Merge multiple affected products with the same CVE ID together #226
Comments
macedogm
changed the title
|
Note: I plan to submit a PR with a proposal for this (as soon as I get spare time). |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
When vexctl merges documents that have the same CVE ID, even if the affected products/subcomponents are the same, the new document will contain one statement for each CVE ID merged. For example, suppose that we have 2 documents that have the same CVE ID
CVE-1234-5678, but the affected products differ,pkg:apk/wolfi/bash@1.0.0andpkg:apk/wolfi/bash@1.5.0.Doc 1 -
doc-1-bash-1.0.0.vex.json{ "@context": "https://openvex.dev/ns/v0.2.0", "@id": "https://openvex.dev/docs/public/vex-0f3be8817faafa24e4bfb3d17eaf619efb1fe54923b9c42c57b156a936b91431", "author": "John Doe", "role": "Senior Trusted VEX Issuer", "version": 1, "statements": [ { "vulnerability": { "name": "CVE-1234-5678" }, "products": [ { "@id": "pkg:apk/wolfi/bash@1.0.0" } ], "status": "under_investigation", "timestamp": "2023-12-05T05:04:34.77929922Z" } ], "timestamp": "2023-12-05T05:04:34.77929844Z" }Doc 2 -
doc-2-bash-1.5.0.vex.json{ "@context": "https://openvex.dev/ns/v0.2.0", "@id": "https://openvex.dev/docs/public/vex-0f3be8817faafa24e4bfb3d17eaf619efb1fe54923b9c42c57b156a936b91431", "author": "John Doe", "role": "Senior Trusted VEX Issuer", "version": 1, "statements": [ { "vulnerability": { "name": "CVE-1234-5678" }, "products": [ { "@id": "pkg:apk/wolfi/bash@1.5.0" } ], "status": "under_investigation", "timestamp": "2023-12-05T05:04:34.77929922Z" } ], "timestamp": "2023-12-05T05:04:34.77929844Z" }The merged doc will be:
{ "@context": "https://openvex.dev/ns/v0.2.0", "@id": "merged-vex-318615fd4367a52301a6f47023c40190c788b864c360eb94fd8109c913a4a77d", "author": "Unknown Author", "timestamp": "2024-07-12T18:19:33.041047414-03:00", "version": 1, "statements": [ { "vulnerability": { "name": "CVE-1234-5678" }, "timestamp": "2023-12-05T05:04:34.77929922Z", "products": [ { "@id": "pkg:apk/wolfi/bash@1.0.0" } ], "status": "under_investigation" }, { "vulnerability": { "name": "CVE-1234-5678" }, "timestamp": "2023-12-05T05:04:34.77929922Z", "products": [ { "@id": "pkg:apk/wolfi/bash@1.5.0" } ], "status": "under_investigation" } ] }If we keep merging docs that contain the same CVE ID, the number of statement will grow proportionally.
Would it make sense to combine the products inside the structure
products[]if certain conditions are meet, for example,(CVE IDs are equal) AND (statuses are equal) AND (justifications, if present, are equal) AND (action statements, if present, are equal) AND (impact statements, if present, are equal) AND (status notes, if present, are equal)? Products, and their affected subcomponents, can vary. Ideally, this can help make the merged docs smaller and concise, specially if automation is used to scan and merge multiple docs together.Example of a possible concise ("compact") version:
{ "@context": "https://openvex.dev/ns/v0.2.0", "@id": "merged-vex-318615fd4367a52301a6f47023c40190c788b864c360eb94fd8109c913a4a77d", "author": "Unknown Author", "timestamp": "2024-07-12T18:32:19.084311228-03:00", "version": 1, "statements": [ { "vulnerability": { "name": "CVE-1234-5678" }, "timestamp": "2023-12-05T05:04:34.77929922Z", "products": [ { "@id": "pkg:apk/wolfi/bash@1.0.0" }, { "@id": "pkg:apk/wolfi/bash@1.5.0" } ], "status": "under_investigation" } ] }Apologies if this isn't the right place to ask or discuss about this. Please let me know if I should direct this conversation to a different channel. Thanks!
The text was updated successfully, but these errors were encountered: