sbom-tools 0.1.22

Semantic SBOM diff and analysis tool
Documentation
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
//! Shared enrichment infrastructure: cache directory, HTTP client, retry
//! policy, and a generic versioned file cache.
//!
//! Every enrichment source (OSV, KEV, EOL, staleness) used to carry its own
//! copy of the platform cache-directory shim and an ad-hoc, non-atomic
//! mtime-TTL JSON file cache. This module centralizes that plumbing:
//!
//! - [`cache_dir`] / [`namespaced_cache_dir`] — one platform-aware helper.
//! - [`http_client`] — one [`reqwest::blocking::Client`] builder with a
//!   consistent `CARGO_PKG_NAME/CARGO_PKG_VERSION` User-Agent.
//! - [`get_with_retry`] — a shared retry policy honoring `429`/`Retry-After`
//!   with bounded exponential backoff.
//! - [`JsonCache`] — a generic file cache with **atomic** writes
//!   (temp-file + rename) and a `schema_version` envelope so that a version
//!   bump transparently invalidates stale entries.

use crate::error::Result;
use crate::model::Component;
use serde::Serialize;
use serde::de::DeserializeOwned;
use sha2::{Digest, Sha256};
use std::fs;
use std::path::{Path, PathBuf};
use std::sync::atomic::{AtomicBool, Ordering};
use std::time::Duration;

/// Process-global offline switch.
///
/// In air-gapped (CRA / FDA / defense) deployments the tool must serve
/// enrichment data purely from cache and never attempt a network call. This is
/// a process-wide flag rather than per-config because the HTTP choke point
/// ([`http_client`]) and the cache ([`JsonCache`]) are reached through many
/// independently-constructed source configs; threading a bool through every one
/// would be invasive and easy to miss. It is set once, early, from the global
/// `--offline` flag / `SBOM_TOOLS_OFFLINE` env.
static OFFLINE: AtomicBool = AtomicBool::new(false);

/// Enable or disable offline mode for the whole process.
pub fn set_offline(offline: bool) {
    OFFLINE.store(offline, Ordering::Relaxed);
}

/// Whether the process is running in offline mode.
#[must_use]
pub fn is_offline() -> bool {
    OFFLINE.load(Ordering::Relaxed)
}

/// Schema version embedded in every cache envelope.
///
/// Bumping this value invalidates all previously written cache entries: any
/// envelope whose `schema_version` does not match is treated as a miss (and
/// removed) so a changed payload shape can never be deserialized as the old
/// one.
pub const CACHE_SCHEMA_VERSION: u32 = 1;

// ============================================================================
// Cache directory
// ============================================================================

/// Platform-specific base cache directory.
///
/// - macOS: `$HOME/Library/Caches`
/// - Linux: `$XDG_CACHE_HOME` or `$HOME/.cache`
/// - Windows: `%LOCALAPPDATA%`
/// - other: `$HOME/.cache`
///
/// Returns `None` when the relevant environment variables are unset.
#[must_use]
pub fn cache_dir() -> Option<PathBuf> {
    #[cfg(target_os = "macos")]
    {
        std::env::var("HOME")
            .ok()
            .map(|h| PathBuf::from(h).join("Library").join("Caches"))
    }
    #[cfg(target_os = "linux")]
    {
        std::env::var("XDG_CACHE_HOME")
            .ok()
            .map(PathBuf::from)
            .or_else(|| {
                std::env::var("HOME")
                    .ok()
                    .map(|h| PathBuf::from(h).join(".cache"))
            })
    }
    #[cfg(target_os = "windows")]
    {
        std::env::var("LOCALAPPDATA").ok().map(PathBuf::from)
    }
    #[cfg(not(any(target_os = "macos", target_os = "linux", target_os = "windows")))]
    {
        std::env::var("HOME")
            .ok()
            .map(|h| PathBuf::from(h).join(".cache"))
    }
}

/// Root cache directory for all enrichment sources, i.e. `…/sbom-tools`.
///
/// This is the parent of every per-source namespace directory; the `cache`
/// subcommand uses it to enumerate, size, export, and import the cache as a
/// whole. Falls back to a `.cache`-relative path when no platform cache
/// directory is available, matching [`namespaced_cache_dir`].
#[must_use]
pub fn root_cache_dir() -> PathBuf {
    cache_dir()
        .unwrap_or_else(|| PathBuf::from(".cache"))
        .join("sbom-tools")
}

