Migrate GitHub mirroring from hyades mirror-service

* Adds a new `VulnDataSource` extension to mirror contents of the GitHub Advisories database.
* Modifies `GitHubAdvisoryMirrorTask` to no longer emit Kafka events, but instead invoke the new GitHub `VulnDataSource`.

Signed-off-by: nscuro <[email protected]>

Author: nscuro

alpine/pom.xml

@@ -99,7 +99,6 @@
         <lib.swagger.version>2.2.37</lib.swagger.version>
         <!-- Unit test libraries -->
         <lib.junit-pioneer.version>2.3.0</lib.junit-pioneer.version>
-        <lib.mockito.version>5.20.0</lib.mockito.version>
         <lib.wiremock.version>2.35.2</lib.wiremock.version>
     </properties>
 
@@ -261,12 +260,6 @@
                     </exclusion>
                 </exclusions>
             </dependency>
-            <dependency>
-                <groupId>org.mockito</groupId>
-                <artifactId>mockito-core</artifactId>
-                <version>${lib.mockito.version}</version>
-                <scope>test</scope>
-            </dependency>
             <dependency>
                 <groupId>com.github.tomakehurst</groupId>
                 <artifactId>wiremock-jre8-standalone</artifactId>

apiserver/pom.xml

@@ -21,7 +21,6 @@
         <lib.awaitility.version>4.3.0</lib.awaitility.version>
         <lib.cloud-sql-postgres-socket-factory.version>1.25.3</lib.cloud-sql-postgres-socket-factory.version>
         <lib.commons-compress.version>1.28.0</lib.commons-compress.version>
-        <lib.cvss-calculator.version>1.4.3</lib.cvss-calculator.version>
         <lib.owasp-rr-calculator.version>1.0.1</lib.owasp-rr-calculator.version>
         <lib.cyclonedx-java.version>10.2.1</lib.cyclonedx-java.version>
         <lib.jaxb.runtime.version>4.0.5</lib.jaxb.runtime.version>
@@ -107,6 +106,11 @@
             <version>${project.version}</version>
         </dependency>
 
+        <dependency>
+            <groupId>org.dependencytrack</groupId>
+            <artifactId>vuln-data-source-github</artifactId>
+            <version>${project.version}</version>
+        </dependency>
         <dependency>
             <groupId>org.dependencytrack</groupId>
             <artifactId>vuln-data-source-nvd</artifactId>
@@ -167,7 +171,6 @@
         <dependency>
             <groupId>us.springett</groupId>
             <artifactId>cvss-calculator</artifactId>
-            <version>${lib.cvss-calculator.version}</version>
         </dependency>
         <dependency>
             <groupId>org.jdbi</groupId>

apiserver/src/main/java/org/dependencytrack/event/kafka/KafkaEventConverter.java

@@ -24,7 +24,6 @@
 import org.dependencytrack.event.ComponentRepositoryMetaAnalysisEvent;
 import org.dependencytrack.event.ComponentVulnerabilityAnalysisEvent;
 import org.dependencytrack.event.EpssMirrorEvent;
-import org.dependencytrack.event.GitHubAdvisoryMirrorEvent;
 import org.dependencytrack.event.OsvMirrorEvent;
 import org.dependencytrack.event.kafka.KafkaTopics.Topic;
 import org.dependencytrack.model.Vulnerability;
@@ -69,7 +68,6 @@ private KafkaEventConverter() {
         return switch (event) {
             case ComponentRepositoryMetaAnalysisEvent e -> convert(e);
             case ComponentVulnerabilityAnalysisEvent e -> convert(e);
-            case GitHubAdvisoryMirrorEvent e -> convert(e);
             case OsvMirrorEvent e -> convert(e);
             case EpssMirrorEvent e -> convert(e);
             default -> throw new IllegalArgumentException("Unable to convert event " + event);
@@ -146,11 +144,6 @@ static KafkaEvent<String, AnalysisCommand> convert(final ComponentRepositoryMeta
         return new KafkaEvent<>(KafkaTopics.REPO_META_ANALYSIS_COMMAND, event.purlCoordinates(), analysisCommand, null);
     }
 
