Add support for VEX #72
base: main
ziadhany commented Apr 9, 2024 (edited)
b3010b7 to a0f993d
@tdruez @DennisClark I'm finalizing the VCIO to CycloneDX vulnerability mapping (references, ratings, packages). If you have any feedback, please let me know.
@ziadhany the screenshots look nice. Do you have an example of the VEX document that you can attach for me to review? Thanks.
@ziadhany Please see if you can support CycloneDX spec 1.4, 1.5, and 1.6 for the VEX.
Fix Vex export test
Remove get_export_vex_url func from Package model
Add support for vulnerability encoder
Add a test for get_references_and_rating
Rename UI VEX fields
Fix Export VEX View
Rename VEX model
Add VEX Form
Fix UI bug and add the model to dataspace
Add basic VEX mapping for CycloneDX
Automate VEX creation
Add the basic Vex Form
Add the skeleton view and form for vex
Add Product VEX List view and update tab_vex
Add the basic for vex model
Add the basic skeleton for vex export
Signed-off-by: ziadhany <[email protected]>
dejacode_toolkit/vex.py (Outdated)
```python
versions.append(BomTargetVersionRange(version=vul_purl.version, status=status))

if versions:
    bom_target = BomTarget(ref="urn:cdx:serialNumber/version#bom-ref", versions=versions)
```
I am confused about bom_target, especially this part: urn:cdx:3e671687-395b-41f5-a30f-a58921a69b79/1#
Where can we get the bom ref? (VulnerableCode doesn't provide the bom ref.) Should we create a BOM and pass the bom ref to the VEX?
@ziadhany thanks for asking, yes. We should also create a CycloneDX SBOM at the same specification level as the VEX and pass the bom ref to the VEX.
@ziadhany as we agreed in our VCIO meeting, please use the Package URL (PURL) as the bom_ref. Thanks.
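The bom-ref linkage agreed above, as an added example that is not DejaCode's or cyclonedx-python-lib's code: build the SBOM and the VEX side by side at one spec level with each package's PURL as its bom-ref, then flag VEX statements whose ref resolves to no SBOM component. The PURLs and the vulnerability id are constructed sample data.

```python
"""Added example, not DejaCode's own code: tie a CycloneDX VEX to the SBOM it
describes by using each package's PURL as the bom-ref (the choice agreed in
this thread) and check that every ref the VEX points at exists in the SBOM.
Plain dicts in CycloneDX JSON shape; no cyclonedx library required."""
import json

SPEC_VERSION = "1.5"  # VEX and SBOM are emitted at the same spec level

def _purl_version(purl):
    # Simplistic PURL split: 'pkg:pypi/django@3.2.1' -> '3.2.1' (ignores qualifiers).
    return purl.split("@", 1)[1] if "@" in purl else None

def build_sbom(purls, spec_version=SPEC_VERSION):
    """Minimal SBOM with one component per package; bom-ref is the PURL itself."""
    components = []
    for purl in purls:
        comp = {"type": "library", "bom-ref": purl, "purl": purl,
                "name": purl.split("/")[-1].split("@")[0]}
        if _purl_version(purl):
            comp["version"] = _purl_version(purl)
        components.append(comp)
    return {"bomFormat": "CycloneDX", "specVersion": spec_version,
            "version": 1, "components": components}

def build_vex(findings, spec_version=SPEC_VERSION):
    """findings: {vuln_id: [(purl, status), ...]}, status being one of the
    CycloneDX affected-status values 'affected', 'unaffected' or 'unknown'."""
    vulns = []
    for vuln_id, targets in findings.items():
        affects = [{"ref": purl, "versions": [{"version": _purl_version(purl),
                                               "status": status}]}
                   for purl, status in targets]
        vulns.append({"id": vuln_id, "affects": affects})
    return {"bomFormat": "CycloneDX", "specVersion": spec_version,
            "version": 1, "vulnerabilities": vulns}

def dangling_refs(sbom, vex):
    """Sorted VEX refs that no SBOM component carries: statements a consumer
    could never match to a component. Rejects a spec-level mismatch outright."""
    if sbom["specVersion"] != vex["specVersion"]:
        raise ValueError("VEX and SBOM must be at the same specVersion")
    known = {c["bom-ref"] for c in sbom.get("components", [])}
    return sorted({a["ref"] for v in vex.get("vulnerabilities", [])
                   for a in v.get("affects", []) if a["ref"] not in known})

if __name__ == "__main__":  # constructed sample data, not real findings
    sbom = build_sbom(["pkg:pypi/django@3.2.1", "pkg:npm/lodash@4.17.20"])
    vex = build_vex({"VCID-EXAMPLE-0001": [("pkg:pypi/django@3.2.1", "affected"),
                                           ("pkg:npm/lodash@4.17.21", "unaffected")]})
    print(json.dumps(dangling_refs(sbom, vex)))  # ["pkg:npm/lodash@4.17.21"]
```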
Add package purl string as a bom ref
Signed-off-by: ziadhany <[email protected]>