Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for cyclonedx 1.4 and VEX #591

Closed
sambhav opened this issue Jan 13, 2022 · 5 comments · Fixed by #678
Closed

Add support for cyclonedx 1.4 and VEX #591

sambhav opened this issue Jan 13, 2022 · 5 comments · Fixed by #678
Assignees
@luhring
Labels
enhancement New feature or request format:cyclonedx CycloneDX related enhancement or bug

Comments

@sambhav
Copy link
Contributor

sambhav commented Jan 13, 2022
edited
Loading

What would you like to be added: CycloneDX 1.4 was released with added support for a common vulnerability exchange format.

It would be great if grype could output its vulnerability reports in this format. This could also be helpful down the road as a standardized format to attach vulnerability data as intoto attestations.

Why is this needed: This provides a well defined standard to output and parse vulnerability information. syft already supports Cyclonedx SBOMs and this could be a great counterpart for grype.

Additional context:

More details at

https://cyclonedx.org/capabilities/vex/

https://github.com/CycloneDX/sbom-examples/blob/master/VEX/vex.json
@sambhav sambhav added the enhancement New feature or request label Jan 13, 2022
@sambhav sambhav mentioned this issue Jan 13, 2022
Closed
@nwl
Copy link
Contributor

nwl commented Jan 13, 2022

Syft ticket here: anchore/syft#744

@sambhav sambhav mentioned this issue Feb 14, 2022
Merged
@wagoodman wagoodman mentioned this issue Feb 17, 2022
Open
@wagoodman wagoodman added the format:cyclonedx CycloneDX related enhancement or bug label Feb 17, 2022
@sambhav
Copy link
Contributor Author

sambhav commented Mar 16, 2022

Now that syft support for cyclonedx 1.4 is out, I believe this is unblocked. I might be able to get around to a draft PR this week.

@luhring
Copy link
Contributor

luhring commented Mar 16, 2022

That would be amazing! I'm very excited about this one.

@sambhav sambhav mentioned this issue Mar 17, 2022
Merged
@hectorj2f
Copy link

@luhring Are there any plans to support CycloneDX 1.4 in the incoming releases ? Do you have an idea when that could happen ? Thanks :).

@spiffcs spiffcs added this to OSS Apr 28, 2022
@spiffcs spiffcs moved this to Triage in OSS Apr 28, 2022
Repository owner moved this from Triage (Comments or Progress Made) to Done in OSS Apr 28, 2022
@luhring
Copy link
Contributor

luhring commented Apr 29, 2022

@hectorj2f Just released!

@HNKNTA HNKNTA mentioned this issue Apr 23, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@luhring luhring

Labels
enhancement New feature or request format:cyclonedx CycloneDX related enhancement or bug
Projects
OSS
Archived in project
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add initial support for embedded CycloneDX VEX documents sambhav/grype
5 participants
@wagoodman @nwl @hectorj2f @luhring @sambhav