Ent implementation for use cases #1 and #2 (#24)

* Ent - PackageVersion: added index for improving IsDependency ingestion (guacsec#1439) Signed-off-by: mrizzi <[email protected]> * Ent: Package,IsDependency concurrent bulk ingestions (guacsec#1440) Signed-off-by: mrizzi <[email protected]> * Ent - HasMetadata: fix ingesting same twice (guacsec#1392) Signed-off-by: mrizzi <[email protected]> * Ent - Vulnerability endpoints: applied concurrent approach Signed-off-by: mrizzi <[email protected]> * Ent implementation for use case #1-#2 Signed-off-by: mrizzi <[email protected]> --------- Signed-off-by: mrizzi <[email protected]>
trustification · Nov 10, 2023 · 307a19e · 307a19e
1 parent d084a42
commit 307a19e
Show file tree

Hide file tree

Showing 41 changed files with 2,638 additions and 181 deletions.
diff --git a/.github/scripts/excluded_from_copyright b/.github/scripts/excluded_from_copyright
@@ -242,6 +242,7 @@
 ./pkg/assembler/graphql/generated/prelude.generated.go
 ./pkg/assembler/graphql/generated/root_.generated.go
 ./pkg/assembler/graphql/generated/schema.generated.go
+./pkg/assembler/graphql/generated/search.generated.go
 ./pkg/assembler/graphql/generated/source.generated.go
 ./pkg/assembler/graphql/generated/vulnEqual.generated.go
 ./pkg/assembler/graphql/generated/vulnMetadata.generated.go

diff --git a/internal/testing/testdata/testdata.go b/internal/testing/testdata/testdata.go
@@ -822,6 +822,17 @@ var (
 				Collector:     "GUAC",
 			},
 		},
+		{
+			Pkg:          baselayoutPack,
+			PkgMatchFlag: generated.MatchFlags{Pkg: "SPECIFIC_VERSION"},
+			HasMetadata: &generated.HasMetadataInputSpec{
+				Key:           "topLevelPackage",
+				Value:         "pkg:guac/spdx/gcr.io/google-containers/alpine-latest",
+				Justification: "spdx top level package reference",
+				Origin:        "GUAC SPDX",
+				Collector:     "GUAC",
+			},
+		},
 		{
 			Pkg:          baselayoutdataPack,
 			PkgMatchFlag: model.MatchFlags{Pkg: model.PkgMatchTypeSpecificVersion},
@@ -844,6 +855,17 @@ var (
 				Collector:     "GUAC",
 			},
 		},
+		{
+			Pkg:          baselayoutdataPack,
+			PkgMatchFlag: generated.MatchFlags{Pkg: "SPECIFIC_VERSION"},
+			HasMetadata: &generated.HasMetadataInputSpec{
+				Key:           "topLevelPackage",
+				Value:         "pkg:guac/spdx/gcr.io/google-containers/alpine-latest",
+				Justification: "spdx top level package reference",
+				Origin:        "GUAC SPDX",
+				Collector:     "GUAC",
+			},
+		},
 		{
 			Pkg:          keysPack,
 			PkgMatchFlag: model.MatchFlags{Pkg: model.PkgMatchTypeSpecificVersion},
@@ -888,6 +910,17 @@ var (
 				Collector:     "GUAC",
 			},
 		},
+		{
+			Pkg:          keysPack,
+			PkgMatchFlag: generated.MatchFlags{Pkg: "SPECIFIC_VERSION"},
+			HasMetadata: &generated.HasMetadataInputSpec{
+				Key:           "topLevelPackage",
+				Value:         "pkg:guac/spdx/gcr.io/google-containers/alpine-latest",
+				Justification: "spdx top level package reference",
+				Origin:        "GUAC SPDX",
+				Collector:     "GUAC",
+			},
+		},
 	}
 
 	SpdxIngestionPredicates = assembler.IngestPredicates{

diff --git a/pkg/assembler/backends/ent/backend/certifyVEXStatement.go b/pkg/assembler/backends/ent/backend/certifyVEXStatement.go
@@ -20,6 +20,7 @@ import (
 	stdsql "database/sql"
 
