
add support for keyType in signature by adding a new message type #1

Draft
wants to merge 1 commit into
base: master

Conversation

hkadakia
Owner

No description provided.

hkadakia pushed a commit that referenced this pull request Dec 8, 2021
add archive time field to occurrence
hkadakia pushed a commit that referenced this pull request Dec 28, 2021
add pg filter based on mysql filter
hkadakia pushed a commit that referenced this pull request Dec 28, 2021
All the pgsql specific code will be moved out to tetradio repo, as mentioned
upstream in grafeas#341
When we are ready, we can submit this and pgsql code to be merged upstream.
hkadakia added a commit that referenced this pull request Dec 28, 2021
* updating json examples and extended the grpc client example

* Deal with Windows line-endings that git introduces

* Allow for Windows protoc download

* Deal with explicitly shelling out via bash

* Unzip on Windows slow to release file handles

* fix marshalling error when deleting projects

* backfill tests

* Add tests on permission checking

Add some tests to validate the permission checks on UpdateOccurrence
operations. To support the tests, add an allowListAuth test implementation
of Auth that just stores a list of allowed project/permission pairs.

Two of the tests are documenting incorrect behavior that will be fixed in
a later commit. Namely:
(1) Updating the NoteName should require NotesAttachOccurrence on the old
NoteName (as this is effectively a detach operation).
(2) When excluding the NoteName from the update using an UpdateMask, the
permission check should be performed against the existing NoteName, not
whatever was passed in (and which will be ignored).

* Fix permission checks in occurrence update function

This commit fixes the permission checks in UpdateOccurrence and
updates the tests from the last commit to demonstrate the change.

In particular, we now check the NotesAttachOccurrence on the
occurrence's existing NoteName before allowing updates. We continue
to check the NotesAttachOccurrence on the updated NoteName (if it
is different from the existing NoteName whose permission has already
been checked). This means that updating an occurrence from one note
to another requires NotesAttachOccurrence on both notes.

* Changes to v1 proto only

* fix the field number of inclusive.

* also add changes to v1beta1

* fix typo

* Update running_grafeas.md

The instructions for using the curl command with the certificate didn't work for me.  I got the error message: 

`curl: (58) unable to set private key file: 'server.pem' type PEM`

When I added these additional flags, it worked fine.

* add grafeas-elasticsearch to list of backends

* Add the vendor field to Vulnerability.Detail

* Increase max page size in v1 API: 1k -> 10k.

* fixes ARM build

* initial commit of grafeas proto

* add files generated by running make

* Added roadmap and clarifications for architecture

* addressing comments on the PR

* further comments addressed

* Add the non_compliance_reason field to ComplianceOccurrence

The field is necessary to support the cases where the benchmark is
non-compliant but there are no associated files, like the upcoming
SQL checks.

* remove unused deps from compliance proto

* add COMPLIANCE to note kind

* Added SECURITY guidelines

* fix: broken link

* Add the vendor info to the V1 api.

* Initial commit of DSSE Attestation and IntotoProvenance support.

* Remove prefix from intotoprovenance

* Add generation code.

* Add dsse references in grafeas.proto

* Fixes in reference to the comments.

* Fix common.proto field format

* Change names of fields to work around naming conflicts.

* Renamed Builder to BuilderConfig, to not conflict with the Java generated Builder class.

* Make casing of dsse consistent

* Make casing of dsse consistent

* Move the package type and effective severity to the PackageIssue level

When we are creating vulnerabilities, we may find vulnerabilities for
multiple different package types (e.g. OS, Maven, NPM, Go, etc.) on a
single Note. Since type is currently on the Vulnerability occurrence
level, we need to move it down into the PackageIssue level. Similarly,
vulnerabilities issued for different package types (potentially by
different vulnerability sources) can have different effective
severities. Therefore, this field also needs to be moved down into the
PackageIssue level.

* Change intoto provenance arguments to be of Any type.

* Change intoto provenance arguments to be of Any type.

* Fix small typo

* Add comment about "Any"

* SBOM protos

* move spdx proto to v1beta1 and split into separate files

* Add TODO to encapsulate spdx license fields

* Change arguments and recipe from []Any to just Any, to more closely follow the spec.

* Add SPDX Relationships protos and consolidate SPDX protos into one file.

* Remove obsolete SPDX files.

* Added fields to PackageInfoOccurrence and RelationshipNote

* Created License message

* Use License message instead of the string field type

* Use annotations for output only fields

* Clean up comments for output only fields

* Top-level enums should appear ahead of messages

* Correction: top-level enums should appear after messages

* 1. Add a new type, of type slsa_provenance, which exactly follows the slsa spec (as opposed to the intoto_provenance, which has a few differences).
2. Add slsa_provenance as a predicate type to the intoto_statement
3. Add the intoto_statement to the build type.
4. Change the json serialization of the intoto_statement type to "_type" to follow the spec.

* Correct import paths

* Keep intoto_provenance as-is.

* Comment out the slsa provenance to see if compilation works.

* Fix spelling of deployable

* 1. Move intoto_statement to its own file, replacing dsse_attestation and references to it.
2. Add slsa_provenance and intoto_statement to generate file.

* Add build verification and tests

* Keep dsse attestation, just move around intoto_statement to its own file.

* Keep dsse attestation with the original statement

* Added links for clarification.

* Rename Builder message to BuilderConfig

* Prepend messages with "Slsa" to avoid naming conflicts in the "grafeas.v1" package.

* changes for cvss v3

* Add grafeas-rds to list of backends.

* use backticks for strings

* regen with protoc 3.11.4 and grpc-gateway 1.19.6

* add v1 proto generated code

* preserve original v1 generate.go

* regen with v2 and sync with master

* add git validation that was done in https://git.vzbuilders.com/maditya/grafeas-orig/pull/3

* add pg filter based on mysql filter

* Remove pgsql implementation (#1)

All the pgsql specific code will be moved out to tetradio repo, as mentioned
upstream in grafeas#341
When we are ready, we can submit this and pgsql code to be merged upstream.

* add custom uploader_id and content_hash field for package type (grafeas#2)

Co-authored-by: jwang04 <jwang04@verizonmedia.com>

* regen with protoc 3.11.4 and grpc-gateway 1.19.6

* add v1 proto generated code

* preserve original v1 generate.go

* regen with v2 and sync with master

* add pg filter based on mysql filter

* initial working version

* fix kind sql parsing

* Remove pgsql implementation (#1)

All the pgsql specific code will be moved out to tetradio repo, as mentioned
upstream in grafeas#341
When we are ready, we can submit this and pgsql code to be merged upstream.

Co-authored-by: greendinosaur <greendinosaur@users.noreply.github.com>
Co-authored-by: Sean Dukehart <tomcruise81@users.noreply.github.com>
Co-authored-by: Michael Parker <michael@parker.gg>
Co-authored-by: wkozlik <61755482+wkozlik@users.noreply.github.com>
Co-authored-by: Eric Zimanyi <ezimanyi@google.com>
Co-authored-by: Aysylu Greenberg <aysylu@users.noreply.github.com>
Co-authored-by: Neetha Sebastian <neethas@google.com>
Co-authored-by: Dina Graves Portman <dinagraves@google.com>
Co-authored-by: Yinpeng Li <yinpengli@google.com>
Co-authored-by: Catherine Jones <31020910+catherinejones@users.noreply.github.com>
Co-authored-by: Pietro Ferretti <pferretti@google.com>
Co-authored-by: Nolan Emirot <emirot.nolan@gmail.com>
Co-authored-by: vyinpengli <mousquetairesyl@gmail.com>
Co-authored-by: sherzberg <sherzberg@google.com>
Co-authored-by: Nicholas Cho <nickcho2@gmail.com>
Co-authored-by: Yousef Alowayed <yousef.alowayed@gmail.com>
Co-authored-by: Wiktor Kozlik <wkozlik@google.com>
Co-authored-by: Ethan Anderson <eanderson@atlassian.com>
Co-authored-by: yzhao02 <yonghe.zhao@verizonmedia.com>
Co-authored-by: Aditya Mahendrakar <maditya@verizonmedia.com>
Co-authored-by: Junyi Wang <junyi.wang@oath.com>
Co-authored-by: jwang04 <jwang04@verizonmedia.com>
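The "Fix permission checks in occurrence update function" entry in the commit log above describes the corrected check order for UpdateOccurrence. As an added illustration that is not the project's own code, here is that order in Go: NotesAttachOccurrence comes from the commit message, while the Occurrence type, the allow-list auth and the mask representation (a set of FieldMask paths) are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Permission name from the commit message; Occurrence, allowListAuth and the
// mask representation are assumptions for this example, not Grafeas code.
const NotesAttachOccurrence = "notes.attachOccurrence"
type Occurrence struct {
	NoteName, Resource string // NoteName: "projects/<id>/notes/<note>"
}
// allowListAuth grants only the listed "<project>|<permission>" pairs.
type allowListAuth map[string]bool
func (a allowListAuth) Check(project, perm string) error {
	if a[project+"|"+perm] {
		return nil
	}
	return fmt.Errorf("%s denied on %q", perm, project)
}

// projectOf maps "projects/<id>/notes/<note>" to "projects/<id>" ("" if malformed).
func projectOf(noteName string) string {
	if p := strings.Split(noteName, "/"); len(p) == 4 && p[0] == "projects" && p[2] == "notes" {
		return p[0] + "/" + p[1]
	}
	return ""
}

// updateOccurrence checks attach permission on the existing note first (a move
// is effectively a detach), then on the new note only when "note_name" is in
// the mask (set of FieldMask paths) and changes; a NoteName sent outside the
// mask is ignored, so the check is never run against it.
func updateOccurrence(auth allowListAuth, cur, in Occurrence, mask map[string]bool) (Occurrence, error) {
	if err := auth.Check(projectOf(cur.NoteName), NotesAttachOccurrence); err != nil {
		return cur, err
	}
	out := cur
	if mask["note_name"] && in.NoteName != cur.NoteName {
		if err := auth.Check(projectOf(in.NoteName), NotesAttachOccurrence); err != nil {
			return cur, err
		}
		out.NoteName = in.NoteName
	}
	if mask["resource"] {
		out.Resource = in.Resource
	}
	return out, nil
}
```

Moving an occurrence between notes therefore needs the attach permission on both projects, and an update whose mask omits note_name is checked only against the note the occurrence is already attached to.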