Add License and CertifyLegal to Arango backend. (guacsec#1349)

* Add License and CertifyLegal to Arango backend. Signed-off-by: Jeff Mendoza <[email protected]> * Legal testdata to common package Signed-off-by: Jeff Mendoza <[email protected]> * Fix errors after merging with main. Signed-off-by: Jeff Mendoza <[email protected]> --------- Signed-off-by: Jeff Mendoza <[email protected]>
nathannaveen · Oct 5, 2023 · 2c19f25 · 2c19f25
1 parent a3299ca
commit 2c19f25
Show file tree

Hide file tree

Showing 9 changed files with 2,313 additions and 190 deletions.
diff --git a/internal/testing/testdata/models.go b/internal/testing/testdata/models.go
@@ -23,6 +23,8 @@ import (
 )
 
 var T1, _ = time.Parse(time.RFC3339, "2023-01-01T00:00:00Z")
+var T2 = time.Unix(1e9, 0)
+var T3 = time.Unix(1e9+5, 0)
 
 var A1 = &model.ArtifactInputSpec{
 	Algorithm: "sha256",
@@ -399,3 +401,45 @@ var NoVulnInput = &model.VulnerabilityInputSpec{
 var NoVulnOut = &model.VulnerabilityID{
 	VulnerabilityID: "",
 }
+
+var L1 = &model.LicenseInputSpec{
+	Name:        "BSD-3-Clause",
+	ListVersion: ptrfrom.String("3.21 2023-06-18"),
+}
+var L1out = &model.License{
+	Name:        "BSD-3-Clause",
+	ListVersion: ptrfrom.String("3.21 2023-06-18"),
+}
+var L2 = &model.LicenseInputSpec{
+	Name:        "GPL-2.0-or-later",
+	ListVersion: ptrfrom.String("3.21 2023-06-18"),
+}
+var L2out = &model.License{
+	Name:        "GPL-2.0-or-later",
+	ListVersion: ptrfrom.String("3.21 2023-06-18"),
+}
+var L3 = &model.LicenseInputSpec{
+	Name:        "MPL-2.0",
+	ListVersion: ptrfrom.String("1.23 2020"),
+}
+var L3out = &model.License{
+	Name:        "MPL-2.0",
+	ListVersion: ptrfrom.String("1.23 2020"),
+}
+
+var InlineLicense = `
+Redistribution and use of the MAME code or any derivative works are permitted provided that the following conditions are met:
+* Redistributions may not be sold, nor may they be used in a commercial product or activity.
+* Redistributions that are modified from the original source must include the complete source code, including the source code for all components used by a binary built from the modified sources. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.
+* Redistributions must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+`
+
+var L4 = &model.LicenseInputSpec{
+	Name:   "LicenseRef-d58b4101",
+	Inline: &InlineLicense,
+}
+var L4out = &model.License{
+	Name:   "LicenseRef-d58b4101",
+	Inline: &InlineLicense,
+}
diff --git a/pkg/assembler/backends/arangodb/backend.go b/pkg/assembler/backends/arangodb/backend.go
@@ -27,7 +27,6 @@ import (
 	arangodbdriverhttp "github.com/arangodb/go-driver/http"
 	"github.com/guacsec/guac/internal/testing/ptrfrom"
 	"github.com/guacsec/guac/pkg/assembler/backends"
-	"github.com/guacsec/guac/pkg/assembler/graphql/model"
 )
 
 const (
@@ -72,6 +71,10 @@ const (
 	vulnHasVulnerabilityIDStr string = "vulnHasVulnerabilityID"
 	vulnerabilitiesStr        string = "vulnerabilities"
 
+	// license collection
+
+	licensesStr string = "licenses"
+
 	// isDependency collections
 
 	isDependencyDepPkgVersionEdgesStr string = "isDependencyDepPkgVersionEdges"
@@ -178,6 +181,14 @@ const (
 	certifyGoodSrcEdgesStr        string = "certifyGoodSrcEdges"
 	certifyGoodArtEdgesStr        string = "certifyGoodArtEdges"
 	certifyGoodsStr               string = "certifyGoods"
+
+	// certifyLegal collection
+
+	certifyLegalPkgEdgesStr                string = "certifyLegalPkgEdges"
+	certifyLegalSrcEdgesStr                string = "certifyLegalSrcEdges"
+	certifyLegalDeclaredLicensesEdgesStr   string = "certifyLegalDeclaredLicensesEdges"
+	certifyLegalDiscoveredLicensesEdgesStr string = "certifyLegalDiscoveredLicensesEdges"
+	certifyLegalsStr                       string = "certifyLegals"
 )
 
 type ArangoConfig struct {
@@ -555,6 +566,27 @@ func getBackend(ctx context.Context, args backends.BackendArgs) (backends.Backen
 		certifyGoodSrcEdges.From = []string{srcNamesStr}
 		certifyGoodSrcEdges.To = []string{certifyGoodsStr}
 
+		// setup certifyLegal collections
+		var certifyLegalPkgEdges driver.EdgeDefinition
+		certifyLegalPkgEdges.Collection = certifyLegalPkgEdgesStr
+		certifyLegalPkgEdges.From = []string{pkgVersionsStr}
+		certifyLegalPkgEdges.To = []string{certifyLegalsStr}
+
+		var certifyLegalSrcEdges driver.EdgeDefinition
+		certifyLegalSrcEdges.Collection = certifyLegalSrcEdgesStr
+		certifyLegalSrcEdges.From = []string{srcNamesStr}
+		certifyLegalSrcEdges.To = []string{certifyLegalsStr}
+
+		var certifyLegalDeclaredLicensesEdges driver.EdgeDefinition
+		certifyLegalDeclaredLicensesEdges.Collection = certifyLegalDeclaredLicensesEdgesStr
+		certifyLegalDeclaredLicensesEdges.From = []string{certifyLegalsStr}
+		certifyLegalDeclaredLicensesEdges.To = []string{licensesStr}
+
+		var certifyLegalDiscoveredLicensesEdges driver.EdgeDefinition
+		certifyLegalDiscoveredLicensesEdges.Collection = certifyLegalDiscoveredLicensesEdgesStr
+		certifyLegalDiscoveredLicensesEdges.From = []string{certifyLegalsStr}
+		certifyLegalDiscoveredLicensesEdges.To = []string{licensesStr}
+
 		// A graph can contain additional vertex collections, defined in the set of orphan collections
 		var options driver.CreateGraphOptions
 		options.EdgeDefinitions = []driver.EdgeDefinition{pkgHasNamespace, pkgHasName,
@@ -566,7 +598,8 @@ func getBackend(ctx context.Context, args backends.BackendArgs) (backends.Backen
 			certifyVexPkgEdges, certifyVexArtEdges, certifyVexVulnEdges, vulnMetadataEdges, vulnEqualVulnEdges, vulnEqualSubjectVulnEdges,
 			pkgEqualPkgEdges, pkgEqualSubjectPkgEdges, hasMetadataPkgVersionEdges, hasMetadataPkgNameEdges,
 			hasMetadataArtEdges, hasMetadataSrcEdges, pointOfContactPkgVersionEdges, pointOfContactPkgNameEdges,
-			pointOfContactArtEdges, pointOfContactSrcEdges, hasSourceAtEdges, hasSourceAtPkgVersionEdges, hasSourceAtPkgNameEdges}
+			pointOfContactArtEdges, pointOfContactSrcEdges, hasSourceAtEdges, hasSourceAtPkgVersionEdges, hasSourceAtPkgNameEdges,
+			certifyLegalPkgEdges, certifyLegalSrcEdges, certifyLegalDeclaredLicensesEdges, certifyLegalDiscoveredLicensesEdges}
 
 		// create a graph
 		graph, err = db.CreateGraphV2(ctx, "guac", &options)
@@ -597,6 +630,10 @@ func getBackend(ctx context.Context, args backends.BackendArgs) (backends.Backen
 			return nil, fmt.Errorf("failed to generate index for vulnerabilities: %w", err)
 		}
 
+		if err := createIndexPerCollection(ctx, db, licensesStr, []string{"name", "inline", "listversion"}, true, "byNameInlineListVer"); err != nil {
+			return nil, fmt.Errorf("failed to generate index for licenses: %w", err)
+		}
+
 		if err := createIndexPerCollection(ctx, db, hashEqualsStr, []string{"artifactID", "equalArtifactID", "justification"}, true, "byArtIDEqualArtIDJust"); err != nil {
 			return nil, fmt.Errorf("failed to generate index for hashEquals: %w", err)
 		}
@@ -912,25 +949,6 @@ func getPreloadString(prefix, name string) string {
 	return name
 }
 
-func (c *arangoClient) Licenses(ctx context.Context, licenseSpec *model.LicenseSpec) ([]*model.License, error) {
-	panic(fmt.Errorf("not implemented: Licenses"))
-}
-func (c *arangoClient) IngestLicense(ctx context.Context, license *model.LicenseInputSpec) (*model.License, error) {
-	panic(fmt.Errorf("not implemented: IngestLicense"))
-}
-func (c *arangoClient) IngestLicenses(ctx context.Context, licenses []*model.LicenseInputSpec) ([]*model.License, error) {
-	panic(fmt.Errorf("not implemented: IngestLicenses"))
-}
-func (c *arangoClient) CertifyLegal(ctx context.Context, certifyLegalSpec *model.CertifyLegalSpec) ([]*model.CertifyLegal, error) {
-	panic(fmt.Errorf("not implemented: CertifyLegal"))
-}
-func (c *arangoClient) IngestCertifyLegal(ctx context.Context, subject model.PackageOrSourceInput, declaredLicenses []*model.LicenseInputSpec, discoveredLicenses []*model.LicenseInputSpec, certifyLegal *model.CertifyLegalInputSpec) (*model.CertifyLegal, error) {
-	panic(fmt.Errorf("not implemented: IngestCertifyLegal"))
-}
-func (c *arangoClient) IngestCertifyLegals(ctx context.Context, subjects model.PackageOrSourceInputs, declaredLicensesList [][]*model.LicenseInputSpec, discoveredLicensesList [][]*model.LicenseInputSpec, certifyLegals []*model.CertifyLegalInputSpec) ([]*model.CertifyLegal, error) {
-	panic(fmt.Errorf("not implemented: IngestCertifyLegals"))
-}
-
 func ptrfromArangoSearchNGramStreamType(s driver.ArangoSearchNGramStreamType) *driver.ArangoSearchNGramStreamType {
 	return &s
 }
diff --git a/pkg/assembler/backends/arangodb/certifyBad.go b/pkg/assembler/backends/arangodb/certifyBad.go
@@ -915,8 +915,8 @@ func getCertifyBadFromCursor(ctx context.Context, cursor driver.Cursor) ([]*mode
 		certifyBad := &model.CertifyBad{
 			ID:            createdValue.CertifyBadID,
 			Justification: createdValue.Justification,
-			Origin:        createdValue.Collector,
-			Collector:     createdValue.Origin,
+			Origin:        createdValue.Origin,
+			Collector:     createdValue.Collector,
 		}
 
 		if pkg != nil {