
vex documents from the --vex flag do get processed or applied to the output correctly #1836

@willejs

Description


What happened:

When following the example here using the vex document specified, the vulnerability is rendered in the outputted report. This happens in any format.

vex.json

{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://openvex.dev/docs/public/vex-d4e9020b6d0d26f131d535e055902dd6ccf3e2088bce3079a8cd3588a4b14c78",
  "author": "A Grype User <jdoe@example.com>",
  "timestamp": "2023-07-17T18:28:47.696004345-06:00",
  "version": 1,
  "statements": [
    {
      "vulnerability": {
        "name": "CVE-2023-1255"
      },
      "products": [
        {
          "@id": "pkg:oci/alpine@sha256%3A124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126",
          "subcomponents": [
            { "@id": "pkg:apk/alpine/libssl3@3.0.8-r3" },
            { "@id": "pkg:apk/alpine/libcrypto3@3.0.8-r3" }
          ]
        }
      ],
      "status": "fixed"
    }
  ]
}

command

docker run -it -v $PWD/vex.json:/vex.json  anchore/grype alpine@sha256:124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126 --vex /vex.json
 ✔ Vulnerability DB                [updated]  
 ✔ Parsed image                                         sha256:51e60588ff2cd9f45792b23de89bfface0a7fbd711d17c5f5ce900a4f6b16260
 ✔ Cataloged contents                                          b5a5b7ce4eabc8414bf367761a28f4e8b16952ce5de537c15ed917b71b245f11
   ├── ✔ Packages                        [15 packages]  
   ├── ✔ File digests                    [78 files]  
   ├── ✔ File metadata                   [78 locations]  
   └── ✔ Executables                     [17 executables]  
 ✔ Scanned for vulnerabilities     [22 vulnerability matches]  
   ├── by severity: 0 critical, 2 high, 16 medium, 0 low, 0 negligible (4 unknown)
   └── by status:   22 fixed, 0 not-fixed, 0 ignored 
NAME        INSTALLED  FIXED-IN   TYPE  VULNERABILITY  SEVERITY 
...
libcrypto3  3.0.8-r3   3.0.8-r4   apk   CVE-2023-1255  Medium  
...

vexctl filter works


What you expected to happen:

I do not expect the vulnerability to be reported.
Maybe I am missing something here?

How to reproduce it (as minimally and precisely as possible):

see above

Anything else we need to know?:

Environment:

  • Output of grype version: 0.77.1
  • OS (e.g: cat /etc/os-release or similar): mac/linux - tested both
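As an added example (not code from the issue and not Grype's own implementation), the following Python script applies the OpenVEX statements above to scanner report rows the way the reporter expects, so the rows a VEX document should suppress can be checked independently of the tool. It assumes a hypothetical rule that statuses `fixed` and `not_affected` suppress a match and that a product `@id` is compared against the scanned image's PURL after percent-decoding; the `Match` type, the placeholder id `CVE-EXAMPLE-0001` and the all-zero digest are constructed for the example.

```python
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote

# Copy of the OpenVEX document from the issue, embedded so the example runs offline.
VEX_JSON = r'''
{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://openvex.dev/docs/public/vex-d4e9020b6d0d26f131d535e055902dd6ccf3e2088bce3079a8cd3588a4b14c78",
  "author": "A Grype User <jdoe@example.com>",
  "timestamp": "2023-07-17T18:28:47.696004345-06:00",
  "version": 1,
  "statements": [
    {
      "vulnerability": {"name": "CVE-2023-1255"},
      "products": [
        {
          "@id": "pkg:oci/alpine@sha256%3A124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126",
          "subcomponents": [
            {"@id": "pkg:apk/alpine/libssl3@3.0.8-r3"},
            {"@id": "pkg:apk/alpine/libcrypto3@3.0.8-r3"}
          ]
        }
      ],
      "status": "fixed"
    }
  ]
}
'''

# Hypothetical rule for this example: a statement with one of these statuses suppresses a match.
SUPPRESSING_STATUSES = frozenset({"fixed", "not_affected"})


@dataclass(frozen=True)
class Match:
    """One report row (constructed type): a vulnerability in a package of a scanned product."""
    vulnerability: str
    package_purl: str  # e.g. pkg:apk/alpine/libcrypto3@3.0.8-r3
    product_purl: str  # the scanned artifact, e.g. pkg:oci/alpine@sha256:<digest>


def normalize_purl(purl: str) -> str:
    """PURLs may percent-encode ':' in a version (sha256%3A...); compare decoded, lower-cased forms."""
    return unquote(purl).strip().lower()


def applicable_status(vex: dict, match: Match) -> Optional[str]:
    """Status of the first statement whose vulnerability, product and subcomponent all cover the match."""
    for stmt in vex.get("statements", []):
        name = stmt.get("vulnerability", {}).get("name", "")
        if name.upper() != match.vulnerability.upper():
            continue
        for product in stmt.get("products", []):
            if normalize_purl(product.get("@id", "")) != normalize_purl(match.product_purl):
                continue  # statement is about a different artifact; it does not apply
            subcomponents = product.get("subcomponents") or []
            if not subcomponents:
                return stmt.get("status")  # no subcomponents: statement covers the whole product
            for sub in subcomponents:
                if normalize_purl(sub.get("@id", "")) == normalize_purl(match.package_purl):
                    return stmt.get("status")
    return None


def apply_vex(vex_json: str, matches: list[Match]) -> tuple[list[Match], dict[Match, str]]:
    """Split matches into those still reported and those suppressed (with the status that did it)."""
    vex = json.loads(vex_json)
    kept: list[Match] = []
    ignored: dict[Match, str] = {}
    for m in matches:
        status = applicable_status(vex, m)
        if status in SUPPRESSING_STATUSES:
            ignored[m] = status
        else:
            kept.append(m)
    return kept, ignored


# Image digest from the issue, written the way a scanner would report it (unencoded ':').
IMAGE = "pkg:oci/alpine@sha256:124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126"
OTHER_IMAGE = "pkg:oci/alpine@sha256:" + "0" * 64  # constructed placeholder digest


def sample_matches() -> list[Match]:
    """Constructed report rows: two covered by the statement, one other CVE, one other image."""
    return [
        Match("CVE-2023-1255", "pkg:apk/alpine/libcrypto3@3.0.8-r3", IMAGE),
        Match("CVE-2023-1255", "pkg:apk/alpine/libssl3@3.0.8-r3", IMAGE),
        Match("CVE-EXAMPLE-0001", "pkg:apk/alpine/libcrypto3@3.0.8-r3", IMAGE),  # placeholder id
        Match("CVE-2023-1255", "pkg:apk/alpine/libcrypto3@3.0.8-r3", OTHER_IMAGE),
    ]


if __name__ == "__main__":
    kept, ignored = apply_vex(VEX_JSON, sample_matches())
    for m, status in ignored.items():
        print(f"ignored ({status}): {m.vulnerability} {m.package_purl}")
    for m in kept:
        print(f"reported:        {m.vulnerability} {m.package_purl} in {m.product_purl}")
```

The last sample row shows why a statement can apply to nothing without any error: the product `@id` has to identify the same artifact the scanner resolved, so when checking a VEX file against a report, compare the digest inside the `@id` with the digest the scanner printed for the image, and remember that both the subcomponent PURL (package, version and release) and the vulnerability id must match exactly as well.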

Labels: bug (Something isn't working)
Status: Done