This library provides a toolkit for working with Guac from Rust. It can be used to query data through the Guac GraphQL API and to ingest data with collectors. It also contains a command-line interface (CLI) that exposes the query API and the collectors.
In order to use this library and the CLI, you need a running Guac instance (and preferably some data ingested into it). Following the Guac Docker Compose guide might be the easiest way to get started.
To install the CLI, run
cargo install --path=cli
from the root directory.
Once the CLI is installed, you can use it to query and ingest Guac data.
The following are examples of the query commands that the CLI (and thus the library as well) supports.
Returns the purls of all known dependencies of the provided purl.
$ guac query dependencies pkg:maven/io.vertx/[email protected]
[
"pkg:maven/io.vertx/[email protected]",
"pkg:maven/io.vertx/[email protected]",
"pkg:maven/io.vertx/[email protected]",
"pkg:maven/io.vertx/[email protected]"
]
Returns the purls of all known dependents of the provided purl.
$ guac query dependents pkg:maven/io.vertx/[email protected]
[
"pkg:maven/io.seedwing/[email protected]?type=jar",
"pkg:maven/io.quarkus.resteasy.reactive/[email protected]?type=jar",
"pkg:maven/io.quarkus/[email protected]?type=jar",
"pkg:maven/io.quarkus/[email protected]?type=jar",
"pkg:maven/io.smallrye.reactive/[email protected]?type=jar"
]
Returns a list of all known vulnerabilities for the provided purl.
$ guac query vulnerabilities pkg:rpm/redhat/[email protected]_6
[
{
"cve": "cve-2023-0286",
"ghsa": null,
"no_vuln": null,
"osv": null,
"packages": [
"pkg:rpm/redhat/[email protected]_6?arch=x86_64&epoch=1"
]
}
]
Returns a list of all known versions of the given package purl.
$ guac query packages pkg:maven/io.vertx/vertx-web
[
"pkg:maven/io.vertx/[email protected]?type=jar",
"pkg:maven/io.vertx/[email protected]?type=jar"
]
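The query commands above compose naturally into a transitive check: list the dependencies of a package, then ask Guac for the vulnerabilities of each one. The script below is an added example, not code from this project; it shells out to the `guac query` CLI as documented above and parses the JSON shapes shown, and the `fake_query` stand-in with its constructed purls and placeholder CVE id only exists so the logic can be exercised without a running Guac.

```python
"""Transitive vulnerability check built on `guac query dependencies` and `guac query vulnerabilities`."""
import json
import subprocess
from typing import Callable


def guac_query(kind: str, purl: str) -> list:
    """Run `guac query <kind> <purl>` (the CLI from this README) and parse its JSON output."""
    proc = subprocess.run(["guac", "query", kind, purl], check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def vuln_ids(record: dict) -> list[str]:
    """Collect the non-null identifiers (cve/ghsa/osv) from one vulnerability record.
    A record that only carries `no_vuln` is a scan result with no finding and yields nothing."""
    return [record[key] for key in ("cve", "ghsa", "osv") if record.get(key)]


def check_dependencies(root_purl: str,
                       query: Callable[[str, str], list] = guac_query) -> dict[str, list[str]]:
    """Query the dependencies of root_purl, then the vulnerabilities of each dependency.
    Returns only the dependencies with findings, mapped to their sorted vulnerability ids."""
    findings: dict[str, list[str]] = {}
    for dep in sorted(set(query("dependencies", root_purl))):
        ids = sorted({vid for rec in query("vulnerabilities", dep) for vid in vuln_ids(rec)})
        if ids:
            findings[dep] = ids
    return findings


# Constructed offline stand-in for the CLI: purls and the CVE id are placeholders, not real data.
FAKE_GUAC = {
    ("dependencies", "pkg:maven/example/app@1.0.0"): [
        "pkg:maven/example/lib-a@2.1.0", "pkg:maven/example/lib-b@0.9.3"],
    ("vulnerabilities", "pkg:maven/example/lib-a@2.1.0"): [
        {"cve": "cve-0000-0000", "ghsa": None, "no_vuln": None, "osv": None,
         "packages": ["pkg:maven/example/lib-a@2.1.0?type=jar"]}],
    ("vulnerabilities", "pkg:maven/example/lib-b@0.9.3"): [
        {"cve": None, "ghsa": None, "no_vuln": "NoVuln", "osv": None,
         "packages": ["pkg:maven/example/lib-b@0.9.3?type=jar"]}],
}


def fake_query(kind: str, purl: str) -> list:
    """Look up the constructed sample instead of invoking the CLI."""
    return FAKE_GUAC.get((kind, purl), [])


if __name__ == "__main__":
    # Swap fake_query for the default guac_query to run against a live Guac instance.
    print(json.dumps(check_dependencies("pkg:maven/example/app@1.0.0", query=fake_query), indent=2))
```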
The S3 collector is implemented as part of the Trustification project. For more documentation, see https://github.com/trustification/trustification/tree/main/exporter.
If you wish to run it locally with just the Bombastic/Vexination APIs in combination with Minio and Kafka, run
cd example/compose
docker-compose -f compose.yaml -f compose-trustification.yaml -f compose-guac.yaml up
Then you can run the collector with
RUST_LOG=debug cargo run --bin guac collect s3 --storage-bucket bombastic --devmode
Now you can ingest your SBOMs, for example
curl -X POST --json @example/seedwing-java-example.bom "http://localhost:8082/api/v1/sbom?id=my-sbom"
and use Guac to explore the data:
open http://localhost:8084
The file collector can currently ingest only individual files, for example
cargo run --bin guac collect file example/seedwing-java-example.bom
To refresh the GraphQL schema file (lib/src/graphql/schema.json) from a running Guac instance, install the GraphQL client CLI and introspect the schema:
cargo install graphql_client_cli --force
graphql-client introspect-schema http://localhost:8080/query > lib/src/graphql/schema.json