[ https://issues.apache.org/jira/browse/CAMEL-23869?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Claus Ibsen resolved CAMEL-23869.
---------------------------------
Resolution: Fixed
> camel-jbang TUI - Add vulnerability scanning panel using OSV.dev
> ----------------------------------------------------------------
>
> Key: CAMEL-23869
> URL: https://issues.apache.org/jira/browse/CAMEL-23869
> Project: Camel
> Issue Type: Improvement
> Components: camel-jbang
> Reporter: Claus Ibsen
> Assignee: Claus Ibsen
> Priority: Major
> Labels: tui
> Fix For: 4.22.0
>
>
> Add a vulnerability scanning panel to the Camel TUI that queries the OSV.dev
> API to check dependencies of running Camel integrations for known CVEs.
> The Maveniverse Pilot project (https://github.com/maveniverse/pilot) already
> has a clean implementation of this using the same TamboUI widget framework
> that the Camel TUI uses. The key pieces that could be adopted:
> h3. OSV.dev Client
> A lightweight HTTP client (~130 lines) that queries
> https://api.osv.dev/v1/query with Maven ecosystem coordinates
> (groupId:artifactId + version). Returns vulnerability id, summary, severity,
> published date, and aliases (GHSA/CVE cross-references). No API key required.
> h3. Interactive TUI Panel
> - Severity-coded rows: CRITICAL (red bold), HIGH (yellow), MEDIUM (white),
> LOW (dim)
> - Group vulnerabilities by CVE ID, deduplicating aliases (e.g. GHSA-xxx and
> CVE-xxx pointing to the same issue)
> - Expandable tree showing affected artifacts under each CVE group
> - Scope filtering (compile, runtime, test, provided)
> - Search and sort support
> - Detail pane with links to NVD/GHSA/OSV pages
> h3. Non-Interactive CI Mode
> Support a non-interactive mode (e.g. via camel audit or similar) with:
> - report action: plain-text vulnerability report to stdout
> - check action: fail with exit code 1 if vulnerabilities at or above a
> severity threshold are found (default: HIGH, configurable)
> h3. Optional: License Scanning
> Pilot also combines license scanning (fetching POM metadata from Maven
> Central) with vulnerability scanning in the same audit view. This could be a
> follow-up enhancement.
> h3. Reference Implementation
> See the Pilot source code:
> - [OsvClient.java|https://github.com/maveniverse/pilot/blob/main/pilot-core/src/main/java/eu/maveniverse/maven/pilot/OsvClient.java] - OSV API client
> - [AuditTui.java|https://github.com/maveniverse/pilot/blob/main/pilot-core/src/main/java/eu/maveniverse/maven/pilot/AuditTui.java] - Interactive TUI panel
> - [AuditReporter.java|https://github.com/maveniverse/pilot/blob/main/pilot-core/src/main/java/eu/maveniverse/maven/pilot/AuditReporter.java] - Non-interactive reporter
> - [AuditMojo.java|https://github.com/maveniverse/pilot/blob/main/pilot-plugin/src/main/java/eu/maveniverse/maven/pilot/mvn3/AuditMojo.java] - Maven plugin entry point
> The Camel TUI already has classpath/dependency information available from the
> running application, so the data source is there. The TamboUI rendering
> patterns from Pilot would translate directly.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
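As an added, stand-alone illustration (not Camel's or Pilot's code) of the three pieces the issue describes: the OSV.dev query shape for Maven coordinates, grouping by CVE id with GHSA/CVE aliases deduplicated, and the severity-threshold check behind a non-interactive `check` action. Python is used so it runs offline against a constructed sample response; the `http` stub hook, the org.example coordinates and the reading of the severity label from `database_specific` are assumptions.

```python
import json
from urllib import request
OSV_QUERY_URL = "https://api.osv.dev/v1/query"  # endpoint named in the issue
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "MODERATE": 2, "HIGH": 3, "CRITICAL": 4}
def build_query(group_id, artifact_id, version):
    # OSV's Maven ecosystem names a package as groupId:artifactId
    return {"version": version,
            "package": {"ecosystem": "Maven", "name": f"{group_id}:{artifact_id}"}}
def query_osv(group_id, artifact_id, version, http=None):
    # POST one query; `http(body_bytes) -> dict` is a hypothetical hook to stub the network
    body = json.dumps(build_query(group_id, artifact_id, version)).encode()
    if http is None:
        req = request.Request(OSV_QUERY_URL, data=body, headers={"Content-Type": "application/json"})
        with request.urlopen(req, timeout=30) as resp:
            return json.load(resp).get("vulns", [])
    return http(body).get("vulns", [])
def canonical_id(vuln):
    # GHSA-x and CVE-y records for the same bug collapse onto the (lowest) CVE id
    ids = [vuln.get("id", "")] + list(vuln.get("aliases", []))
    cves = sorted(i for i in ids if i.startswith("CVE-"))
    return cves[0] if cves else vuln.get("id", "")
def severity_of(vuln):
    # assumption: GHSA-style database_specific.severity label; UNKNOWN when absent
    return str(vuln.get("database_specific", {}).get("severity", "UNKNOWN")).upper()
def group_findings(findings):
    # findings: (artifact_coordinate, vuln_record) pairs -> {cve_or_id: {severity, artifacts, summary}}
    groups = {}
    for coord, vuln in findings:
        g = groups.setdefault(canonical_id(vuln), {"severity": "UNKNOWN", "artifacts": set(),
                                                    "summary": vuln.get("summary", "")})
        g["artifacts"].add(coord)  # the TUI's tree children: artifacts under each CVE group
        if SEVERITY_RANK.get(severity_of(vuln), 0) > SEVERITY_RANK.get(g["severity"], 0):
            g["severity"] = severity_of(vuln)  # keep the worst label seen for the group
    return groups
def check_exit_code(groups, threshold="HIGH"):
    # the 'check' action: 1 when any group is at or above the threshold, else 0
    limit = SEVERITY_RANK[threshold.upper()]
    return int(any(SEVERITY_RANK.get(g["severity"], 0) >= limit for g in groups.values()))
# Constructed sample response: GHSA and CVE views of one bug, returned for every queried artifact
SAMPLE = {"vulns": [
    {"id": "GHSA-xxxx-xxxx-xxxx", "aliases": ["CVE-2099-00001"], "summary": "constructed",
     "database_specific": {"severity": "HIGH"}},
    {"id": "CVE-2099-00001", "aliases": ["GHSA-xxxx-xxxx-xxxx"], "summary": "constructed",
     "database_specific": {"severity": "MODERATE"}}]}
def demo(threshold="HIGH"):
    # offline scan of two constructed coordinates -> (group count, exit code)
    coords = ["org.example:lib-a:1.0", "org.example:lib-b:2.0"]
    findings = [(c, v) for c in coords for v in query_osv(*c.split(":"), http=lambda _b: SAMPLE)]
    groups = group_findings(findings)
    return len(groups), check_exit_code(groups, threshold)
```

The four raw findings (two records for each of two artifacts) collapse into one CVE group listing both artifacts, so the report stays readable and the exit code reflects the worst severity once rather than per alias.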