feat: added a new endpoint for creating ExploitIQ reports

Fixes: #1967

Cleaned up a bit of the download endpoint while I was in there.

Author: jcrossley3

modules/fundamental/src/error.rs

@@ -19,6 +19,8 @@ pub enum Error {
     #[error(transparent)]
     Ingestor(#[from] trustify_module_ingestor::service::Error),
     #[error(transparent)]
+    Json(#[from] serde_json::error::Error),
+    #[error(transparent)]
     Purl(#[from] PurlErr),
     #[error("Bad request: {0}")]
     BadRequest(String),

modules/fundamental/src/sbom/endpoints/mod.rs

@@ -16,12 +16,14 @@ use crate::{
     sbom::{
         model::{
             LicenseRefMapping, SbomExternalPackageReference, SbomNodeReference, SbomPackage,
-            SbomPackageRelation, SbomSummary, Which, details::SbomAdvisory,
+            SbomPackageRelation, SbomSummary, Which,
+            details::SbomAdvisory,
+            exploitiq::{ExploitIqRequest, ReportRequest, ReportResult},
         },
         service::SbomService,
     },
 };
-use actix_web::{HttpResponse, Responder, delete, get, http::header, post, web};
+use actix_web::{HttpResponse, Responder, delete, get, http::header, post, web, web::BytesMut};
 use config::Config;
 use futures_util::TryStreamExt;
 use sea_orm::{TransactionTrait, prelude::Uuid};
@@ -424,6 +426,48 @@ pub async fn related(
     Ok(HttpResponse::Ok().json(result))
 }
 
+/// Create ExploitIQ report
+#[utoipa::path(
+    tag = "sbom",
+    operation_id = "createExploitIQReport",
+    params(
+        ("id" = Id, Path),
+    ),
+    responses(
+        (status = 201, description = "Create a report", body = ReportResult),
+        (status = 400, description = "Unable to read advisory list"),
+        (status = 404, description = "The SBOM could not be found"),
+    )
+)]
+#[post("/v2/sbom/{id}/exploitiq")]
+pub async fn create_exploitiq_report(
+    ingestor: web::Data<IngestorService>,
+    db: web::Data<Database>,
+    sbom: web::Data<SbomService>,
+    id: web::Path<String>,
+    web::Json(ReportRequest { vulnerabilities }): web::Json<ReportRequest>,
+    _: Require<ReadSbom>,
+) -> Result<impl Responder, Error> {
+    let id = Id::from_str(&id).map_err(Error::IdKey)?;
+    match sbom
+        .fetch_sbom_summary(id, db.as_ref())
+        .await?
+        .and_then(|sbom| sbom.source_document)
+    {
+        Some(doc) => Ok(match ingestor.storage().retrieve(doc.try_into()?).await? {
+            Some(s) => {
+                let buf = s.try_collect::<BytesMut>().await?;
+                let sbom: serde_json::Value = serde_json::from_slice(buf.as_ref())?;
+                let _req = ExploitIqRequest::new(sbom, vulnerabilities);
+                // TODO: Invoke external service here
+                HttpResponse::Ok().json(ReportResult::default())
+            }
+            None => HttpResponse::NotFound().finish(),
+        }),
+        None => Ok(HttpResponse::NotFound().finish()),
+    }
+}
+
 #[derive(Clone, Debug, serde::Deserialize, utoipa::IntoParams)]
 struct UploadQuery {
     /// Optional labels.
@@ -500,26 +544,18 @@ pub async fn download(
     _: Require<ReadSbom>,
 ) -> Result<impl Responder, Error> {
     let id = Id::from_str(&key).map_err(Error::IdKey)?;
-
-    let Some(sbom) = sbom.fetch_sbom_summary(id, db.as_ref()).await? else {
-        return Ok(HttpResponse::NotFound().finish());
-    };
-
-    if let Some(doc) = &sbom.source_document {
-        let storage_key = doc.try_into()?;
-
-        let stream = ingestor
-            .storage()
-            .retrieve(storage_key)
-            .await
-            .map_err(Error::Storage)?
-            .map(|stream| stream.map_err(Error::Storage));
-
-        Ok(match stream {
-            Some(s) => HttpResponse::Ok().streaming(s),
-            None => HttpResponse::NotFound().finish(),
-        })
-    } else {
-        Ok(HttpResponse::NotFound().finish())
+    match sbom
+        .fetch_sbom_summary(id, db.as_ref())
+        .await?
+        .and_then(|sbom| sbom.source_document)
+    {
+        Some(doc) => {
+            let storage_key = doc.try_into()?;
+            Ok(match ingestor.storage().retrieve(storage_key).await? {
+                Some(s) => HttpResponse::Ok().streaming(s),
+                None => HttpResponse::NotFound().finish(),
+            })
+        }
+        None => Ok(HttpResponse::NotFound().finish()),
     }
 }

modules/fundamental/src/sbom/model/exploitiq.rs

@@ -0,0 +1,34 @@
+use serde::{Deserialize, Serialize};
+use serde_json::{Value, json};
+use utoipa::ToSchema;
+
+#[derive(Serialize, Deserialize, Debug, ToSchema)]
+pub struct ReportRequest {
+    pub vulnerabilities: Vec<String>,
+}
+
+#[derive(Serialize, Deserialize, Debug, ToSchema, Default)]
+#[serde(rename_all = "camelCase")]
+pub struct ReportResult {
+    pub id: String,
+    pub report_id: String,
+}
+
+#[derive(Serialize, Deserialize, Debug)]
+pub struct ExploitIqRequest {
+    pub vulnerabilities: Vec<String>,
+    pub sbom: Value,
+    pub sbom_info_type: String,
+    pub metadata: Value,
+}
+
+impl ExploitIqRequest {
+    pub fn new(sbom: Value, vulnerabilities: Vec<String>) -> Self {
+        ExploitIqRequest {
+            vulnerabilities,
+            sbom,
+            sbom_info_type: "manual".into(),
+            metadata: json!({}),
+        }
+    }
+}

modules/fundamental/src/sbom/model/mod.rs

@@ -1,4 +1,5 @@
 pub mod details;
+pub mod exploitiq;
 pub mod raw_sql;
 
 use super::service::SbomService;