From cb00d98fd73f9eb33e2bc6216ffe0b490abcc583 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]"
 <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Tue, 24 Feb 2026 02:55:53 +0000
Subject: [PATCH 01/20] feat: Add CVE conversion triage page

This change introduces a new triage page to visualize and compare CVE
conversion data across different stages and environments.

- Added `gcp/website/triage_handlers.py` to handle triage requests and
  proxy GCS file access.
- Registered the new blueprint in `gcp/website/main.py`.
- Created the frontend template `gcp/website/frontend3/src/templates/triage.html`
  with a 3-column layout.
- Implemented frontend logic in `gcp/website/frontend3/src/triage.js` to
  fetch and display JSON data from GCS or the API.
- Added styles in `gcp/website/frontend3/src/triage.scss`.
- Updated Webpack configuration to include the new triage entry point.
- Verified with unit tests and frontend screenshots.

Co-authored-by: jess-lowe <86962800+jess-lowe@users.noreply.github.com>
---
 .../frontend3/src/templates/triage.html       |  52 +++++++
 gcp/website/frontend3/src/triage.js           | 141 ++++++++++++++++++
 gcp/website/frontend3/src/triage.scss         |  71 +++++++++
 gcp/website/frontend3/webpack.dev.js          |   9 +-
 gcp/website/frontend3/webpack.prod.js         |   9 +-
 gcp/website/main.py                           |   2 +
 gcp/website/triage_handlers.py                |  52 +++++++
 7 files changed, 334 insertions(+), 2 deletions(-)
 create mode 100644 gcp/website/frontend3/src/templates/triage.html
 create mode 100644 gcp/website/frontend3/src/triage.js
 create mode 100644 gcp/website/frontend3/src/triage.scss
 create mode 100644 gcp/website/triage_handlers.py

diff --git a/gcp/website/frontend3/src/templates/triage.html b/gcp/website/frontend3/src/templates/triage.html
new file mode 100644
index 00000000000..a4d309ff4af
--- /dev/null
+++ b/gcp/website/frontend3/src/templates/triage.html
@@ -0,0 +1,52 @@
+{% extends 'base.html' %}
+{% set active_section = 'triage' %}
+
+{% block content %}
+<div class="triage-container">
+  <h1>CVE Conversion Triager</h1>
+
+  <div class="input-section">
+    <md-textfield-with-enter label="Vulnerability ID" id="vuln-id-input" placeholder="e.g. CVE-2023-1234"></md-textfield-with-enter>
+    <button id="load-btn" class="button">Load</button>
+  </div>
+
+  <div class="triage-grid">
+    {% for i in range(1, 4) %}
+    <div class="triage-column" id="column-{{ i }}">
+      <div class="column-header">
+        <label for="source-select-{{ i }}">Source:</label>
+        <div class="select-wrapper">
+          <select id="source-select-{{ i }}" class="source-select">
+            <option value="">Select Source...</option>
+            <optgroup label="Test Instance (gs://osv-test-cve-conversion)">
+              <option value="test-nvd">NVD-OSV (JSON)</option>
+              <option value="test-cve5">CVE5 (JSON)</option>
+              <option value="test-osv">OSV Output (JSON)</option>
+              <option value="test-nvd-metrics">NVD Metrics</option>
+              <option value="test-cve5-metrics">CVE5 Metrics</option>
+            </optgroup>
+            <optgroup label="Prod Instance (gs://cve-conversion)">
+              <option value="prod-nvd">NVD-OSV (JSON)</option>
+              <option value="prod-cve5">CVE5 (JSON)</option>
+              <option value="prod-osv">OSV Output (JSON)</option>
+              <option value="prod-nvd-metrics">NVD Metrics</option>
+              <option value="prod-cve5-metrics">CVE5 Metrics</option>
+            </optgroup>
+            <optgroup label="API">
+              <option value="api-test">api.test.osv.dev</option>
+              <option value="api-prod">api.osv.dev</option>
+            </optgroup>
+          </select>
+        </div>
+      </div>
+      <div class="content-display">
+        <div class="loading-spinner hidden">
+          <md-circular-progress indeterminate></md-circular-progress>
+        </div>
+        <pre class="json-content">Select a source to view content</pre>
+      </div>
+    </div>
+    {% endfor %}
+  </div>
+</div>
+{% endblock %}
diff --git a/gcp/website/frontend3/src/triage.js b/gcp/website/frontend3/src/triage.js
new file mode 100644
index 00000000000..eb249303e28
--- /dev/null
+++ b/gcp/website/frontend3/src/triage.js
@@ -0,0 +1,141 @@
+import "./triage.scss";
+import "@material/web/textfield/filled-text-field.js";
+import "@material/web/button/filled-button.js";
+import "@material/web/progress/circular-progress.js";
+
+document.addEventListener("DOMContentLoaded", () => {
+  const vulnIdInput = document.getElementById("vuln-id-input");
+  const loadBtn = document.getElementById("load-btn");
+  const columns = document.querySelectorAll(".triage-column");
+
+  // Map selection values to their respective endpoints/paths
+  const sourceConfigMap = {
+    // Test Instance
+    "test-nvd": {
+      bucket: "osv-test-cve-osv-conversion",
+      pathTemplate: "nvd-osv/{id}.json",
+    },
+    "test-cve5": {
+      bucket: "osv-test-cve-osv-conversion",
+      pathTemplate: "cve5/{id}.json",
+    },
+    "test-osv": {
+      bucket: "osv-test-cve-osv-conversion",
+      pathTemplate: "osv-output/{id}.json",
+    },
+    "test-nvd-metrics": {
+      bucket: "osv-test-cve-osv-conversion",
+      pathTemplate: "nvd-osv/{id}.metrics.json",
+    },
+    "test-cve5-metrics": {
+      bucket: "osv-test-cve-osv-conversion",
+      pathTemplate: "cve5/{id}.metrics.json",
+    },
+    // Prod Instance
+    "prod-nvd": {
+      bucket: "cve-osv-conversion",
+      pathTemplate: "nvd-osv/{id}.json",
+    },
+    "prod-cve5": {
+      bucket: "cve-osv-conversion",
+      pathTemplate: "cve5/{id}.json",
+    },
+    "prod-osv": {
+      bucket: "cve-osv-conversion",
+      pathTemplate: "osv-output/{id}.json",
+    },
+    "prod-nvd-metrics": {
+      bucket: "cve-osv-conversion",
+      pathTemplate: "nvd-osv/{id}.metrics.json",
+    },
+    "prod-cve5-metrics": {
+      bucket: "cve-osv-conversion",
+      pathTemplate: "cve5/{id}.metrics.json",
+    },
+    // API
+    "api-test": {
+      urlTemplate: "https://api.test.osv.dev/v1/vulns/{id}",
+    },
+    "api-prod": {
+      urlTemplate: "https://api.osv.dev/v1/vulns/{id}",
+    },
+  };
+
+  async function fetchData(sourceKey, vulnId) {
+    if (!sourceKey || !vulnId) return null;
+
+    const config = sourceConfigMap[sourceKey];
+    let url;
+
+    if (config.bucket) {
+      const path = config.pathTemplate.replace("{id}", vulnId);
+      url = `/triage/proxy?bucket=${config.bucket}&path=${encodeURIComponent(path)}`;
+    } else if (config.urlTemplate) {
+      url = config.urlTemplate.replace("{id}", vulnId);
+    } else {
+        return Promise.reject("Invalid configuration");
+    }
+
+    const response = await fetch(url);
+    if (!response.ok) {
+        if (response.status === 404) {
+             throw new Error("Not Found");
+        }
+        throw new Error(`Error: ${response.statusText}`);
+    }
+    return response.json();
+  }
+
+  function updateColumn(column) {
+    const select = column.querySelector(".source-select");
+    const contentPre = column.querySelector(".json-content");
+    const spinner = column.querySelector(".loading-spinner");
+    const sourceKey = select.value;
+    const vulnId = vulnIdInput.value.trim();
+
+    if (!sourceKey) {
+        contentPre.textContent = "Select a source to view content";
+        return;
+    }
+
+    if (!vulnId) {
+      contentPre.textContent = "Please enter a Vulnerability ID";
+      return;
+    }
+
+    spinner.classList.remove("hidden");
+    contentPre.textContent = "";
+
+    fetchData(sourceKey, vulnId)
+      .then((data) => {
+        contentPre.textContent = JSON.stringify(data, null, 2);
+      })
+      .catch((error) => {
+        contentPre.textContent = error.message;
+      })
+      .finally(() => {
+        spinner.classList.add("hidden");
+      });
+  }
+
+  loadBtn.addEventListener("click", () => {
+    columns.forEach((col) => updateColumn(col));
+  });
+
+  // Also handle Enter key on the input field
+  vulnIdInput.addEventListener("keyup", (e) => {
+      if (e.key === "Enter") {
+          columns.forEach((col) => updateColumn(col));
+      }
+  });
+
+  // Individual column updates when dropdown changes
+  columns.forEach((col) => {
+    const select = col.querySelector(".source-select");
+    select.addEventListener("change", () => {
+        if (vulnIdInput.value.trim()) {
+            updateColumn(col);
+        }
+    });
+  });
+});
diff --git a/gcp/website/frontend3/src/triage.scss b/gcp/website/frontend3/src/triage.scss
new file mode 100644
index 00000000000..01bd04b14bf
--- /dev/null
+++ b/gcp/website/frontend3/src/triage.scss
@@ -0,0 +1,71 @@
+.triage-container {
+  padding: 20px;
+  max-width: 100%;
+  box-sizing: border-box;
+}
+
+.input-section {
+  display: flex;
+  align-items: center;
+  gap: 10px;
+  margin-bottom: 20px;
+}
+
+#vuln-id-input {
+  width: 300px;
+}
+
+.triage-grid {
+  display: grid;
+  grid-template-columns: repeat(3, 1fr);
+  gap: 20px;
+}
+
+.triage-column {
+  border: 1px solid #ccc;
+  border-radius: 4px;
+  display: flex;
+  flex-direction: column;
+  height: 80vh;
+}
+
+.column-header {
+  padding: 10px;
+  background-color: #f5f5f5;
+  border-bottom: 1px solid #ccc;
+}
+
+.select-wrapper {
+  margin-top: 5px;
+}
+
+.source-select {
+  width: 100%;
+  padding: 5px;
+}
+
+.content-display {
+  flex-grow: 1;
+  padding: 10px;
+  overflow: auto;
+  position: relative; /* For spinner positioning */
+}
+
+.json-content {
+  white-space: pre-wrap;
+  word-wrap: break-word;
+  font-family: monospace;
+  font-size: 12px;
+  margin: 0;
+}
+
+.loading-spinner {
+  position: absolute;
+  top: 50%;
+  left: 50%;
+  transform: translate(-50%, -50%);
+}
+
+.hidden {
+  display: none;
+}
diff --git a/gcp/website/frontend3/webpack.dev.js b/gcp/website/frontend3/webpack.dev.js
index fb148bdf3ed..b1523cbf340 100644
--- a/gcp/website/frontend3/webpack.dev.js
+++ b/gcp/website/frontend3/webpack.dev.js
@@ -9,6 +9,7 @@ module.exports = {
   entry: {
     main: './src/index.js',
     linter: './src/linter.js',
+    triage: './src/triage.js',
   },
   output: {
     path: path.resolve(__dirname, '../dist'),
@@ -35,7 +36,7 @@ module.exports = {
   plugins: [
     new CopyPlugin({
       patterns: [
-        { from: './src/templates', to: '.', globOptions: { ignore: ['**/base.html'] } },
+        { from: './src/templates', to: '.', globOptions: { ignore: ['**/base.html', '**/triage.html'] } },
         { from: './img/*', to: 'static/img/[name][ext]' },
       ],
     }),
@@ -51,6 +52,12 @@ module.exports = {
       chunks: ['linter'],
       excludeChunks: ['main'],
     }),
+    new HtmlWebpackPlugin({
+      filename: 'triage.html',
+      template: './src/templates/triage.html',
+      chunks: ['triage'],
+      excludeChunks: ['main', 'linter'],
+    }),
     new MiniCssExtractPlugin({
       filename: 'static/[name].css'
     }),
diff --git a/gcp/website/frontend3/webpack.prod.js b/gcp/website/frontend3/webpack.prod.js
index 4cf6c4779ad..8c322a558c2 100644
--- a/gcp/website/frontend3/webpack.prod.js
+++ b/gcp/website/frontend3/webpack.prod.js
@@ -9,6 +9,7 @@ module.exports = {
   entry: {
     main: './src/index.js',
     linter: './src/linter.js',
+    triage: './src/triage.js',
   },
   output: {
     path: path.resolve(__dirname, '../dist'),
@@ -35,7 +36,7 @@ module.exports = {
   plugins: [
     new CopyPlugin({
       patterns: [
-        { from: './src/templates/*.html', to: '[name].html' },
+        { from: './src/templates/*.html', to: '[name].html', globOptions: { ignore: ['**/base.html', '**/triage.html'] } },
         { from: './img/*', to: 'static/img/[name][ext]' },
       ],
     }),
@@ -51,6 +52,12 @@ module.exports = {
       chunks: ['linter'],
       excludeChunks: ['main'],
     }),
+    new HtmlWebpackPlugin({
+      filename: 'triage.html',
+      template: './src/templates/triage.html',
+      chunks: ['triage'],
+      excludeChunks: ['main', 'linter'],
+    }),
     new MiniCssExtractPlugin({
       filename: 'static/[name].[contenthash].css'
     }),
diff --git a/gcp/website/main.py b/gcp/website/main.py
index 3ae677aad5f..afea5997d73 100644
--- a/gcp/website/main.py
+++ b/gcp/website/main.py
@@ -22,6 +22,7 @@
 import frontend_handlers
 import handlers
 import linter_api
+import triage_handlers
 import osv.logs
 
