feat: download sboms with verifier

* todo: add a image with vulnz
* expand dependencytrack client with upload sbom
* seed local dependencytrack with real data from sbom

Co-authored-by: ybelmekk <[email protected]>

Author: tommytroen

cmd/cli/main.go

@@ -78,7 +78,7 @@ func main() {
 						Usage:   "list vulnerabilities for image",
 						Flags:   commonFlags(opts, "cluster", "namespace", "workload"),
 						Action: func(ctx context.Context, cmd *cli.Command) error {
-							return listVulnerabilities(ctx, cmd, c, opts)
+							return listVulnerabilitiesForImage(ctx, cmd, c, opts)
 						},
 					},
 					{
@@ -149,7 +149,7 @@ func main() {
 	}
 }
 
-func listVulnerabilities(ctx context.Context, cmd *cli.Command, c vulnerabilities.Client, o *options) error {
+func listVulnerabilitiesForImage(ctx context.Context, cmd *cli.Command, c vulnerabilities.Client, o *options) error {
 	opts := parseOptions(cmd, o)
 	if cmd.Args().Len() == 0 {
 		return fmt.Errorf("missing image name")
@@ -244,9 +244,12 @@ func getSummary(ctx context.Context, cmd *cli.Command, c vulnerabilities.Client,
 }
 
 func listSummaries(ctx context.Context, cmd *cli.Command, c vulnerabilities.Client, o *options) error {
-	opts := parseOptions(cmd, o)
+	offset := 0
 	for {
 		//opts = append(opts, vulnerabilities.Limit(int32(limit)), vulnerabilities.Offset(int32(offset)))
+		opts := parseOptions(cmd, o)
+		opts = append(opts, vulnerabilities.Offset(int32(offset)))
+
 		start := time.Now()
 		resp, err := c.ListVulnerabilitySummaries(ctx, opts...)
 		if err != nil {
@@ -277,7 +280,6 @@ func listSummaries(ctx context.Context, cmd *cli.Command, c vulnerabilities.Clie
 		}
 
 		tbl.Print()
-		offset := 0
 		numFetched := offset + int(o.limit)
 		if numFetched > int(resp.PageInfo.TotalCount) {
 			numFetched = int(resp.PageInfo.TotalCount)
@@ -308,9 +310,11 @@ func listSummaries(ctx context.Context, cmd *cli.Command, c vulnerabilities.Clie
 }
 
 func listVulnz(ctx context.Context, cmd *cli.Command, c vulnerabilities.Client, o *options) error {
-	opts := parseOptions(cmd, o)
+	offset := 0
 	for {
 		start := time.Now()
+		opts := parseOptions(cmd, o)
+		opts = append(opts, vulnerabilities.Offset(int32(offset)))
 		resp, err := c.ListVulnerabilities(ctx, opts...)
 		if err != nil {
 			return err
@@ -340,7 +344,6 @@ func listVulnz(ctx context.Context, cmd *cli.Command, c vulnerabilities.Client,
 		}
 
 		tbl.Print()
-		offset := 0
 		numFetched := offset + int(o.limit)
 		if numFetched > int(resp.PageInfo.TotalCount) {
 			numFetched = int(resp.PageInfo.TotalCount)

cmd/seed/main.go

@@ -3,6 +3,7 @@ package main
 import (
 	"context"
 	"fmt"
+	"github.com/nais/v13s/internal/attestation"
 	"github.com/nais/v13s/internal/database/typeext"
 	"math"
 	"os"
@@ -43,6 +44,49 @@ func main() {
 	images := createNaisApiWorkloads(ctx, db, "dev", "devteam")
 	createNaisApiWorkloads(ctx, db, "superprod", "devteam")
 	createVulnData(ctx, db, images)
+
+	err = uploadSboms(ctx, "")
+	if err != nil {
+		panic(err)
+	}
+}
+
+func uploadSboms(ctx context.Context, images ...string) error {
+	c, err := dependencytrack.NewClient(
+		"http://localhost:9010/api",
+		"Administrators",
+		"admin",
+		"yolo",
+		log.WithField("subsystem", "dp-client"),
+	)
+	if err != nil {
+		return err
+	}
+
+	verifier, err := attestation.NewVerifier(ctx, log.WithField("subsystem", "cosign-verifier"), "navikt", "nais")
+	if err != nil {
+		return err
+	}
+
+	for _, image := range images {
+		parts := strings.Split(image, ":")
+		ref := &dependencytrack.WorkloadRef{
+			Cluster:   "dev",
+			Namespace: "devteam",
+			Type:      "app",
+			Name:      "nais-deploy-chicken-1",
+		}
+		att, err := verifier.GetAttestation(ctx, image)
+		if err != nil {
+			return err
+		}
+		err = c.CreateProjectWithSbom(ctx, parts[0], parts[1], att, ref)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
 }
 
 func seedFromDependencyTrack(ctx context.Context, db sql.Querier) {

docker-compose.yaml

@@ -20,5 +20,51 @@ services:
     environment:
       ADMINER_DEFAULT_SERVER: postgres
 
+  swagger:
+    image: swaggerapi/swagger-ui
+    environment:
+      SWAGGER_JSON_URL: http://localhost:9001/api/swagger.json
+    volumes:
+      - ./swagger.json:/swagger.json
+    ports:
+      - '9002:8080'
+
+  dtrack-apiserver:
+    image: dependencytrack/apiserver:4.11.7
+    deploy:
+      resources:
+        limits:
+          memory: 12288m
+        reservations:
+          memory: 8192m
+      restart_policy:
+        condition: on-failure
+    ports:
+      - '9010:8080'
+    environment:
+      - LOGGING_LEVEL=INFO
+    healthcheck:
+      test: wget --no-verbose --tries=1 --spider http://localhost:8080 || exit 1
+      interval: 10s
+      retries: 5
+      start_period: 20s
+      timeout: 10s
+    volumes:
+      # Optional volume mount to override default notification publisher templates
+      # - "/host/path/to/template/base/dir:/data/templates"
+      - 'dependency-track:/data'
+    restart: unless-stopped
+
+  dtrack-frontend:
+    image: dependencytrack/frontend:4.11.7
+    depends_on:
+      - dtrack-apiserver
+    environment:
+      - API_BASE_URL=http://localhost:9010
+    ports:
+      - "9020:8080"
+    restart: unless-stopped
+
 volumes:
-  pgdata:
+  pgdata:
+  dependency-track: