feat: use osv only service (#355)

Signed-off-by: Ruben Romero Montes <rromerom@redhat.com>

README.md

@@ -11,7 +11,7 @@
 
 ## Required parameters
 
-- `api.osvnvd.host` The host where the [ONGuard](https://github.com/RHEcosystemAppEng/onguard) service is deployed
+- `api.onguard.host` The host where the [ONGuard](https://github.com/RHEcosystemAppEng/onguard) service is deployed
 - `api.snyk.token` Snyk API token for default authentication when the Snyk integration is enabled
 
 ## OpenAPI and SwaggerUI

dashboards/grafana-dashboard-exhort.configmap.yaml

@@ -1021,7 +1021,7 @@ data:
                 "uid": "${datasource}"
               },
               "editorMode": "code",
-              "expr": "histogram_quantile(0.90, sum by (le) (rate(camel_route_policy_seconds_bucket{routeId=\"osvNvdRequest\"}[2m])))",
+              "expr": "histogram_quantile(0.90, sum by (le) (rate(camel_route_policy_seconds_bucket{routeId=\"osvRequest\"}[2m])))",
               "legendFormat": "0.90",
               "range": true,
               "refId": "A"
@@ -1032,7 +1032,7 @@ data:
                 "uid": "${datasource}"
               },
               "editorMode": "code",
-              "expr": "histogram_quantile(0.95, sum by (le) (rate(camel_route_policy_seconds_bucket{routeId=\"osvNvdRequest\"}[2m])))",
+              "expr": "histogram_quantile(0.95, sum by (le) (rate(camel_route_policy_seconds_bucket{routeId=\"osvRequest\"}[2m])))",
               "hide": false,
               "legendFormat": "0.95",
               "range": true,
@@ -1044,7 +1044,7 @@ data:
                 "uid": "${datasource}"
               },
               "editorMode": "code",
-              "expr": "histogram_quantile(0.99, sum by (le) (rate(camel_route_policy_seconds_bucket{routeId=\"osvNvdRequest\"}[2m])))",
+              "expr": "histogram_quantile(0.99, sum by (le) (rate(camel_route_policy_seconds_bucket{routeId=\"osvRequest\"}[2m])))",
               "hide": false,
               "legendFormat": "0.99",
               "range": true,

src/main/java/com/redhat/exhort/config/metrics/CustomMetrics.java

@@ -42,7 +42,7 @@ public class CustomMetrics {
           "snykValidateToken",
           "snykRequest",
           "getTrustedContent",
-          "osvNvdRequest",
+          "osvRequest",
           "ossValidateCredentials",
           "ossSplitReq",
           "ossIndexRequest",

src/main/java/com/redhat/exhort/integration/Constants.java

@@ -60,7 +60,7 @@ private Constants() {}
   public static final String SNYK_PROVIDER = "snyk";
   public static final String OSS_INDEX_PROVIDER = "oss-index";
   public static final String TRUSTED_CONTENT_PROVIDER = "trusted-content";
-  public static final String OSV_NVD_PROVIDER = "osv-nvd";
+  public static final String OSV_PROVIDER = "osv";
   public static final String UNKNOWN_PROVIDER = "unknown";
 
   public static final String HTTP_UNAUTHENTICATED = "Unauthenticated";
@@ -117,7 +117,7 @@ private Constants() {}
             {
               add(SNYK_PROVIDER);
               add(OSS_INDEX_PROVIDER);
-              add(OSV_NVD_PROVIDER);
+              add(OSV_PROVIDER);
             }
           });
 

src/main/java/com/redhat/exhort/integration/providers/ProviderHealthCheck.java

@@ -30,7 +30,7 @@
 public class ProviderHealthCheck extends AbstractHealthCheck {
 
   private static final List<String> ALL_PROVIDERS_HEALTH_CHECKS =
-      List.of("direct:snykHealthCheck", "direct:osvNvdHealthCheck", "direct:ossIndexHealthCheck");
+      List.of("direct:snykHealthCheck", "direct:osvHealthCheck", "direct:ossIndexHealthCheck");
 
   public ProviderHealthCheck() {
     super("External Providers Readiness Check");

src/main/java/com/redhat/exhort/integration/providers/VulnerabilityProvider.java

@@ -51,8 +51,8 @@ public class VulnerabilityProvider {
   @ConfigProperty(name = "api.ossindex.disabled", defaultValue = "false")
   boolean ossIndexDisabled;
 
