victims / victims-lib-java

The victims library containing the hashing logic for java specific artifacts.
GNU Affero General Public License v3.0

Make the API better defined with interfaces #48

Open jasinner opened 8 years ago

jasinner commented 8 years ago

While it probably works when you know what to call when, the fact that it's not marked as API, but rather blended into different classes and packages mixed with implementation, may lead someone to think that the API is subject to change without prior notice.

It would be ideal if there were some interfaces which would contain only the methods supposed to be called by the integrating application.

jasinner commented 8 years ago

API Definition should include:

* Give me a normalized hash of a .jar
* Give me a normalized hash of a .class
* Give me normalized hashes of all .class in a .jar
* Tell me which CVEs this hash maps to, with this information: Library name, version, vendor, ideally maven coords; CVE number, name, description, versions range affected, link to a fixed version; ideally
* Update the local database incrementally from some online repo.
* Clear the last X records from the local database (for test purposes).

All this could be in one or two interfaces and have different implementations backed by a web service, an in-mem database, file-based DB, etc. Currently IIRC it's H2DB backed, which may collide with projects like Windup which also use H2 DB internally.
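The shape proposed in the comments above, as an added sketch that is not victims-lib-java's own code: one interface for hashing artifacts, one for the record store, and throwaway implementations of each so an integrator only ever calls the interface methods. The normalization scheme (per-class SHA-512, jar hash = SHA-512 over the sorted per-class hashes, so entry order, timestamps, manifest and resources do not matter), the record fields and the `update`/`dropLast` signatures are assumptions chosen to match the wish list, not the project's actual algorithm or schema; the jar entries and the CVE record in `main` are constructed placeholders. Requires Java 17+ (records, `HexFormat`, `InputStream.readAllBytes`).

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import java.util.jar.*;

public class VictimsApiSketch {

    /** Hashing half of the API: the only hashing calls an integrator should need (assumed shape). */
    public interface ArtifactHasher {
        String hashClass(byte[] classBytes);                                  // normalized hash of one .class
        Map<String, String> hashClasses(InputStream jar) throws IOException; // entry name -> class hash
        String hashJar(InputStream jar) throws IOException;                   // normalized hash of the whole jar
    }

    /** One row of a lookup result; fields follow the issue's wish list (assumed names). */
    public record VulnerabilityRecord(String cve, String description, String library, String version,
                                      String vendor, String mavenCoords, String affectedRange, String fixLink) {}

    /** Storage half of the API; a real implementation may sit on H2, a flat file, a web service or memory. */
    public interface VulnerabilityDatabase {
        List<VulnerabilityRecord> lookup(String hash);
        int update(Map<String, List<VulnerabilityRecord>> batch); // incremental: merge a batch fetched elsewhere
        int dropLast(int n);                                        // test helper: undo the last n inserts
    }

    public static final class Sha512Hasher implements ArtifactHasher {
        private static MessageDigest sha512() {
            try { return MessageDigest.getInstance("SHA-512"); } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
        }
        private static String hex(byte[] b) { return HexFormat.of().formatHex(b); }
        @Override public String hashClass(byte[] classBytes) { return hex(sha512().digest(classBytes)); }
        @Override public Map<String, String> hashClasses(InputStream jar) throws IOException {
            Map<String, String> out = new TreeMap<>();
            try (JarInputStream in = new JarInputStream(jar)) {
                for (JarEntry e; (e = in.getNextJarEntry()) != null; )
                    if (!e.isDirectory() && e.getName().endsWith(".class"))  // manifest, signatures, resources ignored
                        out.put(e.getName(), hashClass(in.readAllBytes()));  // readAllBytes stops at the entry end
            }
            return out;
        }
        @Override public String hashJar(InputStream jar) throws IOException {
            // Assumed normalization: hash the sorted class hashes, so entry order, timestamps and
            // non-class content cannot change the result. Not necessarily the project's own scheme.
            List<String> hashes = new ArrayList<>(hashClasses(jar).values());
            Collections.sort(hashes);
            MessageDigest md = sha512();
            for (String h : hashes) md.update(h.getBytes(StandardCharsets.US_ASCII));
            return hex(md.digest());
        }
    }

    public static final class InMemoryDatabase implements VulnerabilityDatabase {
        private final Map<String, List<VulnerabilityRecord>> byHash = new HashMap<>();
        private final Deque<String> insertLog = new ArrayDeque<>(); // hashes in insert order, so dropLast can undo
        @Override public List<VulnerabilityRecord> lookup(String hash) {
            return List.copyOf(byHash.getOrDefault(hash, List.of()));
        }
        @Override public int update(Map<String, List<VulnerabilityRecord>> batch) {
            int n = 0;
            for (var e : batch.entrySet()) for (VulnerabilityRecord r : e.getValue()) {
                byHash.computeIfAbsent(e.getKey(), k -> new ArrayList<>()).add(r); insertLog.push(e.getKey()); n++;
            }
            return n;
        }
        @Override public int dropLast(int n) {
            int dropped = 0;
            for (; dropped < n && !insertLog.isEmpty(); dropped++) { List<VulnerabilityRecord> l = byHash.get(insertLog.pop()); l.remove(l.size() - 1); }
            return dropped;
        }
    }

    static byte[] jar(String... nameBodyPairs) throws IOException { // constructed entries, not real bytecode
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (JarOutputStream out = new JarOutputStream(bytes)) {
            for (int i = 0; i < nameBodyPairs.length; i += 2) {
                out.putNextEntry(new JarEntry(nameBodyPairs[i]));
                out.write(nameBodyPairs[i + 1].getBytes(StandardCharsets.UTF_8));
            }
        }
        return bytes.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        ArtifactHasher hasher = new Sha512Hasher();
        byte[] a = jar("com/example/A.class", "A-bytes", "com/example/B.class", "B-bytes", "META-INF/notes.txt", "ignored");
        byte[] b = jar("com/example/B.class", "B-bytes", "com/example/A.class", "A-bytes"); // same classes, other order, no resource
        String hashA = hasher.hashJar(new ByteArrayInputStream(a));
        System.out.println("class hashes: " + hasher.hashClasses(new ByteArrayInputStream(a)).keySet());
        System.out.println("order and resources ignored: " + hashA.equals(hasher.hashJar(new ByteArrayInputStream(b))));
        VulnerabilityDatabase db = new InMemoryDatabase();
        VulnerabilityRecord rec = new VulnerabilityRecord("CVE-0000-0000", "constructed placeholder record", "example-lib",
                "1.0", "example-vendor", "org.example:example-lib:1.0", "[1.0,1.2)", "https://example.invalid/fix");
        db.update(Map.of(hashA, List.of(rec)));
        System.out.println("lookup -> " + db.lookup(hashA).get(0).cve() + ", dropped " + db.dropLast(1) + ", left " + db.lookup(hashA).size());
    }
}
```

Splitting hashing from storage the way the comment suggests is what makes the H2 collision a non-issue for the integrator: Windup or any other host could pass its own `VulnerabilityDatabase` backed by whatever it already runs, and the hashing code never needs to know.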