {
+        const poamExtensions = await poamExtensionService.getPoamExtension(req.params.poamId);
+        res.status(200).json(poamExtensions);
+    } catch (error) {
+        next(error);
+    }
+};
+
+module.exports.putPoamExtension = async function putPoamExtension(req, res, next) {
+    try {
+        const updatedPoamExtension = await poamExtensionService.putPoamExtension(req.body);
+        res.status(200).json(updatedPoamExtension);
+    } catch (error) {
+        next(error);
+    }
+};
+
+module.exports.deletePoamExtension = async function deletePoamExtension(req, res, next) {
+    try {
+        await poamExtensionService.deletePoamExtension(req.params.poamId);
+        res.status(200).json({ message: "Poam extension deleted successfully" });
+    } catch (error) {
+        next(error);
+    }
+};
diff --git a/Api/Models/poam.model.js b/Api/Models/poam.model.js
@@ -14,6 +14,10 @@ module.exports = (sequelize, DataTypes) => {
             type: DataTypes.STRING(255),
             defaultValue: ''
         },
+        iavmNumber: {
+            type: DataTypes.STRING(50),
+            defaultValue: ''
+        },
         aaPackage: {
             type: DataTypes.STRING(50),
             defaultValue: ''
@@ -34,10 +38,6 @@ module.exports = (sequelize, DataTypes) => {
             type: DataTypes.STRING(10),
             defaultValue: ''
         },
-        extensionTimeAllowed: {
-            type: DataTypes.INTEGER,
-            defaultValue: 0
-        },
         scheduledCompletionDate: {
             type: DataTypes.DATEONLY,
             defaultValue: '1900-01-01'
@@ -59,13 +59,6 @@ module.exports = (sequelize, DataTypes) => {
         residualRisk: {
             type: DataTypes.TEXT
         },
-        businessImpactRating: {
-            type: DataTypes.STRING(25),
-            defaultValue: ''
-        },
-        businessImpactDescription: {
-            type: DataTypes.TEXT
-        },
         notes: {
             type: DataTypes.TEXT
         },
@@ -136,6 +129,23 @@ module.exports = (sequelize, DataTypes) => {
             allowNull: false,
             defaultValue: ''
         },
+        businessImpactRating: {
+            type: DataTypes.STRING(25),
+            defaultValue: ''
+        },
+        businessImpactDescription: {
+            type: DataTypes.TEXT
+        },
+        extensionTimeAllowed: {
+            type: DataTypes.INTEGER,
+            defaultValue: 0
+        },
+        extensionJustification: {
+            type: DataTypes.TEXT
+        },
+        extensionMilestones: {
+            type: DataTypes.TEXT
+        },
     }, {
         freezeTableName: true,
         timestamps: false,

diff --git a/Api/Services/mysql/poamExtensionService.js b/Api/Services/mysql/poamExtensionService.js
@@ -0,0 +1,44 @@
+/*
+!#######################################################################
+! C-PATTM SOFTWARE
+! CRANE C-PATTM plan of action and milestones software. Use is governed by the Open Source Academic Research License Agreement contained in the file
+! crane_C_PAT.1_license.txt, which is part of this software package. BY
+! USING OR MODIFYING THIS SOFTWARE, YOU ARE AGREEING TO THE TERMS AND    
+! CONDITIONS OF THE LICENSE.  
+!########################################################################
+*/
+
+'use strict';
+const dbUtils = require('./utils');
+
+exports.getPoamExtension = async function (poamId) {
+    let connection;
+    try {
+        connection = await dbUtils.pool.getConnection();
+        let sql = "SELECT poamId, extensionTimeAllowed, extensionJustification, extensionMilestones, scheduledCompletionDate FROM poamtracking.poam WHERE poamId = ?";
+        let [poamExtensions] = await connection.query(sql, [poamId]);
+
+        return poamExtensions;
+
+    } catch (error) {
+        console.error("Error in getPoamExtension:", error);
+        throw error;
+    } finally {
+        if (connection) await connection.release();
+    }
+};
+
+exports.putPoamExtension = async function (extensionData) {
+    let connection = await dbUtils.pool.getConnection();
+    let sql = "UPDATE poamtracking.poam SET extensionTimeAllowed = ?, extensionJustification = ?, extensionMilestones = ? WHERE poamId = ?";
+    await connection.query(sql, [extensionData.extensionTimeAllowed, extensionData.extensionJustification, extensionData.extensionMilestones, extensionData.poamId]);
+    await connection.release();
+    return extensionData;
+};
+
+exports.deletePoamExtension = async function ({ poamId }) {
+    let connection = await dbUtils.pool.getConnection();
+    let sql = "UPDATE poamtracking.poam SET extensionTimeAllowed = '', extensionJustification = '', extensionMilestones = '' WHERE poamId = ?";
+    await connection.query(sql, [poamId]);
+    await connection.release();
+};
diff --git a/Api/Services/mysql/poamService.js b/Api/Services/mysql/poamService.js
@@ -225,19 +225,17 @@ exports.postPoam = async function postPoam(req, res, next) {
                 req.body.submittedDate = (req.body.submittedDate == '') ? null : req.body.submittedDate;
                 req.body.scheduledCompletionDate = (req.body.scheduledCompletionDate == '') ? null : req.body.scheduledCompletionDate;
 
