feat: allow searching for SBOMs #167

Closed
wants to merge 2 commits into from

ctron (Contributor) commented Apr 16, 2024

No description provided.

bobmcwhirter (Contributor) commented Apr 16, 2024

A couple of thoughts, not suitable for a specific code review...

Per conversation with @jcrossley3 yesterday, I think we decided /api/v1/sbom is the collection of all sboms, and to search within, /api/v1/sbom?q=... and avoid an /api/v1/search/whatever parallel set of endpoints.

Also, I'd hoped to move any format-specific document-parsing and weaving into the graph out of graph crate and over to ingestor.

I welcome disagreement.

@@ -19,6 +19,10 @@ pub struct SearchOptions {
pub struct FoundAdvisory {
Contributor

I've similar DTOs (AdvisorySummary, AdvisoryDetails) in the graph models for DTOing.


// `filters` should be of the form, "full text search({field}{op}{value})*", e.g.
// "some text&published>=2020/11/11&location=localhost&severity=low|high&modified=true"
pub async fn search_sboms<'a>(
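
Review bot: The description of `filters` above `search_sboms` is written with `//` rather than `///`, so it will not appear in the generated documentation for this public function. Its example also uses fields such as `published` and `severity`; if those were carried over from the advisory search, the example should be replaced with fields that SBOM search actually accepts. Suggest making it a doc comment that lists the supported fields and operators and states what happens when a filter names an unknown field.
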
Contributor

I'd hoped this would just be graph.sboms(...same params...) which could return the entire collection or a filtered subset.

Contributor Author

You mean locate_sbom? I've no idea how I would need to map the query to that.

Contributor

Not necessarily locate_sbom(...) but perhaps a new .sboms(...) method to do the fetch/filter.

Contributor Author

Hm, I can't seem to find a method with that name.

Contributor

Yeah, we probably need to write it.

sort: String,
paginated: Paginated,
) -> Result<PaginatedResults<FoundSbom>, Error> {
let mut select = sbom::Entity::find()
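
Review bot: `sort: String` arrives here as free-form text, and the visible lines do not show where it is checked before it is applied to the `sbom::Entity::find()` select. If the value comes from the request query string, suggest parsing it into a fixed set of sortable SBOM columns plus a direction and returning an `Error` for anything else, so a caller cannot order by an arbitrary or unintended column.
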
Contributor

I've also used this pattern, and while not on your shoulders, I feel like we are repeating ourselves a lot, and perhaps @jcrossley3 could get us some more ergonomics around using search/sort.

modules/search/src/endpoints.rs Outdated

ctron (Contributor Author) commented Apr 16, 2024

> Per conversation with @jcrossley3 yesterday, I think we decided /api/v1/sbom is the collection of all sboms, and to search within, /api/v1/sbom?q=... and avoid an /api/v1/search/whatever parallel set of endpoints.

I kept it aligned with the current pattern. We can of course refactor, but maybe it makes sense to do this outside of this PR. Either before or after merging this one.

> Also, I'd hoped to move any format-specific document-parsing and weaving into the graph out of graph crate and over to ingestor.

Makes sense, but right now that's tricky, because the tests of graph actually parse SPDX SBOMs. We would need to either duplicate parsing code, shuffle tests around into another crate, or come up with some alternate idea. Again, not sure if we want to pack this into this PR.

jcrossley3 mentioned this pull request Apr 16, 2024

bobmcwhirter (Contributor) commented

Also, agree with subsequent PR to shuffle locations of things.

ctron (Contributor Author) commented May 2, 2024

Superseded by #169

ctron closed this May 2, 2024

ctron deleted the feature/search_sbom_1 branch May 2, 2024 08:57