Vex support

artifacts/openvulnerabilityexchangecontainer/example-01.yaml

@@ -0,0 +1,57 @@
+kind: OpenVulnerabilityExchangeContainer
+apiVersion: spdx.softwarecomposition.kubescape.io/v1beta1
+metadata:
+  name: test1
+  namespace: default
+spec:
+  "@context": https://openvex.dev/ns/v0.2.0
+  "@id": https://openvex.dev/docs/public/vex-567f9d48cbf740f635d324a7a511fc7fd19a25412494c528ec37eb9e49e75923
+  author: Kubescape vulnerability scanner
+  role: Senior open source project :)
+  timestamp: '2023-10-11T12:44:05.299994172+03:00'
+  version: 1
+  statements:
+  - vulnerability:
+      "@id": https://nvd.nist.gov/vuln/detail/CVE-2020-8908
+      name: CVE-2020-8908
+      description: "A temp directory creation vulnerability exists in all versions
+        of Guava, allowing an attacker with access to the machine to potentially access
+        data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir().
+        By default, on unix-like systems, the created directory is world-readable
+        (readable by an attacker with access to the system). The method in question
+        has been marked @Deprecated in versions 30.0 and later and should not be used.
+        For Android developers, we recommend choosing a temporary directory API provided
+        by Android, such as context.getCacheDir(). For other Java developers, we recommend
+        migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which
+        explicitly configures permissions of 700, or configuring the Java runtime's
+        java.io.tmpdir system property to point to a location whose permissions are
+        appropriately configured.\n\n"
+    products:
+    - "@id": gcr.io/google-samples/microservices-demo/adservice@sha256:45fb8ed886902c0c49e044b1f8870fad61c1022fa23c4943098302a8f1c5b75f
+      identifiers:
+        cpe23: cpe:2.3:a:guava:guava:31.1-android:*:*:*:*:*:*:*
+        purl: pkg:maven/com.google.guava/guava@31.1-android
+    status: affected
+    impact_statement: Vulnerable component is loaded into the memory
+  - vulnerability:
+      "@id": https://nvd.nist.gov/vuln/detail/CVE-2020-8908
+      name: CVE-2020-8908
+      description: "A temp directory creation vulnerability exists in all versions
+        of Guava, allowing an attacker with access to the machine to potentially access
+        data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir().
+        By default, on unix-like systems, the created directory is world-readable
+        (readable by an attacker with access to the system). The method in question
+        has been marked @Deprecated in versions 30.0 and later and should not be used.
+        For Android developers, we recommend choosing a temporary directory API provided
+        by Android, such as context.getCacheDir(). For other Java developers, we recommend
+        migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which
+        explicitly configures permissions of 700, or configuring the Java runtime's
+        java.io.tmpdir system property to point to a location whose permissions are
+        appropriately configured.\n\n"
+    products:
+    - "@id": gcr.io/google-samples/microservices-demo/adservice@sha256:45fb8ed886902c0c49e044b1f8870fad61c1022fa23c4943098302a8f1c5b75f
+      identifiers:
+        cpe23: cpe:2.3:a:guava:guava:31.1-jre:*:*:*:*:*:*:*
+        purl: pkg:maven/com.google.guava/guava@31.1-jre
+    status: affected
+    impact_statement: Vulnerable component is loaded into the memory

go.mod

@@ -13,7 +13,7 @@ require (
 	github.com/puzpuzpuz/xsync/v2 v2.4.1
 	github.com/spf13/afero v1.9.5
 	github.com/spf13/cobra v1.6.0
-	github.com/stretchr/testify v1.8.3
+	github.com/stretchr/testify v1.8.4
 	go.opentelemetry.io/otel v1.13.0
 	k8s.io/apimachinery v0.26.2
 	k8s.io/apiserver v0.26.2
@@ -51,7 +51,7 @@ require (
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/cel-go v0.12.6 // indirect
 	github.com/google/gnostic v0.5.7-v3refs // indirect
-	github.com/google/go-cmp v0.5.9 // indirect
+	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/uuid v1.3.0 // indirect
 	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.15.0 // indirect
@@ -76,6 +76,7 @@ require (
 	github.com/prometheus/client_model v0.3.0 // indirect
 	github.com/prometheus/common v0.37.0 // indirect
 	github.com/prometheus/procfs v0.8.0 // indirect
+	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/spf13/cast v1.5.1 // indirect
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
@@ -135,6 +136,7 @@ require (
 )
 
