SPDX Parser: ingest CPE from externalRefs #1347
Conversation
Signed-off-by: mrizzi <mrizzi@redhat.com>
Thanks @mrizzi this makes sense. Questions about if we need the redundant verbs for the CPEs
Signed-off-by: mrizzi <mrizzi@redhat.com>
Signed-off-by: mrizzi <mrizzi@redhat.com>
@pxp928 @lumjjb @mihaimaruseac the
Awesome! Thanks
LGTM, but deferring to @lumjjb for second approval
LGTM!
Description of the PR

2023-10-09 update

After the discussion on how to best manage the CPE information, the new `HasMetadata` based approach has been pushed.

Initial proposal

The changes in this PR are meant to read the `referenceLocator` values for the `externalRefs` with `referenceCategory: SECURITY` and `referenceType` equals `cpe22Type` or `cpe23Type`.

In order to properly sustain the correlation's requirement, the CPE found is translated into a `purl` using an approach similar to the `GuacPkgPurl` func generated `purl`.

The CPE-based purl will be created following this algorithm:

- `cpe` as the hardcoded purl type
- `cpe-part`
- `cpe-update`
- `cpe-edition`
- `cpe-lang`
- `cpe-sw-edition`
- `cpe-target-sw`
- `cpe-target-hw`
- `cpe-other`

So, for example, the CPE will generate the purl

The SPDX parser also generates a `PkgEqual` predicate between the current `purl` package and the CPE-based purl in order to have into guac also this information.

A follow-up PR must be opened to change consistently https://github.com/guacsec/guac-docs/blob/main/guac-graphql.md

Fixes #1346

PR Checklist

- `-s` flag to `git commit`.
- `make generate` has been run
- `collectsub` protobuf has been changed, `make proto` has been run
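The CPE-to-purl translation described in the PR, as an added example that is not the PR's own code: it parses a CPE 2.3 formatted string and builds a purl with the hardcoded type `cpe` whose qualifier names are the ones listed in the description. Mapping vendor, product and version onto the purl namespace, name and version, and dropping the logical values `*` (ANY) and `-` (NA), are assumptions; the PR text does not spell them out, and the `externalRefs` filtering step is not covered here.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// The 11 components of a CPE 2.3 formatted string, in order, after the "cpe:2.3:" prefix.
var cpe23Fields = []string{"part", "vendor", "product", "version", "update", "edition",
	"lang", "sw_edition", "target_sw", "target_hw", "other"}
// A component is a run of unescaped non-colon chars or backslash escapes such as "\:".
var cpeComponent = regexp.MustCompile(`(?:\\.|[^:])+`)

// CPE23ToPurl turns a CPE 2.3 string into a purl of the hardcoded type "cpe". ASSUMPTION (the
// PR does not spell this out): vendor -> namespace, product -> name, version -> version; every
// other component becomes the "cpe-<component>" qualifier the PR lists; "*" and "-" are dropped.
func CPE23ToPurl(cpe string) (string, error) {
	parts := cpeComponent.FindAllString(strings.TrimPrefix(cpe, "cpe:2.3:"), -1)
	if !strings.HasPrefix(cpe, "cpe:2.3:") || len(parts) != len(cpe23Fields) {
		return "", fmt.Errorf("not a well-formed CPE 2.3 string: %q", cpe)
	}
	comp, q := map[string]string{}, url.Values{}
	for i, f := range cpe23Fields {
		v := parts[i]
		switch {
		case v == "*" || v == "-": // logical ANY / NA carry no information for the purl
			continue
		case f == "vendor" || f == "product" || f == "version":
			comp[f] = v
		default: // part, update, edition, lang, sw_edition, target_sw, target_hw, other
			q.Set("cpe-"+strings.ReplaceAll(f, "_", "-"), v)
		}
	}
	if comp["product"] == "" {
		return "", fmt.Errorf("CPE without a product has no purl name: %q", cpe)
	}
	purl := "pkg:cpe/"
	if ns := comp["vendor"]; ns != "" {
		purl += url.PathEscape(ns) + "/"
	}
	purl += url.PathEscape(comp["product"])
	if v := comp["version"]; v != "" {
		purl += "@" + url.PathEscape(v)
	}
	if len(q) > 0 {
		purl += "?" + q.Encode() // Encode sorts keys, so the purl is deterministic
	}
	return purl, nil
}
```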