### Install vexctl using Go Source: https://github.com/openvex/vexctl/blob/main/README.md Install the latest version of vexctl using the Go package manager. Requires Go 1.16 or later. ```console go install github.com/openvex/vexctl@latest ``` -------------------------------- ### Install vexctl using Homebrew Source: https://github.com/openvex/vexctl/blob/main/README.md Install the latest tagged version of vexctl using Homebrew. This is an alternative installation method for macOS and Linux users. ```console brew install vexctl ``` -------------------------------- ### Example VEX document JSON Source: https://github.com/openvex/vexctl/blob/main/README.md This is an example of a VEX document created using the `vexctl create` command. It details a specific vulnerability's status for a given product. ```json { "@context": "https://openvex.dev/ns/v0.2.0", "@id": "https://openvex.dev/docs/public/vex-adc52fe6c8d2ba0feee7f4343f9b40c90e8cdb077817f880a6650502aece82bc", "author": "Unknown Author", "timestamp": "2023-10-07T23:32:07.620932-08:00", "version": 1, "statements": [ { "vulnerability": { "name": "CVE-2014-123456" }, "timestamp": "2023-10-07T23:32:07.620932-08:00", "products": [ { "@id": "pkg:apk/wolfi/git@2.38.1-r0?arch=x86_64" } ], "status": "not_affected", "justification": "inline_mitigations_already_exist" } ] } ``` -------------------------------- ### Merged VEX document example Source: https://github.com/openvex/vexctl/blob/main/README.md An example of a merged VEX document showing the evolution of a vulnerability's status over time. This document combines statements from multiple sources. ```json { "@context": "https://openvex.dev/ns/v0.2.0", "@id": "merged-vex-077a7a26ee6f351b86fba3206d39e1872cb726f955ce18535b2e890cc20a8bf6", "author": "Unknown Author", "timestamp": "2023-10-07T23:33:45.966496-08:00", "version": 1, "statements": [ { "vulnerability": { "name": "CVE-1234-5678" }, "timestamp": "2022-12-22T16:36:43-05:00", "products": [ { "@id": "pkg:apk/wolfi/bash@1.0.0" } ], "status": "under_investigation" }, { "vulnerability": { "name": "CVE-1234-5678" }, "timestamp": "2022-12-22T20:56:05-05:00", "products": [ { "@id": "pkg:apk/wolfi/bash@1.0.0" } ], "status": "fixed" } ] } ``` -------------------------------- ### Example SARIF output after filtering Source: https://github.com/openvex/vexctl/blob/main/README.md This JSON structure represents a SARIF result file after VEX filtering has been applied, showing the expected output format. ```json { "version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0-rtm.5.json", "runs": [ { "tool": { "driver": { "fullName": "Trivy Vulnerability Scanner", "informationUri": "https://github.com/aquasecurity/trivy", "name": "Trivy", "rules": [ ``` -------------------------------- ### Get Nginx Image SHA Source: https://github.com/openvex/vexctl/blob/main/examples/sarif/README.md Obtain the SHA256 hash for a specific version of the nginx image to generate SARIF output. ```shell sha256:13d22ec63300e16014d4a42aed735207a8b33c223cff19627dd3042e5a10a3a0 ``` -------------------------------- ### Clone and build vexctl Source: https://github.com/openvex/vexctl/blob/main/README.md Instructions to clone the vexctl repository and build the executable using make. This process includes checking out the code and running the build command. ```bash $ git clone https://github.com/openvex/vexctl.git $ cd vex $ make $ ./vexctl version ``` -------------------------------- ### Create a new VEX document Source: https://github.com/openvex/vexctl/blob/main/README.md Create a VEX document with a single statement indicating a product is not affected by a vulnerability. This command specifies the product, vulnerability, status, and justification. ```console vexctl create --product="pkg:apk/wolfi/git@2.38.1-r0?arch=x86_64" \ --vuln="CVE-2014-123456" \ --status="not_affected" \ --justification="inline_mitigations_already_exist" ``` -------------------------------- ### vexctl version information Source: https://github.com/openvex/vexctl/blob/main/README.md Displays the version and build details of the vexctl tool. This output includes Git information, build date, and platform details. ```text _ _ _____ __ __ _____ _____ _ | | | || ___|\ \ / // __ |\|_ _|| | | | | || |__ \ V / | / \/ | | | | | | | || __| / \ | | | | | | \ \_/ /| |___ / /^\ \| \__\/ | | | |____ \___/ \____/ \/ \/ \____/ \_/ \_____/ vexctl: A tool for working with VEX data GitVersion: v0.1.0-21-g769ba3f-dirty GitCommit: 769ba3f0c638003b6c5e3c41ae88f4cdc63555ab GitTreeState: dirty BuildDate: 2023-01-18T00:19:24Z GoVersion: go1.19.4 Compiler: gc Platform: darwin/arm64 ``` -------------------------------- ### Attest VEX statements to a container image Source: https://github.com/openvex/vexctl/blob/main/README.md Attest and attach VEX statements from a local file to a container image. This command signs the VEX data and associates it with the