openvex / vexctl

A tool to create, transform and attest VEX metadata
Apache License 2.0

Support for vulnerability with multiple aliases #219

Closed macedogm closed 2 months ago

macedogm commented 2 months ago

Is there a way, please, to add a vulnerability that has multiple aliases with vexctl add, for example:

    {
      "vulnerability": {
        "@id": "https://pkg.go.dev/vuln/GO-2022-0646",
        "name": "GO-2022-0646",
        "description": "Use of risky cryptographic algorithm in github.com/aws/aws-sdk-go",
        "aliases": [
          "CVE-2020-8911",
          "CVE-2020-8912",
          "GHSA-7f33-f4f5-xwgw",
          "GHSA-f5pg-7wfw-84q9"
        ]
      },
      "products": [
        {
          "@id": "pkg:golang/github.com/aws/aws-sdk-go@1.51.21"
        }
      ],
      "status": "not_affected",
      "justification": "vulnerable_code_not_present",
      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
    }

My current understanding is that we can only add one vulnerability ID and no aliases, unless I missed the right syntax.

~~If this isn't currently supported, would a PR be accepted? I believe that the support must be added in https://github.com/openvex/go-vex/blob/8dad46c35e3c6e45b43abc9641901f2d5c2c450f/pkg/vex/statement.go#L19 .~~

Update: I looked at the wrong file above, because the aliases field is already present in the vulnerability struct -> https://github.com/openvex/go-vex/blob/8dad46c35e3c6e45b43abc9641901f2d5c2c450f/pkg/vex/vulnerability.go#L22 , so it appears that we only need to add support for the vexctl add ... cli.

cpanato commented 2 months ago

Yep, I think we need to have some kind of aliases.

@puerco is that something we should add?

macedogm commented 2 months ago

For context, govulncheck produces multiple corresponding aliases, because their main identifier is the Go vulnerability ID, not CVE, plus a CVE can also have a GHSA identifier.

Having the ability to add aliases makes automation work easier between, for example, govulncheck > vexctl > Trivy/Grype. Of course, it's possible to create some glue scripts to add the aliases later.
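The "glue script" step mentioned in the comment above, as an added example that is not part of this thread, of vexctl or of go-vex: a small Go program that reads an OpenVEX document, attaches the aliases govulncheck reports for a vulnerability to the matching statement, and writes the document back. It uses only the standard library. The `Document`/`Statement`/`Vulnerability` types are a minimal subset written for this example (they are not go-vex's types, so fields they do not model would be dropped on round-trip), and the sample document, including its `@context` and `@id`, is constructed here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Minimal subset of an OpenVEX document, using the field names from the
// statement quoted in this issue. Example-only types, not go-vex's.
type Vulnerability struct {
	ID          string   `json:"@id,omitempty"`
	Name        string   `json:"name"`
	Description string   `json:"description,omitempty"`
	Aliases     []string `json:"aliases,omitempty"`
}

type Product struct {
	ID string `json:"@id"`
}

type Statement struct {
	Vulnerability   Vulnerability `json:"vulnerability"`
	Products        []Product     `json:"products"`
	Status          string        `json:"status"`
	Justification   string        `json:"justification,omitempty"`
	ImpactStatement string        `json:"impact_statement,omitempty"`
}

type Document struct {
	Context    string      `json:"@context"`
	ID         string      `json:"@id"`
	Author     string      `json:"author"`
	Timestamp  string      `json:"timestamp"`
	Version    int         `json:"version"`
	Statements []Statement `json:"statements"`
}

// ParseVEX decodes a document from JSON.
func ParseVEX(input []byte) (*Document, error) {
	var doc Document
	if err := json.Unmarshal(input, &doc); err != nil {
		return nil, fmt.Errorf("parse VEX document: %w", err)
	}
	return &doc, nil
}

// AddAliases attaches aliases to every statement whose vulnerability name or
// @id equals vulnID. Duplicates, empty strings and the primary name itself are
// dropped, and the list is kept sorted so that running the step twice yields
// the same document. Returns the number of statements touched.
func AddAliases(doc *Document, vulnID string, aliases []string) int {
	touched := 0
	for i := range doc.Statements {
		v := &doc.Statements[i].Vulnerability
		if v.Name != vulnID && v.ID != vulnID {
			continue
		}
		seen := make(map[string]bool, len(v.Aliases))
		for _, a := range v.Aliases {
			seen[a] = true
		}
		for _, a := range aliases {
			if a == "" || a == v.Name || seen[a] {
				continue
			}
			seen[a] = true
			v.Aliases = append(v.Aliases, a)
		}
		sort.Strings(v.Aliases)
		touched++
	}
	return touched
}

// PatchVEX is the whole glue step: parse, add aliases, re-encode.
func PatchVEX(input []byte, vulnID string, aliases []string) ([]byte, int, error) {
	doc, err := ParseVEX(input)
	if err != nil {
		return nil, 0, err
	}
	n := AddAliases(doc, vulnID, aliases)
	out, err := json.MarshalIndent(doc, "", "  ")
	return out, n, err
}

// Constructed sample: the statement from the issue without aliases. The
// @context, @id, author and timestamp are placeholders for this example.
const sampleVEX = `{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://example.com/vex/aws-sdk-go-1",
  "author": "example author",
  "timestamp": "2024-04-01T00:00:00Z",
  "version": 1,
  "statements": [{
    "vulnerability": {"@id": "https://pkg.go.dev/vuln/GO-2022-0646", "name": "GO-2022-0646"},
    "products": [{"@id": "pkg:golang/github.com/aws/aws-sdk-go@1.51.21"}],
    "status": "not_affected",
    "justification": "vulnerable_code_not_present"
  }]
}`

// Aliases for GO-2022-0646 as listed in the issue.
var govulncheckAliases = []string{
	"CVE-2020-8911", "CVE-2020-8912", "GHSA-7f33-f4f5-xwgw", "GHSA-f5pg-7wfw-84q9",
}

func main() {
	out, n, err := PatchVEX([]byte(sampleVEX), "GO-2022-0646", govulncheckAliases)
	if err != nil {
		panic(err)
	}
	fmt.Printf("updated %d statement(s)\n%s\n", n, out)
}
```

Matching on either `name` or `@id` matters in the govulncheck > vexctl > scanner flow: the Go vulnerability ID is what govulncheck emits, while the scanner on the receiving end may look up the statement by a CVE or GHSA alias, so the aliases need to land on the one statement that carries the product's `not_affected` status rather than on a duplicate.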

macedogm commented 2 months ago

I went ahead and did an initial implementation in https://github.com/openvex/vexctl/pull/220 (easier to do with vexctl than having to deal with jq to update Vex files). Hope that it helps.