Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Clearly defined certifier #2035

Merged
merged 20 commits into from
Jul 25, 2024
Merged

Clearly defined certifier #2035

merged 20 commits into from
Jul 25, 2024

Conversation

pxp928
Copy link
Collaborator

@pxp928 pxp928 commented Jul 18, 2024
edited
Loading

Description of the PR

  • Adds a new clearly defined certifier/guesser/processor/parser with unit tests.
  • Update to OSV and CD to use the new attestation headers with resource descriptor
  • adds ability to query CD on ingestion (default to false)

closes #1964

PR Checklist

  • All commits have a Developer Certificate of Origin (DCO) -- they are generated using -s flag to git commit.
  • All new changes are covered by tests
  • If GraphQL schema is changed, make generate has been run
  • If GraphQL schema is changed, GraphQL client updates/additions have been made
  • If OpenAPI spec is changed, make generate has been run
  • If ent schema is changed, make generate has been run
  • If collectsub protobuf has been changed, make proto has been run
  • All CI checks are passing (tests and formatting)
  • All dependent PRs have already been merged

pxp928 added 18 commits July 17, 2024 14:00
@pxp928
add new clearly defined certifier with attestation
f32f133 
Signed-off-by: pxp928 <parth.psu@gmail.com>
@pxp928
add clearly definied example for tests and update definition
49f4dcb 
Signed-off-by: pxp928 <parth.psu@gmail.com>
@pxp928
add new WIP clearly defined parser
cdc2dce 
Signed-off-by: pxp928 <parth.psu@gmail.com>
@pxp928
updates clearlydefined parser
2f66ec5 
Signed-off-by: pxp928 <parth.psu@gmail.com>
@pxp928
updates to the parser for parsing legal data
92d9cdc 
Signed-off-by: pxp928 <parth.psu@gmail.com>
@pxp928
update cd certifier to add soruce query, wip cd parser, unit tests st…
a6ecc8f 
…ill need to be added

Signed-off-by: pxp928 <parth.psu@gmail.com>
@pxp928
updates to the certifier unit tests
70a8be8 
Signed-off-by: pxp928 <parth.psu@gmail.com>
@pxp928
add helper function to convert purl to coordinate
08819f2 
Signed-off-by: pxp928 <parth.psu@gmail.com>
@pxp928
update certifier to use new helper function
ae5b153 
Signed-off-by: pxp928 <parth.psu@gmail.com>
@pxp928
update attestation header to use resource descriptor
fd447e9 
Signed-off-by: pxp928 <parth.psu@gmail.com>
@pxp928
update cd certifier unit tests
6a99b58 
Signed-off-by: pxp928 <parth.psu@gmail.com>
@pxp928
add srcId to source helper function with unit tests
85e5962 
Signed-off-by: pxp928 <parth.psu@gmail.com>
@pxp928
update cd parser, unit tests needed
55eb79d 
Signed-off-by: pxp928 <parth.psu@gmail.com>
@pxp928
update cd unit test parser
703178a 
Signed-off-by: pxp928 <parth.psu@gmail.com>
@pxp928
add guacone license to run cd certifier, update processor and bulk in…
6a37462 
…gestion error

Signed-off-by: pxp928 <parth.psu@gmail.com>
@pxp928
update guaccollect with cd certifier
1931770 
Signed-off-by: pxp928 <parth.psu@gmail.com>
@pxp928
add ability to ingest license information during ingestion
195bfc5 
Signed-off-by: pxp928 <parth.psu@gmail.com>
@pxp928
add tests for scanner and add initalization for parser to clean out v…
e182ed5 
…alues ingestor is run as a service

Signed-off-by: pxp928 <parth.psu@gmail.com>
@pxp928 pxp928 force-pushed the clearlyDefined-certifier branch 2 times, most recently from 397d932 to e182ed5 Compare July 18, 2024 20:05
@pxp928
fix failing unit tests
3127ab3 
Signed-off-by: pxp928 <parth.psu@gmail.com>
@pxp928
Copy link
Collaborator Author

pxp928 commented Jul 18, 2024

FYI @nickvidal

@pxp928
change cd logs to be debug
b63240d 
Signed-off-by: pxp928 <parth.psu@gmail.com>
@jeffmendoza
Copy link
Collaborator

jeffmendoza commented Jul 19, 2024
edited
Loading

A few things (not blocking this pr)

  • We should post the purl -> coordinate code to the CD discord and ask for comments.
  • Test the parser for a not harvested component. This should give "NOASSERTION"
  • We should consider weather to save "NOASSERTION" or not, and/or to skip results that are not harvested, this should be discernible based on the "tools" section under "described" but there might be a better way. Again, something we can ask about in discord.

I'm excited to test this out with real data!

@nickvidal
Copy link

Thank you @pxp928 and @jeffmendoza!

@nickvidal
Copy link

@jeffmendoza wrt NOASSERTION, you might be interested in this recent development: https://opensource.org/blog/beyond-spdx-expanding-licenses-identified-by-clearlydefined

@pxp928 pxp928 requested a review from lumjjb July 24, 2024 16:33
mihaimaruseac
mihaimaruseac approved these changes Jul 25, 2024
View reviewed changes
Copy link
Collaborator

@mihaimaruseac mihaimaruseac left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you!

@kodiakhq kodiakhq bot merged commit a0762a6 into guacsec:main Jul 25, 2024
8 checks passed
SantiagoTorres
SantiagoTorres reviewed Jul 25, 2024
View reviewed changes
cmd/guacone/cmd/oci.go
@@ -88,7 +90,7 @@ var ociCmd = &cobra.Command{
// Set emit function to go through the entire pipeline
emit := func(d *processor.Document) error {
totalNum += 1
err := ingestor.Ingest(ctx, d, opts.graphqlEndpoint, transport, csubClient, opts.queryVulnOnIngestion)
err := ingestor.Ingest(ctx, d, opts.graphqlEndpoint, transport, csubClient, opts.queryVulnOnIngestion, opts.queryLicenseOnIngestion)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm seeing this pattern repeated throughout of adding booleans for some behavior changes. Would this be a good time to change the function signature to take opts as a single parameter instead of each bool separately?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes great point. We can clean this up in a future pr

cmd/guacone/cmd/s3.go
mp string // message provider name (sqs or kafka, will default to kafka)
mpEndpoint string // endpoint for the message provider (only for polling behaviour)
poll bool // polling or non-polling behaviour? (defaults to non-polling)
graphqlEndpoint string // endpoint for the graphql server
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder if we could contain some of the fields below as a separate struct that's used across all different cmds to have a SSoT

pkg/ingestor/parser/clearlydefined/clearlydefined_test.go
@@ -0,0 +1,156 @@
//
// Copyright 2022 The GUAC Authors.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do we care about copyright years? (I see some here are 2024, some are 2022)

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ah, I thought I caught this...can be fixed in another PR.

@pxp928 pxp928 deleted the clearlyDefined-certifier branch July 25, 2024 19:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@SantiagoTorres SantiagoTorres SantiagoTorres left review comments

@jeffmendoza jeffmendoza jeffmendoza approved these changes

@mihaimaruseac mihaimaruseac mihaimaruseac approved these changes

@lumjjb lumjjb Awaiting requested review from lumjjb

Assignees
No one assigned
Labels
size/XXL
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[feature] Implement collector for ClearlyDefined
5 participants
@pxp928 @jeffmendoza @nickvidal @mihaimaruseac @SantiagoTorres