 ndb_client = ndb.Client()
@@ -46,6 +47,7 @@ def create_app():
   flask_app.register_blueprint(handlers.blueprint)
   flask_app.register_blueprint(frontend_handlers.blueprint)
   flask_app.register_blueprint(linter_api.blueprint)
+  flask_app.register_blueprint(triage_handlers.blueprint)
   flask_app.config['TEMPLATES_AUTO_RELOAD'] = True
   flask_app.config['COMPRESS_MIMETYPES'] = ['text/html']
 
diff --git a/gcp/website/triage_handlers.py b/gcp/website/triage_handlers.py
new file mode 100644
index 00000000000..94310874540
--- /dev/null
+++ b/gcp/website/triage_handlers.py
@@ -0,0 +1,52 @@
+"""Triage handlers."""
+import logging
+
+from flask import Blueprint, request, jsonify, render_template
+from google.cloud import storage
+
+blueprint = Blueprint('triage_handlers', __name__)
+
+ALLOWED_BUCKETS = {
+    'cve-osv-conversion',
+    'osv-test-cve-osv-conversion'
+}
+
+_STORAGE_CLIENT = None
+
+def get_storage_client():
+    """Get storage client."""
+    global _STORAGE_CLIENT # pylint: disable=global-statement
+    if _STORAGE_CLIENT is None:
+        _STORAGE_CLIENT = storage.Client()
+    return _STORAGE_CLIENT
+
+@blueprint.route('/triage')
+def triage_index():
+    """Triage index."""
+    return render_template('triage.html')
+
+@blueprint.route('/triage/proxy')
+def triage_proxy():
+    """Proxy to fetch files from GCS buckets securely."""
+    bucket_name = request.args.get('bucket')
+    path = request.args.get('path')
+
+    if not bucket_name or not path:
+        return jsonify({'error': 'Missing bucket or path parameters'}), 400
+
+    if bucket_name not in ALLOWED_BUCKETS:
+        return jsonify({'error': 'Invalid bucket'}), 403
+
+    try:
+        bucket = get_storage_client().bucket(bucket_name)
+        blob = bucket.blob(path)
+
+        if not blob.exists():
+            return jsonify({'error': 'File not found'}), 404
+
+        content = blob.download_as_text()
+        return content, 200, {'Content-Type': 'application/json'}
+
+    except Exception as e: # pylint: disable=broad-exception-caught
+        logging.error('Error fetching from GCS: %s', e)
+        return jsonify({'error': 'Internal server error'}), 500

From 623ea94de88db38f8205eaf2d355b12f1cd2e537 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]"
 <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Tue, 24 Feb 2026 02:58:10 +0000
Subject: [PATCH 02/20] feat: Add CVE conversion triage page

This change introduces a new triage page to visualize and compare CVE
conversion data across different stages and environments.

- Added `gcp/website/triage_handlers.py` to handle triage requests and
  proxy GCS file access.
- Registered the new blueprint in `gcp/website/main.py`.
- Created the frontend template `gcp/website/frontend3/src/templates/triage.html`
  with a 3-column layout.
- Implemented frontend logic in `gcp/website/frontend3/src/triage.js` to
  fetch and display JSON data from GCS or the API.
- Added styles in `gcp/website/frontend3/src/triage.scss`.
- Updated Webpack configuration to include the new triage entry point.
- Verified with unit tests and frontend screenshots.

