Autocomplete APIs for vulnerability information (#6887)

Author: xavierdecoster

src/NuGet.Services.Entities/Cve.cs

@@ -14,6 +14,8 @@ namespace NuGet.Services.Entities
     public class Cve
         : IEntity
     {
+        public const string IdPrefix = "CVE-";
+
         public Cve()
         {
             PackageDeprecations = new HashSet<PackageDeprecation>();

src/NuGet.Services.Entities/Cwe.cs

@@ -13,6 +13,8 @@ namespace NuGet.Services.Entities
     public class Cwe
         : IEntity
     {
+        public const string IdPrefix = "CWE-";
+
         public Cwe()
         {
             PackageDeprecations = new HashSet<PackageDeprecation>();

src/NuGetGallery/App_Start/DefaultDependenciesModule.cs

@@ -680,28 +680,41 @@ private static void ConfigureAutocomplete(ContainerBuilder builder, IGalleryConf
             if (configuration.Current.ServiceDiscoveryUri != null &&
                 !string.IsNullOrEmpty(configuration.Current.AutocompleteServiceResourceType))
             {
-                builder.RegisterType<AutoCompleteServicePackageIdsQuery>()
+                builder.RegisterType<AutocompleteServicePackageIdsQuery>()
                     .AsSelf()
-                    .As<IAutoCompletePackageIdsQuery>()
+                    .As<IAutocompletePackageIdsQuery>()
                     .SingleInstance();
 
-                builder.RegisterType<AutoCompleteServicePackageVersionsQuery>()
+                builder.RegisterType<AutocompleteServicePackageVersionsQuery>()
                     .AsSelf()
-                    .As<IAutoCompletePackageVersionsQuery>()
+                    .As<IAutocompletePackageVersionsQuery>()
                     .InstancePerLifetimeScope();
             }
             else
             {
-                builder.RegisterType<AutoCompleteDatabasePackageIdsQuery>()
+                builder.RegisterType<AutocompleteDatabasePackageIdsQuery>()
                     .AsSelf()
-                    .As<IAutoCompletePackageIdsQuery>()
+                    .As<IAutocompletePackageIdsQuery>()
                     .InstancePerLifetimeScope();
 
-                builder.RegisterType<AutoCompleteDatabasePackageVersionsQuery>()
+                builder.RegisterType<AutocompleteDatabasePackageVersionsQuery>()
                     .AsSelf()
-                    .As<IAutoCompletePackageVersionsQuery>()
+                    .As<IAutocompletePackageVersionsQuery>()
                     .InstancePerLifetimeScope();
             }
+
+            // Vulnerability Autocomplete
+            builder.RegisterType<AutocompleteCveIdsQuery>()
+                .As<IAutocompleteCveIdsQuery>()
+                .InstancePerLifetimeScope();
+
+            builder.RegisterType<AutocompleteCweIdsQuery>()
+                .As<IAutocompleteCweIdsQuery>()
+                .InstancePerLifetimeScope();
+
+            builder.RegisterType<VulnerabilityAutocompleteService>()
+                .As<IVulnerabilityAutocompleteService>()
+                .InstancePerLifetimeScope();
         }
 
         private static void ConfigureForLocalFileSystem(ContainerBuilder builder, IGalleryConfigurationService configuration)

src/NuGetGallery/App_Start/Routes.cs

@@ -99,6 +99,11 @@ public static void RegisterUIRoutes(RouteCollection routes)
                 "json/{action}",
                 new { controller = "JsonApi" });
 
+            routes.MapRoute(
+                RouteName.ManageDeprecationJsonApi,
+                "json/deprecation/{action}",
+                new { controller = "ManageDeprecationJsonApi" });
+
             routes.MapRoute(
                 RouteName.Contributors,
                 "pages/contributors",
@@ -154,7 +159,7 @@ public static void RegisterUIRoutes(RouteCollection routes)
                 "packages/{id}/required-signer/{username}",
                 new { controller = "Packages", action = RouteName.SetRequiredSigner, username = UrlParameter.Optional },
                 constraints: new { httpMethod = new HttpMethodConstraint("POST") },
-                obfuscationMetadata: new RouteExtensions.ObfuscatedPathMetadata(3, Obfuscator.DefaultTelemetryUserName) );
+                obfuscationMetadata: new RouteExtensions.ObfuscatedPathMetadata(3, Obfuscator.DefaultTelemetryUserName));
 
             routes.MapRoute(
                 RouteName.PackageOwnerConfirmation,
@@ -245,7 +250,7 @@ public static void RegisterUIRoutes(RouteCollection routes)
                 RouteName.License,
                 "packages/{id}/{version}/license",
                 new { controller = "Packages", action = "License" });
-            
+
             //Redirecting v1 Confirmation Route
             routes.Redirect(
                 r => r.MapRoute(
@@ -492,7 +497,7 @@ public static void RegisterUIRoutes(RouteCollection routes)
                     new RouteExtensions.ObfuscatedPathMetadata(4, Obfuscator.DefaultTelemetryToken)
                 });
 
-            routes.MapRoute( 
+            routes.MapRoute(
                 RouteName.OrganizationMemberCancelAjax,
                 "organization/{accountName}/members/cancel",
                 new { controller = "Organizations", action = RouteName.OrganizationMemberCancelAjax },

src/NuGetGallery/Controllers/ApiController.cs

@@ -36,6 +36,8 @@ public partial class ApiController
         : AppController
     {
         private const string NuGetExeUrl = "https://dist.nuget.org/win-x86-commandline/v2.8.6/nuget.exe";
+        private readonly IAutocompletePackageIdsQuery _autocompletePackageIdsQuery;
+        private readonly IAutocompletePackageVersionsQuery _autocompletePackageVersionsQuery;
 
         public IApiScopeEvaluator ApiScopeEvaluator { get; set; }
         public IEntitiesContext EntitiesContext { get; set; }
@@ -86,7 +88,9 @@ public ApiController(
             IPackageUploadService packageUploadService,
             IPackageDeleteService packageDeleteService,
             ISymbolPackageFileService symbolPackageFileService,
-            ISymbolPackageUploadService symbolPackageUploadService)
+            ISymbolPackageUploadService symbolPackageUploadService,
+            IAutocompletePackageIdsQuery autocompletePackageIdsQuery,
+            IAutocompletePackageVersionsQuery autocompletePackageVersionsQuery)
         {
             ApiScopeEvaluator = apiScopeEvaluator;
             EntitiesContext = entitiesContext;
@@ -109,6 +113,8 @@ public ApiController(
             StatisticsService = null;
             SymbolPackageFileService = symbolPackageFileService;
             SymbolPackageUploadService = symbolPackageUploadService;
+            _autocompletePackageIdsQuery = autocompletePackageIdsQuery;
+            _autocompletePackageVersionsQuery = autocompletePackageVersionsQuery;
         }
 
         public ApiController(
@@ -133,12 +139,14 @@ public ApiController(
             IPackageUploadService packageUploadService,
             IPackageDeleteService packageDeleteService,
             ISymbolPackageFileService symbolPackageFileService,
-            ISymbolPackageUploadService symbolPackageUploadServivce)
+            ISymbolPackageUploadService symbolPackageUploadServivce,
+            IAutocompletePackageIdsQuery autocompletePackageIdsQuery,
+            IAutocompletePackageVersionsQuery autocompletePackageVersionsQuery)
             : this(apiScopeEvaluator, entitiesContext, packageService, packageFileService, userService, contentService,
                   indexingService, searchService, statusService, messageService, auditingService,
                   configurationService, telemetryService, authenticationService, credentialBuilder, securityPolicies,
                   reservedNamespaceService, packageUploadService, packageDeleteService, symbolPackageFileService,
-                  symbolPackageUploadServivce)
+                  symbolPackageUploadServivce, autocompletePackageIdsQuery, autocompletePackageVersionsQuery)
         {
             StatisticsService = statisticsService;
         }
@@ -896,10 +904,9 @@ public virtual async Task<ActionResult> GetPackageIds(
             bool? includePrerelease,
             string semVerLevel = null)
         {
-            var query = GetService<IAutoCompletePackageIdsQuery>();
             return new JsonResult
             {
-                Data = (await query.Execute(partialId, includePrerelease, semVerLevel)).ToArray(),
+                Data = (await _autocompletePackageIdsQuery.Execute(partialId, includePrerelease, semVerLevel)).ToArray(),
                 JsonRequestBehavior = JsonRequestBehavior.AllowGet
             };
         }
@@ -911,10 +918,9 @@ public virtual async Task<ActionResult> GetPackageVersions(
             bool? includePrerelease,
             string semVerLevel = null)
         {
-            var query = GetService<IAutoCompletePackageVersionsQuery>();
             return new JsonResult
             {
-                Data = (await query.Execute(id, includePrerelease, semVerLevel)).ToArray(),
+                Data = (await _autocompletePackageVersionsQuery.Execute(id, includePrerelease, semVerLevel)).ToArray(),
                 JsonRequestBehavior = JsonRequestBehavior.AllowGet
             };
         }

src/NuGetGallery/Controllers/JsonApiController.cs

@@ -13,7 +13,6 @@
 using NuGetGallery.Configuration;
 using NuGetGallery.Filters;
 using NuGetGallery.Infrastructure.Mail.Messages;
-using NuGetGallery.Security;
 
