feat: PURL matching with qualifiers in OpenVEX #5061
Conversation
} | ||
return true | ||
// Take the effective statement | ||
stmt := stmts[len(stmts)-1] |
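Review bot: the comment "Take the effective statement" should say why the last element is the effective one, because `stmt := stmts[len(stmts)-1]` makes the result depend silently on the order in which statements appear in the document; spell out that later statements override earlier ones (or whatever ordering the caller guarantees) next to the index. The same line panics on an empty slice, so either a length check precedes it outside the shown context or one is needed here.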
Can you specify why we need to get only the last matched element?
If I understand correctly, if we swap the statements in the example, we will not filter CVE-2021-44228.
But I am not sure that we need to filter this CVE in this case.
Added abb7295
Co-authored-by: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>
LGTM
Description
Trivy supports exact matching of PURL and BOM-Ref in OpenVEX.
https://aquasecurity.github.io/trivy/v0.44/docs/supply-chain/vex/#openvex
This PR switches to PURL matching with qualifiers, as discussed here. It also bumps the OpenVEX spec to v0.2.0, which includes some breaking changes.
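As an added example (not code from this PR or from Trivy), a small Go model of the two behaviours discussed above: PURL matching where every qualifier in the VEX product must be present with the same value in the scanned package, and the "last matching statement is the effective one" rule from the reviewed snippet. The parser, the matching rule and the sample statements are assumptions constructed for illustration, not the OpenVEX spec's or Trivy's own code.

```go
package main
import "strings"

// purl: minimal parsed "pkg:<type>/<name>[?<qualifiers>]"; constructed here, version/namespace/subpath ignored.
type purl struct {
	typ, name  string
	qualifiers map[string]string
}

func parsePURL(s string) purl {
	p := purl{qualifiers: map[string]string{}}
	s = strings.TrimPrefix(s, "pkg:")
	if i := strings.Index(s, "?"); i >= 0 {
		for _, kv := range strings.Split(s[i+1:], "&") {
			k, v, _ := strings.Cut(kv, "=")
			p.qualifiers[k] = v
		}
		s = s[:i]
	}
	p.typ, p.name, _ = strings.Cut(s, "/")
	return p
}
// matches (assumed rule): type and name must be equal, and every qualifier given in the
// VEX purl must be present with the same value in the package purl; omitted ones match anything.
func matches(vex, pkg purl) bool {
	if vex.typ != pkg.typ || vex.name != pkg.name {
		return false
	}
	for k, v := range vex.qualifiers {
		if pv, ok := pkg.qualifiers[k]; !ok || pv != v {
			return false
		}
	}
	return true
}

type statement struct{ vuln, product, status string }
// effectiveStatus applies the reviewed rule: of the statements matching both the vulnerability
// and the package, the last one in document order wins; "" means nothing matched (not filtered).
func effectiveStatus(stmts []statement, vuln, pkgPURL string) (status string) {
	pkg := parsePURL(pkgPURL)
	for _, s := range stmts {
		if s.vuln == vuln && matches(parsePURL(s.product), pkg) {
			status = s.status // a later matching statement overrides an earlier one
		}
	}
	return status
}
```

Swapping the order of two statements that both match the package changes which one is effective, which is the behaviour the review comment asks about.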