Closed macedogm closed 2 months ago
Yep, I think we need to have some kind of aliases.
@puerco is that something we should add?
For context, govulncheck produces multiple corresponding aliases, because their main identifier is the Go vulnerability ID, not CVE, plus a CVE can also have a GHSA identifier.
Having the ability to add aliases makes automation work easier between, for example, govulncheck > vexctl > Trivy/Grype. Of course, it's possible to create some glue scripts to add the aliases later.
I went ahead and did an initial implementation in https://github.com/openvex/vexctl/pull/220 (easier to do with `vexctl` than having to deal with `jq` to update VEX files). Hope that it helps.
Is there a way, please, to add a vulnerability that has multiple aliases with `vexctl add`, for example:
My current understanding is that we can only add one vulnerability ID and no aliases, unless I missed the right syntax.
~~If this isn't currently supported, would a PR be accepted? I believe that the support must be added in https://github.com/openvex/go-vex/blob/8dad46c35e3c6e45b43abc9641901f2d5c2c450f/pkg/vex/statement.go#L19 .~~
Update: I looked at the wrong file above, because the `aliases` field is already present in the `vulnerability` struct -> https://github.com/openvex/go-vex/blob/8dad46c35e3c6e45b43abc9641901f2d5c2c450f/pkg/vex/vulnerability.go#L22 , so it appears that we only need to add support for the `vexctl add ...` CLI.