 namespace NuGetGallery
 {
@@ -25,23 +24,20 @@ public partial class JsonApiController
         private readonly IPackageService _packageService;
         private readonly IUserService _userService;
         private readonly IAppConfiguration _appConfiguration;
-        private readonly ISecurityPolicyService _policyService;
         private readonly IPackageOwnershipManagementService _packageOwnershipManagementService;
 
         public JsonApiController(
             IPackageService packageService,
             IUserService userService,
             IMessageService messageService,
             IAppConfiguration appConfiguration,
-            ISecurityPolicyService policyService,
             IPackageOwnershipManagementService packageOwnershipManagementService)
         {
-            _packageService = packageService;
-            _userService = userService;
-            _messageService = messageService;
-            _appConfiguration = appConfiguration;
-            _policyService = policyService;
-            _packageOwnershipManagementService = packageOwnershipManagementService;
+            _packageService = packageService ?? throw new ArgumentNullException(nameof(packageService));
+            _userService = userService ?? throw new ArgumentNullException(nameof(userService));
+            _messageService = messageService ?? throw new ArgumentNullException(nameof(messageService));
+            _appConfiguration = appConfiguration ?? throw new ArgumentNullException(nameof(appConfiguration));
+            _packageOwnershipManagementService = packageOwnershipManagementService ?? throw new ArgumentNullException(nameof(packageOwnershipManagementService));
         }
 
         [HttpGet]

src/NuGetGallery/Controllers/ManageDeprecationJsonApiController.cs

@@ -0,0 +1,52 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Net;
+using System.Web.Mvc;
+
+namespace NuGetGallery
+{
+    public partial class ManageDeprecationJsonApiController
+        : AppController
+    {
+        private readonly IVulnerabilityAutocompleteService _vulnerabilityAutocompleteService;
+
+        public ManageDeprecationJsonApiController(
+            IVulnerabilityAutocompleteService vulnerabilityAutocompleteService)
+        {
+            _vulnerabilityAutocompleteService = vulnerabilityAutocompleteService ?? throw new ArgumentNullException(nameof(vulnerabilityAutocompleteService));
+        }
+
+        [HttpGet]
+        [ActionName("CveIds")]
+        public JsonResult GetCveIds(string query)
+        {
+            // Get CVE data.
+            // Suggestions will be CVE Id's that start with characters entered by the user.
+            var queryResult = _vulnerabilityAutocompleteService.AutocompleteCveIds(query);
+            var httpStatusCode = queryResult.Success ? HttpStatusCode.OK : HttpStatusCode.BadRequest;
+
+            return Json(
+                httpStatusCode,
+                queryResult,
+                JsonRequestBehavior.AllowGet);
+        }
+
+        [HttpGet]
+        [ActionName("CweIds")]
+        public JsonResult GetCweIds(string query)
+        {
+            // Get CWE data.
+            // Suggestions will be CWE Id's that start with characters entered by the user,
+            // or CWE Id's that have a Name containing the textual search term provided by the user.
+            var queryResult = _vulnerabilityAutocompleteService.AutocompleteCweIds(query);
+            var httpStatusCode = queryResult.Success ? HttpStatusCode.OK : HttpStatusCode.BadRequest;
+
+            return Json(
+                httpStatusCode,
+                queryResult,
+                JsonRequestBehavior.AllowGet);
+        }
+    }
+}

