foreman_cve_scanner 0.0.3 → 0.5.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 43957c794e37f75dcba9c2d33ea26e3c293baaaec0a166781e1e06b45d529432
-  data.tar.gz: 4f2d274846b982f944412efdd8c3280cc0ab6e63c3cd7ea9876aa59a2b409c6e
+  metadata.gz: 0ef55cf85764a1394ea0e94d9cdf96520e905f49a5e479d2c7254867c6797be9
+  data.tar.gz: 874cd48378be0b12d341e06b4f15172b7ad1c45cd607ee7d0c513a38b5a172ae
 SHA512:
-  metadata.gz: 83121e7e1f8aa077d5d9cdcb6e7feeb2215202f2a07a4930001eed9c9d7f5d470f15be813ca82a536d5a1af5622f845f3f52af710db82497e125c5d865ae1338
-  data.tar.gz: 6b63ffd8df67f139b30514d5a6f9d47b253b3451ced1e44f8d48c05d04ad4c03ea6ba39c6b743b2d3792e00a17a0c98c7090caac1f5904ab42022a9dca4262b7
+  metadata.gz: 8ba5bf4caff8597578e07c110961376c6c3ae242b8f71092e023993c1514a5a0ae185fe34fc32b052fbb1d2d773ce1dfdfb5a17a0f8ec1bff955d0b69984e6c2
+  data.tar.gz: d89adc8ffb92d8075c133084815b9db47b4f17e7dcb73c9e8cb1811cf52441636d1c9b2b6bf2e781438252c3d7a041f1f616476fb0237a17dafeeef2b5fd5c37

data/README.md

@@ -1,13 +1,25 @@
 # ForemanCveScanner
 
-Plugin to 
-1. install trivy/grype CVE scanners on a host using a Foreman Remote Execution (REX) job
-2. run a CVE scan using a REX job, collect the output and generate a Config Report
-   
-   ![image](https://github.com/ATIX-AG/foreman_cve_scanner/assets/25485845/85e3b676-7d90-41e5-bea5-7e0b5f4a685c)
-
-
-*Introdction here*
+Plugin to:
+1. install Trivy/Grype on a host using Foreman Remote Execution (REX)
+2. run CVE scans via REX and parse the results
+3. store scan history per host in a dedicated table
+4. expose scan data via API
+5. show CVE findings in the Host details UI
+6. show summary status in the Hosts list
+
+![image](https://github.com/ATIX-AG/foreman_cve_scanner/assets/25485845/85e3b676-7d90-41e5-bea5-7e0b5f4a685c)
+
+## Features
+
+- REX job templates for installing and running CVE scans
+- JSON output parsing with robust handling of chunked stdout
+- Per-host scan history with totals and severity counts
+- API endpoints for scan history and latest scan
+- Host Details card with findings and modal view
+- Host Details tab “CVE scans” for full history
+- Hosts overview list column “CVE” with quick summary and modal
+- Integrated in the Host Status
 
 ## Installation
 
@@ -16,19 +28,18 @@ for how to install Foreman plugins
 
 ## Usage
 
-- Run the REX job to install trivy and/or grype
+- Run the REX job to install Trivy and/or Grype
 - Run the REX job to scan a host
-- Go to the Config Report page for a host to view the scan report
+- You can configure recurring CVE scans via `Monitor -> Jobs`
+- View results in:
+  - Hosts overview list column “CVE” (use 'Manage Columns' to enable)
+  - Host Details card and modal
+  - Host Details tab “CVE scans”
 
 ## TODO
 
-- Better possiblities to filter the Config Report (maybe an extension to ConfigReport in Foreman)
-- Have a scheduled REX Job to scan the hosts
-- Make it visible on the Host Details page or on Foreman directly, if a high priority CVE on a host occurs
-- Export a CVE scan
-- Deliver trivy / grype via Katello
-- More tests
-- API
+- Export scan results
+- Deliver Trivy/Grype via Katello
 
 ## Contributing
 
@@ -50,4 +61,3 @@ GNU General Public License for more details.
 
