Grype error when reading SBOM for directory and VEX document: unable to find matches #2471

Open
mxmehl opened this issue Feb 21, 2025 · 0 comments
Labels
bug Something isn't working

mxmehl commented Feb 21, 2025

What happened:

When running grype on an SBOM generated by syft on a local directory, and using the --vex argument pointing to an OpenVEX document, the following error occurs:

[0000] ERROR unable to find matches against VEX sources: unable to find matches against VEX documents: checking matches against VEX data: reading product identifiers from context: source type not supported for VEX

What you expected to happen:

Grype successfully reads the SBOM and OpenVEX documents, and provides its expected output (e.g. suppressing a warning).

How to reproduce it (as minimally and precisely as possible):

# Creating an SBOM on a local directory (Python project managed by poetry)
syft scan . -o json > sbom.json
# Note: Here's a warning which might help solve this:
# [0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)

# Running grype without VEX
grype sbom.json
# Table output with some vulnerabilities. For example:
# urllib3       2.2.1      2.2.2     python  GHSA-34jh-p97f-mpxf  Medium

# Creating a VEX statement on this vulnerability. The PURL was taken from grype's JSON output
vexctl create --file openvex.json -p "pkg:pypi/urllib3@2.2.1" -v "GHSA-34jh-p97f-mpxf" -s "not_affected" -j "vulnerable_code_not_in_execute_path"

# Run grype with the VEX
grype sbom:sbom.json --vex openvex.json

The output for the last command:

 ✘ Scan for vulnerabilities        [7 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 5 medium, 2 low, 0 negligible
   └── by status:   7 fixed, 0 not-fixed, 0 ignored
[0000] ERROR unable to find matches against VEX sources: unable to find matches against VEX documents: checking matches against VEX data: reading product identifiers from context: source type not supported for VEX

Anything else we need to know?:

Attaching the generated files:

Environment:
Output of grype version:

Application:         grype
Version:             0.87.0

BuildDate:           2025-01-22T20:51:16Z
GitCommit:           247f5d72abf2131aa37f3164a98495c121b29029
GitDescription:      v0.87.0
Platform:            linux/amd64
GoVersion:           go1.23.4
Compiler:            gc
Syft Version:        v1.19.0
Supported DB Schema: 5

OS (e.g: cat /etc/os-release or similar):

Distributor ID: Ubuntu
Description:    Ubuntu 22.04.4 LTS
Release:        22.04
Codename:       jammy

vexctl version:

GitVersion:    v0.3.0
GitCommit:     c613023a69ce990a54c25c2f5e69d5d78285927f
GitTreeState:  clean
BuildDate:     2024-09-10T01:45:26Z
GoVersion:     go1.22.7
Compiler:      gc
Platform:      linux/amd64

syft --version: syft 1.19.0

@mxmehl mxmehl added the bug Something isn't working label Feb 21, 2025
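A pre-flight check, added here as an example and not code from the issue, grype or vexctl: it parses a syft JSON SBOM and an OpenVEX document (both constructed inline; the OpenVEX field layout is assumed to be what vexctl writes), reports the SBOM source type that the error above rejects, and lists which statement product purls actually match SBOM artifacts before grype is asked to apply them.

```python
import json

# Constructed inputs (not the issue's attachments): a minimal syft JSON SBOM of a
# directory source, and an OpenVEX document in the layout vexctl emits (assumed).
SBOM_JSON = """{
  "artifacts": [
    {"name": "urllib3", "version": "2.2.1", "type": "python", "purl": "pkg:pypi/urllib3@2.2.1"},
    {"name": "requests", "version": "2.31.0", "type": "python", "purl": "pkg:pypi/requests@2.31.0"}
  ],
  "source": {"type": "directory", "target": "."}
}"""

VEX_JSON = """{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://example.invalid/vex/constructed-1",
  "author": "constructed example", "timestamp": "2025-02-21T00:00:00Z", "version": 1,
  "statements": [
    {"vulnerability": {"name": "GHSA-34jh-p97f-mpxf"},
     "products": [{"@id": "pkg:pypi/urllib3@2.2.1"}],
     "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
    {"vulnerability": {"name": "GHSA-0000-0000-0000"},
     "products": [{"@id": "pkg:pypi/urllib3@2.2.2"}],
     "status": "not_affected"}
  ]
}"""


def base_purl(purl):
    """Drop purl qualifiers and subpath so 'pkg:pypi/x@1?a=b#sub' compares as 'pkg:pypi/x@1'."""
    return purl.split("?", 1)[0].split("#", 1)[0]


def check_vex_against_sbom(sbom_text, vex_text):
    """Report which VEX statements can be matched to SBOM packages, and why they might not be."""
    sbom, vex = json.loads(sbom_text), json.loads(vex_text)
    sbom_purls = {base_purl(a["purl"]) for a in sbom.get("artifacts", []) if a.get("purl")}
    report = {
        "source_type": sbom.get("source", {}).get("type"),  # the issue shows grype rejecting "directory"
        "matched": [], "unmatched": [], "missing_justification": [],
    }
    for st in vex.get("statements", []):
        vuln, status = st.get("vulnerability", {}).get("name"), st.get("status")
        # OpenVEX requires a justification (or impact_statement) on not_affected statements.
        if status == "not_affected" and not (st.get("justification") or st.get("impact_statement")):
            report["missing_justification"].append(vuln)
        for product in st.get("products", []):
            purl = base_purl(product.get("@id", ""))
            key = "matched" if purl in sbom_purls else "unmatched"
            report[key].append((vuln, purl, status))
    return report
```

Running `check_vex_against_sbom` on real files (`open("sbom.json").read()`, `open("openvex.json").read()`) shows at a glance whether a silently ignored statement is due to a purl that is not in the SBOM, a missing justification, or the directory source type this issue is about.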