Merge multiple affected products with the same CVE ID together

[macedogm]

When vexctl merges documents that have the same CVE ID, even if the affected products/subcomponents are the same, the new document will contain one statement for each CVE ID merged. For example, suppose that we have 2 documents that have the same CVE ID CVE-1234-5678, but the affected products differ, pkg:apk/wolfi/bash@1.0.0 and pkg:apk/wolfi/bash@1.5.0.

Doc 1 - doc-1-bash-1.0.0.vex.json

{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://openvex.dev/docs/public/vex-0f3be8817faafa24e4bfb3d17eaf619efb1fe54923b9c42c57b156a936b91431",
  "author": "John Doe",
  "role": "Senior Trusted VEX Issuer",
  "version": 1,
  "statements": [
    {
      "vulnerability": {
        "name": "CVE-1234-5678"
      },
      "products": [
        {
          "@id": "pkg:apk/wolfi/bash@1.0.0"
        }
      ],
      "status": "under_investigation",
      "timestamp": "2023-12-05T05:04:34.77929922Z"
    }
  ],
  "timestamp": "2023-12-05T05:04:34.77929844Z"
}

Doc 2 - doc-2-bash-1.5.0.vex.json

{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://openvex.dev/docs/public/vex-0f3be8817faafa24e4bfb3d17eaf619efb1fe54923b9c42c57b156a936b91431",
  "author": "John Doe",
  "role": "Senior Trusted VEX Issuer",
  "version": 1,
  "statements": [
    {
      "vulnerability": {
        "name": "CVE-1234-5678"
      },
      "products": [
        {
          "@id": "pkg:apk/wolfi/bash@1.5.0"
        }
      ],
      "status": "under_investigation",
      "timestamp": "2023-12-05T05:04:34.77929922Z"
    }
  ],
  "timestamp": "2023-12-05T05:04:34.77929844Z"
}

The merged doc will be:

{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "merged-vex-318615fd4367a52301a6f47023c40190c788b864c360eb94fd8109c913a4a77d",
  "author": "Unknown Author",
  "timestamp": "2024-07-12T18:19:33.041047414-03:00",
  "version": 1,
  "statements": [
    {
      "vulnerability": {
        "name": "CVE-1234-5678"
      },
      "timestamp": "2023-12-05T05:04:34.77929922Z",
      "products": [
        {
          "@id": "pkg:apk/wolfi/bash@1.0.0"
        }
      ],
      "status": "under_investigation"
    },
    {
      "vulnerability": {
        "name": "CVE-1234-5678"
      },
      "timestamp": "2023-12-05T05:04:34.77929922Z",
      "products": [
        {
          "@id": "pkg:apk/wolfi/bash@1.5.0"
        }
      ],
      "status": "under_investigation"
    }
  ]
}

If we keep merging docs that contain the same CVE ID, the number of statement will grow proportionally.

Would it make sense to combine the products inside the structure products[] if certain conditions are meet, for example, (CVE IDs are equal) AND (statuses are equal) AND (justifications, if present, are equal) AND (action statements, if present, are equal) AND (impact statements, if present, are equal) AND (status notes, if present, are equal)? Products, and their affected subcomponents, can vary. Ideally, this can help make the merged docs smaller and concise, specially if automation is used to scan and merge multiple docs together.

Example of a possible concise ("compact") version:

{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "merged-vex-318615fd4367a52301a6f47023c40190c788b864c360eb94fd8109c913a4a77d",
  "author": "Unknown Author",
  "timestamp": "2024-07-12T18:32:19.084311228-03:00",
  "version": 1,
  "statements": [
    {
      "vulnerability": {
        "name": "CVE-1234-5678"
      },
      "timestamp": "2023-12-05T05:04:34.77929922Z",
      "products": [
        { "@id": "pkg:apk/wolfi/bash@1.0.0" },
        { "@id": "pkg:apk/wolfi/bash@1.5.0" }
      ],
      "status": "under_investigation"
    }
  ]
}

Apologies if this isn't the right place to ask or discuss about this. Please let me know if I should direct this conversation to a different channel. Thanks!

[macedogm]

Note: I plan to submit a PR with a proposal for this (as soon as I get spare time).