nornir 0.4.32

Companion to cargo: dependency tracking, release gating, deploy, benchmarks, and documentation assembly. Project-agnostic.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307

//! 🛡 Security tab — **workspace-driven, server-first** SBOM/vuln/license scan.
//! Lists the workspace's configured repos (no free-text path) as buttons. When
//! connected to a server it calls `Mimir.SecurityScan` (the server scans its own
//! `git/<repo>` checkout — the viz host needs no sources); otherwise it scans
//! the local `workspace_root/<repo>` via `crate::security::scan`.
//!
//! NOTE (next): the deep-scanned dependency closure already lives in the
//! warehouse (`repo=deps`); a `sbom_components`/`vuln_findings` cache would make
//! even the server side warehouse-first instead of re-running cargo metadata.

use std::path::PathBuf;
use std::sync::{Arc, Mutex};

use eframe::egui::{self, RichText};
use serde_json::Value;

use super::facett_theme::{Theme, AMBER, GREEN, RED};
use super::ops_tabs::Server;

/// A finished scan's display data (flattened + Send).
struct Snapshot {
    repo: String,
    components: usize,
    vulns: Vec<(String, String, Vec<String>)>, // (crate, version, advisory ids)
    licenses: Vec<(String, usize)>,
    cache_hits: usize,
    cache_misses: usize,
}

type Slot = Arc<Mutex<Option<Result<Snapshot, String>>>>;

fn snap_from_report(rep: crate::security::SecurityReport) -> Snapshot {
    Snapshot {
        repo: rep.repo.clone(),
        components: rep.components.len(),
        vulns: rep
            .vulns
            .iter()
            .map(|v| (v.crate_name.clone(), v.version.clone(), v.ids.clone()))
            .collect(),
        licenses: rep.license_tally(),
        cache_hits: 0,
        cache_misses: rep.components.len(),
    }
}

/// Parse the `Mimir.SecurityScan` JSON ({repo, components, vulns[], licenses[[l,n]]}).
fn parse_report(json: &str) -> Result<Snapshot, String> {
    let v: Value = serde_json::from_str(json).map_err(|e| e.to_string())?;
    let vulns = v["vulns"]
        .as_array()
        .map(|a| {
            a.iter()
                .map(|x| {
                    (
                        x["crate"].as_str().unwrap_or_default().to_string(),
                        x["version"].as_str().unwrap_or_default().to_string(),
                        x["ids"].as_array().map(|i| i.iter().filter_map(|s| s.as_str().map(String::from)).collect()).unwrap_or_default(),
                    )
                })
                .collect()
        })
        .unwrap_or_default();
    let licenses = v["licenses"]
        .as_array()
        .map(|a| {
            a.iter()
                .filter_map(|x| {
                    let pair = x.as_array()?;
                    Some((pair.first()?.as_str()?.to_string(), pair.get(1)?.as_u64()? as usize))
                })
                .collect()
        })
        .unwrap_or_default();
    Ok(Snapshot {
        repo: v["repo"].as_str().unwrap_or_default().to_string(),
        components: v["components"].as_u64().unwrap_or(0) as usize,
        vulns,
        licenses,
        cache_hits: v["cache_hits"].as_u64().unwrap_or(0) as usize,
        cache_misses: v["cache_misses"].as_u64().unwrap_or(0) as usize,
    })
}

pub struct SecurityTab {
    workspace_root: PathBuf,
    repos: Vec<String>,
    scanning: Option<String>,
    pending: Option<Slot>,
    result: Option<Result<Snapshot, String>>,
    theme: Theme,
}

impl SecurityTab {
    pub fn new(workspace_root: PathBuf, repos: Vec<String>) -> Self {
        Self { workspace_root, repos, scanning: None, pending: None, result: None, theme: Theme::default() }
    }

    /// Re-skin this pane with a facett palette (broadcast from the picker).
    pub fn set_palette(&mut self, t: Theme) {
        self.theme = t;
    }

