# TrustShell

Command Line Tool to work with Trustify.

Install directly from GitHub:

```shell
pip install git+https://github.com/RedHatProductSecurity/trustshell.git#egg=trustshell
```
Ensure the following environment variables are set:

Atlas Production:

```shell
export TRUSTIFY_URL="https://atlas.release.devshift.net"
export AUTH_ENDPOINT="https://auth.redhat.com/auth/realms/EmployeeIDP/protocol/openid-connect"
```

Atlas Stage:

```shell
export TRUSTIFY_URL="https://atlas.release.stage.devshift.net"
export AUTH_ENDPOINT="https://auth.stage.redhat.com/auth/realms/EmployeeIDP/protocol/openid-connect"
```

Product Mapping:

```shell
export PRODDEFS_URL="https://prodsec.pages.example.com/product-definitions/products.json"
export SSL_CERT_FILE=/etc/pki/tls/certs/ca-bundle.crt
```
Each component in Atlas has a PackageURL (purl), which removes ambiguity about the type of component. Before relating a component to a product, you first need to determine the purl of the component:

```
$ trust-purl qemu
Querying Trustify for packages matching qemu
Found these matching packages in Trustify, including the highest version found:
pkg:oci/[email protected]
pkg:rpm/redhat/[email protected]+el8.10.0+22375+ea5e8167.2
```
Once you have a PackageURL, you can then relate it to any products using the trust-products command. For example:

```
$ trust-products pkg:oci/quay-builder-qemu-rhcos-rhel8
Querying Trustify for products matching pkg:oci/quay-builder-qemu-rhcos-rhel8
Found these products in Trustify, including the latest shipped artifact
pkg:oci/quay-builder-qemu-rhcos-rhel8
└── pkg:oci/quay-builder-qemu-rhcos-rhel8?tag=v3.12.8-1
    └── cpe:/a:redhat:quay:3:*:el8:*
```
Use the --latest flag to include non-latest results. By default, results are filtered to the latest root components in each CPE, where "latest" is determined by comparing the published date of the product SBOM.
If components are found with the trust-purl command but are not being linked to products by trust-products, the Trustify graph cache may not yet be primed. To prime the graph cache, run the trust-prime command as follows:

```
$ trust-prime
Status before prime:
graph count: 0
sbom_count: 673
Priming graph ...
```
It can also be run with --check to see the graph and SBOM counts without actually priming the graph cache.
It's possible to map CPEs to products using product metadata, as demonstrated in the docs/product-definitions.json file. This allows integration with a bug tracking system like Jira.

The mapping first tries to match the CPE against a ps_update_stream, if such a mapping exists. If not, it falls back to matching against ps_modules.
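The two rules described above, latest-root-component filtering by product SBOM publish date and CPE-to-product resolution with ps_update_stream taking precedence over ps_modules, as an added Python illustration that is not part of trustshell. The `RootHit` type, the product-definitions dictionary layout, the publish dates and the el9 CPE are constructed assumptions, not the real schema or real Atlas data.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class RootHit:
    """One trust-products result: a root component and the product SBOM it came from (assumed shape)."""
    purl: str            # root component purl, e.g. pkg:oci/...?tag=v3.12.8-1
    cpe: str             # product CPE carried by the SBOM
    sbom_published: str  # YYYY-MM-DD publish date of the product SBOM (constructed)


def filter_latest(hits, latest_only=True):
    """Keep one root component per CPE: the one whose product SBOM was published
    most recently. latest_only=False mirrors opting in to non-latest results."""
    if not latest_only:
        return list(hits)
    newest = {}
    for hit in hits:
        current = newest.get(hit.cpe)
        if current is None or date.fromisoformat(hit.sbom_published) > date.fromisoformat(current.sbom_published):
            newest[hit.cpe] = hit
    return list(newest.values())


def map_cpe_to_product(cpe, proddefs):
    """Resolve a CPE to a product name: ps_update_streams entries win,
    ps_modules are the fallback. The proddefs layout is an assumption."""
    for name, cpes in proddefs.get("ps_update_streams", {}).items():
        if cpe in cpes:
            return name
    for name, cpes in proddefs.get("ps_modules", {}).items():
        if cpe in cpes:
            return name
    return None  # unmapped CPE: nothing to file a ticket against


# Constructed sample data; dates, the el9 CPE and product names are made up.
SAMPLE_HITS = [
    RootHit("pkg:oci/quay-builder-qemu-rhcos-rhel8?tag=v3.12.7-1", "cpe:/a:redhat:quay:3:*:el8:*", "2025-01-10"),
    RootHit("pkg:oci/quay-builder-qemu-rhcos-rhel8?tag=v3.12.8-1", "cpe:/a:redhat:quay:3:*:el8:*", "2025-03-02"),
    RootHit("pkg:oci/quay-builder-qemu-rhcos-rhel8?tag=v3.11.9-1", "cpe:/a:redhat:quay:3:*:el8:*", "2024-11-20"),
    RootHit("pkg:oci/quay-builder-qemu-rhcos-rhel9?tag=v3.12.8-1", "cpe:/a:redhat:quay:3:*:el9:*", "2025-03-02"),
]
SAMPLE_PRODDEFS = {
    "ps_update_streams": {"quay-3.12": ["cpe:/a:redhat:quay:3:*:el8:*"]},
    "ps_modules": {"quay-3": ["cpe:/a:redhat:quay:3:*:el8:*", "cpe:/a:redhat:quay:3:*:el9:*"]},
}


def resolve(hits=SAMPLE_HITS, proddefs=SAMPLE_PRODDEFS, latest_only=True):
    """Return {root purl: product name} after latest filtering and CPE mapping."""
    return {h.purl: map_cpe_to_product(h.cpe, proddefs) for h in filter_latest(hits, latest_only)}


if __name__ == "__main__":
    for purl, product in resolve().items():
        print(f"{purl}\n└── {product}")
```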