
Add OpenVEX matching on local package name + tags #2355

Open. Wants to merge 1 commit into base: main.
Conversation

ferozsalam
Contributor

Add local package name and image tag information to the list of identifiers that OpenVEX products are matched against.

Where tags are provided, create a product identifier matching the pURL spec in https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst#oci.

Also add a basic test for the functionality.

Closes #1905

Add local package name and image tag information to the list of identifiers
that OpenVEX products are matched against.

Where tags are provided, create a product identifier matching the pURL spec in
https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst#oci.

Also add a basic test for the functionality.

Signed-off-by: Feroz Salam <[email protected]>
@ferozsalam
Contributor Author

For local testing beyond the unit test, the following vex.json:

```json
{
  "@context": "https://openvex.dev/ns",
  "@id": "https://openvex.dev/docs/example/vex-9fb3463de1b57",
  "author": "Wolfi J Inkinson",
  "role": "Document Creator",
  "timestamp": "2023-01-08T18:02:03.647787998-06:00",
  "version": "1",
  "statements": [
    {
      "vulnerability": "CVE-2023-42363",
      "products": [
        "pkg:oci/busybox?tag=1.36"
      ],
      "status": "not_affected",
      "justification": "blah"
    }
  ]
}
```

used with `go build -o main ./cmd/grype ; ./main busybox:1.36 --vex vex.json`

results in 1 ignored vulnerability as desired:

```
$ go build -o main ./cmd/grype ; ./main busybox:1.36 --vex vex.json
 ✔ Loaded image                                                                                                                                                busybox:1.36
 ✔ Parsed image                                                                                     sha256:b6bdb81e03b7525b1c21cea8d4b44ccb6bbcd2250a2868debce24fc9709c62db
 ✔ Cataloged contents                                                                                      50f371fd21362e52ae5422b22636bb256c9a1d75ba79c56ff9f6746b44ec7c1e
   ├── ✔ Packages                        [1 packages]
   ├── ✔ File digests                    [1 files]
   ├── ✔ File metadata                   [1 locations]
   └── ✔ Executables                     [11 executables]
 ✔ Scanned for vulnerabilities     [0 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 4 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 4 not-fixed, 1 ignored
NAME     INSTALLED  FIXED-IN  TYPE    VULNERABILITY   SEVERITY
busybox  1.36.1               binary  CVE-2023-42366  Medium
busybox  1.36.1               binary  CVE-2023-42365  Medium
busybox  1.36.1               binary  CVE-2023-42364  Medium
```
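As an added sketch of the matching this PR describes (my own illustration, not grype's code): a scanned package is matched against its bare name plus `pkg:oci/<name>?tag=<tag>` when the image tag is known, and a statement only applies when it names both the vulnerability and one of those identifiers, so a tag mismatch leaves the finding unignored. `Statement`, `productIdentifiers`, `tagOf` and `vexStatus` are hypothetical names; `exampleVEX` is constructed from the vex.json above.

```go
package main

import (
	"slices"
	"strings"
)

// Statement is the subset of an OpenVEX statement needed here (hypothetical type).
type Statement struct {
	Vulnerability string
	Products      []string
	Status        string
}
// exampleVEX mirrors the statement from the vex.json above (constructed sample).
var exampleVEX = []Statement{{Vulnerability: "CVE-2023-42363",
	Products: []string{"pkg:oci/busybox?tag=1.36"}, Status: "not_affected"}}
// productIdentifiers lists what a scanned package is matched against: its bare
// name and, when the image tag is known, the pURL oci form pkg:oci/<name>?tag=<tag>.
func productIdentifiers(pkgName, tag string) []string {
	ids := []string{pkgName}
	if tag != "" {
		ids = append(ids, "pkg:oci/"+strings.ToLower(pkgName)+"?tag="+tag)
	}
	return ids
}
// tagOf extracts the tag from an image reference such as "busybox:1.36"; a registry
// port ("host:5000/img") is not a tag and a digest ref ("img@sha256:...") has none.
func tagOf(ref string) string {
	i := strings.LastIndex(ref, ":")
	if i < 0 || strings.Contains(ref[i:], "/") || strings.Contains(ref, "@") {
		return ""
	}
	return ref[i+1:]
}
// vexStatus returns the status of the first statement naming vulnID and one of the
// package's identifiers, or "" if none applies (e.g. busybox:1.37 against ?tag=1.36).
func vexStatus(stmts []Statement, pkgName, imageTag, vulnID string) string {
	ids := productIdentifiers(pkgName, imageTag)
	for _, s := range stmts {
		if s.Vulnerability != vulnID {
			continue
		}
		for _, p := range s.Products {
			if slices.Contains(ids, p) {
				return s.Status
			}
		}
	}
	return ""
}
```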

@ferozsalam ferozsalam marked this pull request as ready for review December 29, 2024 22:27
Issue this pull request may close: vex: Add package name to VEX product identifiers