devonfw#103: refinements

Author: MattesMrzik

cli/src/main/java/com/devonfw/tools/ide/common/SystemPath.java

@@ -166,6 +166,7 @@ public Path getPath(String tool) {
    */
   public void setPath(String tool, Path path) {
 
+    this.paths.add(path);
     this.tool2pathMap.put(tool, path);
   }
 

cli/src/main/java/com/devonfw/tools/ide/tool/GlobalToolCommandlet.java

@@ -47,10 +47,8 @@ protected boolean doInstall(boolean silent) {
     String edition = getEdition();
     ToolRepository toolRepository = this.context.getDefaultToolRepository();
     VersionIdentifier configuredVersion = getConfiguredVersion();
-
     VersionIdentifier selectedVersion = securityRiskInteraction(configuredVersion);
-    System.out.println("Selected version: " + selectedVersion);
-
+    setVersion(selectedVersion, silent);
     VersionIdentifier resolvedVersion = toolRepository.resolveVersion(this.tool, edition, selectedVersion);
     // download and install the global tool
     FileAccess fileAccess = this.context.getFileAccess();

cli/src/main/java/com/devonfw/tools/ide/tool/LocalToolCommandlet.java

@@ -60,15 +60,10 @@ public Path getToolBinPath() {
   protected boolean doInstall(boolean silent) {
 
     VersionIdentifier configuredVersion = getConfiguredVersion();
-
     VersionIdentifier selectedVersion = securityRiskInteraction(configuredVersion);
-
-    System.out.println("Selected version: " + selectedVersion);
-
+    setVersion(selectedVersion, silent);
     // install configured version of our tool in the software repository if not already installed
     ToolInstallation installation = installInRepo(selectedVersion);
-
-
     // check if we already have this version installed (linked) locally in IDE_HOME/software
     VersionIdentifier installedVersion = getInstalledVersion();
     VersionIdentifier resolvedVersion = installation.resolvedVersion();

cli/src/main/java/com/devonfw/tools/ide/tool/ToolCommandlet.java

@@ -6,6 +6,7 @@
 import java.nio.file.Paths;
 import java.util.List;
 import java.util.Set;
+import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
 import com.devonfw.tools.ide.cli.CliException;
@@ -20,7 +21,8 @@
 import com.devonfw.tools.ide.process.ProcessContext;
 import com.devonfw.tools.ide.process.ProcessErrorHandling;
 import com.devonfw.tools.ide.property.StringListProperty;
-import com.devonfw.tools.ide.url.model.file.json.UrlSecurityJsonFile;
+import com.devonfw.tools.ide.url.model.file.UrlSecurityJsonFile;
+import com.devonfw.tools.ide.url.model.file.UrlSecurityJsonFile.UrlSecurityWarning;
 import com.devonfw.tools.ide.util.FilenameUtil;
 import com.devonfw.tools.ide.version.VersionIdentifier;
 
@@ -173,7 +175,7 @@ public boolean install(boolean silent) {
 
   protected String securityRiskInteractionQuestion(String question, String... options) {
 
-    question += " Do you want to";
+    question += "Do you want to";
     for (int i = 0; i < options.length - 1; i++) {
       options[i] += " or";
     }
@@ -186,8 +188,8 @@ protected String securityRiskInteractionQuestion(String question, String... opti
    *
    * @param configuredVersion the {@link VersionIdentifier} to be checked.
    * @return the {@link VersionIdentifier} to be used for installation. If the configured version is safe or there are
-   * no save versions the potentially unresolved configured version is simply returned. Otherwise, a resolved version is
-   * returned.
+   *         no save versions the potentially unresolved configured version is simply returned. Otherwise, a resolved
+   *         version is returned.
    */
   protected VersionIdentifier securityRiskInteraction(VersionIdentifier configuredVersion) {
 
@@ -225,16 +227,17 @@ protected VersionIdentifier securityRiskInteraction(VersionIdentifier configured
         break;
       }
     }
-
-    String currentIsUnsafe = "Currently, version " + current + " of " + this.getName() + " is installed, "
-        + "which is has a vulnerability:\n" + " TODO list vulnerability" + "\n\n (See also " + securityFile.getPath()
-        + ")";
+    String cves = securityFile.getMatchingSecurityWarnings(current).stream().map(UrlSecurityWarning::cveName)
+        .collect(Collectors.joining(", "));
+    String currentIsUnsafe = "Currently, version " + current + " of " + this.getName() + " is selected, "
+        + "which is has one or more vulnerabilities:\n\n" + cves + "\n\n(See also " + securityFile.getPath() + ")\n\n";
 
