nornir 0.4.12

//! SBOM + vulnerability + license producer — pure Rust, no external tools, no C
//! deps. `cargo metadata` gives the full deep dependency tree; the OSV.dev batch
//! API gives vulnerabilities; the manifests give licenses. Emits a **CycloneDX
//! 1.5** SBOM. The standards-based feed for the warehouse
//! (`sbom_components` / `vuln_findings` / `license_facts`) and the viz Security tab.

use std::collections::BTreeMap;
use std::path::{Path, PathBuf};
use std::process::Command;

use anyhow::{Context, Result};
use serde_json::{json, Value};

#[derive(Clone)]
pub struct Component {
    pub name: String,
    pub version: String,
    pub license: String,
}

#[derive(Clone)]
pub struct Vuln {
    pub crate_name: String,
    pub version: String,
    pub ids: Vec<String>,
    pub summary: String,
}

pub struct SecurityReport {
    pub repo: String,
    pub components: Vec<Component>,
    pub vulns: Vec<Vuln>,
}

fn purl(name: &str, version: &str) -> String {
    format!("pkg:cargo/{name}@{version}")
}

impl SecurityReport {
    /// License → count, most-common first.
    pub fn license_tally(&self) -> Vec<(String, usize)> {
        let mut m: BTreeMap<String, usize> = BTreeMap::new();
        for c in &self.components {
            *m.entry(c.license.clone()).or_default() += 1;
        }
        let mut v: Vec<_> = m.into_iter().collect();
        v.sort_by(|a, b| b.1.cmp(&a.1).then(a.0.cmp(&b.0)));
        v
    }

    pub fn vuln_count(&self) -> usize {
        self.vulns.iter().map(|v| v.ids.len()).sum()
    }

    /// CycloneDX 1.5 SBOM (components + vulnerabilities).
    pub fn to_cyclonedx(&self) -> Value {
        json!({
            "bomFormat": "CycloneDX",
            "specVersion": "1.5",
            "version": 1,
            "metadata": { "component": { "type": "application", "name": self.repo } },
            "components": self.components.iter().map(|c| json!({
                "type": "library",
                "name": c.name,
                "version": c.version,
                "purl": purl(&c.name, &c.version),
                "licenses": [{ "license": { "name": c.license } }],
            })).collect::<Vec<_>>(),
            "vulnerabilities": self.vulns.iter().flat_map(|v| {
                let (name, ver) = (v.crate_name.clone(), v.version.clone());
                let summary = v.summary.clone();
                v.ids.iter().map(move |id| json!({
                    "id": id,
                    "source": { "name": "OSV", "url": format!("https://osv.dev/vulnerability/{id}") },
                    "affects": [{ "ref": purl(&name, &ver) }],
                    "description": summary,
                })).collect::<Vec<_>>()
            }).collect::<Vec<_>>(),
        })
    }
}

/// The deep component list (the full transitive tree). No network. Returns the
/// repo display name + components — the SBOM half of a scan, split out so the
/// server can pair it with a warehouse `vuln_findings` cache.
///
/// Tries `cargo metadata` (rich: includes licenses); if that can't run — a
/// transient spawn failure, or a path-dep checkout whose siblings aren't cloned
/// beside it server-side — falls back to **`Cargo.lock`**, which pins every
/// resolved dep (name+version, enough for vuln matching; licenses unavailable).
pub fn components(repo: &Path) -> Result<(String, Vec<Component>)> {
    let repo_name = repo.file_name().map(|s| s.to_string_lossy().into_owned()).unwrap_or_default();
    match cargo_metadata_components(repo) {
        Ok(c) => Ok((repo_name, c)),
        Err(e) => {
            eprintln!("nornir-security: cargo metadata unavailable ({e:#}); using Cargo.lock");
            Ok((repo_name, cargo_lock_components(repo)?))
        }
    }
}

fn cargo_metadata_components(repo: &Path) -> Result<Vec<Component>> {
    let out = Command::new("cargo")
        .args(["metadata", "--format-version", "1"])
        .current_dir(repo)
        .output()
        .context("spawn cargo metadata")?;
    if !out.status.success() {
        anyhow::bail!("cargo metadata failed:\n{}", String::from_utf8_lossy(&out.stderr));
    }
    let md: Value = serde_json::from_slice(&out.stdout).context("parse cargo metadata")?;
    Ok(md["packages"]
        .as_array()
        .map(|a| {
            a.iter()
                .map(|p| Component {
                    name: p["name"].as_str().unwrap_or_default().to_string(),
                    version: p["version"].as_str().unwrap_or_default().to_string(),
                    license: p["license"].as_str().unwrap_or("NOASSERTION").to_string(),
                })
                .collect()
        })
        .unwrap_or_default())
}

