[https://issues.apache.org/jira/browse/CAMEL-23869?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18092951#comment-18092951]
Claus Ibsen commented on CAMEL-23869:
-------------------------------------
Some additional notes:
* The TUI vulnerability scanning should only scan *running* Camel integrations - the classpath/dependency info is already available from the running application via the dev console. This is not a standalone Maven project scanner (Pilot already covers that use case).
* We could also add a reference to the Maveniverse Pilot project
(https://github.com/maveniverse/pilot) in the TUI F1 help overlay, so users who
want deeper Maven-level dependency analysis (full dependency trees, updates,
conflicts, license audit) know where to look. Pilot is built on the same
TamboUI framework and complements the Camel TUI nicely.
> camel-jbang TUI - Add vulnerability scanning panel using OSV.dev
> ----------------------------------------------------------------
>
> Key: CAMEL-23869
> URL: https://issues.apache.org/jira/browse/CAMEL-23869
> Project: Camel
> Issue Type: Improvement
> Components: camel-jbang
> Reporter: Claus Ibsen
> Priority: Major
> Labels: tui
>
> Add a vulnerability scanning panel to the Camel TUI that queries the OSV.dev
> API to check dependencies of running Camel integrations for known CVEs.
> The Maveniverse Pilot project (https://github.com/maveniverse/pilot) already
> has a clean implementation of this using the same TamboUI widget framework
> that the Camel TUI uses. The key pieces that could be adopted:
> h3. OSV.dev Client
> A lightweight HTTP client (~130 lines) that queries
> https://api.osv.dev/v1/query with Maven ecosystem coordinates
> (groupId:artifactId + version). Returns vulnerability id, summary, severity,
> published date, and aliases (GHSA/CVE cross-references). No API key required.
> h3. Interactive TUI Panel
> - Severity-coded rows: CRITICAL (red bold), HIGH (yellow), MEDIUM (white),
> LOW (dim)
> - Group vulnerabilities by CVE ID, deduplicating aliases (e.g. GHSA-xxx and
> CVE-xxx pointing to the same issue)
> - Expandable tree showing affected artifacts under each CVE group
> - Scope filtering (compile, runtime, test, provided)
> - Search and sort support
> - Detail pane with links to NVD/GHSA/OSV pages
> h3. Non-Interactive CI Mode
> Support a non-interactive mode (e.g. via camel audit or similar) with:
> - report action: plain-text vulnerability report to stdout
> - check action: fail with exit code 1 if vulnerabilities at or above a
> severity threshold are found (default: HIGH, configurable)
> h3. Optional: License Scanning
> Pilot also combines license scanning (fetching POM metadata from Maven
> Central) with vulnerability scanning in the same audit view. This could be a
> follow-up enhancement.
> h3. Reference Implementation
> See the Pilot source code:
> -
> [OsvClient.java|https://github.com/maveniverse/pilot/blob/main/pilot-core/src/main/java/eu/maveniverse/maven/pilot/OsvClient.java]
> - OSV API client
> -
> [AuditTui.java|https://github.com/maveniverse/pilot/blob/main/pilot-core/src/main/java/eu/maveniverse/maven/pilot/AuditTui.java]
> - Interactive TUI panel
> -
> [AuditReporter.java|https://github.com/maveniverse/pilot/blob/main/pilot-core/src/main/java/eu/maveniverse/maven/pilot/AuditReporter.java]
> - Non-interactive reporter
> -
> [AuditMojo.java|https://github.com/maveniverse/pilot/blob/main/pilot-plugin/src/main/java/eu/maveniverse/maven/pilot/mvn3/AuditMojo.java]
> - Maven plugin entry point
> The Camel TUI already has classpath/dependency information available from the
> running application, so the data source is there. The TamboUI rendering
> patterns from Pilot would translate directly.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
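The issue description above outlines three pieces: an OSV.dev query per Maven coordinate, grouping of results by CVE id with GHSA/CVE aliases deduplicated, and a non-interactive `check` action that fails with exit code 1 at or above a severity threshold. The following Python sketch is an added illustration of that pipeline end to end; it is not code from Apache Camel, camel-jbang or Maveniverse Pilot (which are Java). It assumes the OSV `/v1/query` request shape (`package.ecosystem`/`package.name`/`version`) and reads the severity label from `database_specific.severity`, which is where GHSA-sourced OSV records carry it (treat that field choice as an assumption; CVSS vectors in the `severity` array are not parsed here). The advisory ids and coordinates in `SAMPLE_RESPONSES` are constructed placeholders, not real advisories, and the HTTP call is injectable so the whole thing runs offline.

```python
"""Sketch of an OSV.dev Maven lookup with alias deduplication and a severity
threshold check (added illustration, not Camel or Pilot code)."""
import json
import urllib.request

OSV_QUERY_URL = "https://api.osv.dev/v1/query"

# Ordering for the threshold check; the tiers match those named in the issue.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def osv_query_body(group_id, artifact_id, version):
    """JSON body for one Maven coordinate (groupId:artifactId + version)."""
    return {
        "package": {"ecosystem": "Maven", "name": f"{group_id}:{artifact_id}"},
        "version": version,
    }


def query_osv(group_id, artifact_id, version, post=None):
    """POST the query and return the raw 'vulns' list. `post(url, data)` is
    injectable so the lookup can be exercised offline with a canned response."""
    body = json.dumps(osv_query_body(group_id, artifact_id, version)).encode()
    if post is None:
        def post(url, data):
            req = urllib.request.Request(
                url, data=data, headers={"Content-Type": "application/json"})
            with urllib.request.urlopen(req, timeout=30) as resp:
                return resp.read()
    return json.loads(post(OSV_QUERY_URL, body)).get("vulns", [])


def severity_of(vuln):
    """Normalise the advisory's label (assumption: it sits in
    database_specific.severity); GHSA uses MODERATE where the TUI says MEDIUM.
    Unlabelled records surface as UNKNOWN instead of being dropped."""
    label = str((vuln.get("database_specific") or {}).get("severity", "")).upper()
    if label == "MODERATE":
        label = "MEDIUM"
    return label if label in SEVERITY_RANK else "UNKNOWN"


def canonical_id(vuln):
    """Prefer a CVE id so GHSA-/CVE- records for one issue collapse into one group."""
    ids = [vuln["id"], *vuln.get("aliases", [])]
    cves = sorted(i for i in ids if i.startswith("CVE-"))
    return cves[0] if cves else vuln["id"]


def group_findings(findings):
    """findings: list of (coordinate, vuln). Returns {canonical_id: group} where a
    group carries every alias, every affected artifact and the worst severity seen."""
    groups = {}
    for coord, vuln in findings:
        g = groups.setdefault(canonical_id(vuln), {
            "ids": set(), "summary": vuln.get("summary", ""),
            "severity": "UNKNOWN", "artifacts": set()})
        g["ids"].update([vuln["id"], *vuln.get("aliases", [])])
        g["artifacts"].add(coord)
        sev = severity_of(vuln)
        if SEVERITY_RANK.get(sev, 0) > SEVERITY_RANK.get(g["severity"], 0):
            g["severity"] = sev
    return groups


def check(groups, threshold="HIGH"):
    """Non-interactive 'check' action: (exit_code, offending ids); code 1 when any
    group is at or above the threshold (default HIGH, as in the issue)."""
    floor = SEVERITY_RANK[threshold]
    hits = sorted(k for k, g in groups.items()
                  if SEVERITY_RANK.get(g["severity"], 0) >= floor)
    return (1 if hits else 0), hits


# Constructed stand-in for api.osv.dev responses; ids and coordinates are fake.
SAMPLE_RESPONSES = {
    "org.example:lib-a@1.0": {"vulns": [
        {"id": "GHSA-xxxx-xxxx-xxx1", "aliases": ["CVE-0000-0001"],
         "summary": "constructed: unsafe deserialization",
         "database_specific": {"severity": "HIGH"}},
        {"id": "GHSA-xxxx-xxxx-xxx2", "aliases": [],
         "summary": "constructed: verbose error page",
         "database_specific": {"severity": "LOW"}},
    ]},
    "org.example:lib-b@2.3": {"vulns": [
        {"id": "CVE-0000-0001", "aliases": ["GHSA-xxxx-xxxx-xxx1"],
         "summary": "constructed: unsafe deserialization",
         "database_specific": {"severity": "MODERATE"}},
    ]},
}


def scan_sample(threshold="HIGH"):
    """Run query -> group -> check over the constructed data."""
    findings = []
    for coord in SAMPLE_RESPONSES:
        name, version = coord.split("@")
        group_id, artifact_id = name.split(":")

        def post(url, data, coord=coord):  # canned response instead of HTTP
            return json.dumps(SAMPLE_RESPONSES[coord]).encode()
        findings += [(coord, v) for v in query_osv(group_id, artifact_id, version, post)]
    groups = group_findings(findings)
    code, hits = check(groups, threshold)
    return code, hits, groups


if __name__ == "__main__":
    code, hits, groups = scan_sample()
    for key, g in sorted(groups.items(),
                         key=lambda kv: -SEVERITY_RANK.get(kv[1]["severity"], 0)):
        print(f"{g['severity']:<8} {key:<22} {g['summary']}  affects {sorted(g['artifacts'])}")
    raise SystemExit(code)
```

Two details worth keeping if this were ported to the Java client: the grouping keys on the CVE id rather than on whichever id OSV happens to return first, so the same issue reported as `GHSA-...` for one artifact and `CVE-...` for another shows up once with both artifacts under it; and a record with no recognisable severity label is kept as `UNKNOWN` (ranked below LOW) so the `check` action never silently passes on an advisory it could not classify.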