-
Notifications
You must be signed in to change notification settings - Fork 600
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(vex): CSAF support #1826
base: main
Are you sure you want to change the base?
feat(vex): CSAF support #1826
Conversation
Signed-off-by: juan131 <[email protected]>
Still a drat since it's missing unit & integration tests |
Signed-off-by: juan131 <[email protected]>
Signed-off-by: juan131 <[email protected]>
Unit & integration tests added |
cc @wagoodman |
Hi @wagoodman, is there anything we can help with at this time? |
Hi @carrodher thanks for the ping! I'm sorry this sat for a while. I have some time in my calendar in the next few weeks to review this and get it in. Is this still something you all are interested in working on? If so, I think the main things to do first are get it up to date with Let me know how you all would like to proceed. Thanks! |
Hi @willmurphyscode, yes, definitely. Juan is now on PTO, but he will resume those contributions once he's back in a few days. |
Following #1397, this PR extends VEX support for ignoring/adding matches based on Vulnerability Exploitability Exchange data so it also accepts CSAF format.
The PR also refactors the
grype/vex
package since now there's more than one supported VEX format (CSAF & OpenVEX) and it requires the vex processor to be able to distinguish between VEX formats and apply a different implementation.Credits to @joancafom as the designer of this implementation.
Use case
Given a CSAF VEX document such as the one below:
You can use it so Grype suppresses the vulnerability which status is
known_not_affected
given the justificationClass with vulnerable code was removed before shipping
: