Merge pull request #24 from gardenlinux/redefine-api

Specify the API in more modern ways
gardenlinux · Dec 12, 2023 · b1f5fde · b1f5fde
2 parents 507cfd3 + 92ebca5
commit b1f5fde
Show file tree

Hide file tree

Showing 5 changed files with 237 additions and 119 deletions.
diff --git a/openapi-v1.yaml b/openapi-v1.yaml
@@ -0,0 +1,67 @@
+openapi: 3.0.3
+info:
+  title: Garden Linux Vulnerability Database
+  contact:
+    email: [email protected]
+  license:
+    name: MIT
+  version: 0.1.0
+servers:
+- url: http://localhost:5000/v1
+tags:
+- name: cve
+  description: Everything about CVE
+paths:
+  /cves/findByCpe:
+    get:
+      tags:
+      - cve
+      summary: Finds CVE by CPE
+      parameters:
+      - name: cpeName
+        in: query
+        description: CPE name to search for, only Debian/Garden Linux related CPE can be used
+        required: true
+        schema:
+          type: string
+      - name: cvssV3Severity
+        in: query
+        description: Not implemented
+        schema:
+          type: string
+          enum:
+          - LOW
+          - MEDIUM
+          - HIGH
+          - CRITICAL
+      - name: debVersionEnd
+        in: query
+        schema:
+          type: string
+      responses:
+        '200':
+          description: successful operation
+          content:
+            application/json:
+              schema: {}
+        '400':
+          description: parameter is invalid
+  /cves/{cveId}:
+    get:
+      tags:
+        - cve
+      summary: Find CVE by ID
+      parameters:
+        - name: cveId
+          in: path
+          description: ID of CVE
+          required: true
+          schema:
+            type: string
+      responses:
+        '200':
+          description: successful operation
+          content:
+            application/json: {}
+        '404':
+          description: CVE not found
diff --git a/src/glvd/web/__init__.py b/src/glvd/web/__init__.py
@@ -41,7 +41,7 @@ def create_app():
 
     QuartDb(app)
 
-    from .nvd import bp as bp_nvd
-    app.register_blueprint(bp_nvd)
+    from .v1_cves import bp as bp_v1_cves
+    app.register_blueprint(bp_v1_cves)
 
     return app
diff --git a/src/glvd/web/nvd.py → src/glvd/web/v1_cves.py b/src/glvd/web/nvd.py → src/glvd/web/v1_cves.py
@@ -8,10 +8,26 @@
 
 from ..data.cpe import Cpe
 
-bp = Blueprint('nvd', __name__)
+bp = Blueprint('nvd', __name__, url_prefix='/v1/cves')
 
 
-stmt_cve_deb_cpe_version = (
+stmt_cve_id = (
+    text('''
+        SELECT
+                all_cve.data AS cve
+            FROM
+                all_cve
+            WHERE
+                cve_id = :cve_id
+            GROUP BY
+                all_cve.cve_id
+    ''')
+    .bindparams(
+        bindparam('cve_id'),
+    )
+)
+
+stmt_cpe_version = (
     text('''
         WITH data AS (
             SELECT
@@ -33,12 +49,7 @@
                     all_cve.cve_id
             )
         SELECT
-                json_build_object(
-                    'format', 'NVD_CVE',
-                    'version', '2.0+deb',
-                    'vulnerabilities', coalesce(json_agg(data), '[]'::json)
-                )::text
-            FROM data
+            coalesce(json_agg(data.cve), '[]'::json)::text FROM data
     ''')
     .bindparams(
         bindparam('cpe_vendor'),
@@ -49,7 +60,7 @@
     )
 )
 
-stmt_cve_deb_cpe_vulnerable = (
+stmt_cpe_vulnerable = (
     text('''
         WITH data AS (
             SELECT
@@ -68,12 +79,7 @@
                     all_cve.cve_id
             )
         SELECT
-                json_build_object(
-                    'format', 'NVD_CVE',
-                    'version', '2.0+deb',
-                    'vulnerabilities', coalesce(json_agg(data), '[]'::json)
-                )::text
-            FROM data
+            coalesce(json_agg(data.cve), '[]'::json)::text FROM data
     ''')
     .bindparams(
         bindparam('cpe_vendor'),
@@ -83,55 +89,43 @@
     )
 )
 
-stmt_cve_deb_cve_id = (
-    text('''
-        WITH data AS (
-            SELECT
-                    all_cve.data AS cve
-                FROM
-                    all_cve
-                WHERE
-                    cve_id = :cve_id
-                GROUP BY
-                    all_cve.cve_id
-            )
-        SELECT
-                json_build_object(
-                    'format', 'NVD_CVE',
-                    'version', '2.0+deb',
-                    'vulnerabilities', coalesce(json_agg(data), '[]'::json)
-                )::text
-            FROM data
-    ''')
-    .bindparams(
-        bindparam('cve_id'),
-    )
-)
 
+@bp.route('/<cve_id>')
+async def get_cve_id(cve_id):
+    stmt = stmt_cve_id.bindparams(cve_id=cve_id)
 
-@bp.route('/rest/json/cves/2.0+deb')
-async def nvd_cve_deb():
-    if cpe_name := request.args.get('virtualMatchString', type=str):
-        cpe = Cpe.parse(cpe_name)
-        if not cpe.is_debian:
-            return 'Not Debian related CPE', 400
-        if cpe.other.deb_source and (deb_version := request.args.get('debVersionEnd', type=str)):
-            stmt = stmt_cve_deb_cpe_version.bindparams(
-                cpe_vendor=cpe.vendor,
-                cpe_product=cpe.product,
-                cpe_version=cpe.version or '%',
-                deb_source=cpe.other.deb_source,
-                deb_version=deb_version,
-            )
+    async with current_app.db_begin() as conn:
+        data = (await conn.execute(stmt)).one_or_none()
+
+        if data:
+            return data[0], 200
         else:
-            stmt = stmt_cve_deb_cpe_vulnerable.bindparams(
-                cpe_vendor=cpe.vendor,
-                cpe_product=cpe.product,
-                cpe_version=cpe.version or '%',
-                deb_source=cpe.other.deb_source or '%',
-            )
-    elif cve_id := request.args.get('cveId', type=str):
-        stmt = stmt_cve_deb_cve_id.bindparams(cve_id=cve_id)
+            return 'Not found', 404
+
+
+@bp.route('/findByCpe')
+async def get_cpe_name():
+    cpe = Cpe.parse(request.args.get('cpeName', type=str))
+    deb_version = request.args.get('debVersionEnd', type=str)
+
+    if not cpe.is_debian:
+        return 'Not Debian related CPE', 400
+
+    if cpe.other.deb_source and deb_version:
+        stmt = stmt_cpe_version.bindparams(
+            cpe_vendor=cpe.vendor,
+            cpe_product=cpe.product,
+            cpe_version=cpe.version or '%',
+            deb_source=cpe.other.deb_source,
+            deb_version=deb_version,
+        )
+    else:
+        stmt = stmt_cpe_vulnerable.bindparams(
+            cpe_vendor=cpe.vendor,
+            cpe_product=cpe.product,
+            cpe_version=cpe.version or '%',
+            deb_source=cpe.other.deb_source or '%',
+        )
 
     async with current_app.db_begin() as conn:
         return (

diff --git a/tests/web/test_nvd_cve.py b/tests/web/test_nvd_cve.py