 You should have received a copy of the GNU General Public License
 along with this program.  If not, see <http://www.gnu.org/licenses/>.
-

data/Rakefile

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 begin
   require 'bundler/setup'
 rescue LoadError

data/app/controllers/api/v2/cve_scans_controller.rb

@@ -0,0 +1,66 @@
+# frozen_string_literal: true
+
+module Api
+  module V2
+    # API controller for CVE scans per host.
+    class CveScansController < V2::BaseController
+      before_action :find_host
+
+      def resource_class
+        ::ForemanCveScanner::CveScan
+      end
+
+      api :GET, '/hosts/:host_id/cve_scans', N_('List CVE scans for a host')
+      description N_('Returns paginated CVE scan summaries for a host.')
+      param :host_id, :identifier, required: true
+      param :page, :number, desc: N_('Page number, starting at 1')
+      param :per_page, :number, desc: N_('Number of results per page')
+      def index
+        @cve_scans = cve_scans_index_scope.paginate(paginate_options)
+      end
+
+      api :GET, '/hosts/:host_id/cve_scans/latest', N_('Get latest CVE scan for a host')
+      description N_('Returns the most recent CVE scan for a host.')
+      param :host_id, :identifier, required: true
+      def latest
+        @cve_scan = cve_scans_index_scope.first
+        head :no_content if @cve_scan.nil?
+      end
+
+      api :GET, '/hosts/:host_id/cve_scans/:id', N_('Show CVE scan for a host')
+      description N_('Returns a specific CVE scan by id for a host.')
+      param :host_id, :identifier, required: true
+      param :id, :identifier, required: true
+      def show
+        @cve_scan = resource_class.for_host(@host.id).find(params[:id])
+      end
+
+      api :DELETE, '/hosts/:host_id/cve_scans/:id', N_('Delete a CVE scan')
+      description N_('Deletes a specific CVE scan by id for a host.')
+      param :host_id, :identifier, required: true
+      param :id, :identifier, required: true
+      def destroy
+        @cve_scan = resource_class.for_host(@host.id).find(params[:id])
+        process_response @cve_scan.destroy
+      end
+
+      private
+
+      def cve_scans_index_scope
+        scope = resource_class.for_host(@host.id).recent_first
+        return scope unless respond_to?(:resource_scope_for_index, true)
+        return scope unless scope.respond_to?(:search_for)
+
+        resource_scope_for_index(scope)
+      end
+
+      def find_host
+        scope = ::Host::Base.authorized(:view_hosts)
+        @host = scope.find_by(name: params[:host_id]) || scope.find_by(id: params[:host_id])
+        return if @host.present?
+
+        not_found
+      end
+    end
+  end
+end

data/app/lib/actions/foreman_cve_scanner/cve_scanner_job.rb

@@ -2,6 +2,7 @@
 
 module Actions
   module ForemanCveScanner
+    # Dynflow action that parses a CVE scan job output and stores the results.
     class CveScannerJob < Actions::EntryAction
       def self.subscribe
         Actions::RemoteExecution::RunHostJob
@@ -15,16 +16,9 @@ module Actions
 
       def finalize(*_args)
         host = Host.find(input[:host_id])
-        return if host.blank?
 
-        report = {
-          'host' => host.name,
-          'logs' => [],
-          'scan' => format_output(task.main_action.continuous_output.humanize),
-          'reported_at' => Time.now.utc.to_s,
-          'reporter' => 'cve_scan'
-        }
-        ConfigReportImporter.import(report)
+        ::ForemanCveScanner::ScanImporter.new(task.main_action.continuous_output)
+                                         .import_for_host!(host)
       end
 
       private
@@ -34,15 +28,6 @@ module Actions
                                                                     .first
                                                                     .template_id, label: feature).any?
       end
-
-      def format_output(job_output)
-        output = job_output.each_line(chomp: true)
-                           .drop_while { |l| !l.start_with? '===START' }.drop(1)
-                           .take_while { |l| !l.start_with? '===END' }
-                           .reject(&:empty?)
-                           .join('')
-        JSON.parse(output)
-      end
     end
   end
 end

