Split CertifyScorecard, separating subject from object. (#502)

* Remove `mutation.gql` as it is included in `packages.gql`

Signed-off-by: Mihai Maruseac <[email protected]>

* Fix some empty lines

Signed-off-by: Mihai Maruseac <[email protected]>

* Separate backend interface functions

Signed-off-by: Mihai Maruseac <[email protected]>

* Use `scorecards` for the query instead of `CertifyScorecard`

Since `CertifyScorecard` is a verb, using it for mutation instead.

While here, also fix formatting, naming (start lowercase as that's the
GraphQL convention), comments.

Includes the generated code too, to ensure that code still builds.

Signed-off-by: Mihai Maruseac <[email protected]>

* Split `CertifyScorecard`, separating subject from object.

This is because the ingestion will require these to be separate,
creating the object only when certification exists.

For now, I did not do the same split for the input spec, but it should
be doable if we want a consistent interface, though it will make the
query JSON nest one extra level.

Signed-off-by: Mihai Maruseac <[email protected]>

* Fix format

Signed-off-by: Mihai Maruseac <[email protected]>

---------

Signed-off-by: Mihai Maruseac <[email protected]>

Author: mihaimaruseac

pkg/assembler/backends/backends.go

@@ -25,35 +25,39 @@ import (
 // GraphQL interface. All backends must implement all queries specified by the
 // GraphQL interface and this is enforced by this interface.
 type Backend interface {
-	// Retrieval read-only queries
+	// Retrieval read-only queries for software trees
 	Packages(ctx context.Context, pkgSpec *model.PkgSpec) ([]*model.Package, error)
 	Sources(ctx context.Context, sourceSpec *model.SourceSpec) ([]*model.Source, error)
 	Cve(ctx context.Context, cveSpec *model.CVESpec) ([]*model.Cve, error)
 	Ghsa(ctx context.Context, ghsaSpec *model.GHSASpec) ([]*model.Ghsa, error)
 	Osv(ctx context.Context, osvSpec *model.OSVSpec) ([]*model.Osv, error)
 	Artifacts(ctx context.Context, artifactSpec *model.ArtifactSpec) ([]*model.Artifact, error)
 	Builders(ctx context.Context, builderSpec *model.BuilderSpec) ([]*model.Builder, error)
+
+	// Retrieval read-only queries for evidence trees
 	HashEqual(ctx context.Context, hashEqualSpec *model.HashEqualSpec) ([]*model.HashEqual, error)
 	IsOccurrence(ctx context.Context, isOccurrenceSpec *model.IsOccurrenceSpec) ([]*model.IsOccurrence, error)
 	HasSBOM(ctx context.Context, hasSBOMSpec *model.HasSBOMSpec) ([]*model.HasSbom, error)
 	IsDependency(ctx context.Context, isDependencySpec *model.IsDependencySpec) ([]*model.IsDependency, error)
 	CertifyPkg(ctx context.Context, certifyPkgSpec *model.CertifyPkgSpec) ([]*model.CertifyPkg, error)
 	HasSourceAt(ctx context.Context, hasSourceAtSpec *model.HasSourceAtSpec) ([]*model.HasSourceAt, error)
 	CertifyBad(ctx context.Context, certifyBadSpec *model.CertifyBadSpec) ([]*model.CertifyBad, error)
-	CertifyScorecard(ctx context.Context, certifyScorecardSpec *model.CertifyScorecardSpec) ([]*model.CertifyScorecard, error)
+	Scorecards(ctx context.Context, certifyScorecardSpec *model.CertifyScorecardSpec) ([]*model.CertifyScorecard, error)
 	CertifyVuln(ctx context.Context, certifyVulnSpec *model.CertifyVulnSpec) ([]*model.CertifyVuln, error)
 	IsVulnerability(ctx context.Context, isVulnerabilitySpec *model.IsVulnerabilitySpec) ([]*model.IsVulnerability, error)
 	CertifyVEXStatement(ctx context.Context, certifyVEXStatementSpec *model.CertifyVEXStatementSpec) ([]*model.CertifyVEXStatement, error)
 	HasSlsa(ctx context.Context, hasSLSASpec *model.HasSLSASpec) ([]*model.HasSlsa, error)
 
-	// Mutations (read-write queries)
+	// Mutations for software trees (read-write queries)
 	IngestPackage(ctx context.Context, pkg *model.PkgInputSpec) (*model.Package, error)
 	IngestSource(ctx context.Context, source *model.SourceInputSpec) (*model.Source, error)
 	IngestArtifact(ctx context.Context, artifact *model.ArtifactInputSpec) (*model.Artifact, error)
 	IngestBuilder(ctx context.Context, builder *model.BuilderInputSpec) (*model.Builder, error)
 	IngestCve(ctx context.Context, cve *model.CVEInputSpec) (*model.Cve, error)
 	IngestGhsa(ctx context.Context, ghsa *model.GHSAInputSpec) (*model.Ghsa, error)
 	IngestOsv(ctx context.Context, osv *model.OSVInputSpec) (*model.Osv, error)
+
+	// Mutations for evidence trees (read-write queries, assume software trees ingested)
 }
 
 // BackendArgs interface allows each backend to specify the arguments needed to

pkg/assembler/backends/neo4j/certifyScorecard.go

@@ -35,8 +35,7 @@ const (
 	scorecardCommit  string = "scorecardCommit"
 )
 
-func (c *neo4jClient) CertifyScorecard(ctx context.Context, certifyScorecardSpec *model.CertifyScorecardSpec) ([]*model.CertifyScorecard, error) {
-
+func (c *neo4jClient) Scorecards(ctx context.Context, certifyScorecardSpec *model.CertifyScorecardSpec) ([]*model.CertifyScorecard, error) {
 	session := c.driver.NewSession(neo4j.SessionConfig{AccessMode: neo4j.AccessModeRead})
 	defer session.Close()
 
@@ -54,7 +53,6 @@ func (c *neo4jClient) CertifyScorecard(ctx context.Context, certifyScorecardSpec
 
 	result, err := session.ReadTransaction(
 		func(tx neo4j.Transaction) (interface{}, error) {
-
 			result, err := tx.Run(sb.String(), queryValues)
 			if err != nil {
 				return nil, err
@@ -67,10 +65,12 @@ func (c *neo4jClient) CertifyScorecard(ctx context.Context, certifyScorecardSpec
 				if result.Record().Values[4] != nil {
 					commitString = result.Record().Values[4].(string)
 				}
+
 				tagString := ""
 				if result.Record().Values[3] != nil {
 					tagString = result.Record().Values[3].(string)
 				}
+
 				nameString := result.Record().Values[2].(string)
 				namespaceString := result.Record().Values[1].(string)
 				typeString := result.Record().Values[0].(string)
@@ -85,10 +85,12 @@ func (c *neo4jClient) CertifyScorecard(ctx context.Context, certifyScorecardSpec
 					Namespace: namespaceString,
 					Names:     []*model.SourceName{srcName},
 				}
+
 				src := model.Source{
 					Type:       typeString,
 					Namespaces: []*model.SourceNamespace{srcNamespace},
 				}
+
 				certifyScorecardNode := dbtype.Node{}
 				if result.Record().Values[5] != nil {
 					certifyScorecardNode = result.Record().Values[5].(dbtype.Node)
@@ -100,8 +102,8 @@ func (c *neo4jClient) CertifyScorecard(ctx context.Context, certifyScorecardSpec
 				if err != nil {
 					return nil, err
 				}
-				certifyScorecard := &model.CertifyScorecard{
-					Source:           &src,
+
+				scorecard := model.Scorecard{
 					TimeScanned:      certifyScorecardNode.Props[timeScanned].(string),
 					AggregateScore:   certifyScorecardNode.Props[aggregateScore].(float64),
 					Checks:           checks,
@@ -110,6 +112,12 @@ func (c *neo4jClient) CertifyScorecard(ctx context.Context, certifyScorecardSpec
 					Origin:           certifyScorecardNode.Props[origin].(string),
 					Collector:        certifyScorecardNode.Props[collector].(string),
 				}
+
+				certifyScorecard := &model.CertifyScorecard{
+					Source:    &src,
+					Scorecard: &scorecard,
+				}
+
 				collectedCertifyScorecard = append(collectedCertifyScorecard, certifyScorecard)
 			}
 			if err = result.Err(); err != nil {

pkg/assembler/backends/testing/certifyScorecard.go

@@ -24,7 +24,6 @@ import (
 )
 
 func registerAllCertifyScorecard(client *demoClient) error {
-
 	// "git", "github", "https://github.com/django/django", "tag=1.11.1"
 	selectedSourceType := "git"
 	selectedSourceNameSpace := "github"
@@ -44,7 +43,6 @@ func registerAllCertifyScorecard(client *demoClient) error {
 
