Merge branch 'guacsec:main' into main

sunnyyip · Sep 14, 2023 · aa219a9 · aa219a9
2 parents 45014f0 + 6dfd549
commit aa219a9
Show file tree

Hide file tree

Showing 30 changed files with 3,867 additions and 672 deletions.
diff --git a/cmd/guacone/cmd/files.go b/cmd/guacone/cmd/files.go
@@ -145,6 +145,7 @@ var filesCmd = &cobra.Command{
 				gotErr = true
 				return fmt.Errorf("unable to ingest document: %w", err)
 			}
+			totalSuccess += 1
 			return nil
 		}
 

diff --git a/internal/testing/e2e/e2e b/internal/testing/e2e/e2e
@@ -36,6 +36,8 @@ popd
 echo @@@@ Starting up guac server in background
 go run "${GUAC_DIR}/cmd/guacgql" &
 
+sleep 15
+
 echo @@@@ Ingesting guac-data into server
 go run "${GUAC_DIR}/cmd/guacone" collect files "${GUAC_DIR}/guac-data/docs/"
 

diff --git a/internal/testing/mocks/backend.go b/internal/testing/mocks/backend.go
diff --git a/internal/testing/testdata/testdata.go b/internal/testing/testdata/testdata.go
@@ -734,10 +734,77 @@ var (
 		},
 	}
 
+	SpdxCertifyLegal = []assembler.CertifyLegalIngest{
+		{
+			Pkg: baselayoutPack,
+			Declared: []model.LicenseInputSpec{
+				{
+					Name:        "GPL-2.0-only",
+					ListVersion: ptrfrom.String("3.18"),
+				},
+			},
+			Discovered: []model.LicenseInputSpec{
+				{
+					Name:        "GPL-2.0-only",
+					ListVersion: ptrfrom.String("3.18"),
+				},
+			},
+			CertifyLegal: &model.CertifyLegalInputSpec{
+				DeclaredLicense:   "GPL-2.0-only",
+				DiscoveredLicense: "GPL-2.0-only",
+				Justification:     "Found in SPDX document.",
+				TimeScanned:       parseRfc3339("2022-09-24T17:27:55.556104Z"),
+			},
+		},
+		{
+			Pkg: baselayoutdataPack,
+			Declared: []model.LicenseInputSpec{
+				{
+					Name:        "GPL-2.0-only",
+					ListVersion: ptrfrom.String("3.18"),
+				},
+			},
+			Discovered: []model.LicenseInputSpec{
+				{
+					Name:        "GPL-2.0-only",
+					ListVersion: ptrfrom.String("3.18"),
+				},
+			},
+			CertifyLegal: &model.CertifyLegalInputSpec{
+				DeclaredLicense:   "GPL-2.0-only",
+				DiscoveredLicense: "GPL-2.0-only",
+				Justification:     "Found in SPDX document.",
+				TimeScanned:       parseRfc3339("2022-09-24T17:27:55.556104Z"),
+			},
+		},
+		{
+			Pkg: keysPack,
+			Declared: []model.LicenseInputSpec{
+				{
+					Name:        "MIT",
+					ListVersion: ptrfrom.String("3.18"),
+				},
+			},
+			Discovered: []model.LicenseInputSpec{
+				{
+					Name:        "MIT",
+					ListVersion: ptrfrom.String("3.18"),
+				},
+			},
+			CertifyLegal: &model.CertifyLegalInputSpec{
+				DeclaredLicense:   "MIT",
+				DiscoveredLicense: "MIT",
+				Justification:     "Found in SPDX document.",
+				TimeScanned:       parseRfc3339("2022-09-24T17:27:55.556104Z"),
+			},
+		},
+	}
+
 	SpdxIngestionPredicates = assembler.IngestPredicates{
 		IsDependency: SpdxDeps,
 		IsOccurrence: SpdxOccurences,
 		HasSBOM:      SpdxHasSBOM,
+		CertifyLegal: SpdxCertifyLegal,
 	}
 
 	// CycloneDX Testdata
@@ -2613,6 +2680,8 @@ var IngestPredicatesCmpOpts = []cmp.Option{
 	cmpopts.SortSlices(packageQualifierInputSpecLess),
 	cmpopts.SortSlices(psaInputSpecLess),
 	cmpopts.SortSlices(slsaPredicateInputSpecLess),
+	cmpopts.SortSlices(certifyLegalInputSpecLess),
+	cmpopts.SortSlices(licenseInputSpecLess),
 }
 
 func certifyScorecardLess(e1, e2 assembler.CertifyScorecardIngest) bool {
@@ -2639,6 +2708,14 @@ func slsaPredicateInputSpecLess(e1, e2 model.SLSAPredicateInputSpec) bool {
 	return gLess(e1, e2)
 }
 
