initialize project structure with essential configurations and components

.deepsource.toml

@@ -0,0 +1,25 @@
+version = 1
+xclude_patterns = [  
+  "dist/**",  
+  "**/node_modules/",  
+  "js/**/*.min.js",
+  "backend/**/*"
+]
+
+[[analyzers]]
+name = "javascript"
+enabled = true
+
+[analyzers.meta]
+environment = ["mongo"]
+plugins = ["react"]
+skip_doc_coverage = ["class-expression", "method-definition"]
+dependency_file_paths = [
+  "./frontend/",
+  "./"
+]
+dialect = "typescript"
+
+[[transformers]]  
+name = "prettier"  
+enabled = false

.env.example

@@ -0,0 +1,2 @@
+CWE_MODEL_URL=https://drive.usercontent.google.com/download?id=1OtRNObv-Il2B5nDnpzMSGj_yBJAlskuS&export=download&confirm=```
+CVSS_MODEL_URL=https://drive.usercontent.google.com/download?id=1nS1lQpVVJ431wUyVSs5_Srega6QVPyc8&export=download&confirm=

.gitattributes

@@ -33,3 +33,4 @@ saved_model/**/* filter=lfs diff=lfs merge=lfs -text
 *.zip filter=lfs diff=lfs merge=lfs -text
 *.zst filter=lfs diff=lfs merge=lfs -text
 *tfevents* filter=lfs diff=lfs merge=lfs -text
+*.gif filter=lfs diff=lfs merge=lfs -text

.gitconfig

@@ -0,0 +1,2 @@
+[pull]
+	rebase = yes

.gitignore

@@ -0,0 +1,30 @@
+.DS_Store
+.thumbs.db
+node_modules
+/dist
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+mongo-data*
+.quasar
+.venv
+package-lock.json
+.env
+
+# Editor directories and files
+.idea
+.vscode
+*.suo
+*.ntvs*
+*.njsproj
+*.sln
+.dccache
+.sourcery.yaml
+
+# Version managers
+.tool-versions
+
+
+# modelo
+cwe_api/modelo_cwe
+cwe_api/utils

LICENSE.md

@@ -0,0 +1,22 @@
+MIT License
+
+Copyright (c) 2024 Camilo Vera Vidales
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+

app.py

@@ -0,0 +1,7 @@
+from fastapi import FastAPI
+
+app = FastAPI()
+
+@app.get("/")
+def greet_json():
+    return {"Hello": "World!"}

backend/.dockerignore

@@ -0,0 +1,3 @@
+node_modules
+mongo-data
+mongo-data-dev

backend/.prettierrc

@@ -0,0 +1,12 @@
+{
+  "arrowParens": "avoid",
+  "singleQuote": true,
+  "overrides": [
+    {
+      "files": ".changeset/**/*",
+      "options": {
+        "singleQuote": false
+      }
+    }
+  ]
+}

backend/Dockerfile

@@ -0,0 +1,12 @@
+FROM node:lts-alpine
+
+RUN mkdir -p /app
+WORKDIR /app
+COPY package*.json ./
+RUN apk --no-cache add --virtual builds-deps build-base python3 git libreoffice ttf-liberation
+RUN npm install
+COPY . .
+EXPOSE 4242
+ENV NODE_ENV prod
+ENV NODE_ICU_DATA=node_modules/full-icu
+ENTRYPOINT ["npm", "start"]

backend/Dockerfile.dev

@@ -0,0 +1,11 @@
+FROM node:lts-alpine
+
+RUN mkdir -p /app
+WORKDIR /app
+COPY package*.json ./
+RUN apk --no-cache add --virtual builds-deps build-base python3 git libreoffice ttf-liberation
+RUN npm install
+COPY . .
+ENV NODE_ENV dev
+ENV NODE_ICU_DATA=node_modules/full-icu
+ENTRYPOINT [ "npm", "run", "dev"]

backend/Dockerfile.test

@@ -0,0 +1,12 @@
+FROM node:lts-alpine
+
+RUN mkdir -p /app
+WORKDIR /app
+COPY package*.json ./
+RUN apk --no-cache add --virtual builds-deps build-base python3 git libreoffice ttf-liberation
+RUN npm install
+COPY . .
+ENV NODE_ENV test
+ENV NODE_ICU_DATA=node_modules/full-icu
+RUN npm install
+ENTRYPOINT ["npm", "run", "test"]

backend/README.md

@@ -0,0 +1,21 @@
+# Installation for developpment environnment
+
+*Source code can be modified live and application will automatically reload on changes.*
+
+Build and run Docker containers
+```
+docker-compose -f ./docker-compose.dev.yml up -d --build
+```
+
+Display container logs
+```
+docker-compose logs -f
+```
+
+Stop/Start container
+```
+docker-compose stop
+docker-compose start
+```
+
+API is accessible through https://localhost:5252/api

backend/babel.config.js

@@ -0,0 +1,12 @@
+module.exports = {
+  presets: [
+    [
+      '@babel/preset-env',
+      {
+        targets: {
+          node: 'current',
+        },
+      },
+    ],
+  ],
+};

backend/docker-compose.dev.yml

@@ -0,0 +1,41 @@
+version: '3'
+services:
+  mongodb:
+    image: mongo:4.2.15
+    container_name: mongo-auditforge-dev
+    volumes:
+      - ./mongo-data-dev:/data/db
+    restart: always
+    ports:
+      - 127.0.0.1:27017:27017
+    environment:
+      - MONGO_DB:auditforge
+    networks:
+      - backend
+
+  auditforge-backend:
+    build:
+      context: .
+      dockerfile: Dockerfile.dev
+    image: auditforge:backend-dev
+    container_name: auditforge-backend-dev
+    volumes:
+      - ./src:/app/src
+      - ./ssl:/app/ssl
+      - ./report-templates:/app/report-templates
+    depends_on:
+      - mongodb
+    restart: always
+    ports:
+      - 5252:5252
+    links:
+      - mongodb
+    networks:
+      - backend
+
+volumes:
+  mongo-data-dev:
+
+networks:
+  backend:
+    driver: bridge

backend/docker-compose.test.yml

@@ -0,0 +1,30 @@
+version: '3'
+services:
+  mongodb-test:
+    image: mongo:4.2.15
+    container_name: mongo-auditforge-test
+    volumes:
+      - ./mongo-data-test:/data/db
+    restart: always
+    environment:
+      - MONGO_DB:auditforge
+    network_mode: host
+
+  backend-test:
+    image: auditforge:backend-test
+    build:
+      context: .
+      dockerfile: Dockerfile.test
+    container_name: auditforge-backend-test
+    volumes:
+      - ./tests:/app/tests
+      - ./src:/app/src
+      - ./jest.config.js:/app/jest.config.js
+    environment:
+      API_URL: https://localhost:4242
+    depends_on:
+      - mongodb-test
+    network_mode: host
+
+volumes:
+  mongo-data-test:

backend/jest.config.js

@@ -0,0 +1,4 @@
+module.exports = {
+  testEnvironment: 'node',
+  verbose: true,
+};

backend/report-templates/.gitignore

@@ -0,0 +1 @@
+*.docx

backend/src/app.js

@@ -0,0 +1,170 @@
+var fs = require('fs');
+var app = require('express')();
+
+var https = require('https').Server(
+  {
+    key: fs.readFileSync(__dirname + '/../ssl/server.key'),
+    cert: fs.readFileSync(__dirname + '/../ssl/server.cert'),
+
+    // TLS Versions
+    maxVersion: 'TLSv1.3',
+    minVersion: 'TLSv1.2',
+
+    // Hardened configuration
+    ciphers:
+      'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384',
+
+    honorCipherOrder: false,
+  },
+  app,
+);
+app.disable('x-powered-by');
+
+var io = require('socket.io')(https, {
+  cors: {
+    origin: '*',
+  },
+});
+var bodyParser = require('body-parser');
+var cookieParser = require('cookie-parser');
+var utils = require('./lib/utils');
+
+// Get configuration
+var env = process.env.NODE_ENV || 'dev';
+var config = require('./config/config.json')[env];
+global.__basedir = __dirname;
+
+// Database connection
+var mongoose = require('mongoose');
+// Use native promises
+mongoose.Promise = global.Promise;
+// Trim all Strings
+mongoose.Schema.Types.String.set('trim', true);
+
+mongoose.connect(
+  `mongodb://${config.database.server}:${config.database.port}/${config.database.name}`,
+  {},
+);
+
+// Models import
+require('./models/user');
+require('./models/audit');
+require('./models/client');
+require('./models/company');
+require('./models/template');
+require('./models/vulnerability');
+require('./models/vulnerability-update');
+require('./models/language');
+require('./models/audit-type');
+require('./models/vulnerability-type');
+require('./models/vulnerability-category');
+require('./models/custom-section');
+require('./models/custom-field');
+require('./models/image');
+require('./models/settings');
+
+// Socket IO configuration
+io.on('connection', socket => {
+  socket.on('join', data => {
+    console.log(
+      `user ${data.username.replace(/\n|\r/g, '')} joined room ${data.room.replace(/\n|\r/g, '')}`,
+    );
+    socket.username = data.username;
+    do {
+      socket.color =
+        '#' + (0x1000000 + Math.random() * 0xffffff).toString(16).substr(1, 6);
+    } while (socket.color === '#77c84e');
+    socket.join(data.room);
+    io.to(data.room).emit('updateUsers');
+  });
+  socket.on('leave', data => {
+    console.log(
+      `user ${data.username.replace(/\n|\r/g, '')} left room ${data.room.replace(/\n|\r/g, '')}`,
+    );
+    socket.leave(data.room);
+    io.to(data.room).emit('updateUsers');
+  });
+  socket.on('updateUsers', data => {
+    var userList = [
+      ...new Set(
+        utils.getSockets(io, data.room).map(s => {
+          var user = {};
+          user.username = s.username;
+          user.color = s.color;
+          user.menu = s.menu;
+          if (s.finding) user.finding = s.finding;
+          if (s.section) user.section = s.section;
+          return user;
+        }),
+      ),
+    ];
+    io.to(data.room).emit('roomUsers', userList);
+  });
+  socket.on('menu', data => {
+    socket.menu = data.menu;
+    data.finding ? (socket.finding = data.finding) : delete socket.finding;
+    data.section ? (socket.section = data.section) : delete socket.section;
+    io.to(data.room).emit('updateUsers');
+  });
+  socket.on('disconnect', () => {
+    socket.broadcast.emit('updateUsers');
+  });
+});
+
+// CORS
+app.use(function (req, res, next) {
+  res.header('Access-Control-Allow-Origin', req.headers.origin);
+  res.header('Access-Control-Allow-Methods', 'GET,POST,DELETE,PUT,OPTIONS');
+  res.header(
+    'Access-Control-Allow-Headers',
+    'Origin, X-Requested-With, Content-Type, Accept',
+  );
+  res.header('Access-Control-Expose-Headers', 'Content-Disposition');
+  res.header('Access-Control-Allow-Credentials', 'true');
+  next();
+});
+
+// CSP
+app.use(function (req, res, next) {
+  res.header(
+    'Content-Security-Policy',
+    "default-src 'none'; form-action 'none'; base-uri 'self'; frame-ancestors 'none'; sandbox; require-trusted-types-for 'script';",
+  );
+  next();
+});
+
+app.use(bodyParser.json({ limit: '100mb' }));
+app.use(
+  bodyParser.urlencoded({
+    limit: '10mb',
+    extended: false, // do not need to take care about images, videos -> false: only strings
+  }),
+);
+
+app.use(cookieParser());
+
+// Routes import
+require('./routes/user')(app);
+require('./routes/audit')(app, io);
+require('./routes/client')(app);
+require('./routes/company')(app);
+require('./routes/vulnerability')(app);
+require('./routes/template')(app);
+require('./routes/vulnerability')(app);
+require('./routes/data')(app);
+require('./routes/image')(app);
+require('./routes/settings')(app);
+require('./routes/cwe')(app);
+require('./routes/cvss')(app);
+require('./routes/check-cwe-update')(app);
+require('./routes/update-cwe-model')(app);
+
+app.get('*', function (req, res) {
+  res.status(404).json({ status: 'error', data: 'Route undefined' });
+});
+
+// Start server
+
+https.listen(config.port, config.host);
+
+module.exports = app;

backend/src/config/config-cwe.json

@@ -0,0 +1,12 @@
+{
+  "cwe-container": {
+    "host": "auditforge-cwe-api",
+    "port": 8000,
+    "check_timeout_ms": 30000,
+    "update_timeout_ms": 120000,
+    "endpoints": {
+      "check_update_endpoint": "check_cwe_update",
+      "update_cwe_endpoint": "update_cwe_model"
+    }
+  }
+}

backend/src/config/config.json

@@ -0,0 +1,33 @@
+{
+  "dev": {
+    "port": 5252,
+    "host": "",
+    "database": {
+      "name": "auditforge",
+      "server": "mongo-auditforge-dev",
+      "port": "27017"
+    },
+    "jwtSecret": "1a039133523dfca9cd5d0ac385c16f0f061558a96dc57384854ef90ed53e86dd",
+    "jwtRefreshSecret": "95b0c96984c301d94b41c3d2306fd041a001c58516eb5a23f83044822f42e558"
+  },
+  "prod": {
+    "port": 4242,
+    "host": "",
+    "database": {
+      "name": "auditforge",
+      "server": "mongo-auditforge",
+      "port": "27017"
+    },
+    "jwtSecret": "8565a16daedc531581393a08812af3c9043e702069216c54bd51c6613bcf9811",
+    "jwtRefreshSecret": "54f27d78990b5f4537702dbf97d9d746c7cb8172f070a1212933c877e8fc98a8"
+  },
+  "test": {
+    "port": 6262,
+    "host": "",
+    "database": {
+      "name": "auditforge",
+      "server": "127.0.0.1",
+      "port": "27017"
+    }
+  }
+}

backend/src/config/roles.json

@@ -0,0 +1,6 @@
+{
+  "report": {
+    "inherits": ["user"],
+    "allows": ["audits:read-all"]
+  }
+}

backend/src/lib/auth.js

@@ -0,0 +1,193 @@
+// Dynamic generation of JWT Secret if not exist (different for each environnment)
+var fs = require('fs');
+var env = process.env.NODE_ENV || 'dev';
+var config = require('../config/config.json');
+
+if (!config[env].jwtSecret) {
+  config[env].jwtSecret = require('crypto').randomBytes(32).toString('hex');
+  var configString = JSON.stringify(config, null, 4);
+  fs.writeFileSync(`${__basedir}/config/config.json`, configString);
+}
+if (!config[env].jwtRefreshSecret) {
+  config[env].jwtRefreshSecret = require('crypto')
+    .randomBytes(32)
+    .toString('hex');
+  var configString = JSON.stringify(config, null, 4);
+  fs.writeFileSync(`${__basedir}/config/config.json`, configString);
+}
+
+var jwtSecret = config[env].jwtSecret;
+exports.jwtSecret = jwtSecret;
+
+var jwtRefreshSecret = config[env].jwtRefreshSecret;
+exports.jwtRefreshSecret = jwtRefreshSecret;
+
+/*  ROLES LOGIC
+
+    role_name: {
+        allows: [],
+        inherits: []
+    }
+    allows: allowed permissions to access | use * for all
+    inherits: inherits other users "allows"
+*/
+
+const builtInRoles = {
+  user: {
+    allows: [
+      // Audits
+      'audits:create',
+      'audits:read',
+      'audits:update',
+      'audits:delete',
+      // Images
+      'images:create',
+      'images:read',
+      // Clients
+      'clients:create',
+      'clients:read',
+      'clients:update',
+      'clients:delete',
+      // Companies
+      'companies:create',
+      'companies:read',
+      'companies:update',
+      'companies:delete',
+      // Languages
+      'languages:read',
+      // Audit Types
+      'audit-types:read',
+      // Vulnerability Types
+      'vulnerability-types:read',
+      // Vulnerability Categories
+      'vulnerability-categories:read',
+      // Sections Data
+      'sections:read',
+      // Templates
+      'templates:read',
+      // Users
+      'users:read',
+      // Roles
+      'roles:read',
+      // Vulnerabilities
+      'vulnerabilities:read',
+      'vulnerability-updates:create',
+      // Custom Fields
+      'custom-fields:read',
+      // Settings
+      'settings:read-public',
+      // Classify
+      'classify:all',
+      // Check CWE Update
+      'check-update:all',
+      // Update CWE Model
+      'update-model:all',
+    ],
+  },
+  admin: {
+    allows: '*',
+  },
+};
+
+try {
+  var customRoles = require('../config/roles.json');
+} catch (error) {
+  var customRoles = [];
+}
+var roles = { ...customRoles, ...builtInRoles };
+
+class ACL {
+  constructor(roles) {
+    if (typeof roles !== 'object') {
+      throw new TypeError('Expected an object as input');
+    }
+    this.roles = roles;
+  }
+
+  isAllowed(role, permission) {
+    // Check if role exists
+    if (!this.roles[role] && !this.roles['user']) {
+      return false;
+    }
+
+    let $role = this.roles[role] || this.roles['user']; // Default to user role in case of inexistant role
+    // Check if role is allowed with permission
+    if (
+      $role.allows &&
+      ($role.allows === '*' || $role.allows.indexOf(permission) !== -1)
+    ) {
+      return true;
+    }
+
+    // Check if there is inheritance
+    if (!$role.inherits || $role.inherits.length < 1) {
+      return false;
+    }
+
+    // Recursive check childs until true or false
+    return $role.inherits.some(role => this.isAllowed(role, permission));
+  }
+
+  hasPermission(permission) {
+    var Response = require('./httpResponse');
+    var jwt = require('jsonwebtoken');
+
+    return (req, res, next) => {
+      if (!req.cookies['token']) {
+        Response.Unauthorized(res, 'No token provided');
+        return;
+      }
+
+      var cookie = req.cookies['token'].split(' ');
+      if (cookie.length !== 2 || cookie[0] !== 'JWT') {
+        Response.Unauthorized(res, 'Bad token type');
+        return;
+      }
+
+      var token = cookie[1];
+      jwt.verify(token, jwtSecret, (err, decoded) => {
+        if (err) {
+          if (err.name === 'TokenExpiredError')
+            Response.Unauthorized(res, 'Expired token');
+          else Response.Unauthorized(res, 'Invalid token');
+          return;
+        }
+
+        if (
+          permission === 'validtoken' ||
+          this.isAllowed(decoded.role, permission)
+        ) {
+          req.decodedToken = decoded;
+          return next();
+        } else {
+          Response.Forbidden(res, 'Insufficient privileges');
+          return;
+        }
+      });
+    };
+  }
+
+  buildRoles(role) {
+    var currentRole = this.roles[role] || this.roles['user']; // Default to user role in case of inexistant role
+
+    var result = currentRole.allows || [];
+
+    if (currentRole.inherits) {
+      currentRole.inherits.forEach(element => {
+        result = [...new Set([...result, ...this.buildRoles(element)])];
+      });
+    }
+
+    return result;
+  }
+
+  getRoles(role) {
+    var result = this.buildRoles(role);
+
+    if (result.includes('*')) return '*';
+
+    return result;
+  }
+}
+
+exports.acl = new ACL(roles);

backend/src/lib/custom-generator.js

@@ -0,0 +1,94 @@
+var expressions = require('angular-expressions');
+
+// Apply all customs functions
+function apply(data) {}
+exports.apply = apply;
+
+// *** Custom modifications of audit data for usage in word template
+
+// *** Custome Angular expressions filters ***
+
+var filters = {};
+
+// Convert input CVSS criteria into French: {input | criteriaFR}
+expressions.filters.criteriaFR = function (input) {
+  var result = 'Non défini';
+
+  if (input === 'Network') result = 'Réseau';
+  else if (input === 'Adjacent Network') result = 'Réseau Local';
+  else if (input === 'Local') result = 'Local';
+  else if (input === 'Physical') result = 'Physique';
+  else if (input === 'None') result = 'Aucun';
+  else if (input === 'Low') result = 'Faible';
+  else if (input === 'High') result = 'Haute';
+  else if (input === 'Required') result = 'Requis';
+  else if (input === 'Unchanged') result = 'Inchangé';
+  else if (input === 'Changed') result = 'Changé';
+
+  return result;
+};
+
+// Convert input date with parameter s (full,short): {input | convertDate: 's'}
+expressions.filters.convertDateFR = function (input, s) {
+  var date = new Date(input);
+  if (date !== 'Invalid Date') {
+    var monthsFull = [
+      'Janvier',
+      'Février',
+      'Mars',
+      'Avril',
+      'Mai',
+      'Juin',
+      'Juillet',
+      'Août',
+      'Septembre',
+      'Octobre',
+      'Novembre',
+      'Décembre',
+    ];
+    var monthsShort = [
+      '01',
+      '02',
+      '03',
+      '04',
+      '05',
+      '06',
+      '07',
+      '08',
+      '09',
+      '10',
+      '11',
+      '12',
+    ];
+    var days = [
+      'Dimanche',
+      'Lundi',
+      'Mardi',
+      'Mercredi',
+      'Jeudi',
+      'Vendredi',
+      'Samedi',
+    ];
+    var day = date.getUTCDate();
+    var month = date.getUTCMonth();
+    var year = date.getUTCFullYear();
+    if (s === 'full') {
+      return (
+        days[date.getUTCDay()] +
+        ' ' +
+        (day < 10 ? '0' + day : day) +
+        ' ' +
+        monthsFull[month] +
+        ' ' +
+        year
+      );
+    }
+    if (s === 'short') {
+      return (
+        (day < 10 ? '0' + day : day) + '/' + monthsShort[month] + '/' + year
+      );
+    }
+  }
+};
+
+exports.expressions = expressions;