data/app/models/concerns/foreman_cve_scanner/host_extensions.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+module ForemanCveScanner
+  # Adds CVE scan associations to hosts.
+  module HostExtensions
+    extend ActiveSupport::Concern
+
+    included do
+      has_many :cve_scans,
+        class_name: 'ForemanCveScanner::CveScan',
+        foreign_key: :host_id,
+        dependent: :destroy,
+        inverse_of: :host
+    end
+  end
+end

data/app/models/foreman_cve_scanner/cve_scan.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module ForemanCveScanner
+  # Stores a single CVE scan result for a host.
+  class CveScan < ApplicationRecord
+    self.table_name = 'foreman_cve_scanner_cve_scans'
+
+    belongs_to :host, class_name: '::Host::Managed'
+
+    validates :host_id, :scanner, :raw, :summary, :findings, presence: true
+
+    scope :for_host, ->(host_id) { where(host_id: host_id) }
+    scope :recent_first, -> { order(created_at: :desc, id: :desc) }
+  end
+end

data/app/models/host_status/cve_status.rb

@@ -0,0 +1,71 @@
+# frozen_string_literal: true
+
+module HostStatus
+  # Host status entry reflecting latest CVE scan severities.
+  class CveStatus < Status
+    CVE_SCANNER_STATUS_NONE = 0
+    CVE_SCANNER_STATUS_LOW = 1
+    CVE_SCANNER_STATUS_MEDIUM = 2
+    CVE_SCANNER_STATUS_CRITICAL_HIGH = 3
+
+    def self.status_name
+      N_('CVE')
+    end
+
+    def to_label(_options = {})
+      case latest_scan_severity
+      when :critical_high
+        N_('Critical or high CVEs')
+      when :medium
+        N_('Medium CVEs')
+      when :low
+        N_('Low CVEs')
+      when :none
+        N_('No CVE scans')
+      else
+        N_('No CVEs')
+      end
+    end
+
+    def to_global(_options = {})
+      case latest_scan_severity
+      when :critical_high
+        HostStatus::Global::ERROR
+      when :medium, :none
+        HostStatus::Global::WARN
+      else
+        HostStatus::Global::OK
+      end
+    end
+
+    def to_status(_options = {})
+      case latest_scan_severity
+      when :critical_high
+        CVE_SCANNER_STATUS_CRITICAL_HIGH
+      when :medium
+        CVE_SCANNER_STATUS_MEDIUM
+      when :low
+        CVE_SCANNER_STATUS_LOW
+      else
+        CVE_SCANNER_STATUS_NONE
+      end
+    end
+
+    private
+
+    def latest_scan
+      @latest_scan ||= ::ForemanCveScanner::CveScan.for_host(host_id).recent_first.first
+    end
+
+    def latest_scan_severity
+      scan = latest_scan
+      return :none if scan.nil?
+
+      return :critical_high if scan.critical.to_i.positive? || scan.high.to_i.positive?
+      return :medium if scan.medium.to_i.positive?
+      return :low if scan.low.to_i.positive?
+
+      :none
+    end
+  end
+end

data/app/services/foreman_cve_scanner/cve_report_scanner.rb

@@ -1,17 +1,10 @@
 # frozen_string_literal: true
 
 module ForemanCveScanner
-  # Scans ConfigReports after import for indicators of an CveScanner report and
-  # sets the origin of the report to 'CveScanner'
+  # Parses raw CVE scanner reports and produces unified logs/metrics.
+  # rubocop:disable Metrics/ClassLength
   class CveReportScanner
-    def self.add_reporter_data(_report, raw)
-      scanner = ForemanCveScanner::CveReportScanner.new(raw)
-      scanner.generate
-      raw['logs'] = scanner.logs
-      raw['status'] = scanner.status
-      raw['metrics'] = scanner.metrics
-      raw['report_status_calculator_options'] = { :metrics => %w[critical high medium low total] }
-    end
+    SEVERITY_ORDER = %w[CRITICAL HIGH MEDIUM LOW UNKNOWN].freeze
 
     def self.identify_origin(raw)
       'CveScanner' if cve_scanner_report?(raw)
@@ -37,9 +30,21 @@ module ForemanCveScanner
 
     attr_reader :logs, :status
 
+    def unified_vulnerabilities
+      @cve_report_data
+    end
+
+    def self.detect_scanner(scan_json)
+      return 'grype' if scan_json.is_a?(Hash) && scan_json.key?('matches')
+      return 'trivy' if scan_json.is_a?(Hash) && scan_json.key?('Results')
+
+      'unknown'
+    end
+
     def metrics
-      res = @status
-      res['total'] = @status.values.sum
+      known = %w[critical high medium low]
+      res = @status.slice(*known)
+      res['total'] = res.values.sum
       res
     end
 
