diff --git a/README.md b/README.md
index 79ce240..058a54a 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-# exhort-vuln-ingester
+# exhort-cve-service
This project uses Quarkus, the Supersonic Subatomic Java Framework.
@@ -43,7 +43,7 @@ Or, if you don't have GraalVM installed, you can run the native executable build
./mvnw package -Pnative -Dquarkus.native.container-build=true
```
-You can then execute your native executable with: `./target/exhort-vuln-ingester-1.0.0-SNAPSHOT-runner`
+You can then execute your native executable with: `./target/exhort-cve-service-1.0.0-SNAPSHOT-runner`
If you want to learn more about building native executables, please consult https://quarkus.io/guides/maven-tooling.
diff --git a/api-spec/v1/openapi.yaml b/api-spec/v1/openapi.yaml
deleted file mode 100644
index 2bebc6b..0000000
--- a/api-spec/v1/openapi.yaml
+++ /dev/null
@@ -1,111 +0,0 @@
-openapi: 3.0.3
-info:
- title: Exhort OSV NVD API
- description: Vulnerability provider integrating OSV and NVD datasources
- license:
- name: Apache 2.0
- url: https://www.apache.org/licenses/LICENSE-2.0.html
- version: 1.0.0
-paths:
- /cves/{cveId}:
- get:
- operationId: getCve
- summary: Retrieves the NVD Data from the given CVE id
- parameters:
- - in: path
- name: cveId
- schema:
- type: string
- required: true
- description: CVE id to retrieve the NVD data
- responses:
- '200':
- description: NVD data associated to the provided CVE
- content:
- application/json:
- schema:
- $ref: '#/components/schemas/VulnerabilityResponse'
- '404':
- description: Data not found
- /cves:
- post:
- operationId: listCves
- summary: Takes a list of CVEs and returns the related NVD Data
- requestBody:
- required: true
- content:
- application/json:
- schema:
- $ref: '#/components/schemas/ListRequest'
- responses:
- '200':
- description: List of the NVD data found for the provided CVEs
- content:
- application/json:
- schema:
- $ref: '#/components/schemas/ListResponse'
- /vulnerabilities/{alias}:
- get:
- operationId: getVulnerability
- summary: Retrieves the vulnerability data from the given vulnerability alias
- parameters:
- - in: path
- name: alias
- schema:
- type: string
- required: true
- description: Vulnerability alias to retrieve the NVD data
- responses:
- '200':
- description: NVD data associated to the provided vulnerability alias
- content:
- application/json:
- schema:
- $ref: '#/components/schemas/VulnerabilityResponse'
- '404':
- description: Data not found
- /vulnerabilities:
- post:
- operationId: listVulnerabilities
- summary: Retrieves the vulnerability data from the all the given vulnerability aliases
- requestBody:
- required: true
- content:
- application/json:
- schema:
- $ref: '#/components/schemas/ListRequest'
- responses:
- '200':
- description: List of the NVD data found for the provided vulnerability aliases
- content:
- application/json:
- schema:
- $ref: '#/components/schemas/ListResponse'
-components:
- schemas:
- ListRequest:
- type: array
- items:
- type: string
- ListResponse:
- type: array
- items:
- $ref: '#/components/schemas/VulnerabilityResponse'
- VulnerabilityResponse:
- type: object
- properties:
- aliases:
- type: array
- items:
- type: string
- example: GHSA-23hm-7w47-xw72
- cveId:
- $ref: https://raw.githubusercontent.com/CVEProject/cve-schema/v5.0.0/schema/v5.0/CVE_JSON_5.0_schema.json#/definitions/cveId
- created:
- type: string
- format: date-time
- lastModified:
- type: string
- format: date-time
- nvdData:
- $ref: https://raw.githubusercontent.com/CVEProject/cve-schema/v5.0.0/schema/v5.0/CVE_JSON_5.0_schema.json
\ No newline at end of file
diff --git a/devfile.yaml b/devfile.yaml
new file mode 100644
index 0000000..97fe3c6
--- /dev/null
+++ b/devfile.yaml
@@ -0,0 +1,33 @@
+schemaVersion: 2.2.0
+metadata:
+ name: exhort-cve-service
+ version: 1.0.0
+ provider: Red Hat
+ supportUrl: https://github.com/RHEcosystemAppEng/exhort-cve-service/issues
+ website: https://github.com/RHEcosystemAppEng/exhort-cve-service
+ displayName: Exhort CVE Service
+ description: Exhort CVE Service that aggregates data from OSV and NVD
+ tags:
+ - Exhort
+ - RHTPA
+ - Java
+ - Quarkus
+ - NVD
+ - OSV
+ projectType: Quarkus
+ language: Java
+parent:
+ id: java-quarkus
+ registryUrl: 'https://registry.devfile.io'
+components:
+ - name: image-build
+ image:
+ imageName: exhort-cve-service:latest
+ dockerfile:
+ uri: src/main/docker/Dockerfile.multi-stage
+ buildContext: .