+func certifyLegalInputSpecLess(e1, e2 assembler.CertifyLegalIngest) bool {
+	return gLess(e1, e2)
+}
+
+func licenseInputSpecLess(e1, e2 generated.LicenseInputSpec) bool {
+	return gLess(e1, e2)
+}
+
 func gLess(e1, e2 any) bool {
 	s1, _ := json.Marshal(e1)
 	s2, _ := json.Marshal(e2)

diff --git a/pkg/assembler/assembler.go b/pkg/assembler/assembler.go
@@ -47,6 +47,7 @@ type IngestPredicates struct {
 	PointOfContact   []PointOfContactIngest   `json:"contact,omitempty"`
 	VulnMetadata     []VulnMetadataIngest     `json:"vulnMetadata,omitempty"`
 	HasMetadata      []HasMetadataIngest      `json:"hasMetadata,omitempty"`
+	CertifyLegal     []CertifyLegalIngest     `json:"certifyLegal,omitempty"`
 }
 
 type CertifyScorecardIngest struct {
@@ -184,6 +185,16 @@ type PkgEqualIngest struct {
 	PkgEqual *generated.PkgEqualInputSpec `json:"pkgEqual,omitempty"`
 }
 
+type CertifyLegalIngest struct {
+	Pkg *generated.PkgInputSpec    `json:"pkg,omitempty"`
+	Src *generated.SourceInputSpec `json:"src,omitempty"`
+
+	Declared   []generated.LicenseInputSpec `json:"declared,omitempty"`
+	Discovered []generated.LicenseInputSpec `json:"discovered,omitempty"`
+
+	CertifyLegal *generated.CertifyLegalInputSpec `json:"certifyLegal,omitempty"`
+}
+
 func (i IngestPredicates) GetPackages(ctx context.Context) []*generated.PkgInputSpec {
 	packageMap := make(map[string]*generated.PkgInputSpec)
 	for _, dep := range i.IsDependency {
@@ -286,6 +297,14 @@ func (i IngestPredicates) GetPackages(ctx context.Context) []*generated.PkgInput
 			}
 		}
 	}
+	for _, cl := range i.CertifyLegal {
+		if cl.Pkg != nil {
+			pkgPurl := helpers.PkgInputSpecToPurl(cl.Pkg)
+			if _, ok := packageMap[pkgPurl]; !ok {
+				packageMap[pkgPurl] = cl.Pkg
+			}
+		}
+	}
 	packages := make([]*generated.PkgInputSpec, 0, len(packageMap))
 
 	for _, pkg := range packageMap {
@@ -352,6 +371,14 @@ func (i IngestPredicates) GetSources(ctx context.Context) []*generated.SourceInp
 			}
 		}
 	}
+	for _, cl := range i.CertifyLegal {
+		if cl.Src != nil {
+			sourceString := concatenateSourceInput(cl.Src)
+			if _, ok := sourceMap[sourceString]; !ok {
+				sourceMap[sourceString] = cl.Src
+			}
+		}
+	}
 	sources := make([]*generated.SourceInputSpec, 0, len(sourceMap))
 
 	for _, source := range sourceMap {
@@ -527,6 +554,29 @@ func (i IngestPredicates) GetVulnerabilities(ctx context.Context) []*generated.V
 	return vulns
 }
 
+func (i IngestPredicates) GetLicenses(ctx context.Context) []generated.LicenseInputSpec {
+	licenseMap := make(map[string]*generated.LicenseInputSpec)
+	for _, cl := range i.CertifyLegal {
+		for i := range cl.Declared {
+			k := licenseKey(&cl.Declared[i])
+			if _, ok := licenseMap[k]; !ok {
+				licenseMap[k] = &cl.Declared[i]
+			}
+		}
+		for i := range cl.Discovered {
+			k := licenseKey(&cl.Discovered[i])
+			if _, ok := licenseMap[k]; !ok {
+				licenseMap[k] = &cl.Discovered[i]
+			}
+		}
+	}
+	licenses := make([]generated.LicenseInputSpec, 0, len(licenseMap))
+	for _, license := range licenseMap {
+		licenses = append(licenses, *license)
+	}
+	return licenses
+}
+
 func concatenateSourceInput(source *generated.SourceInputSpec) string {
 	var sourceElements []string
 	sourceElements = append(sourceElements, source.Type, source.Namespace, source.Name)
@@ -539,5 +589,12 @@ func concatenateSourceInput(source *generated.SourceInputSpec) string {
 	return strings.Join(sourceElements, "/")
 }
 
