Searching for hasSBOMs via Artifacts in Vuln cli #1965
Conversation
nathannaveen
force-pushed
the
nathan/hasSBOMSearch
branch
from
89b8f9e
to
911c72d
Compare
Signed-off-by: nathannaveen <42319948+nathannaveen@users.noreply.github.com>
nathannaveen
force-pushed
the
nathan/hasSBOMSearch
branch
from
911c72d
to
273fcc8
Compare
Signed-off-by: nathannaveen <42319948+nathannaveen@users.noreply.github.com>
| pkgInput, err := helpers.PurlToPkg(opts.searchString) | ||
| if err != nil { | ||
| logger.Fatalf("failed to parse PURL: %v", err) | ||
| } | ||
|
|
||
| pkgQualifierFilter := []model.PackageQualifierSpec{} | ||
| for _, qualifier := range pkgInput.Qualifiers { | ||
| // to prevent https://github.com/golang/go/discussions/56010 | ||
| qualifier := qualifier | ||
| pkgQualifierFilter = append(pkgQualifierFilter, model.PackageQualifierSpec{ | ||
| Key: qualifier.Key, | ||
| Value: &qualifier.Value, | ||
| }) | ||
| } | ||
|
|
||
| pkgFilter := &model.PkgSpec{ | ||
| Type: &pkgInput.Type, | ||
| Namespace: pkgInput.Namespace, | ||
| Name: &pkgInput.Name, | ||
| Version: pkgInput.Version, | ||
| Subpath: pkgInput.Subpath, | ||
| Qualifiers: pkgQualifierFilter, | ||
| } | ||
|
|
||
| o, err := model.Occurrences(ctx, gqlclient, model.IsOccurrenceSpec{ | ||
| Subject: &model.PackageOrSourceSpec{ | ||
| Package: pkgFilter, | ||
| }, | ||
| }) | ||
| if err != nil { | ||
| logger.Fatalf("error querying for occurrences: %v", err) | ||
| } | ||
|
|
||
| depVulnPath, depVulnTableRows, err = searchForSBOMViaArtifact(ctx, gqlclient, o.IsOccurrence[0].Artifact.Id, opts.depth, false) | ||
| if err != nil { | ||
| logger.Fatalf("error searching for SBOMs via artifact: %v", err) | ||
| } |
There was a problem hiding this comment.
the function is getting a bit long - i think we can refactor some of these inner conditionals into functions or at least with some helpers around going from search string to an occurrence.
| path = append(path, depVulnPath...) | ||
| tableRows = append(tableRows, depVulnTableRows...) | ||
| } | ||
| } else { |
There was a problem hiding this comment.
is there an opts for artifact here? it would be good if its not default artifact if opts.Purl isnt set, so that the user is intentional.
| return nil, nil, fmt.Errorf("failed getting hasSBOM via URI: %s with error: %w", now, err) | ||
| } | ||
| // if the initial depth, check if it's a purl or an SBOM URI. Otherwise, always search by pkgID | ||
| if nowNode.depth == 0 && primaryCall { |
There was a problem hiding this comment.
could you elaborate a bit more on what primaryCall is? Given this is in a loop rather than recursing, would primaryCall be static throughout the function?
| if nowNode.depth == 0 && primaryCall { | ||
| pkgResponse, err := getPkgResponseFromPurl(ctx, gqlclient, now) | ||
| if err != nil { | ||
| return nil, nil, fmt.Errorf("getPkgResponseFromPurl - error: %v", err) |
There was a problem hiding this comment.
%w for wraps (a couple instances)
| return path, tableRows, nil | ||
| } | ||
|
|
||
| func searchForSBOMViaArtifact(ctx context.Context, gqlclient graphql.Client, searchString string, maxLength int, primaryCall bool) ([]string, []table.Row, error) { |
There was a problem hiding this comment.
I think we should have the search functions in a central place so that we don't duplicate too many DFS / BFSes with a lot of boilerplate code - in addition we want to use the same type of search (in this case by SBOM) for everything, and having a common function will be helpful! Can you help take a look at https://github.com/guacsec/guac/blob/0675b6779487e206f30d64ce234bb42c762502a3/pkg/guacanalytics/patchPlanning.go and see if we can implement it in that function?
Description of the PR
hasSBOMnodes viaArtifactnodes in the vulnerability cli.PR Checklist
-sflag togit commit.make generatehas been runmake generatehas been runcollectsubprotobuf has been changed,make protohas been run