Good morning,
1. In terms of associating the metadata with an artifact, you're correct that you'd want to use the resource field when creating the occurrence. So for example, if you have a note representing a CVE, and a resource myimage:latest, you would create an occurrence associated with the CVE note, and with the resource field having the value myimage:latest.
2. In terms of querying, you'll want to use the filter field in the ListOccurrences request, and you'd implement a way of parsing that filter. For example, you can have a table where one column is the resource and another is the occurrence. When an occurrence is created, you store the resource in the resource column, and the full occurrence in the other. You then would allow for filters in the form of "resource=<some_value_here>". When you receive a filter with that value, you can parse out <some_value_here>, and search in your table with resources that have that value. There is no default implementation of filtering - it'll be based on your architecture, data storage, and use case. For Google's Artifact Analysis, we
https://google.aip.dev/160.
Shmuel
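A minimal sketch of the table-and-filter approach described in the message above, added as an example; it is not code from Grafeas or from the original message. The table layout, the `OccurrenceStore` class, the accepted filter grammar and the sample occurrences are all assumptions made for illustration. The filter is matched against one strict form and the extracted value is passed as a bound parameter, so filter text never becomes part of the SQL statement.

```python
import json
import re
import sqlite3

# Assumed grammar for this sketch: resource=<value> or resource="<value>", nothing else.
_FILTER_RE = re.compile(r'^\s*resource\s*=\s*(?:"([^"\\]+)"|([^\s"\'\\]+))\s*$')


class UnsupportedFilter(ValueError):
    """Raised when a filter is outside the single form this store accepts."""


def parse_filter(filter_str):
    """Return the resource value named by the filter, or raise UnsupportedFilter."""
    m = _FILTER_RE.match(filter_str)
    if m is None:
        raise UnsupportedFilter(filter_str)
    return m.group(1) or m.group(2)


class OccurrenceStore:
    """Hypothetical storage backend: one column for the resource, one for the occurrence."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE occurrences (resource TEXT NOT NULL, occurrence TEXT NOT NULL)")
        self.db.execute("CREATE INDEX idx_resource ON occurrences (resource)")

    def create_occurrence(self, occ):
        # Store the resource separately so it can be searched, plus the full occurrence.
        self.db.execute("INSERT INTO occurrences VALUES (?, ?)", (occ["resource"], json.dumps(occ)))

    def list_occurrences(self, filter_str=""):
        if not filter_str:
            rows = self.db.execute("SELECT occurrence FROM occurrences ORDER BY rowid")
        else:
            # Bound parameter: the parsed value is data, never SQL text.
            rows = self.db.execute(
                "SELECT occurrence FROM occurrences WHERE resource = ? ORDER BY rowid",
                (parse_filter(filter_str),))
        return [json.loads(r[0]) for r in rows]


def demo():
    """Build a store holding two constructed occurrences that share one CVE note."""
    store = OccurrenceStore()
    note = "projects/example/notes/CVE-PLACEHOLDER"  # constructed placeholder note name
    store.create_occurrence({"noteName": note, "resource": "myimage:latest"})
    store.create_occurrence({"noteName": note, "resource": "otherimage:1.0"})
    return store
```
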