Vulnerability Consumer

analyzer/pom.xml

@@ -24,6 +24,7 @@
         <module>repo-cloner-plugin</module>
         <module>quality-analyzer</module>
         <module>restapi-plugin</module>
+        <module>vulnerability-consumer</module>
     </modules>
 
     <build>
@@ -59,5 +60,20 @@
             </plugin>
         </plugins>
     </build>
+<!--   Jacoco  reporting   -->
+    <reporting>
+        <plugins>
+            <plugin>
+                <groupId>org.jacoco</groupId>
+                <artifactId>jacoco-maven-plugin</artifactId>
+                <version>0.8.2</version>
+                <configuration>
+                    <excludes>
+                        <exclude>**/Main.*</exclude>
+                    </excludes>
+                </configuration>
+            </plugin>
+        </plugins>
+    </reporting>
 
 </project>

analyzer/vulnerability-consumer/README.md

@@ -0,0 +1,39 @@
+<p align="center">
+    <img src="https://user-images.githubusercontent.com/45048351/90056609-d2c67900-dce7-11ea-9f66-3717998d861d.jpg">
+</p>
+<br/>
+<p align="center">
+    <a href="https://github.com/fasten-project/fasten/actions" alt="GitHub Workflow Status">
+        <img src="https://img.shields.io/github/workflow/status/fasten-project/fasten/Java%20CI?logo=GitHub%20Actions&logoColor=white&style=for-the-badge" /></a>
+    <!-- Here should be a link to Maven repo and version should be pulled from there. -->
+    <a href="https://github.com/fasten-project/fasten/" alt="GitHub Workflow Status">
+                <img src="https://img.shields.io/maven-central/v/fasten/vulnerability?label=version&logo=Apache%20Maven&style=for-the-badge" /></a>
+</p>
+<br/>
+
+
+The FASTEN Vulnerability Consumer is used for inserting Vulnerability Information into the [Metadata Database](https://github.com/fasten-project/fasten/wiki/Metadata-Database-Schema).  It can be used both as a standalone tool and as a part of FASTEN server.
+
+## Arguments
+- `-h` `--help` Show this help message and exit.
+- `-d` `--database` Database URL for connection
+- `-u` `--user` Database user name
+
+## Usage 
+
+#### Injecting vulnerability information into the KB
+```shell script
+FASTEN_DBPASS=pass -d jdbc:postgresql:postgres -u postgres
+```
+
+## Join the community
+
+The FASTEN software package management efficiency relies on an open community contributing to open technologies. Related research projects, R&D engineers, early users and open source contributors are welcome to join the [FASTEN community](https://www.fasten-project.eu/view/Main/Community), to try the tools, to participate in physical and remote worshops and to share our efforts using the project [community page](https://www.fasten-project.eu/view/Main/Community) and the social media buttons below.  
+<p>
+    <a href="http://www.twitter.com/FastenProject" alt="Fasten Twitter">
+        <img src="https://img.shields.io/badge/%20-Twitter-%231DA1F2?logo=Twitter&style=for-the-badge&logoColor=white" /></a>
+    <a href="http://www.slideshare.net/FastenProject" alt="GitHub Workflow Status">
+                <img src="https://img.shields.io/badge/%20-SlideShare-%230077B5?logo=slideshare&style=for-the-badge&logoColor=white" /></a>
+    <a href="http://www.linkedin.com/groups?gid=12172959" alt="Gitter">
+            <img src="https://img.shields.io/badge/%20-LinkedIn-%232867B2?logo=linkedin&style=for-the-badge&logoColor=white" /></a>
+</p>

