🤖 triggering CI on branch 'release-next' after synching from upstream/main

.github/workflows/ci.yaml

@@ -65,7 +65,7 @@ jobs:
       - name: setup-go
         uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # tag=v3.2.1
         with:
-          go-version: '1.19'
+          go-version: '1.21'
       - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
         with:
           path: ~/go/pkg/mod
@@ -86,7 +86,7 @@ jobs:
       - name: setup-go
         uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # tag=v3.2.1
         with:
-          go-version: '1.19'
+          go-version: '1.21'
       - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
         with:
           path: ~/go/pkg/mod
@@ -105,7 +105,7 @@ jobs:
       - name: setup-go
         uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # tag=v3.2.1
         with:
-          go-version: '1.19'
+          go-version: '1.21'
       - name: Install formatter
         run: go install golang.org/x/tools/cmd/goimports@latest
       - name: Check format
@@ -118,6 +118,10 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # tag=v3
+      - name: setup-go
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # tag=v4.1.0
+        with:
+          go-version: '1.21'
       - name: golangci-lint
         uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # tag=v3.2.0
         with:
@@ -134,7 +138,7 @@ jobs:
     - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
     - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe
       with:
-        go-version: '~1.19'
+        go-version: '~1.21'
     - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236
       with:
         python-version: '3.10'
@@ -190,7 +194,7 @@ jobs:
       - name: setup-go
         uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # tag=v3.2.1
         with:
-          go-version: '1.19'
+          go-version: '1.21'
       - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
         with:
           path: ~/go/pkg/mod

.github/workflows/postmerge.yaml

@@ -30,7 +30,7 @@ jobs:
       - name: setup-go
         uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # tag=v3.2.1
         with:
-          go-version: '1.19'
+          go-version: '1.21'
       - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
         with:
           path: ~/go/pkg/mod

.github/workflows/release.yaml

@@ -48,6 +48,8 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Set up Go
         uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        with:
+          go-version: '1.21'
       - name: Install cosign
         uses:  sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # main
       - name: Install syft

.golangci.yaml

@@ -1,5 +1,5 @@
 run:
-  timeout: 3m
+  timeout: 6m
   skip-files:
     - ".*\\.pb\\.go$"
     - "pkg/assembler/generated/.*"

ci

@@ -0,0 +1 @@
+Thu Oct  5 15:04:15 CEST 2023

cmd/README.md

@@ -0,0 +1,127 @@
+# Developer notes for cli commands
+
+Divide the commands into two categories:
+
+- User-facing: Made to be run by a user / tester to accomplish something. Should
+  be consistent and intuitive CLI UX. One powerful command makes sense for the
+  user to learn.
+
+- Service: Things to be run as a service, ex: in a container, as a cron, as a
+  systemd service, etc. Separate single-purpose binaries make sense.
+
+## Commands
+
+user-facing:
+
+**guacone**
+
+- what it does: performs user-facing operations that require setting up a
+  processor / ingestor / assembler in one binary, only talks to GQL, no nats
+- options:
+  - gql endpoint
+- commands:
+  - certify <type> - runs the <type> certifier once (once by default, optional
+    poll)
+  - collector <type> - runs the <type> collector once, includes "files" (once by
+    default, optional poll)
+  - query <name> - runs the canned <name> query.
+
+services:
+
+**guacgql**
+
+- what it does: runs a GraphQL server
+- options:
+  - backend: inmem, neo4j, arango, ent, or future DB
+  - backend-specific options: neo4j connection options
+  - playground / debug: also start playground
+
+**guaccsub**
+
+- what it does: runs the collector-subscriber service
+- options:
+  - listening port
+
+**guacingest**
+
+- what it does: runs the ingestor connected to nats and GraphQL
+- options:
+  - nats addr
+  - gql endpoint
+
+**guaccollect**
+
+- what it does: runs the named collector or certifier connected to GraphQL and
+  nats
+- options:
+  - nats addr
+  - gql addr
+  - colsub addr
+  - collector/certifier name
+  - polling options
+
+## Collectors and Certifiers
+
+These appear both in `guacone` and in `guaccollect`. The difference is that
+`guacone` uses the all-in-one processor-ingestor-assembler, and only depends on
+`guacgql` being up. Conversely `guaccollect` depends on the nats ingestion
+pipeline (or future ingestor services) being up and running.
+
+Collectors and Certifiers that are intended to be run by a user can be added to
+`guacone` first, and should default to run-once. A polling option can be
+included, though is not required..
+
+Collectors and Certifiers that will be eventually run as part of a guac
+deployment should be added to `guaccollect`. This is not required for initial
+implementations / contributions. These should default to running as a service,
+polling, a "watch", etc. An option to disable polling can be included, but is
+not required.
+
+## Flag names:
+
+- Consistent name - For example, the Graph QL address is needed in most
+  commands, the flag name should be the same across all commands.
+
+- Consistent style - whatever it is, make is consistent. Use dash-style,
+  therefore don't use camelCase anywhere.
+
+- Descriptive on its own - The flag names are also used in the guac.yaml config
+  file. Therefore a name should be self descriptive. Good: `nats-addr`, Bad:
+  `type`. If it is something that has the same meaning everywhere, it is ok to
+  be short: ex: interval.
+
+- Namespaced - If appropriate, group a group of flags that go together with a
+  prefix, ex: neo4j.
+
+- Short versions - Service oriented flags don't need short versions, user
+  oriented flags should.
+
+- User oriented bools default false - Name bools so that the default is false.
+  Because long names must be descriptive and possibly namespaced (for the config
+  file), they are more cumbersome to type. You can't set a bool to false with
+  the short version, only with long (--long-name=false), so default to false,
+  and the short version can be used to enable it.
+
+- Required args - required args should be positional. Options should be optional
+  with good defaults.
+
+All the current flags are in
+https://github.com/guacsec/guac/blob/main/pkg/cli/store.go This helps with the
+consistent name, and to make sure the flags are not used for different meanings
+in two places.
+
+## Other notes:
+
+Prefix all the binaries with guac. Binaries could eventually be installed in
+/usr/bin. Avoid collisions by namespacing, ex: `ingestor` or `collector` are too
+generic.
+
+Service-oriented CLI commands should exit gracefully. This means catching
+SIGINT/SIGTERM and canceling contexts and/or calling Shutdown() on http servers.
+`time.Sleep` should not be used anywhere for polling.
+
+## Background / history:
+
+https://github.com/guacsec/guac/issues/719
+https://github.com/guacsec/guac/issues/762
+https://github.com/guacsec/guac/issues/809

cmd/guacgql/cmd/ingest.go

@@ -1965,6 +1965,7 @@ func ingestHashEqual(ctx context.Context, client graphql.Client) {
 
 func ingestHasSBOM(ctx context.Context, client graphql.Client) {
 	logger := logging.FromContext(ctx)
+	tm, _ := time.Parse(time.RFC3339, "2022-11-21T17:45:50.52Z")
 	opensslNs := "openssl.org"
 	opensslVersion := "3.0.3"
 	ingestHasSBOM := []struct {
@@ -1989,6 +1990,7 @@ func ingestHasSBOM(ctx context.Context, client graphql.Client) {
 				DownloadLocation: "uri: download location of the SBOM",
 				Origin:           "Demo ingestion",
 				Collector:        "Demo ingestion",
+				KnownSince:       tm,
 			},
 		},
 		{
@@ -2004,6 +2006,7 @@ func ingestHasSBOM(ctx context.Context, client graphql.Client) {
 				DownloadLocation: "uri: download location of the SBOM",
 				Origin:           "Demo ingestion",
 				Collector:        "Demo ingestion",
+				KnownSince:       tm,
 			},
 		},
 		{
@@ -2022,6 +2025,7 @@ func ingestHasSBOM(ctx context.Context, client graphql.Client) {
 				DownloadLocation: "uri: download location of the SBOM",
 				Origin:           "Demo ingestion",
 				Collector:        "Demo ingestion",
+				KnownSince:       tm,
 			},
 		},
 		{
@@ -2037,6 +2041,7 @@ func ingestHasSBOM(ctx context.Context, client graphql.Client) {
 				DownloadLocation: "uri: download location of the SBOM",
 				Origin:           "Demo ingestion",
 				Collector:        "Demo ingestion",
+				KnownSince:       tm,
 			},
 		},
 	}

cmd/guacone/cmd/certify.go

@@ -20,6 +20,7 @@ import (
 	"fmt"
 	"os"
 	"strings"
+	"time"
 
 	"github.com/guacsec/guac/pkg/assembler"
 	model "github.com/guacsec/guac/pkg/assembler/clients/generated"
@@ -122,6 +123,7 @@ var certifyCmd = &cobra.Command{
 				Justification: opts.justification,
 				Origin:        "GUAC Certify CLI",
 				Collector:     "GUAC",
+				KnownSince:    time.Now().UTC(),
 			}
 			preds.CertifyGood = append(preds.CertifyGood, *certifyGood)
 		} else {
@@ -140,6 +142,7 @@ var certifyCmd = &cobra.Command{
 				Justification: opts.justification,
 				Origin:        "GUAC Certify CLI",
 				Collector:     "GUAC",
+				KnownSince:    time.Now().UTC(),
 			}
 			preds.CertifyBad = append(preds.CertifyBad, *certifyBad)
 		}