# fleet-vulnerability-dashboard
Report and track progress on fixing and prioritizing thousands of installed CVEs.
## How does it work?
CVEs are detected and annotated using [NVD, CVSS, EPSS, CISA KEVs, osquery, and Fleet](https://fleetdm.com/docs/using-fleet/vulnerability-processing).
## Why a separate repo?
Should we move this to a subdirectory of fleetdm/confidential and have it deploy from there?
- Philosophy: [Why do we use one repo?](https://fleetdm.com/handbook/company/why-this-way#why-do-we-use-one-repo)
- See also: The "broken windows effect"
- Decision: No. On 2023-07-14, we decided to keep it here so Stephan, Finn, and all other relevant folks from Fastly can access the code and collaborate.
- Update: 2023-11-06: The best thing is to move this into the `ee/` directory of fleetdm/fleet. That achieves the goal of making it source available, but still paid. Logistics to enable this involve changing hosted deployments to deploy from within a nested subdirectory (something we've done before).
## Cosmogony
f.k.a. "scooper"
Original raw notes and context (private Google Doc, since it contains competitor information): https://docs.google.com/document/d/1ByNWY6n_C-rvL75lI6jca2OniHt5FqA5_nYMf61S0pM/edit#
## Running the vulnerability dashboard with Docker
To run a local vulnerability dashboard with Docker, follow these instructions.
1. Clone this repo
2. Update the following ENV variables in the `ee/vulnerability-dashboard/docker-compose.yml` file:
   1. `sails_custom__fleetBaseUrl`: The full URL of your Fleet instance (e.g., https://fleet.example.com).
   2. `sails_custom__fleetApiToken`: An API token for an API-only user on your Fleet instance.
      > You can read about how to create an API-only user and get its token [here](https://fleetdm.com/docs/using-fleet/fleetctl-cli#create-api-only-user).
3. Open the `ee/vulnerability-dashboard/` folder in your terminal
4. Run `docker compose up --build` to build the vulnerability dashboard's Docker image.
> The first time the vulnerability dashboard starts, it will initialize the database and run the `update-reports` script before the server starts.
5. Once the container is done building, the vulnerability dashboard will be available at http://localhost:1337
> You can log in with the default admin login:
>
>- Email address: `admin@example.com`
>
>- Password: `abc123`
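
A pre-flight check for step 2, as an added example that is not part of this repo: it reads the two settings from the compose file and rejects an empty or placeholder token and a non-`https://` URL (over plain HTTP the API token would travel in cleartext). The helper names, the one-setting-per-line layout, and the sample file are assumptions constructed for illustration.

```shell
#!/bin/sh
# Pre-flight check for the two settings named in step 2 (added example).
# Assumption: each setting sits on one line of the compose file, written
# either as "key: value" or as "- key=value". The real file may differ.

# Print the value of setting $2 found in compose file $1 (empty if absent).
compose_value() {
  sed -n "s/^[[:space:]]*-\{0,1\}[[:space:]]*$2[[:space:]]*[:=][[:space:]]*//p" "$1" |
    head -n 1 | sed "s/[[:space:]]*\$//; s/^[\"']//; s/[\"']\$//"
}

# Return 0 when both settings look usable, 1 otherwise; reasons go to stderr.
check_dashboard_config() {
  file=$1 rc=0
  url=$(compose_value "$file" sails_custom__fleetBaseUrl)
  token=$(compose_value "$file" sails_custom__fleetApiToken)
  case $url in
    https://?*) ;;
    '') echo "sails_custom__fleetBaseUrl is not set" >&2; rc=1 ;;
    *) echo "sails_custom__fleetBaseUrl is not an https:// URL: $url" >&2; rc=1 ;;
  esac
  case $token in   # the token value itself is never printed
    '') echo "sails_custom__fleetApiToken is not set" >&2; rc=1 ;;
    *[[:space:]]*|*'<'*|*'>'*) echo "sails_custom__fleetApiToken looks like a placeholder" >&2; rc=1 ;;
  esac
  return $rc
}

# Constructed sample (not the project's real file): URL filled in, token left empty.
sample=$(mktemp)
cat > "$sample" <<'EOF'
services:
  vulnerability-dashboard:
    environment:
      sails_custom__fleetBaseUrl: "https://fleet.example.com"
      sails_custom__fleetApiToken: ""
EOF
check_dashboard_config "$sample" || echo "fix the compose file before running 'docker compose up --build'"
rm -f "$sample"
```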
## How it's made
This is a [Sails v1](https://sailsjs.com) application:
+ [Sails framework documentation](https://sailsjs.com/get-started)
+ [Version notes / upgrading](https://sailsjs.com/documentation/upgrading)
+ [Deployment tips](https://sailsjs.com/documentation/concepts/deployment)
+ [Community support options](https://sailsjs.com/support)
+ **Version info**: This app was originally generated on Sat Dec 10 2022 15:56:06 GMT-0600 (Central Standard Time) using Sails v1.5.3.
+ This project's boilerplate is based on an expanded seed app provided by the [Sails core team](https://sailsjs.com/about) to make it easier for you to build on top of ready-made features like authentication, enrollment, email verification, and billing.