lunasec-io
diff --git a/‎lunatrace/bsl/docker-compose.yaml
Lines changed: 1 addition & 1 deletion b/‎lunatrace/bsl/docker-compose.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎lunatrace/bsl/hasura/metadata/databases/lunatrace/tables/tables.yaml
Lines changed: 2 additions & 0 deletions b/‎lunatrace/bsl/hasura/metadata/databases/lunatrace/tables/tables.yaml
Lines changed: 2 additions & 0 deletions
diff --git a/‎lunatrace/bsl/hasura/metadata/databases/lunatrace/tables/vulnerability_reference_content.yaml
Lines changed: 15 additions & 0 deletions b/‎lunatrace/bsl/hasura/metadata/databases/lunatrace/tables/vulnerability_reference_content.yaml
Lines changed: 15 additions & 0 deletions
diff --git a/‎lunatrace/bsl/hasura/metadata/databases/lunatrace/tables/vulnerability_reference_embedding.yaml
Lines changed: 7 additions & 0 deletions b/‎lunatrace/bsl/hasura/metadata/databases/lunatrace/tables/vulnerability_reference_embedding.yaml
Lines changed: 7 additions & 0 deletions
diff --git a/‎lunatrace/bsl/hasura/metadata/remote_schemas.yaml
Lines changed: 41 additions & 41 deletions b/‎lunatrace/bsl/hasura/metadata/remote_schemas.yaml
Lines changed: 41 additions & 41 deletions
diff --git a/‎lunatrace/bsl/hasura/migrations/lunatrace/1677516215552_vulnerable_reference_embeddings/down.sql
Lines changed: 4 additions & 0 deletions b/‎lunatrace/bsl/hasura/migrations/lunatrace/1677516215552_vulnerable_reference_embeddings/down.sql
Lines changed: 4 additions & 0 deletions
diff --git a/‎lunatrace/bsl/hasura/migrations/lunatrace/1677516215552_vulnerable_reference_embeddings/up.sql
Lines changed: 59 additions & 0 deletions b/‎lunatrace/bsl/hasura/migrations/lunatrace/1677516215552_vulnerable_reference_embeddings/up.sql
Lines changed: 59 additions & 0 deletions
diff --git a/‎lunatrace/bsl/ingest-worker/cmd/ingestworker/main.go
Lines changed: 16 additions & 7 deletions b/‎lunatrace/bsl/ingest-worker/cmd/ingestworker/main.go
Lines changed: 16 additions & 7 deletions
diff --git a/‎lunatrace/bsl/ingest-worker/cmd/ingestworker/package/package.go
Lines changed: 17 additions & 3 deletions b/‎lunatrace/bsl/ingest-worker/cmd/ingestworker/package/package.go
Lines changed: 17 additions & 3 deletions
@@ -87,7 +87,7 @@ services:
     - "host.docker.internal:host-gateway"
 
   postgres:
-    image: postgres:12
+    image: ankane/pgvector:v0.4.0
     restart: always
     # Uncomment this if you want Postgres to log queries out.
     # command: ["postgres", "-c", "logging_collector=on", "-c", "log_directory=/tmp", "-c", "log_filename=postgresql.log", "-c", "log_statement=all"]
 
@@ -53,6 +53,8 @@
 - "!include vulnerability_equivalent.yaml"
 - "!include vulnerability_range.yaml"
 - "!include vulnerability_reference.yaml"
+- "!include vulnerability_reference_content.yaml"
+- "!include vulnerability_reference_embedding.yaml"
 - "!include vulnerability_severity.yaml"
 - "!include vulnerability_vulnerability.yaml"
 - "!include vulnerability_vulnerability_cwe.yaml"
@@ -0,0 +1,15 @@
+table:
+  name: reference_content
+  schema: vulnerability
+object_relationships:
+  - name: reference
+    using:
+      foreign_key_constraint_on: reference_id
+array_relationships:
+  - name: reference_embeddings
+    using:
+      foreign_key_constraint_on:
+        column: reference_content_id
+        table:
+          name: reference_embedding
+          schema: vulnerability
@@ -0,0 +1,7 @@
+table:
+  name: reference_embedding
+  schema: vulnerability
+object_relationships:
+  - name: reference_content
+    using:
+      foreign_key_constraint_on: reference_content_id
@@ -13,81 +13,81 @@
     - role: user
       definition:
         schema: |
+          scalar JSON
+          scalar UUID
           type AuthenticatedRepoCloneUrlOutput {
-          	url: String
+            url: String
           }
-          scalar JSON
           type Mutation {
-          	presignManifestUpload(project_id: UUID!): PresignedUrlResponse
+            presignManifestUpload(project_id: UUID!): PresignedUrlResponse
           }
           type PresignedUrlResponse {
-          	bucket: String!
-          	headers: JSON!
-          	key: String!
-          	url: String!
+            bucket: String!
+            headers: JSON!
+            key: String!
+            url: String!
           }
           type Query {
-          	authenticatedRepoCloneUrl(repoGithubId: Int!): AuthenticatedRepoCloneUrlOutput
-          	fakeQueryToHackHasuraBeingABuggyMess: String
-          	sbomUrl(buildId: UUID!): String
+            authenticatedRepoCloneUrl(repoGithubId: Int!): AuthenticatedRepoCloneUrlOutput
+            fakeQueryToHackHasuraBeingABuggyMess: String
+            sbomUrl(buildId: UUID!): String
           }
           type SbomUploadUrlOutput {
-          	error: Boolean!
-          	uploadUrl: UploadUrl
+            error: Boolean!
+            uploadUrl: UploadUrl
           }
-          scalar UUID
           type UploadUrl {
-          	headers: JSON!
-          	url: String!
+            headers: JSON!
+            url: String!
           }
     - role: service
       definition:
         schema: |
+          scalar JSON
+          scalar UUID
           type AuthenticatedRepoCloneUrlOutput {
-          	url: String
+            url: String
           }
-          scalar JSON
           type Mutation {
-          	presignManifestUpload(project_id: UUID!): PresignedUrlResponse
+            presignManifestUpload(project_id: UUID!): PresignedUrlResponse
           }
           type PresignedUrlResponse {
-          	bucket: String!
-          	headers: JSON!
-          	key: String!
-          	url: String!
+            bucket: String!
+            headers: JSON!
+            key: String!
+            url: String!
           }
           type Query {
-          	authenticatedRepoCloneUrl(repoGithubId: Int!): AuthenticatedRepoCloneUrlOutput
-          	fakeQueryToHackHasuraBeingABuggyMess: String
-          	presignSbomUpload(orgId: UUID!, buildId: UUID!): SbomUploadUrlOutput
-          	sbomUrl(buildId: UUID!): String
-          }
-          input SbomUploadUrlInput {
-          	orgId: UUID!
-          	projectId: UUID!
+            authenticatedRepoCloneUrl(repoGithubId: Int!): AuthenticatedRepoCloneUrlOutput
+            fakeQueryToHackHasuraBeingABuggyMess: String
+            presignSbomUpload(orgId: UUID!, buildId: UUID!): SbomUploadUrlOutput
+            sbomUrl(buildId: UUID!): String
           }
           type SbomUploadUrlOutput {
-          	error: Boolean!
-          	uploadUrl: UploadUrl
+            error: Boolean!
+            uploadUrl: UploadUrl
           }
-          scalar UUID
           type UploadUrl {
-          	headers: JSON!
-          	url: String!
+            headers: JSON!