Co-authored-by: jess-lowe <86962800+jess-lowe@users.noreply.github.com>

From 8025f2d0eae995da7a75bb9c2fcae9b68638af79 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]"
 <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Tue, 24 Feb 2026 03:06:19 +0000
Subject: [PATCH 03/20] feat: Add CVE conversion triage page

This change introduces a new triage page to visualize and compare CVE
conversion data across different stages and environments.

- Added `gcp/website/triage_handlers.py` to handle triage requests and
  proxy GCS file access.
- Registered the new blueprint in `gcp/website/main.py`.
- Created the frontend template `gcp/website/frontend3/src/templates/triage.html`
  with a 3-column layout.
- Implemented frontend logic in `gcp/website/frontend3/src/triage.js` to
  fetch and display JSON data from GCS or the API.
- Added styles in `gcp/website/frontend3/src/triage.scss`.
- Updated Webpack configuration to include the new triage entry point.
- Verified with unit tests and frontend screenshots.

Co-authored-by: jess-lowe <86962800+jess-lowe@users.noreply.github.com>
---
 gcp/website/triage_handlers.py | 56 +++++++++++++++++-----------------
 1 file changed, 28 insertions(+), 28 deletions(-)

diff --git a/gcp/website/triage_handlers.py b/gcp/website/triage_handlers.py
index 94310874540..07ac3f3b018 100644
--- a/gcp/website/triage_handlers.py
+++ b/gcp/website/triage_handlers.py
@@ -6,47 +6,47 @@
 
 blueprint = Blueprint('triage_handlers', __name__)
 
-ALLOWED_BUCKETS = {
-    'cve-osv-conversion',
-    'osv-test-cve-osv-conversion'
-}
+ALLOWED_BUCKETS = {'cve-osv-conversion', 'osv-test-cve-osv-conversion'}
 
 _STORAGE_CLIENT = None
 
+
 def get_storage_client():
-    """Get storage client."""
-    global _STORAGE_CLIENT # pylint: disable=global-statement
-    if _STORAGE_CLIENT is None:
-        _STORAGE_CLIENT = storage.Client()
-    return _STORAGE_CLIENT
+  """Get storage client."""
+  global _STORAGE_CLIENT  # pylint: disable=global-statement
+  if _STORAGE_CLIENT is None:
+    _STORAGE_CLIENT = storage.Client()
+  return _STORAGE_CLIENT
+
 
 @blueprint.route('/triage')
 def triage_index():
-    """Triage index."""
-    return render_template('triage.html')
+  """Triage index."""
+  return render_template('triage.html')
+
 
 @blueprint.route('/triage/proxy')
 def triage_proxy():
-    """Proxy to fetch files from GCS buckets securely."""
-    bucket_name = request.args.get('bucket')
-    path = request.args.get('path')
+  """Proxy to fetch files from GCS buckets securely."""
+  bucket_name = request.args.get('bucket')
+  path = request.args.get('path')
 
-    if not bucket_name or not path:
-        return jsonify({'error': 'Missing bucket or path parameters'}), 400
+  if not bucket_name or not path:
+    return jsonify({'error': 'Missing bucket or path parameters'}), 400
 
-    if bucket_name not in ALLOWED_BUCKETS:
-        return jsonify({'error': 'Invalid bucket'}), 403
+  if bucket_name not in ALLOWED_BUCKETS:
+    return jsonify({'error': 'Invalid bucket'}), 403
 
-    try:
-        bucket = get_storage_client().bucket(bucket_name)
-        blob = bucket.blob(path)
+  try:
+    bucket = get_storage_client().bucket(bucket_name)
+    blob = bucket.blob(path)
 
-        if not blob.exists():
-            return jsonify({'error': 'File not found'}), 404
+    if not blob.exists():
+      return jsonify({'error': 'File not found'}), 404
 
-        content = blob.download_as_text()
-        return content, 200, {'Content-Type': 'application/json'}
+    content = blob.download_as_text()
+    return content, 200, {'Content-Type': 'application/json'}
 
-    except Exception as e: # pylint: disable=broad-exception-caught
-        logging.error('Error fetching from GCS: %s', e)
-        return jsonify({'error': 'Internal server error'}), 500
+  except Exception as e:  # pylint: disable=broad-exception-caught
+    logging.error('Error fetching from GCS: %s', e)
+    return jsonify({'error': 'Internal server error'}), 500

From db6c42241c16748a6ef89be534480c29a1940c69 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]"
 <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Tue, 24 Feb 2026 03:13:08 +0000
Subject: [PATCH 04/20] feat: Add CVE conversion triage page

This change introduces a new triage page to visualize and compare CVE
conversion data across different stages and environments.

- Added `gcp/website/triage_handlers.py` to handle triage requests and
  proxy GCS file access.
- Registered the new blueprint in `gcp/website/main.py`.
- Created the frontend template `gcp/website/frontend3/src/templates/triage.html`
  with a 3-column layout.
- Implemented frontend logic in `gcp/website/frontend3/src/triage.js` to
  fetch and display JSON data from GCS or the API.
- Added styles in `gcp/website/frontend3/src/triage.scss`.
- Updated Webpack configuration to include the new triage entry point.
- Verified with unit tests and frontend screenshots.

Co-authored-by: jess-lowe <86962800+jess-lowe@users.noreply.github.com>
---
 gcp/website/frontend3/src/templates/triage.html |  2 +-
 gcp/website/frontend3/src/triage.scss           | 12 +++++++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/gcp/website/frontend3/src/templates/triage.html b/gcp/website/frontend3/src/templates/triage.html
index a4d309ff4af..90d839d1d6d 100644
--- a/gcp/website/frontend3/src/templates/triage.html
+++ b/gcp/website/frontend3/src/templates/triage.html
@@ -6,7 +6,7 @@
   <h1>CVE Conversion Triager</h1>
 
   <div class="input-section">
-    <md-textfield-with-enter label="Vulnerability ID" id="vuln-id-input" placeholder="e.g. CVE-2023-1234"></md-textfield-with-enter>
+    <input type="text" id="vuln-id-input" placeholder="e.g. CVE-2023-1234" class="standard-input">
     <button id="load-btn" class="button">Load</button>
   </div>
 
diff --git a/gcp/website/frontend3/src/triage.scss b/gcp/website/frontend3/src/triage.scss
index 01bd04b14bf..9743747aa2a 100644
--- a/gcp/website/frontend3/src/triage.scss
+++ b/gcp/website/frontend3/src/triage.scss
@@ -11,8 +11,18 @@
   margin-bottom: 20px;
 }
 
-#vuln-id-input {
+.standard-input {
   width: 300px;
+  padding: 10px;
+  font-size: 16px;
+  border: 1px solid #ccc;
+  border-radius: 4px;
+}
+
+#load-btn {
+  padding: 10px 20px;
+  font-size: 16px;
+  cursor: pointer;
 }
 
 .triage-grid {

From 48a23bd876c5073a293a4f9c811cccbbe1b47d2b Mon Sep 17 00:00:00 2001
From: Jess Lowe <jesslowe@google.com>
Date: Wed, 25 Feb 2026 04:02:54 +0000
Subject: [PATCH 05/20] Progress

---
 .../frontend3/src/templates/triage.html       |  8 +-
 gcp/website/frontend3/src/triage.js           | 60 +++++++++++++-
 gcp/website/frontend3/src/triage.scss         | 83 +++++++++++++------
 gcp/website/triage_handlers.py                | 21 ++++-
 4 files changed, 137 insertions(+), 35 deletions(-)

diff --git a/gcp/website/frontend3/src/templates/triage.html b/gcp/website/frontend3/src/templates/triage.html
index 90d839d1d6d..b28da26f566 100644
--- a/gcp/website/frontend3/src/templates/triage.html
+++ b/gcp/website/frontend3/src/templates/triage.html
@@ -6,8 +6,8 @@
   <h1>CVE Conversion Triager</h1>
 
   <div class="input-section">
-    <input type="text" id="vuln-id-input" placeholder="e.g. CVE-2023-1234" class="standard-input">
-    <button id="load-btn" class="button">Load</button>
+    <md-filled-text-field id="vuln-id-input" label="Vulnerability ID" placeholder="e.g. CVE-2023-1234" class="standard-input"></md-filled-text-field>
+    <md-filled-button id="load-btn">Load</md-filled-button>
   </div>
 
