Skip to content

CHANGELOG.md

Latest commit

 

History

History
477 lines (302 loc) · 21.8 KB

CHANGELOG.md

File metadata and controls

477 lines (302 loc) · 21.8 KB

VINCE Changelog

CHANGELOG VINCE Coordination platform code

Description

VINCE Coordination platform

Version 3.0.33 2026-03-16

  • modified code for creating weekly report spreadsheet in response to user request (Internal-804)
  • modified code for generating data on reports page (Internal-835)
  • created flag allowing coordinators to flag users as troublesome (Internal-837)
  • fixed bug affecting user creation process in certain circumstances (Internal-838)
  • altered vulnote workflow to make it easier for reviewers to alert authors about new comments/edits (Internal-828)

Version 3.0.32 2026-02-16

  • dependabot update recommendation: Django 4.2.27 to 4.2.28
  • updated documentation links (Internal-824)
  • refactored vul note review process in response to user request (Internal-828)
  • modified code for creating weekly report spreadsheet in response to user request (Internal-804)

Version 3.0.31 2025-12-17

  • added code to trigger reminders for people assigned to Triage (Internal-827)
  • introduced modal allowing user to notify ticket submitter whenever ticket changes status (Internal-830)

Version 3.0.30 2025-12-04

  • dependabot update recommendation: Django 4.2.26 to 4.2.27
  • updated jQuery to 3.7.1 (Internal-758)
  • updated jQuery-UI to 1.14.1 (Internal-758)

Version 3.0.29 2025-11-19

  • dependabot update recommendation: Django 4.2.25 to 4.2.26
  • modified structure of weekly XLS report in response to user request (Internal-804)
  • removed banner announcing maintenance window (Internal-806)
  • updated code to work in new Python 3.11 Elastic Beanstalk environments (Internal-806)

Version 3.0.31 2025-12-17

  • added code to trigger reminders for people assigned to Triage (Internal-827)
  • introduced modal allowing user to notify ticket submitter whenever ticket changes status (Internal-830)

Version 3.0.30 2025-12-04

  • dependabot update recommendation: Django 4.2.26 to 4.2.27
  • updated jQuery to 3.7.1 (Internal-758)
  • updated jQuery-UI to 1.14.1 (Internal-758)

Version 3.0.29 2025-11-19

  • dependabot update recommendation: Django 4.2.25 to 4.2.26
  • modified structure of weekly XLS report in response to user request (Internal-804)
  • updated code to work in new Python 3.11 Elastic Beanstalk environments (Internal-806)

Version 3.0.28 2025-11-04

  • added code to fix issue in creation of XLS report (Internal-804)

Version 3.0.27 2025-11-04

  • updated links to CVD documentation, etc. (Internal-816)
  • modified structure of weekly XLS report in response to user request (Internal-804)
  • modified Triage view so that it also includes new tickets assigned to no-longer-active users (Internal-825)
  • disabled buggy hovering feature in VINCE Comm case page (Internal-826)

Version 3.0.26 2025-10-02

  • dependabot update recommendation: Django 4.2.24 to 4.2.25
  • fixed bug causing discrepency between two sources of info about vendors attached to a case (Internal-822)

Version 3.0.25 2025-09-10

  • dependabot update recommendation: Django 4.2.22 to 4.2.24

Version 3.0.24 2025-08-26

  • adjusted code for generating spreadsheet used for detailed weekly reports (Intental-804)

Version 3.0.23 2025-08-14

  • modified specifications, in response to user requests, for spreadsheet used for detailed weekly reports (Internal-804)

Version 3.0.22 2025-08-04

  • updated "Read More" link on guidance page (Internal-816)
  • modified specifications, in response to user requests, for spreadsheet used for detailed weekly reports (Internal-804)
  • fixed bug preventing the sending of private messages to coordinators with unusually long titles (GitHub issue 181)
  • removed autorefresh for activity section of the ticket page in response to user request (Internal-809)

Version 3.0.21 2025-06-30

  • updated numerous links to CVD documentation, etc. (Internal-816)
  • added logging for the authentication process (Internal-817)
  • modified specifications for spreadsheet used for detailed weekly reports to CISA (Internal-804)

Version 3.0.20 2025-06-11

  • fixed bug affecting redirect after editing case vulnerability information (Internal-810)
  • added filtering for the Edit Case form to prevent inactive users from appearing as potential case owners (Internal-811)
  • reinstated API endpoints turned off in last release; added database model for logging certain API endpoint access events (Internal-812)
  • dependabot update recommendations: django 4.2.21 to 4.2.22, requests 2.32.0 to 2.32.4