@@ -47,43 +52,38 @@ module ForemanCveScanner
 
     def generate_log_from_unified(id, entry)
       {
-        'log': {
-          'level': consume_severity_level(entry['severity']),
-          'messages': {
-            message: "#{id}: #{entry['title']} # url: #{entry['url']}"
+        log: {
+          level: consume_severity_level(entry['severity']),
+          messages: {
+            message: "#{id}: #{entry['title']} # url: #{entry['url']}",
           },
           sources: {
-            source: "#{entry['name']} @ #{entry['version']}"
-          }
-        }
+            source: "#{entry['name']} @ #{entry['version']}",
+          },
+        },
       }.deep_stringify_keys
     end
 
     def consume_severity_level(severity)
+      severity = severity.to_s.strip.upcase
       @status[severity.downcase] = 0 unless @status.key?(severity.downcase)
       @status[severity.downcase] += 1
 
-      case severity
-      when 'CRITICAL'
-        'err'
-      when 'HIGH'
-        'warning'
-      when 'MEDIUM'
-        'info'
-      when 'LOW'
-        'debug'
-      else
-        'info'
-      end
+      {
+        'CRITICAL' => 'err',
+        'HIGH' => 'warning',
+        'MEDIUM' => 'info',
+        'LOW' => 'debug',
+      }.fetch(severity, 'info')
     end
 
     def generate_grype_entry(entry)
       {
         'name' => entry['artifact']['name'],
         'version' => entry['artifact']['version'],
-        'title' => entry['vulnerability']['description'].gsub(/[\[\]"\\]/, ''),
+        'title' => entry['vulnerability']['description'].to_s.gsub(/[\[\]"\\]/, ''),
         'severity' => entry['vulnerability']['severity'],
-        'url' => entry['vulnerability']['dataSource']
+        'url' => entry['vulnerability']['dataSource'],
       }
     end
 
@@ -91,17 +91,17 @@ module ForemanCveScanner
       unified = {
         'name' => entry['PkgName'],
         'version' => entry['InstalledVersion'],
-        'title' => entry['Title'].gsub(/[\[\]"\\]/, ''),
+        'title' => entry['Title'].to_s.gsub(/[\[\]"\\]/, ''),
         'severity' => entry['Severity'],
         'url' => entry['PrimaryURL'],
         'status' => entry['Status'],
-        'fixed' => entry['FixedVersion'] || 'open'
+        'fixed' => entry['FixedVersion'] || 'open',
       }
       unified['published'] = entry['PublishedDate'] if entry.key?('PublishedDate')
       unified
     end
 
-    # rubocop:disable Metrics/AbcSize
+    # rubocop:disable Metrics/AbcSize, Metrics/MethodLength, Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
     def generate_unified_vuls
       raise ::Foreman::Exception, _('Invalid CVE scanner report') unless @raw_data.key?('scan')
 
@@ -114,6 +114,7 @@ module ForemanCveScanner
       elsif j.key?('Results') # Trivy
         j['Results'].each do |r|
           next unless r.key? 'Vulnerabilities'
+
           r['Vulnerabilities'].each do |vul|
             vuls[vul['VulnerabilityID']] = generate_trivy_entry(vul)
           end
@@ -125,6 +126,7 @@ module ForemanCveScanner
 
       vuls
     end
-    # rubocop:enable Metrics/AbcSize
+    # rubocop:enable Metrics/AbcSize, Metrics/MethodLength, Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
   end
+  # rubocop:enable Metrics/ClassLength
 end

