Implement the CSAF VEX output view #107 #213

Merged
merged 14 commits into from
Dec 19, 2024

Conversation

tdruez
Contributor

@tdruez tdruez commented Dec 17, 2024

CRAVEX: Export VEX document: CSAF #107

Those changes add the ability to download a CSAF VEX document from the Product details view "Share" menu.

Note: You can use the https://secvisogram.github.io/ tool to load the exported CSAF document and check the validity.

@DennisClark
Member

@tdruez Looks like a good start on the CSAF. I generated a CSAF VEX from Product CargoManager 2.9.5 in Staging Starship and loaded it into the secvisogram online tool, and it found 4 errors, all related to CVE values being in the wrong format. Those 4 vulnerability entries have a VCID value in the cve field; I suppose it's possible that the program is doing that when there is no CVE value available for a DejaCode vulnerability. The other 35 vulnerabilities in the document are valid. See screenshots and attached files. Please let me know if you need any more details.

Screenshots: secvisogram-errors-2024-12-17, CSAF-excerpt-2024-12-17

dejacode_starship_product_cargomanager_2.9.5.csaf.vex.json

dejacode_starship_product_cargomanager_2.9.5.cdx.json

@DennisClark
Member

from the spec:

3.2.3.2 Vulnerabilities Property - CVE
CVE (cve) of value type string with pattern (regular expression):
    ^CVE-[0-9]{4}-[0-9]{4,}$
holds the MITRE standard Common Vulnerabilities and Exposures (CVE) tracking number for the vulnerability.

and it might be possible simply to leave it out if there is no CVE available.

@DennisClark
Member

and perhaps we should use this property for VCID values:

3.2.3.6 Vulnerabilities Property - IDs

List of IDs (ids) of value type array with one or more unique ID items of value type object represents a list of unique labels or tracking IDs for the vulnerability (if such information exists).

    "ids": {
      // ...
      "items": {
        // ...
      }
    },

Every ID item of value type object with the two mandatory properties System Name (system_name) and Text (text) contains a single unique label or tracking ID for the vulnerability.

      "properties": {
        "system_name": {
          // ...
        },
        "text": {
          // ...
        }
      }

System name (system_name) of value type string with 1 or more characters indicates the name of the vulnerability tracking or numbering system.
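Putting the two spec sections quoted above into code, as an added example (not DejaCode's own implementation): a builder that only emits `cve` for values matching the CSAF pattern and routes every other identifier, such as a VCID, into `ids` as a system_name/text item, plus the check that would have flagged the four entries secvisogram rejected. The prefix-to-system_name mapping and the VCID/GHSA sample values are assumptions constructed for the example.

```python
import re

# Pattern quoted from CSAF 2.0, section 3.2.3.2 (the one cited in the comment above).
CVE_PATTERN = re.compile(r"^CVE-[0-9]{4}-[0-9]{4,}$")

# Assumed prefix -> system_name mapping; CSAF leaves naming of tracking systems
# to the document producer, so these strings are an illustration, not the spec's.
SYSTEM_NAMES = {"VCID": "VulnerableCode", "GHSA": "GitHub Security Advisory"}


def system_name_for(identifier):
    """Derive the tracking-system name from the identifier prefix (assumption)."""
    prefix = identifier.split("-", 1)[0].upper()
    return SYSTEM_NAMES.get(prefix, prefix)


def build_vulnerability(identifiers):
    """Build the identifier part of a CSAF vulnerability object.

    Only a value matching the CVE pattern may go into ``cve``; every other
    identifier (a VCID, for instance) becomes a system_name/text item in
    ``ids``. With no CVE available, ``cve`` is left out entirely.
    """
    cves = [i for i in identifiers if CVE_PATTERN.match(i)]
    others = [i for i in identifiers if not CVE_PATTERN.match(i)]
    vulnerability = {}
    if cves:
        vulnerability["cve"] = cves[0]
        others = cves[1:] + others  # extra CVEs are still valid tracking IDs
    if others:
        vulnerability["ids"] = [
            {"system_name": system_name_for(i), "text": i} for i in others
        ]
    return vulnerability


def validate_vulnerability(vulnerability):
    """Report the schema violations a validator such as secvisogram flags."""
    errors = []
    cve = vulnerability.get("cve")
    if cve is not None and not CVE_PATTERN.match(cve):
        errors.append(f"cve {cve!r} does not match {CVE_PATTERN.pattern}")
    for index, item in enumerate(vulnerability.get("ids", [])):
        if not item.get("system_name"):
            errors.append(f"ids[{index}]: system_name needs 1 or more characters")
        if not item.get("text"):
            errors.append(f"ids[{index}]: text is mandatory")
    return errors
```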

@pombredanne
Member

@DennisClark all your feedback makes ++ sense :)

@tdruez
Contributor Author

tdruez commented Dec 18, 2024

@DennisClark Thanks for the input.

I've re-implemented the whole feature as the initial prototype based on csaf-tool was not good enough.
The new implementation is based on Pydantic; the models are directly generated from the CSAF schema.

TODOs:

  • Solve the Pydantic dependency packages issue.
  • Add unit tests

@DennisClark
Member

@tdruez I generated a CSAF VEX from Product CargoManager 2.9.5 in Staging Starship and loaded it into the secvisogram online tool, which found no errors and declared it to be a valid document. The various details in the json file look fine to me and are fairly easy to understand. No problems found; I think this one is ready.

@tdruez tdruez closed this Dec 19, 2024
@tdruez tdruez deleted the 107-csaf-vex branch December 19, 2024 05:05
@tdruez tdruez restored the 107-csaf-vex branch December 19, 2024 09:16
@tdruez tdruez reopened this Dec 19, 2024
@pombredanne
Member

@tdruez re:

Solve the Pydantic dependency packages issue.

Do you need help there?

@keshav-space did you ever experience issues there in the past?

@tdruez if you are faced with a non-reconcilable version issue, we can always create, release and maintain for a while a temp fork.

@tdruez
Contributor Author

tdruez commented Dec 19, 2024

@pombredanne The problem is mostly a side effect of forcing this in DejaCode: PIP_ARGS=--find-links=./thirdparty/dist/ --no-index --no-cache-dir

Some dependencies of Pydantic cannot be built from the source package in the Docker context.
We need to either make sure to include all the various pre-built dist packages for those dependencies or add the missing dependencies at the OS level to ensure the wheels can be built.

@pombredanne
Member

We need to either make sure to include all the various pre-built dist packages for those dependencies or add the missing dependencies at the OS level to ensure the wheels can be built.

Do you have a trace or log of the issue?

@tdruez
Contributor Author

tdruez commented Dec 19, 2024

@pombredanne error: can't find Rust compiler

There are over 100 dist packages for https://pypi.org/project/pydantic-core/#files

Solutions:

  • Install Rust compiler and compile each time a Docker image is re-built
  • Put the dist compiled for the Docker image (have to deal with this issue each time we have to upgrade Pydantic). This is probably the easiest short-term fix.
  • Stop vendoring the dists and let pip fetch the appropriate ones (current SCIO setup)

29.27 Processing ./thirdparty/dist/pydantic_core-2.27.1.tar.gz (from dejacode==5.2.1)
29.31   Installing build dependencies: started
33.56   Installing build dependencies: finished with status 'error'
33.56   error: subprocess-exited-with-error
33.56
33.56   × pip subprocess to install build dependencies did not run successfully.
33.56   │ exit code: 1
33.56   ╰─> [68 lines of output]
33.56       Looking in links: /opt/dejacode/thirdparty/dist/
33.56       Processing ./thirdparty/dist/maturin-1.7.8.tar.gz
33.56         Installing build dependencies: started
33.56         Installing build dependencies: finished with status 'done'
33.56         Getting requirements to build wheel: started
33.56         Getting requirements to build wheel: finished with status 'done'
33.56         Preparing metadata (pyproject.toml): started
33.56         Preparing metadata (pyproject.toml): finished with status 'done'
33.56       Processing ./thirdparty/dist/typing_extensions-4.12.2-py3-none-any.whl
33.56       Building wheels for collected packages: maturin
33.56         Building wheel for maturin (pyproject.toml): started
33.56         Building wheel for maturin (pyproject.toml): finished with status 'error'
33.56         error: subprocess-exited-with-error
33.56
33.56         × Building wheel for maturin (pyproject.toml) did not run successfully.
33.56         │ exit code: 1
33.56         ╰─> [45 lines of output]
33.56             /opt/dejacode/.venv/lib/python3.12/site-packages/pip/_vendor/pyproject_hooks/_in_process/_in_process.py:251: _IncompatibleBdistWheel: wheel.bdist_wheel is deprecated, please import it from setuptools
33.56             !!
33.56
33.56                     ********************************************************************************
33.56                     Ensure that any custom bdist_wheel implementation is a subclass of
33.56                     setuptools.command.bdist_wheel.bdist_wheel.
33.56
33.56                     By 2025-Oct-15, you need to update your project and remove deprecated calls
33.56                     or your builds will no longer be supported.
33.56
33.56                     See https://github.com/pypa/wheel/pull/631 for details.
33.56                     ********************************************************************************
33.56
33.56             !!
33.56               return _build_backend().build_wheel(wheel_directory, config_settings,
33.56             running bdist_wheel
33.56             running build
33.56             running build_py
33.56             creating build/lib.linux-x86_64-cpython-312/maturin
33.56             copying maturin/__main__.py -> build/lib.linux-x86_64-cpython-312/maturin
33.56             copying maturin/__init__.py -> build/lib.linux-x86_64-cpython-312/maturin
33.56             running egg_info
33.56             writing maturin.egg-info/PKG-INFO
33.56             writing dependency_links to maturin.egg-info/dependency_links.txt
33.56             writing requirements to maturin.egg-info/requires.txt
33.56             writing top-level names to maturin.egg-info/top_level.txt
33.56             reading manifest file 'maturin.egg-info/SOURCES.txt'
33.56             reading manifest template 'MANIFEST.in'
33.56             warning: no files found matching '*.json' under directory 'src/python_interpreter'
33.56             writing manifest file 'maturin.egg-info/SOURCES.txt'
33.56             warning: build_py: byte-compiling is disabled, skipping.
33.56
33.56             running build_ext
33.56             running build_rust
33.56             error: can't find Rust compiler
33.56
33.56             If you are using an outdated pip version, it is possible a prebuilt wheel is available for this package but pip is not able to install from it. Installing from the wheel would avoid the need for a Rust compiler.
33.56
33.56             To update pip, run:
33.56
33.56                 pip install --upgrade pip
33.56
33.56             and then retry package installation.
33.56
33.56             If you did intend to build this package from source, try installing a Rust compiler from your system package manager and ensure it is on the PATH during installation. Alternatively, rustup (available at https://rustup.rs) is the recommended way to download and update the Rust compiler toolchain.
33.56             [end of output]
33.56
33.56         note: This error originates from a subprocess, and is likely not a problem with pip.
33.56         ERROR: Failed building wheel for maturin
33.56       Failed to build maturin
33.56       ERROR: ERROR: Failed to build installable wheels for some pyproject.toml based projects (maturin)
33.56       [end of output]
33.56
33.56   note: This error originates from a subprocess, and is likely not a problem with pip.
33.57 error: subprocess-exited-with-error
33.57
33.57 × pip subprocess to install build dependencies did not run successfully.
33.57 │ exit code: 1
33.57 ╰─> See above for output.
33.57
33.57 note: This error originates from a subprocess, and is likely not a problem with pip.
------
failed to solve: process "/bin/sh -c pip install --find-links=$APP_DIR/thirdparty/dist/ --no-index --no-cache-dir ." did not complete successfully: exit code: 1
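As an added example (not DejaCode's Dockerfile or tooling), a pre-flight check for the vendored dist directory discussed above: it lists every distribution that has no wheel compatible with the target seen in the log (CPython 3.12, linux x86_64), because under `--no-index --find-links` those are exactly the packages pip has to build from source, and the ones that can fail on a missing compiler. The file listing is constructed, and the tag matching is a deliberate simplification of PEP 425.

```python
import re
from collections import defaultdict

# Target taken from the build log above: CPython 3.12 on linux x86_64. Assumes the
# image stays on glibc, so musllinux wheels are not counted as compatible.
TARGET_PYTHON, TARGET_ARCH = "cp312", "x86_64"

SDIST_RE = re.compile(r"^(?P<name>.+?)-(?P<version>[^-]+)\.(tar\.gz|zip)$")
WHEEL_RE = re.compile(
    r"^(?P<name>[^-]+)-(?P<version>[^-]+)(-[^-]+)?"
    r"-(?P<python>[^-]+)-(?P<abi>[^-]+)-(?P<platform>[^-]+)\.whl$"
)

SAMPLE_DIST = [  # constructed listing, modelled on the vendored dists in the log
    "pydantic_core-2.27.1.tar.gz", "maturin-1.7.8.tar.gz",  # sdist only: need Rust
    "pydantic-2.10.3-py3-none-any.whl", "typing_extensions-4.12.2-py3-none-any.whl",
    "some_ext-1.0.0-cp312-cp312-macosx_11_0_arm64.whl",  # wheel for another platform
]

def normalize(name):
    """PEP 503 normalisation so pydantic_core and pydantic-core compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def wheel_is_compatible(python, abi, platform):
    """Simplified tag check for the target above (not the full PEP 425 ordering)."""
    python_ok = any(t == TARGET_PYTHON or t.startswith("py3") for t in python.split("."))
    abi_ok = any(t in ("none", "abi3", TARGET_PYTHON) for t in abi.split("."))
    platform_ok = any(
        t == "any" or (t.startswith(("manylinux", "linux")) and t.endswith(TARGET_ARCH))
        for t in platform.split(".")
    )
    return python_ok and abi_ok and platform_ok

def find_source_only(filenames):
    """Map each dist lacking a compatible wheel to its files: under --no-index
    --find-links these are the packages pip must build from source (and that
    may need a compiler, as pydantic-core needs Rust via maturin)."""
    files, with_wheel = defaultdict(list), set()
    for filename in filenames:
        if match := WHEEL_RE.match(filename):
            name = normalize(match["name"])
            if wheel_is_compatible(match["python"], match["abi"], match["platform"]):
                with_wheel.add(name)
        elif match := SDIST_RE.match(filename):
            name = normalize(match["name"])
        else:
            continue
        files[name].append(filename)
    return {n: sorted(f) for n, f in files.items() if n not in with_wheel}
```

Running `find_source_only` over the real `thirdparty/dist/` listing before the image build tells you in advance which packages will take the maturin/Rust path.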

@tdruez
Contributor Author

tdruez commented Dec 19, 2024

@pombredanne Fix @ 8c5873c

@tdruez tdruez merged commit 0315ecf into main Dec 19, 2024
3 checks passed
@tdruez tdruez deleted the 107-csaf-vex branch December 19, 2024 12:28
@pombredanne
Member

@tschmidtb51 FYI, we now have CSAF support in DejaCode.

@ghsa-retrieval

Really great to see progress with CSAF!