analyzer/vulnerability-consumer/pom.xml

@@ -0,0 +1,137 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+
+    <parent>
+        <artifactId>analyzer</artifactId>
+        <groupId>eu.fasten</groupId>
+        <version>0.0.1-SNAPSHOT</version>
+    </parent>
+    <modelVersion>4.0.0</modelVersion>
+
+    <artifactId>vulnerability-consumer</artifactId>
+
+    <!--    Dependencies-->
+    <dependencies>
+        <dependency>
+            <groupId>eu.fasten</groupId>
+            <artifactId>server</artifactId>
+            <version>0.0.1-SNAPSHOT</version>
+            <scope>compile</scope>
+        </dependency>
+        <dependency>
+            <groupId>eu.fasten</groupId>
+            <artifactId>core</artifactId>
+            <version>0.0.1-SNAPSHOT</version>
+        </dependency>
+        <dependency>
+            <groupId>info.picocli</groupId>
+            <artifactId>picocli</artifactId>
+            <version>4.0.4</version>
+        </dependency>
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-databind</artifactId>
+            <version>2.12.0</version>
+        </dependency>
+    </dependencies>
+
+    <!--    Build-->
+    <build>
+        <testSourceDirectory>${project.basedir}/src/test/java/</testSourceDirectory>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-shade-plugin</artifactId>
+                <version>3.2.1</version>
+                <executions>
+                    <execution>
+                        <phase>package</phase>
+                        <goals>
+                            <goal>shade</goal>
+                        </goals>
+                        <configuration>
+                            <minimizeJar>false</minimizeJar>
+                            <keepDependenciesWithProvidedScope>false</keepDependenciesWithProvidedScope>
+                            <artifactSet>
+                                <excludes>
+                                    <exclude>org.slf4j:slf4j-simple:*</exclude>
+                                    <exclude>org.slf4j:slf4j-api:*</exclude>
+                                </excludes>
+                            </artifactSet>
+                            <transformers>
+                                <transformer implementation="org.apache.maven.plugins.shade.resource.ManifestResourceTransformer">
+                                    <manifestEntries>
+                                        <Main-Class>eu.fasten.analyzer.vulnerabilityconsumer.Main</Main-Class>
+                                        <X-Compile-Source-JDK>11</X-Compile-Source-JDK>
+                                        <X-Compile-Target-JDK>11</X-Compile-Target-JDK>
+                                        <Plugin-Class>eu.fasten.analyzer.vulnerabilityconsumer.VulnerabilityConsumer</Plugin-Class>
+                                        <Plugin-Id>vulnerability-consumer</Plugin-Id>
+                                        <Plugin-Version>0.0.1</Plugin-Version>
+                                        <Plugin-Description>
+                                            Injects vulnerability information in the DB.
+                                        </Plugin-Description>
+                                        <Plugin-License>Apache License 2.0</Plugin-License>
+                                    </manifestEntries>
+                                </transformer>
+                            </transformers>
+                            <!-- Note that this works when maven is ran in the root directory of the project  -->
+                            <outputDirectory>${session.executionRootDirectory}/docker/plugins/</outputDirectory>
+                            <shadedArtifactAttached>true</shadedArtifactAttached>
+                            <shadedClassifierName>with-dependencies</shadedClassifierName>
+                        </configuration>
+                    </execution>
+                </executions>
+                <configuration>
+                    <filters>
+                        <filter>
+                            <artifact>*:*</artifact>
+                            <excludes>
+                                <exclude>module-info.class</exclude>
+                                <exclude>META-INF/*.SF</exclude>
+                                <exclude>META-INF/*.DSA</exclude>
+                                <exclude>META-INF/*.RSA</exclude>
+                                <exclude>eu/fasten/core/plugins/*</exclude>
+                            </excludes>
+                        </filter>
+                        <filter>
+                            <artifact>org.apache.kafka:*</artifact>
+                            <excludes>
+                                <exclude>org/apache/kafka/**</exclude>
+                            </excludes>
+                        </filter>
+                    </filters>
+                </configuration>
+            </plugin>
+
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <version>3.8.1</version>
+                <configuration>
+                    <annotationProcessors>
+                        <annotationProcessor>org.pf4j.processor.ExtensionAnnotationProcessor</annotationProcessor>
+                    </annotationProcessors>
+                    <source>1.11</source>
+                    <target>1.11</target>
+                </configuration>
+            </plugin>
+        </plugins>
+    </build>
+
+    <!--    Reporting-->
+    <reporting>
+        <plugins>
+            <plugin>
+                <groupId>org.jacoco</groupId>
+                <artifactId>jacoco-maven-plugin</artifactId>
+                <version>0.8.2</version>
+                <configuration>
+                    <excludes>
+                    </excludes>
+                </configuration>
+            </plugin>
+        </plugins>
+    </reporting>
+</project>

analyzer/vulnerability-consumer/src/main/java/eu/fasten/analyzer/vulnerabilityconsumer/Main.java

