openvex / vexctl

A tool to create, transform and attest VEX metadata
Apache License 2.0

Multiple `--product` ignored since v0.2.5 #215

Closed felipecruz91 closed 2 months ago

felipecruz91 commented 2 months ago

Since v0.2.5, multiple products specified in the `--product` flag are not respected; only the last entry is included in the generated document.

Input:

./vexctl create \
  --product="pkg:apk/wolfi/git@2.39.0-r1?arch=x86_64" \
  --product="pkg:apk/wolfi/git@2.39.0-r1?arch=armv7" \
  --vuln="CVE-2023-12345" \
  --status="fixed"

v0.2.3 (working version)

The document contains both products as expected.

{
  "@context": "https://openvex.dev/ns",
  "@id": "https://openvex.dev/docs/public/vex-2613e8dc7264f6789755f29d2af472a62d062bfd2ca490daf79f80413a88d919",
  "author": "Unknown Author",
  "role": "Document Creator",
  "timestamp": "2024-07-08T16:08:40.017534+02:00",
  "version": "1",
  "statements": [
    {
      "vulnerability": "CVE-2023-12345",
      "products": [
        "pkg:apk/wolfi/git@2.39.0-r1?arch=armv7",
        "pkg:apk/wolfi/git@2.39.0-r1?arch=x86_64"
      ],
      "status": "fixed"
    }
  ]
}

v0.2.5 or later

The document contains only one product, which is the last one specified in the `--product` flag.

{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://openvex.dev/docs/public/vex-efaf99907d8597748979c0dec618c1f55fc247d11b43d5f0be8c96a68f7dda9f",
  "author": "Unknown Author",
  "timestamp": "2024-07-08T16:10:17.192584+02:00",
  "version": 1,
  "statements": [
    {
      "vulnerability": {
        "name": "CVE-2023-12345"
      },
      "timestamp": "2024-07-08T16:10:17.192585+02:00",
      "products": [
        {
          "@id": "pkg:apk/wolfi/git@2.39.0-r1?arch=armv7"
        }
      ],
      "status": "fixed"
    }
  ]
}
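As an added example (not vexctl's code and not part of this issue), a Go check that a release pipeline can run over the generated document to catch this kind of silent product loss: it accepts both product encodings shown above (bare purl strings in v0.2.3, `{"@id": ...}` objects in v0.2.5) and reports every intended product that no statement covers. The embedded sample document is constructed to mirror the v0.2.5 output.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// product accepts both encodings vexctl has emitted: a bare purl string (v0.2.3) or an {"@id": ...} object (v0.2.5).
type product struct{ ID string }

func (p *product) UnmarshalJSON(b []byte) error {
	if json.Unmarshal(b, &p.ID) == nil {
		return nil // plain string form
	}
	var obj struct{ ID string `json:"@id"` }
	err := json.Unmarshal(b, &obj)
	p.ID = obj.ID
	return err
}

type statement struct{ Products []product `json:"products"` }

// MissingProducts returns every expected identifier that no statement in the
// OpenVEX document covers, in the order given; an empty slice means full coverage.
func MissingProducts(doc []byte, expected []string) ([]string, error) {
	var d struct{ Statements []statement `json:"statements"` }
	if err := json.Unmarshal(doc, &d); err != nil {
		return nil, err
	}
	covered := map[string]bool{}
	for _, st := range d.Statements {
		for _, p := range st.Products {
			covered[p.ID] = true
		}
	}
	missing := []string{}
	for _, id := range expected {
		if !covered[id] {
			missing = append(missing, id)
		}
	}
	return missing, nil
}

// Constructed sample shaped like the v0.2.5 output above: only the last --product survived.
const truncatedDoc = `{"@context":"https://openvex.dev/ns/v0.2.0","statements":[{"vulnerability":{"name":"CVE-2023-12345"},"products":[{"@id":"pkg:apk/wolfi/git@2.39.0-r1?arch=armv7"}],"status":"fixed"}]}`
func main() {
	wanted := []string{"pkg:apk/wolfi/git@2.39.0-r1?arch=x86_64", "pkg:apk/wolfi/git@2.39.0-r1?arch=armv7"}
	missing, err := MissingProducts([]byte(truncatedDoc), wanted)
	fmt.Println("missing from VEX document:", missing, err) // [pkg:apk/wolfi/git@2.39.0-r1?arch=x86_64] <nil>
}
```

A non-empty result should fail the pipeline step, since a product absent from the statement is simply not covered by the VEX assertion.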
felipecruz91 commented 2 weeks ago

@puerco Are there any plans on cutting a new release including this fix any time soon?