-  @ConfigProperty(name = "api.osvnvd.disabled", defaultValue = "false")
-  boolean osvNvdDisabled;
+  @ConfigProperty(name = "api.onguard.disabled", defaultValue = "false")
+  boolean osvDisabled;
 
   private List<String> providers;
 
@@ -63,7 +63,7 @@ public void initProviders() {
             Constants.PROVIDERS.stream()
                 .filter(p -> !(Constants.SNYK_PROVIDER.equals(p) && snykDisabled))
                 .filter(p -> !(Constants.OSS_INDEX_PROVIDER.equals(p) && ossIndexDisabled))
-                .filter(p -> !(Constants.OSV_NVD_PROVIDER.equals(p) && osvNvdDisabled))
+                .filter(p -> !(Constants.OSV_PROVIDER.equals(p) && osvDisabled))
                 .toList());
   }
 
@@ -79,7 +79,7 @@ public List<String> getProviderEndpoints(
                 switch (p) {
                   case Constants.SNYK_PROVIDER -> "direct:snykScan";
                   case Constants.OSS_INDEX_PROVIDER -> "direct:ossIndexScan";
-                  case Constants.OSV_NVD_PROVIDER -> "direct:osvNvdScan";
+                  case Constants.OSV_PROVIDER -> "direct:osvScan";
                   default -> throw new UnexpectedProviderException(new RuntimeException(p));
                 })
         .collect(Collectors.toList());

src/main/java/com/redhat/exhort/integration/providers/osvnvd/OsvNvdIntegration.java → src/main/java/com/redhat/exhort/integration/providers/osv/OsvIntegration.java

@@ -16,7 +16,7 @@
  * limitations under the License.
  */
 
-package com.redhat.exhort.integration.providers.osvnvd;
+package com.redhat.exhort.integration.providers.osv;
 
 import org.apache.camel.Exchange;
 import org.apache.camel.builder.endpoint.EndpointRouteBuilder;
@@ -32,59 +32,59 @@
 import jakarta.ws.rs.core.Response;
 
 @ApplicationScoped
-public class OsvNvdIntegration extends EndpointRouteBuilder {
+public class OsvIntegration extends EndpointRouteBuilder {
 
-  @ConfigProperty(name = "api.osvnvd.timeout", defaultValue = "30s")
+  @ConfigProperty(name = "api.onguard.timeout", defaultValue = "30s")
   String timeout;
 
   @Inject VulnerabilityProvider vulnerabilityProvider;
-  @Inject OsvNvdResponseHandler responseHandler;
+  @Inject OsvResponseHandler responseHandler;
 
   @Override
   public void configure() throws Exception {
     // fmt:off
-    from(direct("osvNvdScan"))
-      .routeId("osvNvdScan")
+    from(direct("osvScan"))
+      .routeId("osvScan")
       .circuitBreaker()
         .faultToleranceConfiguration()
           .timeoutEnabled(true)
           .timeoutDuration(timeout)
         .end()
-        .transform(method(OsvNvdRequestBuilder.class, "buildRequest"))
-        .to(direct("osvNvdRequest"))
+        .transform(method(OsvRequestBuilder.class, "buildRequest"))
+        .to(direct("osvRequest"))
       .onFallback()
         .process(responseHandler::processResponseError)
       .end()
       .transform().method(responseHandler, "buildReport");
 
