Basics of Grafeas


Prakash

Feb 15, 2023, 1:59:17 PM
to Grafeas Users
Hello Team,

I came across the Grafeas and was wondering if there are any sample examples on how to use it.
My use case is
CodeCommit-->PR Review-->Build generation-->Artifact Storing.

Basically I want to back trace if a particular binary in the JFROG Artifactory with its code commit.

Can Grafeas be used here? If yes, how do I use it, as it has clients as well as a server? Additionally the clients are in Java, Go and some examples of REST API to .

Do I use the curl command with the REST API in the build pipelines, or how do I use it?

Any information on it would be useful.

Thanks
Prakash



Wiktor Kozlik

Feb 15, 2023, 3:42:18 PM
to Grafeas Users
Hi Prakash,

It seems that what you describe is about generating and storing build provenance, similar to what Google Cloud Build provides: https://cloud.google.com/build/docs/securing-builds/view-build-provenance
Behind the scenes GCP uses a hosted implementation of Grafeas called the Container Analysis API (https://cloud.google.com/container-analysis/docs/reference/rest), which you can use directly even if you are not using GCP Cloud Build.

Thanks,
Wiktor

Prakash Rungta

Feb 15, 2023, 8:58:32 PM
to Wiktor Kozlik, Grafeas Users
Hi Wiktor,

Appreciate your response.
I am looking for an on-premise solution.

I believe there is an open source Grafeas server. However I see there are client libraries in Java, Go, etc.

We are using JFrog Artifactory and many more tools to store artifacts. As mentioned earlier I am looking to backtrack any artifact to the source code commits.

The difficulty I'm facing is how and where I should consume the Grafeas API. Any simple sample examples for it? There is extensive documentation of the API but it doesn't make sense if I am just a novice in this area.

Thanks for your help and support. Looking forward to hearing from you. 


Thanks
Prakash


Prakash Rungta

Feb 17, 2023, 9:02:15 AM
to Wiktor Kozlik, Grafeas Users
Hello Team,

I would appreciate it if anyone could respond.

Thanks
Prakash

Wiktor Kozlik

Feb 17, 2023, 10:03:25 AM
to Grafeas Users
Hi Prakash,

The open source Grafeas server is a basic reference implementation that is unlikely to be suitable in a production environment.

I am not aware of any examples of using Grafeas with JFrog Artifactory. At a high level the Grafeas API is a structured CRUD application, so you would effectively be looking at a few methods initially: CreateNote, CreateOccurrence, and ListOccurrences. I am guessing that you would need to use the BUILD Note Kind for capturing the build provenance.

You can find basic information about using a Java client library at https://github.com/grafeas/client-java#getting-started.

Thanks,
Wiktor

Aditya Mahendrakar

Feb 17, 2023, 11:55:11 AM
to Grafeas Users
Hi Prakash,

At a high level, you could create notes/occurrences at every stage in the SDLC such as the source code repository (GitHub/GitLab, etc.), build system (GitHub Actions, GitLab runners, etc.) and artifact store (in your case JFrog Artifactory). This would require writing a plugin/script/addon for whatever tool you are using, which can invoke the appropriate Grafeas APIs. You would need some way to tie together the occurrences pertaining to one artifact.
There was a related talk at CloudNativeSecurityCon earlier in February (disclaimer: presented by our team 🙂) which discusses some of these concepts; provenance check details are mentioned at https://youtu.be/6Zz798IW8Gs?t=735
You can also explore https://github.com/grafeas/grafeas/blob/master/proto/v1/slsa_provenance.proto, which references concepts mentioned in https://slsa.dev/provenance/v0.2, and determine if you can map your data to the SLSA provenance specs.
To make the Grafeas server production ready, you'll have to think about and incorporate the standard practices such as load balancing, rate limiting, and a database which can scale based on your needs and has replicas to handle failover or reduce latency.

Thanks,
-aditya


Aditya Sirish A Yelgundhalli

Feb 17, 2023, 12:14:52 PM
to grafea...@googlegroups.com

Hey!

Adding on to what Aditya mentioned in the last email, you may want to look at in-toto attestations (https://github.com/in-toto/attestation) for the stages of your pipeline you want to record, which you can plug into Grafeas as occurrences. Note: I'm one of the maintainers of in-toto, happy to chat about anything specific to attestations.

Thanks,
(the other) Aditya


ovi...@ghinet.ch

Feb 18, 2023, 10:03:15 AM
to Grafeas Users
@Prakash:

There are multiple ways this can be achieved:
* build provenance records the commitID in relatedUrl or other relatedNoteNames
* record occurrences of some type for the checksums of the artifact produced (you might need to check what checksums Artifactory supports and record those additionally in the buildProvenance)


There are 3 pillars in software supply chain security in my view:

1. commitID
2. artifactChecksum
3. deploymentID

You want to record notes and occurrences that would also record the information about the linkage with at least one extra pillar
(example: record the commitID linkage in the note/occurrence attesting the artifact being produced in a trusted environment.)

Now any attributes about any of the 3 pillars can be created as additional attestations attesting that a part of a process happened.

Example: add an attestation that a commitID was reviewed for the resourceUri of the commitID, perhaps...

(There must be some component you would write in-house that will go and check if a commitID was reviewed and record the notes described above.)

Another idea could be to use the VULNERABILITY note kind to mark the commits that were not reviewed as vulnerable.

(That would depend on your internal policy guidelines, for example something in the spirit of https://cwe.mitre.org/data/definitions/710.html.)

Everything mentioned above would work on an instance of Grafeas that has some filtering implemented.
(The current reference implementation does not have a filtering implementation.)



@Wiktor


I have noticed that even if the project went into a period of focus, a lot of work got done but community calls were missing.
This might have portrayed an incomplete picture in regards to the pulse of the project.

I personally want to thank all the Grafeas contributors that contributed in the last several months, as I have noticed that important topics from Software Supply Chain Security are still incorporated very fast into the Grafeas proto files, which allowed me to still be proud to have chosen Grafeas.

I would also like to understand if there were any Leadership or Governance structure changes for the Grafeas Open Source project.

Perhaps the first question is: 
when will the next Grafeas community call be?
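As an added example (not code from this thread or from the Grafeas project), the following Python builds the Grafeas v1 JSON payloads that Wiktor's CreateNote/CreateOccurrence flow and Ovidiu's three-pillar linkage describe: one BUILD note for the build system, a BUILD occurrence that records both the artifact checksum and the source commitID, and a DEPLOYMENT occurrence that points at the same artifact URI. Because the reference server has no filtering, the lookup functions filter a ListOccurrences result client-side to trace a checksum or a deployment ID back to its commit. The field names follow the Grafeas v1 REST/proto layout as I understand it (BuildNote, BuildProvenance, DeploymentOccurrence); the server URL, project ID, note IDs and all sample values are constructed placeholders.

```python
"""Added example: Grafeas v1 payloads linking commitID, artifact checksum and
deployment ID, plus client-side back-tracing over listed occurrences.

Assumptions: field names follow the Grafeas v1 REST/proto layout as the author
understands it; GRAFEAS_URL, PROJECT, note IDs and sample data are placeholders.
"""
import json
import urllib.request

GRAFEAS_URL = "http://localhost:8080"   # placeholder: your Grafeas server
PROJECT = "projects/acme-supply-chain"  # placeholder project resource name


def build_note(note_id: str, builder_version: str) -> dict:
    """BUILD-kind note: one per build system, referenced by every build occurrence."""
    return {
        "name": f"{PROJECT}/notes/{note_id}",
        "kind": "BUILD",
        "shortDescription": "Build provenance recorded by the CI system",
        "build": {"builderVersion": builder_version},
    }


def build_occurrence(note_id, build_id, artifact_uri, sha256, repo_url, commit_id) -> dict:
    """BUILD occurrence: ties the produced artifact (checksum) to the source commit."""
    return {
        "resourceUri": artifact_uri,
        "noteName": f"{PROJECT}/notes/{note_id}",
        "kind": "BUILD",
        "build": {
            "provenance": {
                "id": build_id,
                "builtArtifacts": [{"checksum": f"sha256:{sha256}", "id": artifact_uri}],
                "sourceProvenance": {
                    "context": {"git": {"url": repo_url, "revisionId": commit_id}}
                },
            }
        },
    }


def deployment_occurrence(note_id, deployment_id, artifact_uri) -> dict:
    """DEPLOYMENT occurrence: records which artifact URI was rolled out under this ID."""
    return {
        "resourceUri": artifact_uri,
        "noteName": f"{PROJECT}/notes/{note_id}",
        "kind": "DEPLOYMENT",
        "deployment": {"address": deployment_id, "resourceUri": [artifact_uri]},
    }


def commit_for_checksum(occurrences, sha256):
    """Client-side filter (the reference server has none): return the commit ID
    whose build produced an artifact with this checksum, or None."""
    want = f"sha256:{sha256}"
    for occ in occurrences:
        if occ.get("kind") != "BUILD":
            continue
        prov = occ["build"]["provenance"]
        if any(a.get("checksum") == want for a in prov.get("builtArtifacts", [])):
            return prov["sourceProvenance"]["context"]["git"]["revisionId"]
    return None


def trace_deployment(occurrences, deployment_id):
    """Deployment ID -> artifact URI -> checksum -> commit ID, or None if unlinked."""
    for occ in occurrences:
        if occ.get("kind") == "DEPLOYMENT" and occ["deployment"]["address"] == deployment_id:
            deployed = set(occ["deployment"]["resourceUri"])
            for b in occurrences:
                if b.get("kind") == "BUILD" and b["resourceUri"] in deployed:
                    prov = b["build"]["provenance"]
                    return {
                        "artifact": b["resourceUri"],
                        "checksum": prov["builtArtifacts"][0]["checksum"],
                        "commit": prov["sourceProvenance"]["context"]["git"]["revisionId"],
                    }
    return None


def post_json(path, payload):
    """POST a note or occurrence to the REST API (needs a reachable server)."""
    req = urllib.request.Request(f"{GRAFEAS_URL}/v1/{path}", data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample data standing in for a ListOccurrences response.
SAMPLE_SHA = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
ARTIFACT = "https://artifactory.example/repo/app-1.4.2.jar"
SAMPLE_OCCURRENCES = [
    build_occurrence("teamcity-build", "build-1234", ARTIFACT, SAMPLE_SHA,
                     "https://git.example/acme/app.git", "a1b2c3d4e5f6"),
    deployment_occurrence("prod-deploy", "release-2023.02.20", ARTIFACT),
]

if __name__ == "__main__":
    print(json.dumps(build_note("teamcity-build", "TeamCity 2022.10"), indent=2))
    print(commit_for_checksum(SAMPLE_OCCURRENCES, SAMPLE_SHA))
    print(trace_deployment(SAMPLE_OCCURRENCES, "release-2023.02.20"))
    # With a live server, the note is created with the noteId query parameter
    # and each occurrence is posted to the project's occurrences collection:
    # post_json(f"{PROJECT}/notes?noteId=teamcity-build", build_note("teamcity-build", "TeamCity 2022.10"))
    # post_json(f"{PROJECT}/occurrences", SAMPLE_OCCURRENCES[0])
```

The tying piece here is the artifact URI: the BUILD occurrence's resourceUri and the DEPLOYMENT occurrence's resourceUri list both name it, so a deployment resolves to an artifact and the artifact's build provenance resolves to the commit. Each build gets its own occurrence rather than updating a shared one, which keeps the history of many builds per project intact.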

Prakash

Feb 20, 2023, 11:12:10 AM
to Grafeas Users
Hi Aditya , Aditya Sirish and Ovidiu,

Thank you so much for responding to me. I appreciate the information shared.

The reason I am interested in Grafeas: currently my organization's need is to ensure that whatever is deployed in production, we can trace it back through the various stages of deployment along with the artifact storage, build etc. and commits (binary traceability) for legal compliance and enforcement of policies etc., which I had mentioned.
And the above ask is not for one pipeline, but a generic approach applicable org wide across products, hence Grafeas.

Over the weekend I did set up the Grafeas server without a database, as PostgreSQL was giving an error in the installation, and tried the Postman examples to evaluate my business case.
So far I understood that Grafeas acts as a kind of model and can store the metadata in a standardized format, thereby making it tool independent [I meant TeamCity, Jenkins, etc. to name a few]. However it will still be the responsibility of the SDLC pipeline to correlate and furnish the data as per the Grafeas model. Later on this data can be used by Kritis in enforcing any policies [though I am yet to explore it, I read/listened to it in the InfoQ talks].

Have any of the major tool providers partnered with Grafeas so that they can themselves provide the data to the Grafeas server, so that the client-side development effort can be saved and Grafeas becomes widely accepted? (I did read about the JFrog partnership but couldn't find more: https://leap.jfrog.com/WN2017-ImplementingaSingleSourceofTruthinaHybridCloudWorld_RegistrationPage.html). Does anyone have more details?


Ovidiu ,

Thanks for listing the more technical details. The current data model that I am working on also has commitId, artifactCheckSum and deploymentId (a.k.a. release no. etc.) along with many more variables.
Scenario: assume a developer commits the code on a regular basis and there are multiple commits ---> then the build system (TeamCity etc.) will build the code (may involve several builds) ---> push it to the Artifactory system/binary retention system ---> (may involve image creation too etc.). Then during the deployment, artifacts/images are pulled.
Per my understanding the tying piece in all of this would be the project. Am I right? Or can the same BUILD kind be updated multiple times with commit information, and how would the DEPLOYMENT be tied to the BUILD when over the long run there can be multiple builds and artifacts? Maybe I am missing something.

Thanks
Prakash

Wiktor Kozlik

Feb 21, 2023, 4:05:06 PM
to Prakash, Grafeas Users
Hi Ovidiu,

It is true that it's been a while since the last community call. We're planning to set up the next Grafeas community call by the end of Q1 2023. I'll post an announcement soon.

Thanks,
Wiktor


