Issue 966: Extend HasSBOM to include references to included software …

…(Package and Artifact), dependencies and occurrences Signed-off-by: Kevin Conner <kev.conner@gmail.com>
guacsec · Oct 9, 2023 · 028fe27 · 028fe27
1 parent 542f03f
commit 028fe27
Show file tree

Hide file tree

Showing 30 changed files with 2,260 additions and 248 deletions.
diff --git a/internal/testing/mocks/backend.go b/internal/testing/mocks/backend.go
diff --git a/pkg/assembler/assembler.go b/pkg/assembler/assembler.go
@@ -147,7 +147,8 @@ type HasSBOMIngest struct {
  Pkg *generated.PkgInputSpec `json:"pkg,omitempty"`
  Artifact *generated.ArtifactInputSpec `json:"artifact,omitempty"`
 
- HasSBOM *generated.HasSBOMInputSpec `json:"hasSbom,omitempty"`
+ HasSBOM *generated.HasSBOMInputSpec `json:"hasSbom,omitempty"`
+ Includes *generated.HasSBOMIncludesInputSpec `json:"includes,omitempty"`
 }
 
 type VexIngest struct {

diff --git a/pkg/assembler/backends/arangodb/hasSBOM.go b/pkg/assembler/backends/arangodb/hasSBOM.go
@@ -200,7 +200,8 @@ func getHasSBOMQueryValues(pkg *model.PkgInputSpec, artifact *model.ArtifactInpu
  return values
 }
 
-func (c *arangoClient) IngestHasSBOMs(ctx context.Context, subjects model.PackageOrArtifactInputs, hasSBOMs []*model.HasSBOMInputSpec) ([]*model.HasSbom, error) {
+func (c *arangoClient) IngestHasSBOMs(ctx context.Context, subjects model.PackageOrArtifactInputs, hasSBOMs []*model.HasSBOMInputSpec, includes []*model.HasSBOMIncludesInputSpec) ([]*model.HasSbom, error) {
+ // TODO(knrc) - handle includes
  if len(subjects.Packages) > 0 {
  var listOfValues []map[string]any
 
@@ -381,7 +382,8 @@ func (c *arangoClient) IngestHasSBOMs(ctx context.Context, subjects model.Packag
  }
 }
 
-func (c *arangoClient) IngestHasSbom(ctx context.Context, subject model.PackageOrArtifactInput, hasSbom model.HasSBOMInputSpec) (*model.HasSbom, error) {
+func (c *arangoClient) IngestHasSbom(ctx context.Context, subject model.PackageOrArtifactInput, hasSbom model.HasSBOMInputSpec, includes model.HasSBOMIncludesInputSpec) (*model.HasSbom, error) {
+ // TODO(knrc) - handle includes
  if subject.Artifact != nil {
  query := `LET artifact = FIRST(FOR art IN artifacts FILTER art.algorithm == @art_algorithm FILTER art.digest == @art_digest RETURN art)
  

diff --git a/pkg/assembler/backends/arangodb/hasSBOM_test.go b/pkg/assembler/backends/arangodb/hasSBOM_test.go
@@ -42,6 +42,7 @@ func TestHasSBOM(t *testing.T) {
  type call struct {
  Sub model.PackageOrArtifactInput
  HS *model.HasSBOMInputSpec
+ Inc *model.HasSBOMIncludesInputSpec
  }
  tests := []struct {
  Name string
@@ -539,7 +540,8 @@ func TestHasSBOM(t *testing.T) {
  }
  }
  for _, o := range test.Calls {
- found, err := b.IngestHasSbom(ctx, o.Sub, *o.HS)
+ // TODO (knrc) handle includes
+ found, err := b.IngestHasSbom(ctx, o.Sub, *o.HS, model.HasSBOMIncludesInputSpec{})
  if (err != nil) != test.ExpIngestErr {
  t.Fatalf("did not get expected ingest error, want: %v, got: %v", test.ExpIngestErr, err)
  }
@@ -602,6 +604,7 @@ func TestIngestHasSBOM(t *testing.T) {
  type call struct {
  Sub model.PackageOrArtifactInputs
  HS []*model.HasSBOMInputSpec
+ Inc []*model.HasSBOMIncludesInputSpec
  }
  tests := []struct {
  Name string
@@ -797,7 +800,7 @@ func TestIngestHasSBOM(t *testing.T) {
  }
  }
  for _, o := range test.Calls {
- _, err := b.IngestHasSBOMs(ctx, o.Sub, o.HS)
+ _, err := b.IngestHasSBOMs(ctx, o.Sub, o.HS, o.Inc)
  if (err != nil) != test.ExpIngestErr {
  t.Fatalf("did not get expected ingest error, want: %v, got: %v", test.ExpIngestErr, err)
  }