backend/src/lib/cvsscalc31.js

@@ -0,0 +1,1091 @@
+/* Copyright (c) 2019, FIRST.ORG, INC.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
+ * following conditions are met:
+ * 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following
+ *    disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
+ *    following disclaimer in the documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote
+ *    products derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* This JavaScript contains two main functions. Both take CVSS metric values and calculate CVSS scores for Base,
+ * Temporal and Environmental metric groups, their associated severity ratings, and an overall Vector String.
+ *
+ * Use CVSS31.calculateCVSSFromMetrics if you wish to pass metric values as individual parameters.
+ * Use CVSS31.calculateCVSSFromVector if you wish to pass metric values as a single Vector String.
+ *
+ * Changelog
+ *
+ * 2019-06-01  Darius Wiles   Updates for CVSS version 3.1:
+ *
+ *                            1) The CVSS31.roundUp1 function now performs rounding using integer arithmetic to
+ *                               eliminate problems caused by tiny errors introduced during JavaScript math
+ *                               operations. Thanks to Stanislav Kontar of Red Hat for suggesting and testing
+ *                               various implementations.
+ *
+ *                            2) Environmental formulas changed to prevent the Environmental Score decreasing when
+ *                               the value of an Environmental metric is raised. The problem affected a small
+ *                               percentage of CVSS v3.0 metrics. The change is to the modifiedImpact
+ *                               formula, but only affects scores where the Modified Scope is Changed (or the
+ *                               Scope is Changed if Modified Scope is Not Defined).
+ *
+ *                            3) The JavaScript object containing everything in this file has been renamed from
+ *                               "CVSS" to "CVSS31" to allow both objects to be included without causing a
+ *                               naming conflict.
+ *
+ *                            4) Variable names and code order have changed to more closely reflect the formulas
+ *                               in the CVSS v3.1 Specification Document.
+ *
+ *                            5) A successful call to calculateCVSSFromMetrics now returns sub-formula values.
+ *
+ *                            Note that some sets of metrics will produce different scores between CVSS v3.0 and
+ *                            v3.1 as a result of changes 1 and 2. See the explanation of changes between these
+ *                            two standards in the CVSS v3.1 User Guide for more details.
+ *
+ * 2018-02-15  Darius Wiles   Added a missing pair of parentheses in the Environmental score, specifically
+ *                            in the code setting envScore in the main clause (not the else clause). It was changed
+ *                            from "min (...), 10" to "min ((...), 10)". This correction does not alter any final
+ *                            Environmental scores.
+ *
+ * 2015-08-04  Darius Wiles   Added CVSS.generateXMLFromMetrics and CVSS.generateXMLFromVector functions to return
+ *                            XML string representations of: a set of metric values; or a Vector String respectively.
+ *                            Moved all constants and functions to an object named "CVSS" to
+ *                            reduce the chance of conflicts in global variables when this file is combined with
+ *                            other JavaScript code. This will break all existing code that uses this file until
+ *                            the string "CVSS." is prepended to all references. The "Exploitability" metric has been
+ *                            renamed "Exploit Code Maturity" in the specification, so the same change has been made
+ *                            in the code in this file.
+ *
+ * 2015-04-24  Darius Wiles   Environmental formula modified to eliminate undesirable behavior caused by subtle
+ *                            differences in rounding between Temporal and Environmental formulas that often
+ *                            caused the latter to be 0.1 lower than than the former when all Environmental
+ *                            metrics are "Not defined". Also added a RoundUp1 function to simplify formulas.
+ *
+ * 2015-04-09  Darius Wiles   Added calculateCVSSFromVector function, license information, cleaned up code and improved
+ *                            comments.
+ *
+ * 2014-12-12  Darius Wiles   Initial release for CVSS 3.0 Preview 2.
+ */
+
+// Constants used in the formula. They are not declared as "const" to avoid problems in older browsers.
+
+var CVSS31 = {};
+
+CVSS31.CVSSVersionIdentifier = 'CVSS:3.1';
+CVSS31.exploitabilityCoefficient = 8.22;
+CVSS31.scopeCoefficient = 1.08;
+
+// A regular expression to validate that a CVSS 3.1 vector string is well formed. It checks metrics and metric
+// values. It does not check that a metric is specified more than once and it does not check that all base
+// metrics are present. These checks need to be performed separately.
+
+CVSS31.vectorStringRegex_31 =
+  /^CVSS:3\.[01]\/((AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])\/)*(AV:[NALP]|AC:[LH]|PR:[UNLH]|UI:[NR]|S:[UC]|[CIA]:[NLH]|E:[XUPFH]|RL:[XOTWU]|RC:[XURC]|[CIA]R:[XLMH]|MAV:[XNALP]|MAC:[XLH]|MPR:[XUNLH]|MUI:[XNR]|MS:[XUC]|M[CIA]:[XNLH])$/;
+
+// Associative arrays mapping each metric value to the constant defined in the CVSS scoring formula in the CVSS v3.1
+// specification.
+
+CVSS31.Weight = {
+  AV: { N: 0.85, A: 0.62, L: 0.55, P: 0.2 },
+  AC: { H: 0.44, L: 0.77 },
+  PR: {
+    U: { N: 0.85, L: 0.62, H: 0.27 }, // These values are used if Scope is Unchanged
+    C: { N: 0.85, L: 0.68, H: 0.5 },
+  }, // These values are used if Scope is Changed
+  UI: { N: 0.85, R: 0.62 },
+  S: { U: 6.42, C: 7.52 }, // Note: not defined as constants in specification
+  CIA: { N: 0, L: 0.22, H: 0.56 }, // C, I and A have the same weights
+
+  E: { X: 1, U: 0.91, P: 0.94, F: 0.97, H: 1 },
+  RL: { X: 1, O: 0.95, T: 0.96, W: 0.97, U: 1 },
+  RC: { X: 1, U: 0.92, R: 0.96, C: 1 },
+
+  CIAR: { X: 1, L: 0.5, M: 1, H: 1.5 }, // CR, IR and AR have the same weights
+};
+
+// Severity rating bands, as defined in the CVSS v3.1 specification.
+
+CVSS31.severityRatings = [
+  { name: 'None', bottom: 0.0, top: 0.0 },
+  { name: 'Low', bottom: 0.1, top: 3.9 },
+  { name: 'Medium', bottom: 4.0, top: 6.9 },
+  { name: 'High', bottom: 7.0, top: 8.9 },
+  { name: 'Critical', bottom: 9.0, top: 10.0 },
+];
+
+/* ** CVSS31.calculateCVSSFromMetrics **
+ *
+ * Takes Base, Temporal and Environmental metric values as individual parameters. Their values are in the short format
+ * defined in the CVSS v3.1 standard definition of the Vector String. For example, the AttackComplexity parameter
+ * should be either "H" or "L".
+ *
+ * Returns Base, Temporal and Environmental scores, severity ratings, and an overall Vector String. All Base metrics
+ * are required to generate this output. All Temporal and Environmental metric values are optional. Any that are not
+ * passed default to "X" ("Not Defined").
+ *
+ * The output is an object which always has a property named "success".
+ *
+ * If no errors are encountered, success is Boolean "true", and the following other properties are defined containing
+ * scores, severities and a vector string:
+ *   baseMetricScore, baseSeverity,
+ *   temporalMetricScore, temporalSeverity,
+ *   environmentalMetricScore, environmentalSeverity,
+ *   vectorString
+ *
+ * The following properties are also defined, and contain sub-formula values:
+ *   baseISS, baseImpact, baseExploitability,
+ *   environmentalMISS, environmentalModifiedImpact, environmentalModifiedExploitability
+ *
+ *
+ * If errors are encountered, success is Boolean "false", and the following other properties are defined:
+ *   errorType - a string indicating the error. Either:
+ *                 "MissingBaseMetric", if at least one Base metric has not been defined; or
+ *                 "UnknownMetricValue", if at least one metric value is invalid.
+ *   errorMetrics - an array of strings representing the metrics at fault. The strings are abbreviated versions of the
+ *                  metrics, as defined in the CVSS v3.1 standard definition of the Vector String.
+ */
+CVSS31.calculateCVSSFromMetrics = function (
+  AttackVector,
+  AttackComplexity,
+  PrivilegesRequired,
+  UserInteraction,
+  Scope,
+  Confidentiality,
+  Integrity,
+  Availability,
+  ExploitCodeMaturity,
+  RemediationLevel,
+  ReportConfidence,
+  ConfidentialityRequirement,
+  IntegrityRequirement,
+  AvailabilityRequirement,
+  ModifiedAttackVector,
+  ModifiedAttackComplexity,
+  ModifiedPrivilegesRequired,
+  ModifiedUserInteraction,
+  ModifiedScope,
+  ModifiedConfidentiality,
+  ModifiedIntegrity,
+  ModifiedAvailability,
+) {
+  // If input validation fails, this array is populated with strings indicating which metrics failed validation.
+  var badMetrics = [];
+
+  // ENSURE ALL BASE METRICS ARE DEFINED
+  //
+  // We need values for all Base Score metrics to calculate scores.
+  // If any Base Score parameters are undefined, create an array of missing metrics and return it with an error.
+
+  if (typeof AttackVector === 'undefined' || AttackVector === '') {
+    badMetrics.push('AV');
+  }
+  if (typeof AttackComplexity === 'undefined' || AttackComplexity === '') {
+    badMetrics.push('AC');
+  }
+  if (typeof PrivilegesRequired === 'undefined' || PrivilegesRequired === '') {
+    badMetrics.push('PR');
+  }
+  if (typeof UserInteraction === 'undefined' || UserInteraction === '') {
+    badMetrics.push('UI');
+  }
+  if (typeof Scope === 'undefined' || Scope === '') {
+    badMetrics.push('S');
+  }
+  if (typeof Confidentiality === 'undefined' || Confidentiality === '') {
+    badMetrics.push('C');
+  }
+  if (typeof Integrity === 'undefined' || Integrity === '') {
+    badMetrics.push('I');
+  }
+  if (typeof Availability === 'undefined' || Availability === '') {
+    badMetrics.push('A');
+  }
+
+  if (badMetrics.length > 0) {
+    return {
+      success: false,
+      errorType: 'MissingBaseMetric',
+      errorMetrics: badMetrics,
+    };
+  }
+
+  // STORE THE METRIC VALUES THAT WERE PASSED AS PARAMETERS
+  //
+  // Temporal and Environmental metrics are optional, so set them to "X" ("Not Defined") if no value was passed.
+
+  var AV = AttackVector;
+  var AC = AttackComplexity;
+  var PR = PrivilegesRequired;
+  var UI = UserInteraction;
+  var S = Scope;
+  var C = Confidentiality;
+  var I = Integrity;
+  var A = Availability;
+
+  var E = ExploitCodeMaturity || 'X';
+  var RL = RemediationLevel || 'X';
+  var RC = ReportConfidence || 'X';
+
+  var CR = ConfidentialityRequirement || 'X';
+  var IR = IntegrityRequirement || 'X';
+  var AR = AvailabilityRequirement || 'X';
+  var MAV = ModifiedAttackVector || 'X';
+  var MAC = ModifiedAttackComplexity || 'X';
+  var MPR = ModifiedPrivilegesRequired || 'X';
+  var MUI = ModifiedUserInteraction || 'X';
+  var MS = ModifiedScope || 'X';
+  var MC = ModifiedConfidentiality || 'X';
+  var MI = ModifiedIntegrity || 'X';
+  var MA = ModifiedAvailability || 'X';
+
+  // CHECK VALIDITY OF METRIC VALUES
+  //
+  // Use the Weight object to ensure that, for every metric, the metric value passed is valid.
+  // If any invalid values are found, create an array of their metrics and return it with an error.
+  //
+  // The Privileges Required (PR) weight depends on Scope, but when checking the validity of PR we must not assume
+  // that the given value for Scope is valid. We therefore always look at the weights for Unchanged Scope when
+  // performing this check. The same applies for validation of Modified Privileges Required (MPR).
+  //
+  // The Weights object does not contain "X" ("Not Defined") values for Environmental metrics because we replace them
+  // with their Base metric equivalents later in the function. For example, an MAV of "X" will be replaced with the
+  // value given for AV. We therefore need to explicitly allow a value of "X" for Environmental metrics.
+
+  if (!CVSS31.Weight.AV.hasOwnProperty(AV)) {
+    badMetrics.push('AV');
+  }
+  if (!CVSS31.Weight.AC.hasOwnProperty(AC)) {
+    badMetrics.push('AC');
+  }
+  if (!CVSS31.Weight.PR.U.hasOwnProperty(PR)) {
+    badMetrics.push('PR');
+  }
+  if (!CVSS31.Weight.UI.hasOwnProperty(UI)) {
+    badMetrics.push('UI');
+  }
+  if (!CVSS31.Weight.S.hasOwnProperty(S)) {
+    badMetrics.push('S');
+  }
+  if (!CVSS31.Weight.CIA.hasOwnProperty(C)) {
+    badMetrics.push('C');
+  }
+  if (!CVSS31.Weight.CIA.hasOwnProperty(I)) {
+    badMetrics.push('I');
+  }
+  if (!CVSS31.Weight.CIA.hasOwnProperty(A)) {
+    badMetrics.push('A');
+  }
+
+  if (!CVSS31.Weight.E.hasOwnProperty(E)) {
+    badMetrics.push('E');
+  }
+  if (!CVSS31.Weight.RL.hasOwnProperty(RL)) {
+    badMetrics.push('RL');
+  }
+  if (!CVSS31.Weight.RC.hasOwnProperty(RC)) {
+    badMetrics.push('RC');
+  }
+
+  if (!(CR === 'X' || CVSS31.Weight.CIAR.hasOwnProperty(CR))) {
+    badMetrics.push('CR');
+  }
+  if (!(IR === 'X' || CVSS31.Weight.CIAR.hasOwnProperty(IR))) {
+    badMetrics.push('IR');
+  }
+  if (!(AR === 'X' || CVSS31.Weight.CIAR.hasOwnProperty(AR))) {
+    badMetrics.push('AR');
+  }
+  if (!(MAV === 'X' || CVSS31.Weight.AV.hasOwnProperty(MAV))) {
+    badMetrics.push('MAV');
+  }
+  if (!(MAC === 'X' || CVSS31.Weight.AC.hasOwnProperty(MAC))) {
+    badMetrics.push('MAC');
+  }
+  if (!(MPR === 'X' || CVSS31.Weight.PR.U.hasOwnProperty(MPR))) {
+    badMetrics.push('MPR');
+  }
+  if (!(MUI === 'X' || CVSS31.Weight.UI.hasOwnProperty(MUI))) {
+    badMetrics.push('MUI');
+  }
+  if (!(MS === 'X' || CVSS31.Weight.S.hasOwnProperty(MS))) {
+    badMetrics.push('MS');
+  }
+  if (!(MC === 'X' || CVSS31.Weight.CIA.hasOwnProperty(MC))) {
+    badMetrics.push('MC');
+  }
+  if (!(MI === 'X' || CVSS31.Weight.CIA.hasOwnProperty(MI))) {
+    badMetrics.push('MI');
+  }
+  if (!(MA === 'X' || CVSS31.Weight.CIA.hasOwnProperty(MA))) {
+    badMetrics.push('MA');
+  }
+
+  if (badMetrics.length > 0) {
+    return {
+      success: false,
+      errorType: 'UnknownMetricValue',
+      errorMetrics: badMetrics,
+    };
+  }
+
+  // GATHER WEIGHTS FOR ALL METRICS
+
+  var metricWeightAV = CVSS31.Weight.AV[AV];
+  var metricWeightAC = CVSS31.Weight.AC[AC];
+  var metricWeightPR = CVSS31.Weight.PR[S][PR]; // PR depends on the value of Scope (S).
+  var metricWeightUI = CVSS31.Weight.UI[UI];
+  var metricWeightS = CVSS31.Weight.S[S];
+  var metricWeightC = CVSS31.Weight.CIA[C];
+  var metricWeightI = CVSS31.Weight.CIA[I];
+  var metricWeightA = CVSS31.Weight.CIA[A];
+
+  var metricWeightE = CVSS31.Weight.E[E];
+  var metricWeightRL = CVSS31.Weight.RL[RL];
+  var metricWeightRC = CVSS31.Weight.RC[RC];
+
+  // For metrics that are modified versions of Base Score metrics, e.g. Modified Attack Vector, use the value of
+  // the Base Score metric if the modified version value is "X" ("Not Defined").
+  var metricWeightCR = CVSS31.Weight.CIAR[CR];
+  var metricWeightIR = CVSS31.Weight.CIAR[IR];
+  var metricWeightAR = CVSS31.Weight.CIAR[AR];
+  var metricWeightMAV = CVSS31.Weight.AV[MAV !== 'X' ? MAV : AV];
+  var metricWeightMAC = CVSS31.Weight.AC[MAC !== 'X' ? MAC : AC];
+  var metricWeightMPR =
+    CVSS31.Weight.PR[MS !== 'X' ? MS : S][MPR !== 'X' ? MPR : PR]; // Depends on MS.
+  var metricWeightMUI = CVSS31.Weight.UI[MUI !== 'X' ? MUI : UI];
+  var metricWeightMS = CVSS31.Weight.S[MS !== 'X' ? MS : S];
+  var metricWeightMC = CVSS31.Weight.CIA[MC !== 'X' ? MC : C];
+  var metricWeightMI = CVSS31.Weight.CIA[MI !== 'X' ? MI : I];
+  var metricWeightMA = CVSS31.Weight.CIA[MA !== 'X' ? MA : A];
+
+  // CALCULATE THE CVSS BASE SCORE
+
+  var iss; /* Impact Sub-Score */
+  var impact;
+  var exploitability;
+  var baseScore;
+
+  iss = 1 - (1 - metricWeightC) * (1 - metricWeightI) * (1 - metricWeightA);
+
+  if (S === 'U') {
+    impact = metricWeightS * iss;
+  } else {
+    impact = metricWeightS * (iss - 0.029) - 3.25 * Math.pow(iss - 0.02, 15);
+  }
+
+  exploitability =
+    CVSS31.exploitabilityCoefficient *
+    metricWeightAV *
+    metricWeightAC *
+    metricWeightPR *
+    metricWeightUI;
+
+  if (impact <= 0) {
+    baseScore = 0;
+  } else {
+    if (S === 'U') {
+      baseScore = CVSS31.roundUp1(Math.min(exploitability + impact, 10));
+    } else {
+      baseScore = CVSS31.roundUp1(
+        Math.min(CVSS31.scopeCoefficient * (exploitability + impact), 10),
+      );
+    }
+  }
+
+  // CALCULATE THE CVSS TEMPORAL SCORE
+
+  var temporalScore = CVSS31.roundUp1(
+    baseScore * metricWeightE * metricWeightRL * metricWeightRC,
+  );
+
+  // CALCULATE THE CVSS ENVIRONMENTAL SCORE
+  //
+  // - modifiedExploitability recalculates the Base Score Exploitability sub-score using any modified values from the
+  //   Environmental metrics group in place of the values specified in the Base Score, if any have been defined.
+  // - modifiedImpact recalculates the Base Score Impact sub-score using any modified values from the
+  //   Environmental metrics group in place of the values specified in the Base Score, and any additional weightings
+  //   given in the Environmental metrics group.
+
+  var miss; /* Modified Impact Sub-Score */
+  var modifiedImpact;
+  var envScore;
+  var modifiedExploitability;
+
+  miss = Math.min(
+    1 -
+      (1 - metricWeightMC * metricWeightCR) *
+        (1 - metricWeightMI * metricWeightIR) *
+        (1 - metricWeightMA * metricWeightAR),
+    0.915,
+  );
+
+  if (MS === 'U' || (MS === 'X' && S === 'U')) {
+    modifiedImpact = metricWeightMS * miss;
+  } else {
+    modifiedImpact =
+      metricWeightMS * (miss - 0.029) -
+      3.25 * Math.pow(miss * 0.9731 - 0.02, 13);
+  }
+
+  modifiedExploitability =
+    CVSS31.exploitabilityCoefficient *
+    metricWeightMAV *
+    metricWeightMAC *
+    metricWeightMPR *
+    metricWeightMUI;
+
+  if (modifiedImpact <= 0) {
+    envScore = 0;
+  } else if (MS === 'U' || (MS === 'X' && S === 'U')) {
+    envScore = CVSS31.roundUp1(
+      CVSS31.roundUp1(Math.min(modifiedImpact + modifiedExploitability, 10)) *
+        metricWeightE *
+        metricWeightRL *
+        metricWeightRC,
+    );
+  } else {
+    envScore = CVSS31.roundUp1(
+      CVSS31.roundUp1(
+        Math.min(
+          CVSS31.scopeCoefficient * (modifiedImpact + modifiedExploitability),
+          10,
+        ),
+      ) *
+        metricWeightE *
+        metricWeightRL *
+        metricWeightRC,
+    );
+  }
+
+  // CONSTRUCT THE VECTOR STRING
+
+  var vectorString =
+    CVSS31.CVSSVersionIdentifier +
+    '/AV:' +
+    AV +
+    '/AC:' +
+    AC +
+    '/PR:' +
+    PR +
+    '/UI:' +
+    UI +
+    '/S:' +
+    S +
+    '/C:' +
+    C +
+    '/I:' +
+    I +
+    '/A:' +
+    A;
+
+  if (E !== 'X') {
+    vectorString = vectorString + '/E:' + E;
+  }
+  if (RL !== 'X') {
+    vectorString = vectorString + '/RL:' + RL;
+  }
+  if (RC !== 'X') {
+    vectorString = vectorString + '/RC:' + RC;
+  }
+
+  if (CR !== 'X') {
+    vectorString = vectorString + '/CR:' + CR;
+  }
+  if (IR !== 'X') {
+    vectorString = vectorString + '/IR:' + IR;
+  }
+  if (AR !== 'X') {
+    vectorString = vectorString + '/AR:' + AR;
+  }
+  if (MAV !== 'X') {
+    vectorString = vectorString + '/MAV:' + MAV;
+  }
+  if (MAC !== 'X') {
+    vectorString = vectorString + '/MAC:' + MAC;
+  }
+  if (MPR !== 'X') {
+    vectorString = vectorString + '/MPR:' + MPR;
+  }
+  if (MUI !== 'X') {
+    vectorString = vectorString + '/MUI:' + MUI;
+  }
+  if (MS !== 'X') {
+    vectorString = vectorString + '/MS:' + MS;
+  }
+  if (MC !== 'X') {
+    vectorString = vectorString + '/MC:' + MC;
+  }
+  if (MI !== 'X') {
+    vectorString = vectorString + '/MI:' + MI;
+  }
+  if (MA !== 'X') {
+    vectorString = vectorString + '/MA:' + MA;
+  }
+
+  // Return an object containing the scores for all three metric groups, and an overall vector string.
+  // Sub-formula values are also included.
+
+  return {
+    success: true,
+
+    baseMetricScore: baseScore.toFixed(1),
+    baseSeverity: CVSS31.severityRating(baseScore.toFixed(1)),
+    baseISS: iss,
+    baseImpact: impact,
+    baseExploitability: exploitability,
+
+    temporalMetricScore: temporalScore.toFixed(1),
+    temporalSeverity: CVSS31.severityRating(temporalScore.toFixed(1)),
+
+    environmentalMetricScore: envScore.toFixed(1),
+    environmentalSeverity: CVSS31.severityRating(envScore.toFixed(1)),
+    environmentalMISS: miss,
+    environmentalModifiedImpact: modifiedImpact,
+    environmentalModifiedExploitability: modifiedExploitability,
+
+    vectorString: vectorString,
+  };
+};
+
+/* ** CVSS31.calculateCVSSFromVector **
+ *
+ * Takes Base, Temporal and Environmental metric values as a single string in the Vector String format defined
+ * in the CVSS v3.1 standard definition of the Vector String.
+ *
+ * Returns Base, Temporal and Environmental scores, severity ratings, and an overall Vector String. All Base metrics
+ * are required to generate this output. All Temporal and Environmental metric values are optional. Any that are not
+ * passed default to "X" ("Not Defined").
+ *
+ * See the comment for the CVSS31.calculateCVSSFromMetrics function for details on the function output. In addition to
+ * the error conditions listed for that function, this function can also return:
+ *   "MalformedVectorString", if the Vector String passed does not conform to the format in the standard; or
+ *   "MultipleDefinitionsOfMetric", if the Vector String is well formed but defines the same metric (or metrics),
+ *                                  more than once.
+ */
+CVSS31.calculateCVSSFromVector = function (vectorString) {
+  var metricValues = {
+    AV: undefined,
+    AC: undefined,
+    PR: undefined,
+    UI: undefined,
+    S: undefined,
+    C: undefined,
+    I: undefined,
+    A: undefined,
+    E: undefined,
+    RL: undefined,
+    RC: undefined,
+    CR: undefined,
+    IR: undefined,
+    AR: undefined,
+    MAV: undefined,
+    MAC: undefined,
+    MPR: undefined,
+    MUI: undefined,
+    MS: undefined,
+    MC: undefined,
+    MI: undefined,
+    MA: undefined,
+  };
+
+  // If input validation fails, this array is populated with strings indicating which metrics failed validation.
+  var badMetrics = [];
+
+  if (!CVSS31.vectorStringRegex_31.test(vectorString)) {
+    return { success: false, errorType: 'MalformedVectorString' };
+  }
+
+  var metricNameValue = vectorString
+    .substring(CVSS31.CVSSVersionIdentifier.length)
+    .split('/');
+
+  for (var i in metricNameValue) {
+    if (metricNameValue.hasOwnProperty(i)) {
+      var singleMetric = metricNameValue[i].split(':');
+
+      if (typeof metricValues[singleMetric[0]] === 'undefined') {
+        metricValues[singleMetric[0]] = singleMetric[1];
+      } else {
+        badMetrics.push(singleMetric[0]);
+      }
+    }
+  }
+
+  if (badMetrics.length > 0) {
+    return {
+      success: false,
+      errorType: 'MultipleDefinitionsOfMetric',
+      errorMetrics: badMetrics,
+    };
+  }
+
+  return CVSS31.calculateCVSSFromMetrics(
+    metricValues.AV,
+    metricValues.AC,
+    metricValues.PR,
+    metricValues.UI,
+    metricValues.S,
+    metricValues.C,
+    metricValues.I,
+    metricValues.A,
+    metricValues.E,
+    metricValues.RL,
+    metricValues.RC,
+    metricValues.CR,
+    metricValues.IR,
+    metricValues.AR,
+    metricValues.MAV,
+    metricValues.MAC,
+    metricValues.MPR,
+    metricValues.MUI,
+    metricValues.MS,
+    metricValues.MC,
+    metricValues.MI,
+    metricValues.MA,
+  );
+};
+
+/* ** CVSS31.roundUp1 **
+ *
+ * Rounds up its parameter to 1 decimal place and returns the result.
+ *
+ * Standard JavaScript errors thrown when arithmetic operations are performed on non-numbers will be returned if the
+ * given input is not a number.
+ *
+ * Implementation note: Tiny representation errors in floating point numbers makes rounding complex. For example,
+ * consider calculating Math.ceil((1-0.58)*100) by hand. It can be simplified to Math.ceil(0.42*100), then
+ * Math.ceil(42), and finally 42. Most JavaScript implementations give 43. The problem is that, on many systems,
+ * 1-0.58 = 0.42000000000000004, and the tiny error is enough to push ceil up to the next integer. The implementation
+ * below avoids such problems by performing the rounding using integers. The input is first multiplied by 100,000
+ * and rounded to the nearest integer to consider 6 decimal places of accuracy, so 0.000001 results in 0.0, but
+ * 0.000009 results in 0.1.
+ *
+ * A more elegant solution may be possible, but the following gives answers consistent with results from an arbitrary
+ * precision library.
+ */
+CVSS31.roundUp1 = function Roundup(input) {
+  var int_input = Math.round(input * 100000);
+
+  if (int_input % 10000 === 0) {
+    return int_input / 100000;
+  } else {
+    return (Math.floor(int_input / 10000) + 1) / 10;
+  }
+};
+
+/* ** CVSS31.severityRating **
+ *
+ * Given a CVSS score, returns the name of the severity rating as defined in the CVSS standard.
+ * The input needs to be a number between 0.0 to 10.0, to one decimal place of precision.
+ *
+ * The following error values may be returned instead of a severity rating name:
+ *   NaN (JavaScript "Not a Number") - if the input is not a number.
+ *   undefined - if the input is a number that is not within the range of any defined severity rating.
+ */
+CVSS31.severityRating = function (score) {
+  var severityRatingLength = CVSS31.severityRatings.length;
+
+  var validatedScore = Number(score);
+
+  if (isNaN(validatedScore)) {
+    return validatedScore;
+  }
+
+  for (var i = 0; i < severityRatingLength; i++) {
+    if (
+      score >= CVSS31.severityRatings[i].bottom &&
+      score <= CVSS31.severityRatings[i].top
+    ) {
+      return CVSS31.severityRatings[i].name;
+    }
+  }
+
+  return undefined;
+};
+
+///////////////////////////////////////////////////////////////////////////
+// DATA AND FUNCTIONS FOR CREATING AN XML REPRESENTATION OF A CVSS SCORE //
+///////////////////////////////////////////////////////////////////////////
+
+// A mapping between abbreviated metric values and the string used in the XML representation.
+// For example, a Remediation Level (RL) abbreviated metric value of "W" maps to "WORKAROUND".
+// For brevity, every Base metric shares its definition with its equivalent Environmental metric. This is possible
+// because the metric values are same between these groups, except that the latter have an additional metric value
+// of "NOT_DEFINED".
+
+CVSS31.XML_MetricNames = {
+  E: {
+    X: 'NOT_DEFINED',
+    U: 'UNPROVEN',
+    P: 'PROOF_OF_CONCEPT',
+    F: 'FUNCTIONAL',
+    H: 'HIGH',
+  },
+  RL: {
+    X: 'NOT_DEFINED',
+    O: 'OFFICIAL_FIX',
+    T: 'TEMPORARY_FIX',
+    W: 'WORKAROUND',
+    U: 'UNAVAILABLE',
+  },
+  RC: { X: 'NOT_DEFINED', U: 'UNKNOWN', R: 'REASONABLE', C: 'CONFIRMED' },
+
+  CIAR: { X: 'NOT_DEFINED', L: 'LOW', M: 'MEDIUM', H: 'HIGH' }, // CR, IR and AR use the same values
+  MAV: {
+    N: 'NETWORK',
+    A: 'ADJACENT_NETWORK',
+    L: 'LOCAL',
+    P: 'PHYSICAL',
+    X: 'NOT_DEFINED',
+  },
+  MAC: { H: 'HIGH', L: 'LOW', X: 'NOT_DEFINED' },
+  MPR: { N: 'NONE', L: 'LOW', H: 'HIGH', X: 'NOT_DEFINED' },
+  MUI: { N: 'NONE', R: 'REQUIRED', X: 'NOT_DEFINED' },
+  MS: { U: 'UNCHANGED', C: 'CHANGED', X: 'NOT_DEFINED' },
+  MCIA: { N: 'NONE', L: 'LOW', H: 'HIGH', X: 'NOT_DEFINED' }, // C, I and A use the same values
+};
+
+/* ** CVSS31.generateXMLFromMetrics **
+ *
+ * Takes Base, Temporal and Environmental metric values as individual parameters. Their values are in the short format
+ * defined in the CVSS v3.1 standard definition of the Vector String. For example, the AttackComplexity parameter
+ * should be either "H" or "L".
+ *
+ * Returns a single string containing the metric values in XML form. All Base metrics are required to generate this
+ * output. All Temporal and Environmental metric values are optional. Any that are not passed will be represented in
+ * the XML as NOT_DEFINED. The function returns a string for simplicity. It is arguably better to return the XML as
+ * a DOM object, but at the time of writing this leads to complexity due to older browsers using different JavaScript
+ * interfaces to do this. Also for simplicity, all Temporal and Environmental metrics are included in the string,
+ * even though those with a value of "Not Defined" do not need to be included.
+ *
+ * The output of this function is an object which always has a property named "success".
+ *
+ * If no errors are encountered, success is Boolean "true", and the "xmlString" property contains the XML string
+ * representation.
+ *
+ * If errors are encountered, success is Boolean "false", and other properties are defined as per the
+ * CVSS31.calculateCVSSFromMetrics function. Refer to the comment for that function for more details.
+ */
+CVSS31.generateXMLFromMetrics = function (
+  AttackVector,
+  AttackComplexity,
+  PrivilegesRequired,
+  UserInteraction,
+  Scope,
+  Confidentiality,
+  Integrity,
+  Availability,
+  ExploitCodeMaturity,
+  RemediationLevel,
+  ReportConfidence,
+  ConfidentialityRequirement,
+  IntegrityRequirement,
+  AvailabilityRequirement,
+  ModifiedAttackVector,
+  ModifiedAttackComplexity,
+  ModifiedPrivilegesRequired,
+  ModifiedUserInteraction,
+  ModifiedScope,
+  ModifiedConfidentiality,
+  ModifiedIntegrity,
+  ModifiedAvailability,
+) {
+  // A string containing the XML we wish to output, with placeholders for the CVSS metrics we will substitute for
+  // their values, based on the inputs passed to this function.
+  var xmlTemplate =
+    '<?xml version="1.0" encoding="UTF-8"?>\n' +
+    '<cvssv3.1 xmlns="https://www.first.org/cvss/cvss-v3.1.xsd"\n' +
+    '  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"\n' +
+    '  xsi:schemaLocation="https://www.first.org/cvss/cvss-v3.1.xsd https://www.first.org/cvss/cvss-v3.1.xsd"\n' +
+    '  >\n' +
+    '\n' +
+    '  <base_metrics>\n' +
+    '    <attack-vector>__AttackVector__</attack-vector>\n' +
+    '    <attack-complexity>__AttackComplexity__</attack-complexity>\n' +
+    '    <privileges-required>__PrivilegesRequired__</privileges-required>\n' +
+    '    <user-interaction>__UserInteraction__</user-interaction>\n' +
+    '    <scope>__Scope__</scope>\n' +
+    '    <confidentiality-impact>__Confidentiality__</confidentiality-impact>\n' +
+    '    <integrity-impact>__Integrity__</integrity-impact>\n' +
+    '    <availability-impact>__Availability__</availability-impact>\n' +
+    '    <base-score>__BaseScore__</base-score>\n' +
+    '    <base-severity>__BaseSeverityRating__</base-severity>\n' +
+    '  </base_metrics>\n' +
+    '\n' +
+    '  <temporal_metrics>\n' +
+    '    <exploit-code-maturity>__ExploitCodeMaturity__</exploit-code-maturity>\n' +
+    '    <remediation-level>__RemediationLevel__</remediation-level>\n' +
+    '    <report-confidence>__ReportConfidence__</report-confidence>\n' +
+    '    <temporal-score>__TemporalScore__</temporal-score>\n' +
+    '    <temporal-severity>__TemporalSeverityRating__</temporal-severity>\n' +
+    '  </temporal_metrics>\n' +
+    '\n' +
+    '  <environmental_metrics>\n' +
+    '    <confidentiality-requirement>__ConfidentialityRequirement__</confidentiality-requirement>\n' +
+    '    <integrity-requirement>__IntegrityRequirement__</integrity-requirement>\n' +
+    '    <availability-requirement>__AvailabilityRequirement__</availability-requirement>\n' +
+    '    <modified-attack-vector>__ModifiedAttackVector__</modified-attack-vector>\n' +
+    '    <modified-attack-complexity>__ModifiedAttackComplexity__</modified-attack-complexity>\n' +
+    '    <modified-privileges-required>__ModifiedPrivilegesRequired__</modified-privileges-required>\n' +
+    '    <modified-user-interaction>__ModifiedUserInteraction__</modified-user-interaction>\n' +
+    '    <modified-scope>__ModifiedScope__</modified-scope>\n' +
+    '    <modified-confidentiality-impact>__ModifiedConfidentiality__</modified-confidentiality-impact>\n' +
+    '    <modified-integrity-impact>__ModifiedIntegrity__</modified-integrity-impact>\n' +
+    '    <modified-availability-impact>__ModifiedAvailability__</modified-availability-impact>\n' +
+    '    <environmental-score>__EnvironmentalScore__</environmental-score>\n' +
+    '    <environmental-severity>__EnvironmentalSeverityRating__</environmental-severity>\n' +
+    '  </environmental_metrics>\n' +
+    '\n' +
+    '</cvssv3.1>\n';
+
+  // Call CVSS31.calculateCVSSFromMetrics to validate all the parameters and generate scores and severity ratings.
+  // If that function returns an error, immediately return it to the caller of this function.
+  var result = CVSS31.calculateCVSSFromMetrics(
+    AttackVector,
+    AttackComplexity,
+    PrivilegesRequired,
+    UserInteraction,
+    Scope,
+    Confidentiality,
+    Integrity,
+    Availability,
+    ExploitCodeMaturity,
+    RemediationLevel,
+    ReportConfidence,
+    ConfidentialityRequirement,
+    IntegrityRequirement,
+    AvailabilityRequirement,
+    ModifiedAttackVector,
+    ModifiedAttackComplexity,
+    ModifiedPrivilegesRequired,
+    ModifiedUserInteraction,
+    ModifiedScope,
+    ModifiedConfidentiality,
+    ModifiedIntegrity,
+    ModifiedAvailability,
+  );
+
+  if (result.success !== true) {
+    return result;
+  }
+
+  var xmlOutput = xmlTemplate;
+  xmlOutput = xmlOutput.replace(
+    '__AttackVector__',
+    CVSS31.XML_MetricNames['MAV'][AttackVector],
+  );
+  xmlOutput = xmlOutput.replace(
+    '__AttackComplexity__',
+    CVSS31.XML_MetricNames['MAC'][AttackComplexity],
+  );
+  xmlOutput = xmlOutput.replace(
+    '__PrivilegesRequired__',
+    CVSS31.XML_MetricNames['MPR'][PrivilegesRequired],
+  );
+  xmlOutput = xmlOutput.replace(
+    '__UserInteraction__',
+    CVSS31.XML_MetricNames['MUI'][UserInteraction],
+  );
+  xmlOutput = xmlOutput.replace(
+    '__Scope__',
+    CVSS31.XML_MetricNames['MS'][Scope],
+  );
+  xmlOutput = xmlOutput.replace(
+    '__Confidentiality__',
+    CVSS31.XML_MetricNames['MCIA'][Confidentiality],
+  );
+  xmlOutput = xmlOutput.replace(
+    '__Integrity__',
+    CVSS31.XML_MetricNames['MCIA'][Integrity],
+  );
+  xmlOutput = xmlOutput.replace(
+    '__Availability__',
+    CVSS31.XML_MetricNames['MCIA'][Availability],
+  );
+  xmlOutput = xmlOutput.replace('__BaseScore__', result.baseMetricScore);
+  xmlOutput = xmlOutput.replace('__BaseSeverityRating__', result.baseSeverity);
+
+  xmlOutput = xmlOutput.replace(
+    '__ExploitCodeMaturity__',
+    CVSS31.XML_MetricNames['E'][ExploitCodeMaturity || 'X'],
+  );
+  xmlOutput = xmlOutput.replace(
+    '__RemediationLevel__',
+    CVSS31.XML_MetricNames['RL'][RemediationLevel || 'X'],
+  );
+  xmlOutput = xmlOutput.replace(
+    '__ReportConfidence__',
+    CVSS31.XML_MetricNames['RC'][ReportConfidence || 'X'],
+  );
+  xmlOutput = xmlOutput.replace(
+    '__TemporalScore__',
+    result.temporalMetricScore,
+  );
+  xmlOutput = xmlOutput.replace(
+    '__TemporalSeverityRating__',
+    result.temporalSeverity,
+  );
+
+  xmlOutput = xmlOutput.replace(
+    '__ConfidentialityRequirement__',
+    CVSS31.XML_MetricNames['CIAR'][ConfidentialityRequirement || 'X'],
+  );
+  xmlOutput = xmlOutput.replace(
+    '__IntegrityRequirement__',
+    CVSS31.XML_MetricNames['CIAR'][IntegrityRequirement || 'X'],
+  );
+  xmlOutput = xmlOutput.replace(
+    '__AvailabilityRequirement__',
+    CVSS31.XML_MetricNames['CIAR'][AvailabilityRequirement || 'X'],
+  );
+  xmlOutput = xmlOutput.replace(
+    '__ModifiedAttackVector__',
+    CVSS31.XML_MetricNames['MAV'][ModifiedAttackVector || 'X'],
+  );
+  xmlOutput = xmlOutput.replace(
+    '__ModifiedAttackComplexity__',
+    CVSS31.XML_MetricNames['MAC'][ModifiedAttackComplexity || 'X'],
+  );
+  xmlOutput = xmlOutput.replace(
+    '__ModifiedPrivilegesRequired__',
+    CVSS31.XML_MetricNames['MPR'][ModifiedPrivilegesRequired || 'X'],
+  );
+  xmlOutput = xmlOutput.replace(
+    '__ModifiedUserInteraction__',
+    CVSS31.XML_MetricNames['MUI'][ModifiedUserInteraction || 'X'],
+  );
+  xmlOutput = xmlOutput.replace(
+    '__ModifiedScope__',
+    CVSS31.XML_MetricNames['MS'][ModifiedScope || 'X'],
+  );
+  xmlOutput = xmlOutput.replace(
+    '__ModifiedConfidentiality__',
+    CVSS31.XML_MetricNames['MCIA'][ModifiedConfidentiality || 'X'],
+  );
+  xmlOutput = xmlOutput.replace(
+    '__ModifiedIntegrity__',
+    CVSS31.XML_MetricNames['MCIA'][ModifiedIntegrity || 'X'],
+  );
+  xmlOutput = xmlOutput.replace(
+    '__ModifiedAvailability__',
+    CVSS31.XML_MetricNames['MCIA'][ModifiedAvailability || 'X'],
+  );
+  xmlOutput = xmlOutput.replace(
+    '__EnvironmentalScore__',
+    result.environmentalMetricScore,
+  );
+  xmlOutput = xmlOutput.replace(
+    '__EnvironmentalSeverityRating__',
+    result.environmentalSeverity,
+  );
+
+  return { success: true, xmlString: xmlOutput };
+};
+
+/* ** CVSS31.generateXMLFromVector **
+ *
+ * Takes Base, Temporal and Environmental metric values as a single string in the Vector String format defined
+ * in the CVSS v3.1 standard definition of the Vector String.
+ *
+ * Returns an XML string representation of this input. See the comment for CVSS31.generateXMLFromMetrics for more
+ * detail on inputs, return values and errors. In addition to the error conditions listed for that function, this
+ * function can also return:
+ *   "MalformedVectorString", if the Vector String passed is does not conform to the format in the standard; or
+ *   "MultipleDefinitionsOfMetric", if the Vector String is well formed but defines the same metric (or metrics),
+ *                                  more than once.
+ */
+CVSS31.generateXMLFromVector = function (vectorString) {
+  var metricValues = {
+    AV: undefined,
+    AC: undefined,
+    PR: undefined,
+    UI: undefined,
+    S: undefined,
+    C: undefined,
+    I: undefined,
+    A: undefined,
+    E: undefined,
+    RL: undefined,
+    RC: undefined,
+    CR: undefined,
+    IR: undefined,
+    AR: undefined,
+    MAV: undefined,
+    MAC: undefined,
+    MPR: undefined,
+    MUI: undefined,
+    MS: undefined,
+    MC: undefined,
+    MI: undefined,
+    MA: undefined,
+  };
+
+  // If input validation fails, this array is populated with strings indicating which metrics failed validation.
+  var badMetrics = [];
+
+  if (!CVSS31.vectorStringRegex_31.test(vectorString)) {
+    return { success: false, errorType: 'MalformedVectorString' };
+  }
+
+  var metricNameValue = vectorString
+    .substring(CVSS31.CVSSVersionIdentifier.length)
+    .split('/');
+
+  for (var i in metricNameValue) {
+    if (metricNameValue.hasOwnProperty(i)) {
+      var singleMetric = metricNameValue[i].split(':');
+
+      if (typeof metricValues[singleMetric[0]] === 'undefined') {
+        metricValues[singleMetric[0]] = singleMetric[1];
+      } else {
+        badMetrics.push(singleMetric[0]);
+      }
+    }
+  }
+
+  if (badMetrics.length > 0) {
+    return {
+      success: false,
+      errorType: 'MultipleDefinitionsOfMetric',
+      errorMetrics: badMetrics,
+    };
+  }
+
+  return CVSS31.generateXMLFromMetrics(
+    metricValues.AV,
+    metricValues.AC,
+    metricValues.PR,
+    metricValues.UI,
+    metricValues.S,
+    metricValues.C,
+    metricValues.I,
+    metricValues.A,
+    metricValues.E,
+    metricValues.RL,
+    metricValues.RC,
+    metricValues.CR,
+    metricValues.IR,
+    metricValues.AR,
+    metricValues.MAV,
+    metricValues.MAC,
+    metricValues.MPR,
+    metricValues.MUI,
+    metricValues.MS,
+    metricValues.MC,
+    metricValues.MI,
+    metricValues.MA,
+  );
+};
+
+module.exports = CVSS31;

