feat: exploitIQ integration

client/openapi/trustd.yaml

@@ -2376,6 +2376,25 @@ paths:
                 items:
                   type: integer
                   format: int64
+  /api/v2/sbom/exploitiq/{id}:
+    get:
+      tags:
+      - sbom
+      summary: Fetch ExploitIQ report
+      operationId: fetchExploitIQReport
+      parameters:
+      - name: id
+        in: path
+        description: ExploitIQ report id
+        required: true
+        schema:
+          type: string
+      responses:
+        '200':
+          description: The proxied ExploitIQ report
+          content:
+            application/json:
+              schema: {}
   /api/v2/sbom/{id}:
     get:
       tags:
@@ -2463,6 +2482,36 @@ paths:
                   $ref: '#/components/schemas/LicenseRefMapping'
         '400':
           description: Invalid UUID format.
+  /api/v2/sbom/{id}/exploitiq:
+    post:
+      tags:
+      - sbom
+      summary: Create ExploitIQ report
+      operationId: createExploitIQReport
+      parameters:
+      - name: id
+        in: path
+        description: The id of the SBOM
+        required: true
+        schema:
+          $ref: '#/components/schemas/Id'
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/ReportRequest'
+        required: true
+      responses:
+        '201':
+          description: Create a report
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/ReportResult'
+        '400':
+          description: Unable to read advisory list
+        '404':
+          description: The SBOM could not be found
   /api/v2/sbom/{id}/label:
     put:
       tags:
@@ -4789,6 +4838,25 @@ components:
           type: string
           format: date-time
           description: Start of the import run
+    ReportRequest:
+      type: object
+      required:
+      - vulnerabilities
+      properties:
+        vulnerabilities:
+          type: array
+          items:
+            type: string
+    ReportResult:
+      type: object
+      required:
+      - id
+      - reportId
+      properties:
+        id:
+          type: string
+        reportId:
+          type: string
     Revisioned_Importer:
       type: object
       description: |-
@@ -5354,4 +5422,4 @@ components:
             oneOf:
             - type: 'null'
             - $ref: '#/components/schemas/Severity'
-              description: Average (arithmetic mean) severity of the vulnerability aggregated from *all* related advisories.
+              description: Average (arithmetic mean) severity of the vulnerability aggregated from *all* related advisories.

client/src/app/Routes.tsx

@@ -27,6 +27,7 @@ const SBOMList = lazy(() => import("./pages/sbom-list"));
 const SBOMUpload = lazy(() => import("./pages/sbom-upload"));
 const SBOMScan = lazy(() => import("./pages/sbom-scan"));
 const SBOMDetails = lazy(() => import("./pages/sbom-details"));
+const AnalysisDetails = lazy(() => import("./pages/analysis-details"));
 
 // Others
 const Search = lazy(() => import("./pages/search"));
@@ -37,6 +38,7 @@ export enum PathParam {
   VULNERABILITY_ID = "vulnerabilityId",
   SBOM_ID = "sbomId",
   PACKAGE_ID = "packageId",
+  ANALYSIS_ID = "analysisId",
 }
 
 export const Paths = {
@@ -49,6 +51,7 @@ export const Paths = {
   sbomUpload: "/sboms/upload",
   sbomScan: "/sboms/scan",
   sbomDetails: `/sboms/:${PathParam.SBOM_ID}`,
+  analysisDetails: `/sboms/:${PathParam.SBOM_ID}/analysis/:${PathParam.ANALYSIS_ID}`,
   packages: "/packages",
   packageDetails: `/packages/:${PathParam.PACKAGE_ID}`,
   search: "/search",
@@ -157,6 +160,15 @@ export const AppRoutes = createBrowserRouter([
           />
         ),
       },
+      {
+        path: Paths.analysisDetails,
+        element: (
+          <LazyRouteElement
+            identifier="analysis-details"
+            component={<AnalysisDetails />}
+          />
+        ),
+      },
       {
         path: Paths.importers,
         element: (

client/src/app/api/models.ts

@@ -1,5 +1,4 @@
-import type { Labels } from "@app/client";
-import type { Severity } from "@app/client";
+import type { Labels, Severity } from "@app/client";
 
 export type WithUiId<T> = T & { _ui_unique_id: string };
 
