
update certifier with specific package queries to keep state #2163

Merged: 13 commits, Oct 3, 2024

Conversation

pxp928 (Collaborator) commented Oct 1, 2024

Description of the PR

fixes #1849

Example:

Ingest SBOM with Vulnerability and License Scan

go run ./cmd/guacone collect files ../guac-data/docs/spdx/spdx_vuln.json --add-vuln-on-ingest=true --add-license-on-ingest=true
{"level":"info","ts":1727897921.652874,"caller":"logging/logger.go:79","msg":"Logging at info level","guac-version":"v0.0.1-custom"}
{"level":"info","ts":1727897921.652958,"caller":"cli/init.go:65","msg":"Using config file: /Users/parth/Documents/pxp928/guac/guac.yaml","guac-version":"v0.0.1-custom"}
{"level":"info","ts":1727897923.878842,"caller":"ingestor/ingestor.go:68","msg":"unable to create entries in collectsub server, but continuing: unable to add collect entries: rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing: dial tcp [::1]:2782: connect: connection refused\"","guac-version":"v0.0.1-custom","documentHash":"sha256_bf11d727359a943f39132e92d723ce76222328790813a8ed0057c59408c8953e"}
{"level":"info","ts":1727897923.911496,"caller":"helpers/bulk.go:47","msg":"assembling Package: 3981","guac-version":"v0.0.1-custom","documentHash":"sha256_bf11d727359a943f39132e92d723ce76222328790813a8ed0057c59408c8953e"}
{"level":"info","ts":1727897924.145139,"caller":"helpers/bulk.go:63","msg":"assembling Source: 53","guac-version":"v0.0.1-custom","documentHash":"sha256_bf11d727359a943f39132e92d723ce76222328790813a8ed0057c59408c8953e"}
{"level":"info","ts":1727897924.1520991,"caller":"helpers/bulk.go:73","msg":"assembling Artifact: 3384","guac-version":"v0.0.1-custom","documentHash":"sha256_bf11d727359a943f39132e92d723ce76222328790813a8ed0057c59408c8953e"}
{"level":"info","ts":1727897924.198806,"caller":"helpers/bulk.go:88","msg":"assembling Materials (Artifact): 0","guac-version":"v0.0.1-custom","documentHash":"sha256_bf11d727359a943f39132e92d723ce76222328790813a8ed0057c59408c8953e"}
{"level":"info","ts":1727897924.200035,"caller":"helpers/bulk.go:97","msg":"assembling Builder: 0","guac-version":"v0.0.1-custom","documentHash":"sha256_bf11d727359a943f39132e92d723ce76222328790813a8ed0057c59408c8953e"}
{"level":"info","ts":1727897924.2006688,"caller":"helpers/bulk.go:106","msg":"assembling Vulnerability: 79","guac-version":"v0.0.1-custom","documentHash":"sha256_bf11d727359a943f39132e92d723ce76222328790813a8ed0057c59408c8953e"}
{"level":"info","ts":1727897924.2033222,"caller":"helpers/bulk.go:115","msg":"assembling Licenses: 70","guac-version":"v0.0.1-custom","documentHash":"sha256_bf11d727359a943f39132e92d723ce76222328790813a8ed0057c59408c8953e"}
{"level":"info","ts":1727897924.2052422,"caller":"helpers/bulk.go:122","msg":"assembling CertifyScorecard: 0","guac-version":"v0.0.1-custom","documentHash":"sha256_bf11d727359a943f39132e92d723ce76222328790813a8ed0057c59408c8953e"}
{"level":"info","ts":1727897924.205249,"caller":"helpers/bulk.go:128","msg":"assembling IsDependency: 7161","guac-version":"v0.0.1-custom","documentHash":"sha256_bf11d727359a943f39132e92d723ce76222328790813a8ed0057c59408c8953e"}
{"level":"info","ts":1727897924.585568,"caller":"helpers/bulk.go:137","msg":"assembling IsOccurrence: 3878","guac-version":"v0.0.1-custom","documentHash":"sha256_bf11d727359a943f39132e92d723ce76222328790813a8ed0057c59408c8953e"}
{"level":"info","ts":1727897924.758792,"caller":"helpers/bulk.go:146","msg":"assembling HasSLSA: 0","guac-version":"v0.0.1-custom","documentHash":"sha256_bf11d727359a943f39132e92d723ce76222328790813a8ed0057c59408c8953e"}
{"level":"info","ts":1727897924.75882,"caller":"helpers/bulk.go:152","msg":"assembling CertifyVuln: 151","guac-version":"v0.0.1-custom","documentHash":"sha256_bf11d727359a943f39132e92d723ce76222328790813a8ed0057c59408c8953e"}
{"level":"info","ts":1727897924.769691,"caller":"helpers/bulk.go:158","msg":"assembling VulnMetadata: 0","guac-version":"v0.0.1-custom","documentHash":"sha256_bf11d727359a943f39132e92d723ce76222328790813a8ed0057c59408c8953e"}
{"level":"info","ts":1727897924.769709,"caller":"helpers/bulk.go:164","msg":"assembling VulnEqual: 39","guac-version":"v0.0.1-custom","documentHash":"sha256_bf11d727359a943f39132e92d723ce76222328790813a8ed0057c59408c8953e"}
{"level":"info","ts":1727897924.772297,"caller":"helpers/bulk.go:170","msg":"assembling HasSourceAt: 66","guac-version":"v0.0.1-custom","documentHash":"sha256_bf11d727359a943f39132e92d723ce76222328790813a8ed0057c59408c8953e"}
{"level":"info","ts":1727897924.776878,"caller":"helpers/bulk.go:176","msg":"assembling CertifyBad: 0","guac-version":"v0.0.1-custom","documentHash":"sha256_bf11d727359a943f39132e92d723ce76222328790813a8ed0057c59408c8953e"}
{"level":"info","ts":1727897924.77689,"caller":"helpers/bulk.go:182","msg":"assembling CertifyGood: 0","guac-version":"v0.0.1-custom","documentHash":"sha256_bf11d727359a943f39132e92d723ce76222328790813a8ed0057c59408c8953e"}
{"level":"info","ts":1727897924.7768939,"caller":"helpers/bulk.go:188","msg":"assembling PointOfContact: 0","guac-version":"v0.0.1-custom","documentHash":"sha256_bf11d727359a943f39132e92d723ce76222328790813a8ed0057c59408c8953e"}
{"level":"info","ts":1727897924.776897,"caller":"helpers/bulk.go:194","msg":"assembling HasMetadata: 462","guac-version":"v0.0.1-custom","documentHash":"sha256_bf11d727359a943f39132e92d723ce76222328790813a8ed0057c59408c8953e"}
{"level":"info","ts":1727897924.795774,"caller":"helpers/bulk.go:200","msg":"assembling HasSBOM: 1","guac-version":"v0.0.1-custom","documentHash":"sha256_bf11d727359a943f39132e92d723ce76222328790813a8ed0057c59408c8953e"}
{"level":"info","ts":1727897924.95836,"caller":"helpers/bulk.go:211","msg":"assembling VEX : 0","guac-version":"v0.0.1-custom","documentHash":"sha256_bf11d727359a943f39132e92d723ce76222328790813a8ed0057c59408c8953e"}
{"level":"info","ts":1727897924.9583821,"caller":"helpers/bulk.go:217","msg":"assembling HashEqual : 0","guac-version":"v0.0.1-custom","documentHash":"sha256_bf11d727359a943f39132e92d723ce76222328790813a8ed0057c59408c8953e"}
{"level":"info","ts":1727897924.958386,"caller":"helpers/bulk.go:223","msg":"assembling PkgEqual : 0","guac-version":"v0.0.1-custom","documentHash":"sha256_bf11d727359a943f39132e92d723ce76222328790813a8ed0057c59408c8953e"}
{"level":"info","ts":1727897924.958389,"caller":"helpers/bulk.go:229","msg":"assembling CertifyLegal : 190","guac-version":"v0.0.1-custom","documentHash":"sha256_bf11d727359a943f39132e92d723ce76222328790813a8ed0057c59408c8953e"}
{"level":"info","ts":1727897924.987985,"caller":"ingestor/ingestor.go:78","msg":"[3.33056875s] completed doc {Collector:FileCollector Source:file:///../guac-data/docs/spdx/spdx_vuln.json DocumentRef:sha256_bf11d727359a943f39132e92d723ce76222328790813a8ed0057c59408c8953e}","guac-version":"v0.0.1-custom","documentHash":"sha256_bf11d727359a943f39132e92d723ce76222328790813a8ed0057c59408c8953e"}
{"level":"info","ts":1727897924.9880068,"caller":"cmd/files.go:144","msg":"collector ended gracefully","guac-version":"v0.0.1-custom"}
{"level":"info","ts":1727897924.988032,"caller":"cmd/files.go:159","msg":"completed ingesting 1 documents of 1","guac-version":"v0.0.1-custom"}

Run OSV Scan with last-scan set to the last 4 hours:

go run ./cmd/guacone certifier osv --last-scan=4
{"level":"info","ts":1727897946.079475,"caller":"logging/logger.go:79","msg":"Logging at info level","guac-version":"v0.0.1-custom"}
{"level":"info","ts":1727897946.0795672,"caller":"cli/init.go:65","msg":"Using config file: /Users/parth/Documents/pxp928/guac/guac.yaml","guac-version":"v0.0.1-custom"}
{"level":"info","ts":1727897946.0798552,"caller":"certify/certify.go:109","msg":"Starting certifier run: 2024-10-02 19:39:06.079743 +0000 UTC","guac-version":"v0.0.1-custom"}
{"level":"info","ts":1727897946.191792,"caller":"certify/certify.go:114","msg":"Certifier run completed: 2024-10-02 19:39:06.191783 +0000 UTC","guac-version":"v0.0.1-custom"}
{"level":"info","ts":1727897946.191823,"caller":"cmd/osv.go:214","msg":"All certifiers completed","guac-version":"v0.0.1-custom"}
{"level":"info","ts":1727897946.1918561,"caller":"cmd/osv.go:223","msg":"completed ingesting 0 documents","guac-version":"v0.0.1-custom"}

Run CD Scan with last-scan set to the last 4 hours:

This returns an ingestion, as CD returns no license information for the package:

curl -X GET "https://api.clearlydefined.io/definitions/deb/debian/-/libgcc-s1/10.2.1-6_arm64" -H "accept: */*"

So this is the one package that is being checked again.

go run ./cmd/guacone certifier cd --last-scan=4
{"level":"info","ts":1727897963.336666,"caller":"logging/logger.go:79","msg":"Logging at info level","guac-version":"v0.0.1-custom"}
{"level":"info","ts":1727897963.3367271,"caller":"cli/init.go:65","msg":"Using config file: /Users/parth/Documents/pxp928/guac/guac.yaml","guac-version":"v0.0.1-custom"}
{"level":"info","ts":1727897963.336997,"caller":"certify/certify.go:109","msg":"Starting certifier run: 2024-10-02 19:39:23.336904 +0000 UTC","guac-version":"v0.0.1-custom"}
{"level":"info","ts":1727897964.4409978,"caller":"certify/certify.go:114","msg":"Certifier run completed: 2024-10-02 19:39:24.440983 +0000 UTC","guac-version":"v0.0.1-custom"}
{"level":"info","ts":1727897964.4410958,"caller":"cmd/license.go:213","msg":"All certifiers completed","guac-version":"v0.0.1-custom"}
{"level":"info","ts":1727897964.443928,"caller":"helpers/bulk.go:47","msg":"assembling Package: 1","guac-version":"v0.0.1-custom"}
{"level":"info","ts":1727897964.453116,"caller":"helpers/bulk.go:63","msg":"assembling Source: 1","guac-version":"v0.0.1-custom"}
{"level":"info","ts":1727897964.4566662,"caller":"helpers/bulk.go:73","msg":"assembling Artifact: 0","guac-version":"v0.0.1-custom"}
{"level":"info","ts":1727897964.4587479,"caller":"helpers/bulk.go:88","msg":"assembling Materials (Artifact): 0","guac-version":"v0.0.1-custom"}
{"level":"info","ts":1727897964.460907,"caller":"helpers/bulk.go:97","msg":"assembling Builder: 0","guac-version":"v0.0.1-custom"}
{"level":"info","ts":1727897964.462872,"caller":"helpers/bulk.go:106","msg":"assembling Vulnerability: 0","guac-version":"v0.0.1-custom"}
{"level":"info","ts":1727897964.464535,"caller":"helpers/bulk.go:115","msg":"assembling Licenses: 25","guac-version":"v0.0.1-custom"}
{"level":"info","ts":1727897964.4703639,"caller":"helpers/bulk.go:122","msg":"assembling CertifyScorecard: 0","guac-version":"v0.0.1-custom"}
{"level":"info","ts":1727897964.4703841,"caller":"helpers/bulk.go:128","msg":"assembling IsDependency: 0","guac-version":"v0.0.1-custom"}
{"level":"info","ts":1727897964.470415,"caller":"helpers/bulk.go:137","msg":"assembling IsOccurrence: 0","guac-version":"v0.0.1-custom"}
{"level":"info","ts":1727897964.4704452,"caller":"helpers/bulk.go:146","msg":"assembling HasSLSA: 0","guac-version":"v0.0.1-custom"}
{"level":"info","ts":1727897964.470454,"caller":"helpers/bulk.go:152","msg":"assembling CertifyVuln: 0","guac-version":"v0.0.1-custom"}
{"level":"info","ts":1727897964.47046,"caller":"helpers/bulk.go:158","msg":"assembling VulnMetadata: 0","guac-version":"v0.0.1-custom"}
{"level":"info","ts":1727897964.4704661,"caller":"helpers/bulk.go:164","msg":"assembling VulnEqual: 0","guac-version":"v0.0.1-custom"}
{"level":"info","ts":1727897964.470474,"caller":"helpers/bulk.go:170","msg":"assembling HasSourceAt: 1","guac-version":"v0.0.1-custom"}
{"level":"info","ts":1727897964.473336,"caller":"helpers/bulk.go:176","msg":"assembling CertifyBad: 0","guac-version":"v0.0.1-custom"}
{"level":"info","ts":1727897964.473359,"caller":"helpers/bulk.go:182","msg":"assembling CertifyGood: 0","guac-version":"v0.0.1-custom"}
{"level":"info","ts":1727897964.4733691,"caller":"helpers/bulk.go:188","msg":"assembling PointOfContact: 0","guac-version":"v0.0.1-custom"}
{"level":"info","ts":1727897964.473376,"caller":"helpers/bulk.go:194","msg":"assembling HasMetadata: 0","guac-version":"v0.0.1-custom"}
{"level":"info","ts":1727897964.473384,"caller":"helpers/bulk.go:200","msg":"assembling HasSBOM: 0","guac-version":"v0.0.1-custom"}
{"level":"info","ts":1727897964.47339,"caller":"helpers/bulk.go:211","msg":"assembling VEX : 0","guac-version":"v0.0.1-custom"}
{"level":"info","ts":1727897964.473397,"caller":"helpers/bulk.go:217","msg":"assembling HashEqual : 0","guac-version":"v0.0.1-custom"}
{"level":"info","ts":1727897964.473404,"caller":"helpers/bulk.go:223","msg":"assembling PkgEqual : 0","guac-version":"v0.0.1-custom"}
{"level":"info","ts":1727897964.473411,"caller":"helpers/bulk.go:229","msg":"assembling CertifyLegal : 1","guac-version":"v0.0.1-custom"}
{"level":"info","ts":1727897964.479831,"caller":"ingestor/ingestor.go:157","msg":"[38.583708ms] completed docs 2","guac-version":"v0.0.1-custom"}
{"level":"info","ts":1727897964.479869,"caller":"cmd/license.go:222","msg":"completed ingesting 2 documents","guac-version":"v0.0.1-custom"}

PR Checklist

  • All commits have a Developer Certificate of Origin (DCO) -- they are generated using the -s flag to git commit.
  • All new changes are covered by tests
  • If GraphQL schema is changed, make generate has been run
  • If GraphQL schema is changed, GraphQL client updates/additions have been made
  • If OpenAPI spec is changed, make generate has been run
  • If ent schema is changed, make generate has been run
  • If collectsub protobuf has been changed, make proto has been run
  • All CI checks are passing (tests and formatting)
  • All dependent PRs have already been merged
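As an added illustration (not code from this PR or from GUAC itself), the selection rule the description exercises with `--last-scan=4`: a package is queried again only when it has no attestation on record or its last scan is older than the window, so the certifier asks for those specific packages rather than every package noun. Type and function names, and the sample purls, are constructed for the example.

```go
package main

import (
	"fmt"
	"time"
)

// PackageScan is a constructed record: a package URL and when the
// certifier last attested it (nil means no CertifyVuln/CertifyLegal
// record exists yet, which is the ClearlyDefined no-data case above).
type PackageScan struct {
	Purl     string
	LastScan *time.Time
}

// NeedsRescan mirrors the --last-scan=<hours> semantics: never-scanned
// packages are always selected; otherwise only those whose last scan
// is older than now-window. A scan exactly at the cutoff is skipped.
func NeedsRescan(p PackageScan, now time.Time, lastScanHours int) bool {
	if p.LastScan == nil {
		return true
	}
	cutoff := now.Add(-time.Duration(lastScanHours) * time.Hour)
	return p.LastScan.Before(cutoff)
}

// SelectForRescan returns only the purls that need another certifier
// run, i.e. the specific package query instead of fetching all nouns.
func SelectForRescan(pkgs []PackageScan, now time.Time, lastScanHours int) []string {
	var out []string
	for _, p := range pkgs {
		if NeedsRescan(p, now, lastScanHours) {
			out = append(out, p.Purl)
		}
	}
	return out
}

func main() {
	now := time.Date(2024, 10, 2, 19, 39, 0, 0, time.UTC) // constructed clock
	fresh := now.Add(-30 * time.Minute)
	stale := now.Add(-6 * time.Hour)
	pkgs := []PackageScan{ // constructed sample inventory
		{"pkg:deb/debian/libgcc-s1@10.2.1-6?arch=arm64", nil}, // no record
		{"pkg:golang/example.com/fresh@1.0.0", &fresh},        // inside window
		{"pkg:golang/example.com/stale@1.0.0", &stale},        // outside window
	}
	fmt.Println(SelectForRescan(pkgs, now, 4)) // first and third purls only
}
```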

Signed-off-by: pxp928 <parth.psu@gmail.com>
@pxp928 pxp928 marked this pull request as draft October 1, 2024 21:48
@pxp928 pxp928 force-pushed the issue-1849 branch 3 times, most recently from f7d8d70 to 237c9f9 Compare October 2, 2024 19:37
@pxp928 pxp928 marked this pull request as ready for review October 2, 2024 20:00
@kodiakhq kodiakhq bot merged commit f13bed1 into main Oct 3, 2024
8 checks passed
@kodiakhq kodiakhq bot deleted the issue-1849 branch October 3, 2024 21:26

Successfully merging this pull request may close these issues.

[feature] Certifier should use a more specific query and not get all nouns
4 participants