 	// "git", "github", "https://github.com/vapor-ware/kubetest", "tag=0.9.5"
 	// client.registerSource("git", "github", "https://github.com/vapor-ware/kubetest", "tag=0.9.5")
-
 	selectedSourceType = "git"
 	selectedSourceNameSpace = "github"
 	selectedSourceName = "https://github.com/vapor-ware/kubetest"
@@ -66,25 +64,29 @@ func registerAllCertifyScorecard(client *demoClient) error {
 // Ingest CertifyScorecard
 
 func (c *demoClient) registerCertifyScorecard(selectedSource *model.Source, timeScanned time.Time, aggregateScore float64, collectedChecks []model.ScorecardCheckSpec, scorecardVersion, scorecardCommit string) error {
-
 	for _, h := range c.certifyScorecard {
-		if h.AggregateScore == aggregateScore && h.ScorecardVersion == scorecardVersion &&
-			h.ScorecardCommit == scorecardCommit && h.Source == selectedSource {
+		if h.Source == selectedSource &&
+			h.Scorecard.AggregateScore == aggregateScore &&
+			h.Scorecard.ScorecardVersion == scorecardVersion &&
+			h.Scorecard.ScorecardCommit == scorecardCommit {
 			return nil
 		}
 	}
 
 	newCertifyScorecard := &model.CertifyScorecard{
-		Source:           selectedSource,
-		TimeScanned:      timeScanned.String(),
-		AggregateScore:   aggregateScore,
-		Checks:           buildScorecardChecks(collectedChecks),
-		ScorecardVersion: scorecardVersion,
-		ScorecardCommit:  scorecardCommit,
-		Origin:           "testing backend",
-		Collector:        "testing backend",
+		Source: selectedSource,
+		Scorecard: &model.Scorecard{
+			TimeScanned:      timeScanned.String(),
+			AggregateScore:   aggregateScore,
+			Checks:           buildScorecardChecks(collectedChecks),
+			ScorecardVersion: scorecardVersion,
+			ScorecardCommit:  scorecardCommit,
+			Origin:           "testing backend",
+			Collector:        "testing backend",
+		},
 	}
 	c.certifyScorecard = append(c.certifyScorecard, newCertifyScorecard)
+
 	return nil
 }
 
@@ -101,27 +103,31 @@ func buildScorecardChecks(checks []model.ScorecardCheckSpec) []*model.ScorecardC
 
 // Query CertifyScorecard
 
-func (c *demoClient) CertifyScorecard(ctx context.Context, certifyScorecardSpec *model.CertifyScorecardSpec) ([]*model.CertifyScorecard, error) {
-
+func (c *demoClient) Scorecards(ctx context.Context, certifyScorecardSpec *model.CertifyScorecardSpec) ([]*model.CertifyScorecard, error) {
 	var collectedHasSourceAt []*model.CertifyScorecard
 
 	for _, h := range c.certifyScorecard {
 		matchOrSkip := true
 
-		if certifyScorecardSpec.ScorecardVersion != nil && h.ScorecardVersion != *certifyScorecardSpec.ScorecardVersion {
+		if certifyScorecardSpec.ScorecardVersion != nil &&
+			h.Scorecard.ScorecardVersion != *certifyScorecardSpec.ScorecardVersion {
 			matchOrSkip = false
 		}
-		if certifyScorecardSpec.ScorecardCommit != nil && h.ScorecardCommit != *certifyScorecardSpec.ScorecardCommit {
+		if certifyScorecardSpec.ScorecardCommit != nil &&
+			h.Scorecard.ScorecardCommit != *certifyScorecardSpec.ScorecardCommit {
 			matchOrSkip = false
 		}
-		if certifyScorecardSpec.Collector != nil && h.Collector != *certifyScorecardSpec.Collector {
+		if certifyScorecardSpec.Collector != nil &&
+			h.Scorecard.Collector != *certifyScorecardSpec.Collector {
 			matchOrSkip = false
 		}
-		if certifyScorecardSpec.Origin != nil && h.Origin != *certifyScorecardSpec.Origin {
+		if certifyScorecardSpec.Origin != nil &&
+			h.Scorecard.Origin != *certifyScorecardSpec.Origin {
 			matchOrSkip = false
 		}
 
-		if certifyScorecardSpec.Source != nil && h.Source != nil {
+		if certifyScorecardSpec.Source != nil &&
+			h.Source != nil {
 			if certifyScorecardSpec.Source.Type == nil || h.Source.Type == *certifyScorecardSpec.Source.Type {
 				newSource, err := filterSourceNamespace(h.Source, certifyScorecardSpec.Source)
 				if err != nil {

pkg/assembler/graphql/examples/mutation.gql

@@ -33,7 +33,6 @@ query SrcQ3 {
   }
 }
 
-
 query SrcQ4 {
   sources(sourceSpec: {name: "github.com/guacsec/guac"}) {
     ...allSrcTree
@@ -53,6 +52,7 @@ query SrcQ6 {
     ...allSrcTree
   }
 }
+
 query SrcQ7 {
   sources(sourceSpec: {type: "svn"}) {
     ...allSrcTree