Add the vulnerability report

closes: #6773

Author: git-hyagi

CHANGES/6773.feature

@@ -0,0 +1 @@
+Added the vulnerability report data model.

docs/admin/reference/tech-preview.md

@@ -5,4 +5,5 @@ The following features are currently being released as part of tech preview:
 - [Support for Open Telemetry](site:pulpcore/docs/admin/learn/architecture/#telemetry-support)
 - Upstream replicas
 - Domains - Multi-Tenancy
-- [Checkpoint](site:pulpcore/docs/user/guides/checkpoint/)
+- [Checkpoint](site:pulpcore/docs/user/guides/checkpoint/)
+- [Vulnerability Report](site:pulpcore/docs/dev/learn/other/vulnerability-report/)

docs/dev/learn/other/vulnerability-report.md

@@ -0,0 +1,96 @@
+# Adding vulnerability report for plugins
+
+
+!!! warning
+    This feature is provided as a tech preview and could change in backwards incompatible
+    ways in the future.
+
+
+Pulp provides a way to store known vulnerabilities from OSV for `content units` within a specified `RepositoryVersion`.
+Each plugin will need to implement a function to construct the [package payload](https://google.github.io/osv.dev/post-v1-query/#parameters)
+that will be used to query osv.dev database.
+
+!!! note
+    As of now, querying by osv.dev `commit` is not supported (use `package` instead).
+
+The first step in writing a vulnerability report for a Pulp `content unit` is to identify the
+package [`ecosystem`](https://google.github.io/osv.dev/post-v1-query/#parameters) by checking
+[https://ossf.github.io/osv-schema/#defined-ecosystems](https://ossf.github.io/osv-schema/#defined-ecosystems).
+
+The next step is to create a function that will be run as a Pulp task. This function should add a
+dictionary (the `osv_data` created through `build_osv_data` function in the following sample) to the
+`pulpcore.app.tasks.vulnerability_report.content_queue` queue.
+
+Here is an example of a function with the above steps:
+
+```python
+from pulpcore.app.tasks.vulnerability_report import content_queue
+
+def get_content_from_repo_version(repo_version_pk: str):
+    """
+    Populate content_queue Queue with the content_units found in RepositoryVersion
+    """
+    repo_version = RepositoryVersion.objects.get(pk=repo_version_pk)
+    ecosystem = "PyPI"
+    for content_unit in repo_version.content:
+        content = content_unit.cast()
+        osv_data = build_osv_data(content.name, ecosystem, content.version)
+        content_queue.put(osv_data)
+    content_queue.put(None)  # signal that there are no more content_units
+
+def build_osv_data(name, ecosystem, version=None):
+    osv_data = {"package": {"name": name, "ecosystem": ecosystem}}
+    if version:
+        osv_data["version"] = version
+    return osv_data
+```
+
+
+Now that we have the function to populate the `content_queue` queue, we need to create a `ViewSet`
+to dispatch a task with it:
+
+```python
+from pulpcore.plugin.models import VulnerabilityReport
+from pulpcore.app.serializers.vulnerability_report import VulnerabilityReportSerializer
+from pulpcore.app.tasks.vulnerability_report import check_content
+from pulpcore.app.viewsets.vulnerability_report import VulnerabilityReport as VulnerabilityReportView
+
+class MyPluginVulnerabilityReport(VulnerabilityReportView):
+
+    endpoint_name = "vuln_report"
+    queryset = VulnerabilityReport.objects.all()
+    serializer_class = VulnerabilityReportSerializer
+
+    @extend_schema(
+        request=MyPluginContentVulnerabilityReportSerializer,
+        description="Trigger a task to generate the package vulnerability report",
+        summary="Generate vulnerability report",
+        responses={202: AsyncOperationResponseSerializer},
+    )
+    def create(self, request):
+        serializer = MyPluginContentVulnerabilityReportSerializer(data=request.data, context={"request": request})
+        serializer.is_valid(raise_exception=True)
+        shared_resources = [repo_version.repository]
+        
+        # we need to pass the function as string because dispatch() args only accepts JSON serializable content
+        content_queue_func = f"{get_content_from_repo_version.__module__}.{get_content_from_repo_version.__name__}"
+        dispatch_task, kwargs = check_content, {"func": content_queue_func, "repo_version_pk": repo_version.pk}
+        task = dispatch(dispatch_task, shared_resources=shared_resources, kwargs=kwargs)
+        return OperationPostponedResponse(task, request)
+```
+
+Here is a sample for the `MyPluginContentVulnerabilityReportSerializer` where we serialize the
+`RepositoryVersion` string into a `RepositoryVersionRelatedField` object:
+
+```python
+from rest_framework import serializers
+from pulpcore.plugin.serializers import ValidateFieldsMixin, RepositoryVersionRelatedField
+
+class MyPluginContentVulnerabilityReportSerializer(serializers.Serializer, ValidateFieldsMixin):
+
+    repo_version = RepositoryVersionRelatedField(
+        required=False,
+        allow_null=True,
+        help_text=_("RepositoryVersion HREF with the packages to be checked."),
+    )
+```

