feat: trustify recommendations

README.md

@@ -5,9 +5,7 @@
 
 ## Dependencies
 
-- Redis cache: Allows caching Red Hat recommendations and remediations. Can be configured with the `quarkus.redis.host` parameter
-- TrustedContent: Provides Red Hat recommendations and remediations.
-- External Vulnerability providers enabled.
+- Trustify: Provides vulnerability data and recommendations [Trustify](https://github.com/guacsec/trustify)
 - Postgres Database: Stores data needed for the Model Cards functionality. See [Model Cards](#model-cards)
 
 ## Vulnerability providers

deploy/trust-da.yaml

@@ -32,16 +32,6 @@ spec:
         env:
         - name: MONITORING_ENABLED
           value: "false"
-        - name: DB_REDIS_HOST
-          valueFrom:
-            secretKeyRef:
-              name: trust-da-secret
-              key: db.host
-        - name: DB_REDIS_PORT
-          valueFrom:
-            secretKeyRef:
-              name: trust-da-secret
-              key: db.port
         - name: TRUSTIFY_HOST
           value: http://trustify:8080/api/v2/
         - name: TRUSTIFY_CLIENT_ID

pom.xml

@@ -89,10 +89,6 @@
       <groupId>io.quarkus</groupId>
       <artifactId>quarkus-rest-jackson</artifactId>
     </dependency>
-    <dependency>
-      <groupId>io.quarkus</groupId>
-      <artifactId>quarkus-redis-client</artifactId>
-    </dependency>
     <dependency>
       <groupId>org.apache.camel.quarkus</groupId>
       <artifactId>camel-quarkus-jackson</artifactId>

src/main/java/io/github/guacsec/trustifyda/integration/Constants.java

@@ -57,7 +57,6 @@ private Constants() {}
   public static final String SPDX_MEDIATYPE_JSON = "application/vnd.spdx+json";
   public static final String CYCLONEDX_MEDIATYPE_JSON = "application/vnd.cyclonedx+json";
 
-  public static final String TRUSTED_CONTENT_PROVIDER = "trusted-content";
   public static final String OSV_PROVIDER = "osv";
 
   public static final String HTTP_UNAUTHENTICATED = "Unauthenticated";
@@ -70,15 +69,13 @@ private Constants() {}
   public static final String API_VERSION_PROPERTY = "apiVersion";
   public static final String GZIP_RESPONSE_PROPERTY = "gzipResponse";
   public static final String SBOM_ID_PROPERTY = "sbomId";
-  public static final String UNSCANNED_REFS_PROPERTY = "unscannedRefs";
-  public static final String CACHED_RECOMMENDATIONS_PROPERTY = "missedRecommendations";
   public static final String PROVIDER_CONFIG_PROPERTY = "providerConfig";
   public static final String PROVIDERS_PROPERTY = "providers";
 
   public static final String OSV_NVD_PURLS_PATH = "/purls";
   public static final String OSV_NVD_HEALTH_PATH = "/q/health";
 
-  public static final String TRUSTED_CONTENT_PATH = "/recommend";
+  public static final String TRUSTIFY_RECOMMEND_PATH = "/api/v2/purl/recommend";
   public static final String TRUSTIFY_ANALYZE_PATH = "/api/v2/vulnerability/analyze";
   public static final String TRUSTIFY_HEALTH_PATH = "/.well-known/trustify";
 

src/main/java/io/github/guacsec/trustifyda/integration/backend/ExhortIntegration.java

@@ -56,7 +56,6 @@
 import io.github.guacsec.trustifyda.integration.providers.VulnerabilityProvider;
 import io.github.guacsec.trustifyda.integration.sbom.SbomParser;
 import io.github.guacsec.trustifyda.integration.sbom.SbomParserFactory;
-import io.github.guacsec.trustifyda.integration.trustedcontent.TcResponseAggregation;
 import io.github.guacsec.trustifyda.model.DependencyTree;
 import io.github.guacsec.trustifyda.model.DirectDependency;
 import io.github.guacsec.trustifyda.monitoring.MonitoringProcessor;
@@ -82,8 +81,6 @@ public class ExhortIntegration extends EndpointRouteBuilder {
 
   @Inject MonitoringProcessor monitoringProcessor;
 
-  @Inject TcResponseAggregation tcResponseAggregation;
-
   @Inject ObjectMapper mapper;
 
   ExhortIntegration(MeterRegistry registry) {
@@ -226,7 +223,6 @@ public void configure() {
 
     from(direct("analyzeSbom"))
       .routeId("analyzeSbom")
-      .enrich(direct("getTrustedContent"), tcResponseAggregation)
       .to(direct("findVulnerabilities"))
       .transform().method(ProviderAggregationStrategy.class, "toReport");
 

src/main/java/io/github/guacsec/trustifyda/integration/providers/ProviderAggregationStrategy.java

@@ -28,7 +28,6 @@
 import io.github.guacsec.trustifyda.api.v5.Scanned;
 import io.github.guacsec.trustifyda.integration.Constants;
 import io.github.guacsec.trustifyda.model.DependencyTree;
-import io.github.guacsec.trustifyda.model.trustedcontent.TrustedContentResponse;
 import io.quarkus.runtime.annotations.RegisterForReflection;
 
 @RegisterForReflection
@@ -45,11 +44,8 @@ public Map<String, ProviderReport> aggregate(
 
   public AnalysisReport toReport(
       @Body Map<String, ProviderReport> reports,
-      @ExchangeProperty(Constants.DEPENDENCY_TREE_PROPERTY) DependencyTree tree,
-      @ExchangeProperty(Constants.TRUSTED_CONTENT_PROVIDER) TrustedContentResponse tcResponse) {
+      @ExchangeProperty(Constants.DEPENDENCY_TREE_PROPERTY) DependencyTree tree) {
 
-    reports.put(
-        Constants.TRUSTED_CONTENT_PROVIDER, new ProviderReport().status(tcResponse.status()));
     var scanned = new Scanned().direct(tree.directCount()).transitive(tree.transitiveCount());
     scanned.total(scanned.getDirect() + scanned.getTransitive());
     return new AnalysisReport().providers(reports).scanned(scanned);