openvex / vexctl

A tool to create, transform and attest VEX metadata
Apache License 2.0

`--author` and `--author-role` flag values are not passed #87

Closed chipzoller closed 1 year ago

chipzoller commented 1 year ago

Version: v0.2.0

When using either --author or --author-role flags to the vexctl create command, the values are not passed into the final document:

vexctl create --author foo --author-role bar -p "pkg:apk/wolfi/git@2.39.0-r1?arch=x86_64" -v CVE-2022-39260 -s fixed
{
  "@context": "https://openvex.dev/ns",
  "@id": "https://openvex.dev/docs/public/vex-44d6d65b95727ed7d86672ec3d310662408ded2496ebb77fb11c56e70b53df15",
  "author": "Unknown Author",
  "role": "Document Creator",
  "timestamp": "2023-07-05T20:09:39.505766-05:00",
  "version": "1",
  "statements": [
    {
      "vulnerability": "CVE-2022-39260",
      "products": [
        "pkg:apk/wolfi/git@2.39.0-r1?arch=x86_64"
      ],
      "status": "fixed"
    }
  ]
}

My expectation is the following output:

{
  "@context": "https://openvex.dev/ns",
  "@id": "https://openvex.dev/docs/public/vex-44d6d65b95727ed7d86672ec3d310662408ded2496ebb77fb11c56e70b53df15",
  "author": "foo",
  "role": "bar",
  "timestamp": "2023-07-05T20:09:39.505766-05:00",
  "version": "1",
  "statements": [
    {
      "vulnerability": "CVE-2022-39260",
      "products": [
        "pkg:apk/wolfi/git@2.39.0-r1?arch=x86_64"
      ],
      "status": "fixed"
    }
  ]
}

Since, presumably, the @id field's value is a hash of the generated contents, manually changing the author and/or role fields after generation would result in an invalid document.

puerco commented 1 year ago

Thanks for the issue @chipzoller !

I think this was fixed at some point as I'm not getting the same behavior when running vexctl at HEAD:

go run . create --author foo --author-role bar -p "pkg:apk/wolfi/git@2.39.0-r1?arch=x86_64" -v CVE-2022-39260 -s fixed
{
  "@context": "https://openvex.dev/ns",
  "@id": "https://openvex.dev/docs/public/vex-6362559bd355c78d972e0dc27b0380cd431bba0d7f399752264858eccd5b3266",
  "author": "foo",
  "role": "bar",
  "timestamp": "2023-07-05T19:28:04.111863814-06:00",
  "version": "1",
  "statements": [
    {
      "vulnerability": "CVE-2022-39260",
      "products": [
        "pkg:apk/wolfi/git@2.39.0-r1?arch=x86_64"
      ],
      "status": "fixed"
    }
  ]
}

(I do get it at v0.2.0)

We're cutting a new release of go-vex and vexctl which should fix it when running on the latest tagged version.

puerco commented 1 year ago

The canonical hash on the document ID does not take into account the author information. It is generated from the statement data, but perhaps it would be a good idea to add those fields into the mix too.
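
A consumer-side sanity check for the two points raised in this thread (the dropped `--author`/`--author-role` values, and the `@id` being a `vex-<sha256>` URL derived from the statements rather than the authorship). This is an added example, not vexctl or go-vex code; the placeholder strings and the `@id` shape are taken from the outputs quoted above, the sample documents are constructed copies of those outputs, and the check does not reimplement go-vex's canonical hashing.

```python
"""Reject OpenVEX documents whose authorship is still the tool's placeholder."""
import json
import re
from typing import List, Optional

# Defaults that vexctl v0.2.0 emitted when the flag values were dropped (from the issue).
PLACEHOLDER_AUTHOR = "Unknown Author"
PLACEHOLDER_ROLE = "Document Creator"
# Shape of the IDs in the quoted outputs: a vex-<64 hex chars> URL under openvex.dev.
ID_PATTERN = re.compile(r"^https://openvex\.dev/docs/public/vex-[0-9a-f]{64}$")

def check_vex_metadata(doc_text: str, expected_author: Optional[str] = None,
                       expected_role: Optional[str] = None) -> List[str]:
    """Return a list of findings; an empty list means the document passes."""
    doc = json.loads(doc_text)
    findings = []
    if doc.get("@context") != "https://openvex.dev/ns":
        findings.append("unexpected or missing @context")
    if not ID_PATTERN.match(doc.get("@id", "")):
        findings.append("@id is not of the form vex-<sha256 hex>")
    author, role = doc.get("author"), doc.get("role")
    if not author or author == PLACEHOLDER_AUTHOR:
        findings.append(f"author missing or placeholder: {author!r}")
    if not role or role == PLACEHOLDER_ROLE:
        findings.append(f"role missing or placeholder: {role!r}")
    if expected_author is not None and author != expected_author:
        findings.append(f"author {author!r} != expected {expected_author!r}")
    if expected_role is not None and role != expected_role:
        findings.append(f"role {role!r} != expected {expected_role!r}")
    if not doc.get("statements"):
        findings.append("document has no statements")
    return findings

# Constructed samples mirroring the v0.2.0 output and the expected output above.
STATEMENT = ('{"vulnerability": "CVE-2022-39260", "products": '
             '["pkg:apk/wolfi/git@2.39.0-r1?arch=x86_64"], "status": "fixed"}')
DOC_ID = ("https://openvex.dev/docs/public/"
          "vex-44d6d65b95727ed7d86672ec3d310662408ded2496ebb77fb11c56e70b53df15")
BUGGY_DOC = ('{"@context": "https://openvex.dev/ns", "@id": "%s", "author": "%s", '
             '"role": "%s", "version": "1", "statements": [%s]}'
             % (DOC_ID, PLACEHOLDER_AUTHOR, PLACEHOLDER_ROLE, STATEMENT))
GOOD_DOC = ('{"@context": "https://openvex.dev/ns", "@id": "%s", "author": "foo", '
            '"role": "bar", "version": "1", "statements": [%s]}' % (DOC_ID, STATEMENT))

if __name__ == "__main__":
    for name, doc in (("v0.2.0 output", BUGGY_DOC), ("expected output", GOOD_DOC)):
        print(name, "->", check_vex_metadata(doc, "foo", "bar") or "OK")
```

Wiring this into the pipeline that consumes vexctl output catches the regression described here before a document with placeholder authorship is attested or published.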

chipzoller commented 1 year ago

See related issue #88 which sounds like it will impact that document ID.

ferozsalam commented 1 year ago

This is the already merged fix for the author and role data: https://github.com/openvex/vexctl/pull/27

puerco commented 1 year ago

Thanks for noticing @ferozsalam !