chainguard-dev / vex

vexctl is a tool to attest VEX impact statements
Apache License 2.0

vexctl merge: Combine vex data sources into new doc #47

Closed puerco closed 1 year ago

puerco commented 1 year ago

This PR introduces new functionality into vexctl to merge vex data from various sources into one document.

The functionality is baked into the ctl package and its implementation, and it is also exposed in a new CLI subcommand, vexctl merge. Here's an example using the included test documents:

go run ./main.go merge ./pkg/ctl/testdata/document1.vex.json ./pkg/ctl/testdata/document2.vex.json
{
  "id": "merged-vex-4d11a8a0f5138a44c61161655e36393b871d4439380eae14bd3c2d66f5ee3873",
  "format": "text/vex",
  "author": "unknown",
  "role": "document creator",
  "timestamp": "2022-12-23T14:55:34.18948616-06:00",
  "statements": [
    {
      "timestamp": "2022-12-22T20:56:05-05:00",
      "status": "under_investigation",
    },
    {
      "timestamp": "2022-12-22T20:56:05-05:00",
      "status": "affected",
    }
  ]
}

The new subcommand can receive product IDs and vulnerability identifiers to compose a new document using only the specified bits.
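The merge behaviour the PR describes (concatenate the statements of several VEX documents into one new document, optionally keeping only statements for given product IDs or vulnerability identifiers, and give the result a deterministic merged-vex-&lt;sha256&gt; id) is shown below as an added, stand-alone Go example. It is not vexctl's own code and does not use the project's ctl package or its document model: the Document and Statement structs, the MergeOptions type, the rule that the id is the SHA-256 of the sorted source document ids, and the sample documents (with placeholder CVE-0000-000x identifiers and constructed product purls) are all assumptions made for this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
	"time"
)

// Statement is a reduced VEX statement used only for this example
// (hypothetical schema, not the vexctl model).
type Statement struct {
	Vulnerability string   `json:"vulnerability"`
	Products      []string `json:"products"`
	Status        string   `json:"status"`
	Timestamp     string   `json:"timestamp"`
}

// Document is a reduced VEX document with the top-level fields seen in
// the PR's sample output.
type Document struct {
	ID         string      `json:"id"`
	Format     string      `json:"format"`
	Author     string      `json:"author"`
	Role       string      `json:"role"`
	Timestamp  string      `json:"timestamp"`
	Statements []Statement `json:"statements"`
}

// MergeOptions holds the optional filters: when a list is non-empty, only
// statements matching it are copied into the merged document.
type MergeOptions struct {
	Products        []string
	Vulnerabilities []string
}

func contains(list []string, v string) bool {
	for _, x := range list {
		if x == v {
			return true
		}
	}
	return false
}

// matches reports whether a statement passes both filters. A statement
// passes the product filter if any of its products is in the wanted list.
func matches(s Statement, opts MergeOptions) bool {
	if len(opts.Vulnerabilities) > 0 && !contains(opts.Vulnerabilities, s.Vulnerability) {
		return false
	}
	if len(opts.Products) > 0 {
		found := false
		for _, p := range s.Products {
			if contains(opts.Products, p) {
				found = true
				break
			}
		}
		if !found {
			return false
		}
	}
	return true
}

// Merge concatenates the filtered statements of docs into a new document.
// The merged id is "merged-vex-" + SHA-256 over the sorted source ids, so
// merging the same inputs in any order yields the same id (assumption made
// for this example; the page does not say what vexctl hashes).
func Merge(docs []Document, opts MergeOptions, now time.Time) Document {
	out := Document{
		Format:    "text/vex",
		Author:    "unknown",
		Role:      "document creator",
		Timestamp: now.Format(time.RFC3339Nano),
	}
	ids := make([]string, 0, len(docs))
	for _, d := range docs {
		ids = append(ids, d.ID)
		for _, s := range d.Statements {
			if matches(s, opts) {
				out.Statements = append(out.Statements, s) // source timestamps are preserved
			}
		}
	}
	sort.Strings(ids)
	h := sha256.New()
	for _, id := range ids {
		h.Write([]byte(id))
		h.Write([]byte{0}) // separator so "a"+"bc" and "ab"+"c" do not collide
	}
	out.ID = "merged-vex-" + hex.EncodeToString(h.Sum(nil))
	return out
}

// SampleDocuments returns two constructed input documents (placeholder
// vulnerability ids and product purls, not real advisories).
func SampleDocuments() []Document {
	appA := "pkg:oci/example-app@sha256:aaaa"
	appB := "pkg:oci/example-app@sha256:bbbb"
	return []Document{
		{ID: "vex-doc-1", Format: "text/vex", Statements: []Statement{
			{Vulnerability: "CVE-0000-0001", Products: []string{appA}, Status: "under_investigation", Timestamp: "2022-12-22T20:56:05-05:00"},
			{Vulnerability: "CVE-0000-0002", Products: []string{appB}, Status: "not_affected", Timestamp: "2022-12-22T20:56:05-05:00"},
		}},
		{ID: "vex-doc-2", Format: "text/vex", Statements: []Statement{
			{Vulnerability: "CVE-0000-0001", Products: []string{appB}, Status: "affected", Timestamp: "2022-12-22T21:10:00-05:00"},
		}},
	}
}

func main() {
	merged := Merge(SampleDocuments(), MergeOptions{Vulnerabilities: []string{"CVE-0000-0001"}}, time.Now())
	b, _ := json.MarshalIndent(merged, "", "  ")
	fmt.Println(string(b))
}
```

Running it prints a merged document containing only the two CVE-0000-0001 statements; calling Merge with empty MergeOptions copies all three statements, and the id stays the same across runs because only the source ids, not the timestamp, feed the hash.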