openvex / vexctl

A tool to create, transform and attest VEX metadata
Apache License 2.0

vex document structure changed ? #134

Closed akcrisp closed 9 months ago

akcrisp commented 10 months ago

Hi, so I am using vexctl version v0.2.3.

I am trying to get grype to ignore a CVE (this is purely testing). However, I can't get it to match. I've noticed, though, that the structure of the document vexctl creates looks different to the example on the grype page, and I wonder if it's related?

So the grype documentation shows a document structure different to what vexctl is producing - https://github.com/anchore/grype#vex-support -

{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://openvex.dev/docs/public/vex-d4e9020b6d0d26f131d535e055902dd6ccf3e2088bce3079a8cd3588a4b14c78",
  "author": "A Grype User <jdoe@example.com>",
  "timestamp": "2023-07-17T18:28:47.696004345-06:00",
  "version": 1,
  "statements": [
    {
      "vulnerability": {
        "name": "CVE-2023-1255"
      },
      "products": [
        {
          "@id": "pkg:oci/alpine@sha256%3A124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126",
          "subcomponents": [
            { "@id": "pkg:apk/alpine/libssl3@3.0.8-r3" },
            { "@id": "pkg:apk/alpine/libcrypto3@3.0.8-r3" }
          ]
        }
      ],
      "status": "fixed"
    }
  ]
}

The product and subcomponents both have "@id" as a key-value pair entry, and subcomponents is under product. Whereas if I look at what vexctl now produces -

{
  "@context": "https://openvex.dev/ns",
  "@id": "https://openvex.dev/docs/public/vex-3494284e4340d252443d94e25e16ac4e10b996e25c7aaa7667c921c1d7c879c7",
  "author": "Unknown Author",
  "role": "Document Creator",
  "timestamp": "2023-11-07T11:21:21.107327Z",
  "version": "1",
  "statements": [
    {
      "vulnerability": "CVE-2022-1664",
      "products": [
        "pkg:oci/myapp@sha256:sha256:261e230db3d87f3d2df65182c3f0b2fdba02a93a319078641f2cb2168513b3c1"
      ],
      "subcomponents": [
        "pkg:deb/debian/dpkg@1.18.25?arch=amd64&distro=debian-9"
      ],
      "status": "not_affected",
      "justification": "vulnerable_code_not_present"
    }
  ]
}

I used the following command to create it -

vexctl create --product "pkg:oci/myapp@sha256:sha256:261e230db3d87f3d2df65182c3f0b2fdba02a93a319078641f2cb2168513b3c1" --subcomponents "pkg:deb/debian/dpkg@1.18.25?arch=amd64&distro=debian-9" --vuln "CVE-2022-1664" --status "not_affected" --justification "vulnerable_code_not_present"

Can someone confirm that the output from vexctl is correct (not broken) and that there has been a change to the document format? I will then follow up with the grype team to understand if the change would impact the matching of vulnerabilities.

Reading the OpenVEX specification - https://github.com/openvex/spec/blob/main/OPENVEX-SPEC.md#product-data-structure - it does say: "@id: Optional IRI identifying the component to make it externally referenceable."

So I am wondering if the lack of @id against product/subcomponents is causing grype not to match?

Note: not sure if it makes any difference, but this is the Windows version of vexctl being used.

Andy
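The two documents above differ only in shape: the pre-v0.2.0 document uses a bare string for the vulnerability, bare purl strings for products, and a statement-level subcomponents list, while the v0.2.0 document wraps the vulnerability in an object with "name", wraps each product in an object with "@id", and nests subcomponents under the product. The following is an added example (not code from vexctl, grype or the OpenVEX project) that normalizes a statement from either shape into the v0.2.0 shape and then checks whether a statement covers a given vulnerability/product/subcomponent triple. The embedded sample documents are constructed from the two shapes shown in the issue; the percent-decoding of purls (grype's example writes the digest colon as %3A) and the matching rules are this example's own assumptions, not anything the spec or grype is documented to do.

```python
"""Normalize OpenVEX statements from the pre-v0.2.0 shape into the v0.2.0
shape and test whether a statement applies to a product/subcomponent pair.
Added example; not vexctl/grype/openvex project code."""
import json
from urllib.parse import unquote

V020_CONTEXT = "https://openvex.dev/ns/v0.2.0"

# Constructed sample in the pre-v0.2.0 shape (what vexctl v0.2.3 emitted).
OLD_DOC = {
    "@context": "https://openvex.dev/ns",
    "@id": "https://openvex.dev/docs/public/vex-example-old",
    "author": "Unknown Author",
    "timestamp": "2023-11-07T11:21:21.107327Z",
    "version": "1",
    "statements": [{
        "vulnerability": "CVE-2022-1664",
        "products": ["pkg:oci/myapp@sha256:261e230db3d87f3d2df65182c3f0b2fdba02a93a319078641f2cb2168513b3c1"],
        "subcomponents": ["pkg:deb/debian/dpkg@1.18.25?arch=amd64&distro=debian-9"],
        "status": "not_affected",
        "justification": "vulnerable_code_not_present",
    }],
}

# Constructed sample in the v0.2.0 shape (what the grype README shows).
NEW_DOC = {
    "@context": V020_CONTEXT,
    "@id": "https://openvex.dev/docs/public/vex-example-new",
    "author": "A Grype User <jdoe@example.com>",
    "timestamp": "2023-07-17T18:28:47.696004345-06:00",
    "version": 1,
    "statements": [{
        "vulnerability": {"name": "CVE-2023-1255"},
        "products": [{
            "@id": "pkg:oci/alpine@sha256%3A124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126",
            "subcomponents": [{"@id": "pkg:apk/alpine/libssl3@3.0.8-r3"},
                              {"@id": "pkg:apk/alpine/libcrypto3@3.0.8-r3"}],
        }],
        "status": "fixed",
    }],
}


def _component(value):
    """A component in either shape -> v0.2.0 object carrying "@id"."""
    return {"@id": value} if isinstance(value, str) else dict(value)


def normalize_statement(stmt):
    """Return a copy of stmt in the v0.2.0 shape; v0.2.0 input is unchanged."""
    out = dict(stmt)
    if isinstance(stmt.get("vulnerability"), str):
        out["vulnerability"] = {"name": stmt["vulnerability"]}
    # Old shape: subcomponents live beside products and apply to every product.
    old_subs = [_component(s) for s in stmt.get("subcomponents", [])]
    products = []
    for p in stmt.get("products", []):
        prod = _component(p)
        if old_subs and "subcomponents" not in prod:
            prod["subcomponents"] = [dict(s) for s in old_subs]
        products.append(prod)
    out["products"] = products
    out.pop("subcomponents", None)
    return out


def normalize_document(doc):
    """Rewrite the context, the version type and every statement to v0.2.0."""
    out = dict(doc)
    out["@context"] = V020_CONTEXT
    if isinstance(out.get("version"), str) and out["version"].isdigit():
        out["version"] = int(out["version"])  # "1" -> 1, as in the new sample
    out["statements"] = [normalize_statement(s) for s in doc.get("statements", [])]
    return out


def _same_purl(a, b):
    # Assumption of this example: compare purls after percent-decoding so
    # "sha256%3A..." and "sha256:..." are treated as the same identifier.
    return unquote(a) == unquote(b)


def statement_matches(stmt, vuln, product, subcomponent=None):
    """True if the (either-shape) statement covers vuln on product.
    If subcomponent is given, the statement must either list it under the
    product or carry no subcomponents at all (whole-product statement)."""
    stmt = normalize_statement(stmt)
    if stmt["vulnerability"].get("name") != vuln:
        return False
    for prod in stmt["products"]:
        if not _same_purl(prod.get("@id", ""), product):
            continue
        subs = prod.get("subcomponents", [])
        if subcomponent is None or not subs:
            return True
        if any(_same_purl(s.get("@id", ""), subcomponent) for s in subs):
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(normalize_document(OLD_DOC), indent=2))
```

Normalizing before matching means a consumer keeps working on documents written by the older vexctl while the new release is rolled out; if the product purl you pass to the matcher is the one from the image manifest, remember that the encoded (%3A) and unencoded forms of the digest colon must be compared consistently, which is why the example decodes both sides.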

akcrisp commented 9 months ago

Can I get some feedback on the above ?

puerco commented 9 months ago

Oh sorry for the late reply @akcrisp! I see what is happening. Apparently, we did not cut a release of vexctl after the last library update. The last released version of vexctl is still producing documents with the previous version of the spec.

Please use the version at HEAD and we'll get a new release out today, thanks!

akcrisp commented 9 months ago

Brilliant, thanks very much :-)

puerco commented 9 months ago

Done, we've pushed out v0.2.5 which generates docs with v0.2.0 of the spec. Thanks for flagging this @akcrisp !