google / osv-scanner

Vulnerability scanner written in Go which uses the data provided by https://osv.dev
https://google.github.io/osv-scanner/
Apache License 2.0

Generating VEX statements #19

Open another-rex opened 1 year ago

another-rex commented 1 year ago

Automatically generate VEX statements based on call graph analysis or ignored vulnerabilities set in the scanner config.

puerco commented 1 year ago

At Chainguard we are starting to run tests issuing VEX for Wolfi, our Linux distro. We are generating documents in a simplified VEX format which we also embed in in-toto attestations. We are proposing this format to the VEX working group and have been trying to capture the latest data model.

Here is the VEX structure and type we are using: https://github.com/chainguard-dev/vex/blob/main/pkg/vex/vex.go

We would love to collaborate and learn more about your VEX use case!

oliverchang commented 1 year ago

Hey @puerco! Thanks for reaching out!

The use case we have in mind right now is just generating VEX statements from:

If possible we'd certainly like to re-use an existing VEX structure for this. Very happy to chat more here about this or other potential areas of collaboration!

CC @lumjjb