Claus Ibsen created CAMEL-23869:
-----------------------------------

             Summary: camel-jbang TUI - Add vulnerability scanning panel using OSV.dev
                 Key: CAMEL-23869
                 URL: https://issues.apache.org/jira/browse/CAMEL-23869
             Project: Camel
          Issue Type: Improvement
          Components: camel-jbang
            Reporter: Claus Ibsen


Add a vulnerability scanning panel to the Camel TUI that queries the OSV.dev 
API to check dependencies of running Camel integrations for known CVEs.

The Maveniverse Pilot project (https://github.com/maveniverse/pilot) already 
has a clean implementation of this using the same TamboUI widget framework that 
the Camel TUI uses. The key pieces that could be adopted:

h3. OSV.dev Client
A lightweight HTTP client (~130 lines) that queries 
https://api.osv.dev/v1/query with Maven ecosystem coordinates 
(groupId:artifactId + version). Returns vulnerability id, summary, severity, 
published date, and aliases (GHSA/CVE cross-references). No API key required.

h3. Interactive TUI Panel
- Severity-coded rows: CRITICAL (red bold), HIGH (yellow), MEDIUM (white), LOW (dim)
- Group vulnerabilities by CVE ID, deduplicating aliases (e.g. GHSA-xxx and CVE-xxx pointing to the same issue)
- Expandable tree showing affected artifacts under each CVE group
- Scope filtering (compile, runtime, test, provided)
- Search and sort support
- Detail pane with links to NVD/GHSA/OSV pages

h3. Non-Interactive CI Mode
Support a non-interactive mode (e.g. via camel audit or similar) with:
- report action: plain-text vulnerability report to stdout
- check action: fail with exit code 1 if vulnerabilities at or above a severity threshold are found (default: HIGH, configurable)
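The OSV.dev query shape described under "OSV.dev Client" and the alias-deduplicating check action described above, as an added Python sketch (not Pilot's or Camel's code; the project itself is Java). It assumes the text severity lives in each record's database_specific.severity (the convention of GHSA-sourced OSV records) and uses placeholder advisory ids and artifact coordinates:

```python
import json, urllib.request
OSV_QUERY_URL = "https://api.osv.dev/v1/query"
RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

def build_query(group_id, artifact_id, version):
    """Body for POST /v1/query; Maven packages are named groupId:artifactId."""
    return {"version": version, "package": {"name": f"{group_id}:{artifact_id}", "ecosystem": "Maven"}}

def query_osv(group_id, artifact_id, version, timeout=10):
    """Live lookup (needs network); SAMPLE below stands in for its result."""
    body = json.dumps(build_query(group_id, artifact_id, version)).encode()
    req = urllib.request.Request(OSV_QUERY_URL, data=body, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp).get("vulns", [])

def severity_of(vuln):
    """Text severity from database_specific (assumed GHSA convention); MODERATE is shown as MEDIUM."""
    sev = (vuln.get("database_specific") or {}).get("severity", "").upper().replace("MODERATE", "MEDIUM")
    return sev if sev in RANK else "UNKNOWN"

def canonical_id(vuln):
    """Prefer a CVE alias so GHSA-x and CVE-y for the same issue land in one group."""
    cves = sorted(i for i in [vuln["id"], *vuln.get("aliases", [])] if i.startswith("CVE-"))
    return cves[0] if cves else vuln["id"]

def group_by_cve(results):
    """results: [(coordinate, vulns)] -> {group id: {severity, artifacts, ids}}; highest severity wins."""
    groups = {}
    for coordinate, vulns in results:
        for v in vulns:
            g = groups.setdefault(canonical_id(v), {"severity": "UNKNOWN", "artifacts": set(), "ids": set()})
            g["artifacts"].add(coordinate)
            g["ids"].add(v["id"])
            if RANK.get(severity_of(v), 0) > RANK.get(g["severity"], 0):
                g["severity"] = severity_of(v)
    return groups

def check(groups, threshold="HIGH"):
    """CI 'check' action: exit code 1 if any group is at or above the threshold (default HIGH)."""
    hits = sorted(k for k, g in groups.items() if RANK.get(g["severity"], 0) >= RANK[threshold])
    return (1 if hits else 0), hits

# Constructed sample in the shape of OSV /v1/query results; ids and coordinates are placeholders, not real advisories.
SAMPLE = [
    ("org.example:lib-a:1.0", [{"id": "CVE-0000-0001"},
        {"id": "GHSA-xxxx-xxxx-xxx1", "aliases": ["CVE-0000-0001"], "database_specific": {"severity": "HIGH"}}]),
    ("org.example:lib-b:2.0", [{"id": "CVE-0000-0001"},
        {"id": "GHSA-xxxx-xxxx-xxx2", "database_specific": {"severity": "MODERATE"}}]),
]
```

Running check(group_by_cve(SAMPLE)) yields exit code 1 with the single merged group CVE-0000-0001, which the report view would list with both affected coordinates under it.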

h3. Optional: License Scanning
Pilot also combines license scanning (fetching POM metadata from Maven Central) 
with vulnerability scanning in the same audit view. This could be a follow-up 
enhancement.

h3. Reference Implementation
See the Pilot source code:
- [OsvClient.java|https://github.com/maveniverse/pilot/blob/main/pilot-core/src/main/java/eu/maveniverse/maven/pilot/OsvClient.java] - OSV API client
- [AuditTui.java|https://github.com/maveniverse/pilot/blob/main/pilot-core/src/main/java/eu/maveniverse/maven/pilot/AuditTui.java] - Interactive TUI panel
- [AuditReporter.java|https://github.com/maveniverse/pilot/blob/main/pilot-core/src/main/java/eu/maveniverse/maven/pilot/AuditReporter.java] - Non-interactive reporter
- [AuditMojo.java|https://github.com/maveniverse/pilot/blob/main/pilot-plugin/src/main/java/eu/maveniverse/maven/pilot/mvn3/AuditMojo.java] - Maven plugin entry point

The Camel TUI already has classpath/dependency information available from the 
running application, so the data source is there. The TamboUI rendering 
patterns from Pilot would translate directly.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)