/// Cache directory for an enrichment source, e.g. `…/sbom-tools/osv`.
///
/// Falls back to a `.cache`-relative path only when no platform cache
/// directory is available, matching the previous per-source behavior.
#[must_use]
pub fn namespaced_cache_dir(namespace: &str) -> PathBuf {
    root_cache_dir().join(namespace)
}

// ============================================================================
// HTTP client + retry policy
// ============================================================================

/// Build the shared blocking HTTP client used by all enrichment sources.
///
/// All sources share the same `CARGO_PKG_NAME/CARGO_PKG_VERSION` User-Agent so
/// upstream registries see a single, identifiable client.
/// Refuse a network operation when the process is in offline mode.
///
/// Building a [`reqwest`] client makes no network call, so [`http_client`] is
/// not gated; the guard is applied at the request-dispatch layer
/// ([`get_with_retry`] and each source's direct `.send()`) so that a warm cache
/// is still served before any refusal. `what` describes the resource the caller
/// was about to fetch, for a clear "offline: not in cache (<what>)" error.
pub fn offline_guard(what: &str) -> Result<()> {
    if is_offline() {
        return Err(crate::error::SbomDiffError::enrichment(
            "offline mode",
            crate::error::EnrichmentErrorKind::Offline(what.to_string()),
        ));
    }
    Ok(())
}

#[cfg(feature = "enrichment")]
pub fn http_client(timeout: Duration) -> reqwest::Result<reqwest::blocking::Client> {
    reqwest::blocking::Client::builder()
        .timeout(timeout)
        .user_agent(concat!(
            env!("CARGO_PKG_NAME"),
            "/",
            env!("CARGO_PKG_VERSION")
        ))
        .build()
}

/// Maximum backoff applied between retries, regardless of attempt count or a
/// server-provided `Retry-After`.
const MAX_BACKOFF: Duration = Duration::from_secs(30);

/// Upper bound on a single enrichment response body, in bytes.
///
/// Enrichment responses are read fully into memory (the EPSS CSV into a
/// `HashMap`, the KEV/HuggingFace JSON into structs). Without a cap a malicious
/// or MITM'd endpoint advertising (or streaming) a huge body could OOM the
/// process. The largest legitimate payload is the full daily EPSS dataset
/// (~10-20 MB uncompressed); 256 MiB is a generous-but-finite ceiling that no
/// real source approaches.
pub const MAX_RESPONSE_BYTES: u64 = 256 * 1024 * 1024;

/// Read a response body into memory, refusing bodies larger than
/// [`MAX_RESPONSE_BYTES`].
///
/// The cap is enforced twice: first against a declared `Content-Length` (a cheap
/// up-front reject), then against the actually-buffered length (a defense against
/// a lying or absent header). The returned bytes are guaranteed `<= MAX`.
#[cfg(feature = "enrichment")]
pub fn read_bounded(response: reqwest::blocking::Response) -> Result<Vec<u8>> {
    read_bounded_with_max(response, MAX_RESPONSE_BYTES)
}

/// [`read_bounded`] with an explicit cap.
///
/// Split out so the cap behavior can be exercised against a real (small)
/// response without having to transmit a 256 MiB body in tests.
#[cfg(feature = "enrichment")]
pub(crate) fn read_bounded_with_max(
    response: reqwest::blocking::Response,
    max_bytes: u64,
) -> Result<Vec<u8>> {
    if let Some(len) = response.content_length()
        && len > max_bytes
    {
        return Err(oversized_error(len, max_bytes));
    }

    let bytes = response
        .bytes()
        .map_err(|e| network_error("reading response body", &e))?;

    if bytes.len() as u64 > max_bytes {
        return Err(oversized_error(bytes.len() as u64, max_bytes));
    }

