feat: remove redis requirement and refactor tc package

Signed-off-by: Ruben Romero Montes <[email protected]>

Author: ruromero

README.md

@@ -5,9 +5,7 @@
 
 ## Dependencies
 
-- Redis cache: Allows caching Red Hat recommendations and remediations. Can be configured with the `quarkus.redis.host` parameter
-- TrustedContent: Provides Red Hat recommendations and remediations.
-- External Vulnerability providers enabled.
+- Trustify: Provides vulnerability data and recommendations [Trustify](https://github.com/guacsec/trustify)
 - Postgres Database: Stores data needed for the Model Cards functionality. See [Model Cards](#model-cards)
 
 ## Vulnerability providers

pom.xml

@@ -89,10 +89,6 @@
       <groupId>io.quarkus</groupId>
       <artifactId>quarkus-rest-jackson</artifactId>
     </dependency>
-    <dependency>
-      <groupId>io.quarkus</groupId>
-      <artifactId>quarkus-redis-client</artifactId>
-    </dependency>
     <dependency>
       <groupId>org.apache.camel.quarkus</groupId>
       <artifactId>camel-quarkus-jackson</artifactId>

src/main/java/io/github/guacsec/trustifyda/integration/Constants.java

@@ -69,7 +69,6 @@ private Constants() {}
   public static final String API_VERSION_PROPERTY = "apiVersion";
   public static final String GZIP_RESPONSE_PROPERTY = "gzipResponse";
   public static final String SBOM_ID_PROPERTY = "sbomId";
-  public static final String CACHED_RECOMMENDATIONS_PROPERTY = "missedRecommendations";
   public static final String PROVIDER_CONFIG_PROPERTY = "providerConfig";
   public static final String PROVIDERS_PROPERTY = "providers";
 

src/main/java/io/github/guacsec/trustifyda/integration/cache/CacheService.java

@@ -147,11 +147,10 @@ public void processResponseError(Exchange exchange) {
     var providerName = getProviderName(exchange);
     ProviderStatus status = new ProviderStatus().ok(false).name(providerName);
     Exception exception = (Exception) exchange.getProperty(Exchange.EXCEPTION_CAUGHT);
-    if (exception == null) {}
 
-    Throwable cause = exception.getCause();
+    Throwable cause = exception != null ? exception.getCause() : null;
 
-    while (cause instanceof RuntimeCamelException && cause != null) {
+    while (cause instanceof RuntimeCamelException) {
       cause = cause.getCause();
     }
     if (cause == null) {
@@ -327,55 +326,14 @@ private Source buildReportForSource(Map<String, PackageItem> pkgItemsData, Depen
               var packageItem = getPackageItem(packageRef, pkgItemsData);
               var directReport = new DependencyReport().ref(packageRef);
 
-              // Set issues if available
-              if (packageItem != null
-                  && packageItem.issues() != null
-                  && !packageItem.issues().isEmpty()) {
-                var issues =
-                    packageItem.issues().stream()
-                        .sorted(Comparator.comparing(Issue::getCvssScore).reversed())
-                        .collect(Collectors.toList());
-                directReport.issues(issues);
-                directReport.setHighestVulnerability(issues.stream().findFirst().orElse(null));
-              }
-
-              // Set recommendation if available (extract PackageRef from TcRecommendation)
-              if (packageItem != null
-                  && packageItem.recommendation() != null
-                  && packageItem.recommendation().packageName() != null) {
-                directReport.recommendation(packageItem.recommendation().packageName());
-              }
+              setIssues(packageItem, directReport);
+              setRecommendations(packageItem, directReport);
 
               List<TransitiveDependencyReport> transitiveReports =
                   depEntry.getValue().transitive().stream()
                       .map(
                           t -> {
-                            var transitiveItem = getPackageItem(t, pkgItemsData);
-                            List<Issue> transitiveIssues = Collections.emptyList();
-                            if (transitiveItem != null
-                                && transitiveItem.issues() != null
-                                && !transitiveItem.issues().isEmpty()) {
-                              transitiveIssues =
-                                  transitiveItem.issues().stream()
-                                      .sorted(Comparator.comparing(Issue::getCvssScore).reversed())
-                                      .collect(Collectors.toList());
-                            }
-                            var highestTransitive = transitiveIssues.stream().findFirst();
-                            if (highestTransitive.isPresent()) {
-                              if (directReport.getHighestVulnerability() == null
-                                  || directReport.getHighestVulnerability().getCvssScore()
-                                      < highestTransitive.get().getCvssScore()) {
-                                directReport.setHighestVulnerability(highestTransitive.get());
-                              }
-                            }
-                            var transitiveReport =
-                                new TransitiveDependencyReport()
-                                    .ref(t)
-                                    .issues(transitiveIssues)
-                                    .highestVulnerability(highestTransitive.orElse(null));
-                            // Note: TransitiveDependencyReport doesn't have a recommendation field
-                            // Recommendations are only set on direct dependencies
-                            return transitiveReport;
+                            return getTransitiveReport(pkgItemsData, directReport, t);
                           })
                       .filter(transitiveReport -> !transitiveReport.getIssues().isEmpty())
                       .collect(Collectors.toList());
@@ -387,39 +345,93 @@ private Source buildReportForSource(Map<String, PackageItem> pkgItemsData, Depen
               }
             });
 
-    // Process packages with recommendations-only that are not in the tree
-    // (these are recommendations for packages that might not be direct dependencies)
     if (pkgItemsData != null) {
-      pkgItemsData.entrySet().stream()
-          .filter(
-              entry -> {
-                var packageItem = entry.getValue();
-                // Include if it has a recommendation but no issues and wasn't already processed
-                return !processedRefs.contains(entry.getKey())
-                    && (packageItem.issues() == null || packageItem.issues().isEmpty())
-                    && packageItem.recommendation() != null
-                    && packageItem.recommendation().packageName() != null;
-              })
-          .forEach(
-              entry -> {
-                try {
-                  var packageRef = new PackageRef(entry.getKey());
-                  var packageItem = entry.getValue();
-                  var directReport = new DependencyReport().ref(packageRef);
-                  directReport.recommendation(packageItem.recommendation().packageName());
-                  sourceReport.add(directReport);
-                } catch (Exception e) {
-                  // Skip if packageRef cannot be created from the string
-                  // This shouldn't happen but handle gracefully
-                }
-              });
+      addRecommendationsWithoutIssues(pkgItemsData, sourceReport, processedRefs);
     }
 
     sourceReport.sort(Collections.reverseOrder(new DependencyScoreComparator()));
     var summary = buildSummary(pkgItemsData, tree, sourceReport);
     return new Source().summary(summary).dependencies(sourceReport);
   }
 
+  private void addRecommendationsWithoutIssues(
+      Map<String, PackageItem> pkgItemsData,
+      List<DependencyReport> sourceReport,
+      Set<String> processedRefs) {
+    pkgItemsData.entrySet().stream()
+        .filter(
+            entry -> {
+              var packageItem = entry.getValue();
+              // Include if it has a recommendation but no issues and wasn't already processed
+              return !processedRefs.contains(entry.getKey())
+                  && (packageItem.issues() == null || packageItem.issues().isEmpty())
+                  && packageItem.recommendation() != null
+                  && packageItem.recommendation().packageName() != null;
+            })
+        .forEach(
+            entry -> {
+              try {
+                var packageRef = new PackageRef(entry.getKey());
+                var packageItem = entry.getValue();
+                var directReport = new DependencyReport().ref(packageRef);
+                directReport.recommendation(packageItem.recommendation().packageName());
+                sourceReport.add(directReport);
+              } catch (Exception e) {
+                // Skip if packageRef cannot be created from the string
+                // This shouldn't happen but handle gracefully
+              }
+            });
+  }
+
+  private TransitiveDependencyReport getTransitiveReport(
+      Map<String, PackageItem> pkgItemsData, DependencyReport directReport, PackageRef t) {
+    var transitiveItem = getPackageItem(t, pkgItemsData);
+    List<Issue> transitiveIssues = Collections.emptyList();
+    if (transitiveItem != null
+        && transitiveItem.issues() != null
+        && !transitiveItem.issues().isEmpty()) {
+      transitiveIssues =
+          transitiveItem.issues().stream()
+              .sorted(Comparator.comparing(Issue::getCvssScore).reversed())
+              .collect(Collectors.toList());
+    }
+    var highestTransitive = transitiveIssues.stream().findFirst();
+    if (highestTransitive.isPresent()) {
+      if (directReport.getHighestVulnerability() == null
+          || directReport.getHighestVulnerability().getCvssScore()
+              < highestTransitive.get().getCvssScore()) {
+        directReport.setHighestVulnerability(highestTransitive.get());
+      }
+    }
+    var transitiveReport =
+        new TransitiveDependencyReport()
+            .ref(t)
+            .issues(transitiveIssues)
+            .highestVulnerability(highestTransitive.orElse(null));
+    // Note: TransitiveDependencyReport doesn't have a recommendation field
+    // Recommendations are only set on direct dependencies
+    return transitiveReport;
+  }
+
+  private void setRecommendations(PackageItem packageItem, DependencyReport directReport) {
+    if (packageItem != null
+        && packageItem.recommendation() != null
+        && packageItem.recommendation().packageName() != null) {
+      directReport.recommendation(packageItem.recommendation().packageName());
+    }
+  }
+
+  private void setIssues(PackageItem packageItem, DependencyReport directReport) {
+    if (packageItem != null && packageItem.issues() != null && !packageItem.issues().isEmpty()) {
+      var issues =
+          packageItem.issues().stream()
+              .sorted(Comparator.comparing(Issue::getCvssScore).reversed())
+              .collect(Collectors.toList());
+      directReport.issues(issues);
+      directReport.setHighestVulnerability(issues.stream().findFirst().orElse(null));
+    }
+  }
+
   private PackageItem getPackageItem(PackageRef ref, Map<String, PackageItem> pkgItemsData) {
     return pkgItemsData.get(ref.ref());
   }
@@ -452,8 +464,9 @@ private void incrementCounter(PackageItem item, VulnerabilityCounter counter, bo
         .forEach(
             i -> {
               var vulnerabilities = countVulnerabilities(i);
-              if (i.getSeverity() != null) {
-                switch (i.getSeverity()) {
+              var severity = i.getSeverity();
+              if (severity != null) {
+                switch (severity) {
                   case CRITICAL -> counter.critical.addAndGet(vulnerabilities);
                   case HIGH -> counter.high.addAndGet(vulnerabilities);
                   case MEDIUM -> counter.medium.addAndGet(vulnerabilities);