What happened:
When running grype on an SBOM generated by syft on a local directory, and using the --vex argument pointing to an OpenVEX document, the following error occurs:
[0000] ERROR unable to find matches against VEX sources: unable to find matches against VEX documents: checking matches against VEX data: reading product identifiers from context: source type not supported for VEX
What you expected to happen:
Grype successfully reads the SBOM and OpenVEX documents, and provides its expected output (e.g. suppressing a warning).
How to reproduce it (as minimally and precisely as possible):
# Creating an SBOM on a local directory (Python project managed by poetry)
syft scan . -o json > sbom.json
# Note: Here's a warning which might help solve this:
# [0000] WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)
# Running grype without VEX
grype sbom.json
# Table output with some vulnerabilities. For example:
# urllib3 2.2.1 2.2.2 python GHSA-34jh-p97f-mpxf Medium
# Creating a VEX statement on this vulnerability. The PURL was taken from grype's JSON output
vexctl create --file openvex.json -p "pkg:pypi/urllib3@2.2.1" -v "GHSA-34jh-p97f-mpxf" -s "not_affected" -j "vulnerable_code_not_in_execute_path"
# Run grype with the VEX
grype sbom:sbom.json --vex openvex.json
The output for the last command:
✘ Scan for vulnerabilities [7 vulnerability matches]
├── by severity: 0 critical, 0 high, 5 medium, 2 low, 0 negligible
└── by status: 7 fixed, 0 not-fixed, 0 ignored
[0000] ERROR unable to find matches against VEX sources: unable to find matches against VEX documents: checking matches against VEX data: reading product identifiers from context: source type not supported for VEX
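To make the matching step concrete, here is an added Python example (not code from the issue, grype or vexctl) that performs the product-to-package comparison on an SBOM whose source is a directory. It loads a syft-style JSON SBOM and an OpenVEX document, both constructed inline, drops the constructed findings that a not_affected or fixed statement covers, and reports statements whose product PURL is absent from the SBOM. The exact-string PURL comparison, the sample file contents and the GHSA-PLACEHOLDER ids are assumptions; the script does not attempt to replicate how grype derives product identifiers from an image source, which is the code path the error above comes from.

```python
import json
from typing import Dict, List, Tuple

Match = Tuple[str, str]  # (vulnerability id, package PURL), as grype reports a finding

# Constructed sample in the shape of syft's JSON output for a directory scan;
# only the fields this check reads are included.
SBOM_JSON = json.dumps({
    "artifacts": [
        {"name": "urllib3", "version": "2.2.1", "type": "python",
         "purl": "pkg:pypi/urllib3@2.2.1"},
        {"name": "requests", "version": "2.31.0", "type": "python",
         "purl": "pkg:pypi/requests@2.31.0"},
    ],
    "source": {"type": "directory", "target": "."},
})

# Constructed OpenVEX document in the shape `vexctl create` emits. The first
# statement mirrors the one in the issue; the second deliberately names a
# version that is not in the SBOM, so its product matches nothing.
OPENVEX_JSON = json.dumps({
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.invalid/vex/constructed-1",  # placeholder document id
    "author": "constructed example",
    "timestamp": "2025-03-06T00:00:00Z",
    "version": 1,
    "statements": [
        {"vulnerability": {"name": "GHSA-34jh-p97f-mpxf"},
         "products": [{"@id": "pkg:pypi/urllib3@2.2.1"}],
         "status": "not_affected",
         "justification": "vulnerable_code_not_in_execute_path"},
        {"vulnerability": {"name": "GHSA-PLACEHOLDER-0001"},  # placeholder id
         "products": [{"@id": "pkg:pypi/urllib3@1.26.0"}],
         "status": "not_affected",
         "justification": "component_not_present"},
    ],
})

# Constructed findings, as a grype scan of the SBOM above might report them.
MATCHES: List[Match] = [
    ("GHSA-34jh-p97f-mpxf", "pkg:pypi/urllib3@2.2.1"),
    ("GHSA-PLACEHOLDER-0002", "pkg:pypi/requests@2.31.0"),  # placeholder id
]

# OpenVEX statuses that grype treats as grounds to drop a finding.
IGNORING_STATUSES = {"not_affected", "fixed"}


def sbom_source_type(sbom_json: str) -> str:
    """Source type recorded by syft ("directory" for a local path scan)."""
    return json.loads(sbom_json).get("source", {}).get("type", "")


def sbom_purls(sbom_json: str) -> Dict[str, str]:
    """Map every artifact PURL in the SBOM to a 'name version' label."""
    doc = json.loads(sbom_json)
    return {a["purl"]: f'{a["name"]} {a["version"]}'
            for a in doc.get("artifacts", []) if a.get("purl")}


def apply_vex(sbom_json: str, vex_json: str,
              matches: List[Match]) -> Tuple[List[Match], List[Match], List[Match]]:
    """Return (kept, suppressed, unmatched).

    kept       - findings no ignoring statement covers
    suppressed - findings covered by a not_affected/fixed statement whose
                 product PURL is an artifact of the SBOM
    unmatched  - (vuln, product) pairs whose product is absent from the SBOM;
                 the only situation that warrants a warning or error
    """
    purls = sbom_purls(sbom_json)
    covered = set()
    unmatched: List[Match] = []
    for st in json.loads(vex_json).get("statements", []):
        if st.get("status") not in IGNORING_STATUSES:
            continue  # affected / under_investigation never remove a finding
        vuln = st["vulnerability"]["name"]
        for product in st.get("products", []):
            # OpenVEX 0.2.0 uses {"@id": ...}; older documents list bare strings
            pid = product.get("@id", "") if isinstance(product, dict) else str(product)
            if pid in purls:
                covered.add((vuln, pid))
            else:
                unmatched.append((vuln, pid))
    kept = [m for m in matches if m not in covered]
    suppressed = [m for m in matches if m in covered]
    return kept, suppressed, unmatched


if __name__ == "__main__":
    print("SBOM source type:", sbom_source_type(SBOM_JSON))
    kept, suppressed, unmatched = apply_vex(SBOM_JSON, OPENVEX_JSON, MATCHES)
    for vuln, purl in suppressed:
        print(f"suppressed by VEX: {vuln} on {purl}")
    for vuln, purl in unmatched:
        print(f"warning: VEX product {purl} for {vuln} is not in the SBOM")
    for vuln, purl in kept:
        print(f"still reported: {vuln} on {purl}")
```

The unmatched list is the case the issue's follow-up comment describes as the only one worth erroring on: a statement whose subject does not correspond to anything in the scanned source. Everything else resolves purely on package PURLs, independent of whether the source was an image or a directory.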
wagoodman changed the title from "Grype error when reading SBOM for directory and VEX document: unable to find matches" to "Support using VEX documents with directory scans and SBOMs" on Mar 6, 2025
Looks like the function for matching subjects and sources only supports images -- the next step is to try and only error out if there is actively a mismatch with the subject on the vex statement.
Anything else we need to know?:
Attaching the generated files:
Environment:
Output of grype version:
OS (e.g: cat /etc/os-release or similar):
vexctl version:
syft --version: syft 1.19.0