feat: add osv-nvd provider

.github/workflows/stage.yml

@@ -88,13 +88,10 @@ jobs:
           else
             echo "version=$version" >> "$GITHUB_OUTPUT"
 
-            notes="${notes//$''/%27}"
-            notes="${notes//$''/%60}"
-            notes="${notes//'%'/'%25'}"
-            notes="${notes//$'\n'/'%0A'}"
-            notes="${notes//$'\r'/'%0D'}"
+            notes="${notes//$'`'/%60}"
             delimiter="$(openssl rand -hex 8)"
             echo "notes<<${delimiter}" >> "$GITHUB_OUTPUT"
+            echo "## Changelog" >> "$GITHUB_OUTPUT"
             echo "$notes" >> "$GITHUB_OUTPUT"
             echo "${delimiter}" >> "$GITHUB_OUTPUT"
           fi

CHANGELOG.md

@@ -1,4 +1,10 @@
 # Change Log
+## 0.9.3 (?)
+- enhancement - Red Hat Dependency Analytics reporting has integrated the ONGuard service by using [Open Source Vulnerability (OSV)](https://google.github.io/osv.dev/) and the [National Vulnerability Database (NVD)](https://nvd.nist.gov/) data sources for additional vulnerability information.
+- enhancement - Integrated VS Code's [Secret Storage](https://code.visualstudio.com/api/references/vscode-api#SecretStorage) feature for securing the Snyk token. See [PR689](https://github.com/fabric8-analytics/fabric8-analytics-vscode-extension/pull/689) for details.
+- fixes - Fixed an issue with displaying wrong data when the event handler for Component Analysis was triggered on a unsaved manifest file. Component Analysis is no longer triggered on unsaved manifest files. See [PR#239](https://github.com/fabric8-analytics/fabric8-analytics-lsp-server/pull/239) for details.
+- fixes - Fixed an issue where the diagnostic source name is being obscured in the View Problem panel from an inline analysis. See [PR#239](https://github.com/fabric8-analytics/fabric8-analytics-lsp-server/pull/239) for details.
+- informational - The naming convention for VS Code commands has changed from `fabric8` to `rhda`. For example, `fabric8.stackAnalysis` is now `rhda.stackAnalysis`.
 ## 0.9.2 (Feb 5th 2024)
 - informational - The `redHatDependencyAnalyticsReportFilePath` setting name has changed to `reportFilePath`. If you had a custom file path set for `redHatDependencyAnalyticsReportFilePath`, then you need to add your custom file path to the `reportFilePath` setting.
 - enhancement - Added a vulnerability severity alert level setting for the user to receive inline notifications for just errors or warnings. See [PR#674](https://github.com/fabric8-analytics/fabric8-analytics-vscode-extension/pull/674) for details.

README.md

@@ -4,9 +4,11 @@
 ![CI](https://github.com/fabric8-analytics/fabric8-analytics-vscode-extension/workflows/CI/badge.svg?branch=master)
 [![Codecov](https://codecov.io/gh/fabric8-analytics/fabric8-analytics-vscode-extension/branch/master/graph/badge.svg?token=rHIO4KNlJ0)](https://codecov.io/gh/fabric8-analytics/fabric8-analytics-vscode-extension)
 
-Red Hat's Dependency Analytics (RHDA) extension gives you awareness to security concerns within your software supply chain while you build your application.
-The Red Hat Dependency Analytics extension uses the Snyk REST API to query [Snyk's Vulnerability Database](https://snyk.io/product/vulnerability-database/) for the most up-to-date vulnerability information available.
-Snyk uses industry-leading security intelligence by pulling from many data sources to give you exact vulnerability information.
+Red Hat's Dependency Analytics (RHDA) extension gives you awareness to security concerns within your software supply chain while you code your application.
+The Red Hat Dependency Analytics extension uses the following data sources for the most up-to-date vulnerability information available:
+
+- [Snyk's Vulnerability Database](https://snyk.io/product/vulnerability-database/) is an industry-leading security intelligence service. Red Hat Dependency Analytics uses Snyk's REST API to query for the latest vulnerability information available.
+- The [ONGuard](https://github.com/RHEcosystemAppEng/ONguard) service, integrates the [Open Source Vulnerability (OSV)](https://google.github.io/osv.dev/) and the [National Vulnerability Database (NVD)](https://nvd.nist.gov/) data sources. When given a set of packages to the ONGuard service, a query to OSV retrieves the associated vulnerability information, and then a query to NVD for public Common Vulnerability and Exposures (CVE) information.
 
