feat(cyclonedx): Add initial support for loading external VEX files from SBOM references #8254
Conversation
|
|
|
Thanks for your contribution. The next release is coming soon. We hope to add this feature in v0.60.0. |
Sounds great, linting issues and co. should be gone by now 👍 |
|
Any chance this still makes it into 0.60 @nikpivkin @knqyf263? |
|
I'll take a look this week. |
pkg/vex/vex.go
Outdated
| v, err = NewSBOMReferenceSet(report) | ||
| if err != nil { | ||
| return nil, xerrors.Errorf("failed to create set of external VEX documents: %w", err) | ||
| } |
There was a problem hiding this comment.
Now, we should handle nil :)
| v, err = NewSBOMReferenceSet(report) | |
| if err != nil { | |
| return nil, xerrors.Errorf("failed to create set of external VEX documents: %w", err) | |
| } | |
| v, err = NewSBOMReferenceSet(report) | |
| if err != nil { | |
| return nil, xerrors.Errorf("failed to create set of external VEX documents: %w", err) | |
| } else if v == nil { | |
| continue | |
| } |
There was a problem hiding this comment.
This now raises a question for me. If this is an experimental feature and somebody explicitly scans an SBOM with --vex sbom-ref shouldn't trivy throw an error if it finds no valid external references in the scanned SBOM?
Similar to how it is now throwing an error if e.g. a server responds with 404.
There was a problem hiding this comment.
This now raises a question for me. If this is an experimental feature and somebody explicitly scans an SBOM with --vex sbom-ref shouldn't trivy throw an error if it finds no valid external references in the scanned SBOM?
Good question. The --vex sbom-ref flag tells Trivy that it should use any VEX reference found within the SBOM. Therefore, enabling it even if it's not yet clear whether external VEX references exist in the SBOM is expected behavior. Conversely, it would be unexpected if external references were silently ignored even when present.
Similarly, the -vex oci flag is designed to use any available VEX attestations. If no attestation is found, it doesn't trigger an error; however, if attestation is found but contains issues, an error will be returned.
That said, as you mentioned, if it is essential that external references are reliably loaded, returning an error might be more appropriate. This is something we can reconsider based on future community feedback. At the very least, it would be advisable to display a log message that no vex references are found for now.
RingoDev
force-pushed
the
main
branch
2 times, most recently
from
77652c1 to
c3ba95a
Compare
…fined in CycloneDX SBOMs * by specifying option `--vex sbom-ref` the externalReferences of a CycloneDx SBOM are used to fetch external VEX documents referenced as type `exploitability-statement` * trivy will error if one of the referenced VEX statements can not be fetched or parsed * added documentation of feature
…rom SBOM references (aquasecurity#8254)
…rom SBOM references (aquasecurity#8254)
Description
Related discussion
Checklist