nornir 0.4.28

//! SBOM + vulnerability + license producer — pure Rust, no external tools, no C
//! deps. `cargo metadata` gives the full deep dependency tree; the OSV.dev batch
//! API gives vulnerabilities; the manifests give licenses. Emits a **CycloneDX
//! 1.5** SBOM. The standards-based feed for the warehouse
//! (`sbom_components` / `vuln_findings` / `license_facts`) and the viz Security tab.

use std::collections::BTreeMap;
use std::path::{Path, PathBuf};
use std::process::Command;

use anyhow::{Context, Result};
use serde_json::{json, Value};

#[derive(Clone, Debug)]
pub struct Component {
    pub name: String,
    pub version: String,
    pub license: String,
}

#[derive(Clone)]
pub struct Vuln {
    pub crate_name: String,
    pub version: String,
    pub ids: Vec<String>,
    pub summary: String,
}

pub struct SecurityReport {
    pub repo: String,
    pub components: Vec<Component>,
    pub vulns: Vec<Vuln>,
}

fn purl(name: &str, version: &str) -> String {
    format!("pkg:cargo/{name}@{version}")
}

impl SecurityReport {
    /// License → count, most-common first.
    pub fn license_tally(&self) -> Vec<(String, usize)> {
        let mut m: BTreeMap<String, usize> = BTreeMap::new();
        for c in &self.components {
            *m.entry(c.license.clone()).or_default() += 1;
        }
        let mut v: Vec<_> = m.into_iter().collect();
        v.sort_by(|a, b| b.1.cmp(&a.1).then(a.0.cmp(&b.0)));
        v
    }

    pub fn vuln_count(&self) -> usize {
        self.vulns.iter().map(|v| v.ids.len()).sum()
    }

    /// CycloneDX 1.5 SBOM (components + vulnerabilities).
    pub fn to_cyclonedx(&self) -> Value {
        json!({
            "bomFormat": "CycloneDX",
            "specVersion": "1.5",
            "version": 1,
            "metadata": { "component": { "type": "application", "name": self.repo } },
            "components": self.components.iter().map(|c| json!({
                "type": "library",
                "name": c.name,
                "version": c.version,
                "purl": purl(&c.name, &c.version),
                "licenses": [{ "license": { "name": c.license } }],
            })).collect::<Vec<_>>(),
            "vulnerabilities": self.vulns.iter().flat_map(|v| {
                let (name, ver) = (v.crate_name.clone(), v.version.clone());
                let summary = v.summary.clone();
                v.ids.iter().map(move |id| json!({
                    "id": id,
                    "source": { "name": "OSV", "url": format!("https://osv.dev/vulnerability/{id}") },
                    "affects": [{ "ref": purl(&name, &ver) }],
                    "description": summary,
                })).collect::<Vec<_>>()
            }).collect::<Vec<_>>(),
        })
    }
}

/// The deep component list (the full transitive tree). No network. Returns the
/// repo display name + components — the SBOM half of a scan, split out so the
/// server can pair it with a warehouse `vuln_findings` cache.
///
/// Tries `cargo metadata` (rich: includes licenses); if that can't run — a
/// transient spawn failure, or a path-dep checkout whose siblings aren't cloned
/// beside it server-side — falls back to **`Cargo.lock`**, which pins every
/// resolved dep (name+version, enough for vuln matching; licenses unavailable).
pub fn components(repo: &Path) -> Result<(String, Vec<Component>)> {
    let repo_name = repo.file_name().map(|s| s.to_string_lossy().into_owned()).unwrap_or_default();
    // Guard: a missing checkout dir otherwise surfaces as a cryptic "spawn cargo
    // generate-lockfile" (Command current_dir doesn't exist). Say it plainly —
    // usually a repo-name case mismatch (e.g. `Njord` vs the `njord` checkout).
    if !repo.is_dir() {
        anyhow::bail!(
            "no checkout for `{repo_name}` at {} — is the repo name/case right and the workspace synced?",
            repo.display()
        );
    }
    // Tier 1: cargo metadata (rich — includes licenses).
    let meta_err = match cargo_metadata_components(repo) {
        Ok(c) => return Ok((repo_name, c)),
        Err(e) => e,
    };
    eprintln!("nornir-security: cargo metadata unavailable ({meta_err:#}); using Cargo.lock");
    // Tier 2: a committed Cargo.lock.
    let lock = repo.join("Cargo.lock");
    if lock.is_file() {
        return Ok((repo_name, cargo_lock_components(repo)?));
    }
    // Tier 3: no Cargo.lock in the checkout — the norm for *library* crates,
    // which gitignore it (nornir itself does). Synthesize one with
    // `cargo generate-lockfile` (resolves versions, no build), then parse it.
    if cargo_available() {
        let gen = Command::new("cargo")
            .args(["generate-lockfile"])
            .current_dir(repo)
            .output()
            .context("spawn cargo generate-lockfile")?;
        if gen.status.success() && lock.is_file() {
            return Ok((repo_name, cargo_lock_components(repo)?));
        }
        // cargo is present but couldn't resolve (offline + cold registry, a
        // path-dep whose sibling isn't checked out, …): surface WHY, clearly.
        anyhow::bail!(
            "could not resolve dependencies for `{repo_name}`: cargo metadata failed ({meta_err}) \
             and `cargo generate-lockfile` could not produce a lockfile:\n{}",
            String::from_utf8_lossy(&gen.stderr)
        );
    }
    // Tier 4: cargo is not on PATH at all (e.g. the server service user has no
    // toolchain). Without cargo AND without a committed Cargo.lock there is no
    // SBOM source — say exactly that instead of a cryptic "read …/Cargo.lock".
    anyhow::bail!(
        "no SBOM source for `{repo_name}`: `cargo` is not on PATH (so cargo metadata / \
         generate-lockfile can't run) and no Cargo.lock is committed (library crates gitignore it). \
         Install a cargo toolchain for the scan host, or commit a Cargo.lock."
    )
}

