Skip to content

fix(ui): prevent extract-purls endpoint from returning invalid purls#1888

Merged
ctron merged 2 commits intoguacsec:mainfrom
ctron:feature/remove_invalid_1
Jul 24, 2025
Merged

fix(ui): prevent extract-purls endpoint from returning invalid purls#1888
ctron merged 2 commits intoguacsec:mainfrom
ctron:feature/remove_invalid_1

Conversation

@ctron
Copy link
Contributor

@ctron ctron commented Jul 21, 2025
edited
Loading

Closes: #1887

Summary by Sourcery

Validate and filter PURLs in SPDX and CycloneDX extraction to prevent invalid PURLs from being returned

Bug Fixes:

  • Filter out invalid PURLs from the extract-purls endpoints

Enhancements:

  • Introduce filter_purl helper using Purl::try_from for validation
  • Apply PURL validation in extract_spdx_purls and extract_cyclonedx_purls functions

Tests:

  • Add unit tests for filter_purl to verify valid and invalid PURLs

@ctron ctron added this to the RHTPA 2.1.1 milestone Jul 21, 2025
@ctron ctron added this to Trustify Jul 21, 2025
@sourcery-ai
Copy link
Contributor

sourcery-ai bot commented Jul 21, 2025
edited
Loading

Reviewer's Guide

Introduce PURL validation and integrate it into SPDX and CycloneDX extraction to filter out invalid PURLs, with accompanying unit tests.

Class diagram for PURL validation integration

classDiagram
    class ExtractPackage
    class Purl {
        +try_from(str) Result<Purl, Error>
    }
    class service {
        +extract_spdx_purls(sbom: SPDX) BTreeMap<String, ExtractPackage>
        +extract_cyclonedx_purls(sbom: CycloneDX) BTreeMap<String, ExtractPackage>
        +filter_purl(purl: String) Option<String>
    }
    service --> Purl : uses
    service --> ExtractPackage : returns
    Purl <.. filter_purl : validation
Loading

Flow diagram for PURL extraction and validation

flowchart TD
    A[Extract SPDX/CycloneDX SBOM] --> B[Extract PURLs]
    B --> C[filter_purl]
    C -- Valid PURL --> D[Add to result]
    C -- Invalid PURL --> E[Discard]
Loading

File-Level Changes

Change Details Files
Add PURL validation helper and tests
  • Import Purl from trustify_common
  • Implement filter_purl returning Some only for valid PURLs
  • Add unit tests for valid and invalid cases
 modules/ui/src/service.rs
Integrate PURL filtering into extraction functions
  • Use filter_purl in extract_spdx_purls to extend only valid purls
  • Wrap component.purl with filter_purl in extract_cyclonedx_purls
  • Chain filter_purl in concluded_value flat_map
 modules/ui/src/service.rs

Possibly linked issues

Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

sourcery-ai[bot]
sourcery-ai bot reviewed Jul 21, 2025
View reviewed changes
Copy link
Contributor

@sourcery-ai sourcery-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey @ctron - I've reviewed your changes and they look great!

Prompt for AI Agents 
Please address the comments from this code review:
## Individual Comments

### Comment 1
<location> `modules/ui/src/service.rs:79` </location>
<code_context>
+/// Filter out invalid PURLs
+///
+/// If the PURL is valid, return the `Some(input)`, otherwise return `None`.
+fn filter_purl(purl: String) -> Option<String> {
+    Purl::try_from(purl.as_str()).ok().map(|_| purl)
+}
</code_context>

<issue_to_address>
filter_purl takes ownership of the String unnecessarily.

Change the parameter to accept a `&str` to avoid unnecessary allocations and improve flexibility.

Suggested implementation:

```rust
/// Filter out invalid PURLs
///
/// If the PURL is valid, return `Some(input)`, otherwise return `None`.
fn filter_purl(purl: &str) -> Option<&str> {
    Purl::try_from(purl).ok().map(|_| purl)
}

```

```rust
        let mut purls = vec![];
        if let Some(ref purl_str) = component.purl {
            if let Some(valid_purl) = filter_purl(purl_str) {
                purls.push(valid_purl.to_string());
            }
        }

```
</issue_to_address>
Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

carlosthe19916
carlosthe19916 requested changes Jul 21, 2025
View reviewed changes
Copy link
Contributor

@carlosthe19916 carlosthe19916 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I still see the package pkg:golang/archive/tar being returned by the SBOM

OCP-TOOLS-4.11-RHEL-8.json

{

"packages": {
        "archive/tar": {
            "purls": [
                "pkg:golang/archive/tar"
            ]
        },

The package pkg:golang/archive/tar cannot be sent to POST /api/v2/vulnerability/analyze

@codecov
Copy link

codecov bot commented Jul 21, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 96.38554% with 3 lines in your changes missing coverage. Please review.

Project coverage is 68.14%. Comparing base (4149075) to head (391aca3).
Report is 7 commits behind head on main.

Files with missing lines Patch % Lines
modules/ui/src/service.rs 93.47% 1 Missing and 2 partials ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #1888      +/-   ##
==========================================
+ Coverage   67.97%   68.14%   +0.17%     
==========================================
  Files         364      365       +1     
  Lines       22997    23123     +126     
  Branches    22997    23123     +126     
==========================================
+ Hits        15632    15757     +125     
+ Misses       6486     6485       -1     
- Partials      879      881       +2

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@ctron
Copy link
Contributor Author

ctron commented Jul 21, 2025

I still see the package pkg:golang/archive/tar being returned by the SBOM

OCP-TOOLS-4.11-RHEL-8.json

{

"packages": {
        "archive/tar": {
            "purls": [
                "pkg:golang/archive/tar"
            ]
        },

The package pkg:golang/archive/tar cannot be sent to POST /api/v2/vulnerability/analyze

And rightly so. Because it is a valid PURL. As mentioned above, the problem is more complex. Versions are optional. We'd need to add another change to return some kind of information in the case of a missing warning. Possible ideas:

  • No correlations
  • A warning for this PURL

@ctron ctron force-pushed the feature/remove_invalid_1 branch from 033b080 to 4f61844 Compare July 23, 2025 11:50
@ctron ctron requested a review from ruromero July 23, 2025 12:09
@ctron ctron force-pushed the feature/remove_invalid_1 branch from 4f61844 to b17bbb0 Compare July 23, 2025 12:17
@ctron
Copy link
Contributor Author

ctron commented Jul 23, 2025

With the latest change this now does:

  • return warnings for invalid PURLs on the "extract" endpoint
  • return an error on the "analyze" endpoint for invalid PURLs
  • return warnings for unsuitable PURLs on the "analyze" endpoint

@ctron
Copy link
Contributor Author

ctron commented Jul 23, 2025

Worth mentioning: this breaks the current API. As the warnings field did change the schema in an incompatible way.

I think there are several options we have:

  • Use api/v3
  • Add a warnings query flag to enable this new behavior
  • Use a different endpoint path

@ruromero
Copy link
Contributor

ruromero commented Jul 23, 2025

@ctron I don't mind adapting the RHDA backend to the new api changes as long as it is justified. So no problem from my side.

@ctron ctron force-pushed the feature/remove_invalid_1 branch from b17bbb0 to 654df5d Compare July 23, 2025 12:56
@ctron
Copy link
Contributor Author

ctron commented Jul 24, 2025

@carlosthe19916 could you take another look at this PR?

carlosthe19916
carlosthe19916 reviewed Jul 24, 2025
View reviewed changes
Copy link
Contributor

@carlosthe19916 carlosthe19916 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

POST /api/v2/vulnerability/analyze

@ctron I confirm, now I can send multiple PURLs to POST /api/v2/vulnerability/analyze and if one PURL is missing the version then it contains warnings and avoids the request to fail. Just one minor thing:

  • When I send PURLs, the response contains only the purls that either have warnings or vulnerabilities; those purls that do not have vulnerabilities and no warnings are omitted in the response. E.g.
POST /api/v2/vulnerability/analyze

{
  "purls": [
    "pkg:maven/com.fasterxml.jackson.module/jackson-module-jaxb-annotations@2.15.2",
    "pkg:rpm/redhat/jenkins-2-plugins@4.11.1706516946-1.el8?arch=noarch",
    "pkg:golang/archive/tar"
  ]
}

Generates the response:

{
  "pkg:golang/archive/tar": {
    "details": [],
    "warnings": [
      "Unable to process: missing version component"
    ]
  },
  "pkg:rpm/redhat/jenkins-2-plugins@4.11.1706516946-1.el8?arch=noarch": {
    "details": [ // some vulnerabilities],
    "warnings": []
  }
}

But notice that the PURL pkg:maven/com.fasterxml.jackson.module/jackson-module-jaxb-annotations@2.15.2 was not included in the response; my assumption is that it is due to the fact that there were no vulnerabilities found. To avoid assumptions like mine, I wonder if it is a good idea to always include all PURLs from the request into the response, even if no vulnerabilities are found (the array of vulnerabilities will be just an empty array)

POST /api/v2/ui/extract-sbom-purls

I see a new field warnings were added. I was not able to populate that field with the SBOMs I tried locally, which SBOM did you use to test that?

@ctron
Copy link
Contributor Author

ctron commented Jul 24, 2025

Regarding the missing entries, I noticed that too and was wondering if we want that (or not). However, that behavior hasn't changed. I'm open to adding this if we think it's helpful.

I see a new field warnings were added. I was not able to populate that field with the SBOMs I tried locally, which SBOM did you use to test that?

I'll add a unit test. That's currently missing but should be there.

@ctron ctron force-pushed the feature/remove_invalid_1 branch from 654df5d to 391aca3 Compare July 24, 2025 11:12
@ctron
Copy link
Contributor Author

ctron commented Jul 24, 2025

Added a test that should demonstrate it.

carlosthe19916
carlosthe19916 approved these changes Jul 24, 2025
View reviewed changes
Copy link
Contributor

@carlosthe19916 carlosthe19916 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Regarding the missing entries, I noticed that too and was wondering if we want that (or not). However, that behavior hasn't changed. I'm open to adding this if we think it's helpful.

Let's leave it for a separate PR.

@ctron ctron added this pull request to the merge queue Jul 24, 2025
Merged via the queue into guacsec:main with commit 704fdb1 Jul 24, 2025
7 checks passed
@ctron ctron deleted the feature/remove_invalid_1 branch July 24, 2025 12:35
@github-project-automation github-project-automation bot moved this to Done in Trustify Jul 24, 2025
@ruromero ruromero mentioned this pull request Jul 25, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sourcery-ai sourcery-ai[bot] sourcery-ai[bot] left review comments

@carlosthe19916 carlosthe19916 carlosthe19916 approved these changes

@dejanb dejanb Awaiting requested review from dejanb

@mrizzi mrizzi Awaiting requested review from mrizzi

@ruromero ruromero Awaiting requested review from ruromero

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Handle invalid/inadequate PURLs for POST /api/v2/ui/extract-sbom-purls and POST /api/v2/vulnerability/analyze

3 participants

@ctron @ruromero @carlosthe19916