guac
GUAC aggregates software security metadata into a high fidelity graph database.
# Description of the PR Included pagination for queries in KeyValue, and fixed the tests. Part of issue https://github.com/guacsec/guac/issues/1525 Same as https://github.com/guacsec/guac/pull/1901 # PR Checklist - [ ] All commits...
**Is your feature request related to a problem? Please describe.** Currently, the CDX parser appends all dependencies to the top level package which may be inaccurate: https://github.com/guacsec/guac/blob/main/pkg/ingestor/parser/cyclonedx/parser_cyclonedx.go#L243-L262 Instead, this needs...
## Background Currently, GUAC is calculating the OpenSSF Scorecard scores directly using the Scorecard library. This requires having a GitHub token to access the repository data. However, there are cases...
Official vote documentation for the following folks who've done great contributions to GUAC! (some of these were agreed upon/announced before, so this is a bit retroactive) - Dejan Bosanac (https://github.com/dejanb)...
**Describe the bug** ``` # Setting noVuln to true return all packages that have no vulnerabilities # Setting noVuln to false return all packages with vulnerabilities query CertifyNoVuln { CertifyVuln(certifyVulnSpec:...
**Describe the bug** After a large dataset is ingested, the OSV certifier and others that query for all packages hit the PostgreSQL 65535 parameters limit: ``` go run ./cmd/guacone certifier...
**Is your feature request related to a problem? Please describe.** Currently, the certifier query for all `packages` (for [osv](https://github.com/guacsec/guac/blob/main/pkg/certifier/components/root_package/root_package.go#L127-L182)) and `sources` (for [scorecard](https://github.com/guacsec/guac/blob/main/pkg/certifier/components/source/source.go#L50-L96)). After the packages are obtained, a neighbors...
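The bug report and the feature request above describe the same failure mode: a certifier that asks the backend for every package in one statement binds one parameter per ID, and PostgreSQL's extended query protocol carries the bind-parameter count in a 16-bit field, so the statement is rejected once the dataset exceeds 65535 rows. The following Go program is an added example, not GUAC's own code, that reproduces the rejection against an in-memory stand-in for PostgreSQL and shows the paged workaround: the ID list is split into pages sized from the per-row parameter count, and one bounded `IN (...)` statement is issued per page. The `fakeDB` type, the `packages` table shape, and the `pkg-NNNNNN` IDs are assumptions made for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
)

// PostgreSQL's extended query protocol carries the bind-parameter count in
// a 16-bit field, so one statement can bind at most 65535 values.
const pgMaxParams = 65535

// errTooManyParams stands in for the driver error on an oversized statement.
var errTooManyParams = errors.New("statement exceeds 65535 bind parameters")

// fakeDB is a stand-in for PostgreSQL (assumption, not GUAC's backend): it
// holds package rows by ID and enforces the limit so the bug reproduces offline.
type fakeDB struct {
	rows    map[string]string // package ID -> purl
	queries int               // statements executed
}

// constructedIDs returns n synthetic package IDs (sample data, not real).
func constructedIDs(n int) []string {
	ids := make([]string, n)
	for i := range ids {
		ids[i] = fmt.Sprintf("pkg-%06d", i)
	}
	return ids
}

// newFakeDB seeds n constructed rows.
func newFakeDB(n int) *fakeDB {
	db := &fakeDB{rows: make(map[string]string, n)}
	for _, id := range constructedIDs(n) {
		db.rows[id] = "pkg:guac/example/" + id
	}
	return db
}

// queryByIDs emulates `SELECT id, purl FROM packages WHERE id IN ($1, ..., $n)`
// with one bound parameter per ID.
func (db *fakeDB) queryByIDs(ids []string) (map[string]string, error) {
	if len(ids) > pgMaxParams {
		return nil, errTooManyParams
	}
	db.queries++
	out := make(map[string]string, len(ids))
	for _, id := range ids {
		if purl, ok := db.rows[id]; ok {
			out[id] = purl
		}
	}
	return out, nil
}

// batchSize is the largest page size with paramsPerRow*page <= pgMaxParams,
// e.g. 21845 rows when each row binds three values (name, namespace, version).
func batchSize(paramsPerRow int) int {
	if paramsPerRow < 1 {
		paramsPerRow = 1
	}
	return pgMaxParams / paramsPerRow
}

// chunk splits ids into consecutive pages of at most n, preserving order.
func chunk(ids []string, n int) [][]string {
	if n < 1 {
		n = 1
	}
	var pages [][]string
	for len(ids) > n {
		pages = append(pages, ids[:n])
		ids = ids[n:]
	}
	if len(ids) > 0 {
		pages = append(pages, ids)
	}
	return pages
}

// fetchAllPackages is the paged variant of "query all packages": one bounded
// IN (...) statement per page, results merged by ID.
func fetchAllPackages(db *fakeDB, ids []string) (map[string]string, error) {
	result := make(map[string]string, len(ids))
	for _, page := range chunk(ids, batchSize(1)) {
		rows, err := db.queryByIDs(page)
		if err != nil {
			return nil, fmt.Errorf("page of %d ids: %w", len(page), err)
		}
		for id, purl := range rows {
			result[id] = purl
		}
	}
	return result, nil
}

func main() {
	const n = 70000 // more IDs than a single statement may bind
	db := newFakeDB(n)
	ids := constructedIDs(n)
	_, err := db.queryByIDs(ids) // unpaged path: fails once the dataset is large
	fmt.Println("single statement:", err)
	all, err := fetchAllPackages(db, ids)
	fmt.Printf("paged: %d rows in %d statements, err=%v\n", len(all), db.queries, err)
}
```

With 70000 IDs the unpaged call is refused and the paged call completes in two statements (65535 + 4465 parameters). `batchSize` is keyed on the number of parameters each row contributes so the same helper works for statements that bind several columns per row; keep the page well below the ceiling in practice to leave room for any fixed parameters the statement also binds.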
SPDX 3.0 was officially released on April 16, 2024. We should get support into GUAC for when we start getting SBOMs that follow the new specification.
# Description of the PR As I was removing the version range from deps.dev collector, I noticed that I made a mistake when quantifying the `direct` vs `indirect`. While I...
# Description of the PR Fixes #2016 Fixes #2015 Updated known command for hasSBOM to check for packages with attached artifacts having sboms. Updated getSlsaEntity to use subjects uri as...