diff --git a/pkg/assembler/backends/backends.go b/pkg/assembler/backends/backends.go
@@ -77,8 +77,8 @@ type Backend interface {
  IngestCertifyLegals(ctx context.Context, subjects model.PackageOrSourceInputs, declaredLicensesList [][]*model.LicenseInputSpec, discoveredLicensesList [][]*model.LicenseInputSpec, certifyLegals []*model.CertifyLegalInputSpec) ([]*model.CertifyLegal, error)
  IngestDependency(ctx context.Context, pkg model.PkgInputSpec, depPkg model.PkgInputSpec, depPkgMatchType model.MatchFlags, dependency model.IsDependencyInputSpec) (*model.IsDependency, error)
  IngestDependencies(ctx context.Context, pkgs []*model.PkgInputSpec, depPkgs []*model.PkgInputSpec, depPkgMatchType model.MatchFlags, dependencies []*model.IsDependencyInputSpec) ([]*model.IsDependency, error)
- IngestHasSbom(ctx context.Context, subject model.PackageOrArtifactInput, hasSbom model.HasSBOMInputSpec) (*model.HasSbom, error)
- IngestHasSBOMs(ctx context.Context, subjects model.PackageOrArtifactInputs, hasSBOMs []*model.HasSBOMInputSpec) ([]*model.HasSbom, error)
+ IngestHasSbom(ctx context.Context, subject model.PackageOrArtifactInput, hasSbom model.HasSBOMInputSpec, includes model.HasSBOMIncludesInputSpec) (*model.HasSbom, error)
+ IngestHasSBOMs(ctx context.Context, subjects model.PackageOrArtifactInputs, hasSBOMs []*model.HasSBOMInputSpec, includes []*model.HasSBOMIncludesInputSpec) ([]*model.HasSbom, error)
  IngestHasSourceAt(ctx context.Context, pkg model.PkgInputSpec, pkgMatchType model.MatchFlags, source model.SourceInputSpec, hasSourceAt model.HasSourceAtInputSpec) (*model.HasSourceAt, error)
  IngestHasSourceAts(ctx context.Context, pkgs []*model.PkgInputSpec, pkgMatchType *model.MatchFlags, sources []*model.SourceInputSpec, hasSourceAts []*model.HasSourceAtInputSpec) ([]string, error)
  IngestHasMetadata(ctx context.Context, subject model.PackageSourceOrArtifactInput, pkgMatchType *model.MatchFlags, hasMetadata model.HasMetadataInputSpec) (*model.HasMetadata, error)

diff --git a/pkg/assembler/backends/ent/backend/sbom.go b/pkg/assembler/backends/ent/backend/sbom.go
@@ -68,7 +68,8 @@ func (b *EntBackend) HasSBOM(ctx context.Context, spec *model.HasSBOMSpec) ([]*m
  return collect(records, toModelHasSBOM), nil
 }
 
-func (b *EntBackend) IngestHasSbom(ctx context.Context, subject model.PackageOrArtifactInput, spec model.HasSBOMInputSpec) (*model.HasSbom, error) {
+func (b *EntBackend) IngestHasSbom(ctx context.Context, subject model.PackageOrArtifactInput, spec model.HasSBOMInputSpec, includes model.HasSBOMIncludesInputSpec) (*model.HasSbom, error) {
+ // TODO(knrc) - handle includes
  funcName := "IngestHasSbom"
 
  sbomId, err := WithinTX(ctx, b.client, func(ctx context.Context) (*int, error) {
@@ -154,7 +155,7 @@ func (b *EntBackend) IngestHasSbom(ctx context.Context, subject model.PackageOrA
  return toModelHasSBOM(sbom), nil
 }
 
