Refactor code structure for improved readability and maintainability; optimize performance in key functions.

2025-12-22 19:06:31 +02:00
parent dfaa2079aa
commit 4602ccc3a3
1444 changed files with 109919 additions and 8058 deletions
--- a/src/Excititor/StellaOps.Excititor.WebService/Endpoints/ResolveEndpoint.cs
+++ b/src/Excititor/StellaOps.Excititor.WebService/Endpoints/ResolveEndpoint.cs
@@ -16,6 +16,8 @@ using StellaOps.Excititor.Attestation;
 using StellaOps.Excititor.Attestation.Dsse;
 using StellaOps.Excititor.Attestation.Signing;
 using StellaOps.Excititor.Core;
+using StellaOps.Excititor.Core.Lattice;
+using StellaOps.Excititor.Formats.OpenVEX;
 using StellaOps.Excititor.Policy;
 using StellaOps.Excititor.Core.Storage;
 using StellaOps.Excititor.WebService.Services;
@@ -35,7 +37,8 @@ internal static class ResolveEndpoint
        HttpContext httpContext,
        IVexClaimStore claimStore,
        [FromServices] IVexConsensusStore? consensusStore,
-        IVexProviderStore providerStore,
+        OpenVexStatementMerger merger,
+        IVexLatticeProvider lattice,
        IVexPolicyProvider policyProvider,
        TimeProvider timeProvider,
        ILoggerFactory loggerFactory,
@@ -93,9 +96,7 @@ internal static class ResolveEndpoint
            return Results.Empty;
        }

-        var resolver = new VexConsensusResolver(snapshot.ConsensusPolicy);
        var resolvedAt = timeProvider.GetUtcNow();
-        var providerCache = new Dictionary<string, VexProvider>(StringComparer.Ordinal);
        var results = new List<VexResolveResult>((int)pairCount);

        foreach (var productKey in productKeys)
@@ -107,23 +108,16 @@ internal static class ResolveEndpoint

                var claimArray = claims.Count == 0 ? Array.Empty<VexClaim>() : claims.ToArray();
                var signals = AggregateSignals(claimArray);
-                var providers = await LoadProvidersAsync(claimArray, providerStore, providerCache, cancellationToken)
-                    .ConfigureAwait(false);
                var product = ResolveProduct(claimArray, productKey);
-                var calculatedAt = timeProvider.GetUtcNow();
-
-                var resolution = resolver.Resolve(new VexConsensusRequest(
+                var (consensus, decisions) = BuildConsensus(
                    vulnerabilityId,
-                    product,
                    claimArray,
-                    providers,
-                    calculatedAt,
-                    snapshot.ConsensusOptions.WeightCeiling,
+                    product,
                    signals,
-                    snapshot.RevisionId,
-                    snapshot.Digest));
-
-                var consensus = resolution.Consensus;
+                    snapshot,
+                    merger,
+                    lattice,
+                    timeProvider);

                if (!string.Equals(consensus.PolicyVersion, snapshot.Version, StringComparison.Ordinal) ||
                    !string.Equals(consensus.PolicyRevisionId, snapshot.RevisionId, StringComparison.Ordinal) ||
@@ -158,10 +152,6 @@ internal static class ResolveEndpoint
                    logger,
                    cancellationToken).ConfigureAwait(false);

-                var decisions = resolution.DecisionLog.IsDefault
-                    ? Array.Empty<VexConsensusDecisionTelemetry>()
-                    : resolution.DecisionLog.ToArray();
-
                results.Add(new VexResolveResult(
                    consensus.VulnerabilityId,
                    consensus.Product.Key,
@@ -285,44 +275,6 @@ internal static class ResolveEndpoint
        return new VexSignalSnapshot(bestSeverity, kev, bestEpss);
    }

-    private static async Task<IReadOnlyDictionary<string, VexProvider>> LoadProvidersAsync(
-        IReadOnlyList<VexClaim> claims,
-        IVexProviderStore providerStore,
-        IDictionary<string, VexProvider> cache,
-        CancellationToken cancellationToken)
-    {
-        if (claims.Count == 0)
-        {
-            return ImmutableDictionary<string, VexProvider>.Empty;
-        }
-
-        var builder = ImmutableDictionary.CreateBuilder<string, VexProvider>(StringComparer.Ordinal);
-        var seen = new HashSet<string>(StringComparer.Ordinal);
-
-        foreach (var providerId in claims.Select(claim => claim.ProviderId))
-        {
-            if (!seen.Add(providerId))
-            {
-                continue;
-            }
-
-            if (cache.TryGetValue(providerId, out var cached))
-            {
-                builder[providerId] = cached;
-                continue;
-            }
-
-            var provider = await providerStore.FindAsync(providerId, cancellationToken).ConfigureAwait(false);
-            if (provider is not null)
-            {
-                cache[providerId] = provider;
-                builder[providerId] = provider;
-            }
-        }
-
-        return builder.ToImmutable();
-    }
-
    private static VexProduct ResolveProduct(IReadOnlyList<VexClaim> claims, string productKey)
    {
        if (claims.Count > 0)
@@ -334,6 +286,118 @@ internal static class ResolveEndpoint
        return new VexProduct(productKey, name: null, version: null, purl: inferredPurl);
    }

+    private static (VexConsensus Consensus, IReadOnlyList<VexConsensusDecisionTelemetry> Decisions) BuildConsensus(
+        string vulnerabilityId,
+        IReadOnlyList<VexClaim> claims,
+        VexProduct product,
+        VexSignalSnapshot? signals,
+        VexPolicySnapshot snapshot,
+        OpenVexStatementMerger merger,
+        IVexLatticeProvider lattice,
+        TimeProvider timeProvider)
+    {
+        var calculatedAt = timeProvider.GetUtcNow();
+
+        if (claims.Count == 0)
+        {
+            var emptyConsensus = new VexConsensus(
+                vulnerabilityId,
+                product,
+                VexConsensusStatus.UnderInvestigation,
+                calculatedAt,
+                Array.Empty<VexConsensusSource>(),
+                Array.Empty<VexConsensusConflict>(),
+                signals,
+                snapshot.Version,
+                "No claims available.",
+                snapshot.RevisionId,
+                snapshot.Digest);
+
+            return (emptyConsensus, Array.Empty<VexConsensusDecisionTelemetry>());
+        }
+
+        var mergeResult = merger.MergeClaims(claims);
+        var consensusStatus = MapConsensusStatus(mergeResult.ResultStatement.Status);
+        var sources = claims
+            .Select(claim => new VexConsensusSource(
+                claim.ProviderId,
+                claim.Status,
+                claim.Document.Digest,
+                (double)lattice.GetTrustWeight(claim),
+                claim.Justification,
+                claim.Detail,
+                claim.Confidence))
+            .ToArray();
+
+        var conflicts = claims
+            .Where(claim => claim.Status != mergeResult.ResultStatement.Status)
+            .Select(claim => new VexConsensusConflict(
+                claim.ProviderId,
+                claim.Status,
+                claim.Document.Digest,
+                claim.Justification,
+                claim.Detail,
+                "status_conflict"))
+            .ToArray();
+
+        var summary = MergeTraceWriter.ToExplanation(mergeResult);
+        var decisions = BuildDecisionLog(claims, lattice);
+
+        var consensus = new VexConsensus(
+            vulnerabilityId,
+            product,
+            consensusStatus,
+            calculatedAt,
+            sources,
+            conflicts,
+            signals,
+            snapshot.Version,
+            summary,
+            snapshot.RevisionId,
+            snapshot.Digest);
+
+        return (consensus, decisions);
+    }
+
+    private static VexConsensusStatus MapConsensusStatus(VexClaimStatus status)
+        => status switch
+        {
+            VexClaimStatus.Affected => VexConsensusStatus.Affected,
+            VexClaimStatus.NotAffected => VexConsensusStatus.NotAffected,
+            VexClaimStatus.Fixed => VexConsensusStatus.Fixed,
+            _ => VexConsensusStatus.UnderInvestigation,
+        };
+
+    private static IReadOnlyList<VexConsensusDecisionTelemetry> BuildDecisionLog(
+        IReadOnlyList<VexClaim> claims,
+        IVexLatticeProvider lattice)
+    {
+        if (claims.Count == 0)
+        {
+            return Array.Empty<VexConsensusDecisionTelemetry>();
+        }
+
+        var decisions = new List<VexConsensusDecisionTelemetry>(claims.Count);
+        foreach (var claim in claims)
+        {
+            var weight = lattice.GetTrustWeight(claim);
+            var included = weight > 0;
+            var reason = included ? null : "weight_not_positive";
+
+            decisions.Add(new VexConsensusDecisionTelemetry(
+                claim.ProviderId,
+                claim.Document.Digest,
+                claim.Status,
+                included,
+                (double)weight,
+                reason,
+                claim.Justification,
+                claim.Detail));
+        }
+
+        return decisions;
+    }
+
    private static ConsensusPayload PreparePayload(VexConsensus consensus)
    {
        var canonicalJson = VexCanonicalJsonSerializer.Serialize(consensus);