Version 3.0.19 2025-05-06

  • Turned off certain API endpoints for security review (Internal-807)
  • Updated code for CSV files in response to user requests for more fine-grained information (Internal-804)
  • Updated link to VINCE Documentation (Internal-808)

Version 3.0.18 2025-04-17

  • Updated code for CSV files in reponse to even more user requests for more fine-grained information (Internal-804)

Version 3.0.17 2025-04-17

  • Updated code for CSV files in reponse to user requests for more fine-grained information (Internal-804)

Version 3.0.16 2025-04-17

  • dependabot update recommendations: Django 4.2.17 to 4.2.20, python-jose 3.3.0 to 3.4.0
  • Fixed bug preventing certain users from changing their passwords (Internal-800)
  • Tweaked logs for Internal-791
  • Added code for CSV files to support preparation of reports for CISA (Internal-804)

Version 3.0.15 2025-03-17

  • Modified code for checking authenticity so as to include extra logs and to bypass false negatives (Internal-791)

Version 3.0.14 2025-03-17

  • Added code for checking authenticity of emails subject to new preprocessing for AWS email integration (Internal-791)
  • Added code for retrieving "To" and "From" email values correctly in light of new preprocessing (Internal-792)
  • Fixed bug that prevented case discussions from being properly hidden behind header in Comm (Internal-796)

Version 3.0.13 2025-02-20

  • dependabot update recommendations cryptography 43.0.1 to 44.0.1
  • Added logs to aid ongoing AWS mail migration effort
  • Upgraded jQuery to 3.4.1
  • Fixed pagination bug on case vendors ajax call (Internal-794)
  • Changed API Case request to enable Track users to access data about all cases more easily (Internal-795)
  • Resolved MathJax display issue reported by VINCE User #166

Version 3.0.12 2025-01-13

  • Added new feature Message Filtering see (Internal-787)

Version 3.0.11 2024-12-11

  • Update to fix "Reply to User" button further scenarios.

Version 3.0.10 2024-12-10

  • Dependabot update recommendations: django 4.2.17 to 4.2.16
  • Fixed bug preventing the "Reply to User" buttons from working in certain circumstances
  • Added pk to CaseAPIView (GH-Issue #162)

Version 3.0.9 2024-10-28

  • Update to fix Security issue with enumerate users in vincecomm (Internal-783 CVE-2024-10469)
  • Update date format to VinceComm as per GH-Issue (GH Issue #157)

Version 3.0.8 2024-10-14

  • Fixed a potential security issue with pickle DOS reported by @coldwaterq coldwaterq as CVE-2024-9953 resolved in 3.0.8
  • Dependabot update recommendations: django 4.2.14 to 4.2.16
  • Fixed bug that interfered in certain circumstances with email sending functionality

Version 3.0.7 2024-09-10

  • Dependabot update recommendations: cryptography 42.0.4 to 43.0.1
  • Made the activity section of the VINCE Track case page load async (Internal-767)
  • Set the owner field options on the VT case and ticket search page to change dynamically with the selected teams (Internal-754)
  • Resolved bug that prevented VT users from being able to reply to certain messages within VINCE Comm (Internal-700)
  • Removed condition preventing display of buttons for accessing the vendor association process on certain tickets (Internal-588)
  • Fixed bug that caused certain outgoing VINCE emails to contain bad links to case pages (Internal-770)
  • Added code to ensure emails from settings.IGNORE_EMAILS_TO (donotreply@) include prominent indication that replies will not be read (Internal-771)

Version 3.0.6 2024-07-29

  • Fixed bug that interfered in certain circumstances with processing of contact associations (Internal-763)
  • Modified code to ensure that user verification emails only go to group admins and notification-only email addresses (Internal-765)
  • Adjusted redirect process after adding vul to a case so that the user lands on the case vul tab (Internal-766)
  • Amended code for autoassigning tickets from the ticket page so as to avoid redirect bug (Internal-761)