-func (b *EntBackend) IngestHasSBOMs(ctx context.Context, subjects model.PackageOrArtifactInputs, hasSBOMs []*model.HasSBOMInputSpec) ([]*model.HasSbom, error) {
+func (b *EntBackend) IngestHasSBOMs(ctx context.Context, subjects model.PackageOrArtifactInputs, hasSBOMs []*model.HasSBOMInputSpec, includes []*model.HasSBOMIncludesInputSpec) ([]*model.HasSbom, error) {
  var modelHasSboms []*model.HasSbom
  for i, hasSbom := range hasSBOMs {
  var subject model.PackageOrArtifactInput
@@ -163,7 +164,8 @@ func (b *EntBackend) IngestHasSBOMs(ctx context.Context, subjects model.PackageO
  } else {
  subject = model.PackageOrArtifactInput{Package: subjects.Packages[i]}
  }
- modelHasSbom, err := b.IngestHasSbom(ctx, subject, *hasSbom)
+ // TODO(knrc) - handle includes
+ modelHasSbom, err := b.IngestHasSbom(ctx, subject, *hasSbom, model.HasSBOMIncludesInputSpec{})
  if err != nil {
  return nil, gqlerror.Errorf("IngestHasSBOMs failed with err: %v", err)
  }

diff --git a/pkg/assembler/backends/ent/backend/sbom_test.go b/pkg/assembler/backends/ent/backend/sbom_test.go
@@ -29,6 +29,7 @@ func (s *Suite) Test_HasSBOM() {
  type call struct {
  Sub model.PackageOrArtifactInput
  Spec *model.HasSBOMInputSpec
+ Inc *model.HasSBOMIncludesInputSpec
  }
  tests := []struct {
  Name string
@@ -481,7 +482,8 @@ func (s *Suite) Test_HasSBOM() {
 
  recordIDs := make([]string, len(test.Calls))
  for i, o := range test.Calls {
- dep, err := b.IngestHasSbom(ctx, o.Sub, *o.Spec)
+ // TODO (knrc) handle includes
+ dep, err := b.IngestHasSbom(ctx, o.Sub, *o.Spec, model.HasSBOMIncludesInputSpec{})
  if (err != nil) != test.ExpIngestErr {
  s.T().Fatalf("did not get expected ingest error, want: %v, got: %v", test.ExpIngestErr, err)
  }
@@ -521,6 +523,7 @@ func (s *Suite) TestIngestHasSBOMs() {
  type call struct {
  Sub model.PackageOrArtifactInputs
  HS []*model.HasSBOMInputSpec
+ Inc []*model.HasSBOMIncludesInputSpec
  }
  tests := []struct {
  Name string
@@ -719,7 +722,7 @@ func (s *Suite) TestIngestHasSBOMs() {
  }
  }
  for _, o := range test.Calls {
- _, err := b.IngestHasSBOMs(ctx, o.Sub, o.HS)
+ _, err := b.IngestHasSBOMs(ctx, o.Sub, o.HS, o.Inc)
  if (err != nil) != test.ExpIngestErr {
  t.Fatalf("did not get expected ingest error, want: %v, got: %v", test.ExpIngestErr, err)
  }

diff --git a/pkg/assembler/backends/inmem/backend.go b/pkg/assembler/backends/inmem/backend.go
@@ -20,6 +20,8 @@ import (
  "errors"
  "fmt"
  "math"
+ "slices"
+ "strconv"
  "strings"
  "sync"
  "sync/atomic"
@@ -201,3 +203,37 @@ func unlock(m *sync.RWMutex, readOnly bool) {
  m.Unlock()
  }
 }
+
+func parseIDs(ids []string) ([]uint32, error) {
+ keys := make([]uint32, 0, len(ids))
+ for _, id := range ids {
+ if key, err := parseID(id); err != nil {
+ return nil, err
+ } else {
+ keys = append(keys, key)
+ }
+ }
+ return keys, nil
+}
+
+func parseID(id string) (uint32, error) {
+ id64, err := strconv.ParseUint(id, 10, 32)
+ return uint32(id64), err
+}
+
+func sortAndRemoveDups(ids []uint32) []uint32 {
+ numIDs := len(ids)
+ if numIDs > 1 {
+ slices.Sort(ids)
+ nextIndex := 1
+ for index := 1; index < numIDs; index++ {
+ currentVal := ids[index]
+ if ids[index-1] != currentVal {
+ ids[nextIndex] = currentVal
+ nextIndex++
+ }
+ }
+ ids = ids[:nextIndex]
+ }
+ return ids
+}