-                let sql_query = `INSERT INTO poamtracking.poam (collectionId, vulnerabilitySource,
-                        aaPackage, vulnerabilityId, description, rawSeverity, adjSeverity, extensionTimeAllowed,
-                        scheduledCompletionDate, ownerId, mitigations, requiredResources, milestones,
-                        residualRisk, businessImpactRating, businessImpactDescription, notes, status, poamType, vulnIdRestricted,
-                        submittedDate) 
-                        values (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`
-
-                await connection.query(sql_query, [req.body.collectionId, req.body.vulnerabilitySource,
+            let sql_query = `INSERT INTO poamtracking.poam (collectionId, vulnerabilitySource, iavmNumber,
+                        aaPackage, vulnerabilityId, description, rawSeverity, adjSeverity, scheduledCompletionDate,
+                        ownerId, mitigations, requiredResources, milestones, residualRisk, businessImpactRating, businessImpactDescription,
+                        notes, status, poamType, vulnIdRestricted, submittedDate) 
+                        values (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`
+
+                  await connection.query(sql_query, [req.body.collectionId, req.body.vulnerabilitySource, req.body.iavmNumber,
                   req.body.aaPackage, req.body.vulnerabilityId, req.body.description, req.body.rawSeverity, req.body.adjSeverity,
-                  req.body.extensionTimeAllowed, req.body.scheduledCompletionDate, req.body.ownerId, req.body.mitigations,
-                  req.body.requiredResources, req.body.milestones, req.body.residualRisk, req.body.businessImpactRating, 
-                  req.body.businessImpactDescription, req.body.notes, req.body.status, req.body.poamType, req.body.vulnIdRestricted, 
-                  req.body.submittedDate])
+                  req.body.scheduledCompletionDate, req.body.ownerId, req.body.mitigations, req.body.requiredResources, req.body.milestones,
+                  req.body.residualRisk, req.body.businessImpactRating, req.body.businessImpactDescription, req.body.notes, req.body.status,
+                  req.body.poamType, req.body.vulnIdRestricted, req.body.submittedDate])
 
                 let sql = "SELECT * FROM poamtracking.poam WHERE poamId = LAST_INSERT_ID();"
                 let [rowPoam] = await connection.query(sql)
@@ -347,16 +345,16 @@ exports.putPoam = async function putPoam(req, res, next) {
                 let connection
                 connection = await dbUtils.pool.getConnection()
 
-                let sql_query = `UPDATE poamtracking.poam SET collectionId = ?, vulnerabilitySource = ?,
-                        aaPackage = ?, vulnerabilityId = ?, description = ?, rawSeverity = ?, adjSeverity = ?, extensionTimeAllowed = ?,
+            let sql_query = `UPDATE poamtracking.poam SET collectionId = ?, vulnerabilitySource = ?, iavmNumber = ?,
+                        aaPackage = ?, vulnerabilityId = ?, description = ?, rawSeverity = ?, adjSeverity = ?,
                         scheduledCompletionDate = ?, ownerId = ?, mitigations = ?, requiredResources = ?, milestones = ?,
                         residualRisk = ?, businessImpactRating = ?, businessImpactDescription = ?, notes = ?, status = ?, poamType = ?,
-                        vulnIdRestricted = ?, submittedDate = ? WHERE poamId = ?`
+                        vulnIdRestricted = ?, submittedDate = ?  WHERE poamId = ?`
 