 **NOTE:**
 <br >The Red Hat Dependency Analytics extension is an online service hosted and maintained by Red Hat.
@@ -59,10 +61,9 @@ Click the **Workspace** tab, search for the word _executable_, and specify the a
 7. (OPTIONAL) You can link your Snyk account to Red Hat Dependency Analytics by doing the following:
    1. Log into your [Snyk account](https://app.snyk.io/login?utm_campaign=Code-Ready-Analytics-2020&utm_source=code_ready&code_ready=FF1B53D9-57BE-4613-96D7-1D06066C38C9).
    2. On the account landing page, you can find your Snyk Token, copy the token.
-   3. Open the Red Hat Dependency Analytics extension settings.
-   4. Click the **Workspace** tab.
-   5. Paste the Snyk token in the **Exhort Snyk Token** field.
-   6. After adding your Snyk token, the vulnerability report gives you detailed information about security vulnerabilities unique to Snyk, and vulnerabilities that have publicly known exploits.
+   3. From VS Code's Command Palette, enter `RHDA: Set Snyk Token`.
+   4. Paste the Snyk token into the input field.
+   4. After adding your Snyk token, the vulnerability report gives you detailed information about security vulnerabilities unique to Snyk, and vulnerabilities that have publicly known exploits.
 
 ## Configuration
 
@@ -79,15 +80,20 @@ The Red Hat Dependency Analytics extension has some configurable parameters that
 
 ### Configurable parameters
 
-**Exhort Snyk Token** :
+**Snyk Token Storage** :
 <br >The Snyk token allows Exhort to authenticate with the Snyk Vulnerability Database.
 If a Snyk token is not provided, Snyk vulnerability information is not displayed.
 
-If you leave this field blank, the following informational message is displayed.
-<br >![ Screenshot of the empty token dialog box ](images/screenshots/empty-token.png)
+To securely store your Snyk token, RHDA uses VS Code's [Secret Storage](https://code.visualstudio.com/api/references/vscode-api#SecretStorage) feature.
+From VS Code's Command Palette, enter `RHDA: Set Snyk Token`.
+Next, enter your Snyk token.
+<br >![ Screenshot of the Snyk token dialog box](images/screenshots/RHDA_Snyk_Token_dialog_box.png)
+
+If you enter a invalid Snyk token, the dialog box alerts you that your Snyk token is not valid.
+<br >![ Screenshot of the invalid Snyk token dialog box ](images/screenshots/RHDA_Invalid_Snyk_Token.png)
 
-If you enter a invalid Snyk token, a pop-up message alerts you that your Snyk token is not valid.
-<br >![ Screenshot of the invalid token dialog box ](images/screenshots/invalid-token.png)
+In the extension settings, you can set RHDA to always use VS Code's Secret Storage.
+<br >![ Screenshot of the RHDA Snyk token storage setting](images/screenshots/RHDA_Snyk_Token_Storage_Setting.png)
 
 If you need a new Snyk token, you can generate a new token [here](https://app.snyk.io/login?utm_campaign=Code-Ready-Analytics-2020&utm_source=code_ready&code_ready=FF1B53D9-57BE-4613-96D7-1D06066C38C9).
 
@@ -106,7 +112,7 @@ The default path is `/tmp/redhatDependencyAnalyticsReport.html`.
 - **Component analysis**
 	<br >Upon opening a manifest file, such as a `pom.xml`, `package.json`, `go.mod` or `requirements.txt` file, a scan starts the analysis process.
 	The scan provides immediate inline feedback on detected security vulnerabilities for your application's dependencies.
-	Such dependencies are appropriately underlined in red, and hovering over it gives you a short summary of the security concern from Snyk.
+	Such dependencies are appropriately underlined in red, and hovering over it gives you a short summary of the security concern from the available data sources.
 	The summary has the full package name, version number, the amount of known security vulnerabilities, and the highest severity status of said vulnerabilities.
 
 	**NOTE:** Add the `target` folder to your `.gitignore` file to exclude it from Git monitoring.
@@ -122,7 +128,7 @@ The default path is `/tmp/redhatDependencyAnalyticsReport.html`.
 	<br >**IMPORTANT:** For Maven projects only, when analyzing a `pom.xml` file.
 	You must configure Red Hat's generally available (GA) repository to use the recommendations or remediations.
 	Add this repository, `https://maven.repository.redhat.com/ga/`, to your project's configuration.
-  
+
 - **Excluding dependencies with `exhortignore`**
 	<br >You can exclude a package from analysis by marking the package for exclusion.
 	If you wish to ignore vulnerabilities for a dependency in a `pom.xml` file, you must add `exhortignore` as a comment against the dependency, group id, artifact id, or version scopes of that particular dependency in the manifest file.