refactor: address review comments and rebase

Author: AI Assistant

Dockerfile

@@ -19,10 +19,10 @@ FROM eclipse-temurin:21-jre-jammy AS runtime
 USER root
 RUN apt-get update && apt-get install -y curl wget ca-certificates
 # Install Grype
-ARG GRYPE_VERSION=0.84.0
+ARG GRYPE_VERSION=0.104.0
 RUN curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin v${GRYPE_VERSION}
 # Install Trivy
-ARG TRIVY_VERSION=0.58.1
+ARG TRIVY_VERSION=0.67.2
 RUN curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v${TRIVY_VERSION}
 # Install OSV Scanner - using install script
 RUN curl -L https://github.com/google/osv-scanner/releases/latest/download/osv-scanner_linux_amd64 -o /usr/local/bin/osv-scanner && chmod +x /usr/local/bin/osv-scanner || echo "OSV Scanner installation failed, continuing without it"

api/src/main/java/org/svip/api/controller/VulnerabilityController.java

@@ -18,46 +18,90 @@
 
 @RestController
 @RequestMapping("/svip/vulnerabilities")
+/**
+ * REST Controller for managing vulnerability data and alerts
+ */
 public class VulnerabilityController {
 
     private final VulnerabilityHistoryService historyService;
     private final VulnerabilityAlertRepository alertRepository;
 
+    /**
+     * Create a new VulnerabilityController
+     *
+     * @param historyService Service for vulnerability history
+     * @param alertRepository Repository for vulnerability alerts
+     */
     public VulnerabilityController(VulnerabilityHistoryService historyService,
                                   VulnerabilityAlertRepository alertRepository) {
         this.historyService = historyService;
         this.alertRepository = alertRepository;
     }
 
     // Historical Tracking APIs
+
+    /**
+     * Get all projects with vulnerability history
+     *
+     * @return List of project names
+     */
     @GetMapping("/history/projects")
     public ResponseEntity<List<String>> getAllProjects() {
         return ResponseEntity.ok(historyService.getAllProjects());
     }
 
+    /**
+     * Get vulnerability history for a project
+     *
+     * @param projectName Name of the project
+     * @param days Number of days to retrieve
+     * @return List of vulnerability history records
+     */
     @GetMapping("/history/{projectName}")
     public ResponseEntity<List<VulnerabilityHistory>> getHistory(
             @PathVariable String projectName,
             @RequestParam(defaultValue = "30") int days) {
         return ResponseEntity.ok(historyService.getTrend(projectName, days));
     }
 
+    /**
+     * Get the latest vulnerability history for a project
+     *
+     * @param projectName Name of the project
+     * @return Latest vulnerability history record
+     */
     @GetMapping("/history/{projectName}/latest")
     public ResponseEntity<VulnerabilityHistory> getLatest(@PathVariable String projectName) {
         return ResponseEntity.ok(historyService.getLatest(projectName));
     }
 
     // Alert APIs
+
+    /**
+     * Get all vulnerability alerts
+     *
+     * @return List of all vulnerability alerts
+     */
     @GetMapping("/alerts")
     public ResponseEntity<List<VulnerabilityAlert>> getAllAlerts() {
         return ResponseEntity.ok(alertRepository.findAllByOrderByCreatedAtDesc());
     }
 
+    /**
+     * Get all unacknowledged vulnerability alerts
+     *
+     * @return List of unacknowledged vulnerability alerts
+     */
     @GetMapping("/alerts/unacknowledged")
     public ResponseEntity<List<VulnerabilityAlert>> getUnacknowledgedAlerts() {
         return ResponseEntity.ok(alertRepository.findByAcknowledgedFalseOrderByCreatedAtDesc());
     }
 
+    /**
+     * Get statistics on vulnerability alerts
+     *
+     * @return Map of alert statistics
+     */
     @GetMapping("/alerts/stats")
     public ResponseEntity<Map<String, Long>> getAlertStats() {
         Map<String, Long> stats = new HashMap<>();
@@ -67,6 +111,13 @@ public ResponseEntity<Map<String, Long>> getAlertStats() {
         return ResponseEntity.ok(stats);
     }
 
+    /**
+     * Acknowledge a vulnerability alert
+     *
+     * @param alertId ID of the alert to acknowledge
+     * @param acknowledgedBy Name of the user acknowledging the alert
+     * @return 200 OK if successful
+     */
     @PostMapping("/alerts/{alertId}/acknowledge")
     public ResponseEntity<Void> acknowledgeAlert(
             @PathVariable Long alertId,

api/src/main/java/org/svip/api/services/VulnerabilityScanService.java

@@ -401,6 +401,14 @@ else if (scanResult.has("Results") && scanResult.get("Results").isArray()) {
         }
     }
 
+    /**
+     * Normalizes an SBOM for scanning by ensuring components have PURLs and CPEs
+     * where possible, and adding properties for Syft compatibility.
+     *
+     * @param sbomContents The original SBOM JSON string
+     * @param sbomFileName The name of the SBOM file
+     * @return The normalized SBOM JSON string
+     */
     private String normalizeSbomForScanning(String sbomContents, String sbomFileName) {
         try {
             JsonNode root = objectMapper.readTree(sbomContents);
@@ -735,6 +743,13 @@ private String decodeUrl(String value) {
         }
     }
 
+    /**
+     * Converts Grype's native JSON output format to CycloneDX vulnerabilities.
+     *
+     * @param grypeOutput The Grype JSON output
+     * @param componentBomRefMap Mapping from component identifiers to bom-refs
+     * @return List of CycloneDX vulnerability nodes
+     */
     private List<JsonNode> convertGrypeMatchesToCycloneDX(JsonNode grypeOutput, Map<String, String> componentBomRefMap) {
         List<JsonNode> vulnerabilities = new ArrayList<>();
 
