Rename ExploitIQ/Agent morpheus to Exploit Intelligence #255
✅ Snyk checks have passed. No issues have been found so far.
|
/retest |
| morpheus.syft.cache.dir=${SYFT_CACHE_DIR:/work/.cache/syft} | ||
| exploit-intelligence.syft.cache.dir=${SYFT_CACHE_DIR:/work/.cache/syft} | ||
|
|
||
| # Feedback API settings |
Revert feedback API hostname change — quarkus.rest-client.feedback-api.url was changed from http://morpheus-feedback-api:5001 to http://exploit-intelligence-feedback-api:5001, but there’s no matching ocp Service rename in this PR (and deploy/agent_morpheus_client.yaml doesn’t override it). In cluster, feedback submit/check will fail on DNS unless infra is renamed in parallel.
For a branding-only PR, keep the old hostname here; rename when the Service is actually renamed.
BUT- It’s worth aligning on this and making a sweeping decision. I’d consult with @zvigrinberg
There was a problem hiding this comment.
@zvigrinberg what do you think?
Is it worth changing all OCP service names, or leave it as it is for now?
There was a problem hiding this comment.
Good point @rhartuv
@TamarW0 In case you go for changing the service names here, you'd better do the service name changes in the vulnerability-analysis PR and merge it before this one gets merged (in that particular case also in the user-feedback repo).
Just to be on the safe side, it can be done in a subsequent PR after the other PRs are merged.
There was a problem hiding this comment.
I think it is better to do it in a separate PR, and you are right about the order
There was a problem hiding this comment.
@TamarW0 If you're already doing it in the user feedback repository and in the agent repo and they get merged first, then you can do it here.
| quarkus.rest-client.github.headers.User-Agent=exploit-iq | ||
| quarkus.rest-client.morpheus.url=https://agent-morpheus:8080/generate | ||
| %dev.quarkus.rest-client.morpheus.url=http://localhost:26466/generate | ||
| quarkus.rest-client.exploit-intelligence.url=https://exploit-intelligence:8080/generate |
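Review bot: this hunk uses two spellings of the new name, `exploit-iq` in the `User-Agent` header value and `exploit-intelligence` in the rest-client key and hostname on the last line. Pick one form for configuration keys and hostnames across the file, and check that the `%dev.` override shown for the old `morpheus` key has a counterpart under the new key so dev mode still points at `localhost:26466`.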
quarkus.rest-client.exploit-intelligence.url was changed from https://agent-morpheus:8080/generate to https://exploit-intelligence:8080/generate, but deploy/infra in this repo still references agent-morpheus (e.g. deploy/agent_morpheus_client.yaml). This will break report submission in cluster unless the ocp Service is renamed in the same rollout.
In my opinion, for branding-only scope, keep the old hostname and only rename the property key if needed.
BUT- It’s worth aligning on this and making a sweeping decision.
There was a problem hiding this comment.
I reverted this for now
@zvigrinberg WDYT?
There was a problem hiding this comment.
@TamarW0 Make sure it's aligned with agent service name in vulnerability-analysis' deployment base overlay variant, and then it can be merged in that order: agent App -> client App.
| %test.quarkus.log.category."io.quarkiverse.wiremock.devservice.WireMockServer".level=ERROR | ||
| # Morpheus REST client → WireMock (no real agent in @QuarkusTest); stub is mappings/morpheus-generate.json | ||
| %test.quarkus.rest-client.morpheus.url=http://localhost:${quarkus.wiremock.devservices.port}/generate | ||
| # Exploit Intelligence REST client → WireMock (no real agent in @QuarkusTest); stub is mappings/exploit-intelligence-generate.json |
Comment references a file that doesn’t exist - test config comment says mappings/exploit-intelligence-generate.json, but the actual stub is still morpheus-generate.json. Fix the comment.
There was a problem hiding this comment.
I fixed that
now the file is mappings/exploit-iq-generate.json and exists
| <modelVersion>4.0.0</modelVersion> | ||
| <groupId>com.redhat.ecosystemappeng.morpheus</groupId> | ||
| <artifactId>agent-morpheus-client</artifactId> | ||
| <groupId>com.redhat.ecosystemappeng.exploit-intelligence</groupId> |
changes agent-morpheus-client → exploit-intelligence while Java packages, paths, image names, and deploy manifests are unchanged. This can break CI/CD, container builds, and downstream references without a coordinated migration.
There was a problem hiding this comment.
paths changed as well
| # Authentication | ||
|
|
||
| This guide covers authentication configuration for ExploitIQ Client, including OpenShift OAuth, external identity providers, and development setups. | ||
| This guide covers authentication configuration for exploit intelligence, including OpenShift OAuth, external identity providers, and development setups. |
docs/authentication.md documents exploit-intelligence-client and exploit-intelligence-* roles, but application.properties and keycloak-realm.json still use exploit-iq-client / exploit-iq-view etc.
Either update the runtime config + realm together, or revert the doc changes to match what the app actually uses today.
It’s worth aligning on this and making a sweeping decision.
zvigrinberg
left a comment
Hi @TamarW0 ,
There are still a lot of things to do:
- A lot of readmes in the docs are still referencing the old name of morpheus.
- Dockerfiles at path src/main/docker/ are still referencing the old agent morpheus name in the comments explaining how to build the image - please check.
- Also I've noticed you deleted and recreated a few files while refactoring; this might eliminate git history for the files and that's a shame (unless done with the git mv command).
- In the tests I've encountered some references to morpheus, in particular at src/test/java/com/redhat/ecosystemappeng/exploitiq/rest/RestApiTestFixture.java.
- The rest of the comments below address all others.
| # This ensures credentials survive queue wait before Agent execution | ||
|
|
||
| morpheus.credential-store.encryption-key=${CREDENTIAL_ENCRYPTION_KEY} | ||
| exploit-iq.credential-store.encryption-key=${CREDENTIAL_ENCRYPTION_KEY:build-time-placeholder-32-bytes!} |
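Review bot: the `:build-time-placeholder-32-bytes!` fallback on the `exploit-iq.credential-store.encryption-key` line means a deployment that starts without `CREDENTIAL_ENCRYPTION_KEY` set does not fail; it encrypts stored credentials with a key that is readable in the repository. Keep the unprofiled property as `${CREDENTIAL_ENCRYPTION_KEY}` so a missing variable stops startup, and if a build-time or local value is needed, set it only under a `%dev.` or `%test.` prefixed key.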
@TamarW0 In the prod profile the property should be without a default (only for the dev profile should it have one).
| %dev.quarkus.wiremock.devservices.files-mapping=src/test/resources/devservices/wiremock | ||
| #%dev.quarkus.rest-client.github.url=https://api.github.com | ||
| #%dev.quarkus.rest-client.morpheus.url=http://localhost:${quarkus.wiremock.devservices.port}/morpheus/scan | ||
| #%dev.quarkus.rest-client.exploit-iq.url=http://localhost:${quarkus.wiremock.devservices.port}/exploit-Iq/scan |
| #%dev.quarkus.rest-client.exploit-iq.url=http://localhost:${quarkus.wiremock.devservices.port}/exploit-Iq/scan | |
| #%dev.quarkus.rest-client.exploit-iq.url=http://localhost:${quarkus.wiremock.devservices.port}/exploit-iq/scan |
| * Builds, persists, and submits ExploitIQ report requests for the RPM package checker pipeline. |
| /** RPM package identity for ExploitIQ Agent RPM package checker pipeline. */ |
| "The exploit-iq.repository.reports-path must be a valid directory: " + reportsPath); |
| * builds ExploitIQ input with {@link PipelineMode#RPM_PACKAGE_CHECKER}, persists, and submits to the queue. |
@TamarW0 At least 3 occurrences of Morpheus in this file that should be replaced with ExploitIQ.
Co-authored-by: Zvi Grinberg <75700623+zvigrinberg@users.noreply.github.com>
Co-authored-by: Zvi Grinberg <75700623+zvigrinberg@users.noreply.github.com>
…AppEng/agent-morpheus-client into APPENG-5387-branding
zvigrinberg
left a comment
@TamarW0 This already looks better than before...
Please see my comments.
| const isProductContext = productId != null && cveId != null; | ||
|
|
||
| const { status: statusFilterValue, exploitIqStatus: exploitIqStatusApiValue } = | ||
| const { status: statusFilterValue, exploitIqStatus: ExploitIqStatusApiValue } = |
@TamarW0 Please revert to camelCase from UpperCamelCase in all places in this file
As it's variable name
| const { status: statusFilterValue, exploitIqStatus: ExploitIqStatusApiValue } = | |
| const { status: statusFilterValue, exploitIqStatus: exploitIqStatusApiValue } = |
| * Use {@link withAppTitle} so every tab includes the product name. | ||
| */ | ||
|
|
||
| export const DOCUMENT_TITLE_APP_NAME = "Exploit Intelligence"; |
| The ID column SHALL display `report.id` as a link to the report page (component route: `/reports/component/{cveId}/{report.id}`; product route: `/reports/product/{productId}/{cveId}/{report.id}`). The **Date Requested** column SHALL display `metadata.submitted_at` when present, in the format "DD Month YYYY, HH:MM:SS AM/PM"; when `metadata.submitted_at` is missing, the cell SHALL display "-". The **Date Completed** column SHALL display `report.completedAt` in the same format. All date fields SHALL use the format "DD Month YYYY, HH:MM:SS AM/PM" (e.g., "07 July 2025, 10:14:02 PM"). | ||
|
|
||
| The table SHALL display a single **Finding** column (no separate "Analysis state" or "ExploitIQ Status" column). The Finding cell SHALL show, per row: if the report's analysis state is **completed**, the ExploitIQ status (Vulnerable, Not vulnerable, or Uncertain) from the vulnerability justification; if the report's analysis state is **pending**, **queued**, or **sent**, "In progress" using the shared InProgressStatus component (grey outline label, InProgressIcon); if the report's analysis state is **expired** or **failed**, "Failed" using the shared FailedStatus component (grey filled label, ExclamationCircleIcon). Styling SHALL match the Finding column in the reports table for in-progress and failed states. | ||
| The table SHALL display a single **Finding** column (no separate "Analysis state" or "ExploitIQ Status" column). The Finding cell SHALL show, per row: if the report's analysis state is **completed**, the ExploitIQ status (Vulnerable, Not vulnerable, or Uncertain) from the vulnerability justification; if the report's analysis state is **pending**, **queued**, or **sent**, "In progress" using the shared InProgressStatus component (grey outline label, InProgressIcon); if the report's analysis state is **expired** or **failed**, "Failed" using the shared FailedStatus component (grey filled label, ExclamationCircleIcon). Styling SHALL match the Finding column in the reports table for in-progress and failed states. |
@TamarW0 Redundant one space separator in two words "ExploitIQ Status"
| The table SHALL display a single **Finding** column (no separate "Analysis state" or "ExploitIQ Status" column). The Finding cell SHALL show, per row: if the report's analysis state is **completed**, the ExploitIQ status (Vulnerable, Not vulnerable, or Uncertain) from the vulnerability justification; if the report's analysis state is **pending**, **queued**, or **sent**, "In progress" using the shared InProgressStatus component (grey outline label, InProgressIcon); if the report's analysis state is **expired** or **failed**, "Failed" using the shared FailedStatus component (grey filled label, ExclamationCircleIcon). Styling SHALL match the Finding column in the reports table for in-progress and failed states. | |
| The table SHALL display a single **Finding** column (no separate "Analysis state" or "ExploitIQ Status" column). The Finding cell SHALL show, per row: if the report's analysis state is **completed**, the ExploitIQ status (Vulnerable, Not vulnerable, or Uncertain) from the vulnerability justification; if the report's analysis state is **pending**, **queued**, or **sent**, "In progress" using the shared InProgressStatus component (grey outline label, InProgressIcon); if the report's analysis state is **expired** or **failed**, "Failed" using the shared FailedStatus component (grey filled label, ExclamationCircleIcon). Styling SHALL match the Finding column in the reports table for in-progress and failed states. |
There was a problem hiding this comment.
nice you saw this
fixed
| # quarkus.log.category."io.quarkus.oidc".min-level=DEBUG | ||
|
|
||
| %dev.quarkus.log.category."com.redhat.ecosystemappeng.morpheus".level=DEBUG | ||
| %dev.quarkus.log.category."com.redhat.ecosystemappeng.exploit-iq".level=DEBUG |
@TamarW0 This should match a Java package, but the dash in exploit-iq is invalid and won't match anything.
| %dev.quarkus.log.category."com.redhat.ecosystemappeng.exploit-iq".level=DEBUG | |
| %dev.quarkus.log.category."com.redhat.ecosystemappeng.exploitiq".level=DEBUG |
| /** | ||
| * Create analysis request for an RPM package | ||
| * Accepts RPM name, version, release, architecture, and a CVE id; builds a Morpheus input with pipeline_mode rpm_package_checker and target_package, persists the report, and always submits it for analysis (same queue path as POST /reports/new with submit=true). Validation errors use the same field-mapped JSON shape as POST /products/upload-spdx (object "errors" mapping field names to messages). | ||
| * Accepts RPM name, version, release, architecture, and a CVE id; builds a ExploitIq input with pipeline_mode rpm_package_checker and target_package, persists the report, and always submits it for analysis (same queue path as POST /reports/new with submit=true). Validation errors use the same field-mapped JSON shape as POST /products/upload-spdx (object "errors" mapping field names to messages). |
| * Accepts RPM name, version, release, architecture, and a CVE id; builds a ExploitIq input with pipeline_mode rpm_package_checker and target_package, persists the report, and always submits it for analysis (same queue path as POST /reports/new with submit=true). Validation errors use the same field-mapped JSON shape as POST /products/upload-spdx (object "errors" mapping field names to messages). | |
| * Accepts RPM name, version, release, architecture, and a CVE id; builds an ExploitIq input with pipeline_mode rpm_package_checker and target_package, persists the report, and always submits it for analysis (same queue path as POST /reports/new with submit=true). Validation errors use the same field-mapped JSON shape as POST /products/upload-spdx (object "errors" mapping field names to messages). |
| import org.eclipse.microprofile.openapi.annotations.media.Schema; | ||
|
|
||
| @Schema(name = "PipelineMode", description = "Morpheus agent pipeline mode") | ||
| @Schema(name = "PipelineMode", description = "ExploitIq pipeline mode") |
@TamarW0 This is built into the openapi description for the model
| @Schema(name = "PipelineMode", description = "ExploitIq pipeline mode") | |
| @Schema(name = "PipelineMode", description = "ExploitIQ pipeline mode") |
| summary = "Create analysis request for an RPM package", | ||
| description = """ | ||
| Accepts RPM name, version, release, architecture, and a CVE id; builds a Morpheus input with \ | ||
| Accepts RPM name, version, release, architecture, and a CVE id; builds a ExploitIq input with \ |
| Accepts RPM name, version, release, architecture, and a CVE id; builds a ExploitIq input with \ | |
| Accepts RPM name, version, release, architecture, and a CVE id; builds an ExploitIQ input with \ |
| @Operation( | ||
| summary = "Receive analysis report", | ||
| description = "Receives a completed analysis report from Morpheus") | ||
| description = "Receives a completed analysis report from ExploitIq") |
| description = "Receives a completed analysis report from ExploitIq") | |
| description = "Receives a completed analysis report from ExploitIQ") |
| } | ||
|
|
||
| /** RPM NEVRA persisted under Morpheus `input.image.target_package`. */ | ||
| /** RPM NEVRA persisted under ExploitIq `input.image.target_package`. */ |
| /** RPM NEVRA persisted under ExploitIq `input.image.target_package`. */ | |
| /** RPM NEVRA persisted under ExploitIQ `input.image.target_package`. */ |
zvigrinberg
left a comment
@TamarW0 Thank you, almost there, please see my comments.
| String[] ExploitIqStatusValues = exploitIqStatus.split(","); | ||
| List<Bson> exploitIqStatusFilters = new ArrayList<>(); | ||
|
|
||
| for (String statusValue : exploitIqStatusValues) { | ||
| for (String statusValue : ExploitIqStatusValues) { |
@TamarW0 Convert var reference to camelCase
| String[] ExploitIqStatusValues = exploitIqStatus.split(","); | |
| List<Bson> exploitIqStatusFilters = new ArrayList<>(); | |
| for (String statusValue : exploitIqStatusValues) { | |
| for (String statusValue : ExploitIqStatusValues) { | |
| String[] exploitIqStatusValues = exploitIqStatus.split(","); | |
| List<Bson> exploitIqStatusFilters = new ArrayList<>(); | |
| for (String statusValue : exploitIqStatusValues) { |
| }, | ||
| "PipelineMode": { | ||
| "description": "Morpheus agent pipeline mode", | ||
| "description": "ExploitIq pipeline mode", |
| "description": "ExploitIq pipeline mode", | |
| "description": "ExploitIQ pipeline mode", |
| "post": { | ||
| "summary": "Receive analysis report", | ||
| "description": "Receives a completed analysis report from Morpheus", | ||
| "description": "Receives a completed analysis report from ExploitIq", |
| "description": "Receives a completed analysis report from ExploitIq", | |
| "description": "Receives a completed analysis report from ExploitIQ", |
| "post": { | ||
| "summary": "Create analysis request for an RPM package", | ||
| "description": "Accepts RPM name, version, release, architecture, and a CVE id; builds a Morpheus input with pipeline_mode rpm_package_checker and target_package, persists the report, and always submits it for analysis (same queue path as POST /reports/new with submit=true). Validation errors use the same field-mapped JSON shape as POST /products/upload-spdx (object \"errors\" mapping field names to messages).", | ||
| "description": "Accepts RPM name, version, release, architecture, and a CVE id; builds a ExploitIq input with pipeline_mode rpm_package_checker and target_package, persists the report, and always submits it for analysis (same queue path as POST /reports/new with submit=true). Validation errors use the same field-mapped JSON shape as POST /products/upload-spdx (object \"errors\" mapping field names to messages).", |
| "description": "Accepts RPM name, version, release, architecture, and a CVE id; builds a ExploitIq input with pipeline_mode rpm_package_checker and target_package, persists the report, and always submits it for analysis (same queue path as POST /reports/new with submit=true). Validation errors use the same field-mapped JSON shape as POST /products/upload-spdx (object \"errors\" mapping field names to messages).", | |
| "description": "Accepts RPM name, version, release, architecture, and a CVE id; builds an ExploitIQ input with pipeline_mode rpm_package_checker and target_package, persists the report, and always submits it for analysis (same queue path as POST /reports/new with submit=true). Validation errors use the same field-mapped JSON shape as POST /products/upload-spdx (object \"errors\" mapping field names to messages).", |
| # Default timeout for async SPDX processing wait in REST tests. | ||
| %test.morpheus.rest-test.spdx-timeout=10m | ||
| # Default timeout for async SPDX processing wait in REST tests (test-only config, not part of exploit-iq namespace). | ||
| %test.test.rest.spdx-timeout=10m |
@TamarW0 Should be aligned with the rename you have made:
| %test.test.rest.spdx-timeout=10m | |
| %test.exploit-iq.rest-test.spdx-timeout=10m |
There was a problem hiding this comment.
@zvigrinberg why "rest-test"?
Should be aligned with usages in the tests.
There was a problem hiding this comment.
Actually, changing that is failing the tests; it expects test.rest.spdx-timeout=10m
| "specversion": "1.0", | ||
| "id": "", | ||
| "source": "agent.morpheus.client", | ||
| "source": "exploit-iq.client", |
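Review bot: the `source` attribute changes from `agent.morpheus.client` to `exploit-iq.client`, and that value is part of the event contract rather than branding text. Anything that filters, routes or deduplicates on the event source needs to accept the new value in the same rollout, or the old value should stay until those consumers are updated.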
| public static final String CONFIG_KEY_EXTERNAL_BASE_URL = "morpheus.rest-test.external-base-url"; | ||
| public static final String CONFIG_KEY_SPDX_TIMEOUT = "morpheus.rest-test.spdx-timeout"; | ||
| public static final String CONFIG_KEY_EXTERNAL_BASE_URL = "exploit-iq.rest-test.external-base-url"; | ||
| public static final String CONFIG_KEY_SPDX_TIMEOUT = "exploit-iq.rest-test.spdx-timeout"; |
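Review bot: `CONFIG_KEY_SPDX_TIMEOUT` is now `exploit-iq.rest-test.spdx-timeout`, but the test properties hunk on this page sets `%test.test.rest.spdx-timeout=10m`, so the two names do not match. Use one key in both places; a lookup by this constant would not find that property, and the 10m value would not be applied.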
Here I didn't add the suffix "-test" but I guess it was missing.
fixed that
No description provided.