    Ok(bytes.to_vec())
}

/// Build the "response too large" enrichment error.
#[cfg(feature = "enrichment")]
fn oversized_error(len: u64, max_bytes: u64) -> crate::error::SbomDiffError {
    crate::error::SbomDiffError::enrichment(
        "response too large",
        crate::error::EnrichmentErrorKind::NetworkError(format!(
            "response body of {len} bytes exceeds the {max_bytes}-byte limit"
        )),
    )
}

/// Compute the backoff delay before retry `attempt` (1-based).
///
/// Honors a server-provided `Retry-After` (seconds) when present, otherwise
/// applies bounded exponential backoff (1s, 2s, 4s, …) capped at
/// [`MAX_BACKOFF`].
#[must_use]
pub fn backoff_delay(attempt: u32, retry_after: Option<Duration>) -> Duration {
    if let Some(after) = retry_after {
        return after.min(MAX_BACKOFF);
    }
    let secs = 1u64
        .checked_shl(attempt.saturating_sub(1))
        .unwrap_or(u64::MAX);
    Duration::from_secs(secs).min(MAX_BACKOFF)
}

/// Parse a `Retry-After` header value expressed as a number of seconds.
///
/// The HTTP-date form of `Retry-After` is not supported (registries used here
/// only emit the delta-seconds form); unparseable values yield `None`.
#[cfg(feature = "enrichment")]
fn parse_retry_after(headers: &reqwest::header::HeaderMap) -> Option<Duration> {
    headers
        .get(reqwest::header::RETRY_AFTER)?
        .to_str()
        .ok()?
        .trim()
        .parse::<u64>()
        .ok()
        .map(Duration::from_secs)
}

/// Perform a `GET` with the shared retry policy.
///
/// Retries on transport errors and on `429`/`5xx` responses up to
/// `max_retries` times, honoring `Retry-After` on `429`. Non-retryable
/// responses (including `4xx` other than `429`) are returned to the caller on
/// the first attempt for status inspection.
///
/// In offline mode the request is refused up front with an
/// [`EnrichmentErrorKind::Offline`](crate::error::EnrichmentErrorKind::Offline)
/// error before any socket is opened.
#[cfg(feature = "enrichment")]
pub fn get_with_retry(
    client: &reqwest::blocking::Client,
    url: &str,
    max_retries: u8,
) -> Result<reqwest::blocking::Response> {
    offline_guard(url)?;

    for attempt in 0..=u32::from(max_retries) {
        if attempt > 0 {
            tracing::debug!("retry attempt {attempt} for {url}");
        }

        match client.get(url).send() {
            Ok(response) => {
                let status = response.status();
                let retryable =
                    status == reqwest::StatusCode::TOO_MANY_REQUESTS || status.is_server_error();
                if retryable && attempt < u32::from(max_retries) {
                    let retry_after = if status == reqwest::StatusCode::TOO_MANY_REQUESTS {
                        parse_retry_after(response.headers())
                    } else {
                        None
                    };
                    std::thread::sleep(backoff_delay(attempt + 1, retry_after));
                    continue;
                }
                return Ok(response);
            }
            Err(e) => {
                if attempt < u32::from(max_retries) {
                    std::thread::sleep(backoff_delay(attempt + 1, None));
                    continue;
                }
                return Err(network_error("request failed", &e));
            }
        }
    }

    // Unreachable in practice: the loop always returns on the final attempt.
    Err(network_error_msg("retry loop returned no response"))
}

/// Wrap a [`reqwest::Error`] in our enrichment network-error variant.
#[cfg(feature = "enrichment")]
fn network_error(context: &str, err: &reqwest::Error) -> crate::error::SbomDiffError {
    crate::error::SbomDiffError::enrichment(
        context,
        crate::error::EnrichmentErrorKind::NetworkError(err.to_string()),
    )
}

/// Build a network-error variant from a bare message.
#[cfg(feature = "enrichment")]
fn network_error_msg(msg: &str) -> crate::error::SbomDiffError {
    crate::error::SbomDiffError::enrichment(
        "network",
        crate::error::EnrichmentErrorKind::NetworkError(msg.to_string()),
    )
}

// ============================================================================
// Cache key
// ============================================================================

