Add endpoints for bulk requesting vulnerabilities and packages

[sbs2001]

Fixes #284

Signed-off-by: Shivam Sandbhor shivam.sandbhor@gmail.com

[tdruez]

Why not using proper filtering support instead of custom endpoints?

[sbs2001]

@tdruez

Why not using proper filtering support instead of custom endpoints?

The use case is different, since the request is going to be a POST and the request body is also slightly different hence needs some parsing.

[tdruez]

@sbs2001 The use case is different, since the request is going to be a POST and the request body is also slightly different hence needs some parsing.

What's the reason for those actions to be POST in the first place?

[sbs2001]

@tdruez re

What's the reason for those actions to be POST in the first place?

#284 (comment) . The idea is essentially to retrieve vulnerability info of multiple detected packages via a single request.

[tdruez]

@sbs2001 I get the idea, but again, why POST is your chosen solution over GET?

[sbs2001]

@tdruez typically something like ort could detect 100+ packages. If we use a GET request, then either:

1. we could make 100+ requests each retrieving a package. There is a concern about performance about this solution.
2. Or we can a make a single GET request with a request body containing each purl. IMHO that is very unusual and rarely done.

So POST request makes sense, also it's tried and tested by sonatype at https://ossindex.sonatype.org/rest

[sbs2001]

POST /api/vulnerabilities/bulk-search
For the request body :

{
            "vulnerabilities": [
                "CVE-2009-1382",
                "CVE-2014-8242",
                "RANDOM-fictional-CVE"
                ]
            }

The response would look like

{
    "CVE-2009-1382": {
        "url": "http://127.0.0.1:8000/api/vulnerabilities/2/",
        "unresolved_packages": [],
        "resolved_packages": [
            {
                "url": "http://127.0.0.1:8000/api/packages/2/",
                "purl": "pkg:deb/debian/mimetex@1.74-1?distro=jessie"
            },
            {
                "url": "http://127.0.0.1:8000/api/packages/3/",
                "purl": "pkg:deb/debian/mimetex@1.50-1.1?distro=jessie"
            }
        ]
    },
    "CVE-2014-8242": {
        "url": "http://127.0.0.1:8000/api/vulnerabilities/1/",
        "unresolved_packages": [
            {
                "url": "http://127.0.0.1:8000/api/packages/1/",
                "purl": "pkg:deb/debian/librsync@0.9.7-10?distro=jessie"
            }
        ],
        "resolved_packages": []
    },
    "RANDOM-fictional-CVE": {}
}

[sbs2001]

For POST /api/packages/bulk-search
For the request body

{
            "packages": [
                "pkg:deb/debian/librsync@0.9.7-10?distro=jessie",
                "pkg:deb/debian/mimetex@1.50-1.1?distro=jessie",
                "pkg:deb/lalaland/doesnotexist@1.50-1.1?distro=jessie"
            ]
        }

the response would look like :

{
    "pkg:deb/debian/librsync@0.9.7-10?distro=jessie": {
        "resolved_vulnerabilities": [],
        "unresolved_vulnerabilities": [
            {
                "url": "http://127.0.0.1:8000/api/vulnerabilities/1/",
                "vulnerability_id": "CVE-2014-8242"
            }
        ]
    },
    "pkg:deb/debian/mimetex@1.50-1.1?distro=jessie": {
        "resolved_vulnerabilities": [
            {
                "url": "http://127.0.0.1:8000/api/vulnerabilities/2/",
                "vulnerability_id": "CVE-2009-1382"
            },
            {
                "url": "http://127.0.0.1:8000/api/vulnerabilities/3/",
                "vulnerability_id": "CVE-2009-2459"
            }
        ],
        "unresolved_vulnerabilities": []
    },
    "pkg:deb/lalaland/doesnotexist@1.50-1.1?distro=jessie": {}
}