RPM analysis UI and API

[batzionb]

RPM package checker analysis (API, UI, reports)

Summary

Implements end-to-end RPM package checker support: users can submit standalone RPM analyses via POST /api/v1/reports/new-rpm-report, browse them on a dedicated reports experience, and open report detail UIs that branch on pipeline_mode === rpm_package_checker. The goal and behavior are specified in OpenSpec under openspec/specs/ (see Related specifications below).

Related specifications (OpenSpec)

Spec	Path (repo root)	What it covers
New RPM report API	openspec/specs/new-rpm-report-api/spec.md	POST /api/v1/reports/new-rpm-report, validation parity with upload-spdx-style field maps, Morpheus input.image (pipeline_mode, analysis_type, target_package), OpenAPI
Request Analysis — RPM fields	openspec/specs/request-analysis-modal-rpm-fields/spec.md	Modal: Package N-V-R + architecture, client parse/validate, useApi submit, 202 navigation
RPM package checker classification	openspec/specs/rpm-package-checker-report/spec.md	UI/list branching when report.input.image.pipeline_mode is rpm_package_checker
Reports inputType	openspec/specs/reports-input-type/spec.md	GET /api/v1/reports?inputType=repository|rpm; product-scoped reports excluded; pipeline mode filter
Repository / RPM reports table	openspec/specs/repository-reports-table/spec.md	RPM tab (/reports/rpm), Package / Architecture columns, rpmPackage literal substring filter, no git repo filter on RPM tab
Request Analysis shell	openspec/specs/request-analysis-modal/spec.md	Three-way mode toggle including RPM, private-repo suppressed in RPM mode

Supporting updates also appear in document-titles, reports-table, repository-report-page, and schema/template files under openspec/schemas/research-first/.

Backend

• NewRpmReportRequest, TargetPackage, PipelineMode, CveIdRules: typed request + CVE validation aligned with existing upload flows.
• RpmReportService: builds Morpheus-compatible input ( rpm_package_checker, analysis_type: source, target_package with ecosystem: rpm ), persists, and submits like POST /api/v1/reports/new.
• ReportEndpoint: new RPM route; list reports gains inputType and rpmPackage query handling per specs.
• ReportRepositoryService: list filters for standalone RPM vs repository rows; Mongo $regexMatch on concatenated N-V-R for literal rpmPackage substring (see unit tests).
• Report, Image: API model extensions (rpmPackage, rpmArchitecture, target package on image) for list/detail consumers.
• SbomReportService: small refactors where report creation paths are shared.

Frontend

• Request Analysis: RPM mode (N-V-R field, architecture select), wiring in useAnalysisRequestForm, requestAnalysisRpm, modal components.
• Reports: RPM tab / routing, inputType=rpm, Package toolbar search → rpmPackage, table columns for package NVR and arch.
• Repository report / component views: RPM-specific detail sections and artifact cards (RpmAnalysisDetailsSection, RpmTargetPackageArtifactDetails, ContainerRepositoryArtifactDetails, etc.).
• OpenAPI + regenerated client types/services for the new endpoint and report fields.

Tests & fixtures

• NewRpmReportRestTest: HTTP contract for POST .../new-rpm-report (202, stored target_package, CVE under scan).
• ReportListInputTypeRestTest: inputType + RPM tab behavior; seed row identified by rpmPackage NVR (aligned with rpm.json, not hardcoded scan UUID).
• ReportRepositoryServiceTest: regex escaping for rpmPackage filter.
• src/test/resources/devservices/reports/rpm.json: devservices seed for RPM checker UI/API tests.

Tooling

• scripts/submit-rpm-report.sh: example curl helper for the new endpoint (optional for operators).

Test plan

• Request Analysis: RPM mode — valid N-V-R + arch + CVE → 202, navigation to component report; invalid N-V-R / CVE blocked with field errors.
• Request Analysis: switching modes clears RPM fields; private repo UI hidden in RPM mode.
• Reports → RPM tab: rows are standalone RPM checker only; Package filter matches joined N-V-R substring; no repository-name filter.
• Report detail for RPM checker shows target package / RPM-specific layout vs single-repo layout.
• GET /api/v1/reports with invalid inputType → 400; inputType=repository excludes rpm_package_checker rows.
• Run ./mvnw test (or CI) with Mongo available; spot-check OpenAPI UI for new-rpm-report.

Notes for reviewers

• openspec/AGENTS.md removal and .cursor/commands/* deletions in the diff are ancillary to the RPM feature; skim if your review scope is product code only.

[batzionb]

depends on RHEcosystemAppEng/vulnerability-analysis#222

[batzionb]

/retest

[batzionb]

/re-test

[batzionb]

/retest

[zvigrinberg]

/test morpheus-client-on-pr

[zvigrinberg]

@batzionb LGTM
Just one minor comment, better coordinate the possible values of the architecture field , please coordinate with @RedTanny.
@RedTanny I Think also it's better to have an enum type of the architecture on the agent side. ( accepting also "blank" value means "all" architectures).

[zvigrinberg]

@batzionb Better have it as enum or validated using hibernate validator' regex to be one of "x86_64", "amd64", "i686","i386", "aarch64", "arm64", "ppc64le", "s390x" , and also allow it to be blank as well.

[RedTanny]

@zvigrinberg what do u mean "( accepting also "blank" value means "all" architectures)."
there can be only one Arch per test , a blank can mean we take the default arch

[zvigrinberg]

@batzionb Empty can be default arch ( x86_64/amd64) for that purpose or means that we want it without arch ( architecture agnostic , most vulnerabilities are for all architectures by nature, as relatively only small parts of code are coupled only to a specific cpu arch)...
Anyway needs to be correlated with the agent behavior and logic
@RedTanny can you remind me, are you treating a blank value as some default ( e.g. amd64) or as all arches? ( arch agnostic), this is what i'm remembering from one of the iterations of the review i've made, and also saw this to confirm it:
https://github.com/RedTanny/vulnerability-analysis/blob/1941f95bd2b7fbce18de3c0d7e69a619cfbe8620/src/vuln_analysis/utils/rpm_checker_prompts.py#L97-L103
But maybe you're doing some pre-processing and this is not the assumption on the input.

[batzionb]

Seems from here if arch is not sent it defaults to x86_64
https://github.com/redtanny/vulnerability-analysis/blob/APPENG-4467-Rpm-Checker/src/exploit_iq_commons/data_models/common.py#L71

[RedTanny]

@zvigrinberg yes what you see in prompt is related to the cve info trying to figure out if the cve is tied to a specific Arch and if not mention we assume it is vulnerable for all arch

[batzionb]

In the UI there's a dropdown to select architecture, the selected one by default is x86_64
I'll make the API force one of these values for now
We can change it later if need be

[zvigrinberg]

@batzionb OK Sounds good to me.
LGTM Approved.

[zvigrinberg]

@batzionb Just don't forget to add RegisterForReflection annotation.

[batzionb]

done

[batzionb]

@vbelouso
Can you please review the UI part?

[batzionb]

/test morpheus-client-on-pr

[vbelouso]

LGTM