TC-2220 FindTopLevelPackagesRelatedToVulnerability: fix response builder

Signed-off-by: mrizzi <[email protected]>
trustification · Feb 4, 2025 · d85cffb · d85cffb
1 parent 6699821
commit d85cffb
Show file tree

Hide file tree

Showing 6 changed files with 469 additions and 26 deletions.
diff --git a/demo/graphql/queries-trustification.gql b/demo/graphql/queries-trustification.gql
@@ -502,3 +502,57 @@ query TC_1928_FindVulnerabilityBySbomURI {
     }
   }
 }
+
+mutation TC_2220_OSV_GHSA_vulnerability{
+  ingestVulnerability (
+    vuln: {
+      vulnerabilityInput : {
+        type: "osv"
+        vulnerabilityID: "GHSA-2363-cqg2-863c"
+      }
+    }
+  ){vulnerabilityNodeID}
+}
+
+mutation TC_2220_OSV_GHSA_certify_vuln {
+  ingestCertifyVuln(
+    pkg: {
+      packageInput: {
+        type: "maven"
+        namespace: "org.jdom"
+        name: "jdom"
+        version: "1.1"
+      }
+    }
+    vulnerability: {
+      vulnerabilityInput: {
+        type: "osv"
+        vulnerabilityID: "GHSA-2363-cqg2-863c"
+      }
+    }
+    certifyVuln: {
+      timeScanned: "2025-02-04T11:03:05.999999999Z"
+      dbUri: "test"
+      dbVersion: "0.0.0"
+      scannerUri: "test"
+      scannerVersion: "0.0.0"
+      origin: "test"
+      collector: "test"
+      documentRef: "test"
+    }
+  )
+}
+
+query TC_2220_find_product_by_cve {
+  findTopLevelPackagesRelatedToVulnerability(vulnerabilityID: "ghsa-2363-cqg2-863c") {
+    ... on CertifyVuln {
+      ...allCertifyVulnTree
+    }
+    ... on Package {
+      ...allPkgTree
+    }
+    ... on IsDependency {
+      ...allIsDependencyTree
+    }
+  }
+}
diff --git a/internal/testing/e2e-trustification/e2e b/internal/testing/e2e-trustification/e2e
@@ -113,7 +113,7 @@ time go run ./cmd/guacone collect files ${GUAC_DIR}/internal/testing/testdata/ex
 
 echo @@@@ Running TC_1609 queries and validating output
 
-cat "$queries" | gql-cli http://localhost:8080/query -o TC_1609_FindDependentProduct | jq 'del(.. | .id?) | del(.. | .downloadLocation?) | del(.. | .origin?) | .findDependentProduct[].subject.namespaces[]?.names[]?.versions[]?.qualifiers? |= sort | .findDependentProduct' > "${GUAC_DIR}/gotTC_1609_FindDependentProduct.json"
+cat "$queries" | gql-cli http://localhost:8080/query -o TC_1609_FindDependentProduct | jq 'del(.. | .id?) | del(.. | .downloadLocation?) | del(.. | .origin?) | .findDependentProduct | sort_by(.digest) | .[].subject.namespaces[]?.names[]?.versions[]?.qualifiers? |= sort | .' > "${GUAC_DIR}/gotTC_1609_FindDependentProduct.json"
 diff -u "${SCRIPT_DIR}/expectTC_1609_FindDependentProduct.json" "${GUAC_DIR}/gotTC_1609_FindDependentProduct.json"
 
 echo @@@@ Ingesting TC_1757_openssl-3.0.7-18.el9_2.spdx.json into server
@@ -166,11 +166,20 @@ echo @@@@ Ingesting alpine-cyclonedx.json into server for TC-1842
 time go run ./cmd/guacone collect files ${GUAC_DIR}/internal/testing/testdata/exampledata/alpine-cyclonedx.json;
 
 echo @@@@ Running TC-1842 queries and validating output
-cat "$queries" | gql-cli http://localhost:8080/query -o TC_1842_HasMetadata | jq 'del(.. | .id?) | .HasMetadata ' > "${GUAC_DIR}/gotTC_1842_HasMetadata.json"
+cat "$queries" | gql-cli http://localhost:8080/query -o TC_1842_HasMetadata | jq 'del(.. | .id?) | .HasMetadata[].subject.namespaces[]?.names[]?.versions[]?.qualifiers? |= sort | .HasMetadata ' > "${GUAC_DIR}/gotTC_1842_HasMetadata.json"
 diff -u "${SCRIPT_DIR}/expectTC_1842_HasMetadata.json" "${GUAC_DIR}/gotTC_1842_HasMetadata.json"
 
 echo @@@@ Running TC-1928 queries
 cat "$queries" | gql-cli http://localhost:8080/query -o TC_1928_FindVulnerabilityBySbomURI | jq ' .findVulnerabilityBySbomURI ' > "${GUAC_DIR}/gotTC_1928_FindVulnerabilityBySbomURI.json"
 diff -u "${SCRIPT_DIR}/expectTC_1928_FindVulnerabilityBySbomURI.json" "${GUAC_DIR}/gotTC_1928_FindVulnerabilityBySbomURI.json"
 
+echo @@@@ Ingesting data for TC-2220
+time go run ./cmd/guacone collect files ${GUAC_DIR}/internal/testing/testdata/exampledata/rhel-9.4-slimmed-down.json;
+cat "$queries" | gql-cli http://localhost:8080/query -o TC_2220_OSV_GHSA_vulnerability
+cat "$queries" | gql-cli http://localhost:8080/query -o TC_2220_OSV_GHSA_certify_vuln
+
+echo @@@@ Running TC-2220 queries
+cat "$queries" | gql-cli http://localhost:8080/query -o TC_2220_find_product_by_cve | jq 'del(.. | .id?) | del(.. | .origin?) | .findTopLevelPackagesRelatedToVulnerability[] ' > "${GUAC_DIR}/gotTC_2220_FindProductByCVE.json"
+diff -u "${SCRIPT_DIR}/expectTC_2220_FindProductByCVE.json" "${GUAC_DIR}/gotTC_2220_FindProductByCVE.json"
+
 # Note: graphql_playground is left running, CI will clean it up
diff --git a/internal/testing/e2e-trustification/expectTC_1609_FindDependentProduct.json b/internal/testing/e2e-trustification/expectTC_1609_FindDependentProduct.json
@@ -5,17 +5,21 @@
       "type": "maven",
       "namespaces": [
         {
-          "namespace": "com.example",
+          "namespace": "com.redhat.quarkus.platform",
           "names": [
             {
-              "name": "demo",
+              "name": "quarkus-bom",
               "versions": [
                 {
-                  "version": "0.0.1-SNAPSHOT",
+                  "version": "2.13.8.Final-redhat-00004",
                   "qualifiers": [
+                    {
+                      "key": "repository_url",
+                      "value": "https://maven.repository.redhat.com/ga/"
+                    },
                     {
                       "key": "type",
-                      "value": "jar"
+                      "value": "pom"
                     }
                   ],
                   "subpath": ""
@@ -26,9 +30,9 @@
         }
       ]
     },
-    "uri": "urn:uuid:4dd9ce9a-b3f2-47c9-b670-a7884f29fd21",
+    "uri": "https://access.redhat.com/security/data/sbom/beta/spdx/quarkus-bom-d6ecbbd9-31bf-46fd-afda-8082120f5260",
     "algorithm": "sha256",
-    "digest": "d2d350e6a166d24530297215b415a041cef1942394528bc8b625dd123a401341",
+    "digest": "4087ad9b170efe11192ff2dd28ec11c3c07e0d859dba42685d2665aa4086bcf8",
     "collector": "FileCollector"
   },
   {
@@ -37,21 +41,17 @@
       "type": "maven",
       "namespaces": [
         {
-          "namespace": "com.redhat.quarkus.platform",
+          "namespace": "com.example",
           "names": [
             {
-              "name": "quarkus-bom",
+              "name": "demo",
               "versions": [
                 {
-                  "version": "2.13.8.Final-redhat-00004",
+                  "version": "0.0.1-SNAPSHOT",
                   "qualifiers": [
-                    {
-                      "key": "repository_url",
-                      "value": "https://maven.repository.redhat.com/ga/"
-                    },
                     {
                       "key": "type",
-                      "value": "pom"
+                      "value": "jar"
                     }
                   ],
                   "subpath": ""
@@ -62,9 +62,9 @@
         }
       ]
     },
-    "uri": "https://access.redhat.com/security/data/sbom/beta/spdx/quarkus-bom-d6ecbbd9-31bf-46fd-afda-8082120f5260",
+    "uri": "urn:uuid:4dd9ce9a-b3f2-47c9-b670-a7884f29fd21",
     "algorithm": "sha256",
-    "digest": "4087ad9b170efe11192ff2dd28ec11c3c07e0d859dba42685d2665aa4086bcf8",
+    "digest": "d2d350e6a166d24530297215b415a041cef1942394528bc8b625dd123a401341",
     "collector": "FileCollector"
   }
 ]
diff --git a/internal/testing/e2e-trustification/expectTC_2220_FindProductByCVE.json b/internal/testing/e2e-trustification/expectTC_2220_FindProductByCVE.json
@@ -0,0 +1,205 @@
+[
+  {
+    "package": {
+      "type": "maven",
+      "namespaces": [
+        {
+          "namespace": "org.jdom",
+          "names": [
+            {
+              "name": "jdom",
+              "versions": [
+                {
+                  "version": "1.1",
+                  "qualifiers": [],
+                  "subpath": ""
+                }
+              ]
+            }
+          ]
+        }
+      ]
+    },
+    "vulnerability": {
+      "type": "osv",
+      "vulnerabilityIDs": [
+        {
+          "vulnerabilityID": "ghsa-2363-cqg2-863c"
+        }
+      ]
+    },
+    "metadata": {
+      "dbUri": "test",
+      "dbVersion": "0.0.0",
+      "scannerUri": "test",
+      "scannerVersion": "0.0.0",
+      "timeScanned": "2025-02-04T11:03:06Z",
+      "collector": "test"
+    }
+  },
+  {
+    "type": "maven",
+    "namespaces": [
+      {
+        "namespace": "org.jdom",
+        "names": [
+          {
+            "name": "jdom",
+            "versions": [
+              {
+                "version": "1.1",
+                "qualifiers": [],
+                "subpath": ""
+              }
+            ]
+          }
+        ]
+      }
+    ]
+  },
+  {
+    "justification": "Derived from SPDX CONTAINED_BY relationship",
+    "versionRange": "1.1",
+    "package": {
+      "type": "rpm",
+      "namespaces": [
+        {
+          "namespace": "redhat",
+          "names": [
+            {
+              "name": "maven-plugin-bundle",
+              "versions": [
+                {
+                  "version": "5.1.1-5.el9",
+                  "qualifiers": [
+                    {
+                      "key": "arch",
+                      "value": "src"
+                    }
+                  ],
+                  "subpath": ""
+                }
+              ]
+            }
+          ]
+        }
+      ]
+    },
+    "dependencyPackage": {
+      "type": "maven",
+      "namespaces": [
+        {
+          "namespace": "org.jdom",
+          "names": [
+            {
+              "name": "jdom",
+              "versions": [
+                {
+                  "version": "1.1",
+                  "qualifiers": [],
+                  "subpath": ""
+                }
+              ]
+            }
+          ]
+        }
+      ]
+    },
+    "collector": "FileCollector"
+  },
+  {
+    "type": "rpm",
+    "namespaces": [
+      {
+        "namespace": "redhat",
+        "names": [
+          {
+            "name": "maven-plugin-bundle",
+            "versions": [
+              {
+                "version": "5.1.1-5.el9",
+                "qualifiers": [
+                  {
+                    "key": "arch",
+                    "value": "src"
+                  }
+                ],
+                "subpath": ""
+              }
+            ]
+          }
+        ]
+      }
+    ]
+  },
+  {
+    "justification": "Derived from SPDX PACKAGE_OF relationship",
+    "versionRange": "5.1.1-5.el9",
+    "package": {
+      "type": "guac",
+      "namespaces": [
+        {
+          "namespace": "pkg",
+          "names": [
+            {
+              "name": "RHEL-9.4.0.Z.MAIN+EUS",
+              "versions": [
+                {
+                  "version": "9.4.0",
+                  "qualifiers": [],
+                  "subpath": ""
+                }
+              ]
+            }
+          ]
+        }
+      ]
+    },
+    "dependencyPackage": {
+      "type": "rpm",
+      "namespaces": [
+        {
+          "namespace": "redhat",
+          "names": [
+            {
+              "name": "maven-plugin-bundle",
+              "versions": [
+                {
+                  "version": "5.1.1-5.el9",
+                  "qualifiers": [
+                    {
+                      "key": "arch",
+                      "value": "src"
+                    }
+                  ],
+                  "subpath": ""
+                }
+              ]
+            }
+          ]
+        }
+      ]
+    },
+    "collector": "FileCollector"
+  },
+  {
+    "type": "guac",
+    "namespaces": [
+      {
+        "namespace": "pkg",
+        "names": [
+          {
+            "name": "RHEL-9.4.0.Z.MAIN+EUS",
+            "versions": [
+              {
+                "version": "9.4.0",
+                "qualifiers": [],
+                "subpath": ""
+              }
+            ]
+          }
+        ]
+      }
+    ]
+  }
+]