data/app/services/foreman_cve_scanner/scan_importer.rb

@@ -0,0 +1,105 @@
+# frozen_string_literal: true
+
+module ForemanCveScanner
+  # Import CVE scan results from REX job output and persist them.
+  class ScanImporter
+    def initialize(job_output)
+      @job_output = job_output
+    end
+
+    def import_for_host!(host)
+      scan_json = format_output(@job_output)
+      return nil if scan_json.nil?
+
+      scanner_name = ::ForemanCveScanner::CveReportScanner.detect_scanner(scan_json)
+      persist_scan!(host, scanner_name, scan_json)
+    end
+
+    private
+
+    def format_output(job_output)
+      output_source = normalize_job_output(job_output)
+      json_text = extract_json(output_source)
+      if json_text.blank? && output_source.to_s.strip.present?
+        Rails.logger.warn('CVE scan output did not contain markers or JSON content')
+      end
+      return nil if json_text.blank?
+
+      JSON.parse(json_text)
+    rescue JSON::ParserError => e
+      Rails.logger.error("CVE scan output parse failed: #{e}")
+      nil
+    end
+
+    def extract_json(output_source)
+      output = output_source.to_s.each_line(chomp: true)
+                            .drop_while { |line| !line.start_with?('===START') }
+                            .drop(1)
+                            .take_while { |line| !line.start_with?('===END') }
+                            .reject(&:empty?)
+                            .join
+      output.strip
+    end
+
+    def normalize_job_output(job_output)
+      return concat_proxy_output(job_output) if job_output.is_a?(Hash) && job_output.key?('proxy_output')
+
+      output_source = job_output
+      output_source = job_output.humanize if job_output.respond_to?(:humanize) && !job_output.is_a?(String)
+      output_source.to_s
+    end
+
+    def concat_proxy_output(job_output)
+      result = job_output.dig('proxy_output', 'result') || []
+      result.filter_map { |item| item['output'] if item['output_type'] == 'stdout' }.join
+    end
+
+    def persist_scan!(host, scanner_name, scan_json)
+      scanner = ::ForemanCveScanner::CveReportScanner.new('scan' => scan_json)
+      scanner.generate
+
+      metrics = scanner.metrics
+      scan = ::ForemanCveScanner::CveScan.create!(
+        build_scan_attributes(host, scanner_name, scan_json, metrics, scanner)
+      )
+      refresh_host_status(host)
+      scan
+    end
+
+    def refresh_host_status(host)
+      status = ::HostStatus::CveStatus.find_or_initialize_by(host: host)
+      status.refresh!
+    rescue StandardError => e
+      Rails.logger.error("CVE status refresh failed for host_id=#{host.id}: #{e}")
+    end
+
+    def worst_severity(metrics)
+      %w[critical high medium low].each do |severity|
+        return severity if metrics[severity].to_i.positive?
+      end
+      'none'
+    end
+
+    def build_scan_attributes(host, scanner_name, scan_json, metrics, scanner)
+      summary = metrics.merge('worst' => worst_severity(metrics))
+      {
+        host: host,
+        scanner: scanner_name,
+        raw: scan_json,
+        summary: summary,
+        findings: build_findings(scanner),
+        total: metrics['total'].to_i,
+        critical: metrics['critical'].to_i,
+        high: metrics['high'].to_i,
+        medium: metrics['medium'].to_i,
+        low: metrics['low'].to_i,
+      }
+    end
+
+    def build_findings(scanner)
+      scanner.unified_vulnerabilities.map do |id, entry|
+        entry.merge('id' => id)
+      end
+    end
+  end
+end

data/app/views/api/v2/cve_scans/base.json.rabl

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+object @cve_scan
+
+attributes :id, :host_id, :scanner, :created_at, :total, :critical, :high, :medium, :low, :summary

data/app/views/api/v2/cve_scans/index.json.rabl

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+collection @cve_scans
+
+extends 'api/v2/cve_scans/base'

data/app/views/api/v2/cve_scans/latest.json.rabl

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+object @cve_scan
+
+extends 'api/v2/cve_scans/main'

data/app/views/api/v2/cve_scans/main.json.rabl

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+object @cve_scan
+
+extends 'api/v2/cve_scans/base'
+
+attributes :findings, :created_at, :updated_at

data/app/views/api/v2/cve_scans/show.json.rabl

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+object @cve_scan
+
+extends 'api/v2/cve_scans/main'

