[ https://issues.apache.org/jira/browse/CAMEL-23869?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18092951#comment-18092951 ]

Claus Ibsen commented on CAMEL-23869:
-------------------------------------

Some additional notes:

* The TUI vulnerability scanning should only scan *running* Camel integrations; 
the classpath/dependency info is already available from the running 
application via the dev console. This is not a standalone Maven project scanner 
(Pilot already covers that use case).

* We could also add a reference to the Maveniverse Pilot project 
(https://github.com/maveniverse/pilot) in the TUI F1 help overlay, so users who 
want deeper Maven-level dependency analysis (full dependency trees, updates, 
conflicts, license audit) know where to look. Pilot is built on the same 
TamboUI framework and complements the Camel TUI nicely.

> camel-jbang TUI - Add vulnerability scanning panel using OSV.dev
> ----------------------------------------------------------------
>
>                 Key: CAMEL-23869
>                 URL: https://issues.apache.org/jira/browse/CAMEL-23869
>             Project: Camel
>          Issue Type: Improvement
>          Components: camel-jbang
>            Reporter: Claus Ibsen
>            Priority: Major
>              Labels: tui
>
> Add a vulnerability scanning panel to the Camel TUI that queries the OSV.dev 
> API to check dependencies of running Camel integrations for known CVEs.
> The Maveniverse Pilot project (https://github.com/maveniverse/pilot) already 
> has a clean implementation of this using the same TamboUI widget framework 
> that the Camel TUI uses. The key pieces that could be adopted:
> h3. OSV.dev Client
> A lightweight HTTP client (~130 lines) that queries 
> https://api.osv.dev/v1/query with Maven ecosystem coordinates 
> (groupId:artifactId + version). Returns vulnerability id, summary, severity, 
> published date, and aliases (GHSA/CVE cross-references). No API key required.
> h3. Interactive TUI Panel
> - Severity-coded rows: CRITICAL (red bold), HIGH (yellow), MEDIUM (white), 
> LOW (dim)
> - Group vulnerabilities by CVE ID, deduplicating aliases (e.g. GHSA-xxx and 
> CVE-xxx pointing to the same issue)
> - Expandable tree showing affected artifacts under each CVE group
> - Scope filtering (compile, runtime, test, provided)
> - Search and sort support
> - Detail pane with links to NVD/GHSA/OSV pages
> h3. Non-Interactive CI Mode
> Support a non-interactive mode (e.g. via camel audit or similar) with:
> - report action: plain-text vulnerability report to stdout
> - check action: fail with exit code 1 if vulnerabilities at or above a 
> severity threshold are found (default: HIGH, configurable)
> h3. Optional: License Scanning
> Pilot also combines license scanning (fetching POM metadata from Maven 
> Central) with vulnerability scanning in the same audit view. This could be a 
> follow-up enhancement.
> h3. Reference Implementation
> See the Pilot source code:
> - [OsvClient.java|https://github.com/maveniverse/pilot/blob/main/pilot-core/src/main/java/eu/maveniverse/maven/pilot/OsvClient.java] - OSV API client
> - [AuditTui.java|https://github.com/maveniverse/pilot/blob/main/pilot-core/src/main/java/eu/maveniverse/maven/pilot/AuditTui.java] - Interactive TUI panel
> - [AuditReporter.java|https://github.com/maveniverse/pilot/blob/main/pilot-core/src/main/java/eu/maveniverse/maven/pilot/AuditReporter.java] - Non-interactive reporter
> - [AuditMojo.java|https://github.com/maveniverse/pilot/blob/main/pilot-plugin/src/main/java/eu/maveniverse/maven/pilot/mvn3/AuditMojo.java] - Maven plugin entry point
> The Camel TUI already has classpath/dependency information available from the 
> running application, so the data source is there. The TamboUI rendering 
> patterns from Pilot would translate directly.
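The audit flow the issue describes (query https://api.osv.dev/v1/query with Maven coordinates, group results by CVE while deduplicating GHSA/CVE aliases, print a report, and fail with exit code 1 at or above a severity threshold) as an added, self-contained Python example. It is not code from Camel or from the Pilot project. The query body shape is the documented OSV.dev one; the use of `database_specific.severity` as the severity label, the mapping of OSV's "MODERATE" to the MEDIUM bucket, the function names and the `example.org` coordinates and advisory ids are assumptions and constructed placeholders, and the `fake_transport` stands in for the network so the script runs offline:

```python
"""Minimal OSV.dev audit flow: query, deduplicate by CVE, report, threshold check.
Added example; not Camel or Pilot code."""
import json
import urllib.request

OSV_QUERY_URL = "https://api.osv.dev/v1/query"
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "UNKNOWN": 0}


def osv_query_payload(group_id, artifact_id, version):
    """Request body OSV.dev expects for one Maven coordinate (groupId:artifactId + version)."""
    return {"package": {"name": f"{group_id}:{artifact_id}", "ecosystem": "Maven"},
            "version": version}


def post_json(url, payload):
    """Real HTTP transport; no API key is needed. Not used by the offline demo below."""
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def severity_label(vuln):
    """Assumption: GHSA-sourced OSV records carry a text label in database_specific.severity.
    Records without one fall back to UNKNOWN instead of parsing CVSS vectors here."""
    label = (vuln.get("database_specific") or {}).get("severity", "UNKNOWN").upper()
    if label == "MODERATE":          # OSV/GHSA spelling for the MEDIUM bucket
        label = "MEDIUM"
    return label if label in SEVERITY_RANK else "UNKNOWN"


def canonical_id(vuln):
    """Prefer a CVE id so GHSA-x and CVE-y describing one issue collapse into one group."""
    ids = [vuln["id"]] + list(vuln.get("aliases", []))
    cves = sorted(i for i in ids if i.startswith("CVE-"))
    return cves[0] if cves else vuln["id"]


def audit(coordinates, transport=post_json):
    """Query OSV for each (group, artifact, version) and group the findings by canonical id."""
    groups = {}
    for group_id, artifact_id, version in coordinates:
        coord = f"{group_id}:{artifact_id}:{version}"
        response = transport(OSV_QUERY_URL, osv_query_payload(group_id, artifact_id, version))
        for vuln in response.get("vulns", []):
            key = canonical_id(vuln)
            entry = groups.setdefault(key, {"severity": "UNKNOWN", "aliases": set(),
                                            "artifacts": set(), "summary": vuln.get("summary", "")})
            entry["aliases"].update([vuln["id"], *vuln.get("aliases", [])])
            entry["aliases"].discard(key)          # the canonical id is the group key, not an alias
            entry["artifacts"].add(coord)          # expandable tree: artifacts under each CVE
            if SEVERITY_RANK[severity_label(vuln)] > SEVERITY_RANK[entry["severity"]]:
                entry["severity"] = severity_label(vuln)   # keep the worst label seen
    return groups


def report(groups):
    """Plain-text report (the 'report' action), most severe first."""
    lines = []
    for key, entry in sorted(groups.items(), key=lambda kv: -SEVERITY_RANK[kv[1]["severity"]]):
        aliases = ", ".join(sorted(entry["aliases"]))
        lines.append(f"{entry['severity']:<8} {key} ({aliases}) {entry['summary']}")
        for coord in sorted(entry["artifacts"]):
            lines.append(f"         affects {coord}")
    return "\n".join(lines)


def check(groups, threshold="HIGH"):
    """The 'check' action: exit code 1 when any group is at or above the threshold."""
    worst = max((SEVERITY_RANK[e["severity"]] for e in groups.values()), default=0)
    return 1 if worst >= SEVERITY_RANK[threshold] else 0


# Constructed sample responses standing in for api.osv.dev; ids are placeholders, not real advisories.
FAKE_OSV = {
    "example.org:lib-a": {"vulns": [
        {"id": "GHSA-xxxx-xxxx-0001", "aliases": ["CVE-0000-00001"],
         "summary": "placeholder: deserialization issue", "published": "2024-01-01T00:00:00Z",
         "database_specific": {"severity": "HIGH"}}]},
    "example.org:lib-b": {"vulns": [
        {"id": "CVE-0000-00001", "aliases": ["GHSA-xxxx-xxxx-0001"],
         "summary": "placeholder: deserialization issue", "published": "2024-01-01T00:00:00Z",
         "database_specific": {"severity": "MODERATE"}},
        {"id": "GHSA-xxxx-xxxx-0002", "aliases": [],
         "summary": "placeholder: path traversal", "published": "2024-02-01T00:00:00Z",
         "database_specific": {"severity": "LOW"}}]},
}


def fake_transport(url, payload):
    """Offline stand-in for post_json keyed on the Maven package name."""
    return FAKE_OSV.get(payload["package"]["name"], {"vulns": []})


SAMPLE_COORDS = [("example.org", "lib-a", "1.0.0"),
                 ("example.org", "lib-b", "2.3.1"),
                 ("example.org", "lib-c", "0.1")]

if __name__ == "__main__":
    found = audit(SAMPLE_COORDS, transport=fake_transport)
    print(report(found))
    raise SystemExit(check(found))   # exit 1 here: one HIGH finding at the default threshold
```

The same issue is reported once as a GHSA id with a CVE alias and once as the CVE itself, and the two collapse into a single CVE group listing both artifacts, which is the deduplication the issue asks for. Swapping `fake_transport` for `post_json` runs the real query; a running integration's dependency list would feed `SAMPLE_COORDS` in place of the constructed ones.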



--
This message was sent by Atlassian Jira
(v8.20.10#820010)