oscerd opened a new pull request, #24573: URL: https://github.com/apache/camel/pull/24573
JIRA: https://issues.apache.org/jira/browse/CAMEL-23979 Exposes the published Apache Camel CVE security advisories (the data behind https://camel.apache.org/security/) to tooling, following the approach suggested by @davsclaus on the issue: the advisories are synced from camel-website into a JSON file shipped with `camel-catalog`, the same way the known releases are synced, and the MCP server consumes the catalog fully offline. ## Changes ### camel-tooling-model - New `SecurityAdvisoryModel` (cve, date, severity, summary, affected, fixed, mitigation, url, components) with `JsonMapper` serialization support. ### camel-package-maven-plugin - New `update-security-advisories` goal mirroring `update-camel-releases`: scans `content/security/CVE-*.md` in the camel-website repository via the GitHub contents API, parses the YAML front matter (snakeyaml-engine, already a plugin dependency), skips drafts and non-advisory pages, extracts the `camel-*` component tokens named by the advisory text, and writes `camel-security-advisories.json` into camel-catalog `src/generated`. ### camel-catalog - New `update-security-advisories` profile wiring the goal (run it like the releases sync: `mvn -Pupdate-security-advisories generate-resources` in `catalog/camel-catalog`). - Generated `advisories/camel-security-advisories.json` (currently 76 published advisories). - New `CamelCatalog.camelSecurityAdvisories()` API following the `camelReleases()` pattern. ### camel-jbang-mcp - New `camel_security_advisories` tool: lists the published advisories, optionally filtered by Camel version, component and severity. The `affected` prose is parsed best-effort (`X before Y` exclusive ranges, `X up to Y` inclusive ranges, bare versions) into an `affectsGivenVersion` verdict; advisories whose ranges cannot be parsed are kept with the verdict unset so the LLM judges from the prose. - New MCP resources `camel://security/advisories` (list) and `camel://security/advisory/{cve}` (detail). - `camel_route_harden_context` now embeds the known CVE advisories affecting the components used by the route at the given Camel version (matched via catalog artifact ids, capped at 20, failures degrade to a note without breaking the hardening analysis). - When the catalog carries no advisory data, the tools report it explicitly instead of returning an empty list, so a missing data set is never mistaken for "no known CVEs". ### Docs - `camel-jbang-mcp.adoc`: new tool row, advisory data source/freshness section, usage example. ## Data freshness semantics The advisory data is as fresh as the catalog bundled with the release (same model as the known releases data); the tool description and docs state explicitly that advisories published after the release are not included and link to the website for the latest. The TUI CVE audit tab (OSV.dev, dependency-level) remains complementary; a possible follow-up is sharing `OsvClient` and offering a dependency CVE audit tool in the MCP server too. ## Testing - `UpdateSecurityAdvisoriesMojoTest`: front-matter parsing against canned copies of two real advisories (recent + 2013-style), draft/non-advisory skipping, JsonMapper round-trip (4 tests). - `CamelCatalogTest#camelSecurityAdvisories`: validates the shipped JSON through the new API. - MCP module: `AdvisoryServiceTest`, `AdvisoryToolsTest`, `AdvisoryResourcesTest`, `HardenToolsAdvisoryTest` (20 tests) — catalog loading, both affected-range grammars, filtering, harden embedding/degradation. All fully offline. - Full module test suites green: camel-package-maven-plugin (50), camel-catalog (981), camel-jbang-mcp (300). _Claude Code on behalf of oscerd_ 🤖 Generated with [Claude Code](https://claude.com/claude-code) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