Version 3.0.5 2024-07-17

  • Dependabot update recommendations: urllib3 1.26.18 to 1.26.19, certifi 2023.7.22 to 2024.7.4, zipp 3.10.1 to 1.19.1 Django 4.2.11 to 4.2.14
  • Added code to make the tag, vulnote, email & CVE sections of the reports page load async to reduce loading time (Internal-662)
  • Made all sections of the reports page expandable/collapsible, collapsed on load, to ease async loading (Internal-662)
  • Ensured that transient bounce messages automatically get posted to the user's activity stream
  • Set up automatic logging of user deactivation due to bounce issues to the user's activity stream
  • Directed bounce messages for users with already open bounce tickets into a followup on original bounce ticket
  • Added code to intercept emails addressed to recent bouncers before they are sent (Internal-752)
  • Added field to API case view with timestamp field for most recent update (Isseu #149)
  • Started improving vulnote review process with css alteration to remove need for unnecessary scrolling (Internal-755)
  • Fixed bug in date processing for the vincepub search function (Internal-756)
  • Added code to handle errors that arise in certain cases when resetting user MFA (Internal-757)
  • Ensured that deactivated users are removed from VINCE Track and from all relevant Groups, with logging to Activity stream (Internal-759)

Version 3.0.4 2024-06-10

  • Fixed bug that prevented display of "No data" message in certain circumstances on the VINCE Track case page vendor tab
  • Reconfigured code for templated mail preparation to stop bug that derailed the mailer process in certain circumstances
  • Fixed code that inappropriately displayed uuid instead of group name on the VINCE Track contact information page

Version 3.0.3 2024-06-04

  • Added code to make the tickets section of the reports page load async to reduce loading time
  • Reconfigured code for catching recently bounced users when sending templated mail

Version 3.0.2 2024-05-30

  • Dependabot update recommendations: requests 2.31.0 to 2.32.0
  • Reconfigured initiate contact form so internal checkbox hides email addresses & triggers appropriate helptext in textarea
  • Rerouted internal verification requests from initiate contact form so resulting tickets are assigned to (second) Authorizer
  • Added ability to sort search results on the VINCE Track All Search page

Version 3.0.1 2024-04-29

  • Dependabot update recommendations: idna 3.4 to 3.7, Django 4.2 to 4.2.11, pydantic 1.10.2 to 1.10.13, sqlparse 0.4.4 to 0.5.0
  • Fixed bounce tool so that it now correctly links permanent bounce tickets only to the email address producing bounces
  • Adjusted dropdown menu for assigning tickets to coordinators on VINCE Track ticket page, to avoid introducing duplicates
  • Made embargo end times default to noon UTC & made display of embargo end times unambiguous on VINCE Comm case page
  • Added code to make the cases section of the reports page load async to reduce loading time
  • Changed destination of links for further information about CVEs on Vul Note page

Version 3.0.0 2024-04-10

  • Made the Vendor Association button to track and populate ticket id & (if appropriate) vendor name.
  • Upgraded Django 4.2 - Django 3 is end-of-life
  • Restructured code for preparing vendors table data on VINCE Track case page so as to reduce load time
  • Refactored certain queries for the VINCE Track reports page in support of the long term goal of reducing its load time

Version 2.1.11 2024-03-14

  • Dependabot update recommendations: cryptography 41.0.6 to 42.0.4 and django from 3.2.23 to 3.2.24
  • Added code to ensure comments entered into comment box will be preserved when user uploads a file
  • Fixed filters above vendor table in vendor tab of case page to ensure consistency with data in vendor table
  • Added logging to make it easier to track user deactivation & MFA resetting processes
  • Fixed case vendor status edit page to prevent inadvertent alteration of vendor share status from VINCE Track

Version 2.1.10 2024-01-31

  • Dependabot update recommendations: pycryptodome 3.15.0 to 3.19.1
  • Reconfigured vendors tab on VINCE Track case page to provide more fine-tuned pagination options & fix bugs in filter fields.
  • Fixed bug preventing info categorizing cases as related to AI/ML systems from displaying properly on original report tab
  • Fixed bug preventing VINCE Track users from removing members from custom groups
  • Added functionality for marking a case as related to AI/ML systems in the form for editing a case request
  • Refactored code for generating link to VINCE Comm case request page from VINCE Track, which was failing in certain cases

Version 2.1.9 2023-12-07

  • Dependabot update recommendations: cryptography 41.0.3 to 41.0.6
  • Fixed bug that prevented "Add Vulnerability" button from rerouting user to appropriate pages upon submission
  • Integrated custom metrics into weekly reports on VINCE activity

Version 2.1.8 2023-11-08

  • Dependabot update recommendations: django 3.2.20 to 3.2.23
  • Restructured vendors tab on VINCE Track case page so that vendors table is paginated rather than indefinitely scrollable

