
refactor(backend): migrate cvesearch service from Thrift to Spring Boot REST#4237

Merged: GMishx merged 2 commits into eclipse-sw360:feat/thrift/replace-spring from Shivamrut:thrift/cvesearch, Jun 20, 2026


Shivamrut (Contributor) commented Jun 1, 2026

Change Documentation — CVE Search Service Migration

Summary

  1. This PR migrates the cvesearch backend service from Thrift RPC to Spring Boot REST, wires the schedule service to call cvesearch over HTTP instead of Thrift, and adds an admin-only proxy API on resource-server.
  2. Complete toThriftX and fromThriftX for all entities added for smoother migration. Scope is to delete it after complete migration.

Layer 1 — Backend service (backend/cvesearch)

| File | Action | Purpose |
|---|---|---|
| CveSearchApplication.java | new | @SpringBootApplication, SpringBootServletInitializer for WAR deploy (cvesearch.war) |
| CveSearchController.java | new | @RestController at /api/cvesearch — 6 REST endpoints replacing Thrift CveSearchService.Iface |
| CveSearchHandler.java | modified | @Service; public API uses service-api (Release, Component, Project, VulnerabilityUpdateStatus, RequestStatus); no Thrift interface |
| CveSearchServlet.java | deleted | Thrift servlet wrapper |
| web.xml | deleted | Thrift servlet registration |
| index.jsp | deleted | Placeholder JSP |
| application.yml | new | Minimal Spring Boot config |
| pom.xml | modified | spring-boot-starter-web, spring-boot-starter-tomcat (provided), spring-boot-maven-plugin, service-api, backend-common |
| VulnerabilityConnector.java | modified | Loads/releases/projects via *Converter POJO ↔ Thrift at DB handler boundary |
| VulnerabilityUtils.java | modified | Uses service-api UpdateType / VulnerabilityUpdateStatus |
| Entity translators / datasource | modified | Imports aligned to service-api component/release types |
| CveSearchApiImpl.java | modified | HttpURLConnection, timeouts, safer JSON parsing for CIRCL API responses |
| CveSearchGuesser.java, CveSearchWrapper.java, Heuristic.java | modified | Resilience when external CVE API fails |

REST endpoints (deployed as http://localhost:8080/cvesearch/api/cvesearch/...)

| Method | Path | Purpose | Replaces Thrift |
|---|---|---|---|
| POST | /releases/{releaseId} | Import CVEs for one release | updateForRelease |
| POST | /components/{componentId} | Import CVEs for all releases of a component | updateForComponent |
| POST | /projects/{projectId} | Import CVEs for all releases in a project | updateForProject |
| POST | /full-update | Full DB scan | fullUpdate |
| POST | /update | Scheduled sync entry point | update |
| POST | /cpes?vendor&product&version | CPE lookup | findCpes (stub: returns []) |

Note: Backend cvesearch REST has no user-header auth (same as other internal backend WARs). Authorization is enforced on resource-server (@PreAuthorize("hasAuthority('ADMIN')")).


Layer 2 — Schedule integration (backend/schedule)

| File | Action | Purpose |
|---|---|---|
| CveSearchRestClient.java | new | POST /cvesearch/api/cvesearch/update via RestClient; returns RequestStatus |
| ScheduleRestClientConfig.java | new | RestClient bean with ThriftClients.BACKEND_URL base URL |
| ScheduleHandler.java | modified | cvesearchService scheduling + manual trigger use cveSearchRestClient.update() instead of makeCvesearchClient().update() |

Behavior:

  • Periodic job: scheduleService?serviceName=cvesearchService → scheduler → REST update
  • Manual job: triggerService?serviceName=cvesearchService → REST update
  • Other scheduled services (VM, users, attachments, …) still use Thrift downstream clients

Layer 3 — Resource-server proxy (rest/resource-server)

| File | Action | Purpose |
|---|---|---|
| CveSearchController.java | new | Admin API under /api/cvesearch/*; HATEOAS link cvesearch; OpenAPI annotations |
| Sw360CveSearchService.java | new | RestClient → POST backend /cvesearch/api/cvesearch/... |

Uses shared RestClient bean from Sw360ResourceServer (backend.url).

Public API (deployed as http://localhost:8080/resource/api/cvesearch/...)

| Method | Path | Auth |
|---|---|---|
| POST | /cvesearch/releases/{releaseId} | ADMIN |
| POST | /cvesearch/components/{componentId} | ADMIN |
| POST | /cvesearch/projects/{projectId} | ADMIN |
| POST | /cvesearch/full-update | ADMIN |
| POST | /cvesearch/update | ADMIN |
| POST | /cvesearch/cpes | ADMIN |

Layer 4 — Client cleanup (libraries/datahandler)

| File | Action |
|---|---|
| ThriftClients.java | Removed CVESEARCH_SERVICE_URL, makeCvesearchClient(), CveSearchService import |

CVESEARCH_SERVICE string constant remains via ServiceNames.CVESEARCH_SERVICE for schedule configuration.


How everything connects (CVE Search)

Browser / API client (admin)
    │
    ▼
resource-server (resource.war)
    │  CveSearchController → Sw360CveSearchService
    │  RestClient → POST http://localhost:8080/cvesearch/api/cvesearch/*
    │  @PreAuthorize ADMIN
    ▼
backend/cvesearch (cvesearch.war)
    │  CveSearchController → CveSearchHandler
    │  CveSearchWrapper → external CIRCL/cve-search API
    │  VulnerabilityConnector → CouchDB (POJO ↔ Thrift via backend/common converters)
    ▼
components / releases / vulnerabilities DB

Scheduled path:
resource-server ScheduleAdminController
    │  Sw360ScheduleService → POST /schedule/api/schedule/triggerManualService
    ▼
backend/schedule (schedule.war)
    │  ScheduleHandler → CveSearchRestClient.update()
    ▼
backend/cvesearch POST /api/cvesearch/update  (full CVE sync — can run long)

Tests updated (backend/cvesearch)

| File | Change |
|---|---|
| VulnerabilityConnectorTest.java | Adapter for converter-based connector |
| VulnerabilityUtilsTest.java | service-api types |
| CveSearchWrapperTest.java | Adjusted mocks |
| CveSearchDataTranslatorTest.java | Import updates |
| SearchLevelsTest.java | Minor import fix |

Verification (manual)

```bash
AUTH="Basic YWRtaW5Ac3czNjAub3JnOjEyMzQ1"
BASE="http://localhost:8080/resource/api"
BACKEND="http://localhost:8080"

# Thrift removed (expect 404)
curl -s -o /dev/null -w "cvesearch/thrift → %{http_code}\n" -X POST "$BACKEND/cvesearch/thrift"

# Backend REST (entity-scoped — fast)
curl -s -X POST "$BACKEND/cvesearch/api/cvesearch/releases/{releaseId}" | python3 -m json.tool

# Schedule → cvesearch chain (slow — full update)
curl -s -X POST -H "Authorization: $AUTH" \
  "$BASE/schedule/triggerService?serviceName=cvesearchService"

# Resource proxy (admin)
curl -s -X POST -H "Authorization: $AUTH" "$BASE/cvesearch/update" | python3 -m json.tool
```

Expected after deploy: /cvesearch/thrift → 404; REST → 200 + requestStatus: "SUCCESS" (lists may be empty); triggerService → "SUCCESS" string (not 500).
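
The PR description states that the backend cvesearch REST has no user-header auth and that authorization is enforced only on resource-server. The script below is an added example (not part of the PR or of the SW360 code base) that checks that boundary from three vantage points; the 401/403 expectations, the proxy accepting the backend's query parameters, `ADMIN_AUTH` and `--probe` are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not part of the PR: checks the authorization boundary it describes
# (resource-server proxy is ADMIN-only, backend cvesearch WAR has no auth of its own).
# Assumptions: rejected callers get 401 or 403; the proxy /cpes route accepts the
# same query parameters as the backend; ADMIN_AUTH and --probe are names made up here.
RESOURCE_BASE="${RESOURCE_BASE:-http://localhost:8080/resource/api}"
BACKEND_BASE="${BACKEND_BASE:-http://localhost:8080}"
# /cpes is the probe because the PR lists it as a stub that returns [] (no import runs).
CPE_QUERY="vendor=example&product=example&version=1.0"   # constructed sample values

# http_code URL [AUTH_HEADER]: print the status of a POST, 000 if nothing answered
http_code() {
  if [ -n "${2:-}" ]; then
    curl -s -o /dev/null -m 10 -w '%{http_code}' -X POST -H "Authorization: $2" "$1"
  else
    curl -s -o /dev/null -m 10 -w '%{http_code}' -X POST "$1"
  fi
}

# verdict ROLE CODE: print PASS, FAIL or REVIEW
#   anonymous  no credentials, calling the resource-server proxy
#   admin      ADMIN credentials, calling the resource-server proxy
#   untrusted  host outside the backend network, calling cvesearch.war directly
verdict() {
  case "$1:$2" in
    anonymous:401|anonymous:403) echo PASS ;;
    anonymous:2??)               echo FAIL ;;   # proxy served a caller with no credentials
    admin:200)                   echo PASS ;;
    admin:401|admin:403)         echo FAIL ;;   # ADMIN caller was rejected
    untrusted:000|untrusted:401|untrusted:403|untrusted:404) echo PASS ;;  # blocked upstream
    untrusted:2??)               echo FAIL ;;   # unauthenticated backend is exposed
    *)                           echo REVIEW ;; # 400, 5xx, timeouts: inspect by hand
  esac
}

report() {  # report ROLE URL [AUTH_HEADER]
  _code=$(http_code "$2" "${3:-}")
  printf '%-10s %s -> %s (%s)\n' "$1" "$2" "$_code" "$(verdict "$1" "$_code")"
}

main() {
  report anonymous "$RESOURCE_BASE/cvesearch/cpes?$CPE_QUERY"
  report admin     "$RESOURCE_BASE/cvesearch/cpes?$CPE_QUERY" "${ADMIN_AUTH:?set ADMIN_AUTH}"
  # Run the next line from a host that must not be able to reach the backend.
  report untrusted "$BACKEND_BASE/cvesearch/api/cvesearch/cpes?$CPE_QUERY"
}

if [ "${1:-}" = "--probe" ]; then main; fi
```

On the single-Tomcat localhost setup used in the verification commands, the `untrusted` line is expected to report FAIL, because the backend WAR is reachable on the same port as resource-server; the check is meaningful when run from outside whatever network boundary fronts the backend.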


amritkv added the "gsoc-2026" and "has merge conflicts" labels Jun 2, 2026
Shivamrut marked this pull request as ready for review June 10, 2026 11:52

@Shivamrut (Contributor, Author):

Hi @GMishx I have merged with latest base branch and resolved conflicts. Please review

GMishx (Member) commented Jun 11, 2026

@Shivamrut, please rebase for review.

@Shivamrut (Contributor, Author):

Hi @GMishx, rebased. Please review

GMishx (Member) left a comment

@Shivamrut the ECA is failing for the branch. Please check

Comment thread backend/cvesearch/pom.xml Outdated
Shivamrut force-pushed the thrift/cvesearch branch 4 times, most recently from f428137 to a65ea9e, June 19, 2026 07:59
…ot REST

Signed-off-by: Shivamrut G <gshivamrut@gmail.com>
Signed-off-by: Shivamrut G <gshivamrut@gmail.com>
@Shivamrut (Contributor, Author):

Hi @GMishx fixed the ECA problem, please review

@Shivamrut (Contributor, Author):

Adding sequence number for order of migration: service-6

GMishx merged commit 0b4776e into eclipse-sw360:feat/thrift/replace-spring Jun 20, 2026
2 checks passed