#103: security warning for CVEs in file tool/edition/security

cli/pom.xml

@@ -58,12 +58,10 @@
     <dependency>
       <groupId>org.slf4j</groupId>
       <artifactId>slf4j-api</artifactId>
-      <version>2.0.3</version>
     </dependency>
     <dependency>
       <groupId>ch.qos.logback</groupId>
       <artifactId>logback-classic</artifactId>
-      <version>1.4.7</version>
     </dependency>
     <!-- Needed for WireMock test support -->
     <dependency>

cli/src/main/java/com/devonfw/tools/ide/common/SystemPath.java

@@ -67,7 +67,8 @@ public SystemPath(String envPath, Path softwarePath, char pathSeparator, IdeCont
       } else {
         Path duplicate = this.tool2pathMap.putIfAbsent(tool, path);
         if (duplicate != null) {
-          context.warning("Duplicated tool path for tool: {} at path: {} with duplicated path: {}.", tool, path, duplicate);
+          context.warning("Duplicated tool path for tool: {} at path: {} with duplicated path: {}.", tool, path,
+              duplicate);
         }
       }
     }

cli/src/main/java/com/devonfw/tools/ide/tool/GlobalToolCommandlet.java

@@ -52,7 +52,9 @@ protected boolean doInstall(boolean silent) {
     String edition = getEdition();
     ToolRepository toolRepository = this.context.getDefaultToolRepository();
     VersionIdentifier configuredVersion = getConfiguredVersion();
-    VersionIdentifier resolvedVersion = toolRepository.resolveVersion(this.tool, edition, configuredVersion);
+    VersionIdentifier selectedVersion = securityRiskInteraction(configuredVersion);
+    setVersion(selectedVersion, silent);
+    VersionIdentifier resolvedVersion = toolRepository.resolveVersion(this.tool, edition, selectedVersion);
     // download and install the global tool
     FileAccess fileAccess = this.context.getFileAccess();
     Path target = toolRepository.download(this.tool, edition, resolvedVersion);

cli/src/main/java/com/devonfw/tools/ide/tool/LocalToolCommandlet.java

@@ -62,9 +62,10 @@ protected boolean doInstall(boolean silent) {
     VersionIdentifier configuredVersion = getConfiguredVersion();
     // get installed version before installInRepo actually may install the software
     VersionIdentifier installedVersion = getInstalledVersion();
+    VersionIdentifier selectedVersion = securityRiskInteraction(configuredVersion);
+    setVersion(selectedVersion, silent);
     // install configured version of our tool in the software repository if not already installed
-    ToolInstallation installation = installInRepo(configuredVersion);
-
+    ToolInstallation installation = installInRepo(selectedVersion);
     // check if we already have this version installed (linked) locally in IDE_HOME/software
     VersionIdentifier resolvedVersion = installation.resolvedVersion();
     if (resolvedVersion.equals(installedVersion) && !installation.newInstallation()) {

cli/src/main/java/com/devonfw/tools/ide/tool/SecurityRiskInteractionAnswer.java

@@ -0,0 +1,29 @@
+package com.devonfw.tools.ide.tool;
+
+/**
+ * User interaction answers when a security risk was found and the user can f.e. choose to stay on the current unsafe
+ * version, use the latest safe version, use the latest version or use the next safe version.
+ */
+public enum SecurityRiskInteractionAnswer {
+
+  /**
+   * User answer to stay on the current unsafe version.
+   */
+  STAY,
+
+  /**
+   * User answer to install the latest of all safe versions.
+   */
+  LATEST_SAFE,
+
+  /**
+   * User answer to use the latest safe version.
+   */
+  SAFE_LATEST,
+
+  /**
+   * User answer to use the next safe version.
+   */
+  NEXT_SAFE,
+
+}

cli/src/main/java/com/devonfw/tools/ide/tool/ToolCommandlet.java

@@ -1,10 +1,19 @@
 package com.devonfw.tools.ide.tool;
 
+import static com.devonfw.tools.ide.tool.SecurityRiskInteractionAnswer.LATEST_SAFE;
+import static com.devonfw.tools.ide.tool.SecurityRiskInteractionAnswer.NEXT_SAFE;
+import static com.devonfw.tools.ide.tool.SecurityRiskInteractionAnswer.SAFE_LATEST;
+import static com.devonfw.tools.ide.tool.SecurityRiskInteractionAnswer.STAY;
+
 import java.io.IOException;
 import java.nio.file.Files;
 import java.nio.file.Path;
+import java.util.Arrays;
+import java.util.HashMap;
 import java.util.List;
+import java.util.Map;
 import java.util.Set;
+import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
 import com.devonfw.tools.ide.cli.CliException;
@@ -20,7 +29,10 @@
 import com.devonfw.tools.ide.process.ProcessContext;
 import com.devonfw.tools.ide.process.ProcessErrorHandling;
 import com.devonfw.tools.ide.property.StringListProperty;
+import com.devonfw.tools.ide.url.model.file.UrlSecurityJsonFile;
+import com.devonfw.tools.ide.url.model.file.json.UrlSecurityWarning;
 import com.devonfw.tools.ide.util.FilenameUtil;
+import com.devonfw.tools.ide.util.Pair;
 import com.devonfw.tools.ide.version.VersionIdentifier;
 