/// Parse `Cargo.lock` `[[package]]` entries → (name, version). Works with no
/// network and no sibling path-dep checkouts.
fn cargo_lock_components(repo: &Path) -> Result<Vec<Component>> {
    let path = repo.join("Cargo.lock");
    let text = std::fs::read_to_string(&path).with_context(|| format!("read {}", path.display()))?;
    let doc: toml::Value = toml::from_str(&text).context("parse Cargo.lock")?;
    Ok(doc
        .get("package")
        .and_then(|p| p.as_array())
        .map(|pkgs| {
            pkgs.iter()
                .filter_map(|p| {
                    Some(Component {
                        name: p.get("name")?.as_str()?.to_string(),
                        version: p.get("version")?.as_str()?.to_string(),
                        license: "NOASSERTION".to_string(),
                    })
                })
                .collect()
        })
        .unwrap_or_default())
}

/// Components, **warehouse-first**: if a deep-scan / metadata sweep of this
/// repo's dependency closure has already been captured (see [`warm`]), build the
/// SBOM component list from that warehouse snapshot — zero `cargo metadata`, zero
/// network. Falls back to live [`components`] (cargo metadata → Cargo.lock) when
/// the warehouse has no capture yet.
///
/// `repo_name` is taken from the directory name so it matches what [`warm`]
/// filed the components under.
pub fn components_warehouse_first(
    wh: &crate::warehouse::iceberg::IcebergWarehouse,
    repo: &Path,
) -> Result<(String, Vec<Component>)> {
    let repo_name = repo.file_name().map(|s| s.to_string_lossy().into_owned()).unwrap_or_default();
    match wh.query_sbom_components(&repo_name) {
        Ok(Some(rows)) if !rows.is_empty() => {
            let comps = rows
                .into_iter()
                .map(|r| Component { name: r.name, version: r.version, license: r.license })
                .collect();
            Ok((repo_name, comps))
        }
        // No capture (or an empty/failed read) — resolve live.
        _ => components(repo),
    }
}

/// Pre-warm the warehouse SBOM cache for `repo`: resolve the component closure
/// **once** (live `cargo metadata`, materializing path-dep siblings first so a
/// headless server-side resolve succeeds for repos like znippy/knut) and persist
/// it under the repo name. After this, [`components_warehouse_first`] serves the
/// SBOM with no cargo/network. Idempotent enough for republish — each call files
/// a fresh capture snapshot and the latest wins.
///
/// Returns the `(repo_name, components)` it captured. `scan_root`, when given, is
/// where sibling path-dep checkouts are looked for / linked (typically the `git/`
/// dir holding all monitored member checkouts).
pub fn warm(
    wh: &crate::warehouse::iceberg::IcebergWarehouse,
    repo: &Path,
    scan_root: Option<&Path>,
) -> Result<(String, Vec<Component>)> {
    if let Some(root) = scan_root {
        // Best-effort: missing siblings just degrade to the Cargo.lock fallback
        // inside `components`, they must not fail the warm.
        if let Err(e) = materialize_path_dep_siblings(repo, root) {
            eprintln!("nornir-security: path-dep sibling materialize skipped for {}: {e:#}", repo.display());
        }
    }
    let (repo_name, comps) = components(repo)?;
    let rows: Vec<crate::warehouse::iceberg::SbomComponentRow> = comps
        .iter()
        .map(|c| crate::warehouse::iceberg::SbomComponentRow {
            name: c.name.clone(),
            version: c.version.clone(),
            license: c.license.clone(),
        })
        .collect();
    wh.append_sbom_components(&repo_name, uuid::Uuid::new_v4(), &rows)
        .with_context(|| format!("persist sbom components for {repo_name}"))?;
    Ok((repo_name, comps))
}