/// Is `cargo` runnable on PATH? Distinguishes "toolchain missing" (tier 4) from
/// "cargo present but resolve failed" (tier 3) so the scan error is actionable.
fn cargo_available() -> bool {
    Command::new("cargo")
        .arg("--version")
        .output()
        .map(|o| o.status.success())
        .unwrap_or(false)
}

fn cargo_metadata_components(repo: &Path) -> Result<Vec<Component>> {
    let out = Command::new("cargo")
        .args(["metadata", "--format-version", "1"])
        .current_dir(repo)
        .output()
        .context("spawn cargo metadata")?;
    if !out.status.success() {
        anyhow::bail!("cargo metadata failed:\n{}", String::from_utf8_lossy(&out.stderr));
    }
    let md: Value = serde_json::from_slice(&out.stdout).context("parse cargo metadata")?;
    Ok(md["packages"]
        .as_array()
        .map(|a| {
            a.iter()
                .map(|p| Component {
                    name: p["name"].as_str().unwrap_or_default().to_string(),
                    version: p["version"].as_str().unwrap_or_default().to_string(),
                    license: p["license"].as_str().unwrap_or("NOASSERTION").to_string(),
                })
                .collect()
        })
        .unwrap_or_default())
}

/// Parse `Cargo.lock` `[[package]]` entries → (name, version). Works with no
/// network and no sibling path-dep checkouts.
fn cargo_lock_components(repo: &Path) -> Result<Vec<Component>> {
    let path = repo.join("Cargo.lock");
    let text = std::fs::read_to_string(&path).with_context(|| format!("read {}", path.display()))?;
    let doc: toml::Value = toml::from_str(&text).context("parse Cargo.lock")?;
    Ok(doc
        .get("package")
        .and_then(|p| p.as_array())
        .map(|pkgs| {
            pkgs.iter()
                .filter_map(|p| {
                    Some(Component {
                        name: p.get("name")?.as_str()?.to_string(),
                        version: p.get("version")?.as_str()?.to_string(),
                        license: "NOASSERTION".to_string(),
                    })
                })
                .collect()
        })
        .unwrap_or_default())
}

/// Components, **warehouse-first**: if a deep-scan / metadata sweep of this
/// repo's dependency closure has already been captured (see [`warm`]), build the
/// SBOM component list from that warehouse snapshot — zero `cargo metadata`, zero
/// network. Falls back to live [`components`] (cargo metadata → Cargo.lock) when
/// the warehouse has no capture yet.
///
/// `repo_name` is taken from the directory name so it matches what [`warm`]
/// filed the components under.
pub fn components_warehouse_first(
    wh: &crate::warehouse::iceberg::IcebergWarehouse,
    repo: &Path,
) -> Result<(String, Vec<Component>)> {
    let repo_name = repo.file_name().map(|s| s.to_string_lossy().into_owned()).unwrap_or_default();
    match wh.query_sbom_components(&repo_name) {
        Ok(Some(rows)) if !rows.is_empty() => {
            let comps = rows
                .into_iter()
                .map(|r| Component { name: r.name, version: r.version, license: r.license })
                .collect();
            Ok((repo_name, comps))
        }
        // No capture (or an empty/failed read) — resolve live.
        _ => components(repo),
    }
}

