Failed to create note by Java-client api

[AliredDevils]

Steps to Reproduce the Problem

1.Start grafeas server
cd go/v1beta1
go run main/main.go

2.Create grafeas client api
https://github.com/grafeas/client-java/tree/master/0.1.0

3.Create grafeas client project to create note
`ApiNote noteBody = new ApiNote();

        noteBody.setName(String.format("%s/notes/%s", parent, dockerScan.getVulnerability()));

        noteBody.setShortDescription(dockerScan.getVulnerability());
        noteBody.setLongDescription(dockerScan.getDescription());

        noteBody.setKind(ApiNoteKind.fromValue("VULNERABILITY"));

        // related Url
        List<NoteRelatedUrl> noteRelatedUrlList = new LinkedList<NoteRelatedUrl>();
        NoteRelatedUrl noteRelatedUrl = new NoteRelatedUrl();
        noteRelatedUrl.setUrl(dockerScan.getLink());
        noteRelatedUrlList.add(noteRelatedUrl);
        noteBody.setRelatedUrl(noteRelatedUrlList);

        // vulnerability info
        ApiVulnerabilityType vulnerabilityType = new ApiVulnerabilityType();
        vulnerabilityType.setSeverity(VulnerabilityTypeSeverity.valueOf(dockerScan.getSeverity().toUpperCase()));

        // vulnerability details
        List<VulnerabilityTypeDetail> vulTypeDetailList = new LinkedList<VulnerabilityTypeDetail>();
        VulnerabilityTypeDetail vulTypeDetail = new VulnerabilityTypeDetail();
        vulTypeDetail.setDescription(dockerScan.getDescription());
        vulTypeDetail.setPackage(dockerScan.getFeature_name());
        vulTypeDetail.setCpeUri(dockerScan.getNamespace());
        vulTypeDetail.setSeverityName(dockerScan.getSeverity());

        //vulnerability affected
        VulnerabilityTypeVersion vulMaxVersion = new VulnerabilityTypeVersion();
        vulMaxVersion.setName(dockerScan.getFeature_version());
        vulTypeDetail.setMaxAffectedVersion(vulMaxVersion);


        //vulnerability fixed
        VulnerabilityTypeVulnerabilityLocation vulTypeVulLocation = new VulnerabilityTypeVulnerabilityLocation();
        vulTypeVulLocation.setCpeUri(dockerScan.getNamespace());
        vulTypeVulLocation.setPackage(dockerScan.getFeature_name());

        //vulnerability version
        VulnerabilityTypeVersion vulFixedVersion = new VulnerabilityTypeVersion();
        vulFixedVersion.setKind(VersionVersionKind.NORMAL);
        vulFixedVersion.setName(dockerScan.getFixedby());
        vulTypeVulLocation.setVersion(vulFixedVersion);
        vulTypeDetail.setFixedLocation(vulTypeVulLocation);

        vulTypeDetailList.add(vulTypeDetail);
        vulnerabilityType.setDetails(vulTypeDetailList);

        noteBody.setVulnerabilityType(vulnerabilityType);

        try {
            ApiNote result = apiInstance.createNote(parent, noteBody);
        } catch (ApiException ex) {
            logger.error("Exception when calling GrafeasApi#createNote");
            logger.error(ex.getResponseBody());
            ex.printStackTrace();
        }`

When i creat note,i get erros:

{"error":"a noteId must be specified","message":"a noteId must be specified","code":3,"details":[]}

But i could not find the api or method to add "noteId" or "note_id",is there something wrong with the client api of mine?

Environment, commands

1. v1beta1 server & client
2. mac os

BR

[aysylu]

@wkozlik could you please TAL?

[wkozlik]

Hi @AliredDevils, thank you for finding this issue. The library client-java has not been updated for a while so it does not match the v1beta1 API server. Also, while trying to reproduce this issue, I found some other problems with the code generated by swagger that @aysylu described in #428 (comment)

[AliredDevils]

@wkozlik Thanks for your reply.Can you give some suggestion to create client-java api for the latest source code of master branch?

And i find the Java Client for Grafeas,so if i want to know :

1. How to generate this library ?Also by Swagger Codegen?If so,where can i find the swagger json file that i can reference to?

2.The "Java Client for Grafeas" library will be the one i could use for client-Java, is it possible that i build it myself?If so, how to do that?

BR

[wkozlik]

You can generate java client with Swagger yourself. As an example you can follow this script. However, as you noticed, the generated code is not fully working due to several known issues related to the differences in defining resources in Google API and the OpenAPI spec used by Swagger.

As an alternative to Swagger you could try protoc to generate java client code. Below is an example that creates a new note using the code generated with protoc.

package example;

import io.grafeas.v1beta1.vulnerability.Severity;
import io.grafeas.v1beta1.vulnerability.Vulnerability;
import io.grpc.*;
import io.grafeas.v1beta1.*;

class ClientExample {
  public static void main(String args[]){

    CreateNoteRequest noteRequest =
        CreateNoteRequest.newBuilder()
            .setParent("projects/myproject")
            .setNoteId("note100")
            .setNote(
                Note.newBuilder()
                    .setName("projects/myproject/notes/note100")
                    .setKind(NoteKind.VULNERABILITY)
                .setVulnerability(Vulnerability.newBuilder()
                  .setSeverity(Severity.LOW)
                  .setCvssScore(0.5f))
            )
        .build();

    final ManagedChannel channel = ManagedChannelBuilder.forTarget("localhost:8080")
        .usePlaintext()
        .build();

    GrafeasV1Beta1Grpc.GrafeasV1Beta1BlockingStub stub = GrafeasV1Beta1Grpc.newBlockingStub(channel);
    Note note = stub.createNote(noteRequest);
    System.out.println(note);
  }
}

[AliredDevils]

@wkozlik Can you some suggestion about command line to create java client api ?
Now mime is as follow:
protoc --plugin=protoc-gen-grpc-java=protoc-gen-grpc-java-1.28.0-osx-x86_64.exe --grpc-java_out=./java -I ./ -I ../../ -I ./include/ -I googleapis/ grafeas.proto

1.How to make full proto to java client?
2.How to create a jar package such as grafeas-0.24.0.jar?

Thanks

[wkozlik]

This script works for me (adjust path values):

#!/bin/sh

function protoc {
  /usr/local/bin/protoc --plugin=protoc-gen-grpc-java=/path/to/protoc-gen-grpc-java-<arch>.exe --grpc-java_out=/path/to/output -I . -I /path/to/googleapis --java_out=/path/to/output proto/v1beta1/$@
}

protoc attestation.proto
protoc build.proto
protoc common.proto
protoc cvss.proto
protoc deployment.proto
protoc discovery.proto
protoc grafeas.proto
protoc image.proto
protoc package.proto
protoc project.proto
protoc provenance.proto
protoc source.proto
protoc vulnerability.proto

In my case the command is like this (when run from within grafeas repo):

/usr/local/bin/protoc --plugin=protoc-gen-grpc-java=/<path-to-home>/protoc-gen-grpc-java-1.28.0-linux-x86_64.exe --grpc-java_out=/<path-to-home>/go/src/github.com/grafeas/grafeas/java/v1beta1 -I . -I /<path-to-home>/go/src/github.com/googleapis --java_out=java/v1beta1 proto/v1beta1/$@

In my example I did not use the jar file, but I believe you can create it with this command:

$ jar cvf grafeas-0.24.0.jar -C ./java/v1beta1 .

Once you have the library generated, it is important to have a correct version of java libraries that correspond to the version of protoc that was used to generate the code. In my case, protoc is 3.11.4, and the java libraries are:

com.google.api.grpc:proto-google-common-protos:1.17.0
com.google.guava:guava:28.1-jre
com.google.protobuf:protobuf-java-util:3.11.4
com.google.protobuf:protobuf-java:3.11.4
io.grpc:grpc-all:1.28.0
io.gsonfire:gson-fire:1.8.0
org.apache.httpcomponents:httpcore:4.4.13

[AliredDevils]

@wkozlik I have generated the java client api successfully follow your reference.
By the way, the v1beta1 version for intoto.proto model, some modifications for me:

option java_outer_classname = "IntotoBeta";
add the java_outer_classname option in the intoto.proto file to avoid compilation failed.

Thanks a lot.