Adds link to security advisory to security probe and scoring display (#…

…446)

Co-authored-by: aayushRedHat <[email protected]>
Co-authored-by: Adrien Lecharpentier <[email protected]>

core/src/main/java/io/jenkins/pluginhealth/scoring/model/updatecenter/SecurityWarning.java

@@ -1,7 +1,7 @@
 /*
  * MIT License
  *
- * Copyright (c) 2023 Jenkins Infra
+ * Copyright (c) 2023-2024 Jenkins Infra
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
@@ -21,14 +21,8 @@
  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
  * SOFTWARE.
  */
-
 package io.jenkins.pluginhealth.scoring.model.updatecenter;
 
 import java.util.List;
 
-public record SecurityWarning(
-    String id,
-    String name,
-    List<SecurityWarningVersion> versions
-) {
-}
+public record SecurityWarning(String id, String name, String url, List<SecurityWarningVersion> versions) {}

core/src/main/java/io/jenkins/pluginhealth/scoring/probes/KnownSecurityVulnerabilityProbe.java

@@ -1,7 +1,7 @@
 /*
  * MIT License
  *
- * Copyright (c) 2023 Jenkins Infra
+ * Copyright (c) 2023-2024 Jenkins Infra
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
@@ -21,7 +21,6 @@
  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
  * SOFTWARE.
  */
-
 package io.jenkins.pluginhealth.scoring.probes;
 
 import java.util.List;
@@ -46,21 +45,19 @@ public class KnownSecurityVulnerabilityProbe extends Probe {
     protected ProbeResult doApply(Plugin plugin, ProbeContext context) {
         final List<SecurityWarning> warnings = context.getUpdateCenter().warnings();
         final String issues = warnings.stream()
-            .filter(w -> w.name().equals(plugin.getName()))
-            .filter(w -> w.versions().stream().anyMatch(securityWarningVersion -> {
-                if (securityWarningVersion.lastVersion() != null) {
-                    return plugin.getVersion().isOlderThanOrEqualTo(securityWarningVersion.lastVersion());
-                }
-                final Pattern pattern = Pattern.compile(securityWarningVersion.pattern());
-                final Matcher matcher = pattern.matcher(plugin.getVersion().toString());
-                return matcher.find();
-            }))
-            .map(SecurityWarning::id)
-            .collect(Collectors.joining(", "));
+                .filter(w -> w.name().equals(plugin.getName()))
+                .filter(w -> w.versions().stream().anyMatch(securityWarningVersion -> {
+                    if (securityWarningVersion.lastVersion() != null) {
+                        return plugin.getVersion().isOlderThanOrEqualTo(securityWarningVersion.lastVersion());
+                    }
+                    final Pattern pattern = Pattern.compile(securityWarningVersion.pattern());
+                    final Matcher matcher = pattern.matcher(plugin.getVersion().toString());
+                    return matcher.find();
+                }))
+                .map(warning -> warning.id() + "|" + warning.url())
+                .collect(Collectors.joining(", "));
 
-        return !issues.isBlank() ?
-            this.success(issues) :
-            this.success("No known security vulnerabilities.");
+        return !issues.isBlank() ? this.success(issues) : this.success("No known security vulnerabilities.");
     }
 
     @Override
@@ -75,6 +72,6 @@ public String getDescription() {
 
     @Override
     public long getVersion() {
-        return 1;
+        return 2;
     }
 }

core/src/main/java/io/jenkins/pluginhealth/scoring/scores/SecurityWarningScoring.java

@@ -1,7 +1,7 @@
 /*
  * MIT License
  *
- * Copyright (c) 2023 Jenkins Infra
+ * Copyright (c) 2023-2024 Jenkins Infra
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
@@ -21,14 +21,15 @@
  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
  * SOFTWARE.
  */
-
 package io.jenkins.pluginhealth.scoring.scores;
 
+import java.util.Arrays;
 import java.util.List;
 import java.util.Map;
 
 import io.jenkins.pluginhealth.scoring.model.Plugin;
 import io.jenkins.pluginhealth.scoring.model.ProbeResult;
+import io.jenkins.pluginhealth.scoring.model.Resolution;
 import io.jenkins.pluginhealth.scoring.model.ScoringComponentResult;
 import io.jenkins.pluginhealth.scoring.probes.KnownSecurityVulnerabilityProbe;
 
@@ -41,31 +42,39 @@ public class SecurityWarningScoring extends Scoring {
 
     @Override
     public List<ScoringComponent> getComponents() {
-        return List.of(
-            new ScoringComponent() {
-                @Override
-                public String getDescription() {
-                    return "The plugin must not have on-going security advisory.";
-                }
+        return List.of(new ScoringComponent() {
+            @Override
+            public String getDescription() {
+                return "The plugin must not have on-going security advisory.";
+            }
 
-                @Override
-                public ScoringComponentResult getScore(Plugin $, Map<String, ProbeResult> probeResults) {
-                    final ProbeResult probeResult = probeResults.get(KnownSecurityVulnerabilityProbe.KEY);
-                    if (probeResult == null || ProbeResult.Status.ERROR.equals(probeResult.status())) {
-                        return new ScoringComponentResult(-100, 100, List.of("Cannot determine if plugin has on-going security advisory."));
-                    }
-                    if ("No known security vulnerabilities.".equals(probeResult.message())) {
-                        return new ScoringComponentResult(100, getWeight(), List.of("Plugin does not seem to have on-going security advisory."));
-                    }
-                    return new ScoringComponentResult(0, getWeight(), List.of("Plugin seem to have on-going security advisory.", probeResult.message()));
+            @Override
+            public ScoringComponentResult getScore(Plugin $, Map<String, ProbeResult> probeResults) {
+                final ProbeResult probeResult = probeResults.get(KnownSecurityVulnerabilityProbe.KEY);
+                if (probeResult == null || ProbeResult.Status.ERROR.equals(probeResult.status())) {
+                    return new ScoringComponentResult(
+                            -100, 100, List.of("Cannot determine if plugin has on-going security advisory."));
                 }
-
-                @Override
-                public int getWeight() {
-                    return 1;
+                if ("No known security vulnerabilities.".equals(probeResult.message())) {
+                    return new ScoringComponentResult(
+                            100, getWeight(), List.of("Plugin does not seem to have on-going security advisory."));
                 }
+                final List<Resolution> resolutions = Arrays.stream(
+                                probeResult.message().split(","))
+                        .map(m -> {
+                            final String[] parts = m.trim().split("\\|");
+                            return new Resolution(parts[0], parts[1]);
+                        })
+                        .toList();
+                return new ScoringComponentResult(
+                        0, getWeight(), List.of("Plugin seem to have on-going security advisory."), resolutions);
+            }
+
+            @Override
+            public int getWeight() {
+                return 1;
             }
-        );
+        });
     }
 
     @Override
@@ -85,6 +94,6 @@ public String description() {
 
     @Override
     public int version() {
-        return 1;
+        return 2;
     }
 }