/// Pre-warm the warehouse SBOM cache for `repo`: resolve the component closure
/// **once** (live `cargo metadata`, materializing path-dep siblings first so a
/// headless server-side resolve succeeds for repos like znippy/knut) and persist
/// it under the repo name. After this, [`components_warehouse_first`] serves the
/// SBOM with no cargo/network. Idempotent enough for republish — each call files
/// a fresh capture snapshot and the latest wins.
///
/// Returns the `(repo_name, components)` it captured. `scan_root`, when given, is
/// where sibling path-dep checkouts are looked for / linked (typically the `git/`
/// dir holding all monitored member checkouts).
pub fn warm(
    wh: &crate::warehouse::iceberg::IcebergWarehouse,
    repo: &Path,
    scan_root: Option<&Path>,
) -> Result<(String, Vec<Component>)> {
    if let Some(root) = scan_root {
        // Best-effort: clone any missing siblings (feature `net-scan`) then link
        // present ones. A miss just degrades to the Cargo.lock fallback inside
        // `components`; prep must never fail the warm. Default codeberg/nordisk
        // URL resolution (override via `NORNIR_DEP_CLONE_BASE`).
        let (cloned, linked) = prepare_path_deps(repo, root, &|_| None);
        if cloned + linked > 0 {
            eprintln!(
                "nornir-security: prepared path-deps for {} ({cloned} cloned, {linked} linked)",
                repo.display()
            );
        }
    }
    let (repo_name, comps) = components(repo)?;
    let rows: Vec<crate::warehouse::iceberg::SbomComponentRow> = comps
        .iter()
        .map(|c| crate::warehouse::iceberg::SbomComponentRow {
            name: c.name.clone(),
            version: c.version.clone(),
            license: c.license.clone(),
        })
        .collect();
    wh.append_sbom_components(&repo_name, uuid::Uuid::new_v4(), &rows)
        .with_context(|| format!("persist sbom components for {repo_name}"))?;
    Ok((repo_name, comps))
}

/// Materialize sibling **path-dep** checkouts next to `repo` under `scan_root`,
/// so a headless server-side `cargo metadata` (which needs the path-dep sources
/// on disk to resolve + read their licenses) succeeds for repos that depend on
/// sibling crates by relative path (e.g. znippy → zoomies, knut → skade).
///
/// For every `dep = { path = "..." }` in the repo's `Cargo.toml`, resolve the
/// target's crate/repo directory name; if it isn't already reachable at the path
/// the manifest expects but *is* present under `scan_root`, drop a symlink so the
/// relative path resolves. Pure-filesystem, no cargo, no network. Best-effort and
/// idempotent: already-resolvable deps and already-present links are left alone.
/// Returns the number of links created.
pub fn materialize_path_dep_siblings(repo: &Path, scan_root: &Path) -> Result<usize> {
    let manifest = repo.join("Cargo.toml");
    let text = match std::fs::read_to_string(&manifest) {
        Ok(t) => t,
        Err(_) => return Ok(0), // no manifest → nothing to do
    };
    let doc: toml::Value = toml::from_str(&text).context("parse Cargo.toml")?;
    let mut linked = 0usize;
    for table_key in ["dependencies", "dev-dependencies", "build-dependencies"] {
        let Some(deps) = doc.get(table_key).and_then(|d| d.as_table()) else { continue };
        for (dep_name, spec) in deps {
            let Some(path) = spec.as_table().and_then(|t| t.get("path")).and_then(|p| p.as_str())
            else {
                continue;
            };
            // The location the manifest's relative `path` points at.
            let target = repo.join(path);
            if target.join("Cargo.toml").exists() {
                continue; // already resolvable in place
            }
            // The directory name the dep expects (last segment of its path).
            let leaf = Path::new(path)
                .file_name()
                .map(|s| s.to_string_lossy().into_owned())
                .unwrap_or_else(|| dep_name.clone());
            // Look for a sibling checkout under scan_root by that leaf name, then
            // by the dep's own name (repo dir often == crate name).
            let candidate = [leaf.as_str(), dep_name.as_str()]
                .into_iter()
                .map(|n| scan_root.join(n))
                .find(|c| c.join("Cargo.toml").exists());
            let Some(src) = candidate else { continue };
            if let Some(parent) = target.parent() {
                let _ = std::fs::create_dir_all(parent);
            }
            if symlink_dir(&src, &target).is_ok() {
                linked += 1;
            }
        }
    }
    Ok(linked)
}