 replace (
+	github.com/openvex/go-vex => github.com/slashben/go-vex v0.0.0-20231012123606-f58e5ee0e14e
 	k8s.io/api => k8s.io/api v0.0.0-20230207050353-0478a3e95231
 	k8s.io/apimachinery => k8s.io/apimachinery v0.0.0-20230207050124-7687996c715e
 	k8s.io/apiserver => k8s.io/apiserver v0.0.0-20230207052343-3cee67d89e1b

go.sum

@@ -216,8 +216,8 @@ github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
-github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-github v17.0.0+incompatible/go.mod h1:zLgOLi98H3fifZn+44m+umXrS52loVEgC2AApnigrVQ=
 github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
@@ -405,7 +405,8 @@ github.com/shurcooL/webdavfs v0.0.0-20170829043945-18c3829fa133/go.mod h1:hKmq5k
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
 github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88=
-github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0=
+github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
+github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/soheilhy/cmux v0.1.5 h1:jjzc5WVemNEDTLwv9tlmemhC73tI08BNOIGwBOo10Js=
 github.com/sourcegraph/annotate v0.0.0-20160123013949-f4cad6c6324d/go.mod h1:UdhH50NIW0fCiwBSr0co2m7BnFLdv4fQTgdqdJTHFeE=
 github.com/sourcegraph/syntaxhighlight v0.0.0-20170531221838-bd320f5d308e/go.mod h1:HuIsMU8RRBOtsCgI77wP899iHVBQpCmg4ErYMZB+2IA=
@@ -436,8 +437,9 @@ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.8.3 h1:RP3t2pwF7cMEbC1dqtB6poj3niw/9gnV4Cjg5oW5gtY=
 github.com/stretchr/testify v1.8.3/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/stripe/stripe-go/v74 v74.8.0 h1:0+3EfQSBhMg8SQ1+w+AP6Gxyko2crWbUG2uXbzYs8SU=
 github.com/stripe/stripe-go/v74 v74.8.0/go.mod h1:5PoXNp30AJ3tGq57ZcFuaMylzNi8KpwlrYAFmO1fHZw=
 github.com/subosito/gotenv v1.4.2 h1:X1TuBLAMDFbaTAChgCBLu3DU3UPyELpnF2jjJ2cz/S8=
@@ -689,6 +691,7 @@ golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
 golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

pkg/apis/softwarecomposition/register.go

@@ -71,6 +71,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 		&ApplicationProfileSummaryList{},
 		&ApplicationActivity{},
 		&ApplicationActivityList{},
+		&OpenVulnerabilityExchangeContainer{},
+		&OpenVulnerabilityExchangeContainerList{},
 	)
 	return nil
 }