data/app/views/foreman_cve_scanner/job_templates/install_cve_scanners.erb

@@ -59,13 +59,26 @@ grype_url = "https://github.com/anchore/grype/releases/download/v#{grype_version
 
 case @host.operatingsystem.family
 when 'Debian'
-  trivy_install_cmd = "wget -o /tmp/outfile.deb #{trivy_url} && dpkg -i /tmp/outfile.deb; rm -f /tmp/outfile.deb"
-  grype_install_cmd = "wget -o /tmp/outfile.deb #{grype_url} && dpkg -i /tmp/outfile.deb; rm -f /tmp/outfile.deb"
+  trivy_download_cmd = "wget -O /tmp/trivy.deb \"#{trivy_url}\""
+  grype_download_cmd = "wget -O /tmp/grype.deb \"#{grype_url}\""
+  trivy_install_cmd = "dpkg -i /tmp/trivy.deb"
+  grype_install_cmd = "dpkg -i /tmp/grype.deb"
+  trivy_cleanup_cmd = "rm -f /tmp/trivy.deb"
+  grype_cleanup_cmd = "rm -f /tmp/grype.deb"
 when 'Redhat', 'Suse'
-  trivy_install_cmd = "rpm -ivh #{trivy_url}"
-  grype_install_cmd = "rpm -ivh #{grype_url}"
+  trivy_install_cmd = "rpm -ivh \"#{trivy_url}\""
+  grype_install_cmd = "rpm -ivh \"#{grype_url}\""
 end
 -%>
 
-<%= trivy_install_cmd if input('scanner_to_install') == 'both' || input('scanner_to_install') == 'trivy' %>
-<%= grype_install_cmd if input('scanner_to_install') == 'both' || input('scanner_to_install') == 'grype' %>
+<% if input('scanner_to_install') == 'both' || input('scanner_to_install') == 'trivy' -%>
+<%= trivy_download_cmd unless trivy_install_cmd.nil? %>
+<%= trivy_install_cmd %>
+<%= trivy_cleanup_cmd unless trivy_cleanup_cmd.nil? %>
+<% end -%>
+
+<% if input('scanner_to_install') == 'both' || input('scanner_to_install') == 'grype' -%>
+<%= grype_download_cmd unless grype_download_cmd.nil? %>
+<%= grype_install_cmd %>
+<%= grype_cleanup_cmd unless grype_cleanup_cmd.nil? %>
+<% end %>

data/app/views/foreman_cve_scanner/job_templates/run_cve_scanner.erb

@@ -13,6 +13,7 @@ template_inputs:
   options: "filesystem\r\ndocker"
   advanced: false
   value_type: plain
+  default: filesystem
   hidden_value: false
 - name: options
   required: false
@@ -25,6 +26,7 @@ template_inputs:
   input_type: user
   advanced: false
   value_type: plain
+  default: /
   hidden_value: false
 - name: scanner
   required: true
@@ -39,7 +41,7 @@ template_inputs:
 scanner = input('scanner')
 target = input('target').to_sym
 path = input('path')
-options = input('options')
+options = input('options').to_s
 
 scanners = {
     trivy: {
@@ -57,7 +59,7 @@ if scanner == 'trivy'
     options += " --exit-code 0 --scanners vuln --quiet --format json"
 elsif scanner == 'grype'
     cmd = "#{scanners[:grype][target]}:#{path}"
-    options += " --quiet --quiet --output json"
+    options += " --quiet --output json"
 end
 exec_command = "#{scanner} #{cmd} #{options}"
 -%>

data/config/routes.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+Rails.application.routes.draw do
+  namespace :api, defaults: { format: 'json' } do
+    scope '(:apiv)', module: :v2,
+                     defaults: { apiv: 'v2' },
+                     apiv: /v1|v2/,
+                     constraints: ApiConstraints.new(version: 2, default: true) do
+      constraints(host_id: %r{[^/]+}) do
+        resources :hosts, only: [] do
+          resources :cve_scans, only: %i[index show] do
+            collection do
+              get :latest
+            end
+          end
+        end
+      end
+    end
+  end
+end