Merge branch 'trustification-v0.7.2' into TC-1642

trustification · Jul 26, 2024 · bc21e14 · bc21e14
2 parents ebb9a6a + 9f6fd5a
commit bc21e14
Show file tree

Hide file tree

Showing 30 changed files with 20,106 additions and 943 deletions.
diff --git a/demo/graphql/queries-trustification.gql b/demo/graphql/queries-trustification.gql
@@ -287,6 +287,28 @@ query FindVulnerabilitySbomURI_quarkus {
   }
 }
 
+query FindVulnerabilityCPE_quarkus {
+  findVulnerabilityByCPE (cpe: "cpe:/a:redhat:quarkus:2.13::el8") {
+    ... on CertifyVuln {
+      ...allCertifyVulnTree
+    }
+    ... on CertifyVEXStatement {
+      ...allCertifyVEXStatementTree
+    }
+  }
+}
+
+query FindVulnerability_quarkus {
+  findVulnerability (purl: "pkg:maven/com.redhat.quarkus.platform/[email protected]?type=pom") {
+    ... on CertifyVuln {
+      ...allCertifyVulnTree
+    }
+    ... on CertifyVEXStatement {
+      ...allCertifyVEXStatementTree
+    }
+  }
+}
+
 query FindVulnerabilitySbomURI_ubi9 {
   findVulnerabilityBySbomURI (
     sbomURI:"https://access.redhat.com/security/data/sbom/beta/spdx/ubi9-minimal-container-9b954617-943f-43ab-bd5b-3df62a706ed6", offset:0, limit:1000) {
@@ -357,26 +379,27 @@ query TC_1593_FindDependentProduct {
   }
 }
 
-query TC_1593_HasMetadata {
-  HasMetadata (hasMetadataSpec: {key: "topLevelPackage", value: "pkg:maven/pom-with-deps-no-ignore/[email protected]?type=jar"}) {
-    subject {
-      ... on Package {
-        ...allPkgTree
-      }
-    }
+query TC_1609_FindDependentProduct {
+  findDependentProduct (
+    purl: "pkg:maven/io.github.crac/[email protected]?type=jar"
+  ) {
+    ...allHasSBOMTree
   }
 }
 
-query TC_1609_HasMetadata {
-  HasMetadata (hasMetadataSpec: {
-    key: "topLevelPackage",
-    value: "pkg:maven/com.example/[email protected]?type=jar",
-    subject: {package: {name:"org-crac"}}
-  }) {
-    subject {
-      ... on Package {
-        ...allPkgTree
+query CVE_2023_1664 {
+  CertifyVEXStatement (
+    certifyVEXStatementSpec: {
+      vulnerability: {
+        vulnerabilityID: "cve-2023-1664"
+      }
+      subject: {
+        package: {
+          name: "keycloak-core"
+        }
       }
     }
+  ) {
+    documentRef
   }
 }
diff --git a/internal/testing/e2e-trustification/e2e b/internal/testing/e2e-trustification/e2e
@@ -63,36 +63,42 @@ queries="${GUAC_DIR}/demo/graphql/queries-trustification.gql"
 
 echo @@@@ Running queries and validating output
 
-cat "$queries" | gql-cli http://localhost:8080/query -o FindVulnerabilitySbomURI_quarkus | jq --sort-keys 'del(.. | .id?) | del(.. | .origin?) | .findVulnerabilityBySbomURI |= sort | .findVulnerabilityBySbomURI[].subject.namespaces[]?.names[]?.versions[]?.qualifiers? |= sort' > "${GUAC_DIR}/gotFindVulnerabilitySbomURI_quarkus.json"
-diff -u "${SCRIPT_DIR}/expectFindVulnerabilitySbomURI_quarkus.json" "${GUAC_DIR}/gotFindVulnerabilitySbomURI_quarkus.json"
+cat ./demo/graphql/queries-trustification.gql | gql-cli http://localhost:8080/query -o HasSBOM | jq ' .HasSBOM |= sort ' > "${GUAC_DIR}/gotHasSBOM.json"
+diff -u "${SCRIPT_DIR}/expectHasSBOM.json" "${GUAC_DIR}/gotHasSBOM.json"
+
+cat ./demo/graphql/queries-trustification.gql | gql-cli http://localhost:8080/query -o Vulnerabilities | jq ' .vulnerabilities[].vulnerabilityIDs |= sort_by(.vulnerabilityID) ' > "${GUAC_DIR}/gotVulnerabilities.json"
+diff -u "${SCRIPT_DIR}/expectVulnerabilities.json" "${GUAC_DIR}/gotVulnerabilities.json"
+
+cat ./demo/graphql/queries-trustification.gql | gql-cli http://localhost:8080/query -o CVE_2023_1664 | jq . > "${GUAC_DIR}/gotCVE_2023_1664.json"
+diff -u "${SCRIPT_DIR}/expectCVE_2023_1664.json" "${GUAC_DIR}/gotCVE_2023_1664.json"
+
+cat "$queries" | gql-cli http://localhost:8080/query -o FindVulnerabilitySbomURI_quarkus | jq --sort-keys 'del(.. | .id?) | del(.. | .origin?) | .findVulnerabilityBySbomURI |= sort | .findVulnerabilityBySbomURI[].subject.namespaces[]?.names[]?.versions[]?.qualifiers? |= sort | .findVulnerabilityBySbomURI ' > "${GUAC_DIR}/gotFindVulnerabilitySbomURI_quarkus.json"
+diff -u "${SCRIPT_DIR}/expectVulnerabilityQuarkus.json" "${GUAC_DIR}/gotFindVulnerabilitySbomURI_quarkus.json"
+
+cat "$queries" | gql-cli http://localhost:8080/query -o FindVulnerabilityCPE_quarkus | jq --sort-keys 'del(.. | .id?) | del(.. | .origin?) | .findVulnerabilityByCPE |= sort | .findVulnerabilityByCPE[].subject.namespaces[]?.names[]?.versions[]?.qualifiers? |= sort | .findVulnerabilityByCPE ' > "${GUAC_DIR}/gotFindVulnerabilityCPE_quarkus.json"
+diff -u "${SCRIPT_DIR}/expectVulnerabilityQuarkus.json" "${GUAC_DIR}/gotFindVulnerabilityCPE_quarkus.json"
+
+cat "$queries" | gql-cli http://localhost:8080/query -o FindVulnerability_quarkus | jq --sort-keys 'del(.. | .id?) | del(.. | .origin?) | .findVulnerability |= sort | .findVulnerability[].subject.namespaces[]?.names[]?.versions[]?.qualifiers? |= sort | .findVulnerability ' > "${GUAC_DIR}/gotFindVulnerability_quarkus.json"
+diff -u "${SCRIPT_DIR}/expectVulnerabilityQuarkus.json" "${GUAC_DIR}/gotFindVulnerability_quarkus.json"
 
