-
Notifications
You must be signed in to change notification settings - Fork 170
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[question] How do you handle drift? #1266
Comments
Depending on the query you run, you could retrieve the old SBOM data. Currently, GUAC does not delete data but we will add some type of archival flag to data as needed in the future. Currently, you could query based on the new version of the artifact you have generated that does not contain those dependencies. In that case, it will only include dependency information from the new SBOM (as the origin would be the new SBOM). The packages and artifacts nodes will remain the same between the two SBOMs if nothing has changed (only the dependency from the new version of the artifact will not include the vulnerable packages). If you queried the old version of the artifact (associated with vulnerable dependencies), those dependencies will show up with vulnerabilities associated with them from the old SBOM. There are some changes we are making with regard to how dependencies are associated with artifacts and SBOMs. This will also make it easier to determine which dependencies are associated with a particular SBOM. #966 goes into more detail about this and also links to a design doc that expands the solution we are planning to implement. This issue is being actively worked on by the guac community. Please let me know if that answers your question. :) |
So if I'm understanding your comment correctly, then I should be able to:
It doesn't seem to work for me. What am I missing? |
Ah no, that should not work. It wouldn't make sense to modify an existing SBOM, as that is not a real world scenario. Here is one example:
At this point you are able to run
The above scenario is what would happen for packages released and distributed by version. Let's say you are generating SBOMs for your own project without releases. In this case, it is the responsibility of the build system and/or SBOM generator to insert a "version" of the top-level package based on the git commit hash. So if the latest release is In general a package is expected to be immutable. Another interesting scenario is where two different SBOM generators/scanners have different results when scanning the exact same artifact or package. In this case, the GUAC GraphQL API is setup to store all relevant metadata information in all "verb" nodes. For example the As a group we haven't fully built out all the commands and queries to fully utilize these metadata fields (for example, you can't filter on those when using the |
This makes sense, thanks for the clarification. So when I'm building an SBOM, how do I indicate the version? Is that taken from the root level version key? And is the hash taken from the root level serialNumber key? |
No, the version of the component being described is what is important, not the bom version This one: https://github.com/CycloneDX/specification/blob/1.5/schema/bom-1.5.schema.json#L259-L263 Version is either pulled from purl GUAC code is here: |
That makes sense. So just to say it again, to make sure I understand the source code correctly, there are two ways to specify the sbom version to keep them separate inside guac:
|
Question
Lets say I have an SBOM ingested with some dependencies that are vulnerable, so I fix them and ingest a new SBOM without those dependencies.
If I do some queries, will the old/out-of-date SBOM still show up?
The text was updated successfully, but these errors were encountered: