#103: security warning for CVEs in file tool/edition/security

cli/src/main/java/com/devonfw/tools/ide/common/SystemPath.java

@@ -155,17 +155,18 @@ public Path findBinary(Path toolPath) {
    * @return the {@link Path} to the directory of the tool where the binaries can be found or {@code null} if the tool
    *         is not installed.
    */
-  public Path getPath(String tool) {
+  public Path retrievePath(String tool) {
 
     return this.tool2pathMap.get(tool);
   }
 
   /**
    * @param tool the name of the tool.
-   * @param path the new {@link #getPath(String) tool bin path}.
+   * @param path the new {@link #retrievePath(String) tool bin path}.
    */
-  public void setPath(String tool, Path path) {
+  public void addPath(String tool, Path path) {
 
+    this.paths.add(path);
     this.tool2pathMap.put(tool, path);
   }
 

cli/src/main/java/com/devonfw/tools/ide/tool/GlobalToolCommandlet.java

@@ -52,7 +52,9 @@ protected boolean doInstall(boolean silent) {
     String edition = getEdition();
     ToolRepository toolRepository = this.context.getDefaultToolRepository();
     VersionIdentifier configuredVersion = getConfiguredVersion();
-    VersionIdentifier resolvedVersion = toolRepository.resolveVersion(this.tool, edition, configuredVersion);
+    VersionIdentifier selectedVersion = securityRiskInteraction(configuredVersion);
+    setVersion(selectedVersion, silent);
+    VersionIdentifier resolvedVersion = toolRepository.resolveVersion(this.tool, edition, selectedVersion);
     // download and install the global tool
     FileAccess fileAccess = this.context.getFileAccess();
     Path target = toolRepository.download(this.tool, edition, resolvedVersion);

cli/src/main/java/com/devonfw/tools/ide/tool/LocalToolCommandlet.java

@@ -60,9 +60,10 @@ public Path getToolBinPath() {
   protected boolean doInstall(boolean silent) {
 
     VersionIdentifier configuredVersion = getConfiguredVersion();
+    VersionIdentifier selectedVersion = securityRiskInteraction(configuredVersion);
+    setVersion(selectedVersion, silent);
     // install configured version of our tool in the software repository if not already installed
-    ToolInstallation installation = installInRepo(configuredVersion);
-
+    ToolInstallation installation = installInRepo(selectedVersion);
     // check if we already have this version installed (linked) locally in IDE_HOME/software
     VersionIdentifier installedVersion = getInstalledVersion();
     VersionIdentifier resolvedVersion = installation.resolvedVersion();
@@ -79,7 +80,7 @@ protected boolean doInstall(boolean silent) {
       fileAccess.backup(toolPath);
     }
     fileAccess.symlink(installation.linkDir(), toolPath);
-    this.context.getPath().setPath(this.tool, installation.binDir());
+    this.context.getPath().addPath(this.tool, installation.binDir());
     if (installedVersion == null) {
       this.context.success("Successfully installed {} in version {}", this.tool, resolvedVersion);
     } else {

cli/src/main/java/com/devonfw/tools/ide/tool/SecurityRiskInteractionAnswer.java

@@ -0,0 +1,13 @@
+package com.devonfw.tools.ide.tool;
+
+public enum SecurityRiskInteractionAnswer {
+
+  STAY,
+
+  LATEST_SAFE,
+
+  SAFE_LATEST,
+
+  NEXT_SAFE,
+
+}

cli/src/main/java/com/devonfw/tools/ide/tool/ToolCommandlet.java

@@ -4,10 +4,15 @@
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
+import java.util.Arrays;
+import java.util.HashMap;
 import java.util.List;
+import java.util.Map;
 import java.util.Set;
+import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
+import com.devonfw.tools.ide.url.model.file.json.UrlSecurityWarning;
 import com.devonfw.tools.ide.cli.CliException;
 import com.devonfw.tools.ide.commandlet.Commandlet;
 import com.devonfw.tools.ide.common.Tag;
@@ -21,9 +26,13 @@
 import com.devonfw.tools.ide.process.ProcessContext;
 import com.devonfw.tools.ide.process.ProcessErrorHandling;
 import com.devonfw.tools.ide.property.StringListProperty;
+import com.devonfw.tools.ide.url.model.file.UrlSecurityJsonFile;
 import com.devonfw.tools.ide.util.FilenameUtil;
+import com.devonfw.tools.ide.util.Pair;
 import com.devonfw.tools.ide.version.VersionIdentifier;
 