/// Cache key for vulnerability lookups.
#[derive(Debug, Clone, Hash, PartialEq, Eq)]
pub struct CacheKey {
    /// Package URL (preferred)
    pub purl: Option<String>,
    /// Component name
    pub name: String,
    /// Ecosystem (npm, pypi, etc.)
    pub ecosystem: Option<String>,
    /// Version
    pub version: Option<String>,
}

impl CacheKey {
    /// Create a cache key from component data.
    #[must_use]
    pub const fn new(
        purl: Option<String>,
        name: String,
        ecosystem: Option<String>,
        version: Option<String>,
    ) -> Self {
        Self {
            purl,
            name,
            ecosystem,
            version,
        }
    }

    /// Convert to a filesystem-safe filename using SHA256 hash.
    #[must_use]
    pub fn to_filename(&self) -> String {
        let mut hasher = Sha256::new();
        hasher.update(format!(
            "purl:{:?}|name:{}|eco:{:?}|ver:{:?}",
            self.purl, self.name, self.ecosystem, self.version
        ));
        let hash = hasher.finalize();
        let hex: String = hash.iter().map(|b| format!("{b:02x}")).collect();
        format!("{hex}.json")
    }

    /// Check if this key can be used for an OSV query.
    #[must_use]
    pub const fn is_queryable(&self) -> bool {
        // Need either a PURL or name + ecosystem + version
        self.purl.is_some() || (self.ecosystem.is_some() && self.version.is_some())
    }
}

// ============================================================================
// Generic versioned file cache
// ============================================================================

/// Envelope wrapping every cached payload with a schema version.
///
/// The version is checked on read; a mismatch is treated as a miss so a
/// changed payload shape can never be deserialized as the old one.
#[derive(Debug, Serialize, serde::Deserialize)]
struct CacheEnvelope<T> {
    /// Schema version of the embedded payload.
    schema_version: u32,
    /// The cached value.
    payload: T,
}

/// A generic file-based cache with atomic writes, TTL, and schema versioning.
///
/// Each entry is a JSON file under `cache_dir` whose name derives from the
/// entry key. Writes go to a temporary sibling file that is then renamed over
/// the target, so a reader never observes a torn write. Reads enforce both the
/// configured TTL (via file mtime) and the [`CACHE_SCHEMA_VERSION`] envelope.
pub struct JsonCache<T> {
    cache_dir: PathBuf,
    ttl: Duration,
    _marker: std::marker::PhantomData<fn() -> T>,
}

impl<T> JsonCache<T>
where
    T: Serialize + DeserializeOwned,
{
    /// Create a cache rooted at `cache_dir`, creating the directory if needed.
    pub fn new(cache_dir: PathBuf, ttl: Duration) -> Result<Self> {
        if !cache_dir.exists() {
            fs::create_dir_all(&cache_dir)?;
        }
        Ok(Self {
            cache_dir,
            ttl,
            _marker: std::marker::PhantomData,
        })
    }

    /// Path for a named entry (the name must already be filesystem-safe).
    #[must_use]
    pub fn path_for(&self, file_name: &str) -> PathBuf {
        self.cache_dir.join(file_name)
    }

    /// Cache directory root.
    #[must_use]
    pub fn dir(&self) -> &Path {
        &self.cache_dir
    }

    /// Read a cached value by file name.
    ///
    /// Returns `None` (evicting the file) when the entry is missing, older
    /// than the TTL, has a mismatched schema version, or fails to parse.
    ///
    /// One exception: in process-wide [offline](is_offline) mode a TTL-expired
    /// entry is **served** (and *not* evicted) so an air-gapped run can fall
    /// back to whatever data is on disk. A staleness warning is logged. The
    /// online path is unchanged — expired entries are still evicted on read.
    #[must_use]
    pub fn get_named(&self, file_name: &str) -> Option<T> {
        let (value, stale_by) = self.get_named_allow_stale(file_name)?;
        if let Some(age) = stale_by {
            tracing::warn!(
                "serving stale cache entry {file_name}: {} day(s) past its TTL (offline mode)",
                age.as_secs() / 86_400
            );
        }
        Some(value)
    }

