### Retrieve Dependencies for a Package URL (Request Example) Source: https://github.com/guacsec/guac-docs/blob/main/guac/guac-rest.md Example of a GET request to retrieve dependencies associated with a specific Package URL. ```bash GET /api/v1/package/{purl}/dependencies ``` -------------------------------- ### Install Project Dependencies Source: https://github.com/guacsec/guac-docs/blob/main/README.md Installs the necessary Ruby gems for building the documentation locally using Bundler. ```bash bundler install ``` -------------------------------- ### Install Dependencies with Yarn Source: https://github.com/guacsec/guac-docs/blob/main/guac/guac-visualizer.md Install all necessary project dependencies using Yarn. ```bash yarn install ``` -------------------------------- ### Example CLI Output for Bad Packages Source: https://github.com/guacsec/guac-docs/blob/main/guac/supply-chain.md This is an example of the interactive output when querying for bad packages. Use arrow keys to navigate and select an item to generate a visualizer URL. ```bash Use the arrow keys to navigate: ↓ ↑ → ← ? Select CertifyBad to Query: pkg:golang/k8s.io/release/images/build/go-runner@%28devel%29 (compromised go-runner) ╴╠ pkg:deb/debian/tzdata@2021a-1+deb11u5 (compromised version of tzdata) ``` -------------------------------- ### Trustify Infrastructure Helm Chart Values (Minikube Example) Source: https://github.com/guacsec/guac-docs/blob/main/trustify/kubernetes-infrastructure.md Example Helm values file for the trustify-infrastructure chart, configured for Minikube. Customize admin credentials and client secrets as needed. ```yaml keycloak: enabled: true production: false auth: adminUser: admin adminPassword: admin123456 # notsecret, replace tls: enabled: false service: {} ingress: enabled: true servicePort: http oidc: clients: frontend: {} cli: clientSecret: value: 5460cc91-4e20-4edd-881c-b15b169f8a79 # notsecret, replace ``` -------------------------------- ### Run Development Server Source: https://github.com/guacsec/guac-docs/blob/main/guac/guac-visualizer.md Start the GUAC Visualizer development server locally. ```bash yarn dev ``` -------------------------------- ### Install Trustify Infrastructure Helm Chart Source: https://github.com/guacsec/guac-docs/blob/main/trustify/kubernetes-infrastructure.md Use this Helm command to install the opinionated infrastructure chart for Keycloak, PostgreSQL, and filesystem storage. Ensure you provide a values file for customization. ```bash NAMESPACE=trustify APP_DOMAIN=public.cluster.domain helm upgrade --install -n $NAMESPACE --repo https://guacsec.github.io/trustify-helm-charts/ infrastructure trustify-infrastructure --values --set-string keycloak.ingress.hostname=sso$APP_DOMAIN --set-string appDomain=$APP_DOMAIN ``` -------------------------------- ### Example Docker Compose Service Output Source: https://github.com/guacsec/guac-docs/blob/main/guac/setup-install.md This is an example of the expected output when verifying the GUAC service status. It indicates that the 'guac' and 'guac-demo' services are running. ```text NAME STATUS CONFIG FILES guac running(2) /Users/lumb/go/src/github.com/guacsec/guac/docker-compose.yml,/Users/lumb/go/src/github.com/guacsec/guac/guac/container_files/mem.yaml guac-demo running(5) /Users/lumb/go/src/github.com/guac-demo/guac-demo-compose.yaml ``` -------------------------------- ### Example JSON Output for Package Query Source: https://github.com/guacsec/guac-docs/blob/main/guac/known-and-unknown.md This is an example of the JSON output that might be returned when querying package information. It includes details like package ID, type, and namespace information. ```json { "id": "7624", "justification": "dependency data collected via deps.dev", "package": { "id": "6", "type": "golang", "namespaces": [ { "id": "279", ``` -------------------------------- ### Enter Nix Shell Source: https://github.com/guacsec/guac-docs/blob/main/guac/guac-graphql.md Enter a nix shell with all prerequisites installed if using the nix package manager. ```bash nix-shell shell.nix ``` -------------------------------- ### Start GUAC Server with Docker Compose Source: https://github.com/guacsec/guac-docs/blob/main/guac/setup-install.md Use this command to start the GUAC server and its associated services using a Docker Compose file. Ensure you are in the directory where the compose file was downloaded. ```bash docker compose -f guac-demo-compose.yaml -p guac up --force-recreate ``` -------------------------------- ### Start GUAC Server with Docker