-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(vex): Add support for CSAF format #5535
Conversation
Signed-off-by: juan131 <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for your contribution!
Signed-off-by: juan131 <[email protected]>
Signed-off-by: juan131 <[email protected]>
Signed-off-by: juan131 <[email protected]>
Signed-off-by: juan131 <[email protected]>
…istribution library Signed-off-by: juan131 <[email protected]>
Signed-off-by: juan131 <[email protected]>
I have been on paid leave irregularly for various reasons most recently, but would like to review it this week. Thanks! |
Friendly reminder @knqyf263 |
@DmitriyLewen @knqyf263 I'd appreciate your review |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hello @juan131
Thank you for your work and sorry for the wait.
LGTM.
Left 1 comment.
Can you also add information about CSAF
in docs?
Pay attention to 1 point:
For default scanning (I mean non-sbom mode), vuln.PkgRef is usually empty.
We need to write that CSAF
only works for sbom
mode.
After merge #5439 we will update docs.
package vex | ||
|
||
import ( | ||
csaf "github.com/csaf-poc/csaf_distribution/v3/csaf" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What if use https://github.com/openvex/go-vex/blob/main/pkg/csaf/csaf.go
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd rather use the one maintained by OASIS CSAF TC, see https://oasis-open.github.io/csaf-documentation/tools.html
Signed-off-by: juan131 <[email protected]>
Signed-off-by: juan131 <[email protected]>
Signed-off-by: knqyf263 <[email protected]>
Signed-off-by: knqyf263 <[email protected]>
Signed-off-by: knqyf263 <[email protected]>
Signed-off-by: knqyf263 <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for your patience! LGTM!
Awesome, thanks @knqyf263 !! Do you plan to include this enhancement in the next minor version |
Yes. Also, I started implementing PURL matching to improve CSAF support. |
This is awesome!! 🎉🚀 @tschmidtb51 FYI!! |
Description
This PR adds support for filtering out detected vulnerabilities using the existing
--vex
experimental flag and VEX data provided using CSAF format (currently only OpenVEX & CycloneDX are supported).Given the following SBOM running the scanner will report the following vulnerabilities:
Now, if we create a CSAF VEX assessment for
CVE-2023-1732
for example, and we run the command again:Related issues
Checklist