 	"entgo.io/ent/dialect/sql"
+	"github.com/guacsec/guac/internal/testing/ptrfrom"
 	"github.com/guacsec/guac/pkg/assembler/backends/ent"
 	"github.com/guacsec/guac/pkg/assembler/backends/ent/certifyvex"
 	"github.com/guacsec/guac/pkg/assembler/backends/ent/predicate"
@@ -29,6 +30,7 @@ import (
 	"github.com/guacsec/guac/pkg/assembler/graphql/model"
 	"github.com/pkg/errors"
 	"github.com/vektah/gqlparser/v2/gqlerror"
+	"golang.org/x/sync/errgroup"
 )
 
 func (b *EntBackend) IngestVEXStatement(ctx context.Context, subject model.PackageOrArtifactInput, vulnerability model.VulnerabilityInputSpec, vexStatement model.VexStatementInputSpec) (*model.CertifyVEXStatement, error) {
@@ -63,12 +65,14 @@ func (b *EntBackend) IngestVEXStatement(ctx context.Context, subject model.Packa
 		var conflictWhere *sql.Predicate
 
 		// manage package or artifact
+		var subjectID int
 		if subject.Package != nil {
 			p, err := getPkgVersion(ctx, client.Client(), *subject.Package)
 			if err != nil {
 				return nil, Errorf("%v ::  %s", funcName, err)
 			}
 			insert.SetPackage(p)
+			subjectID = p.ID
 			conflictColumns = append(conflictColumns, certifyvex.FieldPackageID)
 			conflictWhere = sql.And(
 				sql.NotNull(certifyvex.FieldPackageID),
@@ -82,6 +86,7 @@ func (b *EntBackend) IngestVEXStatement(ctx context.Context, subject model.Packa
 				return nil, Errorf("%v ::  %s", funcName, err)
 			}
 			insert.SetArtifactID(artID)
+			subjectID = artID
 			conflictColumns = append(conflictColumns, certifyvex.FieldArtifactID)
 			conflictWhere = sql.And(
 				sql.IsNull(certifyvex.FieldPackageID),
@@ -112,7 +117,7 @@ func (b *EntBackend) IngestVEXStatement(ctx context.Context, subject model.Packa
 				return nil, errors.Wrap(err, "upsert certify vex statement node")
 			}
 			id, err = client.CertifyVex.Query().
-				Where(vexStatementInputPredicate(subject, vulnerability, vexStatement)).
+				Where(vexStatementInputPredicate(subject, subjectID, vulnerability, vulnID, vexStatement)).
 				WithPackage(func(q *ent.PackageVersionQuery) {
 					q.WithName(func(q *ent.PackageNameQuery) {
 						q.WithNamespace(func(q *ent.PackageNamespaceQuery) {
@@ -139,19 +144,30 @@ func (b *EntBackend) IngestVEXStatement(ctx context.Context, subject model.Packa
 }
 
 func (b *EntBackend) IngestVEXStatements(ctx context.Context, subjects model.PackageOrArtifactInputs, vulnerabilities []*model.VulnerabilityInputSpec, vexStatements []*model.VexStatementInputSpec) ([]string, error) {
-	var ids []string
+	var ids = make([]string, len(vexStatements))
+	eg, ctx := errgroup.WithContext(ctx)
 	for i := range vexStatements {
+		index := i
 		var subject model.PackageOrArtifactInput
 		if len(subjects.Packages) > 0 {
-			subject = model.PackageOrArtifactInput{Package: subjects.Packages[i]}
+			subject = model.PackageOrArtifactInput{Package: subjects.Packages[index]}
 		} else {
-			subject = model.PackageOrArtifactInput{Artifact: subjects.Artifacts[i]}
+			subject = model.PackageOrArtifactInput{Artifact: subjects.Artifacts[index]}
 		}
-		statement, err := b.IngestVEXStatement(ctx, subject, *vulnerabilities[i], *vexStatements[i])
-		if err != nil {
-			return nil, gqlerror.Errorf("IngestVEXStatements failed with element #%v with err: %v", i, err)
-		}
-		ids = append(ids, statement.ID)
+		vuln := *vulnerabilities[index]
+		vexStatement := *vexStatements[index]
+		concurrently(eg, func() error {
+			statement, err := b.IngestVEXStatement(ctx, subject, vuln, vexStatement)
+			if err == nil {
+				ids[index] = statement.ID
+				return err
+			} else {
+				return gqlerror.Errorf("IngestVEXStatements failed with element #%v with err: %v", i, err)
+			}
+		})
+	}
+	if err := eg.Wait(); err != nil {
+		return nil, err
 	}
 	return ids, nil
 }
@@ -202,27 +218,21 @@ func certifyVexPredicate(filter model.CertifyVEXStatementSpec) predicate.Certify
 	predicates := []predicate.CertifyVex{
 		optionalPredicate(filter.ID, IDEQ),
 		optionalPredicate(filter.KnownSince, certifyvex.KnownSinceEQ),
-		optionalPredicate(filter.Statement, certifyvex.StatementEQ),
-		optionalPredicate(filter.StatusNotes, certifyvex.StatusNotesEQ),
-		optionalPredicate(filter.Collector, certifyvex.CollectorEQ),
-		optionalPredicate(filter.Origin, certifyvex.OriginEQ),
-	}
-	if filter.Status != nil {
-		status := filter.Status.String()
-		predicates = append(predicates, optionalPredicate(&status, certifyvex.StatusEQ))
 	}
 	if filter.VexJustification != nil {
 		justification := filter.VexJustification.String()
 		predicates = append(predicates, optionalPredicate(&justification, certifyvex.JustificationEQ))
 	}
-
-	if filter.Subject != nil {
-		if filter.Subject.Package != nil {
-			predicates = append(predicates, certifyvex.HasPackageWith(packageVersionQuery(filter.Subject.Package)))
-		} else if filter.Subject.Artifact != nil {
-			predicates = append(predicates, certifyvex.HasArtifactWith(artifactQueryPredicates(filter.Subject.Artifact)))
-		}
+	if filter.Status != nil {
+		status := filter.Status.String()
+		predicates = append(predicates, optionalPredicate(&status, certifyvex.StatusEQ))
 	}
+	predicates = append(predicates,
+		optionalPredicate(filter.Statement, certifyvex.StatementEQ),
+		optionalPredicate(filter.StatusNotes, certifyvex.StatusNotesEQ),
+		optionalPredicate(filter.Origin, certifyvex.OriginEQ),
+		optionalPredicate(filter.Collector, certifyvex.CollectorEQ),
+	)
 
 	if filter.Vulnerability != nil {
 		if filter.Vulnerability.NoVuln != nil && *filter.Vulnerability.NoVuln {
@@ -239,23 +249,35 @@ func certifyVexPredicate(filter model.CertifyVEXStatementSpec) predicate.Certify
 			)
 		}
 	}
+
+	if filter.Subject != nil {
+		if filter.Subject.Package != nil {
+			predicates = append(predicates, certifyvex.HasPackageWith(packageVersionQuery(filter.Subject.Package)))
+		} else if filter.Subject.Artifact != nil {
+			predicates = append(predicates, certifyvex.HasArtifactWith(artifactQueryPredicates(filter.Subject.Artifact)))
+		}
+	}
+
 	return certifyvex.And(predicates...)
 }
 