     String stay = "stay with the current unsafe version (" + current + ")";
     String installLatestSafe = "install the latest safe version (" + latestSafe + ")";
     String installSafeLatest = "install the (safe) latest version (" + latestSafe + ")";
     String installNextSafe = "install the next safe version (" + nextSafe + ")";
-    // I don't need to offer "install latest which is unsafe" as option since the user can set to the latest and choose "stay"
+    // I don't need to offer "install latest which is unsafe" as option since the user can set to the latest and choose
+    // "stay"
 
     if (latestSafe == null) {
       this.context.warning(currentIsUnsafe + "There is no safe version available.");
@@ -257,9 +260,8 @@ protected VersionIdentifier securityRiskInteraction(VersionIdentifier configured
       return answer.startsWith(stay) ? current : latestSafe;
 
     } else if (nextSafe.equals(latestSafe)) {
-      String answer = securityRiskInteractionQuestion(
-          currentIsUnsafe + " Of the newer versions, only the version " + nextSafe
-              + " is safe, Which is not the latest.", stay, "Install the safe version (" + nextSafe + ")");
+      String answer = securityRiskInteractionQuestion(currentIsUnsafe + " Of the newer versions, only the version "
+          + nextSafe + " is safe, Which is not the latest.", stay, "Install the safe version (" + nextSafe + ")");
       return answer.startsWith(stay) ? current : nextSafe;
 
     } else {

cli/src/main/java/com/devonfw/tools/ide/tool/helm/HelmUrlUpdater.java

@@ -29,6 +29,12 @@ protected String getGithubOrganization() {
     return "helm";
   }
 
+  @Override
+  public String mapUrlVersionToCpeVersion(String version) {
+
+    return version.substring(getVersionPrefixToRemove().length());
+  }
+
   @Override
   protected void addVersion(UrlVersion urlVersion) {
 

cli/src/main/java/com/devonfw/tools/ide/tool/java/JavaUrlUpdater.java

@@ -27,24 +27,15 @@ protected String mapVersion(String version) {
   }
 
   @Override
-  protected String getCpeVendor() {
+  public String getCpeVendor() {
 
-    //    return "vikwp";
-    return "eclipse";
+     return "eclipse";
   }
 
   @Override
-  protected String getCpeProduct() {
+  public String getCpeProduct() {
 
-    //    return "vik_booking";
-    return "temurin";
-  }
-
-  @Override
-  protected String mapUrlVersionToCpeVersion(String version) {
-
-    //    return "1.5.8";
-    return version;
+     return "temurin";
   }
 
   @Override

cli/src/main/java/com/devonfw/tools/ide/url/model/file/json/UrlSecurityJsonFile.java cli/src/main/java/com/devonfw/tools/ide/url/model/file/UrlSecurityJsonFile.java

@@ -1,4 +1,4 @@
-package com.devonfw.tools.ide.url.model.file.json;
+package com.devonfw.tools.ide.url.model.file;
 
 import java.io.BufferedWriter;
 import java.io.IOException;
@@ -14,22 +14,40 @@
 import org.slf4j.LoggerFactory;
 
 import com.devonfw.tools.ide.json.mapping.JsonMapping;
-import com.devonfw.tools.ide.url.model.file.AbstractUrlFile;
 import com.devonfw.tools.ide.url.model.folder.UrlEdition;
 import com.devonfw.tools.ide.version.VersionIdentifier;
 import com.devonfw.tools.ide.version.VersionRange;
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.core.type.TypeReference;
 import com.fasterxml.jackson.databind.ObjectMapper;
 
+/**
+ * {@link UrlFile} for the "security.json" file.
+ */
 public class UrlSecurityJsonFile extends AbstractUrlFile<UrlEdition> {
 
+  /***
+   * A simple container with the information about a security warning.
+   *
+   * @param versionRange the version range, specifying the versions of the tool to which the security risk applies.
+   * @param severity the severity of the security risk.
+   * @param severityVersion Indicating from which version the {@code severity} was obtained. As of December 2023, this
+   *        is either v2 or v3.
+   * @param cveName the name of the CVE (Common Vulnerabilities and Exposures).
+   * @param description the description of the CVE.
+   * @param nistUrl the url to the CVE on the NIST website.
+   * @param referenceUrl the urls where additional information about the CVE can be found.
+   */
+  public record UrlSecurityWarning(VersionRange versionRange, BigDecimal severity, String severityVersion,
+      String cveName, String description, String nistUrl, List<String> referenceUrl) {
+  };
+
   /** {@link #getName() Name} of security json file. */
   public static final String FILENAME_SECURITY = "security.json";
 
   private static final Logger LOG = LoggerFactory.getLogger(UrlSecurityJsonFile.class);
 
-  Set<UrlSecurityWarning> warnings;
+  private Set<UrlSecurityWarning> warnings;
 
