CRAVEX: Export VEX document: CycloneDX VEX #108

Closed
pombredanne opened this issue May 8, 2024 · 5 comments
Assignees
Labels
design needed Design details needed to complete the issue enhancement New feature or request HighPriority High Priority integration Integration with other applications risk evaluate severity, exploitability, and context factors to determine a vulnerability risk score vulnerabilities Vulnerability Management

Comments

pombredanne commented May 8, 2024

Export the results of the vulnerabilities triage and processing as CycloneDX VEX document

https://cyclonedx.org/capabilities/vex/
https://github.com/CycloneDX/bom-examples/tree/master/VEX

@DennisClark DennisClark self-assigned this May 14, 2024
@DennisClark DennisClark added enhancement New feature or request design needed Design details needed to complete the issue integration Integration with other applications HighPriority High Priority labels May 14, 2024
DennisClark (Contributor) commented:

See #15 for additional background.

@DennisClark DennisClark added the vulnerabilities Vulnerability Management label Jun 19, 2024
@DennisClark DennisClark added the risk evaluate severity, exploitability, and context factors to determine a vulnerability risk score label Aug 10, 2024
tdruez added four commits that referenced this issue Sep 3, 2024 (each signed off by tdruez <tdruez@nexb.com>)
tdruez commented Sep 3, 2024

@DennisClark Implementation of the CycloneDX VEX-only and SBOM+VEX combined outputs is available for review.
Those new links are available in the Product "Share" dropdown, when the enable_vulnerablecodedb_access is enabled.

See https://cyclonedx.org/capabilities/vex/#independent-bom-and-vex-bom and https://cyclonedx.org/capabilities/vex/#bom-with-embedded-vex and

DennisClark (Contributor) commented:

@tdruez A quick review of the new VEX export feature looks quite good, no problems found. I'll need some time to explore the details more thoroughly.

tdruez added two commits that referenced this issue Sep 4, 2024 (each signed off by tdruez <tdruez@nexb.com>)
tdruez commented Sep 5, 2024

Once the analysis fields from #98 (comment) are available, those can be added in the Vulnerability.as_cyclonedx() method at https://github.com/aboutcode-org/dejacode/blob/main/vulnerabilities/models.py#L206
The content of as_cyclonedx() is directly available in the new VEX output.
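The two comments above describe the shape of the export (a VEX-only document versus a BOM with embedded VEX) and the plan to carry triage analysis fields through an `as_cyclonedx()` method. The example below, added here and not taken from DejaCode's own `Vulnerability.as_cyclonedx()`, shows both output modes built from one constructed triage record set. It assumes CycloneDX 1.5 JSON field names, a hypothetical fixed SBOM serial number for the BOM-Link in the independent VEX case, and entirely made-up component and advisory identifiers; the `analysis` enumerations are checked so that a triage value outside the specification fails loudly instead of producing a VEX that downstream tools reject.

```python
"""Build a CycloneDX 1.5 VEX document from triage results (added example, not DejaCode code)."""
import json
import uuid
from datetime import datetime, timezone

# CycloneDX 1.5 enumerations for vulnerability.analysis.
ANALYSIS_STATES = {"resolved", "resolved_with_pedigree", "exploitable",
                   "in_triage", "false_positive", "not_affected"}
ANALYSIS_JUSTIFICATIONS = {"code_not_present", "code_not_reachable", "requires_configuration",
                           "requires_dependency", "requires_environment", "protected_by_compiler",
                           "protected_at_runtime", "protected_at_perimeter",
                           "protected_by_mitigating_control"}
ANALYSIS_RESPONSES = {"can_not_fix", "will_not_fix", "update", "rollback", "workaround_available"}

# Hypothetical serial number of the separately published SBOM (assumption for the BOM-Link case).
SBOM_SERIAL = "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"

# Constructed sample input: two components and two triaged vulnerabilities with fake identifiers.
COMPONENTS = [
    {"bom-ref": "pkg:pypi/examplelib@1.4.0", "type": "library", "name": "examplelib",
     "version": "1.4.0", "purl": "pkg:pypi/examplelib@1.4.0"},
    {"bom-ref": "pkg:npm/example-ui@2.0.3", "type": "library", "name": "example-ui",
     "version": "2.0.3", "purl": "pkg:npm/example-ui@2.0.3"},
]
TRIAGE = [
    {   # Analyst concluded the vulnerable code path is never reached in this product.
        "id": "EXAMPLE-2024-0001", "source_name": "Example Advisory DB",
        "source_url": "https://example.invalid/advisories/EXAMPLE-2024-0001",
        "affected_refs": ["pkg:pypi/examplelib@1.4.0"],
        "ratings": [{"score": 7.5, "severity": "high", "method": "CVSSv31",
                     "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}],
        "analysis": {"state": "not_affected", "justification": "code_not_reachable",
                     "response": ["will_not_fix"], "detail": "The vulnerable parser is never invoked."},
    },
    {   # Still under review: a bare state with no justification is valid VEX.
        "id": "EXAMPLE-2024-0002", "source_name": "Example Advisory DB",
        "source_url": "https://example.invalid/advisories/EXAMPLE-2024-0002",
        "affected_refs": ["pkg:npm/example-ui@2.0.3"],
        "ratings": [],
        "analysis": {"state": "in_triage"},
    },
]


def analysis_errors(analysis):
    """Return a list of problems with a triage decision against the 1.5 enumerations."""
    errors = []
    if analysis.get("state") not in ANALYSIS_STATES:
        errors.append(f"unsupported analysis state: {analysis.get('state')!r}")
    justification = analysis.get("justification")
    if justification is not None and justification not in ANALYSIS_JUSTIFICATIONS:
        errors.append(f"unsupported analysis justification: {justification!r}")
    for response in analysis.get("response", []):
        if response not in ANALYSIS_RESPONSES:
            errors.append(f"unsupported analysis response: {response!r}")
    return errors


def analysis_to_cyclonedx(analysis):
    """Translate a triage decision into a CycloneDX `analysis` object, omitting unset fields."""
    errors = analysis_errors(analysis)
    if errors:
        raise ValueError("; ".join(errors))
    out = {"state": analysis["state"]}
    for key in ("justification", "response", "detail"):
        if analysis.get(key):
            out[key] = analysis[key]
    return out


def vulnerability_to_cyclonedx(record, known_refs, bom_link=None):
    """Build one `vulnerabilities[]` entry; every `affects.ref` must name a real component."""
    for ref in record["affected_refs"]:
        if ref not in known_refs:
            raise ValueError(f"affects ref {ref!r} does not match any component bom-ref")
    # Embedded VEX points at components in the same document by bom-ref; an independent
    # VEX points into the separate SBOM with a BOM-Link (urn:cdx:<serial>/<version>#<bom-ref>).
    refs = [f"{bom_link}#{ref}" if bom_link else ref for ref in record["affected_refs"]]
    return {
        "id": record["id"],
        "source": {"name": record["source_name"], "url": record["source_url"]},
        "ratings": record.get("ratings", []),
        "analysis": analysis_to_cyclonedx(record["analysis"]),
        "affects": [{"ref": ref} for ref in refs],
    }


def build_document(components, triage, embed_sbom, sbom_serial=SBOM_SERIAL, sbom_version=1):
    """Return a BOM with embedded VEX (embed_sbom=True) or a VEX-only document linked to the SBOM."""
    known_refs = {c["bom-ref"] for c in components}
    bom_link = None if embed_sbom else f"urn:cdx:{sbom_serial.split(':')[-1]}/{sbom_version}"
    doc = {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {"timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds")},
        "vulnerabilities": [vulnerability_to_cyclonedx(r, known_refs, bom_link) for r in triage],
    }
    if embed_sbom:
        doc["components"] = components
    return doc


if __name__ == "__main__":
    print(json.dumps(build_document(COMPONENTS, TRIAGE, embed_sbom=False), indent=2))
```

Run it to print the VEX-only form; pass `embed_sbom=True` for the combined SBOM+VEX form. The refusal to emit an `affects.ref` that matches no component is the check worth keeping in any real exporter: a VEX statement about a component the consumer cannot find in the BOM is silently ignored by most tooling, which defeats the point of the triage.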

pombredanne (Contributor, Author) commented:

This is LGTM. Closing as done. I added a comment to #98 (comment) to track the part related to #98.