-    static KafkaEvent<String, String> convert(final GitHubAdvisoryMirrorEvent ignored) {
-        final String key = Vulnerability.Source.GITHUB.name();
-        return new KafkaEvent<>(KafkaTopics.VULNERABILITY_MIRROR_COMMAND, key, null);
-    }
-
     static KafkaEvent<String, String> convert(final OsvMirrorEvent event) {
         final String key = Vulnerability.Source.OSV.name();
         final String value = event.ecosystem();

apiserver/src/main/java/org/dependencytrack/plugin/PluginManager.java

@@ -143,6 +143,19 @@ public <T extends ExtensionPoint, U extends ExtensionFactory<T>> U getFactory(fi
         return (U) factory;
     }
 
+    @SuppressWarnings("unchecked")
+    public <T extends ExtensionPoint, U extends ExtensionFactory<T>> U getFactory(final Class<T> extensionPointClass, final String name) {
+        final var extensionIdentity = new ExtensionIdentity(extensionPointClass, name);
+        final ExtensionFactory<?> factory = factoryByExtensionIdentity.get(extensionIdentity);
+        if (factory == null) {
+            throw new NoSuchExtensionException(
+                    "No factory for extension named %s exists for the extension point %s".formatted(
+                            name, extensionPointClass.getName()));
+        }
+
+        return (U) factory;
+    }
+
     @SuppressWarnings("unchecked")
     public <T extends ExtensionPoint, U extends ExtensionFactory<T>> SequencedCollection<U> getFactories(final Class<T> extensionPointClass) {
         final Set<String> extensionNames = extensionNamesByExtensionPointClass.get(extensionPointClass);

apiserver/src/main/java/org/dependencytrack/tasks/AbstractVulnDataSourceMirrorTask.java

