Add support for ingesting VEX documents in the CSAF format #729
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request.
@lulf Thanks for the PR! Yes this looks good so far. Just a couple of questions
Hey @lulf! Thanks for opening this PR! In the meantime, if you need help with resolving the DCO or CLA, let us know!
Update: I'm still working on this, and it's almost done. I'm just awaiting a PR to be merged in go-vex and a release of that module. I have added some tests here in the PR as well and will rebase it soon.
Sorry for the delay, but the go-vex has been merged now, so this is ready for review.
Thanks @lulf for the update! We will review this soon!
Ping :)
Sorry for the delay! Added some comments
Awesome @lulf!! Thanks for the great PR! Looks good to me. I've added some comments, but I think most of it can be part of an iterative process in future PRs as we encounter docs with different data. Cheers!
1ca6e37 to a03fb1a
LGTM. We need to address if artifacts can be used by VEX (can open an issue for this). Also need to address the noVuln case.
@lulf a rebase will auto merge this PR
Signed-off-by: Ulf Lilleengen <ulf.lilleengen@gmail.com>
* feat: add support for ingesting VEX documents in CSAF format

  Signed-off-by: Ulf Lilleengen <ulf.lilleengen@gmail.com>

* fix: typo

  Signed-off-by: Dejan Bosanac <dbosanac@redhat.com>

---------

Signed-off-by: Ulf Lilleengen <ulf.lilleengen@gmail.com>
Signed-off-by: Dejan Bosanac <dbosanac@redhat.com>
Co-authored-by: Dejan Bosanac <dbosanac@redhat.com>
Marking this as draft to check if I'm on the right path and waiting for a pr to go-vex to be reviewed and merged.
This adds a new parser for CSAF documents, supporting ingestion of VEX documents. In addition, it injects CertifyVulnIngest for known_affected or under_investigation statements as discussed in chat.
I'll fix/add a unit test for the parser as well.
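The mapping described in the PR description above, as an added Go example that is not code from this PR or from the project: it reads the `product_status` section of a CSAF document, emits one VEX statement per listed product, and flags `known_affected` and `under_investigation` entries as the ones that would also get a vulnerability certification. The `Statement` type, the `ParseCSAF` function and the sample document are hypothetical and constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// csafDoc models only the CSAF 2.0 fields this example reads.
type csafDoc struct {
	Vulnerabilities []struct {
		CVE           string              `json:"cve"`
		ProductStatus map[string][]string `json:"product_status"`
	} `json:"vulnerabilities"`
}

// Statement is a hypothetical flattened VEX statement (not a project type).
type Statement struct {
	CVE, Product, Status string
	CertifyVuln          bool // true for known_affected / under_investigation
}

// statuses pairs each handled CSAF product_status key with a VEX status, in a
// fixed order so output is deterministic. Other keys are ignored.
var statuses = [][2]string{
	{"known_affected", "affected"}, {"under_investigation", "under_investigation"},
	{"known_not_affected", "not_affected"}, {"fixed", "fixed"},
}

// ParseCSAF returns one statement per (vulnerability, status, product).
func ParseCSAF(data []byte) ([]Statement, error) {
	var doc csafDoc
	if err := json.Unmarshal(data, &doc); err != nil {
		return nil, fmt.Errorf("decode CSAF: %w", err)
	}
	var out []Statement
	for _, v := range doc.Vulnerabilities {
		for _, s := range statuses {
			for _, p := range v.ProductStatus[s[0]] {
				certify := s[0] == "known_affected" || s[0] == "under_investigation"
				out = append(out, Statement{v.CVE, p, s[1], certify})
			}
		}
	}
	return out, nil
}

// sampleCSAF is a constructed document; the CVE and product IDs are placeholders.
const sampleCSAF = `{"vulnerabilities":[{"cve":"CVE-0000-0000","product_status":{
 "known_affected":["product-a"],"fixed":["product-b"],"under_investigation":["product-c"]}}]}`
func main() { fmt.Println(ParseCSAF([]byte(sampleCSAF))) }
```

A document whose vulnerabilities carry no `product_status` yields no statements rather than an error, which is the situation the reviewer's "noVuln case" remark leaves open for a real ingester to decide.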