fix: spdx relationships (#179)

Signed-off-by: Ruben Romero Montes <[email protected]>

Author: ruromero

src/main/java/com/redhat/exhort/integration/backend/ExhortIntegration.java

@@ -26,6 +26,7 @@
 import java.util.Arrays;
 
 import org.apache.camel.Exchange;
+import org.apache.camel.LoggingLevel;
 import org.apache.camel.Message;
 import org.apache.camel.builder.AggregationStrategies;
 import org.apache.camel.builder.endpoint.EndpointRouteBuilder;
@@ -51,6 +52,7 @@
 import jakarta.ws.rs.ClientErrorException;
 import jakarta.ws.rs.core.MediaType;
 import jakarta.ws.rs.core.Response;
+import jakarta.ws.rs.core.Response.Status;
 
 @ApplicationScoped
 public class ExhortIntegration extends EndpointRouteBuilder {
@@ -78,7 +80,7 @@ public void configure() {
     restConfiguration().contextPath("/api/")
       .clientRequestValidation(true);
 
-    errorHandler(deadLetterChannel("seda:processFailedRequests"));
+    errorHandler(deadLetterChannel("direct:processInternalError"));
 
     onException(IllegalArgumentException.class)
       .routeId("onExhortIllegalArgumentException")
@@ -174,7 +176,17 @@ public void configure() {
       .process(analytics::trackAnalysis);
 
     from(seda("processFailedRequests"))
+      .routeId("processFailedRequests")
       .process(monitoringProcessor::processServerError);
+
+    from(direct("processInternalError"))
+      .routeId("processInternalError")
+      .log(LoggingLevel.ERROR, "${exception.stacktrace}")
+      .to(seda("processFailedRequests"))
+      .setBody().simple("${exception.message}")
+      .setHeader(Exchange.HTTP_RESPONSE_CODE, constant(Status.INTERNAL_SERVER_ERROR.getStatusCode()))
+      .setHeader(Exchange.CONTENT_TYPE, constant(MediaType.TEXT_PLAIN))
+      ;
     //fmt:on
   }
 

src/main/java/com/redhat/exhort/integration/backend/sbom/SbomParser.java

@@ -46,14 +46,15 @@ protected void validate(DependencyTree tree) {
               types.add(d.ref().purl().getType());
               d.transitive().forEach(t -> types.add(t.purl().getType()));
             });
-    if (types.size() > 1) {
-      throw new IllegalArgumentException(
-          "It is not supported to submit mixed Package Manager types. Found: " + types);
-    }
+
     List<String> invalidTypes =
         types.stream().filter(Predicate.not(Constants.PKG_MANAGERS::contains)).toList();
     if (!invalidTypes.isEmpty()) {
       throw new IllegalArgumentException("Unsupported package types received: " + invalidTypes);
     }
+    if (types.size() > 1) {
+      throw new IllegalArgumentException(
+          "It is not supported to submit mixed Package Manager types. Found: " + types);
+    }
   }
 }

src/main/java/com/redhat/exhort/integration/backend/sbom/spdx/SpdxParser.java

@@ -25,22 +25,19 @@
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Map;
-import java.util.Optional;
 import java.util.Set;
-import java.util.function.Predicate;
 import java.util.stream.Collectors;
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.spdx.jacksonstore.MultiFormatStore;
 import org.spdx.jacksonstore.MultiFormatStore.Format;
 import org.spdx.library.InvalidSPDXAnalysisException;
-import org.spdx.library.model.Relationship;
 import org.spdx.library.model.SpdxPackage;
+import org.spdx.library.model.enumerations.RelationshipType;
 import org.spdx.storage.simple.InMemSpdxStore;
 
 import com.redhat.exhort.api.PackageRef;
-import com.redhat.exhort.integration.Constants;
 import com.redhat.exhort.integration.backend.sbom.SbomParser;
 import com.redhat.exhort.model.DependencyTree;
 import com.redhat.exhort.model.DirectDependency;
@@ -57,16 +54,7 @@ protected DependencyTree buildTree(InputStream input) {
     try {
       MultiFormatStore inputStore = new MultiFormatStore(new InMemSpdxStore(), Format.JSON_PRETTY);
       SpdxWrapper wrapper = new SpdxWrapper(inputStore, input);
-      PackageRef root = wrapper.getRootRef();
       Map<PackageRef, DirectDependency> deps = buildDeps(wrapper);
-      if (root == null) {
-        Optional<PackageRef> first = deps.keySet().stream().findFirst();
-        if (first.isEmpty()) {
-          root = DependencyTree.getDefaultRoot(Constants.MAVEN_PKG_MANAGER);
-        } else {
-          root = DependencyTree.getDefaultRoot(first.get().purl().getType());
-        }
-      }
       DependencyTree tree = new DependencyTree(deps);
       return tree;
     } catch (SpdxProcessingException | InvalidSPDXAnalysisException | IOException e) {
@@ -80,21 +68,8 @@ protected DependencyTree buildTree(InputStream input) {
   private Map<PackageRef, DirectDependency> buildDeps(SpdxWrapper wrapper) {
     Collection<SpdxPackage> packages = wrapper.getPackages();
     Map<String, Set<String>> links = new HashMap<>();
-    packages.stream()
-        .filter(Predicate.not(wrapper::hasRootName))
-        .forEach(
-            p -> {
-              try {
-                String id = p.getId();
-                Set<String> rels =
-                    p.getRelationships().stream()
-                        .map(this::getRelationshipId)
-                        .collect(Collectors.toSet());
-                links.put(id, rels);
-              } catch (InvalidSPDXAnalysisException e) {
-                throw new SpdxProcessingException("Unable to retrieve relationsips", e);
-              }
-            });
+    packages.stream().forEach(p -> createPackageLinks(p, packages, links));
+
     Set<String> directDeps =
         links.keySet().stream()
             .filter(
@@ -131,6 +106,94 @@ private Map<PackageRef, DirectDependency> buildDeps(SpdxWrapper wrapper) {
     return deps;
   }
 
+  private void createPackageLinks(
+      SpdxPackage p, Collection<SpdxPackage> packages, Map<String, Set<String>> links) {
+    try {
+      String pkgId = p.getId();
+      if (packages.stream().noneMatch(pkg -> pkg.getId().equals(pkgId))) {
+        return;
+      }
+      if (p.getRelationships() == null || p.getRelationships().isEmpty()) {
+        addLink(links, pkgId, null);
+      }
+      p.getRelationships().stream()
+          .forEach(
+              rel -> {
+                try {
+                  String relatedId;
+                  if (rel.getRelatedSpdxElement().isPresent()) {
+                    relatedId = rel.getRelatedSpdxElement().get().getId();
+                  } else {
+                    relatedId = null;
+                  }
+                  boolean shouldIndexRelated =
+                      packages.stream().anyMatch(pkg -> pkg.getId().equals(relatedId));
+
+                  switch (RelationshipDirection.fromRelationshipType(rel.getRelationshipType())) {
+                    case FORWARD:
+                      if (shouldIndexRelated) {
+                        addLink(links, pkgId, relatedId);
+                      } else {
+                        addLink(links, pkgId, null);
+                      }
+                      break;
+                    case BACKWARDS:
+                      if (shouldIndexRelated) {
+                        addLink(links, relatedId, pkgId);
+                      }
+                      break;
+                    case IGNORED:
+                  }
+                } catch (InvalidSPDXAnalysisException e) {
+                  throw new SpdxProcessingException(
+                      "Unable to determine relationship for " + p.getId(), e);
+                }
+              });
+    } catch (InvalidSPDXAnalysisException e) {
+      throw new SpdxProcessingException("Unable to build package relationships", e);
+    }
+  }
+
+  private enum RelationshipDirection {
+    FORWARD,
+    BACKWARDS,
+    IGNORED;
+
+    static RelationshipDirection fromRelationshipType(RelationshipType type) {
+      switch (type) {
+        case DEPENDS_ON:
+        case CONTAINS:
+        case BUILD_DEPENDENCY_OF:
+        case OPTIONAL_COMPONENT_OF:
+        case OPTIONAL_DEPENDENCY_OF:
+        case PROVIDED_DEPENDENCY_OF:
+        case TEST_DEPENDENCY_OF:
+        case RUNTIME_DEPENDENCY_OF:
+        case DEV_DEPENDENCY_OF:
+        case ANCESTOR_OF:
+          return FORWARD;
+        case DEPENDENCY_OF:
+        case DESCENDANT_OF:
+        case PACKAGE_OF:
+        case CONTAINED_BY:
+          return BACKWARDS;
+        default:
+          return IGNORED;
+      }
+    }
+  }
+
+  private void addLink(Map<String, Set<String>> links, String fromId, String toId) {
+    Set<String> toRefs = links.get(fromId);
+    if (toRefs == null) {
+      toRefs = new HashSet<>();
+      links.put(fromId, toRefs);
+    }
+    if (toId != null) {
+      toRefs.add(toId);
+    }
+  }
+
   private Set<String> addAllTransitive(String depKey, Map<String, Set<String>> links) {
     Set<String> deps = links.get(depKey);
     if (deps == null) {
@@ -144,12 +207,4 @@ private Set<String> addAllTransitive(String depKey, Map<String, Set<String>> lin
             });
     return result;
   }
-
-  private String getRelationshipId(Relationship r) {
-    try {
-      return r.getRelatedSpdxElement().get().getId();
-    } catch (InvalidSPDXAnalysisException e) {
-      throw new SpdxProcessingException("Unable to retrieve related Spdx element", e);
-    }
-  }
 }

