Prepare release 0.2.1

Cargo.toml

@@ -22,7 +22,7 @@ members = [
 ]
 
 [workspace.package]
-version = "0.2.0"
+version = "0.2.1"
 edition = "2021"
 publish = false
 license = "Apache-2.0"
@@ -96,7 +96,8 @@ packageurl = "0.3.0"
 parking_lot = "0.12"
 peak_alloc = "0.2.0"
 pem = "3"
-petgraph = { version = "0.6.5", features = ["serde-1"] }
+percent-encoding = "2.3.1"
+petgraph = { version = "0.7.1", features = ["serde-1"] }
 prometheus = "0.13.3"
 quick-xml = "0.37.0"
 rand = "0.8.5"

common/Cargo.toml

@@ -23,15 +23,19 @@ log = { workspace = true }
 native-tls = { workspace = true }
 packageurl = { workspace = true }
 pem = { workspace = true }
+percent-encoding = { workspace = true }
 postgresql_embedded = { workspace = true, features = ["blocking", "tokio"] }
 regex = { workspace = true }
 reqwest = { workspace = true, features = ["native-tls"] }
 ring = { workspace = true }
+sbom-walker = { workspace = true }
 schemars = { workspace = true }
 sea-orm = { workspace = true, features = ["sea-query-binder", "sqlx-postgres", "runtime-tokio-rustls", "macros"] }
 sea-query = { workspace = true }
 serde = { workspace = true, features = ["derive"] }
 serde_json = { workspace = true }
+spdx-expression = { workspace = true }
+spdx-rs = { workspace = true }
 sqlx = { workspace = true }
 strum = { workspace = true, features = ["derive"] }
 thiserror = { workspace = true }

common/infrastructure/Cargo.toml

@@ -23,7 +23,7 @@ mime = { workspace = true }
 openssl = { workspace = true }
 opentelemetry = { workspace = true }
 opentelemetry-otlp = { workspace = true }
-opentelemetry_sdk = { workspace = true, features = ["rt-tokio"] }
+opentelemetry_sdk = { workspace = true, features = ["rt-tokio-current-thread"] }
 parking_lot = { workspace = true }
 prometheus = { workspace = true }
 reqwest = { workspace = true }

common/infrastructure/src/tracing.rs

@@ -123,13 +123,13 @@ fn init_otlp(name: &str) {
             "service.name",
             name.to_string(),
         )]))
-        .with_batch_exporter(exporter, opentelemetry_sdk::runtime::Tokio)
+        .with_batch_exporter(exporter, opentelemetry_sdk::runtime::TokioCurrentThread)
         .with_sampler(opentelemetry_sdk::trace::Sampler::ParentBased(Box::new(
             sampler(),
         )))
         .build();
 
-    println!("Using Jaeger tracing.");
+    println!("Using OTEL Collector with Jaeger as the back-end.");
     println!("{:#?}", provider);
 
     let formatting_layer = tracing_subscriber::fmt::Layer::default();
@@ -142,6 +142,7 @@ fn init_otlp(name: &str) {
     {
         eprintln!("Error initializing tracing: {:?}", e);
     }
+    opentelemetry::global::set_tracer_provider(provider);
 }
 
 fn init_no_tracing() {

common/src/cpe.rs

@@ -2,21 +2,82 @@ use cpe::{
     cpe::Cpe as _,
     uri::{OwnedUri, Uri},
 };
-use std::fmt::{Debug, Display, Formatter};
-use std::str::FromStr;
+use serde::{
+    de::{Error, Visitor},
+    Deserialize, Deserializer, Serialize, Serializer,
+};
+use std::{
+    borrow::Cow,
+    fmt::{Debug, Display, Formatter},
+    str::FromStr,
+};
+use utoipa::{
+    openapi::{KnownFormat, ObjectBuilder, RefOr, Schema, SchemaFormat, Type},
+    PartialSchema, ToSchema,
+};
 use uuid::Uuid;
 
 #[derive(Clone, Hash, Eq, PartialEq)]
 pub struct Cpe {
     uri: OwnedUri,
 }
 
+impl ToSchema for Cpe {
+    fn name() -> Cow<'static, str> {
+        "Cpe".into()
+    }
+}
+
+impl PartialSchema for Cpe {
+    fn schema() -> RefOr<Schema> {
+        ObjectBuilder::new()
+            .schema_type(Type::String)
+            .format(Some(SchemaFormat::KnownFormat(KnownFormat::Uri)))
+            .into()
+    }
+}
+
 impl Display for Cpe {
     fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
         Display::fmt(&self.uri, f)
     }
 }
 
+impl Serialize for Cpe {
+    fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
+    where
+        S: Serializer,
+    {
+        serializer.serialize_str(self.to_string().as_str())
+    }
+}
+
+impl<'de> Deserialize<'de> for Cpe {
+    fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
+    where
+        D: Deserializer<'de>,
+    {
+        deserializer.deserialize_str(CpeVisitor)
+    }
+}
+
+struct CpeVisitor;
+
+impl Visitor<'_> for CpeVisitor {
+    type Value = Cpe;
+
+    fn expecting(&self, formatter: &mut Formatter) -> std::fmt::Result {
+        formatter.write_str("a CPE")
+    }
+
+    fn visit_str<E>(self, v: &str) -> Result<Self::Value, E>
+    where
+        E: Error,
+    {
+        v.try_into().map_err(Error::custom)
+    }
+}
+
 const NAMESPACE: Uuid = Uuid::from_bytes([
     0x1b, 0xf1, 0x2a, 0xd5, 0x0d, 0x67, 0x41, 0x18, 0xa1, 0x38, 0xb8, 0x9f, 0x19, 0x35, 0xe0, 0xa7,
 ]);
@@ -172,6 +233,22 @@ impl FromStr for Cpe {
     }
 }
 
+impl TryFrom<&str> for Cpe {
+    type Error = <OwnedUri as FromStr>::Err;
+    fn try_from(value: &str) -> Result<Self, Self::Error> {
+        Ok(Self {
+            uri: OwnedUri::from_str(value)?,
+        })
+    }
+}
+
+impl TryFrom<String> for Cpe {
+    type Error = <OwnedUri as FromStr>::Err;
+    fn try_from(value: String) -> Result<Self, Self::Error> {
+        value.as_str().try_into()
+    }
+}
+
 pub trait CpeCompare: cpe::cpe::Cpe {
     fn is_superset<O: CpeCompare>(&self, other: &O) -> bool {
         self.compare(other).superset()

common/src/db/query.rs

@@ -162,7 +162,7 @@ impl Query {
     }
 }
 
-#[derive(Clone, Default, Debug, Deserialize, Serialize, ToSchema, IntoParams)]
+#[derive(Clone, Default, Debug, Eq, PartialEq, Deserialize, Serialize, ToSchema, IntoParams)]
 #[serde(rename_all = "camelCase")]
 pub struct Query {
     #[serde(default)]

common/src/purl.rs

@@ -1,4 +1,5 @@
 use packageurl::PackageUrl;
+use percent_encoding::{utf8_percent_encode, AsciiSet, CONTROLS};
 use serde::{
     de::{Error, Visitor},
     Deserialize, Deserializer, Serialize, Serializer,
@@ -115,6 +116,7 @@ impl FromStr for Purl {
             .map_err(PurlErr::Package)
     }
 }
+
 impl<'de> Deserialize<'de> for Purl {
     fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
     where
@@ -141,6 +143,35 @@ impl Visitor<'_> for PurlVisitor {
     }
 }
 
+const QUERY_ENCODE_SET: &AsciiSet = &CONTROLS
+    .add(b' ') // Space must be encoded as %20 or +.
+    .add(b'"') // Double quote
+    .add(b'#') // Fragment identifier
+    .add(b'<') // Less than
+    .add(b'>') // Greater than
+    .add(b'[') // Left square bracket
+    .add(b']') // Right square bracket
+    .add(b'{') // Left curly brace
+    .add(b'}') // Right curly brace
+    .add(b'|') // Pipe
+    .add(b'\\') // Backslash
+    .add(b'^') // Caret
+    .add(b'`') // Backtick
+    .add(b'~') // Tilde
+    .add(b'@') // At sign
+    .add(b'!') // Exclamation mark
+    .add(b'$') // Dollar sign
+    .add(b'&') // Ampersand
+    .add(b'\'') // Single quote
+    .add(b'(') // Left parenthesis
+    .add(b')') // Right parenthesis
+    .add(b'*') // Asterisk
+    .add(b'+') // Plus
+    .add(b',') // Comma
+    .add(b';') // Semicolon
+    .add(b'=') // Equals
+    .add(b'%'); // Percent itself.
+
 impl Display for Purl {
     fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
         let ns = if let Some(ns) = &self.namespace {
@@ -156,7 +187,7 @@ impl Display for Purl {
                 "?{}",
                 self.qualifiers
                     .iter()
-                    .map(|(k, v)| format!("{}={}", k, v))
+                    .map(|(k, v)| format!("{}={}", k, utf8_percent_encode(v, QUERY_ENCODE_SET)))
                     .collect::<Vec<_>>()
                     .join("&")
             )

common/src/sbom/mod.rs

@@ -1,3 +1,5 @@
+pub mod spdx;
+
 use crate::cpe::Cpe;
 use crate::purl::Purl;
 use uuid::Uuid;

common/src/sbom/spdx.rs

@@ -0,0 +1,33 @@
+use sbom_walker::report::ReportSink;
+use serde_json::Value;
+use spdx_rs::models::SPDX;
+
+/// Parse a SPDX document, possibly replacing invalid license expressions.
+///
+/// Returns the parsed document and a flag indicating if license expressions got replaced.
+pub fn parse_spdx(report: &dyn ReportSink, json: Value) -> Result<(SPDX, bool), serde_json::Error> {
+    let (json, changed) = fix_license(report, json);
+    Ok((serde_json::from_value(json)?, changed))
+}
+
+/// Check the document for invalid SPDX license expressions and replace them with `NOASSERTION`.
+pub fn fix_license(report: &dyn ReportSink, mut json: Value) -> (Value, bool) {
+    let mut changed = false;
+    if let Some(packages) = json["packages"].as_array_mut() {
+        for package in packages {
+            if let Some(declared) = package["licenseDeclared"].as_str() {
+                if let Err(err) = spdx_expression::SpdxExpression::parse(declared) {
+                    package["licenseDeclared"] = "NOASSERTION".into();
+                    changed = true;
+
+                    let message =
+                        format!("Replacing faulty SPDX license expression with NOASSERTION: {err}");
+                    log::debug!("{message}");
+                    report.error(message);
+                }
+            }
+        }
+    }
+
+    (json, changed)
+}

docs/design/log_tracing.md

@@ -135,3 +135,26 @@ However, not all function variants might expose the same behavior. Just because
 mean it will panic. For example, the `Option::unwrap_or` function:
 
 ![Screenshot of rustdoc for Option::unwrap_or](drawings/log_tracing_2.png)
+
+## Sending traces to OpenTelemetry Collector (devmode)
+
+Jaeger and OTEL Collector:
+
+```shell
+podman compose -f etc/dev-traces/compose.yaml up
+```
+
+Database:
+
+```shell
+podman compose -f etc/deploy/compose/compose.yaml up
+```
+
+Trustify with traces:
+
+```shell
+OTEL_TRACES_SAMPLER_ARG=1 OTEL_EXPORTER_OTLP_ENDPOINT="http://localhost:4317" cargo run --bin trustd api --db-password trustify --auth-disabled --tracing enabled
+```
+
+Access Trustify at [localhost:8080](http://localhost:8080) and analyze the traces using the [Jaeger UI](http://localhost:16686/)
+

entity/src/advisory.rs

@@ -34,7 +34,7 @@ pub struct Model {
 
 #[ComplexObject]
 impl Model {
-    async fn organization<'a>(&self, ctx: &Context<'a>) -> Result<organization::Model> {
+    async fn organization(&self, ctx: &Context<'_>) -> Result<organization::Model> {
         let db = ctx.data::<Arc<db::Database>>()?;
         if let Some(found) = self
             .find_related(organization::Entity)
@@ -47,7 +47,7 @@ impl Model {
         }
     }
 
-    async fn vulnerabilities<'a>(&self, ctx: &Context<'a>) -> Result<Vec<vulnerability::Model>> {
+    async fn vulnerabilities(&self, ctx: &Context<'_>) -> Result<Vec<vulnerability::Model>> {
         let db = ctx.data::<Arc<db::Database>>()?;
         Ok(self
             .find_related(vulnerability::Entity)

etc/dev-traces/compose.yaml

@@ -0,0 +1,17 @@
+services:
+  jaeger-all-in-one:
+    hostname: jaeger-all-in-one
+    image: jaegertracing/all-in-one:1.53.0 # Using this version to align with trustify-helm-charts
+    ports:
+      - "16686:16686"
+      - "14250:14250"
+    environment:
+      - COLLECTOR_OTLP_ENABLED=true
+  collector:
+    image: ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector:0.115.1 # Using this version to align with trustify-helm-charts https://github.com/TylerHelmuth/opentelemetry-helm-charts/commit/86188fea6022a6424ef6a086e928d0056fb5dfe8#diff-55020f2b796ba5770731a3b4913592732431ff180c7f7473e5f469e92ed00e74R48
+    command: ["--config=/otel-collector-config.yaml"]
+    volumes:
+      - './config.yaml:/otel-collector-config.yaml:z'
+    ports:
+      - "4317:4317"
+    depends_on: [jaeger-all-in-one]

etc/dev-traces/config.yaml

@@ -0,0 +1,23 @@
+receivers:
+  otlp:
+    protocols:
+      grpc:
+        endpoint: "0.0.0.0:4317"
+
+exporters:
+  otlp:
+    endpoint: jaeger-all-in-one:4317
+    tls:
+      insecure: true
+  debug:
+    verbosity: detailed
+
+processors:
+  batch: {}
+
+service:
+  pipelines:
+    traces:
+      receivers: [otlp]
+      processors: [batch]
+      exporters: [debug, otlp]