updates

Signed-off-by: Sertac Ozercan <[email protected]>
project-copacetic · Aug 28, 2023 · 347a9a4 · 347a9a4
1 parent dbcf2d3
commit 347a9a4
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 4 deletions.
diff --git a/pkg/patch/patch.go b/pkg/patch/patch.go
@@ -154,7 +154,8 @@ func patchWithContext(ctx context.Context, buildkitAddr, image, reportFile, patc
 			validatedManifest.Updates = append(validatedManifest.Updates, update)
 		}
 	}
-	if output != "" {
+	// vex document must contain at least one statement
+	if output != "" && len(validatedManifest.Updates) > 0 {
 		return vex.TryOutputVexDocument(validatedManifest, pkgmgr, format, output)
 	}
 	return nil

diff --git a/pkg/vex/openvex.go b/pkg/vex/openvex.go
@@ -48,7 +48,7 @@ func (o *OpenVex) CreateVEXDocument(updates *types.UpdateManifest, pkgmgr pkgmgr
 		product := vex.Product{
 			Component: vex.Component{
 				// syntax is "pkg:<pkgType>/<osType>/<packageName>@<installedVersion>?arch=<arch>"
-				ID: "pkg:" + pkgType + "/" + updates.OSType + "/" + u.Name + "@" + u.InstalledVersion + "?arch=" + updates.Arch,
+				ID: "pkg:" + pkgType + "/" + updates.OSType + "/" + u.Name + "@" + u.FixedVersion + "?arch=" + updates.Arch,
 			},
 		}
 

diff --git a/website/docs/output.md b/website/docs/output.md
@@ -2,6 +2,12 @@
 title: Output
 ---
 
+:::caution
+
+Experimental: This feature might change without preserving backwards compatibility.
+
+:::
+
 Copa optionally outputs a Vulnerability Exploitability eXchange (VEX) file as a result of the patching process to surface the vulnerabilities and packages that were patched.
 
 Currently, Copa supports the [OpenVEX](https://github.com/openvex) format, but it can be extended to support other formats.
@@ -10,14 +16,20 @@ Currently, Copa supports the [OpenVEX](https://github.com/openvex) format, but i
 
 OpenVEX is an implementation of Vulnerability Exploitability eXchange (VEX) format. For more information, see [OpenVEX specification](https://github.com/openvex/spec/).
 
+:::tip
+
+- Use `COPA_VEX_AUTHOR` environment variable to set the author of the VEX document. If it's not set, the author will default to `Project Copacetic`.
+
+- A VEX document must contain at least one VEX statement. If there are no fixed vulnerabilities, Copa will not generate a VEX document.
+
+:::
+
 To generate a VEX document using OpenVEX, use `--format="openvex"` flag, and use `--output` to specify a file path. For example:
 
 ```bash
 copa patch -i docker.io/library/nginx:1.21.6 -r nginx.1.21.6.json -t 1.21.6-patched --format="openvex" --output "nginx.1.21.6-vex.json"
 ```
 
-Use `COPA_VEX_AUTHOR` environment variable to set the author of the VEX document. If it's not set, the author will default to `Project Copacetic`.
-
 This will generate a VEX Document that looks like:
 
 ```json