Work towards new API from ADR 00002-analysis-graph #1217
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ctron
force-pushed
the
feature/adr_api_2
branch
from
3bfd817 to
72596aa
Compare
JimFuller-RedHat
force-pushed
the
feature/adr_api_2
branch
3 times, most recently
from
56d0bc2 to
103bc7e
Compare
ctron
force-pushed
the
feature/adr_api_2
branch
from
9d1912e to
106e45d
Compare
ctron
force-pushed
the
feature/adr_api_2
branch
from
63f5663 to
e07c4f0
Compare
ctron
force-pushed
the
feature/adr_api_2
branch
from
082556d to
5d46cb0
Compare
JimFuller-RedHat
approved these changes
Feb 3, 2025
ctron
force-pushed
the
feature/adr_api_2
branch
3 times, most recently
from
f88ec5f to
78663c8
Compare
Co-authored-by: Jens Reimann <[email protected]>
Co-authored-by: JimFuller-RedHat <[email protected]>
Dropping old code in the process, which was only used for a single test case anyway, which was broken.
For "describes", it actually is the document describing the package.
Also, use constants instead of magic numbers.
ctron
force-pushed
the
feature/adr_api_2
branch
from
78663c8 to
679a272
Compare
|
I rewrote a few commits to bring down the number. But I think the remaining ones make sense. Alternatively, we squash them all. Which I think makes less sense. |
|
@carlosthe19916 there will be some API changes with the PR. Might have an impact on the UI. |
JimFuller-RedHat
changed the title
Just to confirm there was no impact on the UI |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is a rather large set of changes ... mostly related to implementing recommendations from docs/adrs/00002-analysis-graph
Where we normalise all directional relationships from
graph TD PackageA -->|CONTAINS| PackageOther PackageD -->|CONTAINED_BY| PackageA PackageA -->|DEPENDS_ON| PackageB PackageB -->|DEPENDENCY_OF| PackageA SBOMDOC1 -->|DESCRIBES| PackageA UpstreamComponent -->|ANCESTOR_OF| PackageA image.arch1 -->|VARIANT_OF| ImageIndex1 image.arch2 -->|VARIANT_OF| ImageIndex1 SBOMDOC2 -->|DESCRIBES| ImageIndex1 SBOMDOC3 -->|DESCRIBES| srpm_component binarycomponent1 -->|GENERATED_FROM| srpm_component binarycomponent2 -->|GENERATED_FROM| srpm_componentThat is in our internal model we will only have one form of the relationship (ex. Describes instead of DescribedBy, Variants instead of VariantOf) resulting in all relationships pointing 'downward' in a directed DAG.
graph TD SBOMDOC1 -->|DESCRIBES| PackageA PackageA -->|CONTAINS| PackageOther PackageA -->|CONTAINS| PackageD PackageA -->|DEPENDS| PackageB SBOMDOC2 -->|DESCRIBES| ImageIndex1 UpstreamComponent -->|ANCESTOR_OF| PackageA ImageIndex1 -->|VARIANTS| image.arch1 ImageIndex1 -->|VARIANTS| image.arch2 SBOMDOC3 -->|DESCRIBES| srpm_component srpm_component -->|GENERATES| binarycomponent1 srpm_component -->|GENERATES| binarycomponent2This normalisation to a single downward direction makes the resultant conceptual model easier to understand, easier to query and will be easier to maintain.
api/v2/analysis/root-componentandapi/v2/analysis/depsendpointsapi/v2/analysis/componentendpointExample of new graph analysis /component/ endpoint where we
{ "items": [ { "sbom_id": "0194cbea-a290-7343-855f-00db9f86a1c2", "node_id": "SPDXRef-02e69ad2-f243-4b2e-a3ca-c632629c45a9", "purl": [ "pkg:rpm/redhat/[email protected]_9.1?arch=ppc64" ], "cpe": [], "name": "curl", "version": "curl-7.29.0-59.el7_9.1.ppc64", "published": "2023-09-05 21:08:00+00", "document_id": "https://access.redhat.com/security/data/sbom/beta/spdx/rhel-7.9.z-c98403ce-5e02-4278-98ec-b36ecd1f46a5", "product_name": "rhel-7.9.z", "product_version": "7.9.z", "ancestors": [ { "sbom_id": "0194cbea-a290-7343-855f-00db9f86a1c2", "node_id": "SPDXRef-19609913-9f13-40f8-b5ec-429271a17d6b", "purl": [ "pkg:rpm/redhat/[email protected]_9.1?arch=src" ], "cpe": [], "name": "curl", "version": "curl-7.29.0-59.el7_9.1.src", "published": "2023-09-05 21:08:00+00", "document_id": "https://access.redhat.com/security/data/sbom/beta/spdx/rhel-7.9.z-c98403ce-5e02-4278-98ec-b36ecd1f46a5", "product_name": "rhel-7.9.z", "product_version": "7.9.z", "relationship": "contains", "ancestors": [ { "sbom_id": "0194cbea-a290-7343-855f-00db9f86a1c2", "node_id": "SPDXRef-c98403ce-5e02-4278-98ec-b36ecd1f46a5", "purl": [], "cpe": [ "cpe:/o:redhat:enterprise_linux:7:*:server:*", "cpe:/o:redhat:enterprise_linux:7:*:computenode:*", "cpe:/a:redhat:rhel_extras_other:7:*:*:*", "cpe:/a:redhat:rhel_extras_rt:7:*:*:*", "cpe:/a:redhat:rhel_extras:7:*:*:*", "cpe:/a:redhat:rhel_extras_sap_hana:7:*:*:*", "cpe:/o:redhat:enterprise_linux:7:*:workstation:*", "cpe:/a:redhat:rhel_extras_sap:7:*:*:*", "cpe:/a:redhat:enterprise_linux:7:*:*:*", "cpe:/o:redhat:enterprise_linux:7:*:client:*" ], "name": "rhel-7.9.z", "version": "7.9.z", "published": "2023-09-05 21:08:00+00", "document_id": "https://access.redhat.com/security/data/sbom/beta/spdx/rhel-7.9.z-c98403ce-5e02-4278-98ec-b36ecd1f46a5", "product_name": "rhel-7.9.z", "product_version": "7.9.z", "relationship": "package", "ancestors": [ { "sbom_id": "0194cbea-a290-7343-855f-00db9f86a1c2", "node_id": "SPDXRef-DOCUMENT", "purl": [], "cpe": [], "name": "rhel-7.9.z", "version": "", "published": "2023-09-05 21:08:00+00", "document_id": "https://access.redhat.com/security/data/sbom/beta/spdx/rhel-7.9.z-c98403ce-5e02-4278-98ec-b36ecd1f46a5", "product_name": "rhel-7.9.z", "product_version": "7.9.z", "relationship": "describes", "ancestors": [] } ] } ] } ] }, ... elided ...Where the nested ancestors show provenance from matched component all the way up to SPDX document describing:
Similarly It is possible to get descendants of a matched component:
Or even both
Where url params
ancestorsanddescendantscontrol processing depth.Closes: ##1202, 1203