Closed ridhoq closed 8 months ago
Thanks for the bug report @ridhoq! The issue seems to be that we are not taking into account VEX during the query with a purl and vulnerability ID: https://github.com/guacsec/guac/blob/main/cmd/guacone/cmd/vulnerability.go#L121. We are filtering on the certifyVuln edge but we should also be including certifyVex edges from the vulnerability.
Specifically, queryVulnsViaVulnNodeNeighbors will need to be updated.
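To make the maintainer's diagnosis concrete, here is an added illustration (not GUAC's code or API) of the two query shapes over a constructed in-memory edge list: the reported behaviour keeps only certifyVuln edges when a vulnerability ID is given, while the corrected query also keeps certifyVex edges. The EdgeKind/Edge types, the queryVulnNeighbors helper, and the case-insensitive ID comparison are assumptions of this model.

```go
package main

import "strings"
// Constructed, simplified stand-in for the two GUAC edge kinds this issue is about.
// Not GUAC's own types or API; it only illustrates the shape of the query.
type EdgeKind string
const (
	CertifyVuln EdgeKind = "certifyVuln" // package is affected by a vulnerability
	CertifyVex  EdgeKind = "certifyVex"  // VEX statement about a package/vulnerability pair
)
type Edge struct {
	Kind   EdgeKind
	Purl   string
	VulnID string
	Status string // VEX status such as "not_affected"; empty for certifyVuln
}

// queryVulnNeighbors mimics walking the vulnerability node's neighbors, keeping
// edges for the queried purl whose kind is listed in keep. Vulnerability IDs are
// compared case-insensitively (an assumption of this model, not GUAC behaviour).
func queryVulnNeighbors(graph []Edge, purl, vulnID string, keep ...EdgeKind) []Edge {
	wanted := map[EdgeKind]bool{}
	for _, k := range keep {
		wanted[k] = true
	}
	var out []Edge
	for _, e := range graph {
		if wanted[e.Kind] && e.Purl == purl && strings.EqualFold(e.VulnID, vulnID) {
			out = append(out, e)
		}
	}
	return out
}

// QueryBuggy reproduces the reported behaviour: only certifyVuln edges survive,
// so VEX statements vanish as soon as --vuln-id is given.
func QueryBuggy(graph []Edge, purl, vulnID string) []Edge {
	return queryVulnNeighbors(graph, purl, vulnID, CertifyVuln)
}

// QueryFixed also keeps certifyVex edges, matching the output without --vuln-id.
func QueryFixed(graph []Edge, purl, vulnID string) []Edge {
	return queryVulnNeighbors(graph, purl, vulnID, CertifyVuln, CertifyVex)
}

// SampleGraph is constructed test data using the purl and GHSA ID from the report.
var SampleGraph = []Edge{
	{CertifyVuln, "pkg:swid/MySBOMDocument", "ghsa-4374-p667-p6c8", ""},
	{CertifyVex, "pkg:swid/MySBOMDocument", "ghsa-4374-p667-p6c8", "not_affected"},
	{CertifyVex, "pkg:npm/other", "ghsa-4374-p667-p6c8", "affected"},
}
```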
@pxp928 I took a stab at it in #1540. Let me know if it's in the right direction.
Cool will take a look!
Describe the bug When running guacone query vuln <purl> --vuln-id <vuln-id>, the table output does not show any related VEX statements when they are present. However, if you were to run guacone query vuln <purl> without a vulnerability ID, related VEX statements are returned.
To Reproduce Steps to reproduce the behavior:
guacone query vuln pkg:swid/MySBOMDocument --vuln-id ghsa-4374-p667-p6c8
Expected behavior VEX statements should always be returned, regardless of whether a vulnerability ID is passed in.
GUAC version Latest on main
Additional context Will update the description with a better test case if I find one. I discovered the bug on an internal SBOM.