package vulnerability

import (
	"strings"

	"github.com/google/wire"

	"github.com/aquasecurity/trivy-db/pkg/db"
	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
	"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
	"github.com/aquasecurity/trivy/pkg/log"
	"github.com/aquasecurity/trivy/pkg/types"
)

var (
	primaryURLPrefixes = map[dbTypes.SourceID][]string{
		vulnerability.Debian: {
			"http://www.debian.org",
			"https://www.debian.org",
		},
		vulnerability.Ubuntu: {
			"http://www.ubuntu.com",
			"https://usn.ubuntu.com",
		},
		vulnerability.RedHat: {"https://access.redhat.com"},
		vulnerability.SuseCVRF: {
			"http://lists.opensuse.org",
			"https://lists.opensuse.org",
		},
		vulnerability.OracleOVAL: {
			"http://linux.oracle.com/errata",
			"https://linux.oracle.com/errata",
		},
		vulnerability.NodejsSecurityWg: {
			"https://www.npmjs.com",
			"https://hackerone.com",
		},
		vulnerability.RubySec: {"https://groups.google.com"},
	}
)

// SuperSet binds the dependencies
var SuperSet = wire.NewSet(
	wire.Struct(new(db.Config)),
	wire.Bind(new(db.Operation), new(db.Config)),
	NewClient,
)

// Client manipulates vulnerabilities
type Client struct {
	dbc db.Operation
}

// NewClient is the factory method for Client
func NewClient(dbc db.Operation) Client {
	return Client{dbc: dbc}
}

// FillInfo fills extra info in vulnerability objects
func (c Client) FillInfo(vulns []types.DetectedVulnerability) {
	for i := range vulns {
		// Add the vulnerability status
		// Some vendors such as Red Hat have their own vulnerability status, and we use it.
		// Otherwise, we put "fixed" or "affected" according to the fixed version.
		if vulns[i].FixedVersion != "" {
			vulns[i].Status = dbTypes.StatusFixed
		} else if vulns[i].Status == dbTypes.StatusUnknown {
			vulns[i].Status = dbTypes.StatusAffected
		}

		// Get the vulnerability detail
		vulnID := vulns[i].VulnerabilityID
		vuln, err := c.dbc.GetVulnerability(vulnID)
		if err != nil {
			log.Warn("Unable to get vulnerability details (CVE may be rejected)", log.Err(err))
			continue
		}

		// Detect the data source
		var source dbTypes.SourceID
		if vulns[i].DataSource != nil {
			source = vulns[i].DataSource.ID
		}

		// Select the severity according to the detected source.
		severity, severitySource := c.getVendorSeverity(vulnID, &vuln, source)

		// The vendor might provide package-specific severity like Debian.
		// For example, CVE-2015-2328 in Debian has "unimportant" for mongodb and "low" for pcre3.
		// In that case, we keep the severity as is.
		if vulns[i].SeveritySource != "" {
			severity = vulns[i].Severity
			severitySource = vulns[i].SeveritySource

			// Store package-specific severity in vendor severities
			if vuln.VendorSeverity == nil {
				vuln.VendorSeverity = make(dbTypes.VendorSeverity)
			}
			s, _ := dbTypes.NewSeverity(severity) // skip error handling because `SeverityUnknown` will be returned in case of error
			vuln.VendorSeverity[severitySource] = s
		}

		// Add the vulnerability detail
		vulns[i].Vulnerability = vuln

		vulns[i].Severity = severity
		vulns[i].SeveritySource = severitySource
		vulns[i].PrimaryURL = c.getPrimaryURL(vulnID, vuln.References, source)
	}
}

func (c Client) getVendorSeverity(vulnID string, vuln *dbTypes.Vulnerability, source dbTypes.SourceID) (string, dbTypes.SourceID) {
	if vs, ok := vuln.VendorSeverity[source]; ok {
		return vs.String(), source
	}

	// use severity from GitHub for all GHSA-xxx vulnerabilities
	if strings.HasPrefix(vulnID, "GHSA-") {
		if vs, ok := vuln.VendorSeverity[vulnerability.GHSA]; ok {
			return vs.String(), vulnerability.GHSA
		}
	}

	// Try NVD as a fallback if it exists
	if vs, ok := vuln.VendorSeverity[vulnerability.NVD]; ok {
		return vs.String(), vulnerability.NVD
	}

	if vuln.Severity == "" {
		return dbTypes.SeverityUnknown.String(), ""
	}

	return vuln.Severity, ""
}

func (c Client) getPrimaryURL(vulnID string, refs []string, source dbTypes.SourceID) string {
	switch {
	case strings.HasPrefix(vulnID, "CVE-"):
		return "https://avd.aquasec.com/nvd/" + strings.ToLower(vulnID)
	case strings.HasPrefix(vulnID, "RUSTSEC-"):
		return "https://osv.dev/vulnerability/" + vulnID
	case strings.HasPrefix(vulnID, "GHSA-"):
		return "https://github.com/advisories/" + vulnID
	case strings.HasPrefix(vulnID, "TEMP-"):
		return "https://security-tracker.debian.org/tracker/" + vulnID
	}

	prefixes := primaryURLPrefixes[source]
	for _, pre := range prefixes {
		for _, ref := range refs {
			if strings.HasPrefix(ref, pre) {
				return ref
			}
		}
	}
	return ""
}