    /// Read a cached value, tolerating TTL expiry when offline.
    ///
    /// Returns the payload together with a staleness signal: `Some(age)` is the
    /// amount the entry is *past* its TTL when it was served despite being
    /// expired (only possible in offline mode), or `None` when the entry was
    /// still fresh.
    ///
    /// Unlike [`get_named`](Self::get_named), this never logs; it is the
    /// building block callers use when they want to surface the staleness
    /// (e.g. as CRA evidence) rather than only warn.
    #[must_use]
    pub fn get_named_allow_stale(&self, file_name: &str) -> Option<(T, Option<Duration>)> {
        let path = self.path_for(file_name);

        let metadata = fs::metadata(&path).ok()?;
        let modified = metadata.modified().ok()?;
        let age = modified.elapsed().ok()?;
        let mut stale_by = None;
        if age > self.ttl {
            // Online: an expired entry is a miss and is evicted on read (the
            // E1 cache tests assert this). Offline: keep it and serve it so an
            // air-gapped run has a stale-if-offline fallback.
            if is_offline() {
                stale_by = Some(age - self.ttl);
            } else {
                let _ = fs::remove_file(&path);
                return None;
            }
        }

        let data = fs::read_to_string(&path).ok()?;
        let envelope: CacheEnvelope<T> = serde_json::from_str(&data).ok()?;
        if envelope.schema_version != CACHE_SCHEMA_VERSION {
            // A schema mismatch is a hard miss in every mode: the payload shape
            // changed and must never be deserialized as the old one.
            let _ = fs::remove_file(&path);
            return None;
        }
        Some((envelope.payload, stale_by))
    }

    /// Atomically write a value under `file_name`.
    pub fn set_named<V: Serialize + ?Sized>(&self, file_name: &str, value: &V) -> Result<()> {
        if !self.cache_dir.exists() {
            fs::create_dir_all(&self.cache_dir)?;
        }
        let envelope = CacheEnvelope {
            schema_version: CACHE_SCHEMA_VERSION,
            payload: value,
        };
        let data = serde_json::to_string(&envelope)?;
        write_atomic(&self.path_for(file_name), data.as_bytes())?;
        Ok(())
    }

    /// Read a cached value by [`CacheKey`].
    #[must_use]
    pub fn get(&self, key: &CacheKey) -> Option<T> {
        self.get_named(&key.to_filename())
    }

    /// Atomically write a value keyed by [`CacheKey`].
    pub fn set<V: Serialize + ?Sized>(&self, key: &CacheKey, value: &V) -> Result<()> {
        self.set_named(&key.to_filename(), value)
    }

    /// Remove a cached entry by [`CacheKey`].
    pub fn remove(&self, key: &CacheKey) -> Result<()> {
        let path = self.path_for(&key.to_filename());
        if path.exists() {
            fs::remove_file(path)?;
        }
        Ok(())
    }

    /// Remove every JSON entry from the cache directory.
    pub fn clear(&self) -> Result<()> {
        if self.cache_dir.exists() {
            for entry in fs::read_dir(&self.cache_dir)? {
                let entry = entry?;
                if entry.path().extension().is_some_and(|e| e == "json") {
                    let _ = fs::remove_file(entry.path());
                }
            }
        }
        Ok(())
    }

    /// Aggregate statistics over the cache directory.
    #[must_use]
    pub fn stats(&self) -> CacheStats {
        let mut stats = CacheStats::default();

        if let Ok(entries) = fs::read_dir(&self.cache_dir) {
            for entry in entries.flatten() {
                if entry.path().extension().is_some_and(|e| e == "json") {
                    stats.total_entries += 1;
                    if let Ok(metadata) = entry.metadata() {
                        stats.total_size += metadata.len();
                        if let Ok(modified) = metadata.modified()
                            && let Ok(age) = modified.elapsed()
                            && age > self.ttl
                        {
                            stats.expired_entries += 1;
                        }
                    }
                }
            }
        }

        stats
    }
}

/// Write `bytes` to `path` atomically via a temp file + rename.
///
/// The temp file lives in the same directory as the target so the final
/// `rename` is a same-filesystem operation and therefore atomic.
fn write_atomic(path: &Path, bytes: &[u8]) -> Result<()> {
    let parent = path.parent().unwrap_or_else(|| Path::new("."));
    let file_name = path
        .file_name()
        .map_or_else(|| "cache".to_string(), |n| n.to_string_lossy().into_owned());
    let tmp = parent.join(format!(".{file_name}.{}.tmp", std::process::id()));

    fs::write(&tmp, bytes)?;
    match fs::rename(&tmp, path) {
        Ok(()) => Ok(()),
        Err(e) => {
            let _ = fs::remove_file(&tmp);
            Err(e.into())
        }
    }
}

