gocsaf / csaf

Tools to download or provide CSAF (Common Security Advisory Framework) documents.
https://csaf.io

Consuming CSAF model from go v1.20 projects #508

Closed mpermar closed 11 months ago

mpermar commented 1 year ago

The current CSAF model requires Go 1.21.

As a continuation of #367 , @juan131 has been working with the folks from AquaSecurity to add support to the CSAF VEX profile in the Trivy Open Source scanner.

However, we haven't been able to find a workaround, and Trivy's policy is to use the immediately older Golang version, currently 1.20. So, right now we are blocked, as it is not possible to integrate it with this library. There are a couple of approaches we have been thinking of:

  1. Create a fork that builds on 1.20. Bitnami could do a fork and we could sustain it. Perhaps better, this fork could rather be a branch in this project.
  2. My preferred approach. Downgrade this project to Golang 1.20. @juan131 has been looking at it and it looks like this project is only using the new max and clear functions from 1.21. So it's literally a few line changes.

In the spirit of #367 which was aiming to make easier consumption, what do you think if we downgrade the golang dependency? The change is simple, we have the PR ready to be merged, all tests are passing and it will make adoption broader.

@bernhardreiter @tschmidtb51 @s-l-teichmann , thoughts?
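The comment above names `max` and `clear` as the only Go 1.21 builtins the project depends on. As an added illustration (not code from the csaf project or from the PR), here are plain Go 1.18+ generic replacements for both, with the `Ordered` constraint written out inline so the file needs nothing beyond the standard library; the `Max`, `ClearMap` and `ClearSlice` names and the sample data in `main` are this example's own.

```go
package main

import "fmt"

// Ordered mirrors golang.org/x/exp/constraints.Ordered, spelled out here so
// this example has no dependency outside the standard library.
type Ordered interface {
	~int | ~int8 | ~int16 | ~int32 | ~int64 |
		~uint | ~uint8 | ~uint16 | ~uint32 | ~uint64 | ~uintptr |
		~float32 | ~float64 | ~string
}

// Max stands in for the Go 1.21 builtin max. Caveat: the builtin returns NaN
// if any float argument is NaN; a plain ">" comparison does not, so call
// sites that may see NaN need an explicit check.
func Max[T Ordered](first T, rest ...T) T {
	m := first
	for _, v := range rest {
		if v > m {
			m = v
		}
	}
	return m
}

// ClearMap stands in for clear(m) on a map: every entry is deleted and the
// allocated buckets are kept. Caveat: a NaN float key can never be deleted
// this way (NaN != NaN), whereas the 1.21 builtin removes it.
func ClearMap[K comparable, V any](m map[K]V) {
	for k := range m {
		delete(m, k)
	}
}

// ClearSlice stands in for clear(s) on a slice: every element is set to its
// zero value, length and capacity are unchanged.
func ClearSlice[T any](s []T) {
	var zero T
	for i := range s {
		s[i] = zero
	}
}

func main() {
	fmt.Println(Max(3, 9, 2), Max("b", "a")) // 9 b

	m := map[string]int{"a": 1, "b": 2} // constructed sample data
	ClearMap(m)
	fmt.Println(len(m)) // 0

	s := []int{1, 2, 3}
	ClearSlice(s)
	fmt.Println(s) // [0 0 0]
}
```

With these in place the `go 1.21` line in go.mod can be lowered to `go 1.20`. The `slices` and `log/slog` packages mentioned later in the thread are a separate matter: on 1.20 their usual stand-ins are `golang.org/x/exp/slices` and `golang.org/x/exp/slog`, which adds an external dependency rather than a local helper.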

s-l-teichmann commented 1 year ago

Lowering the required Go version should be fine. PR #509 implements this.

mpermar commented 1 year ago

Ah that's awesome. Thanks!

s-l-teichmann commented 1 year ago

Lowering the required Go version should be fine. PR #509 implements this.

As I've overlooked the dependencies on log/slog and slices, I've set the PR back to draft. I've replaced the two packages with their golang.org/x/exp counterparts, but we have to discuss our policies before we merge this.

tschmidtb51 commented 1 year ago

@s-l-teichmann / @bernhardreiter: We should discuss this in the next meeting.

tschmidtb51 commented 12 months ago

@mpermar Please test - this should be resolved with the current main.

mpermar commented 11 months ago

Looks good to me. Trivy builds now when pointing it to the main branch's commit hash.

When do you think there will be a release including this change? We will pin it to the hash for the time being, but it is nicer to have a release.

tschmidtb51 commented 11 months ago

There are a few things that we need to test before the next release. Nevertheless, the plan is to have it before the end of the year.

mpermar commented 11 months ago

Understood. I think this issue can be closed now. Thanks for the quick response!