    /// Re-scope to a newly picked workspace: swap in its checkout root + repo
    /// set, and drop any scan from the previous workspace so the buttons (and a
    /// lingering result) don't show the old workspace's repos. Mirrors
    /// [`KnowledgeTab::set_workspace`]; called from `App::switch_workspace`.
    pub fn set_workspace(&mut self, workspace_root: PathBuf, repos: Vec<String>) {
        self.workspace_root = workspace_root;
        self.repos = repos;
        self.scanning = None;
        self.pending = None;
        self.result = None;
    }

    fn start_scan(&mut self, srv: Option<&Server>, workspace: &str, repo: &str) {
        let slot: Slot = Arc::new(Mutex::new(None));
        let sink = slot.clone();
        let repo_s = repo.to_string();
        match srv {
            // Server-first: the server scans its own checkout; no sources needed here.
            Some(s) => {
                let (ep, tok, ws) = (s.endpoint.clone(), s.token.clone(), workspace.to_string());
                std::thread::spawn(move || {
                    let r = super::remote::security_scan(&ep, &tok, &repo_s, &ws)
                        .map_err(|e| format!("{e:#}"))
                        .and_then(|j| parse_report(&j));
                    *sink.lock().unwrap() = Some(r);
                });
            }
            // Local fallback: scan workspace_root/<repo> on disk.
            None => {
                let path = self.workspace_root.join(repo);
                std::thread::spawn(move || {
                    let r = crate::security::scan(&path).map(snap_from_report).map_err(|e| format!("{e:#}"));
                    *sink.lock().unwrap() = Some(r);
                });
            }
        }
        self.scanning = Some(repo.to_string());
        self.pending = Some(slot);
        self.result = None;
    }

    pub fn draw(&mut self, ui: &mut egui::Ui, srv: Option<&Server>, workspace: &str) {
        let theme = self.theme;
        let busy = self.pending.is_some();
        ui.horizontal_wrapped(|ui| {
            ui.label("scan a workspace repo:");
            if self.repos.is_empty() {
                ui.colored_label(theme.text_dim, "(no repos for this workspace)");
            }
            for repo in self.repos.clone() {
                if ui.add_enabled(!busy, egui::Button::new(format!("🛡 {repo}"))).clicked() {
                    self.start_scan(srv, workspace, &repo);
                }
            }
            ui.weak(if srv.is_some() { "· server-side" } else { "· local" });
        });
        ui.separator();

        // Recover a poisoned lock rather than panicking the UI thread if the
        // background scan thread happened to unwind while holding it.
        let done = self
            .pending
            .as_ref()
            .and_then(|slot| slot.lock().unwrap_or_else(|p| p.into_inner()).take());
        if let Some(d) = done {
            self.result = Some(d);
            self.pending = None;
        }
        if self.pending.is_some() {
            let r = self.scanning.as_deref().unwrap_or("");
            ui.label(format!("⏳ scanning {r} — cargo metadata (deep tree) + OSV.dev …"));
            ui.ctx().request_repaint();
            return;
        }

