updates

Signed-off-by: Sertac Ozercan <[email protected]>
project-copacetic · Aug 28, 2023 · 92a5385 · 92a5385
1 parent dbcf2d3
commit 92a5385
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 17 deletions.
diff --git a/pkg/patch/patch.go b/pkg/patch/patch.go
@@ -154,7 +154,8 @@ func patchWithContext(ctx context.Context, buildkitAddr, image, reportFile, patc
 			validatedManifest.Updates = append(validatedManifest.Updates, update)
 		}
 	}
-	if output != "" {
+	// vex document must contain at least one statement
+	if output != "" && len(validatedManifest.Updates) > 0 {
 		return vex.TryOutputVexDocument(validatedManifest, pkgmgr, format, output)
 	}
 	return nil

diff --git a/pkg/vex/openvex.go b/pkg/vex/openvex.go
@@ -48,7 +48,7 @@ func (o *OpenVex) CreateVEXDocument(updates *types.UpdateManifest, pkgmgr pkgmgr
 		product := vex.Product{
 			Component: vex.Component{
 				// syntax is "pkg:<pkgType>/<osType>/<packageName>@<installedVersion>?arch=<arch>"
-				ID: "pkg:" + pkgType + "/" + updates.OSType + "/" + u.Name + "@" + u.InstalledVersion + "?arch=" + updates.Arch,
+				ID: "pkg:" + pkgType + "/" + updates.OSType + "/" + u.Name + "@" + u.FixedVersion + "?arch=" + updates.Arch,
 			},
 		}
 

diff --git a/pkg/vex/openvex_test.go b/pkg/vex/openvex_test.go
@@ -40,8 +40,9 @@ func TestOpenVex_CreateVEXDocument(t *testing.T) {
 				updates: &types.UpdateManifest{
 					Updates: []types.UpdatePackage{
 						{
-							Name:             "test",
+							Name:             "test1",
 							InstalledVersion: "1.0",
+							FixedVersion:     "1.1",
 							VulnerabilityID:  "CVE-2020-1234",
 						},
 					},
@@ -64,7 +65,7 @@ func TestOpenVex_CreateVEXDocument(t *testing.T) {
       },
       "products": [
         {
-          "@id": "pkg:apk/alpine/test@1.0?arch=x86_64"
+          "@id": "pkg:apk/alpine/test1@1.1?arch=x86_64"
         }
       ],
       "status": "fixed"
@@ -80,19 +81,16 @@ func TestOpenVex_CreateVEXDocument(t *testing.T) {
 			args: args{
 				updates: &types.UpdateManifest{
 					Updates: []types.UpdatePackage{
-						{
-							Name:             "test",
-							InstalledVersion: "1.0",
-							VulnerabilityID:  "CVE-2020-1234",
-						},
 						{
 							Name:             "test2",
 							InstalledVersion: "1.0",
+							FixedVersion:     "1.2",
 							VulnerabilityID:  "CVE-2020-1234",
 						},
 						{
 							Name:             "test3",
 							InstalledVersion: "1.0",
+							FixedVersion:     "1.3",
 							VulnerabilityID:  "CVE-2020-1235",
 						},
 					},
@@ -115,13 +113,10 @@ func TestOpenVex_CreateVEXDocument(t *testing.T) {
       },
       "products": [
         {
-          "@id": "pkg:apk/alpine/[email protected]?arch=x86_64"
-        },
-        {
-          "@id": "pkg:deb/debian/[email protected]?arch=x86_64"
+          "@id": "pkg:apk/alpine/[email protected]?arch=x86_64"
         },
         {
-          "@id": "pkg:deb/debian/test2@1.0?arch=x86_64"
+          "@id": "pkg:deb/debian/test2@1.2?arch=x86_64"
         }
       ],
       "status": "fixed"
@@ -132,7 +127,7 @@ func TestOpenVex_CreateVEXDocument(t *testing.T) {
       },
       "products": [
         {
-          "@id": "pkg:deb/debian/test3@1.0?arch=x86_64"
+          "@id": "pkg:deb/debian/test3@1.3?arch=x86_64"
         }
       ],
       "status": "fixed"

diff --git a/website/docs/output.md b/website/docs/output.md
@@ -2,6 +2,12 @@
 title: Output
 ---
 
+:::caution
+
+Experimental: This feature might change without preserving backwards compatibility.
+
+:::
+
 Copa optionally outputs a Vulnerability Exploitability eXchange (VEX) file as a result of the patching process to surface the vulnerabilities and packages that were patched.
 
 Currently, Copa supports the [OpenVEX](https://github.com/openvex) format, but it can be extended to support other formats.
@@ -10,14 +16,20 @@ Currently, Copa supports the [OpenVEX](https://github.com/openvex) format, but i
 
 OpenVEX is an implementation of Vulnerability Exploitability eXchange (VEX) format. For more information, see [OpenVEX specification](https://github.com/openvex/spec/).
 
+:::tip
+
+- Use `COPA_VEX_AUTHOR` environment variable to set the author of the VEX document. If it's not set, the author will default to `Project Copacetic`.
+
+- A VEX document must contain at least one VEX statement. If there are no fixed vulnerabilities, Copa will not generate a VEX document.
+
+:::
+
 To generate a VEX document using OpenVEX, use `--format="openvex"` flag, and use `--output` to specify a file path. For example:
 
 ```bash
 copa patch -i docker.io/library/nginx:1.21.6 -r nginx.1.21.6.json -t 1.21.6-patched --format="openvex" --output "nginx.1.21.6-vex.json"
 ```
 
-Use `COPA_VEX_AUTHOR` environment variable to set the author of the VEX document. If it's not set, the author will default to `Project Copacetic`.
-
 This will generate a VEX Document that looks like:
 
 ```json