-
Notifications
You must be signed in to change notification settings - Fork 19
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
implement implement /api/v1/analysis/root-component, add get_purl pg …
…func, loadgrap and rwlocked hashmap<petgraph>
- Loading branch information
1 parent
48605ee
commit c584c01
Showing
30 changed files
with
2,990 additions
and
23 deletions.
There are no files selected for viewing
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -4,7 +4,7 @@ Date: 2024-08-26 | |
|
||
## Status | ||
|
||
Draft | ||
Accepted | ||
|
||
## Context | ||
|
||
|
@@ -44,12 +44,15 @@ This roughly translates to: | |
|
||
## Process flow | ||
|
||
Graphs will be loaded 'lazily' eg. when they are requested. | ||
Graphs will be loaded 'lazily' eg. when they are requested: | ||
|
||
1) retrieve list of _latest_ unique sbom ids searched by like or exact name. | ||
2) Using unique sbom ids, filter query package_relates_to_package (resolving left and right ID purl strings) | ||
3) load into write locked hashmap<petgraph>, where the key is the sbom_id | ||
|
||
We can easily 'prime' the loading of graphs either by programmatically invoking service load_graphs() (from say importing and ingesting an sbom) or | ||
indirectly by running a series of HTTP requests. | ||
|
||
Once a graph is loaded then query is | ||
1) retrieve list of _latest_ unique sbom ids searched by like or exact name. | ||
2) read only access on hashmap<petgraph>, looping through petgraphs performing ancestor node search | ||
|
@@ -78,32 +81,133 @@ HTTP GET api/v1/analysis/root-component/{component-purl} | |
|
||
all of the above should return paginated lists: | ||
|
||
``` | ||
```json | ||
{"total" : 2, | ||
"items" : [ | ||
{ | ||
"items": [ | ||
{ | ||
"purl": "pkg://rpm/redhat/[email protected]?arch=x86_64", | ||
"name": "libproxy-webkitgtk4", | ||
"published": "2024-07-30 19:22:06+00", | ||
"document_id": "https://access.redhat.com/security/data/sbom/spdx/MTA-6.2.Z", | ||
"product_name": "MTA-6.2.Z", | ||
"product_version": "6.2.z", | ||
"ancestors":[ .... ] | ||
"sbom_id": "0191d750-49a2-72b2-bf1a-f7c6ae792518", | ||
"node_id": "SPDXRef-3d373f74-e7e5-4c41-90d9-b29d5a7e2312", | ||
"purl": "pkg://oci/sandboxed-containers-operator-bundle@sha256:ff2bb666c2696fed365df55de78141a02e372044647b8031e6d06e7583478af4?arch=x86_64&repository_url=registry.redhat.io/openshift/sandboxed-containers-operator-bundle&tag=1.2.0-24", | ||
"name": "sandboxed-containers-operator-bundle", | ||
"published": "2024-08-06 05:28:39+00", | ||
"document_id": "https://access.redhat.com/security/data/sbom/spdx/OSE-OSC-1.2.0-RHEL-8", | ||
"product_name": "OSE-OSC-1.2.0-RHEL-8", | ||
"product_version": "1-2", | ||
"ancestors": [ | ||
{ | ||
"sbom_id": "0191d750-49a2-72b2-bf1a-f7c6ae792518", | ||
"node_id": "SPDXRef-440459d0-4240-4ac9-844f-2fd6b3d37429", | ||
"purl": "pkg://oci/sandboxed-containers-operator-bundle@sha256:782313f2b91c115191593b8b63e10f5e30cf87f6c2d15618d6bfa359f51de947?repository_url=registry.redhat.io/openshift/sandboxed-containers-operator-bundle&tag=1.2.0-24", | ||
"name": "sandboxed-containers-operator-bundle" | ||
} | ||
] | ||
}, | ||
{ | ||
"purl":"...", | ||
"name":"...", | ||
"published":"...", | ||
"product_name":"...", | ||