backend/src/lib/html2ooxml.js

@@ -0,0 +1,204 @@
+var docx = require('docx');
+var xml = require('xml');
+var htmlparser = require('htmlparser2');
+
+function html2ooxml(html, style = '') {
+  if (html === '') return html;
+  if (!html.match(/^<.+>/)) html = `<p>${html}</p>`;
+  var doc = new docx.Document({ sections: [] });
+  var paragraphs = [];
+  var cParagraph = null;
+  var cRunProperties = {};
+  var cParagraphProperties = {};
+  var list_state = [];
+  var inCodeBlock = false;
+  var parser = new htmlparser.Parser(
+    {
+      onopentag(tag, attribs) {
+        if (tag === 'h1') {
+          cParagraph = new docx.Paragraph({ heading: 'Heading1' });
+        } else if (tag === 'h2') {
+          cParagraph = new docx.Paragraph({ heading: 'Heading2' });
+        } else if (tag === 'h3') {
+          cParagraph = new docx.Paragraph({ heading: 'Heading3' });
+        } else if (tag === 'h4') {
+          cParagraph = new docx.Paragraph({ heading: 'Heading4' });
+        } else if (tag === 'h5') {
+          cParagraph = new docx.Paragraph({ heading: 'Heading5' });
+        } else if (tag === 'h6') {
+          cParagraph = new docx.Paragraph({ heading: 'Heading6' });
+        } else if (tag === 'div' || tag === 'p') {
+          if (style && typeof style === 'string')
+            cParagraphProperties.style = style;
+          cParagraph = new docx.Paragraph(cParagraphProperties);
+        } else if (tag === 'pre') {
+          inCodeBlock = true;
+          cParagraph = new docx.Paragraph({ style: 'Code' });
+        } else if (tag === 'b' || tag === 'strong') {
+          cRunProperties.bold = true;
+        } else if (tag === 'i' || tag === 'em') {
+          cRunProperties.italics = true;
+        } else if (tag === 'u') {
+          cRunProperties.underline = {};
+        } else if (tag === 'strike' || tag === 's') {
+          cRunProperties.strike = true;
+        } else if (tag === 'mark') {
+          var bgColor = attribs['data-color'] || '#ffff25';
+          cRunProperties.highlight = getHighlightColor(bgColor);
+
+          // Use text color if set (to handle white or black text depending on background color)
+          var color = attribs.style.match(/.+color:.(.+)/);
+          if (color && color[1]) cRunProperties.color = getTextColor(color[1]);
+        } else if (tag === 'br') {
+          if (inCodeBlock) {
+            paragraphs.push(cParagraph);
+            cParagraph = new docx.Paragraph({ style: 'Code' });
+          } else cParagraph.addChildElement(new docx.Run({ break: 1 }));
+        } else if (tag === 'ul') {
+          list_state.push('bullet');
+        } else if (tag === 'ol') {
+          list_state.push('number');
+        } else if (tag === 'li') {
+          var level = list_state.length - 1;
+          if (level >= 0 && list_state[level] === 'bullet')
+            cParagraphProperties.bullet = { level: level };
+          else if (level >= 0 && list_state[level] === 'number')
+            cParagraphProperties.numbering = { reference: 2, level: level };
+          else cParagraphProperties.bullet = { level: 0 };
+        } else if (tag === 'code') {
+          cRunProperties.style = 'CodeChar';
+        } else if (tag === 'legend' && attribs && attribs.alt !== 'undefined') {
+          var label = attribs.label || 'Figure';
+          cParagraph = new docx.Paragraph({
+            style: 'Caption',
+            alignment: docx.AlignmentType.CENTER,
+          });
+          cParagraph.addChildElement(new docx.TextRun(`${label} `));
+          cParagraph.addChildElement(new docx.SimpleField(`SEQ ${label}`, '1'));
+          cParagraph.addChildElement(new docx.TextRun(` - ${attribs.alt}`));
+        }
+      },
+
+      ontext(text) {
+        if (text && cParagraph) {
+          cRunProperties.text = text;
+          cParagraph.addChildElement(new docx.TextRun(cRunProperties));
+        }
+      },
+
+      onclosetag(tag) {
+        if (
+          [
+            'h1',
+            'h2',
+            'h3',
+            'h4',
+            'h5',
+            'h6',
+            'div',
+            'p',
+            'pre',
+            'img',
+            'legend',
+          ].includes(tag)
+        ) {
+          paragraphs.push(cParagraph);
+          cParagraph = null;
+          cParagraphProperties = {};
+          if (tag === 'pre') inCodeBlock = false;
+        } else if (tag === 'b' || tag === 'strong') {
+          delete cRunProperties.bold;
+        } else if (tag === 'i' || tag === 'em') {
+          delete cRunProperties.italics;
+        } else if (tag === 'u') {
+          delete cRunProperties.underline;
+        } else if (tag === 'strike' || tag === 's') {
+          delete cRunProperties.strike;
+        } else if (tag === 'mark') {
+          delete cRunProperties.highlight;
+          delete cRunProperties.color;
+        } else if (tag === 'ul' || tag === 'ol') {
+          list_state.pop();
+          if (list_state.length === 0) cParagraphProperties = {};
+        } else if (tag === 'code') {
+          delete cRunProperties.style;
+        }
+      },
+
+      onend() {
+        doc.addSection({
+          children: paragraphs,
+        });
+      },
+    },
+    { decodeEntities: true },
+  );
+
+  // For multiline code blocks
+  html = html.replace(/\n/g, '<br>');
+  parser.write(html);
+  parser.end();
+
+  var prepXml = doc.documentWrapper.document.body.prepForXml({});
+  var filteredXml = prepXml['w:body'].filter(e => {
+    return Object.keys(e)[0] === 'w:p';
+  });
+  var dataXml = xml(filteredXml);
+  dataXml = dataXml.replace(/w:numId w:val="{2-0}"/g, 'w:numId w:val="2"'); // Replace numbering to have correct value
+
+  return dataXml;
+}
+module.exports = html2ooxml;
+
+function getHighlightColor(hexColor) {
+  // <xsd:simpleType name="ST_HighlightColor">
+  //     <xsd:restriction base="xsd:string">
+  //         <xsd:enumeration value="yellow"/>
+  //         <xsd:enumeration value="green"/>
+  //         <xsd:enumeration value="cyan"/>
+  //         <xsd:enumeration value="magenta"/>
+  //         <xsd:enumeration value="blue"/>
+
+  //         <xsd:enumeration value="red"/>
+  //         <xsd:enumeration value="darkBlue"/>
+  //         <xsd:enumeration value="darkCyan"/>
+  //         <xsd:enumeration value="darkGreen"/>
+  //         <xsd:enumeration value="darkMagenta"/>
+
+  //         <xsd:enumeration value="darkRed"/>
+  //         <xsd:enumeration value="darkYellow"/>
+  //         <xsd:enumeration value="darkGray"/>
+  //         <xsd:enumeration value="lightGray"/>
+  //         <xsd:enumeration value="black"/>
+
+  //         <xsd:enumeration value="white"/>
+  //         <xsd:enumeration value="none"/>
+  //     </xsd:restriction>
+  // </xsd:simpleType>
+
+  var colors = {
+    '#ffff25': 'yellow',
+    '#00ff41': 'green',
+    '#00ffff': 'cyan',
+    '#ff00f9': 'magenta',
+    '#0005fd': 'blue',
+    '#ff0000': 'red',
+    '#000177': 'darkBlue',
+    '#00807a': 'darkCyan',
+    '#008021': 'darkGreen',
+    '#8e0075': 'darkMagenta',
+    '#8f0000': 'darkRed',
+    '#817d0c': 'darkYellow',
+    '#807d78': 'darkGray',
+    '#c4c1bb': 'lightGray',
+    '#000000': 'black',
+  };
+  return colors[hexColor] || 'yellow';
+}
+
+function getTextColor(color) {
+  var regex = /^#[0-9a-fA-F]{6}$/;
+  if (regex.test(color)) return color.substring(1, 7);
+
+  return '000000';
+}

backend/src/lib/httpResponse.js

@@ -0,0 +1,82 @@
+function Custom(res, status, code, message) {
+  res.status(code).json({ status: status, datas: message });
+}
+exports.Custom = Custom;
+
+/*
+ *** Codes 2xx ***
+ */
+
+function Ok(res, data) {
+  res.status(200).json({ status: 'success', datas: data });
+}
+exports.Ok = Ok;
+
+function Created(res, data) {
+  res.status(201).json({ status: 'success', datas: data });
+}
+exports.Created = Created;
+
+function NoContent(res, data) {
+  res.status(204).json({ status: 'success', datas: data });
+}
+exports.NoContent = NoContent;
+
+function SendFile(res, filename, file) {
+  res.set({ 'Content-Disposition': `attachment; filename="${filename}"` });
+  res.status(200).send(file);
+}
+exports.SendFile = SendFile;
+
+function SendImage(res, image) {
+  res.set({ 'Content-Type': 'image/png', 'Content-Length': image.length });
+  res.status(200).send(image);
+}
+exports.SendImage = SendImage;
+
+/*
+ *** Codes 4xx ***
+ */
+
+function BadRequest(res, error) {
+  res.status(400).json({ status: 'error', datas: error });
+}
+exports.BadRequest = BadRequest;
+
+function NotFound(res, error) {
+  res.status(404).json({ status: 'error', datas: error });
+}
+exports.NotFound = NotFound;
+
+function BadParameters(res, error) {
+  res.status(422).json({ status: 'error', datas: error });
+}
+exports.BadParameters = BadParameters;
+
+function Unauthorized(res, error) {
+  res.status(401).json({ status: 'error', datas: error });
+}
+exports.Unauthorized = Unauthorized;
+
+function Forbidden(res, error) {
+  res.status(403).json({ status: 'error', datas: error });
+}
+exports.Forbidden = Forbidden;
+
+/*
+ *** Codes 5xx ***
+ */
+
+function Internal(res, error) {
+  if (error.fn) var fn = exports[error.fn];
+  if (typeof fn === 'function') fn(res, error.message);
+  else if (error.errmsg) {
+    res.status(500).json({ status: 'error', datas: error.errmsg });
+  } else if (error.message)
+    res.status(500).json({ status: 'error', datas: error.message });
+  else {
+    console.log(error);
+    res.status(500).json({ status: 'error', datas: 'Internal Error' });
+  }
+}
+exports.Internal = Internal;

backend/src/lib/passwordpolicy.js

@@ -0,0 +1,7 @@
+// Check if user's password match password policy
+function strongPassword(password) {
+  var regExp = /(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{8,}/;
+  return regExp.test(password);
+}
+
+exports.strongPassword = strongPassword;

backend/src/lib/report-filters.js

@@ -0,0 +1,423 @@
+var expressions = require('angular-expressions');
+var html2ooxml = require('./html2ooxml');
+var translate = require('../translate');
+var _ = require('lodash');
+
+// *** Angular parser filters ***
+
+// Creates a text block or simple location bookmark:
+// - Text block: {@name | bookmarkCreate: identifier | p}
+// - Location: {@identifier | bookmarkCreate | p}
+// Identifiers are sanitized as follow:
+// - Invalid characters replaced by underscores.
+// - Identifiers longer than 40 chars are truncated (MS-Word limitation).
+expressions.filters.bookmarkCreate = function (input, refid = null) {
+  let rand_id = Math.floor(Math.random() * 1000000 + 1000);
+  let parsed_id = (refid ? refid : input)
+    .replace(/[^a-zA-Z0-9_]/g, '_')
+    .substring(0, 40);
+
+  // Accept both text and OO-XML as input.
+  if (input.indexOf('<w:r') !== 0) {
+    input = '<w:r><w:t>' + input + '</w:t></w:r>';
+  }
+
+  return (
+    '<w:bookmarkStart w:id="' +
+    rand_id +
+    '" ' +
+    'w:name="' +
+    parsed_id +
+    '"/>' +
+    (refid ? input : '') +
+    '<w:bookmarkEnd w:id="' +
+    rand_id +
+    '"/>'
+  );
+};
+
+// Creates a hyperlink to a text block or location bookmark:
+// {@input | bookmarkLink: identifier | p}
+// Identifiers are sanitized as follow:
+// - Invalid characters replaced by underscores.
+// - Identifiers longer than 40 chars are truncated (MS-Word limitation).
+expressions.filters.bookmarkLink = function (input, identifier) {
+  identifier = identifier.replace(/[^a-zA-Z0-9_]/g, '_').substring(0, 40);
+  return (
+    '<w:hyperlink w:anchor="' +
+    identifier +
+    '">' +
+    '<w:r><w:rPr><w:rStyle w:val="Hyperlink"/></w:rPr>' +
+    '<w:t>' +
+    input +
+    '</w:t>' +
+    '</w:r></w:hyperlink>'
+  );
+};
+
+// Creates a clickable dynamic field referencing a text block bookmark:
+// {@identifier | bookmarkRef | p}
+// Identifiers are sanitized as follow:
+// - Invalid characters replaced by underscores.
+// - Identifiers longer than 40 chars are truncated (MS-Word limitation).
+expressions.filters.bookmarkRef = function (input) {
+  return (
+    '<w:r><w:fldChar w:fldCharType="begin"/></w:r><w:r><w:instrText xml:space="preserve">' +
+    ' REF ' +
+    input.replace(/[^a-zA-Z0-9_]/g, '_').substring(0, 40) +
+    ' \\h </w:instrText></w:r>' +
+    '<w:r><w:fldChar w:fldCharType="separate"/></w:r><w:r><w:t>' +
+    input +
+    '</w:t></w:r><w:r><w:fldChar w:fldCharType="end"/></w:r>'
+  );
+};
+
+// Capitalizes input first letter: {input | capfirst}
+expressions.filters.capfirst = function (input) {
+  if (!input || input == 'undefined') return input;
+  return input.replace(/^\w/, c => c.toUpperCase());
+};
+
+// Convert input date with parameter s (full,short): {input | convertDate: 's'}
+expressions.filters.convertDate = function (input, s) {
+  var date = new Date(input);
+  if (date != 'Invalid Date') {
+    var monthsFull = [
+      'January',
+      'February',
+      'March',
+      'April',
+      'May',
+      'June',
+      'July',
+      'August',
+      'September',
+      'October',
+      'November',
+      'December',
+    ];
+    var monthsShort = [
+      '01',
+      '02',
+      '03',
+      '04',
+      '05',
+      '06',
+      '07',
+      '08',
+      '09',
+      '10',
+      '11',
+      '12',
+    ];
+    var days = [
+      'Sunday',
+      'Monday',
+      'Tuesday',
+      'Wednesday',
+      'Thursday',
+      'Friday',
+      'Saturday',
+    ];
+    var day = date.getUTCDate();
+    var month = date.getUTCMonth();
+    var year = date.getUTCFullYear();
+    if (s === 'full') {
+      return (
+        days[date.getUTCDay()] +
+        ', ' +
+        monthsFull[month] +
+        ' ' +
+        (day < 10 ? '0' + day : day) +
+        ', ' +
+        year
+      );
+    }
+    if (s === 'short') {
+      return (
+        monthsShort[month] + '/' + (day < 10 ? '0' + day : day) + '/' + year
+      );
+    }
+  }
+};
+
+// Convert input date with parameter s (full,short): {input | convertDateLocale: 'locale':'style'}
+expressions.filters.convertDateLocale = function (input, locale, style) {
+  var date = new Date(input);
+  if (date != 'Invalid Date') {
+    var options = { year: 'numeric', month: '2-digit', day: '2-digit' };
+
+    if (style === 'full')
+      options = {
+        weekday: 'long',
+        year: 'numeric',
+        month: 'long',
+        day: 'numeric',
+      };
+
+    return date.toLocaleDateString(locale, options);
+  }
+};
+
+// Convert identifier prefix to a user defined prefix: {identifier | changeID: 'PRJ-'}
+expressions.filters.changeID = function (input, prefix) {
+  return input.replace('IDX-', prefix);
+};
+
+// Default value: returns input if it is truthy, otherwise its parameter.
+// Example producing a comma-separated list of affected systems, falling-back on the whole audit scope: {affected | lines | d: (scope | select: 'name') | join: ', '}
+expressions.filters.d = function (input, s) {
+  return input && input != 'undefined' ? input : s;
+};
+
+// Display "From ... to ..." dates nicely, removing redundant information when the start and end date occur during the same month or year: {date_start | fromTo: date_end:'fr' | capfirst}
+// To internationalize or customize the resulting string, associate the desired output to the strings "from {0} to {1}" and "on {0}" in your Pwndoc translate file.
+expressions.filters.fromTo = function (start, end, locale) {
+  const start_date = new Date(start);
+  const end_date = new Date(end);
+  let options = {},
+    start_str = '',
+    end_str = '';
+  let str = 'from {0} to {1}';
+
+  if (start_date == 'Invalid Date' || end_date == 'Invalid Date') return start;
+
+  options = { day: '2-digit', month: '2-digit', year: 'numeric' };
+  end_str = end_date.toLocaleDateString(locale, options);
+
+  if (start_date.getYear() != end_date.getYear()) {
+    options = { day: '2-digit', month: '2-digit', year: 'numeric' };
+    start_str = start_date.toLocaleDateString(locale, options);
+  } else if (start_date.getMonth() != end_date.getMonth()) {
+    options = { day: '2-digit', month: '2-digit' };
+    start_str = start_date.toLocaleDateString(locale, options);
+  } else if (start_date.getDay() != end_date.getDay()) {
+    options = { day: '2-digit' };
+    start_str = start_date.toLocaleDateString(locale, options);
+  } else {
+    start_str = end_str;
+    str = 'on {0}';
+  }
+
+  return translate.translate(str).format(start_str, end_str);
+};
+
+// Group input elements by an attribute: {#findings | groupBy: 'severity'}{title}{/findings | groupBy: 'severity'}
+// Source: https://stackoverflow.com/a/34890276
+expressions.filters.groupBy = function (input, key) {
+  return expressions.filters.loopObject(
+    input.reduce(function (rv, x) {
+      (rv[x[key]] = rv[x[key]] || []).push(x);
+      return rv;
+    }, {}),
+  );
+};
+
+// Returns the initials from an input string (typically a firstname): {creator.firstname | initials}
+expressions.filters.initials = function (input) {
+  if (!input || input == 'undefined') return input;
+  return input.replace(/(\w)\w+/gi, '$1.');
+};
+
+// Returns a string which is a concatenation of input elements using an optional separator string: {references | join: ', '}
+// Can also be used to build raw OOXML strings.
+expressions.filters.join = function (input, sep = '') {
+  if (!input || input == 'undefined') return input;
+  return input.join(sep);
+};
+
+// Returns the length (ie. number of items for an array) of input: {input | length}
+// Can be used as a conditional to check the emptiness of a list: {#input | length}Not empty{/input | length}
+expressions.filters.length = function (input) {
+  return input.length;
+};
+
+// Takes a multilines input strings (either raw or simple HTML paragraphs) and returns each line as an ordered list: {input | lines}
+expressions.filters.lines = function (input) {
+  if (!input || input == 'undefined') return input;
+  if (input.indexOf('<p>') == 0) {
+    return input.substring(3, input.length - 4).split('</p><p>');
+  } else {
+    return input.split('\n');
+  }
+};
+
+// Creates a hyperlink: {@input | linkTo: 'https://example.com' | p}
+expressions.filters.linkTo = function (input, url) {
+  return (
+    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>' +
+    '<w:r><w:instrText xml:space="preserve"> HYPERLINK "' +
+    url +
+    '" </w:instrText></w:r>' +
+    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>' +
+    '<w:r><w:rPr><w:rStyle w:val="Hyperlink"/></w:rPr>' +
+    '<w:t>' +
+    input +
+    '</w:t>' +
+    '</w:r><w:r><w:fldChar w:fldCharType="end"/></w:r>'
+  );
+};
+
+// Loop over the input object, providing acccess to its keys and values: {#findings | loopObject}{key}{value.title}{/findings | loopObject}
+// Source: https://stackoverflow.com/a/60887987
+expressions.filters.loopObject = function (input) {
+  return Object.keys(input).map(function (key) {
+    return { key, value: input[key] };
+  });
+};
+
+// Lowercases input: {input | lower}
+expressions.filters.lower = function (input) {
+  if (!input || input == 'undefined') return input;
+  return input.toLowerCase();
+};
+
+// Creates a clickable "mailto:" link, assumes that input is an email address if
+// no other address has been provided as parameter:
+// {@lastname | mailto: email | p}
+expressions.filters.mailto = function (input, address = null) {
+  return expressions.filters.linkTo(
+    input,
+    'mailto:' + (address ? address : input),
+  );
+};
+
+// Applies a filter on a sequence of objects: {scope | select: 'name' | map: 'lower' | join: ', '}
+expressions.filters.map = function (input, filter) {
+  let args = Array.prototype.slice.call(arguments, 2);
+  return input.map(x => expressions.filters[filter](x, ...args));
+};
+
+// Replace newlines in office XML format: {@input | NewLines}
+expressions.filters.NewLines = function (input) {
+  var pre = '<w:p><w:r><w:t>';
+  var post = '</w:t></w:r></w:p>';
+  var lineBreak = '<w:br/>';
+  var result = '';
+
+  if (!input) return pre + post;
+
+  input = utils.escapeXMLEntities(input);
+  var inputArray = input.split(/\n\n+/g);
+  inputArray.forEach(p => {
+    result += `${pre}${p.replace(/\n/g, lineBreak)}${post}`;
+  });
+  // input = input.replace(/\n/g, lineBreak);
+  // return pre + input + post;
+  return result;
+};
+
+// Embeds input within OOXML paragraph tags, applying an optional style name to it: {@input | p: 'Some style'}
+expressions.filters.p = function (input, style = null) {
+  let result = '<w:p>';
+
+  if (style !== null) {
+    let style_parsed = style.replaceAll(' ', '');
+    result += '<w:pPr><w:pStyle w:val="' + style_parsed + '"/></w:pPr>';
+  }
+  result += input + '</w:p>';
+
+  return result;
+};
+
+// Reverses the input array: {input | reverse}
+expressions.filters.reverse = function (input) {
+  return input.reverse();
+};
+
+// Add proper XML tags to embed raw string inside a docxtemplater raw expression: {@('Vulnerability: ' | s) + title | bookmarkCreate: identifier | p}
+expressions.filters.s = function (input) {
+  return '<w:r><w:t xml:space="preserve">' + input + '</w:t></w:r>';
+};
+
+// Looks up an attribute from a sequence of objects, doted notation is supported: {findings | select: 'cvss.environmentalSeverity'}
+expressions.filters.select = function (input, attr) {
+  return input.map(function (item) {
+    return _.get(item, attr);
+  });
+};
+
+// Sorts the input array according an optional given attribute, dotted notation is supported: {#findings | sort 'cvss.environmentalSeverity'}{name}{/findings | sort 'cvss.environmentalSeverity'}
+expressions.filters.sort = function (input, key = null) {
+  if (key === null) {
+    return input.sort();
+  } else {
+    return input.sort(function (a, b) {
+      return _.get(a, key) < _.get(b, key);
+    });
+  }
+};
+
+// Sort array by supplied field: {#findings | sortArrayByField: 'identifier':1}{/}
+// order: 1 = ascending, -1 = descending
+expressions.filters.sortArrayByField = function (input, field, order) {
+  //invalid order sort ascending
+  if (order != 1 && order != -1) order = 1;
+
+  const sorted = input.sort((a, b) => {
+    //multiply by order so that if is descending (-1) will reverse the values
+    return (
+      _.get(a, field).localeCompare(_.get(b, field), undefined, {
+        numeric: true,
+      }) * order
+    );
+  });
+  return sorted;
+};
+
+// Capitalizes input first letter of each word, can be associated to 'lower' to normalize case: {creator.lastname | lower | title}
+expressions.filters.title = function (input) {
+  if (!input || input == 'undefined') return input;
+  return input.replace(/\w\S*/g, w => w.replace(/^\w/, c => c.toUpperCase()));
+};
+
+// Returns the JSON representation of the input value, useful to dump variables content while debugging a template: {input | toJSON}
+expressions.filters.toJSON = function (input) {
+  return JSON.stringify(input);
+};
+
+// Upercases input: {input | upper}
+expressions.filters.upper = function (input) {
+  if (!input || input == 'undefined') return input;
+  return input.toUpperCase();
+};
+
+// Filters input elements matching a free-form Angular statements: {#findings | where: 'cvss.severity == "Critical"'}{title}{/findings | where: 'cvss.severity == "Critical"'}
+// Source: https://docxtemplater.com/docs/angular-parse/#data-filtering
+expressions.filters.where = function (input, query) {
+  return input.filter(function (item) {
+    return expressions.compile(query)(item);
+  });
+};
+
+// Convert HTML data to Open Office XML format: {@input | convertHTML: 'customStyle'}
+expressions.filters.convertHTML = function (input, style) {
+  if (typeof input === 'undefined') var result = html2ooxml('');
+  else var result = html2ooxml(input.replace(/(<p><\/p>)+$/, ''), style);
+  return result;
+};
+
+// Count vulnerability by severity
+// Example: {findings | count: 'Critical'}
+expressions.filters.count = function (input, severity) {
+  if (!input) return input;
+  var count = 0;
+
+  for (var i = 0; i < input.length; i++) {
+    if (input[i].cvss.baseSeverity === severity) {
+      count += 1;
+    }
+  }
+
+  return count;
+};
+
+// Translate using locale from 'translate' folder
+// Example: {input | translate: 'fr'}
+expressions.filters.translate = function (input, locale) {
+  translate.setLocale(locale);
+  if (!input) return input;
+  return translate.translate(input, locale);
+};
+
+module.exports = expressions;

