
A tool to create, transform and attest VEX metadata


Let's consider a CVE **c** that impacts a product with version **x**. This CVE is fixed in product version **y**. According to [OpenVEX Specs](https://github.com/openvex/spec/blob/main/OPENVEX-SPEC.md#:~:text=for%20automated%20systems.-,action_statement,-%E2%9C%95), field 'Action_Statement' under 'Statement' can contain...

When I am trying to attest an image in a public repository, it results in an error **'has no digest'** while we are giving the required digest in the query. I am...

This ticket is something between a discussion item and a bug report, let me know if there is a better place for it. `vexctl` can currently filter out entries from...

When filtering SARIF results, vexctl should offer a setting to filter `not_affected` statements depending on their justification. For example I may want to filter only statements where software is `not_affected`...

enhancement

We should add a configuration setting to vexctl to support defining which vex statuses cause results to get filtered when running `vex filter`. Right now we have it fixed to...

enhancement

Hey there, it would be nice if I could use vexctl with the output of the Grype scanning tool and not just with SARIF documents. PS: I was quite sure...

help wanted

VEX documents are intended to be created in response to vulnerability scan results. We should have a way in `vexctl` to make it easy to react to claims made by...

enhancement

Once we finalize the initial scanner support, we should document the limitations and capabilities of the scanning subcommand of `vexctl`.

documentation

The `vexctl create --help` gives this example:

```shell
vexctl create --product="pkg:apk/wolfi/[email protected]?arch=x86_64" \
  --product="pkg:apk/wolfi/[email protected]?arch=armv7" \
  --vuln="CVE-2023-12345" \
  --status="fixed"
```

Running this command however only outputs the last `--product`:

```shell
$ vexctl...
```

When vexctl merges documents that have the same CVE ID, even if the affected products/subcomponents are the same, the new document will contain one statement for each CVE ID merged....