@@ -0,0 +1,185 @@
+/*
+ * This file is part of Dependency-Track.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * Copyright (c) OWASP Foundation. All Rights Reserved.
+ */
+package org.dependencytrack.tasks;
+
+import alpine.event.framework.Event;
+import alpine.event.framework.Subscriber;
+import com.google.protobuf.util.Timestamps;
+import net.javacrumbs.shedlock.core.LockConfiguration;
+import net.javacrumbs.shedlock.core.LockExtender;
+import net.javacrumbs.shedlock.core.LockingTaskExecutor;
+import org.cyclonedx.proto.v1_6.Bom;
+import org.dependencytrack.model.Vulnerability;
+import org.dependencytrack.model.VulnerableSoftware;
+import org.dependencytrack.parser.dependencytrack.BovModelConverter;
+import org.dependencytrack.persistence.QueryManager;
+import org.dependencytrack.plugin.PluginManager;
+import org.dependencytrack.plugin.api.datasource.vuln.VulnDataSource;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.time.Duration;
+import java.time.Instant;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.HashMap;
+import java.util.List;
+
+import static org.datanucleus.PropertyNames.PROPERTY_PERSISTENCE_BY_REACHABILITY_AT_COMMIT;
+import static org.dependencytrack.util.LockProvider.executeWithLock;
+import static org.dependencytrack.util.LockProvider.isTaskLockToBeExtended;
+import static org.dependencytrack.util.TaskUtil.getLockConfigForTask;
+
+/**
+ * @since 5.7.0
+ */
+abstract class AbstractVulnDataSourceMirrorTask implements Subscriber {
+
+    private final PluginManager pluginManager;
+    private final Class<? extends Event> eventClass;
+    private final String vulnDataSourceExtensionName;
+    private final Vulnerability.Source source;
+    private final Logger logger;
+    private LockConfiguration lockConfig;
+    private Instant lockAcquiredAt;
+
+    AbstractVulnDataSourceMirrorTask(
+            final PluginManager pluginManager,
+            final Class<? extends Event> eventClass,
+            final String vulnDataSourceExtensionName,
+            final Vulnerability.Source source) {
+        this.pluginManager = pluginManager;
+        this.eventClass = eventClass;
+        this.vulnDataSourceExtensionName = vulnDataSourceExtensionName;
+        this.source = source;
+        this.logger = LoggerFactory.getLogger(this.getClass());
+    }
+
+    @Override
+    public void inform(final Event e) {
+        if (!eventClass.isAssignableFrom(e.getClass())) {
+            return;
+        }
+
+        lockConfig = getLockConfigForTask(getClass());
+
+        try {
+            executeWithLock(
+                    this.lockConfig,
+                    (LockingTaskExecutor.Task) this::informLocked);
+        } catch (Throwable ex) {
+            logger.error("Failed to acquire lock or execute task", ex);
+        }
+    }
+
+    private void informLocked() {
+        lockAcquiredAt = Instant.now();
+
+        try (final var dataSource = pluginManager.getExtension(VulnDataSource.class, vulnDataSourceExtensionName)) {
+            if (dataSource == null) {
+                return; // Likely disabled.
+            }
+
+            final var bovBatch = new ArrayList<Bom>(25);
+            while (dataSource.hasNext()) {
+                if (Thread.currentThread().isInterrupted()) {
+                    logger.warn("Interrupted before all BOVs could be consumed");
+                    break;
+                }
+
+                maybeExtendLock();
+
+                final Bom bov = dataSource.next();
+                if (!bov.getVulnerabilities(0).hasRejected()) {
+                    bovBatch.add(bov);
+                    if (bovBatch.size() == 25) {
+                        processBatch(dataSource, bovBatch);
+                        bovBatch.clear();
+                    }
+                } else {
+                    // TODO: Store rejection / withdrawal timestamp instead,
+                    //  and let analyzers / users decide how to deal with them.
+                    //  Ignoring withdrawn vulnerabilities is legacy behavior.
+                    logger.warn(
+                            "Skipping vulnerability {} rejected at {}",
+                            bov.getVulnerabilities(0).getId(),
+                            Timestamps.toString(bov.getVulnerabilities(0).getRejected()));
+                }
+            }
+
+            if (!bovBatch.isEmpty()) {
+                maybeExtendLock();
+                processBatch(dataSource, bovBatch);
+                bovBatch.clear();
+            }
+        }
+    }
+
+    private void processBatch(final VulnDataSource dataSource, final Collection<Bom> bovs) {
+        logger.debug("Processing batch of {} BOVs", bovs.size());
+
+        final var vulns = new ArrayList<Vulnerability>(bovs.size());
+        final var vsListByVulnId = new HashMap<String, List<VulnerableSoftware>>(bovs.size());
+
+        for (final Bom bov : bovs) {
+            if (bov.getVulnerabilitiesCount() == 0) {
+                logger.warn("BOV contains no vulnerabilities; Skipping");
+                continue;
+            }
+
+            if (bov.getVulnerabilitiesCount() > 1) {
+                logger.warn("BOV contains more than one vulnerability; Skipping");
+                continue;
+            }
+
+            final Vulnerability vuln = BovModelConverter.convert(bov, bov.getVulnerabilities(0), true);
+            final List<VulnerableSoftware> vsList = BovModelConverter.extractVulnerableSoftware(bov);
+
+            vulns.add(vuln);
+            vsListByVulnId.put(vuln.getVulnId(), vsList);
+        }
+
+        try (final var qm = new QueryManager()) {
+            qm.getPersistenceManager().setProperty(PROPERTY_PERSISTENCE_BY_REACHABILITY_AT_COMMIT, "false");
+
+            qm.runInTransaction(() -> {
+                for (final Vulnerability vuln : vulns) {
+                    logger.debug("Synchronizing vulnerability {}", vuln.getVulnId());
+                    final Vulnerability persistentVuln = qm.synchronizeVulnerability(vuln, false);
+                    final List<VulnerableSoftware> vsList = vsListByVulnId.get(persistentVuln.getVulnId());
+                    qm.synchronizeVulnerableSoftware(persistentVuln, vsList, this.source);
+                }
+            });
+        }
+
+        for (final Bom bov : bovs) {
+            dataSource.markProcessed(bov);
+        }
+    }
+
+    private void maybeExtendLock() {
+        final var lockAge = Duration.between(lockAcquiredAt, Instant.now());
+        if (isTaskLockToBeExtended(lockAge.toMillis(), getClass())) {
+            logger.warn("Extending lock by {}", lockConfig.getLockAtMostFor());
+            LockExtender.extendActiveLock(lockConfig.getLockAtMostFor(), this.lockConfig.getLockAtLeastFor());
+            lockAcquiredAt = Instant.now();
+        }
+    }
+
+}

