Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Purl-sync vocabulary #35

Open
ziadhany opened this issue Jul 9, 2023 · 6 comments
Open

Purl-sync vocabulary #35

ziadhany opened this issue Jul 9, 2023 · 6 comments
Assignees

Comments

@ziadhany
Copy link
Collaborator

ziadhany commented Jul 9, 2023

Actors:

  • Person : can create a review and follow Package URLs
  • Service : can clone a git repo and push/sync ( publishing of events )
  • Purl : posts that v1.2.3 is vulnerable to @VCID-123

Activities:

Objects

  • Note
  • Review
  • Repository
  • Vulnerability
@ziadhany ziadhany self-assigned this Jul 9, 2023
@ziadhany
Copy link
Collaborator Author

ziadhany commented Jul 10, 2023

Person:

{
  "@context": [
    "https://www.w3.org/ns/activitystreams",
     "http://schema.org",
  ],
  "@type": "Person",
  "@id": "https://example.com/user/@user1",
  "name": "user1",
  "summary": "We’re creating a federated tool for vulnerability review and curation!",
  "inbox": "https://example.com/user/@user1/inbox",
  "outbox": "https://example.com/user/@user1/outbox",
  "following": "https://example.com/user/@user1/following",
  "image": "https://example.com/image/avatar",
}

Purl:

{
  "@context": [
    "https://www.w3.org/ns/activitystreams",
    ....
  ],
  "@type": "Purl",
  "@id": "https://example.com/purls/@pkg:maven/org.apache.logging",
  "string": "pkg:maven/org.apache.logging",
  "inbox": "https://example.com/purls/@pkg:maven/org.apache.logging/inbox",
  "outbox": "https://example.com/purls/@pkg:maven/org.apache.logging/outbox",
  "followers": "https://example.com/purls/@pkg:maven/org.apache.logging/followers",
}

@ziadhany
Copy link
Collaborator Author

ziadhany commented Jul 10, 2023

Note

{
  "@context": [
    "https://www.w3.org/ns/activitystreams",
     "http://schema.org", 
  ],
  "@type": "Note",
  "id": "https://example.com/notes/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
  "actor": "https://example.com/users/@user1"
  "content": "we should fix this purl",
  "published": "2015-02-10T15:04:55Z",
  "inReplyTo": "https://example.com/notes/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
}

Repository

{
  "@context": [
    "https://www.w3.org/ns/activitystreams",
     ..............
  ],
   "@id":"16fd2706-8baf-433b-82eb-8c7fada847da",
   "@type": "Repository",
   "cloneUri": "https://example.com/repository/repository.git",     
}

Review

{
  "@context": [
    "https://www.w3.org/ns/activitystreams",
     .........
  ],
  "@type": "Review",
  "id": "https://example.com/review/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
  "author": "https://example.com/user/@user1",
  "headline": "review vulnerablecode-data VCID-0000-0000-0000",
  "repository": "https://example.com/repository/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
  "reviewBody": "text diff",

  "notes": {        
       "type": "Collection",
       "totalItems": 1,
       "orderedItems": [
             {
                "type": "Note",
                "id": "https://example.com/note/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
                "actor": "https://example.com/user/@user1"
                "content": "we should fix this purl",
            }],
   }
  "published":  "2015-02-10T15:04:55Z",
}

Vulnerability

{
  "@context": [
    "https://www.w3.org/ns/activitystreams",
     ..............
  ],
   "@type": "Vulnerability",
    "id": "https://example.com/vulnerability/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",  
    "repository": "https://github.com/nexB/vulnerablecode-data",
    "branch": "main",
    "filename": "VCID-2r45-a1c2-aaag.yaml",
    "commit": "d3bdb08c2aa4d2a949e7a4ed719a7a167d62b2e8",
}

@ziadhany
Copy link
Collaborator Author

ziadhany commented Jul 12, 2023

Follow

{
  "@context": [
    "https://www.w3.org/ns/activitystreams",
     .........
  ],
  "type": "Follow",
  "actor": {
    "@id": "https://example.com/users/@user1",
    "@type": "Person",
  },

  "object": {
         "@id": "https://example.com/pursl/@pkg:bitbucket/birkenfeld/pygments-main",
         "@type": "Purl",
         "string": "pkg:bitbucket/birkenfeld/pygments-main"",
  },

  "cc": [{
    "@context": "http://www.w3.org/ns/activitystreams",
    "@id": "http://activityschema.org/collection/public",
    .....
    "@type": "Collection"
  }]
}

Create

{
  "@context": [
    "https://www.w3.org/ns/activitystreams",
     "http://schema.org", 
  ],
"type": "Create",
"actor": {
  "@type": "Person",
  "name": "user1"
  "@id": "https://example.com/users/@user1",
},
"object": {
  "@type": "Review",
  "headline": "review vulnerablecode-data VCID-0000-0000-0000.json",
  "reviewBody": "diff string"
}
}

@pombredanne
Copy link
Member

pombredanne commented Jul 27, 2023

Attached is a pdf and the source of xournal notes from a meeting we had today.

Screenshot from 2023-07-27 15-11-16

2023-07-27-Note-13-20.pdf
2023-07-27-Note-13-20.xoj.zip

@ziadhany
Copy link
Collaborator Author

ziadhany commented Aug 2, 2023

@pombredanne After carefully reading the notes I have some questions .

  1. VC.IO push events to activitypub server ( what is the type of events ?) .
    I think of it like a service actor run a python script after we merge new files . OR git send http post request to activitypub server using service Actor credentials after a new file get merged using post-merge

  2. should every purl have a username and password ( Fediverse account ) or just get managed by service ( vc.io ) ?
    purl will create the post ( pkg:maven/org.apache.logging posts that v1.2.3 is vulnerable to @VCID-123 )
    Who will create the purl ? service actor ( vc.io )
    Is this correct ?

  3. How can we store the relations between a git repo , purl and vulnerability ?
    I think of vulnerability as git file VCID-aejr-k98q-aaad.yaml
    but how can we detect purls in our system ?
    we can have two separated files one for purl ( affected and fixed ) and one for vulnerability .
    but How we create a purls and vulnerabilities ?
    should I create a python script read all git files and create vulnerability and purl ?

@pombredanne
Copy link
Member

Here is some notes of today's sync: what if we were to file for a package (all versions) and another for the vulnerability (no package info there)?
See attached mock files:

@keshav-space keshav-space transferred this issue from aboutcode-org/vulnerablecode Nov 26, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants