Included dep search

Signed-off-by: nathannaveen <[email protected]>
guacsec · Sep 3, 2024 · 0e10d8f · 0e10d8f
1 parent 4f8610f
commit 0e10d8f
Show file tree

Hide file tree

Showing 8 changed files with 222 additions and 48 deletions.
diff --git a/pkg/guacrest/client/client.go b/pkg/guacrest/client/client.go
diff --git a/pkg/guacrest/client/models.go b/pkg/guacrest/client/models.go
diff --git a/pkg/guacrest/generated/models.go b/pkg/guacrest/generated/models.go
diff --git a/pkg/guacrest/generated/server.go b/pkg/guacrest/generated/server.go
diff --git a/pkg/guacrest/generated/spec.go b/pkg/guacrest/generated/spec.go
diff --git a/pkg/guacrest/helpers/getPackageInfo.go b/pkg/guacrest/helpers/getPackageInfo.go
@@ -9,10 +9,15 @@ import (
 	"github.com/guacsec/guac/pkg/logging"
 )
 
-func GetInfoForPackage(ctx context.Context, gqlClient graphql.Client, pkgInput *model.PkgInputSpec, shouldSearchVulns *bool) (*gen.PackageInfoResponseJSONResponse, error) {
+type QueryType struct {
+	Vulns        *bool
+	Dependencies *bool
+	Licenses     *bool
+}
+
+func GetInfoForPackage(ctx context.Context, gqlClient graphql.Client, pkgInput *model.PkgInputSpec, shouldQuery QueryType) (*gen.PackageInfoResponseJSONResponse, error) {
 	logger := logging.FromContext(ctx)
-	var purls []string
-	var vulnerabilities []gen.Vulnerability
+	response := gen.PackageInfoResponseJSONResponse{}
 
 	pkgSpec := model.PkgSpec{
 		Type: &pkgInput.Type,
@@ -34,6 +39,8 @@ func GetInfoForPackage(ctx context.Context, gqlClient graphql.Client, pkgInput *
 		return nil, err
 	}
 
+	var purls []string
+
 	for _, pkg := range pkgs.Packages {
 		for _, namespace := range pkg.Namespaces {
 			for _, n := range namespace.Names {
@@ -44,10 +51,66 @@ func GetInfoForPackage(ctx context.Context, gqlClient graphql.Client, pkgInput *
 		}
 	}
 
-	if shouldSearchVulns != nil && *shouldSearchVulns {
+	response.Packages = purls
+
+	if shouldQuery.Vulns != nil && *shouldQuery.Vulns {
 		logger.Infof("Searching for vulnerabilities in package %s", pkgInput.Name)
+		vulnerabilities, err := searchAttachedVulns(ctx, gqlClient, pkgSpec)
+		if err != nil {
+			return nil, err
+		}
+		response.Vulnerabilities = &vulnerabilities
+	}
+	if shouldQuery.Dependencies != nil && *shouldQuery.Dependencies {
+		logger.Infof("Searching for dependencies in package %s", pkgInput.Name)
+
+		var dependencies []gen.PackageInfo
+
+		deps, err := searchDependencies(ctx, gqlClient, pkgSpec)
+		if err != nil {
+			return nil, err
+		}
+		for _, purl := range deps {
+			dependencies = append(dependencies, purl)
+		}
+		response.Dependencies = &dependencies
+	}
+
+	return &response, nil
+}
+
+// searchAttachedVulns searches for vulnerabilities associated with the given package
+// and its dependencies via a BFS.
+//
+// Parameters:
+// - ctx: The context for the operation
+// - gqlClient: The GraphQL client used for querying
+// - pkgSpec: The package specification to start the search from
+//
+// Returns:
+// - A slice of Vulnerability objects containing the found vulnerabilities
+// - An error
+//
+// The function performs a breadth-first search starting from the given package,
+// collecting vulnerabilities for each package and its dependencies.
+func searchAttachedVulns(ctx context.Context, gqlClient graphql.Client, pkgSpec model.PkgSpec) ([]gen.Vulnerability, error) {
+	logger := logging.FromContext(ctx)
+	var vulnerabilities []gen.Vulnerability
+
+	pkgs, err := searchDependencies(ctx, gqlClient, pkgSpec)
+	if err != nil {
+		return nil, fmt.Errorf("error searching dependencies: %w", err)
+	}
+
+	for pkg, purl := range pkgs {
+		logger.Infof("package: %+v, purl: %s", pkg, purl)
+	}
+
+	for pkg := range pkgs {
 		vulns, err := model.CertifyVuln(ctx, gqlClient, model.CertifyVulnSpec{
-			Package: &pkgSpec,
+			Package: &model.PkgSpec{
+				Id: &pkg,
+			},
 		})
 		if err != nil {
 			return nil, fmt.Errorf("error fetching vulnerabilities from package spec: %w", err)
@@ -85,10 +148,49 @@ func GetInfoForPackage(ctx context.Context, gqlClient graphql.Client, pkgInput *
 		}
 	}
 
-	response := gen.PackageInfoResponseJSONResponse{
-		Packages:        &purls,
-		Vulnerabilities: &vulnerabilities,
+	return vulnerabilities, nil
+}
+
+func searchDependencies(ctx context.Context, gqlClient graphql.Client, pkgSpec model.PkgSpec) (map[string]string, error) {
+	dependencies := make(map[string]string)
+
+	pkgs, err := model.Packages(ctx, gqlClient, pkgSpec)
+	if err != nil {
+		return nil, fmt.Errorf("error searching packages: %w", err)
 	}
 
-	return &response, nil
+	for _, pkg := range pkgs.Packages {
+		dependencies[pkg.Namespaces[0].Names[0].Versions[0].Id] = pkg.Namespaces[0].Names[0].Versions[0].Purl
+	}
+
+	queue := []model.PkgSpec{pkgSpec}
+
+	for len(queue) > 0 {
+		pop := queue[0]
+		queue = queue[1:]
+
+		hasSboms, err := model.HasSBOMs(ctx, gqlClient, model.HasSBOMSpec{
+			Subject: &model.PackageOrArtifactSpec{
+				Package: &pop,
+			},
+		})
+
+		//isDeps, err := model.Dependencies(ctx, gqlClient, model.IsDependencySpec{
+		//	DependencyPackage: &pop,
+		//})
+		if err != nil {
+			return nil, fmt.Errorf("error fetching hasSboms from package spec %+v: %w", pop, err)
+		}
+
+		for _, hasSbom := range hasSboms.HasSBOM {
+			for _, dep := range hasSbom.IncludedDependencies {
+				dependencies[dep.Package.Namespaces[0].Names[0].Versions[0].Id] = dep.Package.Namespaces[0].Names[0].Versions[0].Purl
+				queue = append(queue, model.PkgSpec{
+					Id: &dep.Package.Namespaces[0].Names[0].Versions[0].Id,
+				})
+			}
+		}
+	}
+
+	return dependencies, nil
 }