   <div class="triage-grid">
@@ -18,6 +18,10 @@ <h1>CVE Conversion Triager</h1>
         <div class="select-wrapper">
           <select id="source-select-{{ i }}" class="source-select">
             <option value="">Select Source...</option>
+            <optgroup label="External APIs">
+              <option value="cve-org">CVE.org API</option>
+              <option value="nvd-api">NVD API 2.0</option>
+            </optgroup>
             <optgroup label="Test Instance (gs://osv-test-cve-conversion)">
               <option value="test-nvd">NVD-OSV (JSON)</option>
               <option value="test-cve5">CVE5 (JSON)</option>
diff --git a/gcp/website/frontend3/src/triage.js b/gcp/website/frontend3/src/triage.js
index eb249303e28..e60a1198689 100644
--- a/gcp/website/frontend3/src/triage.js
+++ b/gcp/website/frontend3/src/triage.js
@@ -10,6 +10,15 @@ document.addEventListener("DOMContentLoaded", () => {
 
   // Map selection values to their respective endpoints/paths
   const sourceConfigMap = {
+    // External APIs
+    "cve-org": {
+      urlTemplate: "https://cveawg.cve.org/api/cve/{id}",
+      useProxy: true,
+    },
+    "nvd-api": {
+      urlTemplate: "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId={id}",
+      useProxy: true,
+    },
     // Test Instance
     "test-nvd": {
       bucket: "osv-test-cve-osv-conversion",
@@ -61,6 +70,28 @@ document.addEventListener("DOMContentLoaded", () => {
     },
   };
 
+  function syntaxHighlight(json) {
+    if (typeof json != 'string') {
+      json = JSON.stringify(json, undefined, 2);
+    }
+    json = json.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
+    return json.replace(/("(\\u[a-zA-Z0-9]{4}|\\[^u]|[^\\"])*"(\s*:)?|\b(true|false|null)\b|-?\d+(?:\.\d*)?(?:[eE][+-]?\d+)?)/g, function (match) {
+      var cls = 'json-number';
+      if (/^"/.test(match)) {
+        if (/:$/.test(match)) {
+          cls = 'json-key';
+        } else {
+          cls = 'json-string';
+        }
+      } else if (/true|false/.test(match)) {
+        cls = 'json-boolean';
+      } else if (/null/.test(match)) {
+        cls = 'json-null';
+      }
+      return '<span class="' + cls + '">' + match + '</span>';
+    });
+  }
+
   async function fetchData(sourceKey, vulnId) {
     if (!sourceKey || !vulnId) return null;
 
@@ -70,8 +101,29 @@ document.addEventListener("DOMContentLoaded", () => {
     if (config.bucket) {
       const path = config.pathTemplate.replace("{id}", vulnId);
       url = `/triage/proxy?bucket=${config.bucket}&path=${encodeURIComponent(path)}`;
-    } else if (config.urlTemplate) {
-      url = config.urlTemplate.replace("{id}", vulnId);
+    } else if (config.urlTemplate || sourceKey === 'cve-org') {
+      let targetUrl;
+      if (sourceKey === 'cve-org') {
+        // Construct GitHub raw URL for CVE data
+        // Format: https://raw.githubusercontent.com/CVEProject/cvelistV5/refs/heads/main/cves/<year>/<seq_prefix>xxx/<CVE-ID>.json
+        const match = vulnId.match(/^CVE-(\d{4})-(\d+)$/i);
+        if (match) {
+          const year = match[1];
+          const seq = match[2];
+          const seqPrefix = seq.length > 3 ? seq.slice(0, -3) : '0';
+          targetUrl = `https://raw.githubusercontent.com/CVEProject/cvelistV5/refs/heads/main/cves/${year}/${seqPrefix}xxx/${vulnId.toUpperCase()}.json`;
+        } else {
+          throw new Error("Invalid CVE ID format for GitHub source");
+        }
+      } else {
+        targetUrl = config.urlTemplate.replace("{id}", vulnId);
+      }
+
+      if (config.useProxy || sourceKey === 'cve-org') {
+        url = `/triage/proxy?url=${encodeURIComponent(targetUrl)}`;
+      } else {
+        url = targetUrl;
+      }
     } else {
         return Promise.reject("Invalid configuration");
     }
@@ -108,7 +160,7 @@ document.addEventListener("DOMContentLoaded", () => {
 
     fetchData(sourceKey, vulnId)
       .then((data) => {
-        contentPre.textContent = JSON.stringify(data, null, 2);
+        contentPre.innerHTML = syntaxHighlight(data);
       })
       .catch((error) => {
         contentPre.textContent = error.message;
@@ -123,7 +175,7 @@ document.addEventListener("DOMContentLoaded", () => {
   });
 
   // Also handle Enter key on the input field
-  vulnIdInput.addEventListener("keyup", (e) => {
+  vulnIdInput.addEventListener("keydown", (e) => {
       if (e.key === "Enter") {
           columns.forEach((col) => updateColumn(col));
       }
diff --git a/gcp/website/frontend3/src/triage.scss b/gcp/website/frontend3/src/triage.scss
index 9743747aa2a..aae986c858f 100644
--- a/gcp/website/frontend3/src/triage.scss
+++ b/gcp/website/frontend3/src/triage.scss
@@ -1,48 +1,64 @@
 .triage-container {
-  padding: 20px;
-  max-width: 100%;
+  padding: 40px;
+  width: 100%;
   box-sizing: border-box;
+
+  --md-sys-color-primary: #c5221f;
+  --md-sys-color-on-primary: #ffffff;
+  --md-filled-text-field-focus-active-indicator-color: #c5221f;
+  --md-filled-text-field-focus-label-text-color: #c5221f;
+  --md-filled-button-container-color: #c5221f;
+
+  h1 {
+    font-size: 42px;
+    margin-bottom: 24px;
+    text-align: center;
+  }
 }
 
 .input-section {
   display: flex;
   align-items: center;
-  gap: 10px;
-  margin-bottom: 20px;
+  justify-content: center;
+  gap: 16px;
+  margin-bottom: 32px;
+  max-width: 800px;
+  margin-left: auto;
+  margin-right: auto;
 }
 
 .standard-input {
-  width: 300px;
-  padding: 10px;
-  font-size: 16px;
-  border: 1px solid #ccc;
-  border-radius: 4px;
-}
-
-#load-btn {
-  padding: 10px 20px;
-  font-size: 16px;
-  cursor: pointer;
+  flex: 1;
+  max-width: 400px;
 }
 
 .triage-grid {
   display: grid;
   grid-template-columns: repeat(3, 1fr);
-  gap: 20px;
+  gap: 24px;
 }
 
 .triage-column {
-  border: 1px solid #ccc;
-  border-radius: 4px;
+  border: 1px solid #555;
+  border-radius: 8px;
   display: flex;
   flex-direction: column;
-  height: 80vh;
+  height: 75vh;
+  background-color: #333;
 }
 
 .column-header {
-  padding: 10px;
-  background-color: #f5f5f5;
-  border-bottom: 1px solid #ccc;
+  padding: 16px;
+  background-color: #3c4043;
+  border-bottom: 1px solid #555;
+  border-top-left-radius: 8px;
+  border-top-right-radius: 8px;
+
+  label {
+    font-weight: bold;
+    margin-bottom: 8px;
+    display: block;
+  }
 }
 
 .select-wrapper {
@@ -51,22 +67,34 @@
 
 .source-select {
   width: 100%;
-  padding: 5px;
+  padding: 8px;
+  background-color: #292929;
+  color: #fff;
+  border: 1px solid #555;
+  border-radius: 4px;
 }
 
 .content-display {
   flex-grow: 1;
-  padding: 10px;
+  padding: 16px;
   overflow: auto;
-  position: relative; /* For spinner positioning */
+  position: relative;
+  background-color: #1e1e1e;
 }
 
 .json-content {
   white-space: pre-wrap;
   word-wrap: break-word;
-  font-family: monospace;
-  font-size: 12px;
+  font-family: "Overpass Mono", monospace;
+  font-size: 13px;
   margin: 0;
+  color: #d4d4d4;
+
+  .json-key { color: #9cdcfe; }
+  .json-string { color: #ce9178; }
+  .json-number { color: #b5cea8; }
+  .json-boolean { color: #569cd6; }
+  .json-null { color: #569cd6; }
 }
 
 .loading-spinner {
@@ -74,6 +102,7 @@
   top: 50%;
   left: 50%;
   transform: translate(-50%, -50%);
+  --md-circular-progress-active-indicator-color: white;
 }
 
 .hidden {
diff --git a/gcp/website/triage_handlers.py b/gcp/website/triage_handlers.py
index 07ac3f3b018..046b3b5b743 100644
--- a/gcp/website/triage_handlers.py
+++ b/gcp/website/triage_handlers.py
@@ -27,12 +27,29 @@ def triage_index():
 