+func licenseKey(l *generated.LicenseInputSpec) string {
+	if l.ListVersion != nil && *l.ListVersion != "" {
+		return strings.Join([]string{l.Name, *l.ListVersion}, ":")
+	}
+	return l.Name
+}
+
 // AssemblerInput represents the inputs to add to the graph
 type AssemblerInput = IngestPredicates
diff --git a/pkg/assembler/assembler_test.go b/pkg/assembler/assembler_test.go
@@ -84,6 +84,7 @@ func TestIngestPredicates(t *testing.T) {
 		wantMaterials []generated.ArtifactInputSpec
 		wantBuilder   []*generated.BuilderInputSpec
 		wantVuln      []*generated.VulnerabilityInputSpec
+		wantLicense   []generated.LicenseInputSpec
 	}{{
 		name: "get nouns",
 		field: IngestPredicates{
@@ -627,6 +628,60 @@ func TestIngestPredicates(t *testing.T) {
 					},
 				},
 			},
+			CertifyLegal: []CertifyLegalIngest{
+				{
+					Pkg: maven,
+					Declared: []generated.LicenseInputSpec{
+						{
+							Name:        "asdf",
+							ListVersion: ptrfrom.String("1.2.3"),
+						},
+					},
+					Discovered: []generated.LicenseInputSpec{
+						{
+							Name:        "asdf",
+							ListVersion: ptrfrom.String("1.2.3"),
+						},
+						{
+							Name:        "qwer",
+							ListVersion: ptrfrom.String("1.2.3"),
+						},
+					},
+					CertifyLegal: &generated.CertifyLegalInputSpec{
+						DeclaredLicense:   "asdf",
+						DiscoveredLicense: "asdf AND qwer",
+						Attribution:       "Copyright Jeff",
+						Justification:     "Scanner foo",
+						TimeScanned:       toTime("2022-10-06"),
+					},
+				},
+				{
+					Pkg: openSSL,
+					Declared: []generated.LicenseInputSpec{
+						{
+							Name:        "qwer",
+							ListVersion: ptrfrom.String("1.2.3"),
+						},
+					},
+					Discovered: []generated.LicenseInputSpec{
+						{
+							Name:        "qwer",
+							ListVersion: ptrfrom.String("1.2.3"),
+						},
+						{
+							Name:   "LicenseRef-123",
+							Inline: ptrfrom.String("This is the license text."),
+						},
+					},
+					CertifyLegal: &generated.CertifyLegalInputSpec{
+						DeclaredLicense:   "qwer",
+						DiscoveredLicense: "qwer AND LicenseRef-123",
+						Attribution:       "Copyright Jeff",
+						Justification:     "Scanner foo",
+						TimeScanned:       toTime("2022-10-06"),
+					},
+				},
+			},
 		},
 		wantPkg:    []*generated.PkgInputSpec{rootFilePack, maven, openSSL, openSSLWithQualifier, topLevelPack, baselayoutPack, baselayoutdataPack, worldFilePack},
 		wantSource: []*generated.SourceInputSpec{k8sSource},
@@ -733,6 +788,20 @@ func TestIngestPredicates(t *testing.T) {
 				VulnerabilityID: "ghsa-p6xc-xr62-6r2g",
 			},
 		},
+		wantLicense: []generated.LicenseInputSpec{
+			{
+				Name:        "qwer",
+				ListVersion: ptrfrom.String("1.2.3"),
+			},
+			{
+				Name:        "asdf",
+				ListVersion: ptrfrom.String("1.2.3"),
+			},
+			{
+				Name:   "LicenseRef-123",
+				Inline: ptrfrom.String("This is the license text."),
+			},
+		},
 	}}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -776,6 +845,12 @@ func TestIngestPredicates(t *testing.T) {
 			if diff := cmp.Diff(tt.wantVuln, gotVulns, cmpopts.SortSlices(vulnSort)); diff != "" {
 				t.Errorf("Unexpected gotVulns results. (-want +got):\n%s", diff)
 			}
+
+			gotLicenses := i.GetLicenses(ctx)
+			licSort := func(a, b generated.LicenseInputSpec) bool { return a.Name < b.Name }
+			if diff := cmp.Diff(tt.wantLicense, gotLicenses, cmpopts.SortSlices(licSort)); diff != "" {
+				t.Errorf("Unexpected GetLicenses results. (-want +got):\n%s", diff)
+			}
 		})
 	}
 }

