
Issue 966: Extend HasSBOM to include references to included software … #1367

Merged: 2 commits merged Oct 26, 2023

Conversation

knrc (Contributor) commented Oct 9, 2023

…(Package and Artifact), dependencies and occurrences

Description of the PR

Extends HasSBOM to include related packages/artifacts, dependencies and occurrences. Requires IDs to be sent for included nodes. Addresses #966, but still needs work done on backends other than inmem.

Consider this a work in progress for now

PR Checklist

  • All commits have a Developer Certificate of Origin (DCO) -- they are generated using -s flag to git commit.
  • All new changes are covered by tests
  • If GraphQL schema is changed, make generate has been run
  • If collectsub protobuf has been changed, make proto has been run
  • All CI checks are passing (tests and formatting)
  • All dependent PRs have already been merged

knrc force-pushed the issue_966 branch 4 times, most recently from ff425d1 to 028fe27 on October 9, 2023 17:54

knrc (Contributor, Author) commented Oct 9, 2023

Note: this PR needs discussion and further work, so it should not be merged at present.

knrc (Contributor, Author) commented Oct 10, 2023

One question that needs answering relates to the edges used to identify Neighbors, as these are currently unidirectional (sbom -> PackageVersion/Artifact, IsDependency, IsOccurrence). Do we want those to be bidirectional? If so, how should we handle PackageVersion -> sbom?
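To make the question above concrete, here is an added example (not code from the GUAC project or from this PR) of an in-memory graph that keeps a forward and a reverse adjacency index. With only the forward index, Neighbors of a PackageVersion never yields the SBOM that references it; with the reverse index available, the same query can be answered from either side, and "PackageVersion -> sbom" becomes a lookup on the reverse index filtered by node kind rather than a second, symmetric edge. The Graph type, the node IDs (sbom-1, pkg-1, ...) and the sample SBOM are all constructed for the illustration; only the node kind names come from the discussion. Results are sorted so that callers get deterministic output.

```go
package main

import (
	"fmt"
	"sort"
)

// Kind labels the node types named in the PR discussion. This file is a
// constructed illustration of edge indexing, not GUAC's backend or schema.
type Kind string

const (
	KindSBOM           Kind = "HasSBOM"
	KindPackageVersion Kind = "PackageVersion"
	KindArtifact       Kind = "Artifact"
	KindIsDependency   Kind = "IsDependency"
	KindIsOccurrence   Kind = "IsOccurrence"
)

type adjacency map[string]map[string]bool

func (a adjacency) link(from, to string) {
	if a[from] == nil {
		a[from] = map[string]bool{}
	}
	a[from][to] = true
}

// Graph stores every edge twice, forward (from -> to) and reverse (to -> from),
// so "which SBOMs include this PackageVersion?" is a direct lookup.
type Graph struct {
	kinds            map[string]Kind
	forward, reverse adjacency
}

// AddEdge rejects unknown IDs so an SBOM cannot dangle a reference to a node
// that was never ingested.
func (g *Graph) AddEdge(from, to string) error {
	for _, id := range []string{from, to} {
		if _, ok := g.kinds[id]; !ok {
			return fmt.Errorf("unknown node %q", id)
		}
	}
	g.forward.link(from, to)
	g.reverse.link(to, from)
	return nil
}

// Neighbors returns out-neighbors only (the unidirectional case in the comment)
// or, with bidirectional set, out- and in-neighbors, sorted for determinism.
func (g *Graph) Neighbors(id string, bidirectional bool) []string {
	seen := map[string]bool{}
	for n := range g.forward[id] {
		seen[n] = true
	}
	if bidirectional {
		for n := range g.reverse[id] {
			seen[n] = true
		}
	}
	var out []string
	for n := range seen {
		out = append(out, n)
	}
	sort.Strings(out)
	return out
}

// SBOMsIncluding walks only the reverse index and keeps HasSBOM nodes, which
// answers PackageVersion -> sbom without making every edge symmetric.
func (g *Graph) SBOMsIncluding(id string) []string {
	var out []string
	for n := range g.reverse[id] {
		if g.kinds[n] == KindSBOM {
			out = append(out, n)
		}
	}
	sort.Strings(out)
	return out
}

// SampleGraph builds a constructed SBOM referencing two packages, an artifact,
// a dependency and an occurrence by ID.
func SampleGraph() *Graph {
	g := &Graph{forward: adjacency{}, reverse: adjacency{}}
	g.kinds = map[string]Kind{"sbom-1": KindSBOM, "pkg-1": KindPackageVersion, "pkg-2": KindPackageVersion,
		"art-1": KindArtifact, "dep-1": KindIsDependency, "occ-1": KindIsOccurrence}
	for _, to := range []string{"pkg-1", "pkg-2", "art-1", "dep-1", "occ-1"} {
		if err := g.AddEdge("sbom-1", to); err != nil {
			panic(err)
		}
	}
	return g
}

func main() {
	g := SampleGraph()
	fmt.Println("pkg-1 bidirectional ->", g.Neighbors("pkg-1", true))
	fmt.Println("SBOMs including art-1:", g.SBOMsIncluding("art-1"))
}
```

The trade-off this shows: a symmetric edge set doubles the neighbor list of every included node with edges that are semantically "is included by", while a reverse index keeps the stored edges unidirectional and lets a kind-filtered query (SBOMsIncluding) answer the PackageVersion -> sbom direction on demand. Validating IDs in AddEdge matters once the backend requires IDs to be sent for included nodes: a typo or an ID from a different backend must fail at ingestion rather than silently create a dangling reference.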

mrizzi (Collaborator) commented Oct 11, 2023

Cherry-picked 890fe58 because other PRs are failing and it would fix them without having to wait for this PR to get merged.

knrc force-pushed the issue_966 branch 2 times, most recently from 02b320c to 9df7e49 on October 16, 2023 16:07

knrc (Contributor, Author) commented Oct 16, 2023

@pxp928 updated to use a flattened structure. There's also an additional commit for one e2e test; it seemed to be non-deterministic in that the versions being diffed could be in different orders.

pxp928 (Collaborator) left a comment

Overall this looks great! Thanks @knrc for all the work on this!

Review threads:
  • pkg/assembler/backends/inmem/hasSBOM.go (outdated, resolved)
  • pkg/assembler/backends/inmem/hasSBOM.go (outdated, resolved)
  • pkg/assembler/graphql/resolvers/package.resolvers.go (outdated, resolved)
  • pkg/assembler/graphql/helpers/package.go (resolved)

knrc force-pushed the issue_966 branch 2 times, most recently from ec50d14 to 37f2f1d on October 24, 2023 13:45

knrc (Contributor, Author) commented Oct 24, 2023

@pxp928 @mihaimaruseac I've pushed the latest version, now also including the sbom includes in the filtering. I have also updated the source ingestion so it returns all IDs, rather than just the top level, non-specific ID.

I believe this is all the required functionality; let me know what you think, and I can squash and remove the WIP tag if you are happy.

pxp928 (Collaborator) left a comment

This looks good to me! Thanks for all the work on this!

mihaimaruseac (Collaborator) left a comment

Looks great! Thank you

knrc (Contributor, Author) commented Oct 24, 2023

Thanks very much. I'll squash the PR into two commits, the first for these changes and the second for the small fix to the e2e test that's also in this PR.

knrc changed the title from "WIP: Issue 966: Extend HasSBOM to include references to included software …" to "Issue 966: Extend HasSBOM to include references to included software …" on Oct 24, 2023

lumjjb (Contributor) left a comment

Wanted to recall what the decision was around having the ID list vs having the ID be part of the DependencyInputSpec, OccurrenceInputSpec, etc., else LGTM.

Review threads:
  • pkg/assembler/graphql/schema/hasSBOM.graphql (resolved)
  • pkg/assembler/backends/inmem/hasSBOM.go (outdated, resolved)
  • pkg/assembler/backends/inmem/hasSBOM.go (outdated, resolved)
  • pkg/assembler/backends/inmem/hasSBOM.go (outdated, resolved)
  • pkg/assembler/backends/inmem/isDependency.go (outdated, resolved)

…(Package and Artifact), dependencies and occurrences

	Update package and source ingestion to return all relevant IDs to caller.
	Include includes in SBOM filtering

Signed-off-by: Kevin Conner <kev.conner@gmail.com>
Signed-off-by: Kevin Conner <kev.conner@gmail.com>
knrc (Contributor, Author) commented Oct 25, 2023

Looks like I need to rebase again; I'll update to the latest main branch and push.

Labels: needs-review, Needs writer LGTM, size/XXL

5 participants