
stig-manager's Introduction

STIG Manager

STIG Manager is an API and Web client for managing the assessment of Information Systems for compliance with security checklists published by the United States (U.S.) Defense Information Systems Agency (DISA). STIG Manager supports DISA checklists distributed as either a Security Technical Implementation Guide (STIG) or a Security Requirements Guide (SRG).

For many deployments, our official Docker image is a good choice.

Documentation

The STIG Manager documentation provides useful references, such as User and Setup Guides, videos, Release Notes, Terminology, and deployment scenarios.

Contributing

Please read our CONTRIBUTING document. It explains:

  • How you can get involved in the project and contribute
  • How to set up a development environment to work with the project's code

stig-manager's People

Contributors

cd-rite, csmig, dependabot[bot], jason-a-benda-navy-mil, matte22, rajesh-shres, russdj


stig-manager's Issues

BUG: "All checks" drop down filter doesn't work

Describe the bug

I found a bug in the:

  • API
  • UI
  • Elsewhere (Please specify)

There is a drop-down filter for "All checks" under the Collection review node which doesn't appear to work. "Manual checks" and "SCAP checks" are visible but nothing happens when you click them. This is not a problem when viewing a specific asset; the issue is only apparent under the collection review node.

Additionally, the free text filter has no effect here either.

  • I have checked to see if there is already an existing issue that describes this bug.

To Reproduce
Steps to reproduce the behavior:

  1. Go to Collections > STIGs > (some STIG) > Collection Review
  2. Click on "All checks"
  3. Try selecting "Manual checks" or "SCAP checks"
  4. Nothing happens
  5. Type something into the filter text
  6. Nothing happens

Expected behavior
Filter should be selectable, free text filter should work

Actual behavior
Filter options are visible but not selectable. Free text can be entered but nothing happens.

Screenshots
stig_manager_filter

Environment or Configuration:

  • Docker community for Windows. STIG Manager version beta 3.
  • Chrome and Microsoft Edge

test feature request

Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

FEATURE REQUEST: Enhance UI interface in .ckl import in asset-stig review interface

Describe the solution you'd like
In CKL import at individual asset-stig review screen, UI should provide feedback and/or provide basic vetting of the .ckl that is selected.
UI should present summary info about selected .ckl:
Check Asset included in submitted .ckl against asset the import action was selected for, indicate discrepancy.
Check STIG included in submitted .ckl against STIG the import action was selected for, indicate discrepancy.
Check included .ckl rules against current list of displayed rules. Indicate discrepancies, offer to just import rules included in the current rule display, if rules are filtered.

BUG: Failed to import STIGs from Cyber.mil

Describe the bug
api_1 | [INIT] Importing STIGs...
api_1 | Retreiving list of Compilation files from public.cyber.mil...
api_1 | DOWNLOADED 100.00% of 0.07 mb
api_1 | Retreiving https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_SRG-STIG_Library_2020_07v2.zip
api_1 | DOWNLOADED 4.68% of 204.13 mb
api_1 | DOWNLOADED 9.35% of 204.13 mb
api_1 | DOWNLOADED 14.03% of 204.13 mb
api_1 | DOWNLOADED 18.70% of 204.13 mb
api_1 | DOWNLOADED 23.38% of 204.13 mb
api_1 | DOWNLOADED 28.05% of 204.13 mb
api_1 | DOWNLOADED 32.73% of 204.13 mb
api_1 | DOWNLOADED 37.40% of 204.13 mb
api_1 | DOWNLOADED 42.08% of 204.13 mb
api_1 | DOWNLOADED 46.75% of 204.13 mb
api_1 | DOWNLOADED 51.43% of 204.13 mb
api_1 | DOWNLOADED 56.10% of 204.13 mb
api_1 | DOWNLOADED 60.77% of 204.13 mb
api_1 | DOWNLOADED 65.45% of 204.13 mb
api_1 | DOWNLOADED 70.12% of 204.13 mb
api_1 | DOWNLOADED 74.80% of 204.13 mb
api_1 | DOWNLOADED 79.48% of 204.13 mb
api_1 | DOWNLOADED 84.16% of 204.13 mb
api_1 | DOWNLOADED 88.83% of 204.13 mb
api_1 | DOWNLOADED 93.51% of 204.13 mb
api_1 | DOWNLOADED 98.19% of 204.13 mb
api_1 | DOWNLOADED 100.00% of 204.13 mb
api_1 | Processing ZIP...
api_1 |
api_1 | [1/207] -----------------------------
api_1 | EXTRACTING: U_A10_Networks_ADC_ALG_V1R1_STIG.zip
api_1 | PROCESSING: U_A10_Networks_ADC_ALG_V1R1_STIG.zip
api_1 | PARSING : U_A10_Networks_ADC_ALG_V1R1_Manual_STIG/U_A10_Networks_ADC_ALG_STIG_V1R1_Manual-xccdf.xml
api_1 | Connection 8 STATS ENTER
api_1 | Connection 8 STATS SELECT
api_1 | Connection 8 STATS UPDATE
api_1 | Connection 8 STATS ERROR Named query contains placeholders, but parameters object is undefined
api_1 | Error: Named query contains placeholders, but parameters object is undefined
api_1 | at toArrayParams (/home/node/node_modules/named-placeholders/index.js:95:13)
api_1 | at compile (/home/node/node_modules/named-placeholders/index.js:144:12)
api_1 | at PoolConnection._resolveNamedPlaceholders (/home/node/node_modules/mysql2/lib/connection.js:486:17)
api_1 | at PoolConnection.query (/home/node/node_modules/mysql2/lib/connection.js:499:10)
api_1 | at /home/node/node_modules/mysql2/promise.js:98:11
api_1 | at new Promise ()
api_1 | at PromisePoolConnection.query (/home/node/node_modules/mysql2/promise.js:93:12)
api_1 | at Object.module.exports.updateStatsAssetStig (/home/node/service/mysql/utils.js:425:39)
api_1 | at runMicrotasks ()
api_1 | at processTicksAndRejections (internal/process/task_queues.js:93:5)
api_1 | at async Object.exports.insertManualBenchmark (/home/node/service/mysql/STIGService.js:733:5)
api_1 | at async processZip (/home/node/utils/fetchStigs.js:140:20)
api_1 | at async processZip (/home/node/utils/fetchStigs.js:153:7)
api_1 | at async Object.fetchCompilation (/home/node/utils/fetchStigs.js:80:7)
api_1 | at async startServer (/home/node/index.js:160:7)

I found a bug in the:

  • API

Please include a clear and concise description of what the bug is.
When importing the Docker instance described here (https://hub.docker.com/r/nuwcdivnpt/stig-manager) it appears to fail to retrieve the STIGs from cyber.mil. After this failure the container loads and I am able to log into the localhost instance of STIG_Manager, where I also tried to import them into the running STIG_Manager, and that failed with the same errors as above. My instance of Docker is for Windows with WSL2 installed. STIG_Manager otherwise appears to be running. I can log in, create a collection, and add assets and users. I just cannot import STIGs against the assets because the benchmark data from cyber.mil was not imported. All attempts to import completed STIGs are ignored.

  • [x] I have checked to see if there is already an existing issue that describes this bug.
    I also looked over the documentation to ensure that I did not miss anything. Though I may have somewhere. I know that Node.js is required but assumed it was part of the Docker Container that was downloaded. Was not clear in the installation instructions.

To Reproduce
https://hub.docker.com/r/nuwcdivnpt/stig-manager Follow the steps here.

Expected behavior
For the STIGs to import as advertised "On initial container startup, STIG Manager will connect to DoD Cyber Exchange and import the latest STIG Library Compilation and any available SCAP content."

Actual behavior
What behavior did you actually experience? Failed to import the STIGs

Screenshots
image
If applicable, add screenshots to help explain your problem.

Environment or Configuration:

  • Docker Container installed using the Docker folder from the source code using the YML file from https://hub.docker.com/r/nuwcdivnpt/stig-manager
  • Chrome browser
  • Failed when running the "docker-compose up -d && docker-compose logs -f" command to initialize the containers and site.

test feature 3

Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

Looking to Contact Developer

I have a similar project that I am about to release for production. I would like to talk about your project and see how we can work together to solve this problem. My project uses Nessus scans which I then enhance with SCAP content. The application tracks the vulnerability and compliance for each SSP, allows users to set false positives, Not Applicables, severity and finding results. The application tracks assets and scanning. It auto-generates findings from approved templates. It reads the output of the Nessus results and not just the finding to ensure no false positives. It tracks test plans and associates findings to them. Users no longer have to look into SCAP files or Nessus CSVs; the dashboard shows them every control that fails and which check is associated with it. We just added a STIG dashboard to track STIG compliance by finding and IP. These are just a few of the features.

BUG: Docker example only works for localhost

Describe the bug

I found a bug in the:

  • API
  • UI
  • [x] Elsewhere (Please specify) Custom keycloak image

Accessing the docker-compose up result will never load on http://serverip:54000/ because the call to keycloak is hard-coded to be

http://localhost:8080/auth/realms/stigman/protocol/openid-connect/3p-cookies/step1.html

This can be seen in the keycloak.json which contains

{
  "realm": "stigman",
  "auth-server-url": "http://localhost:8080/auth",
  "ssl-required": "external",
  "resource": "stig-manager",
  "public-client": true,
  "confidential-port": 0
}
  • [x] I have checked to see if there is already an existing issue that describes this bug.

To Reproduce
Steps to reproduce the behavior:

  1. Copy Dockerfile to a server
  2. Run docker-compose up
  3. Attempt to access server at http://serverip:54000

Expected behavior

Expected behavior is that the STIG Manager UI loads to the interface. The example Docker setup will be more useful if it does not require installing on a local machine only. A good fix would be additional Docker ENV configurations that override the auth-server-url in the image at runtime.

Actual behavior

image

HTML entities in CKL are not decoded

Comments are importing now.

I did notice that it didn't like the "&" character from one of our comments fields. It should have read "RDT&E" but is reading "RDT&amp;E"

EDIT: GitHub is formatting the second one automatically. screenshot attached:

image

Originally posted by @sagansapien in #59 (comment)

BUG: Empty string scope not failing

A scope value of "" is accepted by the API

I found a bug in the:

  • API
  • UI
  • Elsewhere (Please specify)

Middleware that validates OAuth scope does not handle empty string properly

  • I have checked to see if there is already an existing issue that describes this bug.
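
A scope check that fails closed on an empty claim, as an added Python example (not STIG Manager's own Node.js middleware); the claim values are constructed, modelled on the stig-manager:* scope names carried in the bearer token quoted in the DEL reviews issue on this page:

```python
"""Added example, not STIG Manager's own middleware: checking the OAuth 2.0 'scope'
claim of a bearer token so that an empty scope is rejected exactly like a missing one."""
import re

# RFC 6749 section 3.3: scope = scope-token *( SP scope-token ),
# scope-token = 1*( %x21 / %x23-5B / %x5D-7E ), i.e. printable ASCII minus space, '"' and '\'.
_SCOPE_TOKEN = re.compile(r"[!#-\[\]-~]+")


def parse_scope(claim):
    """Return the granted scope tokens as a frozenset.

    None, "" and whitespace-only all map to the empty set, so any requirement
    checked against them fails closed. A non-string claim or a malformed token
    raises ValueError instead of being silently treated as granted.
    """
    if claim is None:
        return frozenset()
    if not isinstance(claim, str):
        raise ValueError("scope claim must be a string, got %s" % type(claim).__name__)
    tokens = claim.split()          # "" and "   " both split to [], never to [""]
    for token in tokens:
        if not _SCOPE_TOKEN.fullmatch(token):
            raise ValueError("malformed scope token: %r" % token)
    return frozenset(tokens)


def has_scope(claims, required):
    """True only when every token in `required` is granted by a whole-token match."""
    if not required:
        raise ValueError("an endpoint must require at least one scope")
    try:
        granted = parse_scope(claims.get("scope"))
    except ValueError:
        return False                # malformed claim: deny rather than guess
    return set(required) <= granted


def has_scope_substring(claims, required):
    """Pitfall, shown for contrast only: substring matching lets the read-only grant
    'stig-manager:stig:read' satisfy a requirement for the broader 'stig-manager:stig'."""
    claim = claims.get("scope") or ""
    return all(token in claim for token in required)


def require_scope(required):
    """Build a request-level check: claims -> (HTTP status, error body or None).
    RFC 6750 section 3.1: a token that lacks the needed scope gets 403 insufficient_scope."""
    def check(claims):
        if not has_scope(claims, required):
            return 403, {"error": "insufficient_scope", "required": sorted(required)}
        return 200, None
    return check


# Constructed sample claims (not real tokens); the scope names follow the
# stig-manager:* pattern used by the project.
FULL_CLAIMS = {"preferred_username": "stigmanadmin",
               "scope": "openid stig-manager:collection stig-manager:stig:read "
                        "stig-manager:user:read stig-manager:op stig-manager:user stig-manager:stig"}
READ_ONLY_CLAIMS = {"preferred_username": "reader",
                    "scope": "openid stig-manager:stig:read stig-manager:user:read"}
EMPTY_CLAIMS = {"preferred_username": "nobody", "scope": ""}   # the case from this issue

if __name__ == "__main__":
    guard = require_scope(["stig-manager:collection"])
    for name, claims in [("full", FULL_CLAIMS), ("read-only", READ_ONLY_CLAIMS), ("empty", EMPTY_CLAIMS)]:
        print(name, guard(claims)[0])
```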

Remove unused files, references to legacy code.

Issue Location

I found an issue in the:

  • API
  • UI
  • Elsewhere (Please specify)

Issue Description:

Several files in the client reference legacy .pl scripts:
collectionReview.js
poamWorkspace.js
reportTab.js
review.js
reviewTab.js
stigAdmin.js
stigmanUtils.js

candidate files for removal:
AssetAdmin.js
scanManagement.js
artifactAdmin.js

POST /stigs -> UTF-8 encoding not being handled properly.

Describe the bug

I found a bug in the:

  • API
  • UI
  • Elsewhere (Please specify)

Please include a clear and concise description of what the bug is.

Some STIG text displayed in STIGMan shows invalid/wrong characters due to improper handling of unicode in STIG source files.

  • [x] I have checked to see if there is already an existing issue that describes this bug.

To Reproduce
View rule SV-77809r3_rule in the WIN10 STIG. Manual check has line that reads:
"System type" is not "64-bit operating system�", this is a finding."

BUG: Align sample appdata, and sample keycloak

Describe the bug

I found a bug in the:

  • API
  • UI
  • Elsewhere (Please specify)

Please include a clear and concise description of what the bug is.
If it is in the API, please specify endpoint.
Including your actual request may be helpful as well.

  • I have checked to see if there is already an existing issue that describes this bug.

To Reproduce
Steps to reproduce the behavior:

  1. Go to '...'
  2. Click on '....'
  3. Scroll down to '....'
  4. See error

Expected behavior
A clear and concise description of what you expected to happen.

Actual behavior
What behavior did you actually experience?

Screenshots
If applicable, add screenshots to help explain your problem.

Environment or Configuration:

  • Container or Orchestration info
  • Browser
  • Other info

Additional context
Add any other context about the problem here.

GET /reviews -> could return a problematic number of reviews in large collections

For large collections, calls to:
GET collections/{collectionId}/reviews
could return very large result-set if no other parameters or filters are provided.

Possible solutions:

  1. Require at least one filter in the request (Still no guarantee of manageable result-set)
  2. Limit result-set to some API-documented value (10,000 reviews? 1 million reviews?)

Update jwks-rsa to 1.12.1

  • CVE-2020-28168 requires updating axios to 0.21.1.
  • axios is in our dependency tree as a dependency of jwks-rsa.
  • We need to update jwks-rsa from 1.8.1 to version 1.12.1 so the axios dependency is updated to axios 0.21.1

Home tab -> Version sprite should reflect the git describe tag

Describe the solution you'd like
Specifically indicate the version of STIGMan running in the UI version badge on the Home tab. The badge could include the portion of the git describe tag that indicates the number of commits since the last release, i.e. "1.0.0-beta.11-2" rather than just "1.0.0-beta.11".

Describe alternatives you've considered
The above info is currently shown in pop-up when hovering over the version badge, and includes a piece of the sha.

DEL of reviews returns 204, and does not delete the review.

Bug Location

I found a bug in the:

  • API
  • UI
  • Elsewhere (Please specify)

Bug Description:

request to DEL collections/{collectionId}/reviews/{assetId}/{ruleId}
always returns a 204 even if review exists, and does not delete the review (Except in case of test user collectionCreator, which has no permissions on the collection. Properly returns a 403 to that user.)

sample request:

curl --location --request DELETE 'localhost:64001/api/collections/21/reviews/42/SV-106179r1_rule?elevate=false&projection=rule&projection=history&projection=stigs' --header 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJGSjg2R2NGM2pUYk5MT2NvNE52WmtVQ0lVbWZZQ3FvcXRPUWVNZmJoTmxFIn0.eyJleHAiOjE2NzAzOTQzNDcsImlhdCI6MTYwNTYzMTQxMiwiYXV0aF90aW1lIjoxNjA1NTk0MzQ3LCJqdGkiOiJkYWY4Yjc0MS03M2QxLTRlYmEtOTZhZi1mODU1YWIwYmQyMjYiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvYXV0aC9yZWFsbXMvc3RpZ21hbiIsImF1ZCI6WyJyZWFsbS1tYW5hZ2VtZW50IiwiYWNjb3VudCJdLCJzdWIiOiJlYjk2NWQxNS1hYTc4LTQzZmMtYTJhNi0zZDg2MjU4YzFlZWMiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJzdGlnLW1hbmFnZXIiLCJub25jZSI6IjczOTM3YmUzLTRjY2MtNGZhNy04MjAyLTQ1Njg1NTIzZGQyYyIsInNlc3Npb25fc3RhdGUiOiI1YWMyYTkzOC0xMDc0LTRlNmEtOGM0Yi1lODNlNGU3ZDc2M2IiLCJhY3IiOiIwIiwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbImNyZWF0ZV9jb2xsZWN0aW9uIiwiYWRtaW4iLCJ1c2VyIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsicmVhbG0tbWFuYWdlbWVudCI6eyJyb2xlcyI6WyJ2aWV3LXVzZXJzIiwicXVlcnktZ3JvdXBzIiwicXVlcnktdXNlcnMiXX0sImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sInNjb3BlIjoib3BlbmlkIHN0aWctbWFuYWdlcjpjb2xsZWN0aW9uIHN0aWctbWFuYWdlcjpzdGlnOnJlYWQgc3RpZy1tYW5hZ2VyOnVzZXI6cmVhZCBzdGlnLW1hbmFnZXI6b3Agc3RpZy1tYW5hZ2VyOnVzZXIgc3RpZy1tYW5hZ2VyOnN0aWciLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsInByZWZlcnJlZF91c2VybmFtZSI6InN0aWdtYW5hZG1pbiJ9.IOk6RLhBwX8o29dmAC7QeSzr86B5w8C8gkyetn5uOhhgh-aEjWJSqLk74WvLjwfKnYgonfAMm-gbdiACFwMd7u7O5wNUNV5EQO8-6JKSUYyTvujS5NMY7rO-QtgskvKWvB8Vyrm33DvcUon-Kh_6LeSujcNczadN6oDbe-j1A1w'

Expected behavior
If user has proper grants, return code 200 and JSON representation of deleted review.
OR, remove API endpoint to delete reviews.

TEST NOTE:
Test for proper behavior currently in collection, but commented out starting with note:
"//START AZDO #154"

test feature request 22222

Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

Asset-STIG -> CKL import -> enhance interface

Describe the solution you'd like
In CKL import at individual asset-stig review screen, UI should provide feedback and/or provide basic vetting of the .ckl that is selected.
UI should present summary info about selected .ckl:
Check Asset included in submitted .ckl against asset the import action was selected for, indicate discrepancy.
Check STIG included in submitted .ckl against STIG the import action was selected for, indicate discrepancy.
Check included .ckl rules against current list of displayed rules. Indicate discrepancies, offer to just import rules included in the current rule display, if rules are filtered.

BUG: CKL Import stuck

Collection > Assets > hostname > STIG name > "Checklist" drop down > Import Results...

This CKL import still shows the verbose output, which is probably fine from a performance perspective because you're only importing a single file here anyways.

However, the "Importing file" dialogue appears to be stuck on "Initializing". The results appear to be importing, but it never says "Finished > Done" and remains "Initializing".

Thanks

BUG: STIG Collection Review Title Filter Not Working

image

Greetings,

The STIG collection title filter doesn't appear to be functional after immediately navigating to a collection review node. Initially, typing text into this field clears all rules from the list, as if there were no matches. I had to switch Checklist > Displayed Title > "Rule ID and title" to "Group ID and title" then back to "Rule ID and title". Afterwards the text filter worked as expected and the same text returns some matching rule titles.

This doesn't appear to be an issue with the title filter when browsing a stig > asset, just in the collection review.

Thanks!

Some sort of STIG Browser

Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

Describe the solution you'd like
I'd like to be able to look at the contents of a STIG without assigning it to an Asset

Describe alternatives you've considered
Make a dummy asset, assign a STIG just to look at it. But then it shows up in reports! etc.

Additional context
Add any other context or screenshots about the feature request here.

Item Hyperlinks

In tables that contain multiple assets, a hyperlink from the asset name "Asset-A" which takes you to the specific STIG checklist shown in that context would be nice. These links could open a new tab.

For instance:

Reports > Findings > Individual Findings table > --- this could link to the STIG details page for that particular asset / stig checklist.

Similarly with Reports > Status > --- this could link to the STIG details page for that particular asset / stig checklist.

This kind of linking would be useful in drilling down to specific problems so corrective action can be taken.

Thanks!

Manage Collection -> CKL/SCAP import -> job display

The final wizard panel should

  • output better descriptions of the job progress (the definition of 'better' can be discussed in this issue)
  • a summary line about the batch (statistics, etc.) would be helpful
  • allow saving the output to a file, which is consistent with other widgets.

BUG:

Describe the bug

I found a bug in the:

  • API
  • UI
  • Elsewhere (Please specify)

Please include a clear and concise description of what the bug is.
If it is in the API, please specify endpoint.
Including your actual request may be helpful as well.

  • I have checked to see if there is already an existing issue that describes this bug.

To Reproduce
Steps to reproduce the behavior:

  1. Go to '...'
  2. Click on '....'
  3. Scroll down to '....'
  4. See error

Expected behavior
A clear and concise description of what you expected to happen.

Actual behavior
What behavior did you actually experience?

Screenshots
If applicable, add screenshots to help explain your problem.

Environment or Configuration:

  • Container or Orchestration info
  • Browser
  • Other info

Additional context
Add any other context about the problem here.

GET /collections/{collectionId}/status -> null values

Describe the bug

I found a bug in the:

  • API
  • UI
  • Elsewhere (Please specify)

Bug Description:
Status report lists a "Checklist: (None)" when grouped by STIG
When grouped by Asset, STIGs that are assigned to an Asset but have no reviews at all are not listed.
Ultimately, this is because the API is not returning sensible statistics (as far as the extjs grid is concerned) for STIG Assignments that have no reviews.

To Reproduce
Steps to reproduce the behavior:

  1. Assign a STIG to an asset, but perform no reviews on it.
  2. Go to Status Report

Expected behavior
Status report should have row for each stig assigned to an asset
Return 0s rather than nulls

Screenshots
image

Additional context
The fix for this may require revisiting the current approach to STIG Completion statistics.
(at the very least, calculating them when a new STIG assignment is made, or revisiting the need for pre-calculating them at all vs. on demand)

POST /collections/{collectionId}/reviews/{assetId} -> CKL -> strict checks

  • This issue originally recorded in AZDO item 155:

POST of ckl file to /collections/{collectionId}/reviews/{assetId}
is not performing strict asset check or benchmark check

CKL imports should (optionally?) check that they:

  1. contain results that match the asset specified in the endpoint
  2. contain results that match rules associated with that assets assigned STIGs.
  3. if level 1 user is performing import, that user has grants that allow modifications to included ruleset.
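
The three checks above, together with the asset, STIG and rule-display vetting requested in the two CKL import interface issues on this page, as one added Python example (not STIG Manager's code); the CKL element layout is assumed from the STIG Viewer checklist format, and the host name, benchmark id and second rule id are constructed values:

```python
"""Added example, not STIG Manager's own import code: pre-import vetting of a CKL
against the asset and STIG assignment the import was requested for."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field


@dataclass
class CklSummary:
    host_name: str
    benchmarks: list                                   # stigid of every <iSTIG> in the file
    status: dict = field(default_factory=dict)         # Rule_ID -> STATUS
    comments: dict = field(default_factory=dict)       # Rule_ID -> COMMENTS, entities decoded


def parse_ckl(ckl):
    """Pull the identifying fields out of a STIG Viewer CKL. Element names are assumed:
    CHECKLIST/ASSET/HOST_NAME, STIGS/iSTIG/STIG_INFO/SI_DATA and iSTIG/VULN/STIG_DATA."""
    data = ckl.encode("utf-8") if isinstance(ckl, str) else ckl   # uploads arrive as bytes
    root = ET.fromstring(data)
    if root.tag != "CHECKLIST":
        raise ValueError("not a CKL: root element is %r" % root.tag)
    summary = CklSummary((root.findtext("ASSET/HOST_NAME") or "").strip(), [])
    for istig in root.iterfind("STIGS/iSTIG"):
        for si in istig.iterfind("STIG_INFO/SI_DATA"):
            if si.findtext("SID_NAME") == "stigid":
                summary.benchmarks.append((si.findtext("SID_DATA") or "").strip())
        for vuln in istig.iterfind("VULN"):
            rule_id = next(((sd.findtext("ATTRIBUTE_DATA") or "").strip()
                            for sd in vuln.iterfind("STIG_DATA")
                            if sd.findtext("VULN_ATTRIBUTE") == "Rule_ID"), "")
            if not rule_id:
                continue                       # nothing to map a review to
            summary.status[rule_id] = (vuln.findtext("STATUS") or "").strip()
            # ElementTree decodes character entities, so "RDT&amp;E" arrives as "RDT&E".
            summary.comments[rule_id] = vuln.findtext("COMMENTS") or ""
    return summary


def vet_ckl(ckl, target_asset, assigned_benchmarks, displayed_rules=None, granted_benchmarks=None):
    """Checks 1-3 from the issue. Returns a dict the UI can show before committing anything:
    which checks failed, and the subset of rules that would be imported as things stand."""
    s = parse_ckl(ckl)
    report = {
        "asset_ok": s.host_name.lower() == target_asset.lower(),    # host names are case-insensitive
        "unassigned_benchmarks": [b for b in s.benchmarks if b not in assigned_benchmarks],
        "ungranted_benchmarks": [],
        "hidden_rules": [],
        "importable_rules": sorted(s.status),
    }
    if granted_benchmarks is not None:   # restricted user: only benchmarks they hold a grant for
        report["ungranted_benchmarks"] = [b for b in s.benchmarks if b not in granted_benchmarks]
    if displayed_rules is not None:      # rule display is filtered: offer to import only what is shown
        shown = set(displayed_rules)
        report["hidden_rules"] = sorted(r for r in s.status if r not in shown)
        report["importable_rules"] = sorted(r for r in s.status if r in shown)
    report["ok"] = (report["asset_ok"] and not report["unassigned_benchmarks"]
                    and not report["ungranted_benchmarks"])
    return report


# Constructed sample CKL: host name, benchmark id and the second rule id are made up;
# SV-77809r3_rule is the Windows 10 rule cited in the UTF-8 issue on this page.
SAMPLE_CKL = """<?xml version="1.0" encoding="UTF-8"?>
<CHECKLIST>
  <ASSET><ROLE>None</ROLE><ASSET_TYPE>Computing</ASSET_TYPE><HOST_NAME>ws01.example.test</HOST_NAME></ASSET>
  <STIGS><iSTIG>
    <STIG_INFO>
      <SI_DATA><SID_NAME>version</SID_NAME><SID_DATA>1</SID_DATA></SI_DATA>
      <SI_DATA><SID_NAME>stigid</SID_NAME><SID_DATA>Windows_10_STIG</SID_DATA></SI_DATA>
    </STIG_INFO>
    <VULN>
      <STIG_DATA><VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE><ATTRIBUTE_DATA>SV-77809r3_rule</ATTRIBUTE_DATA></STIG_DATA>
      <STATUS>Open</STATUS>
      <FINDING_DETAILS>System type reports a 32-bit operating system.</FINDING_DETAILS>
      <COMMENTS>RDT&amp;E system; mitigation tracked in POA&amp;M.</COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA><VULN_ATTRIBUTE>Rule_ID</VULN_ATTRIBUTE><ATTRIBUTE_DATA>SV-00001r1_rule</ATTRIBUTE_DATA></STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS>
    </VULN>
  </iSTIG></STIGS>
</CHECKLIST>
"""

if __name__ == "__main__":
    print(vet_ckl(SAMPLE_CKL, "WS01.example.test", ["Windows_10_STIG"],
                  displayed_rules=["SV-77809r3_rule"]))
```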

STIG import too large

image
When trying to upload the Windows 10 STIG CKL file for one of our systems, it fails with the attached message: Post request is too large. I assume it's referring to the size of the file being imported. The smaller CKLs seem to be importing fine but the 1.5 MB Windows 10 CKL files are failing. They are so large because of all the test data generated by Evaluate-STIG (the tool that generates the CKLs for us); there is a lot of text in the comments and finding details that we do not want to lose.

Please let me know if further information is needed to recreate this issue.

BUG: CKL Review/Comments fields

Not really sure if this is a bug or feature request.

Collections > Assets > asset name > STIG name > "Review on asset name" > "Evaluation" section.

image

The "Comment" box is pulling text from the CKL "Finding Details" node. As user, this is misleading. Shouldn't this text box be labeled "Finding Details"?

The actual "Comments" node from the CKL is not visible in this area of STIG Manager. For open findings, I need to verify the CKL comments field is populated with a mitigation statement. I would prefer to be able to collapse the "Review Resources" box and have both the CKL Comments and Finding Details boxes available for review/edit.

Thanks!

BUG: Difficulty Importing Large Quantities of CKLs

Greetings,

I attempted to import approximately 1500 CKLs into a collection last night. It parsed very quickly but the "Importing data" step ran for several hours and did not appear to complete. When I checked again this morning, my session had timed out. There are lots of new Assets but not all of them.

Now attempting to import the same 1500 CKLs again. I got the same warning about the same 3 duplicates from the initial load. Since this is the second import of this batch, I expected it to detect many more (several hundred) duplicates that had been successfully imported from the first attempt and skip them. It appears to be starting over and importing the same CKLs again.

Is there a timeout issue during large imports?

Can the status of previous import operations be found in the logs somewhere? For example, "on this date, 600 files were successfully imported, 35 new assets were created, 500 files failed to import".

What is the expected behavior of the duplicate detection function?

Can the total number of CKLs added to a collection be viewed?

Thank you!

Collection Review -> Export/Copy Results

I'm reviewing open findings for a bunch of systems using the Collection Review node. So, I have X number of systems with the same finding. Imagine I have a script that I can use to remediate this finding but I need to get a list of the hostnames or IPs.

In the "Reviews of " pane, it would be super if I could sort/filter by status, then have some ability to copy the column of asset names. Or, a function to export this view to CSV where I could filter, sort, and select all relevant asset names. This would help in finding open issues and then remediating them. Or, just for reporting. I might need to send a list of systems with X Open STIG finding to the respective administrators.

Thanks!

Asset name length >= 255 characters

Is your feature request related to a problem? Please describe.
I found the 45-character limit on asset names somewhat limiting.
Some users may always use the FQDN for asset names, rather than a shorter name.
(I think) Host name fields from STIG Viewer checklists are not limited to 45 characters.

Describe the solution you'd like
Asset name column/field could be the same length as the FQDN (255 characters)

Describe alternatives you've considered
Manually enforcing shorter host names before import, but that may require editing every checklist before import.

Some way of importing SCAP evaluations from HBSS

Describe the solution you'd like
I'd like a way to import HBSS SCAP evaluations directly into STIG Manager. Thanks, Developers!

Describe alternatives you've considered
Exporting from HBSS every day into ckls and then importing into STIG Manager is very cumbersome.

Additional context
Add any other context or screenshots about the feature request here.

Column Filters

Lots of various columns would be more useful if there were a filter option, similar to Excel.

Potential locations for filters:

Collections > Collection A > STIGs > STIG A > Collection Review > "Reviews of " > Status, Result columns

Collections > Collection A > Reports > Findings > Aggregated Findings > CAT, STIGs columns

This would help in reviewing large quantities of CKLs and looking for specific attributes, such as NR, Open, etc. findings.

Thanks!

Support "Not Reviewed" status for reviews

Greetings,

CKLs that have Not Reviewed items but do have Finding Details written for those items do not import the Finding Details to stigman.

Expected to import this item as NR but show any Finding Details or Comments from the CKL for that item.

Thanks!

BUG: returning reviews out of scope to lvl1 users

I found a bug in the:

  • [x] API
  • UI
  • Elsewhere (Please specify)

GET /collections/{collectionId}/reviews/{assetId}
and
GET /collections/{collectionId}/reviews/

returning reviews for STIGs the user does not have a grant for.
