
Conversation

alegrey91
Contributor

@alegrey91 alegrey91 commented Jul 19, 2025

Hello!

I was recently using grype with VEX to filter false positives on my vulnerability scans.
As far as I understood, VEX documents are currently supported only when using SBOMs in syft-json format.

```
syft alpine@sha256:124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126 --output syft-json=grype-alpine.sbom.syft
grype sbom:grype-alpine.sbom.syft --vex ./grype/grype/vex/testdata/vex-docs/openvex-demo2.json --show-suppressed
```

I would need to use the cyclonedx-json format, but this doesn't seem to work right now:

```
syft alpine@sha256:124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126 --output cyclonedx-json=grype-alpine.sbom.cdx
grype sbom:grype-alpine.sbom.cdx --vex ./grype/grype/vex/testdata/vex-docs/openvex-demo2.json --show-suppressed
```

This PR adds support for setting default product values in case `productIdentifiersFromContext` doesn't return anything. This happens when the input SBOM is not in syft-json format. I suppose this is because the `pkg.Provide` function is not able to retrieve the expected product name, when returning the `pkgContext`, with other formats.
If this fix works for you, I can add tests or documentation accordingly. Just let me know.

Fixes #2471

Thanks for this nice project :)
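The behaviour the PR description relies on (VEX statements only suppress a match when the scanner knows which product it is scanning, so an empty product identifier set suppresses nothing) is easier to see in a small model. The following Go program is an added example written for this page; it is not grype's code, and `productIdentifiersFromContext`, `withDefaultProducts`, `applyVEX`, the `pkg:oci/...` product string and the CVE ids are all constructed for illustration. It models the two situations from the description: an SBOM whose context yields no product identifier (nothing is filtered), and the same run with a caller-supplied default product (the `not_affected` statement now applies).

```go
package main

import "fmt"

// VexStatus is a constructed subset of the OpenVEX status vocabulary.
type VexStatus string

const (
	StatusNotAffected VexStatus = "not_affected"
	StatusAffected    VexStatus = "affected"
	StatusFixed       VexStatus = "fixed"
)

// Statement is a simplified VEX statement: one vulnerability, the products
// it speaks about, and the asserted status.
type Statement struct {
	Vulnerability string
	Products      []string
	Status        VexStatus
}

// Match is one vulnerability the scanner found against one package.
type Match struct {
	Vulnerability string
	Package       string
}

// productIdentifiersFromContext models what a scanner can derive from the
// SBOM's source metadata (hypothetical). Only an SBOM that carries the image
// digest yields an identifier; for any other input the result is empty,
// which is the situation the PR description observes for cyclonedx-json.
func productIdentifiersFromContext(imageRef, imageDigest string) []string {
	if imageDigest == "" {
		return nil
	}
	// Constructed identifier shape; real tools use a PURL or similar.
	return []string{"pkg:oci/" + imageRef + "@" + imageDigest}
}

// withDefaultProducts is the fallback the PR adds: keep the context-derived
// identifiers when there are any, otherwise use the caller-supplied defaults.
func withDefaultProducts(fromContext, defaults []string) []string {
	if len(fromContext) == 0 {
		return defaults
	}
	return fromContext
}

// applyVEX splits matches into kept and suppressed. A match is suppressed only
// when a statement for the same vulnerability names one of our product
// identifiers and asserts not_affected or fixed. With no product identifiers
// no statement can apply, so every match is kept (nothing is hidden by accident).
func applyVEX(matches []Match, stmts []Statement, products []string) (kept, suppressed []Match) {
	ours := make(map[string]bool, len(products))
	for _, p := range products {
		ours[p] = true
	}
	for _, m := range matches {
		drop := false
		for _, s := range stmts {
			if s.Vulnerability != m.Vulnerability || (s.Status != StatusNotAffected && s.Status != StatusFixed) {
				continue
			}
			for _, p := range s.Products {
				if ours[p] {
					drop = true
					break
				}
			}
			if drop {
				break
			}
		}
		if drop {
			suppressed = append(suppressed, m)
		} else {
			kept = append(kept, m)
		}
	}
	return kept, suppressed
}

func main() {
	// Constructed sample data: one VEX statement and two scanner matches.
	product := "pkg:oci/alpine@sha256:124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126"
	stmts := []Statement{{Vulnerability: "CVE-0000-0001", Products: []string{product}, Status: StatusNotAffected}}
	matches := []Match{{"CVE-0000-0001", "libcrypto3"}, {"CVE-0000-0002", "busybox"}}

	// SBOM without source metadata: context yields nothing, nothing is suppressed.
	kept, sup := applyVEX(matches, stmts, productIdentifiersFromContext("alpine", ""))
	fmt.Printf("no context:   kept=%d suppressed=%d\n", len(kept), len(sup))

	// Same SBOM with a default product supplied: the statement now applies.
	ids := withDefaultProducts(productIdentifiersFromContext("alpine", ""), []string{product})
	kept, sup = applyVEX(matches, stmts, ids)
	fmt.Printf("with default: kept=%d suppressed=%d\n", len(kept), len(sup))
}
```

The design choice worth noting from a defender's view is that the missing-product case fails closed: findings stay visible rather than being silently filtered. A default product therefore widens what VEX can suppress, so it should name exactly the artifact the VEX author made their assertions about, not a broader identifier that would let `not_affected` statements leak onto unrelated scans.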

@alegrey91 alegrey91 marked this pull request as ready for review July 19, 2025 11:59
@alegrey91
Contributor Author

Any thoughts about the fix?

@willmurphyscode willmurphyscode self-assigned this Sep 18, 2025
@willmurphyscode willmurphyscode moved this to In Review in OSS Sep 18, 2025
@spiffcs spiffcs added the bug Something isn't working label Oct 6, 2025
Signed-off-by: Alex Goodman <[email protected]>
@wagoodman wagoodman removed the bug Something isn't working label Oct 6, 2025
@wagoodman wagoodman enabled auto-merge (squash) October 6, 2025 16:18
@wagoodman wagoodman merged commit 2077245 into anchore:main Oct 6, 2025
12 checks passed
@github-project-automation github-project-automation bot moved this from In Review to Done in OSS Oct 6, 2025

Successfully merging this pull request may close these issues.

Support using VEX documents with directory scans and SBOMs