Skip to content
/ go-vex Public
forked from openvex/go-vex

Go module to generate and transform VEX documents

License

Apache-2.0 license
0 stars 16 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

rnjudge/go-vex

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

205 Commits
.github
.github
 
 
hack/boilerplate
hack/boilerplate
 
 
pkg
pkg
 
 
.gitignore
.gitignore
 
 
.golangci.yml
.golangci.yml
 
 
LICENSE
LICENSE
 
 
MAINTAINERS.md
MAINTAINERS.md
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 

Repository files navigation

go-vex

Go library for generating, consuming, and operating on VEX documents

Build Status PkgGoDev Go Report Card

This repository contains the OpenVEX Go source code. This module lets authors create, modify and manage VEX documents.

The full documentation for this module can be found at https://pkg.go.dev/github.com/openvex/go-vex.

For more information about the OpenVEX specification implemented by this module, check out the OpenVEX specification.

Installing

Run go get to install the latest version of the library.

go get -u github.com/openvex/go-vex@latest

Example Usage: Generate a VEX Document

The following is a simple example showing how to generate a VEX document:

package main

import (
	"os"

	"github.com/openvex/go-vex/pkg/vex"
)

func main() {
	// Create new VEX document
	doc := vex.New()

	// Define the documenmt author
	doc.Author = "Wolfi J. Inkinson"
	doc.AuthorRole = "Senior VEXing Engineer"

	// Here, we add an impact statement. The core of VEX. We will inform
	// that our git image is not affected by CVE-2023-12345 and why:
	doc.Statements = append(doc.Statements, vex.Statement{
		// ... define the vulnerability:
		Vulnerability: "CVE-2023-12345",

		// ... add an image as product:
		Products: []string{
			"pkg:oci/git@sha256:23a264e6e429852221a963e9f17338ba3f5796dc7086e46439a6f4482cf6e0cb",
		},

		// ... specify optional subcomponents:
		Subcomponents: []string{
			"pkg:apk/alpine/[email protected]?arch=x86_64",
			"pkg:apk/alpine/[email protected]?arch=ppc64le",
		},

		// ... choose one of the VEX status labels:
		Status: vex.StatusNotAffected,

		// ... finally, a machine-readable justification and optional statement:
		Justification:   vex.InlineMitigationsAlreadyExist,
		ImpactStatement: "Included git is mitigated against CVE-2023-12345 !",
	})

	// Generate a canonical identifier for the VEX document:
	doc.GenerateCanonicalID()

	// Output the document to stdout:
	doc.ToJSON(os.Stdout)
}

Running this example renders the following simple VEX document:

{
  "@context": "https://openvex.dev/ns",
  "@id": "https://openvex.dev/docs/public/vex-a06f9de1ad1b1e555a33b2d0c1e7e6ecc4dc1800ff457c61ea09d8e97670d2a3",
  "author": "Wolfi J. Inkinson",
  "role": "Senior VEXing Engineer",
  "timestamp": "2023-01-09T21:23:03.579712389-06:00",
  "version": "1",
  "statements": [
    {
      "vulnerability": "CVE-2023-12345",
      "products": [
        "pkg:oci/git@sha256:23a264e6e429852221a963e9f17338ba3f5796dc7086e46439a6f4482cf6e0cb"
      ],
      "subcomponents": [
        "pkg:apk/alpine/[email protected]?arch=x86_64",
        "pkg:apk/alpine/[email protected]?arch=ppc64le"
      ],
      "status": "not_affected",
      "justification": "inline_mitigations_already_exist",
      "impact_statement": "Included git is mitigated against CVE-2023-12345 !"
    }
  ]
}

About

Go module to generate and transform VEX documents

Resources

Readme

License

Apache-2.0 license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Go 95.3%
  • Makefile 4.4%
  • Shell 0.3%