-                await connection.query(sql_query, [req.body.collectionId, req.body.vulnerabilitySource,
+                  await connection.query(sql_query, [req.body.collectionId, req.body.vulnerabilitySource, req.body.iavmNumber,
                   req.body.aaPackage, req.body.vulnerabilityId, req.body.description, req.body.rawSeverity,
-                  req.body.adjSeverity, req.body.extensionTimeAllowed, req.body.scheduledCompletionDate, req.body.ownerId,
-                  req.body.mitigations, req.body.requiredResources, req.body.milestones, req.body.residualRisk, req.body.businessImpactRating,
+                  req.body.adjSeverity, req.body.scheduledCompletionDate, req.body.ownerId, req.body.mitigations,
+                  req.body.requiredResources, req.body.milestones, req.body.residualRisk, req.body.businessImpactRating,
                   req.body.businessImpactDescription, req.body.notes, req.body.status, req.body.poamType, req.body.vulnIdRestricted, 
                   req.body.submittedDate, req.body.poamId])
 

diff --git a/Api/specification/poam-manager.yaml b/Api/specification/poam-manager.yaml
@@ -1931,6 +1931,104 @@ paths:
         - oauth:
             - 'c-pat:read'
 
+  /poamExtension:
+    put:
+      summary: Add or update POAM extension
+      operationId: putPoamExtension
+      tags:
+        - PoamExtension
+      security:
+        - oauth:
+          - 'c-pat:read' 
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/poamExtensionObject'
+      responses:
+        '200':
+          description: POAM extension updated
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/poamExtensionObject'
+        '403':
+          $ref: '#/components/responses/forbidden'
+        default:
+          description: unexpected error
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/error'
+
+  /poamExtension/{poamId}:
+    get:
+      summary: Return POAM extension by POAM ID
+      operationId: getPoamExtension
+      tags:
+        - PoamExtension
+      security:
+        - oauth:
+          - 'c-pat:read'
+      parameters:
+        - in: path
+          name: poamId
+          schema:
+            type: integer
+          required: true
+          description: The ID of the POAM
+      responses:
+        '200':
+          description: POAM extension details
+          content:
+            application/json:
+              schema:
+                type: array
+                items:
+                  $ref: '#/components/schemas/poamExtensionObject'
+        '403':
+          $ref: '#/components/responses/forbidden'
+        default:
+          description: unexpected error
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/error'
+    delete:
+      summary: Delete POAM extension by POAM ID
+      operationId: deletePoamExtension
+      tags:
+        - PoamExtension
+      security:
+        - oauth:
+          - 'c-pat:read' 
+      parameters:
+        - in: path
+          name: poamId
+          schema:
+            type: integer
+          required: true
+          description: The ID of the POAM
+      responses:
+        '200':
+          description: Success message
+          content:
+            application/json:
+              schema:
+                type: object
+                properties: 
+                  message:
+                    type: string
+                    example: "POAM extension deleted successfully"
+        '403':
+          $ref: '#/components/responses/forbidden'
+        default:
+          description: unexpected error
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/error'
+
   '/poams':
     get:
       summary: Return all poams
@@ -2550,7 +2648,6 @@ components:
         poamCount:
           type: integer 
 
-
     label:
       type: object
       required:
@@ -2608,8 +2705,6 @@ components:
           type: string
         approvedDate:
           type: string
-          #format: date
-          # pattern: '^\d{4}-(0[1-9]|1[012])-(0[1-9][12][0-9]|3[0-1])$'
         comments:
           type: string
         firstName:
@@ -2641,7 +2736,22 @@ components:
         poamId:
           type: integer
         assetId:
-          type: integer      
+          type: integer
+
+    poamExtensionObject:
+      type: object
+      required:
+        - poamId
+      additionalProperties: true
+      properties:
+        poamId:
+          type: integer
+        extensionTimeAllowed:
+          type: integer
+        extensionJustification:
+          type: string
+        extensionMilestones:
+          type: string
 
     poam_Object:
       type: object
@@ -2662,6 +2772,8 @@ components:
           type: integer
         vulnerabilitySource:
           type: string
+        iavmNumber:
+          type: string
         aaPackage:
           type: string
         vulnerabilityId:
@@ -2672,8 +2784,6 @@ components:
           type: string
         adjSeverity:
           type: string
-        extensionTimeAllowed:
-          type: integer
         scheduledCompletionDate:
           type: string
         ownerId:
@@ -2700,8 +2810,6 @@ components:
           type: string
         submittedDate:
           type: string
-          #format: date
-          #pattern: '(^[0-9]{1,2}-[0-9]{1,2}-[0-9]{4}$|^$)'
         assets:
           type: array
           items: