vulncheck: update documentation for vex

Adds documentation/updates some tests & comments to reflect the
introduction of the openVEX standard as a valid output format for
govulncheck.

fixes golang/go#62486

Change-Id: I88c6fc830439606441bb1855ba8b36642007738c
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/590575
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
Commit-Queue: Maceo Thompson <maceothompson@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

Author: Maceo Thompson

cmd/govulncheck/doc.go

@@ -67,12 +67,16 @@ Govulncheck also supports Static Analysis Results Interchange Format (SARIF) out
 format, following the specification at https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=sarif.
 For more details, please see [golang.org/x/vuln/internal/sarif].
 
+Govulncheck supports the Vulnerability EXchange (VEX) output format, following
+the specification at https://github.com/openvex/spec.
+For more details, please see [golang.org/x/vuln/internal/openvex].
+
 # Exit codes
 
 Govulncheck exits successfully (exit code 0) if there are no vulnerabilities,
 and exits unsuccessfully if there are. It also exits successfully if the
-'format -json' ('-json') or '-format sarif' is provided, regardless of the number
-of detected vulnerabilities.
+'format -json' ('-json'), '-format sarif', or '-format openvex' is provided,
+regardless of the number of detected vulnerabilities.
 
 # Limitations
 

cmd/govulncheck/testdata/common/testfiles/usage/usage.ct

@@ -14,7 +14,7 @@ Usage:
     	vulnerability database url (default "https://vuln.go.dev")
   -format value
     	specify format output
-    	The supported values are 'text', 'json', and 'sarif' (default 'text')
+    	The supported values are 'text', 'json', 'sarif', and 'openvex' (default 'text')
   -json
     	output JSON (Go compatible legacy flag, see format flag)
   -mode value

internal/openvex/vex.go

@@ -7,6 +7,9 @@
 //
 // These types match the OpenVEX standard. See https://github.com/openvex for
 // more information on VEX and OpenVEX.
+//
+// This is intended to be the minimimal amount of information required to output
+// a complete VEX document according to the specification.
 package openvex
 
 import "time"

internal/scan/flags.go

@@ -42,7 +42,7 @@ func parseFlags(cfg *config, stderr io.Writer, args []string) error {
 	flags.Var(&modeFlag, "mode", "supports 'source', 'binary', and 'extract' (default 'source')")
 	flags.Var(&cfg.tags, "tags", "comma-separated `list` of build tags")
 	flags.Var(&cfg.show, "show", "enable display of additional information specified by the comma separated `list`\nThe supported values are 'traces','color', 'version', and 'verbose'")
-	flags.Var(&cfg.format, "format", "specify format output\nThe supported values are 'text', 'json', and 'sarif' (default 'text')")
+	flags.Var(&cfg.format, "format", "specify format output\nThe supported values are 'text', 'json', 'sarif', and 'openvex' (default 'text')")
 	flags.BoolVar(&version, "version", false, "print the version information")
 	flags.Var(&scanFlag, "scan", "set the scanning level desired, one of 'module', 'package', or 'symbol' (default 'symbol')")