feat: add trustification-exhort integration

src/main/java/com/redhat/exhort/integration/Constants.java

@@ -52,6 +52,7 @@ private Constants() {}
 
   public static final String SNYK_PROVIDER = "snyk";
   public static final String OSS_INDEX_PROVIDER = "oss-index";
+  public static final String TRUSTIFICATION_PROVIDER = "trustification";
   public static final String UNKNOWN_PROVIDER = "unknown";
 
   public static final String MAVEN_PKG_MANAGER = "maven";
@@ -73,6 +74,7 @@ private Constants() {}
   public static final String SNYK_DEP_GRAPH_API_PATH = "/test/dep-graph";
   public static final String SNYK_TOKEN_API_PATH = "/user/me";
   public static final String OSS_INDEX_AUTH_COMPONENT_API_PATH = "/authorized/component-report";
+  public static final String TRUSTIFICATION_ANALYZE_API_PATH = "/analyze";
 
   public static final String DEFAULT_ACCEPT_MEDIA_TYPE = MediaType.APPLICATION_JSON;
   public static final boolean DEFAULT_VERBOSE_MODE = false;
@@ -83,6 +85,7 @@ private Constants() {}
             {
               add(SNYK_PROVIDER);
               add(OSS_INDEX_PROVIDER);
+              add(TRUSTIFICATION_PROVIDER);
             }
           });
 

src/main/java/com/redhat/exhort/integration/backend/ExhortIntegration.java

@@ -35,9 +35,9 @@
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.redhat.exhort.analytics.AnalyticsService;
 import com.redhat.exhort.integration.Constants;
-import com.redhat.exhort.integration.VulnerabilityProvider;
 import com.redhat.exhort.integration.backend.sbom.SbomParserFactory;
 import com.redhat.exhort.integration.providers.ProviderAggregationStrategy;
+import com.redhat.exhort.integration.providers.VulnerabilityProvider;
 import com.redhat.exhort.monitoring.MonitoringProcessor;
 
 import io.micrometer.core.instrument.MeterRegistry;

src/main/java/com/redhat/exhort/integration/providers/VulnerabilityProvider.java

@@ -50,6 +50,9 @@ public class VulnerabilityProvider {
   @ConfigProperty(name = "api.ossindex.disabled", defaultValue = "false")
   boolean ossIndexDisabled;
 
+  @ConfigProperty(name = "api.trustification.disabled", defaultValue = "false")
+  boolean trustificationDisabled;
+
   private List<String> providers;
 
   @PostConstruct
@@ -59,6 +62,8 @@ public void initProviders() {
             Constants.PROVIDERS.stream()
                 .filter(p -> !(Constants.SNYK_PROVIDER.equals(p) && snykDisabled))
                 .filter(p -> !(Constants.OSS_INDEX_PROVIDER.equals(p) && ossIndexDisabled))
+                .filter(
+                    p -> !(Constants.TRUSTIFICATION_PROVIDER.equals(p) && trustificationDisabled))
                 .toList());
   }
 
@@ -74,6 +79,7 @@ public List<String> getProviderEndpoints(
                 switch (p) {
                   case Constants.SNYK_PROVIDER -> "direct:snykDepGraph";
                   case Constants.OSS_INDEX_PROVIDER -> "direct:ossIndexScan";
+                  case Constants.TRUSTIFICATION_PROVIDER -> "direct:trustificationAnalysis";
                   default -> throw new IllegalArgumentException("Unexpected provider: " + p);
                 })
         .collect(Collectors.toList());

src/main/java/com/redhat/exhort/integration/providers/ossindex/OssIndexIntegration.java

@@ -29,7 +29,7 @@
 import org.eclipse.microprofile.config.inject.ConfigProperty;
 
 import com.redhat.exhort.integration.Constants;
-import com.redhat.exhort.integration.VulnerabilityProvider;
+import com.redhat.exhort.integration.providers.VulnerabilityProvider;
 import com.redhat.exhort.model.DependencyTree;
 import com.redhat.exhort.monitoring.MonitoringProcessor;
 

src/main/java/com/redhat/exhort/integration/providers/trustification/MockTrustificationService.java

@@ -0,0 +1,49 @@
+/*
+ * Copyright 2023 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.redhat.exhort.integration.providers.trustification;
+
+import java.io.IOException;
+
+import org.apache.camel.Exchange;
+import org.apache.camel.builder.endpoint.EndpointRouteBuilder;
+
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.ObjectMapper;
+
+import jakarta.enterprise.context.ApplicationScoped;
+import jakarta.inject.Inject;
+
+@ApplicationScoped
+public class MockTrustificationService extends EndpointRouteBuilder {
+
+  @Inject ObjectMapper mapper;
+
+  @Override
+  public void configure() throws Exception {
+    rest("/v1").post("/analyze").routeId("mockTrustification").to("direct:mockresponse");
+
+    from(direct("mockresponse")).process(this::setBodyFromFile);
+  }
+
+  private void setBodyFromFile(Exchange exchange) throws IOException {
+    JsonNode json =
+        mapper.readTree(this.getClass().getClassLoader().getResourceAsStream("tc-response.json"));
+    exchange.getIn().setBody(json);
+  }
+}

src/main/java/com/redhat/exhort/integration/providers/trustification/TrustificationIntegration.java

@@ -0,0 +1,78 @@
+/*
+ * Copyright 2023 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.redhat.exhort.integration.providers.trustification;
+
+import static com.redhat.exhort.integration.Constants.TRUSTIFICATION_ANALYZE_API_PATH;
+
+import org.apache.camel.Exchange;
+import org.apache.camel.Message;
+import org.apache.camel.builder.endpoint.EndpointRouteBuilder;
+import org.eclipse.microprofile.config.inject.ConfigProperty;
+
+import jakarta.enterprise.context.ApplicationScoped;
+import jakarta.inject.Inject;
+import jakarta.ws.rs.HttpMethod;
+import jakarta.ws.rs.core.MediaType;
+
+@ApplicationScoped
+public class TrustificationIntegration extends EndpointRouteBuilder {
+
+  @ConfigProperty(name = "api.trustification.timeout", defaultValue = "60s")
+  String timeout;
+
+  @Inject TrustificationResponseHandler responseHandler;
+
+  @Override
+  public void configure() {
+
+    // fmt:off
+    from(direct("trustificationAnalysis"))
+        .routeId("trustificationAnalysis")
+          .circuitBreaker()
+          .faultToleranceConfiguration()
+            .timeoutEnabled(true)
+            .timeoutDuration(timeout)
+          .end()
+        .to(direct("trustificationRequest"))
+        .onFallback()
+          .process(responseHandler::processResponseError);
+
+    from(direct("trustificationRequest"))
+        .routeId("trustificationRequest")
+        .transform().method(TrustificationRequestBuilder.class, "build")
+        .process(this::processRequest)
+        .to(vertxHttp("{{api.trustification.host}}"))
+        .transform().method(TrustificationResponseHandler.class, "responseToIssues")
+        .transform().method(TrustificationResponseHandler.class, "buildReport");
+    // fmt:on
+  }
+
+  private void processRequest(Exchange exchange) {
+    Message message = exchange.getMessage();
+
+    message.removeHeader(Exchange.HTTP_PATH);
+    message.removeHeader(Exchange.HTTP_QUERY);
+    message.removeHeader(Exchange.HTTP_URI);
+    message.removeHeader("Accept-Encoding");
+
+    message.setHeader(Exchange.CONTENT_TYPE, MediaType.APPLICATION_JSON);
+    message.setHeader(Exchange.HTTP_PATH, TRUSTIFICATION_ANALYZE_API_PATH);
+    message.setHeader(Exchange.HTTP_METHOD, HttpMethod.POST);
+  }
+}

src/main/java/com/redhat/exhort/integration/providers/trustification/TrustificationRequestBuilder.java

@@ -0,0 +1,43 @@
+/*
+ * Copyright 2023 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.redhat.exhort.integration.providers.trustification;
+
+import org.apache.camel.Body;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.node.ArrayNode;
+import com.fasterxml.jackson.databind.node.ObjectNode;
+import com.redhat.exhort.config.ObjectMapperProducer;
+import com.redhat.exhort.model.DependencyTree;
+
+import io.quarkus.runtime.annotations.RegisterForReflection;
+
+@RegisterForReflection
+public class TrustificationRequestBuilder {
+
+  private final ObjectMapper mapper = ObjectMapperProducer.newInstance();
+
+  public String build(@Body DependencyTree tree) throws JsonProcessingException {
+    ArrayNode purls = mapper.createArrayNode();
+    tree.getAll().stream().map(p -> p.purl().getCoordinates()).forEach(purl -> purls.add(purl));
+    ObjectNode obj = mapper.createObjectNode().set("purls", purls);
+    return mapper.writeValueAsString(obj);
+  }
+}