/// List the **path-dep siblings of `repo` that are still unresolved** — i.e. the
/// manifest declares `dep = { path = "..." }` but neither the path itself nor a
/// `scan_root` sibling carries a `Cargo.toml`, so a headless `cargo metadata`
/// would fail to load them. Call this *after* [`prepare_path_deps`] to turn the
/// opaque `MetadataCommand::exec` failure into a clear, named diagnostic (DR2).
///
/// Returns `(dep_name, declared_path)` pairs. Empty ⇒ every path-dep resolves
/// (or the repo has no manifest / no path-deps). Pure filesystem, never errors
/// on a missing/garbled manifest (those degrade to "nothing unresolved" so the
/// caller's real cargo-metadata error still surfaces).
pub fn unresolved_path_dep_siblings(repo: &Path, scan_root: &Path) -> Vec<(String, String)> {
    let Ok(text) = std::fs::read_to_string(repo.join("Cargo.toml")) else { return Vec::new() };
    let Ok(doc) = toml::from_str::<toml::Value>(&text) else { return Vec::new() };
    let mut unresolved = Vec::new();
    for table_key in ["dependencies", "dev-dependencies", "build-dependencies"] {
        let Some(deps) = doc.get(table_key).and_then(|d| d.as_table()) else { continue };
        for (dep_name, spec) in deps {
            let Some(path) = spec.as_table().and_then(|t| t.get("path")).and_then(|p| p.as_str())
            else {
                continue;
            };
            // Resolvable in place (path or, post-prep, via the symlink we dropped)?
            if repo.join(path).join("Cargo.toml").exists() {
                continue;
            }
            // Still resolvable from a scan_root sibling we could have linked?
            let leaf = Path::new(path)
                .file_name()
                .map(|s| s.to_string_lossy().into_owned())
                .unwrap_or_else(|| dep_name.clone());
            let present = [leaf.as_str(), dep_name.as_str()]
                .into_iter()
                .any(|n| scan_root.join(n).join("Cargo.toml").exists());
            if !present {
                unresolved.push((dep_name.clone(), path.to_string()));
            }
        }
    }
    unresolved
}

/// Default base URL for cloning a missing path-dep sibling whose git URL the
/// caller didn't supply. Override with `NORNIR_DEP_CLONE_BASE`.
pub fn dep_clone_base() -> String {
    std::env::var("NORNIR_DEP_CLONE_BASE")
        .unwrap_or_else(|_| "https://codeberg.org/nordisk".to_string())
}

/// The sibling **repo dir name** a relative path-dep points at: the first
/// `Normal` component of the path (`../skade/skade` → `skade`, `../zoomies` →
/// `zoomies`). `None` for a path with no normal component.
fn sibling_repo_name(path: &str) -> Option<String> {
    Path::new(path).components().find_map(|c| match c {
        std::path::Component::Normal(s) => Some(s.to_string_lossy().into_owned()),
        _ => None,
    })
}

/// Clone **missing** sibling repos that `repo`'s path-deps point at, so a
/// headless `cargo metadata` can resolve them. The complement of
/// [`materialize_path_dep_siblings`] (which only links siblings already on
/// disk): this *fetches* the ones that aren't checked out at all — the exact
/// gap that made "press Security" fail on `nornir` (its `skade`/`skade-katalog`
/// path-deps were never cloned beside it in the server's single-repo checkout).
///
/// `url_for(repo_name)` supplies the git URL for a sibling repo dir name (e.g.
/// the workspace descriptor's `git`); when it returns `None` we fall back to
/// `<NORNIR_DEP_CLONE_BASE>/<repo_name>` (default `https://codeberg.org/nordisk`).
///
/// **Network**: gated behind the `net-scan` feature. Without it this is a no-op
/// (returns `Ok(0)`) so an airgapped build never reaches out. Best-effort: a
/// clone failure is logged and skipped, never fatal — the scan then degrades to
/// the Cargo.lock fallback in [`components`]. Returns the number of repos cloned.
#[cfg(feature = "net-scan")]
pub fn clone_missing_path_dep_siblings(
    repo: &Path,
    scan_root: &Path,
    url_for: &dyn Fn(&str) -> Option<String>,
) -> Result<usize> {
    let manifest = repo.join("Cargo.toml");
    let Ok(text) = std::fs::read_to_string(&manifest) else { return Ok(0) };
    let doc: toml::Value = toml::from_str(&text).context("parse Cargo.toml")?;
    let mut cloned = 0usize;
    let mut seen: std::collections::HashSet<String> = std::collections::HashSet::new();
    for table_key in ["dependencies", "dev-dependencies", "build-dependencies"] {
        let Some(deps) = doc.get(table_key).and_then(|d| d.as_table()) else { continue };
        for (_dep_name, spec) in deps {
            let Some(path) = spec.as_table().and_then(|t| t.get("path")).and_then(|p| p.as_str())
            else {
                continue;
            };
            // Already resolvable in place → nothing to fetch.
            if repo.join(path).join("Cargo.toml").exists() {
                continue;
            }
            let Some(repo_name) = sibling_repo_name(path) else { continue };
            if !seen.insert(repo_name.clone()) {
                continue; // one clone covers every path-dep into the same sibling repo
            }
            let dest = scan_root.join(&repo_name);
            // Present already (full repo, or a virtual-manifest workspace root)?
            // Leave it for `materialize_path_dep_siblings` to link if needed.
            if dest.join("Cargo.toml").exists() {
                continue;
            }
            let url =
                url_for(&repo_name).unwrap_or_else(|| format!("{}/{}", dep_clone_base(), repo_name));
            match crate::gitio::clone_or_fetch(
                &url,
                &dest,
                crate::gitio::nornir_ssh_key_path().as_deref(),
            ) {
                Ok(sha) => {
                    eprintln!(
                        "nornir-security: cloned path-dep sibling `{repo_name}` from {url} @ {sha}"
                    );
                    cloned += 1;
                }
                Err(e) => eprintln!(
                    "nornir-security: clone path-dep sibling `{repo_name}` from {url} failed \
                     (scan will degrade to Cargo.lock): {e:#}"
                ),
            }
        }
    }
    Ok(cloned)
}

