Feature/add novuln bool to vulnerability filter (#1165)

* update gql to add novuln bool filter

Signed-off-by: pxp928 <parth.psu@gmail.com>

* update inmem vuln

Signed-off-by: pxp928 <parth.psu@gmail.com>

* add missing id and novuln in resolver

Signed-off-by: pxp928 <parth.psu@gmail.com>

* update examples with novuln

Signed-off-by: pxp928 <parth.psu@gmail.com>

* add test cases for novuln boolean

Signed-off-by: pxp928 <parth.psu@gmail.com>

* update description for noVuln boolean filter

Signed-off-by: pxp928 <parth.psu@gmail.com>

* update unit tests and add checks

Signed-off-by: pxp928 <parth.psu@gmail.com>

* remove constant from resolver as not allowed

Signed-off-by: pxp928 <parth.psu@gmail.com>

---------

Signed-off-by: pxp928 <parth.psu@gmail.com>

pkg/assembler/backends/inmem/certifyVuln.go

@@ -23,6 +23,7 @@ import (
 
 	"github.com/vektah/gqlparser/v2/gqlerror"
 
+	"github.com/guacsec/guac/internal/testing/ptrfrom"
 	"github.com/guacsec/guac/pkg/assembler/graphql/model"
 )
 
@@ -212,7 +213,28 @@ func (c *demoClient) CertifyVuln(ctx context.Context, filter *model.CertifyVulnS
 			foundOne = true
 		}
 	}
-	if !foundOne && filter != nil && filter.Vulnerability != nil {
+	if !foundOne && filter != nil && filter.Vulnerability != nil &&
+		filter.Vulnerability.NoVuln != nil && *filter.Vulnerability.NoVuln {
+
+		exactVuln, err := c.exactVulnerability(&model.VulnerabilitySpec{
+			Type:            ptrfrom.String(noVulnType),
+			VulnerabilityID: ptrfrom.String(""),
+		})
+		if err != nil {
+			return nil, gqlerror.Errorf("%v :: %v", funcName, err)
+		}
+		if exactVuln != nil {
+			search = append(search, exactVuln.certifyVulnLinks...)
+			foundOne = true
+		}
+	} else if !foundOne && filter != nil && filter.Vulnerability != nil {
+
+		if filter.Vulnerability.NoVuln != nil && !*filter.Vulnerability.NoVuln {
+			if filter.Vulnerability.Type != nil && *filter.Vulnerability.Type == noVulnType {
+				return []*model.CertifyVuln{}, gqlerror.Errorf("novuln boolean set to false, cannot specify vulnerability type to be novuln")
+			}
+		}
+
 		exactVuln, err := c.exactVulnerability(filter.Vulnerability)
 		if err != nil {
 			return nil, gqlerror.Errorf("%v :: %v", funcName, err)
@@ -305,6 +327,13 @@ func (c *demoClient) buildCertifyVulnerability(link *certifyVulnerabilityLink, f
 			if err != nil {
 				return nil, err
 			}
+			if filter.Vulnerability.NoVuln != nil && !*filter.Vulnerability.NoVuln {
+				if vuln != nil {
+					if vuln.Type == noVulnType {
+						vuln = nil
+					}
+				}
+			}
 		}
 	} else {
 		if link.vulnerabilityID != 0 {