        match &self.result {
            None => {
                ui.label("Pick a repo above to run a deep SBOM + vulnerability + license scan.");
                ui.label(
                    RichText::new(
                        "cargo metadata → full dependency tree · OSV.dev → CVEs/RUSTSEC · CycloneDX-compatible",
                    )
                    .weak(),
                );
            }
            Some(Err(e)) => {
                ui.colored_label(RED, format!("scan failed: {e}"));
            }
            Some(Ok(snap)) => {
                ui.horizontal(|ui| {
                    ui.heading(RichText::new(format!("🛡 {}", snap.repo)).color(theme.accent));
                    ui.label(format!("· {} crates (deep)", snap.components));
                    let nv: usize = snap.vulns.iter().map(|(_, _, ids)| ids.len()).sum();
                    let c = if nv == 0 { GREEN } else { RED };
                    ui.label(RichText::new(format!("· {nv} vuln(s) in {} crate(s)", snap.vulns.len())).color(c).strong());
                });
                if snap.cache_hits + snap.cache_misses > 0 {
                    let msg = if snap.cache_misses == 0 {
                        format!("warehouse cache: {} hit / 0 miss — zero network ✓", snap.cache_hits)
                    } else {
                        format!("warehouse cache: {} hit / {} miss (queried OSV)", snap.cache_hits, snap.cache_misses)
                    };
                    ui.label(RichText::new(msg).color(theme.text_dim).small());
                }
                ui.separator();
                egui::ScrollArea::vertical().auto_shrink([false, false]).show(ui, |ui| {
                    if snap.vulns.is_empty() {
                        ui.colored_label(GREEN, "✓ no known vulnerabilities");
                    } else {
                        for (name, ver, ids) in &snap.vulns {
                            ui.horizontal(|ui| {
                                let sev = if ids.iter().any(|i| i.starts_with("RUSTSEC") || i.starts_with("CVE")) {
                                    AMBER
                                } else {
                                    theme.accent
                                };
                                ui.label(RichText::new("").color(sev));
                                ui.monospace(format!("{name} {ver}"));
                                ui.colored_label(theme.text_dim, ids.join(", "));
                            });
                        }
                    }
                    ui.separator();
                    ui.label(RichText::new("licenses").strong());
                    ui.horizontal_wrapped(|ui| {
                        for (lic, n) in snap.licenses.iter().take(12) {
                            ui.label(
                                RichText::new(format!("{lic} ×{n}"))
                                    .color(theme.text_dim)
                                    .monospace(),
                            );
                            ui.separator();
                        }
                    });
                });
            }
        }
    }

    /// 🛡 Security tab's slice of `state_json` (LAW #6): the configured repos
    /// (the scan buttons), which repo (if any) is currently scanning, and the
    /// rendered scan result — component count + per-crate vuln findings +
    /// license tally + the warehouse-cache hit/miss counters.
    pub fn state_json(&self) -> serde_json::Value {
        serde_json::json!({
            "palette": self.theme.name,
            "repos": self.repos,
            "scanning": self.scanning,
            "busy": self.pending.is_some(),
            "result": match &self.result {
                None => serde_json::json!({ "ran": false }),
                Some(Err(e)) => serde_json::json!({ "ran": true, "ok": false, "error": e }),
                Some(Ok(snap)) => serde_json::json!({
                    "ran": true, "ok": true,
                    "repo": snap.repo,
                    "components": snap.components,
                    "vuln_crates": snap.vulns.len(),
                    "vulns": snap.vulns.iter().map(|(c, v, ids)| serde_json::json!({
                        "crate": c, "version": v, "ids": ids,
                    })).collect::<Vec<_>>(),
                    "licenses": snap.licenses.iter().map(|(l, n)| serde_json::json!([l, n])).collect::<Vec<_>>(),
                    "cache_hits": snap.cache_hits,
                    "cache_misses": snap.cache_misses,
                }),
            },
        })
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    /// The propagation bug (fixed): switching workspace must re-scope the
    /// Security tab's repo buttons. Inject workspace A's repos, switch to B,
    /// assert the rendered state shows ONLY B's repos and root — never A's.
    #[test]
    fn set_workspace_rescopes_repos_and_root() {
        let mut tab = SecurityTab::new(
            PathBuf::from("/ws/holger"),
            vec!["holger".into(), "holger-cli".into()],
        );
        // Sanity: it starts on workspace A's repos.
        let a = tab.state_json();
        assert_eq!(a["repos"], serde_json::json!(["holger", "holger-cli"]));

        // Pick workspace B.
        tab.set_workspace(PathBuf::from("/ws/knut"), vec!["knut".into(), "knut-pipelines".into()]);

        let b = tab.state_json();
        assert_eq!(
            b["repos"],
            serde_json::json!(["knut", "knut-pipelines"]),
            "Security repos must follow the picked workspace, not stay on the previous one"
        );
        assert_eq!(tab.workspace_root, PathBuf::from("/ws/knut"));
        // A stale scan from workspace A must be cleared, not shown under B.
        assert_eq!(b["busy"], serde_json::json!(false));
        assert_eq!(b["scanning"], serde_json::Value::Null);
        assert_eq!(b["result"], serde_json::json!({ "ran": false }));
        // None of A's repos may leak through.
        assert!(!b["repos"].to_string().contains("holger"));
    }
}