using license risk service only in component service

Author: timbastin

internal/core/component/component_service.go

@@ -172,7 +172,6 @@ func (s *service) GetAndSaveLicenseInformation(assetVersion models.AssetVersion,
 	slog.Info("getting license information for components", "amount", len(componentsWithoutLicense))
 	errGroup := utils.ErrGroup[models.Component](10)
 	for _, component := range componentsWithoutLicense {
-		component := component
 		errGroup.Go(func() (models.Component, error) {
 			return s.GetLicense(component)
 		})
@@ -189,18 +188,19 @@ func (s *service) GetAndSaveLicenseInformation(assetVersion models.AssetVersion,
 		return nil, err
 	}
 
-	// find potential license risks for the components which had no prior license
-	if len(components) > 0 {
-		err = s.licenseRiskService.FindLicenseRisksInComponents(assetVersion, components, scannerID)
-		if err != nil {
-			return nil, err
+	allComponents := components
+	// get all the components - with licenses and without
+	for _, componentDependency := range componentDependencies {
+		if !seen[componentDependency.DependencyPurl] {
+			// if the component is not in the seen map, it means it was not processed to get a new license
+			allComponents = append(allComponents, componentDependency.Dependency)
 		}
 	}
 
-	// now return all components - each one should have the best license information available
-	allComponents := components
-	for _, componentDependency := range componentDependencies {
-		allComponents = append(allComponents, componentDependency.Dependency)
+	// find potential license risks
+	err = s.licenseRiskService.FindLicenseRisksInComponents(assetVersion, allComponents, scannerID)
+	if err != nil {
+		return nil, err
 	}
 
 	return allComponents, nil

internal/core/vuln/license_risk_service.go

@@ -38,19 +38,15 @@ func (service *LicenseRiskService) FindLicenseRisksInComponents(assetVersion mod
 	}
 
 	// get all current valid licenses to compare against
-	licenses, err := GetOSILicenses()
+	licenseMap, err := GetOSILicenses()
 	if err != nil {
 		return err
 	}
-	licenseMap := make(map[string]struct{})
-	for i := range licenses {
-		licenseMap[licenses[i]] = struct{}{}
-	}
 
 	//collect all risks before saving to the database, should be more efficient
 	allLicenseRisks := []models.LicenseRisk{}
 	allVulnEvents := []models.VulnEvent{}
-	//go over every component and check if the license if the license is a valid osi license; if not we can create a license risk with the provided information
+	//go over every component and check if the license is a valid osi license; if not we can create a license risk with the provided information
 	for _, component := range components {
 		_, validLicense := licenseMap[*component.License]
 		_, exists := doesLicenseRiskAlreadyExist[component.Purl]
@@ -86,11 +82,11 @@ func (service *LicenseRiskService) FindLicenseRisksInComponents(assetVersion mod
 	return nil
 }
 
-var validOSILicenses []string = make([]string, 0)
+var validOSILicenseMap map[string]struct{} = make(map[string]struct{}) // cache for valid OSI licenses
 
-func GetOSILicenses() ([]string, error) {
-	if len(validOSILicenses) > 0 {
-		return validOSILicenses, nil
+func GetOSILicenses() (map[string]struct{}, error) {
+	if len(validOSILicenseMap) > 0 {
+		return validOSILicenseMap, nil
 	}
 
 	apiURL := os.Getenv("OSI_LICENSES_API")
@@ -129,10 +125,10 @@ func GetOSILicenses() ([]string, error) {
 
 	for _, license := range licenses {
 		if license.ID != "" {
-			validOSILicenses = append(validOSILicenses, license.ID)
+			validOSILicenseMap[license.ID] = struct{}{}
 		}
 	}
-	return validOSILicenses, nil
+	return validOSILicenseMap, nil
 }
 
 func (service *LicenseRiskService) UpdateLicenseRiskState(tx core.DB, userID string, licenseRisk *models.LicenseRisk, statusType string, justification string, mechanicalJustification models.MechanicalJustificationType) (models.VulnEvent, error) {

internal/core/vuln/license_risk_test.go

@@ -41,13 +41,12 @@ type HTTPController struct {
 	statisticsService      core.StatisticsService
 
 	dependencyVulnService core.DependencyVulnService
-	licenseRiskService    core.LicenseRiskService
 
