Starting:
podman-compose -f deploy/compose/compose.yaml upConnect to PSQL:
env PGPASSWORD=eggs psql -U postgres -d huevos -h localhost -p 5432Import data:
cargo run --bin huevos-cli importer csaf --source ../trustification/data/ds1/csaf --db-user postgres --db-password eggs
cargo run --bin huevos-cli importer sbom --source ../trustification/data/ds1/sbom --db-user postgres --db-password eggsA package exists or it does not. Represented by a pURL. No source-tracking required.
Rework to Package. VersionedPackage. QualifiedVersionedPackage. and VersionRangePackage for vulnerable references. Plus appropriate junction tables.
Probably need a fancy CPE table structure. sigh. Or two+ tables (cpe22, cpe23) and a Product table. Platonic form of a product may have 0+ CPEs/pURLs. Platonic form of a product may have 0+ known hashable artifacts.
A CVE exists or it does not. Represented by an identifier. No source-tracking required.
A CWE exists or it does not. Represented by an identifier. No source-tracking required.
An Advisory exists or it does not. Represented by a location/hash/identifier. Source tracked from an Advisory Source.
There is probably always an advisory from NVD for every CVE.
Something like GHSA, Red Hat VEX, etc. Maybe? Based on source URL? Regexp! Still unsure here.
They should just point us towards first order advisories to ingest. OSV just tells us to look elsewhere. They are helpers not nouns.
Package Range + Advisory + CVE.
QualifiedPackage + Advisory + CVE.
Both impl'd for pURL and CPE.
hashed document that claims things about stuff. All package/product relationships exist only within the context of an SBOM making the claim.
CPE (Product?) and/or pURLs described by the SBOM