/// Materialize sibling **path-dep** checkouts next to `repo` under `scan_root`,
/// so a headless server-side `cargo metadata` (which needs the path-dep sources
/// on disk to resolve + read their licenses) succeeds for repos that depend on
/// sibling crates by relative path (e.g. znippy → zoomies, knut → skade).
///
/// For every `dep = { path = "..." }` in the repo's `Cargo.toml`, resolve the
/// target's crate/repo directory name; if it isn't already reachable at the path
/// the manifest expects but *is* present under `scan_root`, drop a symlink so the
/// relative path resolves. Pure-filesystem, no cargo, no network. Best-effort and
/// idempotent: already-resolvable deps and already-present links are left alone.
/// Returns the number of links created.
pub fn materialize_path_dep_siblings(repo: &Path, scan_root: &Path) -> Result<usize> {
    let manifest = repo.join("Cargo.toml");
    let text = match std::fs::read_to_string(&manifest) {
        Ok(t) => t,
        Err(_) => return Ok(0), // no manifest → nothing to do
    };
    let doc: toml::Value = toml::from_str(&text).context("parse Cargo.toml")?;
    let mut linked = 0usize;
    for table_key in ["dependencies", "dev-dependencies", "build-dependencies"] {
        let Some(deps) = doc.get(table_key).and_then(|d| d.as_table()) else { continue };
        for (dep_name, spec) in deps {
            let Some(path) = spec.as_table().and_then(|t| t.get("path")).and_then(|p| p.as_str())
            else {
                continue;
            };
            // The location the manifest's relative `path` points at.
            let target = repo.join(path);
            if target.join("Cargo.toml").exists() {
                continue; // already resolvable in place
            }
            // The directory name the dep expects (last segment of its path).
            let leaf = Path::new(path)
                .file_name()
                .map(|s| s.to_string_lossy().into_owned())
                .unwrap_or_else(|| dep_name.clone());
            // Look for a sibling checkout under scan_root by that leaf name, then
            // by the dep's own name (repo dir often == crate name).
            let candidate = [leaf.as_str(), dep_name.as_str()]
                .into_iter()
                .map(|n| scan_root.join(n))
                .find(|c| c.join("Cargo.toml").exists());
            let Some(src) = candidate else { continue };
            if let Some(parent) = target.parent() {
                let _ = std::fs::create_dir_all(parent);
            }
            if symlink_dir(&src, &target).is_ok() {
                linked += 1;
            }
        }
    }
    Ok(linked)
}

/// Create a directory symlink `link → src`. No-op if `link` already exists.
#[cfg(unix)]
fn symlink_dir(src: &Path, link: &Path) -> std::io::Result<()> {
    if link.exists() {
        return Ok(());
    }
    std::os::unix::fs::symlink(src, link)
}

#[cfg(not(unix))]
fn symlink_dir(src: &Path, link: &Path) -> std::io::Result<()> {
    if link.exists() {
        return Ok(());
    }
    std::os::windows::fs::symlink_dir(src, link)
}

/// Scan `repo`: deep dependency tree (`cargo metadata`) + OSV vulnerabilities.
/// The uncached path — for the warehouse-first path see the server's
/// `Mimir.SecurityScan` (cache lookup + `osv_query` of misses only).
pub fn scan(repo: &Path) -> Result<SecurityReport> {
    let (repo_name, components) = components(repo)?;
    let vulns = query_vulns(&components)?;
    Ok(SecurityReport { repo: repo_name, components, vulns })
}

/// Look up vulnerabilities for `components`, **airgap-first**: the local
/// rustsec/advisory-db mirror (offline) when seeded, else OSV.dev.
pub fn query_vulns(components: &[Component]) -> Result<Vec<Vuln>> {
    if components.is_empty() {
        return Ok(Vec::new());
    }
    match advisory_db_path() {
        Some(db) => advisory_db_query(components, &db),
        None => osv_query(components),
    }
}

/// The local rustsec/advisory-db mirror path (`NORNIR_ADVISORY_DB`, else
/// `/opt/nornir/advisory-db`) — `Some` only once seeded (has a `crates/` dir).
pub fn advisory_db_path() -> Option<PathBuf> {
    let p = std::env::var_os("NORNIR_ADVISORY_DB")
        .map(PathBuf::from)
        .unwrap_or_else(|| PathBuf::from("/opt/nornir/advisory-db"));
    p.join("crates").is_dir().then_some(p)
}

