Support using VEX documents with directory scans and SBOMs #2471

@mxmehl

Description

What happened:

When running grype on an SBOM generated by syft on a local directory, and using the --vex argument pointing to an OpenVEX document, the following error occurs:

[0000] ERROR unable to find matches against VEX sources: unable to find matches against VEX documents: checking matches against VEX data: reading product identifiers from context: source type not supported for VEX

What you expected to happen:

Grype successfully reads the SBOM and OpenVEX documents, and provides its expected output (e.g. suppressing a warning).

How to reproduce it (as minimally and precisely as possible):

# Creating an SBOM on a local directory (Python project managed by poetry)
syft scan . -o json > sbom.json
# Note: Here's a warning which might help solve this:
# [0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)

# Running grype without VEX
grype sbom.json
# Table output with some vulnerabilities. For example:
# urllib3       2.2.1      2.2.2     python  GHSA-34jh-p97f-mpxf  Medium

# Creating a VEX statement on this vulnerability. The PURL was taken from grype's JSON output
vexctl create --file openvex.json -p "pkg:pypi/urllib3@2.2.1" -v "GHSA-34jh-p97f-mpxf" -s "not_affected" -j "vulnerable_code_not_in_execute_path"

# Run grype with the VEX
grype sbom:sbom.json --vex openvex.json

The output for the last command:

 ✘ Scan for vulnerabilities        [7 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 5 medium, 2 low, 0 negligible
   └── by status:   7 fixed, 0 not-fixed, 0 ignored
[0000] ERROR unable to find matches against VEX sources: unable to find matches against VEX documents: checking matches against VEX data: reading product identifiers from context: source type not supported for VEX

Anything else we need to know?:

Attaching the generated files:

Environment:
Output of grype version:

Application:         grype
Version:             0.87.0

BuildDate:           2025-01-22T20:51:16Z
GitCommit:           247f5d72abf2131aa37f3164a98495c121b29029
GitDescription:      v0.87.0
Platform:            linux/amd64
GoVersion:           go1.23.4
Compiler:            gc
Syft Version:        v1.19.0
Supported DB Schema: 5

OS (e.g: cat /etc/os-release or similar):

Distributor ID: Ubuntu
Description:    Ubuntu 22.04.4 LTS
Release:        22.04
Codename:       jammy

vexctl version:

GitVersion:    v0.3.0
GitCommit:     c613023a69ce990a54c25c2f5e69d5d78285927f
GitTreeState:  clean
BuildDate:     2024-09-10T01:45:26Z
GoVersion:     go1.22.7
Compiler:      gc
Platform:      linux/amd64

syft --version: syft 1.19.0
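The report's steps describe the matching that should happen once the SBOM and the OpenVEX document are read: a `not_affected` statement whose product PURL and vulnerability id line up with one of grype's matches should suppress that match. The script below is an added illustration of that logic and is not code from the issue, from grype or from vexctl. It constructs a minimal syft-style JSON SBOM, the OpenVEX 0.2.0 statement the `vexctl create` command in the report would produce (document id, author and timestamp are placeholders), and two matches, then applies the statements and, as a sanity check, lists VEX products that do not occur in the SBOM at all (those statements can never take effect). The choice of `not_affected` and `fixed` as the suppressing statuses is an assumption about default behaviour, and PURLs are compared as plain strings without normalisation.

```python
"""Apply OpenVEX 'not_affected'/'fixed' statements to vulnerability matches,
cross-checking product PURLs against the artifacts of a syft JSON SBOM.
The SBOM, VEX document and match list below are constructed for this example."""
import json

# Constructed: a minimal syft-style JSON SBOM for a directory source.
# Real syft output carries many more fields; only these are used here.
SBOM_JSON = json.dumps({
    "artifacts": [
        {"name": "urllib3", "version": "2.2.1", "type": "python",
         "purl": "pkg:pypi/urllib3@2.2.1"},
        {"name": "example-lib", "version": "1.0.0", "type": "python",
         "purl": "pkg:pypi/example-lib@1.0.0"},
    ],
    "source": {"type": "directory", "target": "."},
})

# Constructed: an OpenVEX 0.2.0 document with the statement from the report.
# "@id", "author" and "timestamp" are placeholders, not real values.
OPENVEX_JSON = json.dumps({
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.invalid/vex/placeholder-1",
    "author": "example-author",
    "timestamp": "2025-01-01T00:00:00Z",
    "version": 1,
    "statements": [
        {"vulnerability": {"name": "GHSA-34jh-p97f-mpxf"},
         "products": [{"@id": "pkg:pypi/urllib3@2.2.1"}],
         "status": "not_affected",
         "justification": "vulnerable_code_not_in_execute_path"},
        # Placeholder statement whose product is absent from the SBOM:
        # it can never suppress anything and should be flagged.
        {"vulnerability": {"name": "GHSA-placeholder-0002"},
         "products": [{"@id": "pkg:pypi/not-in-sbom@9.9.9"}],
         "status": "fixed"},
    ],
})

# Constructed: matches in the shape grype reports them (vulnerability id + PURL).
# "GHSA-placeholder-0001" is a placeholder id, not a real advisory.
MATCHES = [
    {"vulnerability": "GHSA-34jh-p97f-mpxf", "purl": "pkg:pypi/urllib3@2.2.1"},
    {"vulnerability": "GHSA-placeholder-0001", "purl": "pkg:pypi/example-lib@1.0.0"},
]

# Assumption: statements with these statuses suppress a match.
SUPPRESSING_STATUSES = frozenset({"not_affected", "fixed"})


def sbom_purls(sbom_json):
    """Return the set of package URLs found in a syft JSON SBOM's artifacts."""
    sbom = json.loads(sbom_json)
    return {a["purl"] for a in sbom.get("artifacts", []) if a.get("purl")}


def vex_index(openvex_json):
    """Map (vulnerability name, product PURL) -> (status, justification)."""
    doc = json.loads(openvex_json)
    index = {}
    for st in doc.get("statements", []):
        vuln = st["vulnerability"]["name"]
        for product in st.get("products", []):
            index[(vuln, product["@id"])] = (st["status"], st.get("justification"))
    return index


def unmatched_vex_products(openvex_json, sbom_json):
    """PURLs named in VEX statements that do not appear in the SBOM.
    Such statements are dead: they can never suppress or add a match."""
    purls = sbom_purls(sbom_json)
    return sorted({p for (_, p) in vex_index(openvex_json) if p not in purls})


def apply_vex(matches, openvex_json, sbom_json):
    """Split matches into (kept, ignored) according to the VEX statements.
    A match is ignored only when a statement names the exact same vulnerability
    and product PURL (plain string comparison, no PURL normalisation) with a
    suppressing status, and that product is actually present in the SBOM."""
    index = vex_index(openvex_json)
    purls = sbom_purls(sbom_json)
    kept, ignored = [], []
    for m in matches:
        entry = index.get((m["vulnerability"], m["purl"]))
        if entry and entry[0] in SUPPRESSING_STATUSES and m["purl"] in purls:
            ignored.append({**m, "status": entry[0], "justification": entry[1]})
        else:
            kept.append(m)
    return kept, ignored


if __name__ == "__main__":
    kept_matches, ignored_matches = apply_vex(MATCHES, OPENVEX_JSON, SBOM_JSON)
    for m in ignored_matches:
        print(f"ignored {m['vulnerability']} {m['purl']} ({m['status']}: {m['justification']})")
    for m in kept_matches:
        print(f"kept    {m['vulnerability']} {m['purl']}")
    for p in unmatched_vex_products(OPENVEX_JSON, SBOM_JSON):
        print(f"warning: VEX product {p} is not in the SBOM")
```

Run as-is to see the urllib3 match suppressed while the second match is kept; the dead-statement warning is the check worth keeping when you maintain VEX documents by hand, since a typo in the product PURL silently leaves the finding unsuppressed.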

Metadata

Labels: enhancement (New feature or request)
Status: Backlog