Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Clearly defined certifier #2035

Merged
merged 20 commits into from
Jul 25, 2024
Merged

Conversation

pxp928
Copy link
Collaborator

@pxp928 pxp928 commented Jul 18, 2024

Description of the PR

  • Adds a new clearly defined certifier/guesser/processor/parser with unit tests.
  • Update to OSV and CD to use the new attestation headers with resource descriptor
  • adds ability to query CD on ingestion (default to false)

closes #1964

PR Checklist

  • All commits have a Developer Certificate of Origin (DCO) -- they are generated using -s flag to git commit.
  • All new changes are covered by tests
  • If GraphQL schema is changed, make generate has been run
  • If GraphQL schema is changed, GraphQL client updates/additions have been made
  • If OpenAPI spec is changed, make generate has been run
  • If ent schema is changed, make generate has been run
  • If collectsub protobuf has been changed, make proto has been run
  • All CI checks are passing (tests and formatting)
  • All dependent PRs have already been merged

pxp928 added 18 commits July 17, 2024 14:00
…alues ingestor is run as a service

Signed-off-by: pxp928 <[email protected]>
@pxp928 pxp928 force-pushed the clearlyDefined-certifier branch 2 times, most recently from 397d932 to e182ed5 Compare July 18, 2024 20:05
@pxp928
Copy link
Collaborator Author

pxp928 commented Jul 18, 2024

FYI @nickvidal

@jeffmendoza
Copy link
Collaborator

jeffmendoza commented Jul 19, 2024

A few things (not blocking this pr)

  • We should post the purl -> coordinate code to the CD discord and ask for comments.
  • Test the parser for a not harvested component. This should give "NOASSERTION"
  • We should consider weather to save "NOASSERTION" or not, and/or to skip results that are not harvested, this should be discernible based on the "tools" section under "described" but there might be a better way. Again, something we can ask about in discord.

I'm excited to test this out with real data!

@nickvidal
Copy link

Thank you @pxp928 and @jeffmendoza!

@nickvidal
Copy link

@jeffmendoza wrt NOASSERTION, you might be interested in this recent development: https://opensource.org/blog/beyond-spdx-expanding-licenses-identified-by-clearlydefined

@pxp928 pxp928 requested a review from lumjjb July 24, 2024 16:33
Copy link
Collaborator

@mihaimaruseac mihaimaruseac left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you!

@kodiakhq kodiakhq bot merged commit a0762a6 into guacsec:main Jul 25, 2024
8 checks passed
@@ -88,7 +90,7 @@ var ociCmd = &cobra.Command{
// Set emit function to go through the entire pipeline
emit := func(d *processor.Document) error {
totalNum += 1
err := ingestor.Ingest(ctx, d, opts.graphqlEndpoint, transport, csubClient, opts.queryVulnOnIngestion)
err := ingestor.Ingest(ctx, d, opts.graphqlEndpoint, transport, csubClient, opts.queryVulnOnIngestion, opts.queryLicenseOnIngestion)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm seeing this pattern repeated throughout of adding booleans for some behavior changes. Would this be a good time to change the function signature to take opts as a single parameter instead of each bool separately?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes great point. We can clean this up in a future pr

mp string // message provider name (sqs or kafka, will default to kafka)
mpEndpoint string // endpoint for the message provider (only for polling behaviour)
poll bool // polling or non-polling behaviour? (defaults to non-polling)
graphqlEndpoint string // endpoint for the graphql server
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder if we could contain some of the fields below as a separate struct that's used across all different cmds to have a SSoT

@@ -0,0 +1,156 @@
//
// Copyright 2022 The GUAC Authors.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do we care about copyright years? (I see some here are 2024, some are 2022)

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ah, I thought I caught this...can be fixed in another PR.

@pxp928 pxp928 deleted the clearlyDefined-certifier branch July 25, 2024 19:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[feature] Implement collector for ClearlyDefined
5 participants