backend/src/lib/report-generator.js

@@ -0,0 +1,707 @@
+var fs = require('fs');
+var Docxtemplater = require('docxtemplater');
+var PizZip = require('pizzip');
+var expressions = require('./report-filters');
+var ImageModule = require('docxtemplater-image-module-pwndoc');
+var sizeOf = require('image-size');
+var customGenerator = require('./custom-generator');
+var utils = require('./utils');
+var _ = require('lodash');
+var Image = require('mongoose').model('Image');
+const libre = require('libreoffice-convert');
+const { parseAsync } = require('json2csv');
+var Settings = require('mongoose').model('Settings');
+var CVSS31 = require('./cvsscalc31.js');
+var translate = require('../translate');
+var $t;
+const muhammara = require('muhammara');
+const path = require('path');
+const os = require('os');
+const { v4: uuidv4 } = require('uuid');
+
+// Generate document with docxtemplater
+async function generateDoc(audit) {
+  var templatePath = `${__basedir}/../report-templates/${audit.template.name}.${audit.template.ext || 'docx'}`;
+  var content = fs.readFileSync(templatePath, 'binary');
+
+  var zip = new PizZip(content);
+
+  translate.setLocale(audit.language);
+  $t = translate.translate;
+
+  var settings = await Settings.getAll();
+  var preppedAudit = await prepAuditData(audit, settings);
+
+  var opts = {};
+  // opts.centered = true;
+  opts.getImage = function (tagValue, tagName) {
+    if (tagValue !== 'undefined') {
+      tagValue = tagValue.split(',')[1];
+      return Buffer.from(tagValue, 'base64');
+    }
+    // return fs.readFileSync(tagValue, {encoding: 'base64'});
+  };
+  opts.getSize = function (img, tagValue, tagName) {
+    if (img) {
+      var sizeObj = sizeOf(img);
+      var width = sizeObj.width;
+      var height = sizeObj.height;
+      if (tagName === 'company.logo_small') {
+        var divider = sizeObj.height / 37;
+        height = 37;
+        width = Math.floor(sizeObj.width / divider);
+      } else if (tagName === 'company.logo') {
+        var divider = sizeObj.height / 250;
+        height = 250;
+        width = Math.floor(sizeObj.width / divider);
+        if (width > 400) {
+          divider = sizeObj.width / 400;
+          height = Math.floor(sizeObj.height / divider);
+          width = 400;
+        }
+      } else if (sizeObj.width > 600) {
+        var divider = sizeObj.width / 600;
+        width = 600;
+        height = Math.floor(sizeObj.height / divider);
+      }
+      return [width, height];
+    }
+    return [0, 0];
+  };
+
+  if (
+    settings.report.private.imageBorder &&
+    settings.report.private.imageBorderColor
+  )
+    opts.border = settings.report.private.imageBorderColor.replace('#', '');
+
+  try {
+    var imageModule = new ImageModule(opts);
+  } catch (err) {
+    console.log(err);
+  }
+  var doc = new Docxtemplater()
+    .attachModule(imageModule)
+    .loadZip(zip)
+    .setOptions({ parser: parser, paragraphLoop: true });
+  customGenerator.apply(preppedAudit);
+  doc.setData(preppedAudit);
+  try {
+    doc.render();
+  } catch (error) {
+    if (error.properties.id === 'multi_error') {
+      error.properties.errors.forEach(function (err) {
+        console.log(err);
+      });
+    } else console.log(error);
+    if (error.properties && error.properties.errors instanceof Array) {
+      const errorMessages = error.properties.errors
+        .map(function (error) {
+          return `Explanation: ${error.properties.explanation}\nScope: ${JSON.stringify(error.properties.scope).substring(0, 142)}...`;
+        })
+        .join('\n\n');
+      // errorMessages is a humanly readable message looking like this :
+      // 'The tag beginning with "foobar" is unopened'
+      throw `Template Error:\n${errorMessages}`;
+    } else {
+      throw error;
+    }
+  }
+  var buf = doc.getZip().generate({ type: 'nodebuffer' });
+
+  return buf;
+}
+exports.generateDoc = generateDoc;
+
+// Generates a PDF from a docx using libreoffice-convert
+// libreoffice-convert leverages libreoffice to convert office documents to different formats
+// https://www.npmjs.com/package/libreoffice-convert
+async function generatePdf(audit) {
+  var docxReport = await generateDoc(audit);
+  return new Promise((resolve, reject) =>
+    libre.convert(docxReport, '.pdf', undefined, (err, pdf) => {
+      if (err) console.log(err);
+      resolve(pdf);
+    }),
+  );
+}
+exports.generatePdf = generatePdf;
+
+// Generates a encrypted PDF using libreoffice-convert
+// and muhammara to encrypt it with a given password.
+// https://www.npmjs.com/package/muhammara
+
+async function generateEncryptedPdf(audit, password) {
+  // Genera el archivo DOCX
+  var docxReport = await generateDoc(audit);
+
+  return new Promise((resolve, reject) => {
+    libre.convert(docxReport, '.pdf', undefined, (err, pdf) => {
+      if (err) {
+        console.log(err);
+        return reject(err);
+      }
+
+      const tempPdfPath = path.join(
+        os.tmpdir(),
+        `documento_sin_contraseña_${uuidv4()}.pdf`,
+      );
+      fs.writeFileSync(tempPdfPath, pdf);
+
+      const protectedPdfPath = path.join(
+        os.tmpdir(),
+        `documento_protegido_${uuidv4()}.pdf`,
+      );
+
+      try {
+        const Recipe = muhammara.Recipe;
+        const pdfDoc = new Recipe(tempPdfPath, protectedPdfPath);
+
+        pdfDoc
+          .encrypt({
+            userPassword: password,
+            ownerPassword: password,
+            userProtectionFlag: 4,
+          })
+          .endPDF();
+
+        const protectedPdf = fs.readFileSync(protectedPdfPath);
+
+        fs.unlinkSync(tempPdfPath);
+        fs.unlinkSync(protectedPdfPath);
+
+        resolve(protectedPdf);
+      } catch (error) {
+        console.error('Error protecting PDF:', error);
+        reject(error);
+      }
+    });
+  });
+}
+exports.generateEncryptedPdf = generateEncryptedPdf;
+
+// Generates a csv from the json data
+// Leverages json2csv
+// https://www.npmjs.com/package/json2csv
+async function generateCsv(audit) {
+  return parseAsync(audit._doc);
+}
+exports.generateCsv = generateCsv;
+
+// Filters helper: handles the use of preformated easilly translatable strings.
+// Source: https://www.tutorialstonight.com/javascript-string-format.php
+String.prototype.format = function () {
+  let args = arguments;
+  return this.replace(/{([0-9]+)}/g, function (match, index) {
+    return typeof args[index] == 'undefined' ? match : args[index];
+  });
+};
+
+// Compile all angular expressions
+var angularParser = function (tag) {
+  expressions = { ...expressions, ...customGenerator.expressions };
+  if (tag === '.') {
+    return {
+      get: function (s) {
+        return s;
+      },
+    };
+  }
+  const expr = expressions.compile(
+    tag.replace(/(’|‘)/g, "'").replace(/(“|”)/g, '"'),
+  );
+  return {
+    get: function (scope, context) {
+      let obj = {};
+      const scopeList = context.scopeList;
+      const num = context.num;
+      for (let i = 0, len = num + 1; i < len; i++) {
+        obj = _.merge(obj, scopeList[i]);
+      }
+      return expr(scope, obj);
+    },
+  };
+};
+
+function parser(tag) {
+  // We write an exception to handle the tag "$pageBreakExceptLast"
+  if (tag === '$pageBreakExceptLast') {
+    return {
+      get(scope, context) {
+        const totalLength =
+          context.scopePathLength[context.scopePathLength.length - 1];
+        const index = context.scopePathItem[context.scopePathItem.length - 1];
+        const isLast = index === totalLength - 1;
+        if (!isLast) {
+          return '<w:p><w:r><w:br w:type="page"/></w:r></w:p>';
+        } else {
+          return '';
+        }
+      },
+    };
+  }
+  // We use the angularParser as the default fallback
+  // If you don't wish to use the angularParser,
+  // you can use the default parser as documented here:
+  // https://docxtemplater.readthedocs.io/en/latest/configuration.html#default-parser
+  return angularParser(tag);
+}
+function cvssStrToObject(cvss) {
+  var initialState = 'Not Defined';
+  var res = {
+    AV: initialState,
+    AC: initialState,
+    PR: initialState,
+    UI: initialState,
+    S: initialState,
+    C: initialState,
+    I: initialState,
+    A: initialState,
+    E: initialState,
+    RL: initialState,
+    RC: initialState,
+    CR: initialState,
+    IR: initialState,
+    AR: initialState,
+    MAV: initialState,
+    MAC: initialState,
+    MPR: initialState,
+    MUI: initialState,
+    MS: initialState,
+    MC: initialState,
+    MI: initialState,
+    MA: initialState,
+  };
+  if (cvss) {
+    var temp = cvss.split('/');
+    for (var i = 0; i < temp.length; i++) {
+      var elt = temp[i].split(':');
+      switch (elt[0]) {
+        case 'AV':
+          if (elt[1] === 'N') res.AV = 'Network';
+          else if (elt[1] === 'A') res.AV = 'Adjacent Network';
+          else if (elt[1] === 'L') res.AV = 'Local';
+          else if (elt[1] === 'P') res.AV = 'Physical';
+          res.AV = $t(res.AV);
+          break;
+        case 'AC':
+          if (elt[1] === 'L') res.AC = 'Low';
+          else if (elt[1] === 'H') res.AC = 'High';
+          res.AC = $t(res.AC);
+          break;
+        case 'PR':
+          if (elt[1] === 'N') res.PR = 'None';
+          else if (elt[1] === 'L') res.PR = 'Low';
+          else if (elt[1] === 'H') res.PR = 'High';
+          res.PR = $t(res.PR);
+          break;
+        case 'UI':
+          if (elt[1] === 'N') res.UI = 'None';
+          else if (elt[1] === 'R') res.UI = 'Required';
+          res.UI = $t(res.UI);
+          break;
+        case 'S':
+          if (elt[1] === 'U') res.S = 'Unchanged';
+          else if (elt[1] === 'C') res.S = 'Changed';
+          res.S = $t(res.S);
+          break;
+        case 'C':
+          if (elt[1] === 'N') res.C = 'None';
+          else if (elt[1] === 'L') res.C = 'Low';
+          else if (elt[1] === 'H') res.C = 'High';
+          res.C = $t(res.C);
+          break;
+        case 'I':
+          if (elt[1] === 'N') res.I = 'None';
+          else if (elt[1] === 'L') res.I = 'Low';
+          else if (elt[1] === 'H') res.I = 'High';
+          res.I = $t(res.I);
+          break;
+        case 'A':
+          if (elt[1] === 'N') res.A = 'None';
+          else if (elt[1] === 'L') res.A = 'Low';
+          else if (elt[1] === 'H') res.A = 'High';
+          res.A = $t(res.A);
+          break;
+        case 'E':
+          if (elt[1] === 'U') res.E = 'Unproven';
+          else if (elt[1] === 'P') res.E = 'Proof-of-Concept';
+          else if (elt[1] === 'F') res.E = 'Functional';
+          else if (elt[1] === 'H') res.E = 'High';
+          res.E = $t(res.E);
+          break;
+        case 'RL':
+          if (elt[1] === 'O') res.RL = 'Official Fix';
+          else if (elt[1] === 'T') res.RL = 'Temporary Fix';
+          else if (elt[1] === 'W') res.RL = 'Workaround';
+          else if (elt[1] === 'U') res.RL = 'Unavailable';
+          res.RL = $t(res.RL);
+          break;
+        case 'RC':
+          if (elt[1] === 'U') res.RC = 'Unknown';
+          else if (elt[1] === 'R') res.RC = 'Reasonable';
+          else if (elt[1] === 'C') res.RC = 'Confirmed';
+          res.RC = $t(res.RC);
+          break;
+        case 'CR':
+          if (elt[1] === 'L') res.CR = 'Low';
+          else if (elt[1] === 'M') res.CR = 'Medium';
+          else if (elt[1] === 'H') res.CR = 'High';
+          res.CR = $t(res.CR);
+          break;
+        case 'IR':
+          if (elt[1] === 'L') res.IR = 'Low';
+          else if (elt[1] === 'M') res.IR = 'Medium';
+          else if (elt[1] === 'H') res.IR = 'High';
+          res.IR = $t(res.IR);
+          break;
+        case 'AR':
+          if (elt[1] === 'L') res.AR = 'Low';
+          else if (elt[1] === 'M') res.AR = 'Medium';
+          else if (elt[1] === 'H') res.AR = 'High';
+          res.AR = $t(res.AR);
+          break;
+        case 'MAV':
+          if (elt[1] === 'N') res.MAV = 'Network';
+          else if (elt[1] === 'A') res.MAV = 'Adjacent Network';
+          else if (elt[1] === 'L') res.MAV = 'Local';
+          else if (elt[1] === 'P') res.MAV = 'Physical';
+          res.MAV = $t(res.MAV);
+          break;
+        case 'MAC':
+          if (elt[1] === 'L') res.MAC = 'Low';
+          else if (elt[1] === 'H') res.MAC = 'High';
+          res.MAC = $t(res.MAC);
+          break;
+        case 'MPR':
+          if (elt[1] === 'N') res.MPR = 'None';
+          else if (elt[1] === 'L') res.MPR = 'Low';
+          else if (elt[1] === 'H') res.MPR = 'High';
+          res.MPR = $t(res.MPR);
+          break;
+        case 'MUI':
+          if (elt[1] === 'N') res.MUI = 'None';
+          else if (elt[1] === 'R') res.MUI = 'Required';
+          res.MUI = $t(res.MUI);
+          break;
+        case 'MS':
+          if (elt[1] === 'U') res.MS = 'Unchanged';
+          else if (elt[1] === 'C') res.MS = 'Changed';
+          res.MS = $t(res.MS);
+          break;
+        case 'MC':
+          if (elt[1] === 'N') res.MC = 'None';
+          else if (elt[1] === 'L') res.MC = 'Low';
+          else if (elt[1] === 'H') res.MC = 'High';
+          res.MC = $t(res.MC);
+          break;
+        case 'MI':
+          if (elt[1] === 'N') res.MI = 'None';
+          else if (elt[1] === 'L') res.MI = 'Low';
+          else if (elt[1] === 'H') res.MI = 'High';
+          res.MI = $t(res.MI);
+          break;
+        case 'MA':
+          if (elt[1] === 'N') res.MA = 'None';
+          else if (elt[1] === 'L') res.MA = 'Low';
+          else if (elt[1] === 'H') res.MA = 'High';
+          res.MA = $t(res.MA);
+          break;
+        default:
+          break;
+      }
+    }
+  }
+  return res;
+}
+
+async function prepAuditData(data, settings) {
+  /** CVSS Colors for table cells */
+  var noneColor = settings.report.public.cvssColors.noneColor.replace('#', ''); //default of blue ("#4A86E8")
+  var lowColor = settings.report.public.cvssColors.lowColor.replace('#', ''); //default of green ("#008000")
+  var mediumColor = settings.report.public.cvssColors.mediumColor.replace(
+    '#',
+    '',
+  ); //default of yellow ("#f9a009")
+  var highColor = settings.report.public.cvssColors.highColor.replace('#', ''); //default of red ("#fe0000")
+  var criticalColor = settings.report.public.cvssColors.criticalColor.replace(
+    '#',
+    '',
+  ); //default of black ("#212121")
+
+  var cellNoneColor =
+    '<w:tcPr><w:shd w:val="clear" w:color="auto" w:fill="' +
+    noneColor +
+    '"/></w:tcPr>';
+  var cellLowColor =
+    '<w:tcPr><w:shd w:val="clear" w:color="auto" w:fill="' +
+    lowColor +
+    '"/></w:tcPr>';
+  var cellMediumColor =
+    '<w:tcPr><w:shd w:val="clear" w:color="auto" w:fill="' +
+    mediumColor +
+    '"/></w:tcPr>';
+  var cellHighColor =
+    '<w:tcPr><w:shd w:val="clear" w:color="auto" w:fill="' +
+    highColor +
+    '"/></w:tcPr>';
+  var cellCriticalColor =
+    '<w:tcPr><w:shd w:val="clear" w:color="auto" w:fill="' +
+    criticalColor +
+    '"/></w:tcPr>';
+
+  var result = {};
+  result.name = data.name || 'undefined';
+  result.auditType = $t(data.auditType) || 'undefined';
+  result.date = data.date || 'undefined';
+  result.date_start = data.date_start || 'undefined';
+  result.date_end = data.date_end || 'undefined';
+  if (data.customFields) {
+    for (var field of data.customFields) {
+      var fieldType = field.customField.fieldType;
+      var label = field.customField.label;
+
+      if (fieldType === 'text')
+        result[_.deburr(label.toLowerCase()).replace(/\s/g, '')] =
+          await splitHTMLParagraphs(field.text);
+      else if (fieldType !== 'space')
+        result[_.deburr(label.toLowerCase()).replace(/\s/g, '')] = field.text;
+    }
+  }
+
+  result.company = {};
+  if (data.company) {
+    result.company.name = data.company.name || 'undefined';
+    result.company.shortName = data.company.shortName || result.company.name;
+    result.company.logo = data.company.logo || 'undefined';
+    result.company.logo_small = data.company.logo || 'undefined';
+  }
+
+  result.client = {};
+  if (data.client) {
+    result.client.email = data.client.email || 'undefined';
+    result.client.firstname = data.client.firstname || 'undefined';
+    result.client.lastname = data.client.lastname || 'undefined';
+    result.client.phone = data.client.phone || 'undefined';
+    result.client.cell = data.client.cell || 'undefined';
+    result.client.title = data.client.title || 'undefined';
+  }
+
+  result.collaborators = [];
+  data.collaborators.forEach(collab => {
+    result.collaborators.push({
+      username: collab.username || 'undefined',
+      firstname: collab.firstname || 'undefined',
+      lastname: collab.lastname || 'undefined',
+      email: collab.email || 'undefined',
+      phone: collab.phone || 'undefined',
+      role: collab.role || 'undefined',
+    });
+  });
+  result.language = data.language || 'undefined';
+  result.scope = data.scope.toObject() || [];
+
+  result.findings = [];
+  for (var finding of data.findings) {
+    var tmpCVSS = CVSS31.calculateCVSSFromVector(finding.cvssv3);
+    var tmpFinding = {
+      title: finding.title || '',
+      vulnType: $t(finding.vulnType) || '',
+      description: await splitHTMLParagraphs(finding.description),
+      observation: await splitHTMLParagraphs(finding.observation),
+      remediation: await splitHTMLParagraphs(finding.remediation),
+      remediationComplexity: finding.remediationComplexity || '',
+      priority: finding.priority || '',
+      references: finding.references || [],
+      cwes: finding.cwes || [],
+      poc: await splitHTMLParagraphs(finding.poc),
+      affected: finding.scope || '',
+      status: finding.status || '',
+      category: $t(finding.category) || $t('No Category'),
+      identifier: 'IDX-' + utils.lPad(finding.identifier),
+      retestStatus: finding?.retestStatus ? $t(finding.retestStatus) : '',
+      retestDescription: await splitHTMLParagraphs(finding.retestDescription),
+    };
+    // Handle CVSS
+    tmpFinding.cvss = {
+      vectorString: tmpCVSS.vectorString || '',
+      baseMetricScore: tmpCVSS.baseMetricScore || '',
+      baseSeverity: tmpCVSS.baseSeverity || '',
+      temporalMetricScore: tmpCVSS.temporalMetricScore || '',
+      temporalSeverity: tmpCVSS.temporalSeverity || '',
+      environmentalMetricScore: tmpCVSS.environmentalMetricScore || '',
+      environmentalSeverity: tmpCVSS.environmentalSeverity || '',
+    };
+    if (tmpCVSS.baseImpact)
+      tmpFinding.cvss.baseImpact = CVSS31.roundUp1(tmpCVSS.baseImpact);
+    else tmpFinding.cvss.baseImpact = '';
+    if (tmpCVSS.baseExploitability)
+      tmpFinding.cvss.baseExploitability = CVSS31.roundUp1(
+        tmpCVSS.baseExploitability,
+      );
+    else tmpFinding.cvss.baseExploitability = '';
+
+    if (tmpCVSS.environmentalModifiedImpact)
+      tmpFinding.cvss.environmentalModifiedImpact = CVSS31.roundUp1(
+        tmpCVSS.environmentalModifiedImpact,
+      );
+    else tmpFinding.cvss.environmentalModifiedImpact = '';
+    if (tmpCVSS.environmentalModifiedExploitability)
+      tmpFinding.cvss.environmentalModifiedExploitability = CVSS31.roundUp1(
+        tmpCVSS.environmentalModifiedExploitability,
+      );
+    else tmpFinding.cvss.environmentalModifiedExploitability = '';
+
+    if (tmpCVSS.baseSeverity === 'Low')
+      tmpFinding.cvss.cellColor = cellLowColor;
+    else if (tmpCVSS.baseSeverity === 'Medium')
+      tmpFinding.cvss.cellColor = cellMediumColor;
+    else if (tmpCVSS.baseSeverity === 'High')
+      tmpFinding.cvss.cellColor = cellHighColor;
+    else if (tmpCVSS.baseSeverity === 'Critical')
+      tmpFinding.cvss.cellColor = cellCriticalColor;
+    else tmpFinding.cvss.cellColor = cellNoneColor;
+
+    if (tmpCVSS.temporalSeverity === 'Low')
+      tmpFinding.cvss.temporalCellColor = cellLowColor;
+    else if (tmpCVSS.temporalSeverity === 'Medium')
+      tmpFinding.cvss.temporalCellColor = cellMediumColor;
+    else if (tmpCVSS.temporalSeverity === 'High')
+      tmpFinding.cvss.temporalCellColor = cellHighColor;
+    else if (tmpCVSS.temporalSeverity === 'Critical')
+      tmpFinding.cvss.temporalCellColor = cellCriticalColor;
+    else tmpFinding.cvss.temporalCellColor = cellNoneColor;
+
+    if (tmpCVSS.environmentalSeverity === 'Low')
+      tmpFinding.cvss.environmentalCellColor = cellLowColor;
+    else if (tmpCVSS.environmentalSeverity === 'Medium')
+      tmpFinding.cvss.environmentalCellColor = cellMediumColor;
+    else if (tmpCVSS.environmentalSeverity === 'High')
+      tmpFinding.cvss.environmentalCellColor = cellHighColor;
+    else if (tmpCVSS.environmentalSeverity === 'Critical')
+      tmpFinding.cvss.environmentalCellColor = cellCriticalColor;
+    else tmpFinding.cvss.environmentalCellColor = cellNoneColor;
+
+    tmpFinding.cvssObj = cvssStrToObject(tmpCVSS.vectorString);
+
+    if (finding.customFields) {
+      for (field of finding.customFields) {
+        // For retrocompatibility of findings with old customFields
+        // or if custom field has been deleted, last saved custom fields will be available
+        if (field.customField) {
+          var fieldType = field.customField.fieldType;
+          var label = field.customField.label;
+        } else {
+          var fieldType = field.fieldType;
+          var label = field.label;
+        }
+        if (fieldType === 'text')
+          tmpFinding[
+            _.deburr(label.toLowerCase())
+              .replace(/\s/g, '')
+              .replace(/[^\w]/g, '_')
+          ] = await splitHTMLParagraphs(field.text);
+        else if (fieldType !== 'space')
+          tmpFinding[
+            _.deburr(label.toLowerCase())
+              .replace(/\s/g, '')
+              .replace(/[^\w]/g, '_')
+          ] = field.text;
+      }
+    }
+    result.findings.push(tmpFinding);
+  }
+
+  result.categories = _.chain(result.findings)
+    .groupBy('category')
+    .map((value, key) => {
+      return { categoryName: key, categoryFindings: value };
+    })
+    .value();
+
+  result.creator = {};
+  if (data.creator) {
+    result.creator.username = data.creator.username || 'undefined';
+    result.creator.firstname = data.creator.firstname || 'undefined';
+    result.creator.lastname = data.creator.lastname || 'undefined';
+    result.creator.email = data.creator.email || 'undefined';
+    result.creator.phone = data.creator.phone || 'undefined';
+    result.creator.role = data.creator.role || 'undefined';
+  }
+
+  for (var section of data.sections) {
+    var formatSection = {
+      name: $t(section.name),
+    };
+    if (section.text)
+      // keep text for retrocompatibility
+      formatSection.text = await splitHTMLParagraphs(section.text);
+    else if (section.customFields) {
+      for (field of section.customFields) {
+        var fieldType = field.customField.fieldType;
+        var label = field.customField.label;
+        if (fieldType === 'text')
+          formatSection[
+            _.deburr(label.toLowerCase())
+              .replace(/\s/g, '')
+              .replace(/[^\w]/g, '_')
+          ] = await splitHTMLParagraphs(field.text);
+        else if (fieldType !== 'space')
+          formatSection[
+            _.deburr(label.toLowerCase())
+              .replace(/\s/g, '')
+              .replace(/[^\w]/g, '_')
+          ] = field.text;
+      }
+    }
+    result[section.field] = formatSection;
+  }
+  replaceSubTemplating(result);
+  return result;
+}
+
+async function splitHTMLParagraphs(data) {
+  var result = [];
+  if (!data) return result;
+
+  var splitted = data.split(/(<img.+?src=".*?".+?alt=".*?".*?>)/);
+
+  for (var value of splitted) {
+    if (value.startsWith('<img')) {
+      var src = value.match(/<img.+src="(.*?)"/) || '';
+      var alt = value.match(/<img.+alt="(.*?)"/) || '';
+      if (src && src.length > 1) src = src[1];
+      if (alt && alt.length > 1) alt = _.unescape(alt[1]);
+
+      if (!src.startsWith('data')) {
+        try {
+          src = (await Image.getOne(src)).value;
+        } catch (error) {
+          src = 'data:image/gif;base64,R0lGODlhAQABAAAAACwAAAAAAQABAAA=';
+        }
+      }
+      if (result.length === 0) result.push({ text: '', images: [] });
+      result[result.length - 1].images.push({ image: src, caption: alt });
+    } else if (value === '') {
+      continue;
+    } else {
+      result.push({ text: value, images: [] });
+    }
+  }
+  return result;
+}
+
+function replaceSubTemplating(o, originalData = o) {
+  var regexp = /\{_\{([a-zA-Z0-9\[\]\_\.]{1,})\}_\}/gm;
+  if (Array.isArray(o))
+    o.forEach(key => replaceSubTemplating(key, originalData));
+  else if (typeof o === 'object' && !!o) {
+    Object.keys(o).forEach(key => {
+      if (typeof o[key] === 'string')
+        o[key] = o[key].replace(regexp, (match, word) =>
+          _.get(originalData, word.trim(), ''),
+        );
+      else replaceSubTemplating(o[key], originalData);
+    });
+  }
+}

backend/src/lib/utils.js

@@ -0,0 +1,58 @@
+// Filename whitelist validation for template creation
+function validFilename(filename) {
+  const regex = /^[\p{Letter}\p{Mark}0-9 \[\]'()_-]+$/iu;
+
+  return regex.test(filename);
+}
+exports.validFilename = validFilename;
+
+// Escape XML special entities when using {@RawXML} in template generation
+function escapeXMLEntities(input) {
+  var XML_CHAR_MAP = { '<': '&lt;', '>': '&gt;', '&': '&amp;' };
+  var standardEncode = input.replace(/[<>&]/g, function (ch) {
+    return XML_CHAR_MAP[ch];
+  });
+  return standardEncode;
+}
+exports.escapeXMLEntities = escapeXMLEntities;
+
+// Convert number to 3 digits format if under 100
+function lPad(number) {
+  if (number <= 99) {
+    number = ('00' + number).slice(-3);
+  }
+  return `${number}`;
+}
+exports.lPad = lPad;
+
+function escapeRegex(regex) {
+  return regex.replace(/[-\/\\^$*+?.()|[\]{}]/g, '\\$&');
+}
+exports.escapeRegex = escapeRegex;
+
+function generateUUID() {
+  return require('crypto').randomBytes(32).toString('hex');
+}
+exports.generateUUID = generateUUID;
+
+var getObjectPaths = (obj, prefix = '') =>
+  Object.keys(obj).reduce((res, el) => {
+    if (Array.isArray(obj[el])) {
+      return [...res, prefix + el];
+    } else if (typeof obj[el] === 'object' && obj[el] !== null) {
+      return [...res, ...getObjectPaths(obj[el], prefix + el + '.')];
+    }
+    return [...res, prefix + el];
+  }, []);
+exports.getObjectPaths = getObjectPaths;
+
+function getSockets(io, room) {
+  var result = [];
+  io.sockets.sockets.forEach(data => {
+    if (data.rooms.has(room)) {
+      result.push(data);
+    }
+  });
+  return result;
+}
+exports.getSockets = getSockets;

backend/src/models/audit-type.js

@@ -0,0 +1,114 @@
+var mongoose = require('mongoose');
+var Schema = mongoose.Schema;
+
+var Template = {
+  _id: false,
+  template: { type: Schema.Types.ObjectId, ref: 'Template' },
+  locale: String,
+};
+
+var AuditTypeSchema = new Schema(
+  {
+    name: { type: String, unique: true },
+    templates: [Template],
+    sections: [{ type: String, ref: 'CustomSection' }],
+    hidden: [{ type: String, enum: ['network', 'findings'] }],
+    stage: {
+      type: String,
+      enum: ['default', 'retest', 'multi'],
+      default: 'default',
+    },
+  },
+  { timestamps: true },
+);
+
+/*
+ *** Statics ***
+ */
+
+// Get all auditTypes
+AuditTypeSchema.statics.getAll = () => {
+  return new Promise((resolve, reject) => {
+    var query = AuditType.find();
+    query.select('_id name templates sections hidden stage');
+    query
+      .exec()
+      .then(rows => {
+        resolve(rows);
+      })
+      .catch(err => {
+        reject(err);
+      });
+  });
+};
+
+// Get auditType by name
+AuditTypeSchema.statics.getByName = name => {
+  return new Promise((resolve, reject) => {
+    var query = AuditType.findOne({ name: name });
+    query.select('-_id name templates sections hidden stage');
+    query
+      .exec()
+      .then(rows => {
+        resolve(rows);
+      })
+      .catch(err => {
+        reject(err);
+      });
+  });
+};
+
+// Create auditType
+AuditTypeSchema.statics.create = auditType => {
+  return new Promise((resolve, reject) => {
+    var query = new AuditType(auditType);
+    query
+      .save()
+      .then(row => {
+        resolve(row);
+      })
+      .catch(err => {
+        if (err.code === 11000)
+          reject({ fn: 'BadParameters', message: 'Audit Type already exists' });
+        else reject(err);
+      });
+  });
+};
+
+// Update Audit Types
+AuditTypeSchema.statics.updateAll = auditTypes => {
+  return new Promise((resolve, reject) => {
+    AuditType.deleteMany()
+      .then(row => {
+        AuditType.insertMany(auditTypes);
+      })
+      .then(row => {
+        resolve('Audit Types updated successfully');
+      })
+      .catch(err => {
+        reject(err);
+      });
+  });
+};
+
+// Delete auditType
+AuditTypeSchema.statics.delete = name => {
+  return new Promise((resolve, reject) => {
+    AuditType.deleteOne({ name: name })
+      .then(res => {
+        if (res.deletedCount === 1) resolve('Audit Type deleted');
+        else reject({ fn: 'NotFound', message: 'Audit Type not found' });
+      })
+      .catch(err => {
+        reject(err);
+      });
+  });
+};
+
+/*
+ *** Methods ***
+ */
+
+var AuditType = mongoose.model('AuditType', AuditTypeSchema);
+AuditType.syncIndexes();
+module.exports = AuditType;