   /**
    * The constructor.
@@ -45,21 +63,21 @@ public UrlSecurityJsonFile(UrlEdition parent) {
   /***
    * Adds a new security warning to the security json file.
    *
-   * @param versionRange the version range, specifying the versions of the tool to which the security risk applies
+   * @param versionRange the version range, specifying the versions of the tool to which the security risk applies.
    * @param severity the severity of the security risk.
    * @param severityVersion Indicating from which version the {@code severity} was obtained. As of December 2023, this
-   * is either v2 or v3.
+   *        is either v2 or v3.
    * @param cveName the name of the CVE (Common Vulnerabilities and Exposures).
    * @param description the description of the CVE.
    * @param nistUrl the url to the CVE on the NIST website.
    * @param referenceUrl the urls where additional information about the CVE can be found.
    * @return {@code true} if the security match was added, {@code false} if it was already present.
    */
-  public boolean addSecurityWarning(VersionRange versionRange, BigDecimal severity, String severityVersion, String cveName,
-      String description, String nistUrl, List<String> referenceUrl) {
+  public boolean addSecurityWarning(VersionRange versionRange, BigDecimal severity, String severityVersion,
+      String cveName, String description, String nistUrl, List<String> referenceUrl) {
 
-    UrlSecurityWarning newWarning = new UrlSecurityWarning(versionRange, severity, severityVersion, cveName, description, nistUrl,
-        referenceUrl);
+    UrlSecurityWarning newWarning = new UrlSecurityWarning(versionRange, severity, severityVersion, cveName,
+        description, nistUrl, referenceUrl);
     boolean added = warnings.add(newWarning);
     this.modified = this.modified || added;
     return added;
@@ -136,8 +154,4 @@ protected void doSave() {
       throw new IllegalStateException("Failed to save file " + path, e);
     }
   }
-}
-
-record UrlSecurityWarning(VersionRange versionRange, BigDecimal severity, String severityVersion, String cveName, String description, String nistUrl,
-    List<String> referenceUrl) {
-};
+}

cli/src/main/java/com/devonfw/tools/ide/url/model/folder/UrlEdition.java

@@ -2,7 +2,7 @@
 
 import com.devonfw.tools.ide.url.model.AbstractUrlFolderWithParent;
 import com.devonfw.tools.ide.url.model.file.UrlSecurityFile;
-import com.devonfw.tools.ide.url.model.file.json.UrlSecurityJsonFile;
+import com.devonfw.tools.ide.url.model.file.UrlSecurityJsonFile;
 
 /**
  * An {@link UrlFolder} representing the actual edition of a {@link UrlTool}. The default edition may have the same

cli/src/test/java/com/devonfw/tools/ide/tool/ToolCommandletTest.java

@@ -1,16 +1,16 @@
 package com.devonfw.tools.ide.tool;
 
-import com.devonfw.tools.ide.context.IdeTestContext;
-import com.devonfw.tools.ide.url.model.file.json.UrlSecurityJsonFile;
-import com.devonfw.tools.ide.version.VersionRange;
+import java.nio.file.Path;
+
 import org.junit.jupiter.api.Test;
 
 import com.devonfw.tools.ide.context.AbstractIdeContextTest;
 import com.devonfw.tools.ide.context.IdeContext;
+import com.devonfw.tools.ide.context.IdeTestContext;
 import com.devonfw.tools.ide.tool.az.Azure;
+import com.devonfw.tools.ide.url.model.file.UrlSecurityJsonFile;
 import com.devonfw.tools.ide.version.VersionIdentifier;
-
-import java.nio.file.Path;
+import com.devonfw.tools.ide.version.VersionRange;
 
 /***
  * Test of {@link ToolCommandlet}.
@@ -215,9 +215,11 @@ public void testSecurityRiskInteractionNoSafeVersionFound() {
   /***
    * Creates the context and data for the tests of {@link ToolCommandlet#securityRiskInteraction(VersionIdentifier)}.
    *
-   * @param dummyTool the dummy tool to be used for the tests. The {@link com.devonfw.tools.ide.url.model.folder.UrlVersion folders}
-   * representing the versions of the dummy tool are created here.
-   * @param answers the answers to be used for the interaction in  {@link ToolCommandlet#securityRiskInteraction(VersionIdentifier)}.
+   * @param dummyTool the dummy tool to be used for the tests. The
+   *        {@link com.devonfw.tools.ide.url.model.folder.UrlVersion folders} representing the versions of the dummy
+   *        tool are created here.
+   * @param answers the answers to be used for the interaction in
+   *        {@link ToolCommandlet#securityRiskInteraction(VersionIdentifier)}.
    * @return the {@link IdeTestContext} to be used for the tests.
    */
   private IdeContext getContextForSecurityJsonTests(Class<? extends ToolCommandlet> dummyTool, String... answers) {
@@ -234,5 +236,3 @@ private IdeContext getContextForSecurityJsonTests(Class<? extends ToolCommandlet
     return context;
   }
 }
-
-