src/NuGetGallery/NuGetGallery.csproj

@@ -222,6 +222,27 @@
     <Compile Include="Authentication\Providers\AzureActiveDirectoryV2\AzureActiveDirectoryV2AuthenticatorConfiguration.cs" />
     <Compile Include="Authentication\Providers\AzureActiveDirectory\AzureActiveDirectoryAuthenticator.cs" />
     <Compile Include="Authentication\Providers\AzureActiveDirectory\AzureActiveDirectoryAuthenticatorConfiguration.cs" />
+    <Compile Include="Controllers\ManageDeprecationJsonApiController.cs" />
+    <Compile Include="Queries\AutocompleteCveIdQueryResults.cs" />
+    <Compile Include="Queries\AutocompleteCweIdQueryResults.cs" />
+    <Compile Include="Queries\AutocompleteCveIdQueryResult.cs" />
+    <Compile Include="Queries\AutocompleteCweIdQueryResult.cs" />
+    <Compile Include="Services\IVulnerabilityAutocompleteService.cs" />
+    <Compile Include="Queries\AutocompleteDatabasePackageIdsQuery.cs" />
+    <Compile Include="Queries\AutocompleteDatabasePackageVersionsQuery.cs" />
+    <Compile Include="Queries\AutocompleteDatabaseQuery.cs" />
+    <Compile Include="Queries\AutocompleteServicePackageIdsQuery.cs" />
+    <Compile Include="Queries\AutocompleteServicePackageVersionsQuery.cs" />
+    <Compile Include="Queries\AutocompleteServiceQuery.cs" />
+    <Compile Include="Queries\IAutocompletePackageVersionsQuery.cs" />
+    <Compile Include="Queries\IAutocompletePackageIdsQuery.cs" />
+    <Compile Include="Queries\IAutocompleteCweIdsQuery.cs" />
+    <Compile Include="Queries\CweIdHelper.cs" />
+    <Compile Include="Queries\CweQueryStringValidator.cs" />
+    <Compile Include="Queries\CweQueryMethod.cs" />
+    <Compile Include="Queries\AutocompleteCveIdsQuery.cs" />
+    <Compile Include="Queries\AutocompleteCweIdsQuery.cs" />
+    <Compile Include="Queries\IAutocompleteCveIdsQuery.cs" />
     <Compile Include="Diagnostics\TraceDiagnosticsSourceScope.cs" />
     <Compile Include="Extensions\ClaimsExtensions.cs" />
     <Compile Include="Configuration\IGalleryConfigurationService.cs" />
@@ -717,6 +738,7 @@
     <Compile Include="ViewModels\ListPackageItemRequiredSignerViewModel.cs" />
     <Compile Include="ViewModels\ManagePackageViewModel.cs" />
     <Compile Include="ViewModels\SignerViewModel.cs" />
+    <Compile Include="Services\VulnerabilityAutocompleteService.cs" />
     <Compile Include="WebRole.cs" />
     <Compile Include="Areas\Admin\AdminAreaRegistration.cs" />
     <Compile Include="Areas\Admin\Controllers\AdminControllerBase.cs" />
@@ -1249,14 +1271,6 @@
     <Compile Include="OData\Serializers\NuGetEntityTypeSerializer.cs" />
     <Compile Include="OData\Serializers\CustomSerializerProvider.cs" />
     <Compile Include="Infrastructure\Lucene\NuGetQueryParser.cs" />
-    <Compile Include="Queries\AutoCompleteDatabaseQuery.cs" />
-    <Compile Include="Queries\AutoCompleteServiceQuery.cs" />
-    <Compile Include="Queries\AutoCompleteServicePackageIdsQuery.cs" />
-    <Compile Include="Queries\AutoCompleteServicePackageVersionsQuery.cs" />
-    <Compile Include="Queries\IAutoCompletePackageIdsQuery.cs" />
-    <Compile Include="Queries\IAutoCompletePackageVersionsQuery.cs" />
-    <Compile Include="Queries\AutoCompleteDatabasePackageVersionsQuery.cs" />
-    <Compile Include="Queries\AutoCompleteDatabasePackageIdsQuery.cs" />
     <Compile Include="RequestModels\DeletePackagesRequest.cs" />
     <Compile Include="RequestModels\EditPackageVersionRequest.cs" />
     <Compile Include="RequestModels\VerifyPackageRequest.cs" />

src/NuGetGallery/Queries/AutocompleteCveIdQueryResult.cs

@@ -0,0 +1,23 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+
+namespace NuGetGallery
+{
+    public class AutocompleteCveIdQueryResult
+    {
+        public AutocompleteCveIdQueryResult(string cveId, string description, decimal? cvssRating)
+        {
+            CveId = cveId ?? throw new ArgumentNullException(nameof(cveId));
+            Description = description ?? throw new ArgumentNullException(nameof(description));
+            CvssRating = cvssRating;
+        }
+
+        public string CveId { get; }
+
+        public string Description { get; }
+
+        public decimal? CvssRating { get; set; }
+    }
+}

src/NuGetGallery/Queries/AutocompleteCveIdQueryResults.cs

@@ -0,0 +1,29 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Collections.Generic;
+
+namespace NuGetGallery
+{
+    public class AutocompleteCveIdQueryResults
+    {
+        public AutocompleteCveIdQueryResults(string errorMessage)
+        {
+            ErrorMessage = errorMessage ?? throw new ArgumentNullException(errorMessage);
+            Success = false;
+        }
+
+        public AutocompleteCveIdQueryResults(IReadOnlyCollection<AutocompleteCveIdQueryResult> results)
+        {
+            Results = results ?? throw new ArgumentNullException(nameof(results));
+            Success = true;
+        }
+
+        public bool Success { get; }
+
+        public string ErrorMessage { get; set; }
+
+        public IReadOnlyCollection<AutocompleteCveIdQueryResult> Results { get; }
+    }
+}