Class AppSecService

java.lang.Object
com.vaadin.appsec.backend.AppSecService

public class AppSecService extends Object
Service that provides access to all AppSec Kit features, such as vulnerability scanning and analysis storage.
  • Method Details

    • getInstance

      public static AppSecService getInstance()
      Get the AppSecService singleton instance.
      Returns:
      the singleton instance
    • init

      public void init()
      Initializes the service by reading the SBOM file.
    • getSupportedFramework7Versions

      @Deprecated(forRemoval=true, since="3.1.0") public List<String> getSupportedFramework7Versions()
      Deprecated, for removal: This API element is subject to removal in a future version.
      Gets the list of Vaadin Framework 7 versions for which the kit provides vulnerability assessments.
      Returns:
      the list of versions
    • getSupportedFramework8Versions

      @Deprecated(forRemoval=true, since="3.1.0") public List<String> getSupportedFramework8Versions()
      Deprecated, for removal: This API element is subject to removal in a future version.
      Gets the list of Vaadin Framework 8 versions for which the kit provides vulnerability assessments.
      Returns:
      the list of versions
    • getSupportedFlow24Versions

      @Deprecated(forRemoval=true, since="3.1.0") public List<String> getSupportedFlow24Versions()
      Deprecated, for removal: This API element is subject to removal in a future version.
      Gets the list of Vaadin Flow 24 versions for which the kit provides vulnerability assessments.
      Returns:
      the list of versions
    • getSupportedFlowVersions

      public List<String> getSupportedFlowVersions()
      Gets the list of Vaadin Flow versions for which the kit provides vulnerability assessments.
      Returns:
      the list of versions
    • getVulnerabilityAnalysis

      public VulnerabilityAnalysis getVulnerabilityAnalysis()
      Gets the Vaadin Security Team's assessments of known vulnerabilities coming from transitive dependencies of the currently maintained Vaadin versions.
      Returns:
      the vulnerability analysis
    • scheduleAutomaticScan

      public void scheduleAutomaticScan()
      Schedules an automatic scan for vulnerabilities at a fixed rate, using the interval configured with AppSecConfiguration.setAutoScanInterval(java.time.Duration).
    • addScanEventListener

      public Registration addScanEventListener(AppSecScanEventListener listener)
      Adds a listener for scan events.

      All listeners will be invoked once a scan has been performed successfully.

      Parameters:
      listener - the listener
      Returns:
      a registration object that can be used to remove the listener
    • scanForVulnerabilities

      public CompletableFuture<Void> scanForVulnerabilities()
      Scans the application dependencies for vulnerabilities. The scan is performed against the OSV database (see osv.dev).

      The scan is performed asynchronously on a thread created by the Executor set in the service configuration (the default is a single-thread executor). A custom executor can be set with AppSecConfiguration.setTaskExecutor(ScheduledExecutorService).

      Returns:
      a future completed when the scan has ended
    • getDependencies

      public List<Dependency> getDependencies()
      Gets the list of application dependencies (including transitive).
      Returns:
      the list of dependencies
    • getVulnerabilities

      public List<Vulnerability> getVulnerabilities()
      Gets the list of vulnerabilities found in application dependencies. The list is always empty before the first scan. To scan dependencies for vulnerabilities, see scanForVulnerabilities().
      Returns:
      the list of vulnerabilities
    • getNewVulnerabilities

      public List<Vulnerability> getNewVulnerabilities()
      Gets the list of new vulnerabilities. A vulnerability is considered new if there is no developer assessment data for that vulnerability.
      Returns:
      the list of new vulnerabilities
    • getData

      public AppSecData getData()
      Gets the data object, reading it from the file-system if the file exists.
      Returns:
      the data object, not null
    • setData

      public void setData(AppSecData data)
      Sets the data object, writing it to the file-system.
      Parameters:
      data - the data object, not null
    • refresh

      public AppSecData refresh()
      Re-reads data from disk.
      Returns:
      the data object, not null
    • getConfiguration

      public AppSecConfiguration getConfiguration()
      Gets the current configuration. Changes to the instance returned from this method will not be applied until the instance is set with setConfiguration(AppSecConfiguration).
      Returns:
      the current configuration
    • setConfiguration

      public void setConfiguration(AppSecConfiguration configuration)
      Sets the configuration for this singleton instance. When a new configuration is set, the service needs to be initialized again with init().
      Parameters:
      configuration - configuration to set
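
The call order implied by the method descriptions above (configure, re-initialize, scan, then read results), shown as an added example that is not part of the AppSec Kit documentation. The class name AppSecStartupCheck, the 6-hour interval and the 5-minute timeout are assumptions chosen for illustration; only methods listed on this page are called.

```java
import com.vaadin.appsec.backend.AppSecService;

import java.time.Duration;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

/** Hypothetical startup helper; class and method names are not part of AppSec Kit. */
public final class AppSecStartupCheck {

    /** Returns the number of findings that still have no developer assessment. */
    public static int configureScanAndCount() throws InterruptedException {
        AppSecService service = AppSecService.getInstance();

        // Changes to the returned configuration take effect only after
        // setConfiguration(...) is called with it.
        var config = service.getConfiguration();
        config.setAutoScanInterval(Duration.ofHours(6)); // constructed interval
        service.setConfiguration(config);

        // A new configuration requires init() again; init() reads the SBOM file.
        service.init();

        try {
            // The scan runs asynchronously on the configured executor. Wait for it
            // with a constructed 5-minute limit so startup cannot hang on the scan.
            service.scanForVulnerabilities().get(5, TimeUnit.MINUTES);
        } catch (ExecutionException | TimeoutException e) {
            // getVulnerabilities() is always empty before the first scan, so an
            // empty list at this point would mean "not scanned", not "clean".
            throw new IllegalStateException("Dependency scan did not complete", e);
        }

        int total = service.getVulnerabilities().size();
        int unassessed = service.getNewVulnerabilities().size();
        System.out.printf("%d dependencies, %d vulnerabilities, %d unassessed%n",
                service.getDependencies().size(), total, unassessed);

        // Keep rescanning at the interval set above.
        service.scheduleAutomaticScan();
        return unassessed;
    }
}
```

A caller can treat a non-zero return value as a signal that findings are waiting for developer assessment.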