@@ -74,3 +73,202 @@ export interface Label {
   key: string;
   value?: string;
 }
+
+// ExploitIQ
+
+export interface ExploitIQAnalysis {
+  _id: { $oid: string };
+  input: {
+    scan: {
+      id: string;
+      type: string | null;
+      started_at: string;
+      completed_at: string;
+      vulns: Array<{
+        vuln_id: string;
+        description: string | null;
+        score: number | null;
+        severity: string | null;
+        published_date: string | null;
+        last_modified_date: string | null;
+        url: string | null;
+        feed_group: string | null;
+        package: string | null;
+        package_version: string | null;
+        package_name: string | null;
+        package_type: string | null;
+      }>;
+    };
+    image: {
+      name: string;
+      tag: string;
+      source_info: Array<{
+        type: string;
+        source_type: string;
+        git_repo: string;
+        ref: string;
+        include: string[];
+        exclude: string[];
+      }>;
+      sbom_info: {
+        _type: string;
+        packages: unknown[];
+      };
+    };
+  };
+  metadata: {
+    submitted_at: { $date: string };
+    user: string;
+    sent_at: { $date: string };
+  };
+  info: {
+    vdb: {
+      code_vdb_path: string | null;
+      doc_vdb_path: string;
+    };
+    intel: Array<{
+      vuln_id: string;
+      ghsa: {
+        ghsa_id: string;
+        cve_id: string;
+        summary: string;
+        description: string;
+        severity: string;
+        vulnerabilities: Array<{
+          package: {
+            ecosystem: string;
+            name: string;
+          };
+          vulnerable_version_range: string;
+          first_patched_version: string;
+          vulnerable_functions: string[];
+        }>;
+        cvss: {
+          score: number;
+          vector_string: string;
+        };
+        cwes: Array<{
+          cwe_id: string;
+          name: string;
+        }>;
+        published_at: string;
+        updated_at: string;
+        url: string;
+        html_url: string;
+        type: string;
+        repository_advisory_url: string | null;
+        source_code_location: string;
+        identifiers: Array<{ value: string; type: string }>;
+        references: string[];
+        github_reviewed_at: string;
+        nvd_published_at: string;
+        withdrawn_at: string | null;
+        cvss_severities: {
+          cvss_v3: { vector_string: string; score: number };
+          cvss_v4: { vector_string: string | null; score: number };
+        };
+        credits: unknown[];
+        epss: { percentage: number; percentile: number };
+      };
+      nvd: {
+        cve_id: string;
+        cve_description: string;
+        cvss_vector: string;
+        cvss_base_score: number;
+        cvss_severity: string;
+        cwe_name: string;
+        cwe_description: string;
+        cwe_extended_description: string;
+        configurations: Array<{
+          package: string;
+          system: string | null;
+          versionStartExcluding: string | null;
+          versionEndExcluding: string | null;
+          versionStartIncluding: string | null;
+          versionEndIncluding: string | null;
+        }>;
+        vendor_names: string | null;
+        references: string[];
+        disputed: boolean;
+        published_at: string;
+        updated_at: string;
+      };
+      rhsa: {
+        bugzilla: { description: string; id: string; url: string };
+        details: string[];
+        statement: string | null;
+        package_state: Array<{
+          product_name: string;
+          fix_state: string;
+          package_name: string;
+          cpe: string;
+        }>;
+        upstream_fix: string | null;
+        cvss3: {
+          cvss3_base_score: number;
+          cvss3_scoring_vector: string;
+          status: string;
+        };
+        threat_severity: string;
+        public_date: string;
+        acknowledgement: string;
+        affected_release: Array<{
+          product_name: string;
+          release_date: string;
+          advisory: string;
+          cpe: string;
+          package?: string;
+        }>;
+        references: string[];
+        name: string;
+        mitigation: { value: string; lang: string };
+        csaw: boolean;
+      };
+      ubuntu: {
+        description: string | null;
+        notes: string | null;
+        notices: string | null;
+        priority: string | null;
+        ubuntu_description: string | null;
+        impact: string | null;
+      };
+      epss: {
+        epss: number;
+        percentile: number;
+        date: string;
+        cve: string;
+      };
+      plugin_data: Array<{
+        label: string;
+        description: string;
+      }>;
+      intel_score: number;
+      has_sufficient_intel_for_agent: boolean;
+    }>;
+    sbom: { packages: unknown[] };
+    vulnerable_dependencies: Array<{
+      vuln_id: string;
+      vuln_package_intel_sources: unknown[];
+      vulnerable_sbom_packages: unknown[];
+    }>;
+  };
+  output?: Array<{
+    vuln_id: string;
+    checklist: Array<{
+      input: string;
+      response: string;
+      intermediate_steps: string | null;
+    }>;
+    summary: string;
+    justification: {
+      label: string;
+      reason: string;
+      status: "UNKNOWN" | "TRUE" | "FALSE";
+    };
+    cvss?: {
+      score: string;
+      vector_string: string;
+    };
+    intel_score: number;
+  }>;
+}