/// Airgapped build (`net-scan` off): never fetch. The scan resolves only what's
/// already on disk, then falls back to the committed Cargo.lock.
#[cfg(not(feature = "net-scan"))]
pub fn clone_missing_path_dep_siblings(
    _repo: &Path,
    _scan_root: &Path,
    _url_for: &dyn Fn(&str) -> Option<String>,
) -> Result<usize> {
    Ok(0)
}

/// Make `repo`'s sibling path-deps resolvable for a headless `cargo metadata`:
/// **clone** the missing ones (feature `net-scan`), then **symlink** any
/// present-but-misplaced ones. Best-effort and idempotent; errors are logged,
/// not propagated (a failed prep just degrades the scan to the Cargo.lock
/// fallback). Returns `(cloned, linked)`. This is the single entry point both
/// [`warm`] and the server's `Mimir.SecurityScan` handler call before
/// [`components`].
pub fn prepare_path_deps(
    repo: &Path,
    scan_root: &Path,
    url_for: &dyn Fn(&str) -> Option<String>,
) -> (usize, usize) {
    let cloned = clone_missing_path_dep_siblings(repo, scan_root, url_for).unwrap_or_else(|e| {
        eprintln!("nornir-security: clone path-dep siblings for {} skipped: {e:#}", repo.display());
        0
    });
    let linked = materialize_path_dep_siblings(repo, scan_root).unwrap_or_else(|e| {
        eprintln!("nornir-security: link path-dep siblings for {} skipped: {e:#}", repo.display());
        0
    });
    (cloned, linked)
}

/// Create a directory symlink `link → src`. No-op if `link` already exists.
#[cfg(unix)]
fn symlink_dir(src: &Path, link: &Path) -> std::io::Result<()> {
    if link.exists() {
        return Ok(());
    }
    std::os::unix::fs::symlink(src, link)
}

#[cfg(not(unix))]
fn symlink_dir(src: &Path, link: &Path) -> std::io::Result<()> {
    if link.exists() {
        return Ok(());
    }
    std::os::windows::fs::symlink_dir(src, link)
}

/// Scan `repo`: deep dependency tree (`cargo metadata`) + OSV vulnerabilities.
/// The uncached path — for the warehouse-first path see the server's
/// `Mimir.SecurityScan` (cache lookup + `osv_query` of misses only).
pub fn scan(repo: &Path) -> Result<SecurityReport> {
    let (repo_name, components) = components(repo)?;
    let vulns = query_vulns(&components)?;
    Ok(SecurityReport { repo: repo_name, components, vulns })
}

/// Look up vulnerabilities for `components`, **airgap-first**: the local
/// rustsec/advisory-db mirror (offline) when seeded, else OSV.dev.
pub fn query_vulns(components: &[Component]) -> Result<Vec<Vuln>> {
    if components.is_empty() {
        return Ok(Vec::new());
    }
    match advisory_db_path() {
        Some(db) => advisory_db_query(components, &db),
        None => osv_query(components),
    }
}

/// The local rustsec/advisory-db mirror path (`NORNIR_ADVISORY_DB`, else
/// `/opt/nornir/advisory-db`) — `Some` only once seeded (has a `crates/` dir).
pub fn advisory_db_path() -> Option<PathBuf> {
    let p = std::env::var_os("NORNIR_ADVISORY_DB")
        .map(PathBuf::from)
        .unwrap_or_else(|| PathBuf::from("/opt/nornir/advisory-db"));
    p.join("crates").is_dir().then_some(p)
}

/// Clone or update the advisory-db mirror. Airgap: point `NORNIR_ADVISORY_DB_URL`
/// at holger (it serves the repo). Pure Rust (gix, no git2). Returns the path.
pub fn update_advisory_db() -> Result<PathBuf> {
    let dest = std::env::var_os("NORNIR_ADVISORY_DB")
        .map(PathBuf::from)
        .unwrap_or_else(|| PathBuf::from("/opt/nornir/advisory-db"));
    let url = std::env::var("NORNIR_ADVISORY_DB_URL")
        .unwrap_or_else(|_| "https://github.com/rustsec/advisory-db".to_string());
    crate::gitio::clone_or_fetch(&url, &dest, None)
        .with_context(|| format!("clone/fetch advisory-db from {url}"))?;
    Ok(dest)
}

fn req_matches(reqs: &[String], v: &semver::Version) -> bool {
    // Also test the pre-release-stripped version: semver excludes pre-releases
    // (`>= 0.10` won't match `0.11.0-rc.4`), which would wrongly flag an rc as
    // unpatched. Treating `0.11.0-rc.4` as `0.11.0` for the patched/unaffected
    // check matches OSV's behaviour.
    let mut bare = v.clone();
    bare.pre = semver::Prerelease::EMPTY;
    reqs.iter().any(|r| {
        semver::VersionReq::parse(r).map(|req| req.matches(v) || req.matches(&bare)).unwrap_or(false)
    })
}

