Conversation

@matiasdaloia matiasdaloia commented Dec 16, 2025

Summary by CodeRabbit

  • New Features

    • Added endpoint to download cryptographic rulesets as tarballs (supports latest and specific versions; GET /v2/cryptography/rulesets/{ruleset_name}/{version}/download).
  • Documentation

    • Added docs with HTTP examples, response format, tarball structure, manifest JSON, and extraction guidance.
  • Changelog

    • Added 0.27.0 Unreleased entry dated 2025-12-18.

coderabbitai bot commented Dec 16, 2025

Caution

Review failed

The pull request is closed.

Walkthrough

Adds a gRPC RPC and matching REST GET endpoint to download cryptography detection rulesets as tarball HTTP bodies; updates protobuf, OpenAPI/Swagger spec, README docs, and the changelog with version 0.27.0.

Changes

Cohort / File(s) Summary
Changelog & Release Notes
CHANGELOG.md
Added Unreleased entry for version 0.27.0 dated 2025-12-18 documenting the new DownloadRuleset capability and updated release/compare links.
Documentation
protobuf/scanoss/api/cryptography/v2/README.md
Added "DownloadRuleset" section describing download as compressed tarball, supported rule types (dca, keywords), version spec (latest or specific), HTTP examples, response as raw tarball with headers, tarball layout, and embedded manifest JSON.
Protobuf Definitions
protobuf/scanoss/api/cryptography/v2/scanoss-cryptography.proto
Added import google/api/httpbody.proto, new message RulesetDownloadRequest (ruleset_name, version), and RPC DownloadRuleset(RulesetDownloadRequest) returns (google.api.HttpBody) with HTTP GET mapping /v2/cryptography/rulesets/{ruleset_name}/{version}/download.
OpenAPI / Swagger Spec
protobuf/scanoss/api/cryptography/v2/scanoss-cryptography.swagger.json
Added GET path /v2/cryptography/rulesets/{ruleset_name}/{version}/download (operationId Cryptography_DownloadRuleset) with 200/404/default responses using new apiHttpBody definition; added apiHttpBody schema and expanded protobufAny documentation and schema details.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • Verify proto additions: RulesetDownloadRequest fields, import of google/api/httpbody.proto, RPC signature, and correct google.api.http GET annotation.
  • Validate OpenAPI mapping: path parameters, response schema corresponds to apiHttpBody and non-JSON payload handling.
  • Confirm README and CHANGELOG accurately reflect the proto/spec (HTTP method, path, tarball format, manifest layout).

Poem

🐇 I hopped to fetch a ruleset bright,
A tarball snug, a moonlit byte.
gRPC sings, GET brings delight,
I nibble metadata at night.
Rulesets bundled — a rabbit's bite!

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately describes the main change: adding a new gRPC DownloadRuleset endpoint and REST GET endpoint for downloading cryptographic rulesets, which aligns with all modified files.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between da36ee8 and 24ad151.

📒 Files selected for processing (1)
  • CHANGELOG.md (2 hunks)

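The walkthrough above describes a tarball that clients will fetch and unpack, which makes the client-side extractor the security-relevant piece. The Go function below is an added example, not code from the scanoss/papi project or from this PR; it assumes the README's documented layout (one top-level directory such as dca-v1.2.3/) and an 8 MiB per-file cap chosen here.

```go
// Added example (not scanoss/papi code): safe client-side extraction of the tarball served
// by GET /v2/cryptography/rulesets/{ruleset_name}/{version}/download (layout "dca-v1.2.3/...").
package main

import (
	"archive/tar"
	"compress/gzip"
	"fmt"
	"io"
	"path"
	"strings"
)

const maxEntryBytes = 8 << 20 // per-file cap against decompression bombs (assumed limit)
// ExtractRuleset returns the regular files of a gzip tarball keyed by cleaned path. It rejects
// absolute paths, ".." traversal, entries outside topDir, and links or special files.
func ExtractRuleset(r io.Reader, topDir string) (map[string][]byte, error) {
	gz, err := gzip.NewReader(r)
	if err != nil {
		return nil, err
	}
	files, tr := map[string][]byte{}, tar.NewReader(gz)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return files, gz.Close()
		} else if err != nil {
			return nil, err
		}
		name := path.Clean(hdr.Name)
		if path.IsAbs(name) || name == ".." || strings.HasPrefix(name, "../") {
			return nil, fmt.Errorf("unsafe path %q", hdr.Name)
		}
		if name != topDir && !strings.HasPrefix(name, topDir+"/") {
			return nil, fmt.Errorf("entry %q outside %s/", hdr.Name, topDir)
		}
		switch hdr.Typeflag {
		case tar.TypeDir: // directories are implied by file paths; nothing to store
		case tar.TypeReg:
			data, err := io.ReadAll(io.LimitReader(tr, maxEntryBytes+1))
			if err != nil || len(data) > maxEntryBytes {
				return nil, fmt.Errorf("entry %q unreadable or over %d bytes", hdr.Name, maxEntryBytes)
			}
			files[name] = data
		default: // symlinks, hardlinks, devices: never create these from a downloaded archive
			return nil, fmt.Errorf("entry %q is a link or special file", hdr.Name)
		}
	}
}
```

Callers still need to write the returned files under a fresh directory and, if the service exposes a checksum header, verify the body before extracting.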

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
protobuf/scanoss/api/cryptography/v2/README.md (1)

506-523: Consider adding language identifier to fenced code block.

The fenced code block showing the tarball structure would benefit from a language identifier (e.g., text or plaintext) for consistency with Markdown best practices.

Apply this diff:

 #### Tarball Structure
 
 The downloaded and extracted tarball contains:
 
-```
+```text
 dca-v1.2.3/
 ├── java/                  # Java cryptography detection rules
 │   ├── jca.yaml
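Review bot: the hunk has no `@@` header and is cut after `│   ├── jca.yaml`, so it is a manual suggestion rather than a patch that `git apply` will take; the only change is the info string on the opening fence at README line 510 (`-```` / `+```text`), and the closing fence outside the shown context needs no edit.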
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 49b124f and 7126e0d.

⛔ Files ignored due to path filters (3)
  • api/cryptographyv2/scanoss-cryptography.pb.go is excluded by !**/*.pb.go
  • api/cryptographyv2/scanoss-cryptography.pb.gw.go is excluded by !**/*.pb.gw.go
  • api/cryptographyv2/scanoss-cryptography_grpc.pb.go is excluded by !**/*.pb.go
📒 Files selected for processing (4)
  • CHANGELOG.md (2 hunks)
  • protobuf/scanoss/api/cryptography/v2/README.md (1 hunks)
  • protobuf/scanoss/api/cryptography/v2/scanoss-cryptography.proto (28 hunks)
  • protobuf/scanoss/api/cryptography/v2/scanoss-cryptography.swagger.json (2 hunks)
🧰 Additional context used
🪛 Checkov (3.2.334)
protobuf/scanoss/api/cryptography/v2/scanoss-cryptography.swagger.json

[medium] 601-608: Ensure that arrays have a maximum number of items

(CKV_OPENAPI_21)

🪛 LanguageTool
CHANGELOG.md

[style] ~12-~12: Consider a different adjective to strengthen your wording.
Context: ...cryptographic rulesets for keywords and deep code analysis. ## [0.26.0] - 2025-12-0...

(DEEP_PROFOUND)

🪛 markdownlint-cli2 (0.18.1)
protobuf/scanoss/api/cryptography/v2/README.md

510-510: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🔇 Additional comments (7)
protobuf/scanoss/api/cryptography/v2/README.md (1)

438-462: LGTM! Clear documentation of the new endpoint.

The documentation clearly explains the purpose, supported ruleset types (dca and keywords), and version specification options. The curl examples are practical and easy to follow.

protobuf/scanoss/api/cryptography/v2/scanoss-cryptography.proto (3)

38-38: LGTM! Necessary import for binary response.

The google/api/httpbody.proto import is required for the DownloadRuleset RPC that returns google.api.HttpBody, which is the correct approach for returning binary content like tarballs.


286-314: LGTM! Well-documented RPC definition.

The DownloadRuleset RPC is properly defined with:

  • Comprehensive documentation covering purpose, supported ruleset types, version options, and response headers
  • Correct use of google.api.HttpBody for binary tarball responses
  • Appropriate HTTP GET mapping for idempotent download operations
  • Clear reference to README documentation

775-795: LGTM! Clean message definition.

The RulesetDownloadRequest message is well-defined with:

  • Clear field documentation explaining supported ruleset types (dca, keywords)
  • Version flexibility (latest or specific version)
  • Proper JSON naming for REST API compatibility
  • Comprehensive comments about response headers and metadata
protobuf/scanoss/api/cryptography/v2/scanoss-cryptography.swagger.json (3)

516-562: LGTM! Complete and correct endpoint definition.

The new download endpoint is properly defined with:

  • Correct HTTP GET method matching the protobuf definition
  • Required path parameters (ruleset_name and version) with clear descriptions
  • Appropriate response schema referencing apiHttpBody for binary content
  • Comprehensive operation documentation covering supported ruleset types, versioning, and response headers

589-611: LGTM! Standard Google API HttpBody definition.

The apiHttpBody definition is properly structured as a standard Google API type for representing HTTP bodies with non-JSON content (raw binary or HTML). This is the correct approach for the tarball download endpoint.


612-622: LGTM! Enhanced protobufAny definition.

The updates to the protobufAny definition improve clarity by adding detailed descriptions of the @type property and the overall Any type semantics, plus the correct additionalProperties: {} specification that allows arbitrary fields as expected for protobuf Any messages.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
protobuf/scanoss/api/cryptography/v2/README.md (1)

510-523: Specify language for fenced code block.

The fenced code block showing the tarball structure should specify a language identifier for proper syntax highlighting and markdown compliance.

🔎 Apply this diff to add language identifier:
-```
+```text
 dca-v1.2.3/
 ├── java/                  # Java cryptography detection rules
 │   ├── jca.yaml

Based on static analysis hints.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 117c7ed and da36ee8.

⛔ Files ignored due to path filters (1)
  • api/cryptographyv2/scanoss-cryptography_grpc.pb.go is excluded by !**/*.pb.go
📒 Files selected for processing (3)
  • protobuf/scanoss/api/cryptography/v2/README.md (1 hunks)
  • protobuf/scanoss/api/cryptography/v2/scanoss-cryptography.proto (28 hunks)
  • protobuf/scanoss/api/cryptography/v2/scanoss-cryptography.swagger.json (2 hunks)
🧰 Additional context used
🪛 Checkov (3.2.334)
protobuf/scanoss/api/cryptography/v2/scanoss-cryptography.swagger.json

[medium] 601-608: Ensure that arrays have a maximum number of items

(CKV_OPENAPI_21)

🪛 markdownlint-cli2 (0.18.1)
protobuf/scanoss/api/cryptography/v2/README.md

510-510: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🔇 Additional comments (7)
protobuf/scanoss/api/cryptography/v2/README.md (1)

438-537: Excellent documentation for the new DownloadRuleset endpoint.

The documentation is comprehensive and well-structured, covering all essential aspects:

  • Supported ruleset types and version specifications
  • HTTP request examples with curl
  • Response format with headers
  • Tarball structure and manifest details

This will be very helpful for API consumers.

protobuf/scanoss/api/cryptography/v2/scanoss-cryptography.proto (3)

38-38: Correct import for HttpBody support.

The import of google/api/httpbody.proto is necessary and appropriate for the new DownloadRuleset RPC that returns binary tarball content.


286-314: Well-designed RPC for ruleset downloads.

The DownloadRuleset RPC is properly designed:

  • Returns google.api.HttpBody which is the correct type for binary/non-JSON responses
  • HTTP GET mapping follows RESTful conventions
  • Comprehensive documentation includes supported ruleset types, version handling, and response header details
  • References the README for additional documentation

775-795: Clean request message definition.

The RulesetDownloadRequest message is well-structured:

  • Clear field names and descriptions
  • Proper field numbering
  • Includes examples of supported values
  • Documents the version semantics ("latest" vs specific versions)
protobuf/scanoss/api/cryptography/v2/scanoss-cryptography.swagger.json (3)

516-562: Well-defined OpenAPI endpoint for ruleset downloads.

The new endpoint definition is comprehensive and correct:

  • Proper HTTP GET operation with clear summary and description
  • Appropriate response schemas (200 → apiHttpBody, 404 → string, default → rpcStatus)
  • Path parameters are correctly defined with detailed descriptions
  • Tagged appropriately under Cryptography
  • Documentation URL reference included

589-611: Standard Google API HttpBody definition.

The apiHttpBody definition correctly represents the google.api.HttpBody type for non-JSON payloads like raw binary data. The structure matches Google's standard API conventions with:

  • content_type for MIME type specification
  • data as base64-encoded binary
  • extensions for metadata

Note: The static analysis warning about arrays lacking maximum items is a false positive. This is a standard Google API type definition that shouldn't be constrained.


616-622: Enhanced protobufAny documentation.

The additions provide comprehensive documentation for the protobufAny type, including detailed explanations of the @type field and the Any message usage patterns. The additionalProperties: {} allows for the flexible schema that Any requires.

@agustingroh agustingroh left a comment

LGTM

@matiasdaloia matiasdaloia merged commit ff0fef7 into main Dec 18, 2025
3 of 4 checks passed
@matiasdaloia matiasdaloia deleted the feature/mdaloia/SP-3798-SCANOSS-Crypto-Framework-Download-rules-API branch December 18, 2025 11:39