/// Clone or update the advisory-db mirror. Airgap: point `NORNIR_ADVISORY_DB_URL`
/// at holger (it serves the repo). Pure Rust (gix, no git2). Returns the path.
pub fn update_advisory_db() -> Result<PathBuf> {
    let dest = std::env::var_os("NORNIR_ADVISORY_DB")
        .map(PathBuf::from)
        .unwrap_or_else(|| PathBuf::from("/opt/nornir/advisory-db"));
    let url = std::env::var("NORNIR_ADVISORY_DB_URL")
        .unwrap_or_else(|_| "https://github.com/rustsec/advisory-db".to_string());
    crate::gitio::clone_or_fetch(&url, &dest, None)
        .with_context(|| format!("clone/fetch advisory-db from {url}"))?;
    Ok(dest)
}

fn req_matches(reqs: &[String], v: &semver::Version) -> bool {
    // Also test the pre-release-stripped version: semver excludes pre-releases
    // (`>= 0.10` won't match `0.11.0-rc.4`), which would wrongly flag an rc as
    // unpatched. Treating `0.11.0-rc.4` as `0.11.0` for the patched/unaffected
    // check matches OSV's behaviour.
    let mut bare = v.clone();
    bare.pre = semver::Prerelease::EMPTY;
    reqs.iter().any(|r| {
        semver::VersionReq::parse(r).map(|req| req.matches(v) || req.matches(&bare)).unwrap_or(false)
    })
}

/// Extract the ```toml fenced front-matter from a rustsec advisory `.md`.
fn extract_toml_front_matter(text: &str) -> Option<&str> {
    let after = &text[text.find("```toml")? + "```toml".len()..];
    let end = after.find("```")?;
    Some(after[..end].trim_matches('\n'))
}

fn string_list(v: Option<&toml::Value>) -> Vec<String> {
    v.and_then(|v| v.as_array())
        .map(|a| a.iter().filter_map(|x| x.as_str().map(String::from)).collect())
        .unwrap_or_default()
}

/// Match `components` against a local advisory-db (`crates/<crate>/*.toml`) —
/// cargo-audit's logic: a version is affected when no `patched` requirement
/// matches it and it isn't listed `unaffected`. Fully offline.
pub fn advisory_db_query(components: &[Component], db: &Path) -> Result<Vec<Vuln>> {
    let crates = db.join("crates");
    let mut out = Vec::new();
    for c in components {
        let dir = crates.join(&c.name);
        if !dir.is_dir() {
            continue;
        }
        let Ok(version) = semver::Version::parse(&c.version) else { continue };
        let mut ids = Vec::new();
        let mut summary = String::new();
        for entry in std::fs::read_dir(&dir).into_iter().flatten().flatten() {
            let p = entry.path();
            if p.extension().and_then(|e| e.to_str()) != Some("md") {
                continue;
            }
            let Ok(text) = std::fs::read_to_string(&p) else { continue };
            // Each advisory is Markdown with a ```toml front-matter block.
            let Some(front) = extract_toml_front_matter(&text) else { continue };
            let Ok(doc) = toml::from_str::<toml::Value>(front) else { continue };
            let adv = doc.get("advisory");
            let versions = doc.get("versions");
            let patched = string_list(versions.and_then(|v| v.get("patched")));
            let unaffected = string_list(versions.and_then(|v| v.get("unaffected")));
            if !req_matches(&patched, &version) && !req_matches(&unaffected, &version) {
                if summary.is_empty() {
                    summary = adv
                        .and_then(|a| a.get("title"))
                        .and_then(|v| v.as_str())
                        .unwrap_or_default()
                        .to_string();
                }
                if let Some(id) = adv.and_then(|a| a.get("id")).and_then(|v| v.as_str()) {
                    ids.push(id.to_string());
                }
            }
        }
        if !ids.is_empty() {
            out.push(Vuln { crate_name: c.name.clone(), version: c.version.clone(), ids, summary });
        }
    }
    Ok(out)
}