Version 2.1.7 2023-10-30

  • Added customization of MFA
  • Added code to catch and correct Vul Note Reviews with data omissions that led to page load failures in certain circumstances

Version 2.1.6 2023-10-25

  • Fixed bug that interfered in certain circumstances with the operation of the vendor filter button on the VINCEComm case page
  • Dependabot update recommendations: urllib3 1.26.12 to 1.26.18
  • Fixed bug that obstrcuted case assignment process for VINCETrack users with identical preferred usernames
  • Adjusted code for asynchronous loading on ticket page to ensure it works on all ticket pages, including case request tickets
  • Set up periodic autorefresh feature for VINCE Track ticket page
  • Reformulated misleading UI labels for case transfer request process
  • Resolved Issue by simpifying/correcting search code & disambiguating labels in report views
  • Added AI/ML systems checkbox to public & VINCE Comm vul report form, routing of AI/ML-related tickets

Version 2.1.5 2023-09-21

  • Enhanced operation of VINCEComm case discussion section, moving focus to editable div when the user chooses to edit a post
  • Added dropdown menu to VINCETrack quicksearch bar, optimizing search by enabling swifter specification of advanced search settings
  • Replaced certain switch-paddle checkboxes on VINCE forms with tswitch UI to make them easier to use
  • Fixed bug that generated duplicates in the list of vendors on certain VINCEComm case pages

Version 2.1.4 2023-08-30

  • Automated annual update to VINCE copyright date in footer
  • Dependabot update recommendations: django 3.2.19 to 3.2.20
  • Replaced malfunctioning dropdown menu in original report tab on VINCETrack case page with link to case request ticket
  • Added functionality to VINCE Comm status page for muting & unmuting cases, with alerts responding to selected affectedness status
  • Set up periodic autorefresh feature for the VINCE Track Triage page

Version 2.1.3 2023-08-09

  • More tabs on VinceTrack Case page updated for asynchronous loading.
  • Dependabot update recommendations: cryptography 41.0.0 to 41.0.3, certifi 2022.9.24 to 2023.7.22
  • Enhanced printability of VINCEComm Case pages by removing unnecessary content on print and adding more detailed title to case page
  • Remove duplicate settings.py to avoid confusion.
  • Removed option to sort large numbers of vendors alphabetically on published vulnotes, preventing JavaScript bug
  • Introduced code that automatically schedules weekly reports on VINCE statistics to be sent via email to appropriate recipients

Version 2.1.2 2023-06-09

  • VinceTrack CaseView,VinceCommUserView updated for Asynchronous calls for tab-based browsing.
  • Fixed GH Issue #111 PDF Links not working
  • Updated Vendor approval workflow with time lapse of 2 weeks of no-response from Vendor Admin
  • Fix bounce issues of creating tickets for dead/disabled users.
  • Dependabot security recommendations PyPi cryptography 39.0.1 to 41.0.0, requests 2.281 to 2.31.0, django-ses from 3.2.2 to 3.5.0
  • Fixed vincepubviews multiple choice field Years to be dynamic

Version 2.1.1 2023-05-02

  • Security updates fixing a number of dependencies - sqlparse, redis (GHSA-rrm6-wvj7-cwh2,CVE-2023-28859,CVE-2023-28858)
  • Updates (UAR) workflow for User joining Vendor Group GH Issue #94
  • INL Code updates to perform Product/Version for CVE records GH PR #104
  • INL Code updates for PDF download of VulNote GH PR #104
  • Async requests for VinceTrack Contacts to reduce page wait times
  • Check for Bounces before sending emails from vince/mailer.py
  • Add TERMS_URL to ensure Terms & Conditions are flexible
  • Fix CVSS Translator GH Issue #105
  • Check for notification-only addresses and provide error on Signup

Version 2.0.7 2023-03-20

  • Security updates Django to 3.2.18 CVE-2023-24580, Remove python-futures (no longer used) GH Issues #91 #90 (Dependabot)
  • Support User Approve Request (UAR) new workflow for User joining Vendor Group GH Issue #94
  • Allow Tracking ID's to be added to Cases when user belongs to multiple groups (CaseTracking) reported by VINCE user.
  • Move from initial to instance on Form Class inits() to modify existing data in Models/Forms pair
  • Move more browser UI information to async data requests, less templates.
  • Remove marquee, command and style tags from supported markdown_helpers lib.vince.markdown_helpers - reported by VINCE user.

Version 2.0.6 2023-01-23

  • Removed Edit Vulnerability button superfluous GHIssue #77
  • Updates to CVE publish buttons and automatic close of CVE modal on error
  • Modify CVEAffectedProduct.version_affected vince models.py for CVE5JSON
  • Bug fix newcomment not new_comment in vince/views.py
  • Add "Notify anyway" button routine for already notified vendor.

Version 2.0.5 2023-01-04

  • Update to CVE2.1 Services Publish using CVE5 JSON
  • More Async functions for vendor status views
  • Added more common libraries to lib/vince/utils
  • Added a mute_lib.py to support mute a Case for a user in automated way
  • Fixed a number of small bugs in max length in FORM submissions and S3 sensitive filenames

Version 2.0.4: 2022-12-20

  • Added Filter to CaseView in VinceComm
  • Addition of more Async functions for non-interactive queries
  • Fixing of slow performance on allvendors view to use Django Aggregate and Filter/Q functions
  • Friendly errors and fixes for logging to add IP address of remote client

Version 2.0.3: 2022-12-14

  • Major upgrade to Django 3.2 LTS target end byt 2024. Fixes related to Django upgrade in all libraries.
  • Aded new QuerySet Paging library for performance extend chain with chainqs for QuerySet
  • Asynchronous calls for most vinny/views via JSON through asyncLoad class
  • Provide API Views 404 with JSON generic error
  • Allow Session or API Token authentication to support API access from browser
  • Provide better HTML text on access/permission violations by User.
  • Fixes to CVE management API with CVE services 2.1 and CVEJSON5 support
  • CSAF enchancements including TLP setup. Pending Customer engagement details publishing.
  • Fix number of logging to include relevant data as part of log message

Version 1.50.6: 2022-11-04

  • Allow Vendor Association when Ticket is associated with a Case
  • Adding Download HTML per INL request GH Issue #60
  • Avoid Alert severity colors to buttons that don't do deletes/sensitive actions - UI feedback.
  • Show MFA type for users in VinceTrack to support troubleshooting Users
  • Catch errors on failure to email when a Post is submitted.

Version 1.50.5: 2022-10-25

  • Updates to settings_.py to match public GitHub
  • UI tweaks for Loading div, asynchronous search via delaySearch
  • Add Access-Control-Origin header to CSAF output for Secvisogram
  • Fix Python Pickle Code Injection vulnerability reported by Rapid7 researcher Marcus Chang CVE-2022-40238
  • Address reported failure with better error reporting from Encrypt-and-Send
  • Avoid TimeZone spurious warning errors flooding logs

Version 1.50.4: 2022-10-05

  • UI improvements for vincetrack for search experience
  • Performance tweaks for Tickets search use $queryset.count() instead len($queryset) when pagination is used
  • Fix HTML injection vulnerabilities reported by Rapid7 researcher Nick Sanzotta (CVE-2022-40248,CVE-2022-40257)

Version 1.50.3: 2022-09-16

  • Full support for CSAF 2.0 export of vulnerability Case
  • Fix for a number of Views to avoid digit parameter confusion
  • Add view CSAF and VINCE JSON to support download of Case data in machine-readable format
  • If upgrading, make sure you verify settings.py has new variables CONTACT_PHONE ORG_POLICY_URL and ORG_AUTHORITY populated.

Version 1.50.2: 2022-08-29

  • Resolves issue of enumerating user_id and group_id - reported by Sharon Brizinov of Claroty Research #51
  • Removed lxml library no longer in use in requirements.txt - reported by dependabot via #38
  • Add [DISABLED] Keyword for users in inactive status in vincetrack Teams menu view.

Version 1.50.1: 2022-08-08

  • BugFix for API key generation issue. The generate_key method was disabled accidentally

Version 1.50.0: 2022-07-19

  • New MFA reset workflow
  • Allow comments when re-assigning tickets
  • Sorting improvements on VINCEComm Dashboard
  • Add Vul Note download button in VINCETrack
  • Fixed open redirect vulnerability (CVE-2022-25799)[https://nvd.nist.gov/vuln/detail/CVE-2022-25799] reported by Jonathan Leitschuh #45
  • Bug Fixes

Version 1.49.0: 2022-07-19

  • Contact Management Updates
  • Dependency Upgrades
  • Bug Fixes

Version 1.48.0: 2022-05-13

  • Initial Open Source Release