vulncheck: update documentation for vex

Adds documentation/updates some tests & comments to reflect the introduction of the openVEX standard as a valid output format for govulncheck. fixes golang/go#62486 Change-Id: I88c6fc830439606441bb1855ba8b36642007738c Reviewed-on: https://go-review.googlesource.com/c/vuln/+/590575 Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com> Commit-Queue: Maceo Thompson <maceothompson@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
golang · Jun 5, 2024 · 29462d7 · 29462d7
1 parent 2736e1d
commit 29462d7
Show file tree

Hide file tree

Showing 4 changed files with 11 additions and 4 deletions.
diff --git a/cmd/govulncheck/doc.go b/cmd/govulncheck/doc.go
@@ -67,12 +67,16 @@ Govulncheck also supports Static Analysis Results Interchange Format (SARIF) out
 format, following the specification at https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=sarif.
 For more details, please see [golang.org/x/vuln/internal/sarif].
 
+Govulncheck supports the Vulnerability EXchange (VEX) output format, following
+the specification at https://github.com/openvex/spec.
+For more details, please see [golang.org/x/vuln/internal/openvex].
+
 # Exit codes
 
 Govulncheck exits successfully (exit code 0) if there are no vulnerabilities,
 and exits unsuccessfully if there are. It also exits successfully if the
-'format -json' ('-json') or '-format sarif' is provided, regardless of the number
-of detected vulnerabilities.
+'format -json' ('-json'), '-format sarif', or '-format openvex' is provided,
+regardless of the number of detected vulnerabilities.
 
 # Limitations
 

diff --git a/cmd/govulncheck/testdata/common/testfiles/usage/usage.ct b/cmd/govulncheck/testdata/common/testfiles/usage/usage.ct
@@ -14,7 +14,7 @@ Usage:
     	vulnerability database url (default "https://vuln.go.dev")
   -format value
     	specify format output
-    	The supported values are 'text', 'json', and 'sarif' (default 'text')
+    	The supported values are 'text', 'json', 'sarif', and 'openvex' (default 'text')
   -json
     	output JSON (Go compatible legacy flag, see format flag)
   -mode value

diff --git a/internal/openvex/vex.go b/internal/openvex/vex.go
@@ -7,6 +7,9 @@
 //
 // These types match the OpenVEX standard. See https://github.com/openvex for
 // more information on VEX and OpenVEX.
+//
+// This is intended to be the minimimal amount of information required to output
+// a complete VEX document according to the specification.
 package openvex
 
 import "time"

diff --git a/internal/scan/flags.go b/internal/scan/flags.go
@@ -42,7 +42,7 @@ func parseFlags(cfg *config, stderr io.Writer, args []string) error {
 	flags.Var(&modeFlag, "mode", "supports 'source', 'binary', and 'extract' (default 'source')")
 	flags.Var(&cfg.tags, "tags", "comma-separated `list` of build tags")
 	flags.Var(&cfg.show, "show", "enable display of additional information specified by the comma separated `list`\nThe supported values are 'traces','color', 'version', and 'verbose'")
-	flags.Var(&cfg.format, "format", "specify format output\nThe supported values are 'text', 'json', and 'sarif' (default 'text')")
+	flags.Var(&cfg.format, "format", "specify format output\nThe supported values are 'text', 'json', 'sarif', and 'openvex' (default 'text')")
 	flags.BoolVar(&version, "version", false, "print the version information")
 	flags.Var(&scanFlag, "scan", "set the scanning level desired, one of 'module', 'package', or 'symbol' (default 'symbol')")