Support using VEX documents with directory scans and SBOMs
What happened:
When running grype on an SBOM generated by syft on a local directory, and using the --vex argument pointing to an OpenVEX document, the following error occurs:
[0000] ERROR unable to find matches against VEX sources: unable to find matches against VEX documents: checking matches against VEX data: reading product identifiers from context: source type not supported for VEX
What you expected to happen:
Grype successfully reads the SBOM and OpenVEX documents, and provides its expected output (e.g. suppressing a warning).
How to reproduce it (as minimally and precisely as possible):
# Creating an SBOM on a local directory (Python project managed by poetry)
syft scan . -o json > sbom.json
# Note: Here's a warning which might help solve this:
# [0000] WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)
# Running grype without VEX
grype sbom.json
# Table output with some vulnerabilities. For example:
# urllib3 2.2.1 2.2.2 python GHSA-34jh-p97f-mpxf Medium
# Creating a VEX statement on this vulnerability. The PURL was taken from grype's JSON output
vexctl create --file openvex.json -p "pkg:pypi/urllib3@2.2.1" -v "GHSA-34jh-p97f-mpxf" -s "not_affected" -j "vulnerable_code_not_in_execute_path"
# Run grype with the VEX
grype sbom:sbom.json --vex openvex.json
The output for the last command:
✘ Scan for vulnerabilities [7 vulnerability matches]
├── by severity: 0 critical, 0 high, 5 medium, 2 low, 0 negligible
└── by status: 7 fixed, 0 not-fixed, 0 ignored
[0000] ERROR unable to find matches against VEX sources: unable to find matches against VEX documents: checking matches against VEX data: reading product identifiers from context: source type not supported for VEX
Anything else we need to know?:
Attaching the generated files:
Environment:
Output of grype version:
Application: grype
Version: 0.87.0
BuildDate: 2025-01-22T20:51:16Z
GitCommit: 247f5d72abf2131aa37f3164a98495c121b29029
GitDescription: v0.87.0
Platform: linux/amd64
GoVersion: go1.23.4
Compiler: gc
Syft Version: v1.19.0
Supported DB Schema: 5
OS (e.g: cat /etc/os-release or similar):
Distributor ID: Ubuntu
Description: Ubuntu 22.04.4 LTS
Release: 22.04
Codename: jammy
vexctl version:
GitVersion: v0.3.0
GitCommit: c613023a69ce990a54c25c2f5e69d5d78285927f
GitTreeState: clean
BuildDate: 2024-09-10T01:45:26Z
GoVersion: go1.22.7
Compiler: gc
Platform: linux/amd64
syft --version: syft 1.19.0
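A small offline check of the kind one can run before filing an issue like this one, added here as an example and not code from the grype project or the reporter: it parses a syft JSON SBOM and an OpenVEX document and reports, per VEX product PURL, whether the SBOM contains that package at that version, and which source type the SBOM records. The SBOM and VEX inputs are constructed, and the syft JSON and OpenVEX field names used are assumptions.

```python
import json

# Constructed sample inputs, not the reporter's attached files: a minimal syft
# JSON SBOM for a directory source, and the OpenVEX document the vexctl command
# above would produce, plus one statement whose product version does not match
# the SBOM. GHSA-0000-0000-0000 is a placeholder, not a real advisory id.
SBOM_JSON = json.dumps({
    "source": {"type": "directory", "target": "."},
    "artifacts": [
        {"name": "urllib3", "version": "2.2.1", "purl": "pkg:pypi/urllib3@2.2.1"},
        {"name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
    ],
})
VEX_JSON = json.dumps({
    "@context": "https://openvex.dev/ns/v0.2.0",
    "statements": [
        {"vulnerability": {"name": "GHSA-34jh-p97f-mpxf"},
         "products": [{"@id": "pkg:pypi/urllib3@2.2.1"}],
         "status": "not_affected",
         "justification": "vulnerable_code_not_in_execute_path"},
        {"vulnerability": {"name": "GHSA-0000-0000-0000"},
         "products": [{"@id": "pkg:pypi/requests@2.32.0"}],
         "status": "not_affected"},
    ],
})

def split_purl(purl: str) -> tuple[str, str]:
    """'pkg:type/name@version[?qualifiers][#subpath]' -> (type/name, version)."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    name, _, version = base.partition("@")
    return name, version

def check_vex_against_sbom(vex_text: str, sbom_text: str) -> tuple[str, dict[str, str]]:
    """Return the SBOM source type and, per VEX product PURL, 'matched',
    'version-mismatch:<versions in SBOM>' (same package, other version) or 'not-in-sbom'."""
    sbom, vex = json.loads(sbom_text), json.loads(vex_text)
    versions: dict[str, set[str]] = {}
    for artifact in sbom.get("artifacts", []):
        if artifact.get("purl"):
            name, version = split_purl(artifact["purl"])
            versions.setdefault(name, set()).add(version)
    report: dict[str, str] = {}
    for statement in vex.get("statements", []):
        for product in statement.get("products", []):
            purl = product.get("@id", "")
            name, version = split_purl(purl)
            if version in versions.get(name, set()):
                report[purl] = "matched"
            elif name in versions:
                report[purl] = "version-mismatch:" + ",".join(sorted(versions[name]))
            else:
                report[purl] = "not-in-sbom"
    return sbom.get("source", {}).get("type", ""), report
```

With the reporter's real files, a `matched` result alongside the `source type not supported for VEX` error isolates the problem to the SBOM source type rather than to the PURL in the VEX statement.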
Looks like the function for matching subjects and sources only supports images -- the next step is to try and only error out if there is actively a mismatch with the subject on the vex statement.
@wagoodman I assume that there isn't currently a priority for this. And I don't want to pressure you, but would it be possible for you to point me to some places in the code that are relevant for VEX or this error (or is it only the current link you provided?) so that I could do this on the SBOM level? :)
Hey @henrysachs I believe the spot linked above is pertinent; and: https://github.com/anchore/grype/blob/main/grype/vex/openvex/implementation.go#L157
It seems to me that it would be ok to enhance the openvex logic to be more lenient or support more features, as long as we're not going against the spec in any way.
I don't think this issue is ready to be closed. I still run into the same error running the latest versions of syft and grype. Perhaps #2798 is the missing puzzle piece?
@mxmehl, as #2798 has landed, feel free to try again; hopefully it works for your use case now as well.
Thanks! I will try again once a new release with these changes is available.
I tried it with grype 0.104.0 and the error still persists, using the very same minimum workflow as above.
ERROR unable to find matches against VEX sources: unable to find matches against VEX documents: checking matches against VEX data: reading product identifiers from context: source type not supported for VEX
Am I holding it wrong?