fix(vex): set default product list #2811
Open
+19
−0
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Hello!
I was recently using grype with VEX to filter false positives on my vulnerabilty scans.
As far as I understood VEX documents are currently supported only when using SBOMs in
syft-jsonformat.I would need to use the
cyclonedx-jsonformat, but this doesn't seems to work now:This PR adds support for setting a default product values in case the
productIdentifiersFromContextdoesn't return anything. This happens when the input SBOM is not insyft-jsonformat. I suppose this is because thepkg.Providefunction is not able to retrieve the expected product name, when returning thepkgContext, with other formats.If this fix works for you I can add tests or documentation accordingly. Just let me know.
Fixes #2471
Thanks for this nice project :)