
Add CertifyLegal to query known package #2254

Conversation

@robert-cronin (Collaborator) commented Nov 4, 2024

Description of the PR

Fixes #2253

Example using the demo stack and demo docs, after collection with the --add-license-on-ingest flag set:

❯ go run ./cmd/guacone/main.go query known package "pkg:maven/org.apache.logging.log4j/[email protected]"

{"level":"info","ts":1730698004.0871081,"caller":"logging/logger.go:79","msg":"Logging at info level","guac-version":"v0.0.1-custom"}
{"level":"info","ts":1730698004.087162,"caller":"cli/init.go:65","msg":"Using config file: /home/rob/go/src/guacsec/guac/guac.yaml","guac-version":"v0.0.1-custom"}
+------------------------------------------------+
| Package Name Nodes                             |
+-----------+-----------+------------------------+
| NODE TYPE | NODE ID # | ADDITIONAL INFORMATION |
+-----------+-----------+------------------------+
+-----------+-----------+------------------------+
Visualizer url: http://localhost:3000/?path=25409,25408,4450
+----------------------------------------------------------------------------------------------+
| Package Version Nodes                                                                        |
+--------------+-----------+-------------------------------------------------------------------+
| NODE TYPE    | NODE ID # | ADDITIONAL INFORMATION                                            |
+--------------+-----------+-------------------------------------------------------------------+
| hasSrcAt     | 167073    | Source: sourcearchive+https://org.apache.logging.log4j/log4j-core |
+--------------+-----------+-------------------------------------------------------------------+
| certifyVuln  | 41980     | vulnerability ID: ghsa-7rjr-3q55-vv33                             |
| certifyVuln  | 41981     | vulnerability ID: ghsa-8489-44mv-ggj8                             |
| certifyVuln  | 41982     | vulnerability ID: ghsa-fxph-q3j8-mv87                             |
| certifyVuln  | 41983     | vulnerability ID: ghsa-jfh8-c2jp-5v3q                             |
| certifyVuln  | 41984     | vulnerability ID: ghsa-p6xc-xr62-6r2g                             |
| certifyVuln  | 41985     | vulnerability ID: ghsa-vwqq-5vrc-xw9h                             |
| certifyVuln  | 166892    | vulnerability ID: ghsa-7rjr-3q55-vv33                             |
| certifyVuln  | 166893    | vulnerability ID: ghsa-8489-44mv-ggj8                             |
| certifyVuln  | 166894    | vulnerability ID: ghsa-fxph-q3j8-mv87                             |
| certifyVuln  | 166895    | vulnerability ID: ghsa-jfh8-c2jp-5v3q                             |
| certifyVuln  | 166896    | vulnerability ID: ghsa-p6xc-xr62-6r2g                             |
| certifyVuln  | 166897    | vulnerability ID: ghsa-vwqq-5vrc-xw9h                             |
+--------------+-----------+-------------------------------------------------------------------+
| certifyLegal | 42719     | declared: NONE, discovered: NONE                                  |
| certifyLegal | 167585    | declared: Apache-2.0, discovered: Apache-2.0                      |
+--------------+-----------+-------------------------------------------------------------------+
| hasSBOM      | 183697    | SBOM Download Location: deps.dev                                  |
+--------------+-----------+-------------------------------------------------------------------+
Visualizer url: http://localhost:3000/?path=25410,25409,25408,4450,167073,41980,41981,41982,41983,41984,41985,166892,166893,166894,166895,166896,166897,183697,42719,167585

PR Checklist

  • All commits have a Developer Certificate of Origin (DCO) -- they are generated using -s flag to git commit.
  • All new changes are covered by tests
  • If GraphQL schema is changed, make generate has been run
  • If GraphQL schema is changed, GraphQL client updates/additions have been made
  • If OpenAPI spec is changed, make generate has been run
  • If ent schema is changed, make generate has been run
  • If collectsub protobuf has been changed, make proto has been run
  • All CI checks are passing (tests and formatting)
  • All dependent PRs have already been merged
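The certifyLegal rows in the output above carry two license facts per package version: what the package declares and what a scanner discovered. The following is an added example, not code from the GUAC project or from this PR, of what a consumer would do with those rows once they are queryable. It holds the GraphQL document you would POST to the --gql-addr endpoint (the CertifyLegal field, the CertifyLegalSpec argument and the subject.package spec shape are assumed from the GUAC schema and should be checked against the deployed server), decodes a constructed response shaped like the two rows above plus a third hypothetical node (id 900001, declared MIT but discovered GPL-3.0-only), and applies three checks a supply-chain reviewer cares about: no license evidence at all (the NONE/NONE row), declared and discovered disagreeing, and identifiers outside an allow-list. The NONE literal is taken from the demo output; the JSON field names, the helper names and the sample data are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// certifyLegalQuery is the GraphQL document to POST to the GUAC server (the
// --gql-addr endpoint). Field and argument names are assumed from the GUAC
// schema, not taken from this PR; verify them against the deployed schema.
const certifyLegalQuery = `query ($spec: CertifyLegalSpec!) {
  CertifyLegal(certifyLegalSpec: $spec) { id declaredLicense discoveredLicense }
}`

// CertifyLegal holds the fields the CLI table renders as "declared: X, discovered: Y".
type CertifyLegal struct {
	ID                string `json:"id"`
	DeclaredLicense   string `json:"declaredLicense"`
	DiscoveredLicense string `json:"discoveredLicense"`
}

type certifyLegalResponse struct {
	Data struct {
		CertifyLegal []CertifyLegal `json:"CertifyLegal"`
	} `json:"data"`
}

// sampleResponse is a constructed reply, not captured from a server. The first
// two nodes mirror the demo output above; the third (id 900001) is hypothetical
// and exists only to exercise the mismatch and allow-list checks.
const sampleResponse = `{"data":{"CertifyLegal":[
  {"id":"42719","declaredLicense":"NONE","discoveredLicense":"NONE"},
  {"id":"167585","declaredLicense":"Apache-2.0","discoveredLicense":"Apache-2.0"},
  {"id":"900001","declaredLicense":"MIT","discoveredLicense":"GPL-3.0-only"}
]}}`

// Finding ties a policy result to the node id, so it can be opened in the visualizer.
type Finding struct {
	NodeID  string
	Problem string
}

// BuildRequest encodes the query plus a CertifyLegalSpec for one package version
// as a GraphQL POST body. The spec layout (subject.package.{type,namespace,name,version})
// is an assumption about the schema.
func BuildRequest(pkgType, namespace, name, version string) ([]byte, error) {
	pkg := map[string]any{"type": pkgType, "namespace": namespace, "name": name, "version": version}
	spec := map[string]any{"subject": map[string]any{"package": pkg}}
	return json.Marshal(map[string]any{"query": certifyLegalQuery, "variables": map[string]any{"spec": spec}})
}

// ParseCertifyLegal decodes a GraphQL response body into its certifyLegal nodes.
func ParseCertifyLegal(body []byte) ([]CertifyLegal, error) {
	var resp certifyLegalResponse
	if err := json.Unmarshal(body, &resp); err != nil {
		return nil, fmt.Errorf("decode certifyLegal response: %w", err)
	}
	return resp.Data.CertifyLegal, nil
}

// Summarize renders each node the way the CLI table above does.
func Summarize(nodes []CertifyLegal) []string {
	lines := make([]string, 0, len(nodes))
	for _, n := range nodes {
		lines = append(lines, fmt.Sprintf("declared: %s, discovered: %s", n.DeclaredLicense, n.DiscoveredLicense))
	}
	return lines
}

// noEvidence treats an empty string, and the "NONE" literal the demo output
// prints for the version without license data, as missing evidence.
func noEvidence(license string) bool {
	l := strings.TrimSpace(license)
	return l == "" || strings.EqualFold(l, "NONE")
}

// splitSPDX breaks a license expression into identifiers. It only strips
// parentheses and the AND/OR/WITH operators, so a WITH exception name is kept
// as an identifier and must itself be on the allow-list.
func splitSPDX(expr string) []string {
	var ids []string
	for _, tok := range strings.Fields(strings.NewReplacer("(", " ", ")", " ").Replace(expr)) {
		if up := strings.ToUpper(tok); up == "AND" || up == "OR" || up == "WITH" {
			continue
		}
		ids = append(ids, tok)
	}
	return ids
}

// CheckLicensePolicy flags nodes with no evidence, nodes whose declared and
// discovered licenses disagree, and any identifier outside the allow-list.
func CheckLicensePolicy(nodes []CertifyLegal, allowed map[string]bool) []Finding {
	var findings []Finding
	for _, n := range nodes {
		declMissing, discMissing := noEvidence(n.DeclaredLicense), noEvidence(n.DiscoveredLicense)
		if declMissing && discMissing {
			findings = append(findings, Finding{n.ID, "no license evidence: declared and discovered are both missing"})
			continue
		}
		if !declMissing && !discMissing && n.DeclaredLicense != n.DiscoveredLicense {
			findings = append(findings, Finding{n.ID, fmt.Sprintf("declared license %q differs from discovered %q", n.DeclaredLicense, n.DiscoveredLicense)})
		}
		seen := map[string]bool{} // report each identifier once per node
		for _, expr := range []string{n.DeclaredLicense, n.DiscoveredLicense} {
			if noEvidence(expr) {
				continue
			}
			for _, id := range splitSPDX(expr) {
				if !seen[id] && !allowed[id] {
					findings = append(findings, Finding{n.ID, fmt.Sprintf("license %q is not on the allow-list", id)})
				}
				seen[id] = true
			}
		}
	}
	return findings
}

func main() {
	nodes, err := ParseCertifyLegal([]byte(sampleResponse))
	if err != nil {
		panic(err)
	}
	for _, line := range Summarize(nodes) {
		fmt.Println(line)
	}
	for _, f := range CheckLicensePolicy(nodes, map[string]bool{"Apache-2.0": true, "MIT": true}) {
		fmt.Printf("node %s: %s\n", f.NodeID, f.Problem)
	}
}
```

Run it with go run; main prints the three summary lines and then the findings for nodes 42719 and 900001, while the Apache-2.0 row passes silently. The NONE/NONE case is reported separately from a mismatch because it means the collector found nothing, not that the package is unlicensed, and the SPDX splitting is deliberately minimal: a real policy gate should use a proper SPDX expression parser rather than token splitting.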

@pxp928 (Collaborator) left a comment


LGTM! Thank You!

@pxp928 pxp928 added the needs-review Needs writer LGTM label Nov 4, 2024
@funnelfiasco (Contributor)

I can't comment on the implementation details, but the user experience is spot on. Do we need to explicitly add it to the --help output though, or does that get picked up automatically?

@robert-cronin force-pushed the feat/certifylegal-to-query-known-package branch from f4aff14 to 8eb90bc on November 5, 2024 22:34
@robert-cronin force-pushed the feat/certifylegal-to-query-known-package branch from 8eb90bc to e027c5b on November 5, 2024 23:18
@robert-cronin (Collaborator, Author)

> I can't comment on the implementation details, but the user experience is spot on. Do we need to explicitly add it to the --help output though, or does that get picked up automatically?

It looks like it gets picked up automatically; here it is with the additions:

❯ go run ./cmd/guacone/main.go query known package --help

Query for all the available information on a package, source, or artifact.
  <type> must be either "package", "source", or "artifact".
  <subject> is in the form of "<purl>" for package, "<vcs_tool>+<transport>" for source, or "<algorithm>:<digest>" for artifact.

Usage:
  guacone query known [flags] <type> <subject>

Flags:
  -h, --help   help for known

Global Flags:
      --add-license-on-ingest   if enabled, the ingestor will query and ingest clearly defined for licenses. Warning: This will increase ingestion times
      --add-vuln-on-ingest      if enabled, the ingestor will query and ingest OSV for vulnerabilities. Warning: This will increase ingestion times
      --csub-addr string        address to connect to collect-sub service (default "localhost:2782")
      --csub-tls                enable tls connection to the server
      --csub-tls-skip-verify    skip verifying server certificate (for self-signed certificates for example)
      --gql-addr string         endpoint used to connect to graphQL server (default "http://localhost:8080/query")
      --header-file string      a text file containing HTTP headers to send to the GQL server, in RFC 822 format

@kodiakhq kodiakhq bot merged commit 85868ea into guacsec:main Nov 6, 2024
7 of 8 checks passed
Labels: needs-review (Needs writer LGTM), size/M
Linked issue: [feature] Add CertifyLegal to query known package
4 participants