 	// mark public to let it be overridden in tests
 	core.FireAndForgetSynchronizer
 }
 
-func NewHTTPController(db core.DB, cveRepository core.CveRepository, componentRepository core.ComponentRepository, assetRepository core.AssetRepository, assetVersionRepository core.AssetVersionRepository, assetVersionService core.AssetVersionService, statisticsService core.StatisticsService, dependencyVulnService core.DependencyVulnService, licenseRiskService core.LicenseRiskService) *HTTPController {
+func NewHTTPController(db core.DB, cveRepository core.CveRepository, componentRepository core.ComponentRepository, assetRepository core.AssetRepository, assetVersionRepository core.AssetVersionRepository, assetVersionService core.AssetVersionService, statisticsService core.StatisticsService, dependencyVulnService core.DependencyVulnService) *HTTPController {
 	cpeComparer := NewCPEComparer(db)
 	purlComparer := NewPurlComparer(db)
 
@@ -62,7 +61,6 @@ func NewHTTPController(db core.DB, cveRepository core.CveRepository, componentRe
 		assetVersionRepository:    assetVersionRepository,
 		statisticsService:         statisticsService,
 		dependencyVulnService:     dependencyVulnService,
-		licenseRiskService:        licenseRiskService,
 		FireAndForgetSynchronizer: utils.NewFireAndForgetSynchronizer(),
 	}
 }
@@ -119,14 +117,6 @@ func (s *HTTPController) DependencyVulnScan(c core.Context, bom normalize.SBOM)
 		slog.Error("could not update sbom", "err", err)
 		return scanResults, err
 	}
-
-	// check if we have any license risk in our sbom
-	sbomComponents := ConvertCDXComponentsToSimpleComponents(*normalizedBom.GetComponents())
-	err = s.licenseRiskService.FindLicenseRisksInComponents(assetVersion, sbomComponents, scannerID)
-	if err != nil {
-		return scanResults, err
-	}
-
 	return s.ScanNormalizedSBOM(org, project, asset, assetVersion, normalizedBom, scannerID, userID)
 }
 
@@ -278,27 +268,3 @@ func (s *HTTPController) ScanSbomFile(c core.Context) error {
 	return c.JSON(200, scanResults)
 
 }
-
-func ConvertCDXComponentsToSimpleComponents(cdxComponents []cdx.Component) []models.Component {
-	components := []models.Component{}
-	// only variables needed for FindLicenseRisksInComponents are converted
-	for _, cdx := range cdxComponents {
-		license := ""
-		// avoid nil pointer dereference
-		if cdx.Licenses != nil && len(*cdx.Licenses) > 0 {
-			if (*cdx.Licenses)[0].License != nil {
-				if (*cdx.Licenses)[0].License.ID != "" {
-					license = (*cdx.Licenses)[0].License.ID
-				} else {
-					license = (*cdx.Licenses)[0].License.Name
-				}
-			}
-
-		}
-		components = append(components, models.Component{
-			Purl:    cdx.PackageURL,
-			License: &license,
-		})
-	}
-	return components
-}

internal/core/vulndb/scan/scan_controller.go

@@ -8,7 +8,6 @@ import (
 	"github.com/l3montree-dev/devguard/internal/utils"
 )
 
-// TO DO move this to common interfaces?
 type Vuln interface {
 	SetState(state VulnState)
 	GetState() VulnState

internal/database/models/vulnerability_model.go

@@ -99,6 +99,5 @@ func CreateHTTPController(db core.DB, oauth2 map[string]*gitlabint.GitlabOauth2C
 		CreateAssetVersionService(db, oauth2, rbac, clientFactory, depsDevService),
 		CreateStatisticsService(db),
 		CreateDependencyVulnService(db, oauth2, rbac, clientFactory),
-		CreateLicenseRiskService(db),
 	)
 }