/// Extract the ```toml fenced front-matter from a rustsec advisory `.md`.
fn extract_toml_front_matter(text: &str) -> Option<&str> {
    let after = &text[text.find("```toml")? + "```toml".len()..];
    let end = after.find("```")?;
    Some(after[..end].trim_matches('\n'))
}

fn string_list(v: Option<&toml::Value>) -> Vec<String> {
    v.and_then(|v| v.as_array())
        .map(|a| a.iter().filter_map(|x| x.as_str().map(String::from)).collect())
        .unwrap_or_default()
}

/// Match `components` against a local advisory-db (`crates/<crate>/*.toml`) —
/// cargo-audit's logic: a version is affected when no `patched` requirement
/// matches it and it isn't listed `unaffected`. Fully offline.
pub fn advisory_db_query(components: &[Component], db: &Path) -> Result<Vec<Vuln>> {
    let crates = db.join("crates");
    let mut out = Vec::new();
    for c in components {
        let dir = crates.join(&c.name);
        if !dir.is_dir() {
            continue;
        }
        let Ok(version) = semver::Version::parse(&c.version) else { continue };
        let mut ids = Vec::new();
        let mut summary = String::new();
        for entry in std::fs::read_dir(&dir).into_iter().flatten().flatten() {
            let p = entry.path();
            if p.extension().and_then(|e| e.to_str()) != Some("md") {
                continue;
            }
            let Ok(text) = std::fs::read_to_string(&p) else { continue };
            // Each advisory is Markdown with a ```toml front-matter block.
            let Some(front) = extract_toml_front_matter(&text) else { continue };
            let Ok(doc) = toml::from_str::<toml::Value>(front) else { continue };
            let adv = doc.get("advisory");
            let versions = doc.get("versions");
            let patched = string_list(versions.and_then(|v| v.get("patched")));
            let unaffected = string_list(versions.and_then(|v| v.get("unaffected")));
            if !req_matches(&patched, &version) && !req_matches(&unaffected, &version) {
                if summary.is_empty() {
                    summary = adv
                        .and_then(|a| a.get("title"))
                        .and_then(|v| v.as_str())
                        .unwrap_or_default()
                        .to_string();
                }
                if let Some(id) = adv.and_then(|a| a.get("id")).and_then(|v| v.as_str()) {
                    ids.push(id.to_string());
                }
            }
        }
        if !ids.is_empty() {
            out.push(Vuln { crate_name: c.name.clone(), version: c.version.clone(), ids, summary });
        }
    }
    Ok(out)
}

/// OSV.dev batch query (one POST, no `ureq` json feature needed: serialise +
/// parse with `serde_json` ourselves). Empty input → no network.
pub fn osv_query(components: &[Component]) -> Result<Vec<Vuln>> {
    if components.is_empty() {
        return Ok(Vec::new());
    }
    let queries: Vec<Value> = components
        .iter()
        .map(|c| json!({ "package": { "ecosystem": "crates.io", "name": c.name }, "version": c.version }))
        .collect();
    let body = serde_json::to_string(&json!({ "queries": queries }))?;
    let resp = match ureq::post("https://api.osv.dev/v1/querybatch")
        .set("Content-Type", "application/json")
        .send_string(&body)
    {
        Ok(r) => r,
        // Airgap / offline: degrade gracefully rather than failing the scan.
        // Seed NORNIR_ADVISORY_DB (a local rustsec/advisory-db mirror) for offline
        // matching instead.
        Err(e) => {
            eprintln!("nornir-security: OSV.dev unreachable ({e}); skipping vuln lookup (seed NORNIR_ADVISORY_DB for offline)");
            return Ok(Vec::new());
        }
    };
    let resp_str = resp.into_string().context("read OSV response")?;
    let resp: Value = serde_json::from_str(&resp_str).context("parse OSV response")?;
    let mut vulns = Vec::new();
    if let Some(results) = resp["results"].as_array() {
        for (i, r) in results.iter().enumerate() {
            let Some(vs) = r["vulns"].as_array() else { continue };
            if vs.is_empty() || i >= components.len() {
                continue;
            }
            let c = &components[i];
            vulns.push(Vuln {
                crate_name: c.name.clone(),
                version: c.version.clone(),
                ids: vs.iter().filter_map(|v| v["id"].as_str().map(String::from)).collect(),
                summary: vs.first().and_then(|v| v["summary"].as_str()).unwrap_or_default().to_string(),
            });
        }
    }
    Ok(vulns)
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn extract_toml_front_matter_pulls_the_advisory_block() {
        let md = "```toml\n[advisory]\nid = \"RUSTSEC-2024-0001\"\n[versions]\npatched = [\">= 1.0.0\"]\n```\n\n# Title\n\nbody";
        let front = extract_toml_front_matter(md).expect("front matter");
        let doc: toml::Value = toml::from_str(front).unwrap();
        assert_eq!(doc["advisory"]["id"].as_str(), Some("RUSTSEC-2024-0001"));
        assert_eq!(string_list(doc.get("versions").and_then(|v| v.get("patched"))), vec!["\
>= 1.0.0".trim_start()]);
    }