/// OSV.dev batch query (one POST, no `ureq` json feature needed: serialise +
/// parse with `serde_json` ourselves). Empty input → no network.
pub fn osv_query(components: &[Component]) -> Result<Vec<Vuln>> {
    if components.is_empty() {
        return Ok(Vec::new());
    }
    let queries: Vec<Value> = components
        .iter()
        .map(|c| json!({ "package": { "ecosystem": "crates.io", "name": c.name }, "version": c.version }))
        .collect();
    let body = serde_json::to_string(&json!({ "queries": queries }))?;
    let resp = match ureq::post("https://api.osv.dev/v1/querybatch")
        .set("Content-Type", "application/json")
        .send_string(&body)
    {
        Ok(r) => r,
        // Airgap / offline: degrade gracefully rather than failing the scan.
        // Seed NORNIR_ADVISORY_DB (a local rustsec/advisory-db mirror) for offline
        // matching instead.
        Err(e) => {
            eprintln!("nornir-security: OSV.dev unreachable ({e}); skipping vuln lookup (seed NORNIR_ADVISORY_DB for offline)");
            return Ok(Vec::new());
        }
    };
    let resp_str = resp.into_string().context("read OSV response")?;
    let resp: Value = serde_json::from_str(&resp_str).context("parse OSV response")?;
    let mut vulns = Vec::new();
    if let Some(results) = resp["results"].as_array() {
        for (i, r) in results.iter().enumerate() {
            let Some(vs) = r["vulns"].as_array() else { continue };
            if vs.is_empty() || i >= components.len() {
                continue;
            }
            let c = &components[i];
            vulns.push(Vuln {
                crate_name: c.name.clone(),
                version: c.version.clone(),
                ids: vs.iter().filter_map(|v| v["id"].as_str().map(String::from)).collect(),
                summary: vs.first().and_then(|v| v["summary"].as_str()).unwrap_or_default().to_string(),
            });
        }
    }
    Ok(vulns)
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn extract_toml_front_matter_pulls_the_advisory_block() {
        let md = "```toml\n[advisory]\nid = \"RUSTSEC-2024-0001\"\n[versions]\npatched = [\">= 1.0.0\"]\n```\n\n# Title\n\nbody";
        let front = extract_toml_front_matter(md).expect("front matter");
        let doc: toml::Value = toml::from_str(front).unwrap();
        assert_eq!(doc["advisory"]["id"].as_str(), Some("RUSTSEC-2024-0001"));
        assert_eq!(string_list(doc.get("versions").and_then(|v| v.get("patched"))), vec!["\
>= 1.0.0".trim_start()]);
    }

    #[test]
    fn req_matches_handles_prerelease_versions() {
        // `>= 0.10` must consider a later pre-release patched (semver excludes it).
        let rc = semver::Version::parse("0.11.0-rc.4").unwrap();
        assert!(req_matches(&[">= 0.10.0".into()], &rc), "0.11.0-rc.4 should satisfy >= 0.10.0");
        // an earlier version is genuinely unpatched
        let old = semver::Version::parse("0.9.0").unwrap();
        assert!(!req_matches(&[">= 0.10.0".into()], &old), "0.9.0 must NOT satisfy >= 0.10.0");
    }

    #[test]
    fn components_warehouse_first_uses_capture_then_falls_back() {
        use crate::warehouse::iceberg::{IcebergWarehouse, SbomComponentRow};
        let whdir = tempfile::tempdir().unwrap();
        let wh = IcebergWarehouse::open(whdir.path()).unwrap();

        // A repo dir named "myrepo" whose Cargo.lock provides the live fallback.
        let repodir = tempfile::tempdir().unwrap();
        let repo = repodir.path().join("myrepo");
        std::fs::create_dir_all(&repo).unwrap();
        std::fs::write(
            repo.join("Cargo.lock"),
            "[[package]]\nname = \"fallbackdep\"\nversion = \"9.9.9\"\n",
        )
        .unwrap();
        // No Cargo.toml manifest → cargo metadata fails → Cargo.lock fallback.