 /**
@@ -104,7 +116,8 @@ public void runTool(boolean runInBackground, VersionIdentifier toolVersion, Stri
     } else {
       throw new UnsupportedOperationException("Not yet implemented!");
     }
-    ProcessContext pc = this.context.newProcess().errorHandling(ProcessErrorHandling.WARNING).executable(binaryPath).addArgs(args);
+    ProcessContext pc = this.context.newProcess().errorHandling(ProcessErrorHandling.WARNING).executable(binaryPath)
+        .addArgs(args);
 
     pc.run(false, runInBackground);
   }
@@ -182,6 +195,142 @@ public boolean install(boolean silent) {
     return doInstall(silent);
   }
 
+  /**
+   * Checks if the given {@link VersionIdentifier} has a matching security warning in the {@link UrlSecurityJsonFile}.
+   *
+   * @param configuredVersion the {@link VersionIdentifier} to be checked.
+   * @return the {@link VersionIdentifier} to be used for installation. If the configured version is safe or there are
+   *         no save versions the potentially unresolved configured version is simply returned. Otherwise, a resolved
+   *         version is returned.
+   */
+  protected VersionIdentifier securityRiskInteraction(VersionIdentifier configuredVersion) {
+
+    UrlSecurityJsonFile securityFile = this.context.getUrls().getEdition(this.tool, this.getEdition())
+        .getSecurityJsonFile();
+
+    VersionIdentifier current = this.context.getUrls().getVersion(this.tool, this.getEdition(), configuredVersion);
+
+    if (!securityFile.contains(current, true, this.context, securityFile.getParent())) {
+      return configuredVersion;
+    }
+
+    List<VersionIdentifier> allVersions = this.context.getUrls().getSortedVersions(this.tool, this.getEdition());
+    VersionIdentifier latest = allVersions.get(0);
+
+    VersionIdentifier nextSafe = getNextSafeVersion(current, securityFile, allVersions);
+    VersionIdentifier latestSafe = getLatestSafe(allVersions, securityFile);
+    String cves = securityFile.getMatchingSecurityWarnings(current).stream().map(UrlSecurityWarning::getCveName)
+        .collect(Collectors.joining(", "));
+    String currentIsUnsafe = "Currently, version " + current + " of " + this.getName() + " is selected, "
+        + "which has one or more vulnerabilities:\n\n" + cves + "\n\n(See also " + securityFile.getPath() + ")\n\n";
+
+    if (latestSafe == null) {
+      this.context.warning(currentIsUnsafe + "There is no safe version available.");
+      return configuredVersion;
+    }
+
+    return whichVersionDoYouWantToInstall(configuredVersion, current, nextSafe, latestSafe, latest, currentIsUnsafe);
+  }
+
+  /**
+   * Using all the safety information about the versions, this method asks the user which version to install.
+   *
+   * @param configuredVersion the version that was configured in the environment variables.
+   * @param current the current version that was resolved from the configured version.
+   * @param nextSafe the next safe version.
+   * @param latestSafe the latest safe version.
+   * @param latest the latest version.
+   * @param currentIsUnsafe the message that is printed if the current version is unsafe.
+   * @return the version that the user wants to install.
+   */
+  private VersionIdentifier whichVersionDoYouWantToInstall(VersionIdentifier configuredVersion,
+      VersionIdentifier current, VersionIdentifier nextSafe, VersionIdentifier latestSafe, VersionIdentifier latest,
+      String currentIsUnsafe) {
+
+    String ask = "Which version do you want to install?";
+
+    // enum id, option message, version that is returned if this option is selected
+    Map<SecurityRiskInteractionAnswer, Pair<String, VersionIdentifier>> options = new HashMap<>();
+    options.put(STAY, Pair.of("Stay with the current unsafe version (" + current + ").", configuredVersion));
+    options.put(LATEST_SAFE, Pair.of("Install the latest of all safe versions (" + latestSafe + ").", latestSafe));
+    options.put(SAFE_LATEST,
+        Pair.of("Install the latest version (" + latest + "). This version is save.", VersionIdentifier.LATEST));
