Claus Ibsen created CAMEL-23869:
-----------------------------------
Summary: camel-jbang TUI - Add vulnerability scanning panel using OSV.dev
Key: CAMEL-23869
URL: https://issues.apache.org/jira/browse/CAMEL-23869
Project: Camel
Issue Type: Improvement
Components: camel-jbang
Reporter: Claus Ibsen
Add a vulnerability scanning panel to the Camel TUI that queries the OSV.dev
API to check dependencies of running Camel integrations for known CVEs.
The Maveniverse Pilot project (https://github.com/maveniverse/pilot) already
has a clean implementation of this using the same TamboUI widget framework that
the Camel TUI uses. The key pieces that could be adopted:
h3. OSV.dev Client
A lightweight HTTP client (~130 lines) that queries
https://api.osv.dev/v1/query with Maven ecosystem coordinates
(groupId:artifactId + version). Returns vulnerability id, summary, severity,
published date, and aliases (GHSA/CVE cross-references). No API key required.
h3. Interactive TUI Panel
- Severity-coded rows: CRITICAL (red bold), HIGH (yellow), MEDIUM (white), LOW (dim)
- Group vulnerabilities by CVE ID, deduplicating aliases (e.g. GHSA-xxx and CVE-xxx pointing to the same issue)
- Expandable tree showing affected artifacts under each CVE group
- Scope filtering (compile, runtime, test, provided)
- Search and sort support
- Detail pane with links to NVD/GHSA/OSV pages
h3. Non-Interactive CI Mode
Support a non-interactive mode (e.g. via camel audit or similar) with:
- report action: plain-text vulnerability report to stdout
- check action: fail with exit code 1 if vulnerabilities at or above a severity threshold are found (default: HIGH, configurable)
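The OSV client query, the GHSA/CVE alias deduplication and the severity-threshold check described above, as an added Python sketch that is neither Pilot's nor Camel's code: it builds the /v1/query body for a Maven coordinate, collapses aliases of one issue onto a single CVE group and computes the exit code for the check action. The live lookup needs network access; grouping and check run offline on a constructed sample with made-up ids, and reading the rating from database_specific.severity (as GHSA-sourced OSV records carry it) is an assumption of this sketch.

```python
import json
import urllib.request
OSV_QUERY_URL = "https://api.osv.dev/v1/query"
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}  # anything else ranks 0

def osv_query_body(group_id, artifact_id, version):
    # POST body for /v1/query; OSV names Maven packages as groupId:artifactId
    return {"version": version, "package": {"ecosystem": "Maven", "name": f"{group_id}:{artifact_id}"}}

def query_osv(group_id, artifact_id, version, timeout=10):
    # Live lookup (network); returns the 'vulns' list, which is empty when the version is clean
    data = json.dumps(osv_query_body(group_id, artifact_id, version)).encode()
    req = urllib.request.Request(OSV_QUERY_URL, data=data, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp).get("vulns", [])

def severity_of(vuln):
    # Assumption: GHSA-sourced OSV records carry the rating in database_specific.severity
    return str(vuln.get("database_specific", {}).get("severity", "UNKNOWN")).upper()

def canonical_id(vuln):
    # GHSA-/CVE- aliases of one issue collapse onto the CVE id when there is one
    ids = [vuln["id"], *vuln.get("aliases", [])]
    return next((i for i in ids if i.startswith("CVE-")), vuln["id"])

def group_by_cve(findings):
    # findings: (artifact coordinate, OSV vuln record) pairs -> {canonical id: group}
    groups = {}
    for coord, vuln in findings:
        g = groups.setdefault(canonical_id(vuln), {"severity": "UNKNOWN", "artifacts": set(), "aliases": set()})
        # keep the worst rating seen for the issue across all affected artifacts
        g["severity"] = max(g["severity"], severity_of(vuln), key=lambda s: SEVERITY_RANK.get(s, 0))
        g["artifacts"].add(coord)
        g["aliases"].update([vuln["id"], *vuln.get("aliases", [])])
    return groups

def check_exit_code(groups, threshold="HIGH"):
    # 'check' action: exit 1 if any issue is at or above the threshold, else 0
    limit = SEVERITY_RANK[threshold.upper()]
    return int(any(SEVERITY_RANK.get(g["severity"], 0) >= limit for g in groups.values()))

# Constructed sample (made-up ids): one issue reported under its GHSA id on lib-a and
# under its CVE id on lib-b, plus an unrelated LOW finding on lib-c.
SAMPLE_FINDINGS = [
    ("org.example:lib-a:1.0", {"id": "GHSA-aaaa-bbbb-cccc", "aliases": ["CVE-2099-0001"],
                               "database_specific": {"severity": "HIGH"}}),
    ("org.example:lib-b:2.3", {"id": "CVE-2099-0001", "aliases": ["GHSA-aaaa-bbbb-cccc"],
                               "database_specific": {"severity": "HIGH"}}),
    ("org.example:lib-c:0.9", {"id": "CVE-2099-0002", "database_specific": {"severity": "LOW"}}),
]
```

Running group_by_cve(SAMPLE_FINDINGS) yields two groups, with both lib-a and lib-b listed under CVE-2099-0001, and check_exit_code returns 1 at the default HIGH threshold.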
h3. Optional: License Scanning
Pilot also combines license scanning (fetching POM metadata from Maven Central)
with vulnerability scanning in the same audit view. This could be a follow-up
enhancement.
h3. Reference Implementation
See the Pilot source code:
- [OsvClient.java|https://github.com/maveniverse/pilot/blob/main/pilot-core/src/main/java/eu/maveniverse/maven/pilot/OsvClient.java] - OSV API client
- [AuditTui.java|https://github.com/maveniverse/pilot/blob/main/pilot-core/src/main/java/eu/maveniverse/maven/pilot/AuditTui.java] - Interactive TUI panel
- [AuditReporter.java|https://github.com/maveniverse/pilot/blob/main/pilot-core/src/main/java/eu/maveniverse/maven/pilot/AuditReporter.java] - Non-interactive reporter
- [AuditMojo.java|https://github.com/maveniverse/pilot/blob/main/pilot-plugin/src/main/java/eu/maveniverse/maven/pilot/mvn3/AuditMojo.java] - Maven plugin entry point
The Camel TUI already has classpath/dependency information available from the
running application, so the data source is there. The TamboUI rendering
patterns from Pilot would translate directly.
--
This message was sent by Atlassian Jira (v8.20.10#820010)