

Add Legal information schema and inmem backend. (#1207)
* Add Legal information schema and inmem backend.

License noun node and CertifyLegal verb node added. Client operations
added. Inmem implementation added. License input verification added to
resolver. CertifyLegal input verification is not added to the resolver yet, as it will
be a cut and paste of the other Certify verb nodes when those are moved to the
resolver soon. Other backends are not implemented yet; they will be soon.

Signed-off-by: Jeff Mendoza <jlm@jlm.name>

* Update client path operations with legal trees.

Signed-off-by: Jeff Mendoza <jlm@jlm.name>

* Change legal to return IDs

Signed-off-by: Jeff Mendoza <jlm@jlm.name>

---------

Signed-off-by: Jeff Mendoza <jlm@jlm.name>
jeffmendoza committed Sep 1, 2023
1 parent a72cbbc commit 68e0455
Showing 29 changed files with 8,067 additions and 321 deletions.
4 changes: 4 additions & 0 deletions .github/scripts/excluded_from_copyright
Expand Up @@ -191,6 +191,7 @@
./pkg/assembler/graphql/generated/builder.generated.go
./pkg/assembler/graphql/generated/certifyBad.generated.go
./pkg/assembler/graphql/generated/certifyGood.generated.go
./pkg/assembler/graphql/generated/certifyLegal.generated.go
./pkg/assembler/graphql/generated/certifyScorecard.generated.go
./pkg/assembler/graphql/generated/certifyVEXStatement.generated.go
./pkg/assembler/graphql/generated/certifyVuln.generated.go
Expand All @@ -203,6 +204,7 @@
./pkg/assembler/graphql/generated/hashEqual.generated.go
./pkg/assembler/graphql/generated/isDependency.generated.go
./pkg/assembler/graphql/generated/isOccurrence.generated.go
./pkg/assembler/graphql/generated/license.generated.go
./pkg/assembler/graphql/generated/isVulnerability.generated.go
./pkg/assembler/graphql/generated/metadata.generated.go
./pkg/assembler/graphql/generated/osv.generated.go
Expand All @@ -221,6 +223,7 @@
./pkg/assembler/graphql/resolvers/builder.resolvers.go
./pkg/assembler/graphql/resolvers/certifyBad.resolvers.go
./pkg/assembler/graphql/resolvers/certifyGood.resolvers.go
./pkg/assembler/graphql/resolvers/certifyLegal.resolvers.go
./pkg/assembler/graphql/resolvers/certifyScorecard.resolvers.go
./pkg/assembler/graphql/resolvers/certifyVEXStatement.resolvers.go
./pkg/assembler/graphql/resolvers/certifyVuln.resolvers.go
Expand All @@ -234,6 +237,7 @@
./pkg/assembler/graphql/resolvers/isDependency.resolvers.go
./pkg/assembler/graphql/resolvers/isOccurrence.resolvers.go
./pkg/assembler/graphql/resolvers/isVulnerability.resolvers.go
./pkg/assembler/graphql/resolvers/license.resolvers.go
./pkg/assembler/graphql/resolvers/metadata.resolvers.go
./pkg/assembler/graphql/resolvers/osv.resolvers.go
./pkg/assembler/graphql/resolvers/package.resolvers.go
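Review bot: The new entry `./pkg/assembler/graphql/generated/license.generated.go` is placed between the isOccurrence and isVulnerability entries, which breaks the alphabetical order the rest of this list keeps (the matching resolvers entry below is placed correctly after isVulnerability). Moving it to sit between `isVulnerability.generated.go` and `metadata.generated.go` keeps the list sorted and makes future merges of this file less conflict-prone.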
90 changes: 90 additions & 0 deletions internal/testing/mocks/backend.go


19 changes: 19 additions & 0 deletions pkg/assembler/backends/arangodb/backend.go
Expand Up @@ -794,6 +794,25 @@ func (c *arangoClient) Path(ctx context.Context, subject string, target string,
panic(fmt.Errorf("not implemented: Path - Path"))
}

func (c *arangoClient) Licenses(ctx context.Context, licenseSpec *model.LicenseSpec) ([]*model.License, error) {
panic(fmt.Errorf("not implemented: Licenses"))
}
func (c *arangoClient) IngestLicense(ctx context.Context, license *model.LicenseInputSpec) (*model.License, error) {
panic(fmt.Errorf("not implemented: IngestLicense"))
}
func (c *arangoClient) IngestLicenses(ctx context.Context, licenses []*model.LicenseInputSpec) ([]*model.License, error) {
panic(fmt.Errorf("not implemented: IngestLicenses"))
}
func (c *arangoClient) CertifyLegal(ctx context.Context, certifyLegalSpec *model.CertifyLegalSpec) ([]*model.CertifyLegal, error) {
panic(fmt.Errorf("not implemented: CertifyLegal"))
}
func (c *arangoClient) IngestCertifyLegal(ctx context.Context, subject model.PackageOrSourceInput, declaredLicenses []*model.LicenseInputSpec, discoveredLicenses []*model.LicenseInputSpec, certifyLegal *model.CertifyLegalInputSpec) (*model.CertifyLegal, error) {
panic(fmt.Errorf("not implemented: IngestCertifyLegal"))
}
func (c *arangoClient) IngestCertifyLegals(ctx context.Context, subjects model.PackageOrSourceInputs, declaredLicensesList [][]*model.LicenseInputSpec, discoveredLicensesList [][]*model.LicenseInputSpec, certifyLegals []*model.CertifyLegalInputSpec) ([]*model.CertifyLegal, error) {
panic(fmt.Errorf("not implemented: IngestCertifyLegals"))
}

func ptrfromArangoSearchNGramStreamType(s driver.ArangoSearchNGramStreamType) *driver.ArangoSearchNGramStreamType {
return &s
}
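Review bot: Each of the six new stubs answers an ordinary client query with a `panic`, so a `licenses` or `certifyLegal` GraphQL request routed to the ArangoDB backend is terminated by a panic rather than an error; this mirrors the existing `Path` stub just above, but for methods reachable from the public API returning the error is the safer default, e.g. `return nil, fmt.Errorf("not implemented: Licenses")`, applied in the same way to all six. Whether the resolver layer in front of this backend recovers resolver panics is not visible in this hunk, so the blast radius (one failed request versus the whole process) is an assumption worth confirming before relying on panic here. As a point of style, the six functions are run together with no blank line between them, unlike the surrounding code in the file.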
6 changes: 6 additions & 0 deletions pkg/assembler/backends/backends.go
Expand Up @@ -31,12 +31,14 @@ type Backend interface {
Vulnerabilities(ctx context.Context, vulnSpec *model.VulnerabilitySpec) ([]*model.Vulnerability, error)
Packages(ctx context.Context, pkgSpec *model.PkgSpec) ([]*model.Package, error)
Sources(ctx context.Context, sourceSpec *model.SourceSpec) ([]*model.Source, error)
Licenses(ctx context.Context, licenseSpec *model.LicenseSpec) ([]*model.License, error)

// Retrieval read-only queries for evidence trees
CertifyBad(ctx context.Context, certifyBadSpec *model.CertifyBadSpec) ([]*model.CertifyBad, error)
CertifyGood(ctx context.Context, certifyGoodSpec *model.CertifyGoodSpec) ([]*model.CertifyGood, error)
CertifyVEXStatement(ctx context.Context, certifyVEXStatementSpec *model.CertifyVEXStatementSpec) ([]*model.CertifyVEXStatement, error)
CertifyVuln(ctx context.Context, certifyVulnSpec *model.CertifyVulnSpec) ([]*model.CertifyVuln, error)
CertifyLegal(ctx context.Context, certifyLegalSpec *model.CertifyLegalSpec) ([]*model.CertifyLegal, error)
HasSBOM(ctx context.Context, hasSBOMSpec *model.HasSBOMSpec) ([]*model.HasSbom, error)
HasSlsa(ctx context.Context, hasSLSASpec *model.HasSLSASpec) ([]*model.HasSlsa, error)
HasSourceAt(ctx context.Context, hasSourceAtSpec *model.HasSourceAtSpec) ([]*model.HasSourceAt, error)
Expand All @@ -61,6 +63,8 @@ type Backend interface {
IngestPackages(ctx context.Context, pkgs []*model.PkgInputSpec) ([]*model.Package, error)
IngestSource(ctx context.Context, source model.SourceInputSpec) (*model.Source, error)
IngestSources(ctx context.Context, sources []*model.SourceInputSpec) ([]*model.Source, error)
IngestLicense(ctx context.Context, license *model.LicenseInputSpec) (*model.License, error)
IngestLicenses(ctx context.Context, licenses []*model.LicenseInputSpec) ([]*model.License, error)

// Mutations for evidence trees (read-write queries, assume software trees ingested)
IngestScorecard(ctx context.Context, source model.SourceInputSpec, scorecard model.ScorecardInputSpec) (*model.CertifyScorecard, error)
Expand All @@ -86,6 +90,8 @@ type Backend interface {
IngestVEXStatements(ctx context.Context, subjects model.PackageOrArtifactInputs, vulnerabilities []*model.VulnerabilityInputSpec, vexStatements []*model.VexStatementInputSpec) ([]string, error)
IngestCertifyVuln(ctx context.Context, pkg model.PkgInputSpec, vulnerability model.VulnerabilityInputSpec, certifyVuln model.ScanMetadataInput) (*model.CertifyVuln, error)
IngestCertifyVulns(ctx context.Context, pkgs []*model.PkgInputSpec, vulnerabilities []*model.VulnerabilityInputSpec, certifyVulns []*model.ScanMetadataInput) ([]*model.CertifyVuln, error)
IngestCertifyLegal(ctx context.Context, subject model.PackageOrSourceInput, declaredLicenses []*model.LicenseInputSpec, discoveredLicenses []*model.LicenseInputSpec, certifyLegal *model.CertifyLegalInputSpec) (*model.CertifyLegal, error)
IngestCertifyLegals(ctx context.Context, subjects model.PackageOrSourceInputs, declaredLicensesList [][]*model.LicenseInputSpec, discoveredLicensesList [][]*model.LicenseInputSpec, certifyLegals []*model.CertifyLegalInputSpec) ([]*model.CertifyLegal, error)
IngestHasMetadata(ctx context.Context, subject model.PackageSourceOrArtifactInput, pkgMatchType *model.MatchFlags, hasMetadata model.HasMetadataInputSpec) (*model.HasMetadata, error)
IngestPointOfContact(ctx context.Context, subject model.PackageSourceOrArtifactInput, pkgMatchType *model.MatchFlags, pointOfContact model.PointOfContactInputSpec) (*model.PointOfContact, error)
IngestVulnerabilityMetadata(ctx context.Context, vulnerability model.VulnerabilityInputSpec, vulnerabilityMetadata model.VulnerabilityMetadataInputSpec) (string, error)
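Review bot: `IngestCertifyLegals` takes four parallel slices (`subjects`, `declaredLicensesList`, `discoveredLicensesList`, `certifyLegals`) and nothing on the interface states the length and index correspondence every backend has to enforce; a doc comment would make the contract explicit, e.g. `// IngestCertifyLegals ingests one CertifyLegal per subject; subjects, declaredLicensesList, discoveredLicensesList and certifyLegals must have equal length and correspond by index.` The single-item `IngestCertifyLegal` also takes `certifyLegal` by pointer, whereas the sibling single-item methods visible here (`IngestCertifyVuln`'s `certifyVuln`, `IngestHasMetadata`'s `hasMetadata`) take their input spec by value; if nil is not a meaningful argument, a value parameter removes a nil check that every implementation would otherwise need. The `Backend` interface starts and ends outside this hunk.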
24 changes: 24 additions & 0 deletions pkg/assembler/backends/helper/validation.go
Expand Up @@ -127,6 +127,30 @@ func ValidatePackageOrArtifactQueryFilter(subject *model.PackageOrArtifactSpec)
return nil
}

func ValidateLicenseInput(license *model.LicenseInputSpec) error {
var inline string
var listVersion string
if license.Inline != nil {
inline = *license.Inline
}
if license.ListVersion != nil {
listVersion = *license.ListVersion
}
if inline == "" && listVersion == "" {
return gqlerror.Errorf("Neither Inline nor ListVersion are provided.")
}
if inline != "" && listVersion != "" {
return gqlerror.Errorf("Both Inline and ListVersion are provided.")
}
if inline == "" && strings.HasPrefix(license.Name, "LicenseRef") {
return gqlerror.Errorf("LicenseRef name provided without inline.")
}
if listVersion == "" && !strings.HasPrefix(license.Name, "LicenseRef") {
return gqlerror.Errorf("Inline provided provided with non LicenseRef name.")
}
return nil
}

// ValidateVexInput
/*
For [status] “not_affected”, a VEX statement SHOULD provide a [justification].
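Review bot: `ValidateLicenseInput` never rejects an empty `Name`, so an input such as `{Name: "", ListVersion: "3.21"}` passes all four checks and an unnamed license node can be ingested; a guard ahead of the other checks closes that: `if license.Name == "" { return gqlerror.Errorf("License name is empty.") }`. The LicenseRef test on both `HasPrefix` calls uses the bare prefix `LicenseRef`, while SPDX user-defined identifiers take the form `LicenseRef-<idstring>`, so a name like `LicenseRefFoo` is accepted as a custom license; matching on `"LicenseRef-"` would follow the spec. The final error message reads `Inline provided provided with non LicenseRef name.` (doubled word). `license` is dereferenced without a nil check, and `Inline` appears to carry free-form license text with no size bound; whether callers guarantee a non-nil pointer and cap the payload size is not visible here and is worth confirming.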
56 changes: 23 additions & 33 deletions pkg/assembler/backends/inmem/backend.go
Expand Up @@ -72,55 +72,45 @@ func (c *demoClient) getNextID() uint32 {
}

type demoClient struct {
id uint32
m sync.RWMutex
id uint32
m sync.RWMutex
index indexType

artifacts artMap
builders builderMap
licenses licMap
packages pkgTypeMap
sources srcTypeMap
vulnerabilities vulnTypeMap

artifacts artMap
builders builderMap
certifyBads badList
certifyGoods goodList
pkgEquals pkgEqualList
vulnerabilities vulnTypeMap
vulnerabilityEquals vulnerabilityEqualList
vulnerabilityMetadatas vulnerabilityMetadataList
certifyLegals certifyLegalList
certifyVulnerabilities certifyVulnerabilityList
hasMetadatas hasMetadataList
pointOfContacts pointOfContactList
hasSBOMs hasSBOMList
hasSLSAs hasSLSAList
hasSources hasSrcList
hashEquals hashEqualList
index indexType
isDependencies isDependencyList
occurrences isOccurrenceList
packages pkgTypeMap
pkgEquals pkgEqualList
pointOfContacts pointOfContactList
scorecards scorecardList
sources srcTypeMap
vexs vexList
certifyVulnerabilities certifyVulnerabilityList
vulnerabilityEquals vulnerabilityEqualList
vulnerabilityMetadatas vulnerabilityMetadataList
}

func GetBackend(args backends.BackendArgs) (backends.Backend, error) {
client := &demoClient{
artifacts: artMap{},
builders: builderMap{},
certifyBads: badList{},
certifyGoods: goodList{},
pkgEquals: pkgEqualList{},
vulnerabilities: vulnTypeMap{},
vulnerabilityEquals: vulnerabilityEqualList{},
vulnerabilityMetadatas: vulnerabilityMetadataList{},
hasSBOMs: hasSBOMList{},
hasSLSAs: hasSLSAList{},
hasSources: hasSrcList{},
hashEquals: hashEqualList{},
index: indexType{},
isDependencies: isDependencyList{},
occurrences: isOccurrenceList{},
packages: pkgTypeMap{},
scorecards: scorecardList{},
sources: srcTypeMap{},
vexs: vexList{},
certifyVulnerabilities: certifyVulnerabilityList{},
artifacts: artMap{},
builders: builderMap{},
index: indexType{},
licenses: licMap{},
packages: pkgTypeMap{},
sources: srcTypeMap{},
vulnerabilities: vulnTypeMap{},
}

return client, nil
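Review bot: The rewritten initializer in `GetBackend` drops every `*List` field (`certifyBads`, `hasSBOMs`, `scorecards`, and the newly added `certifyLegals`, among others) and initializes only the map-typed fields; that is correct only if each of those List types is a slice, because a nil map panics on first write, and their definitions are not in this hunk to confirm. A comment on `demoClient` would pin the invariant the initializer now silently relies on: `// Map-typed fields must be initialized in GetBackend; the *List fields are slices and rely on their nil zero value.` `GetBackend`'s body continues past the end of the hunk.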
