Closed felipecruz91 closed 2 months ago
Since v0.2.5 multiple products specified in the --product flag are not respected, only the last entry is included in the generated document.
--product
Input:
./vexctl create \ --product="pkg:apk/wolfi/git@2.39.0-r1?arch=x86_64" \ --product="pkg:apk/wolfi/git@2.39.0-r1?arch=armv7" \ --vuln="CVE-2023-12345" \ --status="fixed"
The document contains both products as expected.
{ "@context": "https://openvex.dev/ns", "@id": "https://openvex.dev/docs/public/vex-2613e8dc7264f6789755f29d2af472a62d062bfd2ca490daf79f80413a88d919", "author": "Unknown Author", "role": "Document Creator", "timestamp": "2024-07-08T16:08:40.017534+02:00", "version": "1", "statements": [ { "vulnerability": "CVE-2023-12345", "products": [ "pkg:apk/wolfi/git@2.39.0-r1?arch=armv7", "pkg:apk/wolfi/git@2.39.0-r1?arch=x86_64" ], "status": "fixed" } ] }
The document contains only one product which is the last one specified in the --product flag.
{ "@context": "https://openvex.dev/ns/v0.2.0", "@id": "https://openvex.dev/docs/public/vex-efaf99907d8597748979c0dec618c1f55fc247d11b43d5f0be8c96a68f7dda9f", "author": "Unknown Author", "timestamp": "2024-07-08T16:10:17.192584+02:00", "version": 1, "statements": [ { "vulnerability": { "name": "CVE-2023-12345" }, "timestamp": "2024-07-08T16:10:17.192585+02:00", "products": [ { "@id": "pkg:apk/wolfi/git@2.39.0-r1?arch=armv7" } ], "status": "fixed" } ] }
@puerco Are there any plans on cutting a new release including this fix any time soon?
Since v0.2.5 multiple products specified in the
--product
flag are not respected, only the last entry is included in the generated document.Input:
v0.2.3 (working version)
The document contains both products as expected.
v0.2.5 or later.
The document contains only one product which is the last one specified in the
--product
flag.