apiserver/src/main/java/org/dependencytrack/tasks/GitHubAdvisoryMirrorTask.java

@@ -18,45 +18,22 @@
  */
 package org.dependencytrack.tasks;
 
-import alpine.common.logging.Logger;
-import alpine.event.framework.Event;
-import alpine.event.framework.LoggableSubscriber;
-import alpine.model.ConfigProperty;
 import org.dependencytrack.event.GitHubAdvisoryMirrorEvent;
-import org.dependencytrack.event.kafka.KafkaEventDispatcher;
-import org.dependencytrack.persistence.QueryManager;
+import org.dependencytrack.model.Vulnerability;
+import org.dependencytrack.plugin.PluginManager;
 
-import static org.dependencytrack.model.ConfigPropertyConstants.VULNERABILITY_SOURCE_GITHUB_ADVISORIES_ACCESS_TOKEN;
-import static org.dependencytrack.model.ConfigPropertyConstants.VULNERABILITY_SOURCE_GITHUB_ADVISORIES_ENABLED;
-
-public class GitHubAdvisoryMirrorTask implements LoggableSubscriber {
+/**
+ * Task for mirroring vulnerability data from the GitHub Advisory database.
+ */
+public class GitHubAdvisoryMirrorTask extends AbstractVulnDataSourceMirrorTask {
 
-    private static final Logger LOGGER = Logger.getLogger(GitHubAdvisoryMirrorTask.class);
-    private final boolean isEnabled;
-    private String accessToken;
+    GitHubAdvisoryMirrorTask(final PluginManager pluginManager) {
+        super(pluginManager, GitHubAdvisoryMirrorEvent.class, "github", Vulnerability.Source.GITHUB);
+    }
 
+    @SuppressWarnings("unused")
     public GitHubAdvisoryMirrorTask() {
-        try (final QueryManager qm = new QueryManager()) {
-            final ConfigProperty enabled = qm.getConfigProperty(VULNERABILITY_SOURCE_GITHUB_ADVISORIES_ENABLED.getGroupName(), VULNERABILITY_SOURCE_GITHUB_ADVISORIES_ENABLED.getPropertyName());
-            this.isEnabled = enabled != null && Boolean.valueOf(enabled.getPropertyValue());
-            final ConfigProperty accessToken = qm.getConfigProperty(VULNERABILITY_SOURCE_GITHUB_ADVISORIES_ACCESS_TOKEN.getGroupName(), VULNERABILITY_SOURCE_GITHUB_ADVISORIES_ACCESS_TOKEN.getPropertyName());
-            if (accessToken != null) {
-                this.accessToken = accessToken.getPropertyValue();
-            }
-        }
+        this(PluginManager.getInstance());
     }
 
-    /**
-     * {@inheritDoc}
-     */
-    public void inform(final Event e) {
-        if (e instanceof GitHubAdvisoryMirrorEvent && this.isEnabled) {
-            if (this.accessToken != null) {
-                LOGGER.info("Starting GitHub Advisory mirroring task");
-                new KafkaEventDispatcher().dispatchEvent(new GitHubAdvisoryMirrorEvent()).join();
-            } else {
-                LOGGER.warn("GitHub Advisory mirroring is enabled, but no personal access token is configured. Skipping.");
-            }
-        }
-    }
 }