backend/src/models/audit.js

@@ -0,0 +1,1195 @@
+var mongoose = require('mongoose'); //.set('debug', true);
+const CVSS31 = require('../lib/cvsscalc31');
+var Schema = mongoose.Schema;
+
+var Paragraph = {
+  text: String,
+  images: [{ image: String, caption: String }],
+};
+
+var customField = {
+  _id: false,
+  customField: { type: Schema.Types.Mixed, ref: 'CustomField' },
+  text: Schema.Types.Mixed,
+};
+
+var Finding = {
+  id: Schema.Types.ObjectId,
+  identifier: Number, //incremental ID to be shown in the report
+  title: String,
+  vulnType: String,
+  description: String,
+  observation: String,
+  remediation: String,
+  remediationComplexity: { type: Number, enum: [1, 2, 3] },
+  priority: { type: Number, enum: [1, 2, 3, 4] },
+  references: [String],
+  cwes: [String],
+  cvssv3: String,
+  paragraphs: [Paragraph],
+  poc: String,
+  scope: String,
+  status: { type: Number, enum: [0, 1], default: 1 }, // 0: done, 1: redacting
+  category: String,
+  customFields: [customField],
+  retestStatus: { type: String, enum: ['ok', 'ko', 'unknown', 'partial'] },
+  retestDescription: String,
+};
+
+var Service = {
+  port: Number,
+  protocol: { type: String, enum: ['tcp', 'udp'] },
+  name: String,
+  product: String,
+  version: String,
+};
+
+var Host = {
+  hostname: String,
+  ip: String,
+  os: String,
+  services: [Service],
+};
+
+var SortOption = {
+  _id: false,
+  category: String,
+  sortValue: String,
+  sortOrder: { type: String, enum: ['desc', 'asc'] },
+  sortAuto: Boolean,
+};
+
+var AuditSchema = new Schema(
+  {
+    name: { type: String, required: true },
+    auditType: String,
+    date: String,
+    date_start: String,
+    date_end: String,
+    summary: String,
+    company: { type: Schema.Types.ObjectId, ref: 'Company' },
+    client: { type: Schema.Types.ObjectId, ref: 'Client' },
+    collaborators: [{ type: Schema.Types.ObjectId, ref: 'User' }],
+    reviewers: [{ type: Schema.Types.ObjectId, ref: 'User' }],
+    language: { type: String, required: true },
+    scope: [{ _id: false, name: String, hosts: [Host] }],
+    findings: [Finding],
+    template: { type: Schema.Types.ObjectId, ref: 'Template' },
+    creator: { type: Schema.Types.ObjectId, ref: 'User' },
+    sections: [
+      {
+        field: String,
+        name: String,
+        text: String,
+        customFields: [customField],
+      },
+    ], // keep text for retrocompatibility
+    customFields: [customField],
+    sortFindings: [SortOption],
+    state: {
+      type: String,
+      enum: ['EDIT', 'REVIEW', 'APPROVED'],
+      default: 'EDIT',
+    },
+    approvals: [{ type: Schema.Types.ObjectId, ref: 'User' }],
+    type: {
+      type: String,
+      enum: ['default', 'multi', 'retest'],
+      default: 'default',
+    },
+    parentId: { type: Schema.Types.ObjectId, ref: 'Audit' },
+  },
+  { timestamps: true },
+);
+
+/*
+ *** Statics ***
+ */
+
+// Get all audits (admin)
+AuditSchema.statics.getAudits = (isAdmin, userId, filters) => {
+  return new Promise((resolve, reject) => {
+    var query = Audit.find(filters);
+    if (!isAdmin)
+      query.or([
+        { creator: userId },
+        { collaborators: userId },
+        { reviewers: userId },
+      ]);
+    query.populate('creator', 'username');
+    query.populate('collaborators', 'username');
+    query.populate('reviewers', 'username firstname lastname');
+    query.populate('approvals', 'username firstname lastname');
+    query.populate('company', 'name');
+    query.populate('template', '-_id ext');
+    query.select(
+      'id name auditType language creator collaborators company createdAt state type parentId template',
+    );
+    query
+      .exec()
+      .then(rows => {
+        resolve(rows);
+      })
+      .catch(err => {
+        reject(err);
+      });
+  });
+};
+
+// Get Audit with ID to generate report
+AuditSchema.statics.getAudit = (isAdmin, auditId, userId) => {
+  return new Promise((resolve, reject) => {
+    var query = Audit.findById(auditId);
+    if (!isAdmin)
+      query.or([
+        { creator: userId },
+        { collaborators: userId },
+        { reviewers: userId },
+      ]);
+    query.populate('template');
+    query.populate('creator', 'username firstname lastname email phone role');
+    query.populate('company');
+    query.populate('client');
+    query.populate(
+      'collaborators',
+      'username firstname lastname email phone role',
+    );
+    query.populate('reviewers', 'username firstname lastname role');
+    query.populate('approvals', 'username firstname lastname role');
+    query.populate('customFields.customField', 'label fieldType text');
+    query.populate({
+      path: 'findings',
+      populate: {
+        path: 'customFields.customField',
+        select: 'label fieldType text',
+      },
+    });
+    query
+      .exec()
+      .then(row => {
+        if (!row)
+          throw {
+            fn: 'NotFound',
+            message: 'Audit not found or Insufficient Privileges',
+          };
+        resolve(row);
+      })
+      .catch(err => {
+        if (err.name === 'CastError')
+          reject({ fn: 'BadParameters', message: 'Bad Audit Id' });
+        else reject(err);
+      });
+  });
+};
+
+AuditSchema.statics.getAuditChildren = (isAdmin, auditId, userId) => {
+  return new Promise((resolve, reject) => {
+    var query = Audit.find({ parentId: auditId });
+    if (!isAdmin)
+      query.or([
+        { creator: userId },
+        { collaborators: userId },
+        { reviewers: userId },
+      ]);
+    query
+      .exec()
+      .then(rows => {
+        if (!rows)
+          throw {
+            fn: 'NotFound',
+            message: 'Children not found or Insufficient Privileges',
+          };
+        resolve(rows);
+      })
+      .catch(err => {
+        if (err.name === 'CastError')
+          reject({ fn: 'BadParameters', message: 'Bad Audit Id' });
+        else reject(err);
+      });
+  });
+};
+
+// Get Audit Retest
+AuditSchema.statics.getRetest = (isAdmin, auditId, userId) => {
+  return new Promise((resolve, reject) => {
+    var query = Audit.findOne({ parentId: auditId });
+
+    if (!isAdmin)
+      query.or([
+        { creator: userId },
+        { collaborators: userId },
+        { reviewers: userId },
+      ]);
+    query
+      .exec()
+      .then(row => {
+        if (!row)
+          throw { fn: 'NotFound', message: 'No retest found for this audit' };
+        else {
+          resolve(row);
+        }
+      })
+      .catch(err => {
+        reject(err);
+      });
+  });
+};
+
+// Create Audit Retest
+AuditSchema.statics.createRetest = (isAdmin, auditId, userId, auditType) => {
+  return new Promise((resolve, reject) => {
+    var audit = {};
+    audit.creator = userId;
+    audit.type = 'retest';
+    audit.parentId = auditId;
+    audit.auditType = auditType;
+    audit.findings = [];
+    audit.sections = [];
+    audit.customFields = [];
+
+    var auditTypeSections = [];
+    var customSections = [];
+    var customFields = [];
+    var AuditType = mongoose.model('AuditType');
+
+    var query = Audit.findById(auditId);
+    if (!isAdmin)
+      query.or([
+        { creator: userId },
+        { collaborators: userId },
+        { reviewers: userId },
+      ]);
+    query
+      .exec()
+      .then(async row => {
+        if (!row)
+          throw {
+            fn: 'NotFound',
+            message: 'Audit not found or Insufficient Privileges',
+          };
+        else {
+          var retest = await Audit.findOne({ parentId: auditId }).exec();
+          if (retest)
+            throw {
+              fn: 'BadParameters',
+              message: 'Retest already exists for this Audit',
+            };
+          audit.name = row.name;
+          audit.company = row.company;
+          audit.client = row.client;
+          audit.collaborators = row.collaborators;
+          audit.reviewers = row.reviewers;
+          audit.language = row.language;
+          audit.scope = row.scope;
+          audit.findings = row.findings;
+          // row.findings.forEach(finding => {
+          //     var tmpFinding = {}
+          //     tmpFinding.title = finding.title
+          //     tmpFinding.identifier = finding.identifier
+          //     tmpFinding.cvssv3 = finding.cvssv3
+          //     tmpFinding.vulnType = finding.vulnType
+          //     tmpFinding.category = finding.category
+          //     audit.findings.push(tmpFinding)
+          // })
+          return AuditType.getByName(auditType);
+        }
+      })
+      .then(row => {
+        if (row) {
+          auditTypeSections = row.sections;
+          var auditTypeTemplate = row.templates.find(
+            e => e.locale === audit.language,
+          );
+          if (auditTypeTemplate) audit.template = auditTypeTemplate.template;
+          var Section = mongoose.model('CustomSection');
+          var CustomField = mongoose.model('CustomField');
+          var promises = [];
+          promises.push(Section.getAll());
+          promises.push(CustomField.getAll());
+          return Promise.all(promises);
+        } else throw { fn: 'NotFound', message: 'AuditType not found' };
+      })
+      .then(resolved => {
+        customSections = resolved[0];
+        customFields = resolved[1];
+
+        customSections.forEach(section => {
+          // Add sections with customFields (and default text) to audit
+          var tmpSection = {};
+          if (auditTypeSections.includes(section.field)) {
+            tmpSection.field = section.field;
+            tmpSection.name = section.name;
+            tmpSection.customFields = [];
+
+            customFields.forEach(field => {
+              field = field.toObject();
+              if (
+                field.display === 'section' &&
+                field.displaySub === tmpSection.name
+              ) {
+                var fieldText = field.text.find(
+                  e => e.locale === audit.language,
+                );
+                if (fieldText) fieldText = fieldText.value;
+                else fieldText = '';
+
+                delete field.text;
+                tmpSection.customFields.push({
+                  customField: field,
+                  text: fieldText,
+                });
+              }
+            });
+            audit.sections.push(tmpSection);
+          }
+        });
+
+        customFields.forEach(field => {
+          // Add customFields (and default text) to audit
+          field = field.toObject();
+          if (field.display === 'general') {
+            var fieldText = field.text.find(e => e.locale === audit.language);
+            if (fieldText) fieldText = fieldText.value;
+            else fieldText = '';
+
+            delete field.text;
+            audit.customFields.push({ customField: field, text: fieldText });
+          }
+        });
+
+        return new Audit(audit).save();
+      })
+      .then(rows => {
+        resolve(rows);
+      })
+      .catch(err => {
+        console.log(err);
+        if (err.name === 'ValidationError')
+          reject({ fn: 'BadParameters', message: 'Audit validation failed' });
+        else reject(err);
+      });
+  });
+};
+
+// Create audit
+AuditSchema.statics.create = (audit, userId) => {
+  return new Promise((resolve, reject) => {
+    audit.creator = userId;
+    audit.sections = [];
+    audit.customFields = [];
+
+    var auditTypeSections = [];
+    var customSections = [];
+    var customFields = [];
+    var AuditType = mongoose.model('AuditType');
+    AuditType.getByName(audit.auditType)
+      .then(row => {
+        if (row) {
+          auditTypeSections = row.sections;
+          var auditTypeTemplate = row.templates.find(
+            e => e.locale === audit.language,
+          );
+          if (auditTypeTemplate) audit.template = auditTypeTemplate.template;
+          var Section = mongoose.model('CustomSection');
+          var CustomField = mongoose.model('CustomField');
+          var promises = [];
+          promises.push(Section.getAll());
+          promises.push(CustomField.getAll());
+          return Promise.all(promises);
+        } else throw { fn: 'NotFound', message: 'AuditType not found' };
+      })
+      .then(resolved => {
+        customSections = resolved[0];
+        customFields = resolved[1];
+
+        customSections.forEach(section => {
+          // Add sections with customFields (and default text) to audit
+          var tmpSection = {};
+          if (auditTypeSections.includes(section.field)) {
+            tmpSection.field = section.field;
+            tmpSection.name = section.name;
+            tmpSection.customFields = [];
+
+            customFields.forEach(field => {
+              field = field.toObject();
+              if (
+                field.display === 'section' &&
+                field.displaySub === tmpSection.name
+              ) {
+                var fieldText = field.text.find(
+                  e => e.locale === audit.language,
+                );
+                if (fieldText) fieldText = fieldText.value;
+                else fieldText = '';
+
+                delete field.text;
+                tmpSection.customFields.push({
+                  customField: field,
+                  text: fieldText,
+                });
+              }
+            });
+            audit.sections.push(tmpSection);
+          }
+        });
+
+        customFields.forEach(field => {
+          // Add customFields (and default text) to audit
+          field = field.toObject();
+          if (field.display === 'general') {
+            var fieldText = field.text.find(e => e.locale === audit.language);
+            if (fieldText) fieldText = fieldText.value;
+            else fieldText = '';
+
+            delete field.text;
+            audit.customFields.push({ customField: field, text: fieldText });
+          }
+        });
+
+        var VulnerabilityCategory = mongoose.model('VulnerabilityCategory');
+        return VulnerabilityCategory.getAll();
+      })
+      .then(rows => {
+        // Add default sort options for each vulnerability category
+        audit.sortFindings = [];
+        rows.forEach(e => {
+          audit.sortFindings.push({
+            category: e.name,
+            sortValue: e.sortValue,
+            sortOrder: e.sortOrder,
+            sortAuto: e.sortAuto,
+          });
+        });
+
+        return new Audit(audit).save();
+      })
+      .then(rows => {
+        resolve(rows);
+      })
+      .catch(err => {
+        console.log(err);
+        if (err.name === 'ValidationError')
+          reject({ fn: 'BadParameters', message: 'Audit validation failed' });
+        else reject(err);
+      });
+  });
+};
+
+// Delete audit
+AuditSchema.statics.delete = (isAdmin, auditId, userId) => {
+  return new Promise((resolve, reject) => {
+    var query = Audit.findOneAndDelete({ _id: auditId });
+    if (!isAdmin) query.or([{ creator: userId }]);
+    return query
+      .exec()
+      .then(row => {
+        if (!row)
+          throw {
+            fn: 'NotFound',
+            message: 'Audit not found or Insufficient Privileges',
+          };
+
+        resolve(row);
+      })
+      .catch(err => {
+        reject(err);
+      });
+  });
+};
+
+// Get audit general information
+AuditSchema.statics.getGeneral = (isAdmin, auditId, userId) => {
+  return new Promise((resolve, reject) => {
+    var query = Audit.findById(auditId);
+    if (!isAdmin)
+      query.or([
+        { creator: userId },
+        { collaborators: userId },
+        { reviewers: userId },
+      ]);
+    query.populate({
+      path: 'client',
+      select: 'email firstname lastname',
+      populate: {
+        path: 'company',
+        select: 'name',
+      },
+    });
+    query.populate('creator', 'username firstname lastname');
+    query.populate('collaborators', 'username firstname lastname');
+    query.populate('reviewers', 'username firstname lastname');
+    query.populate('company');
+    query.select(
+      'name auditType date date_start date_end client collaborators language scope.name template customFields',
+    );
+    query
+      .lean()
+      .exec()
+      .then(row => {
+        if (!row)
+          throw {
+            fn: 'NotFound',
+            message: 'Audit not found or Insufficient Privileges',
+          };
+
+        var formatScope = row.scope.map(item => {
+          return item.name;
+        });
+        for (var i = 0; i < formatScope.length; i++) {
+          row.scope[i] = formatScope[i];
+        }
+        resolve(row);
+      })
+      .catch(err => {
+        reject(err);
+      });
+  });
+};
+
+// Update audit general information
+AuditSchema.statics.updateGeneral = (isAdmin, auditId, userId, update) => {
+  return new Promise(async (resolve, reject) => {
+    if (update.company && update.company.name) {
+      var Company = mongoose.model('Company');
+      try {
+        update.company = await Company.create({ name: update.company.name });
+      } catch (error) {
+        console.log(error);
+        delete update.company;
+      }
+    }
+    var query = Audit.findByIdAndUpdate(auditId, update);
+    if (!isAdmin) query.or([{ creator: userId }, { collaborators: userId }]);
+    query
+      .exec()
+      .then(row => {
+        if (!row)
+          throw {
+            fn: 'NotFound',
+            message: 'Audit not found or Insufficient Privileges',
+          };
+
+        resolve('Audit General updated successfully');
+      })
+      .catch(err => {
+        reject(err);
+      });
+  });
+};
+
+// Get audit Network information
+AuditSchema.statics.getNetwork = (isAdmin, auditId, userId) => {
+  return new Promise((resolve, reject) => {
+    var query = Audit.findById(auditId);
+    if (!isAdmin)
+      query.or([
+        { creator: userId },
+        { collaborators: userId },
+        { reviewers: userId },
+      ]);
+    query.select('scope');
+    query
+      .exec()
+      .then(row => {
+        if (!row)
+          throw {
+            fn: 'NotFound',
+            message: 'Audit not found or Insufficient Privileges',
+          };
+
+        resolve(row);
+      })
+      .catch(err => {
+        reject(err);
+      });
+  });
+};
+
+// Update audit Network information
+AuditSchema.statics.updateNetwork = (isAdmin, auditId, userId, scope) => {
+  return new Promise((resolve, reject) => {
+    var query = Audit.findByIdAndUpdate(auditId, scope);
+    if (!isAdmin) query.or([{ creator: userId }, { collaborators: userId }]);
+    query
+      .exec()
+      .then(row => {
+        if (!row)
+          throw {
+            fn: 'NotFound',
+            message: 'Audit not found or Insufficient Privileges',
+          };
+
+        resolve('Audit Network updated successfully');
+      })
+      .catch(err => {
+        reject(err);
+      });
+  });
+};
+
+// Create finding
+AuditSchema.statics.createFinding = (isAdmin, auditId, userId, finding) => {
+  return new Promise((resolve, reject) => {
+    Audit.getLastFindingIdentifier(auditId).then(identifier => {
+      finding.identifier = ++identifier;
+
+      var query = Audit.findByIdAndUpdate(auditId, {
+        $push: { findings: finding },
+      });
+      if (!isAdmin) query.or([{ creator: userId }, { collaborators: userId }]);
+      return query
+        .exec()
+        .then(row => {
+          if (!row)
+            throw {
+              fn: 'NotFound',
+              message: 'Audit not found or Insufficient Privileges',
+            };
+          else {
+            var sortOption = row.sortFindings.find(
+              e => e.category === (finding.category || 'No Category'),
+            );
+            if ((sortOption && sortOption.sortAuto) || !sortOption)
+              // if sort is set to automatic or undefined then we sort (default sort will be applied to undefined sortOption)
+              return Audit.updateSortFindings(isAdmin, auditId, userId, null);
+            // if manual sorting then we do not sort
+            else resolve('Audit Finding created succesfully');
+          }
+        })
+        .then(() => {
+          resolve('Audit Finding created successfully');
+        })
+        .catch(err => {
+          reject(err);
+        });
+    });
+  });
+};
+
+AuditSchema.statics.getLastFindingIdentifier = auditId => {
+  return new Promise((resolve, reject) => {
+    var query = Audit.aggregate([
+      { $match: { _id: new mongoose.Types.ObjectId(auditId) } },
+    ]);
+    query.unwind('findings');
+    query.sort({ 'findings.identifier': -1 });
+    query
+      .exec()
+      .then(row => {
+        if (!row) throw { fn: 'NotFound', message: 'Audit not found' };
+        else if (row.length === 0 || !row[0].findings.identifier) resolve(0);
+        else resolve(row[0].findings.identifier);
+      })
+      .catch(err => {
+        reject(err);
+      });
+  });
+};
+
+// Get finding of audit
+AuditSchema.statics.getFinding = (isAdmin, auditId, userId, findingId) => {
+  return new Promise((resolve, reject) => {
+    var query = Audit.findById(auditId);
+    if (!isAdmin)
+      query.or([
+        { creator: userId },
+        { collaborators: userId },
+        { reviewers: userId },
+      ]);
+    query.select('findings');
+    query
+      .exec()
+      .then(row => {
+        if (!row)
+          throw {
+            fn: 'NotFound',
+            message: 'Audit not found or Insufficient Privileges',
+          };
+
+        var finding = row.findings.id(findingId);
+        if (finding === null)
+          throw { fn: 'NotFound', message: 'Finding not found' };
+        else resolve(finding);
+      })
+      .catch(err => {
+        reject(err);
+      });
+  });
+};
+
+// Update finding of audit
+AuditSchema.statics.updateFinding = (
+  isAdmin,
+  auditId,
+  userId,
+  findingId,
+  newFinding,
+) => {
+  return new Promise((resolve, reject) => {
+    var sortAuto = true;
+
+    var query = Audit.findById(auditId);
+    if (!isAdmin) query.or([{ creator: userId }, { collaborators: userId }]);
+    query
+      .exec()
+      .then(row => {
+        if (!row)
+          throw {
+            fn: 'NotFound',
+            message: 'Audit not found or Insufficient Privileges',
+          };
+
+        var finding = row.findings.id(findingId);
+        if (finding === null)
+          reject({ fn: 'NotFound', message: 'Finding not found' });
+        else {
+          var sortOption = row.sortFindings.find(
+            e => e.category === (newFinding.category || 'No Category'),
+          );
+          if (sortOption && !sortOption.sortAuto) sortAuto = false;
+
+          Object.keys(newFinding).forEach(key => {
+            finding[key] = newFinding[key];
+          });
+          return row.save({ validateBeforeSave: false }); // Disable schema validation since scope changed from Array to String
+        }
+      })
+      .then(() => {
+        if (sortAuto)
+          return Audit.updateSortFindings(isAdmin, auditId, userId, null);
+        else resolve('Audit Finding updated successfully');
+      })
+      .then(() => {
+        resolve('Audit Finding updated successfully');
+      })
+      .catch(err => {
+        reject(err);
+      });
+  });
+};
+
+// Delete finding of audit
+AuditSchema.statics.deleteFinding = (isAdmin, auditId, userId, findingId) => {
+  return new Promise((resolve, reject) => {
+    var query = Audit.findById(auditId);
+    if (!isAdmin) query.or([{ creator: userId }, { collaborators: userId }]);
+    query.select('findings');
+    query
+      .exec()
+      .then(row => {
+        if (!row)
+          throw {
+            fn: 'NotFound',
+            message: 'Audit not found or Insufficient Privileges',
+          };
+
+        var finding = row.findings.id(findingId);
+        if (finding === null)
+          reject({ fn: 'NotFound', message: 'Finding not found' });
+        else {
+          row.findings.pull(findingId);
+          return row.save();
+        }
+      })
+      .then(() => {
+        resolve('Audit Finding deleted successfully');
+      })
+      .catch(err => {
+        reject(err);
+      });
+  });
+};
+
+// Create section
+AuditSchema.statics.createSection = (isAdmin, auditId, userId, section) => {
+  return new Promise((resolve, reject) => {
+    var query = Audit.findOneAndUpdate(
+      { _id: auditId, 'sections.field': { $ne: section.field } },
+      { $push: { sections: section } },
+    );
+    if (!isAdmin) query.or([{ creator: userId }, { collaborators: userId }]);
+    query
+      .exec()
+      .then(row => {
+        if (!row)
+          throw {
+            fn: 'NotFound',
+            message:
+              'Audit not found or Section already exists or Insufficient Privileges',
+          };
+
+        resolve('Audit Section created successfully');
+      })
+      .catch(err => {
+        reject(err);
+      });
+  });
+};
+
+// Get section of audit
+AuditSchema.statics.getSection = (isAdmin, auditId, userId, sectionId) => {
+  return new Promise((resolve, reject) => {
+    var query = Audit.findById(auditId);
+    if (!isAdmin)
+      query.or([
+        { creator: userId },
+        { collaborators: userId },
+        { reviewers: userId },
+      ]);
+
+    query.select('sections');
+    query
+      .exec()
+      .then(row => {
+        if (!row)
+          throw {
+            fn: 'NotFound',
+            message: 'Audit not found or Insufficient Privileges',
+          };
+
+        var section = row.sections.id(sectionId);
+        if (section === null)
+          throw { fn: 'NotFound', message: 'Section id not found' };
+        else resolve(section);
+      })
+      .catch(err => {
+        reject(err);
+      });
+  });
+};
+
+// Update section of audit
+AuditSchema.statics.updateSection = (
+  isAdmin,
+  auditId,
+  userId,
+  sectionId,
+  newSection,
+) => {
+  return new Promise((resolve, reject) => {
+    var query = Audit.findById(auditId);
+    if (!isAdmin) query.or([{ creator: userId }, { collaborators: userId }]);
+    query
+      .exec()
+      .then(row => {
+        if (!row)
+          throw {
+            fn: 'NotFound',
+            message: 'Audit not found or Insufficient Privileges',
+          };
+
+        var section = row.sections.id(sectionId);
+        if (section === null)
+          throw { fn: 'NotFound', message: 'Section not found' };
+        else {
+          Object.keys(newSection).forEach(key => {
+            section[key] = newSection[key];
+          });
+          return row.save();
+        }
+      })
+      .then(() => {
+        resolve('Audit Section updated successfully');
+      })
+      .catch(err => {
+        reject(err);
+      });
+  });
+};
+
+// Delete section of audit
+AuditSchema.statics.deleteSection = (isAdmin, auditId, userId, sectionId) => {
+  return new Promise((resolve, reject) => {
+    var query = Audit.findById(auditId);
+    if (!isAdmin) query.or([{ creator: userId }, { collaborators: userId }]);
+    query.select('sections');
+    query
+      .exec()
+      .then(row => {
+        if (!row)
+          throw {
+            fn: 'NotFound',
+            message: 'Audit not found or Insufficient Privileges',
+          };
+
+        var section = row.sections.id(sectionId);
+        if (section === null)
+          throw { fn: 'NotFound', message: 'Section not found' };
+        else {
+          row.sections.pull(sectionId);
+          return row.save();
+        }
+      })
+      .then(() => {
+        resolve('Audit Section deleted successfully');
+      })
+      .catch(err => {
+        reject(err);
+      });
+  });
+};
+
+// Update audit sort options for findings and run the sorting. If update param is null then just run sorting
+(AuditSchema.statics.updateSortFindings = (
+  isAdmin,
+  auditId,
+  userId,
+  update,
+) => {
+  return new Promise((resolve, reject) => {
+    var audit = {};
+    var query = Audit.findById(auditId);
+    if (!isAdmin) query.or([{ creator: userId }, { collaborators: userId }]);
+    query
+      .exec()
+      .then(row => {
+        if (!row)
+          throw {
+            fn: 'NotFound',
+            message: 'Audit not found or Insufficient Privileges',
+          };
+        else {
+          audit = row;
+          if (update)
+            // if update is null then we only sort findings (no sort options saving)
+            audit.sortFindings = update.sortFindings; // saving sort options to audit
+
+          var VulnerabilityCategory = mongoose.model('VulnerabilityCategory');
+          return VulnerabilityCategory.getAll();
+        }
+      })
+      .then(row => {
+        var _ = require('lodash');
+        var findings = [];
+        var categoriesOrder = row.map(e => e.name);
+        categoriesOrder.push('undefined'); // Put uncategorized findings at the end
+
+        // Group findings by category
+        var findingList = _.chain(audit.findings)
+          .groupBy('category')
+          .toPairs()
+          .sort(
+            (a, b) =>
+              categoriesOrder.indexOf(a[0]) - categoriesOrder.indexOf(b[0]),
+          )
+          .fromPairs()
+          .map((value, key) => {
+            if (key === 'undefined') key = 'No Category';
+            var sortOption = audit.sortFindings.find(
+              option => option.category === key,
+            ); // Get sort option saved in audit
+            if (!sortOption)
+              // no option for category in audit
+              sortOption = row.find(e => e.name === key); // Get sort option from default in vulnerability category
+            if (!sortOption)
+              // no default option or category don't exist
+              sortOption = {
+                sortValue: 'cvssScore',
+                sortOrder: 'desc',
+                sortAuto: true,
+              }; // set a default sort option
+
+            return { category: key, findings: value, sortOption: sortOption };
+          })
+          .value();
+
+        findingList.forEach(group => {
+          var order = -1; // desc
+          if (group.sortOption.sortOrder === 'asc') order = 1;
+
+          var tmpFindings = group.findings.sort((a, b) => {
+            var cvssA = CVSS31.calculateCVSSFromVector(a.cvssv3);
+            var cvssB = CVSS31.calculateCVSSFromVector(b.cvssv3);
+
+            // Get built-in value (findings[sortValue])
+            var left = a[group.sortOption.sortValue];
+
+            // If sort value is a CVSS Score calculate it
+            if (cvssA.success && group.sortOption.sortValue === 'cvssScore')
+              left = cvssA.baseMetricScore;
+            else if (
+              cvssA.success &&
+              group.sortOption.sortValue === 'cvssTemporalScore'
+            )
+              left = cvssA.temporalMetricScore;
+            else if (
+              cvssA.success &&
+              group.sortOption.sortValue === 'cvssEnvironmentalScore'
+            )
+              left = cvssA.environmentalMetricScore;
+
+            // Not found then get customField sortValue
+            if (!left) {
+              left = a.customFields.find(
+                e => e.customField.label === group.sortOption.sortValue,
+              );
+              if (left) left = left.text;
+            }
+            // Not found then set default to 0
+            if (!left) left = 0;
+            // Convert to string in case of int value
+            left = left.toString();
+
+            // Same for right value to compare
+            var right = b[group.sortOption.sortValue];
+
+            if (cvssB.success && group.sortOption.sortValue === 'cvssScore')
+              right = cvssB.baseMetricScore;
+            else if (
+              cvssB.success &&
+              group.sortOption.sortValue === 'cvssTemporalScore'
+            )
+              right = cvssB.temporalMetricScore;
+            else if (
+              cvssB.success &&
+              group.sortOption.sortValue === 'cvssEnvironmentalScore'
+            )
+              right = cvssB.environmentalMetricScore;
+
+            if (!right) {
+              right = b.customFields.find(
+                e => e.customField.label === group.sortOption.sortValue,
+              );
+              if (right) right = right.text;
+            }
+            if (!right) right = 0;
+            right = right.toString();
+            return (
+              left.localeCompare(right, undefined, { numeric: true }) * order
+            );
+          });
+
+          findings = findings.concat(tmpFindings);
+        });
+
+        audit.findings = findings;
+
+        return audit.save();
+      })
+      .then(() => {
+        resolve('Audit findings sorted successfully');
+      })
+      .catch(err => {
+        console.log(err);
+        reject(err);
+      });
+  });
+}),
+  // Move finding from move.oldIndex to move.newIndex
+  (AuditSchema.statics.moveFindingPosition = (
+    isAdmin,
+    auditId,
+    userId,
+    move,
+  ) => {
+    return new Promise((resolve, reject) => {
+      var query = Audit.findById(auditId);
+      if (!isAdmin) query.or([{ creator: userId }, { collaborators: userId }]);
+      query
+        .exec()
+        .then(row => {
+          if (!row)
+            throw {
+              fn: 'NotFound',
+              message: 'Audit not found or Insufficient Privileges',
+            };
+
+          var tmp = row.findings[move.oldIndex];
+          row.findings.splice(move.oldIndex, 1);
+          row.findings.splice(move.newIndex, 0, tmp);
+
+          row.markModified('findings');
+          return row.save();
+        })
+        .then(msg => {
+          resolve('Audit Finding moved successfully');
+        })
+        .catch(err => {
+          reject(err);
+        });
+    });
+  });
+
+AuditSchema.statics.updateApprovals = (isAdmin, auditId, userId, update) => {
+  return new Promise(async (resolve, reject) => {
+    var Settings = mongoose.model('Settings');
+    var settings = await Settings.getAll();
+
+    if (update.approvals.length >= settings.reviews.public.minReviewers) {
+      update.state = 'APPROVED';
+    } else {
+      update.state = 'REVIEW';
+    }
+
+    var query = Audit.findByIdAndUpdate(auditId, update);
+    query.nor([{ creator: userId }, { collaborators: userId }]);
+    if (!isAdmin) query.or([{ reviewers: userId }]);
+
+    query
+      .exec()
+      .then(row => {
+        if (!row)
+          throw {
+            fn: 'NotFound',
+            message: 'Audit not found or Insufficient Privileges',
+          };
+
+        resolve('Audit approvals updated successfully');
+      })
+      .catch(err => {
+        reject(err);
+      });
+  });
+};
+
+// Update audit parent
+AuditSchema.statics.updateParent = (isAdmin, auditId, userId, parentId) => {
+  return new Promise(async (resolve, reject) => {
+    var query = Audit.findByIdAndUpdate(auditId, { parentId: parentId });
+    if (!isAdmin) query.or([{ creator: userId }, { collaborators: userId }]);
+    query
+      .exec()
+      .then(row => {
+        if (!row)
+          throw {
+            fn: 'NotFound',
+            message: 'Audit not found or Insufficient Privileges',
+          };
+
+        resolve('Audit Parent updated successfully');
+      })
+      .catch(err => {
+        reject(err);
+      });
+  });
+};
+
+// Delete audit parent
+AuditSchema.statics.deleteParent = (isAdmin, auditId, userId) => {
+  return new Promise(async (resolve, reject) => {
+    var query = Audit.findByIdAndUpdate(auditId, { parentId: null });
+    if (!isAdmin) query.or([{ creator: userId }, { collaborators: userId }]);
+    query
+      .exec()
+      .then(row => {
+        if (!row)
+          throw {
+            fn: 'NotFound',
+            message: 'Audit not found or Insufficient Privileges',
+          };
+
+        resolve(row);
+      })
+      .catch(err => {
+        reject(err);
+      });
+  });
+};
+
+/*
+ *** Methods ***
+ */
+
+var Audit = mongoose.model('Audit', AuditSchema);
+// Audit.syncIndexes()
+module.exports = Audit;