        // No warehouse capture yet → warehouse_first delegates to live components,
        // which (no manifest) lands on the Cargo.lock fallback.
        let (name, comps) = components_warehouse_first(&wh, &repo).unwrap();
        assert_eq!(name, "myrepo");
        assert!(comps.iter().any(|c| c.name == "fallbackdep" && c.version == "9.9.9"));

        // After a warehouse capture, warehouse_first serves THAT (not the lock).
        wh.append_sbom_components(
            "myrepo",
            uuid::Uuid::new_v4(),
            &[SbomComponentRow { name: "cached".into(), version: "1.2.3".into(), license: "MIT".into() }],
        )
        .unwrap();
        let (name, comps) = components_warehouse_first(&wh, &repo).unwrap();
        assert_eq!(name, "myrepo");
        assert_eq!(comps.len(), 1);
        assert_eq!(comps[0].name, "cached");
        assert_eq!(comps[0].license, "MIT");
    }

    #[test]
    fn materialize_path_dep_siblings_links_missing_sibling() {
        // repo `znippy` depends on `../zoomies` by path, but that relative path
        // doesn't exist next to znippy in the headless scan layout — the sibling
        // checkout instead lives flat under scan_root. We should link it in.
        let tmp = tempfile::tempdir().unwrap();
        let root = tmp.path();
        // scan_root/znippy/Cargo.toml with a path dep `../zoomies`
        let znippy = root.join("znippy");
        std::fs::create_dir_all(&znippy).unwrap();
        std::fs::write(
            znippy.join("Cargo.toml"),
            "[package]\nname=\"znippy\"\nversion=\"0.1.0\"\n\n[dependencies]\nzoomies = { path = \"../zoomies\" }\n",
        )
        .unwrap();
        // scan_root/zoomies exists (a sibling), but ../zoomies relative to znippy
        // is scan_root/zoomies too here — so to actually exercise the link path,
        // point the dep one level deeper where it is NOT present.
        std::fs::write(
            znippy.join("Cargo.toml"),
            "[package]\nname=\"znippy\"\nversion=\"0.1.0\"\n\n[dependencies]\nzoomies = { path = \"vendor/zoomies\" }\n",
        )
        .unwrap();
        let zoomies = root.join("zoomies");
        std::fs::create_dir_all(&zoomies).unwrap();
        std::fs::write(zoomies.join("Cargo.toml"), "[package]\nname=\"zoomies\"\nversion=\"0.1.0\"\n").unwrap();

        // Before: vendor/zoomies/Cargo.toml is absent.
        assert!(!znippy.join("vendor/zoomies/Cargo.toml").exists());
        let n = materialize_path_dep_siblings(&znippy, root).unwrap();
        assert_eq!(n, 1, "one sibling link created");
        // After: the path dep resolves (through the symlink) to the sibling.
        assert!(znippy.join("vendor/zoomies/Cargo.toml").exists());

        // Idempotent: a second run links nothing new.
        let n2 = materialize_path_dep_siblings(&znippy, root).unwrap();
        assert_eq!(n2, 0, "already-linked sibling is not re-linked");
    }

    #[test]
    fn materialize_is_noop_when_path_dep_already_resolves() {
        let tmp = tempfile::tempdir().unwrap();
        let root = tmp.path();
        let a = root.join("a");
        std::fs::create_dir_all(&a).unwrap();
        let b = root.join("b");
        std::fs::create_dir_all(&b).unwrap();
        std::fs::write(b.join("Cargo.toml"), "[package]\nname=\"b\"\nversion=\"0.1.0\"\n").unwrap();
        std::fs::write(
            a.join("Cargo.toml"),
            "[package]\nname=\"a\"\nversion=\"0.1.0\"\n\n[dependencies]\nb = { path = \"../b\" }\n",
        )
        .unwrap();
        // `../b` already resolves → nothing to link.
        let n = materialize_path_dep_siblings(&a, root).unwrap();
        assert_eq!(n, 0);
    }

    #[test]
    fn affected_logic_unpatched_between_ranges() {
        // patched >= 0.39, unaffected < 0.15 → 0.20 is affected (the RUSTSEC aws-lc case)
        let v = semver::Version::parse("0.20.0").unwrap();
        let patched = vec![">= 0.39.0".to_string()];
        let unaffected = vec!["< 0.15.0".to_string()];
        let is_affected = !req_matches(&patched, &v) && !req_matches(&unaffected, &v);
        assert!(is_affected);
        // a patched version is not affected
        let v2 = semver::Version::parse("0.40.0").unwrap();
        assert!(req_matches(&patched, &v2));
    }
}