# TrustShell
Command Line Tool to work with Trustify.
Install directly from GitHub:

```
$ pip install git+https://github.com/RedHatProductSecurity/trustshell.git#egg=trustshell
```
Ensure the following environment variables are set for the Atlas instance you want to talk to:

Atlas Production:

```
export TRUSTIFY_URL="https://atlas.release.devshift.net"
export AUTH_ENDPOINT="https://auth.redhat.com/auth/realms/EmployeeIDP/protocol/openid-connect"
```

Atlas Stage:

```
export TRUSTIFY_URL="https://atlas.release.stage.devshift.net"
export AUTH_ENDPOINT="https://auth.stage.redhat.com/auth/realms/EmployeeIDP/protocol/openid-connect"
```
Each component in Atlas has a PackageURL (purl). The purl removes ambiguity about the type of component (a container image and an RPM with the same name are different purls). Before relating a component to a product, you first need to determine the purl of the component. You can do this with trustshell, e.g.:

```
$ trust-purl qemu
Querying Trustify for packages matching qemu
Found these matching packages in Trustify, including the highest version found:
pkg:oci/[email protected]
pkg:rpm/redhat/[email protected]+el8.10.0+22375+ea5e8167.2
```
Once you have a PackageURL, you can relate it to any products using the trust-products command. For example:

```
$ trust-products pkg:oci/quay-builder-qemu-rhcos-rhel8
Querying Trustify for products matching pkg:oci/quay-builder-qemu-rhcos-rhel8
Found these products in Trustify, including the latest shipped artifact
pkg:oci/quay-builder-qemu-rhcos-rhel8
└── pkg:oci/quay-builder-qemu-rhcos-rhel8?tag=v3.12.8-1
    └── cpe:/a:redhat:quay:3:*:el8:*
```
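To make the purl handling above concrete, here is a small PackageURL parser, added as an illustration; it is not part of trustshell and does not call Trustify. It assumes the purl layout `pkg:type/namespace/name@version?qualifiers#subpath`, splits the purl lines out of trust-purl style output, and drops the version so the result can be handed to trust-products as in the example. The sample output and the rpm purl in it are constructed for this example, and the `is_purl` check shows why a CPE line from trust-products output must not be fed back in as a purl.

```python
"""Minimal PackageURL (purl) parser, written as an illustration for this README.

Not part of trustshell. Layout assumed: pkg:type/namespace/name@version?qualifiers#subpath
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import quote, unquote


@dataclass
class Purl:
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str]
    qualifiers: Dict[str, str] = field(default_factory=dict)
    subpath: Optional[str] = None

    def to_string(self) -> str:
        """Serialise back to purl form (qualifiers sorted by key, '+' kept in versions)."""
        out = f"pkg:{self.type}/"
        if self.namespace:
            out += "/".join(quote(p, safe="") for p in self.namespace.split("/")) + "/"
        out += quote(self.name, safe="")
        if self.version:
            out += "@" + quote(self.version, safe="+")
        if self.qualifiers:
            out += "?" + "&".join(
                f"{k}={quote(v, safe='')}" for k, v in sorted(self.qualifiers.items())
            )
        if self.subpath:
            out += "#" + self.subpath
        return out

    def without_version(self) -> "Purl":
        """Versionless form, the shape trust-products is given in the README example."""
        return Purl(self.type, self.namespace, self.name, None, dict(self.qualifiers), self.subpath)


def is_purl(text: str) -> bool:
    """True only for the 'pkg:' scheme; CPEs and other identifiers are rejected."""
    return text.startswith("pkg:")


def parse_purl(text: str) -> Purl:
    if not is_purl(text):
        raise ValueError(f"not a PackageURL (expected 'pkg:' scheme): {text!r}")
    rest = text[len("pkg:"):].strip("/")
    rest, _, subpath = rest.partition("#")          # subpath is the last component
    rest, _, qualifier_text = rest.partition("?")   # then qualifiers
    type_, sep, rest = rest.partition("/")          # type is the first path segment
    if not sep or not type_ or not rest:
        raise ValueError(f"purl needs both a type and a name: {text!r}")
    *namespace_parts, name_part = rest.split("/")
    version = ""
    if "@" in name_part:                            # version follows the last '@' in the name segment
        name_part, version = name_part.rsplit("@", 1)
    qualifiers: Dict[str, str] = {}
    for pair in filter(None, qualifier_text.split("&")):
        key, _, value = pair.partition("=")
        if value:                                   # empty values are dropped, as the spec allows
            qualifiers[key.lower()] = unquote(value)
    return Purl(
        type=type_.lower(),
        namespace="/".join(unquote(p) for p in namespace_parts if p) or None,
        name=unquote(name_part),
        version=unquote(version) or None,
        qualifiers=qualifiers,
        subpath=subpath or None,
    )


def candidate_purls(trust_purl_output: str) -> List[str]:
    """Extract purl lines from trust-purl output and return them versionless."""
    found = []
    for line in trust_purl_output.splitlines():
        line = line.strip()
        if is_purl(line):
            found.append(parse_purl(line).without_version().to_string())
    return found


# Constructed sample of trust-purl output; the rpm entry is made up for this example.
SAMPLE_TRUST_PURL_OUTPUT = """\
Querying Trustify for packages matching qemu
Found these matching packages in Trustify, including the highest version found:
pkg:oci/quay-builder-qemu-rhcos-rhel8?tag=v3.12.8-1
pkg:rpm/redhat/example-qemu-pkg@1.0.0-1.el8?arch=src
"""

if __name__ == "__main__":
    for p in candidate_purls(SAMPLE_TRUST_PURL_OUTPUT):
        parsed = parse_purl(p)
        print(f"{parsed.type:<4} {parsed.name:<32} -> trust-products {p}")
```

The oci and rpm hits share the name fragment "qemu" but parse to different types, which is the ambiguity the purl is there to remove; the versionless strings are what you would pass to trust-products.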
If components are found with the trust-purl command but are not linked to products by trust-products, the Trustify graph cache may not yet be primed. To prime the graph cache, run the trust-prime command as follows:

```
# trust-prime
Status before prime:
graph count: 0
sbom_count: 673
Priming graph ...
```

It can also be run with --check to see the graph and SBOM counts without actually priming the graph cache.