
SPDX Parser: ingest CPE from externalRefs #1347

Merged
merged 3 commits into guacsec:main from the 1346-spdx-parser-cpe branch on Oct 9, 2023

Conversation

mrizzi
Collaborator

@mrizzi mrizzi commented Oct 3, 2023

Description of the PR

2023-10-09 update

After the discussion on how to best manage the CPE information, the new HasMetadata based approach has been pushed.

Initial proposal

The changes in this PR are meant to read the referenceLocator values for the externalRefs with referenceCategory: SECURITY and referenceType equal to cpe22Type or cpe23Type.

In order to properly sustain the correlation requirement, the CPE found is translated into a purl using an approach similar to the purl generated by the GuacPkgPurl func.

The CPE-based purl will be created following this algorithm:

  • cpe as the hardcoded purl type
  • cpe vendor as purl namespace
  • cpe product as purl name
  • cpe version as purl version
  • cpe part as purl qualifier cpe-part
  • cpe update as purl qualifier cpe-update
  • cpe edition as purl qualifier cpe-edition
  • cpe lang as purl qualifier cpe-lang
  • cpe sw_edition as purl qualifier cpe-sw-edition
  • cpe target_sw as purl qualifier cpe-target-sw
  • cpe target_hw as purl qualifier cpe-target-hw
  • cpe other as purl qualifier cpe-other

So, for example, the CPE

cpe:/o:redhat:enterprise_linux:7::server

will generate the purl

pkg:cpe/redhat/enterprise_linux@7?cpe-part=o&cpe-update=ANY&cpe-edition=server&cpe-lang=ANY&cpe-other=ANY&cpe-sw-edition=ANY&cpe-target-hw=ANY&cpe-target-sw=ANY

The SPDX parser also generates a PkgEqual predicate between the current purl package and the CPE-based purl in order to have this information in guac as well.

A follow-up PR must be opened to update https://github.com/guacsec/guac-docs/blob/main/guac-graphql.md consistently.

Fixes #1346

PR Checklist

  • All commits have a Developer Certificate of Origin (DCO) -- they are generated using -s flag to git commit.
  • All new changes are covered by tests
  • If GraphQL schema is changed, make generate has been run
  • If collectsub protobuf has been changed, make proto has been run
  • All CI checks are passing (tests and formatting)
  • All dependent PRs have already been merged

Signed-off-by: mrizzi <mrizzi@redhat.com>
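The CPE-to-purl algorithm in the description above, written out as an added example. This is not code from the PR or from GUAC: the `ExternalRef`, `CPE`, `ParseCPE`, `ToPurl` and `CPEPurlsFromRefs` names are this example's own, the reference filter follows the SECURITY / cpe22Type / cpe23Type rule stated above, and qualifiers are emitted in the order the description's example purl shows. Beyond the single example on the page, it also handles CPE 2.3 formatted strings (`cpe:2.3:...`), the CPE 2.2 convention of packing sw_edition, target_sw, target_hw and other into a `~`-prefixed edition component, and rejects locators that are not CPEs at all. Two choices are this example's own assumptions: a CPE 2.3 `-` (not applicable) is emitted as `NA`, and an unspecified or `*` version produces no `@version` part. The PkgEqual / HasMetadata predicate that links the two purls is GUAC-internal and is not modelled here.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// ExternalRef mirrors the three SPDX externalRefs fields the PR reads.
type ExternalRef struct {
	ReferenceCategory string `json:"referenceCategory"`
	ReferenceType     string `json:"referenceType"`
	ReferenceLocator  string `json:"referenceLocator"`
}

// CPE holds the eleven attributes shared by CPE 2.2 URIs and CPE 2.3
// formatted strings; an empty string means the attribute was not given.
type CPE struct {
	Part, Vendor, Product, Version, Update, Edition, Language string
	SwEdition, TargetSw, TargetHw, Other                      string
}

// ParseCPE accepts "cpe:/..." (2.2 URI) and "cpe:2.3:..." (2.3 formatted string).
// Simplification: a backslash-escaped ':' inside a 2.3 component is not handled.
func ParseCPE(s string) (CPE, error) {
	var f []string
	switch {
	case strings.HasPrefix(s, "cpe:2.3:"):
		f = strings.Split(strings.TrimPrefix(s, "cpe:2.3:"), ":")
		if len(f) != 11 {
			return CPE{}, fmt.Errorf("cpe 2.3 %q: want 11 components, got %d", s, len(f))
		}
	case strings.HasPrefix(s, "cpe:/"):
		f = strings.Split(strings.TrimPrefix(s, "cpe:/"), ":")
		if len(f) > 7 {
			return CPE{}, fmt.Errorf("cpe 2.2 %q: more than 7 components", s)
		}
		for len(f) < 7 { // trailing components may be omitted in a 2.2 URI
			f = append(f, "")
		}
		// A 2.2 edition starting with "~" packs the four extended attributes as
		// "~edition~sw_edition~target_sw~target_hw~other"; unpack them.
		ext := []string{"", "", "", ""}
		if p := strings.Split(f[5], "~"); strings.HasPrefix(f[5], "~") && len(p) == 6 {
			f[5], ext = p[1], p[2:]
		}
		f = append(f, ext...)
	default:
		return CPE{}, fmt.Errorf("unsupported CPE format %q", s)
	}
	c := CPE{Part: f[0], Vendor: f[1], Product: f[2], Version: f[3], Update: f[4], Edition: f[5],
		Language: f[6], SwEdition: f[7], TargetSw: f[8], TargetHw: f[9], Other: f[10]}
	if c.Vendor == "" || c.Product == "" {
		return CPE{}, fmt.Errorf("cpe %q: vendor and product are required for a purl", s)
	}
	return c, nil
}

// qualValue maps CPE logical values to purl qualifier values: an unspecified or
// "*" attribute becomes "ANY" as in the PR's example. Emitting the CPE 2.3 "-"
// (not applicable) as "NA" is this example's own assumption.
func qualValue(v string) string {
	switch v {
	case "", "*":
		return "ANY"
	case "-":
		return "NA"
	}
	return v
}

// ToPurl builds the cpe-typed purl: vendor as namespace, product as name,
// version as version, and every other attribute as a cpe-* qualifier.
func (c CPE) ToPurl() string {
	var b strings.Builder
	fmt.Fprintf(&b, "pkg:cpe/%s/%s", url.PathEscape(c.Vendor), url.PathEscape(c.Product))
	if c.Version != "" && c.Version != "*" { // assumption: ANY version yields no "@version"
		b.WriteString("@" + url.PathEscape(c.Version))
	}
	quals := [][2]string{{"cpe-part", c.Part}, {"cpe-update", c.Update}, {"cpe-edition", c.Edition},
		{"cpe-lang", c.Language}, {"cpe-other", c.Other}, {"cpe-sw-edition", c.SwEdition},
		{"cpe-target-hw", c.TargetHw}, {"cpe-target-sw", c.TargetSw}}
	sep := "?"
	for _, q := range quals {
		fmt.Fprintf(&b, "%s%s=%s", sep, q[0], url.QueryEscape(qualValue(q[1])))
		sep = "&"
	}
	return b.String()
}

// CPEPurlsFromRefs applies the PR's selection rule: only externalRefs with
// referenceCategory SECURITY and referenceType cpe22Type or cpe23Type are
// translated; any other ref (for example a PACKAGE-MANAGER purl) is skipped.
func CPEPurlsFromRefs(refs []ExternalRef) ([]string, error) {
	var purls []string
	for _, r := range refs {
		if r.ReferenceCategory != "SECURITY" || (r.ReferenceType != "cpe22Type" && r.ReferenceType != "cpe23Type") {
			continue
		}
		c, err := ParseCPE(r.ReferenceLocator)
		if err != nil {
			return nil, err
		}
		purls = append(purls, c.ToPurl())
	}
	return purls, nil
}
```

Feeding `CPEPurlsFromRefs` the description's CPE `cpe:/o:redhat:enterprise_linux:7::server` as a SECURITY / cpe22Type ref reproduces the purl shown above byte for byte; a malformed locator is reported as an error rather than silently producing a purl with an empty name, which is the failure mode a data-quality ingestor most wants to catch.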
@pxp928 pxp928 requested a review from lumjjb October 3, 2023 20:12
@mrizzi mrizzi mentioned this pull request Oct 4, 2023
Collaborator

@pxp928 pxp928 left a comment


Thanks @mrizzi, this makes sense. Questions about whether we need the redundant verbs for the CPEs.

Review thread on internal/testing/testdata/testdata.go (outdated, resolved)
Signed-off-by: mrizzi <mrizzi@redhat.com>
Signed-off-by: mrizzi <mrizzi@redhat.com>
@mrizzi
Collaborator Author

mrizzi commented Oct 9, 2023

@pxp928 @lumjjb @mihaimaruseac the HasMetadata approach has been implemented

Collaborator

@pxp928 pxp928 left a comment


Awesome! Thanks

@mihaimaruseac
Collaborator

LGTM, but deferring to @lumjjb for second approval

Contributor

@lumjjb lumjjb left a comment


LGTM!

@kodiakhq kodiakhq bot merged commit 542f03f into guacsec:main Oct 9, 2023
9 checks passed
@mrizzi mrizzi deleted the 1346-spdx-parser-cpe branch October 9, 2023 17:20
Linked issue: [ingestion/data-quality issue] SPDX/SBOM externalRefs with cpe (#1346)
4 participants