+            url: String!
+          }
+          input SbomUploadUrlInput {
+            orgId: UUID!
+            projectId: UUID!
           }
     - role: cli
       definition:
         schema: |
           scalar JSON
+          scalar UUID
           type Query {
-          	presignSbomUpload(orgId: UUID!, buildId: UUID!): SbomUploadUrlOutput
+            presignSbomUpload(orgId: UUID!, buildId: UUID!): SbomUploadUrlOutput
           }
           type SbomUploadUrlOutput {
-          	error: Boolean!
-          	uploadUrl: UploadUrl
+            error: Boolean!
+            uploadUrl: UploadUrl
           }
-          scalar UUID
           type UploadUrl {
-          	headers: JSON!
-          	url: String!
+            headers: JSON!
+            url: String!
           }
@@ -0,0 +1,4 @@
+DROP FUNCTION vulnerability.match_reference_embedding_for_vulnerability;
+DROP TABLE "vulnerability"."reference_embedding";
+DROP TABLE "vulnerability"."reference_content";
+DROP EXTENSION vector;
@@ -0,0 +1,59 @@
+CREATE EXTENSION vector;
+
+CREATE TABLE "vulnerability"."reference_content" (
+    "id" uuid NOT NULL DEFAULT gen_random_uuid(),
+    "reference_id" uuid NOT NULL REFERENCES "vulnerability"."reference"("id") ON UPDATE cascade ON DELETE cascade,
+    "title" text NOT NULL,
+    "content" text NOT NULL,
+    "normalized_content" text NOT NULL,
+    "content_type" text NOT NULL,
+    "last_successful_fetch" timestamptz DEFAULT NULL,
+    PRIMARY KEY ("id"),
+    UNIQUE ("reference_id")
+);
+
+CREATE TABLE "vulnerability"."reference_embedding" (
+    "id" uuid NOT NULL DEFAULT gen_random_uuid(),
+    "content_hash" text NOT NULL,
+    "reference_content_id" uuid NOT NULL REFERENCES "vulnerability"."reference_content"("id") ON UPDATE cascade ON DELETE cascade,
+    "content" text NOT NULL,
+    "embedding" vector (1536) NOT NULL,
+    PRIMARY KEY ("id"),
+    UNIQUE ("content_hash")
+);
+
+CREATE INDEX ON "vulnerability"."reference_embedding"
+USING ivfflat (embedding vector_cosine_ops)
+WITH (lists = 100);
+
+create or replace function vulnerability.match_reference_embedding_for_vulnerability (
+    query_embedding vector(1536),
+    vuln_id text,
+    similarity_threshold float,
+    match_count int
+)
+    returns table (
+                      id uuid,
+                      url text,
+                      content text,
+                      similarity float
+                  )
+    language plpgsql
+as $$
+begin
+    return query
+        select
+            r.id,
+            r.url,
+            re.content,
+            1 - (re.embedding <=> query_embedding) as similarity
+        from vulnerability.reference_embedding re
+                 join vulnerability.reference_content rc on rc.id = re.reference_content_id
+                 join vulnerability.reference r on r.id = rc.reference_id
+                 join vulnerability.vulnerability v on v.id = r.vulnerability_id
+        where 1 - (re.embedding <=> query_embedding) > similarity_threshold
+          and v.source_id = vuln_id
+        order by re.embedding <=> query_embedding
+        limit match_count;
+end;
+$$;
@@ -35,12 +35,13 @@ import (
 	"github.com/lunasec-io/lunasec/lunatrace/bsl/ingest-worker/pkg/metadata/registry"
 	"github.com/lunasec-io/lunasec/lunatrace/bsl/ingest-worker/pkg/metadata/replicator"
 	"github.com/lunasec-io/lunasec/lunatrace/bsl/ingest-worker/pkg/metadata/replicator/npm"
+	"github.com/lunasec-io/lunasec/lunatrace/bsl/ingest-worker/pkg/ml"
 	"github.com/lunasec-io/lunasec/lunatrace/bsl/ingest-worker/pkg/openaifx"
-	"github.com/lunasec-io/lunasec/lunatrace/bsl/ingest-worker/pkg/pineconefx"
 	"github.com/lunasec-io/lunasec/lunatrace/bsl/ingest-worker/pkg/scanner/licensecheck"
 	"github.com/lunasec-io/lunasec/lunatrace/bsl/ingest-worker/pkg/scanner/packagejson"
+	"github.com/lunasec-io/lunasec/lunatrace/bsl/ingest-worker/pkg/vulnbot"
 	"github.com/lunasec-io/lunasec/lunatrace/bsl/ingest-worker/pkg/vulnerability/affected"
-	"github.com/lunasec-io/lunasec/lunatrace/bsl/ingest-worker/pkg/vulnerability/process"
+	"github.com/lunasec-io/lunasec/lunatrace/bsl/ingest-worker/pkg/vulnerability/scrape"
 
 	"github.com/lunasec-io/lunasec/lunatrace/bsl/ingest-worker/cmd/ingestworker/license"
 	"github.com/lunasec-io/lunasec/lunatrace/bsl/ingest-worker/pkg/metadata/ingester"
@@ -49,7 +50,11 @@ import (
 
 func main() {
 	// TODO (cthompson) this should be configured with an fx module
-	log.Logger = zerolog.New(os.Stderr).With().Timestamp().Logger()
+	logLevel := zerolog.InfoLevel
+	if os.Getenv("LOG_LEVEL") == "debug" {
+		logLevel = zerolog.DebugLevel
+	}
+	log.Logger = zerolog.New(os.Stderr).With().Timestamp().Logger().Level(logLevel)
 
 	clifx.Main(
 		// TODO (cthompson) move this into an fx module
@@ -60,13 +65,19 @@ func main() {
 		registry.NPMModule,
 		ingester.Module,
 		openaifx.Module,
-		pineconefx.Module,
+		scrape.Module,
 
 		fx.Provide(
+			ml.NewService,
 			cwe2.NewCWEIngester,
 			epss2.NewEPSSIngester,
 			cisa2.NewCISAKnownVulnIngester,
-			process.NewProcessor,
+			vulnbot.NewVulnBot,
+		),
+
+		fx.Provide(
+			vulnmanager.NewProcessor,
+			//metadata.NewProcessor,
 		),
 
 		// todo make a module
@@ -96,8 +107,6 @@ func main() {
 			cwe.NewCommand,
 			epss.NewCommand,
 			cisa.NewCommand,
-		),
-		fx.Provide(
 			packageCommand.NewCommand,
 		),
 	)
 
@@ -30,6 +30,7 @@ type Params struct {
 	Ingester      metadata.PackageIngester
 	Replicator    metadata.Replicator
 	APIReplicator metadata.APIReplicator
+	//Processor     metadata.Processor
 }
 
 func NewCommand(p Params) clifx.CommandResult {
@@ -56,6 +57,11 @@ func NewCommand(p Params) clifx.CommandResult {
 							Required: false,
 							Usage:    "If a package ingestion fails, continue without fatally failing.",
 						},
+						&cli.BoolFlag{
+							Name:     "references",
+							Required: false,
+							Usage:    "Only ingest package references.",
+						},
 						&cli.DurationFlag{
 							Name:     "refetch-duration",
 							Required: false,
@@ -66,12 +72,13 @@ func NewCommand(p Params) clifx.CommandResult {
 						packageName := ctx.Args().First()
 						registry := ctx.Bool("registry")
 						ignoreErrors := ctx.Bool("ignore-errors")
+						references := ctx.Bool("references")
 						packagesFile := ctx.String("packages")
 						refetchDuration := ctx.Duration("refetch-duration")
 
 						// import packages from a file
 						if packagesFile != "" {
-							return p.Ingester.IngestPackagesFromFile(ctx.Context, packagesFile, ignoreErrors, refetchDuration)
+							return p.Ingester.IngestPackagesFromFile(ctx.Context, packagesFile, references)
 						}
 
 						if registry {
@@ -82,10 +89,17 @@ func NewCommand(p Params) clifx.CommandResult {
 							err := errors.New("no package name provided")
 							return err
 						}
-
-						return p.Ingester.IngestPackageAndDependencies(ctx.Context, packageName, ignoreErrors, refetchDuration)
+						return p.Ingester.IngestWithDownloadCounts(ctx.Context, packageName)
 					},
 				},
+				//{
+				//	Name:  "embedding",
+				//	Flags: []cli.Flag{},
+				//	Action: func(ctx *cli.Context) error {
+				//		_ = ctx.Args().First()
+				//		return p.Processor.GenerateEmbeddingsForReferences()
+				//	},
+				//},
 				{
 					Name: "replicate",
 					Subcommands: []*cli.Command{