Compose Source: https://github.com/guacsec/guac-docs/blob/main/guac/setup-postgres.md Use this command to start the GUAC server and its PostgreSQL backend using Docker Compose. Ensure you are in the directory where you downloaded the compose file. ```bash docker compose -f guac-postgres-compose.yaml up ``` -------------------------------- ### Retrieve Vulnerabilities for an Artifact Digest (Request Example) Source: https://github.com/guacsec/guac-docs/blob/main/guac/guac-rest.md Example of a GET request to retrieve vulnerabilities related to a specific artifact digest. ```bash GET /api/v1/artifact/{digest}/vulns ``` -------------------------------- ### Example Successful Vulnerability Query Output Source: https://github.com/guacsec/guac-docs/blob/main/guac/querying-via-cli.md This is an example of the expected output after a successful vulnerability query, showing node types, IDs, and additional information like vulnerability IDs. It also includes a visualizer URL for further exploration. ```bash +-------------+-----------+---------------------------------------+ | NODE TYPE | NODE ID | ADDITIONAL INFORMATION | +-------------+-----------+---------------------------------------+ | certifyVuln | 148776 | vulnerability ID: ghsa-599f-7c49-w659 | | certifyVuln | 147968 | vulnerability ID: dsa-5343-1 | | certifyVuln | 147969 | vulnerability ID: dsa-5417-1 | | certifyVuln | 148766 | vulnerability ID: ghsa-7rjr-3q55-vv33 | | certifyVuln | 148767 | vulnerability ID: ghsa-8489-44mv-ggj8 | | certifyVuln | 148768 | vulnerability ID: ghsa-fxph-q3j8-mv87 | | certifyVuln | 147769 | vulnerability ID: ghsa-jfh8-c2jp-5v3q | | certifyVuln | 148770 | vulnerability ID: ghsa-p6xc-xr62-6r2g | | certifyVuln | 148771 | vulnerability ID: ghsa-vwqq-5vrc-xw9h | +-------------+-----------+---------------------------------------+ Visualizer url: http://localhost:3000/?path=20041,20040,20039,15,26177,22175,22174,20781,2455,147738,148776,26195,21827,2158,1302,1301,147731,147968,147815,147969,26202,74224,1411,147764,148467,26206,18025,18024,18023,147803,148766,147798,148767,147799,148768,147733,148769,147774,148770,147765,148771,75955,81946,87980,94043,99976,105990,1523,2110,2230,2360,2512,2744,3474,4167 ``` -------------------------------- ### Build GUAC binaries with Make Source: https://github.com/guacsec/guac-docs/blob/main/guac/dev-setup.md Builds the GUAC binaries using the Make utility. Ensure Make and Go are installed and configured. ```bash make ``` -------------------------------- ### Example JSON Output for All Package Types Source: https://github.com/guacsec/guac-docs/blob/main/guac/guac-graphql.md This is the expected JSON output when querying for all package types without specifying any nested nodes. ```json { "packages": [ { "type": "alpine" }, { "type": "golang" }, { "type": "pypi" }, { "type": "deb" }, { "type": "maven" }, { "type": "guac" } ] } ``` -------------------------------- ### Example Cosign Verification Output Source: https://github.com/guacsec/guac-docs/blob/main/guac/verification.md This is an example of the expected output when the GUAC image verification is successful. It confirms that the cosign claims were validated, existence in the transparency log was verified, and the code-signing certificate was trusted. ```bash Verification for ghcr.io/guacsec/guac@sha256:57cacf2388a3bd9322db99d7acb861ab8aff6964bdbaba910547e9fc268a5480 -- The following checks were performed on each of these signatures: - The cosign claims were validated - Existence of the claims in the transparency log was verified offline - The code-signing certificate was verified using trusted certificate authority certificates [{"critical":{"identity":{"docker-reference":"ghcr.io/guacsec/guac"},"image":{"docker-manifest-digest":"sha256:57cacf2388a3bd9322db99d7acb861ab8aff6964bdbaba910547e9fc268a5480"},"type":"cosign container image signature"},"optional":{"1.3.6.1.4.1.57264.1.1":"https://token.actions.githubusercontent.com","1.3.6.1.4.1.57264.1.2":"push","1.3.6.1.4.1.57264.1.3":"7c3b1b9188e868c1ce2c8c21793cd7e6894aa244","1.3.6.1.4.1.57264.1.4":"release","1.3.6.1.4.1.57264.1.5":"guacsec/guac","1.3.6.1.4.1.57264.1.6":"refs/tags/v0.3.0","Bundle":{"SignedEntryTimestamp":"MEQCIAgytT/O/3ZP3gYoKt6wcDl9n3vOjm+tXe+Abjyf2qrKAiBVmrJIsbIy9sa3E/JGNnxgupdiykudfUXDtHeylpptvA==","Payload":{"body":"eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI3NGViYmE0NjMzYWUzOTAyOGFmMTcxMGJhNjg0MmJjNWEyODk1NDUxZDQzM2JiODliNWYyOGE2MWQwMDdiYjFiIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FVUNJUUREZWlQcEFibkg1SXpEeWZrdVVVV09NUEJmTVZjdTk0c0JGd3VxQnRUUS9BSWdLUkgvUk5UcmdNcUQrQmZrR3BsdG4zZWhmV1dNeU81aTJZcktDcmNkVDdZPSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVZHFha05EUW1oUFowRjNTVUpCWjBsVlNsUjNWRU5SWW10bVJqRnhXWEpuV1RSMk1HTmlVa1V5VFVwamQwTm5XVWxMYjFwSmVtb3dSVUYzVFhjS1RucEZWazFDVFVkQk1WVkZRMmhOVFdNeWJHNWpNMUoyWTIxVmRWcEhWakpOVWpSM1NFRlpSRlpSVVVSRmVGWjZZVmRrZW1SSE9YbGFVekZ3WW01U2JBcGpiVEZzV2tkc2FHUkhWWGRJYUdOT1RXcE5lRTFFUlhwTmFrRjZUbFJSTUZkb1kwNU5hazE0VFVSRmVrMXFRVEJPVkZFd1YycEJRVTFHYTNkRmQxbElDa3R2V2tsNmFqQkRRVkZaU1V0dldrbDZhakJFUVZGalJGRm5RVVZZWjNWc05rMTJlSGxCUVU0eVJHOWpkemgzUkhoQ1VrTnNXamxHWVhkU09XTnBSREVLUlhJeE9VTkRZV1p5ZGtkdU1rTlRUMkpoU214bk9WUmxNaXRLYjFNMU56UjRORTQ1VWtZM2RVVnlka0kyU0daa1VUWlBRMEpVU1hkbloxVjFUVUUwUndwQk1WVmtSSGRGUWk5M1VVVkJkMGxJWjBSQlZFSm5UbFpJVTFWRlJFUkJTMEpuWjNKQ1owVkdRbEZqUkVGNlFXUkNaMDVXU0ZFMFJVWm5VVlV3YVRoTkNuTlFMMk5qWVdGWmFXUjBaMFJxVTNSNWJISmFWbmRyZDBoM1dVUldVakJxUWtKbmQwWnZRVlV6T1ZCd2VqRlphMFZhWWpWeFRtcHdTMFpYYVhocE5Ga0tXa1E0ZDFoUldVUldVakJTUVZGSUwwSkdUWGRWV1ZwUVlVaFNNR05JVFRaTWVUbHVZVmhTYjJSWFNYVlpNamwwVERKa01WbFhUbnBhVjAxMldqTldhQXBaZVRoMVdqSnNNR0ZJVm1sTU0yUjJZMjEwYldKSE9UTmplVGw1V2xkNGJGbFlUbXhNYm14b1lsZDRRV050Vm0xamVUa3dXVmRrZWt3eldYZE1hazExQ2sxRVFUVkNaMjl5UW1kRlJVRlpUeTlOUVVWQ1FrTjBiMlJJVW5kamVtOTJURE5TZG1FeVNuVk1iVVpxWkVkc2RtSnVUWFZhTW13d1lVaFdhV1JZVG13S1kyMU9kbUp1VW14aWJsRjFXVEk1ZEUxQ1NVZERhWE5IUVZGUlFtYzNPSGRCVVVsRlFraENNV015WjNkT1oxbExTMzRaUWtKQlIwUjJla0ZDUVhkUmJ3cE9NazE2V1dwR2FVOVVSVFJQUjFVMFRtcG9hazFYVG14TmJVMDBXWHBKZUU1NmEzcFpNbEV6V2xSWk5FOVVVbWhaVkVrd1RrUkJWa0puYjNKQ1owVkZDa0ZaVHk5TlFVVkZRa0ZrZVZwWGVHeFpXRTVzVFVKdlIwTnBjMGRCVVZGQ1p6YzRkMEZSVlVWRVIyUXhXVmRPZWxwWFRYWmFNMVpvV1hwQlpVSm5iM0lLUW1kRlJVRlpUeTlOUVVWSFFrWkZUVlF5YURCa1NFSjZUMms0ZGxveWJEQmhTRlpwVEcxT2RtSlRPVzVrVjBacVl6Sldha3d5WkRGWlYwMTJURzFrY0dSSGFERUtXV2s1TTJJelNuSmFiWGgyWkROTmRtTnRWbk5hVjBaNlxtTTFOVmxYTVhOUkNFcHNXbTVOZG1IUkptNWplVGt5VFVNMGVreHFRWGRQUVZsTFMzZFpRZ3BDUVVkRWRucEJRa05uVVhGRVEyY3pXWHBPYVUxWFNUVk5WR2MwV2xSbk1rOUhUWGhaTWxWNVdYcG9hazFxUlROUFZFNXFXa1JrYkU1cVp6Vk9SMFpvQ2sxcVVUQk5RakJIUTJselIwRlJVVUpuTnpoM1FWRnpSVVIzZDA1YU1td3dZVWhXYVV4WGFIWmpNMUpzV2tSQmRrSm5iM0pDWjBWRlFWbFBMMDFCUlUwS1FrTkZUVWd5YURCa1NFSjZUMms0ZGxveWJEQmhTRlpwVEcxT2RtSlRPVzVrVjBacVl6Sldha3d5WkRGWlYwMTNUMEZaUzB0M1dVSkNRVWRFZG5wQlFncEVVVkZ4UkVObk0xbDZUbWxOVjBrMVRWUm5ORnBVWnpKUFIwMTRXVEpWZVZsNmFHcE5ha1V6VDFST2FscEVaR3hPYW1jMVRrZEdhRTFxVVRCTlEwRkhDa05wYzBkQlVWRkNaemM0ZDBGUk5FVkZaM2RSWTIxV2JXTjVPVEJaVjJSNlRETlpkMHhxVFhWTlJFRmFRbWR2Y2tKblJVVkJXVTh2VFVGRlVFSkJjMDBLUTFSVmQwMXFSWGxPZWtVeVRtcEJjVUpuYjNKQ1owVkZRVmxQTDAxQlJWRkNRbmROUjIxb01HUklRbnBQYVRoMldqSnNNR0ZJVm1sTWJVNTJZbE01Ymdwa1YwWnFZekpXYWsxQ2EwZERhWE5IUVZGUlFtYzNPSG ``` -------------------------------- ### Vault SBOM Ingestion Log Example Source: https://github.com/guacsec/guac-docs/blob/main/guac/expanding-your-view.md Example output from the Guac ingestor logs when processing a Vault SBOM. It shows the creation of streams and the processing of document trees. ```json {"level":"info","ts":1681992933.3817039,"caller":"emitter/nats_emitter.go:121","msg":"creating stream \"DOCUMENTS\" and subjects \"DOCUMENTS.*\""} {"level":"info","ts":1681994359.306624,"caller":"process/process.go:97","msg":"[processor: 856ef1f5-1627-4ec9-b9e1-507b7bdee58f] docTree Processed: {Collector:FileCollector Source:file:///../guac-data/top-dh-sboms/vault.json}"} {"level":"info","ts":1681994359.31475,"caller":"parser/parser.go:128","msg":"parsing document tree with root type: SPDX"} {"level":"info","ts":1681994359.3263202,"caller":"helpers/assembler.go:34","msg":"assembling CertifyScorecard: 0"} {"level":"info","ts":1681994359.32635,"caller":"helpers/assembler.go:39","msg":"assembling IsDependency: 2260"} {"level":"info","ts":1681994359.7843368,"caller":"helpers/assembler.go:44","msg":"assembling IsOccurence: 963"} {"level":"info","ts":1681994359.954613,"caller":"helpers/assembler.go:49","msg":"assembling HasSLSA: 0"} {"level":"info","ts":1681994359.954643,"caller":"helpers/assembler.go:54","msg":"assembling CertifyVuln: 0"} {"level":"info","ts":1681994359.954647,"caller":"helpers/assembler.go:59","msg":"assembling IsVuln: 0"} {"level":"info","ts":1681994359.9546518,"caller":"helpers/assembler.go:64","msg":"assembling HasSourceAt: 0"} {"level":"info","ts":1681994359.954654,"caller":"helpers/assembler.go:69","msg":"assembling CertifyBad: 0"} {"level":"info","ts":1681994359.9546711,"caller":"helpers/assembler.go:74","msg":"assembling CertifyGood: 0"} {"level":"info","ts":1681994359.9546711,"caller":"cmd/ingest.go:118","msg":"got collect entries to add: 349"} {"level":"info","ts":1681994359.9560268,"caller":"parser/parser.go:110","msg":"[ingestor: 