internal/api: implement vulnerabilities endpoint

- Create vulnerabilities endpoint using server vuln client.

Change-Id: I234c96851f7682a13bda97aa3e5018d0439e05da
Reviewed-on: https://go-review.googlesource.com/c/pkgsite/+/754866
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Ethan Lee <ethanalee@google.com>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
kokoro-CI: kokoro <noreply+kokoro@google.com>

3 files changed, 120 insertions, 0 deletions

diff --git a/internal/api/api.go b/internal/api/api.go
index 8cfe2151..60549f00 100644
--- a/internal/api/api.go
+++ b/internal/api/api.go
@@ -17,6 +17,7 @@ import (
 	"golang.org/x/pkgsite/internal/godoc"
 	"golang.org/x/pkgsite/internal/stdlib"
 	"golang.org/x/pkgsite/internal/version"
+	"golang.org/x/pkgsite/internal/vuln"
 )
 
 const (
@@ -460,6 +461,59 @@ func ServePackageImportedBy(w http.ResponseWriter, r *http.Request, ds internal.
 	return serveJSON(w, http.StatusOK, resp)
 }
 
+// ServeVulnerabilities handles requests for the v1 module vulnerabilities endpoint.
+func ServeVulnerabilities(vc *vuln.Client) func(w http.ResponseWriter, r *http.Request, ds internal.DataSource) error {
+	return func(w http.ResponseWriter, r *http.Request, ds internal.DataSource) (err error) {
+		defer derrors.Wrap(&err, "ServeVulnerabilities")
+
+		modulePath := strings.TrimPrefix(r.URL.Path, "/v1/vulns/")
+		if modulePath == "" {
+			return serveErrorJSON(w, http.StatusBadRequest, "missing module path", nil)
+		}
+
+		var params VulnParams
+		if err := ParseParams(r.URL.Query(), &params); err != nil {
+			return serveErrorJSON(w, http.StatusBadRequest, err.Error(), nil)
+		}
+
+		if vc == nil {
+			return serveErrorJSON(w, http.StatusNotImplemented, "vulnerability data not available", nil)
+		}
+
+		requestedVersion := params.Version
+		if requestedVersion == "" {
+			requestedVersion = version.Latest
+		}
+
+		// Use VulnsForPackage from internal/vuln to get vulnerabilities for the module.
+		// Passing an empty packagePath gets all vulns for the module.
+		vulns := vuln.VulnsForPackage(r.Context(), modulePath, requestedVersion, "", vc)
+
+		limit := params.Limit
+		if limit <= 0 {
+			limit = 100
+		}
+		if limit > len(vulns) {
+			limit = len(vulns)
+		}
+
+		var items []Vulnerability
+		for _, v := range vulns[:limit] {
+			items = append(items, Vulnerability{
+				ID:      v.ID,
+				Details: v.Details,
+			})
+		}
+
+		resp := PaginatedResponse[Vulnerability]{
+			Items: items,
+			Total: len(vulns),
+		}
+
+		return serveJSON(w, http.StatusOK, resp)
+	}
+}
+
 // resolveModulePath determines the correct module path for a given package path and version.
 // If the module path is not provided, it searches through potential candidate module paths
 // derived from the package path. If multiple valid modules contain the package, it returns
diff --git a/internal/api/api_test.go b/internal/api/api_test.go
index a0ded1d2..0bc409c5 100644
--- a/internal/api/api_test.go
+++ b/internal/api/api_test.go
@@ -16,8 +16,10 @@ import (
 
 	"github.com/google/go-cmp/cmp"
 	"golang.org/x/pkgsite/internal"
+	"golang.org/x/pkgsite/internal/osv"
 	"golang.org/x/pkgsite/internal/testing/fakedatasource"
 	"golang.org/x/pkgsite/internal/testing/sample"
+	"golang.org/x/pkgsite/internal/vuln"
 )
 
 func TestServePackage(t *testing.T) {
@@ -768,6 +770,69 @@ func TestServePackageImportedBy(t *testing.T) {
 	}
 }
 
+func TestServeVulnerabilities(t *testing.T) {
+	ds := fakedatasource.New()
+	vc, err := vuln.NewInMemoryClient([]*osv.Entry{
+		{
+			ID:      "VULN-1",
+			Summary: "Vulnerability 1",
+			Affected: []osv.Affected{
+				{
+					Module: osv.Module{Path: "example.com"},
+					Ranges: []osv.Range{{Type: osv.RangeTypeSemver, Events: []osv.RangeEvent{{Introduced: "0"}, {Fixed: "1.1.0"}}}},
+				},
+			},
+		},
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	for _, test := range []struct {
+		name       string
+		url        string
+		wantStatus int
+		wantCount  int
+	}{
+		{
+			name:       "all vulns",
+			url:        "/v1/vulns/example.com?version=v1.0.0",
+			wantStatus: http.StatusOK,
+			wantCount:  1,
+		},
+		{
+			name:       "no vulns",
+			url:        "/v1/vulns/example.com?version=v1.2.0",
+			wantStatus: http.StatusOK,
+			wantCount:  0,
+		},
+	} {
+		t.Run(test.name, func(t *testing.T) {
+			r := httptest.NewRequest("GET", test.url, nil)
+			w := httptest.NewRecorder()
+
+			err := ServeVulnerabilities(vc)(w, r, ds)
+			if err != nil && w.Code != test.wantStatus {
+				t.Fatalf("ServeVulnerabilities returned error: %v", err)
+			}
+
+			if w.Code != test.wantStatus {
+				t.Errorf("status = %d, want %d", w.Code, test.wantStatus)
+			}
+
+			if test.wantStatus == http.StatusOK {
+				var got PaginatedResponse[Vulnerability]
+				if err := json.Unmarshal(w.Body.Bytes(), &got); err != nil {
+					t.Fatalf("json.Unmarshal: %v", err)
+				}
+				if len(got.Items) != test.wantCount {
+					t.Errorf("count = %d, want %d", len(got.Items), test.wantCount)
+				}
+			}
+		})
+	}
+}
+
 // unmarshalResponse unmarshals an API response into either
 // a *T or an *Error.
 func unmarshalResponse[T any](data []byte) (any, error) {
diff --git a/internal/frontend/server.go b/internal/frontend/server.go
index d6a7fa01..34fcaab5 100644
--- a/internal/frontend/server.go
+++ b/internal/frontend/server.go
@@ -243,6 +243,7 @@ func (s *Server) Install(handle func(string, http.Handler), cacher Cacher, authV
 	handle("GET /v1/versions/", s.errorHandler(api.ServeModuleVersions))
 	handle("GET /v1/packages/", s.errorHandler(api.ServeModulePackages))
 	handle("GET /v1/search", s.errorHandler(api.ServeSearch))
+	handle("GET /v1/vulns/", s.errorHandler(api.ServeVulnerabilities(s.vulnClient)))
 	handle("/opensearch.xml", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		serveFileFS(w, r, s.staticFS, "shared/opensearch.xml")
 	}))