From 61909cc2a0f47ec3ef63b22f4310e192b129fa6e Mon Sep 17 00:00:00 2001
From: Alessio Greggi
Date: Sat, 19 Jul 2025 02:36:28 +0200
Subject: [PATCH] fix(vex): set default product list
Signed-off-by: Alessio Greggi
---
 grype/vex/openvex/implementation.go | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/grype/vex/openvex/implementation.go b/grype/vex/openvex/implementation.go
index 2f875a50266..a6e25f1c7bc 100644
--- a/grype/vex/openvex/implementation.go
+++ b/grype/vex/openvex/implementation.go
@@ -71,6 +71,18 @@ func productIdentifiersFromContext(pkgContext *pkg.Context) ([]string, error) {
 }
 }
 
+// productIdentifierFromVEX reads the VEX documents and returns software
+// identifiers listed in the statements.
+func productIdentifierFromVEX(doc *openvex.VEX) []string {
+ var products []string
+ for _, stmt := range doc.Statements {
+ for _, product := range stmt.Products {
+ products = append(products, product.ID)
+ }
+ }
+ return products
+}
+
 func identifiersFromTags(tags []string, name string) []string {
 identifiers := []string{}
 
@@ -164,11 +176,18 @@ func (ovm *Processor) FilterMatches(
 
 remainingMatches := match.NewMatches()
 
+ // this works only when grype uses the SBOM syft format
 products, err := productIdentifiersFromContext(pkgContext)
 if err != nil {
 return nil, nil, fmt.Errorf("reading product identifiers from context: %w", err)
 }
 
+ // if the previous method didn't work to find products,
+ // we get them from the VEX document.
+ if len(products) == 0 {
+ products = productIdentifierFromVEX(doc)
+ }
+
 // TODO(alex): should we apply the vex ignore rules to the already ignored matches?
 // that way the end user sees all of the reasons a match was ignored in case multiple apply
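Review bot: `productIdentifierFromVEX` in the first hunk appends `product.ID` unconditionally, so a product entry with an empty ID yields a "" identifier and an ID listed in several statements is repeated; skipping empty IDs and deduplicating keeps the fallback list well-formed for whatever consumes it in FilterMatches. The name is singular although it returns a list, unlike the sibling `productIdentifiersFromContext`, and its comment says "documents" while it takes a single `doc`; suggest renaming to `productIdentifiersFromVEX` with the comment `// productIdentifiersFromVEX returns the distinct, non-empty product IDs listed in the document's statements.` In the second hunk (which continues past this excerpt) the fallback scopes the statements by identifiers the VEX author supplied rather than ones derived from the scanned artifact, so product matching presumably no longer ties a statement to what was actually scanned; if that weaker scoping is intended it deserves a comment saying so and a log line when the fallback is taken, so the behaviour is visible in the output rather than silent.
```go
func productIdentifierFromVEX(doc *openvex.VEX) []string {
	seen := make(map[string]struct{})
	var products []string
	for _, stmt := range doc.Statements {
		for _, product := range stmt.Products {
			id := product.ID
			if id == "" {
				continue // a product without an ID cannot be matched against anything
			}
			if _, dup := seen[id]; dup {
				continue
			}
			seen[id] = struct{}{}
			products = append(products, id)
		}
	}
	return products
}
```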