package vex import ( openvex "github.com/openvex/go-vex/pkg/vex" "github.com/aquasecurity/trivy/pkg/sbom/core" "github.com/aquasecurity/trivy/pkg/types" ) type OpenVEX struct { vex openvex.VEX } func newOpenVEX(vex openvex.VEX) VEX { return &OpenVEX{ vex: vex, } } func (v *OpenVEX) Filter(result *types.Result, bom *core.BOM) { filterVulnerabilities(result, bom, v.NotAffected) } func (v *OpenVEX) NotAffected(vuln types.DetectedVulnerability, product, subComponent *core.Component) (types.ModifiedFinding, bool) { stmts := v.Matches(vuln, product, subComponent) if len(stmts) == 0 { return types.ModifiedFinding{}, false } // Take the latest statement for a given vulnerability and product // as a sequence of statements can be overridden by the newer one. // cf. https://github.com/openvex/spec/blob/fa5ba0c0afedb008dc5ebad418548cacf16a3ca7/OPENVEX-SPEC.md#the-vex-statement stmt := stmts[len(stmts)-1] if stmt.Status == openvex.StatusNotAffected || stmt.Status == openvex.StatusFixed { modifiedFindings := types.NewModifiedFinding(vuln, findingStatus(stmt.Status), string(stmt.Justification), "OpenVEX") return modifiedFindings, true } return types.ModifiedFinding{}, false } func (v *OpenVEX) Matches(vuln types.DetectedVulnerability, product, subComponent *core.Component) []openvex.Statement { if product == nil || product.PkgIdentifier.PURL == nil { return nil } var subComponentPURL string if subComponent != nil && subComponent.PkgIdentifier.PURL != nil { subComponentPURL = subComponent.PkgIdentifier.PURL.String() } return v.vex.Matches(vuln.VulnerabilityID, product.PkgIdentifier.PURL.String(), []string{subComponentPURL}) } func findingStatus(status openvex.Status) types.FindingStatus { switch status { case openvex.StatusNotAffected: return types.FindingStatusNotAffected case openvex.StatusFixed: return types.FindingStatusFixed case openvex.StatusUnderInvestigation: return types.FindingStatusUnderInvestigation default: return types.FindingStatusUnknown } }