zimmerman-team/devops.cve-tracker

CVE Tracker

A full-stack application for monitoring Common Vulnerabilities and Exposures (CVEs) across GitHub repository dependencies.

Features

  • GitHub Repository Import: Pull all your GitHub repos in one click; dependencies are auto-parsed from package.json, yarn.lock, package-lock.json, uv.lock, pyproject.toml, requirements.txt, Dockerfile, docker-compose.yml, and more — using a priority-group system (best lockfile wins per ecosystem)
  • Automatic CVE Detection: Fetches vulnerability data from the OSV.dev API with a 24-hour cache
  • Branch Monitoring: Detects new commits on main/develop, re-parses dependency files automatically
  • Scheduled Automation: Configurable cron jobs for CVE refresh and branch checks
  • Three Views: CVE List, Projects hierarchy, and Dashboard analytics
  • Projects View: Hierarchical view of groups → repos → dependencies, with per-dependency CVE counts, severity breakdown (C/H/M/L), and safe/vulnerable status
  • Dashboard & Analytics: Severity breakdown charts, monthly CVE trend, and top-repos ranked list (powered by Recharts)
  • "New Since Last Visit": Tracks when CVE data was first fetched; highlights new CVEs and dependencies since your last session with a green "New" badge and a "New only" filter
  • Multi-Group Support: Organize repos into named ParentProject groups with per-group filtering
  • Custom Repo Responsible User: Assign the responsible person to fix the CVEs for any repo
  • Severity Classification: Visual indicators for CRITICAL, HIGH, MODERATE, and LOW severity
  • Mark as Fixed: Track which CVEs have been addressed
  • Slack Notifications: Alerts for newly discovered CVEs affecting tracked repos and unresolvable dependency versions; messages are capped at 40 lines with an overflow link
  • Dark Mode: Toggle between dark and light themes (preference saved in localStorage)
  • Modern UI: React, TypeScript, Tailwind CSS
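The "priority-group system (best lockfile wins per ecosystem)" from the import feature, as an added example that is not the project's own code: the filenames are the ones listed above, while the priority ordering and the `selectDependencyFiles` function are assumptions made for illustration.

```typescript
// Added example (not the project's own code): "best lockfile wins per ecosystem".
// Filenames are the ones the README lists; the priority ordering is an assumption.
type Ecosystem = "npm" | "PyPI" | "Docker";

// Lower priority number = more authoritative (exact lockfile before loose manifest).
const PRIORITY_GROUPS: Record<string, { ecosystem: Ecosystem; priority: number }> = {
  "package-lock.json": { ecosystem: "npm", priority: 0 },
  "yarn.lock": { ecosystem: "npm", priority: 1 },
  "package.json": { ecosystem: "npm", priority: 2 },
  "uv.lock": { ecosystem: "PyPI", priority: 0 },
  "pyproject.toml": { ecosystem: "PyPI", priority: 1 },
  "requirements.txt": { ecosystem: "PyPI", priority: 2 },
  "Dockerfile": { ecosystem: "Docker", priority: 0 },
  "docker-compose.yml": { ecosystem: "Docker", priority: 1 },
};

function fileBasename(repoPath: string): string {
  const i = repoPath.lastIndexOf("/");
  return i === -1 ? repoPath : repoPath.slice(i + 1);
}

/** Pick, per ecosystem, the single file whose parsed dependencies are used. */
function selectDependencyFiles(tree: string[]): Record<string, string> {
  const best: Record<string, { repoPath: string; priority: number }> = {};
  for (const repoPath of tree) {
    const rule = PRIORITY_GROUPS[fileBasename(repoPath)];
    if (!rule) continue; // not a recognised dependency file
    const current = best[rule.ecosystem];
    // Strict "<" keeps the first file seen when two share a priority (a stable choice).
    if (!current || rule.priority < current.priority) {
      best[rule.ecosystem] = { repoPath, priority: rule.priority };
    }
  }
  const chosen: Record<string, string> = {};
  for (const eco of Object.keys(best)) chosen[eco] = best[eco].repoPath;
  return chosen;
}

// Constructed repo listing: a Node service with a Python helper and a Dockerfile.
const SAMPLE_TREE = [
  "README.md", "package.json", "package-lock.json", "yarn.lock",
  "scripts/requirements.txt", "scripts/pyproject.toml", "Dockerfile",
];
```

Because only one file per ecosystem is parsed, a second manifest of the same ecosystem elsewhere in the tree is not scanned; that is worth knowing when a repo contains several independent packages.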

Architecture

@cve-tracker/shared (types, parsers, version logic)
        ↓                        ↓
Frontend (React/Vite)  ←→  Server (Express/Node.js)  ←→  MongoDB

The project is an npm workspace monorepo:

cve-tracker/
├── shared/   # @cve-tracker/shared
├── app/      # React SPA (cve-tracker-app)
└── server/   # Express API (cve-tracker-server)

Getting Started

Prerequisites

  • Node.js v18 or higher
  • MongoDB (local or Docker)
  • npm

Installation

# Clone and install all workspace dependencies
npm run install:all

Environment Setup

Copy .env.example to .env. Then set the server-specific variables in server/src/.env:

# Required
MONGODB_URI=mongodb://admin:changeme123@mongo:27017/cve-tracker?authSource=admin
PORT=4200

# Required: enables GitHub repo import and branch checks
GITHUB_TOKEN=ghp_your_token_here

# Optional: cron intervals in minutes (default: 60 each)
# CVE_REFRESH_INTERVAL_MINUTES=60
# REPO_CHECK_INTERVAL_MINUTES=60

# Optional: Slack webhook for CVE and version alerts
# SLACK_WEBHOOK_URL=https://hooks.slack.com/services/XXX/YYY/ZZZ

The frontend reads these from a .env file in the project root:

VITE_API_URL=http://localhost:4200/api
VITE_PROJECT_OWNER_OPTS=Unassigned,Sylvan,Stefanos

Start MongoDB

docker compose up mongo -d

Run in Development

npm run dev:all

This starts:

Docker Deployment

docker compose up

Starts the full stack (MongoDB + server + nginx-served frontend) at http://localhost.

Database Export / Import

make db-export   # Dumps cve-tracker database to ./dump/ via the cve_mongo container
make db-import   # Restores ./dump/cve-tracker into the running cve_mongo container

Both targets read MONGODB_URI from .env and require the cve_mongo container to be running.

Usage

Adding Repositories

GitHub Import (Recommended)

  1. Set GITHUB_TOKEN in server/src/.env.
  2. Open the Manage Repositories panel (button in the header).
  3. Click Import from GitHub — all non-archived repos for the token's user are imported.
  4. Dependencies are auto-parsed when branches are first checked.

Manual Setup

Use PATCH /api/repos/:id or the Manage Repositories panel to assign dependencies.

Legacy Project Editor

The header "Edit Projects" button opens the original project editor. Saves are automatically synced to the repo model under a "General" group.

Assigning Responsible Persons

In the Manage Repositories panel, each repo row has a Responsible column. Select a person from the dropdown; the change is saved automatically. You can then filter CVEs and Projects by responsible person.

Monitoring CVEs

  • CVE List tab: Browse, filter, and manage CVEs across all repos. New CVEs (discovered since your last session) are highlighted with a green New badge. Use the New only checkbox to narrow the list to only new items.
  • Projects tab: Hierarchical view grouped by ParentProject → Repo → Dependency. Each repo card shows a summary of active CVEs and any newly-tracked dependencies. Click a repo to expand its dependency list; click a vulnerable dependency to see the individual CVEs inline.
  • Dashboard tab: Summary stats, severity breakdown, monthly trend chart, and top repos by active CVE count.
  • Filter bar: Filter by Group (ParentProject), Repository, Owner (responsible person), Dependency, Ecosystem, and Severity. Toggles: Show fixed, Show hidden, New only, Show safe deps.
  • Refresh CVEs: Manually trigger an OSV.dev fetch.
  • Check Branches: Detect new commits and re-parse dependency files.

"New Since Last Visit"

The app records a timestamp in localStorage each time it loads. On your next visit, any dependency whose CVE records were first fetched after your previous visit — or any CVE whose published date falls after that visit — is flagged as New. The badge appears on CVE cards (CVE List), on dependency rows (Projects view), and as a count badge on repo cards. Toggle New only in the filter bar to focus exclusively on new items.
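The "New" rule above, as an added example that is not the project's own code: it merges an OSV.dev /v1/query response into tracked records while preserving each record's first-fetch timestamp, then flags a CVE as new when that timestamp or its published date falls after the last visit. Field names follow the OSV schema; reading the severity label from `database_specific` (the GitHub Advisory Database convention) and the `ingestOsvVulns` function are assumptions, and all sample data is constructed.

```typescript
// Added example (not the project's own code): merge an OSV.dev /v1/query response
// into tracked CVE records and apply the "New since last visit" rule. Field names
// follow the OSV schema; the database_specific severity label is assumed.
type Severity = "CRITICAL" | "HIGH" | "MODERATE" | "LOW" | "UNKNOWN";
interface OsvVuln {
  id: string;
  aliases?: string[];                        // e.g. CVE ids of a GHSA record
  published?: string;                        // RFC 3339 timestamp
  database_specific?: { severity?: string };
}
interface TrackedCve {
  id: string; cveId?: string; severity: Severity; published?: Date;
  firstFetchedAt: Date;  // persisted across refreshes, never reset for a known id
  isNew: boolean;
}

function classifySeverity(v: OsvVuln): Severity {
  const label = (v.database_specific?.severity ?? "").toUpperCase();
  return ["CRITICAL", "HIGH", "MODERATE", "LOW"].includes(label) ? (label as Severity) : "UNKNOWN";
}

/** Merge a fresh OSV response into existing records, keeping first-fetch timestamps. */
function ingestOsvVulns(vulns: OsvVuln[], existing: Map<string, TrackedCve>,
                        now: Date, lastVisit: Date): Map<string, TrackedCve> {
  const merged = new Map(existing);
  for (const v of vulns) {
    const prior = merged.get(v.id);
    const firstFetchedAt = prior ? prior.firstFetchedAt : now;
    const published = v.published ? new Date(v.published) : undefined;
    // "New" when first seen after the last visit, or published after the last visit.
    const isNew = firstFetchedAt.getTime() > lastVisit.getTime() ||
      (published !== undefined && published.getTime() > lastVisit.getTime());
    merged.set(v.id, { id: v.id, cveId: v.aliases?.find((a) => a.startsWith("CVE-")),
      severity: classifySeverity(v), published, firstFetchedAt, isNew });
  }
  return merged;
}

// Constructed timeline and records (ids are placeholders, not real advisories).
const LAST_VISIT = new Date("2024-05-01T00:00:00Z");
const NOW = new Date("2024-05-03T12:00:00Z");
const SAMPLE_RESPONSE: OsvVuln[] = [
  { id: "GHSA-xxxx-0001", aliases: ["CVE-0000-0001"], published: "2024-04-10T00:00:00Z",
    database_specific: { severity: "high" } },     // tracked since before the last visit
  { id: "GHSA-xxxx-0002", aliases: ["CVE-0000-0002"], published: "2024-05-02T09:00:00Z",
    database_specific: { severity: "CRITICAL" } }, // published after the last visit
  { id: "GHSA-xxxx-0003", published: "2023-01-01T00:00:00Z" }, // old, but first fetched now
];
const PREVIOUSLY_TRACKED = new Map<string, TrackedCve>([
  ["GHSA-xxxx-0001", { id: "GHSA-xxxx-0001", cveId: "CVE-0000-0001", severity: "HIGH",
    firstFetchedAt: new Date("2024-04-12T00:00:00Z"), isNew: false }],
]);
```

The third record shows why the first-fetch clause matters: an advisory published long ago is still new to this tracker if it only entered the database after the last visit.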

Managing Repository Groups

In the Manage Repositories panel:

  • Repos are bucketed by their ParentProject group.
  • Click the edit icon next to a group name to rename it.
  • Use the group dropdown on each repo row to reassign it.
  • Click New Group (footer) to create a group.
  • Toggle Active/Ignored on any repo to exclude it from CVE tracking.
  • Export/Import groups: Download or upload a JSON file mapping GitHub URLs to { group, owner, ignored } for bulk reassignment.

Slack Notifications

When SLACK_WEBHOOK_URL is set, the server sends:

  • A :shield: alert per new CVE that affects at least one tracked repo version.
  • A :warning: alert per repo where a dependency has a blank or unparseable version (e.g., latest, unknown).
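The two alert kinds and the 40-line cap described above, as an added example that is not the project's own code: the "resolvable version" test is a strict semver-style check chosen here (an assumption, since a version like `latest` cannot be matched against OSV affected ranges), and the `cveAlert`, `versionWarning` functions, sample dependencies and overflow URL are all constructed for illustration.

```typescript
// Added example (not the project's own code): the two Slack alert kinds the
// README describes. The "resolvable version" check is a strict semver-style
// test (an assumption); the 40-line cap with an overflow link follows the
// README. Sample dependencies and the overflow URL are constructed.
const MAX_LINES = 40;
interface Dependency { name: string; ecosystem: string; version: string; }

// A version can be matched against OSV affected ranges only when it is a
// concrete release, not blank, a dist-tag ("latest") or a range ("^1.2.3").
function isResolvableVersion(version: string): boolean {
  const v = version.trim();
  if (v === "" || /^(latest|unknown)$/i.test(v)) return false;
  return /^v?\d+(\.\d+){0,2}([-+][0-9A-Za-z.-]+)?$/.test(v);
}

// Keep a message within MAX_LINES; the last line links to the full list.
function capLines(header: string, lines: string[], overflowUrl: string): string {
  if (lines.length <= MAX_LINES - 1) return [header, ...lines].join("\n");
  const shown = lines.slice(0, MAX_LINES - 2);      // header + shown + overflow line
  const hidden = lines.length - shown.length;
  return [header, ...shown, `...and ${hidden} more: ${overflowUrl}`].join("\n");
}

/** :shield: alert for one new CVE, listing every tracked repo it affects. */
function cveAlert(cveId: string, severity: string, affectedRepos: string[], url: string): string {
  return capLines(`:shield: New ${severity} vulnerability ${cveId} affects ${affectedRepos.length} repo(s)`,
    affectedRepos.map((r) => `• ${r}`), url);
}

/** :warning: alert for one repo, or null when every version is resolvable. */
function versionWarning(repo: string, deps: Dependency[], url: string): string | null {
  const bad = deps.filter((d) => !isResolvableVersion(d.version));
  if (bad.length === 0) return null;
  return capLines(`:warning: ${repo}: ${bad.length} dependency version(s) cannot be checked`,
    bad.map((d) => `• ${d.ecosystem}/${d.name}: "${d.version}"`), url);
}

// Constructed sample input.
const SAMPLE_DEPS: Dependency[] = [
  { name: "express", ecosystem: "npm", version: "4.18.2" },
  { name: "lodash", ecosystem: "npm", version: "latest" },
  { name: "requests", ecosystem: "PyPI", version: "" },
  { name: "react", ecosystem: "npm", version: "^18.2.0" },
];
const OVERFLOW_URL = "https://cve-tracker.example.invalid/"; // placeholder
```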

Building for Production

npm run build

Outputs:

  • app/dist/ — frontend static files
  • server/dist/ — compiled server

Technology Stack

Layer               Technology
Frontend            React 18, TypeScript, Vite, Tailwind CSS
Charts              Recharts
Icons               Lucide React
Server              Express, TypeScript, tsx
Database            MongoDB, Mongoose
Scheduling          node-cron
Vulnerability data  OSV.dev API
Notifications       Slack Incoming Webhooks

Migration from v1

If you have existing Project documents (from before the repo-based model), run the one-shot migration:

npm run migrate -w cve-tracker-server

This converts each Project into a GitHubRepo under a "General" ParentProject.

License

MIT

Development

This project was co-developed with AI to accelerate feature delivery. All code has been manually reviewed and tested for quality.

For agentic development, CLAUDE.md and AGENTS.md are included for use with Claude Code, OpenCode, Codex, and similar tools.

About

CVE Tracker using osv.dev for specified targets