pkg/assembler/backends/inmem/certifyVuln_test.go

@@ -355,6 +355,218 @@ func TestIngestCertifyVulnerability(t *testing.T) {
 				},
 			},
 		},
+		{
+			Name:   "Query No Vuln - with novuln boolen",
+			InVuln: []*model.VulnerabilityInputSpec{noVulnInput, c1},
+			InPkg:  []*model.PkgInputSpec{p2, p1},
+			Calls: []call{
+				{
+					Pkg:  p2,
+					Vuln: noVulnInput,
+					CertifyVuln: &model.ScanMetadataInput{
+						Collector:      "test collector",
+						Origin:         "test origin",
+						ScannerVersion: "v1.0.0",
+						ScannerURI:     "test scanner uri",
+						DbVersion:      "2023.01.01",
+						DbURI:          "test db uri",
+						TimeScanned:    t1,
+					},
+				},
+				{
+					Pkg:  p1,
+					Vuln: c1,
+					CertifyVuln: &model.ScanMetadataInput{
+						Collector:      "test collector",
+						Origin:         "test origin",
+						ScannerVersion: "v1.0.0",
+						ScannerURI:     "test scanner uri",
+						DbVersion:      "2023.01.01",
+						DbURI:          "test db uri",
+						TimeScanned:    t1,
+					},
+				},
+			},
+			Query: &model.CertifyVulnSpec{
+				Vulnerability: &model.VulnerabilitySpec{
+					NoVuln: ptrfrom.Bool(true),
+				},
+			},
+			ExpVuln: []*model.CertifyVuln{
+				{
+					Package: p2out,
+					Vulnerability: &model.Vulnerability{
+						Type:             "novuln",
+						VulnerabilityIDs: []*model.VulnerabilityID{noVulnOut},
+					},
+					Metadata: vmd1,
+				},
+			},
+		},
+		{
+			Name:   "Query only cve (exclude novuln) - with novuln boolen",
+			InVuln: []*model.VulnerabilityInputSpec{noVulnInput, c1},
+			InPkg:  []*model.PkgInputSpec{p2, p1},
+			Calls: []call{
+				{
+					Pkg:  p2,
+					Vuln: noVulnInput,
+					CertifyVuln: &model.ScanMetadataInput{
+						Collector:      "test collector",
+						Origin:         "test origin",
+						ScannerVersion: "v1.0.0",
+						ScannerURI:     "test scanner uri",
+						DbVersion:      "2023.01.01",
+						DbURI:          "test db uri",
+						TimeScanned:    t1,
+					},
+				},
+				{
+					Pkg:  p1,
+					Vuln: c1,
+					CertifyVuln: &model.ScanMetadataInput{
+						Collector:      "test collector",
+						Origin:         "test origin",
+						ScannerVersion: "v1.0.0",
+						ScannerURI:     "test scanner uri",
+						DbVersion:      "2023.01.01",
+						DbURI:          "test db uri",
+						TimeScanned:    t1,
+					},
+				},
+			},
+			Query: &model.CertifyVulnSpec{
+				Vulnerability: &model.VulnerabilitySpec{
+					NoVuln: ptrfrom.Bool(false),
+				},
+			},
+			ExpVuln: []*model.CertifyVuln{
+				{
+					Package: p1out,
+					Vulnerability: &model.Vulnerability{
+						Type:             "cve",
+						VulnerabilityIDs: []*model.VulnerabilityID{c1out},
+					},
+					Metadata: vmd1,
+				},
+			},
+		},
+		{
+			Name:   "Query all vulns - with novuln boolean omitted",
+			InVuln: []*model.VulnerabilityInputSpec{noVulnInput, c1, g1},
+			InPkg:  []*model.PkgInputSpec{p2, p1, p1},
+			Calls: []call{
+				{
+					Pkg:  p2,
+					Vuln: noVulnInput,
+					CertifyVuln: &model.ScanMetadataInput{
+						Collector:      "test collector",
+						Origin:         "test origin",
+						ScannerVersion: "v1.0.0",
+						ScannerURI:     "test scanner uri",
+						DbVersion:      "2023.01.01",
+						DbURI:          "test db uri",
+						TimeScanned:    t1,
+					},
+				},
+				{
+					Pkg:  p1,
+					Vuln: c1,
+					CertifyVuln: &model.ScanMetadataInput{
+						Collector:      "test collector",
+						Origin:         "test origin",
+						ScannerVersion: "v1.0.0",
+						ScannerURI:     "test scanner uri",
+						DbVersion:      "2023.01.01",
+						DbURI:          "test db uri",
+						TimeScanned:    t1,
+					},
+				},
+				{
+					Pkg:  p1,
+					Vuln: g1,
+					CertifyVuln: &model.ScanMetadataInput{
+						Collector:      "test collector",
+						Origin:         "test origin",
+						ScannerVersion: "v1.0.0",
+						ScannerURI:     "test scanner uri",
+						DbVersion:      "2023.01.01",
+						DbURI:          "test db uri",
+						TimeScanned:    t1,
+					},
+				},
+			},
+			Query: &model.CertifyVulnSpec{
+				Vulnerability: &model.VulnerabilitySpec{},
+			},
+			ExpVuln: []*model.CertifyVuln{
+				{
+					Package: p2out,
+					Vulnerability: &model.Vulnerability{
+						Type:             "novuln",
+						VulnerabilityIDs: []*model.VulnerabilityID{noVulnOut},
+					},
+					Metadata: vmd1,
+				},
+				{
+					Package: p1out,
+					Vulnerability: &model.Vulnerability{
+						Type:             "cve",
+						VulnerabilityIDs: []*model.VulnerabilityID{c1out},
+					},
+					Metadata: vmd1,
+				},
+				{
+					Package: p1out,
+					Vulnerability: &model.Vulnerability{
+						Type:             "ghsa",
+						VulnerabilityIDs: []*model.VulnerabilityID{g1out},
+					},
+					Metadata: vmd1,
+				},
+			},
+		},
+		{
+			Name:   "Query No Vuln - with novuln boolen false but type set to novuln",
+			InVuln: []*model.VulnerabilityInputSpec{noVulnInput, c1},
+			InPkg:  []*model.PkgInputSpec{p2, p1},
+			Calls: []call{
+				{
+					Pkg:  p2,
+					Vuln: noVulnInput,
+					CertifyVuln: &model.ScanMetadataInput{
+						Collector:      "test collector",
+						Origin:         "test origin",
+						ScannerVersion: "v1.0.0",
+						ScannerURI:     "test scanner uri",
+						DbVersion:      "2023.01.01",
+						DbURI:          "test db uri",
+						TimeScanned:    t1,
+					},
+				},
+				{
+					Pkg:  p1,
+					Vuln: c1,
+					CertifyVuln: &model.ScanMetadataInput{
+						Collector:      "test collector",
+						Origin:         "test origin",
+						ScannerVersion: "v1.0.0",
+						ScannerURI:     "test scanner uri",
+						DbVersion:      "2023.01.01",
+						DbURI:          "test db uri",
+						TimeScanned:    t1,
+					},
+				},
+			},
+			Query: &model.CertifyVulnSpec{
+				Vulnerability: &model.VulnerabilitySpec{
+					NoVuln: ptrfrom.Bool(false),
+					Type:   ptrfrom.String("novuln"),
+				},
+			},
+			ExpVuln:     []*model.CertifyVuln{},
+			ExpQueryErr: true,
+		},
 		{
 			Name:  "Ingest without vuln",
 			InPkg: []*model.PkgInputSpec{p2},

