guacsec / guac-visualizer

Visualizer for GUAC
https://guac.sh/

[bug] 422 using vault.json demo data #39

Closed BWhitfield closed 1 year ago

BWhitfield commented 1 year ago

Describe the bug: While running locally, requests to http://localhost:3000/api/graphql return with a 422 status.

To Reproduce: Steps to reproduce the behavior:

  1. Follow instructions on https://docs.guac.sh/expanding-your-view/
  2. Spin up the guac-visualizer
  3. Select:
     - Package Type: golang
     - Package Namespace: cloud.google.com
     - Package name: go
     - Package Version: v0.110.0[] (or any version really)

You should get the 422.

Screenshots: [image] [image]

GUAC version: guac 30321c71, guac-data 5f0ddb94, guac-visualizer 5d174e6e

Additional context: the request copied from inspect element is a POST to http://localhost:3000/api/graphql with operationName GetNeighbors.

pxp928 commented 1 year ago

Thanks for the bug report @BWhitfield. @shafeeshafee can you look into this more?

shafeeshafee commented 1 year ago

Yeah, let me take a look. Thanks for the heads up on this, @BWhitfield.

BWhitfield commented 1 year ago

I checked it out this morning and saw this in the response:

[image]

When I tried to run graphql-codegen, I got the following error:

[image]

When I removed the annotations block from the pkg/assembler/graphql/examples/has_sbom.gql file, the codegen was successful and the visualizer was no longer tossing 422s.

pxp928 commented 1 year ago

> I checked it out this morning and saw this in the response:
>
> [image]
>
> When I tried to run graphql-codegen, I got the following error:
>
> [image]
>
> When I removed the annotations block from the pkg/assembler/graphql/examples/has_sbom.gql file, the codegen was successful and the visualizer was no longer tossing 422s.

Yes, good catch! We recently changed the GraphQL schema on the main guac project to remove annotations from the HasSBOM node and did not update the codegen here on the visualizer.

pxp928 commented 1 year ago

@BWhitfield this issue has been fixed with #40.

krumware commented 1 year ago

Is there anything additional that needs to be done after cloning for this? I seem to be experiencing the issue on a fresh clone today. I'm using fresh clones of guac, guac-data, and guac-visualizer.

[image]

{
    "errors": [
        {
            "message": "Unknown type \"OSV\".",
            "locations": [
                {
                    "line": 20,
                    "column": 9
                }
            ],
            "extensions": {
                "code": "GRAPHQL_VALIDATION_FAILED"
            }
        },
        {
            "message": "Unknown type \"CVE\".",
            "locations": [
                {
                    "line": 24,
                    "column": 9
                }
            ],
            "extensions": {
                "code": "GRAPHQL_VALIDATION_FAILED"
            }
        },
        {
            "message": "Unknown type \"GHSA\".",
            "locations": [
                {
                    "line": 28,
                    "column": 9
                }
            ],
            "extensions": {
                "code": "GRAPHQL_VALIDATION_FAILED"
            }
        },
        {
            "message": "Unknown type \"NoVuln\".",
            "locations": [
                {
                    "line": 32,
                    "column": 9
                }
            ],
            "extensions": {
                "code": "GRAPHQL_VALIDATION_FAILED"
            }
        },
        {
            "message": "Unknown type \"CVE\".",
            "locations": [
                {
                    "line": 415,
                    "column": 9
                }
            ],
            "extensions": {
                "code": "GRAPHQL_VALIDATION_FAILED"
            }
        },
        {
            "message": "Unknown type \"OSV\".",
            "locations": [
                {
                    "line": 419,
                    "column": 9
                }
            ],
            "extensions": {
                "code": "GRAPHQL_VALIDATION_FAILED"
            }
        },
        {
            "message": "Unknown type \"GHSA\".",
            "locations": [
                {
                    "line": 423,
                    "column": 9
                }
            ],
            "extensions": {
                "code": "GRAPHQL_VALIDATION_FAILED"
            }
        },
        {
            "message": "Unknown type \"NoVuln\".",
            "locations": [
                {
                    "line": 427,
                    "column": 9
                }
            ],
            "extensions": {
                "code": "GRAPHQL_VALIDATION_FAILED"
            }
        },
        {
            "message": "Unknown type \"CVE\".",
            "locations": [
                {
                    "line": 453,
                    "column": 9
                }
            ],
            "extensions": {
                "code": "GRAPHQL_VALIDATION_FAILED"
            }
        },
        {
            "message": "Unknown type \"GHSA\".",
            "locations": [
                {
                    "line": 457,
                    "column": 9
                }
            ],
            "extensions": {
                "code": "GRAPHQL_VALIDATION_FAILED"
            }
        },
        {
            "message": "Unknown type \"IsVulnerability\".",
            "locations": [
                {
                    "line": 84,
                    "column": 9
                }
            ],
            "extensions": {
                "code": "GRAPHQL_VALIDATION_FAILED"
            }
        },
        {
            "message": "Unknown type \"CVE\".",
            "locations": [
                {
                    "line": 483,
                    "column": 9
                }
            ],
            "extensions": {
                "code": "GRAPHQL_VALIDATION_FAILED"
            }
        },
        {
            "message": "Unknown type \"GHSA\".",
            "locations": [
                {
                    "line": 487,
                    "column": 9
                }
            ],
            "extensions": {
                "code": "GRAPHQL_VALIDATION_FAILED"
            }
        },
        {
            "message": "Unknown type \"OSV\".",
            "locations": [
                {
                    "line": 491,
                    "column": 9
                }
            ],
            "extensions": {
                "code": "GRAPHQL_VALIDATION_FAILED"
            }
        },
        {
            "message": "Unknown type \"CVE\".",
            "locations": [
                {
                    "line": 151,
                    "column": 1
                }
            ],
            "extensions": {
                "code": "GRAPHQL_VALIDATION_FAILED"
            }
        },
        {
            "message": "Unknown type \"OSV\".",
            "locations": [
                {
                    "line": 158,
                    "column": 1
                }
            ],
            "extensions": {
                "code": "GRAPHQL_VALIDATION_FAILED"
            }
        },
        {
            "message": "Unknown type \"GHSA\". Did you mean \"SLSA\"?",
            "locations": [
                {
                    "line": 164,
                    "column": 1
                }
            ],
            "extensions": {
                "code": "GRAPHQL_VALIDATION_FAILED"
            }
        },
        {
            "message": "Unknown type \"CVE\".",
            "locations": [
                {
                    "line": 415,
                    "column": 9
                }
            ],
            "extensions": {
                "code": "GRAPHQL_VALIDATION_FAILED"
            }
        },
        {
            "message": "Unknown type \"OSV\".",
            "locations": [
                {
                    "line": 419,
                    "column": 9
                }
            ],
            "extensions": {
                "code": "GRAPHQL_VALIDATION_FAILED"
            }
        },
        {
            "message": "Unknown type \"GHSA\".",
            "locations": [
                {
                    "line": 423,
                    "column": 9
                }
            ],
            "extensions": {
                "code": "GRAPHQL_VALIDATION_FAILED"
            }
        },
        {
            "message": "Unknown type \"NoVuln\".",
            "locations": [
                {
                    "line": 427,
                    "column": 9
                }
            ],
            "extensions": {
                "code": "GRAPHQL_VALIDATION_FAILED"
            }
        },
        {
            "message": "Unknown type \"CVE\".",
            "locations": [
                {
                    "line": 453,
                    "column": 9
                }
            ],
            "extensions": {
                "code": "GRAPHQL_VALIDATION_FAILED"
            }
        },
        {
            "message": "Unknown type \"GHSA\".",
            "locations": [
                {
                    "line": 457,
                    "column": 9
                }
            ],
            "extensions": {
                "code": "GRAPHQL_VALIDATION_FAILED"
            }
        },
        {
            "message": "Unknown type \"IsVulnerability\". Did you mean \"Vulnerability\", \"VulnerabilityID\", or \"VulnerabilitySpec\"?",
            "locations": [
                {
                    "line": 445,
                    "column": 1
                }
            ],
            "extensions": {
                "code": "GRAPHQL_VALIDATION_FAILED"
            }
        },
        {
            "message": "Unknown type \"CVE\".",
            "locations": [
                {
                    "line": 483,
                    "column": 9
                }
            ],
            "extensions": {
                "code": "GRAPHQL_VALIDATION_FAILED"
            }
        },
        {
            "message": "Unknown type \"GHSA\".",
            "locations": [
                {
                    "line": 487,
                    "column": 9
                }
            ],
            "extensions": {
                "code": "GRAPHQL_VALIDATION_FAILED"
            }
        },
        {
            "message": "Unknown type \"OSV\".",
            "locations": [
                {
                    "line": 491,
                    "column": 9
                }
            ],
            "extensions": {
                "code": "GRAPHQL_VALIDATION_FAILED"
            }
        }
    ],
    "data": null
}

pxp928 commented 1 year ago

@krumware we just updated the GraphQL API, which is causing a mismatch between the visualizer and guac (on main). We have open PRs to update the docs to use the released versions so that this does not happen. Please see PR https://github.com/guacsec/guac-docs/pull/88 and https://github.com/guacsec/guac-docs/pull/89 for how to use the released version of guac and the visualizer.
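The drift described in this thread (the visualizer's GetNeighbors document still naming OSV/CVE types and the `annotations` field on HasSBOM after the server schema dropped them) can be caught before shipping with a small pre-flight check like the one below. This is an added example, not guac-visualizer or guac code: the server type snapshot and the query excerpt are constructed to mirror the errors reported above, and in a real run the snapshot would be built from the server's introspection response.

```python
"""Pre-flight check that a client GraphQL document only names types and fields
the server still exposes.  Added example, not guac-visualizer or guac code."""
import re

# Constructed post-change server types ("type -> fields"): the separate
# OSV/CVE node types are gone and HasSBOM no longer carries `annotations`.
SERVER_TYPES = {
    "Package": {"id", "type", "namespaces"},
    "HasSBOM": {"id", "uri", "algorithm", "digest", "origin", "collector"},
}

# Constructed excerpt of the GetNeighbors document, cut down to what breaks.
CLIENT_QUERY = """
query GetNeighbors($nodeId: ID!, $edges: [Edge!]!) {
  neighbors(node: $nodeId, usingOnly: $edges) {
    ... on Package { ...allPkgTree }
    ... on OSV { ...allOSVTree }
    ... on CVE { id year cveId }
    ... on HasSBOM { ...allHasSBOMTree }
  }
}
fragment allPkgTree on Package { id type namespaces { id namespace } }
fragment allOSVTree on OSV { id osvId }
fragment allHasSBOMTree on HasSBOM {
  id uri algorithm digest annotations { key value } origin collector
}
"""

TYPE_COND = re.compile(r"(?:fragment\s+\w+|\.\.\.)\s+on\s+(\w+)")
FRAGMENT = re.compile(r"fragment\s+(\w+)\s+on\s+(\w+)\s*\{")

def unknown_types(doc, schema):
    """Types named by `... on T` / `fragment F on T` that the schema lacks."""
    return sorted({t for t in TYPE_COND.findall(doc) if t not in schema})

def top_level_fields(doc, start):
    """Fields selected directly inside the selection set whose `{` is doc[start].
    Nested sets and argument lists are skipped; spreads, __typename and the
    type name after an inline fragment's `on` are dropped from the result."""
    depth, paren, tok, raw = 0, 0, "", []
    for c in doc[start:]:
        paren += (c == "(") - (c == ")")
        if paren or c in "()":
            continue                      # inside an argument list: ignore
        if depth == 1 and (c.isalnum() or c in "_."):
            tok += c
            continue
        if tok:                           # any other char ends the token
            raw.append(tok)
            tok = ""
        if c in "{}":
            depth += 1 if c == "{" else -1
            if depth == 0:
                break
    fields, skip = [], False
    for t in raw:
        if skip: skip = False             # type name following `on`
        elif t == "on": skip = True
        elif not t.startswith((".", "__")): fields.append(t)
    return fields

def unknown_fields(doc, schema):
    """(fragment, type, field) triples where a named fragment selects a field
    its type no longer has; types missing altogether are unknown_types' job."""
    return [(m[1], m[2], f) for m in FRAGMENT.finditer(doc) if m[2] in schema
            for f in top_level_fields(doc, m.end() - 1) if f not in schema[m[2]]]
```

Running both checks against the real document and a fresh introspection snapshot in CI would have flagged the OSV/CVE conditions and the HasSBOM annotations field before the 422s reached users.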

krumware commented 1 year ago

Ah, I just have poor timing. Looks like the docs updates are addressing what got me there as well, with the cloning and making vs using the binary. Thank you!