/// Cache statistics.
#[derive(Debug, Default)]
pub struct CacheStats {
    /// Total number of cached entries
    pub total_entries: usize,
    /// Number of expired entries
    pub expired_entries: usize,
    /// Total size in bytes
    pub total_size: u64,
}

// ============================================================================
// EnrichmentSource trait
// ============================================================================

/// A source of external data that enriches SBOM components.
///
/// This models the shape shared by the OSV, KEV, EOL, and staleness enrichers:
/// each has a stable name, a cache namespace and TTL, and an operation that
/// applies fetched data to a slice of [`Component`]s in place, returning a
/// source-specific statistics value.
///
/// It is a thin description layer over the existing enrichers — implementing it
/// does not change what any source fetches or how results are mapped.
pub trait EnrichmentSource {
    /// Per-source statistics returned by [`enrich`](EnrichmentSource::enrich).
    type Stats;

    /// Stable, human-readable source name (e.g. `"OSV"`, `"KEV"`).
    fn name(&self) -> &'static str;

    /// Cache namespace (the directory under `…/sbom-tools/`).
    fn cache_namespace(&self) -> &'static str;

    /// Time-to-live for this source's cache entries.
    fn cache_ttl(&self) -> Duration;

    /// Apply this source's data to the given components in place.
    fn enrich(&mut self, components: &mut [Component]) -> Result<Self::Stats>;
}

#[cfg(test)]
mod tests {
    use super::*;
    use serde::Deserialize;

    #[derive(Debug, Clone, PartialEq, Serialize, Deserialize)]
    struct Payload {
        value: u32,
        label: String,
    }

    fn sample() -> Payload {
        Payload {
            value: 7,
            label: "hello".to_string(),
        }
    }

    #[test]
    fn namespaced_cache_dir_includes_namespace() {
        let dir = namespaced_cache_dir("osv");
        let s = dir.to_string_lossy();
        assert!(s.contains("sbom-tools"));
        assert!(s.ends_with("osv"));
    }

    #[test]
    fn backoff_is_exponential_and_capped() {
        assert_eq!(backoff_delay(1, None), Duration::from_secs(1));
        assert_eq!(backoff_delay(2, None), Duration::from_secs(2));
        assert_eq!(backoff_delay(3, None), Duration::from_secs(4));
        // Capped at MAX_BACKOFF regardless of attempt.
        assert_eq!(backoff_delay(20, None), MAX_BACKOFF);
    }

    #[test]
    fn backoff_honors_retry_after_but_caps_it() {
        assert_eq!(
            backoff_delay(1, Some(Duration::from_secs(3))),
            Duration::from_secs(3)
        );
        assert_eq!(
            backoff_delay(1, Some(Duration::from_secs(120))),
            MAX_BACKOFF
        );
    }

    #[test]
    fn cache_roundtrip_survives_reopen() {
        let tmp = tempfile::tempdir().unwrap();
        {
            let cache: JsonCache<Payload> =
                JsonCache::new(tmp.path().to_path_buf(), Duration::from_secs(3600)).unwrap();
            cache.set_named("entry", &sample()).unwrap();
        }
        // A freshly constructed cache reads the persisted, atomically written file.
        let cache: JsonCache<Payload> =
            JsonCache::new(tmp.path().to_path_buf(), Duration::from_secs(3600)).unwrap();
        assert_eq!(cache.get_named("entry"), Some(sample()));
    }

    #[test]
    fn atomic_write_leaves_no_temp_files() {
        let tmp = tempfile::tempdir().unwrap();
        let cache: JsonCache<Payload> =
            JsonCache::new(tmp.path().to_path_buf(), Duration::from_secs(3600)).unwrap();
        cache.set_named("entry", &sample()).unwrap();

        let tmp_files: Vec<_> = fs::read_dir(tmp.path())
            .unwrap()
            .flatten()
            .filter(|e| e.path().extension().is_some_and(|x| x == "tmp"))
            .collect();
        assert!(tmp_files.is_empty(), "temp file should be renamed away");
    }