"product_version":"...", | ||
"ancestors":[...] | ||
} ... | ||
] | ||
"sbom_id": "0191d750-49a2-72b2-bf1a-f7c6ae792518", | ||
"node_id": "SPDXRef-440459d0-4240-4ac9-844f-2fd6b3d37429", | ||
"purl": "pkg://oci/sandboxed-containers-operator-bundle@sha256:782313f2b91c115191593b8b63e10f5e30cf87f6c2d15618d6bfa359f51de947?repository_url=registry.redhat.io/openshift/sandboxed-containers-operator-bundle&tag=1.2.0-24", | ||
"name": "sandboxed-containers-operator-bundle", | ||
"published": "2024-08-06 05:28:39+00", | ||
"document_id": "https://access.redhat.com/security/data/sbom/spdx/OSE-OSC-1.2.0-RHEL-8", | ||
"product_name": "OSE-OSC-1.2.0-RHEL-8", | ||
"product_version": "1-2", | ||
"ancestors": [] | ||
}, | ||
.... | ||
] | ||
} | ||
``` | ||
|
||
where ancestors contain purl, name, published and document_id which answers our questions. | ||
|
||
**Retrieve a component(s) dependencies** | ||
HTTP GET api/v1/analysis/dep?q={} | ||
HTTP GET api/v1/analysis/dep/{component-name} | ||
HTTP GET api/v1/analysis/dep/{component-purl} | ||
|
||
```json | ||
{ | ||
"items": [ | ||
{ | ||
"sbom_id": "0191d750-49a2-72b2-bf1a-f7c6ae792518", | ||
"node_id": "SPDXRef-3d373f74-e7e5-4c41-90d9-b29d5a7e2312", | ||
"purl": "pkg://oci/sandboxed-containers-operator-bundle@sha256:ff2bb666c2696fed365df55de78141a02e372044647b8031e6d06e7583478af4?arch=x86_64&repository_url=registry.redhat.io/openshift/sandboxed-containers-operator-bundle&tag=1.2.0-24", | ||
"name": "sandboxed-containers-operator-bundle", | ||
"published": "2024-08-06 05:28:39+00", | ||
"document_id": "https://access.redhat.com/security/data/sbom/spdx/OSE-OSC-1.2.0-RHEL-8", | ||
"product_name": "OSE-OSC-1.2.0-RHEL-8", | ||
"product_version": "1-2", | ||
"deps": [] | ||
}, | ||
{ | ||
"sbom_id": "0191d750-49a2-72b2-bf1a-f7c6ae792518", | ||
"node_id": "SPDXRef-440459d0-4240-4ac9-844f-2fd6b3d37429", | ||
"purl": "pkg://oci/sandboxed-containers-operator-bundle@sha256:782313f2b91c115191593b8b63e10f5e30cf87f6c2d15618d6bfa359f51de947?repository_url=registry.redhat.io/openshift/sandboxed-containers-operator-bundle&tag=1.2.0-24", | ||
"name": "sandboxed-containers-operator-bundle", | ||
"published": "2024-08-06 05:28:39+00", | ||
"document_id": "https://access.redhat.com/security/data/sbom/spdx/OSE-OSC-1.2.0-RHEL-8", | ||
"product_name": "OSE-OSC-1.2.0-RHEL-8", | ||
"product_version": "1-2", | ||
"deps": [ | ||
{ | ||
"sbom_id": "0191d750-49a2-72b2-bf1a-f7c6ae792518", | ||
"node_id": "SPDXRef-3d373f74-e7e5-4c41-90d9-b29d5a7e2312", | ||
"purl": "pkg://oci/sandboxed-containers-operator-bundle@sha256:ff2bb666c2696fed365df55de78141a02e372044647b8031e6d06e7583478af4?arch=x86_64&repository_url=registry.redhat.io/openshift/sandboxed-containers-operator-bundle&tag=1.2.0-24", | ||
"name": "sandboxed-containers-operator-bundle", | ||
"deps": [] | ||
} | ||
] | ||
}, | ||
{ | ||
"sbom_id": "0191d750-49a2-72b2-bf1a-f7c6ae792518", | ||
"node_id": "SPDXRef-6447af1f-4faa-481a-a1e6-90ecbb6ab631", | ||
"purl": "pkg://github/openshift/sandboxed-containers-operator@9b5eef5d49a967ba3240f01a2cb4476c44f1f66e", | ||
"name": "sandboxed-containers-operator", | ||
"published": "2024-08-06 05:28:39+00", | ||
"document_id": "https://access.redhat.com/security/data/sbom/spdx/OSE-OSC-1.2.0-RHEL-8", | ||