-    from(direct("osvNvdRequest"))
-      .routeId("osvNvdRequest")
+    from(direct("osvRequest"))
+      .routeId("osvRequest")
       .process(this::processRequest)
-      .to(vertxHttp("{{api.osvnvd.host}}"))
+      .to(vertxHttp("{{api.onguard.host}}"))
       .transform().method(responseHandler, "responseToIssues");
 
-    from(direct("osvNvdHealthCheck"))
-      .routeId("osvNvdHealthCheck")
-      .setProperty(Constants.PROVIDER_NAME, constant(Constants.OSV_NVD_PROVIDER))
+    from(direct("osvHealthCheck"))
+      .routeId("osvHealthCheck")
+      .setProperty(Constants.PROVIDER_NAME, constant(Constants.OSV_PROVIDER))
       .choice()
-         .when(method(vulnerabilityProvider, "getEnabled").contains(Constants.OSV_NVD_PROVIDER))
-            .to(direct("osvNvdHealthCheckEndpoint"))
+         .when(method(vulnerabilityProvider, "getEnabled").contains(Constants.OSV_PROVIDER))
+            .to(direct("osvHealthCheckEndpoint"))
          .otherwise()
             .to(direct("healthCheckProviderDisabled"));
 
-    from(direct("osvNvdHealthCheckEndpoint"))
-      .routeId("osvNvdHealthCheckEndpoint")
+    from(direct("osvHealthCheckEndpoint"))
+      .routeId("osvHealthCheckEndpoint")
       .process(this::processHealthRequest)
       .circuitBreaker()
          .faultToleranceConfiguration()
             .timeoutEnabled(true)
             .timeoutDuration(timeout)
          .end()
-         .to(vertxHttp("{{api.osvnvd.management.host}}"))
+         .to(vertxHttp("{{api.onguard.management.host}}"))
          .setHeader(Exchange.HTTP_RESPONSE_TEXT,constant("Service is up and running"))
          .setBody(constant("Service is up and running"))
       .onFallback()
-         .setBody(constant(Constants.OSV_NVD_PROVIDER + "Service is down"))
+         .setBody(constant(Constants.OSV_PROVIDER + "Service is down"))
          .setHeader(Exchange.HTTP_RESPONSE_CODE,constant(Response.Status.SERVICE_UNAVAILABLE))
       .end();
     // fmt:on

src/main/java/com/redhat/exhort/integration/providers/osvnvd/OsvNvdRequestBuilder.java → src/main/java/com/redhat/exhort/integration/providers/osv/OsvRequestBuilder.java

@@ -16,7 +16,7 @@
  * limitations under the License.
  */
 
-package com.redhat.exhort.integration.providers.osvnvd;
+package com.redhat.exhort.integration.providers.osv;
 
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
@@ -26,7 +26,7 @@
 import io.quarkus.runtime.annotations.RegisterForReflection;
 
 @RegisterForReflection
-public class OsvNvdRequestBuilder {
+public class OsvRequestBuilder {
 
   private ObjectMapper mapper = ObjectMapperProducer.newInstance();
 

src/main/java/com/redhat/exhort/integration/providers/osvnvd/OsvNvdResponseHandler.java → src/main/java/com/redhat/exhort/integration/providers/osv/OsvResponseHandler.java

@@ -16,7 +16,7 @@
  * limitations under the License.
  */
 
-package com.redhat.exhort.integration.providers.osvnvd;
+package com.redhat.exhort.integration.providers.osv;
 
 import java.io.IOException;
 import java.util.ArrayList;
@@ -51,13 +51,13 @@
 
 @ApplicationScoped
 @RegisterForReflection
-public class OsvNvdResponseHandler extends ProviderResponseHandler {
+public class OsvResponseHandler extends ProviderResponseHandler {
 
   @Inject ObjectMapper mapper;
 