+    options.put(NEXT_SAFE, Pair.of("Install the next safe version (" + nextSafe + ").", nextSafe));
+
+    if (current.equals(latest)) {
+      return getAnswer(options, currentIsUnsafe + "There are no updates available. " + ask, STAY, LATEST_SAFE);
+    } else if (nextSafe == null) { // install an older version that is safe or stay with the current unsafe version
+      return getAnswer(options, currentIsUnsafe + "All newer versions are also not safe. " + ask, STAY, LATEST_SAFE);
+    } else if (nextSafe.equals(latest)) {
+      return getAnswer(options, currentIsUnsafe + "Of the newer versions, only the latest is safe. " + ask, STAY,
+          SAFE_LATEST);
+    } else if (nextSafe.equals(latestSafe)) {
+      return getAnswer(options, currentIsUnsafe + "Of the newer versions, only version " + nextSafe
+          + " is safe, which is however not the latest. " + ask, STAY, NEXT_SAFE);
+    } else {
+      if (latestSafe.equals(latest)) {
+        return getAnswer(options, currentIsUnsafe + ask, STAY, NEXT_SAFE, SAFE_LATEST);
+      } else {
+        return getAnswer(options, currentIsUnsafe + ask, STAY, NEXT_SAFE, LATEST_SAFE);
+      }
+    }
+  }
+
+  private VersionIdentifier getAnswer(Map<SecurityRiskInteractionAnswer, Pair<String, VersionIdentifier>> options,
+      String question, SecurityRiskInteractionAnswer... possibleAnswers) {
+
+    String[] availableOptions = Arrays.stream(possibleAnswers).map(options::get).map(Pair::getFirst)
+        .toArray(String[]::new);
+    String answer = this.context.question(question, availableOptions);
+    for (SecurityRiskInteractionAnswer possibleAnswer : possibleAnswers) {
+      if (options.get(possibleAnswer).getFirst().equals(answer)) {
+        return options.get(possibleAnswer).getSecond();
+      }
+    }
+    throw new IllegalStateException("Invalid answer " + answer);
+  }
+
+  /**
+   * Gets the latest safe version from the list of all versions.
+   *
+   * @param allVersions all versions of the tool.
+   * @param securityFile the {@link UrlSecurityJsonFile} to check if a version is safe or not.
+   * @return the latest safe version or {@code null} if there is no safe version.
+   */
+  private VersionIdentifier getLatestSafe(List<VersionIdentifier> allVersions, UrlSecurityJsonFile securityFile) {
+
+    VersionIdentifier latestSafe = null;
+    for (int i = 0; i < allVersions.size(); i++) {
+      if (!securityFile.contains(allVersions.get(i), true, this.context, securityFile.getParent())) {
+        latestSafe = allVersions.get(i);
+        break;
+      }
+    }
+    return latestSafe;
+  }
+
+  /**
+   * Gets the next safe version from the list of all versions starting from the current version.
+   *
+   * @param current the current version.
+   * @param securityFile the {@link UrlSecurityJsonFile} to check if a version is safe or not.
+   * @param allVersions all versions of the tool.
+   * @return the next safe version or {@code null} if there is no safe version.
+   */
+  private VersionIdentifier getNextSafeVersion(VersionIdentifier current, UrlSecurityJsonFile securityFile,
+      List<VersionIdentifier> allVersions) {
+
+    int currentVersionIndex = allVersions.indexOf(current);
+    VersionIdentifier nextSafe = null;
+    for (int i = currentVersionIndex - 1; i >= 0; i--) {
+      if (!securityFile.contains(allVersions.get(i), true, this.context, securityFile.getParent())) {
+        nextSafe = allVersions.get(i);
+        break;
+      }
+    }
+    return nextSafe;
+  }
+
   /**
    * Installs or updates the managed {@link #getName() tool}.
    *
@@ -192,7 +341,8 @@ public boolean install(boolean silent) {
   protected abstract boolean doInstall(boolean silent);
 
   /**
-   * This method is called after the tool has been newly installed or updated to a new version.
+   * This method is called after the tool has been newly installed or updated to a new version. Override it to add
+   * custom post installation logic.
    */
   protected void postInstall() {
 