 @blueprint.route('/triage/proxy')
 def triage_proxy():
-  """Proxy to fetch files from GCS buckets securely."""
+  """Proxy to fetch files from GCS buckets or external APIs securely."""
   bucket_name = request.args.get('bucket')
   path = request.args.get('path')
+  url = request.args.get('url')
+
+  if url:
+    # Validate external URLs
+    if not (url.startswith('https://cveawg.cve.org/api/cve/') or
+            url.startswith('https://services.nvd.nist.gov/rest/json/cves/2.0') or
+            url.startswith('https://raw.githubusercontent.com/CVEProject/cvelistV5/')):
+      return jsonify({'error': 'Invalid external URL'}), 403
+
+    import requests
+    try:
+      response = requests.get(url, timeout=10)
+      response.raise_for_status()
+      return response.text, 200, {'Content-Type': 'application/json'}
+    except Exception as e:
+      logging.error('Error fetching from external API: %s', e)
+      return jsonify({'error': 'Error fetching from external API'}), 500
 
   if not bucket_name or not path:
-    return jsonify({'error': 'Missing bucket or path parameters'}), 400
+    return jsonify({'error': 'Missing bucket, path, or url parameters'}), 400
 
   if bucket_name not in ALLOWED_BUCKETS:
     return jsonify({'error': 'Invalid bucket'}), 403

From 2cf4f71abf0cad84457936b57c9e3aa8646a6a70 Mon Sep 17 00:00:00 2001
From: Jess Lowe <jesslowe@google.com>
Date: Wed, 25 Feb 2026 04:49:07 +0000
Subject: [PATCH 06/20] fix using path proxy and instead use source and id

---
 gcp/website/frontend3/src/triage.js |  66 ++++----------
 gcp/website/triage_handlers.py      | 131 ++++++++++++++++++++--------
 2 files changed, 112 insertions(+), 85 deletions(-)

diff --git a/gcp/website/frontend3/src/triage.js b/gcp/website/frontend3/src/triage.js
index e60a1198689..668d45e9519 100644
--- a/gcp/website/frontend3/src/triage.js
+++ b/gcp/website/frontend3/src/triage.js
@@ -12,54 +12,42 @@ document.addEventListener("DOMContentLoaded", () => {
   const sourceConfigMap = {
     // External APIs
     "cve-org": {
-      urlTemplate: "https://cveawg.cve.org/api/cve/{id}",
-      useProxy: true,
+      proxySource: "cve",
     },
     "nvd-api": {
-      urlTemplate: "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId={id}",
-      useProxy: true,
+      proxySource: "nvd",
     },
     // Test Instance
     "test-nvd": {
-      bucket: "osv-test-cve-osv-conversion",
-      pathTemplate: "nvd-osv/{id}.json",
+      proxySource: "test-nvd",
     },
     "test-cve5": {
-      bucket: "osv-test-cve-osv-conversion",
-      pathTemplate: "cve5/{id}.json",
+      proxySource: "test-cve5",
     },
     "test-osv": {
-      bucket: "osv-test-cve-osv-conversion",
-      pathTemplate: "osv-output/{id}.json",
+      proxySource: "test-osv",
     },
     "test-nvd-metrics": {
-      bucket: "osv-test-cve-osv-conversion",
-      pathTemplate: "nvd-osv/{id}.metrics.json",
+      proxySource: "test-nvd-metrics",
     },
     "test-cve5-metrics": {
-      bucket: "osv-test-cve-osv-conversion",
-      pathTemplate: "cve5/{id}.metrics.json",
+      proxySource: "test-cve5-metrics",
     },
     // Prod Instance
     "prod-nvd": {
-      bucket: "cve-osv-conversion",
-      pathTemplate: "nvd-osv/{id}.json",
+      proxySource: "prod-nvd",
     },
     "prod-cve5": {
-      bucket: "cve-osv-conversion",
-      pathTemplate: "cve5/{id}.json",
+      proxySource: "prod-cve5",
     },
     "prod-osv": {
-      bucket: "cve-osv-conversion",
-      pathTemplate: "osv-output/{id}.json",
+      proxySource: "prod-osv",
     },
     "prod-nvd-metrics": {
-      bucket: "cve-osv-conversion",
-      pathTemplate: "nvd-osv/{id}.metrics.json",
+      proxySource: "prod-nvd-metrics",
     },
     "prod-cve5-metrics": {
-      bucket: "cve-osv-conversion",
-      pathTemplate: "cve5/{id}.metrics.json",
+      proxySource: "prod-cve5-metrics",
     },
     // API
     "api-test": {
@@ -98,32 +86,10 @@ document.addEventListener("DOMContentLoaded", () => {
     const config = sourceConfigMap[sourceKey];
     let url;
 
-    if (config.bucket) {
-      const path = config.pathTemplate.replace("{id}", vulnId);
-      url = `/triage/proxy?bucket=${config.bucket}&path=${encodeURIComponent(path)}`;
-    } else if (config.urlTemplate || sourceKey === 'cve-org') {
-      let targetUrl;
-      if (sourceKey === 'cve-org') {
-        // Construct GitHub raw URL for CVE data
-        // Format: https://raw.githubusercontent.com/CVEProject/cvelistV5/refs/heads/main/cves/<year>/<seq_prefix>xxx/<CVE-ID>.json
-        const match = vulnId.match(/^CVE-(\d{4})-(\d+)$/i);
-        if (match) {
-          const year = match[1];
-          const seq = match[2];
-          const seqPrefix = seq.length > 3 ? seq.slice(0, -3) : '0';
-          targetUrl = `https://raw.githubusercontent.com/CVEProject/cvelistV5/refs/heads/main/cves/${year}/${seqPrefix}xxx/${vulnId.toUpperCase()}.json`;
-        } else {
-          throw new Error("Invalid CVE ID format for GitHub source");
-        }
-      } else {
-        targetUrl = config.urlTemplate.replace("{id}", vulnId);
-      }
-
-      if (config.useProxy || sourceKey === 'cve-org') {
-        url = `/triage/proxy?url=${encodeURIComponent(targetUrl)}`;
-      } else {
-        url = targetUrl;
-      }
+    if (config.proxySource) {
+      url = `/triage/proxy?source=${config.proxySource}&id=${vulnId}`;
+    } else if (config.urlTemplate) {
+      url = config.urlTemplate.replace("{id}", vulnId);
     } else {
         return Promise.reject("Invalid configuration");
     }
diff --git a/gcp/website/triage_handlers.py b/gcp/website/triage_handlers.py
index 046b3b5b743..aa118e9b312 100644
--- a/gcp/website/triage_handlers.py
+++ b/gcp/website/triage_handlers.py
@@ -25,45 +25,106 @@ def triage_index():
   return render_template('triage.html')
 
 
+GCS_SOURCE_CONFIG = {
+    'test-nvd': {
+        'bucket': 'osv-test-cve-osv-conversion',
+        'path_template': 'nvd-osv/{id}.json'
+    },
+    'test-cve5': {
+        'bucket': 'osv-test-cve-osv-conversion',
+        'path_template': 'cve5/{id}.json'
+    },
+    'test-osv': {
+        'bucket': 'osv-test-cve-osv-conversion',
+        'path_template': 'osv-output/{id}.json'
+    },
+    'test-nvd-metrics': {
+        'bucket': 'osv-test-cve-osv-conversion',
+        'path_template': 'nvd-osv/{id}.metrics.json'
+    },
+    'test-cve5-metrics': {
+        'bucket': 'osv-test-cve-osv-conversion',
+        'path_template': 'cve5/{id}.metrics.json'
+    },
+    'prod-nvd': {
+        'bucket': 'cve-osv-conversion',
+        'path_template': 'nvd-osv/{id}.json'
+    },
+    'prod-cve5': {
+        'bucket': 'cve-osv-conversion',
+        'path_template': 'cve5/{id}.json'
+    },
+    'prod-osv': {
+        'bucket': 'cve-osv-conversion',
+        'path_template': 'osv-output/{id}.json'
+    },
+    'prod-nvd-metrics': {
+        'bucket': 'cve-osv-conversion',
+        'path_template': 'nvd-osv/{id}.metrics.json'
+    },
+    'prod-cve5-metrics': {
+        'bucket': 'cve-osv-conversion',
+        'path_template': 'cve5/{id}.metrics.json'
+    },
+}
+
+
 @blueprint.route('/triage/proxy')
 def triage_proxy():
   """Proxy to fetch files from GCS buckets or external APIs securely."""
-  bucket_name = request.args.get('bucket')
-  path = request.args.get('path')
-  url = request.args.get('url')
-
-  if url:
-    # Validate external URLs
-    if not (url.startswith('https://cveawg.cve.org/api/cve/') or
-            url.startswith('https://services.nvd.nist.gov/rest/json/cves/2.0') or
-            url.startswith('https://raw.githubusercontent.com/CVEProject/cvelistV5/')):
-      return jsonify({'error': 'Invalid external URL'}), 403
-
-    import requests
-    try:
-      response = requests.get(url, timeout=10)
-      response.raise_for_status()
-      return response.text, 200, {'Content-Type': 'application/json'}
-    except Exception as e:
-      logging.error('Error fetching from external API: %s', e)
-      return jsonify({'error': 'Error fetching from external API'}), 500
-
-  if not bucket_name or not path:
-    return jsonify({'error': 'Missing bucket, path, or url parameters'}), 400
+  source = request.args.get('source')
+  vuln_id = request.args.get('id')
 
