Add initial support for embedded CycloneDX VEX documents #678
The first cut of this VEX PR is done. I have opted to go with an embedded VEX for now so that it is portable across input SBOMs; we can add support for external VEX once the upstream syft PR lands and we have more discussions on how we want to pass format specific data around in grype (in this case the cdx bom's uuid). I have also opted to generate a minimal list of components for the embedded VEX which use the same bom ref generation process as the sibling syft PR anchore/syft#914. Finally, from conversations with the cyclonedx core team, I have verified that in case of embedded vex documents, the target ref needs to be a bom ref and not an external link. I have put up a PR at CycloneDX/specification#136 to document the same in the upstream spec. Finally, I have added an initial vuln. analysis state of "in_triage" which we can expand upon in the future with something like
```go
// TODO: In the future we may want to dedupe by PURL and combine components with
// the same PURL while preserving their unique metadata.
if parsedPURL, err := packageurl.FromString(p.PURL); err == nil {
	parsedPURL.Qualifiers = append(parsedPURL.Qualifiers, packageurl.Qualifier{Key: "syft-id", Value: string(p.ID)})
```
there is no longer a guarantee that the input SBOM will be from syft, so having a `syft-id` key here could be misleading in some cases. (also, if we make a change here, we should probably head back to syft and match these approaches up... maybe simply `id` would suffice?)
```go
embeddedVEXJSON format = "embedded-cyclonedx-vex-json"
embeddedVEXXML  format = "embedded-cyclonedx-vex-xml"
```
these are accurate, though pretty verbose. I'll give a little more thought to something that is shorter / friendlier to input.
I don't have any suggestions for how these could be shorter. @wagoodman did you still have thoughts?
👋🏻 @samj1912, do you need a hand with the changes? We'd be glad to help :)
I think the PR is functionally complete. Waiting for @wagoodman's reply on better output format names. As for the `syft-id`/`id` comment, will address that soon but I think we should use something more specific than `id`. Maybe `package-id`? Thoughts?
@samj1912 that is great, I'll give it a try. It sounds good to me to use package ids.
Signed-off-by: Sambhav Kothari <skothari44@bloomberg.net>
Updated this PR to reflect the comments around `syft-id` v/s `package-id`.
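As an added example (not code from this PR or from grype): the check that the description above relies on, that every `affects.ref` in an embedded CycloneDX VEX resolves to a `bom-ref` inside the same document rather than to an external BOM-Link, run over a constructed document whose component `bom-ref` is its PURL plus the `package-id` qualifier settled on in the comments. The sample document, its placeholder CVE ids and zero UUID are constructed, and the JSON model is trimmed to the fields the check needs.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Only the CycloneDX fields that the embedded-VEX ref check needs.
type BOM struct {
	Components      []struct{ BOMRef string `json:"bom-ref"` } `json:"components"`
	Vulnerabilities []struct {
		ID      string                              `json:"id"`
		Affects []struct{ Ref string `json:"ref"` } `json:"affects"`
	} `json:"vulnerabilities"`
}
// DanglingRefs lists every affects.ref that names no bom-ref in this document;
// an embedded VEX must yield none, since its refs are bom-refs, not external BOM-Links.
func DanglingRefs(raw []byte) ([]string, error) {
	var b BOM
	if err := json.Unmarshal(raw, &b); err != nil {
		return nil, err
	}
	known := map[string]bool{}
	for _, c := range b.Components {
		known[c.BOMRef] = true
	}
	var missing []string
	for _, v := range b.Vulnerabilities {
		for _, a := range v.Affects {
			if !known[a.Ref] {
				missing = append(missing, v.ID+" -> "+a.Ref)
			}
		}
	}
	return missing, nil
}
// Constructed sample (placeholder CVE ids and UUID): the component's bom-ref is its PURL plus a
// package-id qualifier; the first finding points at it, the second at an external BOM-Link.
const sampleVEX = `{"bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [{"type": "library", "name": "openssl", "purl": "pkg:deb/debian/openssl@1.1.1n-0+deb11u3?arch=amd64",
    "bom-ref": "pkg:deb/debian/openssl@1.1.1n-0+deb11u3?arch=amd64&package-id=c0ffee"}],
  "vulnerabilities": [
    {"id": "CVE-0000-00000", "analysis": {"state": "in_triage"},
     "affects": [{"ref": "pkg:deb/debian/openssl@1.1.1n-0+deb11u3?arch=amd64&package-id=c0ffee"}]},
    {"id": "CVE-0000-00001", "analysis": {"state": "in_triage"},
     "affects": [{"ref": "urn:cdx:00000000-0000-0000-0000-000000000000/1#openssl"}]}]}`

func main() {
	missing, err := DanglingRefs([]byte(sampleVEX))
	fmt.Println(missing, err)
}
```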
Approved! Thanks for the contribution @samj1912. I tagged @wagoodman on his comment regarding verbosity of options, but after giving this a run locally and looking at the code I don't see any issues.
@samj1912 Thanks 👏🏻
Signed-off-by: Sambhav Kothari <skothari44@bloomberg.net>
Fixes #591
This adds some initial support for CycloneDX VEX documents. There are a couple of things we will need to think through -
Marking it as a draft while we resolve the above questions.
cc: @luhring, @wagoodman, @spiffcs, @kzantow, @stevespringett, @coderpatros, @nscuro