Conversation
This change introduces the `generate_openvex.py` script, which converts the `VEX.cyclonedx.xml` file into a compliant OpenVEX JSON document.

### Highlights

* Adds a Python script to automate VEX conversion from CycloneDX format to OpenVEX.
* Generates a fully populated OpenVEX document based on vulnerability analysis data in `VEX.cyclonedx.xml`.

### Additional Fixes

* Corrects a non-unique `serialNumber` (UUID) that was mistakenly copy-pasted from `commons-bcel`.
* Removes unintended indentation from the explanation text, ensuring valid Markdown formatting.
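The conversion the script automates, as an added example that is not the PR's `generate_openvex.py`: it parses a constructed CycloneDX VEX document with the standard library and emits an OpenVEX document, enforcing the OpenVEX rule that a `not_affected` statement must carry a justification or an impact statement. The state and justification mappings, and the reuse of the BOM `serialNumber` as the OpenVEX `@id`, are assumptions of this example, and the CVE id, purl and UUID in the sample are placeholders.

```python
import json
import xml.etree.ElementTree as ET

# Constructed CycloneDX VEX input; the CVE id, purl and UUID are placeholders, not real values.
SAMPLE_VEX_XML = """<bom xmlns="http://cyclonedx.org/schema/bom/1.5" version="1"
     serialNumber="urn:uuid:00000000-0000-4000-8000-000000000001">
  <vulnerabilities><vulnerability>
    <id>CVE-2099-00001</id>
    <analysis>
      <state>not_affected</state>
      <justification>code_not_reachable</justification>
      <detail>The vulnerable parser is never called by this component.</detail>
    </analysis>
    <affects><target><ref>pkg:maven/org.example/example-lib@1.0.0</ref></target></affects>
  </vulnerability></vulnerabilities>
</bom>"""

# Assumed mappings from the CycloneDX analysis vocabulary to the OpenVEX one.
STATE_TO_STATUS = {"resolved": "fixed", "resolved_with_pedigree": "fixed", "exploitable": "affected",
                   "in_triage": "under_investigation", "false_positive": "not_affected",
                   "not_affected": "not_affected"}
JUSTIFICATION = {"code_not_present": "vulnerable_code_not_present",
                 "code_not_reachable": "vulnerable_code_not_in_execute_path"}
JUSTIFICATION.update({k: "vulnerable_code_cannot_be_controlled_by_adversary" for k in
                      ("requires_configuration", "requires_dependency", "requires_environment")})
JUSTIFICATION.update({k: "inline_mitigations_already_exist" for k in ("protected_by_compiler",
                      "protected_at_runtime", "protected_at_perimeter", "protected_by_mitigating_control")})


def cyclonedx_to_openvex(xml_text, author, timestamp):
    root = ET.fromstring(xml_text)
    ns = {"c": root.tag[1:root.tag.index("}")]}  # namespace taken from the file, any schema version
    statements = []
    for vuln in root.findall("c:vulnerabilities/c:vulnerability", ns):
        text = lambda path: vuln.findtext(path, namespaces=ns)
        if text("c:analysis/c:state") not in STATE_TO_STATUS:
            raise ValueError(f"unsupported or missing analysis state for {text('c:id')}")
        stmt = {"vulnerability": {"name": text("c:id")},
                "products": [{"@id": r.text} for r in vuln.findall("c:affects/c:target/c:ref", ns)],
                "status": STATE_TO_STATUS[text("c:analysis/c:state")]}
        detail, just = text("c:analysis/c:detail"), JUSTIFICATION.get(text("c:analysis/c:justification"))
        if stmt["status"] == "not_affected":
            # OpenVEX requires a justification or an impact_statement on every not_affected statement
            if just is None and not detail:
                raise ValueError(f"{text('c:id')}: not_affected needs a justification or detail")
            stmt.update({k: v for k, v in (("justification", just), ("impact_statement", detail)) if v})
        statements.append(stmt)
    # Assumption: the BOM serialNumber becomes the document @id, which is why a copy-pasted
    # (non-unique) serialNumber matters: two VEX documents would share one identity.
    return {"@context": "https://openvex.dev/ns/v0.2.0", "@id": root.get("serialNumber"),
            "author": author, "timestamp": timestamp, "version": 1, "statements": statements}
```

Serialise the result with `json.dumps(cyclonedx_to_openvex(SAMPLE_VEX_XML, "Example PMC", "2024-01-01T00:00:00Z"), indent=2)` to get the OpenVEX JSON file.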
| @@ -0,0 +1,177 @@ | |||
| #!/usr/bin/env python3 | |||
Hi @ppkarwasz
This seems like a bad idea because all 20+ components will need this duplicated. It seems we should have an "empty" VEX statement for components without issues to affirm that we are OK there. We have TWO plug-ins already for this kind of housekeeping (we really should have a single one), can't we stick stuff like this in there?
Which plugin do you think would be the best?
As an alternative we can also move the VEX-es into a separate repo, where we can also store the Python scripts to generate them. What do you think? A single repo would also allow us to update VEX entries for all Commons components at once.
What do you think about putting this in commons-build-plugin?
That plugin generates files already like the release notes, read me, and some site XML files. This would allow us to also generate the security page with VEX information! Super 👌!
Requiring Python is not great, the plug-in generates files without Python.
Sure, I could write a Maven Site Plugin that generates the OpenVEX.
Since it is experimental and might be used by projects other than Commons, I'll write a prototype either in sbom-enforcer or vex-generation-toolset: it will be easier to publish and it can be easier to drop support for it, if it ends up not being useful.
| @@ -0,0 +1,177 @@ | |||
| #!/usr/bin/env python3 | |||
| import xml.etree.ElementTree as ET | |||
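Review bot: the new file starts directly with the shebang and `import xml.etree.ElementTree as ET`, with no Apache license header, which the build's RAT check rejects; add the ASF license header as a comment block above the shebang. Also, xml.etree.ElementTree offers no protection against entity-expansion attacks on hostile XML; that is acceptable while the input is the project's own checked-in `VEX.cyclonedx.xml`, so state that assumption in the script or parse with defusedxml.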
This file is missing its Apache license header which blows up the build's RAT check. Run 'mvn' solo to run the default Maven goal 😉