anchore / grype

A vulnerability scanner for container images and filesystems
Apache License 2.0

Ability to summarize and alter VEX documents #637

Open wagoodman opened 2 years ago

wagoodman commented 2 years ago

As we start to introduce producing VEX documents (https://github.com/anchore/grype/issues/591), there are some input values which are manually curated (e.g. "affected" / "not affected", "justification", "response", etc). There are (at least) two opportunities here:

  1. Provide a way to summarize documents provided as input
  2. Provide a way to add or modify contents (such as indicate "not affected", add a justification, etc) without having the consumer resort to scripting
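As an added illustration of the two asks above (this is example code, not part of grype or of this issue's author's proposal): a Python sketch that summarizes an OpenVEX-style document by status, flags `not_affected` statements that carry neither a justification nor an impact statement, and adds or amends a statement without the consumer hand-editing JSON. The document shape follows the OpenVEX layout (`statements` with `vulnerability`, `products`, `status`, `justification`); the sample document, its CVE identifiers and the purl are constructed placeholders, not real findings.

```python
"""Summarize and amend an OpenVEX-style VEX document (added example, not grype code)."""
import json
from collections import Counter
from datetime import datetime, timezone

# Vocabularies as defined by the OpenVEX specification.
STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}
JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}

# Constructed sample document: the CVE ids and purl are placeholders.
SAMPLE_VEX = json.dumps({
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.com/vex/sample-1",
    "author": "example security team",
    "timestamp": "2024-01-01T00:00:00Z",
    "version": 1,
    "statements": [
        {"vulnerability": {"name": "CVE-0000-0001"},
         "products": [{"@id": "pkg:golang/example.com/app@1.0.0"}],
         "status": "not_affected",
         "justification": "vulnerable_code_not_in_execute_path"},
        {"vulnerability": {"name": "CVE-0000-0002"},
         "products": [{"@id": "pkg:golang/example.com/app@1.0.0"}],
         "status": "under_investigation"},
        # Incomplete on purpose: not_affected without justification/impact_statement.
        {"vulnerability": {"name": "CVE-0000-0003"},
         "products": [{"@id": "pkg:golang/example.com/app@1.0.0"}],
         "status": "not_affected"},
    ],
})


def load_sample():
    """Return the constructed sample document as a dict."""
    return json.loads(SAMPLE_VEX)


def _product_ids(stmt):
    """Product identifiers; accepts both {"@id": ...} objects and bare strings."""
    return [p["@id"] if isinstance(p, dict) else p for p in stmt.get("products", [])]


def _vuln_name(stmt):
    vuln = stmt.get("vulnerability", {})
    return vuln.get("name") if isinstance(vuln, dict) else vuln


def summarize(doc):
    """Count statements per status and list not_affected ones lacking a rationale."""
    stmts = doc.get("statements", [])
    by_status = Counter(s.get("status", "<missing>") for s in stmts)
    incomplete = [
        _vuln_name(s) for s in stmts
        if s.get("status") == "not_affected"
        and not (s.get("justification") or s.get("impact_statement"))
    ]
    return {"statements": len(stmts), "by_status": dict(by_status),
            "incomplete_not_affected": incomplete}


def set_status(doc, vuln, product, status, justification=None,
               impact_statement=None, now=None):
    """Amend the statement for (vuln, product), or append one, validating the inputs."""
    if status not in STATUSES:
        raise ValueError(f"unknown status {status!r}")
    if justification is not None and justification not in JUSTIFICATIONS:
        raise ValueError(f"unknown justification {justification!r}")
    if status == "not_affected" and not (justification or impact_statement):
        raise ValueError("not_affected requires a justification or impact_statement")
    for stmt in doc.setdefault("statements", []):
        if _vuln_name(stmt) == vuln and product in _product_ids(stmt):
            target = stmt
            break
    else:
        target = {"vulnerability": {"name": vuln}, "products": [{"@id": product}]}
        doc["statements"].append(target)
    target["status"] = status
    for key, value in (("justification", justification),
                       ("impact_statement", impact_statement)):
        if value is not None:
            target[key] = value
        else:
            target.pop(key, None)  # drop stale rationale when status changes
    # Bump document version and record the edit time, as OpenVEX metadata expects.
    doc["version"] = int(doc.get("version", 0)) + 1
    stamp = now or datetime.now(timezone.utc)
    doc["last_updated"] = stamp.strftime("%Y-%m-%dT%H:%M:%SZ")
    return doc


if __name__ == "__main__":
    vex = load_sample()
    print(summarize(vex))
    set_status(vex, "CVE-0000-0003", "pkg:golang/example.com/app@1.0.0",
               "not_affected", justification="component_not_present")
    print(json.dumps(vex, indent=2))
```

The validation in `set_status` is the point of the second ask: a curated field such as `justification` is only accepted from the spec's vocabulary, and a `not_affected` claim without a rationale is rejected rather than silently written, so a consumer gets a well-formed document without scripting around the JSON.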

rjb4standards commented 2 years ago

FYI: The SPDX SBOM team is working on a V2.3 release that includes the ability for a software vendor to provide a link to a vulnerability report that is independently updated from the static SBOM. The SPDX proposal uses existing ExternalRef capabilities and supports any type of vulnerability report format, i.e.

CDX VEX: ExternalRef: SECURITY Disclosure https://raw.githubusercontent.com/rjb4standards/REA-Products/master/CDXVEX/CDX14.xml

SBOM VDR: ExternalRef: SECURITY Disclosure https://raw.githubusercontent.com/rjb4standards/REA-Products/master/SAGVulnDisclosureSAMPLE.xml