pkg/apis/softwarecomposition/types.go

@@ -367,3 +367,169 @@ type ApplicationActivityList struct {
 
 	Items []ApplicationActivity
 }
+
+///////////////////////////////////////////////////////////////////////////////
+// VEX
+///////////////////////////////////////////////////////////////////////////////
+
+type (
+	Algorithm         string
+	Hash              string
+	IdentifierLocator string
+	IdentifierType    string
+	Status            string
+)
+
+type Justification string
+
+type Component struct {
+	// ID is an IRI identifying the component. It is optional as the component
+	// can also be identified using hashes or software identifiers.
+	ID string `json:"@id,omitempty"`
+
+	// Hashes is a map of hashes to identify the component using cryptographic
+	// hashes.
+	Hashes map[Algorithm]Hash `json:"hashes,omitempty"`
+
+	// Identifiers is a list of software identifiers that describe the component.
+	Identifiers map[IdentifierType]string `json:"identifiers,omitempty"`
+
+	// Supplier is an optional machine-readable identifier for the supplier of
+	// the component. Valid examples include email address or IRIs.
+	Supplier string `json:"supplier,omitempty"`
+}
+
+type Product struct {
+	Component
+	Subcomponents []Subcomponent `json:"subcomponents,omitempty"`
+}
+
+type Subcomponent struct {
+	Component
+}
+
+type VexVulnerability struct {
+	//  ID is an IRI to reference the vulnerability in the statement.
+	ID string `json:"@id,omitempty"`
+
+	// Name is the main vulnerability identifier.
+	Name string `json:"name,omitempty"`
+
+	// Description is a short free form text description of the vulnerability.
+	Description string `json:"description,omitempty"`
+
+	// Aliases is a list of other vulnerability identifier strings that
+	// locate the vulnerability in other tracking systems.
+	Aliases []string `json:"aliases,omitempty"`
+}
+
+type Statement struct {
+	// ID is an optional identifier for the statement. It takes an IRI and must
+	// be unique for each statement in the document.
+	ID string `json:"@id,omitempty"`
+
+	// [vul_id] SHOULD use existing and well known identifiers, for example:
+	// CVE, the Global Security Database (GSD), or a supplier’s vulnerability
+	// tracking system. It is expected that vulnerability identification systems
+	// are external to and maintained separately from VEX.
+	//
+	// [vul_id] MAY be URIs or URLs.
+	// [vul_id] MAY be arbitrary and MAY be created by the VEX statement [author].
+	Vulnerability VexVulnerability `json:"vulnerability,omitempty"`
+
+	// Timestamp is the time at which the information expressed in the Statement
+	// was known to be true.
+	Timestamp string `json:"timestamp,omitempty"`
+
+	// LastUpdated records the time when the statement last had a modification
+	LastUpdated string `json:"last_updated,omitempty"`
+
+	// Product
+	// Product details MUST specify what Status applies to.
+	// Product details MUST include [product_id] and MAY include [subcomponent_id].
+	Products []Product `json:"products,omitempty"`
+
+	// A VEX statement MUST provide Status of the vulnerabilities with respect to the
+	// products and components listed in the statement. Status MUST be one of the
+	// Status const values, some of which have further options and requirements.
+	Status Status `json:"status"`
+
+	// [status_notes] MAY convey information about how [status] was determined
+	// and MAY reference other VEX information.
+	StatusNotes string `json:"status_notes,omitempty"`
+
+	// For ”not_affected” status, a VEX statement MUST include a status Justification
+	// that further explains the status.
+	Justification Justification `json:"justification,omitempty"`
+
+	// For ”not_affected” status, a VEX statement MAY include an ImpactStatement
+	// that contains a description why the vulnerability cannot be exploited.
+	ImpactStatement string `json:"impact_statement,omitempty"`
+
+	// For "affected" status, a VEX statement MUST include an ActionStatement that
+	// SHOULD describe actions to remediate or mitigate [vul_id].
+	ActionStatement          string `json:"action_statement,omitempty"`
+	ActionStatementTimestamp string `json:"action_statement_timestamp,omitempty"`
+}
+
+type VEX struct {
+	Metadata
+	Statements []Statement `json:"statements"`
+}
+
+type Metadata struct {
+	// Context is the URL pointing to the jsonld context definition
+	Context string `json:"@context"`
+
+	// ID is the identifying string for the VEX document. This should be unique per
+	// document.
+	ID string `json:"@id"`
+
+	// Author is the identifier for the author of the VEX statement, ideally a common
+	// name, may be a URI. [author] is an individual or organization. [author]
+	// identity SHOULD be cryptographically associated with the signature of the VEX
+	// statement or document or transport.
+	Author string `json:"author"`
+
+	// AuthorRole describes the role of the document Author.
+	AuthorRole string `json:"role,omitempty"`
+
+	// Timestamp defines the time at which the document was issued.
+	Timestamp string `json:"timestamp"`
+
+	// LastUpdated marks the time when the document had its last update. When the
+	// document changes both version and this field should be updated.
+	LastUpdated string `json:"last_updated,omitempty"`
+
+	// Version is the document version. It must be incremented when any content
+	// within the VEX document changes, including any VEX statements included within
+	// the VEX document.
+	Version int `json:"version"`
+
+	// Tooling expresses how the VEX document and contained VEX statements were
+	// generated. It's optional. It may specify tools or automated processes used in
+	// the document or statement generation.
+	Tooling string `json:"tooling,omitempty"`
+
+	// Supplier is an optional field.
+	Supplier string `json:"supplier,omitempty"`
+}
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+type OpenVulnerabilityExchangeContainer struct {
+	metav1.TypeMeta
+	metav1.ObjectMeta
+
+	Spec VEX
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+type OpenVulnerabilityExchangeContainerList struct {
+	metav1.TypeMeta
+	metav1.ListMeta
+
+	Items []OpenVulnerabilityExchangeContainer
+}

pkg/apis/softwarecomposition/v1beta1/register.go

@@ -73,6 +73,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 		&ApplicationProfileSummaryList{},
 		&ApplicationActivity{},
 		&ApplicationActivityList{},
+		&OpenVulnerabilityExchangeContainer{},
+		&OpenVulnerabilityExchangeContainerList{},
 	)
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 	return nil