backend/src/models/client.js

@@ -0,0 +1,128 @@
+var mongoose = require('mongoose');
+var Schema = mongoose.Schema;
+
+var ClientSchema = new Schema(
+  {
+    email: { type: String, required: true, unique: true },
+    company: { type: Schema.Types.ObjectId, ref: 'Company' },
+    lastname: String,
+    firstname: String,
+    phone: String,
+    cell: String,
+    title: String,
+  },
+  { timestamps: true },
+);
+
+/*
+ *** Statics ***
+ */
+
+// Get all clients
+ClientSchema.statics.getAll = () => {
+  return new Promise((resolve, reject) => {
+    var query = Client.find().populate('company', '-_id name');
+    query.select('email lastname firstname phone cell title');
+    query
+      .exec()
+      .then(rows => {
+        resolve(rows);
+      })
+      .catch(err => {
+        reject(err);
+      });
+  });
+};
+
+// Create client
+ClientSchema.statics.create = (client, company) => {
+  return new Promise(async (resolve, reject) => {
+    if (company) {
+      var Company = mongoose.model('Company');
+      var query = Company.findOneAndUpdate(
+        { name: company },
+        {},
+        { upsert: true, new: true },
+      );
+      var companyRow = await query.exec();
+      if (companyRow) client.company = companyRow._id;
+    }
+    var query = new Client(client);
+    query
+      .save(company)
+      .then(row => {
+        resolve({
+          _id: row._id,
+          email: row.email,
+          firstname: row.firstname,
+          lastname: row.lastname,
+          title: row.title,
+          phone: row.phone,
+          cell: row.cell,
+          company: row.company,
+        });
+      })
+      .catch(err => {
+        if (err.code === 11000)
+          reject({
+            fn: 'BadParameters',
+            message: 'Client email already exists',
+          });
+        else reject(err);
+      });
+  });
+};
+
+// Update client
+ClientSchema.statics.update = (clientId, client, company) => {
+  return new Promise(async (resolve, reject) => {
+    if (company) {
+      var Company = mongoose.model('Company');
+      var query = Company.findOneAndUpdate(
+        { name: company },
+        {},
+        { upsert: true, new: true },
+      );
+      var companyRow = await query.exec();
+      if (companyRow) client.company = companyRow.id;
+    }
+    var query = Client.findOneAndUpdate({ _id: clientId }, client);
+    query
+      .exec()
+      .then(rows => {
+        if (rows) resolve(rows);
+        else reject({ fn: 'NotFound', message: 'Client Id not found' });
+      })
+      .catch(err => {
+        if (err.code === 11000)
+          reject({
+            fn: 'BadParameters',
+            message: 'Client email already exists',
+          });
+        else reject(err);
+      });
+  });
+};
+
+// Delete client
+ClientSchema.statics.delete = clientId => {
+  return new Promise((resolve, reject) => {
+    var query = Client.findOneAndDelete({ _id: clientId });
+    query
+      .exec()
+      .then(rows => {
+        if (rows) resolve(rows);
+        else reject({ fn: 'NotFound', message: 'Client Id not found' });
+      })
+      .catch(err => {
+        reject(err);
+      });
+  });
+};
+
+/*
+ *** Methods ***
+ */
+
+var Client = mongoose.model('Client', ClientSchema);
+module.exports = Client;

backend/src/models/company.js

@@ -0,0 +1,95 @@
+var mongoose = require('mongoose');
+var Schema = mongoose.Schema;
+
+var CompanySchema = new Schema(
+  {
+    name: { type: String, required: true, unique: true },
+    shortName: String,
+    logo: String,
+  },
+  { timestamps: true },
+);
+
+/*
+ *** Statics ***
+ */
+
+// Get all companies
+CompanySchema.statics.getAll = () => {
+  return new Promise((resolve, reject) => {
+    var query = Company.find();
+    query.select('name shortName logo');
+    query
+      .exec()
+      .then(rows => {
+        resolve(rows);
+      })
+      .catch(err => {
+        reject(err);
+      });
+  });
+};
+
+// Create company
+CompanySchema.statics.create = company => {
+  return new Promise((resolve, reject) => {
+    var query = new Company(company);
+    query
+      .save(company)
+      .then(row => {
+        resolve({ _id: row._id, name: row.name });
+      })
+      .catch(err => {
+        if (err.code === 11000)
+          reject({
+            fn: 'BadParameters',
+            message: 'Company name already exists',
+          });
+        else reject(err);
+      });
+  });
+};
+
+// Update company
+CompanySchema.statics.update = (companyId, company) => {
+  return new Promise((resolve, reject) => {
+    var query = Company.findOneAndUpdate({ _id: companyId }, company);
+    query
+      .exec()
+      .then(rows => {
+        if (rows) resolve(rows);
+        else reject({ fn: 'NotFound', message: 'Company Id not found' });
+      })
+      .catch(err => {
+        if (err.code === 11000)
+          reject({
+            fn: 'BadParameters',
+            message: 'Company name already exists',
+          });
+        else reject(err);
+      });
+  });
+};
+
+// Delete company
+CompanySchema.statics.delete = companyId => {
+  return new Promise((resolve, reject) => {
+    var query = Company.findOneAndDelete({ _id: companyId });
+    query
+      .exec()
+      .then(rows => {
+        if (rows) resolve(rows);
+        else reject({ fn: 'NotFound', message: 'Company Id not found' });
+      })
+      .catch(err => {
+        reject(err);
+      });
+  });
+};
+
+/*
+ *** Methods ***
+ */
+
+var Company = mongoose.model('Company', CompanySchema);
+module.exports = Company;

backend/src/models/custom-field.js

@@ -0,0 +1,147 @@
+var mongoose = require('mongoose'); //.set('debug', true);
+var Schema = mongoose.Schema;
+
+var CustomFieldSchema = new Schema(
+  {
+    fieldType: String,
+    label: String,
+    display: String,
+    displaySub: { type: String, default: '' },
+    position: Number,
+    size: {
+      type: Number,
+      enum: [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12],
+      default: 12,
+    },
+    offset: {
+      type: Number,
+      enum: [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12],
+      default: 0,
+    },
+    required: { type: Boolean, default: false },
+    description: { type: String, default: '' },
+    text: [{ _id: false, locale: String, value: Schema.Types.Mixed }],
+    options: [{ _id: false, locale: String, value: String }],
+  },
+  { timestamps: true },
+);
+
+CustomFieldSchema.index(
+  { label: 1, display: 1, displaySub: 1 },
+  {
+    name: 'unique_label_display',
+    unique: true,
+    partialFilterExpression: { label: { $exists: true, $gt: '' } },
+  },
+);
+
+/*
+ *** Statics ***
+ */
+
+// Get all Fields
+CustomFieldSchema.statics.getAll = () => {
+  return new Promise((resolve, reject) => {
+    var query = CustomField.find().sort('position');
+    query.select(
+      'fieldType label display displaySub size offset required description text options',
+    );
+    query
+      .exec()
+      .then(rows => {
+        resolve(rows);
+      })
+      .catch(err => {
+        reject(err);
+      });
+  });
+};
+
+// Create Field
+CustomFieldSchema.statics.create = field => {
+  return new Promise((resolve, reject) => {
+    var query = new CustomField(field);
+    query
+      .save()
+      .then(row => {
+        resolve(row);
+      })
+      .catch(err => {
+        if (err.code === 11000)
+          reject({
+            fn: 'BadParameters',
+            message: 'Custom Field already exists',
+          });
+        else reject(err);
+      });
+  });
+};
+
+// Update Fields
+CustomFieldSchema.statics.updateAll = fields => {
+  return new Promise((resolve, reject) => {
+    var promises = fields.map(field => {
+      return CustomField.findByIdAndUpdate(field._id, field).exec();
+    });
+    return Promise.all(promises)
+      .then(row => {
+        resolve('Fields updated successfully');
+      })
+      .catch(err => {
+        reject(err);
+      });
+  });
+};
+
+// Delete Field
+CustomFieldSchema.statics.delete = fieldId => {
+  return new Promise((resolve, reject) => {
+    var pullCount = 0;
+    var Vulnerability = mongoose.model('Vulnerability');
+    var query = Vulnerability.find();
+    query
+      .exec()
+      .then(rows => {
+        var promises = [];
+        promises.push(CustomField.findByIdAndDelete(fieldId).exec());
+        rows.map(row => {
+          row.details.map(detail => {
+            if (
+              detail.customFields.some(
+                field => `${field.customField}` === fieldId,
+              )
+            )
+              pullCount++;
+
+            detail.customFields.pull({ customField: fieldId });
+          });
+          promises.push(row.save());
+        });
+        return Promise.all(promises);
+      })
+      .then(row => {
+        if (row && row[0])
+          resolve({
+            msg: `Custom Field deleted successfully`,
+            vulnCount: pullCount,
+          });
+        else
+          reject({
+            fn: 'NotFound',
+            message: { msg: 'Custom Field not found', vulnCount: pullCount },
+          });
+      })
+      .catch(err => {
+        console.log(err);
+        reject(err);
+      });
+  });
+};
+
+/*
+ *** Methods ***
+ */
+
+var CustomField = mongoose.model('CustomField', CustomFieldSchema);
+CustomField.syncIndexes();
+module.exports = CustomField;

backend/src/models/custom-section.js

@@ -0,0 +1,105 @@
+var mongoose = require('mongoose');
+var Schema = mongoose.Schema;
+
+var CustomSectionSchema = new Schema(
+  {
+    field: { type: String, required: true, unique: true },
+    name: { type: String, required: true, unique: true },
+    icon: String,
+  },
+  { timestamps: true },
+);
+
+/*
+ *** Statics ***
+ */
+
+// Get all Sections
+CustomSectionSchema.statics.getAll = () => {
+  return new Promise((resolve, reject) => {
+    var query = CustomSection.find();
+    query.select('-_id field name icon');
+    query
+      .exec()
+      .then(rows => {
+        resolve(rows);
+      })
+      .catch(err => {
+        reject(err);
+      });
+  });
+};
+
+// Get all Sections by Language
+CustomSectionSchema.statics.getAllByLanguage = locale => {
+  return new Promise((resolve, reject) => {
+    var query = CustomSection.find({ locale: locale });
+    query.select('-_id field name icon');
+    query
+      .exec()
+      .then(rows => {
+        resolve(rows);
+      })
+      .catch(err => {
+        reject(err);
+      });
+  });
+};
+
+// Create Section
+CustomSectionSchema.statics.create = section => {
+  return new Promise((resolve, reject) => {
+    var query = new CustomSection(section);
+    query
+      .save()
+      .then(row => {
+        resolve(row);
+      })
+      .catch(err => {
+        if (err.code === 11000)
+          reject({
+            fn: 'BadParameters',
+            message: 'Custom Section already exists',
+          });
+        else reject(err);
+      });
+  });
+};
+
+// Update Sections
+CustomSectionSchema.statics.updateAll = sections => {
+  return new Promise((resolve, reject) => {
+    CustomSection.deleteMany()
+      .then(row => {
+        CustomSection.insertMany(sections);
+      })
+      .then(row => {
+        resolve('Sections updated successfully');
+      })
+      .catch(err => {
+        reject(err);
+      });
+  });
+};
+
+// Delete Section
+CustomSectionSchema.statics.delete = (field, locale) => {
+  return new Promise((resolve, reject) => {
+    CustomSection.deleteOne({ field: field, locale: locale })
+      .then(res => {
+        if (res.deletedCount === 1) resolve('Custom Section deleted');
+        else reject({ fn: 'NotFound', message: 'Custom Section not found' });
+      })
+      .catch(err => {
+        reject(err);
+      });
+  });
+};
+
+/*
+ *** Methods ***
+ */
+
+var CustomSection = mongoose.model('CustomSection', CustomSectionSchema);
+CustomSection.syncIndexes();
+module.exports = CustomSection;

backend/src/models/image.js

@@ -0,0 +1,78 @@
+var mongoose = require('mongoose');
+var Schema = mongoose.Schema;
+
+var ImageSchema = new Schema(
+  {
+    auditId: { type: Schema.Types.ObjectId, ref: 'Audit' },
+    value: { type: String, required: true, unique: true },
+    name: String,
+  },
+  { timestamps: true },
+);
+
+/*
+ *** Statics ***
+ */
+
+// Get one image
+ImageSchema.statics.getOne = imageId => {
+  return new Promise((resolve, reject) => {
+    var query = Image.findById(imageId);
+
+    query.select('auditId value name');
+    query
+      .exec()
+      .then(row => {
+        if (row) resolve(row);
+        else throw { fn: 'NotFound', message: 'Image not found' };
+      })
+      .catch(err => {
+        reject(err);
+      });
+  });
+};
+
+// Create image
+ImageSchema.statics.create = image => {
+  return new Promise((resolve, reject) => {
+    var query = Image.findOne({ value: image.value });
+    query
+      .exec()
+      .then(row => {
+        if (row) return row;
+        query = new Image(image);
+        return query.save();
+      })
+      .then(row => {
+        resolve({ _id: row._id });
+      })
+      .catch(err => {
+        console.log(err);
+        reject(err);
+      });
+  });
+};
+
+// Delete image
+ImageSchema.statics.delete = imageId => {
+  return new Promise((resolve, reject) => {
+    var query = Image.findByIdAndDelete(imageId);
+    query
+      .exec()
+      .then(rows => {
+        if (rows) resolve(rows);
+        else reject({ fn: 'NotFound', message: 'Image not found' });
+      })
+      .catch(err => {
+        reject(err);
+      });
+  });
+};
+
+/*
+ *** Methods ***
+ */
+
+var Image = mongoose.model('Image', ImageSchema);
+Image.syncIndexes();
+module.exports = Image;

backend/src/models/language.js

@@ -0,0 +1,84 @@
+var mongoose = require('mongoose');
+var Schema = mongoose.Schema;
+
+var LanguageSchema = new Schema(
+  {
+    language: { type: String, unique: true },
+    locale: { type: String, unique: true },
+  },
+  { timestamps: true },
+);
+
+/*
+ *** Statics ***
+ */
+
+// Get all languages
+LanguageSchema.statics.getAll = () => {
+  return new Promise((resolve, reject) => {
+    var query = Language.find();
+    query.select('-_id language locale');
+    query
+      .exec()
+      .then(rows => {
+        resolve(rows);
+      })
+      .catch(err => {
+        reject(err);
+      });
+  });
+};
+
+// Create language
+LanguageSchema.statics.create = language => {
+  return new Promise((resolve, reject) => {
+    var query = new Language(language);
+    query
+      .save()
+      .then(row => {
+        resolve(row);
+      })
+      .catch(err => {
+        if (err.code === 11000)
+          reject({ fn: 'BadParameters', message: 'Language already exists' });
+        else reject(err);
+      });
+  });
+};
+
+// Update languages
+LanguageSchema.statics.updateAll = languages => {
+  return new Promise((resolve, reject) => {
+    Language.deleteMany()
+      .then(row => {
+        Language.insertMany(languages);
+      })
+      .then(row => {
+        resolve('Languages updated successfully');
+      })
+      .catch(err => {
+        reject(err);
+      });
+  });
+};
+
+// Delete language
+LanguageSchema.statics.delete = locale => {
+  return new Promise((resolve, reject) => {
+    Language.deleteOne({ locale: locale })
+      .then(res => {
+        if (res.deletedCount === 1) resolve('Language deleted');
+        else reject({ fn: 'NotFound', message: 'Language not found' });
+      })
+      .catch(err => {
+        reject(err);
+      });
+  });
+};
+
+/*
+ *** Methods ***
+ */
+
+var Language = mongoose.model('Language', LanguageSchema);
+module.exports = Language;

backend/src/models/settings.js

@@ -0,0 +1,188 @@
+var mongoose = require('mongoose'); //.set('debug', true);
+var Schema = mongoose.Schema;
+var _ = require('lodash');
+var Utils = require('../lib/utils.js');
+
+// https://stackoverflow.com/questions/25822289/what-is-the-best-way-to-store-color-hex-values-in-mongodb-mongoose
+const colorValidator = v => /^#([0-9a-f]{3}){1,2}$/i.test(v);
+
+const SettingSchema = new Schema(
+  {
+    report: {
+      enabled: { type: Boolean, default: true },
+      public: {
+        cvssColors: {
+          noneColor: {
+            type: String,
+            default: '#4a86e8',
+            validate: [colorValidator, 'Invalid color'],
+          },
+          lowColor: {
+            type: String,
+            default: '#008000',
+            validate: [colorValidator, 'Invalid color'],
+          },
+          mediumColor: {
+            type: String,
+            default: '#f9a009',
+            validate: [colorValidator, 'Invalid color'],
+          },
+          highColor: {
+            type: String,
+            default: '#fe0000',
+            validate: [colorValidator, 'Invalid color'],
+          },
+          criticalColor: {
+            type: String,
+            default: '#212121',
+            validate: [colorValidator, 'Invalid color'],
+          },
+        },
+        captions: {
+          type: [{ type: String, unique: true }],
+          default: ['Figure'],
+        },
+        highlightWarning: { type: Boolean, default: false },
+        highlightWarningColor: {
+          type: String,
+          default: '#ffff25',
+          validate: [colorValidator, 'Invalid color'],
+        },
+        requiredFields: {
+          company: { type: Boolean, default: false },
+          client: { type: Boolean, default: false },
+          dateStart: { type: Boolean, default: false },
+          dateEnd: { type: Boolean, default: false },
+          dateReport: { type: Boolean, default: false },
+          scope: { type: Boolean, default: false },
+          findingType: { type: Boolean, default: false },
+          findingDescription: { type: Boolean, default: false },
+          findingObservation: { type: Boolean, default: false },
+          findingReferences: { type: Boolean, default: false },
+          findingProofs: { type: Boolean, default: false },
+          findingAffected: { type: Boolean, default: false },
+          findingRemediationDifficulty: { type: Boolean, default: false },
+          findingPriority: { type: Boolean, default: false },
+          findingRemediation: { type: Boolean, default: false },
+        },
+      },
+      private: {
+        imageBorder: { type: Boolean, default: false },
+        imageBorderColor: {
+          type: String,
+          default: '#000000',
+          validate: [colorValidator, 'Invalid color'],
+        },
+      },
+    },
+    reviews: {
+      enabled: { type: Boolean, default: false },
+      public: {
+        mandatoryReview: { type: Boolean, default: false },
+        minReviewers: {
+          type: Number,
+          default: 1,
+          min: 1,
+          max: 100,
+          validate: [Number.isInteger, 'Invalid integer'],
+        },
+      },
+      private: {
+        removeApprovalsUponUpdate: { type: Boolean, default: false },
+      },
+    },
+  },
+  { strict: true },
+);
+
+// Get all settings
+SettingSchema.statics.getAll = () => {
+  return new Promise((resolve, reject) => {
+    const query = Settings.findOne({});
+    query.select('-_id -__v');
+    query
+      .exec()
+      .then(settings => {
+        resolve(settings);
+      })
+      .catch(err => reject(err));
+  });
+};
+
+// Get public settings
+SettingSchema.statics.getPublic = () => {
+  return new Promise((resolve, reject) => {
+    const query = Settings.findOne({});
+    query.select(
+      '-_id report.enabled report.public reviews.enabled reviews.public',
+    );
+    query
+      .exec()
+      .then(settings => resolve(settings))
+      .catch(err => reject(err));
+  });
+};
+
+// Update Settings
+SettingSchema.statics.update = settings => {
+  return new Promise((resolve, reject) => {
+    const query = Settings.findOneAndUpdate({}, settings, {
+      new: true,
+      runValidators: true,
+    });
+    query
+      .exec()
+      .then(settings => resolve(settings))
+      .catch(err => reject(err));
+  });
+};
+
+// Restore settings to default
+SettingSchema.statics.restoreDefaults = () => {
+  return new Promise((resolve, reject) => {
+    const query = Settings.deleteMany({});
+    query
+      .exec()
+      .then(_ => {
+        const query = new Settings({});
+        query
+          .save()
+          .then(_ => resolve('Restored default settings.'))
+          .catch(err => reject(err));
+      })
+      .catch(err => reject(err));
+  });
+};
+
+const Settings = mongoose.model('Settings', SettingSchema);
+
+// Populate/update settings when server starts
+Settings.findOne()
+  .then(liveSettings => {
+    if (!liveSettings) {
+      console.log('Initializing Settings');
+      Settings.create({}).catch(err => {
+        throw 'Error creating the settings in the database : ' + err;
+      });
+    } else {
+      var needUpdate = false;
+      var liveSettingsPaths = Utils.getObjectPaths(liveSettings.toObject());
+
+      liveSettingsPaths.forEach(path => {
+        if (!SettingSchema.path(path) && !path.startsWith('_')) {
+          needUpdate = true;
+          _.set(liveSettings, path, undefined);
+        }
+      });
+
+      if (needUpdate) {
+        console.log('Removing unused fields from Settings');
+        liveSettings.save();
+      }
+    }
+  })
+  .catch(err => {
+    throw 'Error checking for initial settings in the database : ' + err;
+  });
+
+module.exports = Settings;

backend/src/models/template.js

@@ -0,0 +1,110 @@
+var mongoose = require('mongoose');
+var Schema = mongoose.Schema;
+
+var TemplateSchema = new Schema(
+  {
+    name: { type: String, required: true, unique: true },
+    ext: { type: String, required: true, unique: false },
+  },
+  { timestamps: true },
+);
+
+/*
+ *** Statics ***
+ */
+
+// Get all templates
+TemplateSchema.statics.getAll = () => {
+  return new Promise((resolve, reject) => {
+    var query = Template.find();
+    query.select('name ext');
+    query
+      .exec()
+      .then(rows => {
+        resolve(rows);
+      })
+      .catch(err => {
+        reject(err);
+      });
+  });
+};
+
+// Get one template
+TemplateSchema.statics.getOne = templateId => {
+  return new Promise((resolve, reject) => {
+    var query = Template.findById(templateId);
+    query.select('name ext');
+    query
+      .exec()
+      .then(rows => {
+        resolve(rows);
+      })
+      .catch(err => {
+        reject(err);
+      });
+  });
+};
+
+// Create template
+TemplateSchema.statics.create = template => {
+  return new Promise((resolve, reject) => {
+    var query = new Template(template);
+    query
+      .save()
+      .then(row => {
+        resolve({ _id: row._id, name: row.name, ext: row.ext });
+      })
+      .catch(err => {
+        if (err.code === 11000)
+          reject({
+            fn: 'BadParameters',
+            message: 'Template name already exists',
+          });
+        else reject(err);
+      });
+  });
+};
+
+// Update template
+TemplateSchema.statics.update = (templateId, template) => {
+  return new Promise((resolve, reject) => {
+    var query = Template.findByIdAndUpdate(templateId, template);
+    query
+      .exec()
+      .then(rows => {
+        if (rows) resolve(rows);
+        else reject({ fn: 'NotFound', message: 'Template not found' });
+      })
+      .catch(err => {
+        if (err.code === 11000)
+          reject({
+            fn: 'BadParameters',
+            message: 'Template name already exists',
+          });
+        else reject(err);
+      });
+  });
+};
+
+// Delete template
+TemplateSchema.statics.delete = templateId => {
+  return new Promise((resolve, reject) => {
+    var query = Template.findByIdAndDelete(templateId);
+    query
+      .exec()
+      .then(rows => {
+        if (rows) resolve(rows);
+        else reject({ fn: 'NotFound', message: 'Template not found' });
+      })
+      .catch(err => {
+        reject(err);
+      });
+  });
+};
+
+/*
+ *** Methods ***
+ */
+
+var Template = mongoose.model('Template', TemplateSchema);
+module.exports = Template;

backend/src/models/user.js

@@ -0,0 +1,430 @@
+var mongoose = require('mongoose');
+var Schema = mongoose.Schema;
+var bcrypt = require('bcrypt');
+var jwt = require('jsonwebtoken');
+
+var auth = require('../lib/auth.js');
+const { generateUUID } = require('../lib/utils.js');
+var _ = require('lodash');
+
+var QRCode = require('qrcode');
+var OTPAuth = require('otpauth');
+
+var UserSchema = new Schema(
+  {
+    username: { type: String, unique: true, required: true },
+    password: { type: String, required: true },
+    firstname: { type: String, required: true },
+    lastname: { type: String, required: true },
+    email: { type: String, required: false },
+    phone: { type: String, required: false },
+    role: { type: String, default: 'user' },
+    totpEnabled: { type: Boolean, default: false },
+    totpSecret: { type: String, default: '' },
+    enabled: { type: Boolean, default: true },
+    refreshTokens: [
+      { _id: false, sessionId: String, userAgent: String, token: String },
+    ],
+  },
+  { timestamps: true },
+);
+
+var totpConfig = {
+  issuer: 'AuditForge',
+  label: '',
+  algorithm: 'SHA1',
+  digits: 6,
+  period: 30,
+  secret: '',
+};
+
+//check TOTP token
+var checkTotpToken = function (token, secret) {
+  if (!token) throw { fn: 'BadParameters', message: 'TOTP token required' };
+  if (token.length !== 6)
+    throw { fn: 'BadParameters', message: 'Invalid TOTP token length' };
+  if (!secret) throw { fn: 'BadParameters', message: 'TOTP secret required' };
+
+  let newConfig = totpConfig;
+  newConfig.secret = secret;
+  let totp = new OTPAuth.TOTP(newConfig);
+  let delta = totp.validate({
+    token: token,
+    window: 5,
+  });
+  //The token is valid in 2 windows in the past and the future, current window is 0.
+  if (delta === null) {
+    throw { fn: 'Unauthorized', message: 'Wrong TOTP token.' };
+  } else if (delta < -2 || delta > 2) {
+    throw { fn: 'Unauthorized', message: 'TOTP token out of window.' };
+  }
+  return true;
+};
+
+/*
+ *** Statics ***
+ */
+
+// Create user
+UserSchema.statics.create = function (user) {
+  return new Promise((resolve, reject) => {
+    var hash = bcrypt.hashSync(user.password, 10);
+    user.password = hash;
+    new User(user)
+      .save()
+      .then(function () {
+        resolve();
+      })
+      .catch(function (err) {
+        if (err.code === 11000)
+          reject({ fn: 'BadParameters', message: 'Username already exists' });
+        else reject(err);
+      });
+  });
+};
+
+// Get all users
+UserSchema.statics.getAll = function () {
+  return new Promise((resolve, reject) => {
+    var query = this.find();
+    query.select(
+      'username firstname lastname email phone role totpEnabled enabled',
+    );
+    query
+      .exec()
+      .then(function (rows) {
+        resolve(rows);
+      })
+      .catch(function (err) {
+        reject(err);
+      });
+  });
+};
+
+// Get one user by its username
+UserSchema.statics.getByUsername = function (username) {
+  return new Promise((resolve, reject) => {
+    var query = this.findOne({ username: username });
+    query.select(
+      'username firstname lastname email phone role totpEnabled enabled',
+    );
+    query
+      .exec()
+      .then(function (row) {
+        if (row) resolve(row);
+        else throw { fn: 'NotFound', message: 'User not found' };
+      })
+      .catch(function (err) {
+        reject(err);
+      });
+  });
+};
+
+// Update user with password verification (for updating my profile)
+UserSchema.statics.updateProfile = function (username, user) {
+  return new Promise((resolve, reject) => {
+    var query = this.findOne({ username: username });
+    var payload = {};
+    query
+      .exec()
+      .then(function (row) {
+        if (!row) throw { fn: 'NotFound', message: 'User not found' };
+        else if (bcrypt.compareSync(user.password, row.password)) {
+          if (user.username) row.username = user.username;
+          if (user.firstname) row.firstname = user.firstname;
+          if (user.lastname) row.lastname = user.lastname;
+          if (!_.isNil(user.email)) row.email = user.email;
+          if (!_.isNil(user.phone)) row.phone = user.phone;
+          if (user.newPassword)
+            row.password = bcrypt.hashSync(user.newPassword, 10);
+          if (typeof user.totpEnabled == 'boolean')
+            row.totpEnabled = user.totpEnabled;
+
+          payload.id = row._id;
+          payload.username = row.username;
+          payload.role = row.role;
+          payload.firstname = row.firstname;
+          payload.lastname = row.lastname;
+          payload.email = row.email;
+          payload.phone = row.phone;
+          payload.roles = auth.acl.getRoles(payload.role);
+
+          return row.save();
+        } else
+          throw { fn: 'Unauthorized', message: 'Current password is invalid' };
+      })
+      .then(function () {
+        var token = jwt.sign(payload, auth.jwtSecret, {
+          expiresIn: '15 minutes',
+        });
+        resolve({ token: `JWT ${token}` });
+      })
+      .catch(function (err) {
+        if (err.code === 11000)
+          reject({ fn: 'BadParameters', message: 'Username already exists' });
+        else reject(err);
+      });
+  });
+};
+
+// Update user (for admin usage)
+UserSchema.statics.updateUser = function (userId, user) {
+  return new Promise((resolve, reject) => {
+    if (user.password) user.password = bcrypt.hashSync(user.password, 10);
+    var query = this.findOneAndUpdate({ _id: userId }, user);
+    query
+      .exec()
+      .then(function (row) {
+        if (row) resolve('User updated successfully');
+        else reject({ fn: 'NotFound', message: 'User not found' });
+      })
+      .catch(function (err) {
+        if (err.code === 11000)
+          reject({ fn: 'BadParameters', message: 'Username already exists' });
+        else reject(err);
+      });
+  });
+};
+
+// Update refreshtoken
+UserSchema.statics.updateRefreshToken = function (refreshToken, userAgent) {
+  return new Promise((resolve, reject) => {
+    var token = '';
+    var newRefreshToken = '';
+    try {
+      var decoded = jwt.verify(refreshToken, auth.jwtRefreshSecret);
+      var userId = decoded.userId;
+      var sessionId = decoded.sessionId;
+      var expiration = decoded.exp;
+    } catch (err) {
+      if (err.name === 'TokenExpiredError')
+        throw { fn: 'Unauthorized', message: 'Expired refreshToken' };
+      else throw { fn: 'Unauthorized', message: 'Invalid refreshToken' };
+    }
+    var query = this.findById(userId);
+    query
+      .exec()
+      .then(row => {
+        if (row && row.enabled !== false) {
+          // Check session exist and sessionId not null (if null then it is a login)
+          if (sessionId !== null) {
+            var sessionExist = row.refreshTokens.findIndex(
+              e => e.sessionId === sessionId && e.token === refreshToken,
+            );
+            if (sessionExist === -1)
+              // Not found
+              throw { fn: 'Unauthorized', message: 'Session not found' };
+          }
+
+          // Generate new token
+          var payload = {};
+          payload.id = row._id;
+          payload.username = row.username;
+          payload.role = row.role;
+          payload.firstname = row.firstname;
+          payload.lastname = row.lastname;
+          payload.email = row.email;
+          payload.phone = row.phone;
+          payload.roles = auth.acl.getRoles(payload.role);
+
+          token = jwt.sign(payload, auth.jwtSecret, {
+            expiresIn: '15 minutes',
+          });
+
+          // Remove expired sessions
+          row.refreshTokens = row.refreshTokens.filter(e => {
+            try {
+              var decoded = jwt.verify(e.token, auth.jwtRefreshSecret);
+            } catch (err) {
+              var decoded = null;
+            }
+            return decoded !== null;
+          });
+          // Update or add new refresh token
+          var foundIndex = row.refreshTokens.findIndex(
+            e => e.sessionId === sessionId,
+          );
+          if (foundIndex === -1) {
+            // Not found
+            sessionId = generateUUID();
+            newRefreshToken = jwt.sign(
+              { sessionId: sessionId, userId: userId },
+              auth.jwtRefreshSecret,
+              { expiresIn: '7 days' },
+            );
+            row.refreshTokens.push({
+              sessionId: sessionId,
+              userAgent: userAgent,
+              token: newRefreshToken,
+            });
+          } else {
+            newRefreshToken = jwt.sign(
+              { sessionId: sessionId, userId: userId, exp: expiration },
+              auth.jwtRefreshSecret,
+            );
+            row.refreshTokens[foundIndex].token = newRefreshToken;
+          }
+          return row.save();
+        } else if (row) {
+          reject({ fn: 'Unauthorized', message: 'Account disabled' });
+        } else reject({ fn: 'NotFound', message: 'Session not found' });
+      })
+      .then(() => {
+        resolve({ token: token, refreshToken: newRefreshToken });
+      })
+      .catch(err => {
+        if (err.code === 11000)
+          reject({ fn: 'BadParameters', message: 'Username already exists' });
+        else reject(err);
+      });
+  });
+};
+
+// Remove session
+UserSchema.statics.removeSession = function (userId, sessionId) {
+  return new Promise((resolve, reject) => {
+    var query = this.findById(userId);
+    query
+      .exec()
+      .then(row => {
+        if (row) {
+          row.refreshTokens = row.refreshTokens.filter(
+            e => e.sessionId !== sessionId,
+          );
+          return row.save();
+        } else reject({ fn: 'NotFound', message: 'User not found' });
+      })
+      .then(() => {
+        resolve('Session removed successfully');
+      })
+      .catch(err => {
+        if (err.code === 11000)
+          reject({ fn: 'BadParameters', message: 'Username already exists' });
+        else reject(err);
+      });
+  });
+};
+
+// gen totp QRCode url
+UserSchema.statics.getTotpQrcode = function (username) {
+  return new Promise((resolve, reject) => {
+    let newConfig = totpConfig;
+    newConfig.label = username;
+    const secret = new OTPAuth.Secret({
+      size: 10,
+    }).base32;
+    newConfig.secret = secret;
+
+    let totp = new OTPAuth.TOTP(newConfig);
+    let totpUrl = totp.toString();
+
+    QRCode.toDataURL(totpUrl, function (err, url) {
+      resolve({
+        totpQrCode: url,
+        totpSecret: secret,
+      });
+    });
+  });
+};
+
+// verify TOTP and Setup enabled status and secret code
+UserSchema.statics.setupTotp = function (token, secret, username) {
+  return new Promise((resolve, reject) => {
+    checkTotpToken(token, secret);
+
+    var query = this.findOne({ username: username });
+    query
+      .exec()
+      .then(function (row) {
+        if (!row) throw { errmsg: 'User not found' };
+        else if (row.totpEnabled === true)
+          throw { errmsg: 'TOTP already enabled by this user' };
+        else {
+          row.totpEnabled = true;
+          row.totpSecret = secret;
+          return row.save();
+        }
+      })
+      .then(function () {
+        resolve({ msg: true });
+      })
+      .catch(function (err) {
+        reject(err);
+      });
+  });
+};
+
+// verify TOTP and Cancel enabled status and secret code
+UserSchema.statics.cancelTotp = function (token, username) {
+  return new Promise((resolve, reject) => {
+    var query = this.findOne({ username: username });
+    query
+      .exec()
+      .then(function (row) {
+        if (!row) throw { errmsg: 'User not found' };
+        else if (row.totpEnabled !== true)
+          throw { errmsg: 'TOTP is not enabled yet' };
+        else {
+          checkTotpToken(token, row.totpSecret);
+          row.totpEnabled = false;
+          row.totpSecret = '';
+          return row.save();
+        }
+      })
+      .then(function () {
+        resolve({ msg: 'TOTP is canceled.' });
+      })
+      .catch(function (err) {
+        reject(err);
+      });
+  });
+};
+
+/*
+ *** Methods ***
+ */
+
+// Authenticate user with username and password, return JWT token
+UserSchema.methods.getToken = function (userAgent) {
+  return new Promise((resolve, reject) => {
+    var user = this;
+    var query = User.findOne({ username: user.username });
+    query
+      .exec()
+      .then(function (row) {
+        if (row && row.enabled === false)
+          throw { fn: 'Unauthorized', message: 'Authentication Failed.' };
+
+        if (row && bcrypt.compareSync(user.password, row.password)) {
+          if (row.totpEnabled && user.totpToken)
+            checkTotpToken(user.totpToken, row.totpSecret);
+          else if (row.totpEnabled)
+            throw { fn: 'BadParameters', message: 'Missing TOTP token' };
+          var refreshToken = jwt.sign(
+            { sessionId: null, userId: row._id },
+            auth.jwtRefreshSecret,
+          );
+          return User.updateRefreshToken(refreshToken, userAgent);
+        } else {
+          if (!row) {
+            // We compare two random strings to generate delay
+            var randomHash =
+              '$2b$10$' +
+              [...Array(53)].map(() => Math.random().toString(36)[2]).join('');
+            bcrypt.compareSync(user.password, randomHash);
+          }
+
+          throw { fn: 'Unauthorized', message: 'Authentication Failed.' };
+        }
+      })
+      .then(row => {
+        resolve({ token: row.token, refreshToken: row.refreshToken });
+      })
+      .catch(function (err) {
+        reject(err);
+      });
+  });
+};
+
+var User = mongoose.model('User', UserSchema);
+module.exports = User;