@@ -0,0 +1,119 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package eu.fasten.analyzer.vulnerabilityconsumer;
+
+import eu.fasten.core.data.Constants;
+import eu.fasten.core.dbconnectors.PostgresConnector;
+import org.jooq.DSLContext;
+import org.json.JSONArray;
+import org.json.JSONTokener;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import picocli.CommandLine;
+
+import java.io.FileNotFoundException;
+import java.io.FileReader;
+import java.sql.SQLException;
+import java.util.HashMap;
+
+@CommandLine.Command(name = "Vulnerability Consumer")
+public class Main implements Runnable {
+
+    private static final Logger logger = LoggerFactory.getLogger(Main.class);
+
+    @CommandLine.Option(names = {"-f", "--file"},
+            paramLabel = "JSON_FILE",
+            description = "Path to JSON file which contains the vulnerability")
+    String jsonFile;
+
+    @CommandLine.Option(names = {"-mdb", "--mvn_database"},
+            paramLabel = "MVN_DB_URL",
+            description = "Database URL for connection to mvn DB",
+            defaultValue = "jdbc:postgresql:fasten_java")
+    String mvnDbUrl;
+
+    @CommandLine.Option(names = {"-pdb", "--pypi_database"},
+            paramLabel = "PYPI_DB_URL",
+            description = "Database URL for connection to pypi DB",
+            defaultValue = "jdbc:postgresql:fasten_pypi")
+    String pypiDbUrl;
+
+    @CommandLine.Option(names = {"-cdb", "--debian_database"},
+            paramLabel = "DEB_DB_URL",
+            description = "Database URL for connection to debian KB",
+            defaultValue = "jdbc:postgresql:fasten_c")
+    String debianDbUrl;
+
+    @CommandLine.Option(names = {"-u", "--user"},
+            paramLabel = "DB_USER",
+            description = "Database user name",
+            defaultValue = "postgres")
+    String dbUser;
+
+    @CommandLine.Option(names = {"-p", "--path_folder"},
+            paramLabel = "PATH_FOLDER",
+            description = "Path to folder to store vulnearabilities",
+            defaultValue = "/root/mnt/vulnerabilities/")
+    String pathToFolder;
+
+    @CommandLine.Option(names = {"-P", "--PURGE"},
+            paramLabel = "PURGE_OPTION",
+            description = "If set to true, all DBS will be purged from all vulnerability entries.")
+    boolean purge;
+
+    public static void main(String[] args) {
+        final int exitCode = new CommandLine(new Main()).execute(args);
+        System.exit(exitCode);
+    }
+
+    @Override
+    public void run() {
+        var vulnerabilityConsumer = new VulnerabilityConsumer.VulnerabilityConsumerExtension();
+        try {
+            var mvnContext = PostgresConnector.getDSLContext(mvnDbUrl, dbUser);
+            var pypiContext = PostgresConnector.getDSLContext(pypiDbUrl, dbUser);
+            var debianContext = PostgresConnector.getDSLContext(debianDbUrl, dbUser);
+
+            var contexts = new HashMap<String, DSLContext>();
+            contexts.put(Constants.debianForge, debianContext);
+            contexts.put(Constants.mvnForge, mvnContext);
+            contexts.put(Constants.pypiForge, pypiContext);
+
+            vulnerabilityConsumer.setDBConnection(contexts);
+
+            if (purge) {
+                vulnerabilityConsumer.purgeVulnerabilitiesFromDB();
+                return;
+            }
+        } catch (IllegalArgumentException | SQLException e) {
+            logger.error("Could not connect to the database", e);
+            return;
+        }
+        final FileReader reader;
+        try {
+            reader = new FileReader(jsonFile);
+        } catch (FileNotFoundException e) {
+            logger.error("Could not find the JSON file at " + jsonFile, e);
+            return;
+        }
+        final JSONArray vulnsJson = new JSONArray(new JSONTokener(reader));
+        vulnsJson.forEach(v -> vulnerabilityConsumer.consume(v.toString()));
+        vulnerabilityConsumer.produce().ifPresent(System.out::println);
+    }
+}