Adding Analyze command to guacone

[arorasoham9]

Description of the PR

Analyze command for guacone

Comparing largely similar SBOMs
guacone analyze diff --uri --sboms=https://anchore.com/syft/image/k8s.gcr.io/kube-apiserver-v1.24.1-583a02ce-8f7e-4794-91af-35f27ffeb73d,https://anchore.com/syft/image/k8s.gcr.io/kube-apiserver-v1.24.2-ee7e0a81-87de-4761-9689-4f7162d81e44

The diff is a 4 step process:

• Create graph for SBOMs
• Find all paths in both graphs
• Find the paths that are present in one graph and not in the other, do this for both graphs.
• Pair paths from one graph to the other that are closest, then find the difference between these pairs.

Each step has tests to ensure that it is stable. Meaning, if the steps are repeated for the same Input SBOM, the results are the same. The JSON you see are the test SBOMS I use to carry out the tests for each step of the diff. These JSON files are marshalled HasSBOM nodes for SBOMs I ingested into GUAC, pulled using the Node function.

PR Checklist

• All commits have a Developer Certificate of Origin (DCO) -- they are generated using -s flag to git commit.
• All new changes are covered by tests
• If GraphQL schema is changed, make generate has been run
• If OpenAPI spec is changed, make generate has been run
• If collectsub protobuf has been changed, make proto has been run
• All CI checks are passing (tests and formatting)
• All dependent PRs have already been merged

[arorasoham9]

@pxp928 ready for review.

[pxp928]

Cool, @arorasoham9 can you add some screenshots to what the output will look like for the CLI?

[pxp928]

one major task would be to add unit tests to this package. Some things like the graph, getting data from graphQL can be abstracted away but do you have some tests you can add here to test the functionality?

[arorasoham9]

I don't have any at the moment. I can write a few. Could they come in a future PR?

[arorasoham9]

Added unit tests as requested.

[arorasoham9]

Cool, @arorasoham9 can you add some screenshots to what the output will look like for the CLI?

Added some screenshots. The Prettify function errored out at many instances so I improvised to print the same details that function does but taken from the graph DS itself, not graphQL.

[pxp928]

need to return this as an error.

[pxp928]

don't use os.Exit(1) should return error

[pxp928]

no need to instantiate this here, can just it on line 72?

[pxp928]

why is this returning an interface{}

[pxp928]

dont use fmt.Printf, you should return an error via fmt.Errorf

[pxp928]

return a proper error and dont use os.Exit

[pxp928]

clean up and pass out proper error

[pxp928]

should user logger here: https://github.com/guacsec/guac/blob/main/pkg/handler/processor/process/process.go#L117

It should be able to be pulled from the context:

logger := logging.FromContext(ctx)

[pxp928]

pass in options or something similar and not the actual cmd. See: https://github.com/guacsec/guac/blob/main/cmd/guacone/cmd/s3.go#L80-L93

[pxp928]

fix error

[pxp928]

missing header

[jeffmendoza]

Mostly code organization and naming comments.

[jeffmendoza]

Any reason for the import rename here?

[jeffmendoza]

This should be a positional argument if required, not a flag/option.

[jeffmendoza]

Don't pass cmd to a package under pkg/. Those shouldn't have a dependency on cli commands or cobra. Explicitly pass the parameters this needs.

[jeffmendoza]

Don't add flags to rootCmd, this will show up on all guacone cmds if so. Use this analyzeCmd you are creating.
Also, cli options are normally under pkg/cli/store.go but this command has so many it might make sense to just leave them here.

[jeffmendoza]

change to incl-soft and similar for others. All cli options use hyphen-case.

[jeffmendoza]

Add a newline to the end of the file

[jeffmendoza]

Shouldn't have any os.Exit in a package under pkg/, assume this is a library that can be called from anywhere. Propagate errors back to the caller.

[jeffmendoza]

All this should be under the file in cmd/, shouldn't have any flag validation here in pkg/.

[jeffmendoza]

add an empty line between functions.

[jeffmendoza]

Anything under pkg/ should not print anything to stdout. Any logic should result in a datastructure that returns back to cmd/ and is then printed. This helps for testability. Looks like much of this may need to be moved back to cmd/

[pxp928]

@arorasoham9 did the node functionality get fixed?

[arorasoham9]

@pxp928 Ready for review. Please let me know what changes you require to the output presentation.

[nathannaveen]

Hey, @arorasoham9, I have a suggestion. Could you move the test data to https://github.com/guacsec/guac-test?

There are over 1,000,000 lines of code in this PR, making it virtually impossible to review, and without adequate reviews, security bugs could be introduced into the code.

If the test files were to be moved into guac-test, then the majority of this code wouldn’t be in this PR so that we can properly review it.

If the test files were moved to guac-test, this code would not be built and intern would not affect the end user.

I am not entirely sure whether the JSON files are part of executable code. Even if they aren't right now I am not sure whether we will in the future.

While JSON files are typically safe, there's a potential risk that they could contain encoded scripts, which might inadvertently introduce security vulnerabilities.

[arorasoham9]

@nathannaveen Done! I have moved the HasSBOM JSON test files for gaucanalyze to guac-test. I have also added some explanation for having these JSON files to the description of this PR.

I will require this PR merged before I can send a final commit to reflect the code changes to accept the JSON test from guac-test.

[pxp928]

@arorasoham9 any luck in improving the output? It is very hard to understand. Like if you can show less information and just show only what is relevant, that would be better.

[arorasoham9]

@pxp928 I am still thinking of ways to show only the relevant information. This is a better explanation for why you see so much even with just a small difference between two sboms. The diff works at the granularity of a path, not a node, so when it finds even one node different it classifies all paths with that participating node as different (and prints them). I believe the original aim was to find missing/different paths bw two sboms was to also offer a graph "structural" difference as well. I am trying to think how we can still offer the same differences in an easier to understand manner.

[lumjjb]

Thanks @arorasoham9 for working on this big feature!! definitely going to be very useful, would you be able to help break this up into a few separate PRs, that would be very helpful in getting this merged in faster!

maybe start with the analyzer package, and then add a table formatter pkg, and then the CLI options and the CLI itself?

[lumjjb]

these flags should be initialized in https://github.com/guacsec/guac/blob/main/pkg/cli/store.go, and preferably prefixed in a way that shows its for guacanalyze

[lumjjb]

nit: golang errors style guide is lowercase first characters.

[lumjjb]

make it into different lines for readability.

[lumjjb]

nit: the comment doesn't add much context to the code, either remove or expand.

[lumjjb]

would it make sense for these to be subcommands? otherwise this should be a flag maybe?

[lumjjb]

can you provide additional context and documentation around the functions? it is not clear what should be in value, unless there's a good reason, i would highly recommend not having interface{} as the type of value. If anything it can be a hidden type that can be minted by the analyzer but must provide sufficient constructors to make sense of it.

[lumjjb]

use an enum :)

[lumjjb]

what is color used for? Is it the identity of an edge of just for analysis purpose? can it be passed it as an option on the node for extensibility?

_ID should be id to follow golang style?

[lumjjb]

would be helpful to move all printing stuff to either a different package or a different file

[lumjjb]

why read two sboms from a file? i don't think that's a common pattern?