backend/src/models/vulnerability-category.js

@@ -0,0 +1,124 @@
+var mongoose = require('mongoose');
+var Schema = mongoose.Schema;
+
+var VulnerabilityCategorySchema = new Schema(
+  {
+    name: { type: String, unique: true },
+    sortValue: { type: String, default: 'cvssScore' },
+    sortOrder: { type: String, enum: ['desc', 'asc'], default: 'desc' },
+    sortAuto: { type: Boolean, default: true },
+  },
+  { timestamps: true },
+);
+
+/*
+ *** Statics ***
+ */
+
+// Get all vulnerabilityCategorys
+VulnerabilityCategorySchema.statics.getAll = () => {
+  return new Promise((resolve, reject) => {
+    var query = VulnerabilityCategory.find();
+    query.select('name sortValue sortOrder sortAuto');
+    query
+      .exec()
+      .then(rows => {
+        resolve(rows);
+      })
+      .catch(err => {
+        reject(err);
+      });
+  });
+};
+
+// Create vulnerabilityCategory
+VulnerabilityCategorySchema.statics.create = vulnerabilityCategory => {
+  return new Promise((resolve, reject) => {
+    var query = new VulnerabilityCategory(vulnerabilityCategory);
+    query
+      .save()
+      .then(row => {
+        resolve(row);
+      })
+      .catch(err => {
+        if (err.code === 11000)
+          reject({
+            fn: 'BadParameters',
+            message: 'Vulnerability Category name already exists',
+          });
+        else reject(err);
+      });
+  });
+};
+
+// Update vulnerabilityCategory
+VulnerabilityCategorySchema.statics.update = (name, vulnerabilityCategory) => {
+  return new Promise((resolve, reject) => {
+    var query = VulnerabilityCategory.findOneAndUpdate(
+      { name: name },
+      vulnerabilityCategory,
+    );
+    query
+      .exec()
+      .then(row => {
+        if (row) resolve(row);
+        else
+          reject({
+            fn: 'NotFound',
+            message: 'Vulnerability category not found',
+          });
+      })
+      .catch(err => {
+        if (err.code === 11000)
+          reject({
+            fn: 'BadParameters',
+            message: 'Vulnerability Category already exists',
+          });
+        else reject(err);
+      });
+  });
+};
+
+// Update vulnerability Categories
+VulnerabilityCategorySchema.statics.updateAll = vulnCategories => {
+  return new Promise((resolve, reject) => {
+    VulnerabilityCategory.deleteMany()
+      .then(row => {
+        VulnerabilityCategory.insertMany(vulnCategories);
+      })
+      .then(row => {
+        resolve('Vulnerability Categories updated successfully');
+      })
+      .catch(err => {
+        reject(err);
+      });
+  });
+};
+
+// Delete vulnerabilityCategory
+VulnerabilityCategorySchema.statics.delete = name => {
+  return new Promise((resolve, reject) => {
+    VulnerabilityCategory.deleteOne({ name: name })
+      .then(res => {
+        if (res.deletedCount === 1) resolve('Vulnerability Category deleted');
+        else
+          reject({
+            fn: 'NotFound',
+            message: 'Vulnerability Category not found',
+          });
+      })
+      .catch(err => {
+        reject(err);
+      });
+  });
+};
+
+/*
+ *** Methods ***
+ */
+
+var VulnerabilityCategory = mongoose.model(
+  'VulnerabilityCategory',
+  VulnerabilityCategorySchema,
+);
+module.exports = VulnerabilityCategory;

backend/src/models/vulnerability-type.js

@@ -0,0 +1,96 @@
+var mongoose = require('mongoose');
+var Schema = mongoose.Schema;
+
+var VulnerabilityTypeSchema = new Schema(
+  {
+    name: String,
+    locale: String,
+  },
+  { timestamps: true },
+);
+
+VulnerabilityTypeSchema.index(
+  { name: 1, locale: 1 },
+  { name: 'unique_name_locale', unique: true },
+);
+
+/*
+ *** Statics ***
+ */
+
+// Get all vulnerabilityTypes
+VulnerabilityTypeSchema.statics.getAll = () => {
+  return new Promise((resolve, reject) => {
+    var query = VulnerabilityType.find();
+    query.select('-_id name locale');
+    query
+      .exec()
+      .then(rows => {
+        resolve(rows);
+      })
+      .catch(err => {
+        reject(err);
+      });
+  });
+};
+
+// Create vulnerabilityType
+VulnerabilityTypeSchema.statics.create = vulnerabilityType => {
+  return new Promise((resolve, reject) => {
+    var query = new VulnerabilityType(vulnerabilityType);
+    query
+      .save()
+      .then(row => {
+        resolve(row);
+      })
+      .catch(err => {
+        if (err.code === 11000)
+          reject({
+            fn: 'BadParameters',
+            message: 'Vulnerability Type already exists',
+          });
+        else reject(err);
+      });
+  });
+};
+
+// Update vulnerability Types
+VulnerabilityTypeSchema.statics.updateAll = vulnerabilityTypes => {
+  return new Promise((resolve, reject) => {
+    VulnerabilityType.deleteMany()
+      .then(row => {
+        VulnerabilityType.insertMany(vulnerabilityTypes);
+      })
+      .then(row => {
+        resolve('Vulnerability Types updated successfully');
+      })
+      .catch(err => {
+        reject(err);
+      });
+  });
+};
+
+// Delete vulnerabilityType
+VulnerabilityTypeSchema.statics.delete = name => {
+  return new Promise((resolve, reject) => {
+    VulnerabilityType.deleteOne({ name: name })
+      .then(res => {
+        if (res.deletedCount === 1) resolve('Vulnerability Type deleted');
+        else
+          reject({ fn: 'NotFound', message: 'Vulnerability Type not found' });
+      })
+      .catch(err => {
+        reject(err);
+      });
+  });
+};
+
+/*
+ *** Methods ***
+ */
+
+var VulnerabilityType = mongoose.model(
+  'VulnerabilityType',
+  VulnerabilityTypeSchema,
+);
+module.exports = VulnerabilityType;

backend/src/models/vulnerability-update.js

@@ -0,0 +1,190 @@
+var mongoose = require('mongoose');
+var _ = require('lodash');
+
+var Schema = mongoose.Schema;
+
+var customField = {
+  _id: false,
+  customField: { type: Schema.Types.ObjectId, ref: 'CustomField' },
+  text: Schema.Types.Mixed,
+};
+
+var VulnerabilityUpdateSchema = new Schema(
+  {
+    vulnerability: {
+      type: Schema.Types.ObjectId,
+      ref: 'Vulnerability',
+      required: true,
+    },
+    creator: { type: Schema.Types.ObjectId, ref: 'User', required: true },
+    cvssv3: String,
+    priority: { type: Number, enum: [1, 2, 3, 4] },
+    remediationComplexity: { type: Number, enum: [1, 2, 3] },
+    references: [String],
+    locale: String,
+    title: String,
+    vulnType: String,
+    description: String,
+    observation: String,
+    remediation: String,
+    category: String,
+    customFields: [customField],
+  },
+  { timestamps: true },
+);
+
+/*
+ *** Statics ***
+ */
+
+// Get all vulnerabilities
+VulnerabilityUpdateSchema.statics.getAll = () => {
+  return new Promise((resolve, reject) => {
+    var query = VulnerabilityUpdate.find();
+    query
+      .exec()
+      .then(rows => {
+        resolve(rows);
+      })
+      .catch(err => {
+        reject(err);
+      });
+  });
+};
+
+// Get all updates of vulnerability
+VulnerabilityUpdateSchema.statics.getAllByVuln = vulnId => {
+  return new Promise((resolve, reject) => {
+    var query = VulnerabilityUpdate.find({ vulnerability: vulnId });
+    query.populate('creator', '-_id username');
+    query.populate('customFields.customField', 'fieldType label');
+    query
+      .exec()
+      .then(rows => {
+        resolve(rows);
+      })
+      .catch(err => {
+        reject(err);
+      });
+  });
+};
+
+// Create vulnerability
+VulnerabilityUpdateSchema.statics.create = (username, vulnerability) => {
+  return new Promise((resolve, reject) => {
+    var created = true;
+    var User = mongoose.model('User');
+    var creator = '';
+    var Vulnerability = mongoose.model('Vulnerability');
+    var query = User.findOne({ username: username });
+    query
+      .exec()
+      .then(row => {
+        if (row) {
+          creator = row._id;
+          var query = Vulnerability.findOne({
+            'details.title': vulnerability.title,
+          });
+          return query.exec();
+        } else throw { fn: 'NotFound', message: 'User not found' };
+      })
+      .then(row => {
+        if (row) {
+          if (row.status === 1)
+            throw {
+              fn: 'Forbidden',
+              message: 'Vulnerability not approved yet',
+            };
+          else {
+            // Check if there are any changes from the original vulnerability
+            var detail = row.details.find(
+              d => d.locale === vulnerability.locale,
+            );
+            // console.log(vulnerability.customFields)
+            // console.log(detail.customFields)
+            if (
+              typeof detail !== 'undefined' &&
+              (row.cvssv3 || '').includes(vulnerability.cvssv3) &&
+              vulnerability.priority === (row.priority || null) &&
+              vulnerability.remediationComplexity ===
+                (row.remediationComplexity || null) &&
+              _.isEqual(vulnerability.references, detail.references || []) &&
+              vulnerability.category === (row.category || null) &&
+              vulnerability.vulnType === (detail.vulnType || null) &&
+              vulnerability.description === (detail.description || null) &&
+              vulnerability.observation === (detail.observation || null) &&
+              vulnerability.remediation === (detail.remediation || null) &&
+              vulnerability.customFields.length ===
+                detail.customFields.length &&
+              vulnerability.customFields.every((e, idx) => {
+                return (
+                  e.customField._id == detail.customFields[idx].customField &&
+                  e.text === detail.customFields[idx].text
+                );
+              })
+            ) {
+              throw {
+                fn: 'BadParameters',
+                message: 'No changes from the original vulnerability',
+              };
+            }
+            vulnerability.vulnerability = row._id;
+            vulnerability.creator = creator;
+            var query = new VulnerabilityUpdate(vulnerability);
+            created = false;
+            return query.save();
+          }
+        } else {
+          var vuln = {};
+          vuln.cvssv3 = vulnerability.cvssv3 || null;
+          vuln.priority = vulnerability.priority || null;
+          vuln.remediationComplexity =
+            vulnerability.remediationComplexity || null;
+          vuln.category = vulnerability.category || null;
+          vuln.creator = creator;
+          var details = {};
+          details.locale = vulnerability.locale || null;
+          details.title = vulnerability.title || null;
+          details.vulnType = vulnerability.vulnType || null;
+          details.description = vulnerability.description || null;
+          details.observation = vulnerability.observation || null;
+          details.remediation = vulnerability.remediation || null;
+          details.references = vulnerability.references || null;
+          details.customFields = vulnerability.customFields || [];
+          vuln.details = [details];
+          var query = new Vulnerability(vuln);
+          return query.save();
+        }
+      })
+      .then(row => {
+        if (created) resolve('Finding created as new Vulnerability');
+        else {
+          var query = Vulnerability.findOneAndUpdate(
+            { 'details.title': vulnerability.title },
+            { status: 2 },
+          );
+          return query.exec();
+        }
+      })
+      .then(row => {
+        resolve('Update proposed for existing vulnerability');
+      })
+      .catch(err => {
+        reject(err);
+      });
+  });
+};
+
+VulnerabilityUpdateSchema.statics.deleteAllByVuln = async vulnId => {
+  return await VulnerabilityUpdate.deleteMany({ vulnerability: vulnId });
+};
+
+/*
+ *** Methods ***
+ */
+
+var VulnerabilityUpdate = mongoose.model(
+  'VulnerabilityUpdate',
+  VulnerabilityUpdateSchema,
+);
+module.exports = VulnerabilityUpdate;

backend/src/models/vulnerability.js

@@ -0,0 +1,272 @@
+var mongoose = require('mongoose');
+var Schema = mongoose.Schema;
+
+var customField = {
+  _id: false,
+  customField: { type: Schema.Types.ObjectId, ref: 'CustomField' },
+  text: Schema.Types.Mixed,
+};
+
+var VulnerabilityDetails = {
+  _id: false,
+  locale: String,
+  // language:       String,
+  title: { type: String, unique: true, sparse: true },
+  vulnType: String,
+  description: String,
+  observation: String,
+  remediation: String,
+  cwes: [String],
+  references: [String],
+  customFields: [customField],
+};
+
+var VulnerabilitySchema = new Schema(
+  {
+    cvssv3: String,
+    priority: { type: Number, enum: [1, 2, 3, 4] },
+    remediationComplexity: { type: Number, enum: [1, 2, 3] },
+    details: [VulnerabilityDetails],
+    status: { type: Number, enum: [0, 1, 2], default: 1 }, // 0: validated, 1: created, 2: updated,
+    category: String,
+    creator: { type: Schema.Types.ObjectId, ref: 'User' },
+  },
+  { timestamps: true },
+);
+
+/*
+ *** Statics ***
+ */
+
+// Get all vulnerabilities
+VulnerabilitySchema.statics.getAll = () => {
+  return new Promise((resolve, reject) => {
+    var query = Vulnerability.find();
+    query.populate('creator', '-_id username');
+    query
+      .exec()
+      .then(rows => {
+        resolve(rows);
+      })
+      .catch(err => {
+        reject(err);
+      });
+  });
+};
+
+// Get all vulnerabilities for download
+VulnerabilitySchema.statics.export = () => {
+  return new Promise((resolve, reject) => {
+    var query = Vulnerability.find();
+    query.select(
+      'details cvssv3 priority remediationComplexity cwes references category -_id',
+    );
+    query
+      .exec()
+      .then(rows => {
+        resolve(rows);
+      })
+      .catch(err => {
+        reject(err);
+      });
+  });
+};
+
+// Create vulnerability
+VulnerabilitySchema.statics.create = vulnerabilities => {
+  return new Promise((resolve, reject) => {
+    Vulnerability.insertMany(vulnerabilities, { ordered: false })
+      .then(rows => {
+        resolve({ created: rows.length, duplicates: 0 });
+      })
+      .catch(err => {
+        if (err.code === 11000) {
+          if (err.result.nInserted === 0)
+            reject({
+              fn: 'BadParameters',
+              message: 'Vulnerability title already exists',
+            });
+          else {
+            var errorMessages = [];
+            err.writeErrors.forEach(e =>
+              errorMessages.push(e.errmsg || 'no errmsg'),
+            );
+            resolve({
+              created: err.result.nInserted,
+              duplicates: errorMessages,
+            });
+          }
+        } else reject(err);
+      });
+  });
+};
+
+// Update vulnerability
+VulnerabilitySchema.statics.update = (vulnerabilityId, vulnerability) => {
+  return new Promise((resolve, reject) => {
+    var VulnerabilityUpdate = mongoose.model('VulnerabilityUpdate');
+    var query = Vulnerability.findByIdAndUpdate(vulnerabilityId, vulnerability);
+    query
+      .exec()
+      .then(row => {
+        if (!row)
+          reject({ fn: 'NotFound', message: 'Vulnerability not found' });
+        else {
+          var query = VulnerabilityUpdate.deleteMany({
+            vulnerability: vulnerabilityId,
+          });
+          return query.exec();
+        }
+      })
+      .then(row => {
+        resolve('Vulnerability updated successfully');
+      })
+      .catch(err => {
+        if (err.code === 11000)
+          reject({
+            fn: 'BadParameters',
+            message: 'Vulnerability title already exists',
+          });
+        else reject(err);
+      });
+  });
+};
+
+// Delete all vulnerabilities
+VulnerabilitySchema.statics.deleteAll = () => {
+  return new Promise((resolve, reject) => {
+    var query = Vulnerability.deleteMany();
+    query
+      .exec()
+      .then(() => {
+        resolve('All vulnerabilities deleted successfully');
+      })
+      .catch(err => {
+        reject(err);
+      });
+  });
+};
+
+// Delete vulnerability
+VulnerabilitySchema.statics.delete = vulnerabilityId => {
+  return new Promise((resolve, reject) => {
+    var query = Vulnerability.findByIdAndDelete(vulnerabilityId);
+    query
+      .exec()
+      .then(rows => {
+        if (rows) resolve(rows);
+        else reject({ fn: 'NotFound', message: 'Vulnerability not found' });
+      })
+      .catch(err => {
+        reject(err);
+      });
+  });
+};
+
+// Get vulnerabilities by language
+VulnerabilitySchema.statics.getAllByLanguage = locale => {
+  return new Promise((resolve, reject) => {
+    var query = Vulnerability.find({ 'details.locale': locale });
+    query.select('details cvssv3 priority remediationComplexity category');
+    query
+      .exec()
+      .then(rows => {
+        if (rows) {
+          var result = [];
+          rows.forEach(row => {
+            row.details.forEach(detail => {
+              if (detail.locale === locale && detail.title) {
+                var temp = {};
+                temp.cvssv3 = row.cvssv3;
+                temp.priority = row.priority;
+                temp.remediationComplexity = row.remediationComplexity;
+                temp.category = row.category;
+                temp.detail = detail;
+                temp._id = row._id;
+                result.push(temp);
+              }
+            });
+          });
+          resolve(result);
+        } else
+          reject({
+            fn: 'NotFound',
+            message: 'Locale with existing title not found',
+          });
+      })
+      .catch(err => {
+        reject(err);
+      });
+  });
+};
+
+VulnerabilitySchema.statics.Merge = (vulnIdPrime, vulnIdMerge, locale) => {
+  return new Promise((resolve, reject) => {
+    var mergeDetail = null;
+    var mergeVuln = null;
+    var primeVuln = null;
+    var query = Vulnerability.findById(vulnIdMerge);
+    query
+      .exec()
+      .then(row => {
+        if (!row)
+          reject({ fn: 'NotFound', message: 'Vulnerability not found' });
+        else {
+          mergeVuln = row;
+          mergeDetail = row.details.find(d => d.locale === locale);
+          var query = Vulnerability.findById(vulnIdPrime);
+          return query.exec();
+        }
+      })
+      .then(row => {
+        if (!row)
+          reject({ fn: 'NotFound', message: 'Vulnerability not found' });
+        else {
+          if (row.details.findIndex(d => d.locale === locale && d.title) !== -1)
+            reject({
+              fn: 'BadParameters',
+              message: 'Language already exists in this vulnerability',
+            });
+          else {
+            primeVuln = row;
+            var removeIndex = mergeVuln.details
+              .map(d => d.title)
+              .indexOf(mergeDetail.title);
+            mergeVuln.details.splice(removeIndex, 1);
+            if (mergeVuln.details.length === 0)
+              return Vulnerability.findByIdAndDelete(mergeVuln._id);
+            else return mergeVuln.save();
+          }
+        }
+      })
+      .then(() => {
+        var detail = {};
+        detail.locale = mergeDetail.locale;
+        detail.title = mergeDetail.title;
+        if (mergeDetail.vulnType) detail.vulnType = mergeDetail.vulnType;
+        if (mergeDetail.description)
+          detail.description = mergeDetail.description;
+        if (mergeDetail.observation)
+          detail.observation = mergeDetail.observation;
+        if (mergeDetail.remediation)
+          detail.remediation = mergeDetail.remediation;
+        if (mergeDetail.customFields)
+          detail.customFields = mergeDetail.customFields;
+        primeVuln.details.push(detail);
+        return primeVuln.save();
+      })
+      .then(() => {
+        resolve('Vulnerability merge successfull');
+      })
+      .catch(err => {
+        reject(err);
+      });
+  });
+};
+
+/*
+ *** Methods ***
+ */
+
+var Vulnerability = mongoose.model('Vulnerability', VulnerabilitySchema);
+module.exports = Vulnerability;

