Closed chipzoller closed 1 year ago
Thanks for the issue @chipzoller !
I think this was fixed at some point as I'm not getting the same behavior when running vexctl at HEAD:
    go run . create --author foo --author-role bar -p "pkg:apk/wolfi/git@2.39.0-r1?arch=x86_64" -v CVE-2022-39260 -s fixed

    {
      "@context": "https://openvex.dev/ns",
      "@id": "https://openvex.dev/docs/public/vex-6362559bd355c78d972e0dc27b0380cd431bba0d7f399752264858eccd5b3266",
      "author": "foo",
      "role": "bar",
      "timestamp": "2023-07-05T19:28:04.111863814-06:00",
      "version": "1",
      "statements": [
        {
          "vulnerability": "CVE-2022-39260",
          "products": [
            "pkg:apk/wolfi/git@2.39.0-r1?arch=x86_64"
          ],
          "status": "fixed"
        }
      ]
    }
(I do get it at v0.2.0)
We're cutting a new release of go-vex and vexctl which should fix it when running on the latest tagged version.
The canonical hash on the document ID does not take into account the author information. It is generated from the statement data, but perhaps it would be a good idea to add those fields into the mix too.
See related issue #88 which sounds like it will impact that document ID.
This is the already merged fix for the author and role data: https://github.com/openvex/vexctl/pull/27
Thanks for noticing @ferozsalam !
Version: v0.2.0
When using either --author or --author-role flags to the vexctl create command, the values are not passed into the final document:
My expectation is the following output:
Since, presumably, the @id field's value is a hash of the generated contents, manually changing the author and/or role fields after generation would result in an invalid document.
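The two positions in this thread (an @id derived from the statement data only, versus the report's presumption that it covers the whole document) can be compared with the added example below, which is not go-vex or vexctl code. The Statement and Doc types, the canonical form, and the DocID function are assumptions made for illustration; only the field values come from the output shown in the thread.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Statement and Doc carry only the fields visible in the thread's output.
type Statement struct {
	Vulnerability string
	Products      []string
	Status        string
}

type Doc struct {
	Author, Role string
	Statements   []Statement
}

// canonical builds a deterministic string from the statements. Assumed scheme
// (quoted fields, sorted products, sorted lines), not go-vex's real algorithm.
func canonical(d Doc) string {
	lines := make([]string, 0, len(d.Statements))
	for _, s := range d.Statements {
		p := append([]string(nil), s.Products...)
		sort.Strings(p)
		lines = append(lines, fmt.Sprintf("%q %q %q", s.Vulnerability, s.Status, p))
	}
	sort.Strings(lines)
	return strings.Join(lines, "\n")
}

// DocID hashes the statements only, or author and role too when bindMeta is set.
func DocID(d Doc, bindMeta bool) string {
	in := canonical(d)
	if bindMeta {
		in = fmt.Sprintf("%q %q\n", d.Author, d.Role) + in
	}
	sum := sha256.Sum256([]byte(in))
	return "vex-" + hex.EncodeToString(sum[:])
}

func main() {
	d := Doc{"foo", "bar", []Statement{{"CVE-2022-39260",
		[]string{"pkg:apk/wolfi/git@2.39.0-r1?arch=x86_64"}, "fixed"}}}
	edited := d
	edited.Author = "someone-else" // constructed value: author edited after generation
	fmt.Println("statements-only ID unchanged:", DocID(d, false) == DocID(edited, false))
	fmt.Println("metadata-bound ID unchanged: ", DocID(d, true) == DocID(edited, true))
}
```

With a statements-only ID, a consumer cannot use the @id to detect a changed author or role; that check only works if those fields are part of the hashed input.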