vexctl does not output multiple --product options #241

Open
@zmanion


The vexctl create --help gives this example:

vexctl create --product="pkg:apk/wolfi/git@2.39.0-r1?arch=x86_64" \
              --product="pkg:apk/wolfi/git@2.39.0-r1?arch=armv7" \
              --vuln="CVE-2023-12345" \
              --status="fixed"

Running this command, however, only outputs the last --product:

$ vexctl create --product="pkg:apk/wolfi/git@2.39.0-r1?arch=x86_64" \
              --product="pkg:apk/wolfi/git@2.39.0-r1?arch=armv7" \
              --vuln="CVE-2023-12345" \
              --status="fixed"
{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://openvex.dev/docs/public/vex-a582a5c0870717337ed44decdab46b963e31a1d76d085aab11760801788da3d4",
  "author": "Unknown Author",
  "timestamp": "2024-08-16T12:55:57.430219-04:00",
  "version": 1,
  "statements": [
    {
      "vulnerability": {
        "name": "CVE-2023-12345"
      },
      "timestamp": "2024-08-16T12:55:57.43022-04:00",
      "products": [
        {
  ### -->  was expecting to see "pkg:apk/wolfi/git@2.39.0-r1?arch=x86_64" here  <--         
          "@id": "pkg:apk/wolfi/git@2.39.0-r1?arch=armv7"
        }
      ],
      "status": "fixed"
    }
  ]
}

I don't know Go; here's where --product options are read:

case 0:
	if len(opts.Products) > 0 && args[i] != "" {
		return errors.New("multiple products can only be specified using the --product flag")
	}
	// Specifying multiple products through args is not supported as we can't tell how many products are provided:
	// e.g the second argument could be a vulnerability or a status instead of a product, for example.
	// When using args only the first one is considered a product.
	// To specify multiple products, use the --product flag multiple times instead.
	opts.Products = append(opts.Products, args[i])

And output here?

for _, id := range so.Products {
	s.Products = append(s.Products, vex.Product{
		Component: vex.Component{
			ID: id,
		},
		Subcomponents: []vex.Subcomponent{},
	})
}
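
Added example, not part of the issue or of the vexctl code base: a standard-library Go check that reports which expected product identifiers are absent from an OpenVEX document's statements for a given vulnerability and status, the kind of assertion a release pipeline can run on vexctl output. The `statement` type, the `MissingProducts` function and the trimmed `sample` document are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// statement covers only the OpenVEX fields shown in the issue (example type, not a go-vex type).
type statement struct {
	Vulnerability struct{ Name string `json:"name"` } `json:"vulnerability"`
	Products      []struct{ ID string `json:"@id"` } `json:"products"`
	Status        string `json:"status"`
}

// MissingProducts returns the entries of want that no statement for vuln with
// the given status lists as a product, in the order they appear in want.
func MissingProducts(doc []byte, vuln, status string, want []string) ([]string, error) {
	var d struct{ Statements []statement `json:"statements"` }
	if err := json.Unmarshal(doc, &d); err != nil {
		return nil, fmt.Errorf("parsing OpenVEX document: %w", err)
	}
	seen := map[string]bool{}
	for _, s := range d.Statements {
		if s.Vulnerability.Name != vuln || s.Status != status {
			continue // a statement about another CVE or status does not cover the product
		}
		for _, p := range s.Products {
			seen[p.ID] = true
		}
	}
	var missing []string
	for _, id := range want {
		if !seen[id] {
			missing = append(missing, id)
		}
	}
	return missing, nil
}

// Constructed sample: the output quoted in the issue, trimmed to the fields the check reads.
const sample = `{"statements":[{"vulnerability":{"name":"CVE-2023-12345"},"products":[{"@id":"pkg:apk/wolfi/git@2.39.0-r1?arch=armv7"}],"status":"fixed"}]}`

func main() {
	want := []string{"pkg:apk/wolfi/git@2.39.0-r1?arch=x86_64", "pkg:apk/wolfi/git@2.39.0-r1?arch=armv7"}
	fmt.Println(MissingProducts([]byte(sample), "CVE-2023-12345", "fixed", want))
}
```

Run against the output in the issue, the check reports the x86_64 purl as missing, which a pipeline can treat as a failed build rather than publishing a VEX document that covers only one architecture.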
