Purl-sync vocabulary

[ziadhany]

Actors:

• Person : can create a review and follow Package URLs
• Service : can clone a git repo and push/sync ( publishing of events )
• Purl : posts that v1.2.3 is vulnerable to @VCID-123

Activities:

• Follow
• UnFollow
• Create
• Update
• Delete
• Sync
• Vote

Objects

• Note
• Review
• Repository
• Vulnerability

[ziadhany]

Person:

{
  "@context": [
    "https://www.w3.org/ns/activitystreams",
     "http://schema.org",
  ],
  "@type": "Person",
  "@id": "https://example.com/user/@user1",
  "name": "user1",
  "summary": "We’re creating a federated tool for vulnerability review and curation!",
  "inbox": "https://example.com/user/@user1/inbox",
  "outbox": "https://example.com/user/@user1/outbox",
  "following": "https://example.com/user/@user1/following",
  "image": "https://example.com/image/avatar",
}

Purl:

{
  "@context": [
    "https://www.w3.org/ns/activitystreams",
    ....
  ],
  "@type": "Purl",
  "@id": "https://example.com/purls/@pkg:maven/org.apache.logging",
  "string": "pkg:maven/org.apache.logging",
  "inbox": "https://example.com/purls/@pkg:maven/org.apache.logging/inbox",
  "outbox": "https://example.com/purls/@pkg:maven/org.apache.logging/outbox",
  "followers": "https://example.com/purls/@pkg:maven/org.apache.logging/followers",
}

[ziadhany]

Note

{
  "@context": [
    "https://www.w3.org/ns/activitystreams",
     "http://schema.org", 
  ],
  "@type": "Note",
  "id": "https://example.com/notes/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
  "actor": "https://example.com/users/@user1"
  "content": "we should fix this purl",
  "published": "2015-02-10T15:04:55Z",
  "inReplyTo": "https://example.com/notes/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
}

Repository

{
  "@context": [
    "https://www.w3.org/ns/activitystreams",
     ..............
  ],
   "@id":"16fd2706-8baf-433b-82eb-8c7fada847da",
   "@type": "Repository",
   "cloneUri": "https://example.com/repository/repository.git",     
}

Review

{
  "@context": [
    "https://www.w3.org/ns/activitystreams",
     .........
  ],
  "@type": "Review",
  "id": "https://example.com/review/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
  "author": "https://example.com/user/@user1",
  "headline": "review vulnerablecode-data VCID-0000-0000-0000",
  "repository": "https://example.com/repository/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
  "reviewBody": "text diff",

  "notes": {        
       "type": "Collection",
       "totalItems": 1,
       "orderedItems": [
             {
                "type": "Note",
                "id": "https://example.com/note/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
                "actor": "https://example.com/user/@user1"
                "content": "we should fix this purl",
            }],
   }
  "published":  "2015-02-10T15:04:55Z",
}

Vulnerability

{
  "@context": [
    "https://www.w3.org/ns/activitystreams",
     ..............
  ],
   "@type": "Vulnerability",
    "id": "https://example.com/vulnerability/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",  
    "repository": "https://github.com/nexB/vulnerablecode-data",
    "branch": "main",
    "filename": "VCID-2r45-a1c2-aaag.yaml",
    "commit": "d3bdb08c2aa4d2a949e7a4ed719a7a167d62b2e8",
}

[ziadhany]

Follow

{
  "@context": [
    "https://www.w3.org/ns/activitystreams",
     .........
  ],
  "type": "Follow",
  "actor": {
    "@id": "https://example.com/users/@user1",
    "@type": "Person",
  },

  "object": {
         "@id": "https://example.com/pursl/@pkg:bitbucket/birkenfeld/pygments-main",
         "@type": "Purl",
         "string": "pkg:bitbucket/birkenfeld/pygments-main"",
  },

  "cc": [{
    "@context": "http://www.w3.org/ns/activitystreams",
    "@id": "http://activityschema.org/collection/public",
    .....
    "@type": "Collection"
  }]
}

Create

{
  "@context": [
    "https://www.w3.org/ns/activitystreams",
     "http://schema.org", 
  ],
"type": "Create",
"actor": {
  "@type": "Person",
  "name": "user1"
  "@id": "https://example.com/users/@user1",
},
"object": {
  "@type": "Review",
  "headline": "review vulnerablecode-data VCID-0000-0000-0000.json",
  "reviewBody": "diff string"
}
}

[pombredanne]

Attached is a pdf and the source of xournal notes from a meeting we had today.

2023-07-27-Note-13-20.pdf
2023-07-27-Note-13-20.xoj.zip

[ziadhany]

@pombredanne After carefully reading the notes I have some questions .

1. VC.IO push events to activitypub server ( what is the type of events ?) .
   I think of it like a service actor run a python script after we merge new files . OR git send http post request to activitypub server using service Actor credentials after a new file get merged using post-merge

2. should every purl have a username and password ( Fediverse account ) or just get managed by service ( vc.io ) ?
   purl will create the post ( pkg:maven/org.apache.logging posts that v1.2.3 is vulnerable to @VCID-123 )
   Who will create the purl ? service actor ( vc.io )
   Is this correct ?

3. How can we store the relations between a git repo , purl and vulnerability ?
   I think of vulnerability as git file VCID-aejr-k98q-aaad.yaml
   but how can we detect purls in our system ?
   we can have two separated files one for purl ( affected and fixed ) and one for vulnerability .
   but How we create a purls and vulnerabilities ?
   should I create a python script read all git files and create vulnerability and purl ?

[pombredanne]

Here is some notes of today's sync: what if we were to file for a package (all versions) and another for the vulnerability (no package info there)?
See attached mock files:

• a package file alpine-apache2.yml.txt
• another package file rpm-centos-apachehttpd.yml.txt
• a shared vulnerability between these two packages VCID-2nyb-8rwu-12ag.yml.txt