feat: create AncestorOf relationship from cdx pedigree/ancestors

Fixes #1151 Signed-off-by: Jim Crossley <[email protected]>
trustification · Jan 21, 2025 · 532a12a · 532a12a
1 parent 31acd1f
commit 532a12a
Show file tree

Hide file tree

Showing 3 changed files with 48 additions and 5 deletions.
diff --git a/modules/analysis/src/endpoints/test.rs b/modules/analysis/src/endpoints/test.rs
@@ -512,3 +512,47 @@ async fn issue_tc_2052(ctx: &TrustifyContext) -> Result<(), anyhow::Error> {
 
     Ok(())
 }
+
+#[test_context(TrustifyContext)]
+#[test(actix_web::test)]
+async fn issue_tc_2054(ctx: &TrustifyContext) -> Result<(), anyhow::Error> {
+    let app = caller(ctx).await?;
+    ctx.ingest_documents(["cyclonedx/openssl-3.0.7-18.el9_2.cdx_1.6.sbom.json"])
+        .await?;
+
+    // Find all deps of parent
+    let parent = "pkg:rpm/redhat/[email protected]_2?arch=src";
+    let uri = format!("/api/v2/analysis/dep/{}", urlencoding::encode(parent));
+    let request: Request = TestRequest::get().uri(&uri).to_request();
+    let response: Value = app.call_and_read_body_json(request).await;
+    log::debug!("{response:#?}");
+    assert_eq!(
+        1,
+        response["items"][0]["deps"]
+            .as_array()
+            .into_iter()
+            .flatten()
+            .filter(|m| m["relationship"] == "AncestorOf")
+            .count()
+    );
+
+    // Ensure child has ancestors
+    let child = "pkg:generic/[email protected]?download_url=https://pkgs.devel.redhat.com/repo/openssl/openssl-3.0.7-hobbled.tar.gz/sha512/1aea183b0b6650d9d5e7ba87b613bb1692c71720b0e75377b40db336b40bad780f7e8ae8dfb9f60841eeb4381f4b79c4c5043210c96e7cb51f90791b80c8285e/openssl-3.0.7-hobbled.tar.gz&checksum=SHA-512:1aea183b0b6650d9d5e7ba87b613bb1692c71720b0e75377b40db336b40bad780f7e8ae8dfb9f60841eeb4381f4b79c4c5043210c96e7cb51f90791b80c8285e";
+    let uri = format!(
+        "/api/v2/analysis/root-component/{}",
+        urlencoding::encode(child)
+    );
+    let request: Request = TestRequest::get().uri(&uri).to_request();
+    let response: Value = app.call_and_read_body_json(request).await;
+    log::debug!("{response:#?}");
+    assert_eq!(
+        "AncestorOf",
+        response["items"][0]["ancestors"][0]["relationship"]
+    );
+    assert_eq!(
+        Value::from(vec![Value::from(parent)]),
+        response["items"][0]["ancestors"][0]["purl"]
+    );
+
+    Ok(())
+}
diff --git a/modules/fundamental/tests/sbom/cyclonedx/purl.rs b/modules/fundamental/tests/sbom/cyclonedx/purl.rs
@@ -1,6 +1,7 @@
 use itertools::Itertools;
 use test_context::test_context;
 use test_log::test;
+use trustify_entity::relationship::Relationship;
 use trustify_module_fundamental::sbom::model::{SbomNodeReference, Which};
 use trustify_module_fundamental::{
     purl::model::summary::purl::PurlSummary, sbom::service::SbomService,
@@ -53,9 +54,9 @@ async fn simple_ref(ctx: &TrustifyContext) -> Result<(), anyhow::Error> {
             sbom_id,
             Default::default(),
             Default::default(),
-            Which::Left,
+            Which::Right,
             SbomNodeReference::Package("pkg:rpm/redhat/[email protected]_2?arch=src" /* this is actually the bom-ref value */),
-            None,
+            Some(Relationship::AncestorOf),
             &ctx.db,
         )
         .await?;

diff --git a/modules/ingestor/src/graph/sbom/cyclonedx.rs b/modules/ingestor/src/graph/sbom/cyclonedx.rs
@@ -360,10 +360,8 @@ impl<'a> ComponentCreator<'a> {
             creator.create(ancestor);
 
             // and store a relationship
-
-            // TODO: check - self.relate(source.clone(), Relationship::AncestorOf, target);
             self.relationships
-                .relate(node_id.clone(), Relationship::AncestorOf, target);
+                .relate(target, Relationship::AncestorOf, node_id.clone());
         }
 
         for variant in comp