Search REST via Purl

[nathannaveen]

Description of the PR

• This is the start of work on [feature] Add ability to fetch info related to a purl and similar identifiers in the REST api as well as aggregations on subsets of the identifiers #1734

  • Currently there are two different types of queries, search via "vulns" or "dependencies".
  • This PR will be replacing Find Latest SBOM for a Package or Artifact #2064. This PR has its own changes, but also covers the concepts defined in [feature] Questions regarding adding REST Endpoints for Vulnerability and Legal info in an SBOM #2058 (comment).

• Here are some design decisions:

  • This searches via Purl and Artifact.
  • The purl or artifact is passed in via the path (i.e. http://localhost:8081/v1/package/pkg%3Agolang%2Ftest-namespace-1%2Ftest-name-1), while the queries like vulns or dependencies are being passed in as parameters (i.e. http://localhost:8081/v1/package/pkg%3Agolang%2Ftest-namespace-1%2Ftest-name-1?vulns=true) The purl or digest is passed in via the path along with the queries. For example v1/package/pkg%3Agolang%2Ftest-namespace-1%2Ftest-name-1/vulns or v1/package/pkg%3Agolang%2Ftest-namespace-1%2Ftest-name-1/dependencies.
  • The purl or artifact that is being passed in the path has to be URL encoded because the http endpoint doesn't handle slashes properly.
  • If the latestSbom parameter is passed in, then when doing the vulnerability and dependency queries the code will only search for them in the latest SBOM. The latestSbom will be added in another PR.

PR Checklist

• All commits have a Developer Certificate of Origin (DCO) -- they are generated using -s flag to git commit.
• All new changes are covered by tests
• If GraphQL schema is changed, make generate has been run
• If GraphQL schema is changed, GraphQL client updates/additions have been made
• If OpenAPI spec is changed, make generate has been run
• If ent schema is changed, make generate has been run
• If collectsub protobuf has been changed, make proto has been run
• All CI checks are passing (tests and formatting)
• All dependent PRs have already been merged

[funnelfiasco]

while the queries like vulns or dependencies are being passed in as parameters (i.e. http://localhost:8081/v1/package/pkg%3Agolang%2Ftest-namespace-1%2Ftest-name-1?vulns=true)

I think it would be better from a usability point of view (assuming the initial way people interact with this will be manually creating the search with curl on in a browser) to have something like query=vulns instead of vulns=true, unless we expect to support querying multiple aspects in a single call (thus vulns=true&deps=true), but even then I think something like query=vulns,deps would be better. Is this something you considered and if not, does it make the implementation or maintainability more difficult?

[nathannaveen]

@funnelfiasco thank you for your input! I think this is a great idea! I never thought about passing all of the flags as a single query parameter. So, now our endpoint will look similar to: http://localhost:8081/v1/package/pkg%3Agolang%2Ftest-namespace-1%2Ftest-name-1?query=vulns,dependencies