guacsec · nathannaveen · Aug 14, 2024 · Aug 15, 2024 · Aug 21, 2024 · Aug 26, 2024
@@ -26,7 +26,7 @@ import (
 	"time"
 
 	"github.com/Khan/genqlient/graphql"
-	"github.com/go-chi/chi"
+	"github.com/go-chi/chi/v5"
 	"github.com/guacsec/guac/pkg/assembler/backends/ent"
 	"github.com/guacsec/guac/pkg/assembler/backends/ent/backend"
 	"github.com/guacsec/guac/pkg/cli"

diff --git a/go.mod b/go.mod
@@ -292,8 +292,7 @@ require (
 	github.com/cloudevents/sdk-go/v2 v2.15.2
 	github.com/fsnotify/fsnotify v1.7.0
 	github.com/getkin/kin-openapi v0.127.0
-	github.com/go-chi/chi v4.1.2+incompatible
-	github.com/go-chi/chi/v5 v5.0.12
+	github.com/go-chi/chi/v5 v5.1.0
 	github.com/go-git/go-git/v5 v5.12.0
 	github.com/gobwas/glob v0.2.3
 	github.com/gofrs/uuid v4.4.0+incompatible

diff --git a/go.sum b/go.sum
@@ -297,10 +297,8 @@ github.com/gkampitakis/go-snaps v0.5.7 h1:uVGjHR4t4pPHU944udMx7VKHpwepZXmvDMF+yD
 github.com/gkampitakis/go-snaps v0.5.7/go.mod h1:ZABkO14uCuVxBHAXAfKG+bqNz+aa1bGPAg8jkI0Nk8Y=
 github.com/gliderlabs/ssh v0.3.7 h1:iV3Bqi942d9huXnzEF2Mt+CY9gLu8DNM4Obd+8bODRE=
 github.com/gliderlabs/ssh v0.3.7/go.mod h1:zpHEXBstFnQYtGnB8k8kQLol82umzn/2/snG7alWVD8=
-github.com/go-chi/chi v4.1.2+incompatible h1:fGFk2Gmi/YKXk0OmGfBh0WgmN3XB8lVnEyNz34tQRec=
-github.com/go-chi/chi v4.1.2+incompatible/go.mod h1:eB3wogJHnLi3x/kFX2A+IbTBlXxmMeXJVKy9tTv1XzQ=
-github.com/go-chi/chi/v5 v5.0.12 h1:9euLV5sTrTNTRUU9POmDUvfxyj6LAABLUcEWO+JJb4s=
-github.com/go-chi/chi/v5 v5.0.12/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
+github.com/go-chi/chi/v5 v5.1.0 h1:acVI1TYaD+hhedDJ3r54HyA6sExp3HfXq7QWEEY/xMw=
+github.com/go-chi/chi/v5 v5.1.0/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI=
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376/go.mod h1:an3vInlBmSxCcxctByoQdvwPiA7DTK7jaaFDBTtu0ic=
 github.com/go-git/go-billy/v5 v5.5.0 h1:yEY4yhzCDuMGSv83oGxiBotRzhwhNr8VZyphhiu+mTU=

diff --git a/internal/testing/graphqlClients/guacdata.go b/internal/testing/graphqlClients/guacdata.go
@@ -17,6 +17,7 @@ package clients
 
 import (
 	"context"
+	"strings"
 	"testing"
 	"time"
 
@@ -64,7 +65,7 @@ const (
 	defaultHasSlsaPredicateValue = "test-predicate-value"
 )
 
-// Defines the Guac graph, to test clients of the Graphql server.
+// GuacData Defines the Guac graph, to test clients of the Graphql server.
 //
 // This type, along with the Ingest function, is similar to the backend IngestPredicates
 // type and the corresponding assembler function, but allows for significantly less verbose
@@ -76,17 +77,19 @@ const (
 // could be added if needed.
 type GuacData struct {
 	/** the nouns need to be specified here in order to be referenced from a verb **/
-	Packages  []string // packages are specified by purl
-	Artifacts []string // artifacts are specified by digest
-	Sources   []string // sources are specified by the name in the SourceName node
-	Builders  []string // builders are specified by URI
+	Packages        []string // packages are specified by purl
+	Artifacts       []string // artifacts are specified by digest
+	Sources         []string // sources are specified by the name in the SourceName node
+	Builders        []string // builders are specified by URI
+	Vulnerabilities []string // vulnerabilities are specified by type and ID
 
 	/** verbs **/
 	HasSboms       []HasSbom
 	IsOccurrences  []IsOccurrence
 	IsDependencies []IsDependency
 	HashEquals     []HashEqual
 	HasSlsas       []HasSlsa
+	CertifyVulns   []CertifyVuln
 
 	// Other graphql verbs still need to be added here
 }
@@ -124,13 +127,19 @@ type HasSlsa struct {
 	Spec      *gql.SLSAInputSpec // if nil, a default will be used
 }
 
+type CertifyVuln struct {
+	Package       string
+	Vulnerability string
+	Metadata      *gql.ScanMetadataInput // if nil, a default will be used
+}
+
 // maintains the ids of nouns, to use when ingesting verbs
 type nounIds struct {
-	PackageIds  map[string]string // map from purls to IDs of PackageName nodes
-	ArtifactIds map[string]string // map from digest to IDs of Artifact nodes
-	SourceIds   map[string]string // map from source names to IDs of SourceName nodes
-	BuilderIds  map[string]string // map from URI to IDs of Builder nodes
-
+	PackageIds       map[string]string // map from purls to IDs of PackageName nodes
+	ArtifactIds      map[string]string // map from digest to IDs of Artifact nodes
+	SourceIds        map[string]string // map from source names to IDs of SourceName nodes
+	BuilderIds       map[string]string // map from URI to IDs of Builder nodes
+	VulnerabilityIds map[string]string // map from vulnerability type and ID to IDs of Vulnerability nodes
 }
 
 func Ingest(ctx context.Context, t *testing.T, gqlClient graphql.Client, data GuacData) nounIds {
@@ -154,11 +163,17 @@ func Ingest(ctx context.Context, t *testing.T, gqlClient graphql.Client, data Gu
 		builderIds[builder] = ingestBuilder(ctx, t, gqlClient, builder)
 	}
 
+	vulnerabilityIds := map[string]string{}
+	for _, vuln := range data.Vulnerabilities {
+		vulnerabilityIds[vuln] = ingestVulnerability(ctx, t, gqlClient, vuln)
+	}
+
 	i := nounIds{
-		PackageIds:  packageIds,
-		ArtifactIds: artifactIds,
-		SourceIds:   sourceIds,
-		BuilderIds:  builderIds,
+		PackageIds:       packageIds,
+		ArtifactIds:      artifactIds,
+		SourceIds:        sourceIds,
+		BuilderIds:       builderIds,
+		VulnerabilityIds: vulnerabilityIds,
 	}
 
 	for _, sbom := range data.HasSboms {
@@ -181,6 +196,10 @@ func Ingest(ctx context.Context, t *testing.T, gqlClient graphql.Client, data Gu
 		i.ingestHasSlsa(ctx, t, gqlClient, hasSlsa)
 	}
 
+	for _, certifyVuln := range data.CertifyVulns {
+		i.ingestCertifyVuln(ctx, t, gqlClient, certifyVuln)
+	}
+
 	return i
 }
 
@@ -438,3 +457,46 @@ func ingestBuilder(ctx context.Context, t *testing.T, gqlClient graphql.Client,
 	}
 	return res.GetIngestBuilder()
 }
+
+func ingestVulnerability(ctx context.Context, t *testing.T, gqlClient graphql.Client, vuln string) string {
+	parts := strings.SplitN(vuln, "/", 2)
+	if len(parts) != 2 {
+		t.Fatalf("Invalid vulnerability format: %s", vuln)
+	}
+	vulnType, vulnID := parts[0], parts[1]
+
+	spec := gql.VulnerabilityInputSpec{
+		Type:            vulnType,
+		VulnerabilityID: vulnID,
+	}
+	idOrInputSpec := gql.IDorVulnerabilityInput{VulnerabilityInput: &spec}
+	res, err := gql.IngestVulnerability(ctx, gqlClient, idOrInputSpec)
+	if err != nil {
+		t.Fatalf("Error ingesting vulnerability when setting up test: %s", err)
+	}
+	return res.IngestVulnerability.VulnerabilityNodeID
+}
+
+func (i nounIds) ingestCertifyVuln(ctx context.Context, t *testing.T, gqlClient graphql.Client, certifyVuln CertifyVuln) {
+	spec := certifyVuln.Metadata
+	if spec == nil {
+		spec = &gql.ScanMetadataInput{}
+	}
+
+	packageId, ok := i.PackageIds[certifyVuln.Package]
+	if !ok {
+		t.Fatalf("The package %s has not been ingested", certifyVuln.Package)
+	}
+	pkgSpec := gql.IDorPkgInput{PackageVersionID: &packageId}
+
+	vulnerabilityId, ok := i.VulnerabilityIds[certifyVuln.Vulnerability]
+	if !ok {
+		t.Fatalf("The vulnerability %s has not been ingested", certifyVuln.Vulnerability)
+	}
+	vulnSpec := gql.IDorVulnerabilityInput{VulnerabilityNodeID: &vulnerabilityId}
+
+	_, err := gql.IngestCertifyVulnPkg(ctx, gqlClient, pkgSpec, vulnSpec, *spec)
+	if err != nil {
+		t.Fatalf("Error ingesting CertifyVuln when setting up test: %s", err)
+	}
+}