+ rootRequired: false
+commands:
+ - id: build-image
+ apply:
+ component: image-build
diff --git a/kubernetes/deploy.yaml b/kubernetes/deploy.yaml
index d4c6bb6..4ac1e6d 100644
--- a/kubernetes/deploy.yaml
+++ b/kubernetes/deploy.yaml
@@ -1,162 +1,77 @@
apiVersion: apps/v1
kind: Deployment
metadata:
- name: osv-nvd-service
+ name: exhort-cve-service
labels:
- app: osv-nvd-service
+ app: exhort-cve-service
spec:
replicas: 1
selector:
matchLabels:
- app: osv-nvd-service
+ app: exhort-cve-service
template:
metadata:
labels:
- app: osv-nvd-service
+ app: exhort-cve-service
spec:
containers:
- - name: osv-nvd-service
- image: quay.io/ruben/osv-nvd-service:latest
+ - name: exhort-cve-service
+ image: exhort-cve-service:latest
imagePullPolicy: IfNotPresent
ports:
- name: http
containerPort: 8080
protocol: TCP
+ - name: management
+ containerPort: 9000
+ protocol: TCP
resources:
limits:
memory: "128Mi"
cpu: "500m"
env:
- - name: QUARKUS_MONGODB_CONNECTION-STRING
- valueFrom:
- secretKeyRef:
- name: mongodb-creds
- key: mongodb-connection
- - name: QUARKUS_MONGODB_DATABASE
+ - name: DB_REDIS_ENDPOINT
valueFrom:
secretKeyRef:
- name: mongodb-creds
- key: mongodb-database
- - name: QUARKUS_MONGODB_CREDENTIALS_USERNAME
+ name: exhort-stage
+ key: db.endpoint
+ - name: DB_REDIS_PORT
valueFrom:
secretKeyRef:
- name: mongodb-creds
- key: mongodb-username
- - name: QUARKUS_MONGODB_CREDENTIALS_PASSWORD
+ name: exhort-stage
+ key: db.port
+ - name: API_NVD_APIKEY
valueFrom:
secretKeyRef:
- name: mongodb-creds
- key: mongodb-password
- - name: MIGRATION_NVD_FILE_PATH
- value: "/repo/cvelistV5/cves"
- volumeMounts:
- - name: repo
- mountPath: "/repo"
- volumes:
- - name: repo
- persistentVolumeClaim:
- claimName: nvd-data
+ name: exhort-cve-secret
+ key: nvd.apikey
+ livenessProbe:
+ httpGet:
+ path: /q/health/live
+ port: 9000
+ initialDelaySeconds: 1
+ readinessProbe:
+ httpGet:
+ path: /q/health/ready
+ port: 9000
+ initialDelaySeconds: 5
+ periodSeconds: 20
---
apiVersion: v1
kind: Service
metadata:
- name: osv-nvd-service
+ name: exhort-cve-service
labels:
- app: osv-nvd-service
+ app: exhort-cve-service
spec:
ports:
- name: http
port: 8080
protocol: TCP
targetPort: 8080
+ - name: management
+ port: 9000
+ protocol: TCP
+ targetPort: 9000
selector:
- app: osv-nvd-service
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
- name: nvd-data
-spec:
- accessModes:
- - ReadWriteOnce
- volumeMode: Filesystem
- resources:
- requests:
- storage: 8Gi
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: nvd-sync
-spec:
- schedule: "0 * * * *"
- jobTemplate:
- spec:
- template:
- spec:
- containers:
- - name: git-job
- image: quay.io/ruben/ubi8-git:latest
- imagePullPolicy: IfNotPresent
- command:
- - /bin/sh
- - -c
- - /scripts/pull.sh
- - /scripts/sync.sh
- env:
- - name: REPO_PATH
- value: /repo
- - name: REPO_URL
- value: https://github.com/CVEProject/cvelistV5.git
- - name: SERVICE_ENDPOINT
- value: http://osv-nvd-service:8080/cves
- volumeMounts:
- - name: repo
- mountPath: "/repo"
- - name: scripts
- mountPath: /scripts
- restartPolicy: OnFailure
- volumes:
- - name: repo
- persistentVolumeClaim:
- claimName: nvd-data
- - name: scripts
- configMap:
- name: fetch-nvd-repo-scripts
- defaultMode: 0777
----
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: nvd-clone
-spec:
- template:
- spec:
- containers:
- - name: git-job
- image: quay.io/ruben/ubi8-git:latest
- imagePullPolicy: IfNotPresent
- command:
- - /bin/sh
- - -c
- - /scripts/clone.sh
- env:
- - name: REPO_PATH
- value: /repo
- - name: REPO_URL
- value: https://github.com/CVEProject/cvelistV5.git
- volumeMounts:
- - name: repo
- mountPath: "/repo"
- - name: scripts
- mountPath: /scripts
- restartPolicy: OnFailure
- volumes:
- - name: repo
- persistentVolumeClaim:
- claimName: nvd-data
- - name: scripts
- configMap:
- name: fetch-nvd-repo-scripts
- defaultMode: 0777
- backoffLimit: 4
+ app: exhort-cve-service
diff --git a/kubernetes/mongodb.yaml b/kubernetes/mongodb.yaml
deleted file mode 100644
index 38726db..0000000
--- a/kubernetes/mongodb.yaml
+++ /dev/null
@@ -1,60 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: mongodb
- labels:
- app: mongodb
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: mongodb
- template:
- metadata:
- labels:
- app: mongodb
- spec:
- containers:
- - name: mongodb
- image: bitnami/mongodb:latest
- imagePullPolicy: Always
- ports:
- - name: mongo
- containerPort: 27017
- protocol: TCP
- env:
- - name: MONGODB_DATABASE
- valueFrom:
- secretKeyRef:
- name: mongodb-creds
- key: mongodb-database
- - name: MONGODB_PASSWORD
- valueFrom:
- secretKeyRef:
- name: mongodb-creds
- key: mongodb-password
- - name: MONGODB_USERNAME
- valueFrom:
- secretKeyRef:
- name: mongodb-creds
- key: mongodb-username
- - name: MONGODB_ROOT_PASSWORD
- valueFrom:
- secretKeyRef:
- name: mongodb-creds
- key: mongodb-root-password
----
-apiVersion: v1
-kind: Service
-metadata:
- name: mongodb
- labels:
- app: mongodb
-spec:
- ports:
- - name: mongo
- port: 27017
- protocol: TCP
- targetPort: 27017
- selector:
- app: mongodb
\ No newline at end of file
diff --git a/pom.xml b/pom.xml
index c9fa76b..5120c47 100644
--- a/pom.xml
+++ b/pom.xml
@@ -5,7 +5,7 @@
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
4.0.0
com.redhat.ecosystemappeng
- exhort-osv-service
+ exhort-cve-service
1.0.0-SNAPSHOT
3.11.0
@@ -14,7 +14,7 @@
UTF-8
quarkus-bom
io.quarkus.platform
- 3.6.3
+ 3.6.4
true
3.1.2
3.3.1
@@ -58,6 +58,10 @@
io.quarkus
quarkus-rest-client-reactive-jackson
+
+ io.quarkus
+ quarkus-smallrye-health
+
io.quarkus
quarkus-redis-client
@@ -66,6 +70,10 @@
io.quarkus
quarkus-resteasy-reactive-jackson
+
+ io.quarkus
+ quarkus-smallrye-openapi
+
io.quarkus
quarkus-smallrye-fault-tolerance
diff --git a/src/main/docker/Dockerfile.jvm b/src/main/docker/Dockerfile.jvm
index 06428db..861745f 100644
--- a/src/main/docker/Dockerfile.jvm
+++ b/src/main/docker/Dockerfile.jvm
@@ -7,11 +7,11 @@
#
# Then, build the image with:
#
-# docker build -f src/main/docker/Dockerfile.jvm -t quarkus/exhort-vuln-ingester-jvm .
+# docker build -f src/main/docker/Dockerfile.jvm -t quarkus/exhort-cve-service-jvm .
