add certifyBad query, certifyGood ingestion and query, update bul…

…k assembler (#1123) * add query for certifyBad Signed-off-by: pxp928 <parth.psu@gmail.com> * remove root src and pkg and seperate query for subjects Signed-off-by: pxp928 <parth.psu@gmail.com> * add certifyGood to arango Signed-off-by: pxp928 <parth.psu@gmail.com> * update batch assembler to use certifyBad and certifyGood bulk ingestion Signed-off-by: pxp928 <parth.psu@gmail.com> --------- Signed-off-by: pxp928 <parth.psu@gmail.com>
guacsec · Aug 3, 2023 · c0614ec · c0614ec
1 parent a0b4370
commit c0614ec
Show file tree

Hide file tree

Showing 17 changed files with 1,741 additions and 267 deletions.
diff --git a/cmd/guacgql/cmd/ingest.go b/cmd/guacgql/cmd/ingest.go
@@ -51,6 +51,7 @@ func ingestData(port int) {
 	ingestCertifyBad(ctx, gqlclient)
 	ingestCertifyBads(ctx, gqlclient)
 	ingestCertifyGood(ctx, gqlclient)
+	ingestCertifyGoods(ctx, gqlclient)
 	ingestHashEqual(ctx, gqlclient)
 	ingestHasSBOM(ctx, gqlclient)
 	ingestHasSourceAt(ctx, gqlclient)
@@ -1220,6 +1221,167 @@ func ingestCertifyGood(ctx context.Context, client graphql.Client) {
 	}
 }
 
+func ingestCertifyGoods(ctx context.Context, client graphql.Client) {
+	logger := logging.FromContext(ctx)
+	opensslNs := "openssl.org"
+	opensslVersion := "3.0.3"
+	djangoNameSpace := ""
+	sourceTag := "v0.0.1"
+	ingestCertifyGood := []struct {
+		name         string
+		pkg          []model.PkgInputSpec
+		pkgMatchType model.MatchFlags
+		source       []model.SourceInputSpec
+		artifact     []model.ArtifactInputSpec
+		certifyGood  []model.CertifyGoodInputSpec
+	}{
+		{
+			name: "this package as this specific version has been audited",
+			pkg: []model.PkgInputSpec{
+				{
+					Type:       "conan",
+					Namespace:  &opensslNs,
+					Name:       "openssl",
+					Version:    &opensslVersion,
+					Qualifiers: []model.PackageQualifierInputSpec{{Key: "user", Value: "bincrafters"}, {Key: "channel", Value: "stable"}},
+				},
+				{
+					Type:       "conan",
+					Namespace:  &opensslNs,
+					Name:       "openssl",
+					Version:    &opensslVersion,
+					Qualifiers: []model.PackageQualifierInputSpec{{Key: "user", Value: "bincrafters"}, {Key: "channel", Value: "stable"}},
+				},
+			},
+			pkgMatchType: model.MatchFlags{
+				Pkg: model.PkgMatchTypeSpecificVersion,
+			},
+			certifyGood: []model.CertifyGoodInputSpec{
+				{
+					Justification: "this package as this specific version has been audited",
+					Origin:        "Demo ingestion",
+					Collector:     "Demo ingestion",
+				},
+				{
+					Justification: "this package as this specific version has been audited",
+					Origin:        "Demo ingestion",
+					Collector:     "Demo ingestion",
+				},
+			},
+		},
+		{
+			name: "this package (all versions) is trusted",
+			pkg: []model.PkgInputSpec{
+				{
+					Type:      "pypi",
+					Namespace: &djangoNameSpace,
+					Name:      "django",
+				},
+				{
+					Type:      "pypi",
+					Namespace: &djangoNameSpace,
+					Name:      "django",
+				},
+			},
+			pkgMatchType: model.MatchFlags{
+				Pkg: model.PkgMatchTypeAllVersions,
+			},
+			certifyGood: []model.CertifyGoodInputSpec{
+				{
+					Justification: "this package (all versions) is trusted",
+					Origin:        "Demo ingestion",
+					Collector:     "Demo ingestion",
+				},
+				{
+					Justification: "this package (all versions) is trusted",
+					Origin:        "Demo ingestion",
+					Collector:     "Demo ingestion",
+				},
+			},
+		},
+		{
+			name: "this source repo is trusted",
+			source: []model.SourceInputSpec{
+				{
+					Type:      "git",
+					Namespace: "github",
+					Name:      "github.com/guacsec/guac",
+					Tag:       &sourceTag,
+				},
+				{
+					Type:      "git",
+					Namespace: "github",
+					Name:      "github.com/guacsec/guac",
+					Tag:       &sourceTag,
+				},
+			},
+			certifyGood: []model.CertifyGoodInputSpec{
+				{
+					Justification: "this source repo is trusted",
+					Origin:        "Demo ingestion",
+					Collector:     "Demo ingestion",
+				},
+				{
+					Justification: "this source repo is trusted",
+					Origin:        "Demo ingestion",
+					Collector:     "Demo ingestion",
+				},
+			},
+		},
+		{
+			name: "artifact is associated with an audited build",
+			artifact: []model.ArtifactInputSpec{
+				{
+					Digest:    "6bbb0da1891646e58eb3e6a63af3a6fc3c8eb5a0d44824cba581d2e14a0450cf",
+					Algorithm: "sha256",
+				},
+				{
+					Digest:    "6bbb0da1891646e58eb3e6a63af3a6fc3c8eb5a0d44824cba581d2e14a0450cf",
+					Algorithm: "sha256",
+				},
+			},
+			certifyGood: []model.CertifyGoodInputSpec{
+				{
+					Justification: "this artifact is associated with an audited build",
+					Origin:        "Demo ingestion",
+					Collector:     "Demo ingestion",
+				},
+				{
+					Justification: "this artifact is associated with an audited build",
+					Origin:        "Demo ingestion",
+					Collector:     "Demo ingestion",
+				},
+			},
+		},
+	}
+	for _, ingest := range ingestCertifyGood {
+		if ingest.pkg != nil {
+			if _, err := model.IngestPackages(ctx, client, ingest.pkg); err != nil {
+				logger.Errorf("Error in ingesting package: %v\n", err)
+			}
+			if _, err := model.CertifyGoodPkgs(ctx, client, ingest.pkg, ingest.pkgMatchType, ingest.certifyGood); err != nil {
+				logger.Errorf("Error in ingesting: %v\n", err)
+			}
+		} else if ingest.source != nil {
+			if _, err := model.IngestSources(ctx, client, ingest.source); err != nil {
+				logger.Errorf("Error in ingesting source: %v\n", err)
+			}
+			if _, err := model.CertifyGoodSrcs(ctx, client, ingest.source, ingest.certifyGood); err != nil {
+				logger.Errorf("Error in ingesting: %v\n", err)
+			}
+		} else if ingest.artifact != nil {
+			if _, err := model.IngestArtifacts(ctx, client, ingest.artifact); err != nil {
+				logger.Errorf("Error in ingesting artifact: %v\n", err)
+			}
+			if _, err := model.CertifyGoodArtifacts(ctx, client, ingest.artifact, ingest.certifyGood); err != nil {
+				logger.Errorf("Error in ingesting: %v\n", err)
+			}
+		} else {
+			fmt.Printf("input missing for cve, osv or ghsa")
+		}
+	}
+}
+
 func ingestHashEqual(ctx context.Context, client graphql.Client) {
 	logger := logging.FromContext(ctx)
 	ingestHashEqual := []struct {