-  if bucket_name not in ALLOWED_BUCKETS:
-    return jsonify({'error': 'Invalid bucket'}), 403
+  if not source or not vuln_id:
+    return jsonify({'error': 'Missing source or id parameters'}), 400
 
-  try:
-    bucket = get_storage_client().bucket(bucket_name)
-    blob = bucket.blob(path)
-
-    if not blob.exists():
-      return jsonify({'error': 'File not found'}), 404
+  # Validate CVE ID format
+  import re
+  if not re.match(r'^CVE-\d{4}-\d+$', vuln_id, re.IGNORECASE):
+    return jsonify({'error': 'Invalid ID format'}), 400
 
-    content = blob.download_as_text()
-    return content, 200, {'Content-Type': 'application/json'}
+  # Handle GCS sources
+  if source in GCS_SOURCE_CONFIG:
+    config = GCS_SOURCE_CONFIG[source]
+    bucket_name = config['bucket']
+    path = config['path_template'].format(id=vuln_id.upper())
 
-  except Exception as e:  # pylint: disable=broad-exception-caught
-    logging.error('Error fetching from GCS: %s', e)
-    return jsonify({'error': 'Internal server error'}), 500
+    try:
+      bucket = get_storage_client().bucket(bucket_name)
+      blob = bucket.blob(path)
+
+      if not blob.exists():
+        return jsonify({'error': 'File not found'}), 404
+
+      content = blob.download_as_text()
+      return content, 200, {'Content-Type': 'application/json'}
+
+    except Exception as e:  # pylint: disable=broad-exception-caught
+      logging.error('Error fetching from GCS (%s): %s', source, e)
+      return jsonify({'error': 'Internal server error'}), 500
+
+  # Handle API sources
+  url = None
+  if source == 'cve':
+    # Construct GitHub raw URL for CVE data
+    match = re.match(r'^CVE-(\d{4})-(\d+)$', vuln_id, re.IGNORECASE)
+    year = match.group(1)
+    seq = match.group(2)
+    seq_prefix = seq[:-3] if len(seq) > 3 else '0'
+    url = (f'https://raw.githubusercontent.com/CVEProject/cvelistV5/'
+           f'refs/heads/main/cves/{year}/{seq_prefix}xxx/'
+           f'{vuln_id.upper()}.json')
+  elif source == 'nvd':
+    url = (f'https://services.nvd.nist.gov/rest/json/cves/2.0'
+           f'?cveId={vuln_id.upper()}')
+  else:
+    return jsonify({'error': 'Invalid source'}), 400
+
+  import requests
+  try:
+    response = requests.get(url, timeout=10)
+    response.raise_for_status()
+    return response.text, 200, {'Content-Type': 'application/json'}
+  except Exception as e:
+    logging.error('Error fetching from external API (%s): %s', source, e)
+    return jsonify({'error': 'Error fetching from external API'}), 500

From 82c8f83342fb152be83fed3d28c6e0e504fe2305 Mon Sep 17 00:00:00 2001
From: Jess Lowe <jesslowe@google.com>
Date: Wed, 25 Feb 2026 23:33:41 +0000
Subject: [PATCH 07/20] fix overflow problem

---
 gcp/website/frontend3/src/triage.scss | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gcp/website/frontend3/src/triage.scss b/gcp/website/frontend3/src/triage.scss
index aae986c858f..9865dd3c74e 100644
--- a/gcp/website/frontend3/src/triage.scss
+++ b/gcp/website/frontend3/src/triage.scss
@@ -87,6 +87,7 @@
   word-wrap: break-word;
   font-family: "Overpass Mono", monospace;
   font-size: 13px;
+  overflow-wrap: anywhere;
   margin: 0;
   color: #d4d4d4;
 

From 1f46199281cd2b9d95ebd0621e13cf3c637b1a78 Mon Sep 17 00:00:00 2001
From: Jess Lowe <jesslowe@google.com>
Date: Wed, 25 Feb 2026 23:52:16 +0000
Subject: [PATCH 08/20] put title and vuln search inline

---
 .../frontend3/src/templates/triage.html       |  3 +-
 gcp/website/frontend3/src/triage.scss         | 70 ++++++++++++-------
 2 files changed, 46 insertions(+), 27 deletions(-)

diff --git a/gcp/website/frontend3/src/templates/triage.html b/gcp/website/frontend3/src/templates/triage.html
index b28da26f566..b925586d54f 100644
--- a/gcp/website/frontend3/src/templates/triage.html
+++ b/gcp/website/frontend3/src/templates/triage.html
@@ -3,13 +3,14 @@
 
 {% block content %}
 <div class="triage-container">
+  <div class="header-container">
   <h1>CVE Conversion Triager</h1>
 
   <div class="input-section">
     <md-filled-text-field id="vuln-id-input" label="Vulnerability ID" placeholder="e.g. CVE-2023-1234" class="standard-input"></md-filled-text-field>
     <md-filled-button id="load-btn">Load</md-filled-button>
   </div>
-
+</div>
   <div class="triage-grid">
     {% for i in range(1, 4) %}
     <div class="triage-column" id="column-{{ i }}">
diff --git a/gcp/website/frontend3/src/triage.scss b/gcp/website/frontend3/src/triage.scss
index 9865dd3c74e..9f601b15ed0 100644
--- a/gcp/website/frontend3/src/triage.scss
+++ b/gcp/website/frontend3/src/triage.scss
@@ -1,5 +1,9 @@
 .triage-container {
-  padding: 40px;
+  // padding: 40px;
+    padding-bottom: 20px;
+    padding-top: 20px;
+    padding-left: 40px;
+    padding-right: 40px;
   width: 100%;
   box-sizing: border-box;
 
@@ -9,28 +13,28 @@
   --md-filled-text-field-focus-label-text-color: #c5221f;
   --md-filled-button-container-color: #c5221f;
 
+  .header-container {
+      display: flex;
+      justify-content: space-between;
+      align-items: center;
+      margin-bottom: 32px;
+    }
   h1 {
-    font-size: 42px;
-    margin-bottom: 24px;
-    text-align: center;
-  }
-}
+    margin: 0;
+    }
 
-.input-section {
-  display: flex;
-  align-items: center;
-  justify-content: center;
-  gap: 16px;
-  margin-bottom: 32px;
-  max-width: 800px;
-  margin-left: auto;
-  margin-right: auto;
-}
+    .input-section {
+      display: flex;
+      align-items: center;
+    gap: 16px;
 
-.standard-input {
-  flex: 1;
-  max-width: 400px;
-}
+
+    .standard-input {
+        flex: 1;
+        max-width: 400px;
+      }
+    }
+    }
 
 .triage-grid {
   display: grid;
@@ -91,11 +95,25 @@
   margin: 0;
   color: #d4d4d4;
 
-  .json-key { color: #9cdcfe; }
-  .json-string { color: #ce9178; }
-  .json-number { color: #b5cea8; }
-  .json-boolean { color: #569cd6; }
-  .json-null { color: #569cd6; }
+  .json-key {
+      color: #9cdcfe;
+    }
+  
+    .json-string {
+      color: #ce9178;
+    }
+  
+    .json-number {
+      color: #b5cea8;
+    }
+  
+    .json-boolean {
+      color: #569cd6;
+    }
+  
+    .json-null {
+      color: #569cd6;
+    }
 }
 
 .loading-spinner {
@@ -108,4 +126,4 @@
 
 .hidden {
   display: none;
-}
+}
\ No newline at end of file

From 71067dfc15ce0c6daf81a6d4231f609b30169da3 Mon Sep 17 00:00:00 2001
From: Jess Lowe <86962800+jess-lowe@users.noreply.github.com>
Date: Thu, 26 Feb 2026 11:06:14 +1100
Subject: [PATCH 09/20] Update gcp/website/frontend3/src/templates/triage.html

