Skip to content

trustification/guac-rs

Repository files navigation

Guac Rust library

Rust

This library provides toolkit for working with Guac from Rust. It can be used for querying data using GraphQL API and ingesting data with collectors. It also contains a command-line interface (CLI) that exposes query API and collectors.

Prerequisites

In order to use this library and CLI, you need to have a running Guac instance (and preferably ingest some data into it). Following Guac Docker Compose guide might be the easiest way to get you started.

Install

To install CLI, run

cargo install --path=cli

from the root directory.

Use

Once the CLI is installed, you can use it to query and ingest Guac data.

Queries

The following are examples of query commands that CLI (and thus the library as well) are supporting.

Get dependencies

Returns purls of all known dependencies of the provided purl.

$ guac query dependencies pkg:maven/io.vertx/[email protected]
[
  "pkg:maven/io.vertx/[email protected]",
  "pkg:maven/io.vertx/[email protected]",
  "pkg:maven/io.vertx/[email protected]",
  "pkg:maven/io.vertx/[email protected]"
]

Get dependents

Returns purls of all known dependents for the provided purl.

$ guac query dependents pkg:maven/io.vertx/[email protected]
[
  "pkg:maven/io.seedwing/[email protected]?type=jar",
  "pkg:maven/io.quarkus.resteasy.reactive/[email protected]?type=jar",
  "pkg:maven/io.quarkus/[email protected]?type=jar",
  "pkg:maven/io.quarkus/[email protected]?type=jar",
  "pkg:maven/io.smallrye.reactive/[email protected]?type=jar"
]

Get Vulnerabilities

Returns list of all known vulnerabilities for the provided purl

$ guac query vulnerabilities pkg:rpm/redhat/[email protected]_6
[
  {
    "cve": "cve-2023-0286",
    "ghsa": null,
    "no_vuln": null,
    "osv": null,
    "packages": [
      "pkg:rpm/redhat/[email protected]_6?arch=x86_64&epoch=1"
    ]
  }
]

Get Packages

Returns list of all versions for the given package purl

$ guac query packages pkg:maven/io.vertx/vertx-web
[
  "pkg:maven/io.vertx/[email protected]?type=jar",
  "pkg:maven/io.vertx/[email protected]?type=jar"
]

Collectors

S3

The S3 collector is implemented as part of the Trustification project. For more documentation take a look at [https://github.com/trustification/trustification/tree/main/exporter].

If you wish to run it locally with just Bombastic/Vexination APIs in combination with Minio and Kafka, run

cd example/compose
docker-compose -f compose.yaml -f compose-trustification.yaml -f compose-guac.yaml up

Then you can run the collector like

RUST_LOG=debug cargo run --bin guac collect s3 --storage-bucket bombastic  --devmode

Now, you can ingest your SBOMs, like

curl -X POST --json @example/seedwing-java-example.bom "http://localhost:8082/api/v1/sbom?id=my-sbom"

And use Guac to explore data

open http://localhost:8084

File

The file collector can at the moment ingest only individual files, like

cargo run --bin guac collect file example/seedwing-java-example.bom

Contribute

See contributing guide.

Update schema

cargo install graphql_client_cli --force
graphql-client introspect-schema http://localhost:8080/query > lib/src/client/intrinsic/schema.json