04462d2a-a2c7-4aa9-95eb-2183cb5f249d] ingested docTree: {Collector:FileCollector Source:file:///../guac-data/top-dh-sboms/vault.json}"} ``` -------------------------------- ### Next.js Development Server Output Source: https://github.com/guacsec/guac-docs/blob/main/guac/guac-visualizer.md Example output from the Next.js development server indicating the local URL and port. ```text next dev ready - started server on 0.0.0.0:3000, url: http://localhost:3000 info - Using webpack 5. Reason: Enabled by default https://nextjs.org/docs/messages/webpack5 ``` -------------------------------- ### Example JSON Output for Package Namespaces Source: https://github.com/guacsec/guac-docs/blob/main/guac/guac-graphql.md This JSON output shows the 'deb' package type and its associated namespaces, 'ubuntu' and 'debian'. ```json { "data": { "packages": [ { "type": "deb", "namespaces": [ { "namespace": "ubuntu" }, { "namespace": "debian" } ] } ] } } ``` -------------------------------- ### Build GUAC container with Make Source: https://github.com/guacsec/guac-docs/blob/main/guac/dev-setup.md Builds a Docker container for GUAC using the Make utility. Ensure Docker and Make are installed. ```bash make container ``` -------------------------------- ### Example GraphQL Response Source: https://github.com/guacsec/guac-docs/blob/main/guac/setup-ingest-data.md A sample JSON response from the GraphQL query, showing the types of packages ingested into GUAC. ```json { "data": { "packages": [ { "type": "oci" }, ... ``` -------------------------------- ### Ingestor Log Example Source: https://github.com/guacsec/guac-docs/blob/main/guac/expanding-your-view.md This log indicates that CertifyScorecard, IsDependency, and HasSourceAt are being ingested by the system. ```json {"level":"info","ts":1681994398.158665,"caller":"parser/parser.go:110","msg":"[ingestor: 04462d2a-a2c7-4aa9-95eb-2183cb5f249d] ingested docTree: {Collector:deps.dev Source:deps.dev}"} ``` -------------------------------- ### deps.dev Collector Log Example Source: https://github.com/guacsec/guac-docs/blob/main/guac/expanding-your-view.md Sample output from the deps.dev collector logs, indicating the successful retrieval of additional metadata for various Go packages. ```json {"level":"info","ts":1681994369.748968,"caller":"deps_dev/deps_dev.go:217","msg":"obtained additional metadata for package: pkg:golang/cloud.google.com/go@v0.65.0"} {"level":"info","ts":1681994372.493675,"caller":"deps_dev/deps_dev.go:217","msg":"obtained additional metadata for package: pkg:golang/cloud.google.com/go/spanner@v1.5.1"} {"level":"info","ts":1681994375.3482509,"caller":"deps_dev/deps_dev.go:217","msg":"obtained additional metadata for package: pkg:golang/cloud.google.com/go/storage@v1.10.0"} {"level":"info","ts":1681994376.722956,"caller":"deps_dev/deps_dev.go:217","msg":"obtained additional metadata for package: pkg:golang/code.cloudfoundry.org/gofileutils@v0.0.0-20170111115228-4d0c80011a0f"} {"level":"info","ts":1681994377.476279,"caller":"deps_dev/deps_dev.go:217","msg":"obtained additional metadata for package: pkg:golang/github.com/Azure/azure-pipeline-go@v0.2.3"} {"level":"info","ts":1681994380.7538428,"caller":"deps_dev/deps_dev.go:217","msg":"obtained additional metadata for package: pkg:golang/github.com/Azure/azure-sdk-for-go@v61.4.0+incompatible"} {"level":"info","ts":1681994382.8232992,"caller":"deps_dev/deps_dev.go:217","msg":"obtained additional metadata for package: pkg:golang/github.com/Azure/azure-storage-blob-go@v0.14.0"} ``` -------------------------------- ### Run Trustify in Personal Machine Mode Source: https://github.com/guacsec/guac-docs/blob/main/trustify/getting-started.md Start the Trustify server in a lightweight mode for local use. This creates a local database in the current directory. ```shell ./path/to/your/downloaded/trustd-pm ``` -------------------------------- ### OSV Certifier Log Example Source: https://github.com/guacsec/guac-docs/blob/main/guac/expanding-your-view.md These logs show the completion of document processing by the OSV certifier, indicating the time taken for each document. ```bash {"level":"info","ts":1681994498.498469,"caller":"cmd/osv.go:115","msg":"[209.458µs] completed doc {Collector:guac Source:guac}"} ``` ```bash {"level":"info","ts":1681994498.4986901,"caller":"cmd/osv.go:115","msg":"[216µs] completed doc {Collector:guac Source:guac}"} ``` ```bash {"level":"info","ts":1681994498.4989061,"caller":"cmd/osv.go:115","msg":"[211.042µs] completed doc {Collector:guac Source:guac}"} ``` ```bash {"level":"info","ts":1681994498.498911,"caller":"cmd/osv.go:122","msg":"certifier ended gracefully"} ``` -------------------------------- ### Get Package IDs for Path Query Source: https://github.com/guacsec/guac-docs/blob/main/guac/guac-graphql.md Use these bash commands to retrieve the IDs of 'consul/sdk' and 'consul/api' Go packages, which are necessary for the path query. ```bash cat demo/graphql/queries.gql | gql-cli http://localhost:8080/query -o PkgQ5 | jq ``` ```bash cat demo/graphql/queries.gql | gql-cli http://localhost:8080/query -o PkgQ6 | jq ``` -------------------------------- ### Successful Vulnerability Query Output Source: https://github.com/guacsec/guac-docs/blob/main/guac/querying-via-cli.md This is an example of successful output after querying for a vulnerability. It includes a node type, node ID, and additional information, along with a visualizer URL. ```bash +-------------+-----------+---------------------------------------+ | NODE TYPE | NODE ID | ADDITIONAL INFORMATION | +-------------+-----------+---------------------------------------+ | certifyVuln | 137535 | vulnerability ID: ghsa-7rjr-3q55-vv33 | +-------------+-----------+---------------------------------------+ Visualizer url: http://localhost:3000/?path=134994,136775,137535,20677,20676,20675,2417,26288,19815,19814,19813,27 ``` -------------------------------- ### Verify GUAC Server Status Source: https://github.com/guacsec/guac-docs/blob/main/guac/setup-postgres.md After starting GUAC, use this command to verify that the containers are running. If issues arise, consider running `docker compose down` to reset the state. ```bash docker compose ls ``` -------------------------------- ### Execute Python Path Search Script Source: https://github.com/guacsec/guac-docs/blob/main/guac/guac-graphql.md Run the Python script to perform a client-side search for dependency paths between specified node IDs. This command executes the script with two example node IDs. ```bash ./demo/graphql/path.py 5809 6721 ``` -------------------------------- ### Vulnerability Schema Example Source: https://github.com/guacsec/guac-docs/blob/main/guac/guac-rest.md Example schema for vulnerability data returned by the API. ```json { "package": "pkg:foo/bar", "vulnerability": { "type": "CVE", "vulnerabilityIDs": ["CVE-2024-0001"] }, "metadata": { "scannerUri": "example-scanner", "timeScanned": "2024-10-26T10:00:00Z" } } ``` -------------------------------- ### GET /v0/package/{purl}/vulns Source: https://github.com/guacsec/guac-docs/blob/main/guac/guac-rest.md Get vulnerabilities associated with the given purl and its dependencies. ```APIDOC ## GET /v0/package/{purl}/vulns ### Description Get vulnerabilities associated with the given `purl` and its dependencies. ### Method GET ### Endpoint /v0/package/{purl}/vulns ### Parameters #### Path Parameters - **purl** (string) - Required: A URL-encoded Package URL. #### Query Parameters - **includeDependencies** (boolean) - Optional, default: `false`: Include vulnerabilities of dependencies. ### Response #### Success Response (200) - **Response Body** (array) - A list of vulnerabilities associated with the package. ### Response Example ```json [ { "package": "pkg:foo/bar", "vulnerability": { "type": "CVE", "vulnerabilityIDs": ["CVE-2024-0001"] } } ] ``` ``` -------------------------------- ### Example GraphQL Query Response Source: https://github.com/guacsec/guac-docs/blob/main/guac/setup-postgres.md This is an example JSON response from a GraphQL query to the GUAC API, showing the types of packages that have been ingested. ```json { "data": { "packages": [ { "type": "oci" }, ... ] } } ``` -------------------------------- ### Retrieve Full Package Data with gql-cli Source: https://github.com/guacsec/guac-docs/blob/main/guac/guac-graphql.md Use this command to fetch all details for a specific package by name. It pipes the query from a file to the gql-cli and formats the output with jq. ```bash cat demo/graphql/queries.gql | gql-cli http://localhost:8080/query -o PkgQ3 | jq ``` -------------------------------- ### Build and Run Trustify from Source Source: https://github.com/guacsec/guac-docs/blob/main/trustify/getting-started.md Build and run the Trustify server from source code using cargo. Disables authentication for local development. ```shell AUTH_DISABLED=true cargo run --bin trustd ``` -------------------------------- ### deps.dev Ingestion Log Example in Guac Ingestor Source: https://github.com/guacsec/guac-docs/blob/main/guac/expanding-your-view.md Example log output from the Guac ingestor when processing documents from the deps.dev collector. It details the parsing of the DEPS_DEV document type and the assembly of various graph components. ```json {"level":"info","ts":1681994398.146413,"caller":"parser/parser.go:128","msg":"parsing document tree with root type: DEPS_DEV"} {"level":"info","ts":1681994398.146731,"caller":"helpers/assembler.go:34","msg":"assembling CertifyScorecard: 1"} {"level":"info","ts":1681994398.148156,"caller":"helpers/assembler.go:39","msg":"assembling IsDependency: 12"} {"level":"info","ts":1681994398.156023,"caller":"helpers/assembler.go:44","msg":"assembling IsOccurence: 0"} {"level":"info","ts":1681994398.156051,"caller":"helpers/assembler.go:49","msg":"assembling HasSLSA: 0"} {"level":"info","ts":1681994398.1560571,"caller":"helpers/assembler.go:54","msg":"assembling CertifyVuln: 0"} {"level":"info","ts":1681994398.156063,"caller":"helpers/assembler.go:59","msg":"assembling IsVuln: 0"} {"level":"info","ts":1681994398.156069,"caller":"helpers/assembler.go:64","msg":"assembling HasSourceAt: 4"} {"level":"info","ts":1681994398.157971,"caller":"helpers/assembler.go:69","msg":"assembling CertifyBad: 0"} {"level":"info","ts":1681994398.1579862,"caller":"helpers/assembler.go:74","msg":"assembling CertifyGood: 0"} {"level":"info","ts":1681994398.157998,"caller":"cmd/ingest.go:118","msg":"got collect entries to add: 12"} ``` -------------------------------- ### Query Patch Plan by Package Version Source: https://github.com/guacsec/guac-docs/blob/main/guac/patch-cli.md Use this command to query for the patch plan of a package at the version level. Set --is-pkg-version-start to true. ```bash guacone query patch --start-purl "pkg:maven/jfr/jfr@1.8.0_342" --search-depth 10 --is-pkg-version-start true ``` ```bash pkg:maven/jfr/jfr@1.8.0_342 ``` ```bash --- ---FRONTIER LEVEL 0--- 18572: pkg:maven/jfr/jfr@1.8.0_342 18571: pkg:maven/jfr/jfr ---FRONTIER LEVEL 1--- 16669: pkg:guac/spdx/ghcr.io/guacsec/vul-image-latest 16668: pkg:guac/spdx/ghcr.io/guacsec/vul-image-latest 25104: artifact: algorithm-sha1 | digest:dc323c36dcbb81f74adabe3cc38bdb88bb5dbe66 ---INFO NODES--- no info nodes found ---POINTS OF CONTACT--- no POCs found ---SUBGRAPH VISUALIZER URL--- http://localhost:3000/?path=26193,16667,36245,18570,18572,18571,16669,16668,25104 ``` -------------------------------- ### Serve Documentation Locally Source: https://github.com/guacsec/guac-docs/blob/main/README.md Builds and serves the GUAC documentation locally using Jekyll. The output is typically available at http://127.0.0.1:4000/guac-docs. ```bash bundler exec jekyll serve ``` -------------------------------- ### GET /analysis/dependencies Source: https://github.com/guacsec/guac-docs/blob/main/guac/guac-rest.md Identify the most important dependencies by frequency or score. ```APIDOC ## GET /analysis/dependencies ### Description Identify the most important dependencies by frequency or score. ### Method GET ### Endpoint /analysis/dependencies ### Parameters #### Query Parameters - **PaginationSpec** (object) - Optional: Pagination details like page size and cursor. - **sort** (string) - Required: Sort order of the packages. Options: 'frequency' (Packages with the most dependents), 'scorecard' (Packages with the lowest OpenSSF scorecard score). ### Response #### Success Response (200) - **Response Body** (array) - A list of dependencies with their counts or scores. ### Response Example ```json [ { "Name": "example/dependency1", "DependentCount": 100 }, { "Name": "example/dependency2", "DependentCount": 50 } ] ``` ``` -------------------------------- ### GET /healthz Source: https://github.com/guacsec/guac-docs/blob/main/guac/guac-rest.md Health check to ensure the server is running correctly. ```APIDOC ## GET /healthz ### Description Health check to ensure the server is running correctly. ### Method GET ### Endpoint /healthz ### Response #### Success Response (200) - **Response Body** (string) - Indicates if the server is healthy. ### Response Example ```json "Healthy" ``` ``` -------------------------------- ### Make Trustify Binary Executable Source: https://github.com/guacsec/guac-docs/blob/main/trustify/getting-started.md Ensure the downloaded Trustify binary has execute permissions before running it. ```shell chmod +x /path/to/your/downloaded/trustd-pm ``` -------------------------------- ### Run GUAC GraphQL server with Go Source: https://github.com/guacsec/guac-docs/blob/main/guac/dev-setup.md Alternatively, build and run the GUAC GraphQL server directly using the Go