+import static com.devonfw.tools.ide.tool.SecurityRiskInteractionAnswer.*;
+
 /**
  * {@link Commandlet} for a tool integrated into the IDE.
  */
@@ -89,7 +98,7 @@ public void run() {
    * Ensures the tool is installed and then runs this tool with the given arguments.
    *
    * @param toolVersion the explicit version (pattern) to run. Typically {@code null} to ensure the configured version
-   *        is installed and use that one. Otherwise the specified version will be installed in the software repository
+   *        is installed and use that one. Otherwise, the specified version will be installed in the software repository
    *        without touching and IDE installation and used to run.
    * @param args the commandline arguments to run the tool.
    */
@@ -171,6 +180,141 @@ public boolean install(boolean silent) {
     return doInstall(silent);
   }
 
+  /**
+   * Checks if the given {@link VersionIdentifier} has a matching security warning in the {@link UrlSecurityJsonFile}.
+   *
+   * @param configuredVersion the {@link VersionIdentifier} to be checked.
+   * @return the {@link VersionIdentifier} to be used for installation. If the configured version is safe or there are
+   *         no save versions the potentially unresolved configured version is simply returned. Otherwise, a resolved
+   *         version is returned.
+   */
+  protected VersionIdentifier securityRiskInteraction(VersionIdentifier configuredVersion) {
+
+    UrlSecurityJsonFile securityFile = this.context.getUrls().getEdition(this.tool, this.getEdition())
+        .getSecurityJsonFile();
+
+    VersionIdentifier current = this.context.getUrls().getVersion(this.tool, this.getEdition(), configuredVersion);
+
+    if (!securityFile.contains(current, true, this.context, securityFile.getParent())) {
+      return configuredVersion;
+    }
+
+    List<VersionIdentifier> allVersions = this.context.getUrls().getSortedVersions(this.tool, this.getEdition());
+    VersionIdentifier latest = allVersions.get(0);
+
+    VersionIdentifier nextSafe = getNextSafeVersion(current, securityFile, allVersions);
+    VersionIdentifier latestSafe = getLatestSafe(allVersions, securityFile);
+    String cves = securityFile.getMatchingSecurityWarnings(current).stream().map(UrlSecurityWarning::getCveName)
+        .collect(Collectors.joining(", "));
+    String currentIsUnsafe = "Currently, version " + current + " of " + this.getName() + " is selected, "
+        + "which has one or more vulnerabilities:\n\n" + cves + "\n\n(See also " + securityFile.getPath() + ")\n\n";
+
+    if (latestSafe == null) {
+      this.context.warning(currentIsUnsafe + "There is no safe version available.");
+      return configuredVersion;
+    }
+
+    return whichVersionDoYouWantToInstall(configuredVersion, current, nextSafe, latestSafe, latest, currentIsUnsafe);
+  }
+
+  /**
+   * Using all the safety information about the versions, this method asks the user which version to install.
+   *
+   * @param configuredVersion the version that was configured in the environment variables.
+   * @param current the current version that was resolved from the configured version.
+   * @param nextSafe the next safe version.
+   * @param latestSafe the latest safe version.
+   * @param latest the latest version.
+   * @param currentIsUnsafe the message that is printed if the current version is unsafe.
+   * @return the version that the user wants to install.
+   */
+  private VersionIdentifier whichVersionDoYouWantToInstall(VersionIdentifier configuredVersion,
+      VersionIdentifier current, VersionIdentifier nextSafe, VersionIdentifier latestSafe, VersionIdentifier latest,
+      String currentIsUnsafe) {
+
+    String ask = "Which version do you want to install?";
+
+    // enum id, option message, version that is returned if this option is selected
+    Map<SecurityRiskInteractionAnswer, Pair<String, VersionIdentifier>> options = new HashMap<>();
+    options.put(STAY, Pair.of("Stay with the current unsafe version (" + current + ").", configuredVersion));
