openvex / go-vex

Go module to generate and transform VEX documents
Apache License 2.0

Take the latest statement #29

Closed knqyf263 closed 1 year ago

knqyf263 commented 1 year ago

StatementFromID function always returns the first statement. However, the data inheritance specification allows for multiple statements with the same vulnerability ID to be registered, as follows.

{
  "@context": "https://openvex.dev/ns",
  "author": "Aqua Security",
  "role": "Project Release Bot",
  "timestamp": "2023-01-16T19:07:16.853479631-06:00",
  "version": "1",
  "statements": [
    {
      "vulnerability": "CVE-2019-0001",
      "timestamp": "2023-01-16T19:06:16.853479631-06:00",
      "products": [
        "pkg:golang/github.com/aquasecurity/foo@1.2.3"
      ],
      "status": "under_investigation"
    },
    {
      "vulnerability": "CVE-2019-0001",
      "products": [
        "pkg:golang/github.com/aquasecurity/foo@1.2.3"
      ],
      "status": "not_affected",
      "justification": "vulnerable_code_not_in_execute_path"
    }
  ]
}

I'm aware that SortStatements is provided and VEX.Statements is a public field, so we can implement it on our end, but IMHO StatementFromID should take responsibility for that. Or it should provide an option to sort statements by timestamp.
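To make the reported behaviour concrete, here is an added example (not go-vex's own code, and not the reporter's) that parses the document above with a minimal, self-written subset of the OpenVEX model and contrasts a "first match wins" lookup with one that applies the timestamp inheritance rule: a statement without its own timestamp inherits the document timestamp, and the matching statement with the latest effective timestamp is the one that applies to a product. The type names and the functions `FirstStatementByID` and `EffectiveStatement` are assumptions made for this example; they are not the library's API.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// SampleDoc is the document from the issue, embedded so the example runs
// offline. The second statement deliberately carries no timestamp.
const SampleDoc = `{
  "@context": "https://openvex.dev/ns", "author": "Aqua Security",
  "role": "Project Release Bot", "timestamp": "2023-01-16T19:07:16.853479631-06:00",
  "version": "1",
  "statements": [
    {"vulnerability": "CVE-2019-0001", "timestamp": "2023-01-16T19:06:16.853479631-06:00",
     "products": ["pkg:golang/github.com/aquasecurity/foo@1.2.3"], "status": "under_investigation"},
    {"vulnerability": "CVE-2019-0001",
     "products": ["pkg:golang/github.com/aquasecurity/foo@1.2.3"], "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path"}
  ]
}`

// Statement and VEX are a minimal subset of the OpenVEX model written for this
// example; they are NOT the go-vex types.
type Statement struct {
	Vulnerability string     `json:"vulnerability"`
	Timestamp     *time.Time `json:"timestamp,omitempty"` // nil means "inherit"
	Products      []string   `json:"products"`
	Status        string     `json:"status"`
	Justification string     `json:"justification,omitempty"`
}

type VEX struct {
	Timestamp  time.Time   `json:"timestamp"`
	Statements []Statement `json:"statements"`
}

func ParseVEX(data string) (*VEX, error) {
	var doc VEX
	if err := json.Unmarshal([]byte(data), &doc); err != nil {
		return nil, fmt.Errorf("parsing VEX document: %w", err)
	}
	return &doc, nil
}

// effectiveTime applies the inheritance rule: a statement without its own
// timestamp takes the document's timestamp.
func effectiveTime(doc *VEX, s *Statement) time.Time {
	if s.Timestamp != nil {
		return *s.Timestamp
	}
	return doc.Timestamp
}

// FirstStatementByID reproduces the behaviour the issue reports: the first
// statement for the vulnerability wins, regardless of timestamps.
func FirstStatementByID(doc *VEX, vulnID string) (*Statement, bool) {
	for i := range doc.Statements {
		if doc.Statements[i].Vulnerability == vulnID {
			return &doc.Statements[i], true
		}
	}
	return nil, false
}

// EffectiveStatement returns the statement that currently applies to the
// (vulnID, product) pair: the match with the latest effective timestamp.
// On an exact tie the statement appearing later in the document wins.
func EffectiveStatement(doc *VEX, vulnID, product string) (*Statement, bool) {
	var best *Statement
	var bestTime time.Time
	for i := range doc.Statements {
		s := &doc.Statements[i]
		if s.Vulnerability != vulnID || !contains(s.Products, product) {
			continue
		}
		if ts := effectiveTime(doc, s); best == nil || !ts.Before(bestTime) {
			best, bestTime = s, ts
		}
	}
	return best, best != nil
}

func contains(list []string, want string) bool {
	for _, v := range list {
		if v == want {
			return true
		}
	}
	return false
}

func main() {
	doc, err := ParseVEX(SampleDoc)
	if err != nil {
		panic(err)
	}
	const product = "pkg:golang/github.com/aquasecurity/foo@1.2.3"
	if s, ok := FirstStatementByID(doc, "CVE-2019-0001"); ok {
		fmt.Println("first statement:    ", s.Status)
	}
	if s, ok := EffectiveStatement(doc, "CVE-2019-0001", product); ok {
		fmt.Println("effective statement:", s.Status, s.Justification)
	}
}
```

Run as-is, the first lookup reports `under_investigation` while the effective lookup reports `not_affected`, because the untimestamped second statement inherits the document's 19:07:16 timestamp, which is later than the first statement's 19:06:16. Requiring the product as an input matters too: the same CVE can have different effective statuses for different products in one document, so a lookup keyed on the vulnerability ID alone cannot answer the question a scanner is asking.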

dlorenc commented 1 year ago

Thanks for the report! We'll take a look shortly.

puerco commented 1 year ago

You are right @knqyf263, it is a bug. It also bit me; I didn't open an issue and forgot to fix it. Thanks for reporting it!

puerco commented 1 year ago

I opened https://github.com/openvex/go-vex/pull/30 which adds a new vex.EffectiveStatement function to properly get the latest impact statement. It will deprecate StatementFromID, as we need to specify a product to know the effective status.