   @Override
   protected String getProviderName() {
-    return Constants.OSV_NVD_PROVIDER;
+    return Constants.OSV_PROVIDER;
   }
 
   @Override
@@ -84,9 +84,9 @@ private List<Issue> toIssues(String ref, ArrayNode response) {
     List<Issue> issues = new ArrayList<>();
     response.forEach(
         data -> {
-          var issue = new Issue().source(Constants.OSV_NVD_PROVIDER);
+          var issue = new Issue().source(Constants.OSV_PROVIDER);
 
-          String cve = getTextValue(data, "cveId");
+          String cve = getTextValue(data, "id");
           if (cve == null) {
             return;
           }

src/main/resources/application.properties

@@ -12,8 +12,8 @@ api.snyk.host=https://app.snyk.io/api/v1
 # api.snyk.disabled=true
 
 api.trustedcontent.host=https://exhort.trust.rhcloud.com/api/v1/
-api.osvnvd.host=http://onguard:8080/
-api.osvnvd.management.host=http://onguard:9000/
+api.onguard.host=http://onguard:8080/
+api.onguard.management.host=http://onguard:9000/
 
 api.ossindex.host=https://ossindex.sonatype.org/api/v3
 

src/test/java/com/redhat/exhort/extensions/WiremockExtension.java

@@ -41,7 +41,7 @@ public Map<String, String> start() {
         "api.snyk.token", SNYK_TOKEN,
         "api.trustedcontent.host", server.baseUrl(),
         "api.ossindex.host", server.baseUrl(),
-        "api.osvnvd.host", server.baseUrl());
+        "api.onguard.host", server.baseUrl());
   }
 
   @Override

src/test/java/com/redhat/exhort/integration/AbstractAnalysisTest.java

@@ -216,7 +216,7 @@ protected void stubAllProviders() {
     stubSnykRequests();
     stubOssToken();
     stubTrustedContentRequests();
-    stubOsvNvdRequests();
+    stubOsvRequests();
   }
 
   protected void verifyProviders(Collection<String> providers, Map<String, String> credentials) {
@@ -229,7 +229,7 @@ protected void verifyProviders(Collection<String> providers, Map<String, String>
                 case Constants.OSS_INDEX_PROVIDER -> verifyOssRequest(
                     credentials.get(Constants.OSS_INDEX_USER_HEADER),
                     credentials.get(Constants.OSS_INDEX_TOKEN_HEADER));
-                case Constants.OSV_NVD_PROVIDER -> verifyOsvNvdRequest();
+                case Constants.OSV_PROVIDER -> verifyOsvNvdRequest();
               }
             });
     verifyTrustedContentRequest();
@@ -316,36 +316,36 @@ protected void stubTrustedContentRequests() {
                     .withBodyFile("trustedcontent/maven_report.json")));
   }
 
-  protected void stubOsvNvdRequests() {
+  protected void stubOsvRequests() {
     server.stubFor(
         post(Constants.OSV_NVD_PURLS_PATH)
             .withHeader(Exchange.CONTENT_TYPE, equalTo(MediaType.APPLICATION_JSON))
             .willReturn(
                 aResponse()
                     .withStatus(200)
                     .withHeader(Exchange.CONTENT_TYPE, MediaType.APPLICATION_JSON)
-                    .withBodyFile("osvnvd/empty_report.json")));
+                    .withBodyFile("onguard/empty_report.json")));
 
