vexctl does not output multiple --product options #241

Open
zmanion opened this issue Aug 16, 2024 · 0 comments
vexctl create --help gives this example:

vexctl create --product="pkg:apk/wolfi/git@2.39.0-r1?arch=x86_64" \
              --product="pkg:apk/wolfi/git@2.39.0-r1?arch=armv7" \
              --vuln="CVE-2023-12345" \
              --status="fixed"

Running this command, however, only outputs the last --product:

$ vexctl create --product="pkg:apk/wolfi/git@2.39.0-r1?arch=x86_64" \
              --product="pkg:apk/wolfi/git@2.39.0-r1?arch=armv7" \
              --vuln="CVE-2023-12345" \
              --status="fixed"
{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://openvex.dev/docs/public/vex-a582a5c0870717337ed44decdab46b963e31a1d76d085aab11760801788da3d4",
  "author": "Unknown Author",
  "timestamp": "2024-08-16T12:55:57.430219-04:00",
  "version": 1,
  "statements": [
    {
      "vulnerability": {
        "name": "CVE-2023-12345"
      },
      "timestamp": "2024-08-16T12:55:57.43022-04:00",
      "products": [
        {
  ### -->  was expecting to see "pkg:apk/wolfi/git@2.39.0-r1?arch=x86_64" here  <--         
          "@id": "pkg:apk/wolfi/git@2.39.0-r1?arch=armv7"
        }
      ],
      "status": "fixed"
    }
  ]
}

I don't know Go; here's where --product options are read:

case 0:
	if len(opts.Products) > 0 && args[i] != "" {
		return errors.New("multiple products can only be specified using the --product flag")
	}
	// Specifying multiple products through args is not supported as we can't tell how many products are provided:
	// e.g the second argument could be a vulnerability or a status instead of a product, for example.
	// When using args only the first one is considered a product.
	// To specify multiple products, use the --product flag multiple times instead.
	opts.Products = append(opts.Products, args[i])

and output here?

for _, id := range so.Products {
	s.Products = append(s.Products, vex.Product{
		Component: vex.Component{
			ID: id,
		},
		Subcomponents: []vex.Subcomponent{},
	})
}
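
A check for the symptom reported above, as an added example that is not part of the original issue or of the vexctl code base: it parses a generated OpenVEX document and lists every requested product that no statement for the vulnerability covers, so a silently dropped --product value is caught before the document is published. The helper name missingProducts and the reduced sample document are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// vexDoc is the subset of the OpenVEX document shown in the issue output.
type vexDoc struct {
	Statements []struct {
		Vulnerability struct{ Name string `json:"name"` } `json:"vulnerability"`
		Products      []struct{ ID string `json:"@id"` }  `json:"products"`
	} `json:"statements"`
}

// missingProducts (hypothetical helper) returns the IDs in want that no statement about vuln lists.
func missingProducts(doc []byte, vuln string, want []string) ([]string, error) {
	var d vexDoc
	if err := json.Unmarshal(doc, &d); err != nil {
		return nil, fmt.Errorf("parsing VEX document: %w", err)
	}
	seen := map[string]bool{}
	for _, s := range d.Statements {
		for _, p := range s.Products {
			if s.Vulnerability.Name == vuln {
				seen[p.ID] = true
			}
		}
	}
	var missing []string
	for _, id := range want {
		if !seen[id] {
			missing = append(missing, id)
		}
	}
	return missing, nil
}

// Constructed sample: the issue's output reduced to the fields the check reads.
const sample = `{"statements":[{"vulnerability":{"name":"CVE-2023-12345"},
  "products":[{"@id":"pkg:apk/wolfi/git@2.39.0-r1?arch=armv7"}],"status":"fixed"}]}`

func main() {
	want := []string{"pkg:apk/wolfi/git@2.39.0-r1?arch=x86_64",
		"pkg:apk/wolfi/git@2.39.0-r1?arch=armv7"} // the two --product values from the issue
	missing, err := missingProducts([]byte(sample), "CVE-2023-12345", want)
	fmt.Println("missing:", missing, "err:", err)
}
```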