pulpcore/app/migrations/0134_vulnerabilityreport.py

@@ -0,0 +1,31 @@
+# Generated by Django 4.2.19 on 2025-07-14 19:37
+
+from django.db import migrations, models
+import django.db.models.deletion
+import django_lifecycle.mixins
+import pulpcore.app.models.base
+import pulpcore.app.util
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('core', '0133_repositoryversion_content_ids'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='VulnerabilityReport',
+            fields=[
+                ('pulp_id', models.UUIDField(default=pulpcore.app.models.base.pulp_uuid, editable=False, primary_key=True, serialize=False)),
+                ('pulp_created', models.DateTimeField(auto_now_add=True)),
+                ('pulp_last_updated', models.DateTimeField(auto_now=True, null=True)),
+                ('vulns', models.JSONField()),
+                ('pulp_domain', models.ForeignKey(default=pulpcore.app.util.get_domain_pk, on_delete=django.db.models.deletion.CASCADE, to='core.domain')),
+            ],
+            options={
+                'default_related_name': '%(app_label)s_%(model_name)s',
+            },
+            bases=(django_lifecycle.mixins.LifecycleModelMixin, models.Model),
+        ),
+    ]

pulpcore/app/models/__init__.py

@@ -87,6 +87,8 @@
     UploadChunk,
 )
 
+from .vulnerability_report import VulnerabilityReport
+
 # Moved here to avoid a circular import with Task
 from .progress import GroupProgressReport, ProgressReport
 
@@ -170,4 +172,5 @@
     "OpenPGPSignature",
     "OpenPGPUserAttribute",
     "OpenPGPUserID",
+    "VulnerabilityReport",
 ]

pulpcore/app/models/vulnerability_report.py

@@ -0,0 +1,16 @@
+from django.db import models
+
+from pulpcore.app.models import BaseModel
+from pulpcore.plugin.util import get_domain_pk
+
+
+class VulnerabilityReport(BaseModel):
+    """
+    Model used in vulnerability report.
+    """
+
+    vulns = models.JSONField()
+    pulp_domain = models.ForeignKey("core.Domain", default=get_domain_pk, on_delete=models.CASCADE)
+
+    class Meta:
+        default_related_name = "%(app_label)s_%(model_name)s"

pulpcore/app/serializers/vulnerability_report.py

@@ -0,0 +1,17 @@
+from rest_framework import serializers
+
+from pulpcore.plugin.models import VulnerabilityReport
+from pulpcore.plugin.serializers import IdentityField, ModelSerializer
+
+
+class VulnerabilityReportSerializer(ModelSerializer):
+    """
+    A serializer for the VulnerabilityReport Model.
+    """
+
+    vulns = serializers.JSONField()
+    pulp_href = IdentityField(view_name="vuln_report-detail")
+
+    class Meta:
+        model = VulnerabilityReport
+        fields = ModelSerializer.Meta.fields + ("vulns",)

