Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

docs: explain how VEX is applied #6864

Merged
merged 3 commits into from
Jun 6, 2024
Merged

docs: explain how VEX is applied #6864

merged 3 commits into from
Jun 6, 2024

Conversation

knqyf263
Copy link
Collaborator

@knqyf263 knqyf263 commented Jun 6, 2024

Description

Better describe how VEX is applied in the dependency tree

Related PRs

Remove this section if you don't have related PRs.

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@knqyf263 knqyf263 self-assigned this Jun 6, 2024
@knqyf263 knqyf263 requested review from itaysk and DmitriyLewen June 6, 2024 07:49
itaysk
itaysk approved these changes Jun 6, 2024
View reviewed changes
Copy link
Contributor

@itaysk itaysk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

great

docs/docs/supply-chain/vex.md

### Applying VEX to Dependency Trees

Trivy internally generates a dependency tree and applies VEX statements to this graph.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maybe link to the dependency tree docs for more info?
https://aquasecurity.github.io/trivy/v0.52/docs/configuration/reporting/#show-origins-of-vulnerable-dependencies

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this can be confusing.
This logic is not related to the dependency tree display.

docs/docs/supply-chain/vex.md Outdated Show resolved Hide resolved
DmitriyLewen
DmitriyLewen reviewed Jun 6, 2024
View reviewed changes
docs/docs/supply-chain/vex.md
"vulnerability": {"name": "CVE-XXXX-YYYY"},
"products": [
{
"@id": "pkg:golang/[email protected]",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We check all parents of the dependency tree.
Can we add information that either parent can be used(parent of parent, etc.)?
I mean is that for this case we can choose module-b or module-a.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added 51e8b4f

docs/docs/supply-chain/vex.md

### Applying VEX to Dependency Trees

Trivy internally generates a dependency tree and applies VEX statements to this graph.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this can be confusing.
This logic is not related to the dependency tree display.

@knqyf263
docs: delete a mistake
1fac633 
Signed-off-by: knqyf263 <[email protected]>
@knqyf263 knqyf263 force-pushed the docs/vex_internal branch from 4a9024b to 7ab49ef Compare June 6, 2024 13:09
@knqyf263 knqyf263 force-pushed the docs/vex_internal branch from 7ab49ef to 51e8b4f Compare June 6, 2024 13:16
@knqyf263 knqyf263 added this pull request to the merge queue Jun 6, 2024
Merged via the queue into aquasecurity:main with commit 63eb85a Jun 6, 2024
7 checks passed
@knqyf263 knqyf263 deleted the docs/vex_internal branch June 6, 2024 13:41
@knqyf263
Copy link
Collaborator Author

knqyf263 commented Jun 7, 2024

This document should have been part of v0.52.0. I'll backport it to release/v0.52 so v0.52.1 release will update the v0.52 document.

@knqyf263
Copy link
Collaborator Author

knqyf263 commented Jun 7, 2024

@aqua-bot backport release/v0.52

github-actions bot pushed a commit that referenced this pull request Jun 7, 2024
@knqyf263 @actions-user
docs: explain how VEX is applied (#6864)
53850c8 
Signed-off-by: knqyf263 <[email protected]>
@aqua-bot aqua-bot mentioned this pull request Jun 7, 2024
Merged
@aqua-bot
Copy link
Contributor

aqua-bot commented Jun 7, 2024

Backport PR created: #6879

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@DmitriyLewen DmitriyLewen DmitriyLewen left review comments

@itaysk itaysk itaysk approved these changes

Assignees

@knqyf263 knqyf263

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@knqyf263 @aqua-bot @itaysk @DmitriyLewen