
isduba's Introduction

ISDuBA

Under development - some things already work

A web application for downloading and evaluating security advisories in CSAF 2.0 format. ISDuBA is mainly intended to support teams that are responsible for the IT security of a group of products.

ISDuBA uses the following components:

  • Go as programming language for the backend.
  • PostgreSQL as database
  • keycloak as identity provider
  • docker-compose setup example (planned)
  • svelte-flowbite for the single page web application frontend
  • csaf_distribution for downloading advisories
  • csaf_webview for viewing documents

How to get started

What does the name ISDuBA mean?

The abbreviation expands to a German label, which translates to Internal system for downloading and evaluating advisories.

License

ISDuBA is Free Software.

Source code written for ISDuBA was placed under the Apache License, Version 2.0.

 SPDX-License-Identifier: Apache-2.0

 SPDX-FileCopyrightText: 2024 German Federal Office for Information Security (BSI) <https://www.bsi.bund.de>
 Software-Engineering: 2024 Intevation GmbH <https://intevation.de>

ISDuBA depends on third party Free Software components which have their own rights holders and licenses. To the best of our knowledge (at the time they were added), the licenses of these dependencies are compatible with the ISDuBA main license.

Dependencies

The top level dependencies can be seen from

  • go.mod for the isdubad backend and server tools.
  • package.json for the web application frontend.
  • The build and setup descriptions (linked above).

Use one of several available Free Software tools to examine indirect dependencies and get a more complete list of component names and licenses.

For example, use the SPDX 2.3 SBOM JSON file that comes with an ISDuBA release, or create one with https://github.com/anchore/syft. Then run list_licenses.py or python3 -m json.tool on it to see more.
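As an added example (JavaScript, not the project's list_licenses.py), the following reads an SPDX 2.3 JSON document of the kind shipped with a release or produced by syft, lists each package with its effective license, counts packages per license, and flags entries that need a human look: NOASSERTION, expressions mixing AND and OR, and licenses outside an allowlist. The allowlist and the embedded sample SBOM are constructed for this example and are not project policy.

```javascript
// Added example (not ISDuBA's list_licenses.py): summarise the licenses in an
// SPDX 2.3 JSON SBOM, e.g. the one shipped with a release or produced by
// `syft -o spdx-json`. The sample document at the bottom is constructed.

// Licenses this example accepts alongside Apache-2.0. An assumption for
// illustration, not the project's policy.
const ALLOWED_LICENSES = new Set(['Apache-2.0', 'MIT', 'BSD-2-Clause', 'BSD-3-Clause', 'ISC']);

// SPDX uses NOASSERTION ("not checked") and NONE ("no license found");
// neither is something a reviewer can sign off on.
function isKnown(value) {
  return typeof value === 'string' && value !== '' && value !== 'NOASSERTION' && value !== 'NONE';
}

// Prefer licenseConcluded (what the tool or reviewer determined) over
// licenseDeclared (what the package itself claims).
function effectiveLicense(pkg) {
  if (isKnown(pkg.licenseConcluded)) return pkg.licenseConcluded;
  if (isKnown(pkg.licenseDeclared)) return pkg.licenseDeclared;
  return 'NOASSERTION';
}

// Identifiers in an SPDX license expression such as "(MIT OR GPL-3.0-only) AND ISC".
function licenseIds(expression) {
  return expression.split(/\s+(?:AND|OR)\s+/i)
    .map((id) => id.replace(/[()]/g, '').trim())
    .filter((id) => id !== '');
}

// A disjunction is fine if one branch is allowed; a conjunction needs every
// part allowed; anything mixing both is sent to a human.
function isAcceptable(expression) {
  if (!isKnown(expression)) return false;
  const hasAnd = /\sAND\s/i.test(expression);
  const hasOr = /\sOR\s/i.test(expression);
  if (hasAnd && hasOr) return false;
  const ids = licenseIds(expression);
  const ok = (id) => ALLOWED_LICENSES.has(id);
  return hasOr ? ids.some(ok) : ids.every(ok);
}

function licenseReport(sbom) {
  if (sbom.spdxVersion !== 'SPDX-2.3') {
    throw new Error(`expected an SPDX-2.3 document, got ${sbom.spdxVersion}`);
  }
  const rows = [];
  const byLicense = {};
  const needsReview = [];
  for (const pkg of sbom.packages || []) {
    const license = effectiveLicense(pkg);
    const row = { name: pkg.name, version: pkg.versionInfo || '', license };
    rows.push(row);
    byLicense[license] = (byLicense[license] || 0) + 1;
    if (!isAcceptable(license)) needsReview.push(row);
  }
  rows.sort((a, b) => a.name.localeCompare(b.name));
  return { rows, byLicense, needsReview };
}

function formatReport(report) {
  const lines = report.rows.map((r) => `${r.name} ${r.version} ${r.license}`);
  lines.push('', 'Packages per license:');
  for (const [license, n] of Object.entries(report.byLicense)) lines.push(`  ${n}  ${license}`);
  const names = report.needsReview.map((r) => r.name).join(', ') || 'none';
  lines.push('', `Needs manual review: ${names}`);
  return lines.join('\n');
}

// Constructed sample: package names and versions are made up for this example.
const SAMPLE_SBOM = {
  spdxVersion: 'SPDX-2.3',
  dataLicense: 'CC0-1.0',
  SPDXID: 'SPDXRef-DOCUMENT',
  name: 'sample-sbom',
  packages: [
    { SPDXID: 'SPDXRef-Package-a', name: 'example-lib-a', versionInfo: '1.2.3', licenseConcluded: 'MIT', licenseDeclared: 'MIT' },
    { SPDXID: 'SPDXRef-Package-b', name: 'example-lib-b', versionInfo: '0.9.0', licenseConcluded: 'NOASSERTION', licenseDeclared: 'MIT' },
    { SPDXID: 'SPDXRef-Package-c', name: 'example-lib-c', versionInfo: '4.0.1', licenseConcluded: '(MIT OR GPL-3.0-only)', licenseDeclared: 'NOASSERTION' },
    { SPDXID: 'SPDXRef-Package-d', name: 'example-lib-d', versionInfo: '2.0.0', licenseConcluded: 'GPL-3.0-only', licenseDeclared: 'GPL-3.0-only' },
    { SPDXID: 'SPDXRef-Package-e', name: 'example-lib-e', versionInfo: '0.1.0', licenseConcluded: 'NOASSERTION', licenseDeclared: 'NOASSERTION' },
  ],
};

console.log(formatReport(licenseReport(SAMPLE_SBOM)));
```

To run it against a real release SBOM, replace SAMPLE_SBOM with the parsed file contents (for example via `JSON.parse(fs.readFileSync(path, 'utf8'))`). The concluded/declared distinction matters for the compatibility check the licensing issue asks for: a declared license is only what the upstream package says about itself, while NOASSERTION in the concluded field means nobody has confirmed it yet.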

isduba's People

Contributors

bernhardreiter, cintek, dependabot[bot], janhoefelmeyer, koplas, s-l-teichmann, thomasjunk, tschmidtb51

Forkers

sthagen, koplas

isduba's Issues

Activate Page Selection on the Home Page

Currently, the page selection buttons merely return an alert that they were clicked.

  • The expected functionality is that a new page of advisories is displayed depending on which page is opened and how many advisories are shown per page. Assuming each page shows 10 advisories, then clicking on the "page 3" button should show advisories 21-30. The last page may necessarily show fewer advisories.

  • The number of pages in the page selection should adjust to the number of available advisories:

    • The page selection should not be visible if all advisories are displayed at once
    • The page selection should show all available pages at once if possible
    • If not possible, e.g. due to too many advisories, then the following pages should be visible:
      • page 1
      • the page before the current page, unless the current page is page 1
      • the current page
      • the page after the current page, unless the current page is the last page
      • the last page
  • Furthermore, especially if not all pages can be shown at once, a jump function is necessary that allows opening a specific existent page by page number. This functionality could be hidden if all pages can be shown at once, but necessarily needs to exist, especially if considering cases where the page number could grow to 100 or more.

Advisories should be able to be commented

When looking at an advisory, currently, you can write a comment within the designated text area, but pressing the send button has no effect. This seems to be a bug.

Refresh keycloak token

Max wants to focus on his tasks. Right now the keycloak token expires after a certain amount of time. We need to refresh the token automatically so Max does not have to log out and in again to get a new token.
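Below is an added example (JavaScript, not ISDuBA's client code) of the mechanism this issue asks for: read the `exp` claim from the access token, call Keycloak's refresh_token grant a safety margin before expiry, and fall back to the login screen when the refresh is rejected. KEYCLOAK_BASE, REALM and CLIENT_ID are placeholders, and the token endpoint path assumes a current Keycloak release (older releases prefix it with /auth).

```javascript
// Added example, not ISDuBA's client code: refresh a Keycloak access token
// shortly before it expires so the user is not logged out mid-task.
// KEYCLOAK_BASE, REALM and CLIENT_ID are placeholders for this example.

const KEYCLOAK_BASE = 'https://keycloak.example.invalid';
const REALM = 'isduba';
const CLIENT_ID = 'isduba-client';
// Refresh this many seconds before `exp` so requests in flight at the
// boundary are not answered with 401.
const REFRESH_MARGIN_S = 30;

function b64urlEncode(s) {
  return Buffer.from(s, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function b64urlDecode(s) {
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
}

// Read a JWT payload WITHOUT verifying the signature. The client only needs
// `exp` to schedule the refresh; who the user is and what they may do is
// decided by the backend, which verifies the token against Keycloak's keys.
function jwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(b64urlDecode(parts[1]));
}

// Seconds to wait before refreshing; 0 if the token is already expired or
// inside the safety margin.
function secondsUntilRefresh(accessToken, nowSeconds = Math.floor(Date.now() / 1000)) {
  const { exp } = jwtPayload(accessToken);
  if (!Number.isInteger(exp)) throw new Error('token has no numeric exp claim');
  return Math.max(0, exp - REFRESH_MARGIN_S - nowSeconds);
}

// Refresh-token grant against Keycloak's OpenID Connect token endpoint.
// `fetchImpl` is injectable so the exchange can be exercised offline.
async function refreshTokens(refreshToken, fetchImpl = fetch) {
  const url = `${KEYCLOAK_BASE}/realms/${REALM}/protocol/openid-connect/token`;
  const body = new URLSearchParams({
    grant_type: 'refresh_token',
    client_id: CLIENT_ID,
    refresh_token: refreshToken,
  });
  const resp = await fetchImpl(url, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  });
  // A 400 with error=invalid_grant means the refresh token was revoked or the
  // SSO session ended; the only safe reaction is a fresh login.
  if (!resp.ok) throw new Error(`token refresh failed: HTTP ${resp.status}`);
  const data = await resp.json();
  if (typeof data.access_token !== 'string' || typeof data.refresh_token !== 'string') {
    throw new Error('token endpoint returned no token pair');
  }
  return data;
}

// Keeps the token pair in memory (never localStorage) and re-arms a timer
// after each refresh. Timer functions are injectable for testing.
function createSession(tokens, { fetchImpl = fetch, setTimer = setTimeout, clearTimer = clearTimeout, onLogout = () => {} } = {}) {
  let current = tokens;
  let timer = null;
  function arm() {
    timer = setTimer(async () => {
      try {
        // Always adopt the returned refresh_token: Keycloak may rotate it.
        current = await refreshTokens(current.refresh_token, fetchImpl);
        arm();
      } catch (err) {
        current = null;
        onLogout(err);
      }
    }, secondsUntilRefresh(current.access_token) * 1000);
  }
  arm();
  return {
    accessToken: () => (current ? current.access_token : null),
    stop: () => clearTimer(timer),
  };
}

// Constructed, unsigned token for demonstration only; real tokens come from Keycloak.
function makeUnsignedToken(payload) {
  const header = b64urlEncode(JSON.stringify({ alg: 'none', typ: 'JWT' }));
  return `${header}.${b64urlEncode(JSON.stringify(payload))}.`;
}

const demoToken = makeUnsignedToken({ sub: 'max', exp: Math.floor(Date.now() / 1000) + 300 });
console.log(`next refresh in ${secondsUntilRefresh(demoToken)} s`);
```

Two points are worth keeping whatever library ends up doing this in the client: hold the refresh token in memory only, since anything in localStorage is readable by any script that gets injected into the page, and always store the refresh_token the endpoint returns, because Keycloak can rotate it and reject the previous one.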

Activate Search Bar on the Documents Page

Currently, the search bar on the Documents Page has no functionality besides being a text field.

Expected: The search bar should be:

  • able to be written to. (This is already functional at the point of opening this issue.)

  • able to filter entries by information which has been written into the text field via pressing of the return or enter keys or via clicking on the magnifying glass located next to the search bar.

Properly license as Free Software

  • change files new with isduba to SPDX-License-Identifier: Apache-2.0
  • licensing section on the front page, much like the csaf_distribution section, but give the copyright holder.
  • activate reuse action to make sure we stay reuse compatible
  • check third party licenses and give commands how to get the list and licenses.
  • add licenses for third party code that resides inside our repositories
  • check that licenses are fully compatible

Activate Search Bar on the Home Page

Currently, the search bar on the Home Page has no functionality besides being a text field.

Expected: The search bar should be:

  • able to be written to. (This is already functional at the point of opening this issue.)

  • able to filter entries by information which has been written into the text field via pressing of the return or enter keys or via clicking on the magnifying glass located next to the search bar.

Calculate SSVC

Alex needs to calculate the SSVC for a document to make Kay's decision about priorities easier (see #6). To enable Alex to do so we will use the Dryad calculator.

Kay wants to know which Advisories need to be worked upon

After login an overview shall display which advisories are there and with which status.

#4 starts addressing this

More:

  • Need to show the SSVC (a stakeholder specific value).
  • show the several CVSS values of a document in good order
  • show CVEs (not all of them)

Implement Source-Management

Currently, the Source-Page is empty sans the word "Sources". The functionality still needs to be implemented.

More information for debugging

To make debugging easier we should show some build information in the client. Therefore, we want to show a build number of the client (#19) and the backend (#20) in the client. One possible place to do so would be an "About" section in the configuration menu of the client.

Activate Search Bar on the Advisories Page

Currently, the search bar on the Advisory Page has no functionality besides being a text field.

Expected: The search bar should be:

  • able to be written to. (This is already functional at the point of opening this issue.)

  • able to filter entries by information which has been written into the text field via pressing of the return or enter keys or via clicking on the magnifying glass located next to the search bar.

Implement search for comments

If there are many comments with a lot of text and Alex remembers just a few words from a comment it would be helpful to be able to use a search function.

Add User Profile

Users need a page where their personal information can be seen or processed, like their username or which advisories they can manage.

Fix comments on wide sites

The vulnerability-overview table can get quite lengthy in size.

For those tables that exceed the standard site-width, it seems to push the comments-field out of bounds. In that case, the arrow to phase in the comment field will be left at the same position (meaning the top right of the page if not scrolled, remaining at the same fixed location on the page even if scrolling, meaning it can be pushed to the left by scrolling right), but will only allow the edge of the comment field to be seen, which is still unusable.

Closing the overview will allow the comment-field to be displayed normally.

Zooming out the view so the entire table can be seen at once will also allow the comment field to be seen and will affix the arrow to the usual place relative to the comment section.
Also: Regardless of the page-width, zooming out will stretch the comment-field horizontally.

Link to the Github repo

Since we are creating Free Software in this project we should add a link to the Github repository somewhere in the application. Maybe at the bottom of the sidebar.

Allow Markdown in Comments

Alex wants to structure comments so that Kay can understand them faster.

As Github flavoured markdown is allowed in CSAF Documents' formatted messages, Alex wants to use it in comments, too.
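Once comments are rendered as HTML, every comment becomes an injection point: a Markdown link with a `javascript:` target or a raw `<img onerror=...>` in the comment body would end up in the DOM. As an added example (JavaScript, not ISDuBA's code), the renderer below handles a small Markdown subset and shows the two rules that matter regardless of which library is eventually used: escape the user's text before producing any tag, and accept link targets only after parsing them and checking the scheme against an allowlist. `renderComment` and the subset it supports are assumptions of this example; a production client would feed a full GFM parser's output through an HTML sanitiser such as DOMPurify before handing it to Svelte's `{@html}`.

```javascript
// Added example, not ISDuBA's code: render a comment written in a small
// Markdown subset (paragraphs, **bold**, *italic*, `code`, [label](url))
// to HTML without creating an HTML-injection hole.

const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Rule 1: every character that came from the user is escaped before any
// tag is emitted, so the user can never close or open an element.
function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Rule 2: link targets are parsed with the same algorithm the browser uses
// and accepted only for allow-listed schemes. That is what stops
// javascript:, data: and disguised variants such as "java\nscript:".
function safeHref(raw) {
  let url;
  try { url = new URL(raw); } catch { return null; }
  return SAFE_SCHEMES.has(url.protocol) ? url.href : null;
}

// Emphasis is applied to already-escaped text, so it can only wrap text in
// <strong>/<em>, never introduce attributes or scripts.
function emphasis(escaped) {
  return escaped
    .replace(/\*\*([^*]+)\*\*/g, '<strong>$1</strong>')
    .replace(/\*([^*]+)\*/g, '<em>$1</em>');
}

function renderLinksAndEmphasis(text) {
  const linkRe = /\[([^\]]+)\]\(([^)\s]+)\)/g;
  let html = '';
  let last = 0;
  let m;
  while ((m = linkRe.exec(text)) !== null) {
    html += emphasis(escapeHtml(text.slice(last, m.index)));
    const label = emphasis(escapeHtml(m[1]));
    const href = safeHref(m[2]);
    // A rejected target degrades to plain text instead of an unsafe link.
    html += href ? `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${label}</a>` : label;
    last = linkRe.lastIndex;
  }
  return html + emphasis(escapeHtml(text.slice(last)));
}

// Code spans are split off first so Markdown inside backticks stays literal.
function renderInline(text) {
  return text.split(/(`[^`]+`)/).map((piece) => {
    if (piece.length > 2 && piece.startsWith('`') && piece.endsWith('`')) {
      return `<code>${escapeHtml(piece.slice(1, -1))}</code>`;
    }
    return renderLinksAndEmphasis(piece);
  }).join('');
}

// Blank lines separate paragraphs; everything else is inline content.
function renderComment(markdown) {
  return markdown.replace(/\r\n/g, '\n')
    .split(/\n[ \t]*\n/)
    .map((p) => p.trim())
    .filter((p) => p !== '')
    .map((p) => `<p>${renderInline(p)}</p>`)
    .join('\n');
}

// Constructed sample comment mixing legitimate Markdown with injection attempts.
const SAMPLE_COMMENT = [
  'Affects **all** builds before 2.1, see [the vendor note](https://example.org/note?id=7&lang=en).',
  '',
  'Ignore this: <img src=x onerror="alert(1)"> and [this](javascript:alert%281%29).',
].join('\n');

console.log(renderComment(SAMPLE_COMMENT));
```

The order of operations is the whole point: escaping after markup has been generated would destroy the generated tags, while generating markup from unescaped text lets the comment author write HTML. Link checking goes through `new URL` rather than a string prefix test because the browser normalises case and strips embedded tabs and newlines before it decides what scheme it is looking at.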

Use Github actions for lint etc.

Currently, we only check whether the licensing is correct via github actions.

There are many other helpful actions that can raise the quality of code, like revive, and github should also check whether the build builds etc.

Field contents should be saved when reloading or logging in again

As Alex wants to continue the work at the place where it was left, this also holds for changes to values.

Alex demands this for the same webbrowser.

Examples:

  • A configuration toggle should be effective once it was switched.
  • Sentences already entered in a comment field, shall still be there on reload (or login)

This issue is split out of #11.

Fit table of Advisories on the advisories page onto the page

On the advisories page, the table is cut off after the initial release column. (Although the rest can be seen by scrolling inside the component)

This is independent of the table being larger than the site as well.

This should be adjusted, e.g. by abbreviating overly long titles and publishers and forcing the entire table to be displayed.

Make docs better by auto generating source code files into markdown

https://github.com/csaf-poc/csaf_distribution/blob/main/.github/workflows/generate-markdown.yml
uses https://github.com/dineshsonachalam/markdown-autodocs/

to automatically generate a shell script into a markdown documentation file.
Example:

Ideally this leads to less duplication (because a technical step is only documented once in the script) and better documentation because the technical steps can actually be tested (as part of the script).

UI: Fix Position of new Advisories

The length of any given "Title" can vary greatly, which affects the position of the Title, Tracking ID, Version and State columns. Their position seems to move depending on the length of the longest title currently shown on the site and is different even with relatively minor differences in length.

Their position should probably be fixed, and a workaround for overly long titles could be considered to be implemented so the table no longer stretches beyond a screens width.

Implement Statistics

Currently, the Statistics-Page is empty sans the word "Statistics". The functionality still needs to be implemented.

Adjust sidebar if logged out due to inactivity

When idle for longer periods of time, the user will be logged out. If logged out this way, the sidebar will not reflect that. The user won't be able to access any of the tabs (since all of them will redirect them to /#/, except for about which will show the logged-out-about-page and logout, which will resolve the problem).

This could be confusing for the user (since they may mistakenly believe to be logged in due to the sidebar) or give unprivileged third parties extra information, since it's still visible who was logged in and which tabs they had access to, even if the tabs themselves are not accessible.

Information needed to display on the advisory overview

The following information is needed on the advisory overview:

  • A list of the first 4 CVEs per shown advisory
  • Max CVSS (already available via documents)
  • Max SSVC (already available via documents)
  • Title of the advisory (already available via documents)
  • ID (already available via documents)
  • Publisher (already available via documents)
  • Current Releasedate (already available via documents)
  • Document version (already available via documents)

Fix Setting Workflow

Setting the workflow of an advisory does not persist between reloads. The console shows an internal server error on setting a workflow, e.g.

XHR PUT http://localhost:5173/api/status/ExampleInstitution/ExampleAdvisory/read [HTTP/1.1 500 Internal Server Error 50ms]

This may be related to #42

Implement Configuration

Currently, the Configuration-Page is empty sans the word "Configuration". The functionality still needs to be implemented.

Clicking on the Advisory Version redirects to a 404 error

Reproduction:

Select an advisory. Click on the Advisory Version number on the top right.

Result: You're redirected to a 404-Error Page. (advisories/undefined/undefined/documents/1)

This seems to be a bug caused by:

  • Version 1 not existing
  • The advisory not being properly passed through (any advisory results in undefined)

Possibility to change the workflow state

The workflow state helps Kay to make his decision about the next steps ( see also #6). The application is already showing the state but it can't be changed yet. Now we first need an API endpoint to be able to change the workflow state. Then Kay should get the option to change the state for one or multiple documents. Some of the states should be set automatically.

It should be possible to set the following states:

  • read (automatically by client)
  • assessing (automatically by backend)
  • deleted
  • review
  • archived

connect different advisories that are related

Alex wants to connect two or more advisories that are closely related to evaluate them together.

Background: it could happen that the same vulnerability is reported by different parties in separate advisories. Alex wants to record this so that an evaluation can benefit from it.

Create SBOM formats SPDX and CycloneDX

Need a documented process to create software bill of materials in the formats

  • CycloneDX
  • SPDX

to be ready for publication with each release.
Should be an automatic generation if possible.

UI: Fill Empty Space on the Home Page

Currently, there is a lot of unused space on the home page, especially at the bottom part, if only viewing 10 Advisories per page. The next-biggest option of 20 advisories per page however is already longer than the page.
