[ 
https://issues.apache.org/jira/browse/CAMEL-23979?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Work on CAMEL-23979 started by Andrea Cosentino.
------------------------------------------------
> camel-jbang-mcp: expose CVE security advisories as MCP tool and resources
> -------------------------------------------------------------------------
>
>                 Key: CAMEL-23979
>                 URL: https://issues.apache.org/jira/browse/CAMEL-23979
>             Project: Camel
>          Issue Type: Improvement
>          Components: camel-jbang
>            Reporter: Andrea Cosentino
>            Assignee: Andrea Cosentino
>            Priority: Major
>
> The camel-jbang-mcp MCP server already exposes a security surface: the 
> camel_harden tool, the SecurityData registry of security-sensitive 
> components, and the camel://security/* resources. However it has no knowledge 
> of the published Camel CVE security advisories 
> (https://camel.apache.org/security/), so an AI agent using the server cannot 
> answer questions like "is my Camel 4.10.1 project affected by known CVEs?" or 
> flag that a route using platform-http plus bean on Camel 4.10.1 is exposed to 
> CVE-2025-27636.
> The advisories behind that page are maintained in the apache/camel-website 
> repository under content/security/CVE-*.md with structured YAML front matter 
> (cve, severity, summary, description, mitigation, credit, affected, fixed, 
> date), so the data is machine-consumable without HTML scraping.
> h3. Proposal
> # New MCP tool {{camel_security_advisories}}: optional args camelVersion, 
> component, severity; returns matching published advisories (cve, severity, 
> summary, affected, fixed, mitigation, link). Declared with openWorldHint=true 
> since it fetches remote data.
> # New MCP resources {{camel://security/advisories}} (list) and 
> {{camel://security/advisory/\{cve\}}} (detail), following the existing 
> SecurityResources pattern.
> # Integrate advisory matching into the camel_harden tool context: when route 
> analysis identifies components and a camelVersion is provided, include known 
> CVEs affecting those components at that version.
> h3. Design notes
> * Advisory data is fetched at runtime (with a local cache under the user 
> home, e.g. ~/.camel-jbang) rather than embedded at build time, because 
> embedded snapshots go stale: a server released before a CVE is published 
> would never know about it. Runtime downloads are already part of the server's 
> operating model (CatalogService resolves version-specific catalogs via Maven).
> * Offline behavior must be explicit ("advisory data unavailable"), never a 
> silently stale "no CVEs found".
> * Only published advisories from the public website/repository are used.
> * The {{affected}} field is prose (e.g. "Apache Camel 4.10.0 before 4.10.2 
> ..."); recent advisories follow a consistent pattern so a best-effort 
> affectsGivenVersion flag can be computed, with the prose always returned 
> verbatim for the LLM to reason over.
> * Component filtering starts as best-effort token matching (camel-<name>) 
> against summary/description; a structured components front-matter field could 
> be added to new advisories in camel-website as a follow-up.
> * Initial data source: the camel-website repository raw content (tree listing 
> plus cached per-advisory fetches). As a follow-up, camel-website could 
> publish a machine-readable JSON feed (e.g. /security/index.json via a Hugo 
> output format) and become the canonical endpoint for this and other tooling.
> * Tests use canned advisory fixtures so CI requires no network.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to