command. This is useful for development and debugging. ```bash go run ./cmd/guacgql --gql-debug ``` -------------------------------- ### GET /v0/artifact/{digest}/vulns Source: https://github.com/guacsec/guac-docs/blob/main/guac/guac-rest.md Retrieve vulnerabilities related to a specific artifact digest. ```APIDOC ## GET /v0/artifact/{digest}/vulns ### Description Retrieve vulnerabilities related to a specific artifact digest. ### Method GET ### Endpoint /v0/artifact/{digest}/vulns ### Parameters #### Path Parameters - **purl** (string) - Required: A URL-encoded Package URL. (Note: This seems to be a typo in the source, should likely be 'digest') ### Request Example ```bash GET /api/v1/artifact/{digest}/vulns ``` ### Response #### Success Response (200) - **vulnerabilities** (array) - A list of vulnerabilities associated with the artifact. ### Response Example ```json { "vulnerabilities": [ { "id": "CVE-2023-12345", "description": "Sample vulnerability description.", "severity": "High" } ] } ``` ``` -------------------------------- ### GET /v0/artifact/{digest}/dependencies Source: https://github.com/guacsec/guac-docs/blob/main/guac/guac-rest.md Retrieve dependencies associated with a specific artifact digest. ```APIDOC ## GET /v0/artifact/{digest}/dependencies ### Description Retrieve dependencies associated with a specific digest. ### Method GET ### Endpoint /v0/artifact/{digest}/dependencies ### Parameters #### Path Parameters - **digest** (string) - Required: Digest of the artifact in `` format. ### Response #### Success Response (200) - **PurlList** (array) - A list of package URLs representing the dependencies. ### Response Example ```json { "PurlList": ["pkg:foo/bar@1.0", "pkg:foo/bar@2.0"] } ``` ``` -------------------------------- ### Create psql Pod using kubectl Source: https://github.com/guacsec/guac-docs/blob/main/trustify/kubernetes-rds.md Command to create a Kubernetes Pod using a YAML definition file. Ensure `psql-pod.yaml` is correctly configured before running. ```bash kubectl create -f examples/psql-pod.yaml ``` -------------------------------- ### GET /v0/package/{purl} Source: https://github.com/guacsec/guac-docs/blob/main/guac/guac-rest.md Retrieve all package URLs (purls) related to the provided purl. ```APIDOC ## GET /v0/package/{purl} ### Description Retrieve all package URLs (purls) related to the provided `purl`. ### Method GET ### Endpoint /v0/package/{purl} ### Parameters #### Path Parameters - **purl** (string) - Required: A URL-encoded Package URL (purl). ### Response #### Success Response (200) - **PaginationInfo** (object) - Information about pagination. - **NextCursor** (string) - The cursor for the next page of results. - **TotalCount** (integer) - The total number of items. - **PurlList** (array) - A list of related package URLs. ### Response Example ```json { "PaginationInfo": { "NextCursor": "abc123", "TotalCount": 2 }, "PurlList": ["pkg:foo/bar@1.0", "pkg:foo/bar@2.0"] } ``` ``` -------------------------------- ### Terraform Apply Command Source: https://github.com/guacsec/guac-docs/blob/main/trustify/kubernetes-infrastructure.md Run this command to create the AWS and Kubernetes resources defined in your Terraform configuration. This command requires the APP_DOMAIN environment variable to be set. ```bash tofu apply --var app-domain=$APP_DOMAIN ``` -------------------------------- ### Query Patch Plan by Package Name Source: https://github.com/guacsec/guac-docs/blob/main/guac/patch-cli.md Use this command to query for the patch plan of a package at the name level. Adjust --search-depth as needed. ```bash guacone query patch --start-purl "pkg:golang/github.com/antlr/antlr4/runtime/go/antlr" --search-depth 10 ``` ```bash pkg:golang/github.com/antlr/antlr4/runtime/go/antlr ``` ```bash --- ---FRONTIER LEVEL 0--- 353: pkg:golang/github.com/antlr/antlr4/runtime/go/antlr 354: pkg:golang/github.com/antlr/antlr4/runtime/go/antlr@v0.0.0-20220418222510-f25a4f6275ed ---FRONTIER LEVEL 1--- 193: pkg:golang/github.com/google/cel-go 194: pkg:golang/github.com/google/cel-go@v0.12.5 ---FRONTIER LEVEL 2--- 51113: pkg:guac/spdx/k8s.gcr.io/kube-apiserver-v1.25.2 129824: src:git/github.com/google/cel-go 51112: pkg:guac/spdx/k8s.gcr.io/kube-apiserver-v1.25.2 48784: pkg:guac/spdx/k8s.gcr.io/kube-apiserver-v1.25.1 205: pkg:golang/github.com/caddyserver/caddy/v2@v2.6.2 48785: pkg:guac/spdx/k8s.gcr.io/kube-apiserver-v1.25.1 204: pkg:golang/github.com/caddyserver/caddy/v2 ---FRONTIER LEVEL 3--- 129945: src:git/github.com/caddyserver/caddy 106: pkg:guac/cdx/docker.io/library/caddy@sha256:7992b931b7da3cf0840dd69ea74b2c67d423faf03408da8abdc31b7590a239a7?tag=latest 105: pkg:guac/cdx/docker.io/library/caddy ---INFO NODES--- no info nodes found ---POINTS OF CONTACT--- no POCs found ---SUBGRAPH VISUALIZER URL--- http://localhost:3000/?path=444,9,49041,36298,51225,130107,192,130308,129720,500,49018,51117,130044,203,130284,129937,465,353,354,193,194,51113,129824,51112,48784,205,48785,204,129945,106,105 ``` -------------------------------- ### Health Check Endpoint Source: https://github.com/guacsec/guac-docs/blob/main/guac/guac-rest.md Use this GET endpoint to verify if the GUAC REST API server is running correctly. ```json "Healthy" ``` -------------------------------- ### OSV Certifier Basic Usage Source: https://github.com/guacsec/guac-docs/blob/main/guac/certifier-osv.md This is the basic command syntax for running the OSV certifier. No specific options are required for a default run. ```bash guacone certifier osv [options] ``` -------------------------------- ### Clone GUAC repository Source: https://github.com/guacsec/guac-docs/blob/main/guac/dev-setup.md Use this command to clone the main GUAC repository to your local machine. Ensure you have Git installed. ```bash git clone https://github.com/guacsec/guac.git ``` -------------------------------- ### Navigate to Visualizer Directory Source: https://github.com/guacsec/guac-docs/blob/main/guac/guac-visualizer.md Change the current directory to the guac-visualizer source code directory. ```bash cd guac-visualizer ``` -------------------------------- ### Terraform Plan Command Source: https://github.com/guacsec/guac-docs/blob/main/trustify/kubernetes-infrastructure.md Execute this command to preview the resources that Terraform will create for the Trustify infrastructure. It helps verify the configuration before applying changes. ```bash tofu plan --var app-domain=$APP_DOMAIN ``` -------------------------------- ### Query Package by Purl Source: https://github.com/guacsec/guac-docs/blob/main/guac/known-and-unknown.md Query Guac for a specific package using its Package URL (Purl). This example queries for the Alpine package 'alpine-keys'. ```bash guacone query known package "pkg:alpine/alpine-keys@2.4-r0?arch=x86_64&upstream=alpine-keys&distro=alpine-3.14.8" ``` -------------------------------- ### Go Code for Artifact Fields Source: https://github.com/guacsec/guac-docs/blob/main/guac/graphql.md Demonstrates how to compute the canonicalized algorithm and digest fields for an artifact in Go, given a checksum object. ```go algorithm := strings.ToLower(string(checksum.Algorithm)) digest := checksum.Value ``` -------------------------------- ### Verify Ingestion with GraphQL Query Source: https://github.com/guacsec/guac-docs/blob/main/guac/setup-ingest-data.md Query the GUAC GraphQL API to check if packages have been ingested. This example retrieves the types of all ingested packages. ```bash curl 'http://localhost:8080/query' -s -X POST -H 'content-type: application/json' \ --data '{ "query": "{ packages(pkgSpec: {}) { type } }" }' | jq ``` -------------------------------- ### Basic EOL Certifier Command Source: https://github.com/guacsec/guac-docs/blob/main/guac/certifier-eol.md Use this command to run the EOL certifier. Options can be appended to customize its behavior. ```bash guacone certifier eol [options] ``` -------------------------------- ### Query Go Package Version v1.4.0 Source: https://github.com/guacsec/guac-docs/blob/main/guac/known-and-unknown.md This command queries for a different version of the same Go package. It helps in comparing vulnerability information between package versions. ```bash guacone query known package "pkg:golang/github.com/prometheus/client_golang@v1.4.0" ``` -------------------------------- ### Get Vulnerabilities for a Package URL Source: https://github.com/guacsec/guac-docs/blob/main/guac/guac-rest.md Retrieves vulnerabilities for a specific PURL and its dependencies. The 'includeDependencies' parameter can be set to true to include dependency vulnerabilities. ```json [ { "package": "pkg:foo/bar", "vulnerability": { "type": "CVE", "vulnerabilityIDs": ["CVE-2024-0001"] } } ] ``` -------------------------------- ### Get Package Dependencies by Frequency or Score Source: https://github.com/guacsec/guac-docs/blob/main/guac/guac-rest.md Retrieves packages sorted by dependency frequency or OpenSSF scorecard. Requires a 'sort' query parameter. ```json [ { "Name": "example/dependency1", "DependentCount": 100 }, { "Name": "example/dependency2", "DependentCount": 50 } ] ```