 cat "$queries" | gql-cli http://localhost:8080/query -o FindVulnerabilitySbomURI_ubi9 | jq --sort-keys 'del(.. | .id?) | del(.. | .origin?) | .findVulnerabilityBySbomURI |= sort | .findVulnerabilityBySbomURI[].subject.namespaces[]?.names[]?.versions[]?.qualifiers? |= sort' > "${GUAC_DIR}/gotFindVulnerabilitySbomURI_ubi9.json"
 diff -u "${SCRIPT_DIR}/expectFindVulnerabilitySbomURI_ubi9.json" "${GUAC_DIR}/gotFindVulnerabilitySbomURI_ubi9.json"
 
 cat "$queries" | gql-cli http://localhost:8080/query -o FindVulnerabilitySbomURI_ubi8 | jq --sort-keys 'del(.. | .id?) | del(.. | .origin?) | .findVulnerabilityBySbomURI |= sort | .findVulnerabilityBySbomURI[].subject.namespaces[]?.names[]?.versions[]?.qualifiers? |= sort' > "${GUAC_DIR}/gotFindVulnerabilitySbomURI_ubi8.json"
 diff -u "${SCRIPT_DIR}/expectFindVulnerabilitySbomURI_ubi8.json" "${GUAC_DIR}/gotFindVulnerabilitySbomURI_ubi8.json"
 
-cat ./demo/graphql/queries-trustification.gql | gql-cli http://localhost:8080/query -o FindRelatedProducts | jq 'del(.. | .id?) | del(.. | .origin?) | .findTopLevelPackagesRelatedToVulnerability[] | length' > "${GUAC_DIR}/gotFindRelatedProducts.json"
-diff -u "${SCRIPT_DIR}/expectFindRelatedProducts.json" "${GUAC_DIR}/gotFindRelatedProducts.json"
+#cat ./demo/graphql/queries-trustification.gql | gql-cli http://localhost:8080/query -o FindRelatedProducts | jq 'del(.. | .id?) | del(.. | .origin?) | .findTopLevelPackagesRelatedToVulnerability[] | length' > "${GUAC_DIR}/gotFindRelatedProducts.json"
+#diff -u "${SCRIPT_DIR}/expectFindRelatedProducts.json" "${GUAC_DIR}/gotFindRelatedProducts.json"
 
-cat ./demo/graphql/queries-trustification.gql | gql-cli http://localhost:8080/query -o FindDependentProduct | jq 'del(.. | .id?) | del(.. | .downloadLocation?) | .findDependentProduct | sort_by(.digest)' > "${GUAC_DIR}/gotFindDependentProduct.json"
+cat ./demo/graphql/queries-trustification.gql | gql-cli http://localhost:8080/query -o FindDependentProduct | jq 'del(.. | .id?) | del(.. | .downloadLocation?) | del(.. | .origin?) | .findDependentProduct | sort_by(.digest)' > "${GUAC_DIR}/gotFindDependentProduct.json"
 diff -u "${SCRIPT_DIR}/expectFindDependentProduct.json" "${GUAC_DIR}/gotFindDependentProduct.json"
 
-cat ./demo/graphql/queries-trustification.gql | gql-cli http://localhost:8080/query -o HasSBOM | jq ' .HasSBOM |= sort ' > "${GUAC_DIR}/gotHasSBOM.json"
-diff -u "${SCRIPT_DIR}/expectHasSBOM.json" "${GUAC_DIR}/gotHasSBOM.json"
-
-cat ./demo/graphql/queries-trustification.gql | gql-cli http://localhost:8080/query -o Vulnerabilities | jq ' .vulnerabilities[].vulnerabilityIDs |= sort_by(.vulnerabilityID) ' > "${GUAC_DIR}/gotVulnerabilities.json"
-diff -u "${SCRIPT_DIR}/expectVulnerabilities.json" "${GUAC_DIR}/gotVulnerabilities.json"
-
 echo @@@@ Ingesting TC_1593_sbom.json into server
 time go run ./cmd/guacone collect files ${GUAC_DIR}/internal/testing/testdata/exampledata/TC_1593_sbom.json;
 
 echo @@@@ Running TC_1593 queries and validating output
 
-cat "$queries" | gql-cli http://localhost:8080/query -o TC_1593_HasMetadata | jq 'del(.. | .id?) | .HasMetadata | sort ' > "${GUAC_DIR}/gotTC_1593_HasMetadata.json"
-diff -u "${SCRIPT_DIR}/expectTC_1593_HasMetadata.json" "${GUAC_DIR}/gotTC_1593_HasMetadata.json"
-
-cat "$queries" | gql-cli http://localhost:8080/query -o TC_1593_FindDependentProduct | jq 'del(.. | .id?) | del(.. | .downloadLocation?) | .findDependentProduct' > "${GUAC_DIR}/gotTC_1593_FindDependentProduct.json"
+cat "$queries" | gql-cli http://localhost:8080/query -o TC_1593_FindDependentProduct | jq 'del(.. | .id?) | del(.. | .downloadLocation?) | del(.. | .origin?) | .findDependentProduct' > "${GUAC_DIR}/gotTC_1593_FindDependentProduct.json"
 diff -u "${SCRIPT_DIR}/expectTC_1593_FindDependentProduct.json" "${GUAC_DIR}/gotTC_1593_FindDependentProduct.json"
 
 # IMPORTANT: this must happen after the above 'ds1/sbom' has been executed to reproduce the issue
@@ -101,7 +107,7 @@ time go run ./cmd/guacone collect files ${GUAC_DIR}/internal/testing/testdata/ex
 
 echo @@@@ Running TC_1609 queries and validating output
 
-cat "$queries" | gql-cli http://localhost:8080/query -o TC_1609_HasMetadata | jq 'del(.. | .id?) | .HasMetadata | sort ' > "${GUAC_DIR}/gotTC_1609_HasMetadata.json"
-diff -u "${SCRIPT_DIR}/expectTC_1609_HasMetadata.json" "${GUAC_DIR}/gotTC_1609_HasMetadata.json"
+cat "$queries" | gql-cli http://localhost:8080/query -o TC_1609_FindDependentProduct | jq 'del(.. | .id?) | del(.. | .downloadLocation?) | del(.. | .origin?) | .findDependentProduct[].subject.namespaces[]?.names[]?.versions[]?.qualifiers? |= sort | .findDependentProduct' > "${GUAC_DIR}/gotTC_1609_FindDependentProduct.json"
+diff -u "${SCRIPT_DIR}/expectTC_1609_FindDependentProduct.json" "${GUAC_DIR}/gotTC_1609_FindDependentProduct.json"
 
 # Note: graphql_playground is left running, CI will clean it up
diff --git a/internal/testing/e2e-trustification/expectCVE_2023_1664.json b/internal/testing/e2e-trustification/expectCVE_2023_1664.json
@@ -0,0 +1,7 @@
+{
+  "CertifyVEXStatement": [
+    {
+      "documentRef": "sha256_bcb4eb22af2714f0f4fcc5acd58d4d9ef48290212816c7ad776fc50e716d93a2"
+    }
+  ]
+}
diff --git a/internal/testing/e2e-trustification/expectFindDependentProduct.json b/internal/testing/e2e-trustification/expectFindDependentProduct.json
@@ -29,8 +29,7 @@
     "uri": "https://access.redhat.com/security/data/sbom/beta/spdx/ubi8-container-1e7fb966-cc2a-41e2-8e9d-ab6fb97d67d6",
     "algorithm": "sha256",
     "digest": "046d27ab116a37333847bc8648ce0af78d36caf719f8a8fa0a3ef2cd8d0fab89",
-    "origin": "",
-    "collector": ""
+    "collector": "FileCollector"
   },
   {
     "subject": {
@@ -62,7 +61,6 @@
     "uri": "https://access.redhat.com/security/data/sbom/beta/spdx/ubi8-minimal-container-5b43ae22-cbf0-4626-8ec5-4ae0765a3d4b",
     "algorithm": "sha256",
     "digest": "3d99f13040baaa0e682e6e3e1500907a78babe741ab3d3c2bacc13963e1d3646",
-    "origin": "",
-    "collector": ""
+    "collector": "FileCollector"
   }
 ]