"product_name": "OSE-OSC-1.2.0-RHEL-8", | ||
"product_version": "1-2", | ||
"deps": [ | ||
{ | ||
"sbom_id": "0191d750-49a2-72b2-bf1a-f7c6ae792518", | ||
"node_id": "SPDXRef-0b155bf3-15cc-4353-9e47-58b722ed067e", | ||
"purl": "pkg://oci/osc-must-gather-container@sha256:97c02ff2227bb56c2edeb37f674db11ebd0a5ab63897b64e852d7db11163e1ba?repository_url=registry.redhat.io/openshift-sandboxed-containers-operator-must-gather&tag=1.2.0-11.1655140658", | ||
"name": "osc-must-gather-container", | ||
"deps": [ | ||
{ | ||
"sbom_id": "0191d750-49a2-72b2-bf1a-f7c6ae792518", | ||
"node_id": "SPDXRef-ff914a27-712b-4e23-8074-f530f0fa2eca", | ||
"purl": "pkg://golang/github.com/pmezard/[email protected]", | ||
"name": "go-difflib", | ||
"deps": [] | ||
}, | ||
{ | ||
"sbom_id": "0191d750-49a2-72b2-bf1a-f7c6ae792518", | ||
"node_id": "SPDXRef-ff198394-86b5-4cf5-a58f-da0ef9b516e3", | ||
"purl": "pkg://golang/k8s.io/api/admissionregistration/[email protected]", | ||
"name": "v1", | ||
"deps": [] | ||
}, | ||
{ | ||
"sbom_id": "0191d750-49a2-72b2-bf1a-f7c6ae792518", | ||
"node_id": "SPDXRef-ff086cd5-146b-442f-85a7-2a1c84767ab9", | ||
"purl": "pkg://rpm/redhat/[email protected]?arch=noarch", | ||
"name": "crypto-policies", | ||
"deps": [] | ||
}, | ||
{ | ||
"sbom_id": "0191d750-49a2-72b2-bf1a-f7c6ae792518", | ||
"node_id": "SPDXRef-fe93b41a-ebab-48b5-813b-60307b4a711d", | ||
"purl": "pkg://rpm/redhat/[email protected]?arch=x86_64", | ||
"name": "openldap", | ||
"deps": [] | ||
}, | ||
... | ||
] | ||
} | ||
``` | ||
|
||
## Alternative approaches | ||
|
||
We could query existing package_relates_to_package to resolve relationships though previous attempts with a pure SQL based | ||
|
@@ -134,9 +238,16 @@ We are mostly interested in answering these questions in the current context whi | |
relationships as defined in latest version of SBOMs. Answering this question in a historical context is out of scope (possible | ||
but much more complicated). | ||
|
||
Performance is limited by the fact we bespoke build a graph for each query ... we should optimise this approach by having | ||
a graph always available (loaded with latest version SBOM relationships) either as a single graph or a hashmap<graph> (containing | ||
a graph per sbom). | ||
|
||
Loading and interrogating an 'in memory' graph has resource implications - it might be that this analytics process, at scale, will | ||
need processing to be isolated (for example, as separate pod(s) in openshift). We might also have to consider connection specific | ||
postgres configuration (and/or connect to a dedicated read only postgres replica). | ||
|
||
Performance is limited by the fact we bespoke build a graph for each query ... we could optimise this approach by having | ||
a graph always available (loaded with latest version SBOM relationships). | ||
The default performance profile of graphmap should be biased toward multiple concurrent read access - loading graph into a hashmap will lock it. | ||
|
||
It should be possible to parallise the loading and querying of multiple graphs in hashmap. | ||
|
||
It should be possible to use https://crates.io/crates/lru to limit number of graphs in hashmap. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.