---
 gcp/website/frontend3/src/templates/triage.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gcp/website/frontend3/src/templates/triage.html b/gcp/website/frontend3/src/templates/triage.html
index b925586d54f..336e9474dcd 100644
--- a/gcp/website/frontend3/src/templates/triage.html
+++ b/gcp/website/frontend3/src/templates/triage.html
@@ -30,7 +30,7 @@ <h1>CVE Conversion Triager</h1>
               <option value="test-nvd-metrics">NVD Metrics</option>
               <option value="test-cve5-metrics">CVE5 Metrics</option>
             </optgroup>
-            <optgroup label="Prod Instance (gs://cve-conversion)">
+            <optgroup label="Prod Instance (gs://cve-osv-conversion)">
               <option value="prod-nvd">NVD-OSV (JSON)</option>
               <option value="prod-cve5">CVE5 (JSON)</option>
               <option value="prod-osv">OSV Output (JSON)</option>

From 49378ffeae2d65ada94b572a88b4ef26ce4c9d2a Mon Sep 17 00:00:00 2001
From: Jess Lowe <86962800+jess-lowe@users.noreply.github.com>
Date: Thu, 26 Feb 2026 11:06:21 +1100
Subject: [PATCH 10/20] Update gcp/website/frontend3/src/templates/triage.html

---
 gcp/website/frontend3/src/templates/triage.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gcp/website/frontend3/src/templates/triage.html b/gcp/website/frontend3/src/templates/triage.html
index 336e9474dcd..39e117cea3b 100644
--- a/gcp/website/frontend3/src/templates/triage.html
+++ b/gcp/website/frontend3/src/templates/triage.html
@@ -23,7 +23,7 @@ <h1>CVE Conversion Triager</h1>
               <option value="cve-org">CVE.org API</option>
               <option value="nvd-api">NVD API 2.0</option>
             </optgroup>
-            <optgroup label="Test Instance (gs://osv-test-cve-conversion)">
+            <optgroup label="Test Instance (gs://osv-test-cve-osv-conversion)">
               <option value="test-nvd">NVD-OSV (JSON)</option>
               <option value="test-cve5">CVE5 (JSON)</option>
               <option value="test-osv">OSV Output (JSON)</option>

From f688808697cbe667c88f54ebd805e6d671492fe3 Mon Sep 17 00:00:00 2001
From: Jess Lowe <86962800+jess-lowe@users.noreply.github.com>
Date: Thu, 26 Feb 2026 11:11:38 +1100
Subject: [PATCH 11/20] Update gcp/website/frontend3/src/triage.scss

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
---
 gcp/website/frontend3/src/triage.scss | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/gcp/website/frontend3/src/triage.scss b/gcp/website/frontend3/src/triage.scss
index 9f601b15ed0..3b0ab36ba5c 100644
--- a/gcp/website/frontend3/src/triage.scss
+++ b/gcp/website/frontend3/src/triage.scss
@@ -1,9 +1,6 @@
 .triage-container {
   // padding: 40px;
-    padding-bottom: 20px;
-    padding-top: 20px;
-    padding-left: 40px;
-    padding-right: 40px;
+    padding: 20px 40px;
   width: 100%;
   box-sizing: border-box;
 

From 2560c7ac6cde05bc16e16fc578e1c1a501318965 Mon Sep 17 00:00:00 2001
From: Jess Lowe <86962800+jess-lowe@users.noreply.github.com>
Date: Thu, 26 Feb 2026 11:12:27 +1100
Subject: [PATCH 12/20] Update gcp/website/frontend3/src/triage.js

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
---
 gcp/website/frontend3/src/triage.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gcp/website/frontend3/src/triage.js b/gcp/website/frontend3/src/triage.js
index 668d45e9519..485381b5c15 100644
--- a/gcp/website/frontend3/src/triage.js
+++ b/gcp/website/frontend3/src/triage.js
@@ -59,12 +59,12 @@ document.addEventListener("DOMContentLoaded", () => {
   };
 
   function syntaxHighlight(json) {
-    if (typeof json != 'string') {
+    if (typeof json !== 'string') {
       json = JSON.stringify(json, undefined, 2);
     }
     json = json.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
     return json.replace(/("(\\u[a-zA-Z0-9]{4}|\\[^u]|[^\\"])*"(\s*:)?|\b(true|false|null)\b|-?\d+(?:\.\d*)?(?:[eE][+-]?\d+)?)/g, function (match) {
-      var cls = 'json-number';
+      let cls = 'json-number';
       if (/^"/.test(match)) {
         if (/:$/.test(match)) {
           cls = 'json-key';

From 2e752b94f2115dda705457875b5a64c11f46cf50 Mon Sep 17 00:00:00 2001
From: Jess Lowe <86962800+jess-lowe@users.noreply.github.com>
Date: Thu, 26 Feb 2026 11:12:45 +1100
Subject: [PATCH 13/20] Update gcp/website/frontend3/src/triage.js

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
---
 gcp/website/frontend3/src/triage.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gcp/website/frontend3/src/triage.js b/gcp/website/frontend3/src/triage.js
index 485381b5c15..5ea02a9cad1 100644
--- a/gcp/website/frontend3/src/triage.js
+++ b/gcp/website/frontend3/src/triage.js
@@ -91,7 +91,7 @@ document.addEventListener("DOMContentLoaded", () => {
     } else if (config.urlTemplate) {
       url = config.urlTemplate.replace("{id}", vulnId);
     } else {
-        return Promise.reject("Invalid configuration");
+        return Promise.reject(new Error("Invalid configuration"));
     }
 
     const response = await fetch(url);

From 2fac31fb00c53ea7f19c2f318e0d43c814c66ac9 Mon Sep 17 00:00:00 2001
From: Jess Lowe <jesslowe@google.com>
Date: Thu, 26 Feb 2026 00:18:41 +0000
Subject: [PATCH 14/20] address nits

---
 gcp/website/frontend3/src/triage.js |  2 --
 gcp/website/triage_handlers.py      | 14 +++++++-------
 2 files changed, 7 insertions(+), 9 deletions(-)

diff --git a/gcp/website/frontend3/src/triage.js b/gcp/website/frontend3/src/triage.js
index 5ea02a9cad1..e5821870209 100644
--- a/gcp/website/frontend3/src/triage.js
+++ b/gcp/website/frontend3/src/triage.js
@@ -81,8 +81,6 @@ document.addEventListener("DOMContentLoaded", () => {
   }
 
   async function fetchData(sourceKey, vulnId) {
-    if (!sourceKey || !vulnId) return null;
-
     const config = sourceConfigMap[sourceKey];
     let url;
 
diff --git a/gcp/website/triage_handlers.py b/gcp/website/triage_handlers.py
index aa118e9b312..ff32487b0cc 100644
--- a/gcp/website/triage_handlers.py
+++ b/gcp/website/triage_handlers.py
@@ -1,16 +1,16 @@
 """Triage handlers."""
 import logging
+import re
+import requests
 
 from flask import Blueprint, request, jsonify, render_template
 from google.cloud import storage
 
 blueprint = Blueprint('triage_handlers', __name__)
 
-ALLOWED_BUCKETS = {'cve-osv-conversion', 'osv-test-cve-osv-conversion'}
-
+_CVE_ID_REGEX = re.compile(r'^CVE-\d{4}-\d+$', re.IGNORECASE)
 _STORAGE_CLIENT = None
 
-
 def get_storage_client():
   """Get storage client."""
   global _STORAGE_CLIENT  # pylint: disable=global-statement
@@ -79,8 +79,7 @@ def triage_proxy():
     return jsonify({'error': 'Missing source or id parameters'}), 400
 
   # Validate CVE ID format
-  import re
-  if not re.match(r'^CVE-\d{4}-\d+$', vuln_id, re.IGNORECASE):
+  if not re.match(_CVE_ID_REGEX, vuln_id):
     return jsonify({'error': 'Invalid ID format'}), 400
 
   # Handle GCS sources
@@ -107,7 +106,9 @@ def triage_proxy():
   url = None
   if source == 'cve':
     # Construct GitHub raw URL for CVE data
-    match = re.match(r'^CVE-(\d{4})-(\d+)$', vuln_id, re.IGNORECASE)
+    match = re.match(_CVE_ID_REGEX, vuln_id)
+    if not match:
+      return jsonify({'error': 'Invalid ID format'}), 400
     year = match.group(1)
     seq = match.group(2)
     seq_prefix = seq[:-3] if len(seq) > 3 else '0'
@@ -120,7 +121,6 @@ def triage_proxy():
   else:
     return jsonify({'error': 'Invalid source'}), 400
 
-  import requests
   try:
     response = requests.get(url, timeout=10)
     response.raise_for_status()