pkg/assembler/backends/inmem/vulnerability.go

@@ -24,35 +24,11 @@ import (
 
 	"github.com/vektah/gqlparser/v2/gqlerror"
 
+	"github.com/guacsec/guac/internal/testing/ptrfrom"
 	"github.com/guacsec/guac/pkg/assembler/graphql/model"
 )
 
-// func registerAllCVE(client *demoClient) {
-// 	ctx := context.Background()
-
-// 	inputs := []model.CVEInputSpec{{
-// 		Year:  2019,
-// 		CveID: "CVE-2019-13110",
-// 	}, {
-// 		Year:  2014,
-// 		CveID: "CVE-2014-8139",
-// 	}, {
-// 		Year:  2014,
-// 		CveID: "CVE-2014-8140",
-// 	}, {
-// 		Year:  2022,
-// 		CveID: "CVE-2022-26499",
-// 	}, {
-// 		Year:  2014,
-// 		CveID: "CVE-2014-8140",
-// 	}}
-// 	for _, input := range inputs {
-// 		_, err := client.IngestCve(ctx, &input)
-// 		if err != nil {
-// 			log.Printf("Error in ingesting: %v\n", err)
-// 		}
-// 	}
-// }
+const noVulnType string = "novuln"
 
 // Internal data: Vulnerability
 type vulnTypeMap map[string]*vulnTypeStruct
@@ -115,7 +91,7 @@ func (n *vulnIDNode) setVulnEqualLinks(id uint32) { n.vulnEqualLinks = append(n.
 // certifyVexStatement back edges
 func (n *vulnIDNode) setVexLinks(id uint32) { n.vexLinks = append(n.vexLinks, id) }
 
-// Ingest CVE
+// Ingest Vulnerabilities
 
 func (c *demoClient) IngestVulnerabilities(ctx context.Context, vulns []*model.VulnerabilityInputSpec) ([]*model.Vulnerability, error) {
 	var modelVulnerabilities []*model.Vulnerability
@@ -188,7 +164,7 @@ func duplicateVulnID(vulnIDs vulnIDList, input model.VulnerabilityInputSpec) (bo
 	return false, nil
 }
 
-// Query CVE
+// Query Vulnerabilities
 func (c *demoClient) Vulnerabilities(ctx context.Context, filter *model.VulnerabilitySpec) ([]*model.Vulnerability, error) {
 	c.m.RLock()
 	defer c.m.RUnlock()
@@ -208,7 +184,19 @@ func (c *demoClient) Vulnerabilities(ctx context.Context, filter *model.Vulnerab
 		return []*model.Vulnerability{v}, nil
 	}
 
+	if filter.NoVuln != nil && !*filter.NoVuln {
+		if filter.Type != nil && *filter.Type == noVulnType {
+			return []*model.Vulnerability{}, gqlerror.Errorf("novuln boolean set to false, cannot specify vulnerability type to be novuln")
+		}
+	}
+
 	out := []*model.Vulnerability{}
+	// if novuln is specified, retrieve all "novuln" type nodes
+	if filter != nil && filter.NoVuln != nil && *filter.NoVuln {
+		filter.Type = ptrfrom.String(noVulnType)
+		filter.VulnerabilityID = ptrfrom.String("")
+	}
+
 	if filter != nil && filter.Type != nil {
 		typeStruct, ok := c.vulnerabilities[strings.ToLower(*filter.Type)]
 		if ok {

pkg/assembler/backends/inmem/vulnerability_test.go

@@ -205,6 +205,19 @@ func TestVulnerability(t *testing.T) {
 				},
 			},
 		},
+		{
+			Name:    "Query by type - noVuln with boolean",
+			Ingests: []*model.VulnerabilityInputSpec{noVulnInput},
+			Query: &model.VulnerabilitySpec{
+				NoVuln: ptrfrom.Bool(true),
+			},
+			Exp: []*model.Vulnerability{
+				&model.Vulnerability{
+					Type:             "novuln",
+					VulnerabilityIDs: []*model.VulnerabilityID{noVulnOut},
+				},
+			},
+		},
 		{
 			Name:    "Query by vulnID",
 			Ingests: []*model.VulnerabilityInputSpec{c1, c2, c3},