Commit 025b5ef6 authored by Martin Lowe's avatar Martin Lowe :flag_ca:

Merge branch 'zacharysabourin/master/16' into 'main'

feat: Migrate GH API to use authenticated resource for CVEs

Closes #16

See merge request !20
parents ec031a4b f0fe89ac
Showing
with 162 additions and 63 deletions
...@@ -11,28 +11,26 @@ ...@@ -11,28 +11,26 @@
*/ */
package org.eclipsefoundation.cve.api; package org.eclipsefoundation.cve.api;
import javax.ws.rs.BeanParam;
import javax.ws.rs.GET; import javax.ws.rs.GET;
import javax.ws.rs.Path; import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import org.eclipse.microprofile.rest.client.inject.RegisterRestClient; import org.eclipse.microprofile.rest.client.inject.RegisterRestClient;
import org.eclipsefoundation.cve.api.models.GithubRequestParams;
@RegisterRestClient @RegisterRestClient
public interface GithubCveAPI { public interface GithubCveAPI {
/** /**
* * Queries the GitHub API to retreive a CVE json file. The year, thousands, * Queries the GitHub API to retreive a CVE json file. The year, thousands,
* and id are required. The endpoint returns a string as the body of the * and id path parameters are required. The Authorization and accept header
* response is a json string in text/plain format * parameters are also required. The endpoint returns a string as the body of
* the response is a json string in text/plain format
* *
* @param year The project year * @param params The github request params. Including path and header
* @param thousands the first digit of the second cve id number
* @param cveId the desired cve id
* @return A json string * @return A json string
*/ */
@GET @GET
@Path("/{year}/{thousands}xxx/{id}.json") @Path("/{year}/{thousands}xxx/{id}.json")
public String getCveDetails(@PathParam("year") String year, @PathParam("thousands") String thousands, public String getCveDetails(@BeanParam GithubRequestParams params);
@PathParam("id") String cveId);
} }
...@@ -13,16 +13,10 @@ package org.eclipsefoundation.cve.api; ...@@ -13,16 +13,10 @@ package org.eclipsefoundation.cve.api;
import javax.ws.rs.BeanParam; import javax.ws.rs.BeanParam;
import javax.ws.rs.GET; import javax.ws.rs.GET;
import javax.ws.rs.HeaderParam;
import javax.ws.rs.Path; import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.QueryParam;
import org.eclipse.microprofile.rest.client.inject.RegisterRestClient; import org.eclipse.microprofile.rest.client.inject.RegisterRestClient;
import org.eclipsefoundation.cve.api.models.GitlabRequestParams;
import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
import com.fasterxml.jackson.databind.annotation.JsonPOJOBuilder;
import com.google.auto.value.AutoValue;
@RegisterRestClient @RegisterRestClient
public interface GitlabCveAPI { public interface GitlabCveAPI {
...@@ -39,40 +33,4 @@ public interface GitlabCveAPI { ...@@ -39,40 +33,4 @@ public interface GitlabCveAPI {
@GET @GET
@Path("/projects/{id}/repository/files/{filePath}.json/raw") @Path("/projects/{id}/repository/files/{filePath}.json/raw")
public String getCveFile(@BeanParam GitlabRequestParams params); public String getCveFile(@BeanParam GitlabRequestParams params);
@AutoValue
@JsonDeserialize(builder = AutoValue_GitlabCveAPI_GitlabRequestParams.Builder.class)
public static abstract class GitlabRequestParams {
@PathParam("id")
public abstract Integer getId();
@PathParam("filePath")
public abstract String getFilePath();
@QueryParam("ref")
public abstract String getRef();
@HeaderParam("PRIVATE-TOKEN")
public abstract String getPrivateToken();
public static Builder builder() {
return new AutoValue_GitlabCveAPI_GitlabRequestParams.Builder();
}
@AutoValue.Builder
@JsonPOJOBuilder(withPrefix = "set")
public static abstract class Builder {
public abstract Builder setId(Integer id);
public abstract Builder setFilePath(String filePath);
public abstract Builder setRef(String ref);
public abstract Builder setPrivateToken(String token);
public abstract GitlabRequestParams build();
}
}
} }
/*********************************************************************
* Copyright (c) 2022 Eclipse Foundation.
*
* This program and the accompanying materials are made
* available under the terms of the Eclipse Public License 2.0
* which is available at https://www.eclipse.org/legal/epl-2.0/
*
* Author: Zachary Sabourin <zachary.sabourin@eclipse-foundation.org>
*
* SPDX-License-Identifier: EPL-2.0
**********************************************************************/
package org.eclipsefoundation.cve.api.models;
import javax.ws.rs.HeaderParam;
import javax.ws.rs.PathParam;
import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
import com.fasterxml.jackson.databind.annotation.JsonPOJOBuilder;
import com.google.auto.value.AutoValue;
@AutoValue
@JsonDeserialize(builder = AutoValue_GithubRequestParams.Builder.class)
public abstract class GithubRequestParams {
@PathParam("year")
public abstract String getYear();
@PathParam("thousands")
public abstract String getThousands();
@PathParam("id")
public abstract String getCveId();
@HeaderParam("Authorization")
public abstract String getPersonalToken();
@HeaderParam("accept")
public abstract String getAcceptHeader();
public static Builder builder() {
return new AutoValue_GithubRequestParams.Builder().setAcceptHeader("application/vnd.github.VERSION.raw");
}
@AutoValue.Builder
@JsonPOJOBuilder(withPrefix = "set")
public abstract static class Builder {
public abstract Builder setYear(String year);
public abstract Builder setThousands(String thousands);
public abstract Builder setCveId(String id);
public abstract Builder setPersonalToken(String token);
public abstract Builder setAcceptHeader(String acceptType);
public abstract GithubRequestParams build();
}
}
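Review bot: `getPersonalToken()` binds a GitHub credential to the `Authorization` header inside an AutoValue type, and AutoValue generates a `toString()` that prints every property, so any log statement or exception message that formats a `GithubRequestParams` will emit the token; AutoValue keeps a concrete override, so add one that redacts it, `@Override public String toString() { return "GithubRequestParams{year=" + getYear() + ", thousands=" + getThousands() + ", cveId=" + getCveId() + ", personalToken=<redacted>}"; }`. The value is sent verbatim as the header, so the getter should say that the caller supplies the scheme prefix, `/** Full Authorization header value, scheme included (e.g. "token …"); never log. */`. The default accept value `application/vnd.github.VERSION.raw` is the placeholder form from GitHub's docs, where `VERSION` is meant to be substituted; confirm the literal string is accepted by the API or use a concrete media type.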
/*********************************************************************
* Copyright (c) 2022 Eclipse Foundation.
*
* This program and the accompanying materials are made
* available under the terms of the Eclipse Public License 2.0
* which is available at https://www.eclipse.org/legal/epl-2.0/
*
* Author: Zachary Sabourin <zachary.sabourin@eclipse-foundation.org>
*
* SPDX-License-Identifier: EPL-2.0
**********************************************************************/
package org.eclipsefoundation.cve.api.models;
import javax.ws.rs.HeaderParam;
import javax.ws.rs.PathParam;
import javax.ws.rs.QueryParam;
import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
import com.fasterxml.jackson.databind.annotation.JsonPOJOBuilder;
import com.google.auto.value.AutoValue;
@AutoValue
@JsonDeserialize(builder = AutoValue_GitlabRequestParams.Builder.class)
public abstract class GitlabRequestParams {
@PathParam("id")
public abstract Integer getId();
@PathParam("filePath")
public abstract String getFilePath();
@QueryParam("ref")
public abstract String getRef();
@HeaderParam("PRIVATE-TOKEN")
public abstract String getPrivateToken();
public static Builder builder() {
return new AutoValue_GitlabRequestParams.Builder();
}
@AutoValue.Builder
@JsonPOJOBuilder(withPrefix = "set")
public abstract static class Builder {
public abstract Builder setId(Integer id);
public abstract Builder setFilePath(String filePath);
public abstract Builder setRef(String ref);
public abstract Builder setPrivateToken(String token);
public abstract GitlabRequestParams build();
}
}
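Review bot: `getPrivateToken()` at `@HeaderParam("PRIVATE-TOKEN")` carries the GitLab credential, and the AutoValue-generated `toString()` will include it, so the params object must never be logged or formatted into an exception message as it stands; since AutoValue preserves a concrete override, add `@Override public String toString() { return "GitlabRequestParams{id=" + getId() + ", filePath=" + getFilePath() + ", ref=" + getRef() + ", privateToken=<redacted>}"; }`. This file is a move of the former inner class, so the issue predates the commit, but it is the natural place to fix it now that the type is public and reusable.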
/*********************************************************************
* Copyright (c) 2022 Eclipse Foundation.
*
* This program and the accompanying materials are made
* available under the terms of the Eclipse Public License 2.0
* which is available at https://www.eclipse.org/legal/epl-2.0/
*
* Author: Martin Lowe <martin.lowe@eclipse-foundation.org>
*
* SPDX-License-Identifier: EPL-2.0
**********************************************************************/
package org.eclipsefoundation.cve.config; package org.eclipsefoundation.cve.config;
import io.smallrye.config.ConfigMapping; import io.smallrye.config.ConfigMapping;
......
...@@ -6,7 +6,7 @@ ...@@ -6,7 +6,7 @@
* which is available at https://www.eclipse.org/legal/epl-2.0/ * which is available at https://www.eclipse.org/legal/epl-2.0/
* *
* Author: Martin Lowe <martin.lowe@eclipse-foundation.org> * Author: Martin Lowe <martin.lowe@eclipse-foundation.org>
* * Zachary Sabourin <zachary.sabourin@eclipse-foundation.org> * Zachary Sabourin <zachary.sabourin@eclipse-foundation.org>
* *
* SPDX-License-Identifier: EPL-2.0 * SPDX-License-Identifier: EPL-2.0
*/ */
...@@ -24,11 +24,13 @@ import javax.enterprise.context.ApplicationScoped; ...@@ -24,11 +24,13 @@ import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject; import javax.inject.Inject;
import org.apache.commons.lang3.StringUtils; import org.apache.commons.lang3.StringUtils;
import org.eclipse.microprofile.config.inject.ConfigProperty;
import org.eclipse.microprofile.context.ManagedExecutor; import org.eclipse.microprofile.context.ManagedExecutor;
import org.eclipse.microprofile.rest.client.inject.RestClient; import org.eclipse.microprofile.rest.client.inject.RestClient;
import org.eclipsefoundation.cve.api.GithubCveAPI; import org.eclipsefoundation.cve.api.GithubCveAPI;
import org.eclipsefoundation.cve.api.GitlabCveAPI; import org.eclipsefoundation.cve.api.GitlabCveAPI;
import org.eclipsefoundation.cve.api.GitlabCveAPI.GitlabRequestParams; import org.eclipsefoundation.cve.api.models.GithubRequestParams;
import org.eclipsefoundation.cve.api.models.GitlabRequestParams;
import org.eclipsefoundation.cve.config.GitlabCveLoaderConfig; import org.eclipsefoundation.cve.config.GitlabCveLoaderConfig;
import org.eclipsefoundation.cve.model.CveData; import org.eclipsefoundation.cve.model.CveData;
import org.eclipsefoundation.cve.model.CveProjectData; import org.eclipsefoundation.cve.model.CveProjectData;
...@@ -43,8 +45,8 @@ import com.github.benmanes.caffeine.cache.Caffeine; ...@@ -43,8 +45,8 @@ import com.github.benmanes.caffeine.cache.Caffeine;
import io.quarkus.runtime.Startup; import io.quarkus.runtime.Startup;
/** /**
* Default implementation of the CVE Service. Uses loading caches to reduce delays from slower fetching and processing * Default implementation of the CVE Service. Uses loading caches to reduce
* of raw data from public APIs. * delays from slower fetching and processing of raw data from public APIs.
* *
* @author Martin Lowe, Zachary Sabourin * @author Martin Lowe, Zachary Sabourin
* *
...@@ -58,6 +60,8 @@ public class DefaultCveService implements CveService { ...@@ -58,6 +60,8 @@ public class DefaultCveService implements CveService {
@Inject @Inject
GitlabCveLoaderConfig glCveLoaderConfig; GitlabCveLoaderConfig glCveLoaderConfig;
@ConfigProperty(name = "eclipse.github.cve-project.token")
String ghToken;
@Inject @Inject
@RestClient @RestClient
...@@ -160,7 +164,14 @@ public class DefaultCveService implements CveService { ...@@ -160,7 +164,14 @@ public class DefaultCveService implements CveService {
LOGGER.info("Loading GH data for key: {}", key); LOGGER.info("Loading GH data for key: {}", key);
return om.readerFor(CveProjectData.class).readValue(githubApi.getCveDetails(matcher.group(1), matcher.group(2), key)); GithubRequestParams params = GithubRequestParams.builder()
.setYear(matcher.group(1))
.setThousands(matcher.group(2))
.setCveId(key)
.setPersonalToken(ghToken)
.build();
return om.readerFor(CveProjectData.class).readValue(githubApi.getCveDetails(params));
} catch (Exception e) { } catch (Exception e) {
throw new RuntimeException(String.format("Could not fetch CVE %s from GitHub", key), e); throw new RuntimeException(String.format("Could not fetch CVE %s from GitHub", key), e);
} }
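Review bot: `.setPersonalToken(ghToken)` passes the injected config value through as the complete `Authorization` header value, so with a bare personal access token in `eclipse.github.cve-project.token` GitHub will reject the request; either document that the property must include the scheme (e.g. `token ghp_…`) or build it in code, `.setPersonalToken("token " + ghToken)`. The `ghToken` field has no javadoc and reads as an ordinary string; add `/** GitHub personal access token used for the CVE contents API; supplied via config/env, never committed or logged. */`. The enclosing load method starts and ends outside the hunk, and the class javadoc still describes the source as "public APIs", which no longer matches the authenticated GitHub path.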
......
quarkus.rest-client."org.eclipsefoundation.cve.api.GithubCveAPI".url=https://raw.githubusercontent.com/CVEProject/cvelist/master quarkus.rest-client."org.eclipsefoundation.cve.api.GithubCveAPI".url=https://api.github.com/repos/CVEProject/cvelist/contents
quarkus.rest-client."org.eclipsefoundation.cve.api.GitlabCveAPI".url=https://gitlab.eclipse.org/api/v4 quarkus.rest-client."org.eclipsefoundation.cve.api.GitlabCveAPI".url=https://gitlab.eclipse.org/api/v4
#eclipse.cve.provider=stubbed #eclipse.cve.provider=stubbed
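Review bot: The new base URL `https://api.github.com/repos/CVEProject/cvelist/contents` drops the `master` segment the old raw URL pinned, and as I read the GitHub contents API it serves the repository's default branch when no `ref` query parameter is given, so the fetched CVE data is no longer tied to a named branch. If that pinning mattered, add a `ref` query parameter to the request params; otherwise record the decision here, `# contents API: no ref given, reads the repository default branch`.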
...@@ -6,4 +6,5 @@ quarkus.oidc.enabled=false ...@@ -6,4 +6,5 @@ quarkus.oidc.enabled=false
quarkus.keycloak.devservices.enabled=false quarkus.keycloak.devservices.enabled=false
eclipse.gitlab.cve-project.file-path=advisories eclipse.gitlab.cve-project.file-path=advisories
eclipse.gitlab.cve-project.ref=main eclipse.gitlab.cve-project.ref=main
\ No newline at end of file
...@@ -21,6 +21,7 @@ import javax.inject.Inject; ...@@ -21,6 +21,7 @@ import javax.inject.Inject;
import org.eclipse.microprofile.rest.client.inject.RestClient; import org.eclipse.microprofile.rest.client.inject.RestClient;
import org.eclipsefoundation.cve.api.GithubCveAPI; import org.eclipsefoundation.cve.api.GithubCveAPI;
import org.eclipsefoundation.cve.api.models.GithubRequestParams;
import org.eclipsefoundation.cve.model.CveProjectData; import org.eclipsefoundation.cve.model.CveProjectData;
import org.eclipsefoundation.cve.model.CveProjectData.Description; import org.eclipsefoundation.cve.model.CveProjectData.Description;
import org.eclipsefoundation.cve.model.CveProjectData.Impact; import org.eclipsefoundation.cve.model.CveProjectData.Impact;
...@@ -82,10 +83,10 @@ public class StubbedGithubCveAPI implements GithubCveAPI { ...@@ -82,10 +83,10 @@ public class StubbedGithubCveAPI implements GithubCveAPI {
} }
@Override @Override
public String getCveDetails(String year, String thousands, String cveId) { public String getCveDetails(GithubRequestParams params) {
try { try {
return om.writeValueAsString( return om.writeValueAsString(
internal.stream().filter(cve -> cve.getMetaData().getId().equalsIgnoreCase(cveId)).findFirst()); internal.stream().filter(cve -> cve.getMetaData().getId().equalsIgnoreCase(params.getCveId())).findFirst());
} catch (JsonProcessingException e) { } catch (JsonProcessingException e) {
throw new RuntimeException("Could not fetch test GH CVE data", e); throw new RuntimeException("Could not fetch test GH CVE data", e);
} }
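Review bot: The stub reads only `params.getCveId()` and ignores the token and accept header, so a test profile that omits or malformats `eclipse.github.cve-project.token` still passes even though the real client now requires it; a guard at the top of the method, `Objects.requireNonNull(params.getPersonalToken(), "Authorization header is required");`, lets the stub enforce the contract the real endpoint expects. `java.util.Objects` would need importing, and the enclosing class continues outside the hunk.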
......
...@@ -18,6 +18,7 @@ import javax.inject.Inject; ...@@ -18,6 +18,7 @@ import javax.inject.Inject;
import org.eclipse.microprofile.rest.client.inject.RestClient; import org.eclipse.microprofile.rest.client.inject.RestClient;
import org.eclipsefoundation.cve.api.GitlabCveAPI; import org.eclipsefoundation.cve.api.GitlabCveAPI;
import org.eclipsefoundation.cve.api.models.GitlabRequestParams;
import org.eclipsefoundation.cve.model.CveData; import org.eclipsefoundation.cve.model.CveData;
import com.fasterxml.jackson.core.JsonProcessingException; import com.fasterxml.jackson.core.JsonProcessingException;
......
...@@ -8,4 +8,6 @@ eclipse.google.jwt-location=/tmp ...@@ -8,4 +8,6 @@ eclipse.google.jwt-location=/tmp
eclipse.gitlab.cve-project.token=sample eclipse.gitlab.cve-project.token=sample
eclipse.gitlab.cve-project.project-id=0 eclipse.gitlab.cve-project.project-id=0
eclipse.gitlab.cve-project.file-path=sample eclipse.gitlab.cve-project.file-path=sample
eclipse.gitlab.cve-project.ref=sample eclipse.gitlab.cve-project.ref=sample
\ No newline at end of file
eclipse.github.cve-project.token=sample
\ No newline at end of file