From 968d549fc81bfaacf53ed90c2b433e18637cd64f Mon Sep 17 00:00:00 2001
From: Jess Lowe <jesslowe@google.com>
Date: Thu, 26 Feb 2026 05:16:23 +0000
Subject: [PATCH 15/20] some improvements to reallly hopefully prevent xss

---
 gcp/website/frontend3/src/triage.js | 52 +++++++++++++++++------------
 1 file changed, 31 insertions(+), 21 deletions(-)

diff --git a/gcp/website/frontend3/src/triage.js b/gcp/website/frontend3/src/triage.js
index e5821870209..78e1b3e852c 100644
--- a/gcp/website/frontend3/src/triage.js
+++ b/gcp/website/frontend3/src/triage.js
@@ -58,46 +58,56 @@ document.addEventListener("DOMContentLoaded", () => {
     },
   };
 
+  function escapeHtml(text) {
+    const div = document.createElement('div');
+    div.textContent = text;
+    return div.innerHTML;
+  }
+
   function syntaxHighlight(json) {
     if (typeof json !== 'string') {
       json = JSON.stringify(json, undefined, 2);
     }
-    json = json.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
-    return json.replace(/("(\\u[a-zA-Z0-9]{4}|\\[^u]|[^\\"])*"(\s*:)?|\b(true|false|null)\b|-?\d+(?:\.\d*)?(?:[eE][+-]?\d+)?)/g, function (match) {
-      let cls = 'json-number';
-      if (/^"/.test(match)) {
-        if (/:$/.test(match)) {
-          cls = 'json-key';
-        } else {
-          cls = 'json-string';
+
+    const escapedJson = escapeHtml(json);
+
+    return escapedJson.replace(
+      /("(\\u[a-zA-Z0-9]{4}|\\[^u]|[^\\"])*"(\s*:)?|\b(true|false|null)\b|-?\d+(?:\.\d*)?(?:[eE][+-]?\d+)?)/g,
+      function (match) {
+        let cls = 'json-number';
+        if (/^"/.test(match)) {
+          if (/:$/.test(match)) {
+            cls = 'json-key';
+          } else {
+            cls = 'json-string';
+          }
+        } else if (/true|false/.test(match)) {
+          cls = 'json-boolean';
+        } else if (/null/.test(match)) {
+          cls = 'json-null';
         }
-      } else if (/true|false/.test(match)) {
-        cls = 'json-boolean';
-      } else if (/null/.test(match)) {
-        cls = 'json-null';
+        return `<span class="${cls}">${match}</span>`;
       }
-      return '<span class="' + cls + '">' + match + '</span>';
-    });
+    );
   }
 
   async function fetchData(sourceKey, vulnId) {
     const config = sourceConfigMap[sourceKey];
     let url;
+    
+    const safeId = encodeURIComponent(vulnId);
 
     if (config.proxySource) {
-      url = `/triage/proxy?source=${config.proxySource}&id=${vulnId}`;
+      url = `/triage/proxy?source=${encodeURIComponent(config.proxySource)}&id=${safeId}`;
     } else if (config.urlTemplate) {
-      url = config.urlTemplate.replace("{id}", vulnId);
+      url = config.urlTemplate.replace("{id}", safeId);
     } else {
-        return Promise.reject(new Error("Invalid configuration"));
+      throw new Error("Invalid configuration");
     }
 
     const response = await fetch(url);
     if (!response.ok) {
-        if (response.status === 404) {
-             throw new Error("Not Found");
-        }
-        throw new Error(`Error: ${response.statusText}`);
+      throw new Error(response.status === 404 ? "Not Found" : `Error: ${response.statusText}`);
     }
     return response.json();
   }

From 5af65c308b66fbf274a432bb97eb79d475110da3 Mon Sep 17 00:00:00 2001
From: Jess Lowe <jesslowe@google.com>
Date: Fri, 27 Feb 2026 03:25:11 +0000
Subject: [PATCH 16/20] fix lint

---
 gcp/website/triage_handlers.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gcp/website/triage_handlers.py b/gcp/website/triage_handlers.py
index ff32487b0cc..fd5dab8004f 100644
--- a/gcp/website/triage_handlers.py
+++ b/gcp/website/triage_handlers.py
@@ -11,6 +11,7 @@
 _CVE_ID_REGEX = re.compile(r'^CVE-\d{4}-\d+$', re.IGNORECASE)
 _STORAGE_CLIENT = None
 
+
 def get_storage_client():
   """Get storage client."""
   global _STORAGE_CLIENT  # pylint: disable=global-statement

From 231e3ddb634483211a4e70cc12e6106eb0ed7abc Mon Sep 17 00:00:00 2001
From: Jess Lowe <jesslowe@google.com>
Date: Fri, 27 Feb 2026 03:36:39 +0000
Subject: [PATCH 17/20] Make sure this is only run locally for now

---
 gcp/website/triage_handlers.py | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/gcp/website/triage_handlers.py b/gcp/website/triage_handlers.py
index fd5dab8004f..9b51964a356 100644
--- a/gcp/website/triage_handlers.py
+++ b/gcp/website/triage_handlers.py
@@ -6,8 +6,17 @@
 from flask import Blueprint, request, jsonify, render_template
 from google.cloud import storage
 
+import utils
+
 blueprint = Blueprint('triage_handlers', __name__)
 
+@blueprint.before_request
+def restrict_to_local():
+  """Restrict triage handlers to local environment."""
+  if utils.is_cloud_run():
+    return jsonify({'error': 'This tool is only available locally.'}), 403
+
+
 _CVE_ID_REGEX = re.compile(r'^CVE-\d{4}-\d+$', re.IGNORECASE)
 _STORAGE_CLIENT = None
 

From 05a086d76507a381133bec546f6993affaf82a4c Mon Sep 17 00:00:00 2001
From: Jess Lowe <jesslowe@google.com>
Date: Fri, 27 Feb 2026 03:51:08 +0000
Subject: [PATCH 18/20] lint

---
 gcp/website/triage_handlers.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/gcp/website/triage_handlers.py b/gcp/website/triage_handlers.py
index 9b51964a356..55d54b9e2ed 100644
--- a/gcp/website/triage_handlers.py
+++ b/gcp/website/triage_handlers.py
@@ -2,19 +2,20 @@
 import logging
 import re
 import requests
+import utils
 
 from flask import Blueprint, request, jsonify, render_template
 from google.cloud import storage
 
-import utils
-
 blueprint = Blueprint('triage_handlers', __name__)
 
+
 @blueprint.before_request
 def restrict_to_local():
   """Restrict triage handlers to local environment."""
   if utils.is_cloud_run():
     return jsonify({'error': 'This tool is only available locally.'}), 403
+  return None
 
 
 _CVE_ID_REGEX = re.compile(r'^CVE-\d{4}-\d+$', re.IGNORECASE)

From 5d21790b572cd10c122b62c6dddc6e6c95c370f1 Mon Sep 17 00:00:00 2001
From: Jess Lowe <86962800+jess-lowe@users.noreply.github.com>
Date: Mon, 2 Mar 2026 15:14:49 +1100
Subject: [PATCH 19/20] Apply suggestion from @another-rex

---
 gcp/website/frontend3/src/triage.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gcp/website/frontend3/src/triage.js b/gcp/website/frontend3/src/triage.js
index 78e1b3e852c..be1df96c1ce 100644
--- a/gcp/website/frontend3/src/triage.js
+++ b/gcp/website/frontend3/src/triage.js
@@ -64,7 +64,7 @@ document.addEventListener("DOMContentLoaded", () => {
     return div.innerHTML;
   }
 
-  function syntaxHighlight(json) {
+  function syntaxHighlight(json) { // credit to https://codepen.io/absolutedevelopment/pen/EpwVzN
     if (typeof json !== 'string') {
       json = JSON.stringify(json, undefined, 2);
     }

From df6088542d0e805f47611c95ea69c1f0383b518d Mon Sep 17 00:00:00 2001
From: Jess Lowe <jesslowe@google.com>
Date: Mon, 2 Mar 2026 04:22:55 +0000
Subject: [PATCH 20/20] bring back capture groups

---
 gcp/website/triage_handlers.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gcp/website/triage_handlers.py b/gcp/website/triage_handlers.py
index 55d54b9e2ed..ddde033f451 100644
--- a/gcp/website/triage_handlers.py
+++ b/gcp/website/triage_handlers.py
@@ -117,7 +117,7 @@ def triage_proxy():
   url = None
   if source == 'cve':
     # Construct GitHub raw URL for CVE data
-    match = re.match(_CVE_ID_REGEX, vuln_id)
+    match = re.match(r'^CVE-(\d{4})-(\d+)$', vuln_id, re.IGNORECASE)
     if not match:
       return jsonify({'error': 'Invalid ID format'}), 400
     year = match.group(1)