
Set implied relationships for SBOM components in analysis graph #1027


@JimFuller-RedHat JimFuller-RedHat commented Nov 20, 2024

SPDX/cyclonedx both allow defining components without any explicit relationship.

In our internal logical database we consider the existence of a component in an SBOM to have an implied Undefined relationship with the DESCRIBES component.

This PR ensures we do the same in the analysis graph.

Example:

Where quarkus-vertx-http component has no defined relationship (in etc/test-data/spdx/quarkus-bom-3.2.11.Final-redhat-00001.json)

>curl -H "Authorization:$(oidc token testing-client --bearer)" "http://localhost:8080/api/v1/analysis/root-component/quarkus-vertx-http"  | jq | bat --language=json

Previously this would list no ancestor component, as no explicit dependency was defined in the SBOM and thus no relationship was set in the analysis graph.

{
  "sbom_id": "01934961-44a7-7b51-8675-2e613fde4334",
  "node_id": "SPDXRef-dfe6bb5c-fc2e-4115-a11e-75947122dbc0",
  "purl": "pkg:maven/io.quarkus/[email protected]?type=jar&repository_url=https://maven.repository.redhat.com/ga/",
  "name": "quarkus-vertx-http-deployment",
  "version": "3.2.11.Final-redhat-00001",
  "published": "2024-05-28 09:26:01+00",
  "document_id": "https://access.redhat.com/security/data/sbom/spdx/quarkus-bom-3.2.11.Final-redhat-00001",
  "product_name": "quarkus-bom",
  "product_version": "3.2.11.Final-redhat-00001",
  "ancestors": []
}

Now we get an ancestor component with a relationship key:

{
  "sbom_id": "01934961-44a7-7b51-8675-2e613fde4334",
  "node_id": "SPDXRef-dfe6bb5c-fc2e-4115-a11e-75947122dbc0",
  "purl": "pkg:maven/io.quarkus/[email protected]?type=jar&repository_url=https://maven.repository.redhat.com/ga/",
  "name": "quarkus-vertx-http-deployment",
  "version": "3.2.11.Final-redhat-00001",
  "published": "2024-05-28 09:26:01+00",
  "document_id": "https://access.redhat.com/security/data/sbom/spdx/quarkus-bom-3.2.11.Final-redhat-00001",
  "product_name": "quarkus-bom",
  "product_version": "3.2.11.Final-redhat-00001",
  "ancestors": [
    {
      "sbom_id": "01934961-44a7-7b51-8675-2e613fde4334",
      "node_id": "SPDXRef-2d16b9fa-2dfb-44e5-abab-dc32fcd49628",
      "relationship": "Undefined",
      "purl": "pkg:maven/com.redhat.quarkus.platform/[email protected]?type=pom&repository_url=https://maven.repository.redhat.com/ga/",
      "name": "quarkus-bom",
      "version": "3.2.11.Final-redhat-00001"
    }
  ]
}

This work supports correlation work litigated in #1014
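The implied-relationship rule from the description, as an added Rust example that is not the PR's code: it models a constructed SPDX-like SBOM (the `Sbom` and `Rel` types, the `ancestors` function and the package ids are all invented here) and gives every package that appears in no explicit relationship an Undefined ancestor edge from the DESCRIBES component, so the ancestor query no longer comes back empty for such components.

```rust
use std::collections::{BTreeMap, BTreeSet};

/// Relationship kinds in the analysis graph (constructed subset;
/// Undefined is the implied kind the PR introduces).
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Rel { Describes, DependsOn, Undefined }

/// A minimal SBOM: the package the document DESCRIBES, every package id,
/// and the explicit (from, rel, to) edges found in the document.
pub struct Sbom {
    pub describes: &'static str,
    pub packages: Vec<&'static str>,
    pub edges: Vec<(&'static str, Rel, &'static str)>,
}

/// Ancestor map: child -> [(parent, relationship)]. Packages that occur in
/// no explicit relationship get an implied Undefined edge from the
/// DESCRIBES component, mirroring the behaviour described in the PR.
pub fn ancestors(sbom: &Sbom) -> BTreeMap<&'static str, Vec<(&'static str, Rel)>> {
    let mut map: BTreeMap<&'static str, Vec<(&'static str, Rel)>> = BTreeMap::new();
    let mut related: BTreeSet<&'static str> = BTreeSet::new();
    for &(from, rel, to) in &sbom.edges {
        related.insert(from);
        related.insert(to);
        map.entry(to).or_default().push((from, rel));
    }
    for &p in &sbom.packages {
        if p != sbom.describes && !related.contains(p) {
            map.entry(p).or_default().push((sbom.describes, Rel::Undefined));
        }
    }
    map
}

/// Constructed sample: quarkus-core has an explicit edge, the
/// vertx-http deployment package has none (as in the PR's test data).
pub fn sample() -> Sbom {
    Sbom {
        describes: "quarkus-bom",
        packages: vec!["quarkus-bom", "quarkus-core", "quarkus-vertx-http-deployment"],
        edges: vec![
            ("SPDXRef-DOCUMENT", Rel::Describes, "quarkus-bom"),
            ("quarkus-bom", Rel::DependsOn, "quarkus-core"),
        ],
    }
}

fn main() {
    for (child, parents) in ancestors(&sample()) {
        println!("{child}: {parents:?}");
    }
}
```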

@JimFuller-RedHat JimFuller-RedHat added the Vulnerability Correlation Correlation of vulnerabilities to Packages, SBOMs and Products label Nov 20, 2024
@JimFuller-RedHat JimFuller-RedHat self-assigned this Nov 20, 2024

@dejanb dejanb left a comment


LGTM


@ctron ctron left a comment


I think there are a few things to iron out.

Also, let's have a chat about whether this is the right approach. To my understanding, this only affects the in-memory model, not the actual DB data, right?

@JimFuller-RedHat JimFuller-RedHat force-pushed the correlation-implicit-relationships branch 2 times, most recently from cd1aa2d to 31d5465 Compare November 21, 2024 12:07
@JimFuller-RedHat

@dejanb @ctron - added relationship type with 'Undefined' for this kind of relationship.

@JimFuller-RedHat JimFuller-RedHat force-pushed the correlation-implicit-relationships branch 2 times, most recently from fb5b9cc to 10a2aeb Compare November 21, 2024 13:12
…ps we now set an implied relationship in analysis graph.
@JimFuller-RedHat JimFuller-RedHat force-pushed the correlation-implicit-relationships branch from 10a2aeb to 963319e Compare November 21, 2024 13:37
@JimFuller-RedHat JimFuller-RedHat added this pull request to the merge queue Nov 21, 2024
Merged via the queue into trustification:main with commit 81f0c12 Nov 21, 2024
3 checks passed
@JimFuller-RedHat JimFuller-RedHat deleted the correlation-implicit-relationships branch November 21, 2024 14:14