diff --git a/pkg/assembler/backends/arangodb/backend.go b/pkg/assembler/backends/arangodb/backend.go
@@ -107,6 +107,14 @@ const (
 	hasMetadataArtEdgesStr        string = "hasMetadataArtEdges"
 	hasMetadataStr                string = "hasMetadataCollection"
 
+	// pointOfContact collection
+
+	pointOfContactPkgVersionEdgesStr string = "pointOfContactPkgVersionEdges"
+	pointOfContactPkgNameEdgesStr    string = "pointOfContactPkgNameEdges"
+	pointOfContactSrcEdgesStr        string = "pointOfContactSrcEdges"
+	pointOfContactArtEdgesStr        string = "pointOfContactArtEdges"
+	pointOfContactStr                string = "pointOfContacts"
+
 	// hasSBOM collection
 
 	hasSBOMPkgEdgesStr string = "hasSBOMPkgEdges"
@@ -388,6 +396,27 @@ func getBackend(ctx context.Context, args backends.BackendArgs) (backends.Backen
 		hasMetadataSrcEdges.From = []string{srcNamesStr}
 		hasMetadataSrcEdges.To = []string{hasMetadataStr}
 
+		// setup pointOfContact collections
+		var pointOfContactPkgVersionEdges driver.EdgeDefinition
+		pointOfContactPkgVersionEdges.Collection = pointOfContactPkgVersionEdgesStr
+		pointOfContactPkgVersionEdges.From = []string{pkgVersionsStr}
+		pointOfContactPkgVersionEdges.To = []string{pointOfContactStr}
+
+		var pointOfContactPkgNameEdges driver.EdgeDefinition
+		pointOfContactPkgNameEdges.Collection = pointOfContactPkgNameEdgesStr
+		pointOfContactPkgNameEdges.From = []string{pkgNamesStr}
+		pointOfContactPkgNameEdges.To = []string{pointOfContactStr}
+
+		var pointOfContactArtEdges driver.EdgeDefinition
+		pointOfContactArtEdges.Collection = pointOfContactArtEdgesStr
+		pointOfContactArtEdges.From = []string{artifactsStr}
+		pointOfContactArtEdges.To = []string{pointOfContactStr}
+
+		var pointOfContactSrcEdges driver.EdgeDefinition
+		pointOfContactSrcEdges.Collection = pointOfContactSrcEdgesStr
+		pointOfContactSrcEdges.From = []string{srcNamesStr}
+		pointOfContactSrcEdges.To = []string{pointOfContactStr}
+
 		// setup hasSBOM collections
 		var hasSBOMPkgEdges driver.EdgeDefinition
 		hasSBOMPkgEdges.Collection = hasSBOMPkgEdgesStr
@@ -512,7 +541,8 @@ func getBackend(ctx context.Context, args backends.BackendArgs) (backends.Backen
 			certifyBadArtEdges, certifyBadSrcEdges, certifyGoodPkgVersionEdges, certifyGoodPkgNameEdges, certifyGoodArtEdges, certifyGoodSrcEdges,
 			certifyVexPkgEdges, certifyVexArtEdges, certifyVexVulnEdges, vulnMetadataEdges, vulnEqualVulnEdges, vulnEqualSubjectVulnEdges,
 			pkgEqualPkgEdges, pkgEqualSubjectPkgEdges, hasMetadataPkgVersionEdges, hasMetadataPkgNameEdges,
-			hasMetadataArtEdges, hasMetadataSrcEdges}
+			hasMetadataArtEdges, hasMetadataSrcEdges, pointOfContactPkgVersionEdges, pointOfContactPkgNameEdges,
+			pointOfContactArtEdges, pointOfContactSrcEdges}
 
 		// create a graph
 		graph, err = db.CreateGraphV2(ctx, "guac", &options)