#
# Then run the container using:
#
-# docker run -i --rm -p 8080:8080 quarkus/exhort-vuln-ingester-jvm
+# docker run -i --rm -p 8080:8080 quarkus/exhort-cve-service-jvm
#
# If you want to include the debug port into your docker image
# you will have to expose the debug port (default 5005 being the default) like this : EXPOSE 8080 5005.
@@ -20,7 +20,7 @@
#
# Then run the container using :
#
-# docker run -i --rm -p 8080:8080 quarkus/exhort-vuln-ingester-jvm
+# docker run -i --rm -p 8080:8080 quarkus/exhort-cve-service-jvm
#
# This image uses the `run-java.sh` script to run the application.
# This scripts computes the command line to execute your Java application, and
diff --git a/src/main/docker/Dockerfile.legacy-jar b/src/main/docker/Dockerfile.legacy-jar
index 18868c0..9a60382 100644
--- a/src/main/docker/Dockerfile.legacy-jar
+++ b/src/main/docker/Dockerfile.legacy-jar
@@ -7,11 +7,11 @@
#
# Then, build the image with:
#
-# docker build -f src/main/docker/Dockerfile.legacy-jar -t quarkus/exhort-vuln-ingester-legacy-jar .
+# docker build -f src/main/docker/Dockerfile.legacy-jar -t quarkus/exhort-cve-service-legacy-jar .
#
# Then run the container using:
#
-# docker run -i --rm -p 8080:8080 quarkus/exhort-vuln-ingester-legacy-jar
+# docker run -i --rm -p 8080:8080 quarkus/exhort-cve-service-legacy-jar
#
# If you want to include the debug port into your docker image
# you will have to expose the debug port (default 5005 being the default) like this : EXPOSE 8080 5005.
@@ -20,7 +20,7 @@
#
# Then run the container using :
#
-# docker run -i --rm -p 8080:8080 quarkus/exhort-vuln-ingester-legacy-jar
+# docker run -i --rm -p 8080:8080 quarkus/exhort-cve-service-legacy-jar
#
# This image uses the `run-java.sh` script to run the application.
# This scripts computes the command line to execute your Java application, and
diff --git a/src/main/docker/Dockerfile.multi-stage b/src/main/docker/Dockerfile.multi-stage
new file mode 100644
index 0000000..43287a4
--- /dev/null
+++ b/src/main/docker/Dockerfile.multi-stage
@@ -0,0 +1,38 @@
+## Stage 1 : build with maven builder image with native capabilities
+FROM registry.redhat.io/quarkus/mandrel-23-rhel8:23.0 AS build
+
+COPY --chown=quarkus:quarkus mvnw /code/mvnw
+COPY --chown=quarkus:quarkus .mvn /code/.mvn
+COPY --chown=quarkus:quarkus pom.xml /code/
+## Maven Settings with the auth token for Github Maven Repository
+COPY --chown=quarkus:quarkus settings.xml /code/settings.xml
+
+USER quarkus
+WORKDIR /code
+RUN ./mvnw -B --settings /code/settings.xml org.apache.maven.plugins:maven-dependency-plugin:3.6.1:go-offline
+COPY --chown=quarkus:quarkus src /code/src
+RUN ./mvnw verify -B -Pnative -Dmaven.test.skip=true -Dquarkus.native.native-image-xmx=8g
+
+## Stage 2 : create the docker final image
+FROM registry.access.redhat.com/ubi9/ubi-minimal:9.3
+
+LABEL description="Red Hat Trusted Profile Analyzer - Exhort CVE Service"
+LABEL io.k8s.description="Red Hat Trusted Profile Analyzer - Exhort CVE Service"
+LABEL io.k8s.display-name="RHTPA Exhort CVE Service"
+LABEL io.openshift.tags="rhtpa exhort cve service"
+LABEL summary="The RHTPA Exhort CVE exposes an API for retrieving vulnerability data \
+from OSV and NVD databases"
+
+WORKDIR /work/
+COPY --from=build /code/target/*-runner /work/application
+
+# set up permissions for user `1001`
+RUN chmod 775 /work /work/application \
+ && chown -R 1001 /work \
+ && chmod -R "g+rwX" /work \
+ && chown -R 1001:root /work
+
+EXPOSE 8080
+USER 1001
+
+CMD ["./application", "-Dquarkus.http.host=0.0.0.0"]
diff --git a/src/main/docker/Dockerfile.native b/src/main/docker/Dockerfile.native
index 5079180..1fb92b2 100644
--- a/src/main/docker/Dockerfile.native
+++ b/src/main/docker/Dockerfile.native
@@ -7,14 +7,14 @@
#
# Then, build the image with:
#
-# docker build -f src/main/docker/Dockerfile.native -t quarkus/exhort-vuln-ingester .
