Comments (4)
Besides the ones mentioned above, we also have plans for a plausibility check regarding VEX.
@italvi i also agree with the deprecation notice, since the implementation might not happen for some time
from cyclonedx-editor-validator.
@mmarseu Thanks for starting this discussion as this is something we also discussed internally since #35 and #36. And we decided to deprecate merge-vex
in favor of a vex
command. The vex
command should have several sub-commands.
The ones we currently think of:
merge
. This would merge two VEX-files, i.e. not requiring an SBOM anymore. Part of this merge would be to check, whether the same CVE from one VEX-file was maybe updated and therefore the currentanalyis.state
should be overwritten (one of the use-cases I can think of there).list
. This would list me all CVEs in the VEX. Here I could even think of further flags, e.g. "--affected" to only see CVEs where (after analysis) I am really affected.prune
/trim
. This would remove not required entries, e.g. if you want to remove thefalse-positives
CVEs from the VEX-file.
I think this command would bring a real benefit and justify a separate command for VEX-files.
Meaning for your integration test: Ignore it.
@CBeck-96 maybe for the time being, till the rework happens, we should add a deprecation notice to the command. This way we also see whether somebody reacts to it, as up to now only one user is known to us.
from cyclonedx-editor-validator.
@mmarseu Thanks for starting this discussion as this is something we also discussed internally since #35 and #36. And we decided to deprecate
merge-vex
in favor of avex
command. Thevex
command should have several sub-commands.The ones we currently think of:
merge
. This would merge two VEX-files, i.e. not requiring an SBOM anymore. Part of this merge would be to check, whether the same CVE from one VEX-file was maybe updated and therefore the currentanalyis.state
should be overwritten (one of the use-cases I can think of there).
That raises the same question again: Vex is CycloneDX (at least in the sense that we use it. Other implementations exist but we don't support them). Why do we need two separate merge commands for CycloneDX files, depending on the contents?
list
. This would list me all CVEs in the VEX. Here I could even think of further flags, e.g. "--affected" to only see CVEs where (after analysis) I am really affected.prune
/trim
. This would remove not required entries, e.g. if you want to remove thefalse-positives
CVEs from the VEX-file.
Okay, I can see possible use-cases for these.
Meaning for your integration test: Ignore it.
Cool 😆
from cyclonedx-editor-validator.
That raises the same question again: Vex is CycloneDX (at least in the sense that we use it. Other implementations exist but we don't support them). Why do we need two separate merge commands for CycloneDX files, depending on the contents?
Ok, agree. It would only make sense, if we start to support other formats like OpenVEX and CSAF VEX profile. And before doing so, we should then have something like convert
.
Okay, I can see possible use-cases for these.
Glad, that this seems to be of use for you, too 😉. One more use-case could be extract
for only getting the VEX, if somebody provides an embedded VEX.
from cyclonedx-editor-validator.
Related Issues (20)
- Filename validation happens with default schema HOT 2
- `build-public` incorrectly deletes nested components
- Merge is not hierarchical HOT 1
- `build-public` shouldn't require a schema HOT 1
- `build-public` messes up compositions
- `merge-vex` reference check doesn't take nested components into account
- Should `amend` set `compositions` to `unknown` rather than `incomplete`? HOT 3
- feat: add support for cdx 1.6
- Missing attribution for license data HOT 3
- Amend throws error on Windows using licenses from Conan project HOT 7
- Add 'add_to_dependencies' option for merge command HOT 1
- Ad further options for the modification of a sbom
- refactor: change documentation creation from mkdocs to sphinx
- Automatically update copyright year
- fix: allow only license in custom schema
- Should validate silently overwrite `issues.json`? HOT 1
- fix: add copyright information to files
- Custom validation applies components requirements to tools HOT 2
- Should `build-public` delete `licensing`? HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from cyclonedx-editor-validator.