backend/src/routes/audit.js

@@ -0,0 +1,1168 @@
+module.exports = function (app, io) {
+  var Response = require('../lib/httpResponse');
+  var Audit = require('mongoose').model('Audit');
+  var acl = require('../lib/auth').acl;
+  var reportGenerator = require('../lib/report-generator');
+  var _ = require('lodash');
+  var utils = require('../lib/utils');
+  var Settings = require('mongoose').model('Settings');
+
+  /* ### AUDITS LIST ### */
+
+  // Get audits list of user (all for admin) with regex filter on findings
+  app.get('/api/audits', acl.hasPermission('audits:read'), function (req, res) {
+    var getUsersRoom = function (room) {
+      return utils.getSockets(io, room).map(s => s.username);
+    };
+    var filters = {};
+    if (req.query.findingTitle)
+      filters['findings.title'] = new RegExp(
+        utils.escapeRegex(req.query.findingTitle),
+        'i',
+      );
+    if (req.query.type && req.query.type === 'default')
+      filters.$or = [{ type: 'default' }, { type: { $exists: false } }];
+    if (req.query.type && ['multi', 'retest'].includes(req.query.type))
+      filters.type = req.query.type;
+
+    Audit.getAudits(
+      acl.isAllowed(req.decodedToken.role, 'audits:read-all'),
+      req.decodedToken.id,
+      filters,
+    )
+      .then(msg => {
+        var result = [];
+        msg.forEach(audit => {
+          var a = {};
+          a._id = audit._id;
+          a.name = audit.name;
+          a.language = audit.language;
+          a.auditType = audit.auditType;
+          a.creator = audit.creator;
+          a.collaborators = audit.collaborators;
+          a.company = audit.company;
+          a.createdAt = audit.createdAt;
+          a.ext =
+            !!audit.template && !!audit.template.ext
+              ? audit.template.ext
+              : 'Template error';
+          a.reviewers = audit.reviewers;
+          a.approvals = audit.approvals;
+          a.state = audit.state;
+          a.type = audit.type;
+          a.parentId = audit.parentId;
+          if (acl.isAllowed(req.decodedToken.role, 'audits:users-connected')) {
+            a.connected = getUsersRoom(audit._id.toString());
+          }
+          result.push(a);
+        });
+        Response.Ok(res, result);
+      })
+      .catch(err => Response.Internal(res, err));
+  });
+
+  // Create audit (default or multi) with name, auditType, language provided
+  // parentId can be set only if type is default
+  app.post(
+    '/api/audits',
+    acl.hasPermission('audits:create'),
+    function (req, res) {
+      if (!req.body.name || !req.body.language || !req.body.auditType) {
+        Response.BadParameters(
+          res,
+          'Missing some required parameters: name, language, auditType',
+        );
+        return;
+      }
+
+      if (!utils.validFilename(req.body.language)) {
+        Response.BadParameters(res, 'Invalid characters for language');
+        return;
+      }
+
+      var audit = {};
+      // Required params
+      audit.name = req.body.name;
+      audit.language = req.body.language;
+      audit.auditType = req.body.auditType;
+      audit.type = 'default';
+
+      // Optional params
+      if (req.body.type && req.body.type === 'multi')
+        audit.type = req.body.type;
+      if (audit.type === 'default' && req.body.parentId)
+        audit.parentId = req.body.parentId;
+
+      Audit.create(audit, req.decodedToken.id)
+        .then(inserted =>
+          Response.Created(res, {
+            message: 'Audit created successfully',
+            audit: inserted,
+          }),
+        )
+        .catch(err => Response.Internal(res, err));
+    },
+  );
+
+  // Get audits children
+  app.get(
+    '/api/audits/:auditId/children',
+    acl.hasPermission('audits:read'),
+    function (req, res) {
+      var getUsersRoom = function (room) {
+        return utils.getSockets(io, room).map(s => s.username);
+      };
+      Audit.getAuditChildren(
+        acl.isAllowed(req.decodedToken.role, 'audits:read-all'),
+        req.params.auditId,
+        req.decodedToken.id,
+      )
+        .then(msg => {
+          var result = [];
+          msg.forEach(audit => {
+            var a = {};
+            a._id = audit._id;
+            a.name = audit.name;
+            a.auditType = audit.auditType;
+            a.approvals = audit.approvals;
+            a.state = audit.state;
+            if (
+              acl.isAllowed(req.decodedToken.role, 'audits:users-connected')
+            ) {
+              a.connected = getUsersRoom(audit._id.toString());
+            }
+            result.push(a);
+          });
+          Response.Ok(res, result);
+        })
+        .catch(err => Response.Internal(res, err));
+    },
+  );
+
+  // Get audit retest with auditId
+  app.get(
+    '/api/audits/:auditId/retest',
+    acl.hasPermission('audits:read'),
+    function (req, res) {
+      Audit.getRetest(
+        acl.isAllowed(req.decodedToken.role, 'audits:read-all'),
+        req.params.auditId,
+        req.decodedToken.id,
+      )
+        .then(msg => Response.Ok(res, msg))
+        .catch(err => Response.Internal(res, err));
+    },
+  );
+
+  // Create audit retest with auditId
+  app.post(
+    '/api/audits/:auditId/retest',
+    acl.hasPermission('audits:create'),
+    function (req, res) {
+      if (!req.body.auditType) {
+        Response.BadParameters(
+          res,
+          'Missing some required parameters: auditType',
+        );
+        return;
+      }
+      Audit.createRetest(
+        acl.isAllowed(req.decodedToken.role, 'audits:read-all'),
+        req.params.auditId,
+        req.decodedToken.id,
+        req.body.auditType,
+      )
+        .then(inserted =>
+          Response.Created(res, {
+            message: 'Audit Retest created successfully',
+            audit: inserted,
+          }),
+        )
+        .catch(err => Response.Internal(res, err));
+    },
+  );
+
+  // Delete audit if creator or admin
+  app.delete(
+    '/api/audits/:auditId',
+    acl.hasPermission('audits:delete'),
+    function (req, res) {
+      Audit.delete(
+        acl.isAllowed(req.decodedToken.role, 'audits:delete-all'),
+        req.params.auditId,
+        req.decodedToken.id,
+      )
+        .then(msg => Response.Ok(res, msg))
+        .catch(err => Response.Internal(res, err));
+    },
+  );
+
+  /* ### AUDITS EDIT ### */
+
+  // Get Audit with ID
+  app.get(
+    '/api/audits/:auditId',
+    acl.hasPermission('audits:read'),
+    function (req, res) {
+      Audit.getAudit(
+        acl.isAllowed(req.decodedToken.role, 'audits:read-all'),
+        req.params.auditId,
+        req.decodedToken.id,
+      )
+        .then(msg => Response.Ok(res, msg))
+        .catch(err => Response.Internal(res, err));
+    },
+  );
+
+  // Get audit general information
+  app.get(
+    '/api/audits/:auditId/general',
+    acl.hasPermission('audits:read'),
+    function (req, res) {
+      Audit.getGeneral(
+        acl.isAllowed(req.decodedToken.role, 'audits:read-all'),
+        req.params.auditId,
+        req.decodedToken.id,
+      )
+        .then(msg => Response.Ok(res, msg))
+        .catch(err => Response.Internal(res, err));
+    },
+  );
+
+  // Update audit general information
+  app.put(
+    '/api/audits/:auditId/general',
+    acl.hasPermission('audits:update'),
+    async function (req, res) {
+      var update = {};
+
+      var settings = await Settings.getAll();
+      var audit = await Audit.getAudit(
+        acl.isAllowed(req.decodedToken.role, 'audits:read-all'),
+        req.params.auditId,
+        req.decodedToken.id,
+      );
+      if (settings.reviews.enabled && audit.state !== 'EDIT') {
+        Response.Forbidden(
+          res,
+          'The audit is not in the EDIT state and therefore cannot be edited.',
+        );
+        return;
+      }
+
+      if (req.body.reviewers) {
+        if (req.body.reviewers.some(element => !element._id)) {
+          Response.BadParameters(res, 'One or more reviewer is missing an _id');
+          return;
+        }
+
+        // Is the new reviewer the creator of the audit?
+        if (
+          req.body.reviewers.some(element => element._id === audit.creator._id)
+        ) {
+          Response.BadParameters(
+            res,
+            'A user cannot simultaneously be a reviewer and a collaborator/creator',
+          );
+          return;
+        }
+
+        // Is the new reviewer one of the new collaborators that will override current collaborators?
+        if (req.body.collaborators) {
+          req.body.reviewers.forEach(reviewer => {
+            if (
+              req.body.collaborators.some(
+                element => !element._id || element._id === reviewer._id,
+              )
+            ) {
+              Response.BadParameters(
+                res,
+                'A user cannot simultaneously be a reviewer and a collaborator/creator',
+              );
+              return;
+            }
+          });
+        }
+
+        // If no new collaborators are being set, is the new reviewer one of the current collaborators?
+        else if (audit.collaborators) {
+          req.body.reviewers.forEach(reviewer => {
+            if (
+              audit.collaborators.some(element => element._id === reviewer._id)
+            ) {
+              Response.BadParameters(
+                res,
+                'A user cannot simultaneously be a reviewer and a collaborator/creator',
+              );
+              return;
+            }
+          });
+        }
+      }
+
+      if (req.body.collaborators) {
+        if (req.body.collaborators.some(element => !element._id)) {
+          Response.BadParameters(
+            res,
+            'One or more collaborator is missing an _id',
+          );
+          return;
+        }
+
+        // Are the new collaborators part of the current reviewers?
+        req.body.collaborators.forEach(collaborator => {
+          if (
+            audit.reviewers.some(element => element._id === collaborator._id)
+          ) {
+            Response.BadParameters(
+              res,
+              'A user cannot simultaneously be a reviewer and a collaborator/creator',
+            );
+            return;
+          }
+        });
+
+        // If the new collaborator already gave a review, remove said review, accept collaborator
+        if (audit.approvals) {
+          var newApprovals = audit.approvals.filter(
+            approval =>
+              !req.body.collaborators.some(
+                collaborator => approval.toString() === collaborator._id,
+              ),
+          );
+          update.approvals = newApprovals;
+        }
+      }
+
+      // Optional parameters
+      if (req.body.name) update.name = req.body.name;
+      if (req.body.date) update.date = req.body.date;
+      if (req.body.date_start) update.date_start = req.body.date_start;
+      if (req.body.date_end) update.date_end = req.body.date_end;
+      if (req.body.client !== undefined) update.client = req.body.client;
+      if (req.body.company !== undefined) {
+        update.company = {};
+        if (req.body.company && req.body.company._id)
+          update.company._id = req.body.company._id;
+        else if (req.body.company && req.body.company.name)
+          update.company.name = req.body.company.name;
+        else update.company = null;
+      }
+      if (req.body.collaborators) update.collaborators = req.body.collaborators;
+      if (req.body.reviewers) update.reviewers = req.body.reviewers;
+      if (req.body.language && utils.validFilename(req.body.language))
+        update.language = req.body.language;
+      if (req.body.scope && typeof (req.body.scope === 'array')) {
+        update.scope = req.body.scope.map(item => {
+          return { name: item };
+        });
+      }
+      if (req.body.template) update.template = req.body.template;
+      if (req.body.customFields) update.customFields = req.body.customFields;
+      if (
+        settings.reviews.enabled &&
+        settings.reviews.private.removeApprovalsUponUpdate
+      )
+        update.approvals = [];
+
+      Audit.updateGeneral(
+        acl.isAllowed(req.decodedToken.role, 'audits:update-all'),
+        req.params.auditId,
+        req.decodedToken.id,
+        update,
+      )
+        .then(msg => {
+          io.to(req.params.auditId).emit('updateAudit');
+          Response.Ok(res, msg);
+        })
+        .catch(err => Response.Internal(res, err));
+    },
+  );
+
+  // Get audit network information
+  app.get(
+    '/api/audits/:auditId/network',
+    acl.hasPermission('audits:read'),
+    function (req, res) {
+      Audit.getNetwork(
+        acl.isAllowed(req.decodedToken.role, 'audits:read-all'),
+        req.params.auditId,
+        req.decodedToken.id,
+      )
+        .then(msg => Response.Ok(res, msg))
+        .catch(err => Response.Internal(res, err));
+    },
+  );
+
+  // Update audit network information
+  app.put(
+    '/api/audits/:auditId/network',
+    acl.hasPermission('audits:update'),
+    async function (req, res) {
+      var settings = await Settings.getAll();
+
+      var audit = await Audit.getAudit(
+        acl.isAllowed(req.decodedToken.role, 'audits:read-all'),
+        req.params.auditId,
+        req.decodedToken.id,
+      );
+      if (settings.reviews.enabled && audit.state !== 'EDIT') {
+        Response.Forbidden(
+          res,
+          'The audit is not in the EDIT state and therefore cannot be edited.',
+        );
+        return;
+      }
+
+      var update = {};
+      // Optional parameters
+      if (req.body.scope) update.scope = req.body.scope;
+      if (
+        settings.reviews.enabled &&
+        settings.reviews.private.removeApprovalsUponUpdate
+      )
+        update.approvals = [];
+
+      Audit.updateNetwork(
+        acl.isAllowed(req.decodedToken.role, 'audits:update-all'),
+        req.params.auditId,
+        req.decodedToken.id,
+        update,
+      )
+        .then(msg => Response.Ok(res, msg))
+        .catch(err => Response.Internal(res, err));
+    },
+  );
+
+  // POST to export an encrypted PDF.
+  app.post(
+    '/api/audits/:auditId/generate/pdf',
+    acl.hasPermission('audits:read'),
+    function (req, res) {
+      Audit.getAudit(
+        acl.isAllowed(req.decodedToken.role, 'audits:read-all'),
+        req.params.auditId,
+        req.decodedToken.id,
+      )
+        .then(async audit => {
+          if (
+            ['ppt', 'pptx', 'doc', 'docx', 'docm'].includes(audit.template.ext)
+          ) {
+            let reportPdf;
+            if (req.body.password) {
+              reportPdf = await reportGenerator.generateEncryptedPdf(
+                audit,
+                req.body.password,
+              );
+            } else {
+              Response.BadParameters(res, 'No password included');
+            }
+
+            if (reportPdf) {
+              res.setHeader(
+                'Content-Disposition',
+                `attachment; filename=${audit.name}.pdf`,
+              );
+              res.setHeader('Content-Type', 'application/pdf');
+              res.send(reportPdf);
+            } else {
+              console.error('Error generating PDF');
+              Response.Internal(res, 'Error generating PDF');
+            }
+          } else {
+            Response.BadParameters(
+              res,
+              'Template not in a Microsoft Word/Powerpoint format',
+            );
+          }
+        })
+        .catch(err => {
+          console.log(err);
+          if (err.code === 'ENOENT')
+            Response.BadParameters(res, 'Template File not found');
+          else Response.Internal(res, err);
+        });
+    },
+  );
+
+  // Generate report as PDF
+  app.get(
+    '/api/audits/:auditId/generate/pdf',
+    acl.hasPermission('audits:read'),
+    function (req, res) {
+      Audit.getAudit(
+        acl.isAllowed(req.decodedToken.role, 'audits:read-all'),
+        req.params.auditId,
+        req.decodedToken.id,
+      )
+        .then(async audit => {
+          if (
+            ['ppt', 'pptx', 'doc', 'docx', 'docm'].find(
+              ext => ext === audit.template.ext,
+            )
+          ) {
+            var reportPdf = await reportGenerator.generatePdf(audit);
+            Response.SendFile(res, `${audit.name}.pdf`, reportPdf);
+          } else {
+            Response.BadParameters(
+              res,
+              'Template not in a Microsoft Word/Powerpoint format',
+            );
+          }
+        })
+        .catch(err => {
+          console.log(err);
+          if (err.code === 'ENOENT')
+            Response.BadParameters(res, 'Template File not found');
+          else Response.Internal(res, err);
+        });
+    },
+  );
+
+  // Generate Report as csv
+  app.get(
+    '/api/audits/:auditId/generate/csv',
+    acl.hasPermission('audits:read'),
+    function (req, res) {
+      Audit.getAudit(
+        acl.isAllowed(req.decodedToken.role, 'audits:read-all'),
+        req.params.auditId,
+        req.decodedToken.id,
+      )
+        .then(async audit => {
+          var reportCsv = await reportGenerator.generateCsv(audit);
+          Response.SendFile(res, `${audit.name}.csv`, reportCsv);
+        })
+        .catch(err => {
+          console.log(err);
+          Response.Internal(res, err);
+        });
+    },
+  );
+
+  // Generate Report as json
+  app.get(
+    '/api/audits/:auditId/generate/json',
+    acl.hasPermission('audits:read'),
+    function (req, res) {
+      Audit.getAudit(
+        acl.isAllowed(req.decodedToken.role, 'audits:read-all'),
+        req.params.auditId,
+        req.decodedToken.id,
+      )
+        .then(async audit => {
+          Response.SendFile(res, `${audit.name}.json`, audit);
+        })
+        .catch(err => {
+          console.log(err);
+          Response.Internal(res, err);
+        });
+    },
+  );
+
+  // Add finding to audit
+  app.post(
+    '/api/audits/:auditId/findings',
+    acl.hasPermission('audits:update'),
+    async function (req, res) {
+      var settings = await Settings.getAll();
+      var audit = await Audit.getAudit(
+        acl.isAllowed(req.decodedToken.role, 'audits:read-all'),
+        req.params.auditId,
+        req.decodedToken.id,
+      );
+      if (settings.reviews.enabled && audit.state !== 'EDIT') {
+        Response.Forbidden(
+          res,
+          'The audit is not in the EDIT state and therefore cannot be edited.',
+        );
+        return;
+      }
+      if (!req.body.title) {
+        Response.BadParameters(res, 'Missing some required parameters: title');
+        return;
+      }
+
+      var finding = {};
+      // Required parameters
+      finding.title = req.body.title;
+
+      // Optional parameters
+      if (req.body.vulnType) finding.vulnType = req.body.vulnType;
+      if (req.body.description) finding.description = req.body.description;
+      if (req.body.observation) finding.observation = req.body.observation;
+      if (req.body.remediation) finding.remediation = req.body.remediation;
+      if (req.body.remediationComplexity)
+        finding.remediationComplexity = req.body.remediationComplexity;
+      if (req.body.priority) finding.priority = req.body.priority;
+      if (req.body.references) finding.references = req.body.references;
+      if (req.body.cwes) finding.cwes = req.body.cwes;
+      if (req.body.cvssv3) finding.cvssv3 = req.body.cvssv3;
+      if (req.body.poc) finding.poc = req.body.poc;
+      if (req.body.scope) finding.scope = req.body.scope;
+      if (req.body.status !== undefined) finding.status = req.body.status;
+      if (req.body.category) finding.category = req.body.category;
+      if (req.body.customFields) finding.customFields = req.body.customFields;
+
+      if (
+        settings.reviews.enabled &&
+        settings.reviews.private.removeApprovalsUponUpdate
+      ) {
+        Audit.updateGeneral(
+          acl.isAllowed(req.decodedToken.role, 'audits:update-all'),
+          req.params.auditId,
+          req.decodedToken.id,
+          { approvals: [] },
+        );
+      }
+
+      Audit.createFinding(
+        acl.isAllowed(req.decodedToken.role, 'audits:update-all'),
+        req.params.auditId,
+        req.decodedToken.id,
+        finding,
+      )
+        .then(msg => {
+          io.to(req.params.auditId).emit('updateAudit');
+          Response.Ok(res, msg);
+        })
+        .catch(err => Response.Internal(res, err));
+    },
+  );
+
+  // Get finding of audit
+  app.get(
+    '/api/audits/:auditId/findings/:findingId',
+    acl.hasPermission('audits:read'),
+    function (req, res) {
+      Audit.getFinding(
+        acl.isAllowed(req.decodedToken.role, 'audits:read-all'),
+        req.params.auditId,
+        req.decodedToken.id,
+        req.params.findingId,
+      )
+        .then(msg => Response.Ok(res, msg))
+        .catch(err => Response.Internal(res, err));
+    },
+  );
+
+  // Update finding of audit
+  app.put(
+    '/api/audits/:auditId/findings/:findingId',
+    acl.hasPermission('audits:update'),
+    async function (req, res) {
+      var settings = await Settings.getAll();
+      var audit = await Audit.getAudit(
+        acl.isAllowed(req.decodedToken.role, 'audits:read-all'),
+        req.params.auditId,
+        req.decodedToken.id,
+      );
+      if (settings.reviews.enabled && audit.state !== 'EDIT') {
+        Response.Forbidden(
+          res,
+          'The audit is not in the EDIT state and therefore cannot be edited.',
+        );
+        return;
+      }
+
+      var finding = {};
+      // Optional parameters
+      if (req.body.title) finding.title = req.body.title;
+      if (req.body.vulnType) finding.vulnType = req.body.vulnType;
+      if (!_.isNil(req.body.description))
+        finding.description = req.body.description;
+      if (!_.isNil(req.body.observation))
+        finding.observation = req.body.observation;
+      if (!_.isNil(req.body.remediation))
+        finding.remediation = req.body.remediation;
+      if (req.body.remediationComplexity)
+        finding.remediationComplexity = req.body.remediationComplexity;
+      if (req.body.priority) finding.priority = req.body.priority;
+      if (req.body.references) finding.references = req.body.references;
+      if (req.body.cwes) finding.cwes = req.body.cwes;
+      if (req.body.cvssv3) finding.cvssv3 = req.body.cvssv3;
+      if (!_.isNil(req.body.poc)) finding.poc = req.body.poc;
+      if (!_.isNil(req.body.scope)) finding.scope = req.body.scope;
+      if (req.body.status !== undefined) finding.status = req.body.status;
+      if (req.body.category) finding.category = req.body.category;
+      if (req.body.customFields) finding.customFields = req.body.customFields;
+      if (req.body.retestDescription)
+        finding.retestDescription = req.body.retestDescription;
+      if (req.body.retestStatus) finding.retestStatus = req.body.retestStatus;
+
+      if (
+        settings.reviews.enabled &&
+        settings.reviews.private.removeApprovalsUponUpdate
+      ) {
+        Audit.updateGeneral(
+          acl.isAllowed(req.decodedToken.role, 'audits:update-all'),
+          req.params.auditId,
+          req.decodedToken.id,
+          { approvals: [] },
+        );
+      }
+
+      Audit.updateFinding(
+        acl.isAllowed(req.decodedToken.role, 'audits:update-all'),
+        req.params.auditId,
+        req.decodedToken.id,
+        req.params.findingId,
+        finding,
+      )
+        .then(msg => {
+          io.to(req.params.auditId).emit('updateAudit');
+          Response.Ok(res, msg);
+        })
+        .catch(err => Response.Internal(res, err));
+    },
+  );
+
+  // Delete finding of audit
+  app.delete(
+    '/api/audits/:auditId/findings/:findingId',
+    acl.hasPermission('audits:update'),
+    async function (req, res) {
+      var settings = await Settings.getAll();
+      var audit = await Audit.getAudit(
+        acl.isAllowed(req.decodedToken.role, 'audits:read-all'),
+        req.params.auditId,
+        req.decodedToken.id,
+      );
+      if (settings.reviews.enabled && audit.state !== 'EDIT') {
+        Response.Forbidden(
+          res,
+          'The audit is not in the EDIT state and therefore cannot be edited.',
+        );
+        return;
+      }
+      Audit.deleteFinding(
+        acl.isAllowed(req.decodedToken.role, 'audits:update-all'),
+        req.params.auditId,
+        req.decodedToken.id,
+        req.params.findingId,
+      )
+        .then(msg => {
+          io.to(req.params.auditId).emit('updateAudit');
+          Response.Ok(res, msg);
+        })
+        .catch(err => Response.Internal(res, err));
+    },
+  );
+
+  // Get section of audit
+  app.get(
+    '/api/audits/:auditId/sections/:sectionId',
+    acl.hasPermission('audits:read'),
+    function (req, res) {
+      Audit.getSection(
+        acl.isAllowed(req.decodedToken.role, 'audits:read-all'),
+        req.params.auditId,
+        req.decodedToken.id,
+        req.params.sectionId,
+      )
+        .then(msg => Response.Ok(res, msg))
+        .catch(err => Response.Internal(res, err));
+    },
+  );
+
+  // Update section of audit
+  app.put(
+    '/api/audits/:auditId/sections/:sectionId',
+    acl.hasPermission('audits:update'),
+    async function (req, res) {
+      var settings = await Settings.getAll();
+      var audit = await Audit.getAudit(
+        acl.isAllowed(req.decodedToken.role, 'audits:read-all'),
+        req.params.auditId,
+        req.decodedToken.id,
+      );
+      if (settings.reviews.enabled && audit.state !== 'EDIT') {
+        Response.Forbidden(
+          res,
+          'The audit is not in the EDIT state and therefore cannot be edited.',
+        );
+        return;
+      }
+      if (typeof req.body.customFields === 'undefined') {
+        Response.BadParameters(
+          res,
+          'Missing some required parameters: customFields',
+        );
+        return;
+      }
+      var section = {};
+      // Mandatory parameters
+      section.customFields = req.body.customFields;
+
+      // For retrocompatibility with old section.text usage
+      if (req.body.text) section.text = req.body.text;
+
+      if (
+        settings.reviews.enabled &&
+        settings.reviews.private.removeApprovalsUponUpdate
+      ) {
+        Audit.updateGeneral(
+          acl.isAllowed(req.decodedToken.role, 'audits:update-all'),
+          req.params.auditId,
+          req.decodedToken.id,
+          { approvals: [] },
+        );
+      }
+
+      Audit.updateSection(
+        acl.isAllowed(req.decodedToken.role, 'audits:update-all'),
+        req.params.auditId,
+        req.decodedToken.id,
+        req.params.sectionId,
+        section,
+      )
+        .then(msg => {
+          Response.Ok(res, msg);
+        })
+        .catch(err => Response.Internal(res, err));
+    },
+  );
+
+  // Generate Report for specific audit
+  app.get(
+    '/api/audits/:auditId/generate',
+    acl.hasPermission('audits:read'),
+    function (req, res) {
+      Audit.getAudit(
+        acl.isAllowed(req.decodedToken.role, 'audits:read-all'),
+        req.params.auditId,
+        req.decodedToken.id,
+      )
+        .then(async audit => {
+          var settings = await Settings.getAll();
+
+          if (
+            settings.reviews.enabled &&
+            settings.reviews.public.mandatoryReview &&
+            audit.state !== 'APPROVED'
+          ) {
+            Response.Forbidden(
+              res,
+              'Audit was not approved therefore cannot be exported.',
+            );
+            return;
+          }
+
+          if (!audit.template)
+            throw { fn: 'BadParameters', message: 'Template not defined' };
+
+          var reportDoc = await reportGenerator.generateDoc(audit);
+          Response.SendFile(
+            res,
+            `${audit.name.replace(/[\\\/:*?"<>|]/g, '')}.${audit.template.ext || 'docx'}`,
+            reportDoc,
+          );
+        })
+        .catch(err => {
+          if (err.code === 'ENOENT')
+            Response.BadParameters(res, 'Template File not found');
+          else Response.Internal(res, err);
+        });
+    },
+  );
+
+  // Update sort options of an audit
+  app.put(
+    '/api/audits/:auditId/sortfindings',
+    acl.hasPermission('audits:update'),
+    async function (req, res) {
+      var settings = await Settings.getAll();
+      var audit = await Audit.getAudit(
+        acl.isAllowed(req.decodedToken.role, 'audits:read-all'),
+        req.params.auditId,
+        req.decodedToken.id,
+      );
+      if (settings.reviews.enabled && audit.state !== 'EDIT') {
+        Response.Forbidden(
+          res,
+          'The audit is not in the EDIT state and therefore cannot be edited.',
+        );
+        return;
+      }
+      var update = {};
+      // Optional parameters
+      if (req.body.sortFindings) update.sortFindings = req.body.sortFindings;
+      if (
+        settings.reviews.enabled &&
+        settings.reviews.private.removeApprovalsUponUpdate
+      )
+        update.approvals = [];
+
+      Audit.updateSortFindings(
+        acl.isAllowed(req.decodedToken.role, 'audits:update-all'),
+        req.params.auditId,
+        req.decodedToken.id,
+        update,
+      )
+        .then(msg => {
+          io.to(req.params.auditId).emit('updateAudit');
+          Response.Ok(res, msg);
+        })
+        .catch(err => Response.Internal(res, err));
+    },
+  );
+
+  // Update finding position (oldIndex -> newIndex)
+  app.put(
+    '/api/audits/:auditId/movefinding',
+    acl.hasPermission('audits:update'),
+    async function (req, res) {
+      var settings = await Settings.getAll();
+      var audit = await Audit.getAudit(
+        acl.isAllowed(req.decodedToken.role, 'audits:read-all'),
+        req.params.auditId,
+        req.decodedToken.id,
+      );
+      if (settings.reviews.enabled && audit.state !== 'EDIT') {
+        Response.Forbidden(
+          res,
+          'The audit is not in the EDIT state and therefore cannot be edited.',
+        );
+        return;
+      }
+      if (
+        typeof req.body.oldIndex === 'undefined' ||
+        typeof req.body.newIndex === 'undefined'
+      ) {
+        Response.BadParameters(
+          res,
+          'Missing some required parameters: oldIndex, newIndex',
+        );
+        return;
+      }
+
+      var move = {};
+      // Required parameters
+      move.oldIndex = req.body.oldIndex;
+      move.newIndex = req.body.newIndex;
+
+      if (
+        settings.reviews.enabled &&
+        settings.reviews.private.removeApprovalsUponUpdate
+      ) {
+        Audit.updateGeneral(
+          acl.isAllowed(req.decodedToken.role, 'audits:update-all'),
+          req.params.auditId,
+          req.decodedToken.id,
+          { approvals: [] },
+        );
+      }
+
+      Audit.moveFindingPosition(
+        acl.isAllowed(req.decodedToken.role, 'audits:update-all'),
+        req.params.auditId,
+        req.decodedToken.id,
+        move,
+      )
+        .then(msg => {
+          io.to(req.params.auditId).emit('updateAudit');
+          Response.Ok(res, msg);
+        })
+        .catch(err => Response.Internal(res, err));
+    },
+  );
+
+  // Give or remove a reviewer's approval to an audit
+  app.put(
+    '/api/audits/:auditId/toggleApproval',
+    acl.hasPermission('audits:review'),
+    async function (req, res) {
+      const settings = await Settings.getAll();
+
+      if (!settings.reviews.enabled) {
+        Response.Forbidden(res, 'Audit reviews are not enabled.');
+        return;
+      }
+
+      Audit.findById(req.params.auditId)
+        .then(audit => {
+          if (audit.state !== 'REVIEW' && audit.state !== 'APPROVED') {
+            Response.Forbidden(
+              res,
+              'The audit is not approvable in the current state.',
+            );
+            return;
+          }
+
+          var hasApprovedBefore = false;
+          var newApprovalsArray = [];
+          if (audit.approvals) {
+            audit.approvals.forEach(approval => {
+              if (approval._id.toString() === req.decodedToken.id) {
+                hasApprovedBefore = true;
+              } else {
+                newApprovalsArray.push(approval);
+              }
+            });
+          }
+
+          if (!hasApprovedBefore) {
+            newApprovalsArray.push({
+              _id: req.decodedToken.id,
+              role: req.decodedToken.role,
+              username: req.decodedToken.username,
+              firstname: req.decodedToken.firstname,
+              lastname: req.decodedToken.lastname,
+            });
+          }
+
+          var update = { approvals: newApprovalsArray };
+          Audit.updateApprovals(
+            acl.isAllowed(req.decodedToken.role, 'audits:review-all'),
+            req.params.auditId,
+            req.decodedToken.id,
+            update,
+          )
+            .then(() => {
+              io.to(req.params.auditId).emit('updateAudit');
+              Response.Ok(res, 'Approval updated successfully.');
+            })
+            .catch(err => {
+              Response.Internal(res, err);
+            });
+        })
+        .catch(err => {
+          Response.Internal(res, err);
+        });
+    },
+  );
+
+  // Sets the audit state to EDIT or REVIEW
+  app.put(
+    '/api/audits/:auditId/updateReadyForReview',
+    acl.hasPermission('audits:update'),
+    async function (req, res) {
+      const settings = await Settings.getAll();
+
+      if (!settings.reviews.enabled) {
+        Response.Forbidden(res, 'Audit reviews are not enabled.');
+        return;
+      }
+
+      var update = {};
+      var audit = await Audit.getAudit(
+        acl.isAllowed(req.decodedToken.role, 'audits:read-all'),
+        req.params.auditId,
+        req.decodedToken.id,
+      );
+
+      if (audit.state !== 'EDIT' && audit.state !== 'REVIEW') {
+        Response.Forbidden(
+          res,
+          'The audit is not in the proper state for this action.',
+        );
+        return;
+      }
+
+      if (
+        req.body.state != undefined &&
+        (req.body.state === 'EDIT' || req.body.state === 'REVIEW')
+      )
+        update.state = req.body.state;
+
+      if (update.state === 'EDIT') {
+        var newApprovalsArray = [];
+        if (audit.approvals) {
+          audit.approvals.forEach(approval => {
+            if (approval._id.toString() !== req.decodedToken.id) {
+              newApprovalsArray.push(approval);
+            }
+          });
+          update.approvals = newApprovalsArray;
+        }
+      }
+
+      Audit.updateGeneral(
+        acl.isAllowed(req.decodedToken.role, 'audits:update-all'),
+        req.params.auditId,
+        req.decodedToken.id,
+        update,
+      )
+        .then(msg => {
+          io.to(req.params.auditId).emit('updateAudit');
+          Response.Ok(res, msg);
+        })
+        .catch(err => Response.Internal(res, err));
+    },
+  );
+
+  // Update parentId of Audit
+  app.put(
+    '/api/audits/:auditId/updateParent',
+    acl.hasPermission('audits:create'),
+    async function (req, res) {
+      var settings = await Settings.getAll();
+      var audit = await Audit.getAudit(
+        acl.isAllowed(req.decodedToken.role, 'audits:read-all'),
+        req.body.parentId,
+        req.decodedToken.id,
+      );
+      if (settings.reviews.enabled && audit.state !== 'EDIT') {
+        Response.Forbidden(
+          res,
+          'The audit is not in the EDIT state and therefore cannot be edited.',
+        );
+        return;
+      }
+      if (!req.body.parentId) {
+        Response.BadParameters(
+          res,
+          'Missing some required parameters: parentId',
+        );
+        return;
+      }
+      Audit.updateParent(
+        acl.isAllowed(req.decodedToken.role, 'audits:update-all'),
+        req.params.auditId,
+        req.decodedToken.id,
+        req.body.parentId,
+      )
+        .then(msg => {
+          io.to(req.body.parentId).emit('updateAudit');
+          Response.Ok(res, msg);
+        })
+        .catch(err => Response.Internal(res, err));
+    },
+  );
+
+  // Delete parentId of Audit
+  app.delete(
+    '/api/audits/:auditId/deleteParent',
+    acl.hasPermission('audits:delete'),
+    async function (req, res) {
+      var settings = await Settings.getAll();
+      var audit = await Audit.getAudit(
+        acl.isAllowed(req.decodedToken.role, 'audits:read-all'),
+        req.params.auditId,
+        req.decodedToken.id,
+      );
+      var parentAudit = await Audit.getAudit(
+        acl.isAllowed(req.decodedToken.role, 'audits:read-all'),
+        audit.parentId,
+        req.decodedToken.id,
+      );
+      if (settings.reviews.enabled && parentAudit.state !== 'EDIT') {
+        Response.Forbidden(
+          res,
+          'The audit is not in the EDIT state and therefore cannot be edited.',
+        );
+        return;
+      }
+      Audit.deleteParent(
+        acl.isAllowed(req.decodedToken.role, 'audits:delete-all'),
+        req.params.auditId,
+        req.decodedToken.id,
+      )
+        .then(msg => {
+          if (msg.parentId) io.to(msg.parentId.toString()).emit('updateAudit');
+          Response.Ok(res, msg);
+        })
+        .catch(err => Response.Internal(res, err));
+    },
+  );
+};

backend/src/routes/check-cwe-update.js

@@ -0,0 +1,60 @@
+module.exports = function (app) {
+  const Response = require('../lib/httpResponse.js');
+  const acl = require('../lib/auth').acl;
+  const networkError = new Error(
+    'Error checking CWE model update: Network response was not ok',
+  );
+  const timeoutError = new Error(
+    'Error checking CWE mode update: Request timed out',
+  );
+  const cweConfig = require('../config/config-cwe.json')['cwe-container'];
+  const TIMEOUT_MS = cweConfig.check_timeout_ms || 30000;
+
+  app.get(
+    '/api/check-cwe-update',
+    acl.hasPermission('check-update:all'),
+    async function (req, res) {
+      const controller = new AbortController();
+      const timeout = setTimeout(() => controller.abort(), TIMEOUT_MS);
+
+      try {
+        //TODO: Change workaround to a proper solution for self-signed certificates
+        if (!cweConfig.host || !cweConfig.port) {
+          return Response.BadRequest(
+            res,
+            new Error('Configuración del servicio incompleta'),
+          );
+        }
+        process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+        const response = await fetch(
+          `https://${cweConfig.host}:${cweConfig.port}/${cweConfig.endpoints.check_update_endpoint}`,
+          {
+            method: 'GET',
+            headers: { 'Content-Type': 'application/json' },
+            signal: controller.signal,
+          },
+        );
+        clearTimeout(timeout);
+
+        if (!response.ok) {
+          const errorBody = await response.text();
+          throw new Error(
+            `Error del servidor CWE (${response.status}): ${errorBody}`,
+          );
+        }
+
+        const data = await response.json();
+        res.json(data);
+      } catch (error) {
+        console.error('Error en check-cwe-update:', {
+          name: error.name,
+          message: error.message,
+          stack: error.stack,
+        });
+        error.name === 'AbortError'
+          ? Response.Internal(res, { ...timeoutError, details: error.message })
+          : Response.Internal(res, { ...networkError, details: error.message });
+      }
+    },
+  );
+};

backend/src/routes/client.js

@@ -0,0 +1,80 @@
+module.exports = function (app) {
+  var Response = require('../lib/httpResponse.js');
+  var Client = require('mongoose').model('Client');
+  var acl = require('../lib/auth').acl;
+
+  // Get clients list
+  app.get(
+    '/api/clients',
+    acl.hasPermission('clients:read'),
+    function (req, res) {
+      Client.getAll()
+        .then(msg => Response.Ok(res, msg))
+        .catch(err => Response.Internal(res, err));
+    },
+  );
+
+  // Create client
+  app.post(
+    '/api/clients',
+    acl.hasPermission('clients:create'),
+    function (req, res) {
+      if (!req.body.email) {
+        Response.BadParameters(res, 'Required parameters: email');
+        return;
+      }
+
+      var client = {};
+      // Required parameters
+      client.email = req.body.email;
+
+      // Optional parameters
+      if (req.body.lastname) client.lastname = req.body.lastname;
+      if (req.body.firstname) client.firstname = req.body.firstname;
+      if (req.body.phone) client.phone = req.body.phone;
+      if (req.body.cell) client.cell = req.body.cell;
+      if (req.body.title) client.title = req.body.title;
+      var company = null;
+      if (req.body.company && req.body.company.name)
+        company = req.body.company.name;
+
+      Client.create(client, company)
+        .then(msg => Response.Created(res, msg))
+        .catch(err => Response.Internal(res, err));
+    },
+  );
+
+  // Update client
+  app.put(
+    '/api/clients/:id',
+    acl.hasPermission('clients:update'),
+    function (req, res) {
+      var client = {};
+      // Optional parameters
+      if (req.body.email) client.email = req.body.email;
+      client.lastname = req.body.lastname || null;
+      client.firstname = req.body.firstname || null;
+      client.phone = req.body.phone || null;
+      client.cell = req.body.cell || null;
+      client.title = req.body.title || null;
+      var company = null;
+      if (req.body.company && req.body.company.name)
+        company = req.body.company.name;
+
+      Client.update(req.params.id, client, company)
+        .then(msg => Response.Ok(res, 'Client updated successfully'))
+        .catch(err => Response.Internal(res, err));
+    },
+  );
+
+  // Delete client
+  app.delete(
+    '/api/clients/:id',
+    acl.hasPermission('clients:delete'),
+    function (req, res) {
+      Client.delete(req.params.id)
+        .then(msg => Response.Ok(res, 'Client deleted successfully'))
+        .catch(err => Response.Internal(res, err));
+    },
+  );
+};