+# docker build -f src/main/docker/Dockerfile.native -t quarkus/exhort-cve-service .
#
# Then run the container using:
#
-# docker run -i --rm -p 8080:8080 quarkus/exhort-vuln-ingester
+# docker run -i --rm -p 8080:8080 quarkus/exhort-cve-service
#
###
-FROM registry.access.redhat.com/ubi8/ubi-minimal:8.6
+FROM registry.access.redhat.com/ubi9/ubi-minimal:9.3
WORKDIR /work/
RUN chown 1001 /work \
&& chmod "g+rwX" /work \
diff --git a/src/main/docker/Dockerfile.native-micro b/src/main/docker/Dockerfile.native-micro
index d416131..bb2884d 100644
--- a/src/main/docker/Dockerfile.native-micro
+++ b/src/main/docker/Dockerfile.native-micro
@@ -10,11 +10,11 @@
#
# Then, build the image with:
#
-# docker build -f src/main/docker/Dockerfile.native-micro -t quarkus/exhort-vuln-ingester .
+# docker build -f src/main/docker/Dockerfile.native-micro -t quarkus/exhort-cve-service .
#
# Then run the container using:
#
-# docker run -i --rm -p 8080:8080 quarkus/exhort-vuln-ingester
+# docker run -i --rm -p 8080:8080 quarkus/exhort-cve-service
#
###
FROM quay.io/quarkus/quarkus-micro-image:2.0
diff --git a/src/main/java/com/redhat/ecosystemappeng/service/nvd/NvdApi.java b/src/main/java/com/redhat/ecosystemappeng/service/nvd/NvdApi.java
index 1773020..7de48e6 100644
--- a/src/main/java/com/redhat/ecosystemappeng/service/nvd/NvdApi.java
+++ b/src/main/java/com/redhat/ecosystemappeng/service/nvd/NvdApi.java
@@ -24,7 +24,7 @@ public interface NvdApi {
static final long NVD_API_WINDOW_SECS = 30;
@GET
- @ClientHeaderParam(name = "apiKey", value = "${migration.nvd.apikey}")
+ @ClientHeaderParam(name = "apiKey", value = "${api.nvd.apikey}")
@Produces(MediaType.APPLICATION_JSON)
@Fallback(value = NvdFallbackService.class, applyOn = WebApplicationException.class, skipOn = ClientWebApplicationException.class)
@CircuitBreaker(delay = NVD_API_WINDOW_SECS, delayUnit = ChronoUnit.SECONDS)
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index 0b84500..04080db 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -1,9 +1,12 @@
# quarkus.redis.hosts=redis://localhost/
+%prod.quarkus.redis.hosts=redis://${db.redis.host:localhost}:${db.redis.port:6379}/
# quarkus.log.level=DEBUG
migration.cve.file.path=/repo/cvelistV5/cves
migration.osv.pageSize=100
quarkus.rest-client.osv-api.url=https://api.osv.dev
-quarkus.rest-client.nvd-api.url=https://services.nvd.nist.gov
\ No newline at end of file
+quarkus.rest-client.nvd-api.url=https://services.nvd.nist.gov
+
+quarkus.management.enabled=true
diff --git a/src/test/java/com/redhat/ecosystemappeng/service/WireMockExtensions.java b/src/test/java/com/redhat/ecosystemappeng/service/WireMockExtensions.java
index 45d1feb..dee58b2 100644
--- a/src/test/java/com/redhat/ecosystemappeng/service/WireMockExtensions.java
+++ b/src/test/java/com/redhat/ecosystemappeng/service/WireMockExtensions.java
@@ -35,7 +35,7 @@ public Map start() {
Map props = new HashMap<>();
props.put("quarkus.rest-client.nvd-api.url", wireMockServer.baseUrl());
- props.put("migration.nvd.apikey", NVD_API_KEY);
+ props.put("api.nvd.apikey", NVD_API_KEY);
return props;
}