oscerd opened a new pull request, #24573:
URL: https://github.com/apache/camel/pull/24573

   JIRA: https://issues.apache.org/jira/browse/CAMEL-23979
   
   Exposes the published Apache Camel CVE security advisories (the data behind 
https://camel.apache.org/security/) to tooling, following the approach 
suggested by @davsclaus on the issue: the advisories are synced from 
camel-website into a JSON file shipped with `camel-catalog`, the same way the 
known releases are synced, and the MCP server consumes the catalog fully 
offline.
   
   ## Changes
   
   ### camel-tooling-model
   - New `SecurityAdvisoryModel` (cve, date, severity, summary, affected, 
fixed, mitigation, url, components) with `JsonMapper` serialization support.
   
   ### camel-package-maven-plugin
   - New `update-security-advisories` goal mirroring `update-camel-releases`: 
scans `content/security/CVE-*.md` in the camel-website repository via the 
GitHub contents API, parses the YAML front matter (snakeyaml-engine, already a 
plugin dependency), skips drafts and non-advisory pages, extracts the `camel-*` 
component tokens named by the advisory text, and writes 
`camel-security-advisories.json` into camel-catalog `src/generated`.
   
   ### camel-catalog
   - New `update-security-advisories` profile wiring the goal (run it like the 
releases sync: `mvn -Pupdate-security-advisories generate-resources` in 
`catalog/camel-catalog`).
   - Generated `advisories/camel-security-advisories.json` (currently 76 
published advisories).
   - New `CamelCatalog.camelSecurityAdvisories()` API following the 
`camelReleases()` pattern.
   
   ### camel-jbang-mcp
   - New `camel_security_advisories` tool: lists the published advisories, 
optionally filtered by Camel version, component and severity. The `affected` 
prose is parsed best-effort (`X before Y` exclusive ranges, `X up to Y` 
inclusive ranges, bare versions) into an `affectsGivenVersion` verdict; 
advisories whose ranges cannot be parsed are kept with the verdict unset so the 
LLM judges from the prose.
   - New MCP resources `camel://security/advisories` (list) and 
`camel://security/advisory/{cve}` (detail).
   - `camel_route_harden_context` now embeds the known CVE advisories affecting 
the components used by the route at the given Camel version (matched via 
catalog artifact ids, capped at 20, failures degrade to a note without breaking 
the hardening analysis).
   - When the catalog carries no advisory data, the tools report it explicitly 
instead of returning an empty list, so a missing data set is never mistaken for 
"no known CVEs".
   
   ### Docs
   - `camel-jbang-mcp.adoc`: new tool row, advisory data source/freshness 
section, usage example.
   
   ## Data freshness semantics
   
   The advisory data is as fresh as the catalog bundled with the release (same 
model as the known releases data); the tool description and docs state 
explicitly that advisories published after the release are not included and 
link to the website for the latest. The TUI CVE audit tab (OSV.dev, 
dependency-level) remains complementary; a possible follow-up is sharing 
`OsvClient` and offering a dependency CVE audit tool in the MCP server too.
   
   ## Testing
   - `UpdateSecurityAdvisoriesMojoTest`: front-matter parsing against canned 
copies of two real advisories (recent + 2013-style), draft/non-advisory 
skipping, JsonMapper round-trip (4 tests).
   - `CamelCatalogTest#camelSecurityAdvisories`: validates the shipped JSON 
through the new API.
   - MCP module: `AdvisoryServiceTest`, `AdvisoryToolsTest`, 
`AdvisoryResourcesTest`, `HardenToolsAdvisoryTest` (20 tests) — catalog 
loading, both affected-range grammars, filtering, harden embedding/degradation. 
All fully offline.
   - Full module test suites green: camel-package-maven-plugin (50), 
camel-catalog (981), camel-jbang-mcp (300).
   
   _Claude Code on behalf of oscerd_
   
   🤖 Generated with [Claude Code](https://claude.com/claude-code)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to