feat: command line arguments for vex #4226
Conversation
Also, I'll include SPDX VEX support in later commits once the project is closer to completion.
The documentation (README and MANUAL) needs updating to include the new command line options.
cve_bin_tool/cli.py (outdated)
```python
input_group.add_argument(
    "--vex",
    action="store",
    choices=["cyclonedx", "csaf", "open"],
```
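Review bot: the choices list here spells the OpenVEX format as "open", and no default= is visible in the snippet, so running without --vex leaves args.vex as None rather than an auto mode. Either add "auto" to the choices with default="auto" (choices=["auto", "cyclonedx", "csaf", "openvex"]) or drop the option and always detect the format from the file, and update the README and MANUAL to describe whichever is kept.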
The choices should be cyclonedx, csaf, openvex and auto.
However, do we need this if we assume auto?
@anthonyharrison I think it's better this way so that lib4vex doesn't have to figure it out on auto, with auto being handy if no value for --vex is passed. Should I remove it so the parser always works on auto?
If auto is accurate enough (and I'm fairly sure it is?) we should probably use auto and get rid of the option. It'll take a millisecond for the computer to figure it out and a lot longer than that for the human if they don't already know the answer. ;)
@terriko I have shifted the manual definition of vex to auto ; )
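The thread above settles on detecting the VEX format from the file rather than making the user name it. As an added illustration, and not code from cve-bin-tool or lib4vex, here is one way such detection can work from markers each format carries in its JSON, paired with an argparse option that keeps the explicit choices but defaults to auto. The sample documents are constructed, the marker checks (bomFormat for CycloneDX, document.csaf_version for CSAF, an @context under openvex.dev for OpenVEX) are my assumptions about the formats rather than anything the PR states, and resolve_vex_format additionally refuses a document that contradicts an explicit --vex value instead of silently trusting the flag.

```python
import argparse
import json

# Constructed sample documents, one per format (not taken from the PR or any real scan).
SAMPLES = {
    "cyclonedx": {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "vulnerabilities": [{"id": "CVE-0000-0000", "analysis": {"state": "not_affected"}}],
    },
    "csaf": {
        "document": {"category": "csaf_vex", "csaf_version": "2.0", "title": "constructed"},
        "vulnerabilities": [{"cve": "CVE-0000-0000"}],
    },
    "openvex": {
        "@context": "https://openvex.dev/ns/v0.2.0",
        "@id": "https://example.invalid/vex/1",
        "statements": [{"vulnerability": {"name": "CVE-0000-0000"}, "status": "not_affected"}],
    },
}

FORMATS = ("cyclonedx", "csaf", "openvex")


def sample_text(name: str) -> str:
    """Serialise one constructed sample so it can be fed through detection like a real file."""
    return json.dumps(SAMPLES[name])


def detect_vex_format(text: str) -> str:
    """Classify a VEX document by markers assumed to be specific to each format.

    CycloneDX: top-level "bomFormat": "CycloneDX".
    CSAF:      top-level "document" object carrying "csaf_version".
    OpenVEX:   "@context" under openvex.dev plus a "statements" list.
    Anything else is rejected rather than guessed.
    """
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not a JSON document: {exc}") from None
    if not isinstance(doc, dict):
        raise ValueError("top-level JSON value is not an object")
    if doc.get("bomFormat") == "CycloneDX":
        return "cyclonedx"
    document = doc.get("document")
    if isinstance(document, dict) and "csaf_version" in document:
        return "csaf"
    context = doc.get("@context")
    if (isinstance(context, str)
            and context.startswith("https://openvex.dev/ns/")
            and isinstance(doc.get("statements"), list)):
        return "openvex"
    raise ValueError("unrecognised VEX format: none of the known markers present")


def resolve_vex_format(requested: str, text: str) -> str:
    """'auto' means detect; an explicit choice is honoured only if the document agrees."""
    detected = detect_vex_format(text)
    if requested == "auto":
        return detected
    if requested != detected:
        raise ValueError(f"--vex {requested} given but the document looks like {detected}")
    return requested


def build_parser() -> argparse.ArgumentParser:
    """Hypothetical parser: --vex keeps explicit choices but defaults to auto-detection."""
    parser = argparse.ArgumentParser(prog="vex-demo")
    parser.add_argument(
        "--vex",
        choices=("auto", *FORMATS),
        default="auto",
        help="VEX format of the input file (default: detect from content)",
    )
    return parser


if __name__ == "__main__":
    args = build_parser().parse_args()
    for name in FORMATS:
        print(f"{name}: detected as {detect_vex_format(sample_text(name))}; "
              f"--vex {args.vex} -> ", end="")
        try:
            print(resolve_vex_format(args.vex, sample_text(name)))
        except ValueError as exc:
            print(f"rejected ({exc})")
```

Run it with no arguments to see all three samples resolved under auto, or with --vex csaf to see the two non-CSAF samples rejected; the rejection is the point of keeping the flag at all, since a flag that is trusted over the content only adds a way to misparse a file.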
cve_bin_tool/vex_manager/generate.py (outdated)
```python
# vulnerability.set_remediation(cve.response)
# set_remediation is not available for lib4sbom pypi version for now
# if cve.response:
#     vulnerability.set_remediation(cve.response[0])
```
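Review bot: the two commented-out variants disagree about what is passed (the whole cve.response versus cve.response[0]), and dead code kept behind a "not available in the pypi version" note will rot once the pinned lib4sbom moves on. Since the Vulnerability class exposes set_value for arbitrary attributes, replace the block with a live call guarded by the same emptiness check, e.g. `if cve.response: vulnerability.set_value("remediation", cve.response[0])`, so CSAF output gets the field now, and note in a comment that the CycloneDX generator in the current PyPI lib4sbom ignores it.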
The vulnerability class has a set_value function which allows the setting of any attribute.
e.g. `vulnerability.set_value("remediation", "Some interesting remediation description")`
@anthonyharrison I thought the same about using set_value, as the Vulnerability class does not include set_remediation in the PyPI version. But even if I set it, the CycloneDX generator in the latest PyPI version of lib4sbom does not take remediation into account for now, so I left it in a comment, although I am aware that CSAF takes it into account. I'll shift it to set_value().
Hey @anthonyharrison, I have made the requested changes; can you check them out? Thanks
Re-running the windows tests just in case.
If you're planning to bring back those tests once the lib4sbom version mismatch is fixed, could you disable them rather than deleting here? And if you aren't planning to bring those particular ones back, can we get a new test to replace them here?
@terriko I'm not sure which one you are talking about, but the two lines removed in test_vex of the test_triage file are due to the code logic in lib4vex generation (that one actually works with the GitHub version of lib4sbom, so in future we just need to enable it). If it's about the generate_vex test, that test is already shifted into the test_vex file, so the older one is not needed. I also didn't include the test regarding the schema of CycloneDX VEX because there will be a minor fix that I will open a PR for in lib4sbom, so that test would fail too. I hope I didn't miss something ; )
Pinging @mastersans: you'll need to do some conflict resolution on this before it can be merged.
In flash speed...... edit: And here goes the bad cache dayyy ; (
Yeah, this is blocked until those tests clear up. If you or @inosmeet can make a PR that just temporarily disables those 24 tests, that would probably be a good idea so we can keep the GSoC things moving.
(this is what I get for turning on branch protection so certain tests have to pass or the merge button disappears...)
Yay for tests behaving again. Going to merge this now.
cc @anthonyharrison @terriko