
Commit b6b73ad

author
Jim Clark
committed
Make most of relationships on the evidence cardinality one
1 parent ce3f8ce commit b6b73ad

3 files changed

+51
-46
lines changed


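--- a/datalog/subscription/on-discovery.edn
+++ b/datalog/subscription/on-discovery.edn
@@ -29,33 +29,32 @@
 :git.user/name
 {:git.user/emails [:email.email/address]}]}
 :git.commit/sha])
-(pull ?cve [:vulnerability.cve/source
-:vulnerability.cpe/evidence
-:vulnerability.cve/source-id
-:vulnerability.cve/cvss-score
-{:vulnerability.cpe/_cves
-[{:vulnerability.cpe/evidence
-[{:package.evidence/dependency
-[:package.dependency/license
-:package.dependency/fileName]}
-:package.evidence/confidence
-:package.evidence/source]}]}
-{:package.url/_cves
-[{:package.url/evidence
-[{:package.evidence/dependency
-[:package.dependency/license
-:package.dependency/fileName]}
-:package.evidence/confidence
-:package.evidence/source]}]}])
+(pull ?evidence [{:package.evidence/dependency
+[:package.dependency/license
+:package.dependency/fileName]}
+:package.evidence/confidence
+:package.evidence/source
+{:package.evidence/purl
+[:package.url/url
+{:package.url/cves
+[:vulnerability.cve/source
+:vulnerability.cve/cvss-score
+:vulnerability.cve/source-id]}]}
+{:package.evidence/cpe
+[:vulnerability.cve/source-id
+{:vulnerability.cpe/cves
+[:vulnerability.cve/source
+:vulnerability.cve/cvss-score
+:vulnerability.cve/source-id]}]}])
 :in $ $before %
 :where
 (tx-entity-attr-value :dependency.analysis.discovery/status ?discovery ?status)
 [?discovery :dependency.analysis.discovery/status :dependency.analysis.discovery.status/COMPLETE]
 [?discovery :dependency.analysis.discovery/source :dependency.analysis.discovery.source/OWASP_DEPENDENCY_SCANNER]
 [?discovery :dependency.analysis.discovery/commit ?commit]
-[?commit :git.commit/dependency-evidence ?evidence]
+[?evidence :package.evidence/commit ?commit]
 (or-join [?evidence ?cve]
-(and [?cpe :vulnerability.cpe/evidence ?evidence]
+(and [?evidence :package.evidence/cpe ?cpe]
 [?cpe :vulnerability.cpe/cves ?cve])
-(and [?purl :package.url/evidence ?evidence]
+(and [?evidence :package.evidence/purl ?purl]
 [?purl :package.url/cves ?cve]))]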
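Review bot: The `:package.evidence/cpe` branch of the new pull pattern (new lines 43-48) asks the CPE entity for `:vulnerability.cve/source-id`, which is a CVE attribute, while the summary function changed in src/atomist/main.cljs in this same commit destructures `:vulnerability.cpe/keys [url]` from that `cpe` value, so `url` will be absent from the pull result. It reads like a copy of the purl branch in which `:package.url/url` was meant to become `:vulnerability.cpe/url`; the line should be `{:package.evidence/cpe [:vulnerability.cpe/url`. The `:find` clause and pull head that open this query sit above the hunk.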

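--- a/resources/schema.edn
+++ b/resources/schema.edn
@@ -13,7 +13,9 @@
 ;; limitations under the License.
 
 {:attributes
-{:package/url {:db.entity/attrs [:package.url/url]}
+{;; package/url
+
+:package/url {:db.entity/attrs [:package.url/url]}
 :package.url/url {:db/valueType :db.type/string
 :db/cardinality :db.cardinality/one}
 :package.url/evidence {:db/valueType :db.type/ref
@@ -23,7 +25,10 @@
 :package.url/cves {:db/valueType :db.type/ref
 :db/cardinality :db.cardinality/many }
 
-:package/evidence {:db.entity/attrs [:schema/random-guid]}
+;; package/evidence
+:package/evidence {:db.entity/attrs [:package.evidence/commit :package.evidence/dependency]}
+:package.evidence/commit {:db/valueType :db.type/ref
+:db/cardinality :db.cardinality/one}
 :package.evidence/dependency {:db/valueType :db.type/ref
 :db/cardinality :db.cardinality/one}
 :package.evidence/source {:db/valueType :db.type/ref
@@ -32,6 +37,7 @@
 :db/cardinality :db.cardinality/one}
 :package.evidence.source/DEPENDENCY_CHECK {}
 
+;; package/dependency
 :package/dependency {:db.entity/attrs [:package.dependency/sha256]}
 :package.dependency/sha256 {:db/valueType :db.type/string
 :db/cardinality :db.cardinality/one}
@@ -40,6 +46,7 @@
 :package.dependency/license {:db/valueType :db.type/string
 :db/cardinality :db.cardinality/one}
 
+;; dependency.analysis/discovery
 :dependency.analysis/discovery {:db.entity/attrs [:dependency.analysis.discovery/commit]}
 :dependency.analysis.discovery/commit {:db/valueType :db.type/ref
 :db/cardinality :db.cardinality/one}
@@ -65,6 +72,4 @@
 :vulnerability.cpe/cves {:db/valueType :db.type/ref
 :db/cardinality :db.cardinality/many}
 
-;; adding some attributes to the Commit
-:git.commit/dependency-evidence {:db/valueType :db.type/ref
-:db/cardinality :db.cardinality/many}}}
+}}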
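Review bot: The new identity `:package/evidence {:db.entity/attrs [:package.evidence/commit :package.evidence/dependency]}` (new line 29) means every evidence entity that transact-dependency emits for one fileName in one commit — one per CPE index and one per package index, each with its own `:schema/entity` id — would resolve to the same entity, so only the last `:package.evidence/cpe` / `:package.evidence/purl` value written would survive, assuming `:db.entity/attrs` upserts on those attributes as I infer. If that is intended, say so next to the declaration, e.g. `;; identity: one evidence entity per (commit, dependency); later cpe/purl writes overwrite earlier ones`; otherwise the identity needs to include the cpe/purl reference as well. Separately, `:package.evidence/cpe` and `:package.evidence/purl` are transacted and queried in this commit but no declaration for either appears in these hunks — confirm they are defined elsewhere in the file — while `:package.url/evidence` (line 21) remains declared although nothing writes it any more.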

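--- a/src/atomist/main.cljs
+++ b/src/atomist/main.cljs
@@ -191,32 +191,37 @@
 ;; case 9 - 1 package, 1 CPE, 1 CVE but SHADED - (*** humio-sender shades two libraries)
 (defn transact-dependency [request org repo commit {:keys [fileName license sha256 packages vulnerabilityIds vulnerabilities]}]
 (go-safe
-(let [cpes (->> (seq vulnerabilityIds)
+(let [commit "$commit"
+cpes (->> (seq vulnerabilityIds)
 (map-indexed (fn [index {:keys [id confidence url]}]
-(let [cpe-evidence (gstring/format "cpe-evidence-%s-%d" fileName index)]
+(let [cpe-evidence (gstring/format "cpe-evidence-%s-%d" fileName index)
+cpe (gstring/format "cpe-%s-%d" fileName index)]
 [(merge
 {:schema/entity-type :vulnerability/cpe
-:schema/entity (gstring/format "vuln-%s-%d" fileName index)
-:vulnerability.cpe/evidence {:add [cpe-evidence]}
+:schema/entity cpe
 :vulnerability.cpe/url id}
 (when url {:vulnerability.cpe/search-url url}))
 {:schema/entity-type :package/evidence
 :schema/entity cpe-evidence
+:package.evidence/commit commit
 :package.evidence/dependency fileName
+:package.evidence/cpe cpe
 :package.evidence/source :package.evidence.source/DEPENDENCY_CHECK
 :package.evidence/confidence confidence}])))
 (apply concat))
 purls (->> (seq packages)
 (map-indexed (fn [index {:keys [id confidence url]}]
-(let [package-evidence (gstring/format "package-evidence-%s-%d" fileName index)]
+(let [package-evidence (gstring/format "package-evidence-%s-%d" fileName index)
+purl (gstring/format "package-%s-%d" fileName index)]
 [{:schema/entity-type :package/url
-:schema/entity (gstring/format "package-%s-%d" fileName index)
-:package.url/evidence {:add [package-evidence]}
+:schema/entity purl
 :package.url/url id
 :package.url/search-url url}
 {:schema/entity-type :package/evidence
 :schema/entity package-evidence
+:package.evidence/commit commit
 :package.evidence/dependency fileName
+:package.evidence/purl purl
 :package.evidence/confidence confidence
 :package.evidence/source :package.evidence.source/DEPENDENCY_CHECK}])))
 (apply concat))
@@ -257,17 +262,10 @@
 :git.provider/url (:git.provider/url org)
 :git.repo/source-id (:git.repo/source-id repo)}
 {:schema/entity-type :git/commit
-:schema/entity "$commit"
+:schema/entity commit
 :git.provider/url (:git.provider/url org)
 :git.commit/sha (:git.commit/sha commit)
-:git.commit/repo "$repo"
-
-;; add discovered dependencies to the Commit
-:git.commit/dependency-evidence
-{:add (->> entities
-(filter #(= :package/evidence (:schema/entity-type %)))
-(map :schema/entity)
-(into []))}}])
+:git.commit/repo "$repo"}])
 (into [])))))))
 
 (defn transact-vulns [handler]
@@ -423,10 +421,13 @@
 (let [{:git.commit/keys [sha]} (-> request :subscription :result first first)
 summary (->> (-> request :subscription :result first)
 (map second)
-(map (fn [{:vulnerability.cve/keys [source-id source cvss-score]
-cpes :vulnerability.cpe/_cves
-packages :package.url/_cves}]
-(gstring/format "%-20s%-10s(%-5s) -- %s - %s" source-id source cvss-score cpes packages)))
+(map (fn [{:package.evidence/keys [confidence source purl cpe]}
+{{:package.dependency/keys [license fileName]} :package.evidence/dependency}]
+(or
+(if-let [{:package.url/keys [url]} purl]
+(gstring/format "%s, %s, %s, %s, %s" url source confidence fileName license))
+(if-let [{:vulnerability.cpe/keys [url]} cpe]
+(gstring/format "%s, %s, %s, %s, %s" url source confidence fileName license)))))
 (interpose "\n* ")
 (apply str))]
 (<? (handler (assoc request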
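Review bot: The new binding `commit "$commit"` at new line 194 shadows the `commit` parameter of `transact-dependency` for the rest of that `let`, so the unchanged `:git.commit/sha (:git.commit/sha commit)` at new line 267 now does a keyword lookup on the string "$commit" and yields nil, unless something between the two hunks rebinds `commit`. Rename the placeholder instead, e.g. `commit-id "$commit"`, and reference `commit-id` for the `:schema/entity` of the commit entity and the two `:package.evidence/commit` values. Separately, the summary `fn` at new lines 424-425 declares two parameters (two destructuring maps in its vector) while `map` supplies one element, so `license` and `fileName` will always be nil; the dependency destructuring belongs inside the first map: `(fn [{:package.evidence/keys [confidence source purl cpe] {:package.dependency/keys [license fileName]} :package.evidence/dependency}]`. The `let` body of transact-dependency continues between the first two hunks, and the enclosing function of the third hunk starts above it.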
