openvex / vexctl

A tool to create, transform and attest VEX metadata
Apache License 2.0

vexctl show command referenced but not present #25

Closed brandtkeller closed 1 year ago

brandtkeller commented 1 year ago

As I started to play with vexctl - the vexctl references a vexctl show command for both status and justification as a potential helper command for the users.

vexctl show statuses

vexctl show justifications

Is the intent that there might be a helper command show that presents some static information? Both functions look to be listing a predetermined set of possible options after looking at openvex.

Open to assisting here if interested.

puerco commented 1 year ago

Thanks for reporting this @brandtkeller!

Yes I think that was the intent, just a helpful way to print the values for users writing their statements. They are constants defined already in the go-vex/vex package:

https://github.com/openvex/go-vex/blob/88cbbf4a6ed0a2349b74653440ab1a70e23555bc/pkg/vex/justification.go#L12-L48

I'm starting work on other parts of the vexctl show subcommand, if you want to help building this part you are more than welcome, if not I'll add these very soon :)

chipzoller commented 1 year ago

I just discovered this as well and found the show subcommand to be missing.

madchap commented 1 year ago

It looks like the --author flag to the create command is not honored either.

$ vexctl create --author="Fred" --product="$VEX_PRODUCT" --vuln="$VEX_CVE" --status="$VEX_STATUS" --justification="$VEX_JUSTIFICATION"
{
  "@context": "https://openvex.dev/ns",
  "@id": "https://openvex.dev/docs/public/vex-391c7f7828a3c2b044da23d8d814db972fef87b38ebce0ceb77c9c523cd30025",
  "author": "Unknown Author",
  "role": "Document Creator",
  "timestamp": "2023-07-16T08:46:25.325955149+02:00",
  "version": "1",
  "statements": [
    {
      "vulnerability": "CVE-2023-34362",
      "products": [
        "pkg:generic/test@5.7.0&checksum=sha256:de4d501267da"
      ],
      "status": "not_affected",
      "justification": "component_not_present"
    }
  ]
}
GitVersion:    v0.2.0
GitCommit:     unknown
GitTreeState:  unknown
BuildDate:     unknown
GoVersion:     go1.20.5
Compiler:      gc
Platform:      linux/amd64

chipzoller commented 1 year ago

@puerco, the show command is still missing as of 0.2.3 which prevents users from running commands vexctl show statuses and vexctl show justifications as advertised in the help for vexctl create -h.

puerco commented 1 year ago

This feature is now implemented as vexctl list, thanks for fixing it @brandtkeller!
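A consumer-side check for the two problems raised in this thread (status and justification values that users have to guess, and a document carrying the "Unknown Author" placeholder), as an added example that is not vexctl or go-vex code. The `lintVEX` helper is hypothetical, the value sets are typed in from the OpenVEX specification rather than imported from go-vex, and the not_affected rule assumes the specification's requirement that such a statement carries a justification or an impact statement.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Value sets typed in from the OpenVEX specification, not imported from go-vex.
var statuses = map[string]bool{"not_affected": true, "affected": true, "fixed": true, "under_investigation": true}
var justifications = map[string]bool{
	"component_not_present": true, "vulnerable_code_not_present": true,
	"vulnerable_code_not_in_execute_path": true, "inline_mitigations_already_exist": true,
	"vulnerable_code_cannot_be_controlled_by_adversary": true,
}

// lintVEX (hypothetical helper) returns one finding per problem in an OpenVEX document.
func lintVEX(raw []byte) (findings []string, err error) {
	var doc struct {
		Author     string `json:"author"`
		Statements []struct {
			Status          string `json:"status"`
			Justification   string `json:"justification"`
			ImpactStatement string `json:"impact_statement"`
		} `json:"statements"`
	}
	if err := json.Unmarshal(raw, &doc); err != nil {
		return nil, err
	}
	add := func(format string, a ...any) { findings = append(findings, fmt.Sprintf(format, a...)) }
	if doc.Author == "" || doc.Author == "Unknown Author" {
		add("author is empty or the placeholder %q", "Unknown Author")
	}
	for i, s := range doc.Statements {
		if !statuses[s.Status] {
			add("statement %d: unknown status %q", i, s.Status)
		}
		if s.Justification != "" && !justifications[s.Justification] {
			add("statement %d: unknown justification %q", i, s.Justification)
		}
		if s.Status == "not_affected" && s.Justification == "" && s.ImpactStatement == "" {
			add("statement %d: not_affected needs a justification or impact_statement", i)
		}
	}
	return findings, nil
}

// Constructed sample: the document quoted in the thread, trimmed to the linted fields.
const sample = `{"author":"Unknown Author","statements":[{"status":"not_affected","justification":"component_not_present"}]}`

func main() { fmt.Println(lintVEX([]byte(sample))) }
```

Run against the document quoted above, it reports only the placeholder author; the statement itself uses a valid status and justification.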