    #[test]
    fn schema_version_mismatch_invalidates_entry() {
        let tmp = tempfile::tempdir().unwrap();
        let cache: JsonCache<Payload> =
            JsonCache::new(tmp.path().to_path_buf(), Duration::from_secs(3600)).unwrap();

        // Hand-write an envelope with a different schema version.
        let stale = format!(
            "{{\"schema_version\":{},\"payload\":{{\"value\":1,\"label\":\"x\"}}}}",
            CACHE_SCHEMA_VERSION + 1
        );
        let path = cache.path_for("entry");
        fs::write(&path, stale).unwrap();

        assert!(
            cache.get_named("entry").is_none(),
            "mismatched schema version must be a miss"
        );
        assert!(!path.exists(), "stale entry should be evicted");
    }

    #[test]
    fn ttl_expiry_evicts_entry() {
        let tmp = tempfile::tempdir().unwrap();
        // TTL margin must comfortably exceed the set+get round-trip (atomic
        // write + read + deserialize), which can spike on a loaded CI runner.
        let cache: JsonCache<Payload> =
            JsonCache::new(tmp.path().to_path_buf(), Duration::from_millis(200)).unwrap();
        cache.set_named("entry", &sample()).unwrap();
        assert!(cache.get_named("entry").is_some());

        std::thread::sleep(Duration::from_millis(400));
        assert!(
            cache.get_named("entry").is_none(),
            "entry past TTL must be a miss"
        );
        assert!(
            !cache.path_for("entry").exists(),
            "expired entry should be evicted"
        );
    }

    #[cfg(feature = "enrichment")]
    #[test]
    fn read_bounded_rejects_oversized_body() {
        use httpmock::prelude::*;

        let server = MockServer::start();
        // A body that comfortably exceeds the tiny test cap below.
        let body = "x".repeat(1024);
        let mock = server.mock(|when, then| {
            when.method(GET).path("/big");
            then.status(200).body(&body);
        });

        let client = http_client(Duration::from_secs(5)).unwrap();
        let resp = get_with_retry(&client, &format!("{}/big", server.base_url()), 0).unwrap();
        mock.assert();

        let err =
            read_bounded_with_max(resp, 16).expect_err("a body over the cap must be rejected");
        // The user-facing message names the size-cap; the byte-precise detail
        // ("exceeds the N-byte limit") is carried on the error's source chain.
        assert!(
            err.to_string().contains("too large"),
            "error must explain the size-cap rejection, got: {err}"
        );
        let detail = std::error::Error::source(&err)
            .map(ToString::to_string)
            .unwrap_or_default();
        assert!(
            detail.contains("exceeds"),
            "source must carry the byte-precise detail, got: {detail}"
        );
    }

    #[cfg(feature = "enrichment")]
    #[test]
    fn read_bounded_accepts_body_within_cap() {
        use httpmock::prelude::*;

        let server = MockServer::start();
        let mock = server.mock(|when, then| {
            when.method(GET).path("/ok");
            then.status(200).body("hello");
        });

        let client = http_client(Duration::from_secs(5)).unwrap();
        let resp = get_with_retry(&client, &format!("{}/ok", server.base_url()), 0).unwrap();
        mock.assert();

        let bytes = read_bounded_with_max(resp, MAX_RESPONSE_BYTES).unwrap();
        assert_eq!(bytes, b"hello");
    }

    #[test]
    fn clear_and_stats() {
        let tmp = tempfile::tempdir().unwrap();
        let cache: JsonCache<Payload> =
            JsonCache::new(tmp.path().to_path_buf(), Duration::from_secs(3600)).unwrap();
        // `stats`/`clear` operate on `.json` entries, matching how all real
        // callers name their files (CacheKey::to_filename, cache_filename, …).
        cache.set_named("a.json", &sample()).unwrap();
        cache.set_named("b.json", &sample()).unwrap();
        assert_eq!(cache.stats().total_entries, 2);
        cache.clear().unwrap();
        assert_eq!(cache.stats().total_entries, 0);
    }
}