anchore / grype

A vulnerability scanner for container images and filesystems
Apache License 2.0

VEX - can't get grype to match #1589

Closed akcrisp closed 9 months ago

akcrisp commented 10 months ago

What happened: I am testing the use of VEX for excluding CVEs.

The image is in an Azure ACR - it scans the image OK for vulnerabilities. I am testing this against an image from Docker Hub that I know has CVEs in it.

What you expected to happen:

The dpkg package is excluded from the affected package list, or added to the show-suppressed list.

How to reproduce it (as minimally and precisely as possible):

Create the VEX document:

```
vexctl create --product "pkg:oci/myapp@sha256:sha256:261e230db3d87f3d2df65182c3f0b2fdba02a93a319078641f2cb2168513b3c1" --subcomponents "pkg:deb/debian/dpkg@1.18.25" --vuln "CVE-2022-1664" --status "not_affected" --justification "vulnerable_code_not_present" --file c:\users\\vex\cve-2022-1664.json
```

Run grype against it:

```
grype registry:.azurecr.io/janakiramm/myapp:v2 -c c:\users\\grype\config.yml --vex C:\Users\\vex\cve-2022-1664.json
```

Output (curtailed) - still shows the package in the affected list:

```
NAME       INSTALLED  FIXED-IN     TYPE  VULNERABILITY   SEVERITY
coreutils  8.26-3                  deb   CVE-2017-18018  Negligible
dpkg       1.18.25    1.18.26      deb   CVE-2022-1664   Critical
e2fslibs   1.43.4-2   (won't fix)  deb   CVE-2022-1304   High
```

Anything else we need to know?:

I've logged a ticket on openvex as well (https://github.com/openvex/vexctl/issues/134), as the format of the document is different to what you show on your page: there is no @id against product or subcomponent. Equally, the subcomponent is not nested under the product (see below). Trying to understand if there's been a change in document format and whether that would impact grype?

```json
{
  "@context": "https://openvex.dev/ns",
  "@id": "https://openvex.dev/docs/public/vex-de3f13aece8cf241965e00fc1dfdb4abdafe0f61365c311bb1026dc8d22f8327",
  "author": "Unknown Author",
  "role": "Document Creator",
  "timestamp": "2023-11-07T15:18:47.5281235Z",
  "version": "1",
  "statements": [
    {
      "vulnerability": "CVE-2022-1664",
      "products": [
        "pkg:oci/myapp@sha256:sha256:261e230db3d87f3d2df65182c3f0b2fdba02a93a319078641f2cb2168513b3c1"
      ],
      "subcomponents": [
        "pkg:dpkg@1.18.25"
      ],
      "status": "not_affected",
      "justification": "vulnerable_code_not_present"
    }
  ]
}
```

Also, can you confirm the subcomponent should be the purl line as output in the JSON from grype? It would be useful if you could also confirm which entry in the JSON would match the image in question - I believe I've worked the syntax out, but an explicit JSON entry that you could copy and paste into the VEX product entry would be useful.

Environment:
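As an added illustration (not grype's or vexctl's own code), a small Python checker that reads both the legacy flat shape posted above (bare purl strings, subcomponents beside the product) and the current OpenVEX shape (products and subcomponents as objects keyed by `@id`, subcomponents nested under the product), and shows why a consumer that only understands the current shape finds no match in a legacy document. The purl values and `@context` strings are constructed samples, and the matching rule is a simplified model of VEX filtering, not grype's matcher.

```python
import json

# Constructed sample in the legacy (pre-OpenVEX 0.2.0) shape that vexctl v0.2.3
# emitted: bare purl strings, with subcomponents beside (not under) the product.
LEGACY_DOC = json.dumps({"@context": "https://openvex.dev/ns", "statements": [{
    "vulnerability": "CVE-2022-1664",
    "products": ["pkg:oci/myapp@sha256:0123abcd"],
    "subcomponents": ["pkg:deb/debian/dpkg@1.18.25"],
    "status": "not_affected"}]})

# Constructed sample of the same statement in the current OpenVEX shape: products
# and subcomponents are objects keyed by "@id", subcomponents nested under product.
CURRENT_DOC = json.dumps({"@context": "https://openvex.dev/ns/v0.2.0", "statements": [{
    "vulnerability": {"name": "CVE-2022-1664"},
    "products": [{"@id": "pkg:oci/myapp@sha256:0123abcd",
                  "subcomponents": [{"@id": "pkg:deb/debian/dpkg@1.18.25"}]}],
    "status": "not_affected"}]})

SUPPRESSING = {"not_affected", "fixed"}  # statuses that hide a match


def _ident(node):
    """Identifier of a vulnerability/product/subcomponent node in either shape."""
    return node if isinstance(node, str) else node.get("@id") or node.get("name")


def statements(doc, accept_legacy=True):
    """Yield (vuln, product, subcomponent, status) for every statement.
    With accept_legacy=False, string-typed products (legacy shape) are skipped,
    mimicking a consumer that only understands the current spec."""
    for st in json.loads(doc).get("statements", []):
        for prod in st.get("products", []):
            if isinstance(prod, str):
                if not accept_legacy:
                    continue
                subs = st.get("subcomponents", [])  # legacy: beside the product
            else:
                subs = prod.get("subcomponents", [])  # current: nested under it
            for sub in subs or [None]:
                yield (_ident(st["vulnerability"]), _ident(prod),
                       _ident(sub) if sub else None, st["status"])


def is_suppressed(doc, vuln, image_purl, pkg_purl, accept_legacy=True):
    """True if a suppressing statement covers this (vuln, image, package) match.
    A statement without subcomponents covers every package in the product."""
    return any(v == vuln and p == image_purl and s in (None, pkg_purl)
               and status in SUPPRESSING
               for v, p, s, status in statements(doc, accept_legacy))
```

Both documents describe the same statement, so a legacy-aware reader suppresses the match from either; a reader that only understands the current shape suppresses it from `CURRENT_DOC` alone.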

akcrisp commented 10 months ago

Sorry, forgot to add: the VEX document is created using this vexctl version:

```
vexctl: A tool for working with VEX data

GitVersion:    v0.2.3
GitCommit:     a1d4be001cec81db7e75e7cc2ab84322b65c31f1
GitTreeState:  clean
BuildDate:     2023-07-21T18:35:07Z
GoVersion:     go1.20.6
Compiler:      gc
Platform:      windows/amd64
```

akcrisp commented 9 months ago

@kzantow any chance I can get some feedback on the above? Is it something I've done wrong or has something changed?

akcrisp commented 9 months ago

FYI - just had a reply from openvex on my ticket there:

> Oh sorry for the late reply @akcrisp! I see what is happening. Apparently, we did not cut a release of vexctl after the last library update. The last released version of vexctl is still producing documents with the previous version of the spec.
>
> Please use the version at HEAD and we'll get a new release out today, thanks!

puerco commented 9 months ago

Sorry, we had not cut a release of vexctl to generate documents with the latest version of the spec (which Grype uses). v0.2.5 is out and should work right out of the box!

akcrisp commented 9 months ago

The vexctl binary has been updated to the latest library to work with grype. Closing ticket.