@@ -897,6 +912,13 @@ private void addCvssRating(ArrayNode ratingsArray, JsonNode cvss) {
         }
     }
 
+    /**
+     * Converts Trivy's JSON output to CycloneDX vulnerabilities.
+     *
+     * @param trivyOutput The Trivy JSON output
+     * @param componentBomRefMap Mapping from component identifiers to bom-refs
+     * @return List of CycloneDX vulnerability nodes
+     */
     private List<JsonNode> convertTrivyResultsToCycloneDX(JsonNode trivyOutput, Map<String, String> componentBomRefMap) {
         List<JsonNode> vulnerabilities = new ArrayList<>();
 

backend-rebase.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+git checkout -B dev origin/dev && git pull
+git checkout -B feat/descriptive-sbom-filenames origin/feat/descriptive-sbom-filenames
+
+git reset --hard HEAD~1 && git rebase -X ours dev
+git checkout -B feature/vulnerability-scanning-integration origin/feature/vulnerability-scanning-integration
+git rebase -X ours feat/descriptive-sbom-filenames
+echo "done"
+exit 0

compose.dev.yaml

@@ -15,7 +15,7 @@ services:
     ports:
       - "5000:5000"
     healthcheck:
-      test: ["CMD-SHELL", "python3 -c \"import urllib.request,sys; urllib.request.urlopen('http://localhost:5000/tools', timeout=5); sys.exit(0)\""]
+      test: ["CMD", "curl", "-f", "http://localhost:5000/healthcheck"]
       start_period: 60s   # allow validation to finish before first check
       interval: 20s
       timeout: 10s

compose.yaml

@@ -13,7 +13,7 @@ services:
     build: osi
     pull_policy: never  # use local build
     healthcheck:
-      test: ["CMD-SHELL", "python3 -c \"import urllib.request,sys; urllib.request.urlopen('http://localhost:5000/tools', timeout=5); sys.exit(0)\""]
+      test: ["CMD", "curl", "-f", "http://localhost:5000/healthcheck"]
       start_period: 60s   # allow validation to finish before first check
       interval: 20s
       timeout: 10s

core/src/main/java/org/svip/serializers/serializer/CDX14JSONSerializer.java

@@ -108,6 +108,14 @@ public void setPrettyPrinting(boolean prettyPrint) {
         this.prettyPrint = prettyPrint;
     }
 
+    /**
+     * Serializes an SBOM object to a JSON generator.
+     *
+     * @param sbom The SBOM to serialize
+     * @param jsonGenerator The JSON generator
+     * @param provider The serializer provider
+     * @throws IOException If an error occurs during serialization
+     */
     @Override
     public void serialize(SVIPSBOM sbom, JsonGenerator jsonGenerator, SerializerProvider provider) throws IOException {
         jsonGenerator.writeStartObject();
@@ -449,6 +457,13 @@ private void writeExternalRefs(JsonGenerator jsonGenerator, Set<ExternalReferenc
         jsonGenerator.writeEndArray();
     }
 
+    /**
+     * Writes a component to the JSON generator.
+     *
+     * @param jsonGenerator The JSON generator
+     * @param component The component to write
+     * @throws IOException If an error occurs during writing
+     */
     private void writeComponent(JsonGenerator jsonGenerator, SVIPComponentObject component) throws IOException {
         jsonGenerator.writeStartObject();
 

osi/Dockerfile

@@ -29,7 +29,7 @@ RUN curl -L $GRADLE -o gradle.zip
 # Install anchore tooling on debian container
 FROM debian:bookworm-slim AS anchore_install
 ARG SYFT_VERSION=1.30.0
-ARG GRYPE_VERSION=0.84.0
+ARG GRYPE_VERSION=0.104.0
 WORKDIR /tmp
 RUN apt update && apt install curl -y
 RUN curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /tmp "v$SYFT_VERSION"
@@ -38,7 +38,7 @@ RUN curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh |
 
 # Install vulnerability scanners
 FROM debian:bookworm-slim AS vuln_scanner_install
-ARG TRIVY_VERSION=0.58.1
+ARG TRIVY_VERSION=0.67.2
 ARG OSV_SCANNER_VERSION=1.9.2
 ARG DEPENDENCY_CHECK_VERSION=11.1.1
 WORKDIR /tmp

osi/osi/configs/tools/grype.yml

@@ -11,13 +11,5 @@ profiles:
       - "All"
     commands:
       - "grype sbom:$SBOM_OUT/merged-sbom.json -o cyclonedx-json --file $SBOM_OUT/grype-vulns-cdx14.json"
-  - schema: "cyclonedx"
-    spec_version: "1.5"
-    format: "json"
-    languages:
-      - "All"
-    package_managers:
-      - "All"
-    commands:
-      - "grype sbom:$SBOM_OUT/merged-sbom.json -o cyclonedx-json@1.5 --file $SBOM_OUT/grype-vulns-cdx15.json"
+
 

osi/osi/configs/tools/trivy.yml

@@ -11,13 +11,5 @@ profiles:
       - "All"
     commands:
       - "trivy sbom --format cyclonedx --output $SBOM_OUT/trivy-vulns-cdx14.json $SBOM_OUT/merged-sbom.json"
-  - schema: "cyclonedx"
-    spec_version: "1.5"
-    format: "json"
-    languages:
-      - "All"
-    package_managers:
-      - "All"
-    commands:
-      - "trivy sbom --format cyclonedx --scanners vuln --output $SBOM_OUT/trivy-vulns-cdx15.json $SBOM_OUT/merged-sbom.json"
+