This repository has been archived by the owner on Mar 27, 2023. It is now read-only.

VEX Tool: First Commit #1

Merged
merged 13 commits into from
Sep 28, 2022

Contributor

@puerco puerco commented Sep 28, 2022

This PR is the initial commit of code of the VEX tool. This initial version supports:

  • Parsing SARIF results. Tested with Trivy and Grype results
  • Reading VEX data from our internal format
  • Reading VEX data from CSAF documents
  • Filtering scanner results using cmd vex results.sarif.json rules.vex.json

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
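
The filtering step listed above, sketched as an added example (not code from this PR or from the VEX tool): a SARIF finding is dropped only when a VEX statement for the selected product marks it `not_affected` with a justification, or `fixed`. The VEX record layout, the product names and the `CVE-0000-*` IDs are constructed for illustration, and requiring a justification is an assumption of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample inputs. The VEX layout is hypothetical, not the tool's format.
const sampleSARIF = `{"runs":[{"results":[{"ruleId":"CVE-0000-0001"},{"ruleId":"CVE-0000-0002"},{"ruleId":"CVE-0000-0003"}]}]}`
const sampleVEX = `[
  {"vulnerability":"CVE-0000-0001","product":"app-a","status":"not_affected","justification":"vulnerable_code_not_present"},
  {"vulnerability":"CVE-0000-0002","product":"app-a","status":"not_affected"},
  {"vulnerability":"CVE-0000-0003","product":"app-b","status":"fixed"}]`

// sarif keeps only the SARIF fields used here; statement is the hypothetical VEX record.
type sarif struct{ Runs []struct{ Results []struct{ RuleID string } } }
type statement struct{ Vulnerability, Product, Status, Justification string }

// Filter splits SARIF rule IDs into findings still reported and findings suppressed by VEX.
func Filter(sarifJSON, vexJSON, product string) (kept, suppressed []string, err error) {
	var report sarif
	var stmts []statement
	if err = json.Unmarshal([]byte(sarifJSON), &report); err == nil {
		err = json.Unmarshal([]byte(vexJSON), &stmts)
	}
	if err != nil {
		return nil, nil, fmt.Errorf("decode: %w", err)
	}
	status := map[string]string{}
	for _, s := range stmts {
		// Ignore other products, and not_affected claims that give no justification.
		if s.Product != product || (s.Status == "not_affected" && s.Justification == "") {
			continue
		}
		status[s.Vulnerability] = s.Status
	}
	for _, run := range report.Runs {
		for _, r := range run.Results {
			if st := status[r.RuleID]; st == "not_affected" || st == "fixed" {
				suppressed = append(suppressed, r.RuleID)
			} else {
				kept = append(kept, r.RuleID)
			}
		}
	}
	return kept, suppressed, nil
}

func main() { fmt.Println(Filter(sampleSARIF, sampleVEX, "app-a")) }
```

A finding with no matching statement, or with a statement about a different product, stays in the report, so a missing or mis-scoped VEX entry never hides a result.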

puerco and others added 10 commits September 9, 2022 09:11
Signed-off-by: Adolfo García Veytia (Puerco) <adolfo.garcia@uservers.net>
Add CSAF document support

This commit adds CSAF document support to the VEX tool.
It introduces a new flag --product to let it know which
of the products in the document are being vexed.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
Member

@cpanato cpanato left a comment

looks cool

just nit suggestions :)

internal/cmd/vex.go (outdated, resolved)
internal/cmd/attest.go (outdated, resolved)
internal/cmd/vex.go (resolved)
main.go (outdated, resolved)
pkg/attestation/attestation.go (outdated, resolved)
pkg/mrc/implementation.go (resolved)
pkg/mrc/mrc_test.go (resolved)
@@ -0,0 +1,19 @@
{
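
Review bot: at the opening `{` of this new 19-line file, there is no place for a license boilerplate header if the file is JSON, because JSON has no comment syntax and a strict parser rejects `//` or `/* */` lines. If a header check covers this path, exclude the file from the check rather than altering the data.
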
Member

we don't need the boilerplate here as well?

Contributor Author

I thought you cannot add comments to JSON files?

pkg/vex/vex.go (resolved)
pkg/vex/vex_test.go (outdated, resolved)
@hectorj2f hectorj2f left a comment

LGTM, I have several feature proposals 👏🏻 🎬

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
Contributor Author

puerco commented Sep 28, 2022

I've addressed @cpanato's nits. Thanks!

@puerco puerco merged commit 0b6f19a into chainguard-dev:main Sep 28, 2022