From bab7196057e803083bc18f4e38d6ffb565d481f6 Mon Sep 17 00:00:00 2001
From: Dejan Bosanac
Date: Thu, 23 Nov 2023 13:33:03 +0100
Subject: [PATCH] doc: add trustification related documentation
---
docs/trustification.md | 64 +++++++++++
example/queries/product_by_package.gql | 55 ++++++++++
example/queries/product_by_vulnerability.gql | 73 +++++++++++++
.../queries/vulnerabilities_by_product.gql | 103 ++++++++++++++++++
4 files changed, 295 insertions(+)
create mode 100644 docs/trustification.md
create mode 100644 example/queries/product_by_package.gql
create mode 100644 example/queries/product_by_vulnerability.gql
create mode 100644 example/queries/vulnerabilities_by_product.gql
diff --git a/docs/trustification.md b/docs/trustification.md
new file mode 100644
index 0000000..2f65371
--- /dev/null
+++ b/docs/trustification.md
@@ -0,0 +1,64 @@
+In order to use `guac-rs` library with [trustification](http://trustification.io), start
+
+* Run core trustification services
+
+```
+$ [trustification/deploy/compose] docker-compose -f compose.yaml -f compose-guac.yaml up --force-recreate
+```
+
+* You can run the rest of the services manually
+
+```
+$ [trustification] RUST_LOG=info cargo run -p trust -- vexination api --devmode &
+RUST_LOG=info cargo run -p trust -- bombastic api --devmode &
+RUST_LOG=info cargo run -p trust -- v11y api --devmode &
+RUST_LOG=info cargo run -p trust -- vexination indexer --devmode &
+RUST_LOG=info cargo run -p trust -- bombastic indexer --devmode &
+RUST_LOG=info cargo run -p trust -- v11y indexer --devmode &
+```
+
+* You might want to run SPoG API separately as that's the service that uses `guac-rs` library the most
+
+```
+RUST_LOG=info cargo run -p trust -- spog api --devmode
+```
+
+* Ingest SBOM data from the ds1 set
+
+```
+$ [trustification] RUST_LOG=info cargo run -p trust bombastic walker --sink http://localhost:8082 --devmode --source ./data/ds1/sbom
+```
+
+* After SBOMs have been ingested, ingest the VEX files
+
+```
+$ [trustification] RUST_LOG=info cargo run -p trust -- vexination walker --devmode -3 --sink http://localhost:8081/api/v1/vex --source ./data/ds1/csaf
+```
+
+* After this Trustification and Guac should be properly configured and populated with the test dataset
+* You can access [Guac GraphQL explorer](http://localhost:8085)
+* Some example generic queries to run can be found [here](https://github.com/guacsec/guac/tree/main/pkg/assembler/graphql/examples)
+* Examples of trustification specific queries can be found [here](../example/queries/)
+* You can also access the database directly with
+```
+psql -h localhost -U guac guac
+```
+and explore the data
+* [Examples](../lib/tests/spog.rs) are set to run against the instance of Guac started in the trustification context. These contain a good example of how to use some of these queries.
+
+TODO: They don't work with ds1 dataset and are more examples than tests. If un-ignored, they can be ran as
+
+```
+cargo test product_by_cve -- --nocapture
+```
+
+* SPoG API uses guac-rs to make queries to the Guac. It also contains a few examples currently described as [tests](https://github.com/trustification/trustification/blob/main/spog/api/src/service/guac.rs), which can be ran against running Guac instance
+
+
+* SPoG API can be also tested directly, like for example
+
+```
+$ TOKEN=$(curl -s -d "client_id=walker" -d "client_secret=ZVzq9AMOVUdMY1lSohpx1jI3aW56QDPS" -d 'grant_type=client_credentials' \
+ 'http://localhost:8090/realms/chicken/protocol/openid-connect/token' | jq -r .access_token)
+$ curl -v -X GET --oauth2-bearer $TOKEN "http://localhost:8083/api/v1/cve/cve-2023-34454/related-products" | jq
+```
diff --git a/example/queries/product_by_package.gql b/example/queries/product_by_package.gql
new file mode 100644
index 0000000..af6daa7
--- /dev/null
+++ b/example/queries/product_by_package.gql
@@ -0,0 +1,55 @@
+query dependentProductQuarkus {
+ findDependentProduct(
+ purl: "pkg:maven/org.xerial.snappy/snappy-java@1.1.8.4-redhat-00003"
+ ) {
+ uri
+ subject {
+ ... on Package {
+ type
+ namespaces {
+ namespace
+ names {
+ name
+ versions {
+ id
+ version
+ qualifiers {
+ key
+ value
+ }
+ subpath
+ }
+ }
+ }
+ }
+ }
+ }
+}
+
+query dependentProductUBI8 {
+ findDependentProduct(
+ purl: "pkg:rpm/redhat/libuuid@2.32.1-42.el8_8?arch=x86_64", offset: 0, limit: 10
+ ) {
+ uri
+ subject {
+ ... on Package {
+ type
+ namespaces {
+ namespace
+ names {
+ name
+ versions {
+ id
+ version
+ qualifiers {
+ key
+ value
+ }
+ subpath
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/example/queries/product_by_vulnerability.gql b/example/queries/product_by_vulnerability.gql
new file mode 100644
index 0000000..bac32a1
--- /dev/null
+++ b/example/queries/product_by_vulnerability.gql
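Review bot: `dependentProductQuarkus` calls `findDependentProduct` with only `purl`, while `dependentProductUBI8` right below it also passes `offset: 0, limit: 10`; as a copy-paste example the first query is unbounded and, unless the resolver applies a default page size (not visible here), will return every dependent product of a widely used snappy-java version. I would make the two examples consistent: `purl: "pkg:maven/org.xerial.snappy/snappy-java@1.1.8.4-redhat-00003", offset: 0, limit: 10`. A one-line `#` comment above each query saying what it answers (the products that depend on the given package, paginated) would also help readers who open this file before the docs.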
@@ -0,0 +1,73 @@
+query findTopLevelPackagesRelatedToVulnerability {
+ findTopLevelPackagesRelatedToVulnerability (vulnerabilityID: "cve-2022-2284" ) {
+ __typename
+ ... on CertifyVEXStatement {
+ ...allCertifyVEXStatementTree
+ }
+ ... on Package {
+ id
+ type
+ namespaces {
+ id
+ namespace
+ names {
+ name
+ versions {
+ version
+ }
+ }
+ }
+ }
+ ... on IsDependency {
+ dependencyType
+ }
+ }
+}
+
+fragment allCertifyVEXStatementTree on CertifyVEXStatement {
+ id
+ subject {
+ __typename
+ ... on Package {
+ id
+ type
+ namespaces {
+ id
+ namespace
+ names {
+ id
+ name
+ versions {
+ id
+ version
+ qualifiers {
+ key
+ value
+ }
+ subpath
+ }
+ }
+ }
+ }
+ ... on Artifact {
+ id
+ algorithm
+ digest
+ }
+ }
+ vulnerability {
+ id
+ type
+ vulnerabilityIDs {
+ id
+ vulnerabilityID
+ }
+ }
+ status
+ vexJustification
+ statement
+ statusNotes
+ knownSince
+ origin
+ collector
+}
diff --git a/example/queries/vulnerabilities_by_product.gql b/example/queries/vulnerabilities_by_product.gql
new file mode 100644
index 0000000..8ac4d67
--- /dev/null
+++ b/example/queries/vulnerabilities_by_product.gql
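Review bot: Nothing in the file explains what the union returned by `findTopLevelPackagesRelatedToVulnerability` contains or why `cve-2022-2284` in lower case is used, so a reader cannot tell whether the id is dataset-specific or whether that casing is required. I would add a header comment along the lines of `# Top-level (product) packages related to a vulnerability, together with the VEX statements and dependency edges that link them; the lower-case CVE id presumably matches an entry in the ingested ds1 dataset — replace it with your own.` The `... on IsDependency` branch selects only `dependencyType`, which cannot be correlated back to a package or VEX statement elsewhere in the result; if that type exposes `id` like the other branches do, selecting it as well would make the example usable beyond a demo.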
@@ -0,0 +1,103 @@
+query findVulnerabilityBySbomURI {
+ #findVulnerabilityBySbomURI(sbomURI: "https://access.redhat.com/security/data/sbom/beta/spdx/rhel-7.9.z-c98403ce-5e02-4278-98ec-b36ecd1f46a5") {
+ findVulnerabilityBySbomURI(sbomURI: "https://access.redhat.com/security/data/sbom/beta/spdx/quarkus-bom-b52acd7c-3a3f-441e-aef0-bbdaa1ec8acf") {
+ __typename
+ ... on CertifyVEXStatement {
+ ...allCertifyVEXStatementTree
+ }
+ ... on CertifyVuln {
+ ...allCertifyVulnTree
+ }
+ }
+}
+
+fragment allCertifyVulnTree on CertifyVuln {
+ id
+ package {
+ id
+ type
+ namespaces {
+ id
+ namespace
+ names {
+ id
+ name
+ versions {
+ id
+ version
+ qualifiers {
+ key
+ value
+ }
+ subpath
+ }
+ }
+ }
+ }
+ vulnerability {
+ id
+ type
+ vulnerabilityIDs {
+ id
+ vulnerabilityID
+ }
+ }
+ metadata {
+ dbUri
+ dbVersion
+ scannerUri
+ scannerVersion
+ timeScanned
+ origin
+ collector
+ }
+}
+
+
+fragment allCertifyVEXStatementTree on CertifyVEXStatement {
+ id
+ subject {
+ __typename
+ ... on Package {
+ id
+ type
+ namespaces {
+ id
+ namespace
+ names {
+ id
+ name
+ versions {
+ id
+ version
+ qualifiers {
+ key
+ value
+ }
+ subpath
+ }
+ }
+ }
+ }
+ ... on Artifact {
+ id
+ algorithm
+ digest
+ }
+ }
+ vulnerability {
+ id
+ type
+ vulnerabilityIDs {
+ id
+ vulnerabilityID
+ }
+ }
+ status
+ vexJustification
+ statement
+ statusNotes
+ knownSince
+ origin
+ collector
+}
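Review bot: The `sbomURI` argument is a hard-coded `https://access.redhat.com/...` URL with a second one left commented out, and nothing says whether GUAC treats it as the identifier of an already-ingested SBOM or fetches it over the network; a reader is likely to assume the latter. I would turn the bare commented-out line into an explanatory comment, e.g. `# sbomURI is the document URI recorded when the SBOM was ingested (presumably the SPDX document namespace), not a URL that is fetched; substitute one from your own dataset — the rhel-7.9.z and quarkus-bom documents are two examples.` The `allCertifyVEXStatementTree` fragment is repeated verbatim from product_by_vulnerability.gql; that is unavoidable for standalone .gql files, but a short comment noting the duplication would warn the next editor to keep the two copies in sync.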