pulpcore/app/tasks/vulnerability_report.py

@@ -0,0 +1,161 @@
+import aiohttp
+import importlib
+import json
+import re
+
+from asgiref.sync import sync_to_async
+from queue import Empty, Queue
+from threading import Thread
+
+from pulpcore.plugin.util import get_domain
+from pulpcore.plugin.models import CreatedResource, VulnerabilityReport
+from pulpcore.constants import OSV_QUERY_URL, VULNERABILITY_TASK_THREAD_TIMEOUT
+
+
+# Create a thread-safe queue to share Content units between threads
+content_queue = Queue()
+
+# CPE prefix from Red Hat packages
+cpe_prefix = re.compile(r"^cpe:\/[oa]:redhat")
+
+
+async def check_content(func, args=None):
+    """
+    Start the background_thread and make the API requests (scan) to osv.dev with the packages
+    from Queue.
+
+    Args:
+        func (callable | str): The function to populate content_queue Queue with the osv.dev
+            expected request data format.
+        args (tuple): The positional arguments to pass on to the func.
+    """
+    if not args:
+        args = ()
+
+    module_name, function_name = func.rsplit(".", 1)
+    module = importlib.import_module(module_name)
+    func = getattr(module, function_name)
+
+    background_thread = Thread(target=func, args=args)
+    await _scan_packages(background_thread)
+    background_thread.join()
+
+
+async def _scan_packages(background_thread):
+    """
+    Makes a request to the osv.dev API and store the results in VulnerabilityReport model.
+
+    Args:
+        background_thread (Thread): We need to pass the thread object used to populate the queue to
+            prevent deadlock issues.
+    """
+    scanned_packages = await _scan_packages_from_queue(
+        background_thread=background_thread,
+    )
+    await _save_vulnerability_report(scanned_packages)
+
+
+async def _scan_packages_from_queue(background_thread, http_client=None):
+    """
+    Scans packages from a queue by making HTTP requests to OSV API.
+
+    Args:
+        background_thread (Thread): Thread populating the queue
+        http_client (Optional[aiohttp.ClientSession]): HTTP client for making requests
+
+    Returns:
+        Dict[str, Any]: Dictionary mapping package names to vulnerability data
+    """
+
+    # Use provided client or create a new one
+    if http_client:
+        return await _process_queue_with_client(background_thread, http_client)
+
+    async with aiohttp.ClientSession() as session:
+        return await _process_queue_with_client(background_thread, session)
+
+
+async def _process_queue_with_client(background_thread, session):
+    """
+    Process queue items using the provided HTTP client session.
+
+    Args:
+        background_thread (Thread): Thread populating the queue
+        session (aiohttp.ClientSession): HTTP client session
+
+    Returns:
+        Dict[str, Any]: Dictionary mapping package names to vulnerability data
+    """
+    scanned_packages = {}
+    try:
+        for osv_data in iter(
+            lambda: content_queue.get(timeout=VULNERABILITY_TASK_THREAD_TIMEOUT), None
+        ):
+            if isinstance(osv_data, Exception):
+                raise RuntimeError(f"Background vuln report task failed to execute: {osv_data}")
+
+            vulnerability_data = await _query_osv_api(session, osv_data)
+            package_name = _get_package_name(osv_data)
+
+            if vulnerability_data.get("vulns"):
+                scanned_packages[package_name] = vulnerability_data["vulns"]
+
+            # Handle pagination
+            if next_page_token := vulnerability_data.get("next_page_token"):
+                osv_data["page_token"] = next_page_token
+                content_queue.put(osv_data)
+
+    except Empty:
+        if not background_thread.is_alive():
+            raise RuntimeError("Vuln report task thread died unexpectedly.")
+        else:
+            raise RuntimeError("Background vuln report thread took too long.")
+
+    return scanned_packages
+
+
+async def _query_osv_api(session, osv_data):
+    """
+    Make a single request to the OSV API.
+
+    Args:
+        session (aiohttp.ClientSession): HTTP client session
+        osv_data (Dict[str, Any]): OSV query data
+
+    Returns:
+        Dict[str, Any]: JSON response from OSV API
+    """
+    data = json.dumps(osv_data)
+    async with session.post(url=OSV_QUERY_URL, data=data) as response:
+        response_body = await response.text()
+        return json.loads(response_body)
+
+
+def _get_package_name(osv_data):
+    """
+    Extract package name from OSV data.
+
+    Args:
+        osv_data (Dict[str, Any]): OSV query data
+
+    Returns:
+        str: Formatted package name
+    """
+    osv_package_name = osv_data["package"]["name"]
+    if osv_package_version := osv_data.get("version", ""):
+        return f"{osv_package_name}-{osv_package_version}"
+    return f"{osv_package_name}"
+
+
+async def _save_vulnerability_report(scanned_packages):
+    """
+    Save vulnerability report to the database.
+
+    Args:
+        scanned_packages (Dict[str, Any]): Dictionary mapping package names to vulnerability data
+    """
+    vuln_report, created = await sync_to_async(VulnerabilityReport.objects.get_or_create)(
+        vulns=scanned_packages, pulp_domain=get_domain()
+    )
+    if created:
+        await CreatedResource.objects.acreate(content_object=vuln_report)

pulpcore/app/viewsets/vulnerability_report.py

@@ -0,0 +1,12 @@
+from rest_framework.mixins import DestroyModelMixin, ListModelMixin, RetrieveModelMixin
+
+from pulpcore.plugin.models import VulnerabilityReport as VulnReport
+from pulpcore.app.serializers.vulnerability_report import VulnerabilityReportSerializer
+from pulpcore.plugin.viewsets import NamedModelViewSet
+
+
+class VulnerabilityReport(NamedModelViewSet, ListModelMixin, RetrieveModelMixin, DestroyModelMixin):
+
+    endpoint_name = "vuln_report"
+    queryset = VulnReport.objects.all()
+    serializer_class = VulnerabilityReportSerializer

pulpcore/constants.py

@@ -127,3 +127,10 @@
 # The upper boundary represents an unsigned 32-bit integer and prevents overflow
 ORPHAN_PROTECTION_TIME_LOWER_BOUND = 0
 ORPHAN_PROTECTION_TIME_UPPER_BOUND = 4294967295  # (2^32)-1
+
+# VULNERABILITY REPORT CONSTANTS
+# OSV API URL
+OSV_QUERY_URL = "https://api.osv.dev/v1/query"
+
+# Timeout when waiting on tasks scan thread queue to avoid indefinite blocking.
+VULNERABILITY_TASK_THREAD_TIMEOUT = 60