+    options.put(LATEST_SAFE, Pair.of("Install the latest of all safe versions (" + latestSafe + ").", latestSafe));
+    options.put(SAFE_LATEST, Pair.of("Install the latest version (" + latest + "). This version is save.", VersionIdentifier.LATEST));
+    options.put(NEXT_SAFE, Pair.of("Install the next safe version (" + nextSafe + ").", nextSafe));
+
+    if (current.equals(latest)) {
+      return getAnswer(options, currentIsUnsafe + "There are no updates available. " + ask, STAY, LATEST_SAFE);
+    } else if (nextSafe == null) { // install an older version that is safe or stay with the current unsafe version
+      return getAnswer(options, currentIsUnsafe + "All newer versions are also not safe. " + ask, STAY, LATEST_SAFE);
+    } else if (nextSafe.equals(latest)) {
+      return getAnswer(options, currentIsUnsafe + "Of the newer versions, only the latest is safe. " + ask, STAY,
+          SAFE_LATEST);
+    } else if (nextSafe.equals(latestSafe)) {
+      return getAnswer(options, currentIsUnsafe + "Of the newer versions, only version " + nextSafe
+          + " is safe, which is however not the latest. " + ask, STAY, NEXT_SAFE);
+    } else {
+      if (latestSafe.equals(latest)) {
+        return getAnswer(options, currentIsUnsafe + ask, STAY, NEXT_SAFE, SAFE_LATEST);
+      } else {
+        return getAnswer(options, currentIsUnsafe + ask, STAY, NEXT_SAFE, LATEST_SAFE);
+      }
+    }
+  }
+
+  private VersionIdentifier getAnswer(Map<SecurityRiskInteractionAnswer, Pair<String, VersionIdentifier>> options,
+      String question, SecurityRiskInteractionAnswer... possibleAnswers) {
+
+    String[] availableOptions = Arrays.stream(possibleAnswers).map(options::get).map(Pair::getFirst)
+        .toArray(String[]::new);
+    String answer = this.context.question(question, availableOptions);
+    for (SecurityRiskInteractionAnswer possibleAnswer : possibleAnswers) {
+      if (options.get(possibleAnswer).getFirst().equals(answer)) {
+        return options.get(possibleAnswer).getSecond();
+      }
+    }
+    throw new IllegalStateException("Invalid answer " + answer);
+  }
+
+  /**
+   * Gets the latest safe version from the list of all versions.
+   *
+   * @param allVersions all versions of the tool.
+   * @param securityFile the {@link UrlSecurityJsonFile} to check if a version is safe or not.
+   * @return the latest safe version or {@code null} if there is no safe version.
+   */
+  private VersionIdentifier getLatestSafe(List<VersionIdentifier> allVersions, UrlSecurityJsonFile securityFile) {
+
+    VersionIdentifier latestSafe = null;
+    for (int i = 0; i < allVersions.size(); i++) {
+      if (!securityFile.contains(allVersions.get(i), true, this.context, securityFile.getParent())) {
+        latestSafe = allVersions.get(i);
+        break;
+      }
+    }
+    return latestSafe;
+  }
+
+  /**
+   * Gets the next safe version from the list of all versions starting from the current version.
+   *
+   * @param current the current version.
+   * @param securityFile the {@link UrlSecurityJsonFile} to check if a version is safe or not.
+   * @param allVersions all versions of the tool.
+   * @return the next safe version or {@code null} if there is no safe version.
+   */
+  private VersionIdentifier getNextSafeVersion(VersionIdentifier current, UrlSecurityJsonFile securityFile,
+      List<VersionIdentifier> allVersions) {
+
+    int currentVersionIndex = allVersions.indexOf(current);
+    VersionIdentifier nextSafe = null;
+    for (int i = currentVersionIndex - 1; i >= 0; i--) {
+      if (!securityFile.contains(allVersions.get(i), true, this.context, securityFile.getParent())) {
+        nextSafe = allVersions.get(i);
+        break;
+      }
+    }
+    return nextSafe;
+  }
+
   /**
    * Installs or updates the managed {@link #getName() tool}.
    *
@@ -181,7 +325,8 @@ public boolean install(boolean silent) {
   protected abstract boolean doInstall(boolean silent);
 
   /**
-   * This method is called after the tool has been newly installed or updated to a new version.
+   * This method is called after the tool has been newly installed or updated to a new version. Override it to add
+   * custom post installation logic.
    */
   protected void postInstall() {
 

cli/src/main/java/com/devonfw/tools/ide/tool/androidstudio/AndroidStudioUrlUpdater.java

@@ -40,6 +40,12 @@ protected String getTool() {
     return "android-studio";
   }
 
+  @Override
+  protected String getEdition() {
+
+    return getTool();
+  }
+
   @Override
   public void update(UrlRepository urlRepository) {
 

cli/src/main/java/com/devonfw/tools/ide/tool/aws/AwsUrlUpdater.java

@@ -15,6 +15,12 @@ protected String getTool() {
     return "aws";
   }
 
+  @Override
+  protected String getEdition() {
+
+    return getTool();
+  }
+
   @Override
   protected String getGithubOrganization() {
 

cli/src/main/java/com/devonfw/tools/ide/tool/az/AzureUrlUpdater.java

@@ -18,6 +18,12 @@ protected String getTool() {
     return "az";
   }
 
+  @Override
+  protected String getEdition() {
+
+    return getTool();
+  }
+
   @Override
   protected void addVersion(UrlVersion urlVersion) {
 

cli/src/main/java/com/devonfw/tools/ide/tool/cobigen/CobigenUrlUpdater.java

@@ -12,6 +12,12 @@ protected String getTool() {
     return "cobigen";
   }
 
+  @Override
+  protected String getEdition() {
+
+    return getTool();
+  }
+
   @Override
   protected String getMavenGroupIdPath() {
 

cli/src/main/java/com/devonfw/tools/ide/tool/docker/DockerDesktopUrlUpdater.java

@@ -23,6 +23,12 @@ protected String getTool() {
     return "docker";
   }
 
+  @Override
+  protected String getEdition() {
+
+    return getTool();
+  }
+
   @Override
   protected void addVersion(UrlVersion urlVersion) {
 

cli/src/main/java/com/devonfw/tools/ide/tool/dotnet/DotNetUrlUpdater.java

@@ -13,6 +13,12 @@ protected String getTool() {
     return "dotnet";
   }
 
+  @Override
+  protected String getEdition() {
+
+    return getTool();
+  }
+
   @Override
   protected String getVersionPrefixToRemove() {
 
@@ -48,10 +54,10 @@ protected String getGithubRepository() {
 
   @Override
   protected String mapVersion(String version) {
+
     if (version.matches("v\\d+\\.\\d+\\.\\d+")) {
       return super.mapVersion(version);
-    }
-    else {
+    } else {
       return null;
     }
   }

cli/src/main/java/com/devonfw/tools/ide/tool/gcloud/GCloudUrlUpdater.java

@@ -10,15 +10,23 @@
 public class GCloudUrlUpdater extends GithubUrlUpdater {
 
   private static final VersionIdentifier MIN_GCLOUD_VID = VersionIdentifier.of("299.0.0");
+
   private static final VersionIdentifier MIN_ARM_GCLOUD_VID = VersionIdentifier.of("366.0.0");
+
   private static final String BASE_URL = "https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-sdk-${version}-";
-  
+
   @Override
   protected String getTool() {
 
     return "gcloud";
   }
 
+  @Override
+  protected String getEdition() {
+
+    return getTool();
+  }
+
   @Override
   protected String getGithubRepository() {
 

cli/src/main/java/com/devonfw/tools/ide/tool/gcviewer/GcViewerUrlUpdater.java

@@ -13,6 +13,12 @@ protected String getTool() {
     return "gcviewer";
   }
 
+  @Override
+  protected String getEdition() {
+
+    return getTool();
+  }
+
   @Override
   protected void addVersion(UrlVersion urlVersion) {