specified image. ```shell vexctl attest --attach --sign mydata.vex.json cgr.dev/image@sha256:e4cf37d568d195b4.. ``` -------------------------------- ### Count SARIF Results with jq Source: https://github.com/openvex/vexctl/blob/main/examples/sarif/README.md Use `jq` to count the number of results in a SARIF file by inspecting the `runs[0].results` array length. ```shell cat examples/sarif/nginx-grype.sarif.json | jq '.runs[0].results | length' 99 ``` -------------------------------- ### Merge Multiple Documents (CSAF and OpenVEX) with vexctl Source: https://github.com/openvex/vexctl/blob/main/examples/csaf/README.md Use `vexctl merge` to combine VEX data from multiple documents, including CSAF and OpenVEX formats, into a single OpenVEX document. This demonstrates composing VEX information from diverse sources. ```bash vexctl merge examples/csaf/csaf.json examples/csaf/openvex.json ``` -------------------------------- ### Merge Single CSAF Document with vexctl Source: https://github.com/openvex/vexctl/blob/main/examples/csaf/README.md Use `vexctl merge` to ingest a single CSAF file and generate an OpenVEX document. This is useful for testing basic CSAF to OpenVEX conversion. ```bash vexctl merge examples/csaf/csaf.json ``` -------------------------------- ### Output of Merging Multiple Documents Source: https://github.com/openvex/vexctl/blob/main/examples/csaf/README.md The resulting OpenVEX JSON document after merging a CSAF file and an OpenVEX file. ```json { "@context": "https://openvex.dev/ns", "@id": "merged-vex-d036fc7d69d1dddc641ab6f19e604be821fef5c9b2db00e0ed6bffe5ab9c470e", "author": "Unknown Author", "role": "Document Creator", "timestamp": "2023-06-19T17:27:53.725858678-06:00", "version": 1, "statements": [ { "vulnerability": "CVE-2009-4487", "timestamp": "2022-03-03T11:00:00.000Z", "products": [ "pkg:generic/component1@1.3.4" ], "status": "not_affected", "action_statement": "Class with vulnerable code was removed before shipping." }, { "vulnerability": "CVE-2014-123456", "timestamp": "2023-01-08T18:02:03.647Z", "products": [ "pkg:generic/component2@2.39.0-r1" ], "status": "fixed" } ] } ``` -------------------------------- ### Output of Merging Single CSAF Document Source: https://github.com/openvex/vexctl/blob/main/examples/csaf/README.md The resulting OpenVEX JSON document generated from a single CSAF file. ```json { "@context": "https://openvex.dev/ns", "@id": "merged-vex-23b3bef63c834f02772204d8c823c5c7d35db12b31518b3b111752b3f991769a", "author": "Unknown Author", "role": "Document Creator", "timestamp": "2023-06-09T12:01:32.239990099-06:00", "version": 1, "statements": [ { "vulnerability": "CVE-2009-4487", "timestamp": "2022-03-03T11:00:00.000Z", "products": [ "pkg:generic/component1@1.3.4" ], "status": "not_affected", "action_statement": "Class with vulnerable code was removed before shipping." } ] } ``` -------------------------------- ### Filter SARIF Reports with vexctl Source: https://github.com/openvex/vexctl/blob/main/examples/sarif/README.md Use `vexctl filter` to process a SARIF report with an OpenVEX document, printing filtered results to STDERR. ```shell vexctl filter examples/sarif/nginx-grype.sarif.json examples/sarif/sample-1statement.openvex.json ``` -------------------------------- ### Merge existing VEX documents Source: https://github.com/openvex/vexctl/blob/main/README.md Merge multiple VEX documents into a single, consolidated document. This command is useful when multiple stakeholders provide VEX metadata for the same software. ```console vexctl merge --product=pkg:apk/wolfi/bash@1.0.0 \ examples/openvex/document1.vex.json \ examples/openvex/document2.vex.json ``` -------------------------------- ### Count Filtered SARIF Results with vexctl and jq Source: https://github.com/openvex/vexctl/blob/main/examples/sarif/README.md Combine `vexctl filter` with `jq` to count the remaining results after filtering SARIF reports against an OpenVEX document. ```shell vexctl filter \ examples/sarif/nginx-grype.sarif.json \ examples/sarif/sample-1statement.openvex.json | jq '.runs[0].results | length' ``` -------------------------------- ### Filter SARIF results with vexctl Source: https://github.com/openvex/vexctl/blob/main/README.md Use vexctl to filter SARIF scan results, removing vulnerabilities marked as not exploitable. This command processes a SARIF file and applies VEX filtering. ```bash vexctl filter scan_results.sarif.json cgr.dev/image@sha256:e4cf37d568d195b4b5af4c36a... ``` -------------------------------- ### Filter security scan results using VEX data Source: https://github.com/openvex/vexctl/blob/main/README.md Filter security scanner results (e.g., SARIF format) using VEX data from a specified file. This command removes entries that are VEX'ed out. ```shell # From a VEX file: vexctl filter scan_results.sarif.json vex_data.csaf ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.