     server.stubFor(
         post(Constants.OSV_NVD_PURLS_PATH)
             .withHeader(Exchange.CONTENT_TYPE, equalTo(MediaType.APPLICATION_JSON))
             .withRequestBody(
-                equalToJson(loadFileAsString("__files/osvnvd/maven_request.json"), true, false))
+                equalToJson(loadFileAsString("__files/onguard/maven_request.json"), true, false))
             .willReturn(
                 aResponse()
                     .withStatus(200)
                     .withHeader(Exchange.CONTENT_TYPE, MediaType.APPLICATION_JSON)
-                    .withBodyFile("osvnvd/maven_report.json")));
+                    .withBodyFile("onguard/maven_report.json")));
     server.stubFor(
         post(Constants.OSV_NVD_PURLS_PATH)
             .withHeader(Exchange.CONTENT_TYPE, equalTo(MediaType.APPLICATION_JSON))
             .withRequestBody(
-                equalToJson(loadFileAsString("__files/osvnvd/batch_request.json"), true, false))
+                equalToJson(loadFileAsString("__files/onguard/batch_request.json"), true, false))
             .willReturn(
                 aResponse()
                     .withStatus(200)
                     .withHeader(Exchange.CONTENT_TYPE, MediaType.APPLICATION_JSON)
-                    .withBodyFile("osvnvd/maven_report.json")));
+                    .withBodyFile("onguard/maven_report.json")));
   }
 
   protected void verifyTrustedContentRequest() {

src/test/java/com/redhat/exhort/integration/AnalysisTest.java

@@ -232,7 +232,7 @@ public void testEmptySbom(Map<String, Integer> providers, Map<String, String> au
 
     verifyNoInteractionsWithSnyk();
     verifyNoInteractionsWithOSS();
-    if (providers.containsKey(Constants.OSV_NVD_PROVIDER)) {
+    if (providers.containsKey(Constants.OSV_PROVIDER)) {
       verifyOsvNvdRequest();
     } else {
       verifyNoInteractionsWithOsvNvd();
@@ -244,7 +244,7 @@ private static Stream<Arguments> emptySbomArguments() {
     return Stream.of(
         Arguments.of(Map.of(Constants.SNYK_PROVIDER, 200), Collections.emptyMap()),
         Arguments.of(Map.of(Constants.OSS_INDEX_PROVIDER, 401), Collections.emptyMap()),
-        Arguments.of(Map.of(Constants.OSV_NVD_PROVIDER, 200), Collections.emptyMap()),
+        Arguments.of(Map.of(Constants.OSV_PROVIDER, 200), Collections.emptyMap()),
         Arguments.of(
             Map.of(Constants.SNYK_PROVIDER, 200, Constants.OSS_INDEX_PROVIDER, 401),
             Collections.emptyMap()),
@@ -273,7 +273,7 @@ private static Stream<Arguments> emptySbomArguments() {
                 200,
                 Constants.OSS_INDEX_PROVIDER,
                 200,
-                Constants.OSV_NVD_PROVIDER,
+                Constants.OSV_PROVIDER,
                 200),
             Map.of(
                 Constants.SNYK_TOKEN_HEADER,
@@ -373,7 +373,7 @@ public void testUnauthorizedRequest() {
     assertFalse(status.getOk());
     assertEquals(Constants.SNYK_PROVIDER, status.getName());
     assertEquals(Response.Status.UNAUTHORIZED.getStatusCode(), status.getCode());
-    assertEquals(200, report.getProviders().get(Constants.OSV_NVD_PROVIDER).getStatus().getCode());
+    assertEquals(200, report.getProviders().get(Constants.OSV_PROVIDER).getStatus().getCode());
 
     verifySnykRequest(INVALID_TOKEN);
     verifyOsvNvdRequest();
@@ -411,7 +411,7 @@ public void testForbiddenRequest() {
     assertEquals(Constants.SNYK_PROVIDER, status.getName());
     assertEquals(Response.Status.FORBIDDEN.getStatusCode(), status.getCode());
 
-    assertEquals(200, report.getProviders().get(Constants.OSV_NVD_PROVIDER).getStatus().getCode());
+    assertEquals(200, report.getProviders().get(Constants.OSV_PROVIDER).getStatus().getCode());
 
     verifySnykRequest(UNAUTH_TOKEN);
     verifyOsvNvdRequest();