-func vexStatementInputPredicate(subject model.PackageOrArtifactInput, vulnerability model.VulnerabilityInputSpec, vexStatement model.VexStatementInputSpec) predicate.CertifyVex {
+func vexStatementInputPredicate(subject model.PackageOrArtifactInput, subjectID int, vulnerability model.VulnerabilityInputSpec, vulnerabilityID int, vexStatement model.VexStatementInputSpec) predicate.CertifyVex {
 	var sub *model.PackageOrArtifactSpec
 	if subject.Package != nil {
 		sub = &model.PackageOrArtifactSpec{
 			Package: helper.ConvertPkgInputSpecToPkgSpec(subject.Package),
 		}
+		sub.Package.ID = ptrfrom.String(nodeID(subjectID))
 	} else {
 		sub = &model.PackageOrArtifactSpec{
 			Artifact: helper.ConvertArtInputSpecToArtSpec(subject.Artifact),
 		}
+		sub.Artifact.ID = ptrfrom.String(nodeID(subjectID))
 	}
 	return certifyVexPredicate(model.CertifyVEXStatementSpec{
 		Subject: sub,
 		Vulnerability: &model.VulnerabilitySpec{
+			ID:              ptrfrom.String(nodeID(vulnerabilityID)),
 			Type:            &vulnerability.Type,
 			VulnerabilityID: &vulnerability.VulnerabilityID,
 		},

diff --git a/pkg/assembler/backends/ent/backend/certifyVEXStatement_test.go b/pkg/assembler/backends/ent/backend/certifyVEXStatement_test.go
@@ -1063,7 +1063,7 @@ func (s *Suite) TestVEXBulkIngest() {
 			if err != nil {
 				return
 			}
-			if diff := cmp.Diff(test.ExpVEX, got, ignoreID); diff != "" {
+			if diff := cmp.Diff(test.ExpVEX, got, IngestPredicatesCmpOpts...); diff != "" {
 				t.Errorf("Unexpected results. (-want +got):\n%s", diff)
 			}
 		})

diff --git a/pkg/assembler/backends/ent/backend/certifyVuln.go b/pkg/assembler/backends/ent/backend/certifyVuln.go
@@ -30,6 +30,7 @@ import (
 	"github.com/guacsec/guac/pkg/assembler/backends/ent/vulnerabilitytype"
 	"github.com/guacsec/guac/pkg/assembler/graphql/model"
 	"github.com/vektah/gqlparser/v2/gqlerror"
+	"golang.org/x/sync/errgroup"
 )
 
 func (b *EntBackend) IngestCertifyVuln(ctx context.Context, pkg model.PkgInputSpec, spec model.VulnerabilityInputSpec, certifyVuln model.ScanMetadataInput) (*model.CertifyVuln, error) {
@@ -90,13 +91,25 @@ func (b *EntBackend) IngestCertifyVuln(ctx context.Context, pkg model.PkgInputSp
 }
 
 func (b *EntBackend) IngestCertifyVulns(ctx context.Context, pkgs []*model.PkgInputSpec, vulnerabilities []*model.VulnerabilityInputSpec, certifyVulns []*model.ScanMetadataInput) ([]*model.CertifyVuln, error) {
-	var modelCertifyVulns []*model.CertifyVuln
-	for i, certifyVuln := range certifyVulns {
-		modelCertifyVuln, err := b.IngestCertifyVuln(ctx, *pkgs[i], *vulnerabilities[i], *certifyVuln)
-		if err != nil {
-			return nil, gqlerror.Errorf("IngestVulnerability failed with err: %v", err)
-		}
-		modelCertifyVulns = append(modelCertifyVulns, modelCertifyVuln)
+	var modelCertifyVulns = make([]*model.CertifyVuln, len(vulnerabilities))
+	eg, ctx := errgroup.WithContext(ctx)
+	for i := range certifyVulns {
+		index := i
+		pkg := *pkgs[index]
+		vuln := *vulnerabilities[index]
+		certifyVuln := *certifyVulns[index]
+		concurrently(eg, func() error {
+			modelCertifyVuln, err := b.IngestCertifyVuln(ctx, pkg, vuln, certifyVuln)
+			if err == nil {
+				modelCertifyVulns[index] = modelCertifyVuln
+				return err
+			} else {
+				return gqlerror.Errorf("IngestCertifyVulns failed with err: %v", err)
+			}
+		})
+	}
+	if err := eg.Wait(); err != nil {
+		return nil, err
 	}
 	return modelCertifyVulns, nil
 }

diff --git a/pkg/assembler/backends/ent/backend/certifyVuln_test.go b/pkg/assembler/backends/ent/backend/certifyVuln_test.go
@@ -1023,9 +1023,6 @@ func (s *Suite) TestIngestCertifyVulns() {
 			},
 		},
 	}
-	ignoreID := cmp.FilterPath(func(p cmp.Path) bool {
-		return strings.Compare(".ID", p[len(p)-1].String()) == 0
-	}, cmp.Ignore())
 	ctx := context.Background()
 	for _, test := range tests {
 		s.Run(test.Name, func() {
@@ -1072,7 +1069,7 @@ func (s *Suite) TestIngestCertifyVulns() {
 			if err != nil {
 				return
 			}
-			if diff := cmp.Diff(test.ExpVuln, got, ignoreID); diff != "" {
+			if diff := cmp.Diff(test.ExpVuln, got, IngestPredicatesCmpOpts...); diff != "" {
 				t.Errorf("Unexpected results. (-want +got):\n%s", diff)
 			}
 		})

diff --git a/pkg/assembler/backends/ent/backend/concurrently.go b/pkg/assembler/backends/ent/backend/concurrently.go
@@ -0,0 +1,79 @@
+//
+// Copyright 2023 The GUAC Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package backend
+
+import (
+	"context"
+	"os"
+	"strconv"
+
+	"github.com/guacsec/guac/pkg/logging"
+	"golang.org/x/sync/errgroup"
+)
+
+var concurrent chan struct{}
+var concurrentRead chan struct{}
+
+const MaxConcurrentBulkIngestionString string = "MAX_CONCURRENT_BULK_INGESTION"
+const defaultMaxConcurrentBulkIngestion int = 50
+const MaxConcurrentReadString string = "MAX_CONCURRENT_READ"
+const defaultMaxConcurrentRead int = 40
+
+func init() {
+	logger := logging.FromContext(context.Background())
+	concurrentSize := defaultMaxConcurrentBulkIngestion
+	maxConcurrentBulkIngestionEnv, found := os.LookupEnv(MaxConcurrentBulkIngestionString)
+	if found {
+		maxConcurrentBulkIngestion, err := strconv.Atoi(maxConcurrentBulkIngestionEnv)
+		if err != nil {
+			logger.Warnf("failed to convert %v value %v to integer. Default value %v will be applied", MaxConcurrentBulkIngestionString, maxConcurrentBulkIngestionEnv, defaultMaxConcurrentBulkIngestion)
+			concurrentSize = defaultMaxConcurrentBulkIngestion
+		} else {
+			concurrentSize = maxConcurrentBulkIngestion
+		}
+	}
+	concurrent = make(chan struct{}, concurrentSize)
+
+	concurrentReadSize := defaultMaxConcurrentRead
+	maxConcurrentReadEnv, found := os.LookupEnv(MaxConcurrentReadString)
+	if found {
+		maxConcurrentBulkIngestion, err := strconv.Atoi(maxConcurrentReadEnv)
+		if err != nil {
+			logger.Warnf("failed to convert %v value %v to integer. Default value applied is %v\n", MaxConcurrentReadString, maxConcurrentReadEnv, concurrentReadSize)
+		} else {
+			concurrentReadSize = maxConcurrentBulkIngestion
+		}
+	}
+	concurrentRead = make(chan struct{}, concurrentReadSize)
+}
+
+func concurrently(eg *errgroup.Group, fn func() error) {
+	eg.Go(func() error {
+		concurrent <- struct{}{}
+		err := fn()
+		<-concurrent
+		return err
+	})
+}
+
+func concurrentlyRead(eg *errgroup.Group, fn func() error) {
+	eg.Go(func() error {
+		concurrentRead <- struct{}{}
+		err := fn()
+		<-concurrentRead
+		return err
+	})
+}