    #[test]
    fn req_matches_handles_prerelease_versions() {
        // `>= 0.10` must consider a later pre-release patched (semver excludes it).
        let rc = semver::Version::parse("0.11.0-rc.4").unwrap();
        assert!(req_matches(&[">= 0.10.0".into()], &rc), "0.11.0-rc.4 should satisfy >= 0.10.0");
        // an earlier version is genuinely unpatched
        let old = semver::Version::parse("0.9.0").unwrap();
        assert!(!req_matches(&[">= 0.10.0".into()], &old), "0.9.0 must NOT satisfy >= 0.10.0");
    }

    #[test]
    fn components_warehouse_first_uses_capture_then_falls_back() {
        use crate::warehouse::iceberg::{IcebergWarehouse, SbomComponentRow};
        let whdir = tempfile::tempdir().unwrap();
        let wh = IcebergWarehouse::open(whdir.path()).unwrap();

        // A repo dir named "myrepo" whose Cargo.lock provides the live fallback.
        let repodir = tempfile::tempdir().unwrap();
        let repo = repodir.path().join("myrepo");
        std::fs::create_dir_all(&repo).unwrap();
        std::fs::write(
            repo.join("Cargo.lock"),
            "[[package]]\nname = \"fallbackdep\"\nversion = \"9.9.9\"\n",
        )
        .unwrap();
        // No Cargo.toml manifest → cargo metadata fails → Cargo.lock fallback.

        // No warehouse capture yet → warehouse_first delegates to live components,
        // which (no manifest) lands on the Cargo.lock fallback.
        let (name, comps) = components_warehouse_first(&wh, &repo).unwrap();
        assert_eq!(name, "myrepo");
        assert!(comps.iter().any(|c| c.name == "fallbackdep" && c.version == "9.9.9"));

        // After a warehouse capture, warehouse_first serves THAT (not the lock).
        wh.append_sbom_components(
            "myrepo",
            uuid::Uuid::new_v4(),
            &[SbomComponentRow { name: "cached".into(), version: "1.2.3".into(), license: "MIT".into() }],
        )
        .unwrap();
        let (name, comps) = components_warehouse_first(&wh, &repo).unwrap();
        assert_eq!(name, "myrepo");
        assert_eq!(comps.len(), 1);
        assert_eq!(comps[0].name, "cached");
        assert_eq!(comps[0].license, "MIT");
    }

    #[test]
    fn materialize_path_dep_siblings_links_missing_sibling() {
        // repo `znippy` depends on `../zoomies` by path, but that relative path
        // doesn't exist next to znippy in the headless scan layout — the sibling
        // checkout instead lives flat under scan_root. We should link it in.
        let tmp = tempfile::tempdir().unwrap();
        let root = tmp.path();
        // scan_root/znippy/Cargo.toml with a path dep `../zoomies`
        let znippy = root.join("znippy");
        std::fs::create_dir_all(&znippy).unwrap();
        std::fs::write(
            znippy.join("Cargo.toml"),
            "[package]\nname=\"znippy\"\nversion=\"0.1.0\"\n\n[dependencies]\nzoomies = { path = \"../zoomies\" }\n",
        )
        .unwrap();
        // scan_root/zoomies exists (a sibling), but ../zoomies relative to znippy
        // is scan_root/zoomies too here — so to actually exercise the link path,
        // point the dep one level deeper where it is NOT present.
        std::fs::write(
            znippy.join("Cargo.toml"),
            "[package]\nname=\"znippy\"\nversion=\"0.1.0\"\n\n[dependencies]\nzoomies = { path = \"vendor/zoomies\" }\n",
        )
        .unwrap();
        let zoomies = root.join("zoomies");
        std::fs::create_dir_all(&zoomies).unwrap();
        std::fs::write(zoomies.join("Cargo.toml"), "[package]\nname=\"zoomies\"\nversion=\"0.1.0\"\n").unwrap();

        // Before: vendor/zoomies/Cargo.toml is absent.
        assert!(!znippy.join("vendor/zoomies/Cargo.toml").exists());
        let n = materialize_path_dep_siblings(&znippy, root).unwrap();
        assert_eq!(n, 1, "one sibling link created");
        // After: the path dep resolves (through the symlink) to the sibling.
        assert!(znippy.join("vendor/zoomies/Cargo.toml").exists());

