API for List of impacted package(s) by a CVE (#30)

Fixes [#88](gardenlinux/glvd#88)

api-examples/Get CVEs by Distro Codename Packages.bru

@@ -5,7 +5,7 @@ meta {
 }
 
 get {
-  url: http://{{hostname}}:{{port}}/v1/cves/gardenlinux/1592/packages/vim,bash,python3,curl
+  url: http://{{hostname}}:{{port}}/v1/cves/gardenlinux/1592.0/packages/vim,bash,python3,curl
   body: none
   auth: none
 }

api-examples/Get CVEs by Distro Codename.bru

@@ -5,7 +5,7 @@ meta {
 }
 
 get {
-  url: http://{{hostname}}:{{port}}/v1/cves/gardenlinux/1592
+  url: http://{{hostname}}:{{port}}/v1/cves/gardenlinux/1592.0
   body: none
   auth: none
 }

api-examples/Get Packages by Vulnerability.bru

@@ -0,0 +1,11 @@
+meta {
+  name: Get Packages by Vulnerability
+  type: http
+  seq: 8
+}
+
+get {
+  url: http://{{hostname}}:{{port}}/v1/packages/distro/gardenlinux/1443.0/CVE-2023-50387
+  body: none
+  auth: none
+}

api-examples/List Packages in Distro.bru

@@ -5,7 +5,7 @@ meta {
 }
 
 get {
-  url: http://{{hostname}}:{{port}}/v1/packages/distro/gardenlinux/1592
+  url: http://{{hostname}}:{{port}}/v1/packages/distro/gardenlinux/1592.0
   body: none
   auth: none
 }

src/docs/asciidoc/index.adoc

@@ -88,3 +88,13 @@ include::{snippets}/getPackageWithVulnerabilities/curl-request.adoc[]
 The expected response looks like this:
 
 include::{snippets}/getPackageWithVulnerabilities/http-response.adoc[]
+
+=== Get Packages By Vulnerabilities
+
+Give a list of affected packages by vulnerability
+
+include::{snippets}/getPackagesByVulnerability/curl-request.adoc[]
+
+The expected response looks like this:
+
+include::{snippets}/getPackagesByVulnerability/http-response.adoc[]

src/main/java/io/gardenlinux/glvd/GlvdService.java

@@ -78,4 +78,8 @@ public List<PackageEntity> getPackageWithVulnerabilities(String sourcePackage) {
     public List<PackageEntity> getPackageWithVulnerabilitiesByVersion(String sourcePackage, String sourcePackageVersion) {
         return packagesRepository.packageWithVulnerabilitiesByVersion(sourcePackage, sourcePackageVersion);
     }
+
+    public List<PackageEntity> getPackagesByVulnerability(String distro, String distroVersion, String cveId) {
+        return packagesRepository.packagesByVulnerability(distro, distroVersion, cveId);
+    }
 }

src/main/java/io/gardenlinux/glvd/PackageController.java

@@ -36,4 +36,9 @@ ResponseEntity<List<PackageEntity>> packageWithVulnerabilities(@PathVariable fin
     ResponseEntity<List<PackageEntity>> packageWithVulnerabilitiesByVersion(@PathVariable final String sourcePackage, @PathVariable final String sourcePackageVersion) {
         return ResponseEntity.ok(glvdService.getPackageWithVulnerabilitiesByVersion(sourcePackage, sourcePackageVersion));
     }
+
+    @GetMapping("/distro/{distro}/{distroVersion}/{cveId}")
+    ResponseEntity<List<PackageEntity>> packagesByVulnerability(@PathVariable final String distro, @PathVariable final String distroVersion, @PathVariable final String cveId) {
+        return ResponseEntity.ok(glvdService.getPackagesByVulnerability(distro, distroVersion, cveId));
+    }
 }

src/main/java/io/gardenlinux/glvd/db/PackagesRepository.java

@@ -39,4 +39,18 @@ INNER JOIN dist_cpe ON (deb_cve.dist_id = dist_cpe.id)
             """, nativeQuery = true)
     List<PackageEntity> packageWithVulnerabilitiesByVersion(@Param("sourcePackage") String sourcePackage, @Param("sourcePackageVersion") String sourcePackageVersion);
 
+    @Query(value = """
+            SELECT
+                all_cve.cve_id , deb_cve.deb_source , deb_cve.deb_version  , deb_cve.debsec_vulnerable
+            FROM
+                all_cve
+                INNER JOIN deb_cve USING (cve_id)
+                INNER JOIN dist_cpe ON (deb_cve.dist_id = dist_cpe.id)
+            WHERE
+                dist_cpe.cpe_product = :distro
+                AND dist_cpe.cpe_version = :distroVersion
+                AND all_cve.cve_id = :cveId
+            """, nativeQuery = true)
+    List<PackageEntity> packagesByVulnerability(@Param("distro") String distro, @Param("distroVersion") String distroVersion, @Param("cveId") String cvdId);
+
 }

src/test/java/io/gardenlinux/glvd/GlvdControllerTest.java

@@ -27,6 +27,7 @@
 
 import static io.restassured.RestAssured.given;
 import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.equalTo;
 import static org.springframework.restdocs.operation.preprocess.Preprocessors.*;
 import static org.springframework.restdocs.restassured.RestAssuredRestDocumentation.document;
 import static org.springframework.restdocs.restassured.RestAssuredRestDocumentation.documentationConfiguration;
@@ -131,7 +132,7 @@ public void shouldGetPackagesForDistro() {
                 .filter(document("getPackages",
                         preprocessRequest(modifyUris().scheme("https").host("glvd.gardenlinux.io").removePort()),
                         preprocessResponse(prettyPrint())))
-                .when().port(this.port).get("/v1/packages/distro/gardenlinux/1592")
+                .when().port(this.port).get("/v1/packages/distro/gardenlinux/1592.0")
                 .then().statusCode(200);
     }
 
@@ -155,4 +156,14 @@ public void shouldPackageWithVulnerabilitiesByVersion() {
                 .then().statusCode(200);
     }
 
+    @Test
+    public void shouldGetPackagesByVulnerability() {
+        given(this.spec).accept("application/json")
+                .filter(document("getPackagesByVulnerability",
+                        preprocessRequest(modifyUris().scheme("https").host("glvd.gardenlinux.io").removePort()),
+                        preprocessResponse(prettyPrint())))
+                .when().port(this.port).get("/v1/packages/distro/gardenlinux/1592.0/CVE-2023-50387")
+                .then().statusCode(200).body("[0].cveId", equalTo("CVE-2023-50387"));
+    }
+
 }