src/main/java/com/redhat/exhort/integration/backend/sbom/spdx/SpdxWrapper.java

@@ -44,7 +44,6 @@ public class SpdxWrapper {
   private MultiFormatStore inputStore;
   private SpdxDocument doc;
   private String uri;
-  private SpdxPackage root;
   private Collection<SpdxPackage> packages;
 
   public SpdxWrapper(MultiFormatStore inputStore, InputStream input)
@@ -58,29 +57,6 @@ public SpdxWrapper(MultiFormatStore inputStore, InputStream input)
       throw new SpdxProcessingException("Invalid " + SUPPORTED_VERSION + " document received");
     }
     this.packages = parsePackages();
-    this.root = findRoot();
-  }
-
-  public PackageRef getRootRef() {
-    if (root != null) {
-      return toPackageRef(root);
-    }
-    return null;
-  }
-
-  private SpdxPackage findRoot() throws InvalidSPDXAnalysisException {
-    if (doc.getName().isEmpty()) {
-      return null;
-    }
-    return packages.stream().filter(p -> hasRootName(p)).findFirst().orElse(null);
-  }
-
-  public boolean hasRootName(SpdxPackage p) {
-    try {
-      return p.getName().isPresent() && p.getName().get().equals(doc.getName().get());
-    } catch (InvalidSPDXAnalysisException e) {
-      throw new SpdxProcessingException("Unable to retrieve name for package", e);
-    }
   }
 
   public PackageRef toPackageRef(SpdxPackage spdxPackage) {
@@ -107,6 +83,25 @@ public PackageRef toPackageRef(SpdxPackage spdxPackage) {
     }
   }
 
+  public boolean hasPurl(SpdxPackage pkg) {
+    try {
+      if (pkg.getExternalRefs() == null || pkg.getExternalRefs().isEmpty()) {
+        return false;
+      }
+      return pkg.getExternalRefs().stream()
+          .anyMatch(
+              ref -> {
+                try {
+                  return PURL_REFERENCE.equals(ref.getReferenceType().getIndividualURI());
+                } catch (InvalidSPDXAnalysisException e) {
+                  return false;
+                }
+              });
+    } catch (InvalidSPDXAnalysisException e) {
+      return false;
+    }
+  }
+
   public Collection<SpdxPackage> getPackages() {
     return this.packages;
   }
@@ -120,11 +115,26 @@ public SpdxPackage getPackageById(String id) {
   }
 
   private Collection<SpdxPackage> parsePackages() throws InvalidSPDXAnalysisException {
+    Optional<String> docName = doc.getName();
     return inputStore
         .getAllItems(uri, SpdxConstants.CLASS_SPDX_PACKAGE)
-        .filter(p -> root == null || !p.getId().equals(root.getId()))
         .map(TypedValue::getId)
         .map(this::getPackageById)
+        .filter(this::hasPurl)
+        .filter(p -> !packageHasName(p, docName))
         .collect(Collectors.toList());
   }
+
+  private boolean packageHasName(SpdxPackage pkg, Optional<String> expected) {
+    Optional<String> name;
+    try {
+      name = pkg.getName();
+      if (name.isPresent()) {
+        return name.get().equals(expected.orElse(null));
+      }
+      return expected.isEmpty();
+    } catch (InvalidSPDXAnalysisException e) {
+      throw new SpdxProcessingException("Unable to retrieve package name", e);
+    }
+  }
 }