
feat(spdx_vex): Add support for SPDX VEX format using lib4vex (WIP) #4862

Draft: wants to merge 2 commits into base: main

Conversation


@JigyasuRajput JigyasuRajput commented Feb 27, 2025

TL;DR: this PR needs work once lib4vex v0.3.0 is available, as discussed in #4716

Description:
This PR aims to add support for the SPDX VEX format using lib4vex. However, the required version (lib4vex 0.3.0) is not yet released.

Current Status:

  • Added the spdx option to the CLI for VEX generation.
  • Implemented error handling for SPDX VEX files.
  • Integrated lib4vex for parsing SPDX VEX and mapped SPDX product info to the tool’s internal format.
  • Updated SBOM detection to identify SPDX VEX files based on content (e.g., spdxVersion and vulnerabilityAnalysis).
  • Added unit tests for SPDX VEX parsing and validation.
  • The implementation requires further work once lib4vex 0.3.0 is available.

Next Steps: (once lib4vex v0.3.0 is available)

  • update the import statements
  • update requirements for lib4vex
  • improve test cases and error handling accordingly
  • add documentation for the same

Marking this as a draft to track progress and get early feedback. Suggestions are welcome!
(WIP) - #4716
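The content-based detection step listed above (recognising an SPDX VEX document by the presence of `spdxVersion` and `vulnerabilityAnalysis` rather than by file name) and the error handling for malformed SPDX input can be illustrated with the following added example. This is illustrative code written for this page, not code from the PR or from cve-bin-tool; `InvalidSpdxError`, `DocumentKind`, `detect_document_kind`, `extract_products` and the shape of the `vulnerabilityAnalysis` entries are assumptions, and the sample documents are constructed. The `packages[].name` / `packages[].versionInfo` fields used for the product mapping are standard SPDX 2.x JSON fields.

```python
import json
from enum import Enum, auto
from typing import List, Optional, Tuple


class InvalidSpdxError(ValueError):
    """Raised when a document claims to be SPDX but is structurally unusable (hypothetical name)."""


class DocumentKind(Enum):
    SPDX_VEX = auto()   # SPDX document carrying vulnerability analysis (VEX) data
    SPDX_SBOM = auto()  # plain SPDX bill of materials, no VEX section
    UNKNOWN = auto()    # not an SPDX JSON document at all


def detect_document_kind(text: str) -> DocumentKind:
    """Classify a JSON document by its content, not its file name.

    `spdxVersion` marks an SPDX document; `vulnerabilityAnalysis` marks VEX
    content inside it (the two keys named in the PR description).
    """
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        return DocumentKind.UNKNOWN  # not JSON, so certainly not SPDX JSON
    if not isinstance(doc, dict) or "spdxVersion" not in doc:
        return DocumentKind.UNKNOWN
    version = doc["spdxVersion"]
    # A document that advertises itself as SPDX but carries a nonsensical
    # version is an error condition, not merely "unknown": fail loudly so the
    # caller can map it to a distinct exit code.
    if not isinstance(version, str) or not version.startswith("SPDX-"):
        raise InvalidSpdxError(f"unexpected spdxVersion value: {version!r}")
    if "vulnerabilityAnalysis" in doc:
        if not isinstance(doc["vulnerabilityAnalysis"], list):
            raise InvalidSpdxError("vulnerabilityAnalysis must be a list")
        return DocumentKind.SPDX_VEX
    return DocumentKind.SPDX_SBOM


def extract_products(text: str) -> List[Tuple[str, Optional[str]]]:
    """Map SPDX package entries to a simple (product, version) tuple list.

    The tuple shape stands in for the tool's internal format (an assumption);
    `versionInfo` is optional in SPDX, so a missing version is kept as None.
    """
    doc = json.loads(text)
    products = []
    for pkg in doc.get("packages", []):
        if not isinstance(pkg, dict) or "name" not in pkg:
            raise InvalidSpdxError("SPDX package entry without a name")
        products.append((pkg["name"], pkg.get("versionInfo")))
    return products


# Constructed sample documents (not real SBOMs).
SPDX_VEX_SAMPLE = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [{"name": "openssl", "versionInfo": "3.0.2"}],
    # Entry shape is an assumption for this example; the CVE id is a placeholder.
    "vulnerabilityAnalysis": [{"id": "CVE-PLACEHOLDER-0001", "status": "not_affected"}],
})
SPDX_SBOM_SAMPLE = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "packages": [{"name": "zlib", "versionInfo": "1.2.13"}],
})
CYCLONEDX_SAMPLE = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5"})


if __name__ == "__main__":
    for label, sample in [("vex", SPDX_VEX_SAMPLE), ("sbom", SPDX_SBOM_SAMPLE), ("cdx", CYCLONEDX_SAMPLE)]:
        print(label, detect_document_kind(sample).name)
    print(extract_products(SPDX_VEX_SAMPLE))
```

Detecting by content instead of extension matters for a scanner that accepts user-supplied files: a `.json` SBOM and a `.json` VEX look identical on disk, and treating the VEX as an SBOM would silently drop the `not_affected` statements that suppress false positives.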

@JigyasuRajput JigyasuRajput marked this pull request as draft February 27, 2025 13:38

@terriko terriko left a comment


Minor nit while I was quick scanning this to make sure nothing weird would happen if I allowed CI. I haven't actually done a full review but it looks safe to run the tests so I'll trigger those now.

@@ -243,6 +249,7 @@ def __exit__(self, exc_type, exc_val, exc_tb):
UnknownArchiveType: 31,
UnknownConfigType: 32,
CVEDataMissing: 33,
InvalidSpdxError: 33,
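Review bot: `InvalidSpdxError: 33` reuses the exit code already assigned to `CVEDataMissing: 33` two lines above in the same mapping, so a caller checking the process exit status cannot tell a missing-CVE-data failure from an invalid SPDX file. Give the new entry the next unused value (the highest existing one here is 33, so 34 if nothing below the hunk already takes it) and consider a unit test asserting that the mapping's values are unique, so the next addition cannot reintroduce a collision.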
@terriko terriko Feb 27, 2025


Probably just give this a new number for disambiguation from CVEDataMissing above. I don't really have these organized in any way so you can dump it at the bottom and use whatever the next number is.