        // Idempotent: a second run links nothing new.
        let n2 = materialize_path_dep_siblings(&znippy, root).unwrap();
        assert_eq!(n2, 0, "already-linked sibling is not re-linked");
    }

    #[test]
    fn materialize_is_noop_when_path_dep_already_resolves() {
        let tmp = tempfile::tempdir().unwrap();
        let root = tmp.path();
        let a = root.join("a");
        std::fs::create_dir_all(&a).unwrap();
        let b = root.join("b");
        std::fs::create_dir_all(&b).unwrap();
        std::fs::write(b.join("Cargo.toml"), "[package]\nname=\"b\"\nversion=\"0.1.0\"\n").unwrap();
        std::fs::write(
            a.join("Cargo.toml"),
            "[package]\nname=\"a\"\nversion=\"0.1.0\"\n\n[dependencies]\nb = { path = \"../b\" }\n",
        )
        .unwrap();
        // `../b` already resolves → nothing to link.
        let n = materialize_path_dep_siblings(&a, root).unwrap();
        assert_eq!(n, 0);
    }

    /// The live "press Security on nornir" fix: a repo whose path-dep siblings
    /// are MISSING from the scan root must have them CLONED in, so `cargo
    /// metadata` can then resolve. Uses a local git repo as the "remote" (a
    /// `file://` URL via the `url_for` closure) — real clone, no network.
    #[cfg(feature = "net-scan")]
    #[test]
    fn clone_missing_sibling_makes_path_dep_resolve() {
        let tmp = tempfile::tempdir().unwrap();
        // The "remote": a git repo named `skade` that mirrors nornir's real
        // layout — a repo root crate (`../skade`) PLUS a `skade/` member crate
        // (`../skade/skade`), so both of nornir's path-deps are satisfiable.
        let remote = tmp.path().join("remote");
        let skade_src = remote.join("skade");
        std::fs::create_dir_all(skade_src.join("skade")).unwrap();
        std::fs::write(
            skade_src.join("Cargo.toml"),
            "[package]\nname=\"skade-katalog\"\nversion=\"0.1.0\"\nedition=\"2021\"\n",
        )
        .unwrap();
        std::fs::write(
            skade_src.join("skade").join("Cargo.toml"),
            "[package]\nname=\"skade\"\nversion=\"0.4.0\"\nedition=\"2021\"\n",
        )
        .unwrap();
        crate::gitio::init(&skade_src).unwrap();
        crate::gitio::commit_all(&skade_src, "seed skade").unwrap();

        // The scan root: only `nornir` is checked out, with the two path-deps
        // pointing at siblings that are NOT present.
        let scan_root = tmp.path().join("git");
        let nornir = scan_root.join("nornir");
        std::fs::create_dir_all(&nornir).unwrap();
        std::fs::write(
            nornir.join("Cargo.toml"),
            "[package]\nname=\"nornir\"\nversion=\"0.4.0\"\nedition=\"2021\"\n\n\
             [dependencies]\n\
             skade = { path = \"../skade/skade\" }\n\
             skade-katalog = { path = \"../skade\" }\n",
        )
        .unwrap();

        // BEFORE: neither path-dep resolves.
        assert!(!nornir.join("../skade/skade/Cargo.toml").exists());

        // `url_for` hands back the local `file://` remote for the `skade` repo.
        let remote_str = remote.to_string_lossy().into_owned();
        let url_for = move |name: &str| Some(format!("file://{remote_str}/{name}"));
        let cloned = clone_missing_path_dep_siblings(&nornir, &scan_root, &url_for).unwrap();
        assert_eq!(cloned, 1, "the single missing `skade` repo is cloned once");

        // AFTER: BOTH path-deps now resolve to real manifests.
        assert!(
            nornir.join("../skade/skade").join("Cargo.toml").exists(),
            "`../skade/skade` (the skade crate) resolves after clone"
        );
        assert!(
            nornir.join("../skade").join("Cargo.toml").exists(),
            "`../skade` (the skade-katalog root crate) resolves after clone"
        );

        // Idempotent: a second prep clones nothing (sibling already present).
        let again = clone_missing_path_dep_siblings(&nornir, &scan_root, &url_for).unwrap();
        assert_eq!(again, 0, "already-present sibling is not re-cloned");
    }

    #[test]
    fn affected_logic_unpatched_between_ranges() {
        // patched >= 0.39, unaffected < 0.15 → 0.20 is affected (the RUSTSEC aws-lc case)
        let v = semver::Version::parse("0.20.0").unwrap();
        let patched = vec![">= 0.39.0".to_string()];
        let unaffected = vec!["< 0.15.0".to_string()];
        let is_affected = !req_matches(&patched, &v) && !req_matches(&unaffected, &v);
        assert!(is_affected);
        // a patched version is not affected
        let v2 = semver::Version::parse("0.40.0").unwrap();
        assert!(req_matches(&patched, &v2));
    }
}