-
Notifications
You must be signed in to change notification settings - Fork 19
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Storing VEX files in a dedicated directory within Git repositories #46
Comments
Makes sense to me! |
how do we differentiate the different versions, architecture for a component? for container images, may need the image digest. |
In my opinion, if the
Different
I'm also open to the idea of combining all relevant products into one VEX file per format (e.g., openvex.json and csaf.json). |
What are the drawbacks/disadvantages of having a single |
I plan on somehow grabbing this VEX file when scanning for vulnerabilities, and having it all in one file means there will be some inefficiencies in file size and processing speed since it contains a lot of unnecessary statements (irrelevant products). For example, statements about OCI images are unnecessary when scanning Go binaries. If they are grouped together in a certain unit, it is efficient to obtain only the necessary VEX documents, but if we separate files by version or arch, the number of files will become too large, so I proposed grouping by type, namespace, and name. However, I don't think it's a big deal even if all the products are in one file, as it might just make things a little less efficient (or harder for humans to view). |
@knqyf263 I see, thanks. I think this could be resolved with clarity in the client contract. Let me describe how I understand the client will find the VEX file in the location you're proposing, and how it'll use it. This is my understanding from your proposal, so I could be wrong:
Having a single OpenVEX file per repository is a way for the owners of
Note: since (1) is an open, hard problem (I wonder if reverse lookups on things like SECURITY-INSIGHTS could be interesting, CC @luigigubello), we could say the problem of a single file vs. many files (one per package type, package name, version, architecture) isn't that big of a problem (this is similar to how APT and RPM can fetch the right manifest by convention once you can give them a base URL to a repository) The difference is that the I apologize for the long comment, and I apologize if I misinterpreted or misrepresented anything. I appreciate the opportunity to think deeply about this problem. I still think there are many merits to having an agreeable convention for repository owners to keep their VEX counterclaims under source control, happily solving part of the distribution problem too, and to that extent I would suggest lowering the bar making it simpler for producers and consumers to discover, acquire and process a single file for all artifacts produced from a given repository. |
Yes, you're correct!
True. I have an idea for that, but it's out of scope in this request. Let's assume that clients find the source repository in some way.
That's also true. Clients have to implement the same logic as go-vex.
There is no way to specify version ranges now. #26
To start with a simple specification, a single file, like BTW, we already have two files under |
FYI: This is what we did. |
Description
I would like to open a discussion regarding the file path convention for storing OpenVEX files within a Git repository. In the example of Cilium, the filename
.openvex.json
is used. However, considering factors such as future OpenVEX version upgrades, the need to retain older files, storing individual VEX files for the OCI artifact and the project, and accommodating multiple VEX formats like OpenVEX and CSAF, I think it would be better to store VEX files under a dedicated directory like.vex/
rather than using a single file.Example
For example, a filename format would be like NAME.FORMAT.json for storing the VEX files. With this approach, the file path would look like this:
When storing VEX files in a Git repository, there is a challenge in associating package names with repository names for most ecosystems other than Go. However, users can still utilize the VEX files by manually downloading them, and defining a standard location for these files is beneficial.
I welcome any feedback or thoughts on this proposal.
The text was updated successfully, but these errors were encountered: