API server for trusted content (TC).
See this repository
Running:
cargo run -- run -p 8080Usage:
curl --json '["pkg:maven/org.quarkus/quarkus@1.2"]' http://localhost:8080/api/packageStart guac:
podman run -p 8080:8080 -ti ghcr.io/xkcd-2347/guac:latest gql-server --gql-debugIngest test SBOMs:
podman run --net=host -v $PWD/data/files:/data:Z --rm -ti ghcr.io/xkcd-2347/guac:latest files /dataRun certifier:
podman run --net=host --rm -ti ghcr.io/xkcd-2347/guac:latest osv -p=falseRun the API server:
cargo run -- run -p 8081You can also run the API server using a container:
podman run --net=host -ti ghcr.io/xkcd-2347/trust-api:latest run -p 8081If snyk-org and snyk-token parameters are provided, the api/package call will check purl vulnerabilities in Snyk (on top of Guac).
cargo run -- run -p 8080 --snyk-org=63884128-5f57-4752-b9c0-9d0882873bf4 --snyk-token=<TOKEN>curl --json '["pkg:oci/registry.redhat.io/ubi9@sha256:cb303404e576ff5528d4f08b12ad85fab8f61fa9e5dba67b37b119db24865df3"]' http://localhost:8081/api/package/dependencies | jqcurl --json '["pkg:rpm/redhat/openssl@1.1.1k-7.el8_6?arch=x86_64&epoch=1"]' http://localhost:8081/api/package | jqcurl -s "http://localhost:8081/api/vulnerability?cve=cve-2023-0286" | jqcurl --json '["pkg:maven/io.quarkus/quarkus-vertx@2.16.2.Final?type=jar"]' http://localhost:8081/api/package | jqcurl --json '["pkg:maven/io.vertx/vertx-web@4.3.7"]' http://localhost:8081/api/package/dependents | jqcurl --json '["pkg:maven/io.vertx/vertx-web@4.3.7"]' http://localhost:8081/api/package/dependencies | jqcurl --json '["pkg:maven/io.vertx/vertx-web"]' http://localhost:8081/api/package/search | jq