@@ -210,11 +360,12 @@ private Path getProperInstallationSubDirOf(Path path) {
     try (Stream<Path> stream = Files.list(path)) {
       Path[] subFiles = stream.toArray(Path[]::new);
       if (subFiles.length == 0) {
-        throw new CliException("The downloaded package for the tool " + this.tool + " seems to be empty as you can check in the extracted folder " + path);
+        throw new CliException("The downloaded package for the tool " + this.tool
+            + " seems to be empty as you can check in the extracted folder " + path);
       } else if (subFiles.length == 1) {
         String filename = subFiles[0].getFileName().toString();
-        if (!filename.equals(IdeContext.FOLDER_BIN) && !filename.equals(IdeContext.FOLDER_CONTENTS) && !filename.endsWith(".app")
-            && Files.isDirectory(subFiles[0])) {
+        if (!filename.equals(IdeContext.FOLDER_BIN) && !filename.equals(IdeContext.FOLDER_CONTENTS)
+            && !filename.endsWith(".app") && Files.isDirectory(subFiles[0])) {
           return getProperInstallationSubDirOf(subFiles[0]);
         }
       }
@@ -384,8 +535,10 @@ public String getInstalledEdition(Path toolPath) {
       }
       return edition;
     } catch (IOException e) {
-      throw new IllegalStateException("Couldn't determine the edition of " + getName() + " from the directory structure of its software path " + toolPath
-          + ", assuming the name of the parent directory of the real path of the software path to be the edition " + "of the tool.", e);
+      throw new IllegalStateException("Couldn't determine the edition of " + getName()
+          + " from the directory structure of its software path " + toolPath
+          + ", assuming the name of the parent directory of the real path of the software path to be the edition "
+          + "of the tool.", e);
     }
 
   }
@@ -450,8 +603,9 @@ public void setVersion(VersionIdentifier version, boolean hint) {
     this.context.info("{}={} has been set in {}", name, version, settingsVariables.getSource());
     EnvironmentVariables declaringVariables = variables.findVariable(name);
     if ((declaringVariables != null) && (declaringVariables != settingsVariables)) {
-      this.context.warning("The variable {} is overridden in {}. Please remove the overridden declaration in order to make the change affect.", name,
-          declaringVariables.getSource());
+      this.context.warning(
+          "The variable {} is overridden in {}. Please remove the overridden declaration in order to make the change affect.",
+          name, declaringVariables.getSource());
     }
     if (hint) {
       this.context.info("To install that version call the following command:");
@@ -494,8 +648,9 @@ public void setEdition(String edition, boolean hint) {
     this.context.info("{}={} has been set in {}", name, edition, settingsVariables.getSource());
     EnvironmentVariables declaringVariables = variables.findVariable(name);
     if ((declaringVariables != null) && (declaringVariables != settingsVariables)) {
-      this.context.warning("The variable {} is overridden in {}. Please remove the overridden declaration in order to make the change affect.", name,
-          declaringVariables.getSource());
+      this.context.warning(
+          "The variable {} is overridden in {}. Please remove the overridden declaration in order to make the change affect.",
+          name, declaringVariables.getSource());
     }
     if (hint) {
       this.context.info("To install that edition call the following command:");

cli/src/main/java/com/devonfw/tools/ide/tool/androidstudio/AndroidStudioUrlUpdater.java

@@ -1,17 +1,18 @@
 package com.devonfw.tools.ide.tool.androidstudio;
 
+import java.util.Collection;
+import java.util.List;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
 import com.devonfw.tools.ide.json.mapping.JsonMapping;
 import com.devonfw.tools.ide.url.model.folder.UrlEdition;
 import com.devonfw.tools.ide.url.model.folder.UrlRepository;
 import com.devonfw.tools.ide.url.model.folder.UrlTool;
 import com.devonfw.tools.ide.url.model.folder.UrlVersion;
 import com.devonfw.tools.ide.url.updater.JsonUrlUpdater;
 import com.fasterxml.jackson.databind.ObjectMapper;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import java.util.Collection;
-import java.util.List;
 
 /**
  * {@link JsonUrlUpdater} for Android Studio.

cli/src/main/java/com/devonfw/tools/ide/tool/dotnet/DotNetUrlUpdater.java

@@ -48,10 +48,10 @@ protected String getGithubRepository() {
 
   @Override
   protected String mapVersion(String version) {
+
     if (version.matches("v\\d+\\.\\d+\\.\\d+")) {
       return super.mapVersion(version);
-    }
-    else {
+    } else {
       return null;
     }
   }

cli/src/main/java/com/devonfw/tools/ide/tool/gcloud/GCloudUrlUpdater.java

@@ -10,7 +10,9 @@
 public class GCloudUrlUpdater extends GithubUrlUpdater {
 
   private static final VersionIdentifier MIN_GCLOUD_VID = VersionIdentifier.of("299.0.0");
+
   private static final VersionIdentifier MIN_ARM_GCLOUD_VID = VersionIdentifier.of("366.0.0");
+
   private static final String BASE_URL = "https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-sdk-${version}-";
 
   @Override