diff --git a/pkg/assembler/backends/arangodb/artifact.go b/pkg/assembler/backends/arangodb/artifact.go
@@ -28,7 +28,7 @@ import (
 func (c *arangoClient) Artifacts(ctx context.Context, artifactSpec *model.ArtifactSpec) ([]*model.Artifact, error) {
 	values := map[string]any{}
 
-	arangoQueryBuilder := setArtifactMatchValues(nil, artifactSpec, values)
+	arangoQueryBuilder := setArtifactMatchValues(artifactSpec, values)
 	arangoQueryBuilder.query.WriteString("\n")
 	arangoQueryBuilder.query.WriteString(`RETURN {
 		"id": art._id,
@@ -46,10 +46,8 @@ func (c *arangoClient) Artifacts(ctx context.Context, artifactSpec *model.Artifa
 	return getArtifacts(ctx, cursor)
 }
 
-func setArtifactMatchValues(arangoQueryBuilder *arangoQueryBuilder, artifactSpec *model.ArtifactSpec, queryValues map[string]any) *arangoQueryBuilder {
-	if arangoQueryBuilder == nil {
-		arangoQueryBuilder = newForQuery(artifactsStr, "art")
-	}
+func setArtifactMatchValues(artifactSpec *model.ArtifactSpec, queryValues map[string]any) *arangoQueryBuilder {
+	arangoQueryBuilder := newForQuery(artifactsStr, "art")
 	if artifactSpec != nil {
 		if artifactSpec.ID != nil {
 			arangoQueryBuilder.filter("art", "_id", "==", "@id")